What’s in your toolbox (Environment Variables)

Over the years I have found several tools that make a good or great addition to my PC repair toolbox. Some you use every day; others you only pull out on occasion.

I hope to write up several that I have used.

This first one came when I was looking recently for a better way to check and modify the Environment Variables for the system.

The normal way is to go to Control Panel –> System –> Advanced System Settings –> Environment Variables. Then you scroll to find the variable name you want in the list, select it, click Edit, then scroll through the long string (or copy and paste it to Notepad), make the modifications, paste it back and save. As you can see below it is not easy to see what you have there, especially when there is a lot in one line.

[Screenshot: EnvVar]

Now that is not very handy for viewing the big picture. You cannot even make the window bigger. Even if you click the Edit button for a variable name it is hard to work with, and you may still need to copy to Notepad, edit it, then copy back.

The most promising program I found in an internet search was one called “RapidEE”, located here: http://www.rapidee.com/en/download .

What I like the most is that it comes as an installer or as a Zip file, so you can drop it on a flash drive and use it portably without having to install it if you have several systems to look at.

This tool also has a built in crash report system. So if it crashes for some reason you can save the report locally or allow it to be sent to the creator if the need would arise.

When I first tested this program (Version 7.1 Build 841) it had a bug that crashed the application in a seemingly random way. After several emails back and forth with the creator I was able to send instructions that made the bug reproducible, along with my comments on what the bug report displayed, and within a day they were able to find and correct the bug now that they could consistently reproduce it.

So if you tried that version (7.1 Build 841) and blew it off, try the latest version, as it works well.

So far I haven’t been able to break it again : )

The program starts up as a standard user in Vista (the OS this was tested in) and you are able to edit the user variables, but not the system variables until you restart the program as an Administrator or right-click and run as admin from the beginning.

It has a button to restart as admin, too.

[Screenshot: REE]

As you can see in the screenshot above, some variable names are in red; that indicates there is a bad path in that variable. If a program removes its environment variable path from the list it can still show up as red, because a “Null” or empty path will show as an error. You see that when you have an entry like “path,,path”: the two commas side by side indicate that an environment variable path was removed from between the two paths.

You may also notice the warning icon at the bottom. That indicates that you are running the program as a standard user and would need to elevate in order to edit the system variables.

Before making any changes, or if you are just curious where the settings are stored, you may want to (run as admin) go to the File menu and select Backup. This will back up all of the settings as a registry key backup for both the user and system environment variables.

By backing them up beforehand you can restore them if you make a mistake or something goes wrong while editing them. Like me. I hate when the mouse jumps and you delete the wrong thing without first backing it up. (That’s my story and I’m sticking to it.)

This tool will change them instantly after you press Save, but as far as I have found so far they will not be reflected until the next boot if the variable path is currently in use.

Let’s talk about a few of the other features.

You may be able to see above that the variable names are displayed as a tree view. You can expand the individual variable name and edit or view the individual paths. You can also narrow in on the item that caused the variable name to be flagged red.

As you install and uninstall programs, sometimes the variable paths are left behind after uninstalling, leaving several bad paths. I should have taken a screenshot before I did the edit so you could see which variable paths were left behind on my system from programs that were tested; there were several.

The two windows are for the user and the system variables that you can edit. The user variables can be edited without being elevated. There are several right-click menu items for both sides.

When you first start out in standard user mode you will notice that some variable names are greyed out and you can’t edit them. For the most part you would never need to edit those, as the system takes care of them, and it might cause a few problems if you just deleted them. (A good feature for those that don’t know what the variables do.)

The right click options allow you to add new variable names, add new paths, reorder the path variables in the list, and more.

This can be a great tool for quickly going in and getting an overview of what is there, checking for bad or missing paths, or quickly adding a new path to a variable name.

If you haven’t already checked this one out then give it a spin.

This program is “Free Ware” / “Donation Ware”, so if you like it, then you know how that works. (There is a button for that too.)

I hope others find this tool as useful as I did.

That’s it for this time.


Get the Security Descriptor of a Windows Service With WMI

Reason for Project:

A while back I wrote a little utility to temporarily turn off the Microsoft Security Essentials Anti-Virus / Anti-Malware service.

In January of 2013 I discovered that my application no longer worked due to an Access Denied error. I started to investigate why and discovered my application no longer had the “Rights” to shut down the service even though it was “Run As Admin”.

In order to understand what rights I, or an application I wrote, would have over a service I needed to see what users and rights were assigned to the service. That would also explain why I could no longer control the service through the built-in Service Controller.

Back story:

Beginning with Windows Vista we have service isolation, service hardening and the ability to assign a SID to the service to help secure it further. You also need to secure the registry key where the information about your service is stored so it cannot be changed by unauthorized users or code.

The service can be set up with “Default permissions” or set with “Special permissions”, effectively locking it down to help keep users or malicious code from messing with it.

This is just one of many articles on the subject; see “Services Hardening in Windows Vista”, here.

So services just keep getting better protection to help keep malicious code from stopping or compromising a service.

The Code:

For several months I had been looking for a way to get the security descriptor from a service, but no sample code could be found at the time. I asked the question on Code Project but did not get an answer.

The .Net Framework has a built-in way to get at the security descriptor for the registry, folders, and files, but after going through the Object Browser (.Net 3.5) for some time I could not find a way to do the same for services without creating the needed wrapper classes, like was done for the other items.

So I decided to try Platform Invoke with the “QueryServiceObjectSecurity” function, here.

After several attempts, and asking another question on Code Project without getting an answer, I kept digging and am now close, but not quite there yet, on getting it to work.

Now that I have a working model I can see what I am missing and possibly get it to work.

In the meantime, while still researching how to do it, I stumbled across a question asked on Stack Overflow, here, titled “Getting Win32_Service security descriptor using VBScript”. That question gave me a starting point to try VBScript. Further research landed me on the MSDN page where I think it was originally taken from, here: WMI Security Descriptor Objects.

After seeing that, I was able to work out the following VBScript to get the security descriptor for all services.

VB Script:

'Tested script; still works with the values commented out.
'SE_OWNER_DEFAULTED = &h1
'SE_GROUP_DEFAULTED = &h2
'SE_DACL_PRESENT = &h4
'SE_DACL_DEFAULTED = &h8
'ACCESS_ALLOWED_ACE_TYPE = &h0
'ACCESS_DENIED_ACE_TYPE = &h1

strComputer = "."
' The (Security) privilege in the moniker is needed to read the SACL
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate, (Security)}!\\" & strComputer & "\root\cimv2")

' Get an instance of Win32_SecurityDescriptorHelper
Set objHelper = GetObject( _
    "winmgmts:root\cimv2:Win32_SecurityDescriptorHelper")

Set colServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service")

For Each objService in colServices
    Wscript.Echo "Name: " & objService.Name

    ' Get the security descriptor for the service
    ' (objSD is an out parameter and is filled in by the call)
    Return = objService.GetSecurityDescriptor(objSD)

    ' Report the specific reason before quitting. A plain "<> 0" test
    ' placed first would quit before any of the specific messages ran.
    Select Case Return
        Case 0
            ' No problem, continue on
        Case 1
            WScript.Echo "The request is not supported: " & Return
            WScript.Quit Return
        Case 2
            WScript.Echo "The user did not have the necessary access: " & Return
            WScript.Quit Return
        Case 8
            WScript.Echo "Interactive process: " & Return
            WScript.Quit Return
        Case 9
            WScript.Echo "The name specified was not valid: " & Return
            WScript.Quit Return
        Case 21
            WScript.Echo "The parameters passed to the service are not valid: " & Return
            WScript.Quit Return
        Case Else
            WScript.Echo "Could not get security descriptor: " & Return
            WScript.Quit Return
    End Select

    ' Convert the service security descriptor from
    ' Win32_SecurityDescriptor format to SDDL format
    Return = objHelper.Win32SDToSDDL(objSD, SDDLstring)
    If (Return <> 0) Then
        WScript.Echo "Could not convert to SDDL: " & Return
        WScript.Quit Return
    End If

    WScript.Echo SDDLstring
    WScript.Echo ""
    WScript.Echo ""
Next

This script requires the “Security” privilege keyword in the moniker and must be run as admin for it to work.

That little script took several hours to work out once I got a clue on what needed to go into it.

For the most part it is self explanatory.

The part I had trouble understanding was the object “objSD”.

As it turns out, that is the security descriptor itself. It was the out object from the call to “GetSecurityDescriptor”, and it was also an in object to “Win32SDToSDDL”. I did not totally understand this until I completed the VB.Net version, coming up next.

The script version can be modified to check just one service name or, used “as is”, to get all of them.

VB.Net

The VB.Net version was a little tougher. I first tried to work it out by starting with the code generated from my GUI WMI Code Creator, but that wasn’t working.

I could probably count on one hand the number of times in the last fifteen years that I needed to “Invoke” a method in a WMI class in order to get the information I needed. So I have to relearn how every time.

Here is the Final Project:

[Screenshot: SvcSDDL]

And here is what it looks like after formatting by hand in the textbox.

[Screenshot: SvcSDDLFormated]

As you can see you get the Owner, Group, DACL, and the SACL.

Let’s start with where the program starts: filling in the combo box.

I wanted to test two different ways to see how they worked.

The first is getting the list by using the “System.ServiceProcess” class.

Remember you have to add that reference before you can “Imports” it or use it in your code.

Private Sub FillServiceNames()
    ' Use the ServiceProcess class to fill in the names
    ' (needs a reference to System.ServiceProcess and Imports System.ServiceProcess)
    Dim count As Integer = 0
    Try
        Dim svcs() As ServiceController = ServiceController.GetServices()
        Dim svcCtlr As ServiceController
        For Each svcCtlr In svcs
            cbServiceNames.Items.Add(svcCtlr.ServiceName)
            count = count + 1
        Next
        lblCount.Text = "Services Found: " & count.ToString
    Catch ex As Exception
        MsgBox(ex.Message)
    End Try
End Sub

It is pretty straight forward.

Next is using WMI to fill the Combo Box.

Private Sub FillComboBox()
    ' Use WMI to fill in the names (needs Imports System.Management)
    Dim count As Integer = 0
    Try
        Dim searcher As New ManagementObjectSearcher( _
            "Root\CIMV2", _
            "SELECT * FROM Win32_Service")
        For Each queryObj As ManagementObject In searcher.Get()
            cbServiceNames.Items.Add(queryObj("Name"))
            count = count + 1
        Next
        lblCount.Text = "Services Found: " & count.ToString
    Catch ex As Exception
        MsgBox(ex.Message)
    End Try
End Sub

They both make a call to get a list of services, then do a For Each loop and fill the combo box with the service names.

That was the easy part.

When I first couldn’t figure out the proper way to invoke a method by trial and error, I tried to use the “Strongly Typed” classes generated by “MgmtClassGen.exe” to get a better idea of what they wanted, but I was still getting errors and could not figure out some of the required parameters. After several hours of that I tried the (original) WMI Code Creator. It has a section that generates code that works with methods. The code produced by that was not working, and there was one parameter that I just could not figure out.

My next idea was to turn to a program called “WMI Delphi Code Creator”, found here.

I was given a link to it after I posted my article on my GUI WMI Code Creator, which does not do methods.

That program was able to produce code using methods like the (original) WMI Code Creator, but it was in C#, so I had to convert it to VB.Net.

So those that want a C# version may want to check it out.

(Side note on that program: if you don’t want it calling home for updates then uncheck that option in the options section. Also, they have an installer and a standalone version.)

After generating the two required methods, to get the security descriptor and to transform it from a Win32SD to an SDDL string, I dropped the code into the project and started piecing it together.

After several hours of working with the code, reading more on it and fixing several items that used the same names in both generated methods, the code finally went all of the way through and output to the text box.

I was so happy that it stopped crashing that at first I didn’t understand the results that were returned.

There was no SDDL string returned, and I had two different error codes returned that were not listed in the normal WMI return codes. The first one, returned from the “GetSecurityDescriptor” method, was this: 2147943714 (converted: 0x80070522).

As it turns out it is a “privilege not held” error from the system, not WMI.

So back to the “Strongly Typed” classes to see if I could figure out what I was missing. I found this in the function “GetSecurityDescriptor”:

Dim EnablePrivileges As Boolean = PrivateLateBoundObject.Scope.Options.EnablePrivileges
PrivateLateBoundObject.Scope.Options.EnablePrivileges = true

That gave me the answer.

So without further ado, here is the final code.

' Needs Imports System.Management and Imports System.Text
' (the Sub name is assumed; the post shows only the body)
Private Sub GetServiceSDDL()
    Try
        Dim strbldr As New StringBuilder
        Dim svcName As String
        ' SelectedIndex is -1 when nothing is selected. Comparing it to
        ' Nothing tests against 0 and would wrongly reject the first item.
        If cbServiceNames.SelectedIndex < 0 Then
            MsgBox("No Service Name Was Selected")
            Exit Sub
        Else
            svcName = cbServiceNames.SelectedItem.ToString
        End If

        Dim ComputerName As String = "localhost"
        Dim Scope As ManagementScope
        If Not ComputerName.Equals("localhost", StringComparison.OrdinalIgnoreCase) Then
            Dim Conn As New ConnectionOptions()
            Conn.Username = ""
            Conn.Password = ""
            Conn.Authority = "ntlmdomain:DOMAIN"
            Scope = New ManagementScope([String].Format("\\{0}\root\CIMV2", ComputerName), Conn)
        Else
            Scope = New ManagementScope([String].Format("\\{0}\root\CIMV2", ComputerName), Nothing)
        End If
        ' Without EnablePrivileges the call fails with 2147943714
        ' (0x80070522, privilege not held). Set it before connecting,
        ' for the local and the remote scope alike.
        Scope.Options.EnablePrivileges = True
        Scope.Connect()

        Dim Options As New ObjectGetOptions()
        'Dim Path As New ManagementPath("Win32_Service.Name=""AdobeARMservice""")
        Dim Path As New ManagementPath("Win32_Service.Name=" & "'" & svcName & "'")
        Dim ClassInstance As New ManagementObject(Scope, Path, Options)

        Dim inParams As ManagementBaseObject = ClassInstance.GetMethodParameters("GetSecurityDescriptor")
        Dim outParams As ManagementBaseObject = ClassInstance.InvokeMethod("GetSecurityDescriptor", inParams, Nothing)

        ' Hex form of the return code, used in the "not listed" message
        Dim operrHex As String = String.Format("0x{0:X2}", outParams("ReturnValue"))
        Select Case CUInt(outParams("ReturnValue"))
            Case 0
                ' No problem, continue on
            Case 2
                MsgBox("Error Code 2" & vbNewLine & "The user does not have access to the requested information.")
                Exit Sub
            Case 8
                MsgBox("Error Code 8" & vbNewLine & "Unknown failure.")
                Exit Sub
            Case 9
                MsgBox("Error Code 9" & vbNewLine & "The user does not have adequate privileges.")
                Exit Sub
            Case 21
                MsgBox("Error Code 21" & vbNewLine & "The specified parameter is invalid")
                Exit Sub
            Case Else
                MsgBox("Error Not Listed" & vbNewLine _
                    & "Error Code" & vbNewLine _
                    & outParams("ReturnValue").ToString _
                    & vbNewLine & "Hex:" _
                    & vbNewLine & operrHex)
                Exit Sub
        End Select

        '********************
        'Start the conversion
        '********************
        Dim Path2 As New ManagementPath("Win32_SecurityDescriptorHelper")
        Dim ClassInstance2 As New ManagementClass(Path2)
        Dim inParams2 As ManagementBaseObject = ClassInstance2.GetMethodParameters("Win32SDToSDDL")
        ' The Descriptor out parameter of GetSecurityDescriptor is the
        ' Win32_SecurityDescriptor object that Win32SDToSDDL takes as input
        inParams2("Descriptor") = outParams("Descriptor")
        Dim outParams2 As ManagementBaseObject = ClassInstance2.InvokeMethod("Win32SDToSDDL", inParams2, Nothing)

        strbldr.AppendLine("Security Descriptor in SDDL Format")
        strbldr.AppendLine()
        strbldr.AppendLine("Service Name:" & svcName)
        strbldr.AppendLine()
        Dim opstr As String
        If outParams2("SDDL") Is Nothing Then
            opstr = "SDDL String is nothing"
        Else
            opstr = outParams2("SDDL").ToString
        End If
        strbldr.AppendLine(opstr)
        tbOutput.Text = strbldr.ToString
    Catch ex As Exception
        MsgBox(ex.Message)
    End Try
End Sub

The first part of the code just checks to see if a service name was selected from the combo box. If it was it sets “svcName” to the name that was selected.

Next starts the generated code. This code is set up for local and remote use; I left it as is.

This part checks to see if you are connecting to WMI on the local system or over the network. If over the network it supplies the network credentials; if not, it doesn’t use that parameter, so it is set to “Nothing” instead of “Conn” as above.

As I hinted above, the whole trick to getting this to work without the error above is the “Scope.Options.EnablePrivileges = True” setting, followed by Scope.Connect().

Next we set up to connect to the given service name and call the “GetSecurityDescriptor” method.

This is one of the lines that gave me so much trouble.

Dim outParams As ManagementBaseObject = ClassInstance.InvokeMethod("GetSecurityDescriptor", inParams, Nothing)

In VBScript it is:

' Get security descriptor for Service
Return = objService.GetSecurityDescriptor( objSD )

What is objSD? It is not declared anywhere, as it would be in VB.Net, but it just works in the script.

And the WMI Code Creator output:

' Execute the method and obtain the return values.
Dim outParams As ManagementBaseObject = _
    classInstance.InvokeMethod("GetSecurityDescriptor", Nothing, Nothing)

I couldn’t figure out what they were wanting for a “ManagementBaseObject” when I was working with the “Strongly Typed” classes.

The next line is just there so that if you receive an error other than the normal ones in the list, it gets the hex version of the error and adds that to the message box.

Next we set up the Select Case statement using the values that would be output.

Next we set up for the Conversion.

Now we are at the line that I had so much trouble understanding.

inParams2("Descriptor") = outParams("Descriptor")

In VB Script:

Return = objHelper.Win32SDToSDDL( objSD,SDDLstring )

In the WMI Code Creator you had to give a name; who knew what it was supposed to be.

' Add the input parameters.
inParams("Descriptor") = InsertNameHere

The WMI Code Creator listed it as type “Object” but that was not very helpful.

From the “objSD” in the script I assumed it was a security descriptor object, but I didn’t know that was the object you worked with. It is the out parameter of the first call; in this case it was called, amazingly, “outParams”.

The last part just sets up the string builder with the name of the selected service.

Then it verifies there is actually an output for the SDDL string.

Then finally it writes the information out to the textbox.

Once you understand what the input and output is expecting then it makes the job easier.

Later I may still go back and see if I can complete the Platform Invoke version just to see if I can figure it out now that I know what is involved using other methods.

I hope you learned something because I did.

SC.exe Utility

To get the DACL using this utility, use the command:

sc sdshow ServiceName

To get the SID of a service, use the command:

sc.exe showsid ServiceName

Note: this command uses undocumented API calls to create a SID from the service name.
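As an added example (my code, not the post's), here is the derivation behind what sc showsid prints: a service SID is S-1-5-80 followed by the SHA-1 digest of the upper-cased UTF-16LE service name, read as five little-endian DWORDs. It then uses that to put names on the raw S-1-5-80 trustees quoted in the “Microsoft Security Essentials Locked Down Even More” post further down this page; str.upper() is assumed to match Windows upcasing for the ASCII service names involved.

```python
"""Derive a per-service SID (what `sc showsid` prints) from the service name and
use it to label raw S-1-5-80 trustees in a service DACL. Added example."""
import hashlib
import struct
from typing import Dict, Iterable, Optional


def service_sid(service_name: str) -> str:
    """Return S-1-5-80-<d1>-<d2>-<d3>-<d4>-<d5> for a service name.

    The five sub-authorities are the SHA-1 digest of the upper-cased name
    encoded as UTF-16LE (no terminator), read as little-endian DWORDs.
    str.upper() is assumed to match Windows upcasing for ASCII names.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    dwords = struct.unpack("<5I", digest)
    return "S-1-5-80-" + "-".join(str(d) for d in dwords)


def name_service_sids(sids: Iterable[str],
                      candidate_names: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map each SID to 'NT SERVICE\\<name>' when a candidate name hashes to it.

    A DACL carries only the raw SID, so the match is made by recomputing the
    SID for every service name you know about; unmatched SIDs map to None.
    """
    table = {service_sid(n): "NT SERVICE\\" + n for n in candidate_names}
    return {sid: table.get(sid) for sid in sids}


# The four S-1-5-80 trustees quoted from the MsMpSvc DACL in the MSE post, and
# the service names that post lists for them.
MSMPSVC_SERVICE_SIDS = [
    "S-1-5-80-3232712927-1625117661-2590453128-1738570065-3637376297",
    "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464",
    "S-1-5-80-391397178-1713532359-3388783719-1671243502-2983178441",
    "S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966",
]
KNOWN_SERVICES = ["wscsvc", "TrustedInstaller", "MsMpSvc", "msiserver"]

if __name__ == "__main__":
    for sid, name in name_service_sids(MSMPSVC_SERVICE_SIDS, KNOWN_SERVICES).items():
        print(sid, "->", name or "(no candidate matched)")
```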

Final Notes:

These functions should only work on Vista and above.


References:

Getting Win32_Service security descriptor using VBScript: http://stackoverflow.com/questions/4651060/getting-win32-service-security-descriptor-using-vbscript

GetSecurityDescriptor method of the Win32_Service class: http://msdn.microsoft.com/en-us/library/windows/desktop/aa390785(v=vs.85).aspx

Win32SDToSDDL method of the Win32_SecurityDescriptorHelper class: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394056(v=vs.85).aspx

WMI Security Descriptor Objects: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394577(v=vs.85).aspx

Privilege Constants (WMI): http://msdn.microsoft.com/en-us/library/windows/desktop/aa392758(v=vs.85).aspx

Executing Privileged Operations: http://msdn.microsoft.com/en-us/library/windows/desktop/aa390428(v=vs.85).aspx

Changing Access Security on Securable Objects: http://msdn.microsoft.com/en-us/library/windows/desktop/aa384905(v=vs.85).aspx

WMI Return Codes: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394574(v=vs.85).aspx

WMI Error Constants: http://msdn.microsoft.com/en-us/library/windows/desktop/aa394559(v=vs.85).aspx

WMI Delphi Code Creator: http://theroadtodelphi.wordpress.com/wmi-delphi-code-creator/

Service Changes for Windows Vista: http://msdn.microsoft.com/en-us/library/windows/desktop/bb203962(v=vs.85).aspx

Service Accounts Step-by-Step Guide (AD): http://technet.microsoft.com/en-us/library/dd548356.aspx

WMI .NET Scenarios: http://msdn.microsoft.com/en-us/library/ms257352(v=vs.80).aspx


Blue Screen 7b after Windows update

I dual boot Windows Vista Ultimate 64-bit and Windows 7 Ultimate 64-bit. Today (4/28/2013) I ran Windows Update on both partitions, and when restarting the Vista partition I ended up with a STOP 0x0000007B: INACCESSIBLE_BOOT_DEVICE blue screen, which, as best I can find, is a problem with the disk or a driver.

The Windows 7 partition worked fine, so I tried running Check Disk from Win 7 against the Vista drive letter. It found and repaired some problems, but Vista still crashed on reboot and would not create a new boot log to help with the troubleshooting.

After looking around some more and not finding the source of the problem, I put in the OEM Vista disk, started up from it, and then clicked on Repair Windows Installation.

See these links for directions:

http://www.vistax64.com/tutorials/91467-startup-repair.html

http://www.vistax64.com/tutorials/194765-system-recovery-options.html

After that ran for a bit it finally came back with the source of the problem: “A patch is preventing the system from starting”.

And the resolution was “Repair action: System Restore”.

Thankfully I still had system restore enabled to fix the problem easily.

After the system restore was completed the system was able to boot into Vista again.

I still cannot find a log file or trouble report that points at which update (“patch”) was causing the problem; there were 8 important security updates.

The log file for the startup troubleshooter can be found in %Windows%\System32\LogFiles\Srt and the file name is SrtTrail.txt. At the end it shows what it says caused the problem.

Hope this helps someone.


Microsoft Security Essentials Locked Down Even More

The ability to temporarily stop the service has been locked down even more.

Earlier this year I installed Microsoft Security Essentials on my mom’s old single-core Windows XP system. Sometimes as she was playing games her pointer would float or hang on her, along with other system performance problems.

As with all antivirus/anti-malware programs, they can on occasion have a tendency to have a mind of their own and hog system resources, slowing down the system or just plain blocking what you are doing until they are done with a scan. Most have a way to temporarily stop the service to get control back, or to temporarily stop it if something needs to run that it would otherwise slow down or stop the system at an inconvenient time. MSSE did not have that ability built in; you would have to use the built-in service control console to stop it.

I dusted off the VS 2008 service controller control and relearned how to use it, at least well enough to do what I needed. I was now able to start and stop the service with the click of a button. That was just what I needed, because my mom would not be able to navigate to the built-in service control console, figure out which service it was, and then stop it.

I “just” (yeah right, like it was that easy) had her download a copy from my online file share, and then I could talk her through how to unzip and use it. That was great: only 2 buttons, 1 to start and 1 to stop. Worked great for her.

The problem came in as I was setting up a new desktop tower I had ordered for her. I began to clean out some of the preinstalled junk, set up some favorites, and transfer some of my favorite tools so I could remote assist with Windows 7 Easy Connect.

After uninstalling the preinstalled 60-day trial of Norton (whatever version it was) and then installing Microsoft Security Essentials, I decided to try my service controller application to make sure it still worked. It failed with an error of “Can not open MsMpSvc service on Computer “.”. Ok, so what does that mean? I had to add the inner exception message as a return message and got “Access is Denied”.

[Screenshot: MSSvcAccessDenied]

The next question is what is being denied. So I went to the built-in service controller console and discovered that all buttons are disabled there and you can’t do anything for that service, even as an Admin.

[Screenshot: ServiceControlerDisabled]

I also went through the services in the list one by one and discovered there are several others that this happens to.

After looking at the Security tab in Sysinternals Process Explorer I discovered that the Administrators group still had full control. I also discovered that those access rights were just for the file system and not the service controller. Ok, so I was allowed to possibly delete the files but not stop the service.

Next I turned to the console application “SC.exe” and ran the command “sc sdshow MsMpSvc”. It returned a list like this:

D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRRC;;;S-1-5-80-3232712927-1625117661-2590453128-1738570065-3637376297)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-391397178-1713532359-3388783719-1671243502-2983178441)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Wow, what a list.

So after building a small app to decode all of the two-letter code names and SIDs I came up with a list of “Allowed” users:

“BUILTIN\Users”,
“NT AUTHORITY\SYSTEM”,
“BUILTIN\Administrators”,
“NT AUTHORITY\INTERACTIVE”,
“NT AUTHORITY\SERVICE” ,
“NT SERVICE\wscsvc”,
“NT SERVICE\TrustedInstaller”,
“NT SERVICE\MsMpSvc”,
“NT SERVICE\msiserver”

all with various rights assigned to them.

The one I should be most concerned with is this one, (A;;CCLCSWRPLOCRRC;;;BA) “BUILTIN\Administrators”. So what does this mean?

After decoding the rights using the chart from here or here on MSDN we get:

(You can also find them listed in the Sddl.h header file.)

A= allowed
CC= SDDL_CREATE_CHILD
LC= SDDL_LIST_CHILDREN
SW= SDDL_SELF_WRITE
RP= SDDL_READ_PROPERTY
LO= SDDL_LIST_OBJECT
CR= SDDL_CONTROL_ACCESS
RC= SDDL_READ_CONTROL

Ok, so the CR tells us we have control access, but why does the application still fail with “Access Denied”?

The answer, I believe, lies in “Code Access Security”, here on MSDN. Too large a topic for this article.

This is definitely a subject I have a lot more to learn about.

Best I can tell is, first, the program is not installed and runs as a standalone application, which tells the system it is an unknown application, and it will deny the application access even though it is run as Administrator and the Administrators group is allowed control access. Next, it is not digitally signed by an authorized signing authority with the certificate stored on the system, so that is a second strike.

So, can this application be fixed to work again? Possibly. I still have a lot to learn and research to attempt to get it to work again.

Though the point of locking down this service in the first place is so malicious code can’t just shut down the service and do nasty things to the system freely.

Back to Microsoft Security Essentials. So what changed and when ?

Since I dual boot Windows Vista and Windows 7, and I normally work in Vista, I still had the Windows 7 partition to check this out on, since it had not yet had the Windows update applied that made the big change.

I ran a script that listed the files in the folder where the application and service .dll reside, before and after the update. There were several files that were updated, removed or added with this update.

Next I ran the “SC” command sc sdshow MsMpSvc to see what changed.

Here were the permissions for the built-in Administrators group before the update:

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)

And here after:

(A;;CCLCSWRPLOCRRC;;;BA)

So what was removed after the update?

DC= SDDL_DELETE_CHILD
WP= SDDL_WRITE_PROPERTY
DT= SDDL_DELETE_TREE
SD= SDDL_STANDARD_DELETE
WD= SDDL_WRITE_DAC
WO= SDDL_WRITE_OWNER

Basically, the ability to make any changes to it or take ownership of it.
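Decoding this by hand gets tedious, so here is an added Python example (my code, not the decoder app described above) that parses the D: and S: sections of an SDDL string such as sc sdshow or the WMI program earlier on this page output, decodes the rights codes and trustee abbreviations, and diffs the Administrators ACE before and after the update. It goes one step beyond the generic Sddl.h names listed above: it also maps each code to the service-specific access right the same bit means on a service object (the winsvc.h names), so SDDL_WRITE_PROPERTY reads as SERVICE_STOP. The descriptor strings are quoted from this post.

```python
"""Parse the DACL and SACL of a service SDDL string (as printed by `sc sdshow`
or returned by Win32SDToSDDL), decode rights and trustees, and diff one
trustee's rights between two descriptors. Added example, not the post's app."""
import re
from typing import Dict, List

# The generic two-letter codes (Sddl.h names, as tabulated in the post) map
# to object-specific rights on a service (winsvc.h), which is what the
# service control manager actually checks.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known trustee abbreviations that appear in the post's descriptor.
TRUSTEES = {
    "BU": "BUILTIN\\Users", "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM", "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE", "WD": "Everyone",
}
ACE_TYPES = {"A": "allowed", "D": "denied", "AU": "audit"}

# A section is O:, G:, D: or S: followed by a SID or a run of (...) ACEs.
SECTION_RE = re.compile(r"([OGDS]):((?:\([^)]*\)|[^()])*?)(?=[OGDS]:|$)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(rights: str) -> List[str]:
    """'CCLCSW' -> ['CC', 'LC', 'SW']; a hex mask such as 0x1F01FF is kept whole."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_ace(text: str) -> Dict:
    """Fields are positional: type;flags;rights;object_guid;inherit_guid;sid.
    So 'WD' in the rights field is WRITE_DAC but 'WD' in the sid field is
    Everyone, and 'FA' in the flags field is an audit flag, not a right."""
    ace_type, flags, rights, _obj, _inh, sid = (text.split(";") + [""] * 6)[:6]
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": flags,
        "rights": split_rights(rights),
        "trustee": TRUSTEES.get(sid, sid),
    }


def parse_sddl(sddl: str) -> Dict:
    out = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for key, value in SECTION_RE.findall(sddl):
        if key in ("O", "G"):
            out["owner" if key == "O" else "group"] = TRUSTEES.get(value, value)
        else:
            out["dacl" if key == "D" else "sacl"] = [
                parse_ace(a) for a in ACE_RE.findall(value)]
    return out


def rights_for(sddl: str, trustee: str) -> List[str]:
    """Rights codes of the first allow ACE for `trustee` in the DACL."""
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["type"] == "allowed" and ace["trustee"] == trustee:
            return ace["rights"]
    return []


def rights_removed(before: str, after: str, trustee: str) -> List[str]:
    """Codes `trustee` had in `before` that are gone in `after`."""
    kept = set(rights_for(after, trustee))
    return [r for r in rights_for(before, trustee) if r not in kept]


def describe(codes: List[str]) -> List[str]:
    """Generic code -> the service-specific right it grants on a service."""
    return [SERVICE_RIGHTS.get(c, c) for c in codes]


# Quoted from the post: the full MsMpSvc descriptor after the update, and the
# Administrators ACE before and after KB2754296.
MSMPSVC_SDDL = (
    "D:(A;;CCLCSWRPLOCRRC;;;BU)(A;;CCLCSWRPLOCRRC;;;SY)(A;;CCLCSWRPLOCRRC;;;BA)"
    "(A;;CCLCSWRPLOCRRC;;;IU)(A;;CCLCSWRPLOCRRC;;;SU)"
    "(A;;CCDCLCSWRPWPDTLOCRRC;;;S-1-5-80-3232712927-1625117661-2590453128-1738570065-3637376297)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-391397178-1713532359-3388783719-1671243502-2983178441)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-685333868-2237257676-1431965530-1907094206-2438021966)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
BA_BEFORE = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
BA_AFTER = "D:(A;;CCLCSWRPLOCRRC;;;BA)"

if __name__ == "__main__":
    for ace in parse_sddl(MSMPSVC_SDDL)["dacl"]:
        print(ace["type"], ace["trustee"], describe(ace["rights"]))
    gone = rights_removed(BA_BEFORE, BA_AFTER, "BUILTIN\\Administrators")
    print("removed from Administrators:", gone, describe(gone))
```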

So which update was this ?

Microsoft Security Essentials Client Update Package – KB2754296, which was apparently released in September 2012, but I didn’t update the Windows 7 partition until the end of November.

This update was supposed to address performance issues and security and so far it appears to have done both.

As I have said, the whole point of locking down this service is to keep malware from wreaking havoc on a system and to keep it from bypassing the service by shutting it down, as they have done so many times in the past.

For further research I can try to install the application, digitally sign it and install the test cert. I can also attempt to request the specific permission for control in the code. Until this update it was not required, so I need to dig deeper and learn more.

As a final note, during the research for this I ran across a link on a site to an older KB article, here, for XP systems, where some of the letters are different than listed above.


Troubleshooting Missing AS: Data in Wireshark’s Endpoint Maps

If you read my last post titled “Troubleshooting Wireshark’s IP Endpoint Map” then you know I found a workaround for the Endpoint maps not working in IE9 or Firefox.

After completing that post I downloaded the latest version of Wireshark and installed it.

When I got it up and running I first tested to see if it had the same problem as before with the maps not showing at all in IE9. Yes, it had the same problem. So I renamed the existing map template file to ipmapOriginal, then copied the new template file I created to the Wireshark program file directory. It will let you open and edit the contents in Notepad++ in the program files directory, but it will not let you save the changes you made to the file in that directory. It popped up a message telling me to check if it is open by another program. It was most likely an Access Denied error that was suppressed. I originally had to copy the file to another directory and then modify it in that directory in order to make the changes.

You can rename the existing file there with UAC enabled, and it will just pop up a warning asking for permission to make the change.

After doing another test with the new template file in place, the map did show up in IE9 and Firefox, but when checking the points on the map I realized that the “AS” data was missing from the maps. (hmm this IP Look Familiar)

WiresharkIPV4b

So I looked back in Wireshark and the data was there, but there was an extra column labeled AS Number that was all blank, as you can see below.

WireSharkIPV4a

So at this point I’m thinking I messed up something on the new install because I didn’t let the old version remove the saved settings on the uninstall. I uninstalled this new version, reinstalled the version that came out just before it, and tested again. Same problem. I uninstalled again, cleaned up any files and folders left behind, rebooted, and went back yet another version. Same problem. That ruled out a problem with a single version, because the same thing happened in all three.

Next I started searching the source code, but nothing made it apparent why it would display two columns with the same name. I compared the same section in the three versions of the source code and it was identical, so that part hadn’t changed. So I reinstalled the latest version of Wireshark again, fixed up my settings, added the saved profile and restarted it.

From what I have seen in the source code, the program searches the directory you supply for the GeoIP .dat files, looks up the IP number in each one, and returns the data associated with the IP, including the “AS” number (Autonomous System Number; here are a few interesting links for more information on AS numbers: Link 1, Link 2, Link 3). It then fills the data into the columns if the IP was found in the database.

See here on using the GEOIP in Wireshark.

Next I started looking back at older maps that had been created and looked at the HTML source to see when the data started to disappear. I didn’t have to go very far back, but I did have to move the old files from the temp folder to a new folder so I could sort by creation date more easily.

That helped me narrow down when it started happening, but not why. So what had happened around the time the data started going missing from the map files? The only thing I could remember being done then was that I had installed a newer version of Wireshark, but I don’t remember it being a problem then; or I just never noticed the extra column, because you have to expand the box to see it. Also at the time I wasn’t looking at the maps, even though I was doing a lot of captures to get information for a test I was doing with Remote Assistance on my local network.

My next step was to look in the folder where the GeoIP files were located. The ones needed for the IPv4 data were there, but so were the IPv6 versions, so I moved those to a sub-folder, restarted Wireshark and surfed random sites from my history to get a lot of different locations to map. I then stopped the capture and checked the IPv4 section to see what it looked like.

WireSharkIPV4c

As you can see from the screen shot it is back to normal.

So what was the problem ?

The best I can tell, without being able to step through the code in a debugger, is this: when it looked for the files it found two country files in the folder, the IPv4 and the IPv6 versions, and tried to load one column for each file. The IPv4 section could not load the IPv6 information into the second column, and when it gathered the information for building the maps it read from the variable for the second column (which was blank) instead of the first column, where the data was actually showing up. So the program must not expect two columns in that section. In the source code it looks for files whose names start with “Geo” and end with “dat”, which all of the files in the folder did, so it tried to load the data from all of them; the file contents are never checked.

If you have this problem, check whether you have the IPv6 files in the same folder as the IPv4 files.

It might help IPv6 support to have a separate folder for the IPv6 files and point the program at that folder, as it does for the IPv4 files. The harder way is to add more validation that checks the contents of the files instead of just their names.
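Here is a check that does what the last sentence describes, validating the file contents rather than the names. It is an added example, not part of this post or of Wireshark: a PowerShell script that reads the database-type byte from the trailer of each Geo*.dat file (the legacy MaxMind format stores a three-byte 0xFF 0xFF 0xFF delimiter followed by the type near the end of the file, which is how libGeoIP itself identifies a database) and warns when one folder holds both the IPv4 and the IPv6 edition of the same family. The type numbers in the table are my recollection of libGeoIP’s GeoIP.h and should be treated as an assumption; the two sample files at the bottom are constructed and only exercise the parser.

```powershell
# Added example (not from the post or from Wireshark): classify MaxMind legacy
# GeoIP .dat files by the database-type byte in their trailer and flag a folder
# that mixes IPv4 and IPv6 editions of the same family.

# Subset of the database types in libGeoIP's GeoIP.h (values as I recall them;
# treat as an assumption and check against your libGeoIP headers).
$GeoIpTypes = @{
    1  = @{ Family = 'Country'; V6 = $false }   # GEOIP_COUNTRY_EDITION
    12 = @{ Family = 'Country'; V6 = $true  }   # GEOIP_COUNTRY_EDITION_V6
    2  = @{ Family = 'City';    V6 = $false }   # GEOIP_CITY_EDITION_REV1
    30 = @{ Family = 'City';    V6 = $true  }   # GEOIP_CITY_EDITION_REV1_V6
    9  = @{ Family = 'ASNum';   V6 = $false }   # GEOIP_ASNUM_EDITION
    21 = @{ Family = 'ASNum';   V6 = $true  }   # GEOIP_ASNUM_EDITION_V6
}

function Get-GeoIpDatabaseType {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 4) { return $null }
    # libGeoIP starts 3 bytes from the end and slides back one byte at a time
    # (20 positions) looking for FF FF FF; the byte after it is the database type.
    $last  = $bytes.Length - 3
    $first = [Math]::Max(0, $last - 19)
    for ($i = $last; $i -ge $first; $i--) {
        if ($bytes[$i] -eq 0xFF -and $bytes[$i + 1] -eq 0xFF -and $bytes[$i + 2] -eq 0xFF) {
            if ($i + 3 -ge $bytes.Length) { return $null }   # delimiter but no type byte
            $type = [int]$bytes[$i + 3]
            if ($type -ge 106) { $type -= 105 }              # very old databases stored type + 105
            return $type
        }
    }
    return $null
}

function Test-GeoIpFolder {
    param([Parameter(Mandatory)][string]$Folder)
    $editions = @{}
    # Wireshark's own scan is name-based only: prefix "Geo", suffix ".dat".
    Get-ChildItem -Path $Folder |
        Where-Object { -not $_.PSIsContainer -and $_.Name -like 'Geo*.dat' } |
        ForEach-Object {
            $type = Get-GeoIpDatabaseType -Path $_.FullName
            $info = if ($null -ne $type) { $GeoIpTypes[$type] } else { $null }
            if ($null -eq $info) {
                Write-Warning ("{0}: unknown or unreadable database type ({1})" -f $_.Name, $type)
                return   # acts as 'continue' inside ForEach-Object
            }
            $ver = if ($info.V6) { 'IPv6' } else { 'IPv4' }
            Write-Host ("{0,-24} {1,-8} {2}" -f $_.Name, $info.Family, $ver)
            if (-not $editions.ContainsKey($info.Family)) { $editions[$info.Family] = @() }
            $editions[$info.Family] += $ver
        }
    foreach ($family in $editions.Keys) {
        if ($editions[$family] -contains 'IPv4' -and $editions[$family] -contains 'IPv6') {
            Write-Warning "'$family' is present as both IPv4 and IPv6 in $Folder; Wireshark will try to load a column for each. Move the IPv6 files to their own folder."
        }
    }
}

# Constructed sample files: a filler body plus a valid trailer only, enough to
# exercise the parser. They are not real MaxMind databases.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'geoip-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$body = [byte[]](1..64)
[System.IO.File]::WriteAllBytes((Join-Path $demo 'GeoIP.dat'),   [byte[]]($body + @(0xFF, 0xFF, 0xFF, 1)))
[System.IO.File]::WriteAllBytes((Join-Path $demo 'GeoIPv6.dat'), [byte[]]($body + @(0xFF, 0xFF, 0xFF, 12)))
Test-GeoIpFolder -Folder $demo
```

Point `Test-GeoIpFolder` at the directory you configured under Edit > Preferences > Name Resolution > GeoIP database directories to check a real installation. The constructed pair above trips the warning, because it contains the Country edition in both versions, which is the situation described in this post.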

While researching the GeoIP data files on the MaxMind site (Here), I read in their forums that the GeoLite databases had an accuracy problem at the beginning of 2012, even giving locations in the wrong country or several hundred miles off. The problems were supposed to have been solved in later versions.

The Endpoint map feature is not a make-or-break feature of Wireshark, but it is nice to look up some of the locations on occasion to get an idea of where the traffic is going.

Another thing I noticed was that if you have multiple IPs that work out to the same location or “AS” number, you still get only one point on the map.

It would be nice to see how many different IPs mapped to that one point. There may be a way to do it in the template; the locations are already added to the file, so it would just have to be implemented. But that is a research project for another day.

That’s it for this time.

I hope someone found this helpful.

Posted in RootAdmin

Troubleshooting Wireshark’s IP Endpoint Map

If you have ever used Wireshark then you may have seen the option to view the endpoints on a map.

Select Statistics > Endpoints, which brings up the endpoint box shown below.

Wireshark1

Wireshark2

Here you select the IPv4 tab to get the Endpoint Map button to enable.

It does not work on the IPv6 or any other tab (at least not in this test).

When you click on the map button you should see something like this if you are running IE9 (mine: Version 9.0.8112.16421, Build 98112).

Wireshark3

Or if you are running Firefox then you should see this (mine: Version 14.0.1).

Wireshark5

 

These screenshots were taken after I fixed the code. The map sits lower on the page because it is centering the points on the screen.

But here is what you got in IE9 and then Firefox before I fixed it.

wireshark6

How many have seen this in IE9?

Wireshark7

If you notice, on this one the navigation control is messed up in Firefox.

So what is the problem?

As it turns out, the OpenLayers API changed; the current version is something like 2.2.

When I first started investigating this several months ago I had saved the openlayers.js file. I found the workaround then of just using Firefox, so I stopped investigating.

Then, in my recent investigations after it wouldn’t work in Firefox at all, I used Windiff to compare the two “openlayers.js” files, the old one I had saved and the new one that got downloaded while testing, and discovered there were changes. That meant I had to figure out how to update the output file from Wireshark to get it to work in the browsers. I viewed the new API info (Here) to find out what needed changing.

Now, I am not a web developer, so this took a lot longer to figure out than it should have.

So, using IE9’s F12 developer tools, I first discovered that there was a call to add a control name that is no longer used in the current version of the API. After commenting out the control name I started to get somewhere in Firefox, but still not in IE9.

So what’s the deal in IE9? As it turns out, IE hates extra commas: if it runs across one, the call fails, but for some reason Firefox seems to ignore them. More precisely, a trailing comma inside an object literal was a syntax error in the old JScript engine, and a trailing comma in an array literal added an extra undefined element; ES5 engines accept both, but IE9 only behaves as an ES5 engine in its standards document mode, so a page that renders in quirks mode (as this one still does, see below) gets the old behaviour.

Next I had to figure out how Wireshark created the files it uses. After downloading the complete source code for the latest stable version, I ran a strings utility I made on the folder containing the source code, searching for the string “ipmap”.

One of the files that “ipmap” showed up in, after viewing the source code, told me that Wireshark uses an HTML file located in its program directory as a template for creating the temp file that it opens in your default browser. Basically, the program takes the template file, adds the endpoint information it gets (if any), then writes that to a new temp file. So in order to fix future maps created and opened by Wireshark, I have to replace this file with an updated version. First rename the original to something else, so you can refer back to it if you need to and don’t end up overwriting it.

The Fix

Here we will concentrate on what code gets changed in order to fix the problem and be able to view new maps when we click the button in Wireshark.

The only changes are really for the API controls and handling two extra commas to get it to work in IE9.

Here is a screenshot of the affected code in a file produced by the original version of the template.

wireshark9Commented

So how do we fix this? The second extra comma is the easiest one: we either just delete the comma, which then messes with the output for the zoom control, or we add the value that was left off in the original version when they were testing it (they had 18; I put 10).

wireshark10

That handles that extra comma. Now what about the other one?

Short of adding code to Wireshark to remove the extra comma at the end of where the program adds the endpoints, we create a workaround by adding a fake endpoint to the template file.

We also have to replace some of the controls that get added, as you can see in the two screenshots below.

Here are the old and new versions of the template.

Wireshark14

Wireshark15

So now, using the new version of the template, it works in both the latest version of IE9 and Firefox (on my system anyway).

It is still running in “Quirks mode” in IE9 and Firefox, though, and is not HTML5 compliant. I have not tested this in any other browser because I just don’t have them installed.
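A scripted version of the same two fixes, as an added example rather than the template from this post or Wireshark’s own code: a PowerShell function that removes a trailing comma before `]` or `}` in the JavaScript literals of a map file (the thing the old JScript engine trips over) and rewrites the `<script src>` from the live openlayers.org URL to a local, pinned copy. The exact script URL in the real template is not shown in the post, so the pattern it matches, and the local path `OpenLayers-2.12/OpenLayers.js`, are assumptions; the sample HTML at the bottom is constructed and only stands in for a generated map.

```powershell
# Added example (not the post's template or Wireshark code): patch a generated
# map file, or the ipmap.html template, so it works in IE9's quirks mode and
# no longer depends on whatever script openlayers.org serves today.

function Repair-IpMapHtml {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumed local, pinned copy of the API next to the HTML file.
        [string]$LocalOpenLayers = 'OpenLayers-2.12/OpenLayers.js'
    )
    $html = [System.IO.File]::ReadAllText($Path)

    # 1. Trailing comma before a closing ] or }. ES5 engines tolerate it; the
    #    older JScript engine (IE9 outside standards mode) does not.
    $trailing = ',(\s*[\]\}])'
    $commas   = [regex]::Matches($html, $trailing).Count
    $fixed    = [regex]::Replace($html, $trailing, '$1')

    # 2. Remote API reference -> local pinned copy (URL pattern is an assumption).
    $remote  = 'src=["'']https?://openlayers\.org/[^"'']*["'']'
    $scripts = [regex]::Matches($fixed, $remote).Count
    $fixed   = [regex]::Replace($fixed, $remote, ('src="{0}"' -f $LocalOpenLayers))

    if ($fixed -ne $html) {
        Copy-Item -Path $Path -Destination "$Path.orig" -Force   # keep the original
        [System.IO.File]::WriteAllText($Path, $fixed)
    }
    New-Object PSObject -Property @{
        File                  = $Path
        TrailingCommasRemoved = $commas
        ScriptTagsPinned      = $scripts
        Changed               = ($fixed -ne $html)
    }
}

# Constructed sample standing in for a generated map file (not real Wireshark output).
$sample = @'
<script src="http://openlayers.org/api/OpenLayers.js"></script>
<script>
var points = [
  {lon: -97.0, lat: 38.0, ip: "192.0.2.10"},
  {lon: 2.35, lat: 48.85, ip: "198.51.100.7"},
];
var zoom = { numZoomLevels: 10, };
</script>
'@
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'ipmap-demo.html'
[System.IO.File]::WriteAllText($demo, $sample)
Repair-IpMapHtml -Path $demo | Format-List
Get-Content -Path $demo
```

Run it against the template from an elevated prompt, since the file lives under Program Files; on the template only the script-src rewrite and the zoom-control comma apply, because the comma after the endpoint list appears only in the generated file (which is why the fake endpoint workaround exists). The comma regex would also touch a `,]` inside a string literal, which a map file should not contain, but the `.orig` backup is there if the output looks wrong.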

Download the new file.

If you think this solution may work for you, I have made my new template file available on my SkyDrive (Here); the file name is newipmap.zip.

Using the File

Okay, so you got the file; now what do you do with it?

First, as I mentioned above, locate the original file.

Mine is in “C:\Program Files\Wireshark” and the file name is “ipmap.html”.

Rename that file to something like “ipmapOriginal.html” so you still have it if you need it later.

Next, unzip the file you got from my SkyDrive, copy it to the directory where the original file is, and rename it to “ipmap.html”. You may get a prompt on the renames in this location asking for admin approval if UAC is enabled.

After that, Wireshark “should” use the new version of the file for creating the maps in the temp folder. The path to one of mine is “C:\Users\David\AppData\Local\Temp\Wireshark IP Map a01688”. The number on the end and the username are the only things that would change in the path for anyone else.

Final Note:

If these fixes are added to a new version of Wireshark then this fix will break.

Also, if the API changes again, this fix can break from that as well.

The only way to keep it from breaking in the future is to keep the files required for the API on a dedicated site for Wireshark, or ship a copy alongside the template, and point the output files at that location for a chosen API version, rather than at the “http://openlayers.org” site where the API gets updated. Pinning also removes a dependency worth being uneasy about anyway: every time you open a map, the page executes whatever JavaScript that site happens to serve, fetched over plain HTTP; with a local pinned copy the page only runs code you have reviewed.

Hope this has helped to explain and solve the problem for you.

If you have any questions or problems please let me know.

Posted in RootAdmin

Troubleshooting Events in Event Viewer

 

This post will deal with troubleshooting two recent events on a Windows Vista Ultimate 64-bit system (my system).

Problem # 1

When you go to the Event Viewer and see something like this.

LotsOfEventViewerErrors

Naturally you want to look and see what is going on. So you open one of them and see this.

ErrorEventprops1

OK, that’s real helpful. What is that CLSID? You can use a registry search tool, but you may or may not find it.

What happened to me first, when I did a search using a 32-bit registry search tool on a 64-bit system, was that I was unknowingly being redirected to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID key rather than the HKEY_CLASSES_ROOT\CLSID key where I thought I was searching. Of course I didn’t find that CLSID until I searched by hand in regedit. Windows Vista has redirection for only certain keys in the registry; see more info on “Registry Keys Affected by WOW64” Here on MSDN. (A 32-bit tool can look at the 64-bit view if it opens keys with the KEY_WOW64_64KEY access flag; the native 64-bit regedit sees it without any help.)

I discovered the redirection by running Sysinternals Process Monitor in the background while running the registry search tool, to figure out why I wasn’t finding the key.

Now, the info on the General tab is somewhat helpful if you know what it means, but let’s go to the Details tab and see what more it has to offer.

EventPropDetail1

Starting at the Provider section at the top, let’s go through and see what this all means.

Name: tells us what is doing the starting here.

GUID: is the ID of the “Name”.

EventSourceName: is the friendlier name we see; in this case it is DCOM.

Event ID: you can look it up online or click the link on the General tab to see what Microsoft has to say about the event. Here it was Event ID 10016.

Qualifiers: I found there is little information on it besides what the data type is.

Version: I’m not real sure it pertains to figuring things out, and I haven’t looked that item up yet.

Time: can help narrow down what else may have been happening at the time.

EventRecordID: just gives us the record number in the event log.

Process ID and Thread ID: can help if it is still running; just use Sysinternals Process Explorer to locate the process ID, then go to the Threads tab, check the thread ID and see what is happening. Most of the time, though, the operation will have finished by the time you see the log, so those values may not be much help.

Channel: may or may not lead you in the right direction. In this case it is System, and param7, S-1-5-18, is the same as User ID = S-1-5-18, which is the SID for the Local System account.

Then we have all of the rest of the parameters.

So what does all of this tell us so far? DCOM and parameter 8 tell us it is a networking component. Parameters 2 and 3 tell us something was trying to launch locally. Parameters 5, 6 and 7 tell us it was probably going to be started as a system service. For reference, on Vista the 10016 message is assembled from these parameters as “The %1 permission settings do not grant %2 %3 permission for the COM Server application with CLSID %4 to the user %5\%6 SID (%7) from address %8”, so parameter 4 is always the CLSID to look up.

That leaves us with the actual item at parameter 4. As I said at the beginning, I was getting redirected to a different key, so I made a new program to help me track down these items more easily. Here is what it looks like searching for the listed CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1}. Most searches for a CLSID will be done with the top-left button, “Go HKCR”, but I added the other two for the alternate locations in case you can’t find it in the main one.

ClsidSearch2

As you can see from this, my system has 5,805 CLSIDs listed in the root CLSID key.

Next we right-click on the listing in the program and click Go to Key, which lands us here.

CLSIDreg1

Oh yeah, it’s the Associated Device Presence Class. What’s that? Well, let’s see if the LocalService sub-key will help.

If we follow the AppID, it just tells us it is a local service and gives the launch permissions as a REG_BINARY security descriptor (the LaunchPermission value). Not as useful for this search.

CLSIDreg2

OK, now we know it has to do with IPBusEnum, but what is that? An internet search tells us it is a service for enumerating Plug and Play network devices (one link here). I happen to have a network printer installed on my local network.

So where does that leave us? What could cause an error of “The application-specific permission settings do not grant Local Launch permission for…”? There are a few things I can think of. The link in the event said possibly DCOM security permissions; not this time. The user may not have permission to launch the application; most likely not this either, as it is the System account trying to start the service. Well, maybe the service is not installed. So we check the Services utility for it.

When I looked I discovered that the service was installed but disabled, and I, um, remembered I had disabled it while checking something a few days or so before and hadn’t re-enabled it, so it started filling my log to get back at me. One strange thing that happened was that when I changed it from Disabled to Manual it changed itself to Automatic (Delayed Start).

Here is a screenshot of the current setting.

services1cropa

Just re-enabling the service solved the problem, and no more events were logged for it.

As it turns out, in this case the information in the link from the event log (Here) was misleading in a way, as it tried to get the user to check COM/DCOM for the problem. The reason it didn’t have permission was that the service was not started, so it was never able to get the permissions to run. So checking whether the service is installed and enabled is the quickest thing to do before messing with DCOM settings.
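Here is the same lookup scripted, as an added example (not the Enum 64 Bit CLSID tool from this post): a PowerShell function that resolves a CLSID from a 10016 event to its class name, AppID and LocalService, reports the service’s state and start type, and checks the native view (HKLM\SOFTWARE\Classes, which is what HKCR shows a 64-bit process) before the Wow6432Node view, so the WOW64 redirection that fooled the 32-bit search tool is explicit instead of silent. The second function pulls param4 out of recent 10016 events with Get-WinEvent; the provider name Microsoft-Windows-DistributedCOM is the one DCOM events are logged under on Vista and later, and the assumption that param4 holds the CLSID matches this post. Win32_Service is used for the start type because Get-Service only exposes it in newer PowerShell versions.

```powershell
# Added example (not the post's tool): resolve a 10016 CLSID to class, AppID,
# LocalService and service state, checking the native registry view before
# the 32-bit Wow6432Node view so WOW64 redirection is explicit.

function Resolve-DcomClsid {
    param([Parameter(Mandatory)][string]$Clsid)

    # HKCR is a merged view of HKLM\SOFTWARE\Classes (plus HKCU\Software\Classes,
    # skipped here); a 32-bit process is redirected to the Wow6432Node branch.
    $views = @(
        @{ Name = 'native';      Root = 'HKLM:\SOFTWARE\Classes' },
        @{ Name = 'Wow6432Node'; Root = 'HKLM:\SOFTWARE\Wow6432Node\Classes' }
    )
    foreach ($view in $views) {
        $clsidKey = Join-Path $view.Root "CLSID\$Clsid"
        if (-not (Test-Path -Path $clsidKey)) { continue }

        $class  = Get-ItemProperty -Path $clsidKey
        $result = New-Object PSObject -Property @{
            View         = $view.Name
            CLSID        = $Clsid
            ClassName    = $class.'(default)'
            AppID        = $class.AppID
            LocalService = $null
            State        = $null
            StartMode    = $null
        }
        if ($class.AppID) {
            $appKey = Join-Path $view.Root "AppID\$($class.AppID)"
            if (Test-Path -Path $appKey) {
                $svcName = (Get-ItemProperty -Path $appKey).LocalService
                $result.LocalService = $svcName
                if ($svcName) {
                    # Win32_Service carries StartMode (Disabled/Manual/Auto) on every version.
                    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$svcName'"
                    if ($svc) {
                        $result.State     = $svc.State
                        $result.StartMode = $svc.StartMode
                    } else {
                        $result.State = 'not installed'
                    }
                }
            }
        }
        return $result
    }
    Write-Warning "$Clsid was not found in either registry view"
}

# Every distinct CLSID from recent 10016 events (param4 is the CLSID).
function Get-Dcom10016Clsids {
    param([int]$MaxEvents = 100)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            ($data | Where-Object { $_.Name -eq 'param4' }).'#text'
        } |
        Sort-Object -Unique
}

# The CLSID from the post, then a sweep of the log.
Resolve-DcomClsid -Clsid '{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}' | Format-List
Get-Dcom10016Clsids | ForEach-Object { Resolve-DcomClsid -Clsid $_ } |
    Format-Table View, ClassName, LocalService, State, StartMode -AutoSize
```

A result with StartMode of Disabled is the case described above: the activation fails before any DCOM permission is consulted, so changing permissions in Component Services would not help. Only when the service is installed and enabled, and the events continue, is it worth looking at the LaunchPermission descriptor.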

Problem #2

This is another somewhat misleading event that was logged. It got logged while I was checking some information with one of my tools.

EventErrorMine

This time, after using my tool to search for the CLSID, it tells me that the COM Server application trying to start is “VSSCoordinator Class”. Well, VSS sounds familiar. OK, this time I need to use a different button on my new tool: get the AppID from the first registry key and use the AppID button on the tool to look it up and see if it gets me more information.

What I found was that it is the “Volume Shadow Copy Service”, and the local service is “VSS”.

So what caused that error? This time it was this little program, which uses Win32_ShadowCopy to enumerate the shadow copies on the system.

ShadowCopy

What actually caused the error was that the information the program was accessing needed elevated privileges, so it threw an error; the very next entry was a success, after right-clicking and running it as Administrator. Using just a simple try/catch block with MsgBox(ex.Message) for error handling in this program, here is what we see when it is run as a standard user.

ShadowCopyError

That’s a real helpful message. But since I built the application I knew what the problem was: the program needed to be run as Administrator. So if you see the last part, “Initialization Failure”, in another WMI application, check whether it needs to be run as an Administrator. (Some WMI classes do not return all properties if Administrator rights are required, or just throw an error like this one.)
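The check a practitioner would add in front of that query, as an added example (not the Win32_ShadowCopy tool from this post): test whether the current token is elevated before calling Win32_ShadowCopy, so a standard-user run explains itself instead of surfacing as a bare “Initialization failure”, and report the exception type along with the message when WMI does fail. The property list in the Select-Object is a subset of what Win32_ShadowCopy exposes.

```powershell
# Added example (not the post's tool): test for elevation before querying
# Win32_ShadowCopy, and surface the WMI exception type on failure.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ShadowCopySummary {
    if (-not (Test-IsElevated)) {
        throw 'Win32_ShadowCopy needs an elevated prompt (right-click, Run as administrator).'
    }
    try {
        Get-WmiObject -Class Win32_ShadowCopy -ErrorAction Stop |
            Select-Object ID, VolumeName, InstallDate, Persistent, ClientAccessible
    } catch {
        # Exception type plus text is far more useful than the message alone.
        throw ('WMI query failed ({0}): {1}' -f $_.Exception.GetType().Name, $_.Exception.Message)
    }
}

Get-ShadowCopySummary | Format-Table -AutoSize
```

The elevation test is the same membership check a UAC-aware tool does on startup; with a filtered (non-elevated) administrator token it returns false, which is exactly the state the screenshot above was taken in.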

Well, that’s it for this time. I hope the information here is helpful for your investigations.

My Tools:

My tools can be found on my SkyDrive (Here), along with several others I have posted.

The tools associated with this post are Win32_ShadowCopy.zip, Windows Restore Point Viewer.zip (just threw that one in), Enum 64 Bit CLSID.zip, and ServiceDetail.zip to get the info on the services.

Note:

The tool called Enum 64 Bit CLSID, when run on a 32-bit system, will pop up an error dialog when you try to use the two 64-bit-specific buttons, as those registry keys don’t exist on a 32-bit system.

As usual, all utilities are free to use and are provided as-is. They only retrieve info and do not write to the system, except maybe to the application data folder if I forgot to uncheck the save-settings-on-shutdown option while building them.

Please let me know if you have any questions or if you find any bugs in the programs, and I will try to resolve them. Remember, some or most of these will need to be run elevated to get at some of the information. They are admin tools, after all.

Posted in RootAdmin