Thursday, March 31, 2016

What are all the AppX entries under HKCU\Software\Classes?

If you poke around in the Registry a bit, you'll find a lot of weirdly-named entries under HKCU\Software\Classes that start with AppX. They represent Windows Store apps, and you can see which entry is which by looking at the ApplicationName entry under the Application subkey.

There was some confusion over the purpose of these keys and whether they indicated a virus, so I wrote this to hopefully turn up in the search results to answer that question if other people have it.
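The check described above, scripted: an added PowerShell example (not part of the original post) that walks the AppX* keys under HKCU\Software\Classes and resolves each one to its ApplicationName, so the oddly named entries can be matched to Store apps instead of being mistaken for malware. It assumes the key layout described above (AppX…\Application\ApplicationName) and PowerShell 3 or later; the observation that ApplicationName is often an indirect @{Package?ms-resource://…} string is mine, and the regex only applies when the value has that shape.

```powershell
# Added example, not from the original post. Resolves every AppX* class key
# under HKCU\Software\Classes to the application it belongs to.
function Get-AppXClassEntries {
    param([string]$ClassesPath = 'HKCU:\Software\Classes')

    Get-ChildItem -Path $ClassesPath -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'AppX*' } |
        ForEach-Object {
            $appKey = "$ClassesPath\$($_.PSChildName)\Application"
            $name   = $null
            if (Test-Path -Path $appKey) {
                $name = (Get-ItemProperty -Path $appKey -ErrorAction SilentlyContinue).ApplicationName
            }
            # ApplicationName is often an indirect string of the form
            # @{PackageFullName?ms-resource://...}; when it is, keep the package part.
            $package = $null
            if ($name -match '^@\{([^?]+)\?') { $package = $Matches[1] }
            [pscustomobject]@{
                ClassKey        = $_.PSChildName
                ApplicationName = $name
                Package         = $package
            }
        }
}

$entries = Get-AppXClassEntries

# One line per package, with the number of AppX keys that point at it.
$entries | Where-Object Package | Group-Object Package |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Keys that name no application at all are the ones worth a closer look.
$entries | Where-Object { -not $_.ApplicationName } | Select-Object ClassKey
```

Enumerating HKCU\Software\Classes can take a few seconds on a machine with many installed apps; the second listing is normally empty on a healthy system.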

Wednesday, March 30, 2016

Escaping from a colon-lettered drive

As I already found out, it's possible for drives to have letters that aren't letters. Some symbols are more interesting than others, especially the colon. You'd think that you could change to such a drive by typing two colons at the prompt, but that's actually interpreted as a line label and does nothing. To change to that drive, you need to do cd /d "::\". Also interesting is that typing c: to go back to the C drive from there sometimes works and sometimes has no effect. cd /d "c:\" always works, though.

Sunday, March 27, 2016

Running Game Maker games on Windows 8

It appears that games compiled with Game Maker (7 or 8 I know for sure, haven't tested Studio) can experience crashes on Windows 8. The crashes seem to be related to sounds; I've seen it happen when two instances of the same sound try to play at once. Disabling all sounds in the game code worked, but that's not really an option for people without the source. Fortunately, running in compatibility mode for Windows 7 generally fixes the problem.

Saturday, March 26, 2016

Drive letters that aren't letters

An interesting thing about the subst command is that it will allow you to assign drive letters that aren't letters. For instance,

subst 1: C:\path\test

completes successfully, and you can change to the 1: drive in that command prompt. As far as I can tell, this works with all characters that aren't spaces. Unicode characters work too, but they'll render as a question mark (though they aren't garbled into one).

Closing the command prompt and opening a new one keeps the substitutions working. Unfortunately, it seems that only the command prompt is in on the joke, because other programs like Explorer won't handle it. Not even \\?\ paths help, so these "letters" are probably just a cmd facade.

Friday, March 25, 2016

Typing the U with umlaut (ü) on the Microsoft Pinyin keyboard

If you use the Microsoft Pinyin keyboard/IME to type Chinese characters, you'll probably eventually need to type a word that involves ü - the U with umlaut (two dots above it) - in the Pinyin. Pressing the normal U key always makes the keyboard assume you wanted an undecorated U.

There is a simple, but completely unobvious way to get that fancy character. Pressing the V key when a ü is valid Pinyin for the current cursor position will indeed insert a ü.

Thursday, March 24, 2016

How to look at the triggers of a "Manual (Triggered)" service

Some Windows services, like Windows Update, have a Startup Type of Manual (Triggered). The alleged triggers appear nowhere in the Services snap-in. What, then, is triggering them?

The triggers can be examined and configured with the sc utility. Specifically, sc qtriggerinfo ServiceName produces a list of the start and stop triggers for that service. For Windows Update, its triggers are based on Group Policy. You can set triggers with the triggerinfo subcommand. Help on using that can be obtained by typing sc triggerinfo (without a service name) at the prompt.

Wednesday, March 23, 2016

Redirecting command prompt output to files without butchering the encoding

I just answered this Super User question, which asked how to stop the command prompt from mangling the encoding of the fancy box-drawing characters in the output of tree. The characters showed up fine in the console, but got wrecked when the output was redirected to a file. No amount of chcp encoding changing helped.

The only way around it I could think of was to use a program that plays nice with text encoding. PowerShell was a great candidate - it handles UTF-16LE just fine, and can easily put the output of a classic command into a file.

The old broken command:

tree > tree.txt

The PowerShell command (with equivalent shorter version below):

Invoke-Expression "tree" | Out-File "tree.txt"
iex "tree" > "tree.txt"

Running the PowerShell command from the command prompt:

powershell -command "iex \"tree\" > \"tree.txt\""

The resulting file is intact and can be seen with type or in Notepad.

Tuesday, March 22, 2016

When "An attempt was made to query the existence of a blank password for an account" is logged

A cause of some paranoia and panic on the Internet is Windows 8's tendency to log batches of events to the Security log that say "An attempt was made to query the existence of a blank password for an account."

Those events are entirely normal - they appear even on a completely fresh machine. Today I discovered that an event is logged for each local account every time one of these two things happens:

  • The username/picture tile in the upper-right of the Start screen is pressed. The events are logged even on domain-joined machines where the resulting menu contains no local users. In this case, the Subject is the logged-in user.
  • The logon screen shows the list of active local users. In this case, the Subject is NT AUTHORITY\LOCAL SERVICE.
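To triage these events rather than just reading them one by one, here is an added PowerShell example (not from the original post) that pulls them from the Security log and groups them by Subject and by second, so the two expected sources described above (LOCAL SERVICE from the logon screen, an interactive user from the Start screen tile) stand out from anything else. It assumes the event ID that carries this message is 4797 (Windows 8 / Server 2012 and later), that the EventData fields are named Subject*/Target*, and that it runs elevated, since reading the Security log needs administrator rights.

```powershell
# Added example, not from the original post. Lists and groups the
# "blank password" audit events from the last N hours.
function Get-BlankPasswordQueryEvents {
    param(
        [int]$Hours   = 24,
        [int]$EventId = 4797   # assumption: the ID logged with this message text
    )
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Read the named EventData fields from the XML rendering instead of
        # scraping the message text.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        $subject = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        # The two benign sources described above, keyed on the Subject.
        $source = 'Start screen account tile (interactive user)'
        if ($subject -eq 'NT AUTHORITY\LOCAL SERVICE') { $source = 'Logon screen user list' }

        [pscustomobject]@{
            Time         = $e.TimeCreated
            Subject      = $subject
            Target       = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LikelySource = $source
        }
    }
}

$events = Get-BlankPasswordQueryEvents -Hours 24

# Who is doing the querying: LOCAL SERVICE and interactive users are expected.
$events | Group-Object Subject, LikelySource |
    Select-Object Count, Name | Format-Table -AutoSize

# Bursts of one event per local account within the same second are the
# pattern described above; a steady trickle from one subject is not.
$events | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm:ss') } |
    Select-Object Count, Name | Sort-Object Name | Format-Table -AutoSize
```

A subject that is neither LOCAL SERVICE nor a user who was actually logged on at that time is the case worth following up; the count per burst should match the number of local accounts on the machine.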

Monday, March 21, 2016

Looking at alternative hostnames on SSL certificates

It's possible for a single SSL certificate to support multiple domains (not just wildcard domains like *.google.com). If you're interested in examining the other hostnames affiliated with a certificate, you can use the normal Windows certificate properties window.

In Chrome, you can get to that window by clicking the padlock or page icon next to the address bar, switching to the Connection tab, and clicking Certificate information. In the resulting window, switch to the Details tab and select the Subject Alternative Name item.


It appears that Blogger at one point was accessible at blogblog.com, but going there now produces a Google-themed error page.
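The same information without the dialog: an added PowerShell example (not from the original post) that reads the Subject Alternative Name extension from an exported certificate file with .NET and then checks whether a given hostname is covered, applying the usual rule that a wildcard such as *.google.com matches exactly one leftmost label. It assumes Windows (the "DNS Name=" rendering comes from CryptoAPI's formatter) and a placeholder path for the exported certificate.

```powershell
# Added example, not from the original post.
function Get-CertificateSubjectAltNames {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    # 2.5.29.17 is the OID of the Subject Alternative Name extension.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($true) renders one entry per line ("DNS Name=www.example.com").
    # Only DNS names are collected; IP or e-mail entries carry other prefixes.
    $san.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim().ToLowerInvariant() }
    }
}

function Test-HostnameCoveredBySan {
    param([Parameter(Mandatory)][string]$Hostname, [string[]]$SanNames)
    $h = $Hostname.ToLowerInvariant()
    foreach ($n in $SanNames) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            # A wildcard covers exactly one leftmost label: *.google.com matches
            # mail.google.com, but neither google.com nor a.b.google.com.
            $suffix = $n.Substring(1)                       # ".google.com"
            if ($h.Length -gt $suffix.Length -and $h.EndsWith($suffix)) {
                $leftmost = $h.Substring(0, $h.Length - $suffix.Length)
                if ($leftmost -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

$names = Get-CertificateSubjectAltNames -Path 'C:\placeholder\exported.cer'   # placeholder path
'Names on the certificate: ' + ($names -join ', ')
foreach ($candidate in 'www.example.com', 'example.com', 'a.b.example.com') {
    '{0,-20} covered: {1}' -f $candidate, (Test-HostnameCoveredBySan -Hostname $candidate -SanNames $names)
}
```

Export a certificate from the same Details tab (Copy to File) to get a file the first function can open; the second function is the check a browser performs when it decides whether the certificate matches the address bar.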

Sunday, March 20, 2016

Automatically redirecting HTTP to HTTPS in IIS

If you want to automatically redirect the HTTP version of a site to HTTPS (SSL) with IIS, you have a few options. One option would be to write up some code in Global.asax. Another option, if you would prefer to avoid writing new code, would be to take advantage of an optional IIS component.

That component is HTTP Redirection, under Common HTTP Features in the feature management dialog. Once that feature is installed, an entry called HTTP Redirect will appear in the IIS manager. The easiest way to use it to do the redirection is to create a new empty site, bind that to port 80, and set that feature on just the new site to serve a permanent redirect to the HTTPS version of the URL.

Settings that cause the site to redirect to https://example.com
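The same configuration, scripted: an added PowerShell example (not from the original post) that creates the empty port-80 site and sets the HTTP Redirect feature on it with the WebAdministration module rather than through the IIS Manager GUI. It assumes the HTTP Redirection feature is already installed, that the module is available, and uses placeholder site and folder names; https://example.com stands in for the real site.

```powershell
# Added example, not from the original post. Builds the redirect-only site
# described above and configures system.webServer/httpRedirect on it.
Import-Module WebAdministration

$siteName = 'HttpToHttpsRedirect'        # placeholder
$root     = 'C:\inetpub\redirect-empty'  # placeholder: stays empty, serves no content
$target   = 'https://example.com'        # the HTTPS site to send visitors to

if (-not (Test-Path $root)) { New-Item -ItemType Directory -Path $root | Out-Null }

# Empty site bound only to port 80; the real site keeps its 443 binding.
if (-not (Get-Website -Name $siteName -ErrorAction SilentlyContinue)) {
    New-Website -Name $siteName -PhysicalPath $root -Port 80 | Out-Null
}

# Equivalent of the HTTP Redirect page in IIS Manager: a permanent (301)
# redirect. exactDestination=$false keeps the requested path and query, so
# http://example.com/a/b goes to https://example.com/a/b rather than the root.
$filter = 'system.webServer/httpRedirect'
$psPath = "IIS:\Sites\$siteName"
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name destination        -Value $target
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name exactDestination   -Value $false
Set-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name httpResponseStatus -Value 'Permanent'

# Show what was written; the same values end up in the site's web.config.
Get-WebConfiguration -PSPath $psPath -Filter $filter |
    Select-Object enabled, destination, exactDestination, httpResponseStatus
```

The real site must not also carry a plain *:80 binding, or the two sites will conflict over the port; move any existing port-80 binding to the redirect site first.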

Friday, March 18, 2016

Enabling Remote Desktop with Group Policy

If you want to enable a computer as a Remote Desktop server (i.e. allow remote connections to it) via Group Policy, you need to set two options, both under Computer Configuration:

  • Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections → Allow users to connect remotely by using Remote Desktop Services (set to Enabled)
  • Administrative Templates → Network → Network Connections → Windows Firewall → (a profile) → Windows Firewall: Allow inbound Remote Desktop exceptions (set to Enabled)
Once those two items are enabled, the affected machines will allow users to connect remotely.

Thursday, March 17, 2016

When IIS serves blank pages instead of error messages

I noticed that my web site was serving completely blank pages instead of any kind of error when a user attempted to visit a nonexistent page. I had set an error document for code 404 in the IIS Manager, but it didn't help.

Some research turned up this Stack Overflow question, the top answer of which led me to the solution. Evidently, the error redirection feature in IIS requires a Windows feature, specifically Internet Information Services → World Wide Web Services → Common HTTP Features → HTTP Errors, which in some cases does not get enabled by default.

My site is actually hosted on a Windows Server 2008 machine, so the Windows Features dialog doesn't exist. The feature in question is a Role Service of the IIS (Web Server) role.

Wednesday, March 16, 2016

Even enabling SeBackupPrivilege is not enough

SeBackupPrivilege gives one the ability to bypass object ACLs to read those objects. Having a privilege available, however, is not the same thing as having it enabled. For instance, creating symbolic links is a privilege that administrators usually have, but attempting to use the link creation API without first enabling SeCreateSymbolicLinkPrivilege will fail. The mklink tool enables that privilege to do its job.

Interestingly, enabling SeBackupPrivilege does not give the process read authority everywhere. Doing that only allows the use of the FILE_FLAG_BACKUP_SEMANTICS option in the CreateFile function, which is what actually leverages the power. Therefore, one can't just switch on the privilege and run programs that don't try anything special; programs not in the know will request normal access and fail if the ACL denies the requested access.

Tuesday, March 15, 2016

No logon servers available even when ping works on one

I recently did some troubleshooting in an Active Directory environment. A power outage had just occurred, and suddenly some workstations were unable to find a logon server even though I could ping a properly-functioning server from them.

The clue appeared in the IP configuration: the DNS suffix and the DNS servers were gone. The router responsible for DHCP had somehow lost those items; it was using a blank DNS suffix and Google's DNS servers. That explained why only some machines were affected - laptops (not affected by short power outages) didn't get a new DHCP lease because they didn't reboot.

When I restored those settings and ran ipconfig /renew and ipconfig /flushdns on the affected machines, everything started working again.

Monday, March 14, 2016

FMod - v2.8.3

It's been two years now since the release of Abiathar v1.0. To celebrate that occasion, I've decided to finally release the small changes I've made since v2.8.2 as v2.8.3 despite not having accomplished everything I hoped for. You can read about the notable changes in "Small Fixes" and "Circumventing GDI+".

The new version is now out on the update server.

Saturday, March 12, 2016

7-zip "Store" archives' fault tolerance

The 7-zip file compression software has a compression mode called Store that just jams a bunch of files and folders into one archive file without doing any actual compression. Compression and decompression with these archives is quite fast and not at all CPU-intensive.

I did some tests and discovered that when one part of such an archive is damaged, only the file that the modified range represents is corrupted. In fact, it's not really even corrupted - the 7-zip extraction process will warn about a checksum mismatch, but it will extract the modified file.

Bookkeeping (addresses, checksums, and file names) is kept at the beginning and end of the archive file. If that part is damaged, a hex editor may be required to pull the remaining data out. Fortunately, the middle of the archive is pure user data; the start of one file is immediately after the end of the previous.

Friday, March 11, 2016

SSL certificate acquisition security and Outlook Online groups

Many organizations that issue basic SSL certificates use e-mail to verify ownership of the domain. Such processes involve sending a verification code to hostmaster or postmaster or webmaster at the domain in question (or its parent, in the case of subdomains).

I know of some enterprise and academic organizations that use Office 365 and Outlook Online for their e-mail. One feature of Office 365 is groups, which can function as faux-addresses that forward all e-mails to the group members. Depending on the settings, users can form and disband groups as they please without administrative approval.

What do those two facts have to do with each other? Well, imagine what would happen if somebody could create a group called hostmaster. Sure enough, that's possible, and it will indeed produce the group address of hostmaster@domain.tld. If the Outlook addresses are at the root domain, anybody who can form groups can effectively pretend to be the hostmaster and create SSL certificates for the domain. A free issuing entity that uses e-mail verification is StartSSL.

What can be done about that? Some things:

  • Reserve sensitive group names by creating private groups (so users can't join)
  • Don't give normal users addresses at your root domain (do something like ourmail.example.com)
  • Disable the group features if you don't need them
Microsoft might want to consider making sensitive names not allowable as group IDs.
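The first two countermeasures above, scripted for a tenant administrator: an added PowerShell example (not from the original post) that checks whether the addresses certificate issuers contact during e-mail validation already exist in an Exchange Online tenant and, where they are free, reserves each one with a private group owned by an administrator so no user can create it later. It assumes an Exchange Online PowerShell session is already connected (so Get-Recipient and New-UnifiedGroup are available) and that the domain and owner placeholders are replaced; the list of names is the page's, and any further aliases your issuers accept would be added to it.

```powershell
# Added example, not from the original post. Run in a connected Exchange
# Online PowerShell session with rights to create groups.
$domain        = 'example.com'        # placeholder: the domain users get addresses at
$owner         = 'admin@example.com'  # placeholder: administrator who should own the reserved groups
$reservedNames = 'hostmaster', 'postmaster', 'webmaster'   # the validation addresses named above

function Reserve-ValidationAddresses {
    param([string]$Domain, [string]$Owner, [string[]]$Names)
    foreach ($name in $Names) {
        $address = "$name@$Domain"
        # Get-Recipient matches any object carrying that address: a mailbox,
        # a distribution group, or an Office 365 group a user already created.
        $existing = Get-Recipient -Identity $address -ErrorAction SilentlyContinue
        if ($existing) {
            [pscustomobject]@{
                Address = $address
                Status  = 'exists'
                Detail  = '{0} ({1})' -f $existing.DisplayName, $existing.RecipientTypeDetails
            }
            continue
        }
        # Free: take it now with a private group so a user cannot claim it.
        New-UnifiedGroup -DisplayName "Reserved: $name" -Alias $name -AccessType Private -Owner $Owner | Out-Null
        [pscustomobject]@{ Address = $address; Status = 'reserved'; Detail = "private group owned by $Owner" }
    }
}

Reserve-ValidationAddresses -Domain $domain -Owner $owner -Names $reservedNames | Format-Table -AutoSize
```

An address reported as "exists" but owned by an ordinary user is the case the post warns about: whoever owns that group receives the certificate authority's validation mail, so check the owner before treating the name as safely taken.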

Thursday, March 10, 2016

Where's the first sign-in text stored?

When a user signs into a Windows 8 machine for the first time, a big UI experience is shown, involving friendly text on a hue-cycling background. Those texts are things like "Installing your apps" and "You can get more apps from the Store". I figured out where most OS texts are stored, but those specific texts are nowhere to be found in any MUI file I could see. I don't think they would be hardcoded in English, so I'm still searching for where they're kept.

Tuesday, March 8, 2016

Where Windows keeps localized text strings

If, for some reason, you want to know where Windows keeps all the strings of text used by a certain program, you might try looking at the executable of that program. For integral Windows programs, though, you would not find what you're looking for: because Windows supports having multiple language packs on a single machine, the texts for a program can't be embedded in the EXE.

The localized (translated) texts are actually stored in MUI (Multilingual User Interface) files. You'll find the MUI file for a Windows program (or DLL) in a folder named after the language code, in the same folder as the EXE/DLL. For instance, notepad.exe is in \Windows\System32, and its MUI is at \Windows\System32\en-US\notepad.exe.mui. Several subfolders of System32 also have language folders.

The MUI files are technically DLLs (PE images) in their own right, with a single resource called "MUI". The strings appear to be mostly stored as Pascal strings in UTF-16LE, that is, with the length of the string in UTF-16 characters followed by the character data with no null terminator. (There are exceptions, like findstr.exe.mui, and I have no idea what's happening there. You could probably get more insight with a resource editor - I just used a hex editor.)
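A scanner for the string layout just described: an added PowerShell example (not from the original post) that walks a byte buffer looking for a 16-bit character count followed by that many UTF-16LE code units, which is the shape of the Pascal strings above, and runs it over a small constructed buffer so it works with no MUI file at hand. The 16-bit width of the length prefix and the 2-byte stepping are assumptions of this scanner; the commented-out last line points it at a real .mui file instead.

```powershell
# Added example, not from the original post.
function Find-PascalUtf16Strings {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [int]$MinChars = 3,     # shorter hits are mostly noise
        [int]$MaxChars = 512
    )
    $results = @()
    $i = 0
    while ($i -le $Bytes.Length - 2) {
        $len = [BitConverter]::ToUInt16($Bytes, $i)   # assumed: count of UTF-16 code units
        $end = $i + 2 + 2 * $len
        if ($len -ge $MinChars -and $len -le $MaxChars -and $end -le $Bytes.Length) {
            $text = [Text.Encoding]::Unicode.GetString($Bytes, $i + 2, 2 * $len)
            # Accept only printable text; a control character means the "length"
            # was just binary data that happened to look like one.
            if ($text -notmatch '\p{C}') {
                $results += [pscustomobject]@{ Offset = $i; Length = $len; Text = $text }
                $i = $end    # strings are packed back to back, so jump past this one
                continue
            }
        }
        $i += 2              # UTF-16 data is 2-byte aligned, so step by two
    }
    $results
}

# Constructed sample: two Pascal strings back to back, with junk on either side.
$sample = [byte[]](0xFF, 0xFF) +
          [BitConverter]::GetBytes([uint16]5) + [Text.Encoding]::Unicode.GetBytes('Hello') +
          [BitConverter]::GetBytes([uint16]8) + [Text.Encoding]::Unicode.GetBytes('Notepad!') +
          [byte[]](0x00, 0x00, 0x13, 0x37)

Find-PascalUtf16Strings -Bytes $sample | Format-Table -AutoSize
# Finds "Hello" at offset 2 and "Notepad!" at offset 14; the junk bytes are skipped.

# Against a real file (expect some noise from the PE headers alongside the real strings):
# Find-PascalUtf16Strings -Bytes ([IO.File]::ReadAllBytes("$env:SystemRoot\System32\en-US\notepad.exe.mui")) | Select-Object -First 40
```

Raising MinChars cuts most of the false positives from the PE header; what remains are the program's strings in the order the resource stores them, which is a quick way to confirm a text really comes from a given MUI file.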

Monday, March 7, 2016

When svchost.exe takes more and more memory

I just experienced an Interesting Phenomenon.

I noticed in Task Manager that the memory in use by a certain svchost.exe instance was 4 GB and continuously rising. Poking around in the Processes tab revealed that numerous services were hosted by that one process, including Windows Update and Windows Management Instrumentation. Stopping the Windows Update service made the memory usage stop rising, but it didn't free anything. The extra usage only went away after I rebooted. It would appear that there's a memory leak in the Windows Update service.

Sunday, March 6, 2016

If you can install arbitrary software, you're an administrator

Today I interacted with someone who wanted to allow a certain non-administrator user account to bypass UAC and access controls for the purpose of installing software. I explained that there's no way sufficient permissions for installing arbitrary programs can be granted without effectively making that user an administrator.

The first problem is that it's not possible to perfectly differentiate between setup programs and utilities that whack important things. Being able to write to admin-only locations (Program Files, Windows, HKLM, HKCR) also allows one to modify existing programs. An attacker would swap a legitimate, frequently-run program out with a malicious program, then wait for a full admin to run it; then bad things happen and the system is compromised. A user that can create or modify Windows services can execute arbitrary code at the highest level of privilege.

Many think the Power Users group is some sort of magic compromise that allows non-admins to install software, but it's only a small step from membership in Power Users to being a full administrator. This is what Microsoft support has to say about that issue:

"Do not use the Power Users group."

Saturday, March 5, 2016

Quickly removing formatting from copied text

I frequently need to copy text and strip the formatting off of it before pasting it into some other text box. (Usually this blog, actually.) I've developed a little procedure for doing this quickly when there is or should be only one line on the clipboard:

  1. Copy the text (Ctrl+C)
  2. Open the Windows Run dialog (Win+R)
  3. Paste the text (Ctrl+V)
  4. Select everything in the box (Ctrl+A)
  5. Copy the text (Ctrl+C)
  6. Remove the dialog (Esc)
At step 3, formatting is stripped from the text because the Run dialog only has a simple text box. At the end of the quick keyboard-only process, the original text is still on the clipboard, but without its formatting.

(For multi-line texts, I have not yet found a quick method to remove formatting, and so I have to open a scratch Notepad window.)

Friday, March 4, 2016

Where Windows stores user certificates

The Certificates Manager MMC snap-in can list and manage certificates. It gives no indication, however, as to where the certificates are actually stored.

The certificates are not stored in files, but in the Registry, in this path under either HKLM (for the system) or HKCU (for an individual user):

\Software\Microsoft\SystemCertificates

EFS public keys are stored in TrustedPeople\Certificates under the above path in HKLM. EFS private keys are stored in the HKCU equivalent. Each certificate gets a subkey of Certificates named the thumbprint. The data is kept in a binary value called Blob that seems to be in the same format as a PKCS #12 file, though I have not tried to run it through a decoder.
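To see that registry path and the Certificates snap-in agree, here is an added PowerShell example (not from the original post) that lists the thumbprint subkeys under the registry store described above for the current user and compares them with what the Cert: drive reports for the same logical store. It assumes the "My" and "TrustedPeople" logical stores map to subkeys of the same name with a Certificates subkey beneath, as the post describes, and that each certificate's data lives in the Blob value.

```powershell
# Added example, not from the original post.
function Get-RegistryCertThumbprints {
    param(
        [string]$Store = 'My',
        [ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU'
    )
    $key = "${Hive}:\Software\Microsoft\SystemCertificates\$Store\Certificates"
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem -Path $key | ForEach-Object {
        # Each subkey is named after the certificate's thumbprint; Blob holds the data.
        $blob = (Get-ItemProperty -Path $_.PSPath).Blob
        [pscustomobject]@{
            Thumbprint = $_.PSChildName.ToUpperInvariant()
            BlobBytes  = if ($blob) { $blob.Length } else { 0 }
        }
    }
}

function Compare-CertStoreViews {
    param([string]$Store = 'My')
    $registry = @((Get-RegistryCertThumbprints -Store $Store -Hive HKCU).Thumbprint)
    $provider = @((Get-ChildItem -Path "Cert:\CurrentUser\$Store").Thumbprint)
    [pscustomobject]@{
        Store           = $Store
        InBoth          = @($registry | Where-Object { $_ -in $provider }).Count
        InRegistryOnly  = @($registry | Where-Object { $_ -notin $provider })
        InCertDriveOnly = @($provider | Where-Object { $_ -notin $registry })
    }
}

Compare-CertStoreViews -Store My
Compare-CertStoreViews -Store TrustedPeople
```

On a normal machine both "only" lists are empty; a thumbprint that appears only in the registry is a certificate written directly to the store without going through the usual APIs, which is the kind of entry worth examining.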

Thursday, March 3, 2016

Which certificate Windows EFS uses to encrypt new files

It's possible to have multiple EFS certificates for one user, allowing that user to have access to files encrypted with the several keys. A question, however, is which certificate will be used to encrypt new files.

The answer is that there's one definitive certificate associated with each user who has EFS files. That certificate is in the system's Trusted People store and is titled with the user's name. When a user looks at the Trusted People store in the Current User scope, the definitive certificate is the one with the user's name that does not have a key on the icon.

Only that certificate is used to encrypt files when the Encrypt contents to secure data box is checked or when cipher /e is used. More certificates can be granted access to the file with cipher /adduser.

Wednesday, March 2, 2016

Great stuff from Stack Overflow

Several months ago, I participated in Stack Overflow's celebration of ten million questions. Yesterday, I received some great items from them in the mail:


That's a Stack Overflow-branded T-shirt, pen, journal, and water bottle. Thanks, Stack Exchange!

Tuesday, March 1, 2016

Opera regression: Jump list items not restored

I did some testing with the Opera browser recently, and while doing that I noticed an interesting thing. The version I originally had - 25, maybe; it had the old non-perfectly-circular-O-with-a-shadow icon - would, upon its jump list tasks being deleted, restore them on the next run. The newest version of Opera does not do this. I couldn't find a way to bring the items back without doing a complete uninstall and reinstall of the program.