About Terminal Server, Citrix, Delphi and other stuff
Benjamin Delpy, the author of the well-known mimikatz toolkit, has released a very cool extension to WinDbg today.
In summary the extension can extract Windows passwords from memory dumps, hibernation files and Virtual Machine .vmem files (paging, snapshots).
The ability to extract passwords from .vmem files was especially interesting, so I decided to test this out. Let’s see how it works!
Recently I published an article on my blog that shows how to run an executable of choice when the Citrix Receiver exits.
Using public resources such as the Citrix Public Symbol Server we can analyze, understand and finally make the code more readable.
I will try to make this session not an “enter the matrix” one but one that could be considered an intro to using IDA Pro for reverse engineering and app compat fixing.
Hope to see you all in Rome, my session is scheduled Friday November 1 from 18.30 – 19.15. There will be room for questions so feel free to take your own Crapplication™ and ask about it after the session.
See you in Rome!
I wanted to do an unattended install of the Microsoft App-V 5.0 SP1 client.
I wanted to install using the MSIs instead of the exe installer, so I unpacked the MSIs from the installer as documented here.
The install failed however with MSI error 1603. I activated logging but that was not very helpful since it only logged "MainEngineThread is returning 1603".
A manual install of the MSI gave a better error message:
I had already installed the MSVC++ 2005 SP1 runtime but the version was slightly lower.
Unfortunately Microsoft doesn’t publish the build numbers with their downloads so it takes some searching to determine the correct download.
Version 8.0.61001 is labeled as "Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package MFC Security Update" and can be downloaded here.
There is a similar requirement for the Microsoft Visual C++ 2010 runtime which should be at least 10.0.40219. This one is easier though because the required version is extracted together with the MSI files.
As a final note you need to set the AcceptEULA MSI property to 1 for both the client and language pack MSI or the install will fail.
I wanted to run a virtual Citrix License server in my LAB.
Unfortunately Citrix only provides the VPX License Server in XenServer format (.xva). If you want to run the VPX on VMware ESX or Microsoft Hyper-V you need to convert it first.
The option to convert a Xen Virtual Appliance to OVF format was removed in XenConvert 2.4.1. So for a conversion you need version 2.3.1.
Here are the direct download links:
However when I tried to convert the downloaded VPX (Citrix_License_Server_VPX_v11.10.0_Build_12002.xva) I got the error "Failed to decode tar header record":
A while ago I was doing some research for Magic Filter when I stumbled upon something interesting within Receiver.
Inside wfica32.exe is a function called _Eng_RunExecutableOnExit. That name caught my interest; I’ve made it a little more readable with IDA Pro:
Today I was troubleshooting a warning message that popped up when launching a network application with RES Workspace Manager:
Usually this is a simple fix: add the servername (file://server) to the Local Intranet zone:
That worked when I launched the application directly. However when launching the application with RES Workspace Manager I would still get the warning. Even stranger: when I clicked Cancel the application would still be launched.
I needed to connect remotely via Remote Desktop to a Windows Server 2012 machine.
I received an rdp file that was configured to use an RD Gateway server:
However, when trying to connect from my Windows 7 (x64) laptop, I got the following error message:
In Enterprise environments users are often working on a remote (virtual) desktop such as when using SBC or VDI.
They typically get a full screen session, perhaps on a thin client, and have no idea that they are using a remote desktop.
Clever users know they can use alternative key combinations such as Shift-F2 for Citrix or Ctrl-Alt-End for RDS.
But that’s not the seamless experience we want to give our users, is it?
Some time ago I wrote about the PNAgent data that is stored in the registry in XML format.
After that post Andrew Morgan asked me if I could extract the PNAgent icons from the XML data.
That got me interested so let’s look at this data!
If you look at the icon data in the PNAgent XML, in the AppData.Details.Icon node, you’ll see something like this:
Seems like the icon data is stored/encrypted in a proprietary format.