Remko Weijnen's Blog (Remko's Blog)

Dear Visitor

Remko — Thu, 01 Nov 2007 14:19:05 +0000

If this is your first visit, take your time and look around. Here are some things you might be looking for:

SasLibEx: a library that can simulate the Secure Attention Sequence (Ctrl-Alt-Del) but it can even unlock a workstation or session without entering or needing the user’s credentials (and many more things).
Who locks my file?
Patch 32 bit Windows to use the full 4 GB (and even more) memory
Patch Terminal Server to allow more Concurrent Sessions: 2003, Windows XP X64, 2003 X64, 2008, Vista
Some of my freeware tools such as LaunchRDP, RDP Password Encryption, Active Directory Excel Addin, RDP Clipboard Fix (well this list can go on and on, see also the Downloads section).

Do you like my work? Did my work help you?

Leave a comment and tell me how it was usefull to you.
If you want you can make a donation with the Paypal Donate Button in the right Sidebar.

Thank you!

Harmony Client crashes upon exit

Remko — Tue, 31 Jan 2012 15:37:08 +0000

Today I was troubleshooting the application “Harmony Client” which crashed upon exiting:

The application had been thinapped and the error only appeared when starting the thinapped version.

Using Process Monitor I noticed that the application wrote logfiles to the C:\Temp\HarmonyClient\Log folder (which of course it shouldn’t write there.).

00.11:12:56.033 Log created on 31-01-2012 (c:\temp\Harmonyclient\Log\HMY_Client_03A2@server_20120131_111256.LOG) User name: testuser
00.11:13:04.423 00000318 TCOEventHandler EXCEPTION: Destroy eventhandler is called while client is still running.
00.11:13:04.424 00000318 TCOEventHandler .Destroy
00.11:13:04.424 00000318 TCOEventHandler .Destroy … Done
00.11:13:04.424 00000318 TCOEventHandler Client disconnected by user

My next step was to trace using the Thinapp Log Monitor but unfortunately the error doesn’t occur when tracing.

This makes me believe it’s a timing issue; upon exit the application is cleaning up memory (objects) but destroys a certain object (eventhandler) while it’s still being accessed.

Upon further inspection of the Process Monitor log I noticed access to a file called HARMONY_Client.exe.9e3c5c50.ini.inuse which was in the ThinApp SandBox (%Local AppData%\ApplicationHistory\HARMONY_Client.exe.9e3c5c50.ini.inuse).

The application creates this file when it’s started and when it exists it copies this to HARMONY_Client.exe.9e3c5c50.ini.

I deleted this file and this made the error go away. Perhaps this fault will surface again in the future, further testing will need to tell us.

Workaround

Delete *.inuse from the SandBox, preferably using a (vbs) script in the thinapp package each time the app is launched.

Solution

Contact Vendor and get them to fix their software and while they’re at it, have them fix access to things such as C:\Temp as well.

Bypassing RES/Appsense Application Security

Remko — Fri, 27 Jan 2012 15:15:38 +0000

The video below shows a Proof of Concept of bypassing Application Security in RES Workspace Manager .

Please note that at this time the code is not publicly available so please don’t ask for it.

EDIT 2: I added a video that I received from someone who tried my Excel Sheet with AppSense Application Manager.

EDIT: I wanted to clarify a couple of things regarding this post.

First of all I would like to explain why I wrote this code and why I choose to test it with RES WM.

I had the idea about this approach a long time ago but I never got around to actually do it. The main reason was that I needed to convert Delphi code to VBA and especially converting some Windows headers was a lot of work. Then suddenly I noticed that someone had already converted the headers, so I all I had to do was rewrite the code that used it to VBA.

The choice for RES was made because of two reasons:

If you want to beat something, you want to beat the best and I most certainly consider RES WM to be one of the top products.
At the time I wrote the POC code I had access to an enviroment with RES in it.

I would like to emphasize that RES contacted me very quickly after publishing this blog. I’ve had contact with RES and they showed a very constructive approach with their primary goal being a fix or guidance for their customers. Hats of to RES taking a constructive approach and I will be working together with RES on this issue.

Finally I would like to state that I didn’t expect this post to draw this much attention, if I did I would have probably taken another approach.

Same demo but now with AppSense:

From Jailbreak to Jailbreak part 2

Remko — Sat, 21 Jan 2012 13:02:15 +0000

In this post, which is a followup on my From JailBreak to Jailbreak post, I will describe the same procedure for A5 devices (iPhone 4S and iPad 2).

A lot of the stuff is really the same so I will not describe that again, this includes the actual update to iOs 5.01, xBackup, SHSH signatures and backup using iTunes.

Currently the Jailbreak for A5 devices with iOS 5 is only for iOS 5.01. Since Apple is expected to release iOS 5.1 very soon it’s highly recommended to update to iOS 5.01 NOW. Especially because it’s not yet possible to downgrade to iOS 5.01 using Tiny Umbrella.

Although a Windows version of the Jailbreak will be released soon (in the form of an updated Redsn0w) I decided to do the Jailbreak now on my iPad2 3G.

Update: the Windows version of the Absinthe Jailbreak has been released and can be found here. Note that all steps below and screenshots refer to the Mac OS X version on a virtualized OS X.

Before you begin, delete any VPN Connections you might have defined on your device.

I used VMWare Workstation and a Virtual Machine with Mac OS X and it worked perfectly.

Connect your iPad2 to the Virtual Machine:
Launch Absinthe and press the Jailbreak button:
The Jailbreak starts automatically, you do not need to go into DFU mode. Note that this first step may take a while (around 30 minutes in my case):
When the process finishes the device is rebooted:
Then the actual Payload is sent:
And if all is well you should end with this screen:

If the above steps went well you should have a Green Pois0n icon, just click it and the rest of the process should perform automatically.

In my case it didn’t but I could manually trigger it by going to Settings | VPN (there should be a Jailbreak VPN entry) and connect to it. My iPad automatically rebooted after which the Cydia icon appeared.

Last step is start Cydia which will adjust the filesystem and the Jailbreak is finished.

I restored my Cydia settings, repositories and apps using xBackup as I described in the previous post. The other steps like installing Installous and synching Apps with iTunes are identical as well.

Have fun and please let me know if you have tips or any steps I missed!

Get the location of an advertised shortcut

Remko — Wed, 18 Jan 2012 12:28:36 +0000

Installers can create so called Advertised Shortcuts in the Start Menu. I wanted to check the Target Path of such an shortcut but Explorer doesn’t show it:

But we can easily retrieve the path using a small VB Script:

Option Explicit
Dim WshShell : Set WshShell = WScript.CreateObject("Wscript.Shell")
Dim objShortcut : Set objShortcut = WshShell.CreateShortcut(WScript.Arguments(0))
WScript.Echo("Target Path : " & objShortcut.TargetPath & vbCrLf & _
"Icon Location: " & objShortcut.IconLocation)

Set objShortcut = Nothing
Set WshShell = Nothing

The scripts accepts the shortcut filename as a parameter so you can simply drag the shortcut to the script and it will show the Target Path and Icon Location:

Bonus Chatter: if you want to prevent an installer from creating Advertised Shortcuts set the DISABLEADVTSHORTCUTS MSI property to 1 (MsiExec /I MyMsi.msi DISABLEADVTSHORTCUTS=1).

Take ownership of a registry key in PowerShell

Remko — Mon, 16 Jan 2012 15:39:36 +0000

After reading Andy Morgan’s (excellent) blog post about Removing Screen Resolution and Personalize shell extensions from a users desktop session I couldn’t help it.

I had to write a PowerShell script to take ownership of the mentioned registry keys. So here goes:

The code is only quick to show we can do it (after all PowerShell has no limits) and could be improved error handling and so on. But it works!

$definition = @"
using System;
using System.Runtime.InteropServices;

namespace Win32Api
{

public class NtDll
{
[DllImport("ntdll.dll", EntryPoint="RtlAdjustPrivilege")]
public static extern int RtlAdjustPrivilege(ulong Privilege, bool Enable, bool CurrentThread, ref bool Enabled);
}
}
"@

Add-Type -TypeDefinition $definition -PassThru

$bEnabled = $false

# Enable SeTakeOwnershipPrivilege
$res = [Win32Api.NtDll]::RtlAdjustPrivilege(9, $true, $false, [ref]$bEnabled)

$key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("DesktopBackground\Shell\Display", [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,[System.Security.AccessControl.RegistryRights]::takeownership)
$acl = $key.GetAccessControl()
$acl.SetOwner([System.Security.Principal.NTAccount]"Administrators")
$key.SetAccessControl($acl)

The case of the Slow Xerox Universal Print Driver

Remko — Wed, 04 Jan 2012 21:54:29 +0000

Earlier this week I was asked to investigate a problem with the Xerox Universal Printer Driver. Users complained that printing to a Xerox printer was much slower than printing to an HP printer.

I received a reference document from a user, a rather complex Excel sheet. When selecting multiple tabs it took almost a minute to generate a print preview in Excel 2007 running on Windows 2003 with XenApp 5.

I was aware of a bug in the Xerox Universal Driver where almost 9.000 files were copied into the user’s profile directory (I wrote about that in an earlier post). But this seemed to be another problem.

I made a trace with Process Monitor while generating the print preview and this made clear that the driver tries to create the key HKLM\Software\Xerox. This is denied because a user has of course no permissions to write in HKLM:

The Registry Summary shows us that the driver tries to access HKLM\Software\Xerox almost 8.000 times before finally giving up:

I changed the permissions on the Xerox key to see what the driver writes to this key. It creates a subkey with the SID of the User under HKLM\Software\Xerox\V5.0\Low.

Then it gives the user special permissions on this key and subkeys so the user is allowed to write there.

Finally it stores a few settings in that key:

This looks like a serious design flaw because not only is a standard user not allowed to create keys under the HKLM hive but it also means that user settings are stored on a single machine and are not roaming with the user.

The good news was that the time to generate the print preview went back to around 4 seconds which is acceptable considering the complexity of the reference Excel sheet.

I tested in total 3 versions of the Xerox Universal Print Driver and they all exhibited this particular issue:

5.185.42.0N 2011.03.02
5.216.12.0N 2011.06.10
5.246.7.0 2011.12.07

From Jailbreak to Jailbreak

Remko — Wed, 04 Jan 2012 21:02:04 +0000

A few days ago I decided to update my iPhone which was still running iOS 4.3.1 to iOS 5.0.1. I delayed this update for a while because I had Jailbreaked my iPhone. Unfortunately an update is much more work when you have Jailbreaked because you also have to restore Cydia settings such as the repositories and Cydia installed Apps.

This blog post is not a guide on how to Jailbreak but more a collections of tips to go from a Jailbreak iOS 4.x to iOS 5.01.

If you notice any extra steps while doing your update please send them to me so I can add them to this post.

Backup
Before starting it would be probably be a good idea to create a backup of your device in iTunes. I would also advise to backup your SHSH signatures which you can do using TinyUmbrella. There are lots of guides on how to do this so I will not repeat that here.

Without saving your SHSH signatures you cannot restore to an older iOS version if anything goes wrong!

You may also want to have the IPSW for your current iOS version (preferably the IPSW that you used to do the Jailbreak last time, else you also need the Jailbreak tool for that iOS version).

I used xBackup to create a backup of my Cydia settings, including repositories and Apps that were installed through Cydia. xBackup costs $1.50 (about ?1,20) which I found a very reasonable price.

I enabled the Cloud option which stores the backup on a remote server and also opted for backup of App Settings and Icon Layout:
Press Backup.
When it’s finished, the backup is uploaded to “the Cloud”
Optionally pick up the local backup if you want to be extra sure (or create another iTunes Backup)

Update to IOS 5.01
Next step is the actual update to iOS 5.01, note that we do not need to hack the IPSW and restore it, so there’s no need to download the IPSW. Just use iTunes to update to iOS 5.01.

Warning: if you have unlocked your iPhone or are using a Gevey SIM you will probably want to preserve the baseband. In which you do need the IPSW and use the Extras option in Redsn0w. Thanks to Don Hellwich for pointing that out.

You may get a warning indicating there are purchased items on your device that have not yet been transferred to iTunes yet:

To resolve this go to your device, right click and select Transfer Purchases:

Wait until the Transferring Purchases has finished:

iTunes will warn you that the update to iOS 5.0.1 will delete all Apps, don’t worry they should be in your iTunes backup.

If you get a backup error, like the screenshot below, you probably have an entry in your hosts file (that was put there by TinyUmbrella) such as “127.0.0.1 gs.apple.com”:

The update may take a while.

Jailbreak
After the update has been finished, restore your iTunes backup after which you are ready to Jailbreak again. I did this using Redsn0w for Windows v0.9.10b3. This Jailbreak is Untethered, based on geohot’s limera1n exploit and was created by @pod2g.

Please do consider a donation to pod2g.

The Jailbreak is very easy, just launch Redsn0w, boot into DFU mode and follow the on screen instructions. I will not describe the actual Jailbreak process here.

Restore

When the Jailbreak has finished, open Cydia, then install and launch xBackup.

Go to the Restore Tab and click Download & Restore:
xBackup will first restore the reposiories.
And then re-install your packages:

The only application that was not reinstalled by xBackup (by design??) was Installous and it’s components. If you were using Installous previously you will need to reinstall this one manually.

Synchronize Apps with iTunes
Final step is to synchronize your Apps with iTunes to get all your Applications back. If you installed Installous in the previous step then you already have AppSync which is required to synchronize non signed applications with iTunes. If not then first install AppSync for iOS 5.0+.

Good luck!

Error 372 in Thinapped Visual Basic Application

Remko — Tue, 03 Jan 2012 21:34:29 +0000

Today I was troubleshooting a Thinapped Visual Basic Application. The application halts with a Run-time error ’372′ when trying to run a report:

Microsoft KB article kb942870 hints to an ActiveX component that is registered into HKCU instead of HKLM.

A trace with the ThinApp Log Monitor reveals that the application is looking for an ActiveX component under HKCU:

RegOpenKeyExW [80000001h=HKEY_CURRENT_USER\][Software\Business Objects\Suite 11.0\Components\ActiveX Viewer not found in RW_View & fully isolated] -> 2h

A registry trace shows that the component (Crystal Reports ActiveX Report Viewer) registers itself to HKLM but also creates a few keys under HKCU that are required to make the viewer run.

I decided to register the component from a VBScript inside the ThinApp package since this is easier and more fool proof than capturing all the registry keys and adding them to the package.ini.

The VBS Script simply calls RegSvr32.exe with the /s (silent) parameter:

Function OnFirstParentExit
ExecuteExternalProcess("RegSvr32 /s " & chr(34) & "C:\Program Files\Common Files\Business Objects\3.0\crystalreportviewers11\ActiveXControls\crviewer.dll" & Chr(34))
End Function

Just save the VBS script with a name of choice in the same folder as the package.ini file.

System Process PID 4 is listening on port 80

Remko — Mon, 02 Jan 2012 09:23:21 +0000

I wanted to save the SHSH signatures from my iPhone before updating to iOS 5.01. I started Tiny Umbrella but it showed an error indicating that there’s already a process listening on port 80:

I verified this using netstat (netstat -aon | find /I “LISTENING” | find /I “:80″):

A telnet to port 80 showed there was indeed a webserver running:

The fact that the webserver is running in the system process means that it needs to have System Privileges. It could be either a Service or, less friendly, some kind of malware DLL that injects itself.

I checked with Process Explorer which DLL’s are loaded into the System Process and this didn’t reveal any strange DLL’s:

So a service seemed most likely but I didn’t have any of the usual suspects (in most likely order):

IIS Admin Service (Internet Information Server)
SQL Server Reporting Services
Apache Tomcat 7

But in my case it was the “Web Deployment Agent Service” (MsDepSvc) which is installed by Microsoft WebMatrix.