Remko Weijnen's Blog (Remko's Blog)

About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like

Archive for the ‘General’ Category

Modifying Microsoft Updates and/or hotfixes 2

In a previous post I wrote about patching update.exe to allow installing updates with modified .inf files.

A commenter asked how to do this for another build of update.exe, specifically the version that ships with Windows Server 2003 SP2 (now what would he want to do with that?).

With the knowledge from the previous post this is actually a very easy task, so let me explain it here step by step.

First we open the target file in IDA and wait for the autoanalysis to finish. Then go to the Functions window and look for the function IsInfFileTrusted:



  • Filed under: General
  • As you may know, the 32-bit (x86) editions of Windows Vista cannot address more than 4 GB of memory. You may think this 4 GB is a limit of the processor, but it isn't: with Physical Address Extension (PAE) a 32-bit kernel can address physical memory beyond 4 GB.

    Enterprise editions of Windows Server 2003 and 2008 can already address more than 4 GB of memory, so why can we not do that with Vista? The answer: Microsoft doesn't want that. It is a licensing matter, and we can see this in the registry. Open RegEdit, go to HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions and double-click the value ProductPolicy. Scroll down a little until you see the entry "Kernel-PhysicalMemoryAllowedx86"; its data is the DWORD 0x1000, which is 4096 decimal, the limit in MB (in the hex dump it shows up byte-swapped as 00 10 00 00 because the DWORD is stored little-endian):


    We can also see where this (and the other licensing values) come from: all license values are stored as XML files in %systemroot%\system32\licensing\ppdlic. The memory value is in Kernel-ppdlic.xrm-ms:
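To read that limit without counting bytes in RegEdit, here is an added example (not from the original post) that decodes a ProductPolicy blob in Python. The entry layout it assumes (a 20-byte header, then entries of size/name-length/type/data-length/flags/padding followed by a UTF-16LE name and the data, closed by a 0x45 end marker) comes from third-party reverse engineering of the format, not from Microsoft documentation, and the sample blob is constructed here with the included builder, so its memory value is 4096 by construction. On a real Vista box you would pass in the bytes of (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ProductOptions').ProductPolicy instead.

```python
"""Decode a Windows ProductPolicy blob and read Kernel-PhysicalMemoryAllowedx86.

Assumed layout (third-party reverse engineering, not Microsoft-documented):
  header : 5 x uint32  = total size, data size, end-marker size, reserved, version (1)
  entry  : uint16 size, uint16 name length, uint16 value type, uint16 data length,
           uint32 flags, uint32 padding, then the name (UTF-16LE) and the data
  trailer: uint32 end marker 0x45
"""
import struct

HEADER = struct.Struct("<5I")      # 20 bytes
ENTRY = struct.Struct("<HHHHII")   # 16 bytes
END_MARKER = 0x45
REG_DWORD = 4                      # registry value type used for the memory limit


def parse_product_policy(blob: bytes) -> dict:
    """Return {policy name: (type, value)}; REG_DWORD data is decoded to int."""
    total, data_size, _end_size, _reserved, version = HEADER.unpack_from(blob, 0)
    if total != len(blob) or version != 1:
        raise ValueError("not a ProductPolicy blob (size/version mismatch)")
    policies = {}
    pos, end = HEADER.size, HEADER.size + data_size
    while pos < end:
        size, name_len, vtype, data_len, _flags, _pad = ENTRY.unpack_from(blob, pos)
        name_off = pos + ENTRY.size
        name = blob[name_off:name_off + name_len].decode("utf-16-le")
        data = blob[name_off + name_len:name_off + name_len + data_len]
        value = struct.unpack("<I", data)[0] if vtype == REG_DWORD else data
        policies[name] = (vtype, value)
        pos += size
    if struct.unpack_from("<I", blob, end)[0] != END_MARKER:
        raise ValueError("missing end marker; blob truncated or tampered")
    return policies


def build_product_policy(entries) -> bytes:
    """Inverse of parse_product_policy; used here only to construct sample data."""
    body = b""
    for name, vtype, data in entries:
        wname = name.encode("utf-16-le")
        size = ENTRY.size + len(wname) + len(data)
        body += ENTRY.pack(size, len(wname), vtype, len(data), 0, 0) + wname + data
    total = HEADER.size + len(body) + 4
    return HEADER.pack(total, len(body), 4, 0, 1) + body + struct.pack("<I", END_MARKER)


def physical_memory_limit_mb(blob: bytes) -> int:
    """The x86 physical memory cap the kernel enforces, in MB (4096 == 4 GB)."""
    return parse_product_policy(blob)["Kernel-PhysicalMemoryAllowedx86"][1]


# Constructed sample (not a dump from a real machine): two policy entries,
# the memory cap set to 4096 MB. The DWORD 4096 lands in the blob as 00 10 00 00.
SAMPLE_BLOB = build_product_policy([
    ("Kernel-PhysicalMemoryAllowedx86", REG_DWORD, struct.pack("<I", 4096)),
    ("Kernel-RegisteredProcessors", REG_DWORD, struct.pack("<I", 2)),
])

if __name__ == "__main__":
    for name, (vtype, value) in parse_product_policy(SAMPLE_BLOB).items():
        print(f"{name:36s} type={vtype} value={value}")
    print("x86 physical memory limit:", physical_memory_limit_mb(SAMPLE_BLOB), "MB")
```

The parser checks the total size and the end marker because the kernel validates the blob too; a hand-edited ProductPolicy that is not internally consistent is simply ignored (and on Vista the value is re-derived from the signed .xrm-ms files anyway), which is the caveat to keep in mind before treating this registry value as a knob.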


  • Filed under: General, Vista
  • Dell Systems Build and Update Utility DVD

    I was installing Dell Deployment Solution (the Dell-branded version of Altiris), and at the end of the installation you can choose to add drivers for scripted installs. If you do, it asks for the Dell Systems Build and Update Utility DVD in order to install the drivers for scripted install:


    I searched the Dell site for this DVD, but the only version I could find was one dated 20-11-2008 (5.5.1 AA00) with the filename OM_5.5.1_SUU_A00.ISO, and it is not accepted by the installer:


    What a helpful message 😉


  • Filed under: General
  • Modifying Microsoft Updates and/or hotfixes

    As you might know, Microsoft distributes updates and hotfixes with an installer, update.exe. When you run update.exe it reads the supplied .inf files to see what it has to install. You cannot simply edit those .inf files, however, because that would invalidate their signature: update.exe verifies each file against the signed hashes in the accompanying .cat file.

    In my case I wanted to deploy the MUI pack for Internet Explorer 7 to be able to support multiple languages. By default this pack installs 35 (!) languages, and I wanted to install only the Dutch language on top of the existing English.


    A few days ago I was troubleshooting some strange problems on a Citrix server. After some investigation (I will write about that later) it was clear to me that there was a shortage of System Page Table Entries (PTEs). Using perfmon you can see how many free System PTEs are available:


    Any value below 5000 free System PTEs is a warning sign; values below 2000 are critical. In my case it wasn't even possible to view processes with Task Manager anymore.

    Next I used WinDbg, attached to the local kernel (File | Kernel Debug | Local | OK) and issued the !vm command:


    WinDbg shows a warning that a large number of PTE allocations have failed; we can also see that there is still enough paged and nonpaged pool available, so this is not a general pool exhaustion.

    So how do we find the guilty driver (usually it’s a driver)? (more…)

    Existing code to simulate the Secure Attention Sequence (SAS), which most people refer to as Ctrl-Alt-Del, no longer works in Windows Vista. Microsoft does offer a library that exports a function called SimulateSAS(). It is not public, and one is supposed to request it by e-mail; mails to that address remain unanswered though.

    I researched how other people (including Microsoft) have solved this task and was unhappy with the results: some solutions work only with (or without) UAC, most solutions work only for the current or console Terminal Server sessions or need a kernel mode driver.

    So I decided to create my own Saslib with the following goals:

    • Should work both with and without User Account Control (UAC)
    • Should support current, console and any Terminal Server session
    • Does not need a driver
    • The calling application does not need to be signed or have a special manifest
    • Support multiple programming languages

    I have succeeded and thus SasLibEx was born: not only can it successfully simulate the SAS sequence it can do this for any/all Terminal Server sessions. It can also lock the workstation (again for all sessions) and switch between the normal desktop and the secure desktop (the desktop that UAC runs on). SasLibEx was successfully tested both with and without User Account Control (UAC).

    In the future I will place SasLibEx on its own website. Meanwhile you can contact me if you are interested in it at the following mail address: mail

    Please note that I have spent lots of time on this project and therefore cannot give it away for free.

    Update: I have added new features to SasLibEx, see here:

    I was just researching a little how Group Policies are applied in Windows Vista. The client-side processing is done by the Group Policy Client service (gpsvc). So can a user prevent domain policies from being applied by stopping this service?

    If you go to the service properties you can see that even a local administrator cannot stop or disable the service:


    The description says: “The service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component. If the service is stopped or disabled, the settings will not be applied and applications and components will not be manageable through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is stopped or disabled.”

    That sounds good! Let’s try it…
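Whether a principal can stop a service is decided by the service's security descriptor, which you can dump on Windows with sc.exe sdshow gpsvc. The following is an added example (not from the original post, and not the real gpsvc descriptor) that parses such an SDDL string and performs the ordered ACE walk Windows uses to decide whether a token with given SIDs holds SERVICE_STOP. The two DACL strings are constructed for illustration: in the first, Administrators (BA) may start and query but not stop, and only SYSTEM (SY) may stop; the second is a weakened variant.

```python
"""Who may stop a service, decided from its SDDL security descriptor.

Added example. The DACLs below are constructed; on a Windows box feed in the
output of  sc.exe sdshow <service>  instead.
"""
import re

# SDDL rights letters as they are interpreted for service objects.
SERVICE_RIGHTS = {
    "CC": 0x0001,   # SERVICE_QUERY_CONFIG
    "DC": 0x0002,   # SERVICE_CHANGE_CONFIG
    "LC": 0x0004,   # SERVICE_QUERY_STATUS
    "SW": 0x0008,   # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x0010,   # SERVICE_START
    "WP": 0x0020,   # SERVICE_STOP
    "DT": 0x0040,   # SERVICE_PAUSE_CONTINUE
    "LO": 0x0080,   # SERVICE_INTERROGATE
    "CR": 0x0100,   # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
}
SERVICE_START, SERVICE_STOP, WRITE_DAC = 0x10, 0x20, 0x40000

# (ace_type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\((A|D);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def rights_mask(rights: str) -> int:
    """Turn 'CCLCSWRP' (or a raw '0x...' mask) into an access mask."""
    if rights.startswith("0x"):
        return int(rights, 16)
    return sum(SERVICE_RIGHTS[rights[i:i + 2]] for i in range(0, len(rights), 2))


def parse_dacl(sddl: str) -> list:
    """Return (ace_type, access_mask, trustee) for each ACE of the D: part, in order."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    return [(t, rights_mask(r), trustee)
            for t, _flags, r, _obj, _inh, trustee in ACE_RE.findall(m.group(1))]


def has_access(sddl: str, token_sids: set, desired: int) -> bool:
    """Ordered ACE walk as the kernel does it: a matching deny ACE that covers any
    still-wanted bit fails the check; allow ACEs grant bits until none remain.
    token_sids holds the SDDL aliases or SIDs the caller's token carries (group
    expansion is the caller's job here; Windows takes it from the token)."""
    remaining = desired
    for ace_type, mask, trustee in parse_dacl(sddl):
        if trustee not in token_sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False
        if ace_type == "A":
            remaining &= ~mask
            if remaining == 0:
                return True
    return remaining == 0


# Constructed DACLs (not the real gpsvc descriptor).
LOCKED_SDDL = "D:(A;;CCLCSWRPLOCRRC;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;AU)"
WEAK_SDDL = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"


def who_can_stop(sddl: str, principals=("BA", "SY", "AU", "IU")) -> list:
    """Principals (checked one at a time, no group expansion) holding SERVICE_STOP."""
    return [p for p in principals if has_access(sddl, {p}, SERVICE_STOP)]


if __name__ == "__main__":
    print("locked:", who_can_stop(LOCKED_SDDL))
    print("weak:  ", who_can_stop(WEAK_SDDL))
```

The caveat a practitioner will want: a DACL that withholds WP from Administrators only holds as long as they also lack WRITE_DAC (WD) and WRITE_OWNER (WO) on the service, and an administrator with SeTakeOwnershipPrivilege can take ownership and rewrite the DACL anyway. The second constructed string shows exactly that weakening, which is why checking WD/WO alongside WP is part of the same review.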


  • Filed under: General, Vista
  • In part 1 I showed how to create and open objects in Terminal Server sessions. However, those are not all the places where you can put objects via documented kernel32.dll functions.

    If we look in WinObj again, we notice that every BaseNamedObjects directory has a subdirectory named Restricted. To be honest, I do not know why it is created; its security descriptor allows object creation for LocalSystem and the RESTRICTED special SID (on Windows 2000, Everyone can also create objects in it). So we can use it as a prefix for object creation, for example Restricted\MyAppEvent:
    RestrictedObject

    Of course, you can still use Global, Local, or Session links (more…)

    As you know, many kernel32.dll functions that work with named objects, like OpenEvent, can be used for global and local objects. So what are global and local objects? Global objects are created in session 0 and actually live in the \BaseNamedObjects directory, while local objects are created in the caller's session, for example in \Sessions\5\BaseNamedObjects (for session 0, Global and Local have no meaning since they point to the same directory). MSDN says that you can only access objects in your own session (via the Local\ prefix) and in session 0 (via the Global\ prefix). But what if you need to access an object in another session? (more…)

    In part 1 I showed how to get rid of some Terminal Server restrictions on Windows XP x64. But there are still some problems:

    1) You cannot connect to localhost (the loopback address itself), but you can connect to 127.a.b.c, where a, b, c are in [0..255] (with a few exceptions).

    When you connect to a remote server, Remote Desktop Connection (mstsc.exe) checks through mstscax.dll whether you are connecting to your own address; such connections are only allowed when you are in server mode. If this is not the case the connection is denied, usually with the message ConsoleFailed. The logic of the check is the same as before: call gethostbyname for the server name and test whether the result equals the local address. (more…)
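The reason the 127.a.b.c trick works is that the check compares the resolved address with a single literal instead of asking whether the address reaches the local host. Below is an added example (not the author's or Microsoft's code) contrasting that weak check with a correct one in Python: the correct version treats the whole 127.0.0.0/8 block, ::1 and IPv4-mapped IPv6 loopback addresses as local and also matches the machine's own interface addresses, which are passed in as a constructed set so the example runs offline (the gethostbyname helper is included to mirror the client but is not exercised).

```python
"""Loopback / own-address check of the kind mstsc performs, in two flavours.

Added example, not the author's or Microsoft's code. The weak check compares
the resolved address with the single literal 127.0.0.1; the correct one
treats 127.0.0.0/8, ::1 and ::ffff:127.x.x.x as loopback and also matches the
machine's own interface addresses (supplied by the caller here).
"""
import ipaddress
import socket


def resolve(server_name: str) -> str:
    """gethostbyname(), as the client does it. Needs a resolver; not used offline."""
    return socket.gethostbyname(server_name)


def is_loopback_strict(addr: str) -> bool:
    """Naive check: exact match on the canonical loopback literal only."""
    return addr == "127.0.0.1"


def is_loopback(addr: str) -> bool:
    """Any address in 127.0.0.0/8, ::1, or an IPv4-mapped one of those reaches the local host."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.2 is still the local host
    return ip.is_loopback


def is_own_address(addr: str, local_addrs) -> bool:
    """What the client should test: loopback, or one of this machine's interface addresses."""
    return is_loopback(addr) or addr in set(local_addrs)


def bypasses_strict_check(addr: str) -> bool:
    """True for addresses that are local but slip past the exact-match check."""
    return is_loopback(addr) and not is_loopback_strict(addr)


# Constructed sample of a machine's own interface addresses (not a real host).
LOCAL_ADDRS = {"192.168.1.10", "10.0.0.5"}

if __name__ == "__main__":
    for a in ("127.0.0.1", "127.0.0.2", "127.255.255.254", "::1",
              "::ffff:127.0.0.2", "192.168.1.10", "8.8.8.8"):
        print(f"{a:18s} strict={is_loopback_strict(a)!s:5} "
              f"own={is_own_address(a, LOCAL_ADDRS)!s:5} bypass={bypasses_strict_check(a)}")
```

The same pattern shows up in any "is this my own machine?" gate: a literal comparison is a denylist of one entry, and the loopback block alone has over sixteen million other entries.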