Remko Weijnen's Blog (Remko's Blog)

About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like

Archive for the ‘Windows 2003’ Category

Harmony Client crashes upon exit

Today I was troubleshooting the application “Harmony Client” which crashed upon exiting:

Toepassingspop-up: HARMONY_Client.exe - Toepassingsfout : De instructie op 0x77e621b6 verwijst naar geheugen op 0x4b750000. Een lees- of schrijfbewerking op het geheugen is mislukt: | The memory could not be read.

The application had been thinapped and the error only appeared when starting the thinapped version.


Bypassing RES/Appsense Application Security

The video below shows a Proof of Concept of bypassing Application Security in RES Workspace Manager.

Please note that at this time the code is not publicly available so please don’t ask for it.

EDIT 2: I added a video that I received from someone who tried my Excel Sheet with AppSense Application Manager.

EDIT: I wanted to clarify a couple of things regarding this post.

First of all I would like to explain why I wrote this code and why I chose to test it with RES WM.

I had the idea for this approach a long time ago but I never got around to actually doing it. The main reason was that I needed to convert Delphi code to VBA, and converting some Windows headers in particular was a lot of work. Then suddenly I noticed that someone had already converted the headers, so all I had to do was rewrite the code that used them in VBA.

The choice for RES was made because of two reasons:

  1. If you want to beat something, you want to beat the best and I most certainly consider RES WM to be one of the top products.
  2. At the time I wrote the POC code I had access to an environment with RES in it.

I would like to emphasize that RES contacted me very quickly after I published this blog. I’ve had contact with RES and they have shown a very constructive approach, with their primary goal being a fix or guidance for their customers. Hats off to RES for taking a constructive approach; I will be working together with RES on this issue.

Finally, I would like to state that I didn’t expect this post to draw this much attention; if I had, I would probably have taken another approach.



Earlier this week I was asked to investigate a problem with the Xerox Universal Printer Driver. Users complained that printing to a Xerox printer was much slower than printing to an HP printer.

I received a reference document from a user, a rather complex Excel sheet. When selecting multiple tabs, it took almost a minute to generate a print preview in Excel 2007 running on Windows 2003 with XenApp 5.

I was aware of a bug in the Xerox Universal Driver where almost 9,000 files were copied into the user’s profile directory (I wrote about that in an earlier post). But this seemed to be another problem.



NTVDM encountered a hard error

Today I troubleshot an old DOS application that needed to run on a 32-bit Citrix XenApp server. The last time I saw an actual DOS application in a production environment must have been years ago.

When starting the application, the WOW subsystem (NTVDM) crashed with the message “NTVDM encountered a hard error”:


After spending some time troubleshooting I remembered a similar issue from a few years ago where a DOS application worked fine from the Console but refused to work from an RDP or ICA session.


Remote Registry from 32 to 64 bit

Yesterday I needed to set a few registry keys remotely from a 32-bit Windows machine on a 64-bit machine.

I used reg.exe to set the key but even though it returned success the key wasn’t altered.

As I suspected, the key was written to the Wow6432Node. In the help I couldn’t find any switch to force reg.exe to use the 64-bit view.

On a 64-bit machine this is not a problem, since both 32- and 64-bit versions of reg.exe exist. The 32-bit version of reg.exe defaults to the 32-bit view and the 64-bit version defaults to the 64-bit view.

But luckily reg.exe has a switch (that is not listed in the help) to force the view:

So a few days ago I got new memory for a development box – an upgrade from 4 to 6 GiB (later on even 8 GiB). Much appreciated as you can imagine. After dismissing the BIOS warning about the changed amount of memory (oh really?), I booted into Ubuntu and happily looked at the memory stats. After that I booted into Windows (a Windows 2003 Server Standard, but I’ll just use Windows from here on) and was disappointed to see only 4 GiB available. This is apparently a limitation specific to the Standard edition.

After some pouting, I decided to take action. Of course one of my first thoughts was to ask Remko, because he had done similar things for some other Windows versions. He pointed me to MmInitSystem, which was not an immediate hit, though. I loaded my kernel .exe into a disassembler to look at the details, but MmInitSystem was a lengthy and rather boring function. However, the advice was good and got me a good bit closer, especially when Remko also mentioned the use of ExVerifySuite in the logic that would set the limits. So I brought up the references to ExVerifySuite and – surprise surprise – only seven other functions used it and out of these only one was not recognized by name from the exports and debug symbols. And since the inspection of that function (at 0x00615FB0 in my kernel) proved that it was being called from MmInitSystem, this was an immediate hit.



Windows 2003 align OS disk

If you read one of VMware’s Best Practices Guides (in my case this one), you may have read that it’s important to align guest partitions.

We can do this (for Windows) using the DiskPart tool that has come with the OS since Windows 2003 SP1 (there is a hotfix for earlier versions).

On Windows 2008 and higher, all partitions are automatically aligned to a 1 MB boundary.

But how to do this for the OS disk on Server 2003?

My first thought was to open a command prompt during setup, right before creating the partitions and then use diskpart.

However, the OS partition is created during the text-mode portion of the install process, and even though we can get a command prompt using SHIFT-F10, we get the Recovery Console (which has a built-in diskpart, but it cannot align).

So I used a Windows PE bootdisk. Any version with Diskpart should do but I used a bootdisk from Symantec Backup Exec System Recovery that I’ve customized to my own needs.

If you boot the original Symantec disk, you can open a command prompt by accessing a hidden feature: move the mouse over the “S” of Symantec until you get a hand icon, then press the left mouse button:
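As an added example (not the post’s own script), a batch file for the Windows PE command prompt that creates the Server 2003 OS partition with diskpart on a 1 MiB boundary, plus a check mode that reads the partition offset back through WMI once the OS is installed. The file name align.cmd, disk 0 as the OS disk and a 30 GB partition size are assumptions.

```batch
@echo off
REM Added example, not the post's own script.
REM   align.cmd create  - from the Windows PE command prompt, before
REM                       starting Windows 2003 setup
REM   align.cmd check   - on the installed OS (or any PE that has WMI)
REM Assumptions: the OS disk is disk 0 and the OS partition is 30 GB.
setlocal
set DISK=0
set SIZE_MB=30720
if /i "%~1"=="create" goto create
if /i "%~1"=="check"  goto check
echo usage: %~nx0 create ^| check
exit /b 2

:create
REM diskpart's align= is in KiB: 1024 = 1 MiB, the boundary that
REM Windows 2008 and later use by default. "clean" wipes the partition
REM table of disk %DISK%, so this is only for a fresh install. Setup is
REM then told to keep (and format) this existing partition rather than
REM create its own, which would again start at the old 63-sector offset.
set SCRIPT=%TEMP%\align.txt
> "%SCRIPT%" echo select disk %DISK%
>> "%SCRIPT%" echo clean
>> "%SCRIPT%" echo create partition primary size=%SIZE_MB% align=1024
>> "%SCRIPT%" echo active
>> "%SCRIPT%" echo exit
diskpart /s "%SCRIPT%"
if errorlevel 1 (
    echo diskpart failed; check the layout of disk %DISK% before continuing
    exit /b 1
)
echo Partition created; run setup and install onto the existing partition.
exit /b 0

:check
REM Win32_DiskPartition.StartingOffset is in bytes; 1 MiB = 1048576.
REM The nested for strips the stray carriage return that wmic emits.
set OFFSET=
for /f "skip=1 tokens=1" %%o in ('wmic partition where "DiskIndex=%DISK% and Index=0" get StartingOffset') do (
    for /f "tokens=1" %%v in ("%%o") do if not defined OFFSET set OFFSET=%%v
)
if not defined OFFSET (
    echo could not read partition 0 on disk %DISK%
    exit /b 1
)
set /a REMAINDER=%OFFSET% %% 1048576
if %REMAINDER% NEQ 0 (
    echo MISALIGNED: partition 0 starts at byte %OFFSET%
    exit /b 1
)
echo aligned: partition 0 starts at byte %OFFSET% (1 MiB boundary)
exit /b 0
```

An unaligned 2003 default partition reports 32256 (63 sectors of 512 bytes) in check mode, which is the value the script flags.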





In the previous parts (part 1, part 2) I’ve described the theory and the implementation problems. So now we can write the code:

1) When we log the user on, we just call LsaLogonUser to get the token:

In part 1 I’ve described the theoretical parts needed for a custom autologon application implementation.

But there are some practical problems, which I will describe here.

1) I use the LsaLogonUser function to log the user on. However, if I do not pass a non-null value for the LocalGroups parameter, msgina.dll fails to process the logon.

Why? Because it looks for a SID with the SE_GROUP_LOGON_ID attribute and treats it as the logon SID. So we have to add the logon SID manually:

Windows XP introduced the ability to use Fast User Switching (FUS from here on), which is implemented using Terminal Services.

But in some cases (e.g. when FUS is not enabled, or when you connect to the console on Windows 2003 Server), the Winlogon process in an RDP session needs to transfer credentials to Session 0.

Although not documented in MSDN, the process of transferring credentials is described by Keith Brown in the June 2005 issue of MSDN magazine: Customizing GINA, Part 2.

WlxQueryConsoleSwitchCredentials and WlxGetConsoleSwitchCredentials are used in the transfer with the semi-documented WLX_SAS_TYPE_AUTHENTICATED SAS code constant.

Internally, winlogon.exe uses a Named Pipe, \\.\Pipe\TerminalServer\AutoReconnect, to implement both of these functions.

The pipe format is described in this structure: