Monday, November 28, 2022

PrimoCache 4.20 - Hidden Registry keys and locked files

PrimoCache is interesting software that comes with a 30-day trial.

Unfortunately, as part of its license system it does two disturbing things to your computer in an attempt to prevent use after the 30-day trial is up:

  1. A small randomized file in the system32 directory
  2. A hidden registry key whose name contains embedded NUL characters
The first one is easy to find. It'll typically be the only file in your system32 directory that has both the HIDDEN and SYSTEM attributes set.

It's remarkably easy to find from the command line:
dir c:\windows\system32 /a:HS

You won't be able to delete it normally; it's held locked by the PrimoCache filesystem driver.

2. The hidden registry key

The second part is the hidden registry key. This uses an insidious method where the driver creates a key whose name contains embedded NUL (0x0000) characters. That prevents *most* registry editors from being able to read the key.

This hidden method is explained in much detail in posts like this:

    https://www.codeproject.com/Articles/14508/Registry-Manipulation-Using-NT-Native-APIs

But essentially, the normal Win32 registry calls take NUL-terminated strings, so they stop reading a name at the first NUL, while the Native API uses counted UNICODE_STRING structures with an explicit length, so a NUL is just another character. If you write a registry key through the Native API with a NUL in its name, normal registry editors can't read it: the truncated name they pass in never matches.

Back to the key. You'll find it here, attempting to hide within the EventLog registry tree:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\RxDeliveryStamp\{57C7DD3D-2E9C-4F3B-A270-391E8AEDF0C4}

If you attempt to open it you'll first get access denied errors. You need to change the permissions on the key, and to do that you first have to take ownership: run regedit as administrator, set the owner to your account, then grant yourself Full Control on the key.

That will then let you see the hidden subkey, shown as Parameter. If you click it you'll get a "Parameter cannot be opened" error. That is due to the embedded NUL (0x0000) characters: the real name is something like "Parameter\0\0\0\02347298742". Normal API calls fail because they treat the name as NUL-terminated and stop at the first NUL, so they look for a key called "Parameter", which doesn't exist. The Native API passes and expects the actual string length when getting or setting names, so it doesn't care what characters are in it.

Luckily there ARE registry editors that CAN read it, such as this one (another nice feature is that it has a search function to find all such hidden keys):

    https://registry-finder.com/

Run it as administrator and it'll be able to see AND delete the dastardly registry key for good.

You can also use the excellent Sysinternals tool RegDelNull, which scans a key for subkey names with embedded NULs and deletes them (regdelnull <path> -s recurses into subkeys).
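To see the difference between the two APIs for yourself, here is an added example (not from the post, and not PrimoCache's or Registry Finder's code) that enumerates the subkeys of a registry key through NtOpenKey/NtEnumerateKey and reports every name containing a NUL, together with the truncated name a Win32 caller such as regedit would look for. The live enumeration needs Windows and an account that already has read access to the key (take ownership first, as above); the NT path of the key is the one the post reports, and find_hidden_names() is plain Python so it can be exercised anywhere.

```python
"""Enumerate registry subkeys via the Native API and flag names with embedded NULs."""
import ctypes
import struct
import sys

STATUS_SUCCESS = 0x00000000
STATUS_NO_MORE_ENTRIES = 0x8000001A
KEY_READ = 0x20019
OBJ_CASE_INSENSITIVE = 0x40
KEY_BASIC_INFORMATION = 0          # KEY_INFORMATION_CLASS value


class UNICODE_STRING(ctypes.Structure):
    # Counted string: the length is explicit, so a 0x0000 character is just data.
    _fields_ = [("Length", ctypes.c_uint16),
                ("MaximumLength", ctypes.c_uint16),
                ("Buffer", ctypes.c_wchar_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_uint32),
                ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)),
                ("Attributes", ctypes.c_uint32),
                ("SecurityDescriptor", ctypes.c_void_p),
                ("SecurityQualityOfService", ctypes.c_void_p)]


def win32_view(native_name: str) -> str:
    """The name a NUL-terminated Win32 call (RegOpenKeyExW, regedit) would see."""
    return native_name.split("\x00", 1)[0]


def find_hidden_names(native_names):
    """Pairs of (real name, name Win32 sees) for every name that embeds a NUL."""
    return [(n, win32_view(n)) for n in native_names if "\x00" in n]


def enumerate_subkeys_native(nt_path: str):
    """Subkey names of an NT-namespace key (\\Registry\\Machine\\...) via ntdll (Windows only)."""
    if sys.platform != "win32":
        raise OSError("needs ntdll.dll (Windows)")
    ntdll = ctypes.WinDLL("ntdll")
    name = UNICODE_STRING(len(nt_path) * 2, len(nt_path) * 2 + 2, nt_path)
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None,
                              ctypes.pointer(name), OBJ_CASE_INSENSITIVE, None, None)
    key = ctypes.c_void_p()
    status = ntdll.NtOpenKey(ctypes.byref(key), KEY_READ, ctypes.byref(attrs)) & 0xFFFFFFFF
    if status != STATUS_SUCCESS:
        raise OSError(f"NtOpenKey failed: 0x{status:08X} (take ownership / grant access first?)")
    names, index = [], 0
    buf = ctypes.create_string_buffer(4096)
    returned = ctypes.c_uint32()
    try:
        while True:
            status = ntdll.NtEnumerateKey(key, index, KEY_BASIC_INFORMATION, buf,
                                          ctypes.sizeof(buf), ctypes.byref(returned)) & 0xFFFFFFFF
            if status == STATUS_NO_MORE_ENTRIES:
                break
            if status != STATUS_SUCCESS:
                raise OSError(f"NtEnumerateKey failed: 0x{status:08X}")
            # KEY_BASIC_INFORMATION: LastWriteTime(8) TitleIndex(4) NameLength(4) Name[NameLength/2]
            name_len = struct.unpack_from("<I", buf.raw, 12)[0]
            names.append(buf.raw[16:16 + name_len].decode("utf-16-le"))
            index += 1
    finally:
        ntdll.NtClose(key)
    return names


if __name__ == "__main__":
    # NT-namespace path of the key the post reports; \Registry\Machine is HKEY_LOCAL_MACHINE.
    target = (r"\Registry\Machine\SYSTEM\ControlSet001\Services\EventLog\System"
              r"\RxDeliveryStamp\{57C7DD3D-2E9C-4F3B-A270-391E8AEDF0C4}")
    path = sys.argv[1] if len(sys.argv) > 1 else target
    for real, seen in find_hidden_names(enumerate_subkeys_native(path)):
        print(f"hidden subkey {real!r}: Win32 callers look for {seen!r} and fail")
```

Run it elevated; if NtOpenKey returns an access-denied status (0xC0000022) you have not yet taken ownership of the key. Pass any other NT path as the first argument to check other keys.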

---

An important note: to do the deletions you'll need to have deleted any existing cache and uninstalled PrimoCache, as its driver is what holds both the key and the file locked.

A side effect of this, of course, is that PrimoCache will have forgotten everything about your computer and its trial timer will reset.

Note that if you reboot into recovery mode, delete the key and remove the file from the recovery console, PrimoCache will still regenerate its trial limit, probably from the cache settings or other registry values. You *must* do a full clean uninstall (and then check for any leftover registry keys).

There is a discussion to be had here about who owns my computer. The PrimoCache developers seem to think they have the right to install whatever they want onto MY PC, whereas I believe I have every right to do whatever I want with my PC. In trying to protect their trial period they have intentionally made it extremely difficult (impossible without third-party software or programming skills) for anyone to be fully in control of their PC.






Saturday, August 4, 2018

Centos 7 - SELinux and Crontab


Updated my CentOS 7 box and noticed a few days later that the root crontab was not running.

Looking at the cron logs showed:

Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=system_u:object_r:unlabeled_t:s0 (/var/spool/cron/root)

Doing an ls -Z on that file showed:

ls -Z /var/spool/cron/root

-rw-------. root root system_u:object_r:unlabeled_t:s0 /var/spool/cron/root

Well, there's the problem: unlabeled_t. I eventually fixed it by simply editing the crontab with crontab -e and saving; crontab rewrites the spool file, which gives it the right label:

ls -Z /var/spool/cron/root

-rw-------. root root unconfined_u:object_r:user_cron_spool_t:s0 /var/spool/cron/root

Certainly an annoying bug, but at least it had an easy fix.
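The same check and fix, scripted, as an added example that is not part of the post: it reads the type field out of the CentOS 7 ls -Z layout shown above, and instead of re-saving the crontab it asks the policy what the label should be (matchpathcon) and applies it with restorecon, which is the fix that also works for files you can't conveniently rewrite. The expected type user_cron_spool_t is the one the post shows after the fix; the path is the post's.

```python
"""Check the SELinux label on a cron spool file and relabel it from policy."""
import re
import shutil
import subprocess

CRON_SPOOL = "/var/spool/cron/root"
EXPECTED_TYPE = "user_cron_spool_t"
# user:role:type:level, e.g. system_u:object_r:unlabeled_t:s0
CONTEXT_RE = re.compile(r"([A-Za-z0-9_]+):([A-Za-z0-9_]+):([A-Za-z0-9_]+):(\S+)")


def selinux_type(ls_z_line: str) -> str:
    """Type field of the security context in one line of `ls -Z` output."""
    m = CONTEXT_RE.search(ls_z_line)
    if not m:
        raise ValueError(f"no SELinux context in {ls_z_line!r}")
    return m.group(3)


def needs_relabel(ls_z_line: str, expected_type: str = EXPECTED_TYPE) -> bool:
    """True when crond will refuse the file: unlabeled_t or any other unexpected type."""
    return selinux_type(ls_z_line) != expected_type


def relabel(path: str = CRON_SPOOL) -> None:
    """Apply the label the file_contexts policy says the path should have."""
    if shutil.which("restorecon") is None:
        raise RuntimeError("restorecon not found (install policycoreutils)")
    expected = subprocess.run(["matchpathcon", path], capture_output=True,
                              text=True, check=True).stdout.strip()
    print(f"policy says: {expected}")
    subprocess.run(["restorecon", "-v", path], check=True)


if __name__ == "__main__":
    line = subprocess.run(["ls", "-Z", CRON_SPOOL], capture_output=True,
                          text=True, check=True).stdout.strip()
    print(line)
    if needs_relabel(line):
        relabel(CRON_SPOOL)
    else:
        print("label already correct")
```

Run as root. If restorecon leaves the file unlabeled_t, the policy has no file_contexts entry for the path, which points at a policy package problem rather than at cron.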

Monday, December 4, 2017

Excessive Modified Memory

Logged into my workstation today and started noticing "Out of memory" errors. Whaatt? This computer has 8GB of memory and doesn't run that much!

Resource Monitor showed excessive "Modified" pages like this (not my screenshot, but it shows how it looked):

Well, that's odd. Let's fire up Google. Thirty minutes later I've hit the solution (that many others have before me):

https://what.thedailywtf.com/topic/17472/finally-nailed-my-windows-memory-leak-a-k-a-the-official-we-hate-karl-club?page=1

The cause is a bad Realtek application, "runsw.exe".

The final kicker was the 800,000 HANDLES the application had open; you can see them in Task Manager if you add the Handles column.

The service appears to be some kind of Realtek monitoring/watchdog program that talks to another service.

Ok then, handle leak, let's find out why. First, let's fire up API Monitor, a wonderful program I've used before to solve issues.

Well well, lots of calls to Process32Next. Let's load it up in IDA and have a look. Browse the import table, do a reverse cross-reference, convert to pseudocode, and tada, we get a function:


The function seems to be looking for a process using CreateToolhelp32Snapshot, then Process32First and Process32Next, then exiting. On first glance there's no issue, until you consider the CreateToolhelp32Snapshot call. From the documentation:

If the function succeeds, it returns an open handle to the specified snapshot.
To destroy the snapshot, use the CloseHandle function.
Well, I'm not seeing any CloseHandle call, and the returned handle is only stored in esi (the HANDLE v0; // esi@1 line).

We have located the memory leak. Looking at what calls this function, it appears to be called once a second, so it's leaking at least one handle a second. Each leaked snapshot handle keeps its backing memory alive, so over time these handles build up and use up memory until Windows is either restarted or dies with out of memory errors.
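As an added example (not runsw.exe's code, nor Realtek's), here is the process-lookup routine done right, with the snapshot handle closed on every path, alongside a small check that samples a process's handle count and decides whether it is growing the way a leak does rather than just fluctuating. The Toolhelp and GetProcessHandleCount calls are Windows-only; the default target name runsw.exe and the thresholds are assumptions.

```python
"""Non-leaking Toolhelp process lookup, plus a handle-growth check for a running process."""
import ctypes
import sys
import time

TH32CS_SNAPPROCESS = 0x00000002
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000


class PROCESSENTRY32W(ctypes.Structure):
    _fields_ = [("dwSize", ctypes.c_uint32), ("cntUsage", ctypes.c_uint32),
                ("th32ProcessID", ctypes.c_uint32), ("th32DefaultHeapID", ctypes.c_size_t),
                ("th32ModuleID", ctypes.c_uint32), ("cntThreads", ctypes.c_uint32),
                ("th32ParentProcessID", ctypes.c_uint32), ("pcPriClassBase", ctypes.c_int32),
                ("dwFlags", ctypes.c_uint32), ("szExeFile", ctypes.c_wchar * 260)]


def _kernel32():
    if sys.platform != "win32":
        raise OSError("needs kernel32.dll (Windows)")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.OpenProcess.restype = ctypes.c_void_p
    return k32


def find_pid_by_name(exe_name: str):
    """PID of the first process whose image name matches, or None.
    The snapshot handle is closed on every path; that CloseHandle is what the post found missing."""
    k32 = _kernel32()
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        entry = PROCESSENTRY32W()
        entry.dwSize = ctypes.sizeof(entry)
        ok = k32.Process32FirstW(ctypes.c_void_p(snap), ctypes.byref(entry))
        while ok:
            if entry.szExeFile.lower() == exe_name.lower():
                return entry.th32ProcessID
            ok = k32.Process32NextW(ctypes.c_void_p(snap), ctypes.byref(entry))
        return None
    finally:
        k32.CloseHandle(ctypes.c_void_p(snap))


def handle_count(pid: int) -> int:
    """Current handle count of a process (what Task Manager's Handles column shows)."""
    k32 = _kernel32()
    proc = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not proc:
        raise ctypes.WinError(ctypes.get_last_error())
    count = ctypes.c_uint32()
    try:
        if not k32.GetProcessHandleCount(ctypes.c_void_p(proc), ctypes.byref(count)):
            raise ctypes.WinError(ctypes.get_last_error())
    finally:
        k32.CloseHandle(ctypes.c_void_p(proc))
    return count.value


def leak_rate(samples, interval_s: float) -> float:
    """Handles gained per second: least-squares slope over evenly spaced samples,
    so one short burst of handles does not dominate the estimate."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    xs = [i * interval_s for i in range(n)]
    mx, my = sum(xs) / n, sum(samples) / n
    return (sum((x - mx) * (y - my) for x, y in zip(xs, samples))
            / sum((x - mx) ** 2 for x in xs))


def is_leaking(samples, interval_s: float, min_rate=0.5, min_gain=20) -> bool:
    """A leak looks like sustained growth, not a plateau with noise."""
    return (samples[-1] - samples[0] >= min_gain
            and leak_rate(samples, interval_s) >= min_rate)


if __name__ == "__main__":
    exe, seconds = (sys.argv[1] if len(sys.argv) > 1 else "runsw.exe"), 60
    pid = find_pid_by_name(exe)
    if pid is None:
        sys.exit(f"{exe} not running")
    samples = []
    for _ in range(seconds):
        samples.append(handle_count(pid))
        time.sleep(1)
    print(f"{exe} pid {pid}: {samples[0]} -> {samples[-1]} handles, "
          f"{leak_rate(samples, 1.0):.2f}/s, leaking={is_leaking(samples, 1.0)}")
```

A process leaking one snapshot per second shows a slope of about 1.0 here; a healthy service settles to a slope near zero once it has started up. Once you have a culprit, the post's API Monitor/IDA route (or Sysinternals handle.exe) tells you which handle type is accumulating.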

A poorly designed executable from Realtek. I've emailed them about it but I don't expect it to be fixed; the memory leak has been reported for years with no resolution.
 


Monday, September 25, 2017

Skype for Business connection issue

We recently had a Skype/Lync connection issue where the user would enter their details and the Skype client would stay at "Connecting" forever.

Our setup is a local Active Directory (with a .local domain) and an Office 365 subscription; the local directory does NOT sync (for various reasons) with Office 365, so the accounts and passwords can differ between them.

We had also been preparing to sync the directories and had set up a UPN suffix for our .local domain following the Microsoft page here:
which we considered might also have been a contributing factor.

We tried a bunch of stuff to try to fix the Skype login issues:

  • Caches were cleared
  • DNS was flushed
  • DNS entries were checked
  • Temp files were deleted
  • Credentials were deleted 
  • Certificates were deleted
All of the standard troubleshooting techniques failed.

There were two interesting parts in the log files. The first was a

SIP/2.0 401 Unauthorized

response to a SIP REGISTER, and the second a

No Certificate

error further down. Nothing else in the logs was helpful.


This seemed to be a very common issue with many possible fixes popping up over the web.
  • https://www.michev.info/Blog/Post/1235/lync-and-mandatory-profiles
  • http://ucken.blogspot.com.au/2011/10/lync-loses-connection-every-8min-28sec.html
  • https://social.technet.microsoft.com/Forums/lync/en-US/c3c7567a-ffd4-453b-a0d3-e79b06e92f23/client-cant-login
But no single fix worked. The account was able to log in on another domain-joined computer, which was also strange and pointed to some local problem.

We finally got a break by looking at the "SigninTelemetryLog.XML" file that Skype creates: we noticed text like "GetBestManagedCredentialByType" and determined that Skype (for whatever reason) was trying to authenticate with the local domain's NTLM credentials instead of the password the user entered for Office 365. Since the two differed, authentication failed.


We then set the registry value DisableNTCredentials, listed here: Manage two-factor authentication in Skype for Business Server 2015, which stops the client from silently trying the logged-on Windows credentials and let Skype log in without issue.

All in all, this was a very time-consuming and difficult issue to diagnose. We didn't feel that Skype logged the authentication process sufficiently to precisely determine what the issue was. I presume that with an on-premises Lync server we would have had access to more debugging tools that might have made it easier.

Tuesday, March 1, 2016

iTunes Audio Redirection

Something that has annoyed me for years finally annoyed me too much.

iTunes does not allow you to select an audio output device on Windows. It's one of the most annoying things possible when you want to play iTunes videos on your TV but want all other sounds to come out of your main speakers.

It's something people have asked Apple to implement for years, and it isn't even that hard to do.

Well, no more.

I wrote a "shim" that allows you to select the output device for iTunes. It requires that you select DirectSound in your iTunes preferences.

It's pretty simple to use. Put the dsound.dll in your iTunes folder.
Then use the accompanying iTunesAudioSelector.exe to select your audio device. When you change the setting it stores the desired audio device in the registry, which the shim reads when iTunes tries to create the audio device.

When iTunes next starts it should be using the device you want rather than the default.

This works because Windows looks in the application's own directory before the system directory when loading a DLL by name, so a dsound.dll placed next to iTunes.exe is loaded in place of the system one. That is the same search-order behaviour DLL hijacking abuses, so only drop a shim like this into an application folder when you know where it came from.

Note this only works with x64 iTunes since that is what I use.


Get the two files here:
https://drive.google.com/file/d/0BwN-SjkZGsz2V3J6czVFT1JTQlk/view?usp=sharing

Tuesday, February 2, 2016

Blocking attachments by extension in Thunderbird

So after the third such incident at my work where a user had opened a .exe inside a .zip, I decided to write an addon for Thunderbird that blocks attachments that are either executable or are zip files containing an executable.

Our antivirus product (Kaspersky) has a feature to remove/rename .exe files in attachments, but unfortunately it can't remove/rename files inside archives (I submitted an enhancement ticket for it).

Since we use shared hosting for our email we don't have control over the mail server, so I couldn't implement a filter on the server itself, which would have been the preferred solution.

So my fallback was a Thunderbird addon. Since this was my first such addon and I had no idea how to write one, I forked another project and dropped my code into it as an addition.

Here is the source: https://github.com/glenritchie/SecondOpinion/tree/plusext

And pre-compiled(and signed) XPI files: https://github.com/glenritchie/SecondOpinion/tree/gh-pages/dist
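The core of such a check, as an added example that is not the SecondOpinion addon's code: decide for one attachment whether it is an executable or an archive holding one, looking at the final extension only (so "invoice.pdf.exe" is still an .exe) and descending into zips inside zips. Anything the check cannot inspect (an encrypted nested zip, a corrupt archive, nesting beyond a limit) is reported as a finding too, since the check can't vouch for it. The extension list and the nesting limit are assumptions; the sample attachments at the bottom are constructed in memory.

```python
"""Attachment policy: block executables and archives that contain executables."""
import io
import zipfile

# Extensions treated as executable (assumption). Final extension only.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}
MAX_NESTING = 3   # zip-in-zip depth to inspect before giving up and blocking


def is_executable_name(name: str) -> bool:
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(base.endswith(ext) for ext in EXECUTABLE_EXTS)


def executables_in_zip(data: bytes, depth: int = 0):
    """Paths of executable members, descending into nested zips; "!" separates levels."""
    if depth >= MAX_NESTING:
        return ["<nested too deep to inspect>"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["<corrupt or not a zip>"]
    found = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_executable_name(info.filename):
                found.append(info.filename)
            elif info.filename.lower().endswith(".zip"):
                try:
                    inner = zf.read(info)
                except RuntimeError:          # password-protected member
                    found.append(f"{info.filename}!<encrypted, not inspectable>")
                    continue
                found.extend(f"{info.filename}!{p}"
                             for p in executables_in_zip(inner, depth + 1))
    return found


def should_block(filename: str, data: bytes):
    """(block?, reason) for one attachment."""
    if is_executable_name(filename):
        return True, "executable attachment"
    if filename.lower().endswith(".zip") or data[:4] == b"PK\x03\x04":
        hits = executables_in_zip(data)
        if hits:
            return True, "archive: " + ", ".join(hits)
    return False, ""


def build_zip(members: dict) -> bytes:
    """Constructed test data: an in-memory zip from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {   # constructed attachments, not real mail
        "report.pdf": b"%PDF-1.4",
        "Invoice.PDF.exe": b"MZ",
        "docs.zip": build_zip({"readme.txt": b"hi", "invoice.pdf.exe": b"MZ"}),
        "outer.zip": build_zip({"inner.zip": build_zip({"setup.scr": b"MZ"})}),
        "photos.zip": build_zip({"a.jpg": b"\xff\xd8"}),
    }
    for name, data in samples.items():
        print(f"{name:16} -> {should_block(name, data)}")
```

The magic-byte check on the data catches a zip renamed to something harmless; the name check alone would miss it. A zip bomb or a deeply nested archive is cut off by MAX_NESTING rather than fully expanded.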

Monday, February 9, 2015

Digitech UPS - MP5222



If you have one of these and you've lost or forgotten the serial number that was on the CD sleeve (it's stupid that they don't print it on the UPS), then you can't reinstall the software to manage it.

If you find yourself in this situation, try this as your username when running the setup:

Gavin Peng

It will auto-fill the serial field with a serial number that passes the setup check. In other words the installer carries a hardcoded name/serial pair, so the serial check is not much of a protection.