lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <4385AFCF.DF874397@dessent.net>
Date: Thu Nov 24 12:19:35 2005
From: brian at dessent.net (Brian Dessent)
Subject: Window's O/S

Greg wrote:

> In C:\windows\ the file "nnotepad.exe" remained as I had changed it and a
> brand new (from the same date as the renamed exe) "notepad.exe" appeared and
> same under c:\windows\system32 and c:\windows\dllcache as well.

http://www.microsoft.com/whdc/winlogo/drvsign/wfp.mspx

> So my question next is "If I have renamed the whole lot that I could find,
> where did this replacement notepad.exe come from?" and I can't really answer

The WFP thread watches for file changes and replaces files deemed
"system" files whenever they are modified or replaced.  This is not
unique to notepad.  I don't know how this daemon works but I'd assume it
keeps a private cached copy of all files so that it can replace them
when changed.  I think this is what "dllcache" is.  This means there are
always two copies of the file at any given time, and since it's
impossible to atomically delete two files simultaneously, the WFP thread
can always use one copy of the file to replace the other.  If not it
could probably grab it from the .cab file that's usually tucked away in
%WINDIR% somewhere.

> that one excepting to say that because notepad is the default html editor in
> IE6, perhaps IE6 has notepad somehow protected? BTW, my changed default

No, it has nothing to do with IE or the original subject of this
thread.  Notepad.exe just happens to be one of a large number of files
that WFP has on its list.

Brian
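As an added illustration of the behaviour Brian describes (this is not code from the thread), the PowerShell below asks Windows File Protection itself whether a file is on its protected list, via the `SfcIsFileProtected` export of `sfc.dll` that XP/2003 shipped, and then compares the hash of the live `system32` file with the duplicate WFP keeps under `system32\dllcache`. It assumes an XP-era system where `sfc.dll` still exports that function and where the cache lives at `%WINDIR%\system32\dllcache`; on later Windows, WFP was superseded and the call may be unavailable.

```powershell
# Added example, not part of the original mailing-list thread.
# Assumes Windows XP/2003: sfc.dll exports SfcIsFileProtected and WFP keeps its
# spare copies in %WINDIR%\system32\dllcache (both assumptions, not facts from the post).

Add-Type -Namespace Wfp -Name Native -MemberDefinition @'
[DllImport("sfc.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool SfcIsFileProtected(IntPtr RpcHandle, string ProtFileName);
'@

function Get-FileSha256 {
    # .NET hashing so this also works on PowerShell versions without Get-FileHash.
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Dispose(); $sha.Dispose() }
}

function Test-WfpFile {
    # Reports whether WFP protects the file and whether the live copy still
    # matches the cached copy WFP would use to restore it.
    param([string]$Name)
    $live  = Join-Path $env:WINDIR "system32\$Name"
    $cache = Join-Path $env:WINDIR "system32\dllcache\$Name"

    # RpcHandle must be NULL when calling from the local machine.
    $protected = [Wfp.Native]::SfcIsFileProtected([IntPtr]::Zero, $live)

    $result = [ordered]@{
        File      = $live
        Protected = $protected
        CacheCopy = Test-Path $cache
        Match     = $null
    }
    if ($result.CacheCopy -and (Test-Path $live)) {
        # A mismatch means either the live file changed and WFP has not yet put the
        # cached copy back, or the cache itself was altered; both deserve a closer look.
        $result.Match = (Get-FileSha256 $live) -eq (Get-FileSha256 $cache)
    }
    [pscustomobject]$result
}

# notepad.exe is the file the thread is about; any other system32 name works too.
Test-WfpFile 'notepad.exe' | Format-List
```

Run it before and after a controlled change to a test machine's copy to watch the Match field flip and then recover once WFP has restored the file from dllcache.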
