Friday, August 28, 2015

Malwarebytes Install Error 0x000001d and other challenges

Back in April I pressed my older Shuttle SK41G small-form factor system out of mothballs and loaded up Win 7. New (borrowed) life for the Shuttle SK41G

Overall the process went fairly smoothly though the limited feature sets of the core processor presented challenges.

As a system running the 32-bit Windows 7 OS and purposed only for visiting guests to our household to use, it seemed adequate. I don’t have a PATA-based DVD-ROM reader to allow me to easily load the various Linux LiveCDs that are DVD sized.

I can use some other tools to try to run them via USB, but Shuttle booting off USB drives (or emulators) is a bit hit-or-miss.  So for now I continue to test Linux distros that are CD-sized to experiment with performance.

Anyway…I was updating the system last weekend (more on that later) and Malwarebytes notified me there was a new version build available.

I manually downloaded the installer file, launched it when the download finished, and was greeted by this error:


mbam.exe – Application Error

The application was unable to start correctly (0x000001d). Click OK to close the application.

That was unexpected. Maybe my installer file was corrupted? I tried a few more download/reinstall attempts but was met with the same error. The previous version worked fine. What gives?

Some web searching led me to this post that detailed the problem and the fix (though the steps didn’t seem clear to me at first reading).

Per “Root Admin”, “This is due to a compatibility issue with some older processors (Single core PIII and earlier, and AMD XP+)” and it appeared to arise with version 2.1.8.

The instructions state the following:

If you are receiving this error, luckily there is a special installer that you can use to avoid the problem. Please download the special installer from this page. Once downloaded, simply double-click to run, and the program should install as normal.

So in my mind, that meant first running the “special installer” and getting a full MBAM installation done.

Nope.

What it means is to do the following:

  1. Download the regular Malwarebytes/Malwarebytes Free application and install it.
  2. Download and run the “special installer” file (Malwarebytes_2.1.8_SSE2_Hotfix.exe). This patches/replaces some of the core files causing issue on the older processors.
  3. Run the Malwarebytes application and it should run normally again.

Step 2 results


Step 3 results.


In another matter, since it had been a while since I had booted this system, my attempts to run Windows Update and download/install the waiting patches was fraught with Update Errors.

After not making much progress on this front, I punted.

I downloaded the WSUS Offline Update utility, built a special Windows 7 x86 update package on one of my other systems. Then (via USB) I copied that client build over to the Shuttle system and ran it a few times. After many restarts I ended up getting the updates on the system without any more errors.

Whew!

For now Windows 7 remains on it, but I am very close now to going to a 32-bit version of the LXLE Desktop Linux distro.

Cheers!

Claus Valca

Java (JRE) 8 Update 60 - Note

Not sure how I missed it last week. I’m usually very good about catching such things.

Oracle released Java 8 Update 60 on August 18th. - Oracle Release Notes

So I’ve been playing catch-up on updating the (few) systems that I manage that still have a JRE installation on them.

Two things I’ve noted.

First, if you are getting a 1063 error code when installing it, check whether you are running Malwarebytes Anti-Exploit. If so, temporarily disable its protection before re-running the installer. When done, re-enable protection. This previous GSD post goes over the simple details & process.

Second, this particular JRE build doesn’t seem to fire the “do-you-want-to-remove-the-older-versions” uninstaller dialog window.

I’ve installed JRE 8u60 on a number of Windows systems now.

Previous versions of Java 8 would process the new version installation, then pop up a dialog window saying it (may have) found older/insecure version(s) of Java installed and asking whether you want to uninstall them.

If you answered affirmatively, then it would remove them.

However, this time around that dialog doesn’t present, and when I checked (because I always check) the “Programs and Features” list, the older Java versions were left on the systems.


I’ve manually removed the older versions as they aren’t needed for compatibility on my managed systems and I don’t want the security overhead of these older ones.
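As an added example (not from the original post, and not an Oracle tool), here is the PowerShell I would use to do that cleanup without clicking through Programs and Features on each box: it reads the Uninstall registry keys for “Java N Update M” entries (both the native and WOW6432Node views), keeps the newest per architecture, and removes the rest through msiexec using each entry’s MSI product code. The DisplayName pattern and the “MsiExec.exe /X{GUID}” uninstall-string format are assumptions based on how Oracle’s JRE installers register themselves. It is a dry run unless you pass -Remove from an elevated prompt.

```powershell
# Added example, not from the original post: find every Oracle JRE entry in
# Programs and Features, keep the newest per architecture, uninstall the rest.
# Dry run by default; run with -Remove from an elevated prompt to act.
param([switch]$Remove)

# 64-bit Windows keeps 32-bit installers under WOW6432Node; on 32-bit Windows
# that key is simply absent and Get-ItemProperty skips it.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJre {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        # Assumed display-name pattern, e.g. "Java 8 Update 60 (64-bit)", "Java(TM) 6 Update 45"
        Where-Object { $_.DisplayName -match '^Java(\(TM\))? \d+ Update \d+' } |
        ForEach-Object {
            # MSI products use the product-code GUID as the key name; fall back to the UninstallString
            $code = if ($_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') { $_.PSChildName }
                    elseif ($_.UninstallString -match '(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] }
            $ver  = try { [version]$_.DisplayVersion } catch { [version]'0.0' }   # 8u60 reports 8.0.600.x
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Version     = $ver
                ProductCode = $code
                Bits        = if ($_.DisplayName -like '*64-bit*') { 64 } else { 32 }
            }
        }
}

function Remove-StaleJre {
    param([switch]$Remove)
    $all = @(Get-InstalledJre)
    if (-not $all) { Write-Output 'No Java Runtime entries found.'; return }

    # Keep the highest version per architecture; everything older is a removal candidate
    foreach ($group in $all | Group-Object Bits) {
        $sorted = $group.Group | Sort-Object Version -Descending
        Write-Output ("Keeping {0}-bit: {1}" -f $group.Name, $sorted[0].DisplayName)
        foreach ($old in $sorted | Select-Object -Skip 1) {
            if (-not $old.ProductCode) {
                Write-Warning "No MSI product code for $($old.DisplayName); remove it by hand"
                continue
            }
            if (-not $Remove) {
                Write-Output "Would remove $($old.DisplayName) ($($old.ProductCode)); rerun with -Remove"
                continue
            }
            Write-Output "Removing $($old.DisplayName) ($($old.ProductCode))"
            # /qn = no UI, /norestart = never reboot; 0 = success, 3010 = success, reboot pending
            $p = Start-Process msiexec.exe -ArgumentList "/x $($old.ProductCode) /qn /norestart" -Wait -PassThru
            if ($p.ExitCode -notin 0, 3010) {
                Write-Warning "msiexec exit code $($p.ExitCode) for $($old.DisplayName)"
            }
        }
    }
}

Remove-StaleJre -Remove:$Remove
```

Run it once without -Remove to see what it would keep and drop; if a business application really does pin an older JRE, remove that entry from the candidate list before re-running with -Remove.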

Cheers.

Claus Valca

Friday, August 14, 2015

Sysadmin Linkfest: Rnd edition

Here is a seemingly random (Rnd) collection of linkage for the sysadmins in the RSS crowd.

Enjoy.

20683743 (Tools)

FileIOTest is a command line tool that tests the speed of local or remote (SMB) storage by performing some common file IO operations repeatedly and measuring the duration.

These are the main facts:

  • Performs four different types of file IO: write, custom read, read with the GetPrivateProfileString API, create/delete
  • The number of iterations can be specified
  • Each generated file name is unique to prevent caching
  • Works with local and UNC paths
  • FileIOTest does not require any software to be installed
  • FileIOTest works on any version of Windows from Vista / Server 2008 onwards
  • FileIOTest is freeware

Couple this utility with some Windows performance monitoring traces (Win 10 WPT via the Win ADK here) and who knows what fun you could have?!  See also PerfView.

44468807 (Surface Pro)

I’ve been seeing some strange trends with a few of our Surface Pro 3 devices. Some of them seem to be losing functionality (drivers?) with the Microsoft Dock hardware. Cases in point: one Surface Pro 3 tablet (Win 8.1) has lost the ability to connect to the network via the Dock Ethernet port. If I take another SP3 unit and place it in the same Dock, it connects fine to the network with no issues, so it doesn’t seem to be an issue with the dock itself, just this particular tablet picking up and using the driver. I’m going to see if any of the Ethernet drivers in this pack (or the driver pack MSI itself) resolves the issue before reimaging the unit. Likewise, a different SP3 user reported that their external monitor, connected via the DisplayPort on the Dock, stopped working. Take another SP3 unit and place it in the same dock and it drives the same external monitor just fine. Again, I’m going to try the driver pack first before reimaging the unit. Thoughts?

59479408 (Mobile Ads/Malware)

I’ve seen a few of these “pop-up” fake alert windows in iOS, but not many. Lavie has seen more than a good many on her iOS devices. So far we have been able to get out of them with a bit of work but no harm done, yet. Regardless we are now more sensitive to these “exploit” methods.

I’m looking forward to the potential capability of ad-blocking modules (for security, not revenue drain) in iOS 9. Here are some links:

48734052 (Anti-Virus)

71414462 (Network Tools)

35251748 (SSD’s)

60014312 (Windows Server 2012 Essentials)

4537758 (Folder Redirection Considerations)

78434592 (Windows 8/8.1/10 and Windows Photo Viewer)

One of the most common requests for help from our Surface Pro 3 tablet users is how to get the photos embedded in emails to open in Windows Photo Viewer rather than the Windows 10 “app”. It’s easy enough to show them how to save the attachment to disk, then right-click and “open with” Windows Photo Viewer. However, that’s not convenient. Here are some tips on how to set it as the default application.

Randomness courtesy of the random number generator at RandomNumberGenerator.com

Carry on!

Claus Valca

Windows 10 Linkpost: Constructive Edition


“ubuntu 9.10 cloud server in a box”
CC by 2.0 attribution: by fsse8info on flickr.
…and yes, I like the irony… 

Despite all my recent rantings about privacy issues in Windows 10 -- and my ongoing delays in actually planning to install it on any of my home systems -- I really and sincerely want to install it on my home systems.

The updates to the Windows kernel, the enhanced performance, the non-controversial feature sets it provides make it a very attractive product for most users.

So with that in mind, and having some time since the initial excitement surrounding its release, here is a new collection -- mostly troubleshooting and tweaking related -- for reference.

Alienware Black Screen During Win 10 Upgrade

My little brother decided to pull the trigger and upgrade his Windows 7 Alienware system to Windows 10 last week. Overall it went well but he did encounter a persistent “black screen” issue during the upgrade process.

Here you go for the issue background and solution.

Side note: What’s interesting to me about this particular issue is that it seems to be related to situations where you have an on-board Intel graphics controller plus a graphics card. Windows (falsely) detects a phantom monitor connected and pipes the “primary display” that direction so you can’t see it. I’ve seen a similar behavior on a new Dell Latitude system running on a Dell Dock unit kicking out extended video output via a DVI-type connection. When the system goes to sleep, or screen-locks, you get the black screen with no (apparent) way to get back onto the system other than a hard-reboot. I don’t have that issue when I run the extended display via a VGA connection.  This is going to be the trick I try next time I set up a system in that configuration.

Possibly related: Windows 8 Pro Upgrade: Black Screen Troubleshooter - Borns IT and Windows Blog (Google Translated)

Anyway, his system seems to be running well at the moment.

No. We haven’t discussed the whole privacy issue and any tweaking he may have done.

Thanks for the tip, bro!

How to do stuff to Windows 10 (Standard Level)

Most of these tips and tweaks are pretty standard items. Nothing too crazy or risky.

How to do stuff to Windows 10 (Advanced Level)

This collection of tips and tricks is a bit more technical. Mostly for the sysadmin crowd.

Clean Installs & Product Key Discovery


Security Thoughts

That first post got my recollections running.

Back for the Windows 8/8.1 release we were asking ourselves a similar question -- how do I interact with Windows Defender?

Advanced Tips for Windows Defender with Windows 8 - grandstreamdreams blog

My comments and tweak-tippage then may still be valid today.

When Lavie upgraded to a Windows 8 system, Microsoft Security Essentials couldn’t be installed as, in its wisdom, Microsoft bundles an MSSE version of Windows Defender on the system instead. That’s just the way it is. While essentially the same product, it doesn’t have some of the more granular control in setting scheduled scans, DAT updates, or on-demand scans.

So if you have Windows 8, and are using the stock Windows Defender as your AV/AM solution, then you might find the following “power tips” to using/tweaking Windows Defender helpful.

Indeed, Margus Saluste has updated his posts to now include Windows 10 support.

TechNet also had a PowerShell script to add Windows Defender “scan with” to the context menu for Windows 8. Experiment on your own Windows dime: [Script of Feb. 25] How to add Windows Defender to the file context menu in Windows 8 (PowerShell) - OneScript Team Blog

So there you go. Happy Windows Defender tweaking in Windows 10.

Windows 10 Updating and Bandwidth Considerations

If you have a lot of Windows 10 systems in your network, this probably sounds like a good thing.

If you don’t like the idea of using your system/bandwidth to update others’ Windows 10 systems outside your network (via peer-to-peer type connections) then that feature may be a bad thing.

To be clear, this is different (but related) to that whole - automatic force-feeding of updates thing that Windows 10 does.

Commentary

Errors and Troubleshooting

This next section is pretty link-heavy and technically deep. However there is the off chance that a particular error could arise and these may be valuable.

Cheers,

Claus Valca

This week in browser bits: the race to update

In case you didn’t notice this past week or two…

Firefox 38/39 got patched for a file-stealing bug

then Firefox 40 got released soon after…

then Firefox 40.0.2 got released to fix some issues

Mozilla Malware Protection (enhancement) news…

In my older rant blog-post Firefox Malware Detection Download Monitoring: Thoughts I opined about the benefit but frustration of Mozilla’s safer browsing security features. Control over that feature fine-tuning began with fuller support in Firefox 39.

So with version 40 that support has been enhanced again.

Expanded Malware Protection in Firefox - Mozilla Security Blog

Fortunately, you do have a measure of control to disable (or dial back) this security feature if it blocks some legitimate sites or downloads.

In other (mostly Mozilla) news…

Browse on my friends.

Claus Valca

Windows 10 Linkpost: Privacy Nightmare Edition

CC by 2.0 attribution: by Cory Doctorow on flickr.

In the last GSD Win 10 linkpost edition, we covered a lot of ground including a section on Windows 10 privacy concerns. We looked at a Tinyapps.org blog link that highlighted some of the EULA changes in Windows 10 and some general tweaks that could be useful to minimize the leakage of private data.

Not too long after that was posted, I began seeing some utilities and tools being developed and released that could allow concerned Windows 10 users to go beyond the standard set of Windows 10 tweaks easily accessible by knowledgeable users to curtail information and privacy leakage.

Since that time, even more research has been done on information leakage in Windows 10.  It looks to be increasingly difficult to prevent all information leakage on the Windows 10 OS. By that I mean information leakage from the Windows 10 OS itself; not even “normal” privacy leakage and user tracking via applications, web-browsers, cookies and “super-cookies”, etc.

Windows 10’s privacy policy is the new normal - Ars Technica

Even when told not to, Windows 10 just can’t stop talking to Microsoft - Ars Technica

As Peter Bright points out in his first Ars Technica post, a lot of OSes have similar “phone home” behavior. And it is likely that the OSes of mobile devices can track you even more closely as you walk around the earth than a more grounded laptop/desktop system. However, considering the broad release and “free upgrade” nature of Windows 10, many consumers may be unaware just how leaky Windows 10 is, or how significantly Microsoft has changed how the Win 10 OS chatters back home compared to previous versions.

For just one example:

So there are a number of guides on how a savvy user can modify the Windows 10 settings -- either during a custom installation upgrade or after the upgrade has gone on.

It seems these just scratch the surface.

If you really want to dial down the leakage, you may want to consider using a third-party tool to make more significant and deeper changes to your Windows 10 OS.

OK. Before we move on, here are some notices.

HERE BE DRAGONS WARNING #1:

I’ve seen the following post comment issued out by Microsoft to a number of bloggers referring to the tools that will be discussed below. So let me save them some time by reposting it here.

“We strongly suggest customers do not install applications of this nature. These types of third-party apps can alter the way the system operates, creating future problems and changing important settings and features.”

HERE BE DRAGONS WARNING #2:

Different tools take different approaches, and some could cause significant performance, stability, or security issues of their own if applied. Some whack into the Windows Registry. Some stomp on Windows services. A few even make (or block) specific network communications. Few make backups of the system settings before changes are applied, restricting your ability to roll back the changes if something breaks.

Proceed at your own risk. I really encourage you to spend some time evaluating and understanding each of the tools listed or linked below before actually using.

Windows 10 Privacy Utilities

Martin Brinkmann’s post provides links and overviews to (currently) six maybe-ready for primetime utilities that can help Windows 10 users manage and take (some) control of privacy in Windows 10.

I highly recommend starting out there.

Here are some additional links I found in the days leading up to his post. Some of the tools mentioned in these articles are also covered in the gHacks post. Check out the comments for additional discussion.

I expect one or two things to happen in the area of Windows 10 privacy in the coming months:

  1. We will see more of these Windows 10 privacy tools and utilities come out, each with greater capability, stability, effectiveness, and polish. With Windows XP the tweak tools tended to be “GUI experience” focused. With Windows 7 that trend continued. Windows 8/8.1 tweak tools seemed to be those to restore the Start Menu and make the GUI experience more familiar to XP/Win 7 users. With Windows 10, the tweaks du jour will most likely be “privacy” impacting. That’s my guess.
  2. I hope we will see more information and transparency from Microsoft on ALL the components, services, network features, etc. that apply to privacy, usage and behavior tracking, and network connections in support of the OS itself. I hope. This might go a long way to restoring a sense of trust to the Windows fan base.

Regardless, I’m still waiting a while before dropping Windows 10 on any of my home systems.

Constant Vigilance!

Claus Valca

So that’s how it works: Windows Platform Binary Table (WPBT)

Thanks to the ongoing work at Lenovo for their platform support methods, I now have a better understanding of how a security product such as Computrace can survive drive wiping; to then reload itself on a reimaged system.

Lenovo used Windows anti-theft feature to install persistent crapware - Ars Technica. From Peter Bright’s article:

And in its own awful way, it's a feature that makes sense. The underlying mechanism is simple enough; the firmware constructs tables of system information when the machine boots. The operating system then examines these tables to, for example, learn what hardware is installed in the machine and how it is connected. This is all governed by a specification called ACPI, Advanced Configuration and Power Interface. Microsoft defined a new ACPI table, the Windows Platform Binary Table (WPBT), that contains information about a firmware-embedded executable. When it boots, Windows looks for a WPBT. If it finds one, it copies the executable onto the filesystem and runs it.

The primary purpose of WPBT is the automatic installation of anti-theft software. This kind of software typically does a couple of things that require online connectivity: it can phone home to check if it's been reported stolen (and brick or otherwise disable itself if it has), and it can phone home to simply report where it is to aid recovery of lost or stolen hardware.

It's reasonably common (though by no means universal) for stolen hardware to have its disk wiped, thereby removing any anti-theft software and limiting the chance of recovery. WPBT provides a solution: even if the disk is wiped and the operating system reinstalled, the firmware can re-establish the software and report that the laptop was stolen.

So to get up to speed: Lenovo used this feature in the BIOS of certain of their systems to ensure that their service engine software would “respawn” even if removed by the user. Couple this stealth persistence behavior with some security issues in that software, and you have the makings of a second hurricane landfall of security hurt upon Lenovo.

A Microsoft technical paper detailing the Windows Platform Binary Table (WPBT) is available. Warning, the following is a direct link to a DOCX document: Microsoft WPBT DOCX Link. As most of the articles about this paper only link to the document itself and not its context, here is a link to the Windows Hardware Dev Center Archive - Windows 10 hardware dev, where the paper in question can be located under the Driver Archive section.

If you do have a Lenovo system using this rootkit-like methodology, Lenovo has provided a removal tool.

Additional linkage on the topic

And previous Lenovo “SuperFish” issues:

Knowledge of this functionality in Windows could give those looking to exploit a system another means of APT (advanced persistent threat) survivability.

Microsoft’s own WPBT paper (previously linked to above) addresses this threat in the “Security Considerations and Requirements” section.

The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration. One use case for WPBT is to enable anti-theft software which is required to persist in case a device has been stolen, formatted, and reinstalled. In this scenario WPBT functionality provides the capability for the anti-theft software to reinstall itself into the operating system and continue to work as intended. This functionality is powerful and provides the capability for independent software vendors (ISV) and original equipment manufacturers (OEM) to have their solutions stick to the device indefinitely. Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions. In particular, WPBT solutions must not include malware (i.e., malicious software or unwanted software installed without adequate user consent).

And Microsoft also offers a warning (of sorts). Take it as you will.

Removal of Malware
If partners intentionally or unintentionally introduce malware or unwanted software through the WPBT, Microsoft may remove such software through the use of antimalware software. Software that is determined to be malicious may be subject to immediate removal without notice.

Likewise, knowledge is power, so this can provide forensic security experts with one more area of a system to investigate during incident response.

I’m sure there are some tools that might exist to examine the area on the BIOS where this specific code could be stored and extract it for analysis; if not then I’m confident they will be developed.

One utility for examining the code in BIOS that came to my mind immediately was RWEverything. I had encountered it before as a tool in extracting the Windows Key from Win 8/8.1 systems. It probably holds true for Win 10 keys as well.  Also Nir Sofer’s FirmwareTablesView might help out with viewing the WPBT contents if supported and present.
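As an added example (not from the original post, Microsoft’s paper, or either of the tools just mentioned), the following PowerShell does the first-pass check I would want on a suspect machine: it reads the WPBT through the documented kernel32 GetSystemFirmwareTable API, decodes the header fields Microsoft’s paper lists (the 36-byte ACPI header, then handoff size, handoff physical address, content layout, content type, argument length and UTF-16 arguments), and then looks for wpbbin.exe under System32, which is where Windows writes the embedded binary before running it. Assumptions: Windows 8 or later (where WPBT is honored) and that the field offsets follow Microsoft’s published layout. Note the table only points at a physical address; the image itself has to be pulled with a physical-memory tool such as RWEverything, so the dropped wpbbin.exe is the easy copy to hash and submit for analysis.

```powershell
# Added example, not from the original post: dump the WPBT ACPI table via the
# documented GetSystemFirmwareTable API and check for the dropped payload file.
# Works from a normal prompt on Windows 8+; field offsets follow Microsoft's WPBT paper.

Add-Type -Namespace Wpbt -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint GetSystemFirmwareTable(uint providerSignature, uint tableId, IntPtr buffer, uint bufferSize);
'@

function Get-AcpiTable {
    param([Parameter(Mandatory)][ValidateLength(4,4)][string]$Signature)
    $provider = 0x41435049   # 'ACPI' provider constant as documented for GetSystemFirmwareTable
    # Table IDs are the 4 ASCII signature bytes read as a little-endian DWORD ('WPBT' -> 0x54425057)
    $tableId = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes($Signature), 0)
    $size = [Wpbt.Native]::GetSystemFirmwareTable($provider, $tableId, [IntPtr]::Zero, 0)
    if ($size -eq 0) { return $null }   # table absent (ERROR_NOT_FOUND) or call failed
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$size)
    try {
        $got = [Wpbt.Native]::GetSystemFirmwareTable($provider, $tableId, $buf, $size)
        if ($got -eq 0) { return $null }
        $bytes = New-Object byte[] $got
        [Runtime.InteropServices.Marshal]::Copy($buf, $bytes, 0, [int]$got)
        return $bytes
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

function ConvertFrom-WpbtTable {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 52) { throw "Buffer too short for a WPBT table ($($Bytes.Length) bytes)" }
    $ascii = [Text.Encoding]::ASCII
    # ACPI rule: every byte of the table sums to zero modulo 256
    $sum = 0; foreach ($b in $Bytes) { $sum = (($sum + $b) -band 0xFF) }
    $cmdLen  = [BitConverter]::ToUInt16($Bytes, 50)
    $cmdLine = if ($cmdLen -gt 0 -and (52 + $cmdLen) -le $Bytes.Length) {
        [Text.Encoding]::Unicode.GetString($Bytes, 52, $cmdLen).TrimEnd([char]0)   # UTF-16LE arguments
    } else { '' }
    [pscustomobject]@{
        Signature       = $ascii.GetString($Bytes, 0, 4)
        Length          = [BitConverter]::ToUInt32($Bytes, 4)
        Revision        = $Bytes[8]
        ChecksumValid   = ($sum -eq 0)
        OemId           = $ascii.GetString($Bytes, 10, 6).TrimEnd([char]0, ' ')
        OemTableId      = $ascii.GetString($Bytes, 16, 8).TrimEnd([char]0, ' ')
        # Where in physical memory the firmware left the PE image, and its size
        HandoffSize     = [BitConverter]::ToUInt32($Bytes, 36)
        HandoffPhysAddr = ('0x{0:X}' -f [BitConverter]::ToUInt64($Bytes, 40))
        ContentLayout   = $Bytes[48]   # 1 = a single PE image
        ContentType     = $Bytes[49]   # 1 = native user-mode application
        CommandLine     = $cmdLine
    }
}

function Test-WpbtPresence {
    $table   = Get-AcpiTable -Signature 'WPBT'
    $dropped = Join-Path $env:SystemRoot 'System32\wpbbin.exe'   # where Windows writes the extracted binary
    if ($null -eq $table) {
        Write-Output 'No WPBT table exposed by firmware.'
    } else {
        ConvertFrom-WpbtTable -Bytes $table | Format-List
    }
    if (Test-Path $dropped) {
        Get-Item $dropped | Select-Object FullName, Length, CreationTimeUtc,
            @{ n = 'SHA256'; e = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } }
    } else {
        Write-Output "$dropped not present."
    }
}

Test-WpbtPresence
```

A table whose OEM IDs or command line you don’t recognize, or a wpbbin.exe whose hash you can’t match to the vendor’s documented tool, is worth a closer look. Save both the raw table bytes and the dropped file before reimaging, since the table will come back with the firmware anyway.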

Curious.  Very curious.

Constant Vigilance!

Claus Valca