Mark Russinovich’s technical blog covering topics such as Windows troubleshooting, technologies and security.
PingBack from http://jaeweb.cantr.net/?p=20
# re: The Case of the Mysterious Driver
Interesting, wonder if this will cause any stir at Real..
3/27/2006 10:07:00 PM by Anonymous
Thanks Mark, another excellent hands-on demonstration of malware hunting.
3/27/2006 11:15:00 PM by Anonymous
When I searched for "Asctrm.sys" using Google, it came up with a website that listed "Asctrm.sys" as being part of Real Player. So that wasn't so difficult to find, was it? :-)
3/28/2006 12:35:00 AM by L. Zandman
Btw, Mark, why procexp90.sys does NOT have version info? :)
3/28/2006 2:23:00 AM by Anonymous
So that wasn't so difficult to find, was it? :-)
Well perhaps it wasn't. But then the article wouldn't have been half as interesting if it had finished after the first paragraph.
3/28/2006 4:56:00 AM by simple57uk
The process explorer driver does include version information, but Process Explorer can't find the infomration because the driver is deleted from disk after it loads. The version information is visible with the "lm kv" command in a kernel debugger.
3/28/2006 6:11:00 AM by Mark Russinovich
I did see a couple of reader-supplied comments in one of the database entries on the asctrm driver indicating a connection with RealPlayer, but no confirmation and so didn't trust the information.
3/28/2006 6:16:00 AM by Mark Russinovich
Very very interesting :-)
Which tool did you use to find strings in a binary file ? (the one which gave the output in mysteriousdriver2.gif).
3/28/2006 6:27:00 AM by Giuly
fascinating! i was not aware that you could use process explorer to see the drivers like this.
this is one of the things that makes your blog so useful, it is increadibly educational in how to use your utilities :)
3/28/2006 7:00:00 AM by Anonymous
Thanks a lot for the excellent tools and demos you provide on this web site!
Keep on explaining us Windows!
3/28/2006 7:08:00 AM by Sebastien
"However this example highlights the need for all software vendors (Microsoft included!) to clearly identify their applications and drivers in their version resources and in any associated Registry keys or values."
I agree completely, but my main problem is with the programs that install the drivers and applications so that they start automatically when the system loads.
For goodness sake, I don't WANT Realplayer or ITunes to load when my system starts. I would understand if the installation program gave me the OPTION of having those features enabled, but some programs have no way to disable the auto-start feature, even after installation. Furthermore, most of those applications automatically check on startup to see if their autostart registry key is still there, and if not, the program recreates it causing my manual removal of the entries to have no effect the next time the program is executed.
It seems like many programs take the approach, "I'll load myself at startup and run in the backgound so that the user thinks it's really cool that I can 'load' super fast." To me, the quick appearance of a program like this is not as important as overall system reaction speed.
Maybe I'm just different than everyone else, but I can see that at least someone out there has the same trouble I do...why else would there be programs like autoruns?
Some programs that I find to be offenders:
1. AOL (Aol Instant Messenger/AOL internet client software)
2. Real Player
3. Quick time
5. Windows Messenger -- seems that unchecking "load at system startup" doesn't always work, but I'm not sure if that's because another program is loading it.
Now, most of these programs I haven't used in some time (I gave up a long time ago and went to Trillian, RealAlternative, etc) so they may have been improved since I last tried them. Also, I concede that some people want AOL to load at system boot. I just find it annoying that software venders think they know what is "best" for the user. I've "fixed" many computers. Usually, I get called over to someone's house because their system is "slow." More times than not, it is the many legitimate programs autostarting and running in the background that are slowing the computer down, not malware.
3/28/2006 10:01:00 AM by Aaron
TkBellExe is a program that monitors media file associations and if anybody ever associates mp3 with some other application (the nerve!), Tinkerbell will reassign it back to RealPlayer. You agreed to run Tinkerbell as part of the license agreement you probably didn't read.
3/28/2006 10:07:00 AM by Anonymous
TkBellExe is a program that monitors media file associations and if anybody ever associates mp3 with some other application (the nerve!), Tinkerbell will reassign it back to RealPlayer.
I believe that it also manages the RealNetworks message center and performs auto-update checks.
3/28/2006 10:23:00 AM by Mark Russinovich
Real Player and other malicious software from non-malicious software manufacturuers---
I also disable TKBellEXE (i.e. RealSched.exe) everytime I load RealPlayer on my computer or anyone else's computer I work on. The license agreement does actually say what the program is for, but to me it is malicious. Malicious software by my definition is anything that uses up system resources without providing any benefit to the USER. Many companies like Real Corp. install software that benefits them but not the user, and makes them run automatically. Most companies don't include information about such in their EULA's. I do give Real Corp KUDOS for putting it in the EULA, but I still don't agree to run that part of the software so I disable it.
RealSched.exe its intersting they say doesn't communicate with their servers, however they admist to such communcations, and they claim that RealSched just schedules when another portion of the software will do that communcation.
"8. SCHEDULER. An application Scheduler, known as "realsched.exe," is installed along with RealPlayer. Once installed, it runs independently of RealPlayer. The Scheduler does not collect personal information or communicate with RealNetworks' servers. It is used to remind AutoUpdate, Message Center and the Watch Folders feature to perform their tasks at pre-scheduled intervals. Scheduler also watches for and alerts RealPlayer to connection and disconnection of portable devices. You can control these activities via the Automatic Services section of the Preferences dialog, located under the Tools menu."
Of course what it scedules are all of the "AUTOMATIC COMMUNICATIONS FEATURES." described in Section 7a-e.
This is pre-assuming Real Corp tells the truth, but considering they don't as Marc put it "clearly identify their applications and drivers in their version resources and in any associated Registry keys or values." I don't know that I can trust them. Still, at least they did put it in their EULA which is more than most other companies do. And, their software doesn't cease to work without the offending component. So I just disable it and remove the file so it can't run.
3/28/2006 6:43:00 PM by Neify
Process Explorer 10.x driver's version information: (use livekd)
kd> lm v m procexp100
start end module name
f8beb000 f8beca00 PROCEXP100 (deferred)
Image path: \??\C:\WINDOWS\system32\Drivers\PROCEXP100.SYS
Image name: PROCEXP100.SYS
Timestamp: Fri Jan 06 17:04:34 2006 (43BEE972)
File version: 126.96.36.199
Product version: 188.8.131.52
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
CompanyName: Sysinternals - www.sysinternals.com
ProductName: Process Explorer
FileDescription: Process Explorer
LegalCopyright: Copyright (C) M. Russinovich 1996-2005
3/28/2006 11:39:00 PM by Anonymous
Markuses RealPlayer? Has it stopped being a spyware-infested pile of poor programming since I last saw it?
3/29/2006 2:13:00 AM by Anonymous
RealPlayer certainly used to be a horrid festering pile, but the company has since cleaned up its act considerably.
I use RealPlayer for Linux every day to listen to net radio, and it's a wonderful piece of software - small, fast, light, with a consistent and well designed UI. It's even quite attractive without going overboard with totally native widgets.
In short, judge them by what they do today, not what they did yesterday (tempting though it is ...)
3/29/2006 7:07:00 AM by Anonymous
But ProcessExplorer 10.6 doesn’t show version information about C:\WINDOWS\system32\Drivers\PROCEXP100.SYS on my system. The Drivers directory doesn’t even contain such file. It’s so hard to find this file. I need to use Resouce Hacker to extract this file form Procexp.exe. Then I can see it’s version information.
I think this side effect exists because ProcessExplorer hasn’t got installer. Instead loads driver dynamically.
P.S. Sorry for my bad English.
3/30/2006 3:55:00 PM by Anonymous
What is it with companies from that part of the world trying to foist their, often less than open, ways on the rest of us.
How about a bit of corporate morality from the US of A without having it forced on them by courts etc.
4/3/2006 6:43:00 AM by Anonymous
Mark, and what do you think about mandatory driver signing on Vista?
Does it stop rootkits, like Sony DRM ? If not, what is the reason for that "protection" ?
4/3/2006 8:48:00 AM by alex
aaron, I too am bothered by those utils that feel they belong in the Run section somehow. In 99% of the cases, they don't!
IIRC, I also had to remove OpenOffice from the Run section, as well as the latest version of Adobe Acrobat Reader. I'm guessing that most "free" software vendors at this point feel they can act like jerks.
4/5/2006 1:01:00 AM by Rune
Hello Marks and Thanks a lot.
Just a question...
Can Process Explorer monitors process like counters in perfmon.msc? I'd like to monitor each process for a day or night whatever period, in order to locate the process who exceed 80 percent of time processor the cause of reduction of perfomance. (sorry for my english, I'm french :-p )
4/6/2006 10:19:00 AM by Betatesteur
Cant understand why anybody would want to run Real*.* after their spyware tactics in the past...
4/7/2006 5:43:00 AM by Instant
you are my god mark!( spam spam spam )You teach me. you are sooo good!
4/9/2006 8:44:00 AM by gaconverse
Just a question about the "infamous" TKBell.exe that launches the "realsched" task at boot time : I keep disabling it from autoruns, but as soons as I relaunch realplayer, it installs again. Is there a way to avoid this ?
4/10/2006 1:52:00 AM by MerleOne
Speaking of drivers... Is it possible to kill a KERNEL_DRIVER service that doesn't implement a stop function without having to reboot?
4/13/2006 4:16:00 PM by Anonymous
however this example highlights the need for all software vendors (Microsoft included!) to clearly identify their applications and drivers in their version resources and in any associated Registry keys or values.
taking a look straight off at ProcessExplorer (OH HOW I LOVE THESE WINTERNAL TOOLS!!)
MARK, PROCEXP100.SYS is not even Identified.
Just an observation :-)
4/19/2006 7:34:00 PM by MozartZ
Yes the good news is that you can stop those startups !
TKBell.exe + RealSched.exe + also Quicktimes qttask.exe can all be Renamed for eg - .exer. You will never be troubled again, unless you update of course, and they might install a replacement. But hey all is not lost, because if you create a dummy file with the Exact same names as those you Renamed, then they can't get replaced as 2 files of the same name arn't allowed to exist in the same location.
Actually you can use this trick for other pesky Apps too, and for all sorts of other blocking purposes, as i have !
In fact i think it might be possible to use this idea as some form of general Malware blocker. I've created a few Dummy files with the names of nasties and dropped into various locations in my PC. If any of those should ever, unlikely with my setup, try to get placed they will fail, and with a nice friendly Windows message to boot lol !
Have a nice peaceful stress free start up from now on.
5/1/2006 2:13:00 PM by SpannerITWks
Thank you for your high quality system tools.
I'm using process explorer now. I checked the System process and found one mysterious driver without any description and event without image file! So I can't hunt it.
Here is the simple text mode snapshot of this driver property.
Error opening file
Could you help me to figure it out?
Email: alingsjtu at gmail.com
5/31/2006 2:25:00 AM by Anonymous
An excerpt from the article
"Eliminating Explorer's delay when deleting an in-use file" ;
"Now that we know which addresses to patch, we need to map those addresses into the kernel-mode area of the memory. This will allow us to lock the pages in memory, thus preventing them from being swapped out to disk. In this case the memory we're modifying is "backed" by shell32.dll. If it were to be swapped out, the memory manager would attempt to write the changes back to shell32.dll. This would most likely cause Windows File Protection to swing into action, which is something we want to avoid, since it would most likely undo the changes we're going to make."
so my questions;
why WFP swings into action? isn't the driver just patching the memory but not the file? is swapping out a modified memory causes memory manager to write changes to the file? which file we are talking about? or WFP comes into action not only when a file is modified but also when the memory it has been mapped?
6/13/2006 6:20:00 AM by Spolsky
I hope you will continue to develop the tools for us poor administrators
7/26/2006 6:57:00 PM by Dicer
So how does one disable this one?
It doesn't appear in autoruns ...
8/16/2006 3:19:00 AM by Anonymous
Now that we know which addresses to patch, we need to map those addresses into the kernel-mode area of the memory.