Very important suggestions to improve RunAlyzer
Hi,
RunAlyzer is very promising and has a lot of potential, but unfortunately it is not yet usable if you run it under WinPE 2.0 (also called WinPE 2006).
To me, these suggestions are not only important, but extremely critical:
1) Check digital signatures of files and highlight in green those that belong to Microsoft. Or, alternatively, allow us to hide legitimate Microsoft signed entries.
2) The "file info" and "version info" tabs in the Services window often do not work. Check, for example, the "secdrv" entry: the tabs are empty!
3) Allow us to hide all the entries located in drive X: (it just clutters the screen, and we don't need to see them at all)
4) The "delete" button in the Services window does not work under WinPE. It appears to delete, but in reality it does not work. The "Save changes" button is always grayed out and cannot be clicked.
If you could fix those problems, it would be absolutely wonderful. I've been searching for years for a program like Sysinternals Autoruns that could work under WinPE 2.0.
Your program is the closest I've found, but it's still not there yet. I really hope it will one day become truly useful for WinPE users.
Thanks a million.
Best regards.
1. Signatures in general are already shown through a small symbol next to one of the columns (company name, imho) :)
But even with Vista, where Microsoft requires every program that wants to get "Certified for Vista" to be codesigned, 90% of all their own operating system files are NOT codesigned, thus making a filter based on that quite useless.
1.b. You can hide all green entries at least, see the "Hide legit" buttons.
2. Yes, we need to improve the mechanism to find files that are not specified through a full path.
3. You already can, through the Search & Filters pane at the bottom (you have to know some regular expressions though). And, you can collapse any drives group, so it should be sufficient to just collapse the X: group, and one single line surely does not clutter the screen too much.
4. Save Changes is probably just for the start type and error control setting (see Service Info panel); will have to check why the delete button does not work...
Sir,
1. Signatures in general are already shown through a small symbol next to one of the columns (company name, imho) :)
But even with Vista, where Microsoft requires every program that wants to get "Certified for Vista" to be codesigned, 90% of all their own operating system files are NOT codesigned, thus making a filter based on that quite useless.
The signature that you're currently checking is only the one that can be verified by right-clicking the file and going to the "Digital Signatures" tab?
If so, there's another method to check the signature that perhaps you may not be using yet.
Take a look at this utility:
http://www.microsoft.com/technet/sysinternals/Security/Sigcheck.mspx
That tool is able to check the signature of all files, even those that don't have a "Digital Signatures" tab in Windows Explorer.
I think it works by reading the Windows catalog files that are located in "C:\WINDOWS\system32\CatRoot\"
The biggest one is nt5.cat, and it contains the digital signatures of all Windows files.
Perhaps you'll need to use this function:
http://msdn2.microsoft.com/en-us/library/aa388208.aspx
And here's what sigcheck passes to WinVerifyTrust when checking C:\Windows\System32\notepad.exe, for example:
(this info was posted by a moderator of sysinternals forum, so I trust it to be correct):
WINTRUST_DATA members and values
cbStruct=48
pPolicyCallbackData=0x00000000
pSIPClientData=0x00000000
dwUIChoice=2 //WTD_UI_NONE
fdwRevocationChecks=0 //WTD_REVOKE_NONE
dwUnionChoice=2 //WTD_CHOICE_CATALOG
pCatalog=0x0012e570
--->cbStruct=36
--->dwCatalogVersion=0
--->pcwszCatalogFilePath=0x0012e5ec "C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\NT5.CAT"
--->pcwszMemberTag=0x0012e594 "8CD65FA193E9D11D5C1D946CFC003FB03F21D2F2"
--->pcwszMemberFilePath=0x0012f73c "c:\windows\system32\notepad.exe"
--->hMemberFile=0x00000000
--->pbCalculatedFileHash=0x0012e55c
--->cbCalculatedFileHash=20
--->pcCatalogContext=0x00000000
dwStateAction=1 //WTD_STATEACTION_VERIFY
hWVTStateData=0x00000000
pwszURLReference=0x00000000
dwProvFlags=0
dwUIContext=0 //WTD_UICONTEXT_EXECUTE
Thanks again,
Regards.
Well, most of our code is written to be as platform-independent as possible, so what we do is actually read the ASN1 part of the file. Authenticode inside the file is what Microsoft requires from other manufacturers ;)
WinVerifyTrust doesn't work on 9x based systems. Does it work on PE? Even for inactive partitions? If I had to guess, I would guess that this only works for the currently active system. Might be an advantage there, so I'll take a look at that function, but I wouldn't put too many expectations into it.
Hi,
WinVerifyTrust doesn't work on 9x based systems. Does it work on PE? Even for inactive partitions? If I had to guess, I would guess that this only works for the currently active system. Might be an advantage there, so I'll take a look at that function, but I wouldn't put too many expectations into it.
Yes, WinVerifyTrust does work under WinPE, and it does work for inactive systems.
The way to run sigcheck under WinPE is to give it the -c parameter. I use the following command line:
sigcheck -c C:\WINDOWS\system32\CatRoot\{guid}\nt5.cat *.*
And it always works correctly.
Regards.
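As an added example (not RunAlyzer code, and not from any poster in this thread), here is the WinVerifyTrust call from the trace above, with dwUnionChoice=WTD_CHOICE_CATALOG and an explicitly named catalog file, the same thing "sigcheck -c <catalog>" does, written in PowerShell so it can be run from a WinPE shell against an offline installation. The function names (Get-CatalogMemberHash, Test-CatalogSignature) and the "O=Microsoft Corporation" subject check are assumptions introduced here; the struct layouts, constants, and the catalog path are the documented values and the ones shown in the trace.

```powershell
# Added example: verify one file against a named Windows catalog via WinVerifyTrust
# (WTD_CHOICE_CATALOG). Not RunAlyzer code; helper names below are our own.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class CatTrust {
    [StructLayout(LayoutKind.Sequential)]
    public struct WINTRUST_CATALOG_INFO {
        public uint cbStruct; public uint dwCatalogVersion;
        [MarshalAs(UnmanagedType.LPWStr)] public string pcwszCatalogFilePath;
        [MarshalAs(UnmanagedType.LPWStr)] public string pcwszMemberTag;
        [MarshalAs(UnmanagedType.LPWStr)] public string pcwszMemberFilePath;
        public IntPtr hMemberFile; public IntPtr pbCalculatedFileHash; public uint cbCalculatedFileHash;
        public IntPtr pcCatalogContext; public IntPtr hCatAdmin;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct WINTRUST_DATA {
        public uint cbStruct; public IntPtr pPolicyCallbackData; public IntPtr pSIPClientData;
        public uint dwUIChoice; public uint fdwRevocationChecks; public uint dwUnionChoice;
        public IntPtr pUnion;                // -> WINTRUST_CATALOG_INFO (pCatalog in the trace)
        public uint dwStateAction; public IntPtr hWVTStateData; public IntPtr pwszURLReference;
        public uint dwProvFlags; public uint dwUIContext; public IntPtr pSignatureSettings;
    }
    [DllImport("wintrust.dll", SetLastError = true)]
    public static extern bool CryptCATAdminCalcHashFromFileHandle(IntPtr hFile, ref uint pcbHash, byte[] pbHash, uint dwFlags);
    [DllImport("wintrust.dll")]
    public static extern int WinVerifyTrust(IntPtr hwnd, ref Guid pgActionID, ref WINTRUST_DATA pWVTData);
}
"@
$M = [Runtime.InteropServices.Marshal]

function Get-CatalogMemberHash {
    # The hash a classic catalog stores per member: SHA-1 over the PE, 20 bytes,
    # which is the cbCalculatedFileHash=20 seen in the trace.
    param([string]$Path)
    $fs = [IO.File]::OpenRead($Path)
    try {
        $h = $fs.SafeFileHandle.DangerousGetHandle()
        $size = [uint32]0
        [void][CatTrust]::CryptCATAdminCalcHashFromFileHandle($h, [ref]$size, $null, 0)   # size query only
        $hash = New-Object byte[] $size
        if (-not [CatTrust]::CryptCATAdminCalcHashFromFileHandle($h, [ref]$size, $hash, 0)) {
            throw "CryptCATAdminCalcHashFromFileHandle failed: $($M::GetLastWin32Error())"
        }
        return $hash
    } finally { $fs.Dispose() }
}

function Test-CatalogSignature {
    param([string]$FilePath, [string]$CatalogPath)
    [byte[]]$hash = Get-CatalogMemberHash $FilePath
    $tag = -join ($hash | ForEach-Object { $_.ToString('X2') })   # pcwszMemberTag, upper-case hex as in the trace

    $pHash = $M::AllocHGlobal($hash.Length); $M::Copy($hash, 0, $pHash, $hash.Length)
    $cat = New-Object CatTrust+WINTRUST_CATALOG_INFO
    $cat.cbStruct = $M::SizeOf([type][CatTrust+WINTRUST_CATALOG_INFO])
    $cat.pcwszCatalogFilePath = $CatalogPath
    $cat.pcwszMemberTag       = $tag
    $cat.pcwszMemberFilePath  = $FilePath
    $cat.pbCalculatedFileHash = $pHash
    $cat.cbCalculatedFileHash = $hash.Length
    $pCat = $M::AllocHGlobal($cat.cbStruct); $M::StructureToPtr($cat, $pCat, $false)

    $wtd = New-Object CatTrust+WINTRUST_DATA
    $wtd.cbStruct = $M::SizeOf([type][CatTrust+WINTRUST_DATA])
    $wtd.dwUIChoice = 2; $wtd.fdwRevocationChecks = 0; $wtd.dwUnionChoice = 2   # WTD_UI_NONE, WTD_REVOKE_NONE, WTD_CHOICE_CATALOG
    $wtd.pUnion = $pCat; $wtd.dwStateAction = 1; $wtd.dwUIContext = 0          # WTD_STATEACTION_VERIFY, WTD_UICONTEXT_EXECUTE
    $action = [Guid]'00AAC56B-CD44-11D0-8CC2-00C04FC295EE'                     # WINTRUST_ACTION_GENERIC_VERIFY_V2
    try {
        $hr = [CatTrust]::WinVerifyTrust([IntPtr]::Zero, [ref]$action, [ref]$wtd)
        $wtd.dwStateAction = 2                                                  # WTD_STATEACTION_CLOSE releases hWVTStateData
        [void][CatTrust]::WinVerifyTrust([IntPtr]::Zero, [ref]$action, [ref]$wtd)
    } finally {
        $M::DestroyStructure($pCat, [type][CatTrust+WINTRUST_CATALOG_INFO]); $M::FreeHGlobal($pCat); $M::FreeHGlobal($pHash)
    }

    $hex = '{0:X8}' -f $hr   # HRESULT as two's-complement hex, e.g. 800B0100
    $known = @{ '00000000' = 'trusted'; '800B0100' = 'TRUST_E_NOSIGNATURE: not a member of this catalog, or catalog not signed'
                '80096010' = 'TRUST_E_BAD_DIGEST'; '800B0109' = 'CERT_E_UNTRUSTEDROOT' }
    $status = if ($known.ContainsKey($hex)) { $known[$hex] } else { 'other error' }
    # WinVerifyTrust only proves a chain to a trusted root. Whether that root/signer is
    # Microsoft is a separate question; the subject-string test below is a heuristic we assume here.
    $signer = (Get-AuthenticodeSignature -FilePath $CatalogPath).SignerCertificate
    [pscustomobject]@{
        File = $FilePath; MemberTag = $tag; HResult = "0x$hex"; Status = $status; Trusted = ($hr -eq 0)
        CatalogSigner   = if ($signer) { $signer.Subject } else { $null }
        MicrosoftSigned = ($hr -eq 0 -and $signer -and $signer.Subject -like '*O=Microsoft Corporation*')
    }
}

# Offline installation mounted at C: under WinPE, catalog path as in the trace:
Test-CatalogSignature -FilePath 'C:\Windows\System32\notepad.exe' `
    -CatalogPath 'C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\NT5.CAT'
```

Two caveats for anyone reusing this beyond XP-era images. CryptCATAdminEnumCatalogFromHash, the usual way to find which catalog contains a hash, consults the catalog database of the running system, not the offline volume, so for an inactive installation you have to walk that volume's CatRoot directory and try each .cat yourself, which is why the explicit-path form above matters. And catalogs on later Windows versions tag members by SHA-256, while CryptCATAdminCalcHashFromFileHandle returns SHA-1; for those, compute the tag with CryptCATAdminCalcHashFromFileHandle2 and BCRYPT_SHA256_ALGORITHM, otherwise the member lookup fails with TRUST_E_NOSIGNATURE even though the file is listed.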
Using sigcheck is not really an option - executing an external application for every single file in test would slow things down dramatically. But I found out how WinVerifyTrust can be passed the path to the catalog imho, so it should be possible if we can detect the path in non-standard ways (which shouldn't be a problem since it seems kind of fixed).
BTW: I did create this feature request (http://forums.spybot.info/project.php?issueid=144) about it :)
Thanks a million! I really appreciate your efforts.
I use WinPE a lot and I'll find RunAlyzer extremely useful with those improvements!
Thanks again,
Regards.
Showing which files are certified makes it easier for every user to distinguish between entries :)
(though even bad files can be certified, so it's not a 100% truth)
And btw, I found the service-delete bug and fixed that as well.
Need to discuss when to release a new version now / if there are any further changes required for a possible opening of the classification database as discussed in that other recent topic.
Showing which files are certified makes it easier for every user to distinguish between entries :)
(though even bad files can be certified, so it's not a 100% truth)
Yes, malware can also be digitally signed. The signature by itself doesn't guarantee that the file is safe.
However, I think it's fair to assume that we all trust files signed by Microsoft to be non-malicious, so I think that files correctly signed by Microsoft should always be marked green. Even those that you haven't catalogued yet.
If they come from Microsoft and the signature is correct, then they should always be highlighted in green.
What do you think?
Regards.