Thread: Problem loading/unloading domain account registry hives

  1. #1 (Member; joined Oct 2007; 55 posts)

    Hi PepiMK,

    I have discovered another problem with hive loading/unloading. In this case the accounts on the machine are domain accounts. The users log in to the domain controller using their account on the server. This means the profile folder(s) under Documents and Settings on the workstation are in the form Domainname.Username.

    I login to a workstation using the Domain Administrator account. When I run Spybot the other user accounts are loaded into HKEY_USERS in the form of PE_C_Domainname.Username. I am not sure why the SID is not used for the other accounts? If I examine the following registry key, the other user accounts have a SID so why isn't Spybot using it?

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]

    To make matters worse, the PE_C_Domainname.Username hives are not unloading when terminating Spybot. This further confirms my findings that no PE_C_ hives are getting unloaded in my thread.

    http://forums.spybot.info/showthread.php?t=43902

    This is a real problem because we are right back to user hives being locked by Spybot if the user accounts are domain accounts. If a user logs out and another logs in, then the new user will have a temporary profile created because their hive is locked.

    Would you please step through the code and find out why none of the PE_C_ hives get unloaded. They used to get unloaded most of the time until the change to using SIDs. Now they never do. While you're in the code, can you determine why domain user accounts do not get loaded with their SID? I look forward to your reply and thanks for your support...
    Last edited by MrGreg; 2009-01-23 at 05:52.

  2. #2 PepiMK (Member of Team Spybot; joined Oct 2005; Planet Earth; 3,601 posts)

    Hmmm...

    Microsoft usually recommends to use the API, not the registry; thanks for that reg location anyway, it might come in helpful at some point.

    Spybot is using the LookupAccountNameW API call to determine SIDs, which usually has a broader scope, since it even works for user accounts without a profile. But, and there was the problem: it needs a backslash instead of the dot to separate domain and username.

    As for debugging, the code you know from 1.6.1 is basically gone, replaced by the new hive manager. Which will btw also write a "warning" entry for each unsuccessful load/unload operation into the system event log, which includes the error message. Example:

        C:\Tools\Analysis\BrowserCI\BrowserCI.exe:
        Error user loading hive D:\Users\Default\ntuser.dat
        The process cannot access the file because it is being used by another process.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  3. #3 (Member; joined Oct 2007; 55 posts)

    Hi PepiMK,

    Thanks for your reply. I think using the API call is definitely the way to go. I had a look at the syntax for the LookupAccountName API. I see what you mean...

        lpAccountName [in]
        A pointer to a null-terminated string that specifies the account name.

        Use a fully qualified string in the domain_name\user_name format to ensure that LookupAccountName finds the account in the desired domain.

    This of course is the reason that domain-based account names are not being loaded by their SID. It seems to me that your code will have to replace the period with a backslash for the API call to get the SID for domain-based accounts. Will you be making this change?

    I automate weekly scans with a scheduled task. Currently I cannot do weekly scans on machines that contain domain based accounts with this problem. The hives will load as PE_C_ hives and not be unloaded thus locking user account hives. I am guessing that this problem also exists for the new hive manager. I hope you will fix this.

    With all of these changes, I would guess that there will be a new release candidate for 1.6.1? Is there any timeline as to when the new release candidate will be ready? Thanks for your support...
    Last edited by MrGreg; 2009-01-23 at 15:16.
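The SID lookup discussed in the two posts above, as an added example (my own script, not Spybot's code and not the LookupAccountNameW call PepiMK mentions): it walks ProfileList, derives the account name from the profile folder, resolves it through .NET's NTAccount.Translate (the managed wrapper around LookupAccountName), and shows that the dotted folder name cannot be resolved while the backslash form can. Assumptions: Windows PowerShell on a domain-joined machine, and domain profile folders named "<Domain>.<User>" as MrGreg describes; if your workstations use "<User>.<Domain>" instead, swap the two halves in Convert-ProfileFolderToAccount.

```powershell
# Added example, not Spybot's code: resolve each local profile to its SID the
# way a tool should, and show why the dotted folder name fails.
# Assumptions: Windows PowerShell on a domain-joined machine; domain profile
# folders are named "<Domain>.<User>" as in the thread.

function Convert-ProfileFolderToAccount {
    param([Parameter(Mandatory)][string]$FolderName)
    # "CORP.jdoe" -> "CORP\jdoe". A folder without a dot is taken to be a
    # local account and is qualified with the machine name.
    $i = $FolderName.IndexOf('.')
    if ($i -lt 0) { return "$env:COMPUTERNAME\$FolderName" }
    return $FolderName.Substring(0, $i) + '\' + $FolderName.Substring($i + 1)
}

function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    # NTAccount.Translate wraps LookupAccountName, so it has the same rule:
    # "DOMAIN\user" resolves, "DOMAIN.user" does not (returns $null here).
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $null
    }
}

# Cross-check the API answer against ProfileList, which Windows keys by SID.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($key in Get-ChildItem -Path $profileList) {
    $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
    if (-not $path) { continue }
    $folder  = Split-Path -Leaf ([Environment]::ExpandEnvironmentVariables($path))
    $account = Convert-ProfileFolderToAccount $folder
    $apiSid  = Resolve-AccountSid $account
    [pscustomobject]@{
        Folder         = $folder
        Account        = $account
        ProfileListSid = $key.PSChildName
        DotFormSid     = Resolve-AccountSid $folder   # the pre-fix lookup; expected $null for domain folders
        ApiSid         = $apiSid
        Consistent     = ($apiSid -eq $key.PSChildName)
    }
}
```

Rows where DotFormSid is empty but ApiSid equals ProfileListSid are exactly the domain profiles the 1.6.1 code fell back to naming PE_C_Domainname.Username; the built-in system profiles (S-1-5-18/19/20) will show as inconsistent because their folder names are not account names, which is expected.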

  4. #4 PepiMK (Member of Team Spybot; joined Oct 2005; Planet Earth; 3,601 posts)

    That change was already made

    An excerpt from our code testing:
    Code:
    ===mounting/unmounting===
    ====htExternalSystem====
    (+++ Good) [00:00.000] RegHiveManager.FindHiveFiles
    (+++ Good) [00:00.000] cross-check count
    (+++ Good) [00:01.359] RegHiveManager.MountSpecificHives
    (+++ Good) [00:00.000] RegHiveManager.GetLoadedHiveInfos
    (+++ Good) [00:00.000] cross-check count
    (+++ Good) [00:00.563] RegHiveManager.UnmountAllUnusedHives
    (+++ Good) [00:00.000] RegHiveManager.GetLoadedHiveInfos
    (+++ Good) [00:00.000] cross-check count
    ====htExternalUsers====
    (+++ Good) [00:00.109] RegHiveManager.MountSpecificHives
    (+++ Good) [00:00.000] RegHiveManager.GetLoadedHiveInfos
    (+++ Good) [00:00.000] cross-check count
    (+++ Good) [00:00.219] RegHiveManager.UnmountAllUnusedHives
    (+++ Good) [00:00.000] RegHiveManager.GetLoadedHiveInfos
    (+++ Good) [00:00.000] cross-check count
    ====htSystemUsers====
    (+++ Good) [00:00.219] RegHiveManager.MountSpecificHives
    (+++ Good) [00:00.000] RegHiveManager.GetLoadedHiveInfos
    (+++ Good) [00:00.000] cross-check count
    (+++ Good) [00:00.265] RegHiveManager.UnmountAllUnusedHives
    (+++ Good) [00:00.000] RegHiveManager.GetLoadedHiveInfos
    (+++ Good) [00:00.000] cross-check count
    All types of hives do load and unload properly now.

    Just splitting user account handling to separate handling of system users vs. domain users will have to wait until 2.0.

    And the final build will be 1.6.1.44 and should be available Monday.
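The leftover-hive condition MrGreg describes (PE_C_ keys still mounted under HKEY_USERS after the scanner exits, locking the next user's ntuser.dat) and the event-log warnings PepiMK mentions, as an added example of how an administrator can check and recover from it. This is my own script, not Spybot's hive manager or its test harness. Assumptions: run from an elevated prompt on Vista or later (Get-WinEvent is not available on XP); the "PE_C_" prefix and the word "hive" in the warning text are taken from this thread and are not a documented interface.

```powershell
# Added example, not Spybot's code: list hives still mounted under HKEY_USERS
# under a non-SID name (the PE_C_<Domain>.<User> keys from the thread),
# unload the ones carrying a given prefix, and pull the warning events a
# hive manager leaves behind. Run elevated.

function Get-ForeignUserHives {
    # Keys Windows itself mounts are named by SID (plus a _Classes twin) or
    # .DEFAULT; anything else was loaded with RegLoadKey by some tool.
    Get-ChildItem -Path Registry::HKEY_USERS |
        Select-Object -ExpandProperty PSChildName |
        Where-Object { $_ -ne '.DEFAULT' -and $_ -notmatch '^S-1-\d+(-\d+)+(_Classes)?$' }
}

function Dismount-ForeignUserHives {
    param([string]$Prefix = 'PE_C_', [switch]$DryRun)   # prefix is an assumption from the thread
    foreach ($name in Get-ForeignUserHives) {
        if (-not $name.StartsWith($Prefix)) { continue }
        if ($DryRun) { "would unload HKU\$name"; continue }
        # reg.exe unload is RegUnLoadKey; it fails while any handle into the
        # hive is still open, which is the lock that produces temporary profiles.
        & reg.exe unload "HKU\$name" | Out-Null
        if ($LASTEXITCODE -eq 0) { "unloaded HKU\$name" }
        else { Write-Warning "HKU\$name still has open handles; unload failed" }
    }
}

function Get-HiveWarnings {
    param([int]$Newest = 200)
    # Level 3 = Warning in the System log. The event source is not named in
    # the thread, so filter on the message text instead (assumption).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 3 } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'hive' } |
        Select-Object TimeCreated, ProviderName, Message
}

Get-ForeignUserHives
Dismount-ForeignUserHives -DryRun
Get-HiveWarnings -Newest 50
```

Run the dry run first; if a hive refuses to unload, the scanner (or whatever opened it) still holds a handle, and killing that process is the only way to release it. Scheduling this check after a weekly scan, as MrGreg does, catches a stuck hive before the next interactive logon does.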

  5. #5 (Member; joined Oct 2007; 55 posts)

    Hi PepiMK,

    If I understand you correctly, 1.6.1.44 will still load domain user hives as PE_C_ but the new hive manager will ensure that they are unloaded when Spybot terminates. I will look forward to the final build of 1.6.1. Thanks...

  6. #6 PepiMK (Member of Team Spybot; joined Oct 2005; Planet Earth; 3,601 posts)

    Well, I did some last minute updates yesterday since I couldn't stand the "imperfect" feeling...
