After loading my MSI file on a bunch of computers, my systems and drivers
were all working just fine except for one computer - drat.

I hooked up windbg to that computer and discovered that it was doing some
strange stuff, and when I thought I had identified a possible problem I blew
away the driver and replaced it only to discover that I'd made an error in
this analysis.

So 1st I loaded in a copy of the original driver by hand and things came
alive!
Then I reloaded from my msi file and things were still alive!

Conclusion: during the installation of the msi file, there was some
corruption of my file.

HERE IS WHERE IT GETS INTERESTING:

Experiment: Take a driver from c:\windows\system32\drivers and randomly
edit the file with a binary editor and do not update any checksums along
the way!
Then try to load it.

In my case, I edited some text strings in the file, and I did not change the
file length.

It loads just fine. Did I hallucinate this? I thought a checksum would be
calculated over the entire file. Surely the system would be sensitive to
corruption from bad drivers as such. What about Security implications?

--
Gak -
Finecats
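The field the original poster expected to catch the corruption is the CheckSum dword in the PE optional header. The script below, an added example and not code from any poster in this thread, computes that checksum the way imagehlp's CheckSumMappedFile does (16-bit one's-complement sum over the whole file, skipping the CheckSum field itself, plus the file length), compares it with the stored value, and then repeats the thread's experiment on a constructed, non-loadable PE-shaped byte string: overwrite a text string without changing the file length and see that the stored checksum no longer matches. The sample image, its strings and offsets are constructed for this example.

```python
"""Compute and verify the PE optional-header CheckSum of an image file.

Added example for the discussion above (not code from any poster): the
header carries a checksum, but the thread's experiment shows that a driver
with edited bytes still loads, so anyone who wants to notice such a change
has to check the file offline. The algorithm is the one used by imagehlp's
CheckSumMappedFile: a 16-bit one's-complement sum over the whole file,
skipping the CheckSum field itself, plus the file length.
"""
import struct

E_LFANEW_OFFSET = 0x3C                   # DOS header: file offset of "PE\0\0"
COFF_HEADER_SIZE = 20
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64


def checksum_field_offset(data: bytes) -> int:
    """Return the file offset of the 4-byte CheckSum field."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    return pe_off + 4 + COFF_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER


def compute_pe_checksum(data: bytes) -> int:
    """Recompute the CheckSum value for the whole file."""
    field = checksum_field_offset(data)
    padded = data + (b"\0" if len(data) % 2 else b"")
    acc = 0
    for off in range(0, len(padded), 2):
        if field <= off < field + 4:         # the field itself is not summed
            continue
        acc += padded[off] | (padded[off + 1] << 8)
        acc = (acc & 0xFFFF) + (acc >> 16)   # fold the carry (one's complement)
    acc = (acc & 0xFFFF) + (acc >> 16)
    return (acc + len(data)) & 0xFFFFFFFF


def stored_pe_checksum(data: bytes) -> int:
    """Read the CheckSum value the linker (or signing tool) wrote into the header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def checksum_matches(data: bytes) -> bool:
    """True when the stored field agrees with a recomputation over the file."""
    return stored_pe_checksum(data) == compute_pe_checksum(data)


def build_sample_image() -> bytearray:
    """Constructed, minimal PE32-shaped byte string (headers only, not loadable)."""
    img = bytearray(256)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW_OFFSET, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 4, 0x014C)    # Machine: i386
    struct.pack_into("<H", img, 0x40 + 24, 0x10B)    # Magic: PE32
    text = b"FineCats sample driver v1.0\0"           # constructed string data
    img[200:200 + len(text)] = text
    # Write a correct checksum, as a linker would.
    struct.pack_into("<I", img, checksum_field_offset(img), compute_pe_checksum(img))
    return img


def edit_string_in_place(img: bytes, offset: int, new: bytes) -> bytearray:
    """Overwrite bytes without changing the length, as the thread's experiment did."""
    out = bytearray(img)
    out[offset:offset + len(new)] = new
    return out


if __name__ == "__main__":
    pristine = build_sample_image()
    print("pristine image, checksum matches:", checksum_matches(pristine))
    edited = edit_string_in_place(pristine, 200, b"FineCats edited driver v1.0\0")
    print("edited strings, checksum matches: ", checksum_matches(edited))
```

Two points follow from running it. A byte edit that keeps the length changes the recomputed value, so comparing the stored and recomputed checksum is a cheap way to spot accidental corruption of a driver on disk. It is only that, though: whoever edits the file can just as easily rewrite the CheckSum field, so detecting deliberate tampering needs a cryptographic hash or signature kept out of reach of the writer.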

RE: Who is watching the store! by bburgin

bburgin
Thu Sep 08 12:16:10 CDT 2005


If it's an in-box driver you were editing, then system file protection
(SFP) will silently restore the original in-box driver. The copy of the
original driver is stored in DllCache. If you want to disable SFP for this
file, boot in safe mode and then scratch the cached copy of the file and in
any folders except system32\drivers.

Bryan S. Burgin
bburgin@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.


RE: Who is watching the store! by usfinecats

usfinecats
Thu Sep 08 17:34:10 CDT 2005

And in the case of a new driver, say one that I've developed, what happens
then?
--
Gak -
Finecats


"Bryan S. Burgin [MSFT]" wrote:

> If it's an in-box driver you were editing, then system file protection
> (SFP) will silently restore the original in-box driver. The copy of the
> original driver is stored in DllCache. If you want to disable SFP for this
> file, boot in safe mode and then scratch the cached copy of the file and in
> any folders except system32\drivers.
>
> Bryan S. Burgin
> bburgin@online.microsoft.com
>
> This posting is provided "AS IS" with no warranties, and confers no rights

Re: Who is watching the store! by James

James
Thu Sep 08 18:38:07 CDT 2005

Unless you're in the class of drivers that SFP is concerned with, your
driver won't be affected.

You mentioned that the concerned driver is in c:\windows\system32\drivers.
Do you know for sure that the driver is loaded from there?

--
James Antognini
Windows DDK and WDK Support


This posting is provided "AS IS" with no warranties, and confers no rights.



"usfinecats" <usfinecats@nospam.nospam> wrote in message
news:90E12B72-D7FB-4CAE-AF00-683158D04570@microsoft.com...
> And in the case of a new driver, say one that I've developed, what happens
> then?
> --
> Gak -
> Finecats
>
>
> "Bryan S. Burgin [MSFT]" wrote:
>
>> If it's an in-box driver you were editing, then system file protection
>> (SFP) will silently restore the original in-box driver. The copy of the
>> original driver is stored in DllCache. If you want to disable SFP for
>> this
>> file, boot in safe mode and then scratch the cached copy of the file and
>> in
>> any folders except system32\drivers.
>>
>> Bryan S. Burgin
>> bburgin@online.microsoft.com
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights



Re: Who is watching the store! by Maxim

Maxim
Thu Sep 08 19:59:38 CDT 2005

IIRC \SystemRoot\Driver Cache\i386\driver.cab file is used by SFP to
restore the drivers.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

"Bryan S. Burgin [MSFT]" <bburgin@online.microsoft.com> wrote in message
news:gYZRFkJtFHA.536@TK2MSFTNGXA02.phx.gbl...
> If it's an in-box driver you were editing, then system file protection
> (SFP) will silently restore the original in-box driver. The copy of the
> original driver is stored in DllCache. If you want to disable SFP for this
> file, boot in safe mode and then scratch the cached copy of the file and in
> any folders except system32\drivers.
>
> Bryan S. Burgin
> bburgin@online.microsoft.com
>
> This posting is provided "AS IS" with no warranties, and confers no rights.



Re: Who is watching the store! by Alexander

Alexander
Thu Sep 08 23:41:43 CDT 2005

You don't have to erase it from cache, if you just want to replace it in
safe mode. I boot to safe mode to replace NDIS.SYS with a checked version for
NDISTEST.

"Bryan S. Burgin [MSFT]" <bburgin@online.microsoft.com> wrote in message
news:gYZRFkJtFHA.536@TK2MSFTNGXA02.phx.gbl...
> If it's an in-box driver you were editing, then system file protection
> (SFP) will silently restore the original in-box driver. The copy of the
> original driver is stored in DllCache. If you want to disable SFP for
> this
> file, boot in safe mode and then scratch the cached copy of the file and
> in
> any folders except system32\drivers.
>
> Bryan S. Burgin
> bburgin@online.microsoft.com
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.



Re: Who is watching the store! by Bill

Bill
Fri Sep 09 15:58:34 CDT 2005

But I bet as soon as the system sees a bad checksum the file will be
replaced and you will get a false conclusion :)

Better hook up a debugger and shutdown SFP, or just replace the driver path
in the registry.

Bill M.

"Alexander Grigoriev" <alegr@earthlink.net> wrote in message
news:OcWuJjPtFHA.3548@TK2MSFTNGP11.phx.gbl...
> You don't have to erase it from cache, if you just want to replace it in
> safe mode. I boot to safe mode to replace NDIS.SYS with a checked version
> for NDISTEST.
>
> "Bryan S. Burgin [MSFT]" <bburgin@online.microsoft.com> wrote in message
> news:gYZRFkJtFHA.536@TK2MSFTNGXA02.phx.gbl...
>> If it's an in-box driver you were editing, then system file protection
>> (SFP) will silently restore the original in-box driver. The copy of the
>> original driver is stored in DllCache. If you want to disable SFP for
>> this
>> file, boot in safe mode and then scratch the cached copy of the file and
>> in
>> any folders except system32\drivers.
>>
>> Bryan S. Burgin
>> bburgin@online.microsoft.com
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>
>



RE: Who is watching the store! by usfinecats

usfinecats
Fri Sep 09 16:58:02 CDT 2005

Well, about the cache... I know for sure that I've replaced drivers many times
while debugging my stuff by just copying a driver into
...\windows\system32\drivers and then simply rebooting.
By copying, I mean copying when I'm in recovery mode and with the Explorer
also.
In this case, checksum is correct but nothing is being protected.
--
Gak -
Finecats


"usfinecats" wrote:

> After loading my MSI file on a bunch of computers, my systems and drivers
> were all working just fine except for one computer - drat.
>
> I hooked up windbg to that computer and discovered that it was doing some
> strange stuff, and when I thought I had identified a possible problem I blew
> away the driver and replaced it only to discover that I'd made an error in
> this analysis.
>
> So 1st I loaded in a copy of the original driver by hand and things came
> alive!
> Then I reloaded from my msi file and things were still alive!
>
> Conclusion: during the installation of the msi file, there was some
> corruption of my file.
>
> HERE IS WHERE IT GETS INTERESTING:
>
> Experiment: Take a driver from c:\windows\system32\drivers and randomly
> edit the file with a binary editor and do not update any checksums along
> the way!
> Then try to load it.
>
> In my case, I edited some text strings in the file, and I did not change the
> file length.
>
> It loads just fine. Did I hallucinate this? I thought a checksum would be
> calculated over the entire file. Surely the system would be sensitive to
> corruption from bad drivers as such. What about Security implications?
>
> --
> Gak -
> Finecats

Re: Who is watching the store! by Alexander

Alexander
Fri Sep 09 23:49:49 CDT 2005

The system doesn't see a bad checksum. It's just watching for the directory
changes.

"Bill McKenzie" <bm01_REMOVE_@csr.com> wrote in message
news:%234dEZEYtFHA.2792@tk2msftngp13.phx.gbl...
> But I bet as soon as the system sees a bad checksum the file will be
> replaced and you will get a false conclusion :)
>
> Better hook up a debugger and shutdown SFP, or just replace the driver
> path in the registry.
>
> Bill M.
>
> "Alexander Grigoriev" <alegr@earthlink.net> wrote in message
> news:OcWuJjPtFHA.3548@TK2MSFTNGP11.phx.gbl...
>> You don't have to erase it from cache, if you just want to replace it in
>> safe mode. I boot to safe mode to replace NDIS.SYS with a checked version
>> for NDISTEST.
>>
>> "Bryan S. Burgin [MSFT]" <bburgin@online.microsoft.com> wrote in
>> message news:gYZRFkJtFHA.536@TK2MSFTNGXA02.phx.gbl...
>>> If it's an in-box driver you were editing, then system file protection
>>> (SFP) will silently restore the original in-box driver. The copy of the
>>> original driver is stored in DllCache. If you want to disable SFP for
>>> this
>>> file, boot in safe mode and then scratch the cached copy of the file and
>>> in
>>> any folders except system32\drivers.
>>>
>>> Bryan S. Burgin
>>> bburgin@online.microsoft.com
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>
>>
>
>