Cross referencing Sony rootkit cloaked CLSID WinXP registry keys

Pamela Fischer

How do mere mortals find the actual "product owner" of scores of cloaked
CLSID registry keys which the SysInternals rootkit revealer revealed?

The background on this simple question is lengthy (and in the public record
already) - essentially, I ran Mark Russinovich's SysInternals rootkit
decloaker ( http://www.sysinternals.com/utilities/rootkitrevealer.html )
which found scores of cloaked Windows XP registry keys & files containing a
universally unique identifier (UUID) in the form of an 8-4-4-4-20 hex class
id which I still don't know what to do with.

Here is just one example cloaked CLSID key I am trying to figure out what
product line it belongs to.

- HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}
\InprocServer32* 6/16/2004 9:19 PM 0 bytes Key name contains embedded nulls
(*)

To find the product associated with that unique class id, I searched the
Microsoft CLASSID web site
http://www.microsoft.com/technet/prodtechnol/host/proddocs/appint/asdefclassid.mspx
but I didn't find any lookup table cross referencing these unique 40 hex
characters to a unique product line.

What am I missing?
Does such a cross-reference table actually exist?
How are we supposed to figure out the product owner of these 40 character
hex class ids?

Thank you in advance for your assistance to me and all with this question,
Pamela Fischer

Pamela Fischer

Vrodok the Troll said:
Thank you, Pamela :)

Hi Vrodok,

I don't understand your idealized comment above.

Apparently, Pinnacle Studio 9 is using Microsoft ineptware to hide its
registration keys from the user.

It's beginning to seem more and more likely this particular cloaked key
reported by the Sysinternals RootKit Revealer is the result of Microsoft
ineptware. It seems, that, in the SOFTWARE hive, the InprocServer32 key
is defined somehow on my system as a 15 character long string where
Microsoft says it should be only 14 characters long; so not only can you
not open the key in REGEDIT
(http://www.sysinternals.com/Forum/forum_posts.asp?TID=1689&get=last#6776)
but it also remains hidden from view
(http://www.sysinternals.com/Information/TipsAndTrivia.html#HiddenKeys).

All this I only gathered haphazardly after googling for the specific
CLSID. At the moment, I tentatively conclude this particular rogue
InprocServer32 registry entry "might" be related to Pinnacle Studio 9
hidden registration keys as reported in the Sysinternals blog forum
articles http://www.sysinternals.com/forum/forum_posts.asp?TID=1955&PN=1
and http://www.sysinternals.com/Forum/forum_posts.asp?TID=1731&PN=0&TPN=2
and http://www.sysinternals.com/Forum/forum_posts.asp?TID=1689&PN=1 and
http://www.sysinternals.com/Forum/forum_posts.asp?TID=1689&get=last#6776

Also, Ben Fulton, in the UK, seems to have run into this hidden
registration key http://www.developerfusion.co.uk/forums/topic-28065 and
its reputed Sony-like ineffective ineptware uninstaller
http://www.pinnaclesys.com/PublicSite/us/Products/Consumer+Products/Home+Video/Studio+Advanced+Video+Solutions/Studio+Plus+version+9+Support/Download+Area/Tools/Registry+Cleaner+for+Studio+Products+-+RegDelete+version+9_x.htm?mode=documents

However, all this is very hit or miss (as reported to Mark Russinovich at
http://www.sysinternals.com/forum/forum_posts.asp?TID=2510&PN=1&TPN=1 ).

Given the unique explanation of the CLSID key
(http://msdn.microsoft.com/library/default.asp?url=/library/en-us/com/html/4edbbd9d-7ea1-4476-aee7-eaf30e54db8d.asp) why isn't there an
easy to find cross-reference lookup table?

How are mere mortals supposed to look up scores of these issues?
Where is the unique product-to-CLSID cross reference table out there?

Thanks to experts, in advance, for helping me, and all others,
Pamela Fischer

George Hester

Pamela if the Root kit revealer found anything then I would reinstall. On
this system which doesn't do much on the Net it came up empty. As for the
answer to your question you could look at the file the CLSID pertains to in
the registry. Then go to that file and right-click choose Properties and if
there is a version tab read the copyright holder.

David Candy

CLSIDs are randomly generated by whoever wants one. There is no requirement (or means) to report generation of a clsid to MS. In fact the whole thing is designed to not require a central repository.

Pamela Fischer

Vrodok the Troll said:
My initial comment referred to your posting of all that information.
Once again, thanx.

Thanks. I do post as much detail as I can so the next gal who searches
for this exploit can start off with much more than I did. The hope is we
can improve our collective knowledge, bit by bit, in every post!

Apparently, in this particular case, the makers of Pinnacle Studio 9 (and
others) have exploited the fact that 15-character "illegal" software
registration values in the Inprocserver32 key remain cloaked and hidden
from the user even if the user knows about the existence of the key!

We even get an error when we try to open the key in WinXP regedit!
So, we can't even delete the key easily.

Just as with Sony cloaking ineptware, the makers of Pinnacle Studio 9 are
apparently exploiting known Microsoft Windows XP registry weaknesses.

However, according to the SysInternals web page
(http://www.sysinternals.com/Forum/forum_posts.asp?TID=1689&get=last#6776),
there is a possible method to remove this particular cloaked registry
entry.

1. Make a backup of the WinXP registry with ERUNT (whatever that is).
2. Open the backed up software file/hive with a hex editor.
3. Search for the entries {47629D4B-2AD3-4e50-B716-A66C15C63153}.
4. In the text panel, note the textstring “InprocServer”.
5. Note the hex value 0F (15) just before that textstring.
6. Change (edit – Overwrite String) this value to 0E (14).
7. Change all similar entries found (as many as 12).
8. Save this “software” file/hive.
9. Restore the registry & reboot.
10. Open the registry with regedit.
11. Now you can finally delete the now-uncloaked entries.
12. Optionally, run the registry optimizer NTREGOPT.
13. Reboot and this particular cloaking problem is resolved.

All this work to resolve just one cloaked CLSID tells me life would be
easier for all of us if we at least had a lookup table for CLSID to
product "owners".

Does this CLSID to OWNER lookup table exist anywhere on the Internet?

Pamela Fischer

Pamela Fischer

George Hester said:
Look at the file the CLSID pertains to in the registry.
Then go to that file and right-click Properties.
If there is a version tab read the copyright holder.

Hi George Hester,

In a sane world, this would be our first logical choice.

However, the makers of Pinnacle Studio (like the makers of the Sony
ineptware cloaking) have taken advantage of an exploit of the Microsoft
Windows XP operating system to disable this simple sane lookup.

When we navigate to the specified key in regedit, we get an immediate
error upon clicking on the key. So, even if we know this particular key
is cloaked (which the SysInternals rootkit revealer correctly revealed),
we can not view the key or the value of the key.

Is this cloaking issue getting insane or what?

By exploiting this registry weakness, simply assigning Inprocserver32 a
15 character hex number instead of a 14-character hex number,
automagically cloaked the software registration keys.

We can't even easily remove them!

Everywhere we look, we find exploits upon exploits of the Microsoft
Windows operating systems. This one exploit alone took me hours to find
out. I have about 19 more to go in my registry.

Wish me luck (please help where you can as others will certainly follow).

Pamela Fischer

Pamela Fischer

David Candy said:
CLSIDs are randomly generated by whoever wants one.
There is no requirement (or means) to report generation
of a CLSID to Microsoft or to anyone else.
The process is designed to not require a central repository.

Oh my. I was afraid of that answer.
Our worst fears are coming to fruition.

Considering Google failed us on this CLSID-to-Owner search, is there at
least a common place where we are supposed to go to report suspicious
CLSID exploit shenanigans such as the one I just found with Pinnacle
Studio CLSID {47629D4B-2AD3-4E50-B716-A66C15C63153} search?

For example, if I hadn't gone directly to Mark Russinovich's forum on the
SysInternals web site forum and searched there, I'd never have made the
connection of this cloaked exploited registry key to Pinnacle Studio in
the first place.

Considering there is no way to even OPEN the key (which, of course, was
the intent of the malware makers of Pinnacle Studio in using the exploit
in the first place), what are our options?

How does this look as a first pass CLSID-to-Owner generator?
1. Search for the CLSID in google web & google groups
(e.g., 47629D4B-2AD3-4E50-B716-A66C15C63153 )

2. Search for the CLSID in www.sysinternals.com forums
(e.g., http://www.sysinternals.com/Forum )

3. Attempt to determine CLSID registry entry information
(note that some cloaked CLSID keys prevent this!)

4. If you must, work on a hexedited copy of the registry
(this is the only known working approach to date)

5. Search for files of the same date on your PC
(this is how folks found this CLSID to be Pinnacle Studio 9)

6. ??? any other methods to cross reference CLSID's ???

Experts are asked to supply other ways of determining who the unique
owner is of any particular cloaked CLSID so that the rest of us mere
mortals can determine who is messing with our systems with malware!

Frustrated & fatigued yet finally learning something fun,
Pamela Fischer

Peabody

Pamela Fischer says...
When we navigate to the specified key in regedit, we get
an immediate error upon clicking on the key. So, even if
we know this particular key is cloaked (which the
SysInternals rootkit revealer correctly revealed), we
can not view the key or the value of the key.
Is this cloaking issue getting insane or what?
By exploiting this registry weakness, simply assigning
Inprocserver32 a 15 character hex number instead of a
14-character hex number, automagically cloaked the
software registration keys.
We can't even easily remove them!

Pamela, this may be a dumb suggestion, but can you Export
the keys? If you can export these entries to a file you can
look at and edit as text, then maybe you can do something
with it. If you can't click on the entry itself, maybe you
could click on its parent and export that whole section,
then fix it in the .reg file, delete it from the registry,
and then Import the fixed version back in.

Well, it was just a thought.

George Hester

What makes you think Pinnacle is part of this type of vandalism? I know
about Sony but I have not heard about Pinnacle. The way you get rid of
something like that in the registry is saving a piece of the hive without
that particular key and then importing that hive. Those here know better
than I do; I hope someone can explain how to do it better, but that is what
you will need to do.

pamelafiischer

Peabody said:
Can you Export the keys?

I could not select the InprocServer32 key (due to the exploit
previously noted preventing any such action) but I could select the key
above it and export that branch as text:

File->Export->Save as type->Text files (*.txt)->Selected Branch
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}

The problem was, no matter how many times and ways I tried exporting
this key, I just got Cyrillic-looking gibberish of the format:
ÿþK€e€y€ €N€a€m€e€:€ € € € € € € €
€ €
€H€K€E€Y€_€L€O€C€A€L€_€M€A€C€H€I€N€E€\€S€O€F€T€W€A€R€

What are we doing wrong?
Why can't we export as text this key without getting gibberish as a
result?

For every action there is an equally confusing reaction,
Pamela Fischer

pamelafiischer

George said:
What makes you think Pinnacle is part of this type of vandalism? I know
about Sony but I have not heard about Pinnacle.

The same software RootKit Revealer from Mark Russinovich's SysInternals
web site that first found the Sony BMG First 4 Internet deceit also
listed these Avid Pinnacle Studios key as rootkit cloaked.

And they *are* cloaked. But why?
Apparently, for whatever deceitful reason, Avid Pinnacle Studios
doesn't want you to know what they've done to your registry. But the
rootkit revealer program noticed the sleight of hand.

I've been told the following:
"The kernel uses strings that follow the Pascal convention (first
character = length).
All user mode programs that access the registry (e.g., regedit or most
3rd party tools)
do so via Win32 API calls. These can only process zero terminated
strings.
Trying to open a registry key that does not have a zero terminated
name will fail.
The [cloaked] Pinnacle key can not be viewed, modified, or even easily
removed
by the typical user due to the exploitation by Pinnacle Studios of this
Windows weakness."

So the simple answer to your question is that the well respected
SysInternals program is reporting this Pinnacle Studios activity as a
root kit cloaked key (as far as I can tell).

The question is now:
Why is Pinnacle Studios doing this illegal exploit of Windows in the
first place?
Pamela Fischer
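The quoted explanation above (kernel names are length-counted, Win32 callers stop at the first NUL) and the 13-step hex-editor procedure from the earlier post describe the same thing: the key-name length field in the "nk" record of the SOFTWARE hive counts a trailing NUL byte (15 instead of 14 for "InprocServer32"), so regedit cannot open the key. The script below, added here as an example and not code from the thread, from Sysinternals or from Pinnacle, automates both halves of that procedure on a copied hive file: it scans for nk records whose stored name contains a NUL, and it rewrites the length field so the name ends before its trailing NUL, which is exactly the 0F to 0E edit. The record offsets (flags at 0x02, name length at 0x48, name at 0x4C, flag 0x20 marking an 8-bit name) are the commonly documented regf layout. SAMPLE_HIVE, the key name "Hidden" and the make_nk_cell helper are constructed test data, not a loadable hive; run it against a real hive only on a backup copy, as the thread already advises, and let NTREGOPT or the next load compact the leftover slack.

```python
import struct

# Offsets inside an "nk" (key node) record of a regf hive, relative to the
# two-byte "nk" signature, per the commonly documented hive format.
NK_FLAGS_OFF = 0x02      # uint16 flags
NK_NAME_LEN_OFF = 0x48   # uint16 key-name length in bytes (the 0F/0E byte edited in the thread)
NK_NAME_OFF = 0x4C       # key name bytes start here
KEY_COMP_NAME = 0x0020   # flag bit: name stored as 8-bit chars; otherwise UTF-16LE


def make_nk_cell(name: bytes, compressed: bool = True) -> bytes:
    """Build one allocated hive cell holding a minimal nk record.
    Only the fields this script reads are populated (constructed test data,
    not a loadable hive)."""
    flags = KEY_COMP_NAME if compressed else 0
    record = (b"nk" + struct.pack("<H", flags)
              + b"\x00" * (NK_NAME_LEN_OFF - 4)          # fields this script does not need
              + struct.pack("<HH", len(name), 0)         # name length, class-name length
              + name)
    record += b"\x00" * (-len(record) % 8)               # cells are 8-byte aligned
    return struct.pack("<i", -(len(record) + 4)) + record  # negative size = allocated cell


def iter_nk_records(hive: bytes):
    """Yield (offset, flags, name_len, raw_name) for each allocated nk cell found
    by signature scan. Good enough for triage of a copied hive file."""
    pos = hive.find(b"nk")
    while pos >= 0:
        if pos >= 4 and pos + NK_NAME_OFF <= len(hive):
            cell_size = struct.unpack_from("<i", hive, pos - 4)[0]
            flags = struct.unpack_from("<H", hive, pos + NK_FLAGS_OFF)[0]
            name_len = struct.unpack_from("<H", hive, pos + NK_NAME_LEN_OFF)[0]
            raw = hive[pos + NK_NAME_OFF:pos + NK_NAME_OFF + name_len]
            if cell_size < 0 and len(raw) == name_len:
                yield pos, flags, name_len, raw
        pos = hive.find(b"nk", pos + 2)


def decode_name(flags: int, raw: bytes) -> str:
    return raw.decode("latin-1") if flags & KEY_COMP_NAME else raw.decode("utf-16-le", "replace")


def find_cloaked_keys(hive: bytes) -> list:
    """Keys whose counted name contains a NUL. Win32 callers stop at the NUL, so
    regedit asks for a shorter name than the kernel stores and cannot open the key."""
    found = []
    for pos, flags, name_len, raw in iter_nk_records(hive):
        name = decode_name(flags, raw)
        if "\x00" in name:
            found.append({"offset": pos, "name_len": name_len,
                          "visible": name.split("\x00", 1)[0]})
    return found


def patch_trailing_nulls(hive: bytes):
    """The thread's hex-editor fix, automated: shrink the name-length field so the
    stored name ends before its trailing NUL(s). Names with a NUL in the middle are
    left alone (they need a different fix). Returns (patched_hive, [(offset, old_len, new_len)])."""
    buf = bytearray(hive)
    patched = []
    for pos, flags, name_len, raw in iter_nk_records(hive):
        name = decode_name(flags, raw)
        if "\x00" not in name:
            continue
        stripped = name.rstrip("\x00")
        if "\x00" in stripped:
            continue
        new_len = len(stripped) if flags & KEY_COMP_NAME else 2 * len(stripped)
        struct.pack_into("<H", buf, pos + NK_NAME_LEN_OFF, new_len)
        patched.append((pos, name_len, new_len))
    return bytes(buf), patched


# Constructed fragment: four nk cells, two of them cloaked. The CLSID is the one
# from the thread; "Hidden" is a made-up name to exercise the UTF-16 path.
SAMPLE_HIVE = b"".join([
    make_nk_cell(b"{47629D4B-2AD3-4e50-B716-A66C15C63153}"),
    make_nk_cell(b"InprocServer32"),                           # normal: 14 bytes (0E)
    make_nk_cell(b"InprocServer32\x00"),                       # cloaked: 15 bytes (0F), trailing NUL
    make_nk_cell("Hidden\x00".encode("utf-16-le"), compressed=False),
])

if __name__ == "__main__":
    for k in find_cloaked_keys(SAMPLE_HIVE):
        print("cloaked key at 0x%X: visible name %r, stored length %d"
              % (k["offset"], k["visible"], k["name_len"]))
    fixed, changes = patch_trailing_nulls(SAMPLE_HIVE)
    print("patched:", changes, "remaining:", find_cloaked_keys(fixed))
```

Only the two-byte count is changed; the NUL byte itself stays in the cell as slack, which is why the forum procedure works with a plain overwrite of one byte and why a later NTREGOPT pass is optional rather than required.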

Paul-B

The question is now:
Why is Pinnacle Studios doing this illegal exploit of Windows in the
first place?
Pamela Fischer

Silly question, but has anyone actually asked Pinnacle what this is all
about?

Peabody

(e-mail address removed) says...
I could not select the InprocServer32 key (due to the exploit
previously noted preventing any such action) but I could select the key
above it and export that branch as text:

File->Export->Save as type->Text files (*.txt)->Selected Branch
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}

The problem was, no matter how many times and ways I tried exporting
this key, I just got Cyrillic-looking gibberish of the format:
ÿþK€e€y€ €N€a€m€e€:€ € € € € € € €
€ €
€H€K€E€Y€_€L€O€C€A€L€_€M€A€C€H€I€N€E€\€S€O€F€T€W€A€R€

What are we doing wrong?
Why can't we export as text this key without getting gibberish as a
result?

For every action there is an equally confusing reaction,
Pamela Fischer

I think that's just unicode format, which has two bytes for every
character.

If you will load that .txt file into Notepad, then Save As, and select
ASCII, all of that extra stuff should be removed in the newly saved
file.
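Peabody's diagnosis is right in one respect: the leading "ÿþ" in the export is the FF FE byte-order mark, and regedit writes both its text and its .reg exports as UTF-16LE, so viewed as 8-bit text every character appears with a NUL after it. The script below is an added example (not code from the thread or from any of its participants) that decodes such an export correctly and then does, offline, the lookup George Hester suggested: for each CLSID it pulls the default value of the InprocServer32 subkey, which is the DLL path whose Properties / Version tab names the copyright holder, and it lists the CLSIDs whose export has no such value, which is what the cloaked key produced. SAMPLE_EXPORT is constructed; the second CLSID {00000000-1111-2222-3333-444444444444} and the path C:\Example\server.dll are placeholders, and only the thread's own CLSID is real.

```python
import re

KEY_LINE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
DEFAULT_VALUE = re.compile(r'^@="(?P<val>.*)"$')
CLSID_IN_PATH = re.compile(
    r"\\CLSID\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})", re.IGNORECASE)


def decode_regedit_export(raw: bytes) -> str:
    """regedit writes exports as UTF-16LE with a FF FE byte-order mark. Viewed as
    8-bit text that BOM shows as 'ÿþ' and every character gains a trailing NUL,
    the 'K€e€y€ €N€a€m€e€' effect seen in the thread. Older Version 4 .reg files
    are ANSI, handled by the fallback."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")      # the codec consumes the BOM
    return raw.decode("cp1252")


def reg_unescape(value: str) -> str:
    # .reg string values escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", value)


def clsid_servers(raw: bytes) -> dict:
    """Map every CLSID in the export to the default value of its InprocServer32
    subkey (the DLL path), or None if that subkey or value is absent from the
    export, as it was for the cloaked key in the thread."""
    servers = {}
    current_clsid, in_inproc = None, False
    for line in decode_regedit_export(raw).splitlines():
        line = line.strip()
        m = KEY_LINE.match(line)
        if m:
            path = m.group("path")
            c = CLSID_IN_PATH.search(path)
            current_clsid = c.group(1).upper() if c else None
            in_inproc = bool(c) and path.upper().endswith("\\INPROCSERVER32")
            if current_clsid:
                servers.setdefault(current_clsid, None)
            continue
        m = DEFAULT_VALUE.match(line)
        if m and in_inproc:
            servers[current_clsid] = reg_unescape(m.group("val"))
    return servers


def unresolved_clsids(raw: bytes) -> list:
    """CLSIDs with no server path in the export: the ones that need a hive-level look."""
    return sorted(k for k, v in clsid_servers(raw).items() if v is None)


# Constructed sample export: the thread's CLSID with an empty key (as exported in
# the thread), plus a made-up CLSID and DLL path showing a normal entry.
SAMPLE_EXPORT = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{47629D4B-2AD3-4e50-B716-A66C15C63153}]\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{00000000-1111-2222-3333-444444444444}]\r\n"
    "@=\"Example COM Server\"\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{00000000-1111-2222-3333-444444444444}\\InprocServer32]\r\n"
    "@=\"C:\\\\Example\\\\server.dll\"\r\n"
    "\"ThreadingModel\"=\"Apartment\"\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    for clsid, dll in clsid_servers(SAMPLE_EXPORT).items():
        print(clsid, "->", dll or "(no InprocServer32 in export)")
```

Feed it the raw bytes of a regedit export (open the file in binary mode); decoding it yourself sidesteps the Notepad round trip, and the unresolved list is the set of keys for which this route is a dead end.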

pamelafiischer

Michael said:
If you just want to prove that it's the Pinnacle software program, why not
take a machine with a clean copy of Windows freshly installed and install
the Pinnacle Studio 9 onto it?

The somewhat spotty evidence at this point seems to indicate it is an
illegal syntactical use of the Windows XP registry so that Avid
Pinnacle Studio can "hide" information from the user as explained in
the SysInternals forum:
http://www.sysinternals.com/forum/forum_posts.asp?TID=2510&PN=1&TPN=1
http://www.sysinternals.com/forum/forum_posts.asp?TID=1955&PN=1
http://www.sysinternals.com/Forum/forum_posts.asp?TID=1689&PN=1
http://www.sysinternals.com/Forum/forum_posts.asp?TID=1731&PN=0&TPN=2
etc.
FWIW, I find these registry keys causing problems even after doing the
above and uninstalling the Studio 9 program.
These illegal syntax keys can not be edited, modified, changed, nor
removed by the user and apparently even the Pinnacle uninstaller cannot
remove them as far as I can ascertain.

Pamela

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*

pamelafiischer

Paul-B said:
Silly question, but has anyone actually asked Pinnacle what this is all about?

Not I. A developer, perhaps from Pinnacle, did respond and confirm the
illegal syntax insertion - but we don't know how to remove, modify,
view, or change the keys yet for a layperson (it can be done by writing
C code but that is crazy).

I wish Pinnacle Studio developers would read the syntax rules for
registry keys before creating illegal keys on purpose just so that they
won't work normally.

Pamela

pamelafiischer

Peabody said:
(e-mail address removed) says...

I think that's just unicode format, which has two bytes for every
character.

If you will load that .txt file into Notepad, then Save As, and select
ASCII, all of that extra stuff should be removed in the newly saved
file.

That unfortunately gave the same output gibberish.

Exporting the key as a "reg" file worked but put nothing in the key.
--- < start > ---
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}]

--- < end > ---

I'm going to look for a hex editor to see what is inside that file!

Pamela

Jim Cladingboel

Excuse this interruption, but what does all of this have to do with Windows ME ?

--
Jim, in sunny Brisbane, Oz.
