Mystery Reg Key caused by Windows Messenger

OShah

Windows Messenger 5.0.0.468.

Windows Messenger creates a key called "HKEY_CURRENT_USER\S", whenever I
try to sign in and there is no internet.

Here are the contents of that key (on my system):
"AutodiscoveryFlags"=dword:80000000
"DetectedInterfaceIpCount"=dword:00000002
"LastDetectHighDateTime"=dword:01c49b38
"LastDetectLowDateTime"=dword:5c2c7db0
"LastDetectTime"="09/15/2004, 15:26:24 UTC"
"DetectedInterfaceIps"="0x5c00a8c0;0x201a8c0;"
"LastDetectUrl"=""

I correctly deduced that this was caused by an app that doesn't know the
difference between WCHARs and CHARs. I discovered that Windows Messenger
was the culprit (thanks to that LastDetectTime value).

When Windows Messenger tries to sign in and can't, it goes through an
alternate connection strategy (just in case it was firewalled or proxied)
to get online.

It is one of these alternate strategies that creates the S key. So now all
that's left is to get the exact address of msmsgs which creates the key
(fire up WinDbg, press F5 whilst Breakpoints are on
advapi32!RegCreateKeyExA, analyse call stack).

The instruction is located at 0x10e60f5 (msmsgs+0xe60f5). Now my
decompilation skills may be absolutely horrible, but I believe the code at
this address should look similar to:



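HKEY hkResult;
DWORD dwDisposition;
/* Wide (L"...") literal handed to the ANSI function, as described in this post */
RegCreateKeyExA(HKEY_CURRENT_USER,
    L"Software\\Microsoft\\MessengerService\\AutoProxyCache\\RAS",
    0, NULL, 0, 0xf003f /* KEY_ALL_ACCESS */, NULL, &hkResult,
    &dwDisposition);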



Sure enough, msmsgs is trying to create a wchar_t key using a char
function. This leads to the S key I've got on my system. There must have
been some kind of casting going on here, because the only way to shut the
compiler up about this mistake is to cast. Removing the cast should show
you why Messenger is writing to HKCU\S.

According to Jon ([email protected], watch wrap):
(see: http://tinyurl.com/4xhzd .)

he noticed something similar, but he had different reg values showing up.
Could my problem and his be related?

I wonder if Windows Messenger 6 has this problem.


--
------------------------------------------------------------------------
oshah
Control Panel -> System -> Advanced -> Error Reporting -> Choose Programs
-> Do not report errors for these programs:

Acrobat.exe
waol.exe

------------------------------------------------------------------------
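The truncation described in the post above, as an added example that is not part of the original post or of Messenger's code: it lays the subkey path out as UTF-16LE bytes, the in-memory form of a Windows L"..." literal, and reads it back the way an ANSI ("A") API would, up to the first zero byte. The function names and the triage check are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Subkey path quoted in the post. */
static const char INTENDED_PATH[] =
    "Software\\Microsoft\\MessengerService\\AutoProxyCache\\RAS";

/* Encode ASCII text as UTF-16LE bytes, including the 2-byte terminator.
   Returns bytes written, or 0 if the buffer is too small. */
size_t to_utf16le(const char *ascii, unsigned char *out, size_t cap)
{
    size_t n = 0;
    do {
        if (n + 2 > cap) return 0;
        out[n++] = (unsigned char)*ascii;  /* low byte: the character */
        out[n++] = 0;                      /* high byte: zero for ASCII */
    } while (*ascii++ != '\0');
    return n;
}

/* Name an ANSI API would see if handed that wide buffer through a cast:
   every byte up to the first zero byte. */
const char *ansi_view(const char *ascii_path, char *out, size_t cap)
{
    unsigned char wide[512];
    size_t len;
    if (to_utf16le(ascii_path, wide, sizeof wide) == 0) return NULL;
    len = strlen((const char *)wide);
    if (len + 1 > cap) return NULL;
    memcpy(out, wide, len + 1);
    return out;
}

/* Triage check (hypothetical helper): does a stray key name match what the
   ANSI view of a path the program is known to use would produce? */
int looks_like_truncation(const char *observed_key, const char *intended_path)
{
    char seen[8];
    const char *v = ansi_view(intended_path, seen, sizeof seen);
    return v != NULL && strcmp(v, observed_key) == 0;
}

int main(void)
{
    char name[8];
    printf("ANSI API sees: HKCU\\%s\n", ansi_view(INTENDED_PATH, name, sizeof name));
    printf("HKCU\\S matches: %d\n", looks_like_truncation("S", INTENDED_PATH));
    return 0;
}
```

The same check applies to any stray one-character key or value name: compare it with the first character of the wide strings the suspect binary passes to registry or file APIs.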