What are these "Impersonate" keys about?

Guest

I have an Averatec C3500 Tablet XP PRO computer that has a new hard drive and
motherboard. It has not been on the Internet. I have installed Norton
Internet Security from disk, and also, the MSI Installer Update (downloaded
to another computer and transferred by disk).

Can anyone educate me about the appearance of these two files, HIVESFT.INF,
and HIVESYS.INF, that include these keys with "Impersonate" in them?

From Hivesft.inf

HKLM,"SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\cscdll","Impersonate",0x00010001,0

HKLM,"SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\ScCertProp","Impersonate",0x00010001,1

HKLM,"SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\SensLogn","Impersonate",0x00010003,1

HKLM,"SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\wlballoon","Impersonate",0x00010001,1



From HiveSys.inf

HKLM,"SYSTEM\CurrentControlSet\Control\Lsa","ImpersonatePrivilegeUpgradeToolHasRun", 0x00010003, 1

Thanks in advance.
 
Harry Johnston

SueInCincy said:
I have an Averatec C3500 Tablet XP PRO computer that has a new hard drive and
motherboard. It has not been on the Internet. I have installed Norton
Internet Security from disk, and also, the MSI Installer Update (downloaded
to another computer and transferred by disk).

Can anyone educate me about the appearance of these two files, HIVESFT.INF,
and HIVESYS.INF, that include these keys with "Impersonate" in them?

I can confirm that those two files exist on the Windows XP installation CD, and
contain the lines you list. Normally they won't be left on a computer after a
successful installation, but if Windows was preinstalled by the OEM it may
depend on how they configured the installation.

Is there any particular reason why you are concerned about these files?

Harry.
 
Guest

Hi Harry,

As to the Why, please see the post in the similar question I just made today.

I appreciate you who answer, and especially those who offer kindness rather
than condescension (as have you).
 
Harry Johnston

SueInCincy said:
As to the Why, please see the post in the similar question I just made today.

OK. Those particular files (and registry entries) are safe; they're a normal
part of Windows. (Of course, malware could also create registry entries that
would look similar, but these ones are OK.)

In this context, "Impersonate" is a technical term referring to a normal part of
the way the operating system works - if you're interested there's some
information about it here:

<http://en.wikipedia.org/wiki/Token_(Windows_NT_architecture)>

As to your wider problem, I did have one other thought - theoretically it is
possible for a compromised USB or firewall device to take control of a computer
simply by being plugged into it. I think you mentioned having an external disk
drive, and you probably have various other external devices too; perhaps one of
them has been compromised?

If you can find any evidence that this is the case, there will almost certainly
be quite a number of security researchers interested to examine the device in
question; if there's malware out there actually using this vulnerability people
will want to know more about it. There have been no known attacks, but the
vulnerability has been known about for several years.

Harry.
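Harry's point that these AddReg lines are a normal part of Windows suggests the check a defender would actually run: parse the lines, decode the flags field (0x00010001 is a REG_DWORD; the extra bit in 0x00010003 means an existing value is left alone), and compare the Winlogon\Notify package names against a known-good baseline. This is an added example in Python, not code from the thread or from Microsoft; the flag constants come from the INF file format, the baseline is only the four packages listed in this thread (not the complete set on an XP CD), and EXAMPLE_UNKNOWN is a constructed placeholder that exists only to show what the check reports.

```python
import re
from dataclasses import dataclass

# INF AddReg flag bits from the INF file format documentation.
FLG_ADDREG_TYPE_DWORD = 0x00010001
FLG_ADDREG_NOCLOBBER = 0x00000002  # keep an existing value instead of overwriting it

# Constructed sample: the lines quoted in the thread, plus one placeholder
# package (EXAMPLE_UNKNOWN) that is not from the XP CD and exists only to
# show what the baseline check reports.
SAMPLE_INF = r'''
HKLM,"SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\cscdll","Impersonate",0x00010001,0
HKLM,"SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\ScCertProp","Impersonate",0x00010001,1
HKLM,"SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\SensLogn","Impersonate",0x00010003,1
HKLM,"SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\wlballoon","Impersonate",0x00010001,1
HKLM,"SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify\EXAMPLE_UNKNOWN","Impersonate",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Control\Lsa","ImpersonatePrivilegeUpgradeToolHasRun", 0x00010003, 1
'''

# Baseline: the Notify packages in the thread's hivesft.inf listing (lower-cased).
# This is what the page shows, not the complete set an XP CD installs.
KNOWN_NOTIFY = {"cscdll", "sccertprop", "senslogn", "wlballoon"}

ADDREG_RE = re.compile(
    r'^(?P<root>HK[A-Z]+),"(?P<subkey>[^"]*)","(?P<name>[^"]*)",'
    r'\s*(?P<flags>0x[0-9A-Fa-f]+),\s*(?P<data>\S+)$')

@dataclass
class AddRegEntry:
    root: str
    subkey: str
    name: str
    flags: int
    data: str

def parse_addreg(text):
    """Parse AddReg-style lines; lines that do not match the shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = ADDREG_RE.match(line.strip())
        if m:
            entries.append(AddRegEntry(m["root"], m["subkey"], m["name"],
                                       int(m["flags"], 16), m["data"]))
    return entries

def describe_flags(flags):
    """Return (value type, keep-existing) decoded from the AddReg flags field."""
    is_dword = (flags & FLG_ADDREG_TYPE_DWORD) == FLG_ADDREG_TYPE_DWORD
    return ("REG_DWORD" if is_dword else "other", bool(flags & FLG_ADDREG_NOCLOBBER))

def unexpected_notify_packages(entries, known=KNOWN_NOTIFY):
    """Names of Winlogon\\Notify packages that are not in the baseline."""
    found = []
    for e in entries:
        parent, _, package = e.subkey.rpartition("\\")  # tolerant of "Windows NT" spacing
        if parent.lower().endswith("\\winlogon\\notify") and package.lower() not in known:
            found.append(package)
    return found
```

Anything the check reports is a lead to compare against the CD's copy of the file, not proof of compromise.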
 
Guest

Harry Johnston said:
As to your wider problem, I did have one other thought - theoretically it is
possible for a compromised USB or firewall device to take control of a computer
simply by being plugged into it. I think you mentioned having an external disk
drive, and you probably have various other external devices too; perhaps one of
them has been compromised?

The short answer is that this machine is not *now* networked in any (known)
way, other than through my ISP and a router.

When this problem began, 18 months ago, I had two computers plugged into the
same router, with a backup hard drive plugged into one of them. I knew I had
a virus problem, and I wasn't able to remove it using Norton's regular
procedures. Norton insisted I complete yet another online scan if they were
going to continue to offer support. I had already done so earlier, and
gotten a "clean" scan, even though I could tell there was funny business
going on. (That was the reason why I was calling them in the first place.)

That scan, which is supposed to take five minutes or less, was still going
on after an hour and a half. At bedtime, it still wasn't done. So I left the
machines on, with the online scan running. In the morning, I came down to a
screen saying the scan was clean, and virtually all my data and programs had
been erased.

Harry Johnston said:
If you can find any evidence that this is the case, there will almost certainly
be quite a number of security researchers interested to examine the device in
question;

I am not quite sure that my case is what you are describing. What I do have
on the backup hard drive is virtually everything that was on the hard drive
of one of the two computers that was corrupted. (I have reformatted hard
drives on a total of five machines over and over and over, always getting the
same result--madness.) As this thing has hung around, this system seems to
get more and more sophisticated. A month or two after I made this copy of
just about everything on that hard drive, I tried to do the same thing, and I
couldn't have access.


Harry Johnston said:
if there's malware out there actually using this vulnerability people
will want to know more about it. There have been no known attacks, but the
vulnerability has been known about for several years.

Again, I am not sure this is exactly the situation you are describing, but I
have saved a lot of files, and made a lot of notes. I appreciate that you
seem to take this seriously.

Cheers, Sue
 
Harry Johnston

SueInCincy said:
I am not quite sure that my case is what you are describing. What I do have
on the backup hard drive is virtually everything that was on the hard drive
of one of the two computers that was corrupted.

I'm suggesting that the firmware in the external disk drive (or another USB or
Firewire device) might contain malicious code which takes over your computer as
soon as you plug the drive in. In this scenario the malicious code isn't on the
disk drive in the sense of being contained in one or more of the data files,
it's in the electronics around the disk drive.

This is unlikely - no such attack has ever been seen - but is theoretically
possible.

If you install your computer from the Microsoft-provided CD, without connecting
it to any network or plugging any devices into it (the mouse and keyboard are
OK) does it show signs of infection?

Harry.
 
Guest

Harry Johnston said:
If you install your computer from the Microsoft-provided CD, without connecting
it to any network or plugging any devices into it (the mouse and keyboard are
OK) does it show signs of infection?

The short answer is a qualified no. Qualified, because as you know I have
been doing the same thing (reformatting the hard drive and hooking up to the
Internet to get updates) and expecting a different result for a long time. So
you know I am crazy.

The longer answer may be more interesting to you, I hope. I have had two HP
printers, one a 1012, I believe (it died a few months ago, and is gone...)
which I replaced with a 1020. Both of them seem to be keystones in closing
the whole system, and I had even contacted HP about the possible security
issue with the 1012.

After I get the expired security certificate for the Microsoft Update
ActiveX control, and the first three updates (WGA, Installer 3.1 v2, and
some other Installer-related update I can't recall at this moment) the 13
"subscriber" accounts don't appear until after I hook up these printers.

At one point, in desperation, I even bought a Mac, and as soon as I would
hook up the printer after a reformat, I would see the creation of 13
subscriber accounts and certain other inexplicably similar behaviors to my PC
experience--ON A MAC! Yes, you are reading correctly--I reformatted a Mac
hard drive multiple times, many under telephone supervision from Cupertino.
The guys at the store where I bought it saw exactly what I was talking about
when I brought it back to the store. When *they* reformatted and hooked up to
their Net connection, the signs were gone.

The installation of the printer driver is one of the things that is
particularly suspicious. According to HP, that printer should be 100%
plug-and-play on any XP machine with SP2, and when I first got the 1012, it
was. After my problem manifested in late 2005, it would take three runs to
get the installation done. 1) A "found new hardware" balloon would pop up,
and the usual plug and play routine would run. Just as the "Your new printer
is installed" balloon appeared, 2) a whole new "Detected new printer" balloon
would pop up, and I would be prompted to install the printer using a driver.
The machine couldn't find a suitable driver in its own files (although it had
just done so, apparently) AND it couldn't find one online, either. So I would
be forced to use the manufacturer-provided disk. After that installation ran,
I could print any document I wanted, but, after restart, 3) I would get a
prompt that some file was missing (the exact file is in my notes somewhere)
and the only place I was ever able to find that was by browsing my
manufacturer disk. I explained all this to HP, via e-mail, and they
responded that no one had ever heard of such a thing, thanks for your
business.

I tried bypassing all this by going to HP's website and downloading the
latest driver on disk, but I had basically the same experience when I did
that.

As this "system" has evolved, I don't have the 3-step process, I just have
no choice but to install from the manufacturer disk. Even if I download the
HP driver on disk, I am still prompted to insert the manufacturer's disk in
order to get a successful installation.

Here is my hypothesis about what goes on there: HP has on its disks a
horrible "order reminder" function that I believe is a helpful pathway for
this invader. The invader has a "rock in the door" with its three bogus XP
updates and this order reminder thing helps it along. That's why I have to
have the manufacturers' disk to proceed, and I can't just use the downloaded
driver. The downloaded driver doesn't include that "value add."

Last but not least, I have this old Windows 98 Dell Inspiron laptop that I
have been limping along with while I try to figure out what to do about
connecting my Averatec with its new motherboard and hard drive to the net
safely. I use Firefox, and Avast and firewall software. I learned the other
day that if I tried to use that 1020 printer offline, that is, while I wasn't
connected to the Internet, the jobs would simply queue up, with the status of
"Waiting for operator approval" or something like that. As soon as I got on
the Net, the jobs printed.

As I have said before, I may not have all the right language for describing
what is happening, but I have observed and documented it in a lot of detail.
It is great to have your insight, Harry.

Cheers, Sue
 
Guest

There are a couple of other things going on with the Averatec C3500 tablet
computer in question in this thread.

--When I re-imaged the drive and went to administer users, I saw a user
called something like something.asp. I deleted that user, and all the files
associated with it. I also created a new account with administrator
privileges, and deleted the original "owner" account and its files. When I
rebooted, I don't get the "Welcome" screen where you click on your name, nor
do I go immediately to the desktop (which is what I expected and have
observed on others' machines when there is only one user.) Instead, I get a
"Log on to Windows" box, with the username and password blanks.

--Just now I logged into safe mode (not safe mode with networking), where I
got the same "Log on to Windows" box. This is not what usually happens, in
my experience. What usually happens is that you see a "Welcome"-type screen
where you can either click on as "Administrator" or any of the usernames that
have admin privileges.

Just as a reminder, this is a machine that has not been on the Internet,
other than perhaps at the repair depot, since it got a new hard drive and
motherboard.

Thanks so much to all who answer here.

Cheers, Sue
 
Poprivet

SueInCincy said:
There are a couple of other things going on with the Averatec C3500
tablet computer in question in this thread.

WHAT thread? You posted a new message instead of replying, which would have
kept you connected to the thread! Jeez,
 
Guest

Forgive me, what I see looks like what seems to be a thread. I changed the
subject line, but all of this is about the same complex of situations on the
same machine. I did have the experience of a two-day delay on when I tried to
post this, and so there are actually three threads about this, but as far as
I can tell there's nothing I can do about that. Thanks.
 
Poprivet

I suspect what you are calling "threads" are in reality only single
messages. Regardless, your post appears on the newsgroup as a brand new
message with nothing to relate it to who/what you were responding to.
Somehow you need to be sure you use Reply, as you did with this latest
message. This latest message appeared correctly on the newsgroup, directly
under my reply to you, and indented, making it obvious you had responded to
me, and it included what I wrote to you.
Your first post wasn't like that; it was a brand new post. I have no idea
how the system you are using works, but it might have made it a new message
because you changed the subject line. You should never change a subject
line because that's what keeps the posts together with each other anyway,
especially in the archives.
I could change the subject line and not mess up the thread, but you may
not be able to, without messing up the thread since you're using internet
access to get to the newsgroups.

Luck,
Pop`
 
