Windows service names MUST be reserved, WSRN?

iSergiwa

Hello all

In Windows, I know that creating a new folder and naming it "CON" is
prohibited (you can try it yourself), but many users who face this case
(usually by accident) think that it is a Windows bug! And many others think
that it's a Windows trick or even more: a kind of magic!! << can you believe
that?!!!

In programming, every programmer knows this basic concept: using the
programming language's "reserved words" as variable names is prohibited, as
they may conflict with each other!

In malicious software programming, we may all notice that those sick people
who develop such types of software usually use a simple-but-effective trick
in order to make their malicious programs hidden, unnoticed and hard to
delete or stop: giving their programs names that are usually used by
Windows system services! Names like services.exe, lsass.exe, winlogon.exe,
svchost.exe…

Well, I'm using Kaspersky Internet Security and I can count too many
times when KIS asked me to unlock an infected exe file first because it was
being locked by another service or program and couldn't be deleted instantly.
And I can say that most of those times were because the malicious exe file
had the name of one of the Windows system services! (Email-Worm.Win32.Brontok.q is
a good example.)

Kaspersky (or any other AV software) has nothing to do with such a
"vulnerability", of course; it's all about Microsoft. And yes, I call it a
"vulnerability" because it helps those sick people to take advantage of it
in spreading their sick programs!

Microsoft must develop a new term and call it "Windows Services Reserved
Names" (WSRN) or something like that, and take the steps to prohibit giving
exe files names that are identical to its own system services. Why NOT?!
Such a procedure would help AV software vendors and make it easy for them
to fight malicious software.

Thank you for reading and being patient

Harry Johnston

iSergiwa said:
Well, I'm using Kaspersky Internet Security and I can count too many
times when KIS asked me to unlock an infected exe file first because it was
being locked by another service or program and couldn't be deleted instantly.
And I can say that most of those times were because the malicious exe file
had the name of one of the Windows system services! (Email-Worm.Win32.Brontok.q is
a good example.)

No, Windows will not consider a file to be locked merely because it has the same
unqualified name as another file which is in use. Objects with the same name in
different places are not the same object; this really *is* a fundamental
programming concept!

The symptoms you describe would appear to be a problem with Kaspersky (or
perhaps just an issue with your particular computer) as I've never seen this
occur with any other AV program ... unless the virus had already infected the
computer before Kaspersky received definitions for it?

Unless the computer was already infected, Kaspersky should have prevented the
file from being opened in the first place. At the very least it should offer to
reboot the computer in order to delete the file.

(I believe sysinternals.com has a tool that will allow you to determine which
process has the file open, if you want to know.)

iSergiwa said:
Microsoft must develop a new term and call it "Windows Services Reserved
Names" (WSRN) or something like that, and take the steps to prohibit giving
exe files names that are identical to its own system services. Why NOT?!

That's ridiculous. The advantages gained would be trivial, the hassle caused
would be enormous. Just for a start, what happens when a new version of the OS
comes out with new system filenames? Any existing application using any of the
new filenames wouldn't work any more.

It's enough of a problem to still have reserved device names left over from the
DOS days. It's a real pain when someone creates a file named CON; they're hard
to get rid of! IIRC, there are also viruses which take advantage of this
peculiarity to make it harder to deal with them.

Harry.

iSergiwa

Harry said:
No, Windows will not consider a file to be locked merely because it has the same
unqualified name as another file which is in use. Objects with the same name in
different places are not the same object; this really *is* a fundamental
programming concept!

Pardon me, but if you'd given more attention to what you read you would realize that I didn't say that!

Actually I meant what you realized later here:
Unless the computer was already infected, Kaspersky should have prevented the
file from being opened in the first place. At the very least it should offer to
reboot the computer in order to delete the file.

Yes, that's exactly what I wanted to say (I thought it was clearly implied).

In many cases, I was forced to do the hard work of curing infected computers because they had no AV installed on them at all. Yes, that's true: many people (thousands of them) don't know whether their computers need AV software or not; in the best cases the virus definitions are outdated because they (tens of thousands of them) don't know they have to update their AV regularly; and many others (millions) don't even know what a computer virus is!

When one of those asks you for help because their computer has been infected with (Email-Worm.Win32.Brontok.q), what would you do?! Don't tell me you would install an AV on hand, then update its virus signatures, then do a scan with it; you know this won't work because all the running exe files you need to delete are already started and locked. Why locked? Because they have the same names as Windows services names!!!

So you should first do an OFFLINE scan with KAV Rescue Disk or any other AV you prefer, and this barely does the work! Not to mention the hard work needed with NTFS drives. Set that aside: when you boot the computer back you would usually be faced with the same thing every time; the virus made some system restrictions in order to make itself hidden. Those restrictions are usually the following:
1 - Disable Ctrl+Alt+Del >> so the user can't see the virus and the other running applications!
2 - Disable Folder Options >> so the user can't set the option to show hidden files!
3 - Disable Regedit >> so the user can't see what is going on in system startup!
And unfortunately, KAV or any other AV software has nothing to do with such restrictions and does nothing to re-enable them!

By the way, just in case you want to know, here you'll find a tiny tool that does the work: it re-enables all that the virus had disabled and brings everything back. I designed this tool and published it for free for everyone who needs to use it!

http://www.sergiwa.com/modules/mydownloads/visit.php?cid=2&lid=1

Now what do you think the cause of all that is? Yes, it's the old trick: Win32.Brontok.q divided itself into several objects in different places, every one of them with a name like one of the Windows services, so it's hard to delete it if it's started in the first place!!! And if you try to delete it or unlock it with one of the third-party unlockers, Windows won't let you!!! << can you believe it? Windows is helping the virus here!!!

Harry said:
That's ridiculous. The advantages gained would be trivial, the hassle caused
would be enormous.

What you called trivial is costing millions of dollars every day: reformatting hard disks, losing data, losing time, as not all users know how to deal with this problem manually. Furthermore, not all support staff know what they have to do in such cases, and most of them find that reformatting the hard disk and installing a fresh OS is the simple and fast solution!

Harry said:
Just for a start, what happens when a new version of the OS
comes out with new system filenames? Any existing application using any of the
new filenames wouldn't work any more.

You're not talking about Microsoft, are you? Microsoft? The company which created thousands of terms and IT standards and forced thousands of companies to follow its standards would get stuck in such a trivial case?!

I bet you that one of their inglorious engineers would find a solution in... let's say five minutes :)

iSergiwa

Harry Johnston

iSergiwa said:
When one of those asks you for help because their computer has been infected
with (Email-Worm.Win32.Brontok.q), what would you do?! Don't tell me you would
install an AV on hand, then update its virus signatures, then do a scan with
it; you know this won't work because all the running exe files you need to
delete are already started and locked. Why locked? Because they have the same
names as Windows services names!!!

This is the problem in your reasoning. They are *not* locked because they have
the same name as windows services names. They are locked because the virus is
locking them. They'd be just as locked no matter what name they used.

iSergiwa said:
What you called trivial is costing millions of dollars every day: reformatting
hard disks, losing data, losing time, as not all users know how to deal
with this problem manually,

... and how would your proposal help? Granted, it would block some existing
viruses, but believe you me they would all be rewritten and rereleased a lot
faster than any such change in Windows could be deployed.

Harry.

iSergiwa

Harry said:
This is the problem in your reasoning. They are *not* locked because they
have the same name as windows services names. They are locked because the
virus is locking them. They'd be just as locked no matter what name they
used.

You say to moi.. *NOT*?!

You know what, Harry? In your first reply, when you misunderstood me, I
thought it was because you assumed I'm not a knowledgeable person. That was
OK with me and I excused you because you don't know me personally, nor do
I know you. But now, I'm afraid you assume that the thousands of readers who are
reading our discussion now are not knowledgeable too, to the degree that you
might believe they can't realize at first glance who's wrong and who's
right!

Well, as you assume we are not knowledgeable persons, I'm not going to
discuss the technical info with you about what determines the lock status of
every running service in Windows XP, neither at service startup nor when it's
running or at its end. And I'm not going to prove anything in such a manner;
instead, I'll cut it short and give you a LIVE example you can try at home
while you're drinking a cup of black coffee!

You know the calculator, right? That tiny utility that comes with Windows XP.
OK, go to the system32 folder; you'll find it there. Make a copy of it on your
desktop, rename the copy from calc.exe to lsass.exe and then RUN it!

Now press Ctrl+Alt+Del to bring up the Task Manager and move to the 'Processes'
tab to see what processes are running. You'll find that there are "two copies"
of LSASS.EXE running, one as a system process and the other as a user process!

Now try to stop the user process. Don't be afraid, it's not the LSA Shell
service, it's just a copy of the calculator, so do STOP it!

Oops!

Windows says:

Unable to terminate Process
This is a critical system process. Task Manager cannot end this process.

Hmmm, Windows says that the calculator is a critical system process!!! <<
can you believe this!!!

Although it's only the calculator, and it doesn't have any malicious routine
or any supporting malicious object locking it, it's LOCKED now anyway, as you
can see!

Now who locked it? Do you still think that it's *NOT* locked because it has
the same name as a Windows service name?!

Me? I can't answer such a question! It's beyond my knowledge, as I'm not that
knowledgeable a person!

Someone else, please?

iSergiwa

Harry Johnston

iSergiwa said:
You know the calculator, right? That tiny utility that comes with Windows XP.
OK, go to the system32 folder; you'll find it there. Make a copy of it on your
desktop, rename the copy from calc.exe to lsass.exe and then RUN it!

Now press Ctrl+Alt+Del to bring up the Task Manager and move to the 'Processes'
tab to see what processes are running. You'll find that there are "two copies"
of LSASS.EXE running, one as a system process and the other as a user process!

I hardly know where to start.

(1) In your earlier posts you said that the file was locked because of the
filename; you didn't say that the process was locked. I'm not a mind reader!
What I said is true; the file is locked because a process has it open and the
name of the file is irrelevant to this.

(2) The process in this scenario isn't "locked". In fact there isn't even such
a thing as a locked process. The symptoms you describe are just a bug in task
manager. If you use another tool (such as pskill from sysinternals.com) you'll
be able to terminate that process just fine.

(3) The correct way for Microsoft to address this problem would be to fix the
bug in task manager, not to introduce a huge set of reserved filenames.

Harry.

iSergiwa

Harry said:
(1) In your earlier posts you said that the file was locked because of the
filename; you didn't say that the process was locked. I'm not a mind
reader! What I said is true; the file is locked because a process has it
open and the name of the file is irrelevant to this.

I'm sorry, as I assumed you were one of the mind readers!

Harry said:
(2) The process in this scenario isn't "locked". In fact there isn't even
such a thing as a locked process. The symptoms you describe are just a
bug in task manager. If you use another tool (such as pskill from
sysinternals.com) you'll be able to terminate that process just fine.

I'm using another tool too, TuneUp Process Manager. It gives a warning
similar to Task Manager's, but with a dialogue box like yours with Yes & No to
stop the service, and I can stop it with no problems if I click Yes. Done?
Let's see.

Now suppose I'm a normal user who thinks that AV software is only made to
eat his CPU usage (those are thousands), or I'm a user who doesn't keep his
AV signatures up to date (those are tens of thousands), or I'm a user who
knows nothing about malicious programs or what a computer virus is (those
are millions), and suppose I read such a message from Task Manager and then
from TuneUp Process Manager! What do you think I would do? Yes, of course, I
wouldn't stop it, as I'd think stopping it might be dangerous!!!

Kaspersky responds differently, of course. I disabled Kaspersky online
protection, then did some evil hex modification to the calc.exe file
(injected it with some evil bytes KAV knows very well), then renamed it
from calc.exe to lsass.exe, ran it, and re-enabled Kaspersky
online protection!

Once Kaspersky came alive, it gave an alert saying that my computer was
infected with a virus (a running module), pointed to the lsass.exe (the
renamed calculator), and said that a special disinfection procedure was
required which demands a system reboot, and I was advised to close all other
applications!!!

Kaspersky says that the calculator needs a special disinfection procedure!!!
<< can you believe this?

It's ironic because it doesn't say that when I don't rename the evil
calculator (the evil hex-injected one)! It simply deletes the calc.exe
instantly. Now what makes it say that deleting the calculator needs a
special disinfection procedure? Yes, it's because the calculator has the name
lsass.exe!

Harry? Still need more proof?!

Harry said:
(3) The correct way for Microsoft to address this problem would be to fix
the bug in task manager, not to introduce a huge set of reserved
filenames.

Who said a huge set? Only 5 or 6, not more!!! :)

In the DOS era, we were not allowed to develop an application and name its
main executable file command.com, or name one of our data files associated
with it msdos.sys or io.sys or even config.sys or autoexec.bat and put it
in the root directory of our system drive! And we never asked why those
names were monopolized; we just accepted the situation as is and grew up with
the fear of playing with such names as if they were prohibited, and avoided
them as we avoid sins and errors!! So why do you argue with me when I say that a few
more monopolized names are needed for the sake of Windows itself!!!

DO think of it, dear Harry, it's the same, believe me!

iSergiwa

Harry Johnston

iSergiwa said:
Now suppose I'm a normal user who thinks that AV software is only made to
eat his CPU usage (those are thousands), or I'm a user who doesn't keep his
AV signatures up to date (those are tens of thousands), or I'm a user who
knows nothing about malicious programs or what a computer virus is (those
are millions), and suppose I read such a message from Task Manager and then
from TuneUp Process Manager! What do you think I would do? Yes, of course, I
wouldn't stop it, as I'd think stopping it might be dangerous!!!

So perhaps Task Manager and TuneUp should be fixed? Or the users in question
should seek competent help?

iSergiwa said:
Kaspersky says that the calculator needs a special disinfection procedure!!!
<< can you believe this?

Perhaps Kaspersky should be fixed too.

iSergiwa said:
Who said a huge set? Only 5 or 6, not more!!! :)

Why only those ones? There are hundreds of system files. Anyway, even one
reserved name is one too many.

iSergiwa said:
In the DOS era, we were not allowed to develop an application and name its
main executable file command.com, or name one of our data files associated
with it msdos.sys or io.sys or even config.sys or autoexec.bat and put it
in the root directory of our system drive!

No, but you could put it anywhere else.

Harry.

iSergiwa

Harry said:
So perhaps Task Manager should be fixed?
So perhaps TuneUp should be fixed?
Perhaps Kaspersky should be fixed too?

Hey Harry, sounds like too many things should be fixed in your opinion! So
you are not that "Windows-radical" person I thought; why not this one too?!

Harry said:
Why only those ones? There are hundreds of system files.

Because I'm *not* talking about advanced users like you who have hundreds of
Windows services running in normal mode; I'm talking about normal computers
used by normal users, which have only those 5 or 6 famous services running in
normal use, and those users are the target of the malware authors! Me,
for example, I can never be tricked by such silly tricks even if I have no AV
installed; I would notice it at once!

Harry said:
No, but you could put it anywhere else.

Didn't I tell you that it's the same?

That's exactly what the malware authors do: they put their sick programs
elsewhere. If I were a malware author, I wouldn't even try to name my exe
file lsass.exe and put it in the c:\windows\system32 folder, because the
original lsass.exe is there, and it runs from there, and because of that
Windows won't let me overwrite it. Instead, I would name it lsass.exe and put
it elsewhere! (c:\windows is the best place.) Once I could put it there and
run it, it would be very difficult (for normal users) to get rid of it!

Harry, believe me, the Win32.Brontok.q worm is following the same scenario, and
if it just couldn't name itself lsass.exe in the first place,
it would NEVER have made this huge mess!

Harry, I think this thread has reached its end (at least from my
side). I was very happy discussing this issue with you; you were one of the
best people I have ever met who don't point fingers here and there but argue
for the sake of the facts! :)

Thank you

iSergiwa

Harry Johnston

iSergiwa said:
Hey Harry, sounds like too much things should be fixed in your opinion!

As a general rule bugs should be fixed. Task Manager refusing to terminate
processes with the same name as system processes is definitely a bug. Analogous
statements apply to the third party software if I have correctly understood the
behaviour you were describing.

For various reasons I don't believe these bugs have quite the level of impact
you are claiming it does, but that doesn't mean they shouldn't be fixed. I
don't know how much Windows programming experience you've got, but please trust
me that it would be easy for these programs to check which directory the
executable was in, thus unambiguously distinguishing the real system processes
from the pretenders.

In the unlikely event that anyone else is still reading this thread, can anyone
confirm or deny that task manager has the same bug in Windows Vista? :)

I was wrong about this, of course, because the only files that are affected are
those that are considered special by task manager (and relevant third party
programs) which is presumably a relatively small set. My bad.

iSergiwa said:
Harry, believe me, the Win32.Brontok.q worm is following the same scenario, and
if it just couldn't name itself lsass.exe in the first place,
it would NEVER have made this huge mess!

Personally I find this doubtful; having looked up the details, it seems to me
that the average user wouldn't be able to clean up such worms without assistance
regardless of this particular issue.

In any case, the point I'm trying to make is that it would be easier to fix the
bug in task manager than to meddle with the file system namespace, it would
address the stated problem just as effectively, and it wouldn't cause the
compatibility and management problems your suggestion would.

I don't think I mentioned that my day to day activities would definitely be
affected by being unable to create files named lsass.exe. It would interfere
with making backup copies of Windows systems, with creating and working with
Windows PE ... and of course it could make it hard for Microsoft to compile new
versions of Windows too! :)

iSergiwa said:
Harry, I think this thread has reached its end [...]

Agreed. See you around.

Harry.
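The directory check Harry describes (telling the real lsass.exe in System32 apart from a copy started from elsewhere) as an added example; it is neither participant's code. The classification is plain Python on constructed process records; the optional live snapshot assumes the third-party psutil package is installed.

```python
"""Flag running processes that borrow a well-known Windows system process
name but do not run from the system directory.

Added example for this thread (not code by either participant): it applies the
check Harry suggests, comparing each image's directory against the system
directories instead of trusting the bare file name.
"""
import ntpath  # Windows path rules, so the logic also runs on non-Windows hosts
import os

# Names the thread mentions as being borrowed by malware (compared case-insensitively).
KNOWN_SYSTEM_IMAGES = {
    "lsass.exe", "services.exe", "winlogon.exe", "svchost.exe", "csrss.exe", "smss.exe",
}


def trusted_dirs(system_root=None):
    """Directories the genuine images run from. SysWOW64 is included because
    32-bit svchost.exe instances on 64-bit Windows legitimately start there."""
    root = system_root or os.environ.get("SystemRoot", r"C:\Windows")
    return {ntpath.normcase(ntpath.join(root, d)) for d in ("System32", "SysWOW64")}


def classify(image_name, exe_path, trusted=None):
    """Return 'genuine', 'impostor', 'unknown-path' or 'not-system-name'.

    exe_path is None when the image path could not be read, which is normal
    for protected system processes when the caller is not elevated; such a
    process cannot be judged by this check and is reported as 'unknown-path'.
    """
    trusted = trusted or trusted_dirs()
    if image_name.lower() not in KNOWN_SYSTEM_IMAGES:
        return "not-system-name"
    if not exe_path:
        return "unknown-path"
    if ntpath.normcase(ntpath.dirname(exe_path)) in trusted:
        return "genuine"
    return "impostor"


def find_impostors(processes, trusted=None):
    """processes: iterable of (pid, image_name, exe_path) tuples."""
    return [(pid, name, path) for pid, name, path in processes
            if classify(name, path, trusted) == "impostor"]


# Constructed sample mirroring the calc.exe-renamed-to-lsass.exe experiment in
# the thread (not a capture from a real machine).
SAMPLE_PROCESSES = [
    (664, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe"),
    (1788, "lsass.exe", r"C:\Documents and Settings\user\Desktop\lsass.exe"),
    (1040, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    (2312, "calc.exe", r"C:\WINDOWS\system32\calc.exe"),
    (4, "smss.exe", None),  # path unreadable without elevation
]


def live_processes():
    """Snapshot the real process list with psutil (assumed installed);
    exe comes back as None where access is denied."""
    import psutil  # third-party; only needed for a live scan
    for p in psutil.process_iter(["pid", "name", "exe"]):
        yield p.info["pid"], p.info["name"] or "", p.info["exe"]


if __name__ == "__main__":
    for pid, name, path in find_impostors(SAMPLE_PROCESSES, trusted_dirs(r"C:\Windows")):
        print(f"PID {pid}: {name} runs from {ntpath.dirname(path)}, not a system directory")
```

Replace SAMPLE_PROCESSES with live_processes() to scan a real Windows host; processes reported as unknown-path need an elevated run to be classified.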