Sysinternals Freeware - Mark Russinovich & Bryce Cogswell

Mark's Sysinternals Blog

The Case of the Mysterious Driver

The other day I used Process Explorer to examine the drivers loaded on a home system to see if I’d picked up any Sony or Starforce-like digital rights management (DRM) device drivers. The DLL view of the System process, which reports the currently loaded drivers and kernel-mode modules (such as the Hardware Abstraction Layer – HAL), listed mostly Microsoft operating system drivers and drivers associated with the DVD burning software I have installed, but one entry, Asctrm.sys, caught my attention because its company information is “Windows (R) 2000 DDK provider”:



This is the company name included in the version information of drivers that have been based on sample code from the Windows 2000 Device Driver Kit (DDK) and it’s obviously unusual to see it in production images. The driver’s description is equally unenlightening: “TR Manager”. My suspicions aroused, I set about investigating.

My first step was to right-click on the entry and “Google” the driver image name. The resulting Google search reveals that others have this driver and that in some cases it had been identified as the cause of system crashes, but although several spyware databases have entries for it, none of the ones I checked conclusively tied the driver to an application or vendor.

I next looked for clues in the image itself by double-clicking on the driver entry in the DLL view to open the Process Explorer DLL properties dialog. The image page revealed nothing of interest other than the fact that the driver had been linked in December of 2004. I turned my attention to the Strings tab to look for some hint as to the driver’s reason for existence. None of the few intelligible strings Process Explorer found in the image were unique except for the last one:



When a driver is compiled, the linker stores the path to the debug information file it generates, which has the extension .pdb, in the image. The path in this case appears to include the name of a company, “AegiSoft”. However, the http://www.aegisoft.com/ web site describes Aegis Software, Inc. as a company that creates “powerful, sophisticated and easy to use trading software and services for financial companies that demand performance, robustness, availability, and flexibility.” That doesn’t sound like a company that ships device drivers.
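A small triage script that reproduces offline the two checks made by hand above: pulling the printable ASCII and UTF-16LE strings out of a driver image (the version-resource CompanyName shows up as a UTF-16LE string, which is how the “DDK provider” clue surfaces) and parsing the CodeView “RSDS” record in which the linker stores the .pdb path. This is an added example, not code from the post or from Sysinternals; the sample bytes are constructed, and the \Device\asctrm name and AegiSoft path only mimic the strings discussed above.

```python
import re
import struct
import uuid

# Constructed sample (not the real asctrm.sys): a fragment laid out like a
# driver image, with an ASCII device-object name, a UTF-16LE version-resource
# string, and the CodeView "RSDS" record in which the linker stores the PDB path.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\\Device\\asctrm\x00\x00\x00"
    + "Windows (R) 2000 DDK provider".encode("utf-16-le") + b"\x00\x00"
    + b"RSDS" + uuid.UUID(int=0x1234).bytes_le + struct.pack("<I", 3)
    + b"c:\\AegiSoft\\build\\asctrm.pdb\x00" + b"\x00" * 8
)

DDK_SAMPLE_COMPANY = "Windows (R) 2000 DDK provider"  # placeholder left by DDK samples

def extract_strings(data, min_len=6):
    """Printable ASCII and UTF-16LE runs, like Process Explorer's Strings tab."""
    narrow = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide = re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([m.group().decode("ascii") for m in narrow]
            + [m.group().decode("utf-16-le") for m in wide])

def extract_pdb_path(data):
    """Parse the CodeView RSDS record: signature, 16-byte GUID, 4-byte age, path."""
    idx = data.find(b"RSDS")
    if idx < 0 or idx + 24 > len(data):
        return None
    guid = uuid.UUID(bytes_le=data[idx + 4:idx + 20])
    age = struct.unpack_from("<I", data, idx + 20)[0]
    end = data.find(b"\x00", idx + 24)
    path = data[idx + 24:end if end >= 0 else None].decode("ascii", "replace")
    return guid, age, path

def triage(data):
    """Collect the clues the post relies on to attribute an unidentified driver."""
    strings = extract_strings(data)
    findings = {
        "ddk_sample_company": DDK_SAMPLE_COMPANY in strings,
        "device_names": [s for s in strings if s.startswith("\\Device\\")],
        "pdb_path": None,
        "pdb_path_hints": [],
    }
    cv = extract_pdb_path(data)
    if cv is not None:
        findings["pdb_path"] = cv[2]
        # Directory names in the PDB path often leak the vendor or project name.
        parts = [p for p in cv[2].split("\\") if p and not p.lower().endswith(".pdb")]
        findings["pdb_path_hints"] = parts[1:]  # drop the drive letter
    return findings
```

To run it against a real file, read the .sys image as bytes and pass it to triage(); a hit on the DDK placeholder or an informative PDB path is a reason to identify the vendor, not proof of malice.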

On a whim I did a Google search of “aegis” and came across this January 2001 news item announcing RealNetworks’ acquisition of Aegisoft Corp. (notice the difference in name from Aegis Software, Inc.). I knew I had RealPlayer installed on the system so I ran RealPlayer and confirmed that it uses the driver by doing a handle search for “asctrm”, the name of the device object I had seen in one of the driver’s strings:




Newer versions of RealPlayer don’t appear to include a device driver, but I have an old version on this system. I haven't gotten new release notifications because after installing RealPlayer I always use Autoruns to delete the HKLM\Software\Microsoft\Windows\CurrentVersion\Run item that the RealPlayer setup creates to launch the Real Networks Scheduler at each boot. That Run entry, incidentally, is “TkBellExe”, another misleading label.

So the driver is not malicious after all (but it is related to DRM, so agreement with that view depends on your feelings about DRM). However, this example highlights the need for all software vendors (Microsoft included!) to clearly identify their applications and drivers in their version resources and in any associated Registry keys or values.

I’m still researching Vista User Account Control and so will blog on that in the near future.

posted by Mark Russinovich @ 3:52 PM

Comments:
Interesting, wonder if this will cause any stir at Real..
 
Thanks Mark, another excellent hands-on demonstration of malware hunting.
 
When I searched for "Asctrm.sys" using Google, it came up with a website that listed "Asctrm.sys" as being part of Real Player. So that wasn't so difficult to find, was it? :-)
 
Btw, Mark, why procexp90.sys does NOT have version info? :)
 
So that wasn't so difficult to find, was it? :-)

Well perhaps it wasn't. But then the article wouldn't have been half as interesting if it had finished after the first paragraph.
 
The Process Explorer driver does include version information, but Process Explorer can't find the information because the driver is deleted from disk after it loads. The version information is visible with the "lm kv" command in a kernel debugger.
 
So that wasn't so difficult to find, was it? :-)

I did see a couple of reader-supplied comments in one of the database entries on the asctrm driver indicating a connection with RealPlayer, but no confirmation and so didn't trust the information.
 
Very very interesting :-)

Which tool did you use to find strings in a binary file ? (the one which gave the output in mysteriousdriver2.gif).

Thank you
 
fascinating! i was not aware that you could use process explorer to see the drivers like this.

this is one of the things that makes your blog so useful, it is incredibly educational in how to use your utilities :)
 
Thanks a lot for the excellent tools and demos you provide on this web site!

Keep on explaining us Windows!
 
"However this example highlights the need for all software vendors (Microsoft included!) to clearly identify their applications and drivers in their version resources and in any associated Registry keys or values."


I agree completely, but my main problem is with the programs that install the drivers and applications so that they start automatically when the system loads.

For goodness sake, I don't WANT Realplayer or ITunes to load when my system starts. I would understand if the installation program gave me the OPTION of having those features enabled, but some programs have no way to disable the auto-start feature, even after installation. Furthermore, most of those applications automatically check on startup to see if their autostart registry key is still there, and if not, the program recreates it causing my manual removal of the entries to have no effect the next time the program is executed.

It seems like many programs take the approach, "I'll load myself at startup and run in the background so that the user thinks it's really cool that I can 'load' super fast." To me, the quick appearance of a program like this is not as important as overall system reaction speed.

Maybe I'm just different than everyone else, but I can see that at least someone out there has the same trouble I do...why else would there be programs like autoruns?


Some programs that I find to be offenders:

1. AOL (Aol Instant Messenger/AOL internet client software)
2. Real Player
3. Quick time
4. ITunes
5. Windows Messenger -- seems that unchecking "load at system startup" doesn't always work, but I'm not sure if that's because another program is loading it.


Now, most of these programs I haven't used in some time (I gave up a long time ago and went to Trillian, RealAlternative, etc) so they may have been improved since I last tried them. Also, I concede that some people want AOL to load at system boot. I just find it annoying that software vendors think they know what is "best" for the user. I've "fixed" many computers. Usually, I get called over to someone's house because their system is "slow." More times than not, it is the many legitimate programs autostarting and running in the background that are slowing the computer down, not malware.
 
TkBellExe is a program that monitors media file associations and if anybody ever associates mp3 with some other application (the nerve!), Tinkerbell will reassign it back to RealPlayer. You agreed to run Tinkerbell as part of the license agreement you probably didn't read.
 
TkBellExe is a program that monitors media file associations and if anybody ever associates mp3 with some other application (the nerve!), Tinkerbell will reassign it back to RealPlayer.

I believe that it also manages the RealNetworks message center and performs auto-update checks.
 
Real Player and other malicious software from non-malicious software manufacturers---

I also disable TKBellEXE (i.e. RealSched.exe) every time I load RealPlayer on my computer or anyone else's computer I work on. The license agreement does actually say what the program is for, but to me it is malicious. Malicious software by my definition is anything that uses up system resources without providing any benefit to the USER. Many companies like Real Corp. install software that benefits them but not the user, and makes them run automatically. Most companies don't include information about such in their EULAs. I do give Real Corp KUDOS for putting it in the EULA, but I still don't agree to run that part of the software so I disable it.

RealSched.exe: it's interesting that they say it doesn't communicate with their servers; however, they admit to such communications, and they claim that RealSched just schedules when another portion of the software will do that communication.

"8. SCHEDULER. An application Scheduler, known as "realsched.exe," is installed along with RealPlayer. Once installed, it runs independently of RealPlayer. The Scheduler does not collect personal information or communicate with RealNetworks' servers. It is used to remind AutoUpdate, Message Center and the Watch Folders feature to perform their tasks at pre-scheduled intervals. Scheduler also watches for and alerts RealPlayer to connection and disconnection of portable devices. You can control these activities via the Automatic Services section of the Preferences dialog, located under the Tools menu."

Of course what it schedules are all of the "AUTOMATIC COMMUNICATIONS FEATURES" described in Section 7a-e.

This is pre-assuming Real Corp tells the truth, but considering they don't, as Mark put it, "clearly identify their applications and drivers in their version resources and in any associated Registry keys or values," I don't know that I can trust them. Still, at least they did put it in their EULA which is more than most other companies do. And, their software doesn't cease to work without the offending component. So I just disable it and remove the file so it can't run.
 
Process Explorer 10.x driver's version information: (use livekd)

kd> lm v m procexp100
start end module name
f8beb000 f8beca00 PROCEXP100 (deferred)
Image path: \??\C:\WINDOWS\system32\Drivers\PROCEXP100.SYS
Image name: PROCEXP100.SYS
Timestamp: Fri Jan 06 17:04:34 2006 (43BEE972)
CheckSum: 00004A53
ImageSize: 00001A00
File version: 9.30.0.0
Product version: 9.30.0.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Sysinternals - www.sysinternals.com
ProductName: Process Explorer
InternalName: procexp.sys
OriginalFilename: procexp.Sys
ProductVersion: 9.30
FileVersion: 9.30
FileDescription: Process Explorer
LegalCopyright: Copyright (C) M. Russinovich 1996-2005
 
Mark uses RealPlayer? Has it stopped being a spyware-infested pile of poor programming since I last saw it?
 
RealPlayer certainly used to be a horrid festering pile, but the company has since cleaned up its act considerably.

I use RealPlayer for Linux every day to listen to net radio, and it's a wonderful piece of software - small, fast, light, with a consistent and well designed UI. It's even quite attractive without going overboard with totally native widgets.

In short, judge them by what they do today, not what they did yesterday (tempting though it is ...)
 
But ProcessExplorer 10.6 doesn’t show version information about C:\WINDOWS\system32\Drivers\PROCEXP100.SYS on my system. The Drivers directory doesn’t even contain such a file. It’s so hard to find this file. I need to use Resource Hacker to extract this file from Procexp.exe. Then I can see its version information.

I think this side effect exists because ProcessExplorer doesn’t have an installer. Instead, it loads the driver dynamically.

P.S. Sorry for my bad English.

Regards
j_marek
 
What is it with companies from that part of the world trying to foist their, often less than open, ways on the rest of us.

How about a bit of corporate morality from the US of A without having it forced on them by courts etc.
 
Mark, and what do you think about mandatory driver signing on Vista?

http://www.osronline.com/article.cfm?article=435
http://www.osronline.com/article.cfm?id=447

Does it stop rootkits, like Sony DRM ? If not, what is the reason for that "protection" ?
 
aaron, I too am bothered by those utils that feel they belong in the Run section somehow. In 99% of the cases, they don't!

IIRC, I also had to remove OpenOffice from the Run section, as well as the latest version of Adobe Acrobat Reader. I'm guessing that most "free" software vendors at this point feel they can act like jerks.

--
Rune
 
Hello Marks and Thanks a lot.
Just a question...
Can Process Explorer monitor processes like the counters in perfmon.msc? I'd like to monitor each process for a day or night, whatever period, in order to locate the process that exceeds 80 percent of processor time and causes the reduction in performance. (sorry for my English, I'm French :-p )
 
Can't understand why anybody would want to run Real*.* after their spyware tactics in the past...
 
you are my god mark!( spam spam spam )You teach me. you are sooo good!

gene converse
 
Hi Mark,

Just a question about the "infamous" TKBell.exe that launches the "realsched" task at boot time: I keep disabling it from autoruns, but as soon as I relaunch realplayer, it installs again. Is there a way to avoid this?
 
Speaking of drivers... Is it possible to kill a KERNEL_DRIVER service that doesn't implement a stop function without having to reboot?
 
however this example highlights the need for all software vendors (Microsoft included!) to clearly identify their applications and drivers in their version resources and in any associated Registry keys or values.

taking a look straight off at ProcessExplorer (OH HOW I LOVE THESE WINTERNAL TOOLS!!)
MARK, PROCEXP100.SYS is not even Identified.
Just an observation :-)
 
Yes the good news is that you can stop those startups !

TKBell.exe + RealSched.exe + also Quicktime's qttask.exe can all be Renamed for eg - .exer. You will never be troubled again, unless you update of course, and they might install a replacement. But hey all is not lost, because if you create a dummy file with the Exact same names as those you Renamed, then they can't get replaced as 2 files of the same name aren't allowed to exist in the same location.

Actually you can use this trick for other pesky Apps too, and for all sorts of other blocking purposes, as i have !

In fact i think it might be possible to use this idea as some form of general Malware blocker. I've created a few Dummy files with the names of nasties and dropped into various locations in my PC. If any of those should ever, unlikely with my setup, try to get placed they will fail, and with a nice friendly Windows message to boot lol !

Have a nice peaceful stress free start up from now on.

Spanner

SpannerITWks
 
Hi, Mark,
Thank you for your high quality system tools.

I'm using process explorer now. I checked the System process and found one mysterious driver without any description and event without image file! So I can't hunt it.

Here is the simple text mode snapshot of this driver property.

Image:
Description: n/a
Company: n/a
Version: n/a
Time: n/a
Path: E:\Windows\System32\Driver\

Strings:
Error opening file

Could you help me to figure it out?
Thanks.

Aling

Email: alingsjtu at gmail.com
 
An excerpt from the article
"Eliminating Explorer's delay when deleting an in-use file" ;

"Now that we know which addresses to patch, we need to map those addresses into the kernel-mode area of the memory. This will allow us to lock the pages in memory, thus preventing them from being swapped out to disk. In this case the memory we're modifying is "backed" by shell32.dll. If it were to be swapped out, the memory manager would attempt to write the changes back to shell32.dll. This would most likely cause Windows File Protection to swing into action, which is something we want to avoid, since it would most likely undo the changes we're going to make."
http://www.codeproject.com/system/NoDeleteDelay.asp?df=100&forumid=219994

so my questions;
Why does WFP swing into action? Isn't the driver just patching the memory, not the file? Does swapping out modified memory cause the memory manager to write the changes to the file? Which file are we talking about? Or does WFP come into action not only when a file is modified but also when the memory it has been mapped to is?

Thanks
 