-
October 21st, 2007, 11:32 AM
#1
"Windows Automatic Update" or a backdoor
I have four partitions on my computer, say c, d, e and f. Out of these, Windows is installed on the c drive.
And I have two users on my computer, one is admin and another is InternetUser. I have configured the InternetUser in such a way that it has zero permissions on my system except that it can be used to surf the net (with some defined firewall rules) and save a few files on its desktop. Except for this it can't do anything on my computer.
I use the internet only from InternetUser.
But still Windows is able to "automatically update" my system. How can it write (update) my system from InternetUser, and that also remotely? I think Windows has some backdoor preinstalled on the OS. How can I find more about it, so that I can "update" other computers remotely?
Also I think that if I use a kernel level debugger (like SoftICE or WinDbg) and monitor the system while it is connected to the internet, I could find out more about this "automatic update". Has anybody done it before?
-
October 21st, 2007, 12:15 PM
#2
I think that Windows Updater runs as "system" if it is activated, so it doesn't matter which user is actually logged in.
To find out how to remotely update computers on a network, go to the MS update site and select the " use administrator options" down the left hand side.
-
October 21st, 2007, 02:31 PM
#3
See, there are many 'types' of users, as you may know. One of the most powerful accounts is named 'system'. This account has elevated privileges, much more than those of the administrator. It is said that even the administrator cannot change anything in the SAM (password file of Windows). It is this account that does.
The system account is used to run the very essential system services. As far as Windows Update is concerned, it is done via the process named 'svchost.exe'. It has multiple instances running under its name, each of which gives a particular service to you. There is no way you can DENY permissions to this process (or file, for the sake of firewall rules), as this process is the one which sends and receives the DNS requests and passes them on to the applications.
svchost.exe would run under the system account and so you do not have the power to change many things related to the process (of course due to its elevated privileges).
If you want to disable the automatic updates, I think you know the way. (It is: My Computer ==Right Click==> Properties ==> Automatic Updates ==> Disable and then OK.)
"Everything should be made as simple as possible, but not simpler."
- Albert Einstein
-
October 21st, 2007, 03:01 PM
#4
Yes, there are quite a few applications that check for updates and even apply them automatically. Antivirus products do it, ZoneAlarm firewall, et cetera.
All you need to do is open a connection to an ISP. Provided that the task was initially set up with adequate permissions, it will run as soon as any user makes the connection.
To find the programs and files being used by Windows Update, search your Windows partition for wu*.*
-
October 21st, 2007, 04:26 PM
#5
Originally Posted by jockey0109
See, there are many 'types' of users, as you may know. One of the most powerful accounts is named 'system'. This account has elevated privileges, much more than those of the administrator. It is said that even the administrator cannot change anything in the SAM (password file of Windows). It is this account that does.
The system account is used to run the very essential system services. As far as Windows Update is concerned, it is done via the process named 'svchost.exe'. It has multiple instances running under its name, each of which gives a particular service to you. There is no way you can DENY permissions to this process (or file, for the sake of firewall rules), as this process is the one which sends and receives the DNS requests and passes them on to the applications.
svchost.exe would run under the system account and so you do not have the power to change many things related to the process (of course due to its elevated privileges).
If you want to disable the automatic updates, I think you know the way. (It is: My Computer ==Right Click==> Properties ==> Automatic Updates ==> Disable and then OK.)
wuauclt.exe is the Windows Update automatic update client. That program maintains the local database of Windows updates. The database (as well as update downloads) is stored in %windir%\softwaredistribution. You can safely delete this folder. The next time wuauclt is run, it will recreate it.
svchost controls both wuauclt and BITS (Background Intelligent Transfer Service). svchost will run wuauclt depending on your automatic update settings.
You can stop one or both of these services from running by going into services.msc and setting the Automatic Updates and Background Intelligent Transfer Service (BITS) to either manual or disabled. I think that if you set it to disabled, then you will not be able to use the Windows Update website either.
You can also control the Windows Update settings via gpedit.msc or the way jockey0109 describes.
Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
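A way to check from the defender's side that the update activity discussed in this thread is the stock Automatic Updates (wuauserv) and BITS services and not something else: an added PowerShell script, not from any poster, that reports each service's state, start mode, the account it runs under, and whether its binary is the expected %windir%\System32\svchost.exe, plus the size of the SoftwareDistribution cache. It assumes Windows PowerShell 3 or later.

```powershell
# Added example: audit the two services behind Windows Update (wuauserv and BITS).
# Assumes Windows PowerShell 3+ (Get-CimInstance, Get-ChildItem -File).
function Get-WindowsUpdateServiceAudit {
    $expectedHost = Join-Path $env:windir 'System32\svchost.exe'
    $services = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv' OR Name='BITS'"
    foreach ($svc in $services) {
        # PathName looks like: C:\Windows\System32\svchost.exe -k netsvcs
        # Strip the -k arguments (and any surrounding quotes) to get the executable path.
        $exe = ($svc.PathName -replace '^"?([^"]+?\.exe)"?.*$', '$1')
        [pscustomobject]@{
            Name          = $svc.Name
            State         = $svc.State          # Running / Stopped
            StartMode     = $svc.StartMode      # Auto / Manual / Disabled
            RunsAs        = $svc.StartName      # expected: LocalSystem
            Binary        = $exe
            ExpectedHost  = ($exe -ieq $expectedHost)       # $false here deserves a closer look
            IsLocalSystem = ($svc.StartName -ieq 'LocalSystem')
        }
    }
}

# Size of the local update cache the thread mentions (%windir%\SoftwareDistribution).
function Get-SoftwareDistributionSizeMB {
    $dir = Join-Path $env:windir 'SoftwareDistribution'
    if (-not (Test-Path $dir)) { return 0 }
    $bytes = (Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    [math]::Round(($bytes / 1MB), 1)
}

Get-WindowsUpdateServiceAudit | Format-Table -AutoSize
"SoftwareDistribution cache: $(Get-SoftwareDistributionSizeMB) MB"
```

A service whose Binary is not the System32 svchost.exe or whose RunsAs is not LocalSystem does not match the stock configuration described in this thread and is worth investigating.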
-
October 21st, 2007, 03:18 PM
#6
Can't we get into this "system account" ?
-
October 21st, 2007, 03:31 PM
#7
No, not by "normal methods" as it isn't a regular user account, but you can "hack" it:
http://tech-hutblog.blogspot.com/200...m-account.html
I can't say I can think of why you would want or need to do this though.
-
October 21st, 2007, 06:06 PM
#8
Yes, as far as %systemroot%\SoftwareDistribution is concerned, I was aware of it (had applied updates to a newly installed OS copy from that of an already existing one on the same machine). Now, yes, that's the way the update takes place. I did not know about BITS (thanks for that). But my intention was not to tell him how Windows Update takes place in particular. Since he asked about a backdoor, I thought it would have been better to tell about the system account.
Of course for most of the things that Windows does, there is either a way from the policy side (gpedit) or the service side (services).
And as far as this is concerned:
I would certainly ask the person who wrote it if he has tried it himself or not. As far as my small knowledge goes, and as per my experience too, the system account is not able to start ANY PROCESS WITH A VISIBLE WINDOW! If you try to start Explorer.exe under the system account, slowly your desktop will go away, then you will see the minimize, restore and close buttons blackening out, the taskbar going away, many services will start crashing and so on.
That's not the way you hack into your SYSTEM account. Yes, the at command can be used to run programs with SYSTEM privileges, but you cannot start a program which has visible windows and dialogue boxes to operate normally with the SYSTEM account.
That's as per my experience. Tell me if anyone else has had success running it that way! I would like to know HOW!!!
-
October 21st, 2007, 06:47 PM
#9
Originally Posted by jockey0109
Yes, as far as %systemroot%\SoftwareDistribution is concerned, I was aware of it (had applied updates to a newly installed OS copy from that of an already existing one on the same machine). Now, yes, that's the way the update takes place. I did not know about BITS (thanks for that). But my intention was not to tell him how Windows Update takes place in particular. Since he asked about a backdoor, I thought it would have been better to tell about the system account.
That's not the way you hack into your SYSTEM account. Yes, the at command can be used to run programs with SYSTEM privileges, but you cannot start a program which has visible windows and dialogue boxes to operate normally with the SYSTEM account.
That's as per my experience. Tell me if anyone else has had success running it that way! I would like to know HOW!!!
I was just trying to elaborate on what you had said about Windows Update. In this instance, it is important to tell them how Windows Update works and which services/programs are involved. I was explaining how Windows Update works so they can understand that it is a normal system function and not some backdoor.
BTW: You can run a program as SYSTEM that has visible windows, etc.
Do the following.
Log on as admin, or "run as" the command prompt as admin.
Make sure the Task Scheduler is running.
Create a task using the at command to start taskmgr one minute from your current time.
at 13:48 /interactive taskmgr
(you have to change the 13:48 to be whatever is one minute past your current time)
One minute later, it will open the Task Manager. If you look at Processes, it will be running as SYSTEM. From there, you can use the New Task button under the Applications tab to start any program under the same SYSTEM privileges. Whatever you want: cmd, Internet Explorer, Firefox, whatever. As you know, all those programs have visible windows.
Last edited by phishphreek; October 21st, 2007 at 06:59 PM.
-
October 21st, 2007, 06:31 PM
#10
you cannot start a program which has visible windows and dialogue boxes to operate normally with the SYSTEM account.
But "a visible window and dialogue boxes" are not required to understand the working of some process. One can always start the process inside the kernel level debugger and monitor its behaviour.