ThorstenSchning-3782 asked:

Why does "CryptCATAdminEnumCatalogFromHash" return ERROR_NOT_FOUND (1062?) for non-interactive users?

The following code behaves differently for the SAME file for interactive and admin users vs. non-interactive ones. It seems to ALWAYS succeed for admins, but for non-admin, restricted default users ONLY when they execute the code as part of an interactive logon session, shell etc. It fails when the same restricted default user is e.g. used to execute a task by the task scheduler after e.g. system boot. Additionally, I'm not the only one with this problem.

```cpp
/*
 * Enumerate catalog information that matches the hash.
 */
uint32_t iCat = 0;
HCATINFO hCatInfoPrev = NULL;
do
{
    /* Get the next match. */
    HCATINFO hCatInfo = g_pfnCryptCATAdminEnumCatalogFromHash(hCatAdmin, abHash, cbHash, 0, &hCatInfoPrev);
    if (!hCatInfo)
    {
        /* First failure on a cached context: release it and retry once with a fresh one. */
        if (!fFreshContext)
        {
            SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> %u; iCat=%#x)\n", RtlGetLastWin32Error(), iCat));
            if (hCatInfoPrev != NULL)
                g_pfnCryptCATAdminReleaseCatalogContext(hCatAdmin, hCatInfoPrev, 0 /*dwFlags*/);
            g_pfnCryptCATAdminReleaseContext(hCatAdmin, 0 /*dwFlags*/);
            goto l_fresh_context;
        }
        ULONG ulErr = RtlGetLastWin32Error();
        fNoSignedCatalogFound = ulErr == ERROR_NOT_FOUND && fNoSignedCatalogFound != 0;
        /* Note: the first message hardcodes the label "ERROR_NOT_FOUND" regardless of ulErr;
         * only the number in parentheses is the real Win32 code (1062 in the logs below). */
        if (iCat == 0)
            SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (%u)\n", ulErr));
        else /* was "else if (iCat == 0)", a branch that could never be reached */
            SUP_DPRINTF(("supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed %u\n", ulErr));
        break;
    }
    fNoSignedCatalogFound = 0;
    Assert(hCatInfoPrev == NULL);
    hCatInfoPrev = hCatInfo;

    /*
     * Call WinVerifyTrust.
     */
    [...]
    iCat++;
} while (rc == VERR_LDRVI_NOT_SIGNED && iCat < 128);
```

This is what a log looks like when verification succeeds:

supR3HardNtViCallWinVerifyTrustCatFile: hFile=0000000000000930 pwszName=\Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll
supR3HardNtViCallWinVerifyTrustCatFile: Cached context 0000000001433810
supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=0000000001433810
supR3HardNtViCallWinVerifyTrustCatFile: cbHash=20 wszDigest=592E7D18568150098B2F131AD72F2156D1CA3A58


The following is the same file when verification fails:

supR3HardNtViCallWinVerifyTrustCatFile: hFile=0000000000000808 pwszName=\Device\HarddiskVolume4\Windows\System32\NetSetupShim.dll
supR3HardNtViCallWinVerifyTrustCatFile: Cached context 00000000019efab0
supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=00000000019efab0
supR3HardNtViCallWinVerifyTrustCatFile: cbHash=20 wszDigest=592E7D18568150098B2F131AD72F2156D1CA3A58
supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> 1062; iCat=0x0)
supR3HardNtViCallWinVerifyTrustCatFile: New context 00000000019ef030
supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=00000000019ef030
supR3HardNtViCallWinVerifyTrustCatFile: cbHash=20 wszDigest=592E7D18568150098B2F131AD72F2156D1CA3A58
supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1062)
supR3HardNtViCallWinVerifyTrustCatFile: Cached context 00000000019eef70
supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=00000000019eef70
supR3HardNtViCallWinVerifyTrustCatFile: cbHash=32 wszDigest=668C2310EFB19B6732352E1B4C6B047E3037FC14D9878DA0CC690CFA6D37CE20
supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> 1062; iCat=0x0)
supR3HardNtViCallWinVerifyTrustCatFile: New context 00000000019efab0
supR3HardNtViCallWinVerifyTrustCatFile: hCatAdmin=00000000019efab0
supR3HardNtViCallWinVerifyTrustCatFile: cbHash=32 wszDigest=668C2310EFB19B6732352E1B4C6B047E3037FC14D9878DA0CC690CFA6D37CE20
supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1062)
supR3HardNtViCallWinVerifyTrustCatFile -> -22900 (org 22900)


As one can see, the calculated digest etc. for the file is the same in both cases:

supR3HardNtViCallWinVerifyTrustCatFile: cbHash=20 wszDigest=592E7D18568150098B2F131AD72F2156D1CA3A58

vs.

supR3HardNtViCallWinVerifyTrustCatFile: cbHash=20 wszDigest=592E7D18568150098B2F131AD72F2156D1CA3A58

So it's really the same file, and it is proven that signature information is available in Windows catalogs at all. It only seems that for some reason it's not found/enumerated for restricted users, so the following errors are logged:

supR3HardNtViCallWinVerifyTrustCatFile: Retrying with fresh context (CryptCATAdminEnumCatalogFromHash -> 1062; iCat=0x0)
supR3HardNtViCallWinVerifyTrustCatFile: CryptCATAdminEnumCatalogFromHash failed ERROR_NOT_FOUND (1062)


According to MSDN, 1062 might be the following:

ERROR_SERVICE_NOT_ACTIVE
1062 (0x426)
The service has not been started.


Any idea what the not active service might be in the context of a restricted, non-interactive user and the called enumeration function? Any other idea about the root cause of this problem?


Tags: windows-server, windows-api

XiaoweiHe-MSFT answered:

Hi,

Thanks for your post! According to your description, it seems the issue is code and development related. Since the Windows-server forum is mainly related to Windows Server system troubleshooting and management, development is out of our scope, so it's recommended to turn to a development-related forum for better help. Thanks for your understanding!

Thanks for your time!
Best Regards,
Anne


I tried to ask in MS dev-forums and things resulted here, because the other forums have been archived. So which should I use instead?


Hi,

After consultation, the issue is related to the tag "windows-api-general", I added the tag for you. Then, this case will be routed to Windows-api-general engineer for better help. For your information.

Best Regards
Anne


That tag makes more sense of course; I seem to have missed it. Thanks!

SongZhu-MSFT answered:

Permissions to Windows Services are restricted even for "Interactive Users":

SERVICE_ENUMERATE_DEPENDENTS: 0x8
SERVICE_INTERROGATE: 0x80
SERVICE_QUERY_CONFIG: 0x1
SERVICE_QUERY_STATUS: 0x4
SERVICE_USER_DEFINED_CONTROL: 0x100
READ_CONTROL: 0x20000

If you have a repro, it would be easy to verify if this is correct by changing the permissions on cryptsvc service to grant their user the above permissions and see if the code works.

We could also IDNA trace it to see where the error is originating.

@RussAndersson-0122 Hi, we tested the CryptCATAdminEnumCatalogFromHash function from a non-admin, and it worked for us. Can you reproduce the problem with this call? Or does the problem occur because of executing a task by the task scheduler after e.g. system boot?


I don't have a repro, things simply fail as described in my setup for VirtualBox. Regarding permissions, I don't think that it's about perms for the service itself, but instead might have something to do with perms of starting COM-services. I filed a bug for VBOX for this as well.

The signature verification used by HARDENING of VBOX relies on some COM component, and the default security settings of those only allow SYSTEM, ADMINISTRATORS and INTERACTIVE to activate them. I have documented that in the related ticket #20340 already. When using the task scheduler with my restricted user, it's not a member of any of these groups, therefore necessary components might not get activated and signatures can't be checked. Though, I couldn't find the exact component responsible yet to try with manually changed perms on that.

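The following PowerShell script is an added diagnostic, not code from this thread or from VirtualBox. It performs the same catalog lookup as the quoted VirtualBox code via P/Invoke (CryptCATAdminAcquireContext2, CryptCATAdminCalcHashFromFileHandle2, CryptCATAdminEnumCatalogFromHash) and prints the raw Win32 error code with its text, so a run from the scheduled task can be compared with a run from an interactive shell of the same user; it also prints the token's INTERACTIVE membership and the cryptsvc state and SDDL that the answer and the last comment point at. It assumes the NetSetupShim.dll path from the question's log and SHA256 hashing; the CatApi class name is ours.

```powershell
# Added diagnostic (not from the thread). Run it as the restricted user both from the
# scheduled task and from an interactive shell, then compare the two outputs.
$sig = @'
using System; using System.Runtime.InteropServices;
public static class CatApi {
  [DllImport("wintrust.dll", SetLastError=true, CharSet=CharSet.Unicode)]
  public static extern bool CryptCATAdminAcquireContext2(out IntPtr phCatAdmin, IntPtr pgSubsystem,
      string pwszHashAlgorithm, IntPtr pStrongHashPolicy, uint dwFlags);
  [DllImport("wintrust.dll", SetLastError=true)]
  public static extern bool CryptCATAdminCalcHashFromFileHandle2(IntPtr hCatAdmin, IntPtr hFile,
      ref uint pcbHash, byte[] pbHash, uint dwFlags);
  [DllImport("wintrust.dll", SetLastError=true)]
  public static extern IntPtr CryptCATAdminEnumCatalogFromHash(IntPtr hCatAdmin, byte[] pbHash,
      uint cbHash, uint dwFlags, ref IntPtr phPrevCatInfo);
  [DllImport("wintrust.dll")] public static extern bool CryptCATAdminReleaseCatalogContext(IntPtr h, IntPtr ci, uint f);
  [DllImport("wintrust.dll")] public static extern bool CryptCATAdminReleaseContext(IntPtr h, uint f);
}
'@
Add-Type -TypeDefinition $sig

# Context the thread asks about: does the token carry INTERACTIVE (S-1-5-4), and is cryptsvc up?
"Token has INTERACTIVE: " + ((whoami /groups /fo csv | ConvertFrom-Csv).SID -contains 'S-1-5-4')
"CryptSvc status: " + (Get-Service CryptSvc).Status
"CryptSvc SDDL: " + ((sc.exe sdshow CryptSvc) -join '').Trim()

$file = "$env:SystemRoot\System32\NetSetupShim.dll"   # the file from the question's log
$fs = [System.IO.File]::OpenRead($file)
$hCatAdmin = [IntPtr]::Zero
if (-not [CatApi]::CryptCATAdminAcquireContext2([ref]$hCatAdmin, [IntPtr]::Zero, 'SHA256', [IntPtr]::Zero, 0)) {
  throw "CryptCATAdminAcquireContext2 failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
$hFile = $fs.SafeFileHandle.DangerousGetHandle()
$cb = [uint32]0   # first call with a NULL buffer only reports the required hash size
$null = [CatApi]::CryptCATAdminCalcHashFromFileHandle2($hCatAdmin, $hFile, [ref]$cb, $null, 0)
$hash = New-Object byte[] $cb
if (-not [CatApi]::CryptCATAdminCalcHashFromFileHandle2($hCatAdmin, $hFile, [ref]$cb, $hash, 0)) {
  throw "CryptCATAdminCalcHashFromFileHandle2 failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}
"cbHash=$cb digest=" + (($hash | ForEach-Object { $_.ToString('X2') }) -join '')

$prev = [IntPtr]::Zero
$hCatInfo = [CatApi]::CryptCATAdminEnumCatalogFromHash($hCatAdmin, $hash, $cb, 0, [ref]$prev)
$err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # read before any other call
if ($hCatInfo -eq [IntPtr]::Zero) {
  # 1168 = ERROR_NOT_FOUND (no catalog holds this hash); 1062 = ERROR_SERVICE_NOT_ACTIVE (cryptsvc unreachable)
  "Enum failed: $err ($((New-Object ComponentModel.Win32Exception $err).Message))"
} else {
  "Catalog found for the hash (HCATINFO=$hCatInfo)"
  [void][CatApi]::CryptCATAdminReleaseCatalogContext($hCatAdmin, $hCatInfo, 0)
}
[void][CatApi]::CryptCATAdminReleaseContext($hCatAdmin, 0)
$fs.Dispose()
```

If the digest matches in both runs but only the non-interactive run reports 1062, the difference lies in reaching the catalog service from that token rather than in the file or its catalog.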