updates - new file on hd cannot be found in patch.cab

Torsten 106 Reputation points
2020-08-13T16:29:18.367+00:00

Hello!

Summary:
The .CAB patch files apparently do not contain the same files that are stored to disk by this patch.

Setting:
For security reasons, we're analyzing the source of files that are being changed on a hd. In other words: if files are being changed, we have to find what the source of that new file is.

Occasionally we find files being replaced with apparently new versions, where we're not able to track the source.

Analysis:
Example: control.exe

On 08/11/2020 the file c:\windows\system32\control.exe has been changed on a Win 10 x64 2004 workstation. The file has a checksum that does not match any version of the file we have seen yet.

We check the checksum:

get-filehash -algorithm md5 C:\Windows\System32\control.exe
3011923664DA91ED45B0FA6AE852DD1A

We check the timestamp:

gci "C:\Windows\System32\control.exe"|Select-Object Name,LastWriteTimeUtc
control.exe 11.08.2020 18:50:04

This confirms the file has been replaced that day.

We're assuming that the file was updated by a Windows update. Therefore, we list the update history:

wmic qfe list

We can find that on this day, two updates were installed: KB4570334 and KB4566782. To verify that control.exe is from one of these updates, we now need to unpack the corresponding .cab files and (hopefully) find a file control.exe with the same hash.

So (on another Win10x64) we download those two patches and unpack them using the commands:

c:\Windows\System32\expand.exe Windows10.0-KB4566782-x64_PSFX.cab /f:* .\4566782\

and

c:\Windows\System32\expand.exe /r Windows10.0-KB4570334-x64.cab -f:* .\4570334

The result is that we do find versions of control.exe in the directory we've expanded the patch into, but none of them has the same hash as the file on the hd!

What are the conclusions? Are we unpacking the wrong way? Are we unpacking on the wrong OS? Are there other sources where the file could be coming from? Is the file inside the patch but with a different name? Any idea?

Help will be appreciated!

Thanks in advance!!!

T.

BTW:
As much as I appreciate any help, let me please ask you to relate to the questions and not give tips for how I could be verifying the file using different methods, e.g. with signtool. That doesn't help. We're using hash-based whitelisting. We have to find the origin of the file that is being put on our hd. If, for example, the Windows patching system does not provide the original file in the patch itself and maybe only assembles it at patch execution time, we need to know and figure out how this can be simulated to somehow make a patch produce the file that is eventually stored on the system.
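The check the post walks through by hand (hash the on-disk file, list the updates installed that day, expand the .cab, hash every extracted copy of the file) can be done in one PowerShell function. This is an added example, not code from the post; it uses only expand.exe and Get-FileHash as the post does, the .cab path and output folder are placeholders, and it additionally flags extracted candidates that sit under an f\, r\ or n\ folder, which in a PSFX cab hold differentials rather than the full binary, so a "no match" result can be read correctly:

```powershell
# Added example (not from the original post). Assumes expand.exe and Get-FileHash
# as used in the post; the .cab path, file name and extract folder are placeholders.
function Find-UpdateFileByHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $CabPath,     # e.g. .\Windows10.0-KB4566782-x64_PSFX.cab
        [Parameter(Mandatory)] [string] $OnDiskFile,  # e.g. C:\Windows\System32\control.exe
        [string] $ExtractDir = (Join-Path $env:TEMP ([IO.Path]::GetFileNameWithoutExtension($CabPath))),
        [ValidateSet('MD5','SHA1','SHA256')] [string] $Algorithm = 'MD5'   # post uses MD5
    )

    # 1. Hash and timestamp of the file as it sits on the hd (same as in the post).
    $target     = Get-Item -LiteralPath $OnDiskFile
    $targetHash = (Get-FileHash -LiteralPath $OnDiskFile -Algorithm $Algorithm).Hash

    # 2. Updates installed on the day the file changed (equivalent of "wmic qfe list").
    #    Only meaningful when run on the workstation where the file changed.
    $sameDay = Get-HotFix | Where-Object {
        $_.InstalledOn -and $_.InstalledOn.Date -eq $target.LastWriteTime.Date
    }

    # 3. Expand the .cab into the extract folder (expand.exe -F:* as in the post).
    New-Item -ItemType Directory -Force -Path $ExtractDir | Out-Null
    $ExtractDir = (Resolve-Path -LiteralPath $ExtractDir).Path
    & "$env:SystemRoot\System32\expand.exe" $CabPath -F:* $ExtractDir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "expand.exe failed with exit code $LASTEXITCODE" }

    # 4. Hash every extracted file with the same name and classify where it was found.
    $candidates = Get-ChildItem -LiteralPath $ExtractDir -Recurse -File -Filter $target.Name |
        ForEach-Object {
            $rel  = $_.FullName.Substring($ExtractDir.Length).TrimStart('\')
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm).Hash
            # PSFX payloads live under f\ (forward delta), r\ (reverse delta) or n\ (null delta).
            # A copy in one of those folders is a differential, not the full binary,
            # so its hash is not expected to equal the hash of the installed file.
            $kind = switch -Regex ($rel) {
                '(^|\\)f\\' { 'forward-delta'; break }
                '(^|\\)r\\' { 'reverse-delta'; break }
                '(^|\\)n\\' { 'null-delta';    break }
                default     { 'full-file' }
            }
            [pscustomobject]@{ RelativePath = $rel; Kind = $kind; Hash = $hash; Matches = ($hash -eq $targetHash) }
        }

    [pscustomobject]@{
        File           = $OnDiskFile
        LastWriteTime  = $target.LastWriteTimeUtc
        OnDiskHash     = $targetHash
        UpdatesSameDay = @($sameDay | Select-Object -ExpandProperty HotFixID)
        Candidates     = @($candidates)
        FullFileMatch  = [bool]($candidates | Where-Object { $_.Matches -and $_.Kind -eq 'full-file' })
    }
}

# Usage (placeholder paths):
# Find-UpdateFileByHash -CabPath .\Windows10.0-KB4566782-x64_PSFX.cab `
#                       -OnDiskFile C:\Windows\System32\control.exe | Format-List
```

If every candidate comes back with Kind equal to forward-delta, reverse-delta or null-delta and Matches equal to False, the cab never contained the full binary, which is the situation the post describes.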


7 additional answers

  1. Dale Kudusi 3,211 Reputation points
    2020-08-20T08:48:10.863+00:00

    Hi
    I’m sorry that this issue hasn’t been resolved.
    As I understand it, you would like to check if the update is responsible for the change of files, and locate these updates? I believe this can be achieved by:
    fsutil hardlink list c:\Windows\System32\expand.exe
    For your reference: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-hardlink
    https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil

    Besides, due to limited resources in the forum, I would also suggest you contact Microsoft Customer Support and Services, where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue. In addition, if the issue has been proved to be a system flaw, the consulting fee would be refunded. You may find the phone number for your region from the link below:
    Global Customer Service phone numbers
    https://support.microsoft.com/en-us/gp/customer-service-phone-numbers/en-au?wa=wsignin1.0


  2. Torsten 106 Reputation points
    2020-08-21T07:30:18.817+00:00

    Hi!

    As I understand it, you would like to check if the update is responsible for the change of files, and locate these updates?

    Not really.

    In our high security environment only programs identified by their hash on a whitelist of trusted hashes can be executed. We need to calculate the hashes of updated files from Windows updates to add these hashes to the list of allowed hashes, otherwise Windows updates break the functionality, because an updated file has an unknown and thus blocked hash.

    In the past, it worked for us to simply unpack Windows update .cab files and hash all contents of the path we have extracted the .cab into. The introduction of PSFX updates has broken this approach for us, because the update does not contain the full binary of the file to be updated, but only diffs.

    andreiztm mentioned psfxwhitepaper which explains PSFX updates. There "Hydration and installation" explains the steps that the update performs.

    We need to figure out how to reproduce these steps in our own code to be able to create the updated version of the binary by applying diffs. After doing that we can create the hash of the file.

    Quoting from that whitepaper:

    Hydrate each of necessary files using current version (VN) of the file, reverse differential (VN--->RTM) of the file back to quality update RTM/base version and forward differential (VRTM--->R) from feature update RTM/base version to the target version. Also, use null differential hydration to hydrate null compressed files. Stage the hydrated files (full file), forward differentials (under ‘f’ folder) and reverse differentials (under ‘r’ folder) or null compressed files (under ‘n’ folder) in the component store (%windir%\WinSxS folder).

    I think this is what we need to do with our own code.

    So let me rephrase my question: Are there any tools or PowerShell commands or GIT repos for working with PSFX updates available? Or in-depth documentation of the file format so that we can write this ourselves?
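The hydration chain quoted from the whitepaper (current version, reverse differential back to the RTM/base version, forward differential to the target version, then hash the result) can be driven through the delta engine Windows itself ships, msdelta.dll, whose ApplyDeltaW function is a documented Win32 API. The following is an added example and not code from the post, the whitepaper or Microsoft. It rests on two assumptions the page does not state: that the r\ and f\ files are MSDelta blobs (magic "PA30") carrying a 4-byte CRC32 prefix that has to be removed before ApplyDeltaW accepts them, and that the reverse delta is taken from the component that matches the version currently on disk. Null (n\) differentials are not handled.

```powershell
# Added example (not from the post or the PSFX whitepaper). Assumes msdelta.dll /
# ApplyDeltaW (documented Win32 API) and that r\ and f\ files are "PA30" MSDelta
# blobs with a 4-byte CRC32 prefix; null (n\) deltas are not covered.
Add-Type -Namespace Psfx -Name MsDelta -MemberDefinition @'
[DllImport("msdelta.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool ApplyDeltaW(long applyFlags, string sourceName, string deltaName, string targetName);
'@

function ConvertTo-RawDelta {
    # Writes a temp copy of $DeltaPath that starts at the "PA30" magic (dropping a
    # leading 4-byte CRC32 when present) and returns the temp path.
    param([Parameter(Mandatory)] [string] $DeltaPath)
    $bytes = [IO.File]::ReadAllBytes($DeltaPath)
    $start = -1
    foreach ($off in 0, 4) {
        if ($bytes.Length -ge $off + 4 -and [BitConverter]::ToString($bytes, $off, 4) -eq '50-41-33-30') {
            $start = $off; break
        }
    }
    if ($start -lt 0) { throw "$DeltaPath does not look like an MSDelta (PA30) file" }
    $tmp = [IO.Path]::GetTempFileName()
    [IO.File]::WriteAllBytes($tmp, [byte[]]$bytes[$start..($bytes.Length - 1)])
    return $tmp
}

function Invoke-MsDelta {
    # Applies one differential: $Target = $Source + $Delta.
    param([string] $Source, [string] $Delta, [string] $Target)
    $raw = ConvertTo-RawDelta $Delta
    try {
        $ok = [Psfx.MsDelta]::ApplyDeltaW(0, $Source, $raw, $Target)   # 0 = DELTA_FLAG_NONE
        if (-not $ok) {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "ApplyDeltaW failed for $Delta (Win32 error $err)"
        }
    } finally { Remove-Item -LiteralPath $raw -ErrorAction SilentlyContinue }
}

function Invoke-PsfxHydrate {
    # Rebuilds the target version of a binary as the whitepaper describes:
    #   V(N) --reverse delta (r\)--> V(RTM) --forward delta (f\)--> V(target)
    # and returns the hash of the result, ready to be added to the allow list.
    param(
        [Parameter(Mandatory)] [string] $CurrentFile,   # V(N): the file currently installed
        [Parameter(Mandatory)] [string] $ReverseDelta,  # ...\r\<name> belonging to the installed version
        [Parameter(Mandatory)] [string] $ForwardDelta,  # ...\f\<name> extracted from the update's .cab
        [Parameter(Mandatory)] [string] $OutFile,
        [ValidateSet('MD5','SHA1','SHA256')] [string] $Algorithm = 'MD5'
    )
    $base = [IO.Path]::GetTempFileName()
    try {
        Invoke-MsDelta -Source $CurrentFile -Delta $ReverseDelta -Target $base     # back to RTM/base
        Invoke-MsDelta -Source $base        -Delta $ForwardDelta -Target $OutFile  # forward to target
    } finally { Remove-Item -LiteralPath $base -ErrorAction SilentlyContinue }
    Get-FileHash -LiteralPath $OutFile -Algorithm $Algorithm
}

# Usage (placeholder paths; the component folder names are update-specific):
# Invoke-PsfxHydrate -CurrentFile C:\Windows\System32\control.exe `
#     -ReverseDelta "C:\Windows\WinSxS\<installed-component>\r\control.exe" `
#     -ForwardDelta ".\4566782\<update-component>\f\control.exe" `
#     -OutFile .\control.exe.hydrated
```

The hash this returns is only valid for a machine whose installed version matches the reverse delta used; if the chain does not reproduce the hash seen on the updated workstation, the first thing to check is whether the r\ file came from the same component version as the current file.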


  3. Andrei Stoica 11 Reputation points Microsoft Employee
    2020-09-05T17:20:17.117+00:00

    Torsten, that is not possible (replicating what PSFX does). We only ship deltas now and these deltas work like mentioned in the PSFX article.

    Sounds to me that you should instead of developing your own hash checking solution use a feature like Code Integrity:
    Your organization might require your PC to be enabled with a threat protection feature called code integrity. Code integrity checks the drivers and system files on your device for signs of corruption or malicious software. For code integrity to work on your device, another security feature called Secure Boot must also be enabled.
    https://learn.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-code-integrity

    If you open a support case on this, please let me know at astoica@

    Thank you,
    Andrei