question

0 Votes · Torsten-2627 asked · saldana-msft edited

updates - new file on hd cannot be found in patch.cab

Hello!

Summary:
The .CAB patch files apparently do not contain the same files that are stored to disk by this patch.

Setting:
For security reasons, we're analyzing the source of files that are being changed on a hd. In other words: if files are being changed, we have to find what the source of that new file is.

Occasionally we find files being replaced with apparently new versions, where we're not able to track the source.

Analysis:
Example: control.exe

On 08/11/2020 the file c:\windows\system32\control.exe has been changed on a Win 10 x64 2004 workstation. The file has a checksum that does not match any version of the file we have seen yet.

We check the checksum:

 get-filehash -algorithm md5 C:\Windows\System32\control.exe
 3011923664DA91ED45B0FA6AE852DD1A

We check the timestamp:

 gci "C:\Windows\System32\control.exe"|Select-Object Name,LastWriteTimeUtc
 control.exe 11.08.2020 18:50:04

This confirms the file has been replaced that day.

We're assuming that the file was updated by a Windows update. Therefore, we list the update history:

 wmic qfe list

We can find that on this day, two updates were installed: KB4570334 and KB4566782. To verify that control.exe is from one of these updates, we now need to unpack the corresponding .cab files and (hopefully) find a file control.exe with the same hash.

So (on another Win10x64) we download those two patches and unpack them using the commands:

 c:\Windows\System32\expand.exe Windows10.0-KB4566782-x64_PSFX.cab /f:* .\4566782\

and

 c:\Windows\System32\expand.exe /r Windows10.0-KB4570334-x64.cab -f:* .\4570334

The result is that we do find versions of control.exe in the directory we've expanded the patch into, but none of them has the same hash as the file on the hd!

What are the conclusions? Are we unpacking the wrong way? Are we unpacking on the wrong OS? Are there other sources where the file could be coming from? Is the file inside the patch but with a different name? Any idea?

Help will be appreciated!

Thanks in advance!!!

T.

BTW:
As much as I appreciate any help, let me please ask you to relate to the questions and not give tips for how I could be verifying the file using different methods, e.g. with signtool. That doesn't help. We're using hash-based whitelisting. We have to find the origin of the file that is being put on our hd. If, for example, the Windows patching system does not provide the original file in the patch itself and maybe only assembles it at patch execution time, we need to know that and figure out how this can be simulated to somehow make a patch produce the file that eventually is stored on the system.
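The lookup the question performs by hand (hash the file on disk, expand the .cab, hash everything it contains, search for a match) written out as an added Python example; this is not code from the original post. The directory layout, file contents and the update folder name are constructed stand-ins, so the block runs offline without a real .cab.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest in the upper-case form Get-FileHash prints."""
    return hashlib.new(algo, data).hexdigest().upper()


def hash_file(path: str, algo: str = "sha256") -> str:
    """Stream a file through the chosen digest (sha256, md5, ...)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def index_tree(root: str, algo: str = "sha256") -> dict:
    """Map every digest found under `root` (e.g. the folder expand.exe wrote into)
    to the paths carrying it. Several paths per digest are normal: an update can
    ship the same binary under more than one component directory."""
    index = defaultdict(list)
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            index[hash_file(full, algo)].append(full)
    return dict(index)


def find_origin(target: str, index: dict, algo: str = "sha256") -> list:
    """Paths inside the expanded update whose bytes equal the file on disk.
    An empty list is the situation in the question: the update, as expanded,
    does not carry this exact file."""
    return index.get(hash_file(target, algo), [])


def demo() -> dict:
    """Constructed scenario: an 'expanded update' holding two builds of control.exe,
    one on-disk file that matches one of them and one that matches neither."""
    with tempfile.TemporaryDirectory() as tmp:
        expanded = os.path.join(tmp, "KB-placeholder")  # stands in for .\4566782\
        for component, payload in (("amd64_control_a", b"control.exe build A"),
                                   ("amd64_control_b", b"control.exe build B")):
            os.makedirs(os.path.join(expanded, component))
            with open(os.path.join(expanded, component, "control.exe"), "wb") as f:
                f.write(payload)

        known = os.path.join(tmp, "known_control.exe")      # same bytes as build A
        with open(known, "wb") as f:
            f.write(b"control.exe build A")
        unknown = os.path.join(tmp, "unknown_control.exe")  # matches nothing
        with open(unknown, "wb") as f:
            f.write(b"control.exe build C")

        index = index_tree(expanded)
        return {
            "distinct_hashes": len(index),
            "known_origins": [os.path.relpath(p, expanded).replace(os.sep, "/")
                              for p in find_origin(known, index)],
            "unknown_origins": find_origin(unknown, index),
        }


if __name__ == "__main__":
    print(demo())
```

Point `index_tree` at the folder expand.exe produced and `find_origin` at the file under System32 to reproduce the comparison; SHA-256 is used by default because the whitelist in the thread is hash-based, while `algo="md5"` reproduces the `get-filehash -algorithm md5` value quoted in the question.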
Tags: windows-10-general, windows-10-security, windows-server-update-services

1 Vote · Torsten-2627 answered · Torsten-2627 edited

I found that PSFX updates include a manifest where the sha256 is included in base64.

That's exactly what I was asking for!



0 Votes · DaleKudusi-MSFT answered

Hi
You could try:
fsutil hardlink list c:\Windows\System32\expand.exe
to see which is currently corresponding to which.

Also, you could compare the file size between the ones on your drive and the ones you downloaded (the same version) to see if there are any corrupted files.

If there is any problem try:
sfc /scannow

I hope this information above can help you.



0 Votes · andreiztm answered · Torsten-2627 commented

That method will no longer work, since we switched to the new packaging technology for updates called PSFX starting with version 1809:
https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-next-for-Windows-10-and-Windows-Server-quality-updates/ba-p/229461
https://docs.microsoft.com/en-us/windows/deployment/update/psfxwhitepaper

To validate if the update in question shipped a version of the file you want to check, please refer to the file information csv linked in each article.

Thanks,
Andrei

0 Votes · Torsten-2627 answered

That method will no longer work,

OMG, that changes everything.


new packaging technology for updates called PSFX starting with 1809 version

Would the "full update (also referred to as a latest cumulative update, or LCU)" contain all versions of the file that the PSFX update creates? So would I be able to unpack the LCU update, create a list of all hashes from its contents and then check if the hash of that newly updated version of control.exe is on that list? That way I'd just have to find a different update format (LCU) of the same update to be able to verify the file that's being replaced with the PSFX update? If so, will the LCU be released at the same time as the PSFX?


To validate if the update in question shipped a version of the file you want to check, please refer to the file information csv linked in each article.

I cannot see how the file information csv would help to validate the file. Just because a file is being listed as updated doesn't validate the version of the file that we find on the hd. If the file information csv contained hashes, it would help, but it doesn't.


0 Votes · Torsten-2627 answered · Torsten-2627 commented

I just found out that the LCU updates are only released twice a year and not at the same time when an SSU update is being released. So LCU updates won't help us.

As I understand the PSFX whitepaper, the SSU update contains the diffs to all files which are updated. So if there was a tool (like expand?) which supports the new PSFX format to work with a local RTM baseline version of a file that's about to be updated, that tool should be able to create the new "control.exe", of which I then could calculate the hash and then compare that with the hash of the file in question on the HD of the original computer, right?

Is there such tool or PowerShell module available?

Which code does actually perform the diff?


Hi
You could check out Compare-Object in PowerShell
Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/compare-object?view=powershell-7

Also: https://www.enclavesecurity.com/comparing-two-files-powershell/

Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

I hope this information above can help you.

0 Votes 0 ·

Thanks for your help, but how can this help me? I know how to compare files. But to compare two files, I need two files (A and B) that I can compare. andreiztm pointed out that an SSU update does not contain "real" files which could be extracted for comparison to be used as file "B". Instead, an SSU update only has diffs that are being used (in a manner yet unclear to me) for creating new files based on the RTM version of the file and the diff from the update. So to have a file which I can use for comparison, I would have to create the "new" updated file myself. Which I'd be happy to do, if I could figure out how to. That's why I asked if there was a tool for that.

0 Votes 0 ·
0 Votes · DaleKudusi-MSFT answered

Hi
I’m sorry that this issue hasn’t been resolved.
As I understand it, you would like to check if the update is responsible for the change of files, and locate these updates? I believe this can be achieved by:
fsutil hardlink list c:\Windows\System32\expand.exe
For your reference: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-hardlink
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil

Besides, due to limited resources in the forum, I would also suggest you contact Microsoft Customer Support and Services, where a more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue. In addition, if the issue has been proved to be a system flaw, the consulting fee would be refunded. You may find the phone number for your region from the link below:
Global Customer Service phone numbers
https://support.microsoft.com/en-us/gp/customer-service-phone-numbers/en-au?wa=wsignin1.0



0 Votes · Torsten-2627 answered · DaleKudusi-MSFT commented

Hi!

As I understand it, you would like to check if the update is responsible for the change of files, and locate these updates?

Not really.

In our high security environment only programs identified by their hash on a whitelist of trusted hashes can be executed. We need to calculate the hashes of updated files from Windows updates to add these hashes to the list of allowed hashes, otherwise Windows updates break the functionality, because an updated file has an unknown and thus blocked hash.

In the past, it worked for us to simply unpack Windows update .cab files and hash all contents of the path we have extracted the .cab into. The introduction of PSFX updates has broken this approach for us, because the update does not contain the full binary of the to be updated file, but only diffs.

andreiztm mentioned psfxwhitepaper which explains PSFX updates. There "Hydration and installation" explains the steps that the update performs.

We need to figure out how to reproduce these steps in our own code to be able to create the updated version of the binary by applying diffs. After doing that we can create the hash of the file.

Quoting from that whitepaper:

Hydrate each of necessary files using current version (VN) of the file, reverse differential (VN--->RTM) of the file back to quality update RTM/base version and forward differential (VRTM--->R) from feature update RTM/base version to the target version. Also, use null differential hydration to hydrate null compressed files. Stage the hydrated files (full file), forward differentials (under ‘f’ folder) and reverse differentials (under ‘r’ folder) or null compressed files (under ‘n’ folder) in the component store (%windir%\WinSxS folder).

I think this is what we need to do with our own code.

So let me rephrase my question: Are there any tools or PowerShell commands or GIT repos for working with PSFX updates available? Or an in-depth documentation of the file format so that we can write this ourselves?


Hi
Based on my research, I'm afraid there isn't direct documentation or an official tool for this. I'd still recommend that you open a case with Microsoft for further professional help.
https://support.microsoft.com/en-us/help/4341255/support-for-business
or
https://support.microsoft.com/en-us/gp/customer-service-phone-numbers/en-au?wa=wsignin1.0

Thanks for your understanding and cooperation.

0 Votes 0 ·
0 Votes · andreiztm answered · Torsten-2627 commented

Torsten, that is not possible (replicating what PSFX does). We only ship deltas now and these deltas work like mentioned in the PSFX article.

It sounds to me that, instead of developing your own hash-checking solution, you should use a feature like Code Integrity:
Your organization might require your PC to be enabled with a threat protection feature called code integrity. Code integrity checks the drivers and system files on your device for signs of corruption or malicious software. For code integrity to work on your device, another security feature called Secure Boot must also be enabled.
https://docs.microsoft.com/en-us/mem/intune/user-help/you-need-to-enable-code-integrity

If you open a support case on this, please let me know at astoica@

Thank you,
Andrei

· 1

Thank you for your reply and your time!

The .manifest files apparently contain sha256 hashes of the final patched files. That's something we can work with.

Code Integrity does not do the job for us for other reasons we cannot discuss here.


1 Vote 1 ·
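The finding in Torsten's accepted answer and in this last comment (the update's .manifest files carry the SHA-256 of the final, patched file, base64-encoded) turned into an added Python example; this is not code from the thread or from Microsoft. The manifest below is a constructed sample modelled on the WinSxS component-manifest layout with placeholder identity values, the file bytes are a constructed stand-in, and the example assumes, as the thread reports, that the DigestValue is the SHA-256 over the whole file's bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by WinSxS component manifests (assumed layout, see lead-in).
ASM_V3 = "urn:schemas-microsoft-com:asm.v3"
DSIG = "http://www.w3.org/2000/09/xmldsig#"


def sha256_hex(data: bytes) -> str:
    """Upper-case hex, the form Get-FileHash -Algorithm SHA256 prints."""
    return hashlib.sha256(data).hexdigest().upper()


def digest_b64_to_hex(b64: str) -> str:
    """Manifests store the digest base64-encoded; a hash whitelist stores hex.
    Convert, and reject anything that is not a 32-byte SHA-256 digest."""
    raw = base64.b64decode(b64.strip(), validate=True)
    if len(raw) != 32:
        raise ValueError(f"expected a 32-byte SHA-256 digest, got {len(raw)} bytes")
    return raw.hex().upper()


def manifest_digests(xml_text: str) -> dict:
    """Return {file name: SHA-256 hex} for every <file> element whose
    DigestMethod is sha256 and which carries a DigestValue."""
    root = ET.fromstring(xml_text)
    out = {}
    for file_el in root.iter(f"{{{ASM_V3}}}file"):
        method, value = "", None
        for el in file_el.iter():
            if el.tag == f"{{{DSIG}}}DigestMethod":
                method = el.get("Algorithm", "")
            elif el.tag == f"{{{DSIG}}}DigestValue":
                value = el.text
        if value and method.endswith("#sha256"):
            out[file_el.get("name")] = digest_b64_to_hex(value)
    return out


def matches_manifest(xml_text: str, name: str, data: bytes) -> bool:
    """True when the bytes of `name` hash to the digest the manifest declares for it."""
    expected = manifest_digests(xml_text).get(name)
    return expected is not None and expected == sha256_hex(data)


# Constructed stand-in for the bytes of the hydrated control.exe.
CONTROL_BYTES = b"stand-in for the hydrated control.exe"

# Constructed manifest: identity values are placeholders, and the DigestValue is
# derived from CONTROL_BYTES so the sample is self-consistent.
SAMPLE_MANIFEST = f"""<assembly xmlns="{ASM_V3}" manifestVersion="1.0">
  <assemblyIdentity name="Placeholder-Component" version="0.0.0.0" processorArchitecture="amd64"/>
  <file name="control.exe" destinationPath="$(runtime.system32)\\">
    <asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="{DSIG}">
      <dsig:DigestMethod Algorithm="{DSIG}sha256"/>
      <dsig:DigestValue>{base64.b64encode(hashlib.sha256(CONTROL_BYTES).digest()).decode()}</dsig:DigestValue>
    </asmv2:hash>
  </file>
</assembly>
"""

if __name__ == "__main__":
    print(manifest_digests(SAMPLE_MANIFEST))
    print(matches_manifest(SAMPLE_MANIFEST, "control.exe", CONTROL_BYTES))
```

For the whitelisting use case the interesting output is `manifest_digests` over every .manifest in the expanded update: those hex values can be added to the allow list before the update runs, and `matches_manifest` is the after-the-fact check against the file that lands in System32. The conversion matters because the MD5 value the question computed can never be compared with a manifest digest; only a SHA-256 of the full file can.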