Like many other people in the world today, I decided to install IE7 on my
computer. Now, I am a diehard fan of Firefox but I need to keep abreast of
all different types of technology. This is why I was interested in
installing Internet Explorer 7.
Now, imagine my surprise when I was asked to validate my copy of Windows
before I continued to install Internet Explorer!
With the Windows Genuine Advantage scandal still fresh in my mind, I was
curious as to what the installer was doing when it was "validating" my copy
of Windows.
I fired up filemon and regmon from Sysinternals to see what it was exactly
doing.
File and Registry Access
I put all of the results into an Excel file. Please note that I have
changed some of the information to protect my anonymity.
Most of the access was pretty routine but it did look at some stuff that I
thought was pretty strange. And some of which I thought was really none of
their business!
File Access
There were some very odd things happening as far as file access is
concerned. The first one that caught my attention was that it read
information from C:\WINDOWS\system32\OEMInfo.Ini. This file contains all of
the information about the manufacturer. In my case, I had a Dell system and
it included my make, model, service tag, and express service code for my
computer.
The other file that I thought was interesting was
C:\WINDOWS\system32\legitcheckcontrol.dll. There were a lot of different
file reads and queries to this file. When I looked at the file with a hex
editor, I was able to find a huge list of hardware manufacturers along with
a website address
http://stats.update.microsoft.com/r...vice.asmx. I
can't be certain but it looks like this file may be used to report hardware
usage information back to Microsoft.
There were other web addresses embedded into this file. Most were links to
certificate authorities but two others that looked rather suspicious were:
http://www.microsoft.com/SoftwareDi...onitorable
http://www.microsoft.com/SoftwareDi...EventBatch
A file that got a lot of attention during validation was one that was
installed by the IE installer: legitlibm.dll. Under a hex editor, it
revealed different code, much of which would probably mean more to a real
programmer. But, what did catch my eye was a reference to a webpage:
http://go.microsoft.com/fwlink/?Lin...eckError=. Again, not
being a programmer, I do not know the purpose of this link but it could
definitely be used to report back to Microsoft.
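The hex-editor step described above boils down to pulling printable strings out of a DLL and picking out the URLs. The script below is an added example written for this page; it is not the author's tooling and it does not read any real Microsoft file. It scans a constructed byte blob (the header bytes, the URLs and the example.invalid hostname are all made up for the demo) and reports every URL with its file offset and encoding. The point a practitioner should take from it: Windows binaries usually store strings as UTF-16LE, so an ASCII-only strings pass silently misses half of what a hex editor shows, which is why the code carries a second pattern for the NUL-interleaved form.

```python
import re
import sys
from urllib.parse import urlsplit

# Constructed stand-in for a DLL: a few header-like bytes, one ASCII URL,
# one UTF-16LE URL (how Windows binaries usually store strings), and filler.
# These bytes are made up for the demo; they are not the contents of any real file.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://example.invalid/validate/service.asmx\x00"
    + b"\x00" * 8
    + "https://example.invalid/SoftwareDistribution/EventBatch".encode("utf-16-le")
    + b"\x00\x00"
    + b"\xff" * 12
    + b"vendor:Dell\x00"
)

# Printable, non-space ASCII after the scheme; a NUL terminator ends the match.
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,}")
# The same shape with every code unit followed by a NUL byte, i.e. UTF-16LE.
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}"
)


def extract_urls(blob, include_utf16=True):
    """Return [{'offset', 'encoding', 'url'}, ...] for every URL found, sorted by offset."""
    found = [
        {"offset": m.start(), "encoding": "ascii", "url": m.group().decode("ascii")}
        for m in URL_ASCII.finditer(blob)
    ]
    if include_utf16:
        found += [
            {"offset": m.start(), "encoding": "utf-16-le",
             "url": m.group().decode("utf-16-le")}
            for m in URL_UTF16.finditer(blob)
        ]
    return sorted(found, key=lambda r: r["offset"])


def hosts(blob):
    """Distinct hostnames the blob could contact: a quick 'who does this talk to' view."""
    return sorted({urlsplit(r["url"]).hostname for r in extract_urls(blob)})


if __name__ == "__main__":
    # Pass a file path to scan a real binary; with no argument the constructed blob is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for r in extract_urls(data):
        print(f"0x{r['offset']:08x}  {r['encoding']:9}  {r['url']}")
    print("hosts:", ", ".join(hosts(data)))
```

Run it with `include_utf16=False` on the sample blob and only the ASCII URL comes back, which is exactly the blind spot to avoid when reviewing what a validation component might contact.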
The file system is not the only thing that was checked and modified during
validation. The registry had a good workout with 4216 registry events!
Again, like the file system access, most of it was pretty benign but some
of the information that it was checking for was, in my opinion,
inappropriate.
Here is a list of some of the items the validation accessed in my
registry:
Certificate Information
Machine Unique IDs
Session Information
System Architecture
Processor Type and Model
Logon Server
Internal Domain Name
Machine Name
TCP/IP Setup
I don't know about you, but I think that this may be a bit more than is
required for validating my version of Windows, especially when it has been
established that there are links in the software that it used for this
validation that point back to the Microsoft website.
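Reviewing 4216 registry events by hand in a spreadsheet is where this kind of audit usually stalls, so here is an added example (my own script, not something from the post) that does the triage mechanically: it parses a tab-separated Filemon/Regmon-style export, counts events per process, and groups one process's accesses under the categories listed above. The log lines, the process name ie7setup.exe and the PIDs are constructed for the demo; the category-to-path mapping is my illustrative assumption built from well-known Windows registry locations plus the two files the post names, not a list taken from the validation software itself.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed log in the tab-separated shape Filemon/Regmon export:
# sequence, time, process:pid, operation, path, result.
# Lines, process name and PIDs are made up for the demo.
SAMPLE_LOG = """\
1\t10:01:02\tie7setup.exe:1234\tQueryValue\tHKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\tSUCCESS
2\t10:01:02\tie7setup.exe:1234\tOpenKey\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\tSUCCESS
3\t10:01:03\tie7setup.exe:1234\tQueryValue\tHKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Domain\tSUCCESS
4\t10:01:03\tie7setup.exe:1234\tRead\tC:\\WINDOWS\\system32\\OEMInfo.Ini\tSUCCESS
5\t10:01:04\tie7setup.exe:1234\tQueryValue\tHKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString\tSUCCESS
6\t10:01:04\tie7setup.exe:1234\tRead\tC:\\WINDOWS\\system32\\legitcheckcontrol.dll\tSUCCESS
7\t10:01:05\tie7setup.exe:1234\tQueryValue\tHKCU\\Volatile Environment\\LOGONSERVER\tSUCCESS
8\t10:01:05\texplorer.exe:888\tQueryValue\tHKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid\tSUCCESS
"""

# Illustrative mapping (my assumption) from the post's categories to path patterns.
# Order matters: more specific patterns come before the broader ones they overlap.
SENSITIVE = [
    ("Machine Unique IDs", r"\\Cryptography\\MachineGuid$"),
    ("Machine Name", r"\\ComputerName\\ComputerName"),
    ("Internal Domain Name", r"\\Tcpip\\Parameters\\(?:NV )?Domain$"),
    ("TCP/IP Setup", r"\\Services\\Tcpip\\Parameters"),
    ("Processor Type and Model", r"\\CentralProcessor\\"),
    ("System Architecture", r"\\PROCESSOR_ARCHITECTURE$"),
    ("Logon Server", r"\\LOGONSERVER$"),
    ("OEM / manufacturer info", r"\\OEMInfo\.Ini$"),
    ("WGA validation component", r"\\legitcheckcontrol\.dll$"),
]


def parse_log(text):
    """Parse tab-separated Filemon/Regmon-style rows into dicts."""
    rows = []
    for rec in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(rec) < 6:
            continue  # blank or truncated line
        seq, when, proc, op, path, result = rec[:6]
        name, _, pid = proc.partition(":")
        rows.append({"seq": int(seq), "time": when, "process": name, "pid": pid,
                     "op": op, "path": path, "result": result})
    return rows


def classify(path):
    """First matching sensitivity category for a file or registry path, else None."""
    for category, pattern in SENSITIVE:
        if re.search(pattern, path, re.IGNORECASE):
            return category
    return None


def event_counts(text):
    """Events per process, the view behind the post's '4216 registry events'."""
    return Counter(row["process"] for row in parse_log(text))


def triage(text, process):
    """Group one process's sensitive accesses by category."""
    hits = defaultdict(list)
    for row in parse_log(text):
        if row["process"].lower() != process.lower():
            continue
        category = classify(row["path"])
        if category is not None:
            hits[category].append(row)
    return dict(hits)


if __name__ == "__main__":
    print(event_counts(SAMPLE_LOG))
    for category, rows in triage(SAMPLE_LOG, "ie7setup.exe").items():
        print(f"{category}:")
        for row in rows:
            print(f"  #{row['seq']} {row['op']:<11} {row['path']}")
```

Filtering on the process name is what keeps the unrelated explorer.exe read of MachineGuid out of the report; benign housekeeping such as the CurrentVersion key lookup falls through `classify` unmatched, so only the categories worth a second look remain.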
Reporting Back
While performing the validation, I ran Wireshark, an ethernet sniffer. It
allowed me to see the data over the network in raw format and determine if
there were any attempts to "call home". I am happy to report that there did
not appear to be any such attempts. But, that does not mean that Microsoft
is off the hook.
There are other scenarios that I can think of where Microsoft would have
called home:
It found a pirated copy of Microsoft
During the actual install to add to its count
At a later time so as not to attract attention or during a Windows update
Conclusion
There are definitely some disturbing things happening behind the scenes on
your computer when you need to validate Windows during the installation of
IE7. This entire issue deserves some media attention and further research.
http://www.dailycupoftech.com/is-in...ing-on-me/