Re: AV in rsaenh.dll
- From: thewanz <thewanz@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 4 Dec 2006 21:57:02 -0800
After deleting the profile I messed around with the cryptography classes
making myself owner of those keys in the registry. Upon reboot, my machine
would BSOD then reboot itself over and over again. After unsuccessfully
attempting to boot into safe mode, I chose "Last settings that worked" from
the boot list. My machine rebooted and I was able to access and install most
of the updates from WU. I don't know why, I just experienced what happened.
Thank you all very much for your help!
Wnz
"Robert Aldwinckle" wrote:
"thewanz" <thewanz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message.
news:4B809972-0B89-4B1A-B7E5-FD1F6E637C5A@xxxxxxxxxxxxxxxx
Deleting the profile also did not work.
Question: If this is a registry setting, is there any way to reset sections
of it (such as the cryptography section) or import settings and keys from a
different machine running the same OS (or svr 2k3)?
The only other initialization that I'm aware of I have only seen used
in fixie.inf when that was done during a boot.
initpki.dll has two other entry points: DllInstall and InitializePKI
With the DllInstall you would expect to be able to do:
regsvr32 /i initpki.dll
or
regsvr32 /n /i initpki.dll
but they always fail for some reason. I have never tried using the
old fixie.inf (adding registry entries which get executed during a boot)
approach with IE7 but they do work with IE6sp2. I know this because
I installed IE6sp1 standalone into XP before adding XPsp2.
That installs setupwbv.dll which allows the normal IE Repair to be used.
Of course, the fact that the calls are being executed during a boot where there
are no diagnostics doesn't prove that they work any better there than the manual
execution via regsvr32.exe. However, there is some kind of parameter given
by the fixie.inf which may be impossible to provide otherwise:
<example>
HKLM,"Software\Microsoft\Windows\CurrentVersion\RunOnceEx\103","003",2,"%11%\initpki.dll|DllInstall|i,A"
</example>
I have never been able to figure out what that extra i,A does.
The i by itself is evidently common to using DllInstall but the ,A
is unique to the initpki.dll value.
<digression>
Hmm... that same command was also used in the [Crypto.AddReg]
section of fixie.inf. The section itself is obviously inapplicable to XP,
however, since it would also execute pstores.exe -install which I only
saw used by NT4.
XP does have pstorec.dll. I wonder how that gets used?
Tasklist shows that only OE is using that one.
However, lsass.exe is using one called pstorsvc.dll
"Protected Storage Server" -- I don't know; this may just be how
AutoComplete data including AutoComplete passwords are kept.
Its relation to RSA routines could be incidental if any.
</digression>
Seeing the other initpki entrypoint suggests the possibility of doing
regsvr32 /n /i:InitializePKI initpki.dll
but I have no idea what that might do (apart from the implication given
by its name. <w>) Please make sure you have your system backed up
and know how to use it if you try experimenting with that. ; )
My guess is that it would fail the same way that the DllInstall does
but who knows?
Going back to your dump, you had symbols enabled, I think?
I'd be interested in seeing the Stack Back Trace of the crashing
thread. It might give me some more ideas.
Also, I suspect that you might find more knowledgeable help,
e.g. more awareness of how rsaenh.dll fits in with these other
pieces, in a Security NG.
HTH
Robert