No weird shit
Caveats
Most if not all pages are just rough notes, and these pages as a whole are far from complete. More notes will be added in time, eventually, maybe.
If, from reading these notes, you conclude that I am off my rocker, you won’t be the first, and you may even be right. These pages may simply position me as an acolyte to the late Gene Ray.
No doubt there are a dozen and one reasons why none of this would ever work, but perhaps somewhere deep down there is a tiny fragment that could be used for something.
Overview
Tell me if there is a polite way to express the same level of exasperation …
Part of the accountability principle is that everything within the system must make sense. Far too much time in IT is wasted on confusion caused by absurd implementations. Most such lunacy is going to be found under Microsoft Windows, where insanity, incompetence and laziness prevail.
There will be no such nonsense. Everything will be what it is and what it says on the tin. No black magic. No meaningless special cases.
Bad examples
Personal WindowsApps
In Windows, each user has a folder at %LOCALAPPDATA%\Microsoft\WindowsApps:
Various programs exist as 0-byte files. They can be executed (though most do nothing) but are otherwise totally impenetrable, even though you own them and have Full Control permissions assigned. The reason is that they are not ordinary files at all: each is a reparse point (tag IO_REPARSE_TAG_APPEXECLINK, shown as <APPEXECLINK> by dir) whose target package and executable live in the reparse buffer rather than in the file data, so size, content and permissions tell you nothing about what will actually run.
They also bypass (the valuable but sadly now scrapped) Software Restriction Policies system when configured to disallow the execution of applications from within a user’s profile.
There are no alternate data streams holding secret information either: the file data truly is completely empty. Everything the loader needs is carried in the reparse point, which is invisible to the usual size and stream listings.
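The following is an added example, not part of the original notes, that puts the claims above to the test on a real profile: it lists the aliases in %LOCALAPPDATA%\Microsoft\WindowsApps, shows that they are 0-byte files with the ReparsePoint attribute set, enumerates their data streams, and pulls the reparse tag out of fsutil's output. Nothing here is assumed beyond the standard cmdlets and fsutil; the only caveat is that fsutil may refuse to query from an unelevated prompt on some builds, in which case the tag column stays blank.

```powershell
# Added example (not part of the original notes): inspect the execution aliases in
# %LOCALAPPDATA%\Microsoft\WindowsApps and show why they look "impenetrable".
# Each alias is a reparse point (tag 0x8000001B, IO_REPARSE_TAG_APPEXECLINK); the
# target package and executable are held in the reparse buffer, so the file data
# is 0 bytes and there are no alternate data streams to find.
$aliasDir = Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps'

Get-ChildItem -LiteralPath $aliasDir -File -Force | ForEach-Object {
    $file = $_

    # The ReparsePoint attribute is the tell; Length stays 0 because the data fork is empty.
    $isReparse = ($file.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0

    # Alternate data streams: expect only the unnamed ':$DATA' stream, and expect it to be empty.
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        ForEach-Object { '{0}({1})' -f $_.Stream, $_.Length }

    # fsutil dumps the reparse tag and buffer; keep just the tag line. This may need an
    # elevated prompt on some builds, in which case the column is left blank.
    $tag = (& fsutil reparsepoint query $file.FullName 2>$null |
        Select-String 'Reparse Tag Value').Line -replace '\s+', ' '

    [pscustomobject]@{
        Name         = $file.Name
        Length       = $file.Length
        ReparsePoint = $isReparse
        Streams      = $streams -join ', '
        ReparseTag   = $tag
    }
} | Format-Table -AutoSize
```

Every row should show Length 0, ReparsePoint True, a single empty :$DATA stream and a tag of 0x8000001b. If a row shows ReparsePoint False with a non-zero length, it is a real file that somebody dropped into the aliases folder, which is worth a closer look.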
Someone at Microsoft will have got a bonus for this. The very idea of placing actual applications inside the user’s AppData folder is absurd in itself. There needs to be a dedicated location for applications that is separate from the data pertaining to them.
Solving these kinds of problems is what the Multidimensional Filing System is all about. Dimensional projection provides a completely consistent way to have user-level applications without resorting to empty files.
Random staging files
Multiple occurrences were discovered of drivers being installed on a computer under random names such as:
C:\Windows\System32\drivers\mhcyhugd.sys
With the exception of one left-over Registry entry, these drivers would then completely vanish. The verdict from one security analyst:
The observed random-name service installations align with transient driver staging attempts that were aborted and cleaned up by the system. This pattern is consistent with hardware or platform-level components (such as Intel NUC, Open GL, etc.) rather than malicious persistence. I've seen these random 8 character .sys files before.
In other words, there are (apparently) legitimate developers creating staging files that are indistinguishable from malware. The System event log (Service Control Manager event 7045) shows the driver service being installed but offers no clue as to the calling process or user session; the only record that names the installing account is Security event 4697, which is not collected at all unless the "Audit Security System Extension" policy has been enabled beforehand. There is no actual proof that this was legitimate, but the IT world, and particularly the Windows world, is so full of similar stupidity that there is never any way to be sure about anything. Windows is well-known to unpack software to a randomly-named folder at the root of some random drive and leave it there forever.
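As an added example (not from the original notes, and not the analyst's method), here is the triage a practitioner can run when this pattern turns up: list every .sys in System32\drivers whose base name is eight lowercase letters and check its Authenticode signature, find service entries in the Registry whose ImagePath points at a driver file that no longer exists (the left-over entry described above), and pull the matching 7045 install events so the install time and image path are at least on record. The eight-letter regex is this example's own reading of the sample name; adjust it if the names on your machine have a different shape.

```powershell
# Added example (not part of the original notes): triage randomly named drivers.
# 1) .sys files in System32\drivers whose base name is 8 lowercase letters, with
#    their signature status, so a signed vendor staging file stands out from junk.
# 2) Services in the Registry whose ImagePath points at a .sys that is gone: the
#    "left-over Registry entry" that outlives the staged file.
# 3) Service Control Manager event 7045 entries for the same name pattern. 7045
#    records name, image path, type, start mode and account, but not the caller.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$pattern   = '^[a-z]{8}$'   # assumption: the example name mhcyhugd is typical

$suspect = Get-ChildItem -LiteralPath $driverDir -Filter *.sys -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match $pattern } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            Created   = $_.CreationTime
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    }

# Driver ImagePaths come in several spellings: \SystemRoot\..., System32\..., \??\C:\...
$orphans = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $img = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match '\.sys$') {
        $path = $img -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^System32', "$env:SystemRoot\System32"
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $img }
        }
    }
}

$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '\\drivers\\[a-z]{8}\.sys' } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = {
        ($_.Message -split "`n" | Select-String 'Service Name|Service File Name') -join ' | ' } }

'--- randomly named drivers present now ---'; $suspect  | Format-Table -AutoSize
'--- service entries whose driver file is gone ---'; $orphans  | Format-Table -AutoSize
'--- 7045 install events matching the pattern ---'; $installs | Format-Table -AutoSize -Wrap
```

The three views together are what the log alone does not give you: whether the file is still there and signed, which service name it was registered under, and when it was installed. To also get who installed it, the "Audit Security System Extension" subcategory has to be enabled in advance so that event 4697 is written to the Security log.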
All staging processes that need to create temporary files must:
- Ensure that either the enclosing directory or the files themselves are meaningfully named, and
- Log exactly what took place, how and why
Random names are not inherently wrong, but if staging is taking place, put the files in a directory called “Staging” in a sensible place, and place any randomly-named items inside. The staging path need not be logged, but if there is some reason why a randomly-named driver must be installed, the corresponding log entry must note the package it relates to and that this is only a staging action. This is not to say that malware cannot lie about this, but at least you have a much better starting point for understanding what has taken place and why.
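As an added example of what the two rules look like in practice (this is illustrative code written for these notes, not a Windows facility), here is a small staging helper: the enclosing directory names the package, only the leaf file name is random, and both the creation and the removal are logged with the package, the reason, the user and the calling process. The %ProgramData%\Staging location and the one-JSON-object-per-line log format are this example's own choices.

```powershell
# Added example (not part of the original notes): a staging helper that follows the
# two rules above. Randomly named files are allowed, but they live under a directory
# that says what they are, and every create/remove is logged with the package it
# belongs to, the reason, and who did it. Paths and log format are this example's
# own choices.
$StagingRoot = Join-Path $env:ProgramData 'Staging'
$StagingLog  = Join-Path $StagingRoot 'staging.log'

function Write-StagingLog {
    param([string]$Action, [string]$Package, [string]$Reason, [string]$Path)
    # One JSON object per line: who, what, why, where. The record is written before
    # the file is created and again when it is removed, so even a file that vanishes
    # seconds later leaves an explanation behind.
    New-Item -ItemType Directory -Path $StagingRoot -Force | Out-Null
    [ordered]@{
        time    = (Get-Date).ToString('o')
        action  = $Action
        package = $Package
        reason  = $Reason
        path    = $Path
        user    = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        pid     = $PID
        process = (Get-Process -Id $PID).ProcessName
    } | ConvertTo-Json -Compress | Add-Content -LiteralPath $StagingLog -Encoding UTF8
}

function New-StagingFile {
    param(
        [Parameter(Mandatory)][string]$Package,   # the installer or driver package this belongs to
        [Parameter(Mandatory)][string]$Reason,    # why a temporary file is needed at all
        [string]$Extension = '.tmp'
    )
    # Meaningful enclosing directory: Staging\<package>. Only the leaf name is random.
    $dir = Join-Path $StagingRoot ($Package -replace '[^\w.-]', '_')
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $name = -join (1..8 | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
    $path = Join-Path $dir ($name + $Extension)
    Write-StagingLog -Action 'create' -Package $Package -Reason $Reason -Path $path
    New-Item -ItemType File -Path $path | Out-Null
    return $path
}

function Remove-StagingFile {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Package)
    Write-StagingLog -Action 'remove' -Package $Package -Reason 'staging complete' -Path $Path
    Remove-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
}

# Usage: stage, use, remove; then read the two log lines back. The package name is made up.
$p = New-StagingFile -Package 'ExampleVendor.Widget.Driver' -Reason 'unpack driver package before install'
Remove-StagingFile -Path $p -Package 'ExampleVendor.Widget.Driver'
Get-Content -LiteralPath $StagingLog -Tail 2
```

Compare this with the driver case above: a later investigator who finds only an empty Staging\ExampleVendor.Widget.Driver directory still has two log lines saying which package put a random file there, why, and which process removed it. The random name itself is harmless once the directory and the log do the explaining.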