The data is stored in XML and the data stored is unsurprising considering the context we have so far. The configuration file is stored at %windir%\WaaS\Services\ alongside a few additional files. Check if the details of the windows service WaaSMedicSVC, match what’s listed in a configuration file.This is short and readable (besides the weird usage of the registry instead of a Mutex object) and the core function is clearly Upfc::PerformDetectionAndRemediationIfNeeded. Call Upfc::PerformDetectionAndRemediationIfNeeded.Mark that upfc is running through the registry.Check if another instance is in progress through the registry.The rough pseudo code is as follows (omitting error checking and logging) The main function of upfc.exe is very readable in IDA. Opening up UPFCĪt some point, we need to open up the program in a disassembler. Plugins implement different functionalities such as checking executable file health (signatures and metadata), correctness of background scheduled tasks and services.īut all this is can be talked about in a future blog post. Without knowing anything about that particular service, the subkeys suggest there exists a mechanism for the WaaSMedic service. Upfc doesn’t seem to have interesting values, most seem related to when it runs.īut WaaSMedic sounds interesting. Looking at registry keys, we see upfc.exe accesses Computer\HKEY_LOCAL_MACHINE\SYSTEM\WaaS and its sub keys Upfc and WaaSMedic. Onwards to observe what the executable actually does when running. Strings like “antimalwareLight” provide context, for example, that upfc happens early in the boot process (but we knew that.) but again nothing helpful for understanding upfc itself. This tells us what WaaSMedic relates to, Windows Update health check, but not what this executable actually does.Ī few more strings give us pointers to related programs or services, such as sihclient.exe, or “antimalwareLight” that provide context on where upfc fits in in the grand scheme of Windows. From this string, we can assume that upfc.exe relates to “ Windows Update Medic Service (WaaSMedicSVC)”. A single string provided a strong clue, “ Microsoft-Windows-WaasMedic-Enable-Remediations”. Running strings on the executable file provided no clear answers. The next step, was running strings on the executable, hoping for some hints or a full answer. There are hints that upfc.exe is part of the Windows Update process, but no explanation for it’s role. However, there are less than 400 results and none of them answer precisely what the executable does. When faced with an unknown binary, a good search engine should be your first port of call. What the heck is that and what does “Updateability from SCM” even mean? This happens very early in the boot process. After a small bit of scrolling I see upfc.exe, and I think what the heck? To find interesting tidbits of information, I filter by username and process start time and get going. Upon loading the procmon boot log, there is a huge deluge of data. In this post I will describe the service, it’s task and try to answer the question whether there exist any security issues in this service. I discovered this process is part of the Windows Update self healing mechanism. This time, I found a small service, named upfc.exe. You can do the equivalent process using bootchart in Linux based systems. Every time I do so, I run into something neat that lead me to discover a small new service in Windows. This is a good technique to know what actually runs on your Windows computer and learn new stuff. Every once in a while, I run procmon (Process Monitor) on boot, searching for new things that run as SYSTEM.
0 Comments
Leave a Reply. |