
WindowsPersistenceMechanismFiles - Hunt Error


Greetings, I believe I found an issue or a bug concerning a Google Rapid Response hunt and the way some clients are working. I wish to run the “Collectors>ArtifactCollectorFlow>WindowsPersistenceMechanismFiles” hunt. As of now, I am only trying to run it locally and limiting the hunt to around two hours, 10 clients, and only my computer running the agent. However, this task, while it appears as completed, produces a load of errors concerning registry lookups. I believe it is either related to the hunt not finding the files it is looking for, or to a lack of permissions on the client. The hunt provides error logs in the Admin UI for this particular hunt. I am sending you a sample of the output. The entire log consists of that same error pattern:

2018-02-15 20:49:01 UTC 	Artifact WindowsAppInitDLLs data collection failed. Status: message GrrStatus { cpu_time_used : message CpuSeconds { system_cpu_time : 0.0 user_cpu_time : 0.0 } error_message : u"File not found: message PathSpec {\n path : u'HKEY_USERS\\\\S-1-5-21-812718187-1142311462-14044502-9073\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_DLLs'\n pathtype : REGISTRY\n}" network_bytes_sent : 358 status : IOERROR }.
2018-02-15 20:49:01 UTC 	Artifact WindowsAppInitDLLs data collection failed. Status: message GrrStatus { cpu_time_used : message CpuSeconds { system_cpu_time : 0.0 user_cpu_time : 0.0 } error_message : u"File not found: message PathSpec {\n path : u'HKEY_USERS\\\\S-1-5-21-812718187-1142311462-14044502-10284\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_DLLs'\n pathtype : REGISTRY\n}" network_bytes_sent : 359 status : IOERROR }.
2018-02-15 20:49:01 UTC 	Artifact WindowsAppInitDLLs data collection failed. Status: message GrrStatus { cpu_time_used : message CpuSeconds { system_cpu_time : 0.0 user_cpu_time : 0.0 } error_message : u"File not found: message PathSpec {\n path : u'HKEY_USERS\\\\S-1-5-21-1094346107-1713775765-2398829250-500\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_DLLs'\n pathtype : REGISTRY\n}" network_bytes_sent : 360 status : IOERROR }.
2018-02-15 20:49:01 UTC 	Artifact WindowsAppInitDLLs data collection failed. Status: message GrrStatus { cpu_time_used : message CpuSeconds { system_cpu_time : 0.0 user_cpu_time : 0.0 } error_message : u"File not found: message PathSpec {\n path : u'HKEY_USERS\\\\S-1-5-21-812718187-1142311462-14044502-9073\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_DLLs'\n pathtype : REGISTRY\n}" network_bytes_sent : 345 status : IOERROR }.
2018-02-15 20:49:01 UTC 	Artifact WindowsAppInitDLLs data collection failed. Status: message GrrStatus { cpu_time_used : message CpuSeconds { system_cpu_time : 0.0 user_cpu_time : 0.0 } error_message : u"File not found: message PathSpec {\n path : u'HKEY_USERS\\\\S-1-5-21-812718187-1142311462-14044502-500\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_DLLs'\n pathtype : REGISTRY\n}" network_bytes_sent : 357 status : IOERROR }.

In order to resolve this issue, I was looking into Windows’ Process Monitor. It showed many anomalies when it comes to the client accessing various registry keys. I am also providing you with a screenshot of an example of the errors coming up (excluding success log entries):

https://imgur.com/a/2g7Aj

It would be a pleasure to provide any information if necessary. Thank you very much for your time.
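As an added example (not code from the issue or from GRR itself), a small Python triage script that parses GrrStatus failure lines like the ones above and separates the expected "File not found" misses, which the thread concludes are just GRR probing every user hive for a key that does not exist there, from any other failure that would actually point at a permissions or client problem. The sample log is constructed from the lines quoted above; its third, "Access is denied" line is made up so the triage has something to flag.

```python
import re
from collections import Counter

# Constructed sample, patterned after the GrrStatus lines quoted in the issue.
# The first two reuse SIDs from the issue; the third ("Access is denied") is
# made up so that the triage below has a non-"File not found" failure to flag.
SAMPLE_LOG = r"""
2018-02-15 20:49:01 UTC  Artifact WindowsAppInitDLLs data collection failed. Status: message GrrStatus { cpu_time_used : message CpuSeconds { system_cpu_time : 0.0 user_cpu_time : 0.0 } error_message : u"File not found: message PathSpec {\n path : u'HKEY_USERS\\\\S-1-5-21-812718187-1142311462-14044502-9073\\\\Software\\\\Wow6432Node\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_DLLs'\n pathtype : REGISTRY\n}" network_bytes_sent : 358 status : IOERROR }.
2018-02-15 20:49:01 UTC  Artifact WindowsAppInitDLLs data collection failed. Status: message GrrStatus { cpu_time_used : message CpuSeconds { system_cpu_time : 0.0 user_cpu_time : 0.0 } error_message : u"File not found: message PathSpec {\n path : u'HKEY_USERS\\\\S-1-5-21-812718187-1142311462-14044502-9073\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_DLLs'\n pathtype : REGISTRY\n}" network_bytes_sent : 345 status : IOERROR }.
2018-02-15 20:49:02 UTC  Artifact WindowsAppInitDLLs data collection failed. Status: message GrrStatus { cpu_time_used : message CpuSeconds { system_cpu_time : 0.0 user_cpu_time : 0.0 } error_message : u"Access is denied: message PathSpec {\n path : u'HKEY_USERS\\\\S-1-5-21-1094346107-1713775765-2398829250-500\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows\\\\AppInit_DLLs'\n pathtype : REGISTRY\n}" network_bytes_sent : 360 status : IOERROR }.
"""

# One failed-artifact line: artifact name, the quoted error_message, the status.
LINE_RE = re.compile(
    r"Artifact (?P<artifact>\w+) data collection failed\."
    r".*?error_message : u['\"](?P<msg>.*?)['\"] network_bytes_sent : \d+"
    r" status : (?P<status>\w+)")
# The PathSpec embedded inside the error message.
PATH_RE = re.compile(r"path : u['\"](?P<path>[^'\"]+)['\"]")

def parse_line(line):
    """Return a dict describing one failed-artifact log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    p = PATH_RE.search(m["msg"])
    # The path is escaped twice (Python repr inside protobuf text format), so
    # collapse every run of backslashes to one separator before splitting.
    path = re.sub(r"\\+", r"\\", p["path"]) if p else ""
    parts = path.split("\\")
    sid = parts[1] if len(parts) > 1 and parts[0] == "HKEY_USERS" else None
    # A "File not found" IOERROR only means this user hive lacks the key, the
    # expected outcome of probing every SID; anything else deserves a look
    # (permissions, a broken client, an unexpected status).
    expected = m["status"] == "IOERROR" and m["msg"].startswith("File not found")
    return {"artifact": m["artifact"], "status": m["status"], "sid": sid,
            "wow64": "Wow6432Node" in parts, "leaf": parts[-1],
            "kind": "absent_key" if expected else "needs_review"}

def triage(log_text):
    """Summarise a hunt log: routine misses per SID vs. failures to review."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {"total": len(recs),
            "by_kind": Counter(r["kind"] for r in recs),
            "by_sid": Counter(r["sid"] for r in recs),
            "review": [r for r in recs if r["kind"] == "needs_review"]}

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(dict(summary["by_kind"]))
    for r in summary["review"]:
        print("review:", r["artifact"], r["sid"], r["status"])
```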


Top GitHub Comments

Karneades commented, Feb 23, 2018

Is it normal for the hunt to look for directories which do not even exist?

The GRR server does not know in advance which directories/registry keys are available on the client, so every registry key defined in the artifact (in the current case WindowsCommandProcessorAutoRun) is searched.

You do not find the key “HKEY_USERS\\S-1-5-80-1044544286-2763731348-267423293-2293503259-2593316332” in the registry? THAT would be strange 😃 GRR enumerates all the SIDs (user ids) and reads the registry keys/values then.

Why the hunt stops at “AUTORUN” is not clear to me - according to the error log, only the artifact “AUTORUN” was stopped but that doesn’t mean the whole hunt is stopped. Maybe someone else can jump in 😃

Se1ecto commented, Mar 16, 2018

Hello everyone! My teammates and I believe we have found a simple fix for our issue: enabling “IGNORE_INTERPOLATION”.

We would like to know, in general, what this option does. I’ve had trouble finding the relevant documentation to this.

Thank you for your time!
