Category Archives: Computers

Windows 10 Snipping Tool is leaking your username and/or your full name

If you are concerned about privacy, then you probably know that it is not a good idea to use your real name as a Windows account name. Not only does Windows contain security flaws that can leak your username, it is also prominently displayed on your laptop’s sign-in screen, so anyone standing behind you learns your first and last name.

Windows 10 sign-in

Today’s story is about the Windows 10 built-in screenshot tool, the Snipping Tool. It is a very convenient utility that lets you capture the full screen, a single window, or a rectangular part of the display.

Windows 10 Snipping Tool

It is very easy and convenient to take a snip and share it on the internet. However, when you share it as a JPG image, you are leaking your username or full name (if you use that as your sign-in or account name in Windows 10). Thankfully, JPG is not the default format for saving snips; PNG is. But note that there is no option or indication anywhere that your name will be embedded in the image metadata, also known as the Exif header (and, as the hex dumps further down show, in an XMP packet as well).

I have created a Capture.jpg image as an example, using a Windows 10 test account with the name of a fictitious character, Drip Leaker Junior, to illustrate the leak. After saving the .jpg image to disk, right-click it, choose Properties and open the Details tab. You will see your name under the Authors property.

Capture.JPG properties

Fortunately, there is an option to “Remove Properties and Personal Information” in the same Details tab, as shown in the screenshot above. Unfortunately, it does not remove the information completely. It would be fun if the NSA were behind this, but most probably it is just a bug that leaves your name in the file, hidden from you but visible to any computer-savvy person.

So what happens after you click the “Remove…” link? It offers either to create a copy with all possible properties removed, or to remove selected properties from the original file. See the screenshot below.

Remove Properties window

It does not matter which option you choose: the personal information is not removed. It appears to be removed if you open the file properties again (right-click the file and choose the Details tab), but it is not. Your username/full name is still embedded in the JPG file.

Seems that Authors property is removed

To understand what is happening behind the scenes you will need a file viewer or, better, a hex editor: a program that shows the contents of any file as raw bytes alongside their character representation. Such a tool reveals information that is normally invisible to an ordinary user.

Now, if you look at the original Capture.jpg with such a tool, you will notice the username embedded in three places. See the hex dumps below.

00000850 00 00 00 00 00 00 00 00 ........
00000858 00 00 00 00 00 00 00 00 ........
00000860 00 00 00 00 00 00 00 00 ........
00000868 44 72 69 70 20 4C 65 61 Drip Lea
00000870 6B 65 72 20 4A 75 6E 69 ker Juni
00000878 6F 72 00 00 00 01 EA 1C or....ê.
00000880 00 07 00 00 08 0C 00 00 ........
00000888 08 70 00 00 00 00 1C EA .p.....ê

00001090 00 00 00 00 00 00 00 00 ........
00001098 00 00 00 00 44 00 72 00 ....D.r.
000010A0 69 00 70 00 20 00 4C 00 i.p. .L.
000010A8 65 00 61 00 6B 00 65 00 e.a.k.e.
000010B0 72 00 20 00 4A 00 75 00 r. .J.u.
000010B8 6E 00 69 00 6F 00 72 00 n.i.o.r.
000010C0 00 00 FF E1 0A 6B 68 74 ..ÿá.kht
000010C8 74 70 3A 2F 2F 6E 73 2E tp://ns.

000012A8 79 6E 74 61 78 2D 6E 73 yntax-ns
000012B0 23 22 3E 3C 72 64 66 3A #"><rdf:
000012B8 6C 69 3E 44 72 69 70 20 li>Drip 
000012C0 4C 65 61 6B 65 72 20 4A Leaker J
000012C8 75 6E 69 6F 72 3C 2F 72 unior</r
000012D0 64 66 3A 6C 69 3E 3C 2F df:li></
000012D8 72 64 66 3A 53 65 71 3E rdf:Seq>

When you use “Remove Properties and Personal Information”, it removes only the last entry, the copy around offset 0x12B0, which sits inside an XMP packet (the APP1 segment starting at 0x10C2 whose payload begins with “http://ns.” and holds the name between rdf:li tags), and leaves the other two untouched. Also notice the 0x00 bytes between the characters in the second hex dump: that is the same name encoded as UTF-16LE, the “Unicode” form in which Windows stores its own Exif tags such as XPAuthor, while the first dump is the plain ASCII copy. A cleaner that strips one of the three but not the others has not removed the leak, which is why the properties dialog is the wrong place to verify it: a byte-level search for the name in both encodings is what actually tells you the file is clean.

Why didn’t I report this bug to Microsoft? I actually did report the same bug for Windows 8 about five years ago, and the fix never came…

So what can you do to prevent your personal information from leaking? Stick to the .png format (the default), which does not seem to have this bug. Or strip the metadata with a tool that rewrites the file without its metadata segments instead of trusting the Explorer dialog (for example ExifTool’s exiftool -all= Capture.jpg), and then confirm with a hex editor or a byte search that the name is gone in all three places before you share the image. Or try to submit the bug to Microsoft; perhaps you will have better luck than me.
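The two checks described above, finding every copy of the name in the JPEG metadata segments and removing those segments outright, as an added example (this is not code from the original post). It parses only the JPEG container, i.e. the marker segments up to SOS, and copies the compressed image data through untouched, so stripping is lossless. SAMPLE_JPEG is a constructed stand-in for the author’s Capture.jpg: an Exif APP1 segment holding the name as ASCII and as UTF-16LE, plus an XMP APP1 segment holding it in rdf:li, the same three locations the hex dumps show. The exact byte layout inside the constructed Exif block is an assumption for illustration, not a reproduction of what the Snipping Tool writes.

```python
"""Find and strip an account name leaked into JPEG metadata.

Added example, not code from the original post.  Only the JPEG container
(marker segments up to SOS) is parsed; the compressed image data is copied
through untouched, so stripping is lossless.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))   # markers with no length
EXIF_HDR = b"Exif\x00\x00"
XMP_HDR = b"http://ns.adobe.com/xap/1.0/\x00"
NAME = "Drip Leaker Junior"      # fictitious account name used in the post


def iter_segments(data):
    """Yield (marker, start, end) for each segment from SOI up to and
    including the SOS header; start/end include the 0xFF marker byte."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, 0, 2
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset 0x%X" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte; real marker follows
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            if marker == EOI:
                return
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        yield marker, pos, end
        if marker == SOS:                    # entropy-coded data follows: stop
            return
        pos = end


def segment_kind(marker, body):
    if body.startswith(EXIF_HDR):
        return "Exif"
    if body.startswith(XMP_HDR):
        return "XMP"
    return "COM" if marker == 0xFE else "APP%d" % (marker - 0xE0)


def find_name_leaks(data, name):
    """Return [(kind, encoding, absolute_offset)] for every copy of `name`
    in an APPn/COM segment, as ASCII or UTF-16LE: the two byte forms seen
    in the dumps above (the XMP copy is ASCII inside XML)."""
    hits = []
    for marker, start, end in iter_segments(data):
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            continue
        body = data[start + 4:end]           # skip marker and length field
        kind = segment_kind(marker, body)
        for enc, needle in (("ascii", name.encode("ascii")),
                            ("utf-16le", name.encode("utf-16-le"))):
            off = body.find(needle)
            while off != -1:
                hits.append((kind, enc, start + 4 + off))
                off = body.find(needle, off + len(needle))
    return hits


def strip_metadata(data, keep=(0xE0,)):
    """Rewrite `data` without APPn/COM segments (APP0/JFIF kept by default).
    Everything from the SOS header on is copied verbatim."""
    out = bytearray()
    tail = 0
    for marker, start, end in iter_segments(data):
        is_meta = 0xE0 <= marker <= 0xEF or marker == 0xFE
        if not is_meta or marker in keep:
            out += data[start:end]
        tail = end
    return bytes(out + data[tail:])


def _segment(marker, body):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body


# Constructed sample (assumed layout): JFIF APP0, an Exif APP1 holding the
# name as ASCII and as UTF-16LE, an XMP APP1 holding it in <rdf:li>, then
# a dummy scan.  Not a real Snipping Tool output.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, EXIF_HDR + b"II*\x00\x08\x00\x00\x00" + bytes(16)
               + NAME.encode("ascii") + b"\x00"
               + NAME.encode("utf-16-le") + b"\x00\x00")
    + _segment(0xE1, XMP_HDR + b"<rdf:Seq><rdf:li>" + NAME.encode("ascii")
               + b"</rdf:li></rdf:Seq>")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78" + b"\xff\xd9"    # fake scan data and EOI
)

if __name__ == "__main__":
    for kind, enc, off in find_name_leaks(SAMPLE_JPEG, NAME):
        print("%-4s %-8s at 0x%04X" % (kind, enc, off))
    print("after strip:", find_name_leaks(strip_metadata(SAMPLE_JPEG), NAME))
```

Run against a real file with open(path, "rb").read(): find_name_leaks reports the Exif ASCII copy, the Exif UTF-16LE copy and the XMP copy separately, so a file that the Explorer dialog has “cleaned” still shows the first two. strip_metadata drops every APP1..APP15 and COM segment rather than editing individual tags, which is the only approach that does not depend on knowing in advance where a writer put the name; keep=(0xE0,) preserves the JFIF header so ordinary decoders are unaffected.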

Software used in the tests: fully patched Windows 10 Pro 64-bit, Version 1803 (OS Build 17134.167). Hex editor used: the freeware Febooti HEX Editor.

P.S. If you are wondering what happens when you click the help link in the Remove Properties window, “What personal information might be in a file?”, it leads to https://go.microsoft.com/fwlink/?LinkId=517009, which redirects to the root page of Windows 10 support, https://support.microsoft.com/en-us/products/windows?os=windows-10, which of course does not contain any useful information. This may be related to Microsoft somehow not dedicating enough resources to software testing, but that is a story for another time.

Windows Update – Service not running or Windows System apps appear as from unknown publisher

There are two symptoms of the same problem in Microsoft Windows:

  1. Windows Update cannot currently check for updates, because the service is not running. You may need to restart your computer.
  2. When you Run as administrator mmc.exe, notepad.exe, regedit.exe or any other program, you get: Do you want to allow the following program from an unknown publisher to make changes to this computer?

These errors started to appear after one of the drives in an Intel RAID 1 array (Intel ICH8R/ICH10R SATA RAID controller) failed and was replaced with a new drive. The RAID rebuild was successful, but the above symptoms appeared afterwards.

Where is the problem?

Windows Cryptographic Services. Windows system binaries such as mmc.exe and notepad.exe are signed through security catalogs rather than embedded Authenticode signatures, and this service owns the catalog database used to match a file to its catalog; if that database is unusable, those files verify as unsigned, which is exactly what the “unknown publisher” prompt says, and Windows Update, which depends on the same service, fails as well. The service keeps two folders under the Windows\System32 directory:
C:\Windows\System32\catroot
and
C:\Windows\System32\catroot2

One of them contains the log file edb.log, which was full of error messages:

CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1900 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #901 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1921 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #911 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #755 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #969 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #6724 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #6918 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #7075 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #3454 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #2702 encountered JET error -583

Also, in the GUID-named subfolders there should be two database files called “catdb”:
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
and
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

Both were missing; the folders were empty… And do not try to copy them from another PC. It will not work: Windows automatically deletes them once the Cryptographic Services service is started.
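A small triage script for the two checks just described (the CatalogDB error lines and the presence of the two catdb files), as an added example; it is not code from the original post. SAMPLE_LOG is built from the lines quoted above; CATROOT2 is the standard path and is only a default, since on the machine being examined you may be reading a copied log. The script makes no attempt to repair anything: its job is to confirm, from the log and the directory layout, that the catalog database is the broken component before you go looking at drivers.

```python
"""Triage helper for a broken Cryptographic Services catalog database.

Added example, not code from the original post.  Parses "CatalogDB:" lines
in the format quoted above and checks whether the catdb files in the two
GUID subfolders of catroot2 exist.
"""
import re
from collections import Counter
from pathlib import Path

CATROOT2 = r"C:\Windows\System32\catroot2"        # default location (assumption)
CATDB_GUIDS = ("{127D0A1D-4EF2-11D1-8608-00C04FC295EE}",
               "{F750E6C3-38EE-11D1-85E5-00C04FC295EE}")

LINE_RE = re.compile(r"^CatalogDB: (?P<ts>\S+ \S+ \S+): (?P<msg>.*)$")
JET_RE = re.compile(r"(?P<src>\S+\.cpp) at line #(?P<line>\d+) "
                    r"encountered JET error (?P<code>-?\d+)")

# Constructed from the log lines quoted in the post.
SAMPLE_LOG = """\
CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1900 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #901 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1921 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #911 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #755 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #969 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #6724 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #6918 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #7075 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #3454 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #2702 encountered JET error -583
"""


def parse_catalogdb_log(text):
    """Summarise CatalogDB lines: JET error counts by code and by source
    file, the number of 'JetInit Corruption' lines, and unparsed lines."""
    jet, by_source, corruption, unparsed = Counter(), Counter(), 0, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        msg = m.group("msg")
        if msg == "JetInit Corruption":
            corruption += 1
            continue
        j = JET_RE.search(msg)
        if j:
            jet[int(j.group("code"))] += 1
            by_source[j.group("src")] += 1
        else:
            unparsed.append(line)
    return {"jet_errors": dict(jet), "by_source": dict(by_source),
            "jetinit_corruption": corruption, "unparsed": unparsed}


def missing_catdb(catroot2=CATROOT2):
    """Return the GUID subfolders under catroot2 whose catdb file is absent."""
    root = Path(catroot2)
    return [g for g in CATDB_GUIDS if not (root / g / "catdb").is_file()]


def diagnose(log_text, catroot2=CATROOT2):
    """One verdict: the catalog DB is unusable if the log reports JetInit
    corruption or either catdb file is missing."""
    result = parse_catalogdb_log(log_text)
    result["missing_catdb"] = missing_catdb(catroot2)
    result["catalog_db_unusable"] = (result["jetinit_corruption"] > 0
                                     or bool(result["missing_catdb"]))
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

The by_source breakdown is what makes the log useful: every -583 here comes from catadnew.cpp and catdbsvc.cpp, i.e. the catalog database layer itself, not from a particular catalog file, which points at storage rather than at a single bad update.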

Where is the solution?

Update your RAID driver! Yes, it is as simple as that: update the driver (to at least version 11.7.0.1013 from 12/3/2012) and these files are regenerated automatically. On a modern Intel i7 CPU it took about an hour.

P.S. I believe that this applies not only to Windows 7 but also to Windows 8.1 and Windows 10.
P.P.S. Running the Microsoft Windows Resource Checker (SFC.exe) does not do anything useful in this case.

MikroTik local link up / down on high traffic

One of our RouterBOARD routers, a MikroTik RB750 (mipsbe, with an Atheros 7240 switch chip) running RouterOS v6.35.2 (the latest version at the time), has been constantly crashing under high network load. One particularly interesting note is that it crashed on traffic that goes through the internal switch chip but not on other traffic.

The log shows the following pattern:
may/13 21:23:17 interface,info ether1-gateway link up (speed 100M, full duplex)
may/13 21:23:17 interface,info ether2-master-local link up (speed 100M, full duplex)
may/13 21:23:17 interface,info ether4-slave-local link up (speed 100M, full duplex)
may/13 21:24:21 system,info sntp change time May/13/2016 21:23:38 => May/13/2016 21:24:21
may/13 21:26:22 interface,info ether2-master-local link down
may/13 21:26:22 interface,info ether4-slave-local link down
may/13 21:26:24 interface,info ether2-master-local link up (speed 100M, full duplex)
may/13 21:26:24 interface,info ether4-slave-local link up (speed 100M, full duplex)
may/13 21:29:16 interface,info ether2-master-local link up
may/13 21:29:16 interface,info ether4-slave-local link down
may/13 21:29:17 interface,info ether2-master-local link down
may/13 21:29:18 interface,info ether2-master-local link up (speed 100M, full duplex)
may/13 21:29:18 interface,info ether4-slave-local link up (speed 100M, full duplex)
may/13 21:36:01 interface,info ether4-slave-local link down
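The pattern in that log, a link-down followed within a couple of seconds by a link-up on the same port, is what a monitoring system should be alerting on. Below is an added example of that detection (not code from the original post or from MikroTik) run over the lines quoted above. Assumptions: RouterOS omits the year, so it is passed in (2016, from the sntp line); max_gap of 10 seconds is an arbitrary threshold for what counts as a flap rather than a normal cable event; SAMPLE_LOG is constructed from the log above.

```python
"""Port-flap detector for RouterOS interface log lines.

Added example, not code from the original post or from MikroTik.  Reports
every link-down that is followed by a link-up on the same port within
max_gap seconds, plus each port's last known state.
"""
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
LINK_RE = re.compile(
    r"^(?P<mon>[a-z]{3})/(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"interface,info (?P<iface>\S+) link (?P<state>up|down)\b")

# Constructed from the log lines quoted in the post (year assumed 2016).
SAMPLE_LOG = """\
may/13 21:23:17 interface,info ether1-gateway link up (speed 100M, full duplex)
may/13 21:23:17 interface,info ether2-master-local link up (speed 100M, full duplex)
may/13 21:23:17 interface,info ether4-slave-local link up (speed 100M, full duplex)
may/13 21:24:21 system,info sntp change time May/13/2016 21:23:38 => May/13/2016 21:24:21
may/13 21:26:22 interface,info ether2-master-local link down
may/13 21:26:22 interface,info ether4-slave-local link down
may/13 21:26:24 interface,info ether2-master-local link up (speed 100M, full duplex)
may/13 21:26:24 interface,info ether4-slave-local link up (speed 100M, full duplex)
may/13 21:29:16 interface,info ether2-master-local link up
may/13 21:29:16 interface,info ether4-slave-local link down
may/13 21:29:17 interface,info ether2-master-local link down
may/13 21:29:18 interface,info ether2-master-local link up (speed 100M, full duplex)
may/13 21:29:18 interface,info ether4-slave-local link up (speed 100M, full duplex)
may/13 21:36:01 interface,info ether4-slave-local link down
"""


def parse_link_events(text, year):
    """Return [(timestamp, interface, 'up'|'down')] in log order; lines that
    are not link events (sntp, firewall, ...) are ignored."""
    events = []
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if not m:
            continue
        hh, mm, ss = (int(x) for x in m.group("time").split(":"))
        ts = datetime(year, MONTHS[m.group("mon")], int(m.group("day")), hh, mm, ss)
        events.append((ts, m.group("iface"), m.group("state")))
    return events


def detect_flaps(events, max_gap=10):
    """Return ({iface: [(down_at, up_at, seconds), ...]}, {iface: last_state}).
    A flap is the most recent down on a port followed by an up within
    max_gap seconds.  A port left down (ether4 at 21:36:01 above) is not a
    flap but shows as 'down' in last_state.  An 'up' with no preceding
    down (ether2 at 21:29:16) is ignored."""
    pending, flaps, last_state = {}, {}, {}
    for ts, iface, state in sorted(events, key=lambda e: e[0]):   # stable sort
        last_state[iface] = state
        if state == "down":
            pending[iface] = ts
        elif iface in pending:
            down_at = pending.pop(iface)
            gap = (ts - down_at).total_seconds()
            if gap <= max_gap:
                flaps.setdefault(iface, []).append((down_at, ts, gap))
    return flaps, last_state


def flap_report(text, year=2016, max_gap=10):
    """Flap count per port plus last known state, for a quick summary."""
    flaps, last_state = detect_flaps(parse_link_events(text, year), max_gap)
    return {iface: len(f) for iface, f in flaps.items()}, last_state


if __name__ == "__main__":
    print(flap_report(SAMPLE_LOG))
```

On the sample this reports two flaps each on ether2-master-local and ether4-slave-local, none on ether1-gateway (the non-switch port), and ether4-slave-local still down at the end, which matches the author’s observation that only traffic through the switch chip triggers the problem.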

A little search on the internet shows that we are not alone. Port flapping is widespread in the MikroTik world. There are many reports of a similar problem dating back to 2011, but no solution.

My guess is that the switch chip is broken / dead / malfunctioning / buggy, or that the switch part of the MikroTik router is sensitive to voltage / current changes.

But anyway, we solved this by disabling the switch and putting each port in a different subnet (bridging may also work). Now all traffic goes through the CPU, and even though MikroTik advertises that the switch runs at wire speed, we noticed that traffic through the CPU performs even better.