Windows Update – Service not running or Windows System apps appear as from unknown publisher

There are two symptoms to the same problem in Microsoft Windows:

  1. Windows Update cannot currently check for updates, because the service is not running. You may need to restart your computer
  2. When you Run As Administrator mmc.exe, notepad.exe, regedit.exe and any other program, you get — Do you want to allow the following program from an unknown publisher to make changes to this computer?

These errors started to appear after one of the Intel RAID 1 (Intel ICH8R/ICH10R SATA RAID controller) drives have failed, and was replaced with the new drive. The RAID rebuilt was successful, however the above symptoms have appeared.

Where is the problem?

Windows Cryptographic Services. The service have two folders under Windows/System32 directory:
C:\Windows\System32\catroot
and
C:\Windows\System32\catroot2

One of them have the log file – edb.log, that was full of the error messages.

CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1900 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #901 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1921 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #911 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #755 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #969 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #6724 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #6918 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #7075 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #3454 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #2702 encountered JET error -583

Also in the GUID-named subfolders there are two database files called “catdb”.
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
and
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

They both were missing. Folders were empty… And do not try to copy them from another PC. It would not work. Windows will automatically delete them after Cryptographic Service is started.

Where is the solution?

Update your RAID driver! Yes simple as that, update driver (to at least version: 11.7.0.1013 from 12/3/2012), and these files are regenerated automatically. On modern Intel i7 CPU it took about 1 hour.

P.S. I believe that this applies not only to Windows 7, but also to Windows 8.1 and Windows 10.
P.S.S. Running Microsoft Windows Resource Checker (SFC.exe) does not do anything useful in this case.

MikroTik local link up / down on high traffic

One of our RouterBOARD routers – MikroTik RB750 (mipsbe with Atheros 7240 switch) running the version v6.35.2 (latest version) have been constantly crashing on high network load. One particularly interesting note is that it crashed on traffic that goes through the internal switch but not on other traffic.

The log file shows the following pattern:
may/13 21:23:17 interface,info ether1-gateway link up (speed 100M, full duplex)
may/13 21:23:17 interface,info ether2-master-local link up (speed 100M, full duplex)
may/13 21:23:17 interface,info ether4-slave-local link up (speed 100M, full duplex)
may/13 21:24:21 system,info sntp change time May/13/2016 21:23:38 => May/13/2016 21:24:21
may/13 21:26:22 interface,info ether2-master-local link down
may/13 21:26:22 interface,info ether4-slave-local link down
may/13 21:26:24 interface,info ether2-master-local link up (speed 100M, full duplex)
may/13 21:26:24 interface,info ether4-slave-local link up (speed 100M, full duplex)
may/13 21:29:16 interface,info ether2-master-local link up
may/13 21:29:16 interface,info ether4-slave-local link down
may/13 21:29:17 interface,info ether2-master-local link down
may/13 21:29:18 interface,info ether2-master-local link up (speed 100M, full duplex)
may/13 21:29:18 interface,info ether4-slave-local link up (speed 100M, full duplex)
may/13 21:36:01 interface,info ether4-slave-local link down

A little search on the internet shows that we are not alone. Port flapping is widespread in MikroTik world. There are many reports with the similar problem dating back to 2011, but there are no solution:

My guess is that switch chip is broken / dead /malfunctioning / buggy. Or the switch “part” of MikroTik router is sensitive to voltage / current changes.

But anyway, we solved this by disabling the switch and changed each port to different subnet (Bridging also may work). Now all the traffic is sent through the CPU, and even when MikroTik advertises, that switch have wire-speed, we noticed that traffic-through-CPU have even better performance.

WordPress still insecure by design

Some major WordPress design flaws have led to widespread attacks on our and your servers. The only hope is reasonably long and strong passwords or WordPress security plugins.

The first flaw. By default WordPress have enabled “feature”, when you visit your blog with author query string appended, it nicely reveals your usernames. For example, if you have:

http://blog.example.com

just add

http://blog.example.com/?author=1

and default WordPress installation redirects you to the:

http://blog.example.com/author/admin/

In you need next valid username, change 1 to 2:

http://blog.example.com/?author=2

The second flaw. WordPress have two separate login error messages:

ERROR: Invalid username

and

ERROR: The password you entered for the username admin is incorrect.

So basically, you can check if particular username is valid.

The third flaw. Many users use .htaccess to secure the wp-admin directory, but WordPress coders decided to include public accessible script in the admin folder. So securing admin folder breaks your site in many ways. Of course you can write more advanced .htaccess rules, but it is not excuse for including public script in the admin folder.

Both front-end and back-end Ajax requests use admin-ajax.php

Forth flaw. Allow hackers to iterate hundreds of usernames/passwords in the single web request (system.multicall), and do it via public accessible script, that is not hidden behind wp-admin folder. Just brilliant! By the way, flaw is still not fixed, and even if you have not so popular site, you will still see your log files full of password guessing requests from different IP addresses:

10.20.30.40 - - [13/Oct/2015:17:26:55 -0400] "POST /xmlrpc.php HTTP/1.0" 200 561 "-" "-"

Note, that IP 10.20.30.40 is given as an example.

Read more about this system.multicall thing here: Brute Force Amplification Attacks Against WordPress XMLRPC

The fifth flow (and not the last). If you have some flaws / vulnerabilities, please share them in comments. Of course only publicly known ones. If you have newly discovered flaw, use proper disclosure channels.