Tag Archives: Windows

Windows 10 Snipping Tool is leaking your username and/or your full name

If you are concerned about privacy, then you probably know that it isn’t a good idea to use your real name as a Windows account name. Not only does Windows contain security flaws that can leak your username, but the name is also prominently displayed on your laptop’s sign-in screen, so anyone standing behind you learns your first and last name.

Windows 10 sign-in

Today’s story is about a Windows 10 built-in tool for taking screenshots: the Snipping Tool. It is a very convenient utility that lets you capture a full-screen image of your PC’s display, or just a window or a part of it.

Windows 10 Snipping Tool

It is very easy and convenient to take a snip and share it on the internet. However, when you share it as a JPG image, you are leaking your username or full name (if you use it as your sign-in or account name in Windows 10). Thankfully, JPG is not the default format for saving images; PNG is. But also note that there is no option or indication that your name will be embedded in the image metadata, also known as the Exif header.

I created a Capture.jpg image as an example, using a Windows 10 test account named after a fictitious character, Drip Leaker Junior, to illustrate the leak. After saving the .jpg image to disk, right-click it and choose the Details tab. You will see your name under the Authors property.

Capture.JPG properties

Fortunately, there is a “Remove Properties and Personal Information” option in the same Details tab, as shown in the screenshot above. Unfortunately, it does not remove the information completely. It would be fun if the NSA were behind this, but most probably it is just a bug: your name leaks in a way that is hidden from you but visible to any computer-savvy person.

So what happens after you click the “Remove…” link? It asks you either to create a copy with all possible properties removed, or to remove selected properties from the original file. See the screenshot below.

Remove Properties window

It doesn’t matter which option you choose; the personal information is not removed. It seems removed if you open the file properties again (right-click the file and choose the Details tab), but it isn’t. Your username/full name is still embedded in the JPG file.

Seems that Authors property is removed

To understand what is happening behind the scenes you will need a file viewer or, better, a hex editor: a program or app that shows the contents of any file as bytes or characters. Such a tool can reveal information that is usually invisible to the naive user.

Now, if you look at the original Capture.jpg file with such a tool, you will notice the embedded username in three places. See the hex dumps below.

00000850 00 00 00 00 00 00 00 00 ........
00000858 00 00 00 00 00 00 00 00 ........
00000860 00 00 00 00 00 00 00 00 ........
00000868 44 72 69 70 20 4C 65 61 Drip Lea
00000870 6B 65 72 20 4A 75 6E 69 ker Juni
00000878 6F 72 00 00 00 01 EA 1C or....ê.
00000880 00 07 00 00 08 0C 00 00 ........
00000888 08 70 00 00 00 00 1C EA .p.....ê

00001090 00 00 00 00 00 00 00 00 ........
00001098 00 00 00 00 44 00 72 00 ....D.r.
000010A0 69 00 70 00 20 00 4C 00 i.p. .L.
000010A8 65 00 61 00 6B 00 65 00 e.a.k.e.
000010B0 72 00 20 00 4A 00 75 00 r. .J.u.
000010B8 6E 00 69 00 6F 00 72 00 n.i.o.r.
000010C0 00 00 FF E1 0A 6B 68 74 ..ÿá.kht
000010C8 74 70 3A 2F 2F 6E 73 2E tp://ns.

000012A8 79 6E 74 61 78 2D 6E 73 yntax-ns
000012B0 23 22 3E 3C 72 64 66 3A #"><rdf:
000012B8 6C 69 3E 44 72 69 70 20 li>Drip 
000012C0 4C 65 61 6B 65 72 20 4A Leaker J
000012C8 75 6E 69 6F 72 3C 2F 72 unior</r
000012D0 64 66 3A 6C 69 3E 3C 2F df:li></
000012D8 72 64 66 3A 53 65 71 3E rdf:Seq>

When you use the “Remove Properties and Personal Information” feature, it removes only the last entry, around address 0x12B0, and leaves the other two untouched. Also, notice the 0x00 between characters in the second hex dump; most probably it is the Unicode version of the author name.
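Added example (mine, not from the post): a Python script that walks a JPEG’s APP1 segments and reports each place the author name is stored, so you can verify what “Remove Properties” actually left behind. The post does not name the Exif tags; the tag numbers 0x013B (Artist, ASCII) and 0x9C9D (XPAuthor, UTF-16LE) are my inference from the dumps, and the sample file built by build_sample_jpeg is constructed, not a real snip.

```python
import re
import struct

TAG_ARTIST = 0x013B      # Exif Artist (ASCII): the plain copy; tag numbers are my inference, the post names none
TAG_XP_AUTHOR = 0x9C9D   # Exif XPAuthor (UTF-16LE): the copy with 00 between characters
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"

def _author_tags(payload: bytes) -> dict:
    tiff = payload[6:]                          # drop the "Exif\0\0" prefix; offsets are relative to here
    end = "<" if tiff[:2] == b"II" else ">"     # II = little endian, MM = big endian
    ifd0 = struct.unpack(end + "I", tiff[4:8])[0]
    count = struct.unpack(end + "H", tiff[ifd0:ifd0 + 2])[0]
    found = {}                                  # {tag: raw value bytes} for the two author tags in IFD0
    for i in range(count):
        tag, _typ, n, raw = struct.unpack(end + "HHI4s", tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i])
        if tag in (TAG_ARTIST, TAG_XP_AUTHOR):  # both are one byte per count (ASCII / BYTE)
            off = struct.unpack(end + "I", raw)[0]
            found[tag] = raw[:n] if n <= 4 else tiff[off:off + n]   # >4 bytes are stored at an offset
    return found

def find_author_fields(jpeg: bytes) -> dict:
    """Walk the JPEG segments and report every place an author name is stored."""
    hits, pos = {}, 2                           # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:  # stop at SOS
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            exif = _author_tags(payload)
            for tag, key, enc in ((TAG_ARTIST, "exif_artist", "ascii"), (TAG_XP_AUTHOR, "exif_xp_author", "utf-16-le")):
                if tag in exif:
                    hits[key] = exif[tag].decode(enc, "replace").rstrip("\x00")
        elif jpeg[pos + 1] == 0xE1 and payload.startswith(XMP_HEADER):
            m = re.search(rb"<dc:creator>.*?<rdf:li>(.*?)</rdf:li>", payload, re.S)
            if m:
                hits["xmp_dc_creator"] = m.group(1).decode("utf-8")
        pos += 2 + length
    return hits

def build_sample_jpeg(name: str, with_xmp: bool = True) -> bytes:
    """Constructed test file (not a real snip): Exif IFD0 with both author tags, optional XMP packet."""
    ascii_val = name.encode("ascii") + b"\x00"
    utf16_val = name.encode("utf-16-le") + b"\x00\x00"
    values_at = 8 + 2 + 2 * 12 + 4              # header, entry count, two entries, next-IFD link
    ifd = struct.pack("<HHII", TAG_ARTIST, 2, len(ascii_val), values_at)
    ifd += struct.pack("<HHII", TAG_XP_AUTHOR, 1, len(utf16_val), values_at + len(ascii_val))
    tiff = b"II\x2a\x00" + struct.pack("<IH", 8, 2) + ifd + b"\x00" * 4 + ascii_val + utf16_val
    segments = [b"Exif\x00\x00" + tiff]
    if with_xmp:                                # the one copy "Remove Properties" actually strips
        segments.append(XMP_HEADER + b"<dc:creator><rdf:Seq><rdf:li>" + name.encode() + b"</rdf:li></rdf:Seq></dc:creator>")
    # SOI, the APP1 segments (FF E1 + big-endian length), an empty SOS, EOI; the parser stops at SOS
    return b"\xff\xd8" + b"".join(b"\xff\xe1" + struct.pack(">H", len(p) + 2) + p for p in segments) + b"\xff\xda\x00\x02\xff\xd9"
```

Running find_author_fields on build_sample_jpeg("Drip Leaker Junior", with_xmp=False) mirrors the post’s result: the XMP copy is gone but both Exif copies still report the name.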

Why didn’t I report this bug to Microsoft? I actually did report the same bug for Windows 8 about five years ago, and the fix never came…

So what can you do to prevent your personal information from leaking? Maybe stick to the .png format (the default one), which seems not to have this bug. Or try to submit the bug to Microsoft; perhaps you will have better luck than me.

Software used in the tests: fully patched Windows 10 Pro 64-bit, Version 1803 (OS Build 17134.167). Hex editor used: the freeware Febooti HEX Editor.

P.S. If you are wondering what happens when you click the Help link in the Remove Properties window, “What personal information might be in a file?”, it leads to https://go.microsoft.com/fwlink/?LinkId=517009, which redirects to the root page of Windows 10 support, https://support.microsoft.com/en-us/products/windows?os=windows-10, which of course doesn’t have any useful information. This may be related to the fact that Microsoft somehow is not dedicating enough resources to software testing, but that’s a story for another time.

Windows Update – Service not running or Windows System apps appear as from unknown publisher

There are two symptoms of the same problem in Microsoft Windows:

  1. Windows Update cannot currently check for updates, because the service is not running. You may need to restart your computer
  2. When you Run As Administrator mmc.exe, notepad.exe, regedit.exe or any other program, you get: Do you want to allow the following program from an unknown publisher to make changes to this computer?

These errors started to appear after one of the drives in an Intel RAID 1 array (Intel ICH8R/ICH10R SATA RAID controller) failed and was replaced with a new drive. The RAID rebuild was successful; however, the above symptoms appeared.

Where is the problem?

Windows Cryptographic Services. The service has two folders under the Windows\System32 directory:
C:\Windows\System32\catroot
and
C:\Windows\System32\catroot2

One of them has a log file, edb.log, that was full of error messages:

CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1900 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #901 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1921 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #911 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #755 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #969 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #6724 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #6918 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #7075 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #3454 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #2702 encountered JET error -583

Also, in the GUID-named subfolders there are two database files called “catdb”:
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
and
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb

They were both missing; the folders were empty… And do not try to copy them from another PC, it will not work: Windows automatically deletes them after Cryptographic Services is started.
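Added example (mine, not from the post): a Python script that tallies the CatalogDB errors in an edb.log and checks whether the two catdb files named above are present, so the two findings can be confirmed from a script rather than by eye. The verdict labels and the sample log (a subset of the lines quoted above plus one unrelated line) are my own construction.

```python
import re
from collections import Counter
from pathlib import Path

# Locations named in the post. Windows regenerates catdb once Cryptographic Services starts cleanly.
CATROOT2 = r"C:\Windows\System32\catroot2"
CATDB_DIRS = ("{127D0A1D-4EF2-11D1-8608-00C04FC295EE}", "{F750E6C3-38EE-11D1-85E5-00C04FC295EE}")
LINE_RE = re.compile(r"^CatalogDB: (?P<ts>\d\d:\d\d:\d\d \w\w \d\d/\d\d/\d{4}): (?P<msg>.+)$")
JET_RE = re.compile(r"^(?P<src>\S+) at line #(?P<line>\d+) encountered JET error (?P<code>-?\d+)$")

def summarize_edb_log(text: str) -> dict:
    """Tally JetInit corruption reports and JET error codes per source file in CatalogDB log text."""
    out = {"jetinit_corruption": 0, "jet_errors": Counter(), "sources": Counter(), "unparsed": 0}
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        jet = JET_RE.match(m.group("msg")) if m else None
        if m and m.group("msg") == "JetInit Corruption":
            out["jetinit_corruption"] += 1
        elif jet:
            out["jet_errors"][int(jet.group("code"))] += 1
            out["sources"][jet.group("src")] += 1
        else:
            out["unparsed"] += 1                # surface unknown lines instead of silently dropping them
    return out

def missing_catdb(root: str = CATROOT2) -> list:
    """Return the GUID subfolders under catroot2 whose catdb file is absent."""
    return [d for d in CATDB_DIRS if not (Path(root) / d / "catdb").is_file()]

def diagnose(log_text: str, root: str = CATROOT2) -> str:
    """Combine both findings into one verdict (verdict labels are mine, not Microsoft's)."""
    s, gone = summarize_edb_log(log_text), missing_catdb(root)
    if s["jet_errors"].get(-583) and gone:       # the post's case: JET -583 everywhere and empty GUID folders
        return "catalog-db-corrupt-and-missing"  # remedy in the post: fix the RAID driver, let CryptSvc rebuild
    if s["jet_errors"] or s["jetinit_corruption"]:
        return "catalog-db-errors-logged"
    return "catdb-missing-only" if gone else "healthy"

# Constructed sample: a subset of the CatalogDB lines quoted in the post, plus one unrelated line.
SAMPLE_LOG = """\
CatalogDB: 18:50:01 AM 05/16/2016: JetInit Corruption
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #1900 encountered JET error -583
CatalogDB: 18:50:01 AM 05/16/2016: catadnew.cpp at line #901 encountered JET error -583
CatalogDB: 18:50:02 AM 05/16/2016: catdbsvc.cpp at line #755 encountered JET error -583
ESENT: unrelated line that the parser does not recognise
"""
```

On the affected machine, read C:\Windows\System32\catroot2\edb.log and pass its text to diagnose(); a healthy machine returns "healthy" only when both catdb files exist and the log carries no JET errors.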

Where is the solution?

Update your RAID driver! Yes, it is as simple as that: update the driver (to at least version 11.7.0.1013 from 12/3/2012), and these files are regenerated automatically. On a modern Intel i7 CPU it took about 1 hour.

P.S. I believe that this applies not only to Windows 7, but also to Windows 8.1 and Windows 10.
P.P.S. Running the Microsoft Windows Resource Checker (SFC.exe) does not do anything useful in this case.

MS-DOS (cmd.exe) prompt introduction

This article is from our Febooti archive; it was relevant then, and I think it is still relevant today.

If you remember the computers of an earlier day, then you surely remember the old MS-DOS. If you are of the more recent generation of computer users, then you have also probably seen, used or at least heard of MS-DOS. If you are not one of the aforementioned, MS-DOS is an acronym for Microsoft Disk Operating System. It is just yet another Microsoft operating system.

However, unlike the Microsoft operating systems you are probably used to (Windows 95, XP, Windows 7 or Windows 8, for example), you won’t see any neat little graphics to click on. These newer operating systems are often called Graphical User Interfaces, or GUIs. MS-DOS does not care about anything called an icon, wallpaper or screen saver. Rather than a Graphical User Interface, MS-DOS is what is known as a command-line interface (CLI): you type commands on what is called the command line.

When using a command-line operating system, you enter commands to accomplish tasks. Once you have worked with this type of system, you soon realize that there are many command combinations you enter frequently. This is where batch files become ingenious: when you want the computer to perform a given combination of commands many times over, a batch file can store that command combination for swift execution.

Therefore a batch file is a sequence of commands you would typically enter at a command prompt. Batch files are often used to start programs and run utilities, because they let these things happen with fewer commands typed. Automation is possible as well, furthering the advantages of batch. Batch files accomplish all of this while remaining relatively small in file size.

Now, how does this relate to batch scripts? Once you make a script (program), will it run in this screen? Not exactly. We won’t run our scripts in the actual MS-DOS, but in the watered-down, readily accessible version Windows provides: the command prompt. This is where you will see any output produced. This screen, besides being called a command prompt, is often referred to simply as a DOS prompt, command line or MS-DOS prompt.

You can also open and modify programs from the command prompt. When writing batch scripts you will soon become quite familiar with this screen. Since most of us use Windows XP, 7 or 8, those will be the primary operating systems the examples herein are written for. However, when worthwhile, references will be made to previous versions of Windows. So, to actually run the batch scripts we make, we need to be able to access the command prompt.

Run cmd in Windows 8.1
Run cmd in Windows XP

How do you get an MS-DOS prompt? To access the command prompt, simply click the Start button in the lower left-hand corner of the screen, then click the Run… option. On newer Windows 8 and 8.1, just press the Windows key on the keyboard and type CMD.exe.

When you do this, a small box appears in the lower left-hand corner of the screen. To access the command prompt, simply type cmd (Windows XP, Vista, 7).

The command prompt is similar to MS-DOS. It is a great tool with many uses. One way of harnessing those uses in one file, without having to type the commands each time, is a batch file.

Next article tomorrow.


Edit Oct 17, 2014: added link to the next article.