Open-AudIT

What's on your network?

All times are UTC + 10 hours




Posted: Fri Feb 25, 2011 12:46 pm
Because of an assumption built into the WinAPI for registering services, the RemCom service (RemComSvc) may not be able to run on a 64-bit machine, so audit.exe / audit.pl will not be able to audit the target 64-bit Windows machine.

The problem manifests itself with the following messages when audit.exe tries to audit a W64 machine:

Quote:
Couldn't start remote service
The system cannot find the file specified.

The issue is documented in several places on the net. Basically, when the service is registered, Windows adds a WOW64 flag to the service definition in the target machine's registry. This flag tells Windows to look for the service binary. Here is a discussion by another person who encountered this behavior:

http://social.msdn.microsoft.com/forums ... 948de8cf19

Possible solutions are:
  • Modify RemCom to delete the WOW64 key before starting the service. Unfortunately this approach would require the Remote Registry service to be running, which is not the case on most systems.
  • Create a 64-bit version of RemCom. Have the 32-bit version of RemCom check the architecture and have it invoke the 64-bit version when appropriate.
  • Create a 64-bit version of RemCom. Modify audit.pl/audit.exe to invoke the 32- or 64-bit RemCom when appropriate.

My approach was the last one. I didn't want to modify RemCom since it hasn't been changed since 2006. Building a 64-bit binary from the source was easy enough.

Modifying audit.pl & creating a new audit.exe was a bit of a pain since it required additional ActiveState tools that I didn't have immediate access to.

If anyone else has an alternative means of working around this issue, please pass it along!

Regards,
Steve
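
A local check for the condition the post describes, as an added example that is not part of the original post or of the Open-AudIT or RemCom code: it reads the service's registry entry on the 64-bit target and reports whether the WOW64 flag is set and whether the binary exists where a flagged service would be loaded from. Assumptions: the service name RemComSvc from the post, the flag stored as a `WOW64` value under the service's key, and System32 being redirected to SysWOW64 for flagged services.

```powershell
# Added diagnostic; run on the 64-bit target from a 64-bit PowerShell session.
# Assumption: the service is registered under the name used in the post.
param([string]$ServiceName = 'RemComSvc')

$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path -Path $keyPath)) {
    Write-Output "Service key not found: $keyPath"
    return
}

$svc = Get-ItemProperty -Path $keyPath

# Assumption: the flag is a value named WOW64; any non-zero data marks the
# service as 32-bit. A missing value means the service is treated as native.
$wow64 = [bool]($svc.PSObject.Properties['WOW64'] -and $svc.WOW64 -ne 0)

# ImagePath may be quoted and may carry arguments; keep only the executable.
# (An unquoted path containing spaces is not handled by this simple split.)
$raw = [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath)
$exe = if ($raw -match '^\s*"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }

# Assumption: for a flagged service, a System32 path is redirected to SysWOW64,
# so that is where the binary has to exist for the service to start.
$sys32 = Join-Path $env:SystemRoot 'System32'
$effective = $exe
if ($wow64 -and $exe.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)) {
    $effective = (Join-Path $env:SystemRoot 'SysWOW64') + $exe.Substring($sys32.Length)
}

[pscustomobject]@{
    Service            = $ServiceName
    WOW64Flag          = $wow64
    ImagePath          = $exe
    EffectivePath      = $effective
    ExistsAsRegistered = Test-Path -LiteralPath $exe
    ExistsWhereLoaded  = Test-Path -LiteralPath $effective
}
```

A result with `WOW64Flag` true, `ExistsAsRegistered` true and `ExistsWhereLoaded` false matches the "The system cannot find the file specified" failure quoted above.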

