EDDiscovery tries to access non-existent CAPI\status.json very often #2

unfo opened this issue May 8, 2024 · 0 comments
unfo commented May 8, 2024

Do let me know if this is the wrong project and this should be reported in the main project.

Background: I was trying to figure out some problematic things with MS ProcMon for ED itself and found a misconfig in my environment. So I figured I'd have a look at what kinds of events EDDiscovery was spawning -- especially relating to things that are not successful events like missing files, or DLL hijack opportunities (infosec background).

What I discovered was that EDDiscovery keeps trying to open a non-existent file \Data\CAPI\status.json under the path of my portable installation of EDDiscovery 17.1.1.

And that this happens very frequently.

See attached CSV file for ProcMon log.

Row 1: Header
Row 2-29: Repeated attempts to read the status.json file within 3 seconds => NOT FOUND
Row 30: Empty space for easier legibility
Row 31-91: Repeated reads of status.json (which is empty) - 10 times within one second.

Example failed read:

"21.32.07,3602757","EDDiscovery.exe","29648","CreateFile","C:\Users\<username>\Downloads\EDDiscovery.Portable.17.1.1\Data\CAPI\status.json","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"

Example successful read:

"21.32.10,4318364","EDDiscovery.exe","29648","CreateFile","C:\Users\<username>\Downloads\EDDiscovery.Portable.17.1.1\Data\CAPI\status.json","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Open No Recall, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"21.32.10,4318645","EDDiscovery.exe","29648","ReadFile","C:\Users\<username>\Downloads\EDDiscovery.Portable.17.1.1\Data\CAPI\status.json","END OF FILE","Offset: 0, Length: 4 096, Priority: Normal"
"21.32.10,4318777","EDDiscovery.exe","29648","CloseFile","C:\Users\<username>\Downloads\EDDiscovery.Portable.17.1.1\Data\CAPI\status.json","SUCCESS",""

eddc-data-capi-statusjson.CSV

Just wanted to report this as potentially misfiring configuration/loop etc.

I tried to find the relevant code in the main project or this one, but could only find the stuff that reads the \Data\CAPI\something.cred file after I logged in with my Frontier CAPI -- I tried to see if logging in would cause the status.json to be created, but it only dropped the .cred file.

This is not causing any bigger issues, other than now knowing that it is trying to do that very very frequently and it annoys me 😅

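An added example, not part of the issue above and not EDDiscovery's own code: a small Python script that does over a ProcMon CSV export what the reporter did by hand. It groups CreateFile events per process and path, counts NAME NOT FOUND results, measures the densest burst of misses inside a time window, and flags missing .dll paths as the DLL-hijack candidates the report mentions. The embedded CSV is constructed: the status.json rows follow the format and timestamps of the report (including the locale form "HH.MM.SS,fraction"), and the other.txt row is a control case that is not from the report. Column names are ProcMon's CSV export header.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the column layout of a ProcMon CSV export.
# The status.json path is the one from the report; other.txt is a control case
# (one miss only) that is NOT from the report.
PORTABLE_DIR = r"C:\Users\<username>\Downloads\EDDiscovery.Portable.17.1.1"
STATUS_JSON = PORTABLE_DIR + r"\Data\CAPI\status.json"
OTHER_FILE = PORTABLE_DIR + r"\Data\other.txt"

SAMPLE_CSV = f'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"21.32.07,3602757","EDDiscovery.exe","29648","CreateFile","{STATUS_JSON}","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"21.32.07,5100000","EDDiscovery.exe","29648","CreateFile","{STATUS_JSON}","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"21.32.08,0200000","EDDiscovery.exe","29648","CreateFile","{STATUS_JSON}","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"21.32.08,8000000","EDDiscovery.exe","29648","CreateFile","{STATUS_JSON}","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"21.32.09,2000000","EDDiscovery.exe","29648","CreateFile","{STATUS_JSON}","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"21.32.09,9000000","EDDiscovery.exe","29648","CreateFile","{OTHER_FILE}","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"21.32.10,4318364","EDDiscovery.exe","29648","CreateFile","{STATUS_JSON}","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"21.32.10,4318645","EDDiscovery.exe","29648","ReadFile","{STATUS_JSON}","END OF FILE","Offset: 0, Length: 4 096, Priority: Normal"
"21.32.10,4318777","EDDiscovery.exe","29648","CloseFile","{STATUS_JSON}","SUCCESS",""
'''

# Accepts "HH:MM:SS.ffff" as well as the locale form "HH.MM.SS,ffff" seen in the report.
TIME_RE = re.compile(r"^(\d{1,2})[.:](\d{2})[.:](\d{2})[.,](\d+)$")


def parse_time(s):
    """ProcMon 'Time of Day' -> seconds since midnight as a float."""
    m = TIME_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised ProcMon timestamp: {s!r}")
    h, mi, sec, frac = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(sec) + int(frac) / 10 ** len(frac)


def parse_procmon_csv(text):
    """Parse a ProcMon CSV export into a list of event dicts (quoted commas are handled by csv)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "t": parse_time(row["Time of Day"]),
            "proc": row["Process Name"],
            "pid": row["PID"],
            "op": row["Operation"],
            "path": row["Path"],
            "result": row["Result"],
        })
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        j = max(j, i)
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        best = max(best, j - i)
    return best


def find_probed_paths(events, min_misses=3, window=3.0):
    """Paths a process repeatedly failed to open, with counts, the densest burst of misses,
    and whether the missing file is a DLL (a classic search-order hijack candidate)."""
    by_key = defaultdict(list)
    for e in events:
        if e["op"] == "CreateFile":
            by_key[(e["proc"], e["path"])].append(e)
    findings = {}
    for (proc, path), evs in by_key.items():
        misses = [e["t"] for e in evs if e["result"] == "NAME NOT FOUND"]
        if len(misses) < min_misses:
            continue
        findings[path] = {
            "process": proc,
            "not_found": len(misses),
            "success": sum(1 for e in evs if e["result"] == "SUCCESS"),
            "burst": max_in_window(misses, window),
            "dll_hijack_candidate": path.lower().endswith(".dll"),
        }
    return findings


if __name__ == "__main__":
    for path, f in find_probed_paths(parse_procmon_csv(SAMPLE_CSV)).items():
        flag = " [DLL hijack candidate]" if f["dll_hijack_candidate"] else ""
        print(f"{f['process']}: {path}{flag}")
        print(f"  NAME NOT FOUND x{f['not_found']} (max {f['burst']} within 3 s), "
              f"SUCCESS x{f['success']}")
```

To run it over a real capture, export from ProcMon as CSV and call `find_probed_paths(parse_procmon_csv(open("export.csv", encoding="utf-8-sig").read()))`; `utf-8-sig` strips a UTF-8 BOM if the export carries one. Lower `min_misses` to 1 to list every missing file, which is the quick way to spot DLLs probed from a writable directory.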