Windows 10: naming programs main.exe causes them to show a pop-up


Problem description

On Windows 10, when we create a program named main.exe, or rename a program to main.exe, that program shows a pop-up, as shown below:



There are 2 different pop-ups that can be shown:

- the Game bar one (French and English versions):

- the screenshot one:

Win + (English: press Win + Alt + PrintScreen to take a screenshot)


I first found the problem while using python and cx_freeze.

I have tested it on multiple programs, including (as shown above) renaming notepad++.exe to main.exe, and each time a pop-up appears.

We can also notice that the pop-ups alternate (a game one, then a screenshot one, then a game one...)

I run Windows 10 through VirtualBox, but as noted below, the problem also happens on a physical computer.

Any idea how this happens?


NB : BoltClock also tested it (on a physical machine) and found that, on his machine, this behavior only happens with "Main.exe" while, on my machine, the behavior happened whatever the uppercase/lowercase distribution of "main" (i.e. it works with main.exe, Main.exe or even MaIN.exe)

Solution

I've done some digging over the weekend and I have found over 2000 special exe names which will trigger the same behaviour, not just main.exe.

Explorer has a component called BroadcastDVR (located in the twinui dll) which, upon a process creation, will compare the executable properties against a "store" of games and will launch GameLauncher.exe if there is a match.

I've not managed to pinpoint where the comparison is done since it's hidden behind a RPC call, which is a PITA to reverse.

Anyway, explorer.exe has a handle on the following file C:\Users\YOUR_USERNAME\AppData\Local\Microsoft\GamesDVR\KnownGameList.bin (there is a copy in C:\Windows\broadcastdvr) which lists all the special executables which trigger the XBox recorder popup. You can see the main.exe entry here (entry #1007):

I've written a 010 template file to parse the entry list and it comes with 2089 entries on my computer. From what I've seen by reversing the binary file, there are three types of entry:

  • the "simple" one where there is only a match on the executable name. For example: main.exe or ai.exe

  • the more complex one where there is a match on the executable name and the path where the exe is stored must contain some strings. For example: acu.exe must be located in a subfolder of Assassin's Creed Unity.

  • Some entries have additional strings to match, but I haven't found how to trigger the game DVR popup for them.

NB : the Win32 subsystem is case-insensitive so it makes sense that the executable name's case does not matter.

Here is the template (you can install 010 Editor from here, there is an evaluation period I think) :

typedef struct {
    BYTE Reserved[0x300];           // Fixed-size header, not parsed further
} HEADER;

typedef struct {
    WORD ByteLen;                   // Length in bytes of the UTF-16 string that follows
    BYTE RawString[ByteLen];
} GAME_WSTR <read=ReadGame>;

typedef struct {
    DWORD Reserved;
    DWORD ByteLen;                  // Length in bytes of the UTF-16 string that follows
    BYTE RawString[ByteLen] <fgcolor=cLtRed>;
} OPTION_STR <read=ReadOption>;

typedef struct {
    local int StartAddr = FTell();
    DWORD EntrySize;                // Size of the whole entry, counted from this field

    // Executable game name
    GAME_WSTR GameName <fgcolor=cLtBlue>;

    // Optional magic
    if (ReadUShort() == 0xca54)
        WORD OptReserved;

    // Optional structs based on switch values
    WORD AdditionalNamesCount;
    WORD SwitchOption2;

    // Additional names (probably like a hint, e.g. a folder the exe must live in).
    local int i = 0;
    for (i = 0; i < AdditionalNamesCount; i++) {
        OPTION_STR Option;
        if (ReadUShort() == 0xca54)
            WORD OptReserved;
    }

    // Look for a 0x20 separator byte; every byte up to and including it is consumed
    local int Find20h = 0;
    while (!Find20h) {
        Find20h = (0x20 == ReadByte());
        BYTE Res;
    }

    GAME_WSTR GameId;
    WORD Reserved;

    // Sometimes there is an additional name, sometimes not. Check that the
    // current position is still inside the declared EntrySize before reading it.
    if (FTell() - StartAddr < EntrySize)
    {
        switch (SwitchOption2)
        {
        case 3:
            OPTION_STR Option3;
            break;
        case 2:
            OPTION_STR Option2;
            break;
        case 1:
            break;
        }
    }

} ENTRY <read=ReadGameName>;

// Both string readers keep only the low byte of each UTF-16 code unit,
// which is enough for the ASCII executable names found in the list.
string ReadOption(OPTION_STR &Game)
{
    local wstring GameName = L"";
    local int i;
    for (i = 0; 2*i < Game.ByteLen; i++) {
        WStrcat(GameName, Game.RawString[2*i]);
    }
    return WStringToString(GameName);
}

string ReadGame(GAME_WSTR &Game)
{
    local wstring GameName = L"";
    local int i;
    for (i = 0; 2*i < Game.ByteLen; i++) {
        WStrcat(GameName, Game.RawString[2*i]);
    }
    return WStringToString(GameName);
}

string ReadGameName(ENTRY &Entry)
{
    local string GameName = ReadGame(Entry.GameName);
    local string OptionGameName = "";
    if (Entry.AdditionalNamesCount)
        OptionGameName = " : " + ReadOption(Entry.Option);

    return GameName + OptionGameName;
}

//------------------------------------------
LittleEndian();
Printf("Parse KnownGameList.bin Begin.\n");
HEADER UnknownHeader <bgcolor=cLtGray>;
// Stop at end of file instead of looping until a read past EOF fails
while (!FEof())
{
    ENTRY Entry <bgcolor=cLtPurple>;
    //Printf("Entry : %s -> %d.\n", ReadGameName(Entry), Entry.AdditionalNamesCount);
}
Printf("Parse KnownGameList.bin End.\n");

If that behavior annoys you, you can always globally disable it by setting the ShowStartup registry key to 0. It is located in HKEY_CURRENT_USER\Software\Microsoft\GameBar.

I haven't found how to disable specifically an executable from triggering it, but it might be possible just by looking at the machine code in twinui.

Security matter

We have a situation where we can launch a process just by changing the name of an executable. That might be dangerous.

The game launcher command line is located in HKEY_LOCAL_MACHINE\Software\Microsoft\GameOverlay which needs admin level to write into, so there is no UAC or Integrity level bypass possible here.

(I did not find an authoritative link from the msdn, so here is a SO answer confirming it : What registry access can you get without Administrator privileges?)
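As an added example (not the answer's own code), here is a Python reimplementation of the entry layout from the 010 template above, together with the name/path matching the answer describes, so an administrator can audit which executable names on a machine would trigger GameLauncher.exe. It assumes that EntrySize counts from the size field itself (so it can be used to jump to the next entry), and it runs on constructed sample data rather than a real KnownGameList.bin.

```python
import struct
HEADER_SIZE = 0x300   # fixed header length, taken from the 010 template above
OPT_MAGIC = 0xCA54    # optional WORD marker that may follow a string

def _wstr(buf, off, lenfmt):
    # Length-prefixed UTF-16LE string: "<H" is GAME_WSTR, "<II" is OPTION_STR (Reserved, ByteLen)
    blen, off = struct.unpack_from(lenfmt, buf, off)[-1], off + struct.calcsize(lenfmt)
    return buf[off:off + blen].decode("utf-16-le"), off + blen

def _skip_magic(buf, off):
    return off + 2 if struct.unpack_from("<H", buf, off)[0] == OPT_MAGIC else off

def parse_known_game_list(buf):
    """Return [(exe_name, [path hints])] per entry. ASSUMPTION: EntrySize counts from the
    size field itself, so it is used to jump to the next entry (the GameId tail is skipped)."""
    entries, off = [], HEADER_SIZE
    while off + 4 <= len(buf):
        start = off
        entry_size = struct.unpack_from("<I", buf, off)[0]
        name, off = _wstr(buf, off + 4, "<H")
        off = _skip_magic(buf, off)
        count = struct.unpack_from("<H", buf, off)[0]   # AdditionalNamesCount, then SwitchOption2
        off, hints = off + 4, []
        for _ in range(count):
            hint, off = _wstr(buf, off, "<II")
            hints.append(hint)
            off = _skip_magic(buf, off)
        entries.append((name, hints))
        off = start + entry_size
    return entries

def would_trigger(entries, exe_path):
    """Audit check: name compare is case-insensitive (Win32) and every path hint must appear in the folder."""
    folder, _, exe = exe_path.rpartition("\\")
    for name, hints in entries:
        if exe.lower() == name.lower() and all(h.lower() in folder.lower() for h in hints):
            return name
    return None

def _build_entry(name, hints=()):
    # Constructed sample data in the layout above; not a real KnownGameList.bin entry
    raw = name.encode("utf-16-le")
    body = struct.pack("<H", len(raw)) + raw + struct.pack("<HH", len(hints), 2 if hints else 1)
    for h in hints:
        raw = h.encode("utf-16-le")
        body += struct.pack("<II", 0, len(raw)) + raw
    body += b"\x20" + struct.pack("<HH", 0, 0)   # separator byte, empty GameId, Reserved WORD
    return struct.pack("<I", 4 + len(body)) + body
SAMPLE = bytes(HEADER_SIZE) + _build_entry("main.exe") + _build_entry("acu.exe", ["Assassin's Creed Unity"])
```

Pointing `parse_known_game_list` at the real file from the path in the answer gives the full list of names to compare against software deployed on a host.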
