SystemSettings.exe Crashes on Windows 10


Recreate problem: Start > Settings > Accounts = crashes
Event Viewer shows the following error:

Faulting application name: SystemSettings.exe, version: 10.0.14393.82, time stamp: 0x57a55dc6
Faulting module name: usercpl.dll, version: 10.0.14393.1198, time stamp: 0x590280e6
Exception code: 0xc0000005
Fault offset: 0x000000000000d337
Faulting process id: 0x31e0
Faulting application start time: 0x01d2fffc16cd4baf
Faulting application path: C:\WINDOWS\ImmersiveControlPanel\SystemSettings.exe
Faulting module path: C:\WINDOWS\System32\usercpl.dll
Report Id: 34a5a1ac-6e28-468d-b57d-f88e297b6f83
Faulting package full name: windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: microsoft.windows.immersivecontrolpanel

What we see is that the process “SystemSettings.exe” hits an access violation (exception code 0xc0000005) when trying to open Accounts.

Desired Outcome:

Initial Testing:

Removed security apps – same results
Created new vanilla WIM – same results
Removed from domain – works successfully

Testing Next Steps:
Start blocking my test system from individual GPOs.
I was later able to pinpoint the exact GPO that was causing the problem. We have a rather lengthy security GPO in this environment that I inherited.

Deeper Troubleshooting:
Everything in the GPO looked acceptable to me upon initial inspection. I next downloaded Procmon to get a trace of all the registry and file system activity of the process.

ProcDump Troubleshooting:
1. Open a command prompt as administrator
2. Type “procdump.exe -ma -e -t systemsettings.exe”
3. Reproduce the issue
4. Analyze the dump files

Debug Notes:
Dump Name: systemsettings.exe_170801_094202.dmp
Computer Name: P974522
Windows 10 Version 15063 MP (4 procs) Free x64
Product: WinNt, suite: SingleUserTS
15063.0.amd64fre.rs2_release.170317-1834
Debug session time: Tue Aug  1 10:42:02.000 2017 (UTC - 4:00)
System Uptime: 3 days 23:01:11.214
Process Uptime: 0 days 0:00:02.000
  Kernel time: 0 days 0:00:00.000
  User time: 0 days 0:00:00.000
User Name: H93
PID: 0x2698 = 0n9880
Comment: '
*** "C:\Users\H93\Desktop\Procdump\procdump.exe" -accepteula -ma -j "C:\Dumps" 9880 360 00000284D63B0000
*** Just-In-Time debugger. PID: 9880 Event Handle: 360 JIT Context: .jdinfo 0x284d63b0000'
User Mini Dump File with Full Memory: Only application data is available.
 
 
CONTEXT:  (.ecxr)
rax=00000000ffffffff rbx=00000284d5b0b930 rcx=00000284d86188f8
rdx=0000000000000020 rsi=0000000000000000 rdi=ffffffffffffffff
rip=00007ff9d86f8a3f rsp=000000cda4efe270 rbp=000000cda4efe2c0
r8=0000000000000000  r9=0000000000000006 r10=00000fff44e562aa
r11=0451044040040500 r12=0000000000000000 r13=000000cda4efe920
r14=0000000000000000 r15=0000000000000001
iopl=0         nv up ei ng nz ac po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010296
usercpl!CUserManager::_RemoveGuestTile+0x5b:
00007ff9`d86f8a3f 488364c35000    and     qword ptr [rbx+rax*8+50h],0 ds:0000028c`d5b0b978=????????????????
Resetting default scope
 
EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff9d86f8a3f (usercpl!CUserManager::_RemoveGuestTile+0x000000000000005b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000028cd5b0b978
Attempt to write to address 0000028cd5b0b978
 
0:043> k
Child-SP          RetAddr           Call Site
000000cd`a4efc918 00007ffa`3309dd20 ntdll!ZwWaitForMultipleObjects+0x14
000000cd`a4efc920 00007ffa`3309dc1e KERNELBASE!WaitForMultipleObjectsEx+0xf0
000000cd`a4efcc20 00007ffa`332a191c KERNELBASE!WaitForMultipleObjects+0xe
000000cd`a4efcc60 00007ffa`332a142f kernel32!WerpReportFaultInternal+0x4bc
000000cd`a4efd210 00007ffa`33056a6f kernel32!WerpReportFault+0x73
000000cd`a4efd250 00007ffa`3354da9d KERNELBASE!UnhandledExceptionFilter+0x2af
(Inline Function) --------`-------- ntdll!RtlpThreadExceptionFilter+0x27
000000cd`a4efd360 00007ffa`33536476 ntdll!RtlUserThreadStart$filt$0+0x38
000000cd`a4efd390 00007ffa`3354a08d ntdll!__C_specific_handler+0x96
000000cd`a4efd400 00007ffa`334b9c58 ntdll!RtlpExecuteHandlerForException+0xd
000000cd`a4efd430 00007ffa`3354910e ntdll!RtlDispatchException+0x368
000000cd`a4efdb40 00007ff9`d86f8a3f ntdll!KiUserExceptionDispatch+0x2e
000000cd`a4efe270 00007ff9`d86f8b7a usercpl!CUserManager::_RemoveGuestTile+0x5b
000000cd`a4efe2a0 00007ff9`d86f8dbe usercpl!CUserManager::_HandleGuestAccountTile+0x12a
000000cd`a4efe2e0 00007ff9`d870e739 usercpl!CUserManager::ResetUserData+0x1ce
000000cd`a4efe380 00007ffa`32f588d3 usercpl!CUserManagementWizards::GetUserManagerInstance+0x129
000000cd`a4efe450 00007ffa`32fbc93e rpcrt4!Invoke+0x73
000000cd`a4efe4a0 00007ffa`32ef91a4 rpcrt4!Ndr64StubWorker+0xbde
000000cd`a4efeb70 00007ffa`327c4d99 rpcrt4!NdrStubCall3+0xb4
000000cd`a4efebd0 00007ffa`32f43a2b combase!CStdStubBuffer_Invoke+0x59
000000cd`a4efec10 00007ffa`32867963 rpcrt4!CStdStubBuffer_Invoke+0x3b
(Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_76d9e92c799d246a4afbe64a2bf5673d>::operator()+0x2b
000000cd`a4efec40 00007ffa`32866286 combase!ObjectMethodExceptionHandlingAction<<lambda_76d9e92c799d246a4afbe64a2bf5673d> >+0x53
(Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing+0x89
000000cd`a4efeca0 00007ffa`3286c75e combase!DefaultStubInvoke+0x216
(Inline Function) --------`-------- combase!SyncStubCall::Invoke+0x2c
(Inline Function) --------`-------- combase!SyncServerCall::StubInvoke+0x2c
(Inline Function) --------`-------- combase!StubInvoke+0x290
000000cd`a4efeeb0 00007ffa`328683ff combase!ServerCall::ContextInvoke+0x45e
(Inline Function) --------`-------- combase!CServerChannel::ContextInvoke+0x97
(Inline Function) --------`-------- combase!DefaultInvokeInApartment+0xb0
(Inline Function) --------`-------- combase!ClassicSTAInvokeInApartment+0x1e6
000000cd`a4eff190 00007ffa`328648aa combase!AppInvoke+0xa5f
000000cd`a4eff300 00007ffa`32803369 combase!ComInvokeWithLockAndIPID+0x57a
(Inline Function) --------`-------- combase!ComInvoke+0x1c0
000000cd`a4eff580 00007ffa`32802fe8 combase!ThreadDispatch+0x2b9
000000cd`a4eff650 00007ffa`3335bc50 combase!ThreadWndProc+0x198
000000cd`a4eff6f0 00007ffa`3335b5cf user32!UserCallWinProcCheckWow+0x280
000000cd`a4eff850 00007ff9`d870d2dc user32!DispatchMessageWorker+0x19f
(Inline Function) --------`-------- usercpl!Windows::Internal::ComTaskPool::CThread::_DispatchMessage+0x1a
000000cd`a4eff8d0 00007ff9`d870d761 usercpl!Windows::Internal::ComTaskPool::CThread::_WaitForThreadUpdate+0x70
000000cd`a4eff940 00007ff9`d870d13e usercpl!Windows::Internal::ComTaskPool::CThread::_ThreadProc+0x37d
000000cd`a4effa00 00007ff9`d870d259 usercpl!Windows::Internal::ComTaskPool::CThread::s_ExecuteThreadProc+0x12
000000cd`a4effa30 00007ffa`332b2774 usercpl!Windows::Internal::ComTaskPool::CThread::s_ThreadProc+0x9
000000cd`a4effa60 00007ffa`33510d61 kernel32!BaseThreadInitThunk+0x14
000000cd`a4effa90 00000000`00000000 ntdll!RtlUserThreadStart+0x21
 
0:043> .f-
0c 000000cd`a4efe270 00007ff9`d86f8b7a usercpl!CUserManager::_RemoveGuestTile+0x5b
0:043> dv
           this = 0x00000284`d5b0b930
         iGuest = 0n-1             <- failed to locate the index of the Guest account
              i = 0xffffffff

GPO Looks like this (wrong)

Cause: SystemSettings.exe crashed because it could not identify the index of the guest account while loading user information. In our environment the guest account is renamed by GPO to something different. This crash can happen if the following two conditions are met:
1. The guest account is disabled or renamed
2. The number of profiles stored under the following key is more than 100:
   a. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
 
Resolution: Renamed the “***Guest” account back to “Guest” and left the account disabled in GPO, and we get the expected functionality.
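As an added example (not part of the original post), the snippet below recomputes the faulting address from the register values in the dump to confirm that rax held the not-found index -1 zero-extended to 0xffffffff, and shows the bounds check that would have prevented the write. The account list, the tile table and the name "RenamedGuest" are constructed stand-ins.

```python
"""Check the root-cause theory from the dump: iGuest = -1 used as an index."""
from typing import Sequence

# Register values copied from the .ecxr CONTEXT output (rbx = this pointer)
RBX_THIS = 0x00000284D5B0B930
RAX_INDEX = 0x00000000FFFFFFFF           # i = 0xffffffff, i.e. iGuest = -1 zero-extended
FAULT_ADDRESS = 0x0000028CD5B0B978        # Parameter[1] of the exception record

# Constructed local account names; nothing is literally named "Guest"
ACCOUNTS = ["Administrator", "DefaultAccount", "H93", "RenamedGuest"]


def find_guest_index(accounts: Sequence[str]) -> int:
    """Return the index of the account named 'Guest', or -1 when it is absent."""
    for i, name in enumerate(accounts):
        if name == "Guest":
            return i
    return -1


def effective_address(rbx: int, index32: int) -> int:
    """Address written by 'and qword ptr [rbx+rax*8+50h],0' when rax holds the
    32-bit index zero-extended, which is what a signed -1 becomes in a 32-bit register."""
    rax = index32 & 0xFFFFFFFF
    return (rbx + rax * 8 + 0x50) & 0xFFFFFFFFFFFFFFFF


def remove_guest_tile_checked(tiles: list, iguest: int) -> bool:
    """Hardened form of the remove step: reject the 'not found' sentinel and any
    out-of-range index instead of indexing with it. Returns True when a tile was removed."""
    if iguest < 0 or iguest >= len(tiles):
        return False
    tiles[iguest] = None
    return True


if __name__ == "__main__":
    iguest = find_guest_index(ACCOUNTS)
    addr = effective_address(RBX_THIS, iguest)
    print(f"iGuest={iguest}  write address=0x{addr:016x}  matches dump: {addr == FAULT_ADDRESS}")
    tiles = [object() for _ in ACCOUNTS]
    print("checked remove performed:", remove_guest_tile_checked(tiles, iguest))
```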
Remediate unquoted service path vulnerability via compliance item.


Remediate unquoted service path vulnerability

I have now been to three different environments that have this vulnerability. In all three environments it was one of the top offenders by total vulnerability count. It is not necessarily something that will cause outages if left unpatched, but it does give malicious programs the potential to run. There are already published posts with great explanations of the vulnerability from CommonExploits and Tenable. The scope of this blog post is how to identify the vulnerability, how to remediate it manually, and how to auto-remediate it via a compliance item.


To identify unquoted service path vulnerabilities locally on your system:
Launch an elevated PowerShell prompt and type the command below

cmd /c 'wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """'

Below we see that we do have 1 item that is vulnerable.

This is what the ACAS scans are finding; however, the finding does not tell you where to correct this within the registry. To remediate it we have to locate the service's entry in the registry and add quotes to the path. I believe there is a way to configure the reporting to be more verbose and include the registry location, but I am unfamiliar with the ACAS tool.

ACAS SCAN BEFORE IT IS FIXED

Manual Fix
          Launch Regedit.exe as Admin
          Navigate to HKLM\System\CurrentControlSet\Services
          Search with Edit > Find and enter the vulnerable service name. For our example we will search “AERTSr64”
          Select the ImagePath string for the vulnerable service
          Add quotes around the executable path in the value (arguments, if any, stay outside the quotes)


ACAS SCAN AFTER IT IS FIXED

NOTE: there is no screenshot of this finding in the ACAS scan after the fix, as it is remediated
 

Automated Fix via Compliance Item

We will create a compliance item to discover systems with the unquoted service path vulnerability and then remediate it.

Discovery Script

# Run the same wmic/findstr pipeline used above: every line returned is an
# auto-start service outside C:\Windows whose PathName is not quoted.
$value = cmd /c 'wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """'
# Return 1 (non-compliant) when at least one such service was listed, otherwise 0
if ($value -like "* *")
{
    1
}
else
{
    0
}


Remediation Script

Option Explicit
Const HKLM = &H80000002
Dim objWMIService
Dim colServices, objService
Dim strComputer
Dim quote: quote = Chr(34)
Dim strPathName
Dim strCommand, strArgs, message
Dim bBatch: bBatch = False
Dim wshShell: Set wshShell = WScript.CreateObject("WScript.Shell")
Dim i, iCount, objReg
Dim bDebug: bDebug = False

'If not CScript, re-run with cscript...
If (Not IsCScript()) Then
    For i = WScript.Arguments.Count - 1 To 0 Step -1
        strArgs = WScript.Arguments(i) & Space(1) & strArgs
    Next
    wshShell.Run "CScript.exe " & quote & WScript.ScriptFullName & quote & Space(1) & strArgs, 1, True
    WScript.Quit    '...and stop running as WScript
End If

'An optional single argument names a remote computer (batch mode, no message boxes)
If WScript.Arguments.Count = 1 Then
    bBatch = True
    strComputer = WScript.Arguments(0)
Else
    strComputer = wshShell.ExpandEnvironmentStrings("%COMPUTERNAME%")
End If
If strComputer = "" Then WScript.Quit
strComputer = UCase(strComputer)

WMICX
Main
If Not bDebug Then
    WScript.Echo iCount & " Unquoted Service Path(s) were fixed on " & strComputer
End If

'''''''' Functions and Subs ''''''''''
Sub WMICX()
    'WMI connection
    On Error Resume Next
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    If Err.Number <> 0 Then
        message = "Error reaching or connecting to " & strComputer
        If Not bBatch Then
            MsgBox message, vbCritical, "Failure"
        Else
            WScript.Echo message
        End If
        WScript.Quit(100)
    End If
    On Error GoTo 0
End Sub

Sub Main()
    Dim iLastSlash, iProgEnd
    On Error Resume Next
    Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
    Set colServices = objWMIService.ExecQuery("SELECT name,pathname,displayname FROM Win32_Service")
    iCount = 0
    For Each objService In colServices
        strCommand = ""
        strArgs = ""
        strPathName = objService.PathName
        If IsNull(strPathName) Then strPathName = ""   'some services report no path at all
        'Parse the PathName, which is the command line.
        'Find the last backslash, then the first space after it: that space
        'separates the executable from its arguments.
        iLastSlash = InStrRev(strPathName, "\")
        iProgEnd = InStr(iLastSlash + 1, strPathName, Space(1))
        'iProgEnd will be zero if there are no arguments
        If iProgEnd > 1 Then
            strCommand = Left(strPathName, iProgEnd - 1)
            strArgs = Trim(Mid(strPathName, iProgEnd))
        Else
            strCommand = strPathName
        End If
        'Only an unquoted command that contains a space is vulnerable
        If Left(strPathName, 1) <> quote And InStr(strCommand, Space(1)) > 0 Then
            WScript.Echo "Found " & objService.DisplayName & " Service with command line:" & _
                vbCrLf & vbTab & objService.PathName
            FixService objService.Name, strCommand, strArgs
        End If
    Next
End Sub

Sub FixService(strSvsName, strCommand, strArgs)
    If bDebug Then Exit Sub
    'Add a separating space only if there are arguments
    If Len(strArgs) > 0 Then strArgs = Space(1) & strArgs
    Dim strRegPath, strImagePath
    strRegPath = "SYSTEM\CurrentControlSet\Services\" & strSvsName
    strImagePath = quote & strCommand & quote & strArgs
    WScript.Echo "Setting Command line to " & strImagePath
    'ImagePath is REG_EXPAND_SZ, so write it with SetExpandedStringValue
    objReg.SetExpandedStringValue HKLM, strRegPath, "ImagePath", strImagePath
    iCount = iCount + 1
End Sub

Function IsCScript()
    IsCScript = (InStr(UCase(WScript.FullName), "CSCRIPT") <> 0)
End Function
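To make the rule that the discovery and remediation scripts above apply explicit, here is an added stand-alone Python model (not the compliance item's code): it splits a Win32_Service PathName at the first space after the last backslash, decides whether the path needs quoting, and rewrites it. The sample ImagePath values are constructed, not taken from the scanned environment.

```python
"""Model of the unquoted-service-path detection and fix used by the compliance item."""
from typing import Optional, Tuple

# Constructed sample ImagePath values (not from the page's environment)
SAMPLES = [
    r'C:\Program Files\Example Vendor\AERTSr64.exe',              # vulnerable, no arguments
    r'C:\Program Files\Example Vendor\agent.exe -service "x y"',  # vulnerable, arguments with spaces
    r'"C:\Program Files\Example Vendor\svc.exe" -k',              # already quoted: leave alone
    r'C:\Windows\system32\svchost.exe -k netsvcs',               # no space in the command: safe
    r'%SystemRoot%\System32\ExampleSvc.exe',                     # REG_EXPAND_SZ style, no space: safe
]


def split_image_path(path: str) -> Tuple[str, str]:
    """Split an unquoted PathName into (command, args) the way the remediation
    script does: the command ends at the first space after the last backslash."""
    last_slash = path.rfind("\\")
    prog_end = path.find(" ", last_slash + 1)
    if prog_end == -1:
        return path, ""
    return path[:prog_end], path[prog_end:].strip()


def needs_quoting(path: str) -> bool:
    """True when the value matches the unquoted service path finding:
    not already quoted and its command portion contains a space."""
    if path.startswith('"'):
        return False
    command, _ = split_image_path(path)
    return " " in command


def fix_image_path(path: str) -> Optional[str]:
    """Return the corrected ImagePath (quotes around the command only, arguments
    left outside), or None when the value needs no change."""
    if not needs_quoting(path):
        return None
    command, args = split_image_path(path)
    return f'"{command}"' + (f" {args}" if args else "")


if __name__ == "__main__":
    for sample in SAMPLES:
        fixed = fix_image_path(sample)
        print(("FIX  " if fixed else "ok   ") + sample)
        if fixed:
            print("  -> " + fixed)
```

Note that the wmic discovery pipeline flags every unquoted auto-start service outside C:\Windows, while this rule (like the remediation script) only rewrites paths that actually contain a space, so the two can disagree on a system that has unquoted but space-free service paths.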


At this point go ahead and deploy the configuration item you have just created. I would recommend performing this only against workstations, and only after serious testing.

Unfortunately I forgot to take a screenshot when I first deployed this compliance item, but I do have one from after half the systems had checked for policy.


After systems get policy we are looking at a very high remediation percentage.

NOTE: this will run on its own automatically, but you can also trigger it on an individual system by launching the Configuration Manager client > Configurations tab > select the compliance item > Evaluate.

This is what a successful report looks like for the configuration item.

The compliance item can be downloaded on Technet here.

I would like to thank Khalid Al Alul, and Ricky Richard for their time in working on this configuration item.

SCCM Revoked Clients Registration


I ran into an issue where a few sites would call my SCCM team indicating they were having client problems. They would say the clients did not have all action items and it had been over 2 hours since the system finished the OSD process. I had a few initial thoughts, but they were all wrong. First we verified that VMware Tools on the MP was fine, that boundaries were correct, and that the client was not stuck in provisioning mode. The next course of action was to connect to a machine, investigate the bad client and start checking log files.

The SCCM client looked as below, with the certificate set to None instead of Self-signed. This indicates the client has not yet registered with the MP.


Next I investigated the ClientIDManagerStartup.log, which showed the error “Server Rejected registration Request: 3”. This gave me the idea of clearing out the certs and reinstalling the client.


However, this produced another GUID with the same error, which pointed me to the log files on the MP.


This was quickly becoming a high-exposure problem, as our environment images anywhere between 25 – 175 machines a day. After a quick Google search we found a blog post where the solution was a few simple SQL lines.

The line below will identify systems that have revoked clients

Select * from ClientKeyData where isrevoked=1


The line below will clear out the problematic requests. Once these are cleared the systems should be able to register successfully.

Update ClientKeyData set isrevoked=0 where isrevoked=1


Thanks to Emmanuel Rached's blog post below, this was quickly resolved. The log file images were screencaps from his blog post and everything else was from my environment. Please check out his blog, as there is tons of other great stuff. https://www.emmanuelrached.com/2014/09/08/sccm-revoked-clients-registration/
