Programing

How to tell if a volume is Bitlocker protected with TPM and PIN

Ryan M. Hurst — Wed, 12 Nov 2008 10:47:57 GMT

Today I was presented with a question, how can I tell if the OS volume is protected with Bitlocker a TPM and a PIN.

Since I could not sleep (its 2:30AM right now) I figured I would throw together a quick and dirty script that checks for that, it was pretty easy to do.

I started with the documentation for Win32_EncryptableVolume which I recall seeing previously in a unrelated mail at some point, from there I discovered the GetKeyProtectors method, I then did a search on Live for GetKeyProtectors and VBSCRIPT that was scoped to Microsoft.com domains.

This got me a handful of samples, I took one hacked it up and came up with this:

' --------------------------------------------------------------------------------
' Get configuration we will need
' --------------------------------------------------------------------------------
' Get the OS System Drive
set shell = WScript.CreateObject( "WScript.Shell" )
strDriveLetter = shell.ExpandEnvironmentStrings("%SystemDrive%")

' Target computer name
' Use "." to connect to the local computer
strComputerName = "."

' --------------------------------------------------------------------------------
' Connect to the BitLocker WMI provider class
' --------------------------------------------------------------------------------

strConnectionStr = "winmgmts:" _
                 & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
                 & strComputerName _
                 & "\root\cimv2\Security\MicrosoftVolumeEncryption"
On Error Resume Next 'handle permission errors

Set objWMIService = GetObject(strConnectionStr)

If Err.Number <> 0 Then
     WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
     Wscript.Echo "Ensure that you are running with administrative privileges."
     WScript.Quit -1
End If

On Error GoTo 0

' --------------------------------------------------------------------------------
' Get a list of volumes that could be bitlocker protected.
' --------------------------------------------------------------------------------

strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
Set colTargetVolumes = objWMIService.ExecQuery(strQuery)

If colTargetVolumes.Count = 0 Then
    WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
    WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next

' --------------------------------------------------------------------------------
' Now check if it was protected with a TPM and a PIN
' --------------------------------------------------------------------------------

nKeyProtectorTypeIn = 4 ' type associated with "TPM and Pin" protector

nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs)

If nRC <> 0 Then
WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
WScript.Quit -1
End If

' there should only be one volume found
For Each objFoundVolume in colTargetVolumes
    set objVolume = objFoundVolume
Next

' --------------------------------------------------------------------------------
' Now return what we found.
' --------------------------------------------------------------------------------
On Error Resume Next 'handle unitialized array

If IsNull(aKeyProtectorIDs(0)) Then
    WScript.Echo "This volume is NOT TPM and PIN protected."
Else
    WScript.Echo "This volume IS TPM and PIN protected."
End If

From the time I decided to write the script, to the time I wrote it and tested it was about 15 to 20 minutes; the samples were great, the MSDN documentation was pretty decent too; all this without ever doing anything with Bitlocker before, WMI is great stuff.

I may never use this but if nothing else it was quick and fun to throw together, maybe it will help you.

How to do away with the Delete/Resume/Restart Page...

Ryan M. Hurst — Mon, 07 Jul 2008 00:57:13 GMT

I don't know about you but I just hate the Delete/Resume/Start page in Media Center; I would prefer that when the video is done that it just take you back to the page that invoked the play operation in the first place.

This isn't so hard to do, all you need to do is wait for MediaTransport.PropertyChanged to file and when PlayState goes into the "Stopped" state navigate back to whatever page you feel is appropriate.

A generic way to get this page out of Media Center would be to call HistoryOrientedPageSession.BackPage every time the playback goes from Playing to Stopped.

While I have not tried this myself, this appears fairly straight forward and is probably safe to do at any time (given the nature of this state transition).

How to determine what content a MCE Extender supports...

Ryan M. Hurst — Sun, 06 Jul 2008 22:12:20 GMT

So your a Media Center add-in and you want to determine if a file is a supported format for the playback device that is being used at any given time, here is what you do:

First things first you should detect if your on a Extender or not you should make sure the Capabilities.IsConsole is false.

At this point you know your on a extender, the next thing need to do is check to see that the file you are about to play is supported by the the Extender, to do that you can use DeviceInfo.ProtocolInfo (), this will either return null which means you can assume a base set of capabilities (documented on here) or return a string which can be parsed to find out what "Content Types" the Extender supports.

What is a "Content Type" you ask? its a string that gives you a basic idea of what sort of content your looking at (obvious eh?) for a mpeg file it will be "video/mpeg".

You can determine the "Content Type" for a given file extension by looking in the registry under "HKEY_CLASSES_ROOT\.{FileExtension}" where {FileExtension} is the extension of the file in question, the value of "Content Type" will have what you need.

Another useful thing to know is the "PercievedType" for a given file, its very similar to "Content Type" in purpose but the king thing to understand is that the Videos Library in MCE uses this to determine if a given file is a "Video" or not, as such if you were to build a Video library of sorts what you would likely want to do is:

Find all content that has a PercievedType of Video
Identity which of those files are supported by the device being used at the time by checking the ProtocolInfo method.
Either filter out or disable content that is not supported by the current playback device.

As I said this approach isn't perfect, it has a couple short comings:

You are not guaranteed that a device will return you a ProtocolInfo string so you have to special case that with the default content types called out in the ProtocolInfo documentation.
Content Type, while useful isn't enough to tell you for sure the content will play, for example bit rate and other encoding options can make content not playable.

With that being said this is a fairly reliably means for you to filter out the cruft that will cause users of your add-ins problems, and you should consider implementing it if you create a library view in your application.

Automate the mundane for sanity sake (part 4)

Ryan M. Hurst — Sun, 22 Jun 2008 23:23:26 GMT

A recent change in My Movies results in users having to have the rips be conformant with the DVD standards, specifically it now requires that the VOB, IFO, and BUP files are in a VIDEO_TS folder.

I threw together a very basic script that can take folders that are in the form of sourcedir\moviename\dvdfiles to sourcedir\moviename\video_ts\dvdfiles.

As always use this script at your own risk, I have only done limited testing, but it worked on the two folders I tried .

To use this copy the following script to foo.vbs, put it in the root of your movies folder, open a command prompt in that directory and type "cscript foo.vbs" and you should be good to go.

I recommend trying it on a small folder set before you run it on your whole collection to make sure you would be happy with the results.

Dim FileSystem, szMovieFolder
szMovieFolder = "C:\test"
Set FileSystem = CreateObject("Scripting.FileSystemObject")

Dim Folder, File, Files, oMovieFolder, szFolderName, iEndOfShortFileName, szDestPath
Set oMovieFolder = FileSystem.GetFolder(szMovieFolder)

Set Folders = oMovieFolder.SubFolders

For Each Folder in Folders

szFolderName = szMovieFolder & "\" & Folder.Name

If (FileSystem.FileExists(szFolderName & "\" & "VIDEO_TS.ifo")) = True Then

  ' Looks like we have a movie name folder that directly contains a VIDEO_TS.IFO

  szDestPath = szFolderName & "\" & "VIDEO_TS"

  If (FileSystem.FolderExists(szDestPath)) = False Then

   ' Looks like it also does not yet have a VIDEO_TS folder

   FileSystem.CreateFolder(szDestPath)

   ' Now it does!

   Set Files = Folder.Files

   For Each File In Files
    bMove = False

    ' If its a VOB, BUP, or IFO move it.
    If InStr(1, LCase(File.Name), ".vob") <> 0 Then bMove = True
    If InStr(1, LCase(File.Name), ".ifo") <> 0 Then bMove = True
    If InStr(1, LCase(File.Name), ".bup") <> 0 Then bMove = True

    if bMove = True then
     ' ok lets move file
     wscript.echo "Moving '" & File.Name & "' to '" & szDestPath & "'"
     File.Move(szDestPath & "\" & File.Name)

    end if
   Next

  End If
End If
Next

Good luck.

OK, I admit it, I am twisted...

Ryan M. Hurst — Sun, 23 Mar 2008 01:22:27 GMT

I was catching up on reading blogs and such and ran across this post from Bruce Schneier over at Wired titled "Inside the Twisted Mind of the Security Professional".

The premise of this so aptly titled post is that security professional's just think differently, and that this difference is a trait that might just be innate in certain individuals; I have to agree.

I got into electronics (including computers) as a child as a means to figure out how they worked, it started by taking them apart and putting them back together; though in many cases I ended up with extra parts most of the time they went back together just fine .

I quickly learned that this was mostly a mechanical exercise, and that no amount of assembly and re-assembly would really tech me how these things worked; so I started looking at the software.

The interest in software was really again trying to understand how these magnificent boxes worked, I recall looking at the files that made up programs trying to understand their role and ultimately realizing for me to really understand how things worked I had to be able to re-produce approximations of them and so I taught my-self to program (Basic, Pascal, C, and c64 and x86 assembly).

Once I mastered the basics I came back to looking at these programs, trying to understand them and utilizing the basic understanding of computer architecture and programming I had amassed, from there I started trying to see how I could bypass the copy protections on games; it's really this that got me into computer security.

Here there was this commercial software developed by a mass of professionals designed to prevent me, a punk kid from doing something and I was able to by-pass it; I recall how proud I was of myself at first but this quickly lapsed as I realized problems like this were impassable, I was 10.

My friend Josh and I started fumbling around on bulletin boards across the nation, It remember going into a chat room with Josh and some guy offered us a step-by-step guide of sorts to log in and control phone switches as a means to make free international calls; he had written this guide based on a manual he stolen out of the back of a telephone operators truck, the inside cover of the manual included the default password for this switch.

I remember this guy telling us how he went about it, and how amazed he was when he found that most of the switches out there were based on this same system and no one changed the default password; this guy was not much older than us, maybe 15 or 16 but again clearly pleased with how he was able to figure this all out.

For me this was the beginning of understanding social and computer networking, and the beginning of me seeing myself as a "hacker".

As a "hacker", I prided my myself in my common sense and the lack of common sense in others; every where I went I was looking for flaws, things that other people missed.

I remember when we moved to our new house, my mom called the power and phone companies to have our service transferred, I listened to her side of the phone call and she never had to give them any private information; I was amazed. Several months later some kid picked on me at school so I called the phone and power company to have their service disconnected, it worked.

This view on life has continued to this day, I have of course grown up and no longer use my insights for evil (at least intentionally) but I thank my lucky stars I see the world the way I do.

As for this view of life being innate in some, as I said. I believe it is; however I also believe it can be learned though I don't know if it can be taught. As a "hacker" when I watch movies I look for the mistakes, the things that were of such a small detail that they were missed by the production staff, when I got married I started to share these findings with my wife who was always surprised I noticed such things.

However at one point in our marriage she started finding these flaws before I did and when we discuss strategy on issues she also now finds angles I may have missed; she tells me that this is something she has learned from me, all I can say is I certainly didn't mean to teach it as now she can use it against me

RFC 5216 is published!

Ryan M. Hurst — Sat, 22 Mar 2008 19:33:05 GMT

Previously I mentioned I was working on an update to RFC 2716 that process is now complete, the RFC number for this new work is 5216.

This update was really about adding clarifying text address common implementation issues, better aligning the specification with its dependent RFCs (like RFC 4346, RFC 3280, etc), updating to specification to represent actual implementation practices to aid in interoperability and of course improving security guidance for implementers.

To be clear, no new capabilities were added to this RFC; despite that the document increased 35.9934% in size (from 50.2 KB to 71.7 KB); larger doesn't always mean better but in this case I think it does.

My Netflix is dead, long live My Netflix.

Ryan M. Hurst — Sun, 10 Feb 2008 22:50:24 GMT

Back in 2004 ended up getting a cold or flu of some sort that kept me from going into work for a day or so and I used that time to throw together a Media Center add-in called My Netflix; I have done a few minor updates over the years (http://unmitigatedrisk.com/archive/2007/08/25/119.aspx) but my work has become increasingly demanding and finding the time to give the project the TLC it deserves has been difficult at best.

As a result I am now officially announcing the death of My Netflix, I will no longer fix anything no mater how minor; if you have issues I released it under the MSFT permissive license and the source is still available (http://www.unmitigatedrisk.com/mce/mynetflixsource.zip) so you can go to town if you like.

With that being said, My Netflix has also been re-born (http://www.anpark.com/index.php/2008/02/10/new-vista-media-center-plugin-mynetflix-beta/); a kind soul (Anthony Park) has done a bunch of what I wanted to see done and re-wrote the add-in as a MCML application giving it experience more consistent with MCE plus he added support for Watch It now.

I have not been a Netflix subscriber for some time (they started rate limiting me, I think this is a dishonest practice) so I switched to Blockbuster (which has its own issues but that's another post) but from the screen shots Anthony has done a great job; in fact I think I will sign up for Netflix on one of the trials and play with it.

I can't say how excited I am to see this happen :)

Thanks Anthony!

Thank goodness, finally a security silver bullet...

Ryan M. Hurst — Fri, 11 Jan 2008 03:04:18 GMT

Mike Howard just did a post about a company offering a certificication that "prooves" your secure.

Why didn't I think of that? Hehe...

Computer controllable energy monitors…

Ryan M. Hurst — Thu, 03 Jan 2008 21:28:28 GMT

For a while I have been considering doing a Windows Media Center add-in to monitor and graph home energy consumption (check out http://bwired.nl for my inspiration); the problem is that I have been unable to find energy monitors that are computer controllable, that is until just recently.

The Brueltech unit runs $399, while the TED runs ~~$144~~ $188; this isn’t really a apples to apples comparison though as the Brueltech unit supports Zigbee. For those not in “the know” Zigbee is a wireless mesh networking protocol (much like Z-Wave).

What this means is that instead of having to rely on a direct USB connection to the PC one can use a USB to Zigbee adapter to talk to the Brueltech unit to get the measurement updates wirelessly, very cool IMHO.

Another potential difference is quality of the components Brultech does some level of commercial monitoring and claims that (as an example) their induction measurement sensors of a higher grade/quality than most; but hey I work in software what do I know of such things .

When I tell people about my desire to do this project they normally ask me “why in the he-double-hockey-sticks would you want to do that?”; the answer to that question to some degree is because I can. After all every once in a while one must re-prove their uber geekiness; but there is more to it, studies have shown that having knowledge of electrical consumption and the associated costs alone can contribute to a reduction in electrical usage.

Then if one combines such a system with a automated home (via say Z-Wave devices) one can monitor usage in relationship to device power state to infer power consumption, with that data a intelligent system could make recommendations on changes in usage or automatically make adjustments in usage to reduce electrical use.

My plan (however half baked) started as a plan to develop a class library of sorts for home automation, a set of abstract base classes in .NET for interacting with devices independent of their protocols (X10, Z-Wave, Insteon, ZigBee, etc) the problem was that control without insight was not by itself compelling enough for me to undergo this project, the insights that these devices offer could change that equation enough to get me off my duff and do this.

Only time will tell, at $399 I will have to probably put the project on hold for a few months; maybe Brultech and/or TED will get me evaluation unit for cheap to play with.

[Update 1/11/08 2:16PM] I have had some great email exchanges with the folks at Brultech and they have been great; in this exchange I have learned more about the differences between the TED and the Brultech offering, some of which include:

The $144 price for the TED does not include software., the software is an additional $44.
~~The TED does not have the ability to download data from non-volatile memory (data logger).~~
The ECM-1220 processes the energy consumption for each panel phase individually; this is greatly convenient when it comes to analyzing which loads are operated. For instance, if the power of both phases increase simultaneously, it is safe to say that the load is a 240V load, narrowing down which load this may represent. The same applies for 120V loads. If a load cycles on phase A this eliminates the possibility of any 240V load or any phase B loads. Software can be developed to analyze the load signature of various appliances and generate an energy audit report. This would be useful in assessing various load efficiencies (appliance requiring maintenance or replacement).
The TED uses PLC (power line carrier) method of communication. This limits picking up the signal on 50% of the receptacles (on the same phase the MTU unit is wired to) without the adition of a inexpensive phase coupler. Even with this, some people have said that the signal from their TEDs will drop out occasionally.

Since in my application I plan on having a always on PC monitoring the device I am not sure there is a big value for the #2, that being said that is dependent on the reliability of the device advertising the energy usage (see #4 for a potential concern here).

#3 in particular sounds like a very important reason to consider the Brultech offering, the primary value of a project like this is analysis and not having discrete data per phase would certainly limit that ability.

More updates as I have them

[Update 2/12/08 2:16PM] I have finally heard back from the folks over at The Energy Detective, the manufacturers of the TED; they have finished their API but unfortunately the terms of the API prevent me from including support for their device in the project I have envisioned.

This is really unfortunate because it looks like a good device, and when designing an abstraction one really does need to validate that design with several implementations; oh-well.

With that being said they also corrected me on two points in the blog, I have ~~marked~~ these above; I apologize for spreading miss-information, that’s the wonderful thing about the web though, so much information you start to think you know it all .

In addition the above corrections they raised alternate perspectives on the values of the two different design properties offered by the Brultech product and their own:

Dual phase load monitoring - Knowing the load for any given circuit can be useful, but for the average user per-phase measurements is of little value.
PLC vs. ZIGBEE – PLC can be made to work across both phases through installing a very inexpensive impassive phase coupler more over in their experience the RF nature of ZigBee introduces as much or more problems than PLC.

The net of this is that I guess I will now have to start looking around for another device that I can design these classes around, again I will update you when I know more.

Were getting closer to a Internet Based DVR...

Ryan M. Hurst — Wed, 10 Oct 2007 01:08:18 GMT

A few weeks ago I blogged about Internet based DVRs (see: Internet based DVRs, are they the future? I think so.), well were getting pretty close to just that; take a look at the My TV Archive plug-in, if you combine that with Azureus and "broadcatching" your pretty darn close.

What else would you need? Well off the top of my head:

A service to detect new DVR-MS content and convert it to some format, preferably .MP4 (vs DiVX).
A 10' User Experience to schedule recordings (could simply configure BitTorrent or preferably have its own scheduler, possibly based on BitSharp).

Someone is going to do this and make a mint, maybe its time to leave MSFT for me to do something on my own