Ok so that is a bad title… really bad but I am an in an extremely humorous mood. First it is friday, second my morning was much better than average, third I had a blast driving around the last two days, fourth I am going to Virginia next week for work and will be able to see my world famous Aunt Linda for a couple of days as well as the Cherry Blossoms in Washington D.C., and finally… one of my tools is apparently being hunted down and killed by a major antivirus vendor.
The tool isn’t one that most of the Active Directory community (my main community) seems to be readily aware of but is actually one of the most popular tools I have in downloads while at the same time being the tool with the distinction of being the one I actually hate the fact that I ever made available. This hate stems from the fact that I get more cranky nasty emails about it than any other tool, in fact, I would say that it is about 5 to 1 in terms of the number of issues people have with that tool over others. I think the reason is because it is used in a lot of desktop work and the number and quality of admins using it is substantially different from those using my server type utilities. If the tool was that difficult to use and it sucked that bad, I would fix it. It doesn’t (suck), the issue is mainly with some of the people using it and their misconceptions on how things work. MSFT really never made it a point that people understand Windows in order to admin it, just be able to start it. 🙂
If you aren’t familiar with it, the tool stands for Create Process As User which is exactly the API call it does NOT use to complete its work…. At one point it did use it… I think…. Well maybe not…Â I don’t recall any more. I think I started to use it but then realized I didn’t want to and never renamed the folder the POC[1] code was in…. Anyway it really uses CreateProcessWithLogonW which is similar to but actually is NOT CreateProcessAsUser.
I originally wrote the tool because I was running RUNAS with the /NETONLY switch way too much and it annoyed me to keep typing that and I didn’t want to batch it and I wanted some other frills so I wrote CPAU which by default creates a process with network creds, not interactive creds. Why is this cool and why/when do you want use /NETONLY with RUNAS? Because when you are in a large environment you will often have to deal with lots of different machines that may not necessarily have trusts and in order to tap those machines easily you want to use network credentials which are not actually used until you touch the foreign machine. One of the additional cool things is you can use a JOB file with CPAU which has the creds and command embedded in it in an encoded format (yes encoded, not encrypted, suck it up) and you just type something like cpau -dec -file cmd1.job and it will fire the command and no one can see the creds and you didn’t have to remember them. Usually I have it firing command prompts to be quite honest. If it works with them, I am happy with how the tool performs.
Anyway this tool gained massive popularity with folks doing logon scripts who wanted to raise the current security context to admin to do something. It even made it into the list of cool tools on the Novell site which kind of made me laugh too. Anyway, many of the people for some reason neglect to read any of the usage or the web page or even the messages the tool itself displays…
G:\MultiMedia\Music>cpau -u joe\joe -p nottonto -ex cmd
CPAU V01.11.00cpp Joe Richards (joe@joeware.net) November 2005
Current Security Context: JOE\$schmuck
WARN:
WARN: This will not be an interactive authentication. This means
WARN: that the credentials are only valid for connecting to remote
WARN: resources, locally you will have the credentials CPAU was
WARN: launched with. If you need the specified credentials to work
WARN: on the local machine you need to use -LWP or -LWOP options.
WARN:Process Created…
The command completed successfully.
Â
…and end up emailing me telling me the tool doesn’t work because they don’t have admin rights locally and by gosh they should because that is the ID they entered… No kidding, we are talking about 15 emails a week minimum where that complaint comes through and I my response is, did you happen to type cpau /? and read it? Sometimes I am less nice, depends on if I have exceeded answering the question more than 20 times that week.
It is also popular with people trying to do things out of IIS or the scheduler in different security contexts. Microsoft fixed the lot of them trying to do that with recent security changes which made the API call being used off limits to the LocalSystem account. It can be fixed so it works but it is massive work and it isn’t anywhere near to getting on the current list to be worked on. I don’t need it myself; I wouldn’t use the utility that way.
So anyway… the reason for the post. 🙂
I start peeking at my forums and noticed
Subject: McAfee detects CPAU.EXE as unwanted CPAU-tool
As the bank I am working for updated thier virus def’s, CPAU was brutally deleted from my workstation. April 11, 2006.
Not yet from the servers were I run it though.
I have to say I read that and laughed pretty hard for quite a bit. Why did I laugh you didn’t ask?
First because I really dislike McAfee to be absolutely honest. I dislike their products. I have had far more issues with their products than they have ever helped me with. I, in fact, can’t think of a single good thing I might have thought about saying about them at any point in the last at least 5-6 years. This was just reason++ to dislike them more.
Second because it is just hilarious to me. This isn’t even one of the really dangerous tools I write.
So as I start to seriously contemplate the “issue” I figure, “ah it isn’t me or CPAU they are targeting, it is just probably that API call…” So I go search the McAfee site and find
http://vil.nai.com/vil/content/v_138855.htm
For those too lazy to click (Hi Deano), here it is
Tool-CPAU
Type Program
SubType Tool
Discovery Date 03/09/2006
Length
Minimum DAT 4714 (03/09/2006)
Updated DAT 4714 (03/09/2006)
Minimum Engine 4.4.00
Description Added 03/09/2006
Description Modified 03/09/2006 9:10 AM (PT)Aliases N/A
That is pretty directed, especially when you consider the naming piece I discussed above (I bet you wondered why I mentioned that…). I love the complete lack of decent info. Well done McAfee (Read that with your best Eddie Izzard accent with smirk). It isn’t like I am so hard to track down. If there is a utility out there that I wrote in the last five years that doesn’t have my email address on it that is displayed prominently I want it found and shot. I put my email address on those things so people CAN ask me questions. You have no idea how many emails asking me, “Hey how do I get that really useful free tool you spent all of that time writing to not say your name and email address, it bothers me and I don’t want people seeing it….” Well maybe they don’t write it in quite that way but that is what they should be thinking…  because that is the response they are 99.99% likely to get from me. Keep writing and asking though, I can say no a lot.
So I sent a nice email to the McAfee vendor support to ask, hey guys what’s up? We shall see if I get more than an automated, we have received your email message. To this point, I haven’t even received that.Â
So to recap quickly…. A tool that I never should have released to the general public because it has become a nightmare to support and takes a ton of my time such that I get even less work done because people can’t read the directions or don’t understand what they are trying to do is now being deleted off of machines by a crappy antivirus product run by people and corporations all over the place. How can I not laugh nonstop at that.
What is the upshot of all of this… what am I going to do to “fix” it? Why absolutely nothing. I will tell McAfee they shouldn’t do what they are doing but I will not argue with them about it, no benefit to me and I don’t think I could convince them anyway, this is the least of their problems. If their customers have an issue with it, their customers will have to tell them, this isn’t a malfunction of CPAU, this is a malfunction of McAfee – I will not insert myself in the middle of it. My recommendation for a fix? Bounce McAfee out the door… I admit a part of me wants to fix CPAU so they can’t detect it and further, it will remove McAfee when it sees it loaded but that is just me thinking funny thoughts. I won’t do that with my apps. I don’t want people not trusting them. I might as well just not publish any tools for folks to use at that point.
  joe
Â
[1] Proof Of Concept
Â
I guarantee the network guys at McAfee use tools from this site so they should really try and help out here. I’m a fan of Symantec myself and it has saved me a few times back in the napster hey day when I wasn’t as careful as I should have been. Come on I needed that Poison song haha
Have fun in VA, I’m in northern VA and I’m sure you will have plenty to do. Not sure where your aunt lives but if you are into space and planes then you should visit the new Air and Space museum right outside Dulles Airport (this museum is an extension of the Air & Space Museum in DC)
http://www.nasm.si.edu/udvarhazy/