Archives in July, 2011

LANDesk SoftMon Monitoring Information

LANDesk Softmon.exe monitors application execution and logs usage information in the registry. The following information is logged to the registry: Current Duration, Current User, First Started, Last Duration, Last Started, Total Duration, and Total Runs. This information is useful for determining how much an application is used and where it is installed.

The monitor information can be found in the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\LANDesk\ManagementSuite\WinClient\SoftwareMonitoring\MonitorLog\]

Each monitored application receives its own subkey, named after its path; an example would be C:/Program Files/Microsoft Office/OFFICE11/EXCEL.EXE.

Under this application key you may see the following registry values (not every value is present for every application):
Current Duration
Current User
First Started
Last Duration
Last Started
Total Duration
Total Runs

Unfortunately, if an application is no longer available, its usage information still lives on in the registry. This may give you inaccurate usage information if you rely solely on this data. I would recommend checking whether the application still exists at the path given by the key name to determine if the application is still available on the PC.

How do you determine Last Duration?
1) Extract the Last Duration REG_BINARY value in Hex.
Example: 20 F2 96 1E A6 00 00 00
2) Open Windows Calculator in Scientific mode and choose Hex and Qword radio buttons
3) Enter the hex bytes from right to left into the calculator (the value is stored little-endian, so the bytes are reversed):
00 00 00 A6 1E 96 F2 20
4) Click the Dec radio button to switch to decimal.
5) Divide the decimal number by 10,000,000 (the value is in 100-nanosecond units).
You will now have the Last Duration in seconds. In this example the result will be 71347.778 seconds.

How do you determine Total Duration?
1) Extract the Total Duration REG_BINARY value in Hex.
Example: 10 B1 AD D9 CB 09 00 00
2) Open Windows Calculator in Scientific mode and choose Hex and Qword radio buttons
3) Enter the hex bytes from right to left into the calculator (the value is stored little-endian, so the bytes are reversed):
00 00 09 CB D9 AD B1 10
4) Click the Dec radio button to switch to decimal.
5) Divide the decimal number by 10,000,000 (the value is in 100-nanosecond units).
You will now have the Total Duration in seconds. In this example the result will be 1077113.505 seconds.

How do you determine Current Duration?
1) Extract the Current Duration REG_BINARY value in Hex.
Example: 80 97 6A 76 2F 00 00 00
2) Open Windows Calculator in Scientific mode and choose Hex and Qword radio buttons
3) Enter the hex bytes from right to left into the calculator (the value is stored little-endian, so the bytes are reversed):
00 00 00 2F 76 6A 97 80
4) Click the Dec radio button to switch to decimal.
5) Divide the decimal number by 10,000,000 (the value is in 100-nanosecond units).
You will now have the Current Duration in seconds. In this example the result will be 20385.016 seconds.

How do you determine Last Started?
1) Extract the Last Started REG_BINARY value in Hex.
Example: 40 4D C8 A0 55 45 CC 01
2) Open Windows Calculator in Scientific mode and choose Hex and Qword radio buttons
3) Enter the hex bytes from right to left into the calculator (the value is stored little-endian, so the bytes are reversed):
01 CC 45 55 A0 C8 4D 40
4) Click the Dec radio button to switch to decimal.
5) Use this decimal number in a FILETIME converter utility to get the date and time.
I found a useful converter at: http://www.silisoftware.com/tools/date.php
Set the input format to filetime and key the decimal value into the date field.
6) Click convert and you have the Last Started date.

How do you determine First Started?
1) Extract the First Started REG_BINARY value in Hex.
Example: 50 0D CE 02 00 09 CC 01
2) Open Windows Calculator in Scientific mode and choose Hex and Qword radio buttons
3) Enter the hex bytes from right to left into the calculator (the value is stored little-endian, so the bytes are reversed):
01 CC 09 00 02 CE 0D 50
4) Click the Dec radio button to switch to decimal.
5) Use this decimal number in a FILETIME converter utility to get the date and time.
I found a useful converter at: http://www.silisoftware.com/tools/date.php
Set the input format to filetime and key the decimal value into the date field.
6) Click convert and you have the First Started date.

How do you determine the Current User?
1) Read the Current User REG_SZ value; it is a plain string.

How do you determine Total Runs?
1) Read the Total Runs REG_DWORD value as a decimal number; it is the total number of executions.
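The six decoding procedures above (the three durations, the two FILETIME timestamps, and the plain user/run-count values) are collected here in one added Python example. This is not LANDesk's code or the author's; the duration and timestamp bytes are the post's own examples, the entry dictionary stands in for values read from the MonitorLog subkey, and the installed-path check implements the caveat about stale entries.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

# Durations and Started values share one unit, 100-nanosecond ticks (hence "divide by
# 10,000,000"); Started values are Windows FILETIMEs, i.e. ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def qword_le(raw: bytes) -> int:
    # REG_BINARY holds the QWORD little-endian; that is why the post keys the hex in right to left.
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    return struct.unpack("<Q", raw)[0]

def duration_seconds(raw: bytes) -> float:
    """Current/Last/Total Duration -> seconds."""
    return qword_le(raw) / TICKS_PER_SECOND

def filetime_to_iso(raw: bytes) -> str:
    """First/Last Started -> ISO 8601 timestamp in UTC (what the converter site returns)."""
    return (FILETIME_EPOCH + timedelta(microseconds=qword_le(raw) // 10)).isoformat()

def decode_monitor_entry(app_path: str, values: dict) -> dict:
    """Decode one MonitorLog subkey. `values` maps value name -> data as read from the
    registry: bytes for REG_BINARY, str for REG_SZ, int for REG_DWORD. Absent values are skipped."""
    out = {"application": app_path,
           # The post's caveat: entries outlive uninstalled programs, so check the path.
           "still_installed": os.path.exists(app_path)}
    for name in ("Current Duration", "Last Duration", "Total Duration"):
        if name in values:
            out[name] = duration_seconds(values[name])
    for name in ("First Started", "Last Started"):
        if name in values:
            out[name] = filetime_to_iso(values[name])
    for name in ("Current User", "Total Runs"):
        if name in values:
            out[name] = values[name]
    return out

# Constructed sample entry built from the post's example hex values.
SAMPLE_ENTRY = {
    "Last Duration": bytes.fromhex("20 F2 96 1E A6 00 00 00"),
    "Total Duration": bytes.fromhex("10 B1 AD D9 CB 09 00 00"),
    "Current Duration": bytes.fromhex("80 97 6A 76 2F 00 00 00"),
    "Last Started": bytes.fromhex("40 4D C8 A0 55 45 CC 01"),
    "First Started": bytes.fromhex("50 0D CE 02 00 09 CC 01"),
}
```

Decoding SAMPLE_ENTRY reproduces the post's 71347.778, 1077113.505 and 20385.016 seconds, and places Last Started on 2011-07-18 14:18:55 UTC.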

You may be asking why I would go through so much trouble to determine the usage of an application on a computer. Well, I come from the background that if you can keep a computer clean, it will perform at its best. By using this information, I can determine whether an application needs to be reinstalled on a replacement PC or uninstalled from a current PC. You may also find how and when a user uses an application.

** Note this information is provided for educational purposes only. **

Philips Zymed Site Encryption

I am in the process of upgrading the Philips Zymed Holter system, including a new Central Link. I have a list of site codes, user IDs, and passwords for all my locations, but since I was not the originator of the document and could not verify that the passwords were entered correctly in the spreadsheet, I set out to decrypt the password and site information. The Philips Zymed Central Link software stores the site information in the registry in version 2.8 and in a configuration file under “all users” in version 2.9.

On my version 2.8 system I found the information in the registry under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Zymed\. I exported the entire Zymed subkey structure. You will see a value labeled RemoteConfig under HKEY_LOCAL_MACHINE\SOFTWARE\Zymed\Zybit Central\0.1\Configure, containing a hex-encoded string. Using my 17 years of experience, I started by looking for a pattern in the hex-encoded string, and found one.

I started to decipher the encryption by adding a new site to my site list and providing a known key sequence as the description and password. I entered the entire alphabet in uppercase and lowercase. I noted the offset of each letter that was entered and the encoded hex value that it produced. I noted all of the values entered and went ahead with replacing all of the values in the registry export with the known values. After going through a few iterations of the offsets, you start to see the site code, descriptions, and password being revealed.

After more evaluation, the encoding algorithm turns out to be simply an offset within a byte. To decrypt a value you only need a little subtraction and hex-to-ASCII conversion. The base of the encoding is 255 (FF). You take a sample value like BE and subtract it from FF: FF - BE = 41 hex, which is 65 in decimal, the ASCII code for the letter A.
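To show how directly the FF-minus-byte rule recovers the stored text, here is an added Python example (not the author's or Philips' code) that pulls a RemoteConfig value out of a .reg export, including regedit's backslash-continued hex lines, and decodes it. The export fragment and its contents are constructed, and the NUL-separated record layout in the sample is an assumption, not the real Zymed format.

```python
# Constructed .reg export fragment in the layout regedit produces. The bytes are a made-up
# record ("SITE01", NUL, "Main Lab", NUL) run through the FF-minus-byte scheme; the real
# RemoteConfig layout is not known here.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Zymed\Zybit Central\0.1\Configure]
"RemoteConfig"=hex:ac,b6,ab,ba,cf,ce,ff,b2,9e,\
  96,91,df,b3,9e,9d,ff
'''

def reg_hex_value(export: str, name: str) -> bytes:
    """Extract a REG_BINARY value from a .reg export, joining backslash-continued lines."""
    lines = export.splitlines()
    prefix = f'"{name}"=hex:'
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            body = line[len(prefix):]
            while body.rstrip().endswith("\\"):      # regedit wraps long values this way
                i += 1
                body = body.rstrip()[:-1] + lines[i].strip()
            return bytes.fromhex(body.replace(",", ""))
    raise KeyError(name)

def decode_zymed(raw: bytes) -> bytes:
    """The post's finding: each stored byte is 0xFF minus the plaintext byte (FF - BE = 41 = 'A').
    Subtracting from 0xFF is the same as flipping every bit, so encoding and decoding are identical."""
    return bytes(0xFF - b for b in raw)

def printable(decoded: bytes) -> str:
    """Render decoded bytes, showing NULs and other non-printables as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in decoded)

def decode_remote_config(export: str) -> str:
    return printable(decode_zymed(reg_hex_value(export, "RemoteConfig")))
```

Because the transform is its own inverse and keyless, a RemoteConfig value should be handled as if it held the site passwords in plaintext.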

Needless to say, I was able to successfully verify my spreadsheet full of site information before I migrated to the new server.

You may be asking yourself: why not just export and re-import the registry? It is because version 2.9 no longer stores RemoteConfig in the registry.

** Note this information is provided for educational purposes only. **