The software I tried was installed on Windows 7 (32-bit). Here we go:
(You can find more about the Agent, for example, here.)
After the OfficeScan Agent was installed, I decided to check the settings available there (PccNT.exe). I opened it from the Windows tray, and we are here:
As you can see, I enabled 'Custom proxy settings' to add multiple A-letters there. Click 'Ok' to see:
I decided to debug this process. :)
(...but because I wasn't able to attach a debugger to the target process - pccnt.exe...)
First of all, I decided to run the OS in 'safe mode' to change the Image File Execution Options:
(You can read more about it here or here.)
Checking in registry:
Ok, restarting to verify:
Looks good. When we launch OfficeScan from the tray again, WinDbg will be started. Checking proxy settings:
Unfortunately I wasn't able to catch the crash this way.
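The Image File Execution Options step described above, written out as an added example that is not from the original post: it sets the Debugger value for an image, lists every image that has one, and removes it again. The function names are hypothetical and the WinDbg path is a placeholder; run it from an elevated prompt.

```powershell
# Added example (not the author's script). Function names are hypothetical;
# the WinDbg path in the usage lines is a placeholder for the local install.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-IfeoDebugger {
    param(
        [Parameter(Mandatory=$true)][string]$ImageName,     # e.g. pccnt.exe
        [Parameter(Mandatory=$true)][string]$DebuggerPath
    )
    $key = Join-Path $IfeoRoot $ImageName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Windows prepends this string to the command line each time the image starts.
    New-ItemProperty -Path $key -Name 'Debugger' -PropertyType String `
        -Value ('"{0}"' -f $DebuggerPath) -Force | Out-Null
}

function Get-IfeoDebugger {
    # Lists every image that currently has a Debugger value,
    # which makes a forgotten or unexpected entry easy to spot.
    Get-ChildItem -Path $IfeoRoot | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' `
                    -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            New-Object PSObject -Property @{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory=$true)][string]$ImageName)
    $key = Join-Path $IfeoRoot $ImageName
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
    }
}

# Usage: set, verify, and clean up afterwards.
Set-IfeoDebugger -ImageName 'pccnt.exe' -DebuggerPath 'C:\path\to\windbg.exe'
Get-IfeoDebugger | Format-Table -AutoSize
# Remove-IfeoDebugger -ImageName 'pccnt.exe'
```

While the value is present the image only ever starts under the debugger, so remove it once the session is over.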
The next thing I decided to try I found in this book (quote from Google Books):
Ok, cool. In the case of "remote kernel debugging" I found multiple hints in this series - if you're not familiar with it yet, I strongly recommend that you check it out.
After a while we should be here:
Next I was looking for pccnt.exe (using !process 0 0 pccnt.exe in WinDbg):
Attach & go:
Because I saw fcWofieUI.dll in the crash window, I decided to ask WinDbg to look for it, for example:
More breakpoints:
...somewhere in the breakpoints...:
Now, switch to (fcWofieUI.dll in) IDA Pro:
Checking the graph:
So, as you can see, it should be easier to locate the bug using Reg*-related functions:
Checking the crash once again (this time I used ProcDump):
Checking regedit again:
The user is not able to modify the regedit value directly, but it can be done using the OfficeScan Agent ;)
And here (or here) you can find more details about the status code.
Maybe you'll find it useful.
Cheers