Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/sys/windows/registry: error reading/writing Windows Defender Registry #35730

Open
KyhleOhlinger opened this issue Nov 21, 2019 · 5 comments
Open

x/sys/windows/registry: error reading/writing Windows Defender Registry #35730

KyhleOhlinger opened this issue Nov 21, 2019 · 5 comments
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. OS-Windows
Milestone
Unreleased

Comments

@KyhleOhlinger
Copy link

What version of Go are you using (go version)?

$ go version
go version go 1.13.4 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/user/.cache/go-build"
GOENV="/home/user/.config/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/user/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/lib/go-1.13"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.13/pkg/tool/linux_amd64"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build848002775=/tmp/go-build -gno-record-gcc-switches"


However, the code was compiled to Windows executable using: env GOOS=windows GOARCH=386

What did you do?

The issue was raised on Go-Nuts: https://groups.google.com/forum/#!topic/golang-nuts/V-0GT02SMIs

I have been working with the Golang registry and noticed an issue when attempting to access / read from SOFTWARE\Microsoft\Windows Defender. The following code calls SOFTWARE\Microsoft\Windows NT\CurrentVersion and it outputs the correct information.

winInfo, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows NT\CurrentVersion`, registry.QUERY_VALUE)
check(err)
defer winInfo.Close()

CurrentVersion, _, err := winInfo.GetStringValue("CurrentVersion")
check(err)
fmt.Printf("Value: " + CurrentVersion +"\n")

-----------------
Output:
-----------------
Value: 6.3

However, when attempting to access the Windows Defender registry key using the following code, it doesn't return any information.

regInfo, err := registry.OpenKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows Defender`, registry.QUERY_VALUE)
check(err)
defer regInfo.Close()

BackVersion, _, err := regInfo.GetStringValue("BackupLocation")
check(err)
fmt.Printf("Value: " + BackVersion)

-----------------
Output:
-----------------
The system cannot find the file specified.
Value:

I thought this may be an issue with permissions, so I checked the ACLs for the registry keys and all Authenticated Users do have read access to the object, and Adminstrators have Special permissions to the object. In order to confirm this, I used REG QUERY as shown below from a low privileged user account:

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /v BackupLocation
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
BackupLocation REG_SZ C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1909.6-0

After this I thought it may require signed Microsoft binaries in order to access the registry location, I then installed Registry Editor, a 3rd party viewer which was able to access the information. Finally, I thought it could be an issue with programming languages being unable to access the registry, so I tried it using the following Python code:

import errno, os, winreg

RawKey = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion",0, winreg.KEY_READ)
print(winreg.QueryValueEx(RawKey,"CurrentVersion"))

RawKey = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows Defender",0, winreg.KEY_READ)
print(winreg.QueryValueEx(RawKey,"BackupLocation"))

-----------------
Output:
-----------------
('6.3', 1)  
('C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.1909.6-0', 1)

The code above did return the correct information, which leads me to believe that there is an issue with the Golang registry implementation. Either that, or I am not using the registry correctly with Golang.

Any help would be greatly appreciated.

What did you expect to see?

I expected to see a value returned from the Windows Defender registry: HKLM\SOFTWARE\Microsoft\Windows Defender.

What did you see instead?

The following error was returned instead: The system cannot find the file specified
@KyhleOhlinger
Copy link
Author

Current Windows Version:
OS Name: Microsoft Windows 10 Enterprise OS Version: 10.0.18362 N/A Build 18362

@toothrot toothrot changed the title Golang Issue reading/writing Windows Defender Registry x/sys/windows/registry: error reading/writing Windows Defender Registry Nov 25, 2019
@gopherbot gopherbot added this to the Unreleased milestone Nov 25, 2019
@toothrot toothrot added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Nov 25, 2019
@toothrot
Copy link
Contributor

/cc @alexbrainman @bradfitz

@alexbrainman
Copy link
Member

@KyhleOhlinger I cannot reproduce your problem here.

I run https://play.golang.org/p/cco7-UO_j-E here, and I see this output

C:\>u:\test -test.v
=== RUN   TestALEX
    TestALEX: registry_test.go:21: got="C:\\ProgramData\\Microsoft\\Windows Defender\\platform\\4.18.1909.6-0" gottype=1
--- PASS: TestALEX (0.01s)
PASS

C:\>```

I also use Windows 10.

Alex

@KyhleOhlinger
Copy link
Author

@alexbrainman I wonder if it it not an issue with compilation. I am using the following to compile the binary on Linux and then I'm executing it on Windows:

go build env GOOS=Windows GOARCH=386 file.go

@alexbrainman
Copy link
Member

I wonder if it it not an issue with compilation.

I don't know what the problem is.

I am using the following to compile the binary on Linux and then I'm executing it on Windows:

Same.

Alex

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. OS-Windows
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
5 participants
@toothrot @qmuntal @gopherbot @alexbrainman @KyhleOhlinger