TPM Windows Key creation - windows

Once Windows has taken ownership of the TPM chip inside my computer, is it still possible to create a persistent key inside it? (Given that I don't have the Owner Password, because Windows throws it away after initializing the TPM.)
Is the Storage Root Key (SRK) created by Windows inside the TPM protected with a PIN code to perform cipher operations? If it is, where is that password stored in Windows?
Thx!

For those who pass by, it is possible.
I did a dual boot with Windows 10 and Ubuntu. I put the excellent tools developed here (tpm2-tools) on the Ubuntu side and I got to insert my own persistent primary key inside the chip.
The funny/weird thing is that I can create that key and make it persistent under Linux (with these tools) and also under EFI with a program that I wrote. But under Windows I can't get it to work. I'm going to ask why in another post.

Related

ProtectedData.Unprotect method throws CryptographicException when different OS is installed on same machine

Our application is installed on a client location. The application uses the ProtectedData.Protect method to protect a key on the client machine and saves the output to a file. Following is the code:
ProtectedData.Protect(sampleHashKey, entropy, DataProtectionScope.LocalMachine);
where entropy is a byte array.
The client has updated the operating system on that machine to Windows Server 2016, backed up the hash key file before doing so, and reinstalled our software, which created a new hash key file. The client then replaced the new hash key file with the backed-up file.
When the software tried to read the file using the unprotect mechanism, with the following code:
ProtectedData.Unprotect(sampleHashKey, entropy, DataProtectionScope.LocalMachine);
a CryptographicException was thrown with the error: Key not valid for use in specified state.
Why has this error occurred even though the file was created on the same machine with DataProtectionScope.LocalMachine?
Will it not work cross-OS on the same machine? Could someone explain the issue to me?

Windows Azure Virtual Machine with Startup Task

Is there a way to add a (parametrized) Startup task to a Windows Azure Virtual Machine through the API? I need to execute a cmdlet after the machine has been started and the code depends on two parameters that will be different for each machine. I know this could be easily achieved for a Web/Worker role, but could it be done for Virtual Machines, as well?
For first-time runs of a VM, you can inject a startup task via CustomData. This works in both Linux and Windows VMs. You'll just need to properly base-64-encode your file (whether it's text or binary) based on the REST API docs.
CustomData is dropped into a file in a specific location, and you can have code that looks for this file, taking some type of startup action as appropriate:
Windows: %SYSTEMDRIVE%\AzureData\CustomData.bin
Linux: /var/lib/waagent/CustomData
Note: This will be added to the CLI as well (the pull request is already available; not sure if it's in the latest build).
EDIT: Yes, customdata is now part of the Azure CLI, as a parameter to azure vm create, so no need to mess with base-64 encoding on your own:
No, currently there is no such feature provided out of the box.
However, given that you will deal with a VM anyway, you can create an image of your own. You can register a "Startup Task" in the RunOnce registry key and sysprep the OS with these settings.
This way you will basically have a startup task which will be executed when your machine boots for the first time and will not be executed on subsequent VM restarts.
Taking parameters into the code for a VM is not as easy as for a Web/Worker Role. For anything you want, you have to query the Azure Management API directly. The only properties you can get from code running on an Azure VM are basically the normal OS properties, i.e. host name and host IP address. You don't even know your cloud service name, nor your Virtual IP Address (this can be discovered via services such as whatismyip.net or similar). So my approach would be to put parameters into Azure Table Storage and use the Machine Name as RowKey. So I can store any VM-specific values based on VM Name. And my "Startup" task would query the Table Storage, providing my host name as RowKey (and some common pattern for the Partition Key), so it gets all required settings.
With IaaS Management Studio you can set a startup script that will run when your VM boots.
In summary, it activates remote PowerShell and runs your script remotely when it detects that the PowerShell port is open.
I am the developer of this tool, but I don't really get what you mean by "parametrized"; in other words, you want your script to have access to the VM info?
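The two approaches above (read the per-VM data the agent drops into CustomData.bin, and register the task under RunOnce so it runs only on the first boot of a sysprepped image) combined in one script. This is an added example, not code from the original answers; it assumes the custom data was uploaded as UTF-8 "key=value" lines and has already been base64-decoded into the file, and Set-MachineConfig is a hypothetical stand-in for the cmdlet the question wants to run.

```powershell
# Added example: first-boot task that reads per-VM parameters from the Azure
# CustomData file and passes them to a cmdlet. Assumes the uploaded custom data
# was UTF-8 "key=value" lines, already base64-decoded by the agent, and that
# Set-MachineConfig (hypothetical) is the cmdlet to run with those parameters.
param([switch]$Register)

$script:CustomDataPath = Join-Path $env:SYSTEMDRIVE 'AzureData\CustomData.bin'
$script:RunOnceKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

function Read-CustomDataParameters {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Custom data not found: $Path" }
    # Decode explicitly: the file is raw bytes without a BOM, so Get-Content would guess.
    $text = [Text.Encoding]::UTF8.GetString([IO.File]::ReadAllBytes($Path))
    $params = @{}
    foreach ($line in ($text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $sep = $line.IndexOf('=')
        if ($sep -lt 1) { throw "Malformed custom data line: '$line'" }
        $params[$line.Substring(0, $sep).Trim()] = $line.Substring($sep + 1).Trim()
    }
    return $params
}

function Register-FirstBootTask {
    # RunOnce values are deleted after they execute, so this runs on the first
    # boot of the sysprepped image only, not on later restarts of the VM.
    $cmd = "powershell.exe -NoProfile -File `"$PSCommandPath`""
    New-Item -Path $script:RunOnceKey -Force | Out-Null
    Set-ItemProperty -Path $script:RunOnceKey -Name 'AzureStartupTask' -Value $cmd
}

if ($Register) { Register-FirstBootTask; return }

$p = Read-CustomDataParameters -Path $script:CustomDataPath
foreach ($name in 'Role', 'Environment') {
    if (-not $p.ContainsKey($name)) { throw "Custom data is missing '$name'" }
}
# Only the two expected keys are forwarded; anything else in the file is ignored.
Set-MachineConfig -Role $p['Role'] -Environment $p['Environment']
```

Run the script once with -Register before capturing the image; at first boot RunOnce launches it without the switch and it consumes the custom data.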

adding registry key for Windows local SYSTEM user

I am somewhat new to registry keys in Windows. What I want to do is add a registry key ONCE that will take effect for the local SYSTEM user (for as long as my program is installed). This registry key will need to be added through a batch file while logged on as a regular user (not the SYSTEM user). What I am doing exactly is running a batch script that creates a Windows service. This service runs as the local SYSTEM user. The service is trying to do something that requires a registry key to be set. I tried manually setting the registry key in HKEY_LOCAL_MACHINE, but I am still hitting the roadblock when my service is run. Is this the correct place to change registry keys so that the local SYSTEM account will see them? Any knowledge on the subject would be greatly appreciated!

Moving Windows 7 encrypted file

I am testing Windows 7 file encryption. A test file was encrypted (I see a green-colored file name). That file was shared across the network and it can still be opened from another station. That green file name is also viewable from the other computer as well. What am I doing wrong? I admit that I don't know the encryption concept yet.
If I moved that file to a shared folder on another computer, a message appeared asking "Confirm encryption loss". How can I copy that file with encryption?
I know the TrueCrypt software, but I am testing with Windows Encryption.
NTFS file encryption uses your password hash to encrypt the file.
If you connect to the file from another computer, you need to supply the user's password, which means the remote computer has the key to decrypt the file.
If you copy the file from the share to the local computer, Windows will save the key on the remote computer.
The whole idea of filesystem encryption is that another user cannot use your encrypted files, nor can someone who gets hold of your hard drive. But if you're logged in, all the running applications that have been executed by you or have access to your token (for example, the SYSTEM user) can access the file without ever knowing it is encrypted on the disk.
Be careful of encryption! Some encryption systems for Windows will automatically encrypt your files/folders for you. This is common in gov't/corporate computers. If you do NOT have this set, and then another user on your computer who DOES have this set accesses your file/folder, the file/folder can get encrypted with that other user's token, and then you won't be able to access your own file/folder!
This actually happened to me last week. Took a whole day to figure it out, because Windows won't tell you WHO encrypted the file, just that it wasn't done with your current token. Aaargh!
(This won't happen if permissions are set to ReadOnly, but in a collaborative environment sometimes permissions aren't set that way.)

Not able to access network drive from VB.NET Windows Service

I have a Windows service developed in VB.NET. This Windows service runs every night at 8 PM and copies a file from my C:\ftpDocs to the Y:\FtpDocs folder.
Y: is a mapped drive which is \\sourceServer\Output files. When I run the same code from a VB.NET Windows application instead of a Windows service, it works absolutely fine. But from the service it throws an access denied error accessing \\sourceServer\Output.
It seems the Windows service runs from C:\windows\system32. For this reason I tried changing the current directory to C:\ftpService (this is the folder where my application is).
To access the mapped drive I provide a user ID and password which are not my Windows user ID and password. Do you think this is the reason why it is not able to access it from the Windows service?
If yes, how is it working from the Windows application? This issue has not gone away for the past month now.
What drives are currently mapped is maintained per user; it'd be a big no-no for me to be able to access files on a share on which you have credentials just because we're both logged on at the same time.
Your service will need to map the share itself using saved credentials of some kind (you could hard-code them, if you like, though that's not terribly secure and represents a maintainability burden besides). A good example of how to do this is here; though I haven't used this code, I've just read the article.
Typically a Windows service runs under an ID whose credentials are not authorized to access files on the network. Try running your Windows service under a domain account which can access the network files. Make sure that this account has access to both the network and local folders/files that it will be reading and writing.
Also, you'll want to use the UNC path, not a mapped drive. The mapped drive won't be mounted for the service.
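The pattern the answers describe (use the UNC path, authenticate to the share from the non-interactive process itself, keep the share password out of the code), shown as an added PowerShell example rather than the VB.NET service from the question (a .NET service does the same thing through WNetAddConnection2 or by running under an account that has access). It assumes the share and folder names from the question and that the credential file was written once, under the same account the task runs as, with `Get-Credential | Export-Clixml C:\ftpService\share.cred`.

```powershell
# Added example (not the original service code): copy a file to the share from a
# non-interactive context the way a service would, via the UNC path and an
# explicit credential instead of a per-user mapped drive letter.
# Assumes \\sourceServer\Output and C:\ftpDocs from the question; the credential
# file was created under the task's own account with Export-Clixml, which
# protects the password with DPAPI for that account on this machine, so the
# file is unreadable to other accounts and no password lives in the script.

$Source    = 'C:\ftpDocs\report.csv'          # constructed file name
$ShareRoot = '\\sourceServer\Output'
$CredFile  = 'C:\ftpService\share.cred'
$LogFile   = 'C:\ftpService\copy.log'

function Copy-ToShare {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Share,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Drive letters belong to the logon session that created them; a service
    # never sees the user's Y:. A PSDrive created in this process authenticates
    # to the UNC path with the supplied credential instead.
    $drive = New-PSDrive -Name FtpOut -PSProvider FileSystem -Root $Share `
                         -Credential $Credential -ErrorAction Stop
    try {
        Copy-Item -LiteralPath $Path -Destination "$($drive.Name):\" -ErrorAction Stop
        return Join-Path $Share (Split-Path $Path -Leaf)
    }
    finally {
        Remove-PSDrive -Name $drive.Name -Force   # do not leave the session mapped
    }
}

try {
    # Import-Clixml fails here if the task runs under a different account than
    # the one that exported the credential, which is the intended behaviour.
    $cred = Import-Clixml -Path $CredFile
    $dest = Copy-ToShare -Path $Source -Share $ShareRoot -Credential $cred
    "$(Get-Date -Format o) copied to $dest" | Out-File -FilePath $LogFile -Append
}
catch {
    "$(Get-Date -Format o) copy failed: $_" | Out-File -FilePath $LogFile -Append
    exit 1
}
```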
