This part is more about archaeology than anything else.
The built-in SHIM database includes a number of test shims, which I will cover below.
On Windows XP, you will find these two:
So, if you happen to name your executable one of these:
- WindowsXPAppsHelpMechanismBlockedTestApp.exe
- WindowsXPAppsHelpMechanismTestApp.exe
you can immediately see their effect after you try to run them on XP:
WindowsXPAppsHelpMechanismBlockedTestApp.exe
WindowsXPAppsHelpMechanismTestApp.exe
On Win7 we got a few more:
- AppsHelpMechanismTestAppBadMsg.exe
- AppsHelpMechanismTestAppBadMsgBlocked.exe
- WindowsXPAppsHelpMechanismBlockedTestApp.exe
- WindowsXPAppsHelpMechanismTestApp.exe
The first one runs with no issues.
The second one is blocked without any indication.
The visible messages are as follows:
WindowsXPAppsHelpMechanismBlockedTestApp.exe
WindowsXPAppsHelpMechanismTestApp.exe
Finally, on Win10 it goes as follows:
- AppsHelpMechanismTestAppBadMsg.exe
- AppsHelpMechanismTestAppBadMsgBlocked.exe
- BlockedTestApp_AMD64.exe
- BlockedTestApp_AMD64_ANY.exe
- BlockedTestApp_WOW64.exe
- BlockedTestApp_X86_AMD64.exe
- BlockedTestApp_X86_ANY.exe
- BlockedTestApp_X86_WOW.exe
- WindowsXPAppsHelpMechanismBlockedTestApp.exe
- WindowsXPAppsHelpMechanismBlockedTestApp2.exe
- WindowsXPAppsHelpMechanismBlockedTestAppSpecific.exe
and visible outputs are:
AppsHelpMechanismTestAppBadMsgBlocked.exe /
BlockedTestApp_WOW64.exe /
BlockedTestApp_X86_AMD64.exe /
BlockedTestApp_X86_ANY.exe /
BlockedTestApp_X86_WOW.exe /
WindowsXPAppsHelpMechanismBlockedTestApp.exe /
WindowsXPAppsHelpMechanismBlockedTestApp2.exe /
WindowsXPAppsHelpMechanismBlockedTestAppSpecific.exe
Okay. That’s it.
Hmm not really… digging through internals of SDB on Windows 10 one more time I gathered the following (and hopefully complete) list of all the the test suite items:
- AppsHelpMechanismTestAppBadMsg.exe
- AppsHelpMechanismTestAppBadMsgBlocked.exe
- BlockedTestApp_AMD64.exe
- BlockedTestApp_AMD64_ANY.exe
- BlockedTestApp_WOW64.exe
- BlockedTestApp_X86_AMD64.exe
- BlockedTestApp_X86_ANY.exe
- BlockedTestApp_X86_WOW.exe
- WICAMockAppReinstallUpgrade.exe
- WICAMockAppReinstallUpgrade2.exe
- WICAMockAppReinstallUpgrade3.exe
- WICAMockAppReinstallUpgradeInfo.exe
- WICAMockAppReinstallUpgradeWarn.exe
- WICAMockAppReinstallUpgradeWarnBackup.exe
- WindowsTH_BlockedSetupTestApp.exe
- WindowsTH_TestApp_HardBlock_FWLink.exe
- WindowsTH_TestApp_HardBlock_KBArticle.exe
- WindowsTH_TestApp_HardBlock_NoInfo.exe
- WindowsTH_TestApp_HardBlock_StoreId.exe
- WindowsTH_TestApp_HardBlock_Wildcard1.exe
- WindowsTH_TestApp_HardBlock_Wildcard2.exe
- WindowsTH_TestApp_SoftBlock_FWLink.exe
- WindowsTH_TestApp_SoftBlock_KBArticle.exe
- WindowsTH_TestApp_SoftBlock_NoInfo.exe
- WindowsTH_TestApp_SoftBlock_StoreId.exe
- WindowsXPAppsHelpMechanismBlockedTestApp.exe
- WindowsXPAppsHelpMechanismBlockedTestApp2.exe
- WindowsXPAppsHelpMechanismBlockedTestAppSpecific.exe
- WindowsXPAppsHelpMechanismTestApp.exe
- WindowsXPAppsHelpMechanismTestApp2.exe
- WindowsXPAppsHelpMechanismTestAppSpecific.exe
So, how could you use it for malicious purposes? I dunno… One thought I have is about emulators. If you created a child process using one of these names (creation of such process should fail by SHIM design), could you use the successful exitcode from that process to detect an emulator?
