
Yet another secret of hosts file

February 18, 2021 in Anti-*, Anti-Forensics, Archaeology, Compromise Detection

In my old post I mentioned not a very well known hosts.ics file. Today I cover one more secret that I stumbled upon while digging inside DNS API internals.

Turns out that dnsapi.dll and dnsrslvr.dll use an internal function called Util_IsRunningOnXboxOne to determine whether the DLL is loaded on an XBOX system. If it is, the paths to the hosts and hosts.ics files are not resolved relative to the directory returned by the GetSystemDirectory API, but are built from the hard-coded XBOX path below:


So, in theory, if you patch the Util_IsRunningOnXboxOne function to return 1 (XBOX), you should be able to redirect local DNS lookups via the hosts(.ics) files to the following paths, respectively:


Last, but not least – in case you don’t know, hosts files can be saved using UTF-8, UTF-16 LE, or UTF-16 BE encoding (the BOM is checked).
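The encoding point matters for anyone scanning hosts files for tampering: a tool that reads the file as ASCII sees NUL-interleaved garbage in a UTF-16 file and reports nothing. The parser below is an added example (not code from the original post) that picks the codec from the BOM the way the resolver does, extracts the address-to-name mappings, and reports any name pointed at something other than a loopback or unspecified address. The sample hosts content, the 203.0.113.7 address and the example.* names are constructed for the demonstration.

```python
"""Parse a Windows hosts file regardless of its encoding.

The resolver accepts hosts/hosts.ics saved as UTF-8, UTF-16 LE or UTF-16 BE
and decides by the BOM. Added example, not code from the original post;
all sample data below is constructed.
"""
import codecs
import ipaddress

# BOM -> (codec, bytes to skip). No BOM is treated as plain UTF-8/ANSI text.
_BOMS = (
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)


def detect_encoding(data: bytes) -> tuple[str, int]:
    """Return (codec, bom_length) chosen from the leading bytes."""
    for bom, codec in _BOMS:
        if data.startswith(bom):
            return codec, len(bom)
    return "utf-8", 0


def parse_hosts(data: bytes) -> list[tuple[str, list[str]]]:
    """Return [(address, [names...]), ...] from raw hosts-file bytes."""
    codec, skip = detect_encoding(data)
    text = data[skip:].decode(codec, errors="replace")
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no name is not a usable mapping
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # skip lines whose first token is not an IP address
        entries.append((parts[0], parts[1:]))
    return entries


def find_redirections(entries):
    """Return (address, name) pairs that send a name to a concrete remote address.

    Loopback and unspecified (0.0.0.0 / ::) targets are the normal content of
    a hosts file; anything else deserves a look.
    """
    flagged = []
    for addr, names in entries:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            continue
        flagged.extend((addr, name) for name in names)
    return flagged


# Constructed sample hosts content, saved in each of the three BOM-marked encodings.
_SAMPLE_TEXT = (
    "# Constructed hosts file for the example\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "0.0.0.0         ads.example.net      # sinkhole, harmless\n"
    "203.0.113.7     update.example.com   # redirected to a remote address\n"
)
SAMPLE_UTF16_LE = codecs.BOM_UTF16_LE + _SAMPLE_TEXT.encode("utf-16-le")
SAMPLE_UTF16_BE = codecs.BOM_UTF16_BE + _SAMPLE_TEXT.encode("utf-16-be")
SAMPLE_UTF8_BOM = codecs.BOM_UTF8 + _SAMPLE_TEXT.encode("utf-8")

if __name__ == "__main__":
    for label, blob in (("UTF-16 LE", SAMPLE_UTF16_LE), ("UTF-16 BE", SAMPLE_UTF16_BE), ("UTF-8", SAMPLE_UTF8_BOM)):
        print(label, find_redirections(parse_hosts(blob)))
```

To run it against a real machine, read the file as bytes (e.g. the path under the directory returned by GetSystemDirectory, plus `drivers\etc\hosts` and `hosts.ics`) and pass the bytes to `parse_hosts`; never open it in text mode with a fixed encoding, which is exactly the mistake the BOM check in the resolver tolerates but a scanner must not make.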


January 3, 2021 in Archaeology, LOLBins, Undocumented Windows Internals


Added Dialog_RebootDTU, Dialog_RebootForcedDTU, RebootWithUXForceOthers, and a few more items that I apparently missed. Thanks to @0gtweet who spotted some of the missing items, and rebooted his box on the way 🙂

Old Post

Have you ever got annoyed by this popup?

I got curious where they come from, and after running Sysmon I quickly discovered that they come from invocations of MusNotification.exe and MusNotificationUx.exe.

This one in particular is a launch of:

MusNotificationUx.exe Dialog_EngagedFourthReminder 0

The Dialog_xxx prefix is a very distinctive keyword, so after a quick search I discovered the whole gamut of similar messages hidden inside the UserProcess::GetNotificationCommandLineArguments routine in MusNotification.exe:

  • Dialog_AllowSchedulingFirstReminder
  • Dialog_AllowSchedulingForcedReminder
  • Dialog_AllowSchedulingPerAUPolicy
  • Dialog_AllowSchedulingRebootFailed
  • Dialog_AllowSchedulingSecondReminder
  • Dialog_AllowSchedulingThirdReminder
  • Dialog_AllowSchedulingWarning
  • Dialog_CantDownloadUpdate
  • Dialog_CantInstallUpdate
  • Dialog_DataMigrationFailed
  • Dialog_DownloadAvailable
  • Dialog_DownloadNeedUserAgreementPerCTA
  • Dialog_EngagedFourthReminder
  • Dialog_EnhancedEngagedAcceptAuto
  • Dialog_EnhancedEngagedForcedPrecursor
  • Dialog_EnhancedEngagedForcedWarning
  • Dialog_EnhancedEngagedRebootFailed
  • Dialog_EnhancedEngagedRebootImminent
  • Dialog_EnhancedEngagedRebootReminder
  • Dialog_EnhancedEngagedSecondRebootReminder
  • Dialog_ExpeditedReboot
  • Dialog_InstallNeedEula
  • Dialog_InstallNeedUserAgreement
  • Dialog_LowUptime
  • Dialog_PolicyDeadlineApproaching
  • Dialog_PolicyDeadlineEngagement
  • Dialog_PolicyDeadlineRebootFailed
  • Dialog_PolicyDeadlineRebootImminent
  • Dialog_PolicyDeadlineUserScheduled
  • Dialog_RebootActiveHoursForcedReminder
  • Dialog_RebootActiveHoursForcedWarning
  • Dialog_RebootActiveHoursImminent
  • Dialog_RebootActiveHoursUserSelected
  • Dialog_RebootDTU
  • Dialog_RebootForcedDTU
  • Dialog_RebootImminent
  • Dialog_RebootPolicyEnabledForcedWarning
  • Dialog_RebootPostponeMgmt
  • Dialog_RebootWarning
  • Dialog_ScheduleUpdate
  • Dialog_ScheduleUpdateFailed
  • Dialog_SuggestedActiveHours

You can pick any of them and run it via a similar invocation of MusNotificationUx.exe, e.g.

MusNotificationUx.exe Dialog_CantDownloadUpdate 0

and others:

Apart from being a gimmick, these invocations could be a good social-engineering add-on to a malware repertoire, and would certainly have added a lot of credibility to rogue antispyware software back in the day.

There also seems to be a possibility of a LOLBin, as the invocations of MusNotificationUx.exe via MusNotification.exe refer to the %SYSTEMROOT% environment variable as opposed to a path retrieved using GetSystemDirectory — still a questionable programmer’s choice prevalent in many native OS binaries.
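Both observations above translate into a detection: the launch chain the author saw in Sysmon is MusNotification.exe starting MusNotificationUx.exe from the system directory with a Dialog_* argument, so a MusNotificationUx.exe launch with a different parent, or an image path outside the real system directory (the %SYSTEMROOT%-derived path resolving somewhere else), is the thing to look at. The script below is an added example, not code from the original post; it replays constructed records in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage) and applies those two checks. The expected directory `C:\Windows\System32`, the parent name, and every path and filename in the sample events are assumptions or constructed values to be tuned to your own baseline.

```python
"""Flag MusNotificationUx.exe launches that do not match the Windows Update chain.

Added example, not code from the original post. SAMPLE_EVENTS are constructed
records shaped like Sysmon Event ID 1 (process creation), not real telemetry.
"""
import ntpath
import re

# Assumptions for a default install; adjust to the observed baseline.
EXPECTED_DIR = r"c:\windows\system32"       # resolved system directory
EXPECTED_PARENT = "musnotification.exe"     # launcher seen in the post's Sysmon trace
TARGET = "musnotificationux.exe"
DIALOG_ARG = re.compile(r"\b(?:Dialog|Toast)_[A-Za-z]+\b")

SAMPLE_EVENTS = [
    {   # legitimate reminder, matching the invocation quoted in the post
        "Image": r"C:\Windows\System32\MusNotificationUx.exe",
        "CommandLine": r"MusNotificationUx.exe Dialog_EngagedFourthReminder 0",
        "ParentImage": r"C:\Windows\System32\MusNotification.exe",
    },
    {   # same binary and argument, but started by an unrelated process (constructed)
        "Image": r"C:\Windows\System32\MusNotificationUx.exe",
        "CommandLine": r"MusNotificationUx.exe Dialog_CantDownloadUpdate 0",
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
    },
    {   # look-alike binary outside the system directory (constructed)
        "Image": r"D:\share\Windows\System32\MusNotificationUx.exe",
        "CommandLine": r"MusNotificationUx.exe Dialog_RebootImminent 0",
        "ParentImage": r"C:\Windows\System32\MusNotification.exe",
    },
    {   # unrelated process; must be ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def review_event(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means it matches the baseline."""
    if _basename(event["Image"]) != TARGET:
        return []
    reasons = []
    if ntpath.dirname(event["Image"]).lower() != EXPECTED_DIR:
        reasons.append(f"image outside expected system directory: {event['Image']}")
    if _basename(event["ParentImage"]) != EXPECTED_PARENT:
        reasons.append(f"unexpected parent: {event['ParentImage']}")
    match = DIALOG_ARG.search(event["CommandLine"])
    if reasons and match:
        # Record which dialog the user was shown; it tells the analyst what
        # the pretext looked like when the chain itself is off.
        reasons.append(f"dialog requested: {match.group(0)}")
    return reasons


def scan(events) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that fails a check."""
    return [(i, review_event(ev)) for i, ev in enumerate(events) if review_event(ev)]


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}:")
        for reason in reasons:
            print(f"  - {reason}")
```

On a real host, feed it the Sysmon events exported from the Microsoft-Windows-Sysmon/Operational log with the same three field names; the parent check is the one most likely to need tuning, since it encodes only the chain the post observed.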

Finally, there is also a whole list of Toast_* invocations, which I have not yet figured out how to execute properly:

  • Toast_CompatIssue
  • Toast_DesktopKeepOnReminder
  • Toast_DownloadNeedMoreSpace
  • Toast_DownloadNeedUserAgreement
  • Toast_DownloadNeedUserAgreementPerCTA
  • Toast_DownloadNeedWifi
  • Toast_DownloadViaCellularNeedUserAgreement
  • Toast_EngagedFirstReminder
  • Toast_EngagedRebootFailed
  • Toast_EngagedRebootWarning
  • Toast_EngagedSecondReminder
  • Toast_EngagedThirdReminder
  • Toast_EnhancedEngagedRebootReminder
  • Toast_FailedDiskSpaceCheck
  • Toast_FairWarningDesktop
  • Toast_FairWarningLaptop
  • Toast_FairWarningPolicyNotifyDeadline
  • Toast_InstallBlocked
  • Toast_InstallNeedEula
  • Toast_InstallNeedMoreSpace
  • Toast_InstallNeedUserAgreementPerAUPolicy
  • Toast_KeepAliveOnBatteryWarning
  • Toast_LaptopPlugInReminder
  • Toast_LowUptime
  • Toast_MeteredConnection
  • Toast_NotifyToDownload
  • Toast_NotifyToInstall
  • Toast_OOBEDownloadInProgress
  • Toast_PersistentReadyToReboot
  • Toast_PolicyDeadlineEngagement
  • Toast_RebootActiveHoursForcedReminder
  • Toast_RebootActiveHoursImminent
  • Toast_RebootNeedUserAgreementPerAUPolicy
  • Toast_RebootOtherUsers
  • Toast_RebootReminder
  • Toast_SuggestedActiveHours
  • Toast_UpdateFailed

Last, but not least, there are some additional options the tool accepts, in particular:

  • RebootWithUXForceOthers
  • RebootWithUX
  • ClearActiveNotifications
  • QueryNotificationState
  • -Embedding
  • /CV – correlation vector
  • /MusUxStateString
  • /ToastAction, where the action can be one of these:
    • AlwaysAllowAutoUpdates
    • DeferRestartInHour
    • DeferRestartNow
    • ForcedRemRestartNow
    • ImmAnotherTime
    • ImmRestartNow
    • NotifyRestartNow
    • OthersPickTime
    • OthersRestartAnyway
    • RemPickTime
    • RemRestartNow
    • RemSnooze
    • RestartFailedRetry
    • RestartTonight
    • RestartWarningOption
    • Settings
    • Setup
    • SnoozeUx
    • SuggestedAHConfirm
    • SuggestedAHDontChange
    • WarnPickTime
    • WarnRestartNow
    • dismiss
  • eDTERestartTonight
  • /ToastLaunchTimestamp