In my old post I mentioned the not very well known hosts.ics file. Today I cover one more secret that I stumbled upon while digging inside DNS API internals.
It turns out that dnsapi.dll and dnsrslvr.dll use an internal function called Util_IsRunningOnXboxOne to determine whether the DLL is loaded on an XBOX system. If it is, the path to the hosts and hosts.ics files is not resolved relative to the path retrieved via the GetSystemDirectory API, but by using the hard-coded XBOX path below:
s:\windows\system32
So, in theory, if you patch the Util_IsRunningOnXboxOne function to return 1 (XBOX), you should be able to redirect local DNS requests via hosts(.ics) files to the following paths, respectively:
Last, but not least – in case you don’t know, the hosts files can be saved using UTF-8, UTF-16 LE, and UTF-16 BE encoding (the BOM is checked).
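The encoding point matters when auditing these files: a byte-level search for a hostname finds nothing in a hosts file saved as UTF-16. The following BOM-aware parser is an added example, not code from the original post; the function names, the sample entry and the no-BOM fallback to UTF-8 are assumptions made for illustration.

```python
import codecs

# BOMs for the three encodings the post says are recognised.
BOMS = (
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)


def decode_hosts(raw: bytes) -> tuple[str, str]:
    """Return (encoding, text) for raw hosts-file bytes, chosen by BOM."""
    for bom, encoding in BOMS:
        if raw.startswith(bom):
            return encoding, raw[len(bom):].decode(encoding, errors="replace")
    # Assumption: a file without a BOM is read as plain single-byte text.
    return "no-bom", raw.decode("utf-8", errors="replace")


def parse_hosts(raw: bytes) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs, skipping comments and blank lines."""
    _, text = decode_hosts(raw)
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.extend((fields[0], name.lower()) for name in fields[1:])
    return entries


def audit(raw: bytes, watchlist: set[str]) -> list[tuple[str, str]]:
    """Return the entries that remap any hostname on the watchlist."""
    return [(ip, name) for ip, name in parse_hosts(raw) if name in watchlist]


# Constructed sample: the same override saved in each of the three encodings.
SAMPLE = "# constructed sample\r\n203.0.113.10  update.example.test\r\n"
SAMPLES = {
    "utf-8": codecs.BOM_UTF8 + SAMPLE.encode("utf-8"),
    "utf-16-le": codecs.BOM_UTF16_LE + SAMPLE.encode("utf-16-le"),
    "utf-16-be": codecs.BOM_UTF16_BE + SAMPLE.encode("utf-16-be"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        naive = b"update.example.test" in raw  # what a byte-level grep sees
        print(label, "naive:", naive, "bom-aware:", audit(raw, {"update.example.test"}))
```

The same check should be run over both hosts and hosts.ics, since the post treats them as parallel override files.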
Added Dialog_RebootDTU, Dialog_RebootForcedDTU, RebootWithUXForceOthers, and a few more items that I apparently missed. Thanks to @0gtweet who spotted some of the missing items, and rebooted his box on the way 🙂
Old Post
Have you ever got annoyed by this popup?
I got curious where they come from, and after running Sysmon I quickly discovered they come from the invocation of MusNotification.exe and MusNotificationUx.exe.
Dialog_xxx is a very unique keyword, so after a quick search I discovered the whole gamut of similar messages hidden inside the UserProcess::GetNotificationCommandLineArguments routine inside MusNotification.exe:
Dialog_AllowSchedulingFirstReminder
Dialog_AllowSchedulingForcedReminder
Dialog_AllowSchedulingPerAUPolicy
Dialog_AllowSchedulingRebootFailed
Dialog_AllowSchedulingSecondReminder
Dialog_AllowSchedulingThirdReminder
Dialog_AllowSchedulingWarning
Dialog_CantDownloadUpdate
Dialog_CantInstallUpdate
Dialog_DataMigrationFailed
Dialog_DownloadAvailable
Dialog_DownloadNeedUserAgreementPerCTA
Dialog_EngagedFourthReminder
Dialog_EnhancedEngagedAcceptAuto
Dialog_EnhancedEngagedForcedPrecursor
Dialog_EnhancedEngagedForcedWarning
Dialog_EnhancedEngagedRebootFailed
Dialog_EnhancedEngagedRebootImminent
Dialog_EnhancedEngagedRebootReminder
Dialog_EnhancedEngagedSecondRebootReminder
Dialog_ExpeditedReboot
Dialog_InstallNeedEula
Dialog_InstallNeedUserAgreement
Dialog_LowUptime
Dialog_PolicyDeadlineApproaching
Dialog_PolicyDeadlineEngagement
Dialog_PolicyDeadlineRebootFailed
Dialog_PolicyDeadlineRebootImminent
Dialog_PolicyDeadlineUserScheduled
Dialog_RebootActiveHoursForcedReminder
Dialog_RebootActiveHoursForcedWarning
Dialog_RebootActiveHoursImminent
Dialog_RebootActiveHoursUserSelected
Dialog_RebootDTU
Dialog_RebootForcedDTU
Dialog_RebootImminent
Dialog_RebootPolicyEnabledForcedWarning
Dialog_RebootPostponeMgmt
Dialog_RebootWarning
Dialog_ScheduleUpdate
Dialog_ScheduleUpdateFailed
Dialog_SuggestedActiveHours
You can pick any of them and run it via a similar invocation of MusNotificationUx.exe, e.g.:
MusNotificationUx.exe Dialog_CantDownloadUpdate 0
and others:
Apart from being a gimmick, these invocations could be a good social engineering add-on to a malware repertoire, and would certainly have added a lot of credibility to rogue antispyware software back in the day.
There also seems to be a possibility of a LOLBin, as the invocations of MusNotificationUx.exe via MusNotification.exe refer to the %SYSTEMROOT% environment variable as opposed to the path retrieved using GetSystemDirectory — still a questionable programmer’s choice prevalent in many native OS binaries.
Finally, there is also a whole list of Toast_* invocations, which I have not figured out yet how to execute properly:
Toast_CompatIssue
Toast_DesktopKeepOnReminder
Toast_DownloadNeedMoreSpace
Toast_DownloadNeedUserAgreement
Toast_DownloadNeedUserAgreementPerCTA
Toast_DownloadNeedWifi
Toast_DownloadViaCellularNeedUserAgreement
Toast_EngagedFirstReminder
Toast_EngagedRebootFailed
Toast_EngagedRebootWarning
Toast_EngagedSecondReminder
Toast_EngagedThirdReminder
Toast_EnhancedEngagedRebootReminder
Toast_FailedDiskSpaceCheck
Toast_FairWarningDesktop
Toast_FairWarningLaptop
Toast_FairWarningPolicyNotifyDeadline
Toast_InstallBlocked
Toast_InstallNeedEula
Toast_InstallNeedMoreSpace
Toast_InstallNeedUserAgreementPerAUPolicy
Toast_KeepAliveOnBatteryWarning
Toast_LaptopPlugInReminder
Toast_LowUptime
Toast_MeteredConnection
Toast_NotifyToDownload
Toast_NotifyToInstall
Toast_OOBEDownloadInProgress
Toast_PersistentReadyToReboot
Toast_PolicyDeadlineEngagement
Toast_RebootActiveHoursForcedReminder
Toast_RebootActiveHoursImminent
Toast_RebootNeedUserAgreementPerAUPolicy
Toast_RebootOtherUsers
Toast_RebootReminder
Toast_SuggestedActiveHours
Toast_UpdateFailed
Last, but not least, there are some additional options the tool accepts, in particular: