I was toying around with the Office application MSOXMLED.EXE and noticed it handles URLs. Thanks to that, it can be used to download a file to the Internet cache folder, as shown below:
There are at least two different ways to invoke it:
MSOXMLED.EXE /verb open [URL]
MSOXMLED.EXE /verb [anything] /genverb open [URL]
and the file is being downloaded to the InetCache folder:
The caveat is that it seems to be using Internet Explorer as a proxy, hence iexplore.exe will be spawned. As such, it doesn’t work on systems where IE is removed (thx to @NathanMcNulty for confirming this and reminding me about the two different paths below).
The actual MSOXMLED.EXE binary is located in these two places (64- and 32-bit versions):
MSOXMLED.EXE /verb open file://c:\windows\notepad.exe
does work, but we get a dialog box below (rendering this technique useless):
It could possibly work with some Registry tweaking, but I have not invested time in checking it yet. Another option could be adding another extension handler.
Lame, not very ‘finesse’, but at least documented.
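A detection-side sketch for the two invocation forms above, as an added example that is not part of the original post: it flags process command lines in which MSOXMLED.EXE is given an open verb together with a URL, and separates remote downloads from the file:// case. The function names, the placeholder directory and the example.test URLs are assumptions constructed for illustration.

```python
import re

URL_RE = re.compile(r"^(?:https?|ftp|file)://", re.IGNORECASE)

def split_cmdline(cmdline):
    """Tokenise a Windows command line, honouring double quotes only."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def classify(cmdline):
    """Return (kind, url) when MSOXMLED.EXE is asked to open a URL, else None.

    Matches both forms listed in the post:
      MSOXMLED.EXE /verb open [URL]
      MSOXMLED.EXE /verb [anything] /genverb open [URL]
    """
    tokens = split_cmdline(cmdline)
    # Compare on the file name only, so any install directory matches.
    if not tokens or re.split(r"[\\/]", tokens[0])[-1].lower() != "msoxmled.exe":
        return None
    args = tokens[1:]
    # Value that follows each /verb or /genverb switch, lower-cased.
    verbs = [args[i + 1].lower() for i, a in enumerate(args[:-1])
             if a.lower() in ("/verb", "/genverb")]
    urls = [a for a in args if URL_RE.match(a)]
    if "open" not in verbs or not urls:
        return None
    is_local = urls[0].lower().startswith("file://")
    return ("local-file" if is_local else "remote-download"), urls[0]

# Constructed sample command lines (not captured from a real host).
# "C:\PLACEHOLDER DIR" stands in for the real install path.
SAMPLES = [
    r'MSOXMLED.EXE /verb open https://example.test/sample.xml',
    r'"C:\PLACEHOLDER DIR\MSOXMLED.EXE" /verb foo /genverb open http://example.test/a.bin',
    r'MSOXMLED.EXE /verb open file://c:\windows\notepad.exe',
    r'MSOXMLED.EXE /verb open C:\docs\local.xml',   # no URL scheme: ignored
    r'notepad.exe https://example.test/sample.xml',  # different image: ignored
]

def scan(cmdlines):
    """Return [(index, kind, url)] for every command line that matches."""
    results = ((i, classify(c)) for i, c in enumerate(cmdlines))
    return [(i, *r) for i, r in results if r]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```

The same matching can be applied to the CommandLine field of process-creation telemetry; a remote-download hit is worth correlating with an iexplore.exe start on the same host.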
Added Dialog_RebootDTU, Dialog_RebootForcedDTU, RebootWithUXForceOthers, and a few more items that I apparently missed. Thanks to @0gtweet who spotted some of the missing items, and rebooted his box on the way 🙂
Old Post
Have you ever got annoyed by this popup?
I got curious where they come from, and after running Sysmon I quickly discovered they come from the invocation of MusNotification.exe and MusNotificationUx.exe.
The Dialog_xxx is a very unique keyword, so after a quick search I discovered the whole gamut of similar messages hidden inside the UserProcess::GetNotificationCommandLineArguments routine inside MusNotification.exe:
Dialog_AllowSchedulingFirstReminder
Dialog_AllowSchedulingForcedReminder
Dialog_AllowSchedulingPerAUPolicy
Dialog_AllowSchedulingRebootFailed
Dialog_AllowSchedulingSecondReminder
Dialog_AllowSchedulingThirdReminder
Dialog_AllowSchedulingWarning
Dialog_CantDownloadUpdate
Dialog_CantInstallUpdate
Dialog_DataMigrationFailed
Dialog_DownloadAvailable
Dialog_DownloadNeedUserAgreementPerCTA
Dialog_EngagedFourthReminder
Dialog_EnhancedEngagedAcceptAuto
Dialog_EnhancedEngagedForcedPrecursor
Dialog_EnhancedEngagedForcedWarning
Dialog_EnhancedEngagedRebootFailed
Dialog_EnhancedEngagedRebootImminent
Dialog_EnhancedEngagedRebootReminder
Dialog_EnhancedEngagedSecondRebootReminder
Dialog_ExpeditedReboot
Dialog_InstallNeedEula
Dialog_InstallNeedUserAgreement
Dialog_LowUptime
Dialog_PolicyDeadlineApproaching
Dialog_PolicyDeadlineEngagement
Dialog_PolicyDeadlineRebootFailed
Dialog_PolicyDeadlineRebootImminent
Dialog_PolicyDeadlineUserScheduled
Dialog_RebootActiveHoursForcedReminder
Dialog_RebootActiveHoursForcedWarning
Dialog_RebootActiveHoursImminent
Dialog_RebootActiveHoursUserSelected
Dialog_RebootDTU
Dialog_RebootForcedDTU
Dialog_RebootImminent
Dialog_RebootPolicyEnabledForcedWarning
Dialog_RebootPostponeMgmt
Dialog_RebootWarning
Dialog_ScheduleUpdate
Dialog_ScheduleUpdateFailed
Dialog_SuggestedActiveHours
You can pick any of them and run it via a similar invocation using MusNotificationUx.exe, e.g.
MusNotificationUx.exe Dialog_CantDownloadUpdate 0
and others:
Apart from being a gimmick, these invocations could be a good social engineering add-on to the malware repertoire, and would certainly have added a lot of credibility to rogue antispyware software back in the day.
There also seems to be a possibility of a Lolbin, as the invocations of MusNotificationUx.exe via MusNotification.exe refer to the %SYSTEMROOT% environment variable as opposed to a path retrieved using GetSystemDirectory — still a questionable programmer’s choice prevalent in many native OS binaries.
Finally, there is also a whole list of Toast_* invocations, which I have not figured out yet how to execute properly:
Toast_CompatIssue
Toast_DesktopKeepOnReminder
Toast_DownloadNeedMoreSpace
Toast_DownloadNeedUserAgreement
Toast_DownloadNeedUserAgreementPerCTA
Toast_DownloadNeedWifi
Toast_DownloadViaCellularNeedUserAgreement
Toast_EngagedFirstReminder
Toast_EngagedRebootFailed
Toast_EngagedRebootWarning
Toast_EngagedSecondReminder
Toast_EngagedThirdReminder
Toast_EnhancedEngagedRebootReminder
Toast_FailedDiskSpaceCheck
Toast_FairWarningDesktop
Toast_FairWarningLaptop
Toast_FairWarningPolicyNotifyDeadline
Toast_InstallBlocked
Toast_InstallNeedEula
Toast_InstallNeedMoreSpace
Toast_InstallNeedUserAgreementPerAUPolicy
Toast_KeepAliveOnBatteryWarning
Toast_LaptopPlugInReminder
Toast_LowUptime
Toast_MeteredConnection
Toast_NotifyToDownload
Toast_NotifyToInstall
Toast_OOBEDownloadInProgress
Toast_PersistentReadyToReboot
Toast_PolicyDeadlineEngagement
Toast_RebootActiveHoursForcedReminder
Toast_RebootActiveHoursImminent
Toast_RebootNeedUserAgreementPerAUPolicy
Toast_RebootOtherUsers
Toast_RebootReminder
Toast_SuggestedActiveHours
Toast_UpdateFailed
Last, but not least, there are some additional options the tool accepts, in particular: