{"id":3655,"date":"2016-06-02T00:20:07","date_gmt":"2016-06-02T00:20:07","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3655"},"modified":"2016-06-02T01:07:25","modified_gmt":"2016-06-02T01:07:25","slug":"beyond-good-ol-run-key-part-40","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/06\/02\/beyond-good-ol-run-key-part-40\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 40"},"content":{"rendered":"<p>And here we are&#8230; another round anniversary&#8230;<\/p>\n<p>To celebrate this special event, I have prepared a special dish for Windows 10 lovers \ud83d\ude42<\/p>\n<p>To inaugurate the celebration:<\/p>\n<ul>\n<li>Create C:\\Program Files\\Internet Explorer\\suspend.dll<\/li>\n<li>Profit<\/li>\n<\/ul>\n<p>Yup. It will launch anytime user starts IE. And when they exit it (the life of a DLL&#8230;).<\/p>\n<p>To continue the festivities:<\/p>\n<ul>\n<li>Create phoneinfo.dll anywhere the PATH points to, or inside the c:\\windows\\system,\u00a0C:\\Windows\\System32\\wbem or on the Desktop &#8211; IE will try really hard to load it:<br \/>\n<a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/06\/phoneinfo.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3656 size-full\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/06\/phoneinfo.png\" alt=\"phoneinfo\" width=\"584\" height=\"172\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/06\/phoneinfo.png 584w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/06\/phoneinfo-300x88.png 300w\" sizes=\"(max-width: 584px) 100vw, 584px\" \/><\/a><\/li>\n<li>Profit<\/li>\n<\/ul>\n<p>Yup. It will launch anytime user starts IE too. And yup, when they exit it too.<\/p>\n<p>It does work for 64-bit processes too.<\/p>\n<p>And the final fanfares&#8230;<\/p>\n<p>When your program crashes on Windows 10, werfault.exe will attempt to load loads of non-existing debugging extensions.:<\/p>\n<ul>\n<li>C:\\Windows\\SYSTEM32\\WINXP\\uext.dll<\/li>\n<li>C:\\Windows\\SYSTEM32\\winext\\uext.dll<\/li>\n<li>C:\\Windows\\SYSTEM32\\winext\\arcade\\uext.dll<\/li>\n<li>C:\\Windows\\SYSTEM32\\pri\\uext.dll<\/li>\n<li>C:\\Windows\\System32\\uext.dll<\/li>\n<li>C:\\Windows\\SYSTEM32\\winext\\arcade\\uext.dll<\/li>\n<li>C:\\Windows\\System32\\uext.dll<\/li>\n<li>C:\\Windows\\SYSTEM32\\WINXP\\ntsdexts.dll<\/li>\n<li>C:\\Windows\\SYSTEM32\\winext\\ntsdexts.dll<\/li>\n<li>C:\\Windows\\SYSTEM32\\winext\\arcade\\ntsdexts.dll<\/li>\n<li>C:\\Windows\\SYSTEM32\\pri\\ntsdexts.dll<\/li>\n<li>C:\\Windows\\System32\\ntsdexts.dll<\/li>\n<li>C:\\Windows\\SYSTEM32\\winext\\arcade\\ntsdexts.dll<\/li>\n<li>C:\\Windows\\System32\\ntsdexts.dll<\/li>\n<\/ul>\n<p><strong>Bonus #1:<\/strong><\/p>\n<p>The phoneinfo.dll DLL seems to be used by a lot of processes (it is actually loaded by urlmon.dll, so lots of processes are affected).<\/p>\n<p><strong>Bonus #2:<\/strong><\/p>\n<p>Cursory analysis of code that is responsible for loading this DLL indicates that it&#8217;s most likely code used on Windows phones-only and it&#8217;s just the DLL is not present on Desktop Windows (yet the code loading the phantom DLL remained). The DLL is responsible for telling the urlmon what Phone Manufacturer and Model to add to one of the internal User Agent strings inside the urlmon library<\/p>\n","protected":false},"excerpt":{"rendered":"<p>And here we are&#8230; another round anniversary&#8230; To celebrate this special event, I have prepared a special dish for Windows 10 lovers \ud83d\ude42 To inaugurate the celebration: Create C:\\Program Files\\Internet Explorer\\suspend.dll Profit Yup. It will launch anytime user starts IE. &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/06\/02\/beyond-good-ol-run-key-part-40\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,46,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3655"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3655"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3655\/revisions"}],"predecessor-version":[{"id":3662,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3655\/revisions\/3662"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}