Today, I was looking at artifacts created by various processes and spotted this intriguing entry:<\/p>\n\n\n\n
- HKLM\\Software\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\<some hash-like looking value><\/li><\/ul>\n\n\n\n
Knowing that Windows programmers love hashes, I was curious what this entry is for, and obviously, how to calculate the hash it refers to.<\/p>\n\n\n\n
A quick test followed for a couple of popular programs, and I got these results:<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/02\/sqm1.png\")
<\/a><\/figure>\n\n\n\nNow that I had a few test values, I looked at the code of ntdll.dll (where I eventually traced the code responsible for these callouts to), and quickly discovered the routine. The hash type used here is known as UHash (I googled the constants used by the algorithm, and this is the name of the function that I found). <\/p>\n\n\n\n
It basically takes the filename of the process (anything that follows the last directory separator), then iterates through it starting from its end (from a file extension), and then each character is upper-cased (Unicode!), and then added to the UHash<\/a> formula. <\/p>\n\n\n\n
You can see the full algo in a script here<\/a>.<\/p>\n\n\n\n
When ran with example process names as in the screenshot above, we get these values:<\/p>\n\n\n\n
- 494A65DD – powershell.exe<\/li>
- 4DA42CDB – calc.exe<\/li>
- DA0C75C2 – cscript.exe<\/li><\/ul>\n\n\n\n
The more troubling question is the meaning of it all. This, I frankly don’t know. There are a couple other keys associated with SQM in the same Registry branch e.g. DisabledSessions<\/em> (under the same node). Googlign around and digging in the ntdll.dll shows that SQM seems to be dependent on Customer Experience settings i.e. CEIPEnable entry described here<\/a>:<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/02\/sqm2.png\")
<\/a><\/figure>\n\n\n\nSo, I guess the DisabledProcesses<\/em> \/ DisabledSession<\/em> entries could be flags that remove _some_ processes from active SQM monitoring (in a more granular way). And all in all, something that we probably want to completely disable via a higher-level CEIPEnable<\/em> value, and others in the same location e.g.:<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/02\/sqm3.png\")
<\/a><\/figure>\n","protected":false},"excerpt":{"rendered":"Today I came across Registry entries that I have not seen being documented anywhere before, so decided to throw a quick & dirty post about it. One of the less known\/understood components of Windows is SQM. SQM stands for “Software … Continue reading