{"id":7653,"date":"2021-01-03T23:31:56","date_gmt":"2021-01-03T23:31:56","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=7653"},"modified":"2021-01-05T11:49:36","modified_gmt":"2021-01-05T11:49:36","slug":"amusingnotification","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2021\/01\/03\/amusingnotification\/","title":{"rendered":"aMus(ing)Notification"},"content":{"rendered":"\n<p><strong>Update<\/strong><\/p>\n\n\n\n<p>Added <em>Dialog_RebootDTU<\/em>, <em>Dialog_RebootForcedDTU, RebootWithUXForceOthers<\/em>, and a few more items that I apparently missed. Thanks to <a href=\"https:\/\/twitter.com\/0gtweet\">@0gtweet<\/a> who spotted some of the missing items, and rebooted his box on the way \ud83d\ude42<\/p>\n\n\n\n<p><strong>Old Post<\/strong><\/p>\n\n\n\n<p>Have you ever got annoyed by this popup?<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_1.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_1.png\" alt=\"\" class=\"wp-image-7654\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_1.png 680w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_1-300x105.png 300w\" sizes=\"(max-width: 680px) 100vw, 680px\" \/><\/a><\/figure>\n\n\n\n<p>I got curious where they come from and after running sysmon I quickly discovered they come from the invocation of <em>MusNotification.exe<\/em> and <em>MusNotificationUx.exe<\/em>.<\/p>\n\n\n\n<p>This one in particular is a launch of:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">MusNotificationUx.exe Dialog_EngagedFourthReminder 0<\/pre>\n\n\n\n<p>The Dialog_xxx is a very unique keyword, so after a quick search I discovered the whole gamut of similar messages hidden inside the <em>UserProcess::GetNotificationCommandLineArguments<\/em> 
routine inside the <em>MusNotification.exe<\/em>:<\/p>\n\n\n\n<ul><li>Dialog_AllowSchedulingFirstReminder<\/li><li>Dialog_AllowSchedulingForcedReminder<\/li><li>Dialog_AllowSchedulingPerAUPolicy<\/li><li>Dialog_AllowSchedulingRebootFailed<\/li><li>Dialog_AllowSchedulingSecondReminder<\/li><li>Dialog_AllowSchedulingThirdReminder<\/li><li>Dialog_AllowSchedulingWarning<\/li><li>Dialog_CantDownloadUpdate<\/li><li>Dialog_CantInstallUpdate<\/li><li>Dialog_DataMigrationFailed<\/li><li>Dialog_DownloadAvailable<\/li><li>Dialog_DownloadNeedUserAgreementPerCTA<\/li><li>Dialog_EngagedFourthReminder<\/li><li>Dialog_EnhancedEngagedAcceptAuto<\/li><li>Dialog_EnhancedEngagedForcedPrecursor<\/li><li>Dialog_EnhancedEngagedForcedWarning<\/li><li>Dialog_EnhancedEngagedRebootFailed<\/li><li>Dialog_EnhancedEngagedRebootImminent<\/li><li>Dialog_EnhancedEngagedRebootReminder<\/li><li>Dialog_EnhancedEngagedSecondRebootReminder<\/li><li>Dialog_ExpeditedReboot<\/li><li>Dialog_InstallNeedEula<\/li><li>Dialog_InstallNeedUserAgreement<\/li><li>Dialog_LowUptime<\/li><li>Dialog_PolicyDeadlineApproaching<\/li><li>Dialog_PolicyDeadlineEngagement<\/li><li>Dialog_PolicyDeadlineRebootFailed<\/li><li>Dialog_PolicyDeadlineRebootImminent<\/li><li>Dialog_PolicyDeadlineUserScheduled<\/li><li>Dialog_RebootActiveHoursForcedReminder<\/li><li>Dialog_RebootActiveHoursForcedWarning<\/li><li>Dialog_RebootActiveHoursImminent<\/li><li>Dialog_RebootActiveHoursUserSelected<\/li><li>Dialog_RebootDTU<\/li><li>Dialog_RebootForcedDTU<\/li><li>Dialog_RebootImminent<\/li><li>Dialog_RebootPolicyEnabledForcedWarning<\/li><li>Dialog_RebootPostponeMgmt<\/li><li>Dialog_RebootWarning<\/li><li>Dialog_ScheduleUpdate<\/li><li>Dialog_ScheduleUpdateFailed<\/li><li>Dialog_SuggestedActiveHours<\/li><\/ul>\n\n\n\n<p>You can pick up any of them and run via a similar invocation using <em>MusNotificationUx.exe<\/em> e.g.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">MusNotificationUx.exe Dialog_CantDownloadUpdate 0<\/pre>\n\n\n\n<figure 
class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_2.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_2.png\" alt=\"\" class=\"wp-image-7655\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_2.png 680w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_2-300x77.png 300w\" sizes=\"(max-width: 680px) 100vw, 680px\" \/><\/a><\/figure>\n\n\n\n<p>and others:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_3.png\" alt=\"\" class=\"wp-image-7656\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_3.png 680w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_3-300x86.png 300w\" sizes=\"(max-width: 680px) 100vw, 680px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_4.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_4.png\" alt=\"\" class=\"wp-image-7657\" width=\"500\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_4.png 680w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2021\/01\/MusNotification_4-300x77.png 300w\" sizes=\"(max-width: 680px) 100vw, 680px\" \/><\/a><\/figure>\n\n\n\n<p>Apart from being a gimmick, these invocations could be a good social engineering add-on to a malware repertoire, and would certainly have added a lot of credibility to rogue antispyware software back in the day. 
<\/p>\n\n\n\n<p>There also seems to be a possibility of a Lolbin, as the invocations of <em>MusNotificationUx.exe<\/em> via <em>MusNotification.exe<\/em> refer to the %SYSTEMROOT% environment variable as opposed to a path retrieved using GetSystemDirectory &#8212; still a questionable programmer&#8217;s choice prevalent in many native OS binaries.<\/p>\n\n\n\n<p>Finally, there is also a whole list of Toast_* invocations, which I have not figured out yet how to execute properly:<\/p>\n\n\n\n<ul><li>Toast_CompatIssue<\/li><li>Toast_DesktopKeepOnReminder<\/li><li>Toast_DownloadNeedMoreSpace<\/li><li>Toast_DownloadNeedUserAgreement<\/li><li>Toast_DownloadNeedUserAgreementPerCTA<\/li><li>Toast_DownloadNeedWifi<\/li><li>Toast_DownloadViaCellularNeedUserAgreement<\/li><li>Toast_EngagedFirstReminder<\/li><li>Toast_EngagedRebootFailed<\/li><li>Toast_EngagedRebootWarning<\/li><li>Toast_EngagedSecondReminder<\/li><li>Toast_EngagedThirdReminder<\/li><li>Toast_EnhancedEngagedRebootReminder<\/li><li>Toast_FailedDiskSpaceCheck<\/li><li>Toast_FairWarningDesktop<\/li><li>Toast_FairWarningLaptop<\/li><li>Toast_FairWarningPolicyNotifyDeadline<\/li><li>Toast_InstallBlocked<\/li><li>Toast_InstallNeedEula<\/li><li>Toast_InstallNeedMoreSpace<\/li><li>Toast_InstallNeedUserAgreementPerAUPolicy<\/li><li>Toast_KeepAliveOnBatteryWarning<\/li><li>Toast_LaptopPlugInReminder<\/li><li>Toast_LowUptime<\/li><li>Toast_MeteredConnection<\/li><li>Toast_NotifyToDownload<\/li><li>Toast_NotifyToInstall<\/li><li>Toast_OOBEDownloadInProgress<\/li><li>Toast_PersistentReadyToReboot<\/li><li>Toast_PolicyDeadlineEngagement<\/li><li>Toast_RebootActiveHoursForcedReminder<\/li><li>Toast_RebootActiveHoursImminent<\/li><li>Toast_RebootNeedUserAgreementPerAUPolicy<\/li><li>Toast_RebootOtherUsers<\/li><li>Toast_RebootReminder<\/li><li>Toast_SuggestedActiveHours<\/li><li>Toast_UpdateFailed<\/li><\/ul>\n\n\n\n<p>Last, but not least, there are some additional options the tool accepts, in 
particular:<\/p>\n\n\n\n<ul><li>RebootWithUXForceOthers<\/li><li>RebootWithUX<\/li><li>ClearActiveNotifications<\/li><li>QueryNotificationState<\/li><li>-Embedding<\/li><li>\/CV &#8211; <a href=\"https:\/\/github.com\/microsoft\/CorrelationVector\">correlation vector<\/a><\/li><li>\/MusUxStateString<\/li><li>\/ToastAction, where the action can be one of these:<ul><li>AlwaysAllowAutoUpdates<\/li><li>DeferRestartInHour<\/li><li>DeferRestartNow<\/li><li>ForcedRemRestartNow<\/li><li>ImmAnotherTime<\/li><li>ImmRestartNow<\/li><li>NotifyRestartNow<\/li><li>OthersPickTime<\/li><li>OthersRestartAnyway<\/li><li>RemPickTime<\/li><li>RemRestartNow<\/li><li>RemSnooze<\/li><li>RestartFailedRetry<\/li><li>RestartTonight<\/li><li>RestartWarningOption<\/li><li>Settings<\/li><li>Setup<\/li><li>SnoozeUx<\/li><li>SuggestedAHConfirm<\/li><li>SuggestedAHDontChange<\/li><li>WarnPickTime<\/li><li>WarnRestartNow<\/li><li>dismiss<\/li><\/ul><\/li><li>eDTERestartTonight<\/li><\/ul>\n\n\n\n<ul><li>\/ToastLaunchTimestamp<\/li><\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update Added Dialog_RebootDTU, Dialog_RebootForcedDTU, RebootWithUXForceOthers, and a few more items that I apparently missed. 
Thanks to @0gtweet who spotted some of the missing items, and rebooted his box on the way \ud83d\ude42 Old Post Have you ever got annoyed by &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2021\/01\/03\/amusingnotification\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,64,67],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7653"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=7653"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7653\/revisions"}],"predecessor-version":[{"id":7663,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/7653\/revisions\/7663"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=7653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=7653"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=7653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}