@m417z
Last active April 26, 2023 05:27
Suspected inconsistency in a Windows update

A Windows update file hash inconsistency

A while ago, I encountered some inconsistencies in Windows update file hashes. Specifically, for several files, the SHA256 hash in the manifest file didn't match the MD5 hash of the file itself. These were some language resource files which I didn't have on my computer, and which I didn't find on VirusTotal. Back then, I didn't research this further.

With one of today's updates, it happened again, this time with a file which I could find on my computer, wfascim_uninstall.mof. I'm not sure whether it's an actual inconsistency or my lack of understanding of the update package format. I'm publishing this in case somebody, possibly from Microsoft, would like to check it out.

If that's a real inconsistency, it's slightly concerning, since I rely on it for Winbindex, and it's not always possible to detect it.

Update details

Attached files

  • arm64_networking-mpssvc-wmi_31bf3856ad364e35_10.0.22000.1880_none_15bf322afdee9314.manifest

    • The manifest file which contains the SHA256 hash of wfascim_uninstall.mof, among other files and hashes.
    • The hash of wfascim_uninstall.mof as stored in the manifest file is zuUBvkUyBxxv4d8pM9mPj8y6SAPeSBdGgIOGwyRa1qc= (base64-encoded).
    • The decoded SHA256 hash is cee501be4532071c6fe1df2933d98f8fccba4803de481746808386c3245ad6a7.
    • The size of the file with this hash is 6870 bytes.
    • VirusTotal link.
  • wfascim_uninstall.mof.xxd

    • The content of the wfascim_uninstall.mof file as stored in the update package. That's not the actual file but a patch delta file.
  • wfascim_uninstall.mof.dd.txt

    • The metadata that was extracted from the wfascim_uninstall.mof patch delta file with the help of DeltaDownloader.
    • The file MD5 hash, according to the metadata, is 9E51833F306F8C5C59BC8F041A9EC1BB.
    • The file size is 6732, which doesn't match the file size of the file with the SHA256 hash from the manifest file.
    • VirusTotal link.
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0" copyright="Copyright (c) Microsoft Corporation. All Rights Reserved.">
<assemblyIdentity name="Networking-MPSSVC-WMI" version="10.0.22000.1880" processorArchitecture="arm64" language="neutral" buildType="release" publicKeyToken="31bf3856ad364e35" versionScope="nonSxS" />
<dependency discoverable="no" resourceType="Resources">
<dependentAssembly dependencyType="prerequisite">
<assemblyIdentity name="Networking-MPSSVC-WMI.Resources" version="10.0.22000.1880" processorArchitecture="arm64" language="*" buildType="release" publicKeyToken="31bf3856ad364e35" versionScope="nonSxS" />
</dependentAssembly>
</dependency>
<file name="wfascim.dll" destinationPath="$(runtime.wbem)\" sourceName="wfascim.dll" importPath="$(build.nttree)\" sourcePath=".\">
<securityDescriptor name="WRP_FILE_DEFAULT_SDDL" />
<asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:Transforms>
<dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
<dsig:DigestValue>cDI8ERynzpWoJiXKQee15pCOxjderhmmHw6hepPnrDQ=</dsig:DigestValue>
</asmv2:hash>
</file>
<file name="wfascim.mof" destinationPath="$(runtime.wbem)\" sourceName="wfascim.mof" importPath="$(build.nttree)\" sourcePath=".\">
<securityDescriptor name="WRP_FILE_DEFAULT_SDDL" />
<asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:Transforms>
<dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
<dsig:DigestValue>m6gm7Z8wnxmH+fzggNS7Pr9DA3tMMljyKe7u0qBHgCQ=</dsig:DigestValue>
</asmv2:hash>
</file>
<file name="wfascim_uninstall.mof" destinationPath="$(runtime.wbem)\" sourceName="wfascim_uninstall.mof" importPath="$(build.nttree)\" sourcePath=".\">
<securityDescriptor name="WRP_FILE_DEFAULT_SDDL" />
<asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:Transforms>
<dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
<dsig:DigestValue>zuUBvkUyBxxv4d8pM9mPj8y6SAPeSBdGgIOGwyRa1qc=</dsig:DigestValue>
</asmv2:hash>
</file>
<mof name="$(runtime.wbem)\wfascim.mof" uninstallmof="$(runtime.wbem)\wfascim_uninstall.mof" />
<registryKeys>
<registryKey keyName="HKEY_CLASSES_ROOT\CLSID\{227C5B36-F148-4B4B-AEC1-943E394D9885}">
<registryValue name="" valueType="REG_SZ" value="Microsoft Windows Firewall WMI Provider" />
<securityDescriptor name="WRP_KEY_DEFAULT_SDDL" />
</registryKey>
<registryKey keyName="HKEY_CLASSES_ROOT\CLSID\{227C5B36-F148-4B4B-AEC1-943E394D9885}\InprocServer32\">
<registryValue name="" valueType="REG_EXPAND_SZ" value="%systemroot%\system32\wbem\wfascim.dll" />
<registryValue name="ThreadingModel" valueType="REG_SZ" value="Both" />
</registryKey>
</registryKeys>
<trustInfo>
<security>
<accessControl>
<securityDescriptorDefinitions>
<securityDescriptorDefinition name="WRP_KEY_DEFAULT_SDDL" sddl="O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:P(A;CI;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;CI;GR;;;SY)(A;CI;GR;;;BA)(A;CI;GR;;;BU)(A;CI;GR;;;S-1-15-2-1)(A;CI;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)" operationHint="replace" />
<securityDescriptorDefinition name="WRP_FILE_DEFAULT_SDDL" sddl="O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:P(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;GRGX;;;BA)(A;;GRGX;;;SY)(A;;GRGX;;;BU)(A;;GRGX;;;S-1-15-2-1)(A;;GRGX;;;S-1-15-2-2)S:(AU;FASA;0x000D0116;;;WD)" operationHint="replace" description="Default SDDL for Windows Resource Protected file" />
</securityDescriptorDefinitions>
</accessControl>
</security>
</trustInfo>
</assembly>
### Header
FileTime: 21.07.2017 23:20:20
Version: 245
Code: Raw
Flags: DELTA_FLAG_IGNORE_FILE_SIZE_LIMIT, DELTA_FLAG_IGNORE_OPTIONS_SIZE_LIMIT
TargetSize: 6732
HashAlgorithm: CALG_MD5
Hash: 9E51833F306F8C5C59BC8F041A9EC1BB
$ xxd wfascim_uninstall.mof
00000000: af58 edd2 5041 3330 0012 8beb 7702 d301 .X..PA30....w...
00000010: b07e 4000 0043 260d 1c00 1402 9e51 833f .~@..C&......Q.?
00000020: 306f 8c5c 59bc 8f04 1a9e c1bb 0117 b703 0o.\Y...........
00000030: 0061 4483 3400 9081 00 .aD.4....
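
The cross-check described above can be reproduced from the values on this page. This is an added example, not part of the original gist or of DeltaDownloader: it decodes the manifest digest, reads the byte-aligned start of the delta header from the dump, locates the MD5 inside it, and compares a local file against both records. The function names are hypothetical; the header layout (4 leading bytes, the `PA30` signature, a little-endian FILETIME) is read off the dump, and the leading 4 bytes are left uninterpreted.

```python
import base64
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# Values copied from the page (manifest, DeltaDownloader output, xxd dump).
MANIFEST_DIGEST_B64 = "zuUBvkUyBxxv4d8pM9mPj8y6SAPeSBdGgIOGwyRa1qc="
DELTA_MD5_HEX = "9E51833F306F8C5C59BC8F041A9EC1BB"
DELTA_TARGET_SIZE = 6732
DELTA_BYTES = bytes.fromhex("""
    af58 edd2 5041 3330 0012 8beb 7702 d301
    b07e 4000 0043 260d 1c00 1402 9e51 833f
    306f 8c5c 59bc 8f04 1a9e c1bb 0117 b703
    0061 4483 3400 9081 00
""")

def manifest_digest_hex(b64_value):
    """Decode a manifest <dsig:DigestValue> and insist on a 32-byte SHA-256."""
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("not a SHA-256 digest: %d bytes" % len(raw))
    return raw.hex()

def delta_filetime(blob):
    """Return the FILETIME that follows the 'PA30' signature, as UTC.

    The fields after the FILETIME are not byte-aligned and are not parsed
    here; DeltaDownloader's output is used for those.
    """
    if blob[4:8] != b"PA30":
        raise ValueError("PA30 signature not found at offset 4")
    (ticks,) = struct.unpack_from("<Q", blob, 8)  # 100 ns units since 1601
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=ticks // 10)

def digest_offset(blob, hex_digest):
    """Offset of the raw digest bytes inside the delta header, or -1."""
    return blob.find(bytes.fromhex(hex_digest))

def check_candidate(data, sha256_hex, md5_hex, target_size):
    """Report which of the two update-package records a local file matches."""
    return {
        "manifest_sha256": hashlib.sha256(data).hexdigest() == sha256_hex.lower(),
        "delta_md5": hashlib.md5(data).hexdigest() == md5_hex.lower(),
        "delta_size": len(data) == target_size,
    }
```

Passing the bytes of a local wfascim_uninstall.mof to `check_candidate` together with `manifest_digest_hex(MANIFEST_DIGEST_B64)`, `DELTA_MD5_HEX` and `DELTA_TARGET_SIZE` shows whether that copy agrees with the manifest, with the delta metadata, or with neither.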