Our software does not attempt to access Winlogon.exe.
Why did I ask Platte that question? I hope you'll bear with me while I give a little background, since that will help in following this discussion. Although my computer expertise is somewhat limited, I do enjoy playing with computers, and my 10 year old PC has been tinkered with primarily so that I can run a choice of operating systems. As a result it contains a stack of hard drives, most of which are also partitioned. My original 13GB drive is still my 'C' drive though, even if it is distinctly temperamental these days. Having more than one hard drive offers other advantages beyond easily being able to install a new OS if the fancy takes me. I'm able to store my personal files on a different drive to the one used by the OS, which means they don't go down if my OS gets corrupted. Most importantly, it means that I can back up files (or entire disks) from one drive to another. If a hard drive were to fail completely, I can entirely restore its content onto a replacement (that's saved my life on a couple of occasions). That's the reason I'm able to switch between running Windows with Platte installed and running it without. I run Windows XP Pro (my main OS) on my C drive, which also has most of the other software I run, but it does not have personal files for any of the User Accounts; my own 'Stephen's Documents', for example, is two hard disks further down on my 'G' drive.
When I installed the Platte software, I created a new User Account specifically for the purpose. That account, including its personal files is entirely on the 'C' drive, as is the Platte software. Since Windows, the Platte files and all the necessary user account files are on the 'C' drive, it should not be necessary for the Platte software to access any of my other disks.
Among the diagnostic utilities I enjoy playing with are several from the wonderful Sysinternals website (linked on my sidebar); it's such a useful site I'll put up a separate post about it in due course. Their 'Process Monitor' utility is probably the definitive tool of its kind: it displays, in real time, every file-system, registry and process/thread operation taking place on the machine, together with which process performed it and whether it succeeded. It quickly becomes a staggeringly long list.
I was running Process Monitor one day for some other reason (but when Platte was on my PC) and I noticed that Platte's main executable file, pm_proc1.exe, was referencing the winlogon.exe file found in the System32 folder at regular intervals (approximately 1 minute apart). So what is winlogon.exe? It's part of Windows, and an important part: it runs the interactive logon. It puts up the logon screen, handles the Ctrl+Alt+Del secure attention sequence, hands your password to the Local Security Authority (lsass.exe) for checking and, once that succeeds, loads your profile and starts your desktop. The passwords themselves are not kept in winlogon.exe (they are stored, as hashes, in the SAM database), and it is the Windows kernel, not winlogon.exe, that enforces the permissions deciding which user may open which file or program. But winlogon.exe is the process that kicks off the logon from which a user's access token is issued, the 'access all areas' pass or the 'upper balcony, rear' one that 'Guest' users get and no more, which is why a third-party program paying it regular attention deserves a second look. Note too that Process Monitor's Operation and Result columns tell you what kind of access it was: a mere query of the file's attributes is not the same as opening it for reading, and a SUCCESS is not the same as an ACCESS DENIED.
Since I didn't really understand why the Platte software should wish to access the file, I asked Platte about this when I sent them a list of queries recently. As you will have seen at the top of this post, their answer was unequivocal; their software "does not attempt to access Winlogon.exe".
Well, here's a screenshot, taken from a process log generated by Process Monitor. Look at sequence number 354571:
I have to admit that the process logs tend to be pretty much at the limit of my computing knowledge and sometimes slightly beyond it. More often than not I can follow a process through easily, but not always. But even with my limited ability in this area it does look as though pm_proc1 is indeed accessing the winlogon.exe file in some way. I don't know why it should do so, but it may well have a link with the following:
At present I have set my PC to start Process Monitor running each time I log in. I have put a filter on the logs, so that it only shows activity by the Platte software (this is an awful lot easier than trawling through a list that may consist of upward of a million actions, believe me). The following screenshots were taken a couple of evenings ago; all the accounts had already displayed billing reminders earlier in the day.
First I opened the account that I had installed Platte in. There is minimal activity (there would be more if a bill were to be displaying, but even then that is easy enough to follow):
Only 6 actions, two clusters of 3, and nothing to be concerned about. I had allowed the log to cover a full 10 minutes since I logged in, and those 6 actions are drawn from a total of 702,099 processor actions (displayed in the bottom left-hand corner of the window).
Next I re-ran the Process Monitor software, and went across and opened my own account. Much more activity; when I returned this is what I saw:
pm_proc1.exe appears to be checking out all my disks, C, F, G, H, I and J (look at the top half of the log). A couple of seconds later (that's a long time in computing terms) it's carrying out another check:
Then it moves on with Registry activity before checking out each partition individually:
And again:
Now we find it looking at winlogon.exe (starting with sequence number 283927):
Now though, we come to the bit that concerns me. The Platte software shows an interest in my personal Documents folder (sequence number 611057 at the top, then 611067):
Now that I certainly don't understand. Why on earth should the Platte software want to show any sort of interest whatever in my Documents folder? Is that why it's referencing the winlogon.exe file?
I have to admit that I don't entirely follow what Platte is attempting to do here. But I do know that the other software I run on my computer hasn't shown any similar unexplained search round my computer, nor any interest in my Documents folder. So why should Platte's?
It seems to me that Platte have some serious explaining to do if those who choose to install their software are to feel entirely safe in doing so. Hopefully they will read this and come up with an explanation.
(31st January): I have now taken a different route into my accounts and got slightly different results. I started this time by going into the account I administer my computer from and got a third sequence (I've adjusted column widths to help with reading all the full paths):
This time the route to the documents folder is significantly quicker (sequence number 199600) and no referencing of the different drives precedes it - there's predominantly registry activity. The Admin Documents folder is three disks down from the C drive. When I subsequently went into the account where Platte had been installed, there was merely the six lines of processing that turned up four days ago. So why does the Platte account not attract the same level of activity from the Platte software?
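Reading screenshots of a filtered log is fine for a handful of events, but the same questions asked above (which drives does the process touch, how often does it come back to winlogon.exe, and does it go anywhere near a Documents folder) can be put to a saved log directly. The Python script below is an added example, not code from the original post or from Platte; it assumes the log was saved from Process Monitor with File > Save as CSV using the default columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"). The rows embedded in it are constructed to resemble the activity described in this post, not copied from the author's logs, and the process name pm_proc1.exe is the one the post gives.

```python
"""Triage a Process Monitor CSV export for one process's interesting accesses.

Added example (not from the original post). Assumes the default CSV columns
that Process Monitor writes with File > Save (CSV). The sample rows below are
constructed for illustration, not taken from a real log.
"""
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export: what a pm_proc1.exe-filtered log might look like,
# plus one explorer.exe row to show the process filter doing its job.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:12:01.0001 PM","pm_proc1.exe","1844","QueryOpen","C:\WINDOWS\system32\winlogon.exe","SUCCESS","FileAttributes: A"
"9:12:01.0002 PM","pm_proc1.exe","1844","RegQueryValue","HKLM\SOFTWARE\Platte\Config","SUCCESS","Type: REG_SZ"
"9:12:03.0100 PM","pm_proc1.exe","1844","QueryInformationVolume","F:","SUCCESS","VolumeSerialNumber: 1234-ABCD"
"9:12:03.0101 PM","pm_proc1.exe","1844","QueryInformationVolume","G:","SUCCESS","VolumeSerialNumber: 5678-EF01"
"9:12:05.4400 PM","pm_proc1.exe","1844","CreateFile","G:\Stephen's Documents","SUCCESS","Desired Access: Read Attributes"
"9:12:05.4401 PM","pm_proc1.exe","1844","QueryDirectory","G:\Stephen's Documents\*","SUCCESS","Filter: *"
"9:12:05.5000 PM","explorer.exe","1200","CreateFile","G:\Stephen's Documents\notes.txt","SUCCESS","Desired Access: Generic Read"
"9:13:01.0001 PM","pm_proc1.exe","1844","QueryOpen","C:\WINDOWS\system32\winlogon.exe","SUCCESS","FileAttributes: A"
'''

# Paths worth flagging, matched case-insensitively against the Path column.
# "documents" catches both XP's "...\My Documents" and a relocated
# "...\Stephen's Documents", but not "C:\Documents and Settings\..." itself.
WATCH = {
    "winlogon": re.compile(r"\\winlogon\.exe$", re.I),
    "documents": re.compile(r"(\\|'s )(my )?documents(\\|$)", re.I),
}
# A bare drive root such as "F:" is what volume-enumeration operations show as Path.
DRIVE_ROOT = re.compile(r"^[A-Z]:\\?$", re.I)


def parse_time(text):
    """Parse ProcMon's 'Time of Day' (e.g. '9:12:01.0001 PM').

    The fractional part can have up to 7 digits in real exports; strptime's
    %f accepts at most 6, so it is truncated.
    """
    hms, rest = text.split(".", 1)
    frac, ampm = rest.split(" ", 1)
    return datetime.strptime(f"{hms}.{frac[:6]} {ampm}", "%I:%M:%S.%f %p")


def triage(csv_text, process_name):
    """Summarise what one process did: volumes touched, watched paths, operations."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Process Name"].lower() == process_name.lower()]
    hits = defaultdict(list)
    for r in rows:
        for label, pattern in WATCH.items():
            if pattern.search(r["Path"]):
                # Keep Operation and Result: a QueryOpen is not a read, and a
                # SUCCESS is not an ACCESS DENIED.
                hits[label].append((r["Time of Day"], r["Operation"], r["Path"], r["Result"]))
    # Gaps between successive winlogon.exe touches, in seconds; the post
    # describes roughly one per minute.
    times = [parse_time(h[0]) for h in hits["winlogon"]]
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "events": len(rows),
        "operations": Counter(r["Operation"] for r in rows),
        "volumes": sorted({r["Path"][0].upper() for r in rows if DRIVE_ROOT.match(r["Path"])}),
        "hits": dict(hits),
        "winlogon_interval_s": intervals,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CSV, "pm_proc1.exe")
    print(f"{report['events']} events; volumes enumerated: {report['volumes']}")
    for label, events in report["hits"].items():
        for when, op, path, result in events:
            print(f"{label:10} {when} {op:22} {result:8} {path}")
    print("seconds between winlogon.exe touches:", report["winlogon_interval_s"])
```

To use it on a real capture, save the filtered log as CSV from Process Monitor, read the file into a string and pass it to triage() with the process name of interest. The output lists every touch of winlogon.exe with its operation and result, every path under a Documents folder, and the drive letters whose roots were queried, which is exactly the set of things a screenshot makes you squint for.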
For those with an interest in such matters, Process Monitor can be downloaded here.
These remaining screenshots follow on from the original sequence and show the activity when my account displays that repeat bill reminder; I find this entirely straightforward and easy to follow:
Comment on this post (particularly technically informed comment) is welcome. Please make it via my email, indicating any linkback URL you would like included.