Forum Thread: WinSxS folder

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Microsoft
And, this specific program:
Microsoft Windows XP Professional

This thread has been marked as locked.
dmitriy1980 WinSxS folder
Member 9th Sep, 2009 01:43
Ranking: 0
Posts: 5
User Since: 28th Dec, 2007
System Score: N/A
Location: N/A
Lately Secunia PSI started complaining about 2 separate files which are located under C:\WINDOWS\WinSxS folder. After doing some research I found out that this is a needed folder and will always grow. (Some people have tens of GB occupied by the content of this folder). The only thing I don't understand is that all the resources are stating that this is a new concept of componentization that Microsoft created for Windows Vista and up. I'm on Windows XP; so, why do I have such a folder and is it safe to remove it? If not, how can I avoid PSI marking these 2 specific files as Insecure? I'm looking for an alternative suggestion to creating an 'Ignore Rule' under Settings.

pengwyn RE: WinSxS folder
Member 9th Sep, 2009 09:13
Score: 5
Posts: 24
User Since: 6th Mar 2009
System Score: N/A
Location: Sacramento, N/A
Last edited on 9th Sep, 2009 09:39
What two files are they?

Sounds like they are not updated.

I read your post, and I checked in my C:\WINDOWS\WinSxS\
And I see like backup copies of xml, c and cpp runtimes, gdi

Looks from just the way it's laid out, like we need the folder in my opinion.

On a side note,
I remember the gdi+ exploit, on a whim I fired up the SANS GDIScan program and found a boatload of vulnerable gdiplus.dll's (crazy I thought I was hella patched) but none of the ones in the WinSxS dir were vulnerable for me. And for anyone reading, I used these files in the WinSxS dir to patch what was in the GDIScan results.

My Wishlist: Be neat to see a clone of the SANS gdiscan built into PSI.

I would bet there are other runtimes in WinSxS which are on systems in applications and programs in non-standard subdirectories and have a version which is vulnerable. For example, SnagIt had a gdiplus.dll.
I would be guessing with gdiscan as a comparison. Anyway, if the goal is to be secure, this would expedite bad runtime files. It's funny how the gdi plus exploit died down. But did it really go away?


Back to your question though, I wouldn't suggest deleting this folder without expecting to potentially have to reload all my runtimes again. If you're going to do it, clone or back up your system first.
Maurice Joyce RE: WinSxS folder
Handling Contributor 9th Sep, 2009 10:06
Score: 11569
Posts: 8,888
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 9th Sep, 2009 10:08
I cannot explain the use of the SxS folder any better than @tmalomas has done on another thread. He wrote:

"It may help to explain the purpose of the winsxs folder.

The 'sxs' in the folder name is short for 'side by side'. It is the means by which Windows allows several different versions of a library to be installed simultaneously.

Imagine I have two applications, A and B, both of which use a library L. A needs L version 1. B needs L version 2. If I were to update the library to version 2 in order to run B I run the risk of breaking A.

If L version 1 is installed in the winsxs folder and L version 2 directly in the Windows folder, A can continue to use Lv1 while B uses Lv2. The structure of winsxs is actually more complicated, but the detail isn't relevant to the problem described.

It is important to realise that Windows Update does not, and should not, update libraries in this folder because this might break application A."


As I proved in another thread, U can successfully remove items from the SxS folder that may be deemed insecure but I do urge caution.

Tinkering with MSXML/NetFramework/SxS folder without fully understanding the interactions with other elements or legacy issues could prove troublesome.

Edit.
If U post the paths to the 2 troublesome files it may help with the investigation.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
dmitriy1980 RE: WinSxS folder
Member 10th Sep, 2009 03:31
Score: 0
Posts: 5
User Since: 28th Dec 2007
System Score: N/A
Location: N/A
@Maurice: I understand the concept. But as I understand this was done for Win Vista and up, I'm still on XP.

I reran the scan and those 2 don't show up anymore.
TNO821 RE: WinSxS folder
Member 10th Sep, 2009 10:46
Score: 0
Posts: 5
User Since: 16th May 2009
System Score: N/A
Location: N/A
WinSxS is not new for Vista...it predates Vista by about 5 years. It was new for Windows XP, but the folder doesn't exist until you install something that uses it.

WinSxS was designed as a better way to allow applications to use different versions of shared files. Prior to Side-by-Side sharing, Windows 2000 (and Windows 98 Second Edition and Windows ME) used something known as .LOCAL isolation (with Windows Installer .msi installations, this .LOCAL is known as "Isolated Components"). If you ever look into an application's folder and notice a .LOCAL file, it's making use of .LOCAL isolation. For example, I use Ulead DVD Movie Factory for creating high quality Blu-ray AVCHD discs (it doesn't re-encode and reduce video quality the way many other products do...I tend to use Nero for other disc types) and I see a file named DVDMF.exe.local.

The DVDMF.exe.local file tells Windows 98 Second Edition or newer to look into the same folder for any needed .DLL, .OCX, or .EXE files. This allows Ulead to place the exact versions of all required files into this directory and not worry about any updates I might make to common folders such as C:\Windows\ or C:\Windows\System32\. If a needed file isn't found in the same folder, Windows resorts to normal search order to find it (often locating the file in a common folder such as System32).

One of the problems of this older .LOCAL approach is the sheer number of files that could be scattered all over your hard drive. If all of your applications were to use .LOCAL, you'd have many different versions of various .DLL and .OCX files all over your C:\Program Files\ application folders. This is both a waste of space as well as a potential security risk.

Windows Side-by-Side sharing (WinSxS) solves the space issue by creating strongly named folders for each version of a .DLL or .OCX file (I have one named "x86_netfx-wminet_utils_dll_b03f5f7f11d50a3a_6.0.6000.16386_none_735d77df7a16028b"). The term "strongly named" just means that there's a unique identifier in the name to avoid any confusion. You could have dozens of applications that need a particular version of a file, and have it installed only once under the WinSxS folder. So it's much nicer with hard drive space than the old .LOCAL approach.

WinSxS is also better than .LOCAL in regards to security. If a really nasty bug is discovered, you only need to patch the file in one place (under the WinSxS folder), rather than find potentially dozens of copies scattered all across your C:\Program Files\ application folders.

As far as Secunia goes, I guess the real question is should we be changing the files under the WinSxS folder? Technically it defeats the purpose of the WinSxS folder (since we'd be messing with the version of the files...any change to a file has the potential to break an application that depends on it). But if the security vulnerability is severe, allowing for remote code execution for example, then I would recommend replacing the file with a newer patched version.
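The folder-name layout TNO821 describes above, as an added example (not part of any post in this thread and not Secunia's code): it splits WinSxS folder names into their identity fields, lists which versions of each assembly sit side by side, and flags folders older than a baseline the caller supplies. The field layout is read off the folder name quoted in the post; `Example.Runtime`, its token, the hashes and the baseline version are constructed values.

```python
import re
from collections import defaultdict

# Layout: <arch>_<name>_<publicKeyToken>_<version>_<culture>_<hash>
# The assembly name may itself contain underscores, so the fixed-shape
# fields on the right anchor the match.
SXS_DIR = re.compile(
    r"^(?P<arch>[^_]+)_(?P<name>.+)_(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+(?:\.\d+){3})_(?P<culture>[^_]+)_(?P<hash>[0-9a-f]+)$",
    re.IGNORECASE,
)

def parse_sxs_dir(dirname):
    """Split one WinSxS folder name into identity fields, or return None."""
    m = SXS_DIR.match(dirname)
    if m is None:
        return None  # not an assembly folder, e.g. a manifest sub folder
    fields = m.groupdict()
    fields["name"] = fields["name"].lower()
    fields["version"] = tuple(int(p) for p in fields["version"].split("."))
    return fields

def group_versions(dirnames):
    """Map (arch, name, token, culture) -> sorted list of installed versions."""
    groups = defaultdict(set)
    for f in filter(None, map(parse_sxs_dir, dirnames)):
        key = (f["arch"], f["name"], f["token"].lower(), f["culture"])
        groups[key].add(f["version"])
    return {k: sorted(v) for k, v in groups.items()}

def below_baseline(dirnames, baseline):
    """Return folders whose version is older than baseline[assembly name]."""
    stale = []
    for d in dirnames:
        f = parse_sxs_dir(d)
        if f and f["name"] in baseline and f["version"] < baseline[f["name"]]:
            stale.append(d)
    return stale

# Constructed sample listing; only the first name comes from the thread.
SAMPLE = [
    "x86_netfx-wminet_utils_dll_b03f5f7f11d50a3a_6.0.6000.16386_none_735d77df7a16028b",
    "x86_Example.Runtime_0123456789abcdef_8.0.100.1_x-ww_aaaaaaaa",
    "x86_Example.Runtime_0123456789abcdef_8.0.200.5_x-ww_bbbbbbbb",
    "Manifests",
]

if __name__ == "__main__":
    for key, versions in group_versions(SAMPLE).items():
        print(key, versions)
    print(below_baseline(SAMPLE, {"example.runtime": (8, 0, 200, 0)}))
```

On a real system the input list would come from listing the WinSxS directory instead of `SAMPLE`.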
dmitriy1980 RE: WinSxS folder
Member 10th Sep, 2009 15:28
Score: 0
Posts: 5
User Since: 28th Dec 2007
System Score: N/A
Location: N/A
Thanks for the response. I've used Win XP every single day at work and home for the past 7 years and I've never seen a .LOCAL extension and have never seen the WinSxS folder either. It says that this folder was created 8/7/2009. I've not reinstalled the system nor have I installed any new software. All I do is get Windows Updates. So, it must have come through it.
TNO821 RE: WinSxS folder
Member 10th Sep, 2009 15:37
Score: 0
Posts: 5
User Since: 16th May 2009
System Score: N/A
Location: N/A
Last edited on 10th Sep, 2009 15:38
Yeah, Windows Update or Microsoft Update is the likely source. Microsoft just updated the C++ runtimes (2005 and 2008 versions) to patch a vulnerability. I'm 99% sure their new versions use WinSxS.

You could check the Windows Update log and see if it installed new updates on the date that the WinSxS folder was created.
dmitriy1980 RE: WinSxS folder
Member 10th Sep, 2009 15:42
Score: 0
Posts: 5
User Since: 28th Dec 2007
System Score: N/A
Location: N/A
Yes, there's data for 8/7/09, but none of it references WinSxS. So, like I said, this seems like a new concept for XP as it was created last month. As a matter of fact I just checked my work computer and it has an 8/7/09 create date for this folder as well.

What's interesting is that this is not a Patch Tuesday when Microsoft deployed Windows Updates.
Maurice Joyce RE: WinSxS folder
Handling Contributor 11th Sep, 2009 01:45
Score: 11569
Posts: 8,888
User Since: 4th Jan 2009
System Score: N/A
Location: UK
The differences with the alleged dates for the XP SxS creation are interesting.

I have had this folder installed since 21 March 2008 which was the last time I did a clean XP install.

The Manifest & Policy sub folders also show that date. As would be expected, there are various other dates not least VC80 & VC90 which I manually updated to cure the reported ATL insecurities on 3 Sept 2009.

So many hot fixes were installed on 21st March which makes it difficult to ascertain exactly which fix installed it. I suspect C++ 2005.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Slamgeden RE: WinSxS folder
Member 11th Sep, 2009 09:14
Score: 0
Posts: 181
User Since: 17th Jul 2009
System Score: N/A
Location: N/A
What are the exact files detected?

--
Assorted Fnords.
Maurice Joyce RE: WinSxS folder
Handling Contributor 11th Sep, 2009 10:36
Score: 11569
Posts: 8,888
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Why do U want to know what files are detected? That has got nothing to do with this thread. What we are trying to establish is the pros & cons of the SxS folder being used by Windows XP.

The SxS folder is full of files - which one are U interested in?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Slamgeden RE: WinSxS folder
Member 14th Sep, 2009 08:29
Score: 0
Posts: 181
User Since: 17th Jul 2009
System Score: N/A
Location: N/A
Since Secunia seems to have fixed the issue with multiple file detection, they could likely fix this as well if we/I file a bug report with the files being detected more than once, or in the WinSxS folder. That was my idea. ;)

--
Assorted Fnords.
Maurice Joyce RE: WinSxS folder
Handling Contributor 14th Sep, 2009 10:57
Score: 11569
Posts: 8,888
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Being a long time user I was not aware Secunia ever had a multiple scan problem.

In this instance they have withdrawn the scanning of the SxS folder pending further investigation.

The SxS (side by side) folder by default does have duplicates - that is not a secret. What Secunia are investigating is how to present the results & safe removal if that is necessary.

That still has nothing to do with this thread. What is being asked is how/when did this folder (SxS) appear in XP. It was created for Vista.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
TNO821 RE: WinSxS folder
Member 16th Sep, 2009 12:04
Score: 0
Posts: 5
User Since: 16th May 2009
System Score: N/A
Location: N/A
I wish the Vista WinSxS myth would stop being perpetuated.
WinSxS was not new for Vista. It was created for Windows XP. The folder doesn't show up until you install something that makes use of it. A simple Google search reveals people discussing it years before Vista appeared.
dmitriy1980 RE: WinSxS folder
Member 17th Sep, 2009 01:19
Score: 0
Posts: 5
User Since: 28th Dec 2007
System Score: N/A
Location: N/A
@TNO821: please provide an example. I've used XP for years and it appeared only last month.
TNO821 RE: WinSxS folder
Member 17th Sep, 2009 01:34
Score: 0
Posts: 5
User Since: 16th May 2009
System Score: N/A
Location: N/A
Last edited on 17th Sep, 2009 01:55
Okay, here's a WinSxS discussion from Jan 2005 (Vista wasn't released until Jan 2007):
http://www.pcreview.co.uk/forums/thread-432684.php

Just to be clear, Windows XP has always had the ability to use these Side-by-Side win32 assemblies. It was a new capability of Windows XP and could have been utilized since the day it was released in Oct 2001.

Very few developers make use of it but you can tell it's beginning to catch on, as evidenced by more people noticing the WinSxS folder.

And there's a very good reason no developer would use this when Windows XP was initially released: Windows 2000, Windows Me, Windows 98FE and SE and even Windows 95 were still supported by many software companies back in 2001. None of these older operating systems can use the Side-by-Side assemblies. Only Windows XP and newer can use them, thus it took several years for any developers to seriously consider using them. Once their product required Windows XP or newer, they could safely make use of Side-by-Side assemblies.

