SwiftOnSecurity @swiftonsecurity.com

Phase 1: "We do not support running in a virtual machine" was the message shown to 5 senior staff doing a very expensive certification test. They went to the test operator's website and downloaded a package to run that would do the testing on their machine. Their physical company laptop.

jul 24, 2025, 2:01 am • 46 1

Replies

SwiftOnSecurity @swiftonsecurity.com

So why was the test software detecting a virtual machine? First, why is it asking? It's because a virtual machine running inside another cannot be locked down to just the test interface. There was someone proctoring the test and this would let you browse the web and cheat the test when they're not looking.

jul 24, 2025, 2:03 am • 46 0
SwiftOnSecurity @swiftonsecurity.com

Why did it detect the company laptop as a virtual machine? We're not getting into that, but it's something I built and deploy. Unfortunately, it means all programs think your computer is a virtual machine. But we can't have that. Unfortunately, this was not designed to ever be removed...

jul 24, 2025, 2:13 am • 47 0
SwiftOnSecurity @swiftonsecurity.com

The staff are at a hotel at an event. They can only do this test under a proctor, do not have personal laptops with them, and are running out of time. And their machines are all littered with signals, only one of which the test software needs to convict them. I need to reverse this. Somehow.

jul 24, 2025, 2:15 am • 46 0
SwiftOnSecurity @swiftonsecurity.com

How this is deployed I can't get into but it's very, very convoluted to simply override or even then reverse. I spend 40 on that. It's not working, for other complicated reasons involving Notepad++ and XML syntax. Going to have to have the users reverse out the most likely signals as local admin.

jul 24, 2025, 2:18 am • 45 0
SwiftOnSecurity @swiftonsecurity.com

Eliding all the more prominent signal removals which don't help, we get into "HKLM\HARDWARE". For context, you can do Windows professionally for 30 years and never touch this or know what it's for. There's quite simply literally no reason for you to ever be here. Unless you're doing devious shit...

jul 24, 2025, 2:21 am • 60 1
Yes *that* Matt Trumpets @mattpt55.bsky.social

Lol I am none of those but I saw that and thought RegEdit immediately...

jul 24, 2025, 2:38 am • 0 0
SwiftOnSecurity @swiftonsecurity.com

I walk the users haphazardly through the basics of using RegEdit and what to remove. We are against the fucking clock, I'm spamming out stuff I developed years ago. Unfortunately, a line wraps on a text chat. And a user deletes a major superseding registry key instead of a subkey. Then they reboot.

jul 24, 2025, 2:23 am • 55 0
SwiftOnSecurity @swiftonsecurity.com

Part of my calculation for the actual great danger I was putting these users' machines in is that Windows is designed to suffer a mistake in this area. Its recovery model explicitly covers this and has since Windows XP. So I was a bit cavalier, trading clarity for expeditiousness. But it needs something.

jul 24, 2025, 2:27 am • 42 0
SwiftOnSecurity @swiftonsecurity.com

And what it needs are prior recovery states. For some reason, this user's machine has no registry backups or restore points. It boots, you see the little wheel, then a perfect black screen. No worries. Just trigger a recovery menu with two aborted boots with the power button. But it doesn't work.

jul 24, 2025, 2:29 am • 46 0
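The two failure modes in the posts above (a subkey deletion that took out its parent key, and a machine with no restore points or registry backups to recover from) are what a defender should check and guard against before touching anything under HKLM\HARDWARE. The script below is an added example, not SwiftOnSecurity's tooling or the actual signal it deploys: it reports the recovery state, exports the parent key with reg.exe before any change, and then removes only the named subkey with a confirmation prompt. It assumes Windows PowerShell 5.1 run elevated, and `$Target` is a constructed placeholder path, not a real VM signal.

```powershell
# Added example: check recovery state, back up the parent key, then remove
# one exact subkey. $Target is a placeholder; the thread names no real subkey.
$Target = 'HKLM:\HARDWARE\DESCRIPTION\System\EXAMPLE_SUBKEY'   # placeholder, not a real signal

# 1. Is there anything to fall back on? Restore points, the RegBack hive
#    copies, and the periodic hive backup switch (off by default since
#    Windows 10 1803, which is why a machine can have no registry backups).
$restorePoints = Get-ComputerRestorePoint -ErrorAction SilentlyContinue
$regBackDir    = Join-Path $env:SystemRoot 'System32\config\RegBack'
$regBackFiles  = Get-ChildItem $regBackDir -ErrorAction SilentlyContinue | Where-Object Length -gt 0
$cmKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager'
$periodic      = Get-ItemProperty $cmKey -Name EnablePeriodicBackup -ErrorAction SilentlyContinue

"Restore points:       $(@($restorePoints).Count)"
"RegBack hive files:   $(@($regBackFiles).Count)"
"Periodic hive backup: $(if ($periodic.EnablePeriodicBackup -eq 1) { 'enabled' } else { 'disabled' })"

# 2. Export the PARENT key first, so even a wrong deletion one level up can
#    be put back with 'reg import <file>' from safe mode.
$parent  = Split-Path $Target -Parent
$regPath = $parent -replace '^HKLM:\\', 'HKLM\'
$export  = Join-Path $env:TEMP ('hardware-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $regPath $export /y | Out-Null
if (-not (Test-Path $export)) { throw "Export of $regPath failed; refusing to modify $Target" }
"Parent key $regPath exported to $export"

# 3. Remove only the exact subkey. -Recurse is scoped to $Target itself;
#    -Confirm forces the operator to read the full path before it goes.
if (Test-Path $Target) {
    Remove-Item -Path $Target -Recurse -Confirm
    "Removed $Target (backup: $export)"
} else {
    "Nothing to remove: $Target does not exist"
}
```

If the first block reports zero restore points and zero RegBack files, that is the point to stop and create a restore point (Checkpoint-Computer) before step 3, since there is otherwise nothing for the two-failed-boots recovery path to roll back to.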
SwiftOnSecurity @swiftonsecurity.com

User makes executive decision to immediately head to HQ for Helpdesk assistance while I continue to bang my head on fixing the rest of the team. (One was not at the convention, turns out.) Eventually we call it as over mutually. Their PCs were probably hardware-banned anyway. Rescheduled. It's fine. But...

jul 24, 2025, 2:40 am • 39 0
SwiftOnSecurity @swiftonsecurity.com

[Note this is about troubleshooting theory and process narrative, not a simple technical solution, something many acknowledge is little-taught formally and people have difficulty finding] As I finish, the user has been at Tier 1 Helpdesk for 20 min. They are already in safe mode past BitLocker/LAPS.

jul 24, 2025, 2:48 am • 40 0
tech-witch.bsky.social @tech-witch.bsky.social

[image]

jul 24, 2025, 2:44 am • 5 0
typing loudly⌨️ @typingloudly.zip

Why couldn't they just live boot a clean copy of Windows from USB?

jul 24, 2025, 2:32 am • 0 0
Pope Abecedarian I @abecedarian.bsky.social

This is getting good

jul 24, 2025, 5:45 am • 1 0
David Williams @se7en-driver.bsky.social

Oh, no

jul 24, 2025, 2:25 am • 4 0
Pope Abecedarian I @abecedarian.bsky.social

Or working on Kinect for Windows like I was.

jul 24, 2025, 5:44 am • 0 0
Robert Szasz 𓅆 @rszasz.saxonco.com

Was a live CD/USB on bare metal an option if you had more time?

jul 24, 2025, 2:19 am • 0 0
mig 🇺🇦 @miguelaya.bsky.social

Uuuh, this is pretty smart, how did you do it?

jul 24, 2025, 5:53 am • 0 0
Sagittarius A* @sagastar.bsky.social

"we're not getting into that" cuz it's anti-malware?

jul 24, 2025, 2:14 am • 4 0
Joseph Schafer @joseph-schafer.bsky.social

🍿

jul 24, 2025, 2:10 am • 1 0
typing loudly⌨️ @typingloudly.zip

With Core Isolation, aren't all machines virtual machines? :)

jul 24, 2025, 2:10 am • 1 0
daoist @daoist.bsky.social

do you perhaps do any deception-based hardening?

jul 24, 2025, 2:02 am • 0 0