capi's Issues

EDDiscovery tries to access non-existent `CAPI\status.json` very often

Do let me know if this is the wrong project, and this should be reported in the main project.

Background: I was trying to figure out some problematic things with MS ProcMon for ED itself and found a misconfig in my environment. So I figured I'd have a look at what kinds of events EDDiscovery was spawning -- especially relating to things that are not successful events like missing files, or DLL hijack opportunities (infosec background).

What I discovered was that EDDiscovery keeps trying to open a non-existent file \Data\CAPI\status.json under the path of my portable installation of EDDiscovery 17.1.1.

And that this happens very frequently.

See attached CSV file for ProcMon log.

Row 1: Header
Row 2-29: Repeated attempts to read the status.json file within 3 seconds => NOT FOUND
Row 30: Empty space for easier legibility
Row 31-91: Repeated reads of status.json (which is empty) - 10 times within one second.

Example failed read:

"21.32.07,3602757","EDDiscovery.exe","29648","CreateFile","C:\Users\<username>\Downloads\EDDiscovery.Portable.17.1.1\Data\CAPI\status.json","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"

Example successful read:

"21.32.10,4318364","EDDiscovery.exe","29648","CreateFile","C:\Users\<username>\Downloads\EDDiscovery.Portable.17.1.1\Data\CAPI\status.json","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Open No Recall, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"21.32.10,4318645","EDDiscovery.exe","29648","ReadFile","C:\Users\<username>\Downloads\EDDiscovery.Portable.17.1.1\Data\CAPI\status.json","END OF FILE","Offset: 0, Length: 4 096, Priority: Normal"
"21.32.10,4318777","EDDiscovery.exe","29648","CloseFile","C:\Users\<username>\Downloads\EDDiscovery.Portable.17.1.1\Data\CAPI\status.json","SUCCESS",""

eddc-data-capi-statusjson.CSV

Just wanted to report this as potentially misfiring configuration/loop etc.

I tried to find the relevant code in the main project or this, but could only find the stuff that reads the \Data\CAPI\something.cred file after I logged in with my Frontier CAPI -- I tried to see if logging in would cause the status.json to be created, but it only dropped the .cred file.

This is not causing any bigger issues, other than now knowing that it is trying to do that very very frequently and it annoys me 😅
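One way to quantify polling like this from a ProcMon CSV export, added here as an example and not part of the original issue or the EDDiscovery code: it groups rows by process, operation, path and result, then reports how often each combination repeats. The header row, the `C:\EDD` path and the sample timestamps are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample shaped like the rows quoted in the issue (not the attached CSV).
# The header row and the C:\EDD install path are assumptions.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"21.32.07,0000000","EDDiscovery.exe","29648","CreateFile","C:\EDD\Data\CAPI\status.json","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"21.32.07,5000000","EDDiscovery.exe","29648","CreateFile","C:\EDD\Data\CAPI\status.json","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"21.32.08,0000000","EDDiscovery.exe","29648","CreateFile","C:\EDD\Data\CAPI\status.json","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"21.32.08,5000000","EDDiscovery.exe","29648","CreateFile","C:\EDD\Data\CAPI\status.json","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"21.32.10,0000000","EDDiscovery.exe","29648","CreateFile","C:\EDD\Data\CAPI\status.json","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"21.32.10,0000500","EDDiscovery.exe","29648","ReadFile","C:\EDD\Data\CAPI\status.json","END OF FILE","Offset: 0"
"21.32.10,1000000","EDDiscovery.exe","29648","CreateFile","C:\EDD\Data\CAPI\status.json","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"21.32.10,2000000","EDDiscovery.exe","29648","CreateFile","C:\EDD\Data\CAPI\status.json","SUCCESS","Desired Access: Generic Read, Disposition: Open"
'''

def seconds(tod):
    """Convert '21.32.07,3602757' or '21:32:07.3602757' to seconds since midnight."""
    match = re.fullmatch(r"(\d+)[.:](\d+)[.:](\d+)[.,](\d+)", tod.strip())
    if match is None:
        raise ValueError(f"unrecognised time of day: {tod!r}")
    h, m, s, frac = match.groups()
    return int(h) * 3600 + int(m) * 60 + int(s) + float("0." + frac)

def polling_report(csv_text, min_hits=3):
    """Return repeated (process, operation, path, result) groups, busiest first."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Process Name"], row["Operation"], row["Path"], row["Result"])
        groups[key].append(seconds(row["Time of Day"]))
    report = []
    for (process, operation, path, result), times in groups.items():
        if len(times) < min_hits:
            continue  # one-off events are not polling
        span = max(times) - min(times)
        rate = (len(times) - 1) / span if span > 0 else float("inf")
        report.append({"process": process, "operation": operation, "path": path,
                       "result": result, "count": len(times),
                       "span_s": round(span, 3), "per_second": round(rate, 1)})
    return sorted(report, key=lambda r: -r["count"])

if __name__ == "__main__":
    for entry in polling_report(SAMPLE):
        print(entry)
```

To run it on a real export, read the file with `encoding="utf-8-sig"` and pass the text to `polling_report`; ProcMon writes a byte-order mark that would otherwise end up in the first column name.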
