Hidden file repeatedly accessed

Because I DO think it's important, I wanted to distill some points from another thread into a single post, and provide my thoughts. I am not trying to stir things up, nor beat a dead horse:

Quoted from Synetech:
“I recently tried out the latest versions of SlySoft’s apps and have noticed some unusual behavior…There is a new file…The ElbyCDIO service creates then accesses it every ten seconds in a seemingly infinite loop!..you could always stop the ElbyCDIO service and note that the polling stops, then run it again and note that it starts polling again”

Quoted from ArcCoyote:
“…it is in fact checked 10 seconds by the ElbyCDIO driver and is part of the trial period enforcement…I found this thread after discovering this behavior myself and posted to confirm this behavior was expected…”

Quoted from alan1476:
“…by the way it stops checking after your key has been verified after the trial period has ended…”

Quoted from Synetech:
“…I’m not sure what you mean; are you saying that it stops if you enter a key after the trial ends? What if you enter it before? Does it delete the file?..”

Quoted from alan1476:
“No one can verify your finding because they do not exist…Now after 4 years this one user has found something that no one else can find…”

Quoted from Synetech:
“…it was confirmed that it has started with a recent version…it would not have been brought up in the ‘past 4 years’.”

Quoted from profcolli:
INSERT list of links referencing other programs (including Windows Update, and Windows indexing) exhibiting similar activities
So, what’s to complain about? After 21 days you pay for it and it stops, or you uninstall it and it stops. Just like a thousand other programs…"

Quoted from NeoTrin2000:
“We know (or based on profcolli’s findings we are almost sure) this behavior is caused by Windows Indexing Services…”

Quoted from Synetech:
“For the record, I don’t use the Windows Indexing Service…”

Quoted from NeoTrin2000:
“…but are you 100% sure it’s disabled?”

Quoted from Synetech:
“Of course…”

Quoted from profcolli:
“…Elbycdio does a FASTIO_QUERY_STANDARD_INFO as part of its design to check whether drive access is required?”

Quoted from Synetech:
“…why was it added recently? …Was it part of a new protection defeat?”

Quoted from Seabrawk:
“Should he have not brought it to anyone’s attention (on this site) and simply uninstalled it?”

Quoted from alan1476:
“…He can't get an answer to something that does not exist. CloneDVD2 has not been updated for months…it only happening to 1 person, and I doubt that CloneCD has anything to do with it, the program has not been updated recently…I use this program since it was released in 2002 and it never exhibited this behavior. So there you have 1 user with a problem.”

I would first like to point out that I have run my own tests and have verified that what Synetech has asserted from the beginning is true: Windows indexing disabled, the temp file in the c:\Windows directory is accessed every ten seconds.

As pointed out by profcolli, the process of checking a file every ‘n’ seconds is a process used by various applications, for various reasons. In the case of the Windows indexing service, I would imagine it is a result of attempting to index certain files and is therefore “expected”. It is in those cases where it is unexpected that some people have expressed distaste for this sort of behavior (such is the case for the Elby products, as well as the Gemini product linked by profcolli).

As quoted by alan1476 and ArcCoyote, this may be some sort of hidden trial period enforcement, although I am not sure that much effort went into researching this assertion. It appears profcolli has provided a better explanation from a more informed source, which is that it was “part of its design to check whether drive access is required…”

This, however, would mean that the file would continue to be polled for eternity, as long as the software is installed on the machine, regardless of the registration status (this is untested), and begs the question “How did they do it before?”

In either scenario, I am unsure if I want many applications on my machine with this type of behavior, but to each their own. I just figured that some people may still be interested in this, and thought that the original thread was prematurely closed.

My honest advice is to ask m$ about their product…

Nonsense is why Alan closed the original thread… Oh and by request of the OP. :bigsmile:

@seabrawk:
This is a good summary of the original thread, but the fact remains that programs that need drive access need some polling mechanism. Whether it is done transparently or not is a moot point. Hidden files are used by many applications, usually to prevent system problems that would result if a user “messed around” with them. ATI uses hotpolling extensively and you will have a hard time finding out how - if you disable it you may have problems switching from 2d to 3d applications, but on the other hand it gives you more control over overclocking. These are not the kinds of things you want to expose to inexperienced users. Elaborate Bytes and Slysoft are reputable companies with valuable products, but nobody is forced to use them.

Hidden does not necessarily mean bad (and repeated access for necessary system functions is what keeps your system functioning).

[QUOTE=seabrawk;1977923]As quoted by alan1476 and ArcCoyote, this may be some sort of hidden trial period enforcement, although I am not sure that much effort went into researching this assertion. It appears profcolli has provided a better explanation from a more informed source, which is that it was “part of its design to check whether drive access is required…”[/QUOTE]It’s not, it is done by the DRIVER, not the application. The driver is used by multiple, but not all, applications, and therefore could not be responsible for license management. This is verified by monitoring and analyzing various activities (file, registry, network, pipe, etc. accesses) performed by the driver and the applications.

[QUOTE=seabrawk;1977923]This, however, would mean that the file would continue to be polled for eternity, as long as the software is installed on the machine, regardless of the registration status (this is untested), and begs the question “How did they do it before?”[/QUOTE]Exactly. I asked if maybe it is required to defeat some new super-protection but was once again rudely rebuffed. (In that other thread SlyFox1 is either lying or did not actually read the original thread (note the date of his post and the last post of the original thread). I suspect that alan is in fact SlyFox1 himself or a coworker of SlyFox1 at Elby/Slysoft, which would explain his irrational defensiveness.)

[QUOTE=seabrawk;1977923]In either scenario, I am unsure if I want many applications on my machine with this type of behavior, but to each their own. I just figured that some people may still be interested in this, and thought that the original thread was prematurely closed.[/QUOTE]Sorry, I was just so upset. :slight_smile:

The most interesting thing about it though is Elby/Slysoft’s genius in using a random (or more likely hash) value for the filename of the temp file instead of using a standard name that contains the random/hash along with the other data. This way, it is next to impossible for people to look it up and find information on it.

Think about it: try to formulate a Google query for it. You cannot use the filename you have because the file has a different name on other systems. Google does not (currently) support regular expressions, so you cannot use that either. You cannot even use Google to search for parts of words like “c:\windows\s”. (This is all assuming that the person has even realized the format of the filename, which most people to inquire have not.) Most people will not have traced the file to the software that created it, so they will not likely have used the terms ElbyCDIO (although in most HiJackThis logs it comes up for obvious reasons), and probably not even SlySoft, CloneCD, AnyDVD, CloneDVDMobile, or VirtualCloneDrive. They may possibly not even have used hidden, system (the two attributes that are set on the file). The effective query is reduced to “Windows .TMP” which is more or less useless. In fact, you cannot even search on it in most forums because .TMP is “shorter than [the default] 4 letters [term-length minimum]”. Therefore it becomes really, really hard to find other pages where people have posted questions about the file.

Very clever (or should I say sneaky.)

However, if you finagle the query enough, you will find plenty of pages among the results where people have asked about it, and/or been advised to use an in-use file deleter on it, etc. Of course as time goes by and more people update to a version that causes it, and more people become more savvy and look in their Windows directories to clean out junk, it will become more visible.

Anyway, I have long since ceased using and thoroughly removed all traces of Slysoft and Elby’s apps, trial and paid ones alike. (Despite the waste, I think removing them is “worth every dime”.) Gone are anything that even remotely have to do with Slysoft or Elaborate Bytes: program files, drivers, installers, registry entries, ini files, services, web pages, pics, (file) locks, rocks, jocks, fox (and sheep), boogers, lugers, and even the kitchen sink. There are other software out there, including ones that are even better, including some open source (read trust-worthy) ones. Thanks in fact to this very forum for leads. :slight_smile:

This is an old debated issue that isn’t of concern for most users who use Slysoft software. If you have issues with such a program, don’t use the program. As the previous thread was already closed by the MOD Alan.

http://club.cdfreaks.com/f18/conspicious-behavior-clonecd-possibly-other-slysoft-apps-234705/

[QUOTE=coolcolors;2013406]This is an old debated issue that isn’t of concern for most users who use Slysoft software. If you have issues with such a program, don’t use the program. As the previous thread was already closed by the MOD Alan.

http://club.cdfreaks.com/f18/conspicious-behavior-clonecd-possibly-other-slysoft-apps-234705/[/QUOTE]

You don’t read things that you reply to, do you? You really should read a thread through before chiming in to avoid saying something foolish or redundant. :stuck_out_tongue: Besides, the sword cuts both ways. If you don’t care, then keep using it. Why do you need to complain? There ARE people who care, so why would you try to shut them up? How would you like it if people tried to stifle your concerns? Just do a Google search and you will see that there are people who have this issue.

Oh, and for anyone that does have concerns and must use the software, simply create a folder with that filename. It seemed to work (as far as the testing that I had done at the time) just fine without successfully accessing the file. In fact I had even tried disabling the ElbyCDIO service altogether and it was still working.

I was doing some work with virtual machines today. Since this topic came up earlier today (I don’t recall how or why), when I finished with the VMs, before I wiped and reset them, I decided to give the Elby driver a last test for fun. I have good news and bad news.

The good news is that the filename of the “temp” file is not random and can easily be determined. It is derived from the serial number of the boot drive (for some reason). It is not actually a hash, but simply the eight-digit serial number XOR’d with the magic value 8af15bc6. So for example:

Open a command prompt (Run->cmd)
> dir c:\
Note the serial number (eg 1234-ABCD)
Run a calculator (eg Run->calc)
Enter Hex mode (eg Press F5 for Windows’ calc)
Enter the serial number (in this case 1234-ABCD)
Click XOR (or Press ^)
Enter the magic number 8af15bc6
Get result (eg Press Enter/click =)
Tada! Your “temp” file number (in this case 98C5F00B)
> dir c:\windows\S98C5F00B.tmp /a
> attrib c:\windows\S98C5F00B.tmp

(I still don’t know what the contents of the file are though, so if anyone figures it out I’d be curious to know.)

The bad news is that this realization messes up all of the previous explanations. I don’t know about any of you, but I for one rarely change the serial number (or even the volume label) of any of my drives, LET ALONE every ten seconds. It cannot logically be used to enforce the license (you can test this by altering the serial number), and even if it did, it could do it once on startup, not every 10 seconds for all eternity. It is not testing for the drive’s presence (why would it need to test the serial number to check for the drive’s presence, simply opening the device should be sufficient, and for that matter, why check the (hd) boot-drive at all, this is OPTICAL drive software.)

I cannot think of a reason to check the drive’s serial number every 10 seconds forever. :confused: Maybe it was some kind of debug function that they forgot to remove from the final code. :doh: #ifdef _DEBUG guys! :iagree: In any case, I never said that it was in fact malware or a rootkit, and whatever the purpose for the infinite polling, it is unlikely to be for malicious purposes. My only beef is that it snuck in quietly (not in changelog), sort of hid (hidden and system), and forever eats resources for an unknown and unexplained reason.

For any programmers out there, it is trivial enough to patch the driver file to stop polling (don’t forget to update the checksum). However, that is probably against the EULA (ironic :p), but creating a directory by the same name is not, which sufficiently prevents the disk access without affecting function—although the polling continues, and in fact does TWO accesses every 10 seconds (that quickly fail instead of doing a read/write). Of course setting the ElbyCDIO service to disable stops the polling and doesn’t seem to stop any of the apps from working, at least not that I can tell.

Well, that’s it. I have provided you people with as much information and research on this topic as there is. You now have enough to make an informed decision. If you don’t mind files scattered on your hard drive in places they shouldn’t be and in your registry (I have seen orphaned reg entries from various SlySoft/Elby apps in inappropriate places, eg HKCU) and you want or need to continue using it, then that’s fine (hopefully it will be the only program stuck in an infinite loop on your system), if not then that’s fine too.

I hope that I have helped anyone who did wonder about this and other people who attempt an Internet search for answers will somehow be led to these threads for enlightenment. (You never know, it could even drum you up a couple of sales.)

Either way, happy ripping. :cool:

(I wonder if Mark Russinovich faced this kind of resistance when he tried to help. :disagree:)
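The serial-to-filename calculation described in the post above, as an added Python example that is neither Synetech's code nor anything from Elby/SlySoft. The XOR constant 0x8AF15BC6 and the S&lt;8 hex digits&gt;.tmp naming come from the post; the `dir` output line and the directory listing below are constructed samples. It goes one step beyond the post by also running the mapping in reverse, so an unexplained S????????.tmp in \Windows can be checked against the boot drive's serial to see whether it fits this pattern. It covers only the filename scheme described in this post, not the later 16-character one mentioned further down the thread.

```python
import re

# Magic value the driver XORs with the volume serial (taken from the post).
MAGIC = 0x8AF15BC6

# Constructed sample of the relevant `dir c:\` output line.
SAMPLE_DIR_OUTPUT = " Volume Serial Number is 1234-ABCD"

# Constructed sample listing of \Windows (names only, not real data).
SAMPLE_WINDOWS_LISTING = [
    "S98C5F00B.tmp",   # the name derived from the sample serial above
    "S00000000.tmp",   # same shape, but does not match this machine
    "SAB12CD34.tmp",   # same shape, but does not match this machine
    "explorer.exe",
    "win.ini",
]


def parse_volume_serial(text):
    """Return the volume serial as an int, given `dir` output or a bare 'XXXX-XXXX'."""
    m = re.search(r"\b([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})\b", text)
    if not m:
        raise ValueError("no volume serial number of the form XXXX-XXXX found")
    return int(m.group(1) + m.group(2), 16)


def temp_file_name(serial):
    """Forward mapping: serial -> 'S%08X.tmp' (serial XOR MAGIC, 32-bit)."""
    return "S%08X.tmp" % ((serial ^ MAGIC) & 0xFFFFFFFF)


def serial_from_temp_file_name(name):
    """Reverse mapping: 'S%08X.tmp' -> 'XXXX-XXXX', or None if the name has a different shape.

    XOR is its own inverse, so applying MAGIC again recovers the serial.
    """
    m = re.fullmatch(r"S([0-9A-Fa-f]{8})\.tmp", name, re.IGNORECASE)
    if not m:
        return None
    v = int(m.group(1), 16) ^ MAGIC
    return "%04X-%04X" % (v >> 16, v & 0xFFFF)


def classify_listing(names, serial):
    """For each name of the S????????.tmp shape, report the serial it implies
    and whether that serial is the one for this machine.

    Returns a list of (name, implied_serial, matches_this_machine) tuples.
    """
    expected = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
    out = []
    for name in names:
        implied = serial_from_temp_file_name(name)
        if implied is not None:
            out.append((name, implied, implied == expected))
    return out


def matching_names(names, serial):
    """Convenience: just the names that fit the pattern for this serial."""
    return [n for n, _, ok in classify_listing(names, serial) if ok]


if __name__ == "__main__":
    serial = parse_volume_serial(SAMPLE_DIR_OUTPUT)
    print("serial   :", "%04X-%04X" % (serial >> 16, serial & 0xFFFF))
    print("expected :", r"c:\windows\%s" % temp_file_name(serial))
    for name, implied, ok in classify_listing(SAMPLE_WINDOWS_LISTING, serial):
        print("%-16s implies serial %s  %s" % (name, implied, "MATCH" if ok else "no match"))
```

On a real machine the `dir c:\` line would be pasted into `parse_volume_serial` and the actual `\Windows` listing passed to `classify_listing`; a name that fits the shape but implies a different serial is not explained by this mechanism and deserves a separate look.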

I’ve been told that current versions of the ElbyCDIO driver no longer poll the file twice per second—no idea what version made the change. Apparently the driver now simply checks/creates it once on startup (of the driver or each app I don’t know), but then leaves it alone.

That’s very good because at one point it was apparently reading the file many, many times over and over. I checked the changelog to see if the change was mentioned, and the closest thing I could find was a brief line about performance increase for ElbyCDIO.

I’ve also read that the filename is no longer the serial number of the boot drive XOR’d with 0x8AF15BC6, with a .TMP extension, but rather a 16 hex character filename of unknown derivation (and no .TMP extension).

Anyway, I guess the infinite-reading was either some “clever” programming or copy-protection that they eventually decided against, or really was an oversight (eg missing #ifdef _DEBUG), and was eventually fixed. It’s still curious that they create an undocumented file in \Windows with unknown contents, but at least they aren’t reading it forever more. :clap:

:rolleyes:

wish i’d seen this earlier LOL, i stumbled across this discussion whilst looking for some other info.

The temp file in question has indeed ceased to be used, and was indeed used for the trial period protection, it was polled countless times constantly while in trial mode, and was locked to the ELBYCDIO service, it was as stated also different on every machine, i was not aware of the simple calculation they used and the drive serial to determine the file name, as stated it did have a .tmp file extension at one point and possibly even none at another…

it was only installed by AnyDVD and none of the other products that used the ElbyCDIO driver.

and if you think that this type of “hidden” file activity was bad, and you’ve used AnyDVD in trial mode lately… then you might want to do a search on your C drive for ADSfiles … yes, i said the C drive ! more specifically, attached to it !

still, thanks for the entertaining read :slight_smile:

Hey gunslinger, are you the same gunslinger from VideoHelp?

[QUOTE]wish i’d seen this earlier LOL, i stumbled across this discussion whilst looking for some other info.

The temp file in question has indeed ceased to be used, and was indeed used for the trial period protection, it was polled countless times constantly while in trial mode, and was locked to the ELBYCDIO service, it was as stated also different on every machine, i was not aware of the simple calculation they used and the drive serial to determine the file name, as stated it did have a .tmp file extension at one point and possibly even none at another…

it was only installed by AnyDVD and none of the other products that used the ElbyCDIO driver.

and if you think that this type of “hidden” file activity was bad, and you’ve used AnyDVD in trial mode lately… then you might want to do a search on your C drive for ADSfiles … yes, i said the C drive ! more specifically, attached to it !

still, thanks for the entertaining read :)[/quote]
Thanks Gunslinger, finally someone that knows his stuff. LOL.:wink:

Hey gunslinger, are you the same gunslinger from VideoHelp?

omg, i’d forgotten i was registered there !

i had a fairly large loss of data a while back in relation to browser bookmarks and login details etc (minor fubar in opera) … but yes, it appears i am registered there as “The_Gunslinger” as well, can’t remember when i was last there though

EDIT:

Thanks Gunslinger, finally someone that knows his stuff. LOL

after reading this one and replying, i went looking for the “other” thread mentioned …lol, you guys really went to town on that one :smiley: … still, it made for a more entertaining read than this thread :stuck_out_tongue:

Gunslinger is a common screen name, that is why you see [B]The_[/B]Gunslinger, or A Gunslinger, we have many in our database.:wink:

lol, probably a couple of them are me from when i forgot where i was registered ! (sorry :p)

FYI, there’s only one true 'guns1inger, over @ VideoHelp…