Print Scout Application Injection through the Windows Registry
02 Mar 2025


Problem:

You're wondering how you can disable Application Injection on a Pharos Print Scout so that it does not inject into running Windows processes.

Solution:

*This applies to both the Print Scout for Pharos Cloud and the Print Scout for HP Insights*

The Print Scout for Pharos Cloud products can be configured not to inject into running processes on the client. This is useful when an endpoint security product flags the injection as suspicious, or when the injection causes undesired results in the target application, such as the application quitting abruptly.

THE TECHNOLOGY

The Pharos Print Scout service on the Microsoft Windows client computer includes two special dynamic link libraries (DLLs) that serve to obtain the name of the application that generates the print job. The service monitors running Windows processes and “injects” these DLLs into those processes that are already running, as well as doing the same for processes that initiate after the employee logs into the computer. 

Injection is a common computing function. In fact, Microsoft Windows supports it directly through LoadLibraryA(). At its most basic, it allows one running process (like the Print Scout) to load code into another process (like Notepad) and then execute it using the Windows CreateRemoteThread() call. By using LoadLibraryA(), we expose our activity to the operating system; we are not trying to hide. Using any of a number of available tools (like Microsoft’s Process Explorer utility), a systems administrator can quickly determine whether our software is injected into another process. Our DLL will also be present in memory dumps of injected applications.

…But what about security?

Doesn’t that make you a virus? Isn’t that all a security risk? Yes, it can be. Injection was (and in some cases, still is) a very common way to propagate computer viruses. At the same time, it’s how many applications get their work done, or allow extensible functions to be available for users; the add-ins function for many web browsers uses injection technology, for example. In short, it’s not the process that is dangerous, but the intent of the injected software.

Our DLLs are signed with a certificate obtained from a trusted third party so that those organizations using our software can be assured that the software is what it claims to be, and from whom. The signature of this certificate (the thumbprint) can be readily used to “white list” our application’s function (even the injection) within popular desktop security products from Symantec, McAfee, and others. To get back on track…

HOW IT WORKS

Once LoadLibraryA() is called for the Pharos injection DLL (we provide two: AppProfiler.x64.dll for 64-bit applications and AppProfiler.x86.dll for 32-bit applications), several things happen:

1. Attach to the other process. The OpenProcess() Windows function does this, creating a handle (entry point) so that we can interact with the process.

2. Allocate memory in the process. Nothing on a computer works if it doesn’t have the space to do so. The VirtualAllocEx() Windows function takes care of this for us, adding to the application’s memory overhead.

3. Copy (Inject) the DLL into the process. The Windows function WriteProcessMemory() handles this. At its most basic, the DLL is copied into the previously-allocated memory space.

4. Execute the DLL. Mentioned earlier, the CreateRemoteThread() function does this. At this point, the DLL is doing what its code is designed to do. 
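As an added example (this is not Pharos code), here is the defender's counterpart to the four steps above: a PowerShell inventory that lists which processes currently have AppProfiler.x64.dll or AppProfiler.x86.dll loaded and checks the Authenticode signature of each loaded copy, the same evidence Process Explorer would show. Only the two DLL names are taken from this article; nothing else about the Print Scout is assumed.

```powershell
# Added example, not Pharos code. Run in an elevated PowerShell session so the
# module lists of other users' processes are readable. Enumerating modules of
# processes whose bitness differs from the PowerShell host can be incomplete,
# so run from a host that matches the processes of interest (64-bit for most).
$dllNames = @('AppProfiler.x64.dll', 'AppProfiler.x86.dll')   # names taken from the article

function Get-AppProfilerInjections {
    param([string[]] $ModuleNames = $dllNames)

    foreach ($proc in Get-Process) {
        try {
            $modules = $proc.Modules
        } catch {
            # Access denied (protected or higher-integrity process) or the process
            # exited mid-scan. Skip it rather than abort the whole inventory.
            continue
        }
        foreach ($m in $modules) {
            if ($ModuleNames -notcontains $m.ModuleName) { continue }

            # Check the file on disk that was mapped into the process.
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Module      = $m.ModuleName
                Path        = $m.FileName
                Signature   = $sig.Status                        # 'Valid' is expected for a signed DLL
                Signer      = $sig.SignerCertificate.Subject
                Thumbprint  = $sig.SignerCertificate.Thumbprint  # the value a security product can allow-list
            }
        }
    }
}

$found = Get-AppProfilerInjections
$found | Sort-Object ProcessName | Format-Table -AutoSize

# Anything not 'Valid' deserves a look: wrong path, tampered file, or a look-alike module name.
$found | Where-Object { $_.Signature -ne 'Valid' }
```

The thumbprint column is what the article refers to when it says the certificate signature can be used to allow-list the injection in desktop security products; comparing it against the value published by your vendor is a quick way to confirm that the module loaded into a process is the genuine one.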


So what, exactly, is the code doing?

The Process

The Pharos Application Profiler DLLs have one purpose: look for Microsoft Windows calls that mean a document is being printed. To make sure the job is attributed to the correct application, our injected DLL looks for two of them:

• CreateDC
• StartDocPrinter

CreateDC is a Graphic Device Interface (GDI) call. Generically, an application can call this command to attach to any graphic-based input or output device (scanner, digital camera, monitor, printer), but it always serves as the first-level call when/if a user is trying to print from a Microsoft Windows application. By tagging this command, we are reasonably sure that we will appropriately “tag” the print job with the correct initiating application.

StartDocPrinter is another GDI command that connects with the Windows Spooler system. This command performs the following on the workstation:

1. Opens the selected printer by name (using the OpenPrinter function in Windows)
2. Describes, using the DOC_INFO_1 structure, the job that will be printed.

In short, StartDocPrinter is the application’s way of telling the operating system that “something will be printing.” By first capturing the application that issues the CreateDC call, we know where to focus our attention, and so reliably capture the subsequent StartDocPrinter event. The result is that we consistently and reliably capture the name of the application that is generating the print job.

How this can be done

The Pharos Print Scout application has a way to manually exclude, or include, specific applications in the injection process when needed. This is done via the Windows Registry on a per-client basis and is handled by the AppProfiler component of the Print Scout.

Under the following registry key:

SOFTWARE\WOW6432Node\PharosSystems\PrintAgent\AppTracking

1. Add a value named 'Exclusions' of type MultiString containing the single string *

2. This prevents the Print Scout from injecting into any application.

3. Restart the Print Scout services for the change to take effect; rebooting the client computer also works.


A specific executable (application) can also be excluded on its own, or kept tracked while everything else is excluded, by combining the Exclusions and Inclusions values.

Example: disable app tracking for everything except Notepad. Under the same key, set two values:

SOFTWARE\WOW6432Node\PharosSystems\PrintAgent\AppTracking\Exclusions MultiString *

SOFTWARE\WOW6432Node\PharosSystems\PrintAgent\AppTracking\Inclusions MultiString notepad.exe
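The same registry change, scripted, as an added example (not Pharos code): a PowerShell function that writes the Exclusions and Inclusions values under the key named above, reads them back so the change can be confirmed, and restarts the Print Scout service so it takes effect. The key path, the value names and their MultiString type, and the notepad.exe example come from the article; the service name is not given on this page, so the script carries a placeholder that must be replaced with the real name from Get-Service.

```powershell
# Added example, not Pharos code. Run from an elevated 64-bit PowerShell session so
# that the WOW6432Node path below is written literally and not redirected.
$AppTrackingKey = 'HKLM:\SOFTWARE\WOW6432Node\PharosSystems\PrintAgent\AppTracking'

# ASSUMPTION: the Print Scout service name is not given in the article. Replace it
# with the real one, e.g. from: Get-Service | Where-Object DisplayName -like '*Pharos*'
$PrintScoutService = 'PLACEHOLDER-PrintScoutServiceName'

function Set-PrintScoutAppTracking {
    param(
        # Executables (or '*') that the AppProfiler must NOT inject into.
        [string[]] $Exclusions,
        # Executables that stay tracked even when Exclusions contains '*'.
        [string[]] $Inclusions,
        # Restart the service afterwards; the change is only picked up on service restart or reboot.
        [switch]   $RestartService
    )

    if (-not (Test-Path $AppTrackingKey)) {
        New-Item -Path $AppTrackingKey -Force | Out-Null
    }

    foreach ($entry in @(@{ Name = 'Exclusions'; Value = $Exclusions },
                         @{ Name = 'Inclusions'; Value = $Inclusions })) {
        if ($entry.Value) {
            # REG_MULTI_SZ, matching the "MultiString" type the article specifies.
            New-ItemProperty -Path $AppTrackingKey -Name $entry.Name -PropertyType MultiString `
                             -Value $entry.Value -Force | Out-Null
        } else {
            # No list given: remove any stale value so an old setting does not linger.
            Remove-ItemProperty -Path $AppTrackingKey -Name $entry.Name -ErrorAction SilentlyContinue
        }
    }

    # Read back what is now in the registry so the change can be confirmed.
    Get-ItemProperty -Path $AppTrackingKey | Select-Object Exclusions, Inclusions

    if ($RestartService) {
        Restart-Service -Name $PrintScoutService -Force
    }
}

# Disable injection for every application:
# Set-PrintScoutAppTracking -Exclusions '*' -RestartService

# Disable it everywhere except Notepad (the article's example):
Set-PrintScoutAppTracking -Exclusions '*' -Inclusions 'notepad.exe' -RestartService
```

Calling the function with only -Exclusions '*' removes any existing Inclusions value, so a previously included application does not stay tracked by accident; the read-back at the end shows exactly what the AppProfiler will see after the service restarts.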


Please note: there is no way, nor any need, to do this for the Print Scout client that runs on macOS.


