Komodia's Redirector troubleshooting guide

From Komodia

When deploying a product to end users there are many variables, such as pre-existing LSPs, attempts to install from a non-admin user, security products, system corruption and more. This guide covers which logs the Redirector creates, where they are located and why they are needed.

These logs should not be confused with the "sniffing" log: Komodia's Redirector installation guide#Log_control.

Common problems

Installation

The most common "problem" we see in failed installations is running the install/uninstall process without granting UAC privileges. The confusion arises because an admin user is not UAC elevated by default. The UAC dialog is the one asking for more privileges before installing software. More on UAC

Browsers not intercepted

Any process that is open during the LSP install will not be intercepted, so make sure to close any running network process first.

SSL Error dialog

An SSL certificate error during browsing means the root CA wasn't installed correctly. The SDK installs the certificate on startup, but it will not do so for Firefox and Opera if they are running during the startup process; IE and Chrome may also not use the new root CA if they were open at the time. The solution is to close all browsers on first install.

Not intercepting localhost

The SDK only intercepts localhost when it is enabled to do so; this can only be enabled in the code.

Not intercepting services

The SDK is configured either to intercept or not to intercept services. This can be changed; alternatively, use the custom flag intservices and set it to 1, which inverts the SDK's default behavior.

No traffic is intercepted at all

First, make sure that you receive traffic at all.

If you don't get traffic then check the following items:

  • If using LSPs, that they are registered by running the register LSP app from the command prompt:
    • Using: "registerlsp -p"
    • On 64bit machines also check 64 bit LSP: "registerlsp64 -p"
  • If using WFP, you can check if it's installed and running from the WFP button on PCController.
  • If using WFP, make sure you clicked on save after setting the interception rules.
  • Check that the Redirector is not in disable mode: press "Toggle disable mode" on PCController to see whether it is bypassed.
  • Check that the redirection rules match the traffic you planned to intercept.
  • Check that the browsers have no proxy configured, and if they do, check whether the proxy port is inside your redirection rules.
    • If the 3rd party proxy is on the local machine, make sure you're not intercepting it as well, which would cause an infinite loop.
  • Run "netstat -ao" from the command prompt and see which ports the app you're trying to intercept is using; check that they match the interception rules.
    • Also see which other applications are generating traffic; check whether the traffic is being intercepted by a 3rd party and sent to the Internet via a transparent proxy.
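The "netstat -ao" check from the last two items, as an added example (not part of the Komodia guide), using Get-NetTCPConnection instead of parsing netstat output. $ProcessName and $RulePorts are assumptions: the process you expect to be intercepted and the remote ports your redirection rules cover.

```powershell
# Added example, not Komodia tooling. Run from an elevated prompt so that
# connections owned by other users' processes are visible too.
param(
    [string]$ProcessName = 'chrome',        # assumption: the app you expect to intercept
    [int[]]$RulePorts = @(80, 443)          # assumption: ports in your redirection rules
)

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { Write-Output "no running process named $ProcessName"; exit 1 }

# Established connections of the target process, with each one classified against
# the rules: a loopback remote address means a local proxy sits in the path.
$conns = Get-NetTCPConnection -OwningProcess $procs.Id -ErrorAction SilentlyContinue |
    Where-Object { $_.State -eq 'Established' }

foreach ($c in $conns) {
    $note = 'remote port NOT in rules'
    if ($RulePorts -contains $c.RemotePort) { $note = 'remote port is inside the rules' }
    if ($c.RemoteAddress -in @('127.0.0.1', '::1')) { $note = 'to localhost: a local proxy is in the path' }
    Write-Output ("{0}:{1} -> {2}:{3} pid {4}  {5}" -f $c.LocalAddress, $c.LocalPort,
        $c.RemoteAddress, $c.RemotePort, $c.OwningProcess, $note)
}

# Which other processes talk on the rule ports: a 3rd party transparent proxy
# that re-sends the traffic shows up here as a process you did not expect.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $RulePorts -contains $_.RemotePort } |
    Group-Object OwningProcess | ForEach-Object {
        $p = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        Write-Output ("pid {0} ({1}) : {2} connections on rule ports" -f $_.Name, $p.ProcessName, $_.Count)
    }
```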

DLL framework is not working

Check the following items:

  • After setting the DLL, that you pressed save and restarted the service.
  • Check in the log under c:\windows\temp\pcproxy.log that the DLL was loaded correctly; sometimes DLLs are compiled in a way that gives them dependency issues.
  • Check that the SDK receives traffic at all, if not troubleshoot with the above methods.

Can't break point into the DLL with a debugger

Check the following items:

  • That you receive traffic.
  • That the DLL is loaded correctly.
  • That you set the breakpoint in pcproxy.exe.

Internet breaks instantly or after a period of time

Usually the client's logic (DLL or COM framework) fails in some way, for example the NewConnection function returns false or crashes.

To verify, install the SDK but don't deploy your software or DLL, and see if traffic is intercepted.

Logs

Uploading logs to server

The logs can be uploaded to Komodia's server using the syntax:

PCProxy /UploadLogs

The server is not monitored, so you will need to contact us to look at the logs.

Which logs are always present and which should be enabled

  • LSP Installer log - Always enabled.
  • LSP log - Disabled.
  • Service install log - Enabled.
  • Service running log - Partially enabled.

Logs location summary

Under the installing user %temp% directory you have:

  • RegisterLSP.log
  • PCProxy.log
  • PCProxyr.log

(PCProxy would be replaced with the binary name you are using)

Under the Windows temp directory, which is usually c:\windows\temp, you have:

  • PCProxy.log
  • PCProxyr.log

Enabling LSP log

32bit OS

Normal log

To enable the log add the value (DWORD): lsplog to the key: HKEY_LOCAL_MACHINE\Software\Komodia

Verbose log

To enable the verbose log (usually based on a request from Komodia's personnel) add the value (DWORD): lspverbose to the key: HKEY_LOCAL_MACHINE\Software\Komodia

64bit OS

Normal log

To enable the log add the value (DWORD): lsplog to the key: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Komodia

Verbose log

To enable the verbose log (usually based on a request from Komodia's personnel) add the value (DWORD): lspverbose to the key: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Komodia

Enabling full service log

32bit OS

The full service log includes details about the interception rules. To enable it, add the value (DWORD): pcproxy to the key: HKEY_LOCAL_MACHINE\Software\Komodia

64bit OS

32bit PCProxy

The full service log includes details about the interception rules. To enable it, add the value (DWORD): pcproxy to the key: HKEY_LOCAL_MACHINE\Software\WOW6432Node\Komodia

64bit PCProxy

The full service log includes details about the interception rules. To enable it, add the value (DWORD): pcproxy to the key: HKEY_LOCAL_MACHINE\Software\Komodia
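To inventory the log switches from the "Enabling LSP log" and "Enabling full service log" sections, the log files from "Logs location summary", and the Winsock catalog in one pass, here is an added script (not Komodia's own tooling). $BinaryName is an assumption, since the guide says "PCProxy" is replaced with the binary name you actually use.

```powershell
# Added example, not Komodia tooling. Run from an elevated PowerShell prompt.
param([string]$BinaryName = 'PCProxy')   # assumption: your Redirector binary name

# Registry keys named in the guide: the native key (32-bit OS, or 64-bit binary
# on a 64-bit OS) and the WOW6432Node key (32-bit binary on a 64-bit OS).
$keys = @('HKLM:\Software\Komodia', 'HKLM:\Software\WOW6432Node\Komodia')
$switches = @('lsplog', 'lspverbose', 'pcproxy')

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Output "$key : not present"; continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $switches) {
        $value = $props.PSObject.Properties[$name]
        $state = if ($null -eq $value) { 'unset' } else { "DWORD=$($value.Value)" }
        Write-Output "$key\$name : $state"
    }
}

# Log locations from the guide: the installing user's %temp% and the Local System
# %temp% (c:\windows\temp); the service install log carries the extra 'r'.
$logNames = @('RegisterLSP.log', "$BinaryName.log", "${BinaryName}r.log")
$dirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))
foreach ($dir in $dirs) {
    foreach ($log in $logNames) {
        $path = Join-Path $dir $log
        if (Test-Path $path) {
            $item = Get-Item $path
            Write-Output ("{0} : {1} bytes, modified {2}" -f $path, $item.Length, $item.LastWriteTime)
        } else {
            Write-Output "$path : not found"
        }
    }
}

# Winsock catalog via the built-in netsh, so the check works without the SDK's
# own registerlsp tool; a registered LSP appears as a layered provider entry.
netsh winsock show catalog |
    Select-String -Pattern 'Description|Provider Path|Catalog Entry ID' |
    ForEach-Object { $_.Line.Trim() }
```

Run it once from the user who performed the install, since $env:TEMP resolves to that user's %temp%.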

LSP installation

RegisterLSP.EXE, or its DLL or COM equivalent, creates a log called "RegisterLSP.log" under the %temp% directory of the installing user. This log contains the following information:

  • OS (and 32/64 bit)
  • Was it UAC provided (on Vista and above OS)
  • RegisterLSP location
  • Working directory
  • Existing security products (that the RegisterLSP is aware of)
  • Install outcome

LSP installation problems are seen right away in the install log.

Service installation

The service creates an install log under the %temp% directory of the installing user. The log name is usually the process name with the letter 'r' appended; for example, the default log name for "PCProxy.exe" is "PCProxyr.log". This name can be changed by clients with the source code.

This log has the following information inside:

  • OS (and 32/64 bit)
  • Was it UAC provided (on Vista and above OS)
  • Redirector location
  • Working directory
  • Install outcome

Service run log

The service creates a run log under the %temp% of the running user. Because the Redirector is a service running under the Local System account, this temp directory is c:\windows\temp.

The log contains the steps taken to run the process.

What to do with the logs

In case of a problem, make sure to collect these three logs; you can always forward them to Komodia's support personnel for further assistance.

Other topics

DCOM event message

On some computers DCOM error events may appear in the event log. To resolve this:

  1. Go to Administrative Tools and select Component Services; in the Component Services tree select Computers, then My Computer, then DCOM Config.
  2. In DCOM Config, highlight PCProxy, right-click, select Properties and then the Security tab.
  3. In Launch and Activation Permissions select Edit.
  4. Add the group named "Service" and select all four permissions for the service (local launch, remote launch, local activation, remote activation).
  5. Reboot; the problem should now disappear.

Suggestion for a loopback test

Some users may want to implement a method to check that they still have network access after the LSP is installed, in case there is some sort of conflict. This method is not 100% reliable, but some issues have to be addressed to make the loopback test as reliable as possible. These are the steps to take:

  1. Before installing the LSP, save the names and addresses of all interfaces (this can be done with the IP Helper API).
  2. Contact your web server, send some data, and check that you get the expected result back.
  3. Install the LSP.
  4. If you are in the same app that made the test, make sure to unload Winsock and then reload it, so the new LSP is loaded as well.
  5. Verify that the network didn't change; if it did, you may not have Internet access and the test will fail regardless of the LSP state.
  6. Do the web server test again; if there is no reply, either there is no Internet connection or there was an LSP conflict.
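The loopback test above as an added script (not from the Komodia guide), run in two separate invocations: "-Phase before" prior to the LSP install and "-Phase after" from a fresh process afterwards, so the new process loads the new LSP and stands in for step 4. $Url and $Expected are assumptions: your own web server and a string its reply must contain.

```powershell
# Added example, not Komodia tooling. Exit codes: 0 ok, 2 no baseline reply,
# 3 network changed (inconclusive), 4 reply lost with unchanged network.
param(
    [ValidateSet('before', 'after')][string]$Phase = 'before',
    [string]$Url = 'http://example.invalid/ping',     # placeholder: your web server
    [string]$Expected = 'pong',                       # placeholder: expected reply text
    [string]$StateFile = (Join-Path $env:TEMP 'lsp-loopback-baseline.txt')
)

# Step 1: interface names and IPv4 addresses, from the same data IP Helper exposes.
function Get-NetSnapshot {
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
        ForEach-Object { "$($_.InterfaceAlias)=$($_.IPAddress)" } | Sort-Object
}

# Steps 2 and 6: contact the web server and look for the expected reply.
function Test-WebServer {
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return ($r.StatusCode -eq 200 -and $r.Content -like "*$Expected*")
    } catch { return $false }
}

$snapshot = Get-NetSnapshot
if ($Phase -eq 'before') {
    if (-not (Test-WebServer)) { Write-Output 'no reply before install: fix connectivity first'; exit 2 }
    $snapshot | Set-Content -Path $StateFile
    Write-Output 'baseline saved; install the LSP, then run again with -Phase after'
    exit 0
}

# Step 5: if the interfaces changed, a failed reply says nothing about the LSP.
$before = @(Get-Content -Path $StateFile)
if (Compare-Object $before @($snapshot)) { Write-Output 'network changed: result inconclusive'; exit 3 }
if (Test-WebServer) { Write-Output 'reply received: no LSP conflict detected'; exit 0 }
Write-Output 'no reply with unchanged network: possible LSP conflict or Internet outage'
exit 4
```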

32bit and 64bit

If you changed processes from 32bit to 64bit or vice versa on the same machine, make sure you uninstalled the process of the original version.

Watchdog

Here is a list of some common problems when using Komodia's Watchdog and how to resolve them.

SDK is not protected

If you can delete registry keys belonging to the SDK, delete the service, or remove the LSP with netsh, the SDK is not protected. Check that:

  1. You installed the WD.
  2. You called "Add redirector rules" (which adds the rules to protect the SDK).
  3. You uploaded the rules to the WD.

I added registry rules but they aren't protected

When adding registry rules you usually also want to protect all subkeys and values; in that case you need to add * or \* to the end of the key.

Also note that some registry keys are links (HKEY_CURRENT_USER and HKEY_CLASSES); the WD is a driver and sees only real keys, so you need to give it the full key and not the link.

I tried to protect a directory, but it isn't protected

The WD does not support protecting directories.

I tried using the 64bit WD but I'm getting errors

When you try to install the WD and it is not signed correctly (signed and cross-signed) or not signed at all, you will get error 577 and a warning from the OS. You can verify this by booting with driver signature enforcement turned off: if the driver loads then, you know the problem is your signature.

I signed my 64bit WD but it's not protecting or I'm still getting errors

Doing a cross sign is not simple, and it may have been done incorrectly (not using the correct cross-signing certificate), or it was not done from XP. You can read more about it here: why you should sign from a XP machine.

My 32bit WD works perfectly on XP/Vista but some registry keys are not protected on Win7

There are two drivers for 32bit, one for XP/Vista and one for Win7, make sure you deploy them correctly.