Having worked on many Windows XP to Windows 7 migration projects over the past 3 years, I've seen a lot of nasty legacy apps. This one makes a good case for being labelled the most interesting to get working (to be polite).
It was a sales application, a wonderful mix of multiple technologies (The more the merrier, right?)
App highlights included:
- 16-bit front end built on Delphi, source code long since forgotten.
- Sync all usernames & passwords of the entire system to a local DB file stored in plain text.
- Hardcoded paths to jre\1.5 folder dispersed across multiple batch files, .JARs, .EXEs and NSF (Lotus Notes Databases)
- Sync data via Telnet sessions to iSeries mainframe receiving/sending ZIP files
- Components of application built on Lotus Notes with Domino backend, and extensive LotusScript and Java code used in synchronization process
- If DBASE style DB files + Lotus Notes database files were not providing enough places for local storage, add a local instance of SQL Server for good measure
- Some application configuration performed by VB.NET executables
With a bit of work, I managed to get it running nicely on Windows 7 32-bit. By putting a recent copy of the Java binaries in the 1.5 folder and applying the following SHIMs, the app was running nicely. (Note that it required a version of the Lotus Notes client that was not technically supported on Windows 7 … but it hadn't been supported on XP for many years either.)
However, one day, as NSF files were syncing, some users reported they were getting repeated UAC prompts. For a user who was not a local admin, the only option was to click No, which also broke Notes replication. The "Show details" option of the prompt showed that KB EXE files were trying to launch. Checking the KBs showed they were Windows XP versions of the patches.
A quick ProcMon log and we can see Lotus Notes is the process launching these EXEs:
Unfortunately, there was no immediately obvious check deciding whether these updates would launch or not (i.e. a registry query to see whether the update had already been applied).
To investigate further, I used SearchMyFiles (http://www.nirsoft.net/utils/search_my_files.html) to search the Lotus Notes directory for anything containing this filename. (Note: many corporate networks block downloads from nirsoft.net; the tools there are incredibly useful, but many can be used for nefarious purposes.)
The reason I like SearchMyFiles is it searches binaries as well as text documents.
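A scripted equivalent of that search, as an added example that is not part of the original post: it walks a directory and reports every file, binary or text, that contains a given file name in either ASCII or UTF-16LE. The KB file name and the sample files are constructed placeholders.

```python
import os
import tempfile

def patterns_for(name):
    # Windows binaries often store strings as UTF-16LE, so search both encodings.
    low = name.lower()
    return [low.encode("ascii"), low.encode("utf-16-le")]

def file_contains(path, patterns, chunk_size=1 << 20):
    # Read in chunks; carry an overlap so a match split across two chunks is found.
    overlap = max(len(p) for p in patterns) - 1
    tail = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = tail + chunk.lower()  # bytes.lower() only touches ASCII letters
            if any(p in window for p in patterns):
                return True
            tail = window[-overlap:] if overlap else b""
    return False

def find_references(root, name, chunk_size=1 << 20):
    patterns, hits = patterns_for(name), []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                if file_contains(path, patterns, chunk_size):
                    hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
            except OSError:
                continue  # locked or unreadable file: skip it and keep scanning
    return sorted(hits)

def demo():
    # Constructed sample tree; the file names and the KB file name are placeholders.
    target = "EXAMPLE-KB0000000-x86.exe"
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "Data"))
        samples = {
            "Data/sales.nsf": b"\x00\x1a" * 37 + target.upper().encode("utf-16-le") + b"\xff" * 50,
            "run_sync.bat": b"@echo off\r\nstart " + target.encode("ascii") + b"\r\n",
            "notes.ini": b"[Notes]\r\nDirectory=C:\\Notes\\Data\r\n",
        }
        for rel, blob in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(blob)
        # A tiny chunk size forces matches to straddle chunk boundaries.
        return find_references(root, target, chunk_size=16)

if __name__ == "__main__":
    print(demo())
```

The match is case-insensitive and alignment-independent, so it also finds names embedded inside container files such as an NSF, as long as the embedded data is not compressed or encrypted.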
Ok so we found a hit:
I now turned to Ytria's scanEZ software, which allows me to open a Lotus Notes database, read the schema and LotusScript, extract embedded files, etc., even if I don't have design access to the database. (http://www.ytria.com/)
I used this tool to open the NSF from within Lotus Notes client:
I then used the full text search option to find the part of the database containing the reference. (You must create the full text index before the search functions can be used.)
This brought me to some documents in a section called .SysAdditionalProcessing
Examining all 5 documents under .SysAdditionalProcessing, I found there were 2x custom LotusScripts that were collecting info about the laptop and storing it in the Lotus database, and 3x documents that installed Windows KBs.
We found a daylight patch:
And a security patch
We found code that checked for KB being installed via reg key and stored the info back in the Notes database:
```
' Open the registry key that records whether KB912475 is installed
lFunctionResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB912475", 0, KEY_QUERY_VALUE, lKeyHandle)
If lFunctionResult <> 0 Then
    If lFunctionResult = 2 Then
        ' The key doesn't exist
        docInfo.PATCH_KB912475_INSTALLEDDATE = "Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB912475 does not exist."
    Else
        ' Any other failure: turn the Win32 error code into text and raise it
        Call FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, 0, lFunctionResult, 0, sErrorMessage, 2048, 0)
        Error 9000, "Registry Error (" & Cstr(lFunctionResult) & "): " & sErrorMessage
    End If
Else
    ' Key exists: read the InstalledDate value
    lValueLength = 2048
    lFunctionResult = RegQueryValueEx(lKeyHandle, "InstalledDate", 0, lDataType, sReturnedValue, lValueLength)
    If lFunctionResult <> 0 Then
        Call FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, 0, lFunctionResult, 0, sErrorMessage, 2048, 0)
        Error 9000, "Registry Error (" & Cstr(lFunctionResult) & "): " & sErrorMessage
    End If
    ' Drop the trailing null terminator and store the date in the Notes document
    sValue = Left(sReturnedValue, lValueLength-1)
    docInfo.PATCH_KB912475_INSTALLEDDATE = sValue
    lFunctionResult = RegCloseKey(lKeyHandle)
End If
```
With this info found, we could remove the files from the Notes database and be done with it. But not being a Domino expert, I passed the info on where the offending files were located back to the Notes developers.
In case that might take a while to resolve, I also came up with an alternative. By applying the SpecificNonInstaller SHIM to these executables, they would run but not elevate. There is no UAC prompt, and being on the incorrect OS they do nothing, then decide to exit, and do not interfere with the replication process.
The patch looked like this. Here it's important to note that just adding multiple matching files to one instance of the SpecificNonInstaller SHIM does not work; it only works with the "primary" application specified.
Great detective work!