.NET Questions and Solutions

As a software engineer, I focus on .NET, especially asp.net, C#, WCF and so on, and I am also very interested in Search Engine Optimization.

Entries Tagged ‘device’

Blocking the SBP-2 driver to reduce 1394 DMA threats to BitLocker

Symptoms
A BitLocker-protected computer may be vulnerable to Direct Memory Access (DMA) attacks when the computer is powered-on or in the Standby power state, including when the desktop is locked.
BitLocker with TPM-only authentication allows for a computer to enter the power-on state without any Pre-boot authentication. Therefore, an attacker may be able to perform DMA attacks.
In these configurations, an attacker may be able to search for BitLocker encryption keys in system memory by spoofing the SBP-2 hardware ID by using an attacking device that is plugged into a 1394 port.
This article applies to the following systems:
- Systems that are left powered-on.
- Systems that are left in the standby power state.
- Systems that use the TPM-only BitLocker protector.
Resolution
1394 Physical DMA
Industry standard 1394 controllers (OHCI compliant) provide functionality that allows for access to system memory. This functionality is provided as a performance improvement. It enables large amounts of data to transfer directly between a 1394 device and system memory, bypassing CPU and software. By default, 1394 Physical DMA is disabled in all versions of Windows. There are two options to enable 1394 Physical DMA:
- An administrator enables 1394 Kernel Debugging.
- Someone with physical access to the computer connects a 1394 storage device that complies with the SBP-2 specification.
1394 DMA Threats to BitLocker
BitLocker system integrity checks protect against unauthorized Kernel Debugging status changes. However, an attacker can connect an attacking device to a 1394 port, and then spoof an SBP-2 hardware ID. When Windows detects an SBP-2 hardware ID, it loads the SBP-2 driver (sbp2port.sys), and then instructs the driver to allow the SBP-2 device to perform DMA. This enables an attacker to gain access to system memory and search for BitLocker encryption keys.

Fatal Exception 0E with Multiple MS-DOS Device Names in Path

Symptoms
If the last two or more components in a path match MS-DOS device names, you may receive an error message on a blue screen similar to the following example:

A fatal exception 0E has occurred at (address) in VXD (FSD) + (address). The current application will be terminated.
* Press any key to terminate the current application.
* Press CTRL+ALT+DEL to restart your computer. You will lose any unsaved information in all applications.
Press any key to continue

NOTE: The VXD in question is a File System Driver (FSD) from the list in the “More Information” section of this article.
If you do not restart your computer at this point, subsequent blue screen error messages occur and the computer does not shut down properly. It may be necessary to interrupt power to the computer to reset it successfully.
Alternatively, if your computer has a large amount of memory (for example, 192 MB), the mouse pointer may be displayed as an hourglass over the taskbar and you may be unable to run additional programs. The computer eventually becomes unresponsive to mouse and keyboard input.
Resolution
MS-DOS device names are reserved words and cannot be used as folder or file names. When parsing a reference to a file or folder, Windows correctly checks for the case in which a single MS-DOS device name is used in the path, and treats it as invalid. However, Windows does not check for the case in which the path includes multiple MS-DOS device names. When Windows attempts to interpret the device name as a file resource, it performs an illegal resource access operation that usually results in the computer becoming unresponsive.
Because you cannot create files or folders that contain MS-DOS device names, it is unusual for a user to try to gain access to one under normal circumstances. The chief threat posed by this vulnerability is that a malicious user can entice a user to attempt such an access. For example, if a Web site operator hosts a hyperlink that references such a path, when the user clicks the link, the computer may hang. Likewise, a Web page or HTML e-mail message that specifies a local file as the source of rendering information can cause the user’s computer to hang when it is displayed. If this happens, you can put the computer back into normal service by restarting it.
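The condition described above (the last two or more path components matching MS-DOS device names) can be checked for in href and src values before a page or HTML e-mail message reaches a user. The Python filter below is an added example, not part of the original article; the reserved-name list, the function names and the sample HTML are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed reserved-name list (the page does not enumerate the device names).
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL", "CLOCK$", "CONFIG$"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}
ATTR_RE = re.compile(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", re.I)

# Constructed sample input, not taken from the article.
SAMPLE_HTML = r'''
<a href="file:///c:/con/con">notes</a>
<img src="c:\nul\aux.gif">
<a href="https://example.test/docs/con/readme.txt">docs</a>
<img src="file:///c:/temp/nul">
'''

def is_device_name(component: str) -> bool:
    """True if a path component resolves to an MS-DOS device name."""
    # A trailing colon, trailing dots/spaces and any extension are ignored.
    base = component.strip().rstrip(":. ").split(".", 1)[0].rstrip()
    return base.upper() in DOS_DEVICES

def trailing_device_run(path: str) -> int:
    """Count how many consecutive final components are device names."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    run = 0
    for part in reversed(parts):
        if not is_device_name(part):
            break
        run += 1
    return run

def is_hostile_reference(ref: str) -> bool:
    """Flag a reference whose path ends in two or more device names."""
    ref = unquote(ref.strip())  # decode %5C and similar before splitting
    split = urlsplit(ref)
    path = split.path if split.scheme.lower() == "file" else ref
    return trailing_device_run(path) >= 2

def flag_html(html: str) -> list[str]:
    """Return every href/src value in the markup that should be blocked."""
    return [ref for ref in ATTR_RE.findall(html) if is_hostile_reference(ref)]

if __name__ == "__main__":
    for ref in flag_html(SAMPLE_HTML):
        print("blocked:", ref)
```

A single trailing device name is deliberately not flagged, because the article states that Windows already treats that case as invalid.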

“Fatal Exception” Error Message or USB Devices May Not Work After You Insert PC Card

Symptoms
When you insert a PC Card device into your computer, you may experience one of the following symptoms:
- A “fatal exception” error message is displayed on a blue screen.
- Your USB device(s) do not function.
- Msgsrv is listed as “not responding” in Task Manager.
NOTE: To start Task Manager, press and hold down the CTRL+ALT keys, and then press the DELETE key once.
Resolution
This problem can occur if the PC Card insertion causes a rebalance of system resources for the USB host controller.