The secret of Google Desktop Search
de parvis grandis acervus erit
July 18th, 2006
:: Ignore the warning left by Google
Directory of D:\Program Files\Google\Google Desktop Search
01/08/2006 10:17 386 aa ### WARNING - Do not
01/08/2006 10:17 386 ab ### move or delete these
01/08/2006 10:17 386 ac ### files - your system
01/08/2006 10:17 386 ad ### may stop working
01/08/2006 10:17 572 ae ###
01/08/2006 10:17 386 af ### To uninstall use
01/08/2006 10:17 386 ag ### Add-Remove programs
01/08/2006 10:17 386 ah ### in the control panel
01/08/2006 10:17 386 ai ### or run
01/08/2006 10:17 572 aj ###
01/08/2006 10:17 572 ak ### GoogleDesktopSetup.exe -uninstall
01/08/2006 10:17 572 al ###
:: Steps to reproduce:
-Install GoogleDesktopSearch (V3 or V4)
-Reboot
-Kill all processes related to GoogleDesktopSearch:
for %i in (GoogleDesktop GoogleDesktopIndex GoogleDesktopCrawl GoogleDesktopDisplay) do pskill %i
or
taskkill /F /IM goog*
-rd /s /q "%programfiles%\Google"
-reboot
:: SYMPTOMS
Explorer.exe won't launch anymore. It crashes every time without any error displayed or logged, whichever user profile is loaded.
:: Besides the 2 classic launch points:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Google Desktop Search" = ""D:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs" = "D:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"
:: Another mysterious launch point has been used:
A TreatAs key has been added under the "Microsoft Browser Architecture" CLSID, and it points to the CLSID representing the "Google Desktop IE Plugin" DLL file loaded by the above "AppInit_DLLs" value:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}\TreatAs
REG_SZ {6233543C-2323-456A-A169-2E9C5E6E977B}
:: SOLUTION: just delete the TreatAs key, explorer reappears!
reg delete "\\targetcomputer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}\TreatAs" /f
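An added example (not part of the original post): a read-only PowerShell audit that lists every TreatAs redirect under HKLM\SOFTWARE\Classes\CLSID and flags the ones whose target DLL is no longer on disk, which is the state the steps above leave behind. It assumes the target CLSID registers its DLL under InprocServer32; the helper name Get-InprocServerPath is hypothetical.

```powershell
# Added example, not from the original post. Read-only: it changes nothing.
# Assumption: a redirect target registers its DLL under InprocServer32.
$clsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'

function Get-InprocServerPath {          # hypothetical helper name
    param([string]$Clsid)
    $key = Join-Path $clsidRoot "$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = [string](Get-Item -LiteralPath $key).GetValue('')   # default value = DLL path
    if (-not $raw) { return $null }
    # Expand %SystemRoot% style variables and drop surrounding quotes
    return [Environment]::ExpandEnvironmentVariables($raw).Trim().Trim('"')
}

$report = Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue |
    ForEach-Object {
        $treatAs = $_.OpenSubKey('TreatAs')
        if (-not $treatAs) { return }            # no redirect on this CLSID
        $target = [string]$treatAs.GetValue('')  # default value = replacement CLSID
        $treatAs.Close()

        $dll = Get-InprocServerPath -Clsid $target
        if (-not $dll) {
            $status = 'target has no InprocServer32'
        } elseif (-not [IO.Path]::IsPathRooted($dll)) {
            $status = 'relative path, not checked'   # resolved via the DLL search order
        } elseif (Test-Path -LiteralPath $dll) {
            $status = 'ok'
        } else {
            $status = 'DLL missing on disk'
        }

        [pscustomobject]@{
            Clsid   = $_.PSChildName
            Name    = [string]$_.GetValue('')
            TreatAs = $target
            Dll     = $dll
            Status  = $status
        }
    }

# Broken or unverified redirects first, then the rest
$report | Sort-Object { $_.Status -eq 'ok' }, Clsid | Format-Table -AutoSize -Wrap
```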
:: Winsock LSP integration :[
Check that GDS hasn't been inserted in the winsock2 stack:
netsh winsock show catalog | find /i "google"
If your winsock stack got corrupted or you've found an entry in the protocol catalog of your winsock2 parameters, you can reset it like this:
netsh winsock reset
reboot
:: Another useful link about the GDS security threat
http://safecomputing.umich.edu/tools/download/gd_security.pdf