
enum_applications shows many (but not all) doubled entries #12066

Open
1 task done
jeffmcjunkin opened this issue Jul 8, 2019 · 9 comments
Assignees
Labels
confirmed Issues confirmed by a committer usability Usability improvements

Comments

@jeffmcjunkin
Contributor

Steps to reproduce

How'd you do it?

  1. Gained a windows/meterpreter session
  2. meterpreter > run post/windows/gather/enum_applications

Expected behavior

See one entry per application, like the following mockup:

Installed Applications
======================

 Name                                                            Version
 ----                                                            -------
 FileZilla Client 3.37.4                                         3.37.4
 Google Chrome                                                   75.0.3770.100
 Google Update Helper                                            1.3.34.11
 Microsoft OneDrive                                              18.151.0729.0012
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148  9.0.30729.4148

Current behavior

Most applications are listed twice:

Installed Applications
======================

 Name                                                            Version
 ----                                                            -------
 FileZilla Client 3.37.4                                         3.37.4
 FileZilla Client 3.37.4                                         3.37.4
 Google Chrome                                                   75.0.3770.100
 Google Chrome                                                   75.0.3770.100
 Google Update Helper                                            1.3.34.11
 Google Update Helper                                            1.3.34.11
 Microsoft OneDrive                                              18.151.0729.0012
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148  9.0.30729.4148
 Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148  9.0.30729.4148
 Microsoft Visual C++ 2017 Redistributable (x64) - 14.16.27029   14.16.27029.1
 Microsoft Visual C++ 2017 Redistributable (x64) - 14.16.27029   14.16.27029.1
 Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810   14.12.25810.0
 Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810   14.12.25810.0
 Microsoft Visual C++ 2017 x86 Additional Runtime - 14.12.25810  14.12.25810
 Microsoft Visual C++ 2017 x86 Additional Runtime - 14.12.25810  14.12.25810
 Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.12.25810     14.12.25810
 Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.12.25810     14.12.25810
 Notepad++ (32-bit x86)                                          7.7.1
 Notepad++ (32-bit x86)                                          7.7.1

System stuff

Metasploit version

msf5 > version
Framework: 5.0.36-dev-
Console  : 5.0.36-dev-

I installed Metasploit with:

  • Omnibus installer (nightly)

OS

Running Metasploit on Ubuntu 16.04.6 x64.

Interestingly, this doesn't seem to be due to x86 and x64 (WOW6432Node) entries in the registry. With Notepad++, for example, I searched the entire registry for Notepad++ (32-bit x86) and only found one entry, under HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++

@ccondon-r7 ccondon-r7 added the usability Usability improvements label Feb 23, 2020
@dwelch-r7 dwelch-r7 added the confirmed Issues confirmed by a committer label Feb 28, 2020
@dwelch-r7
Contributor

dwelch-r7 commented Feb 28, 2020

Installed Applications
======================

 Name                                                                Version
 ----                                                                -------
 Microsoft OneDrive                                                  19.232.1124.0008
 Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.20.27508  14.20.27508.1
 Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.20.27508  14.20.27508.1
 Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.20.27508  14.20.27508.1
 Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.20.27508  14.20.27508.1
 Microsoft Visual C++ 2019 X86 Additional Runtime - 14.20.27508      14.20.27508
 Microsoft Visual C++ 2019 X86 Additional Runtime - 14.20.27508      14.20.27508
 Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.20.27508         14.20.27508
 Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.20.27508         14.20.27508

Yup, getting the same sort of thing.

Funny how OneDrive only showed up once, though; everything else is doubled. I wonder if that could help point us in the right direction on what the root of the issue is.

@dwelch-r7
Contributor

dwelch-r7 commented Feb 28, 2020

It looks like the crux of this issue is from applications either being installed for all users or for the current user. If it's only installed for the current user (like OneDrive is, from my limited googling) it'll show up once, but if it's installed for all users it'll show up twice.

we seem to pick out the installed applications from these keys:

      'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
      'HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
      'HKLM\\SOFTWARE\\WOW6432NODE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
      'HKCU\\SOFTWARE\\WOW6432NODE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',

HKLM vs HKCU, all users vs current
All of that seems fine to me, should be a simple case of just not adding duplicate entries

EDIT:
Uhhh, ok, so I made no changes and it fixed itself?

Installed Applications
======================

 Name                                                                Version
 ----                                                                -------
 Docker Desktop                                                      2.2.0.3
 Java 7 Update 67 (64-bit)                                           7.0.670
 Java SE Development Kit 7 Update 67 (64-bit)                        1.7.0.670
 Microsoft OneDrive                                                  19.232.1124.0008
 Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.20.27508  14.20.27508.1
 Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.20.27508  14.20.27508.1
 Microsoft Visual C++ 2019 X64 Additional Runtime - 14.20.27508      14.20.27508
 Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.20.27508         14.20.27508
 Microsoft Visual C++ 2019 X86 Additional Runtime - 14.20.27508      14.20.27508
 Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.20.27508         14.20.27508
 VMware Tools                                                        11.0.0.14549434

No changes to the module, that is; this is the same VM I was using earlier but with a few more applications installed, notably VMware Tools.

@jeffmcjunkin do you have any more information you can give us? Like the target you were running the module against: was it a VM? What Windows version?

@dwelch-r7 dwelch-r7 self-assigned this Feb 28, 2020
@jeffmcjunkin
Contributor Author

It was a VM, at the time Windows 10 x64 Enterprise 1903, now 1909.

I see the same fixed behavior now. Maybe it was gremlins? Or some separate fix resolved this as well?

@dwelch-r7
Contributor

@jeffmcjunkin thanks for getting back. I'm gonna go ahead and close this issue out since it seems to be working(?) now; if it crops up again let us know and we can take another crack at figuring out how to reproduce it.

@jeffmcjunkin
Contributor Author

I'm sad to say I see this issue again, this time on Windows 10 20H2 with the latest omnibus installer:

Windows 10 Enterprise x64 20H2:

C:\>ver

Microsoft Windows [Version 10.0.19042.685]

Debian 10 x64:

msf6 exploit(windows/http/icecast_header) > version
Framework: 6.0.22-dev-
Console  : 6.0.22-dev-
msf6 exploit(windows/http/icecast_header) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run post/windows/gather/enum_applications
[...skipped...]
 FileZilla Client 3.37.4                                                        3.37.4
 FileZilla Client 3.37.4                                                        3.37.4
 GnuWin32: Make-3.81                                                            3.81
 GnuWin32: Make-3.81                                                            3.81
 Google Chrome                                                                  87.0.4280.88
 Google Chrome                                                                  87.0.4280.88
 Google Update Helper                                                           1.3.36.51
 Google Update Helper                                                           1.3.36.51
 IntelliTraceProfilerProxy                                                      15.0.18198.01
 IntelliTraceProfilerProxy                                                      15.0.18198.01
 KeePass Password Safe 2.42.1                                                   2.42.1
 KeePass Password Safe 2.42.1                                                   2.42.1
 Kits Configuration Installer                                                   10.1.18362.1
 Kits Configuration Installer                                                   10.1.18362.1
[...skipped...]

@jeffmcjunkin
Contributor Author

Ah! It does matter whether you're in a native architecture process or not. Maybe it's the 32-bit translation layer?

Excerpt after run migrate -n spoolsv.exe:

 FileZilla Client 3.37.4                                                        3.37.4
 GnuWin32: Make-3.81                                                            3.81
 Google Chrome                                                                  87.0.4280.88
 Google Update Helper                                                           1.3.36.51
 HxD Hex Editor 2.4                                                             2.4

@jeffmcjunkin
Contributor Author

Beep boop, I think this issue should've been re-opened; as shown above, it may be related to 32-bit translation layers.

@adfoster-r7 adfoster-r7 reopened this Sep 10, 2021
@adfoster-r7
Contributor

adfoster-r7 commented Sep 10, 2021

@jeffmcjunkin I haven't looked into this yet, but if the output duplication is caused by the issue you're suggesting - would you want the table to reflect that, or just skip duplicates?

@jeffmcjunkin
Contributor Author

Personally, I'd either skip duplicates (probably easiest) or avoid the 32-bit registry translation layer (which may be worth solving, to be a template for other modules, if this affects other modules).

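As an added example (not code from the Metasploit module or from anyone in this thread), the following Ruby models the four Uninstall keys quoted earlier and the "skip duplicates" option discussed in the last two comments. It assumes a simplified WOW64 redirection in which a 32-bit process reading HKLM\SOFTWARE gets the WOW6432Node view while HKCU is not redirected (which would explain a per-user install like OneDrive appearing once); the registry contents, read_key, enum_applications and dedup_applications are all constructed for illustration.

```ruby
# Added example: models duplicate rows from the four Uninstall keys under an
# assumed WOW64 redirection, then de-duplicates on (name, version).
UNINSTALL_KEYS = [
  'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
  'HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
  'HKLM\\SOFTWARE\\WOW6432NODE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
  'HKCU\\SOFTWARE\\WOW6432NODE\\Microsoft\\Windows\\CurrentVersion\\Uninstall',
].freeze

# Constructed sample registry (the 64-bit view). Each value is [name, version].
FAKE_REGISTRY = {
  UNINSTALL_KEYS[0] => [['Google Chrome', '87.0.4280.88']],
  UNINSTALL_KEYS[1] => [['Microsoft OneDrive', '19.232.1124.0008']],
  UNINSTALL_KEYS[2] => [['FileZilla Client 3.37.4', '3.37.4'],
                        ['Notepad++ (32-bit x86)', '7.7.1']],
  UNINSTALL_KEYS[3] => [],
}.freeze

NATIVE_HKLM = 'HKLM\\SOFTWARE\\'
WOW_HKLM    = 'HKLM\\SOFTWARE\\WOW6432NODE\\'

# Hypothetical registry read. Assumption: in a 32-bit (WOW64) process the
# native HKLM\SOFTWARE path is redirected to HKLM\SOFTWARE\WOW6432NODE, so
# both HKLM keys return the same 32-bit entries; HKCU is left alone.
def read_key(path, wow64_process:)
  if wow64_process && path.start_with?(NATIVE_HKLM) && !path.start_with?(WOW_HKLM)
    path = WOW_HKLM + path.delete_prefix(NATIVE_HKLM)
  end
  FAKE_REGISTRY.fetch(path, [])
end

# Raw enumeration as the module would see it: [name, version, source_key].
def enum_applications(wow64_process:)
  UNINSTALL_KEYS.flat_map do |key|
    read_key(key, wow64_process: wow64_process).map { |name, ver| [name, ver, key] }
  end
end

# "Skip duplicates": one row per (name, version), keeping the key it was
# first seen under so the source can still be shown if wanted.
def dedup_applications(rows)
  rows.uniq { |name, ver, _key| [name.downcase, ver] }
      .sort_by { |name, _ver, _key| name.downcase }
end

if $PROGRAM_NAME == __FILE__
  puts 'raw (32-bit process):'
  enum_applications(wow64_process: true).each { |r| puts "  #{r.join(' | ')}" }
  puts 'deduplicated:'
  dedup_applications(enum_applications(wow64_process: true)).each { |r| puts "  #{r.join(' | ')}" }
end
```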