Highlighted
johnsonx Trusted Contributor.
Trusted Contributor.
404 views

filr 4.1.1 client periodically runs whoami.exe

since upgrading to Filr 4.1.1 client, I've noticed a console window popping up every half hour or so and disappearing immediately.  of course I didn't recognize immediately what it was, or what was doing it, and thought  I might have something bad on my system.

after much digging about and turning on process & command auditing, I found it's Filr doing it.  It launches "whoami.exe /groups", which then seems to launch conhost.exe (presumably doing something with the output of the whoami command).  indeed it does do it every 30 minutes exactly.

needless to say, I find this pop-up most disconcerting, though perhaps less so now that I know it's not something malicious.  this feels like a kludgy work-around to some problem

here's a few of the audit events:

Information,12/28/2019 12:38:20 PM

Process Information:
New Process ID: 0x2124
New Process Name: C:\Windows\System32\conhost.exe
Token Elevation Type: %%1938
Mandatory Label: Mandatory Label\Medium Mandatory Level
Creator Process ID: 0xfb0
Creator Process Name: C:\Windows\SysWOW64\whoami.exe
Process Command Line: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

 

Information,12/28/2019 12:38:20 PM

Process Information:
New Process ID: 0xfb0
New Process Name: C:\Windows\SysWOW64\whoami.exe
Token Elevation Type: %%1938
Mandatory Label: Mandatory Label\Medium Mandatory Level
Creator Process ID: 0x2698
Creator Process Name: C:\Program Files\Novell\Filr\filr.exe
Process Command Line: whoami /groups

 

Information,12/28/2019 12:08:20 PM

Process Information:
New Process ID: 0x2edc
New Process Name: C:\Windows\System32\conhost.exe
Token Elevation Type: %%1938
Mandatory Label: Mandatory Label\Medium Mandatory Level
Creator Process ID: 0x2e94
Creator Process Name: C:\Windows\SysWOW64\whoami.exe
Process Command Line: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

 

Information,12/28/2019 12:08:20 PM

Process Information:
New Process ID: 0x2e94
New Process Name: C:\Windows\SysWOW64\whoami.exe
Token Elevation Type: %%1938
Mandatory Label: Mandatory Label\Medium Mandatory Level
Creator Process ID: 0x2698
Creator Process Name: C:\Program Files\Novell\Filr\filr.exe
Process Command Line: whoami /groups

0 Likes
13 Replies
markusernst Trusted Contributor.
Trusted Contributor.

Re: filr 4.1.1 client periodically runs whoami.exe

Hi

Same here opened SR101276608681 'Flashing "whoami" ' some days ago

Markus

 

johnsonx Trusted Contributor.
Trusted Contributor.

Re: filr 4.1.1 client periodically runs whoami.exe

Markus,

Ok, cool.  Post back here with what you learn then.

Dave

 

0 Likes
greiner Honored Contributor.
Honored Contributor.

Betreff: filr 4.1.1 client periodically runs whoami.exe

Yes, i see every times the dos-box with call of whoami.exe, but i can't find the source. Now i am informed and wait of a solution.
thanks for this Information!
0 Likes
markusernst Trusted Contributor.
Trusted Contributor.

Re: filr 4.1.1 client periodically runs whoami.exe

Hi all

Bug 1159897 opened by support.

regards, Markus

0 Likes
johnsonx Trusted Contributor.
Trusted Contributor.

Re: filr 4.1.1 client periodically runs whoami.exe

I was debating between this being a kludgey bug fix, or leftover debugging code that was forgotten about.  Support opening it as a bug sort of suggests the latter.  However I guess it could be something like "we still need this whoami /groups function to solve some problem, but we need to make it run completely in the background"; so the bug is not the fact that it's doing it at all, but just the fact that it's visible.

I just wonder if they're going to consider this important enough to do a hot-fix/point release sometime soon, if it's going to wait for the next scheduled update.

Time will tell.

 

0 Likes
johnsonx Trusted Contributor.
Trusted Contributor.

Re: filr 4.1.1 client periodically runs whoami.exe

I will open an SR referencing that bug next week, to add another voice asking for the fix.  Everyone on 4.1.1 should do the same.

etrooton Contributor.
Contributor.

Re: filr 4.1.1 client periodically runs whoami.exe

Hi, same here. Yesterday got some time to check whats going on.

Happy New Year!!!

0 Likes
Knowledge Partner
Knowledge Partner

Re: filr 4.1.1 client periodically runs whoami.exe

I will be opening a critsit SR on this tomorrow, as this kludge steals the focus from fullscreen apps, which we totally can't tolerate in our environment.

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
0 Likes

Re: filr 4.1.1 client periodically runs whoami.exe

Hi guys

Seeing same problem here, have created SR#101280133051,​ "FILR: Filr 4.1.1 client periodically runs whoami.exe - Critical​" today and asked for immediately escalation to "Critical".

Anyone received some form of solution?

 

Best regards

/Flemming

0 Likes
greiner Honored Contributor.
Honored Contributor.

Re: filr 4.1.1 client periodically runs whoami.exe

The Problem is that your running program lose the Focus!!!
0 Likes
markusernst Trusted Contributor.
Trusted Contributor.

Re: filr 4.1.1 client periodically runs whoami.exe

Hi

I got an updated version from support Yesterday. But updating an existing 4.1.1 installation failed. I have reported back and wait for a fixed version.

regards

Markus

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.