Description of SCODEF and CREDAT

  • Question

  • Does anybody know what the names SCODEF and CREDAT mean?

    I understand that SCODEF refers to PID, but what does the CREDAT value refer to?

    PLEASE NO LINKS.

    Hoping you can assist.

    Sunday, October 28, 2012 10:25 PM

All replies

  • It is not intended to be used outside Microsoft. IE's extension points are COM-based APIs. Why are you looking for those values? The command line got sent to the LCIE frame process, not to the tab process where your addon is hosted.

    If you started IE you can use IWebBrowser2::PutProperty to pass a value to your IE addon. 



    Visual C++ MVP

    Sunday, October 28, 2012 11:14 PM
  • Thanks for quick reply.

    The reason for the question: unknown command line parameters showing up in my Kaspersky antivirus program.

    Do not like seeing parameters that I don't understand.

    I found this reference in the History section of Kaspersky :-

    C:\program Files\Internet Explorer\iexplore.exe SCODEF:2452 CREDAT:203009
                                                                      :137476
                                                                      :203010
                                                                      :203012

    also:-

    C:\program files\Internet Explorer\iexplorer.exe -ResetDestinationList
                                                     -nohome
    What I was expecting to see was just iexplorer or iexplorer plus url?

    Is there a list to show me what these COM-based APIs do?

    Am I correct in saying that LCIE was first implemented in IE8?

    SCODEF means ? points to PID ?

    CREDAT means ? does what ?

    As you see from my reply I don't understand much about this process.

    Regards

    Jim.


    • Edited by Jimsrply Monday, October 29, 2012 12:59 AM
    Monday, October 29, 2012 12:56 AM
  • >What I was expecting to see was just iexplorer or iexplorer plus url? 

    Where did you get the expectation from? There are a lot more command line switches documented in the IE SDK. Anyway, those command line switches you mentioned are not documented, which means they are implementation details that can change in the next IE patch, and you know how often Microsoft releases IE patches.

    Why are you interested in those parameters? You should avoid using them in your code, alongside any other implementation detail you might know from Kaspersky.



    Visual C++ MVP


    Monday, October 29, 2012 1:09 AM
  • SCODEF is the parent window PID.  Trying to find CREDAT now.

    This is specific to Iexplorer in WMI and Taskmgr.


    Mark Rowe MCPD:Windows, MCPD:Web, MCPD:Azure, MCTS:Biztalk http://MicrosoftIntegrationArchitect.com



    • Edited by Mark.Rowe Thursday, March 6, 2014 5:53 AM
    Thursday, March 6, 2014 5:44 AM
  • What Mark meant to say is "SCODEF" is an opaque token which may or may not be the same as a PID. CREDAT is also an opaque token whose definition is non-public and subject to change at any time.

    Thursday, March 6, 2014 9:37 PM
  • I'll tell you why I am interested: 

    I started my machine up from hibernate mode, and this started running.  It is running in the background with no indication on the task manager.  It's consuming 25% of my Core I5 (one cpu at 100%) and slowing things down.  

    This smacks of malware. 

    I am considering that maybe I should disable or uninstall iexplorer somehow. Or write a program that kills iexplore as soon as it starts.

    The comment above says: " not intended to be used outside Microsoft".

    Well I am outside of Microsoft and this is running.  It must be bad. 


    rwg

    Wednesday, April 9, 2014 2:23 PM
  • Then go to an IE user forum on microsoft answers.

    This forum is for help in writing software that extends IE's functionality, question about using IE itself are off-topic here.



    Visual C++ MVP

    Wednesday, April 9, 2014 2:42 PM
  • Not sure how no one has pointed this out yet but Jimsrply if you are showing "iexplorer.exe" beware that has a very high likelihood of being malware.  The only process name you should see is "iexplore.exe".
    Thursday, February 25, 2016 6:56 PM
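
The name check described in the post above, applied to command lines quoted in this thread. This is an added example, not part of any participant's post: the `triage` function, the expected install directories and the finding labels are assumptions made for illustration, and SCODEF/CREDAT are only extracted as opaque values so that related processes can be grouped. An empty findings list means the image name and directory match the expected ones; it says nothing about what the process does.

```python
import re
from ntpath import basename, dirname, normcase

# Constructed sample input: command lines as they are quoted in this thread.
SAMPLES = [
    r'C:\program Files\Internet Explorer\iexplore.exe SCODEF:2452 CREDAT:203009',
    r'C:\program files\Internet Explorer\iexplorer.exe -ResetDestinationList',
    r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" '
    r'SCODEF:6220 CREDAT:18363642 /prefetch:2',
]

# Assumption: default IE install directories; adjust for the host being triaged.
EXPECTED_DIRS = {
    normcase(r'C:\Program Files\Internet Explorer'),
    normcase(r'C:\Program Files (x86)\Internet Explorer'),
}
EXPECTED_IMAGE = 'iexplore.exe'

# Image path is either quoted, or runs up to the first ".exe" when unquoted.
_CMD = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe))(?P<args>.*)$', re.I)
# SCODEF/CREDAT are undocumented; keep the values as opaque strings.
_TOKEN = re.compile(r'\b(SCODEF|CREDAT):(\d+)')


def triage(cmdline):
    """Split a logged command line and flag image name or directory mismatches."""
    m = _CMD.match(cmdline)
    if not m:
        return {'image': None, 'findings': ['unparsed'], 'tokens': {}}
    image = m.group('q') or m.group('u')
    findings = []
    if basename(image).lower() != EXPECTED_IMAGE:
        findings.append('image-name-mismatch')    # e.g. iexplorer.exe
    if normcase(dirname(image)) not in EXPECTED_DIRS:
        findings.append('unexpected-directory')   # right name, wrong place
    tokens = dict(_TOKEN.findall(m.group('args')))
    return {'image': image, 'findings': findings, 'tokens': tokens}


if __name__ == '__main__':
    for line in SAMPLES:
        result = triage(line)
        print(result['findings'] or 'name/path as expected', result['tokens'])
```
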
  • Sheng, you're right. But I think they would like to develop something to extend IE functionality, as I do.

    I am just now looking for a solution to catch and free a computer from the DAVEBESTDEALS.COM virus / malware.

    I want to extend my IE to find and eliminate attacks from this kind of code as well.

    I got many processes like this: C:\program Files\Internet Explorer\iexplore.exe SCODEF:2140 CREDAT:267521 /prefetch:2

    Yes, I understand MS wanted to use these args internally, but as we can see malicious developers use them to bring some or more bad moments into our lives. So we should know exactly how we can defend ourselves as developers. We need a detailed description of these "not intended to be used outside Microsoft" parameters and the IE process workflow.

    Thank you.


    Csaba Marosi

    Tuesday, August 1, 2017 11:52 AM
  • If you are writing anti-malware you should work on the payloads, not their victims. E.g. if the payloads run a URL via ShellExecute and the user's default browser is Firefox, you could possibly have some strange Firefox command line. But any study you have done on the IE/Firefox command line would not help you to identify a payload that calls ShellExecute.


    Visual C++ MVP

    Thursday, August 3, 2017 5:03 PM
  • You're right in common cases and if we can't get the starter process id or any other data about the environment.

    I think malicious developers can be efficient because they don't follow the rules, don't follow the official ways. Also I think we can get the starter process ID or something useful from the environment, which would be very good to know for our investigations.

    So even if you don't want to press us into official ways where we can't find solutions against malicious developers, we should know the details in order to be creative.

    The first post was created five years ago. We need detailed documentation. Where can we find it?


    Csaba Marosi

    Saturday, August 5, 2017 5:52 PM
  • There is no documentation, and that is intentional. 

    Besides, why do you think the command line parameters are important to malicious developers after what I had pointed out? If you have a fraudulent pizza order do you really need to know the pizza ingredients to investigate? There is NO difference between a legit pizza and a fraudulently ordered pizza.

    If you really want to reverse engineer, start with the sample you get and find identifiable information (e.g. a malicious URL in a script or executable). There is no future-proof way to defend yourself against malware. A sane malicious developer would do QA against anti-malware so a new malware does not get caught out of the gate.



    Visual C++ MVP






    Monday, August 7, 2017 2:16 PM
  • Excellent example.

    First of all, I would like to let you know that I appreciate your work as I appreciate my favorite pizza makers' work as well.
    It is obvious that if I have a fraudulent pizza order I don't want to know the pizza ingredients to investigate, just as I didn't ask for the IE source code.
    But the environment is so important. Who took the order, when, in what manner, etc.

    To defend my environments I have to pay attention to a minimum of two areas. How can I prevent successful attacks, and what can I do if they are already in?
    My target with this question is definitely not to get the ingredients or source code. My target is to collect as much data as possible about the environment to develop my own defense processes, which are unique and personalized enough to defend my environments.

    Suppose that I can understand you don't want to distribute the documentation. But please imagine that you are in our situation. What can we do if we want to understand the attackers' strategies and want to develop our own defense processes? Why should we work much harder just because you don't want to share the information "intentionally"?

    Can you imagine that you have a minimum of one pizza every day? I think we agree that, in the case of fraudulent pizza orders, it would be strange if the pizza maker didn't want to help you find the person who sent the fraudulent pizza orders. The pizza maker would just tell you he didn't have any documentation related to orders and that is intentional. If you want to avoid similar situations in the future you should handle it yourself as you can. Would you be happy with such an answer?

    I think it is in our common interest to fight against fraudulent persons. And we can do it much more simply if we share the necessary information.

    We, customers, share information when we send personal or automated feedback about products or cases. We just ask for similar behavior from you.


    Csaba Marosi

    Monday, September 11, 2017 9:30 PM
  • Thank you Microsoft for keeping me in the dark wtf is going on.

    Heap spray blocked: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6220 CREDAT:18363642 /prefetch:2

    Heap spray blocked: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6220 CREDAT:21050478 /prefetch:2

    Heap spray blocked: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6220 CREDAT:18363619 /prefetch:2

    Heap spray blocked: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6220 CREDAT:18363609 /prefetch:2

    Yeah let's keep doing this over and over because MS won't share knowledge to understand and come to a root cause to fix it.

    Thought MS was all about the enduser experience and that is why so many security flaws? Not sharing so we can fix rather just have to re-image is not a preferred enduser experience!

    "There is no documentation, and that is intentional. " Sounds like MS is hiding more security flaws. Pentesters please exploit this and make it public so I can get patches sooner rather than later, please!


    • Edited by Jimmy.Dugan Tuesday, April 17, 2018 8:01 PM
    Tuesday, April 17, 2018 7:58 PM
  • If you want someone to interpret the logs, go find whoever is reporting the logs. I bet it is not Microsoft. 

    Again, the command line parameters here have nothing to do with whatever is going on on your machine. Those are just fields used internally. Having internal fields is not a problem, it is a feature. You see internal fields all the time. If you deposit a check at a bank you may fill out a deposit form, and then the bank may write something in the fields that are marked internal use only. Having internal-use-only fields is not an exploitable security flaw. Nor do you have the right to know how those internal-only fields are filled. Yes, you may have a bad check, but there is no way to tell a bad check from a good check just by its looks. The bank has to actually do the homework of contacting the issuer of the check and seeing if there is enough balance in the account.

    Similarly, if security software wants to check if a process is good or bad, then the software has to actually do the homework of monitoring what the process does, like checking where the process is trying to write or which website the process tries to talk to. Trying to judge a process by name or parameter is like trying to tell if an accused person is guilty or innocent by looking at the first or last name of that person. Nobody has a name bias. Oh, almost nobody has a name bias; the thread starter obviously thinks the names can be a factor. No, they don't.

    Good that you have software that monitors what a process does, instead of just judging by its name or command line parameters. You can order any Windows program to run with any command line parameters you can dream of, really, not just the ones that are designed by the program's author. Windows will start processes with command line parameters given by the user, no questions asked. Trying to judge a process by command line parameters is a pointless exercise.

    BTW, if an attacker can run IE with a crafted command line on your machine, that is local code execution; at that point it is pointless to run IE, the attacker could just run a virus instead.



    Visual C++ MVP




    Wednesday, April 18, 2018 3:39 AM
  • This (now 6-year) conversation is the perfect crystallization of everything that is wrong with the Microsoft ecosystem.

    Your software shows up in the users life, and the user wants to understand how and why. And not only do you not help them understand, you ridicule them for wanting to.

    --@wb

    Wednesday, November 7, 2018 6:01 PM
  • >This (now 6-year) conversation is the perfect crystallization of everything that is wrong with the Microsoft ecosystem.
    >
    >Your software shows up in the users life, and the user wants to understand how and why. And not only do you not help them understand, you ridicule them for wanting to.
    >
    >--@wb

    Completely agree.

    Wednesday, November 21, 2018 3:43 PM
  • Studying the pizza won't help you on credit card fraud. Same as studying IE command line for unexpected IE popups. 

    There is NO IE command line argument for surprising popups. The virus writer could pop up a Notepad window in the same way. You are just wasting your time by posting in an IE forum if you want to find the cause, just like in the case of credit card fraud you don't really care about how a pizza is produced. Ask in an anti-virus forum instead.



    Visual C++ MVP


    Wednesday, November 21, 2018 7:11 PM
  • Worse - in my case I think I was hacked - I was getting a lot of NDRs for emails in Chinese.

    I upgraded to Outlook 64 bit (having spent many tens of hours going through fairly pointless exercises with well-meaning MS support engineers in Mumbai who kept going round the same circles with profiles and registry keys).

    I have now proved that these two odd instances of iexplore are triggered when I start Outlook 2016 64 bit (fully updated).

    Having turned on folder protection I get this:

    C:\Program Files\internet explorer\iexplore.exe has been blocked from modifying %desktopdirectory%\昁ⷷ翾 by Controlled Folder Access.

      Detection time: 2019-01-06T14:55:10.409Z
      User: IanC\Ian
      Path: %desktopdirectory%\昁ⷷ翾
      Process Name: C:\Program Files\internet explorer\iexplore.exe
      Signature Version: 1.283.2306.0
      Engine Version: 1.1.15500.2
      Product Version: 4.18.1812.3

    and one of the instances says this: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:15492 CREDAT:9474 /prefetch:2

    Incidentally, I don't get any comments from Defender if I actually run iexplore (which I don't use - although one of the MS support guys wanted me to run it as I was having sign out problems from Office 365 when using Edge!).

    The Defender warning and the instances of iexplore only appear when I start Outlook 2016 (64 bit)! I have seen some old reports of people having extra iexplore linked to Outlook 2016 64 bit.


    ICHC

    Monday, January 7, 2019 4:09 PM
  • That folder name looks like IBM Security Trusteer Rapport (https://answers.microsoft.com/en-us/protect/forum/all/possible-virus-or-hack-attempt/932186e2-f360-4ba1-b35d-7ee78505eeed).

    This forum is not for viruses. You'd be better off visiting a computer security forum (perhaps this one? https://www.tenforums.com/antivirus-firewalls-system-security/97127-odd-defender-controlled-folder-access-alert-2.html).

    As for why Outlook launches IE that way, you probably should ask in an Outlook forum (perhaps this one: https://social.technet.microsoft.com/Forums/office/en-US/df1b8ed1-ed28-4325-9698-559c23e43027/outlook-spawns-two-internet-explorer-processes?forum=outlook)

    This is after 1 minute on Google Search. I am no expert in any of the technologies mentioned in those posts and if you finished reading the posts listed above you probably know more than I do. 



    Visual C++ MVP




    Monday, January 7, 2019 4:24 PM