Last Updated on February 15, 2024 by rudyooms
In this blog, I am going to take a closer look at another EPM “flight” (AKA new feature) that Microsoft seems to be working on in Endpoint Privilege Management (EPM). This feature is called ECS.
I am going to divide this blog into multiple parts:
- It’s all in the name
- Enabling the EcsFlight
- It just died….
- The Flow behind the name
- The Flow Behind the Broken Service
In one of my last blogs, I showed you how you could enable a new feature in Endpoint Privilege Management (EPM) called “Support Approved” on your own. I stumbled upon this feature while I was looking at some other files that appeared in the EPM agent folder. While looking at those new files, I stumbled upon some other nice “flights”, and Support Elevated was one of them.
This Support Approved feature was the most important one, but that doesn’t mean the other important flights will be forgotten…
When spending time on each of those flights, only 2 of them gave me the idea that Microsoft is indeed working on them.
This blog post will focus on the Ecs Flight! Why? Because it got my attention the moment I noticed the mention of Skype in it. Yep Skype… you heard it right!
As I was describing in the EPM support elevated blog and in the introduction, I noticed some new files showing up in the EPM agent folder called EcsClient.dll and EpmEcs.dll.
As I didn’t know what they did, I decided to take a peek at them with the IDA tool. When opening the EcsClient.dll I immediately stumbled upon some functions called: DefaultInternalSkypeBaseUris and SkypeVersion
I was like, huh? I was starting to doubt myself. Did I open a wrong DLL file or something like that? Because I wasn’t expecting the good old Skype to be mentioned in Endpoint Privilege Management. When taking a closer look at those functions I noticed something even more interesting.
As shown above, that function is mentioning config.skype.net. Okay, that was something I again wasn’t expecting. What does Skype have to do with EPM? I guess to properly answer that question, we first need to know what ECS stands for, right?
3. It’s all in the name
ECS… What is in the name? When trying to look up the actual name, while also trying to find out what those DLL files were doing, I ended up with 2 expansions of the acronym (it could easily be something else also 🙂 ):
Microsoft Experimentation and Configuration Service (ECS) and, as shown below, the Enhanced Configuration Service, again… (ECS).
2 names that belong to the same acronym? That brings back memories of the MMP-C acronym…. But now we need to choose between them. What if I add this specific EcsClient config to the equation?
Disable Experiment And Rollouts… Mmm, guess what we get when we add all of the Skype mentions to it? The Microsoft Experimentation and Configuration Service. It’s a bit odd because, in the current docs, it’s only mentioned in combination with Edge.
If we take a closer look at the Microsoft Edge configurations and experimentation ms doc itself, we will find some interesting stuff. The first one is the Controlled Feature Rollout…
Rollout, where did we hear that one before? Owww right.
The second one is mentioning the experiments… Experiment flags are used to enable and disable these features. Damn… Disable Experiments and Rollouts, sounds like we got a good match.
But I am not done, because this doc also mentions the fact that config.edge.skype.com is required to make sure clients can receive the payloads.
Of course, I am going to assume that EPM is NOT going to use the config.edge URL but a different one. Still, I guess it is safe to assume that EPM is going to use the same service as Edge does, to make sure that some experiments can be enabled/disabled on the fly. Maybe I am totally wrong here, but looking at the facts right now… I should be right.
4. Trying to enable the EcsFlight
Now that I have found out the name and probably the purpose of these ECS files, I guess it’s time to try to enable this flight. So let’s go to the Microsoft Flight Control Center to find out if we can launch this ECS flight on our own!
Just like we did to enable the support elevated flight, we are going to do the same for ECS. When we want to try to start the Ecs Client Setup, we first need to configure the 8b096dd2-7f12-4739-ac47-bb7869340df7 flight.
So, I did! As shown below, I configured the flight number with a value of 1.
After this value was configured, I tried to restart the EpmService, but that ended up with a total failure.
After adding the flight and trying to restart the EPMService, I ended up with a not-responding service. If we look at the EPMService event log, we will notice that it produces the error 0x80070002 (FileNotFoundException) when it fails to start.
5. It just died
So we need to add the flight number to the EPM registry node key, but once it is added, the EPMService doesn’t start. Mmmm, that’s going to be difficult.
I decided to take a look around at the Ecsclient.dll file. It’s pretty obvious that a new client needs to have a configuration, so I decided to take a look at one of the functions of this DLL file.
Within a couple of minutes, I had the idea that something called ecs.dat was missing on the device (which it indeed was). This could explain the error I got in the EPM log mentioning that the file was not found, right?
To be sure, I put Procmon in place and restarted the EPMService. It was pretty easy to spot what was missing, and it wasn’t the ecs.dat file. Why was it easy? Let me show you!
I knew that it was going to write an event to the EPMService log file, and I knew I needed to keep an eye out for the moment the EPMService was missing “something”, AKA “NAME NOT FOUND”.
As shown above, just before the EPMService failed to start and would log the error in the EPMService log file, it was trying to find a DLL file called Newtonsoft.Json.dll.
This Newtonsoft is a JSON framework for .NET and contains a lot of cool features.
That name rings a bell or 2! In the EcsClient.dll we spotted it when it was trying to fetch the config. It was trying to trigger the Newtonsoft.Json.JsonTextWriter to write something to a file. I guess without it, that part of the code will fail, and with it the EPMService will fail to start.
From there on it was pretty easy: looking up Newton in the ECS client code showed me a lot of hits, so this DLL file should be quite important. Because it was missing in action, I decided to just download the latest release from the GitHub page (after trying to manually copy and paste different versions of this Newtonsoft DLL file into the EPM folder).
After downloading the file, I extracted the version I needed (net40) and manually copied the Newtonsoft.Json.dll file to the EPMService folder.
With this missing DLL file in place, I tried to start the EPMservice again. As shown below, this time it was pretty successful!
Even the EPMService event log now mentions the fact that it indeed tries to find the ECS Client configuration. (FetchConfig)
Guess what it got me! A nice new file called Ecs.dat, isn’t that just wonderful as that file was missing in action before?
If we take a closer look at what’s inside this DAT file, we will notice that it contains no configs at all.
So we finally got it up and running but what now? What can we do with it? I guess that’s something to find out for another blog. Because we have an empty config and I truly don’t know (for now) what to put in it.
But hey, we got the flight working, right? That’s gotta count for something.
Please Note: The same version of the Newtonsoft.Json file is also located in the IME folder.
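To turn the troubleshooting steps above (flight value set to 1, service failing with 0x80070002, Newtonsoft.Json.dll missing next to the agent, ecs.dat appearing once FetchConfig runs) into a repeatable read-only check, here is an added PowerShell diagnostic. It is my own example and not code from the post or from the EPM agent. The post does not name the EPM registry node, the agent folder or the event log channel, so those three paths are placeholders marked ASSUMED; the flight GUID, the error code, the DLL name and the IME folder note come from the post. Because the workaround drops a DLL into the folder of a service running as SYSTEM, the check also reports the Authenticode signature status and whether the file's hash matches the copy shipped in the IME folder, which is what you want to verify before relying on a manually copied dependency.

```powershell
# Added example (not from the original post): read-only diagnostic for the ECS flight.
# Paths marked ASSUMED are placeholders; the post does not give them, so adjust to your device.

$FlightId     = '8b096dd2-7f12-4739-ac47-bb7869340df7'                  # from the post
$EpmFlightKey = 'HKLM:\SOFTWARE\Microsoft\EPMAgent\Flights'             # ASSUMED placeholder
$EpmFolder    = 'C:\Program Files\Microsoft EPM Agent'                  # ASSUMED placeholder
$ImeFolder    = 'C:\Program Files (x86)\Microsoft Intune Management Extension'
$EpmLogName   = 'Microsoft-Windows-EPMAgent/Operational'                # ASSUMED placeholder
$ServiceName  = 'EPMService'

function Get-EpmEcsDiagnostics {
    $result = [ordered]@{}

    # 1. Is the flight enabled? The post sets a value named after the GUID to 1.
    $flightValue = $null
    if (Test-Path $EpmFlightKey) {
        $flightValue = (Get-ItemProperty -Path $EpmFlightKey -ErrorAction SilentlyContinue).$FlightId
    }
    $result.FlightEnabled = ($flightValue -eq 1)

    # 2. Is the dependency the service failed on present next to the agent?
    $epmDll = Join-Path $EpmFolder 'Newtonsoft.Json.dll'
    $result.NewtonsoftPresent = Test-Path $epmDll

    if ($result.NewtonsoftPresent) {
        # 3. Version and signature of the DLL that was dropped in manually.
        $result.NewtonsoftVersion   = (Get-Item $epmDll).VersionInfo.FileVersion
        $result.NewtonsoftSignature = (Get-AuthenticodeSignature -FilePath $epmDll).Status.ToString()

        # 4. Does it match the copy that the post notes is shipped in the IME folder?
        $imeDll = Join-Path $ImeFolder 'Newtonsoft.Json.dll'
        if (Test-Path $imeDll) {
            $result.MatchesImeCopy = ((Get-FileHash -Path $epmDll).Hash -eq (Get-FileHash -Path $imeDll).Hash)
        }
    }

    # 5. Service state and the ecs.dat file written once FetchConfig runs.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    $ecsDat = Join-Path $EpmFolder 'ecs.dat'
    $result.EcsDatPresent = Test-Path $ecsDat
    if ($result.EcsDatPresent) { $result.EcsDatBytes = (Get-Item $ecsDat).Length }   # 0 = empty config

    # 6. Recent "file not found" (0x80070002) entries in the agent's event log channel.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $EpmLogName; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '0x80070002' }
    $result.RecentFileNotFoundErrors = @($events).Count

    return [pscustomobject]$result
}

Get-EpmEcsDiagnostics | Format-List
```

Run it before and after restarting the service: with the flight set and NewtonsoftPresent false you should see the 0x80070002 entries climbing; once the DLL is in place (signature Valid, hash matching the IME copy) the service should reach Running and ecs.dat should appear, with EcsDatBytes showing whether it is still the empty config the post describes.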
6. The Flow behind the name
The flow behind how I got to the possible name of the acronym
7. The flow behind the broken service
The flow behind me trying to fetch the broken epmservice after trying to enable the ECS Flight!
I guess the EcsClient is still a work in progress; otherwise, that Newtonsoft.Json DLL would already have been in place to do its job. So for now I guess we need to wait a bit longer until Microsoft finishes the job.