WebCacheV01.dat



anon
12.03.19, 03:12
Internet Explorer 10 and above and programs that use the WinInet API on Windows may keep a list of cached resources inside the file WebCacheV01.dat, which persists across InPrivate sessions or even if "delete browsing history" is used, and is stored in plaintext.

https://www.sevenforums.com/browsers-mail/380399-webcachev01-dat-major-privacy-issue-how-delete.html
http://www.ericlawrence.com/eric/show.asp?entry=4/3/2013%205:27:00%20PM
https://articles.forensicfocus.com/2013/12/10/forensic-analysis-of-the-ese-database-in-internet-explorer-10/

I checked and confirmed this on my system. The file listed cached objects dating back to approximately two months ago, from both Internet Explorer and installers I ran, even though InPrivate is used at all times on the latter.

WebCacheV01.dat is locked by the CacheTask, which runs as soon as a user logs in, so to delete (or open!) it without taking your system offline, you'll have to run something like this with administrative privileges.


rem Run from an elevated command prompt. Close IE, stop the WinInet cache task
rem that keeps WebCacheV01.dat open, wipe the cache directory, then restart the task.
tskill iexplore
schtasks /end /tn "\Microsoft\Windows\Wininet\CacheTask"
cd /d "%localappdata%\Microsoft\Windows\WebCache"
del /f /q *.*
rem Or maybe sdelete -r *.*
rem Or maybe (typed at the prompt; inside a .cmd file write %%a instead of %a):
rem for /f "usebackq" %a in (`dir /a /b`) do shred -fuzn 0 %a
schtasks /run /tn "\Microsoft\Windows\Wininet\CacheTask"

Renk
27.03.19, 03:56
For deleting WebCacheV01.dat, you can first end the processes Taskhost.exe and Dllhost.exe (*). Then deleting WebCacheV01.dat is possible, the problem being that another WebCacheV01.dat is recreated shortly after that. Curiously, the new WebCacheV01.dat seems not to be empty (25 MB).

This file being in AppData\Local\Microsoft\Windows\WebCache, a solution may be to:
0) End Taskhost.exe and Dllhost.exe
1) Delete WebCacheV01.dat
2) Very quickly before it re-spawns, create a directory named WebCacheV01.dat
(to buy some time, it's possible to delete the directory WebCache itself first, then recreate it on the desktop with the WebCacheV01.dat directory in it, and move the directory WebCache into AppData\Local\Microsoft\Windows\WebCache).

For the moment, on my PC, this seems to work.

(*) sometimes not possible because Taskhost.exe and Dllhost.exe could run as SYSTEM and normally you can't end such processes even under an admin account. In that case a reboot may help.



NB1: WebCacheV01.dat didn't get recreated, but WebCache still contains files such as V01.chk, V01.log, V01.jrs and WebCacheV01.tmp, their size being 512 kB (the size of the file WebCacheV01.dat was 50 MB).

NB2: I'm not able to open either the WebCacheV01.dat or the .chk/.log/.jrs/.tmp counterparts, so I'm unable to inspect them.

NB3: Since I have done that, my IE no longer works, but this is not in itself much of a problem (rather a relief).

NB4: On another PC, I have tried to use Privazer (donor version) in order to get rid of this WebCacheV01.dat file. Privazer did remove WebCacheV01.dat. Again this file was recreated, but this time with a size of 3 MB. I suspect it's a preallocated size, and that the file is in fact empty. Were it really the case, regular Privazer usage could be a solution.

NB5: They seem to have found a cleaner and smoother solution on www.tenforums.com (https://www.tenforums.com/general-support/37841-disable-webcachev01-dat.html):


To disable webcache we need to open Task Scheduler from Administrative Tools, navigate to Microsoft > Windows > Wininet. Stop and disable the task "CacheTask".

The second step is to delete the DCOM entry:
In REGEDIT, search for this GUID: {3EB3C877-1F16-487C-9050-104DBCD66683}
Delete this GUID.
You will have to change the ownership to your user to be able to delete this key.



Worth noting what follows:


I have noticed a huge change in web browsing behavior. Since stopping and denying access and deleting webcache, I traced my line using wireshark and have discovered something. My computer was being used as a cache server for pictures to all sorts of pages. I do not get those "eye candy" pictures in my web browser now.
I also noticed in wireshark how I was able to find the true IP of the servers hosting these Images and was able to block the nameserver in my host file.
I was not able to find the IP of these servers because I was being the host, it was my IP hosting data to the browser. I now understand why I had so many packets being sent from my computer ip to router.
On a personal side, I feel lot more secure now. WHY WOULD MS ENABLE THIS BY DEFAULT?

anon
30.03.19, 19:52
taskhost and dllhost are generic host processes (like svchost but with different functions) and should not be terminated based solely on their name. The proper way to end the WinInet task is detailed in the first post. As for dllhost, it must only be terminated if it is hosting the process with CLSID 3EB3C877-1F16-487C-9050-104DBCD66683, easily verified by checking its command line parameters.

If you use ShadowCopy or RawCopy, you can copy the cache files even if they are in use, and then use esentutl or ESEDatabaseView on them to read their contents. The carving tool mentioned in the paper (which can display "deleted" entries) is only available to licensed forensic investigators upon request and hasn't been leaked as far as I could find, but a simple strings dump will already show lots of interesting information.

Disabling the WinInet cache altogether is an extreme and potentially harmful solution. I think using full disk encryption and periodically shredding the offending files is a better compromise.


(*) sometimes not possible because Taskhost.exe and Dllhost.exe could run as SYSTEM and normally you can't end such processes even under an admin account. In that case a reboot may help.

RunAsSystem and RunFromToken will let you become SYSTEM and TrustedInstaller, a must-have for dealing with this sort of situation.
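The triage anon describes above (copy the locked database, then strings-dump it), as an added example that is not from this thread: a small Python script that pulls ASCII and UTF-16LE printable runs out of a copied WebCacheV01.dat, keeps the URL-shaped ones and counts them per host, so you can see what the file would reveal before deciding how to wipe it. The embedded SAMPLE bytes are constructed, and the script assumes it is run against a copy taken with ShadowCopy/RawCopy, not the live file.

```python
import re
import sys
from collections import Counter
from pathlib import Path
from urllib.parse import urlsplit

MIN_RUN = 6
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_RUN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_RUN)   # printable char, NUL
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)

# Constructed stand-in for a copied WebCacheV01.dat: binary noise around a few
# ASCII and UTF-16LE runs. Not real database content.
SAMPLE = (
    b"\x00\x10\x00\x00\xef\xcd\xab\x89"
    + b"http://example.com/banner.png\x00\x00\x00\x00"
    + "https://login.example.org/account?sid=42".encode("utf-16-le") + b"\x00\x00"
    + b"Visited: alice@http://example.com/index.html\x00\x00"
    + "http://example.com/banner.png".encode("utf-16-le")   # duplicate, other encoding
    + b"\x7f\x80\x81short\x00"
)

def extract_strings(data: bytes) -> list[tuple[int, str]]:
    """Printable runs (ASCII and UTF-16LE) with their byte offsets, in file order."""
    runs = [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(data)]
    runs += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RUN.finditer(data)]
    return sorted(runs)

def find_urls(data: bytes) -> list[str]:
    """Unique URL-shaped substrings in first-seen order. The regex is searched inside
    each run (not anchored) so prefixed rows such as 'Visited: user@http://...' count."""
    seen: dict[str, None] = {}
    for _, text in extract_strings(data):
        for url in URL_RE.findall(text):
            seen.setdefault(url, None)
    return list(seen)

def summarize_hosts(urls: list[str]) -> dict[str, int]:
    """Cached URLs per host: a quick view of which sites the file would reveal."""
    return dict(Counter(h for h in (urlsplit(u).hostname for u in urls) if h))

def main(argv: list[str]) -> int:
    data = Path(argv[1]).read_bytes() if len(argv) == 2 else SAMPLE   # file path optional
    urls = find_urls(data)
    print("\n".join(urls))
    for host, n in sorted(summarize_hosts(urls).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d}  {host}")
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Without an argument it runs over the constructed sample; pass the path of the copied WebCacheV01.dat to triage a real file.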