Download Mcafee Unlock User Interface Regedit

  1. The McAfee Anti-Virus filter scans incoming HTTP requests and their attachments for viruses and exploits. For example, if a virus is detected in a MIME.
  2. I needed to change a few settings on a McAfee VirusScan Enterprise 8.7.Oi client. However there was a password protection in place that locks the user interface and nobody around that could tell me the password.
About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like

Reset the User Interface password in the. Resources to help you upgrade to the latest versions of McAfee. Home Knowledge Center Downloads Service Requests.

  • ' href='https://www.remkoweijnen.nl/blog/'>Home
Author: Remko Weijnen9Dec

I needed to change a few settings on a McAfee VirusScan Enterprise 8.7.Oi client. However there was a password protection in place that locks the user interface and nobody around that could tell me the password. So what to do?

Right, we check out where this password is stored and how we can get rid of it!

I openend vsplugin.dll in Ida Pro and searched for related strings such as password, lock etc.

I found out that vsplugin.dll calls some interesting exports in shutil.dll called UIP, UiLockInfoLoad1 and UiLockInfoValidate1.

I searched further in shutil.dll and concluded that the password is stored in the UIP value under HKLMSoftwareMcAfeeDesktopProtection registry key.

The value is an MD5 Hash of the password so we cannot decrypt it. So I tried one of the many MD5 hash databases on the net but I couldn’t find the original string for the password.

This happens because the MD5 hash tables are all based on ASCII and McAfee uses a Unicode string type. Eg the word password would be stored like this in hex:

We can of course build our own Unicode hash/rainbow table but an easier solution is to write a known MD5 hash to this registry value. For instance the MD5 hash for the Unicode string password is: b081dbe85e1ec3ffc3d4e7d0227400cd.

Another bypass would be to delete the UIP value and set the UIPMode to 0 which disables the user interface password completely. Note that when an EPO server is in place it will always periodically overwrite the settings with those defined in it’s policies.

I’ve also seen that shutil.dll exports a function called UiLockInfoValidate1. This functions checks if the given MD5 hash exists in the Global Atom Table in the from UIP-<hash>.

The Atom seems to be used as a Single Sign on for the user interface unlock. Once you’ve entered the password in one module, it will also unlock the other modules. Possibly we could abuse this system by writing our own hash to the Global Atom Table but I didn’t investigate this further.

Share this:

Like this:

LikeLoading...

Related

Please consider donating something (even a small amount is ok) to support this site and my work:
Filed under: GeneralUnlockRSS feed for comments on this postTrackBack URI
    Helge KleinDecember 9th, 2011 at 16:491

    Very cool 😉 Keep on blogging!

    yogeshSeptember 28th, 2012 at 16:152

    “McAfee Anti User Password key

    shashikantOctober 16th, 2012 at 13:163

    Can you please tell me how to unlock McAfee 11.6 user interface.

    no oneAugust 2nd, 2015 at 22:404

    This is valid for McAfee before version 8.8

    After 8.8 the value is additionally encoded in UIPEx key
    Reportedly hashed like this:
    Base64(SHA1(unicode(“x01x0fx0dx33″ + password))).
    Good luck!


Leave a reply

  • Entries (RSS)
  • Comments (RSS)

Profile


Top Posts

  • RNS 315: Enable the hidden bluetooth carkit
  • Query Active Directory from Excel
  • Default username password HP Storageworks P2000
  • Enable Developer mode on VW Discover Pro with VCDS
  • Update AMD Display Driver under BootCamp
  • How rdp passwords are encrypted
  • Debugging Tools for Windows Direct Download
  • The case of the Slow Xerox Universal Print Driver
  • Trick to Export Private Key from Certificate Request
  • Patch Windows 2008 Terminal Server to allow more than 2 concurrent sessions

Recent Comments

Laurent Daudelin on Update AMD Display Driver under BootCampSorin Srbu on Determining if Battery Backed Write Cache is installedBelkin Support on silly issue with DHCP reservation on Netgear WNDR3700 routerMatty Ice on ClickOnce Applications in Enterprise EnvironmentsGiovanni on Google Earth fix for XenApp, RDSH & Horizon

Featured Downloads

  • ExeToPosh0.2.zip (7747 downloads)
  • AMD Radeon Crimson ReLive (2151 downloads)
  • Google Earth Compatibility Fix for Horizon, RDSH and XenApp (2825 downloads)
  • test-file (2516 downloads)
  • mstsc.exe build 6.1.7600.16385 (42699 downloads)
  • mage (3578 downloads)
  • DecryptPITFile.zip (3413 downloads)
  • rc4.zip (3396 downloads)
  • CtxPassCom.zip (3493 downloads)
  • SetMixedCode.zip (2794 downloads)
  • Donate


    Blogroll

  • Andrew Morgan
  • Oracle Unlock User

  • Arnout’s blog
  • Assa’s Blog
  • Barry Schiffer
  • Delphi Praxis
  • Ingmar Verheij
  • Jedi Api Blog
  • Jedi API Library
  • Jeroen Tielen
  • Kees Baggerman

  • Categories


    Archives

    • March 2018 (1)
    • January 2018 (4)
    • December 2017 (3)
    • April 2017 (1)
    • March 2017 (5)
    • February 2017 (4)
    • May 2016 (3)
    • March 2016 (1)
    • October 2015 (2)
    • September 2015 (1)
    • January 2015 (1)
    • August 2014 (1)
    • July 2014 (8)
    • May 2014 (1)
    • November 2013 (1)
    • October 2013 (2)
    • September 2013 (3)
    • August 2013 (4)
    • June 2013 (2)
    • May 2013 (3)
    • April 2013 (5)
    • March 2013 (5)
    • February 2013 (1)
    • January 2013 (5)
    • December 2012 (9)
    • November 2012 (3)
    • October 2012 (3)
    • August 2012 (4)
    • July 2012 (2)
    • June 2012 (1)
    • May 2012 (6)
    • March 2012 (13)
    • February 2012 (12)
    • January 2012 (9)
    • December 2011 (9)
    • November 2011 (4)
    • October 2011 (5)
    • September 2011 (10)
    • August 2011 (10)
    • July 2011 (2)
    • June 2011 (8)
    • May 2011 (12)
    • April 2011 (4)
    • March 2011 (14)
    • February 2011 (8)
    • January 2011 (32)
    • December 2010 (23)
    • November 2010 (19)
    • October 2010 (10)
    • September 2010 (6)
    • August 2010 (1)
    • July 2010 (1)
    • June 2010 (6)
    • March 2010 (7)
    • February 2010 (3)
    • December 2009 (3)
    • November 2009 (11)
    • September 2009 (2)
    • July 2009 (1)
    • June 2009 (5)
    • May 2009 (1)
    • April 2009 (2)
    • March 2009 (3)
    • February 2009 (6)
    • January 2009 (3)
    • December 2008 (8)
    • November 2008 (5)
    • October 2008 (3)
    • September 2008 (3)
    • August 2008 (3)
    • June 2008 (6)
    • May 2008 (2)
    • April 2008 (3)
    • March 2008 (5)
    • January 2008 (3)
    • December 2007 (3)
    • November 2007 (13)
    • October 2007 (10)

    Site Admin powered by WordPress Theme

    %d bloggers like this:

    I needed to change a few settings on a McAfee VirusScan Enterprise 8.7.Oi client. However there was a password protection in place that locks the user interface and nobody around that could tell me the password. So what to do?

    Right, we check out where this password is stored and how we can get rid of it!

    I openend vsplugin.dll in Ida Pro and searched for related strings such as password, lock etc.

    I found out that vsplugin.dll calls some interesting exports in shutil.dll called UIP, UiLockInfoLoad1 and UiLockInfoValidate1.

    I searched further in shutil.dll and concluded that the password is stored in the UIP value under HKLMSoftwareMcAfeeDesktopProtection registry key.

    The value is an MD5 Hash of the password so we cannot decrypt it. So I tried one of the many MD5 hash databases on the net but I couldn’t find the original string for the password.

    This happens because the MD5 hash tables are all based on ASCII and McAfee uses a Unicode string type. Eg the word password would be stored like this in hex:

    We can of course build our own Unicode hash/rainbow table but an easier solution is to write a known MD5 hash to this registry value. For instance the MD5 hash for the Unicode string password is: b081dbe85e1ec3ffc3d4e7d0227400cd.

    Download Mcafee Unlock User Interface Regedit

    Another bypass would be to delete the UIP value and set the UIPMode to 0 which disables the user interface password completely. Note that when an EPO server is in place it will always periodically overwrite the settings with those defined in it’s policies.

    I’ve also seen that shutil.dll exports a function called UiLockInfoValidate1. This functions checks if the given MD5 hash exists in the Global Atom Table in the from UIP-<hash>.

    The Atom seems to be used as a Single Sign on for the user interface unlock. Once you’ve entered the password in one module, it will also unlock the other modules. Possibly we could abuse this system by writing our own hash to the Global Atom Table but I didn’t investigate this further.

    Was once an enthusiastic PepperByte employee but is now working elsewhere. His blogs are still valuable to us and we hope to you too.