Very dangerous hacking ? Surprising relationship between cygwin and Microsoft

akiki@free.fr akiki@free.fr
Mon May 11 16:25:01 GMT 2020


Hi, 

While doing a habitual "cygcheck -rs", I was puzzled and ALARMED to see some registry keys mentioning cygwin:

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\
microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cygwin.com 
(default) = 0x00000000 
NumberOfSubdomains = 0x00000001 

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\
microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cygwin.com 
(default) = 0x00000000 
NumberOfSubdomains = 0x00000000 

Examining the registry under cygwin:
      cd /proc/registry/HKEY_CURRENT_USER/... ; 
Positioned on Internet Explorer\, 
I found 4 sub-keys : DOMStorage DomStorageState EdpDomStorage Main 

These keys are heavily populated:
"ls -lR|wc -l" gives me 1285 lines, and I can read many traces of my use of the internet about bank, vpn ...

For DOMStorage and EdpDomStorage, a list of URLs is indicated with dates between July 2019 and Apr 2020.

The values attached to the cygwin.com URL, as for the others, are 4-byte values - no clear meaning.

To conclude, Microsoft spies and registers all sites you access, cygwin.com in particular.
I hope only with Edge, but I am not sure of that. 

I have never seen in cygcheck such a reference to cygwin with Chrome, Firefox, Opera ...
Maybe something is done to mask them.

Sorry for my bad English. 

