Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Elsa User Manual.doc
32
SECRET//NOFORN
UI and looking at the 'Last Run Time' field. If it hasn't run yet, either wait for it to run or re-install with a different run time
• Check to see if the elsa task completed successfully by double clicking on the task in the taskschd.msc UI and looking at the 'Last Run Result' field. If not, check that the Class ID in the install script matches the GUID specified in the patcher

4. Dll not loaded – SvcHost Mode
• Check to see if the elsa service appears in the services.msc UI or task manager services tab. If not, double check the install against the svchost install procedure above
• Check to see if the elsa service is listed as started in the services.msc UI or task manager services tab. If not, manually start it using net start <service name>

5. Dll not loaded – RunDll Mode
• Double check the install against the svchost install procedure above, particularly the Control_RunDLL flag

6. No geo results in decrypted log file
• Check to see if wifi access points are present. If they are, use the processor to geolocate the results
• Check to see if elsa was configured with a geolocation provider results. If not, re-patch and reinstall

7. Fewer wifi results than expected in decrypted log file
• Check to see that the log file size was not close to the configured limit
• Check to see if the wifi rssi threshold was high (e.g. -60 dBm or more). Re-patch and reinstall with a very low (e.g. -5 dBm) setting.

8. Alphanumeric (base64 encoded) values in geolocation results
• Check to see if the alphanumeric values match any of the specific cases below.
• This indicates a parser error, see 'interpreting errors in Elsa xml files' below
• It is recommended that you configure Elsa to retain wifi ap lists for geolocation using the processor if these errors are common

9. 'H4sI' in microsoft location results
• This appears intermittently in microsoft results and is believed to be a random server error. Attempt to re-geo the result.

10. 'b3VyY2U9 …' in microsoft location results
• This decodes to an alternate geolocation format returned by microsoft. Although this is under investigation it does not appear that a lat/lon is