Why is DNS apparently involved in issuing "dir" on Windows 10?

94

13

For complicated reasons, I have been forced to make an identical copy of cmd.exe and rename it to cmd-2.exe, which I put as a shortcut on the Taskbar to have them "grouped" in different taskbar groups.

Sometimes, I forget about this, and to open a new cmd.exe I middle-click that Taskbar icon to open a new cmd.exe. I then type a command such as dir and it spits out a bunch of nonsense, including: DNS bad key, which only happens if I accidentally use cmd-2.exe, not if I open the "real" cmd.exe, so it's not a "practical" problem.

However, I wonder why that message is ever printed at all. Is it apparently failing to do some kind of DNS lookup or something? Why is DNS involved at all with issuing dir to list files on my local computer? I have no network set up, no cloud drives, nothing like that whatsoever. It scares me that (apparently) there are DNS queries being made when I issue dir.

Maybe DNS bad key refers to something completely unrelated to the Domain Name System? I don't know what a "bad key" would even be in that context.

Khalid

Posted 2020-02-10T11:09:28.060

Reputation: 699

41 What other nonsense do those commands spit out? – user1686 – 2020-02-10T11:41:15.157

15 Exactly how did you make the shortcut? – Moab – 2020-02-10T11:41:35.647

2 Not saying this is the case here, but these subsystems that call subsystems that call subsystems for no good reason, with some of them being known attack vectors, at least in some contexts, are not a recipe for security. 99.999% of the time, no issue, but the 0.001% is what helps crackers. – JL Peyret – 2020-02-11T22:36:12.840

What are crackers gonna do though, crack your software and use it for free.. A financial security risk... huh. The hackers might hack in and steal your data, study your habits before attack, etc... another security risk!! Cracker gonna keep cracking though!! – Pimp Juice IT – 2020-02-12T04:03:40.100

8 Why was my comment explaining my downvote reason deleted? – Ian Kemp – 2020-02-12T10:03:12.693

6 This looks like an XY problem, where a hack to solve the original problem causes this interesting problem. The answers are great, but I propose the OP also ask the original problem in a separate question. – Jonathan – 2020-02-12T11:35:31.340

2 @IanKemp Because professional and responsible curation is not welcoming. Moderators do not accept anything other than praise/compliments. – Asteroids With Wings – 2020-02-13T13:52:01.197

1 @AsteroidsWithWings But downvoting without explaining why is also considered unwelcoming, so whatever I do, I'm a Bad Person. Guess I'll stop contributing then *shrug*. – Ian Kemp – 2020-02-13T14:22:21.493

@IanKemp That's pretty much what I did ;) – Asteroids With Wings – 2020-02-13T15:24:12.547

Answers

206

The second cmd.exe fails to locate and subsequently load the localized strings from the cmd.exe.mui satellite resource library.

Here is what it really attempts to say, taken from a 10.0.18362.1 (160101.0800):

  • 0x235F: "Volume in drive %1 is %2"
  • 0x235B: "Volume Serial Number is %1"
  • 0x2339: "Directory of %1"

This is actually the first three lines of a plain dir command output.

This is a funny one. There are no entries for message numbers 0x235F and 0x235B in the default system message table. So for the first two outputs, you get that cryptic message as shown in @harrymc's console screenshot.

But for 0x2339, there is an entry in the default system message table, physically stored in KernelBase.dll.mui pointing to the text "DNS bad key":

screenshot taken from ResHacker

It just so happens to share the number of the "Directory of %1" line of the command processor's resources: a fallback not anticipated by the developers of cmd.exe. So the DNS reference is just a coincidence, it could be anything.

Note that the proper message contains a variable argument (the directory name), while the DNS message doesn't. I guess that's why there is no more output after that - it might just terminate.

dlatikay

Posted 2020-02-10T11:09:28.060

Reputation: 771

5 Reading how you got to the bottom of this is just so cool. I'm amazed such a cryptic event can be so easily traced. Thanks for a great and thorough answer! – Zimano – 2020-02-12T15:55:58.827

@Zimano, where are you reading how they got to the bottom of it? – Pod – 2020-02-12T16:05:29.650

1 @Pod In the answer we're commenting on. The answerer explains exactly how they found the cause of the symptoms OP is experiencing. Do you feel the question is still unanswered or..? I'm not sure I understand the reason behind your comment. – Zimano – 2020-02-12T17:01:52.110

Sorry, perhaps it's a difference in language. Their answer didn't say "how" they came to this conclusion, it simply presented the conclusion. I thought there might be a blog post somewhere showing the "journey" they took to figuring it out :) – Pod – 2020-02-12T17:05:31.860

@Pod Oh I understand :-) The answer indeed doesn't get to the 'bottom of it' completely. I guess it depends on the reader's prior knowledge of mui resource files. – Zimano – 2020-02-12T17:16:47.790

110

I have managed to duplicate the problem:

[screenshot of the console output]

(I agree that the messages are not very informative.)

The problem is that starting from Vista all the text messages are compiled into a separate file, so Windows would search for a message file with your new CMD name and would not be able to find it.

It is not enough to copy cmd.exe to cmd-2.exe. You also need to copy in the folder %WinDir%\System32\en-US (or your language) the file cmd.exe.mui to cmd-2.exe.mui, otherwise you will get these crazy messages anytime that cmd-2.exe needs to issue a message.

Note: "DNS" here does not refer to the internet Domain Name System. This is just a coincidence.

harrymc

Posted 2020-02-10T11:09:28.060

Reputation: 306 093

6 @ThorbjørnRavnAndersen Not CMD.exe, but Windows. CMD.exe simply asks the system for a string resource with a specified ID in the current user's language. It's Windows that does the searching and fallback handling. – Tom Lint – 2020-02-11T16:27:25.880

So... what does it stand for? "Directory Name Search" maybe? – Darrel Hoffman – 2020-02-13T18:06:14.377

@DarrelHoffman: Your guess is as good as mine. – harrymc – 2020-02-13T18:19:51.943

2 I think the message does refer to DNS in the usual sense. @dlatikay's answer demonstrates it is essentially randomly picked from a list of kernel messages and the others nearby in the list look likely to refer to the Domain Name System. – Bob Sammers – 2020-02-14T09:46:59.943

@BobSammers: I also thought about it, but decided against, since proper DNS does not have the concept of "key". – harrymc – 2020-02-14T09:48:48.367

2 That depends on what you mean by "proper", I suppose. Windows supports DNSSEC (which uses keys). That is a standard, not just a Microsoft construct. It is speculation as to what these messages definitely refer to, of course, as well as going off-topic a little bit! – Bob Sammers – 2020-02-14T10:49:31.757
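
Added example, not part of either answer or of any comment above: a PowerShell script (save it as a .ps1 file) that checks both explanations on a given machine. It prints what the system message table holds for the three message IDs quoted in the first answer, then reports, for every language folder that has a cmd.exe.mui next to the original, whether the matching .mui file exists for the renamed copy. The default paths, the parameter names and the `-Fix` switch are assumptions made for this example.

```powershell
# Added example: parameter names, default paths and -Fix are assumptions.
param(
    [string]$Original = "$env:WinDir\System32\cmd.exe",
    [string]$Copy     = "$env:WinDir\System32\cmd-2.exe",
    [switch]$Fix      # copy missing satellites (needs an elevated prompt in System32)
)

# Part 1: text of the system message table for the IDs from the first answer.
# Win32Exception resolves a numeric code through the system message table;
# codes without an entry come back as a generic "unknown error" text.
foreach ($id in 0x235F, 0x235B, 0x2339) {
    $text = [System.ComponentModel.Win32Exception]::new($id).Message
    '0x{0:X4} ({0}) -> {1}' -f $id, $text
}

# Part 2: satellite files. A localized executable gets its strings from
# <folder of the exe>\<language>\<exe name>.mui, so a renamed copy needs a
# .mui file carrying its own name in each language folder.
$origDir  = Split-Path -Parent $Original
$origName = Split-Path -Leaf   $Original
$copyDir  = Split-Path -Parent $Copy
$copyName = Split-Path -Leaf   $Copy

Get-ChildItem -Path $origDir -Directory | ForEach-Object {
    $src = Join-Path $_.FullName "$origName.mui"
    if (Test-Path -LiteralPath $src) {
        $dst = Join-Path (Join-Path $copyDir $_.Name) "$copyName.mui"
        if ($Fix -and -not (Test-Path -LiteralPath $dst)) {
            # Create the language folder beside the copy if needed, then copy.
            New-Item -ItemType Directory -Force -Path (Split-Path -Parent $dst) | Out-Null
            Copy-Item -LiteralPath $src -Destination $dst
        }
        [pscustomobject]@{
            Language = $_.Name
            Expected = $dst
            Present  = Test-Path -LiteralPath $dst
        }
    }
}
```

A `Present` value of `False` for the language the console runs in corresponds to the situation described in the question. 0x2339 is 9017 in decimal, which is the value Windows headers define as `DNS_ERROR_RCODE_BADKEY`.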