nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Why does Help / About Quicken Shows Windows 10 Enterprise on Windows 10 Pro

Steve54@

Here is a bit of trivia. Help / About Quicken shows Windows 10 Enterprise. But I have Windows 10 Pro.

From Windows Settings:

Edition Windows 10 Pro
Version 21H1
Installed on ‎4/‎2/‎2021
OS build 19043.1320
Experience Windows Feature Experience Pack 120.2212.3920.0

Find more posts tagged with

Accepted answers

All comments

Chris_QPW

Yeah, for whatever reason Quicken's about doesn't get this right. In truth I don't think there is anything in Home, Pro, Enterprise differences that matter to Quicken.

I believe they may be pulling it from the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion > ProductName = Windows 10 Enterprise

Where for more accuracy they can pull it from this one instead:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion > ProductName = Windows 10 Pro

Just a WAG.

Steve54@

BK,

Your WAG is good. Here is what I found.

I checked the key in Windows 10 64bit 21h1. As you did, I found ProductName as "Windows 10 Enterprise". The 64 bit question is why? Because Quicken is a 32-bit app. It apparently doesn't check to see if its on a 64-bit OS. See below.

I searched for WOW6432 and found this in Microsoft's documentation. "This registry key is typically used for 32-bit applications on 64-bit machines. If they're present on x86 machines, they don't cause any issues as they aren't used." See https://docs.microsoft.com/en-us/troubleshoot/windows-client/application-management/wow6432node-registry-key-present-32-bit-machine This is not true for Quicken 32-bit: it does use these registry keys.

Now we have the answer to a trivia question. This begs a couple of questions. Are there other more serious bugs lurking because Quicken uses the wrong Registry keys? And when will Quicken become a 64-bit app?

Steve

Chris_QPW

Steve54@ said:

And when will Quicken become a 64-bit app?

Steve

The answer is probably never.

Not only are there no compelling reasons to go to 64-bit for Quicken, and tons not too (32-bit version would have to built too doubling the work, testing, ...), Quicken is dependent on an obsolete database that clearly can't be ported to 64-bit, and there are probably other such components in Quicken like that.

This of course has been discussed many times:
https://community.quicken.com/discussion/7885036/i-want-64-bit-quicken-for-windows

Steve54@

Wow, this hits the real issue with using 32 bit software. Its not about memory size. Its about concerns for security of the embedded obsolete software. Using obsolete embedded software. My privacy and security antenna just lit up.

Is it true that quicken is using an obsolete database? Going to 64 bit isn't just about the memory size. It is about using modern software development tools and data bases that have modern security systems built in. So lets talk about the security problems that are likely latent in an old database software. Is that "obsolete" software even being maintained? I hope this is just an urban legend.

Steve

Steve54@

See the article at https://www.softwaretestingnews.co.uk/the-risks-of-obsolete-software-platforms/ to understand the risks of obsolete software.

Chris_QPW

I can't be absolutely sure and Quicken Inc is never going to tell you, but I'm about as sure as you can be without inspecting the code that they are using the same database that they were at least 20 years ago.
And the company that supplied it to them long ago dropped support for it.

If I was to worry about security of using Quicken it certainly wouldn't be because of the database. And of the things that might be security risks 64-bit isn't going to change it. This isn't a "database server/service", this is an embedded database. If one is expecting an non hackable data file, even after a hacker has got access to your machine, then you have come to the wrong place.

It is Quicken the "program" and the servers that needs to keep up with security updates and such. And of course the user needs to keep their machine properly patched to do the best you can to keep them out of your machine.

Credentials. Stored in the Password Vault, and on servers (Direct Connect in Password Vault, Express Web Connect/Mobile/Web on the servers). The Password Vault is an encrypted section of the data file. It gets it security not from a database, but from that encryption. Pick your poison, Direct Connect/Encrypted local, Express Web Connect, not stored local, but on two servers, Quicken Inc's and Intuits. Also note this: https://community.quicken.com/discussion/7882641/qcs-express-web-connect-is-cloud-sync
Network connection. Quicken uses the standard Windows SSL network connections. There isn't any reason to believe that on a properly patched Windows machine that connecting using the 32-bit API is any less secure than the 64-bit one.
Access to the data file itself. Clearly the best defense here is to keep your machine secure. The Quicken data file is just one file that if a hacker has access to your machine could copy off of it and work on hacking it on their machine. I don't stake too much in the password you can put on it given that Quicken Inc can remove it for people that forget their password (which BTW isn't true of the Password Vault, which tells me it is real encryption with no backdoors). Some people keep their data file in encrypted folder and such for this reason. But lets face it if a hacker is "looking over your shoulder" they will have plenty of opportunity to get at that file while you access it.
Attachments are encrypted, but note that the Quicken data file is basically the key. In other words if look at the QDF using 7-Zip you will see that the attachments are in a separate folder and are encrypted, but if you can open that data file in Quicken then you can get Quicken to show you any of them you like.

Ps56k2

Chris_QPW said:

I can't be absolutely sure and Quicken Inc is never going to tell you, but I'm about as sure as you can be without inspecting the code that they are using the same database that they were at least 20 years ago.
And the company that supplied it to them long ago dropped support for it.

Just out of curiosity - what DB library do you think they are using ?

My old legacy stuff was the classic dBase and Sybase

Chris_QPW

Ps56k2 said:
Just out of curiosity - what DB library do you think they are using ?
My old legacy stuff was the classic dBase and Sybase

I don't really know. I do know that years ago someone suspected that is was one that Oracle had created.

Chris_QPW

Steve54@ said:

See the article at https://www.softwaretestingnews.co.uk/the-risks-of-obsolete-software-platforms/ to understand the risks of obsolete software.

I was thinking about this and decided I should say something about one's "risk profile".

Running obsolete software doesn't directly cause a security problem.

For some consulting work I do I have to run Windows XP in a virtual machine, because that is the last operating system the software will run on. So what kind of security risk is this?

The virtual machine has no access to the Internet. Short of a physical machine that is connected to nothing other than power, this about as secure as you can make a machine. For a hacker to get at a machine they either have to have access to it physically or through a network.

The average person's security risks are based on the access to the Internet. You use a web browser, you use email, you use texts, ... Each of these "exposes" you a bit to the outside world/hackers.

But by far the thing that really raises the risk level is if you "announce" your presence to the world. As, you put up a website or any service that is outward accessible.

@Steve54@ You will notice that the article you posted is talking about businesses. These businesses raised their risk profile in immensely by doing two things. One just having services like a website or a business application that had a database (including an email server) that could be accessed from outside of the business network. And then on top of that, they had obsolete, and non current patched software in these programs that the outside world had access to.

Steve54@

Running Windows XP in a virtual machine is secured by whatever the version of the host OS runs the VM. What this has to do with running the latest version of Quicken (R36.38) natively on Windows 10 21H1 I don't understand. Someone made the statement that Quicken uses an obsolete database. My concern is about using OBE databases.

The problem with running obsolete software is twofold. 1) there are latent bugs in any code. 2) Newer software was developed to current standards for security. Current compilers use improved garbage collection, check for pointer errors and memory leaks, encryption keys are longer and more secure. Are older versions of TLS and SMB used if there is a web interface? I could go on.

Obsolete software means the code base is frozen in time with no updates. That means there are likely known bugs that have not been fixed. A honey pot for hackers. For example, in a more trusting past the databases did not include encryption and if they did the encryption was less secure.

Are my credentials' for my financial institutions saved in clear text in the Quicken database on Quicken cloud? On my PC? If it uses encryption, does it use an old standard for key length such as 128 bit or less? Anything less than 256 bit keys (current standard) are fairly easy to hack. Were all memory leaks and memory pointer errors fixed before this version or are there latent bugs? If not, are there later versions of the database where the bugs were fixed. If so, that means that those bugs are likely public knowledge.

It certainly would be great to have a Quicken employee weigh in.

Chris_QPW

Steve54@ said:

It certainly would be great to have a Quicken employee weigh in.

No employee has ever given any kind of direct answer on such questions. Their security policy seems to be "security is not telling the user how we do things".

But from that they have said, passwords are stored in the "Password Vault" which is encrypted (for Direct Connect, for Express Web Connect they are no longer stored there, but are on their servers, and on Intuit servers). What kind of encryption? They have never said. But is quite clear that the "Password Vault" is "separate" from the main database, at least in the way it is secured.

And for the rest, you say that the Windows XP virtual machine is secured by the host OS, well that is true of the Quicken data file too. Just as any file on your machine is.

The main distinction between the Quicken data file and say "Exchange" or "SQL Server", web server, ... is that Quicken's database can't be "reached" from the outside of your machine. Those other programs listen for commands from other machines and as such can be tricked into doing the "wrong thing". Quicken's database has no such interface.

Is it possible to hack a Quicken data file/database. There hasn't been any reports that it has happened, but I certainly wouldn't put it past a professional hacker to be able to do it. Just as I wouldn't put it past the same person hacking almost any file on my machine if they got access to it.

If I was judging the difficultly of hacking the Quicken data file in comparison to say my encrypted Password Manager files, I would think that the Quicken data file would be easier.

If one wants to be told that the Quicken data file is protected in the same way as a Password Manager files are they are going to be out of luck, because that is clearly not the case. If you lose your password for your data file, Quicken Inc can remove it. Clearly not the same level of protection that my Password Manager puts on its files. Now if you lose the password for the Quicken Password Vault they can't remove the password on that, you have to recreate it. So that "looks more secure", but they have never stated what encryption they use. And note it is entirely possible that over the years this part has been changed, and is kept up to current standards.

Personally I have looked at binary dump of the Quicken database and there isn't anything in there that is in clear text. I didn't go on tor try to figure out anything more about it, but one only has to use some simple logic to understand that there is no way it is "secure" if a hacker gets access to it on your machine.

Lets start with a Quicken data file without a password on the data file. Clearly if they have the data file and Quicken they can read anything in it with the exception of the Password Vault. Lets try it with a password. First off the very fact that Quicken Inc can remove that password suggests at a minimum they have a backdoor, but more likely it isn't true encryption, just Quicken refusing to read the data file until you give the password. But lets imagine it is true encryption. If a hacker is on your machine, they can easily setup a key logger and log what password you give to open that data file.

In security there is a basic rule, you have to have physical security first. If a person has physical access to your machine, all bets are off. Well these days "physical" can also refer to a person that has access to your machine through a network or a program running on your machine. Once they get that access, all bets are off. As you can see from the above example with that access they don't even need to hack the Quicken database since they can get the password to open it. And yes with the Password Manager, if you use a master password to open it, they can do the same with it.

I'm going to end my part of this by saying that if you are comfortable with the fact that Quicken is a mix of new and very old code, then your only real choice is not to use it.