Question: Is CrystalDiskInfo still safe?

Use tools/hash/built-in signatures to authenticate/verify.

Use VirusTotal. Upload the file, and almost certainly, you'll get the same link as above. If you do this for all your executables, it may put your mind somewhat at ease.

Also, if you press Alt+Enter on the file in File Explorer and click on the "Digital Signature" tab, it will show you the signer, which is "CrystalMark Inc." This is usually the signature that indicates the authentic author released the executable.
 
Well, I'd be cautious. Not only has the filename changed - this is what was seen in the recent change-log:

"
  • Added “CrystalMark Inc.” as copyright holder
  • Changed code signature to “CrystalMark Inc.”
"
[https://crystalmark.info/en/software/crystaldiskinfo/crystaldiskinfo-history/]


So - change in copyright holder, change in code signature + inclusion of ads? Not proof of anything malicious - but definitely signs of change that long-term users of the app may not be super comfortable with.
 
This site is like others in that they direct you to ad based downloads, to support their revenue.

If you aren't paying close attention, you end up with what you ended up with.

However, look for another link. They always provide another way to get the non ad based one on there. Something like "other downloads".
 
The "CrystalMark Inc." signage does seem a bit odd, although the developer did explicitly mention it. I don't think the certificate companies give these willy-nilly.
  • Did the developer really establish a company? This incurs expenses and may be unusual.
  • Has someone unknown bought the products? The developer didn't mention it.
  • Did he get a company to spot him a certificate? There are "CrystalMark Inc" in both Japan (the developer?) and the US, but this seems risky for companies.
Concerning ads, I still don't see them on either CrystalDiskInfo or CrystalMark Retro.
 
Took some time to dig into the app itself a bit deeper. The current files for download are located here:
https://sourceforge.net/projects/crystaldiskinfo/files/9.7.0/

I'm focusing specifically on the following:

Code:
CrystalDiskInfo9_7_0Ads.exe [SHA256: 92a1568bfe664c7a824e455501648d57419b9b1ad4927a44f29e7bdf1d3e777f]
CrystalDiskInfo9_7_0.zip [SHA256: e50f4fe5409487b83a2360e61cd33c0f949767b0e3e645f24782f60a78e6cf88]

Inside the .ZIP file are three main executables:

Code:
DiskInfo32.exe [SHA256: c13b2eb837d788159f4dd5e4648a05902c2d42fd2eb1242d8c2a30e36f560709]
DiskInfo64.exe [SHA256: 8029af001fbbd99ca3a179d547713dc3fa7283343688a2f481fe1568301622b0]
DiskInfoA64.exe [SHA256: a8f924ccfda6cb2c5d6f7a974d553660197e746cf6cdf360071e604b16cecfdd]

These binaries have the exact same hashes as the ones in the EXE installer.

Checking the EXE installer, it appears to be a standard Inno Setup installer containing all the program files found in the .ZIP archive, as well as an additional adware component.

This additional adware component is a file named 'ESTARTsetup.exe' [SHA256: 1b39d4493428a4279ae2b8f8bf38f1d407fec07e5d10d4b105b97c802c027251] which is also an Inno Setup installer, but this one is signed by 'GMO INSIGHT Inc.'.

(for those who wish to do further analysis on it, I have uploaded it here: https://gofile.io/d/lkxC2N)

This setup program is designed to drop two files into the following folder: '%programfiles%\GMO INSIGHT'

The files it drops are:
Code:
ESTARTsetup_no_uac.exe [SHA256: 91688346dee90eb3c385bfd1747c8063124b7495edfccd928971785157a248db]
eucsetupv4.exe [SHA256: 1ad7fa724f48e9d1af41d750ba1026608641ab0651e59696c9ae57f79d88696c]

The first is yet another Inno Setup installer & the second is an NSIS installer.

The first file internally contains a .URL file linking to the following: 'https://support.estart.jp/licenses/estart_app_license.txt'
Also - the install script internally references this URL: https://service.estart.jp/app/ (seemingly what will be displayed in the Windows Add/Remove Programs window's URL field for the entry made for this app).

The first file writes most of its contents to the following folder: '%localappdata%\GMO INSIGHT\' and the following registry key 'HKEY_CURRENT_USER\Software\GMO INSIGHT'.

It also contains a 'license.txt' file which (in part) has the following text:

Code:
8. Handling of Personal Information

For information on how we handle personal information about users in our services, please see our privacy policy (https://www.gmo-insight.jp/privacy). Users are deemed to have accepted the contents of the privacy policy.

The first file also drops this file:
E_START_App.exe [SHA256: 7e6c1d729914edf957448f09049ea790904f0360d98c57d4b4987e839018d1b5]
This file is signed by 'GMO INSIGHT Inc.'

This file may be a dropper for other files as well, but I was not able to quickly unpack it to see what else it may contain. The install script that drops that file also sets a system 'RunOnce' entry for a file named 'kaipoke_for_Windows_Installer_nouac.exe' - but I was unfortunately not quickly able to locate where that file was coming from.

That concludes my investigation of the first file. The second file was a bit more of a challenge because I was unable to quickly extract the installation script, but I did get all other files it deploys - which I will now list, along with the hashes:

Code:
EUCHelper.dll SHA256:6b07bfd8b54c64a74003c346b446eed2d6ccf48a3580d682644874f478bb8757
JusAdmin.exe SHA256:0c95b73047e74c2fe41547f91f73065e05dc0f51057d582c980e6f9f3eeeaca6
JWordUpdateCenter.exe SHA256:3262e72474a14f0a42760545cc3ef56b5ee46d6bce5f36232aefe682ac95d366
JWordUpdateCore.dll SHA256:5b5b703ebae366670084e27c27de0020f19fe4e9efeeac03accf9e976e883729
JWordUpdateNotifier.exe SHA256:01b9a66bff8ae6dc329a13d6384f1ffdd23aad08e66b644b59389a7d18fc2897
JWordUpdateService.exe SHA256:83c66684e574e687df8731272488cff3ba7834761915d47fc30432b453d69ffa
KaipokeHelpder.dll SHA256:ac961c1163a48d14cb1ea78beb233e795cd12f140c77003641cf0932e3b7f67e
KaiPokeWin.dll SHA256:9c10c1795cd0274ce8a2bdc6a9f9b8b107fba7635ae5ffbadd46916da4fbfc8b
libcurl.dll SHA256:e9c5c7f761abab3c63e7afecff62d668218b516f055019121bf1a02a7550de37
Microsoft.IdentityModel.Tokens.dll SHA256:f6bcd35b89cd3181eedeb900fc37da80ca8b24556f57f6f6c7c19c2ea3c9ab2a
Microsoft.Web.WebView2.Core.dll SHA256:1adc8ceb265b025b5ff45b631a34aa6330ca6bd64d393b99b92658041f980d5d
Microsoft.Web.WebView2.WinForms.dll SHA256:ebb77c94f90ab25eea07497c1ffa476c46348cea3f57fbae14c5bf9d1bb23377
msvcp140.dll SHA256:b2ca647916ee203b6831ed4924e4317b04fdded8ac6a2c41c29e73bc94b1ac29
newspushapp.dll SHA256:27842332127d89b1085a5e0fc29c52c6693cc30c6982b2e092da76f5eb1723a3
SearchAssistBarWindows.dll SHA256:59b341b95d84ce6b74d85e4c06239ff3d645441c12ab0e8feb681300ed250fa4
UIAutoma.dll SHA256:bdabaf0470344e964f8bc18928ee088027dec279bc90488f758b558a6f85aefa
uninstaller.bin SHA256:9ff861961509398214c471d2947cdff0c85f3a3e0733e16d873c6af284ee4f2c
uninstaller.exe SHA256:58fe938065fb33dcb5d593d49b928b77290877a778f994a69478cae2eca690fd
unknown SHA256:01bc9bb2b2618054c597fbc2d228d056a81a3690702c15a1b79b9a5cef5c3899
vcruntime140.dll SHA256:70878fd7d63280650356bc46577b989b1e48553cc19be77ec5dabece39f0f16d
WebView2Loader.dll SHA256:53dd9126a3c5d58776a274856af402edb7580b601f312ed5fa237befff065221

As I lack the installation script, I'm not 100% certain where on the disk these will try to deploy.

I did try running the EXE installer in a VM and interestingly enough - the install wizard never mentioned the adware components nor did they get deployed to the disk. I don't know if this was because the VM was detected, or if it was because I was using an English language OS. I suspect that for now - maybe the adware only deploys if the system language is set to Japanese. I have NOT confirmed this though. I've also not tried to intentionally install the adware in a VM to get a more complete picture of exactly what it does / where it deploys.

For now - I'd say the safest option is just to download the .ZIP archive and overwrite the files you already have installed on your system with the ones from the archive. This should (hopefully) get you the updated version of the app without the adware components. At the moment, it appears the adware is a completely separate package merely being bundled with the main app in the installer, not directly integrated into the main app itself.

Thus also - if you don't have the app installed yet and prefer the convenience of an installer, you could always just run the installer for the last ad-free version available (9.6.3) [https://sourceforge.net/projects/crystaldiskinfo/files/9.6.3/CrystalDiskInfo9_6_3.exe/download] and then download the ZIP file of the latest version (9.7.0) [https://sourceforge.net/projects/crystaldiskinfo/files/9.7.0/CrystalDiskInfo9_7_0.zip/download] and then extract its contents into the install location, overwriting what was already there.

That's all I've got for now - hopefully the author of the program will provide a bit more clarity in a future posting on their website, or in later updates to the changelog.
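The hash check suggested in the first reply, and the ZIP-versus-installer comparison in the analysis above, can be scripted. This is an added example, not part of any poster's message: the function names are hypothetical, `POSTED_MANIFEST` copies the three SHA-256 values posted in the thread, and the sample archive is constructed in memory rather than being the real download.

```python
import hashlib
import io
import zipfile

# SHA-256 values posted in the thread for the executables inside CrystalDiskInfo9_7_0.zip.
POSTED_MANIFEST = {
    "DiskInfo32.exe": "c13b2eb837d788159f4dd5e4648a05902c2d42fd2eb1242d8c2a30e36f560709",
    "DiskInfo64.exe": "8029af001fbbd99ca3a179d547713dc3fa7283343688a2f481fe1568301622b0",
    "DiskInfoA64.exe": "a8f924ccfda6cb2c5d6f7a974d553660197e746cf6cdf360071e604b16cecfdd",
}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")


def sha256_stream(fh, chunk_size=1 << 20):
    # Hash in chunks so a large binary is never held in memory at once.
    digest = hashlib.sha256()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def audit_zip(archive, manifest):
    """Check ZIP members against a pinned {file name: sha256} manifest (matched by base name)."""
    report = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    pinned = {name.lower(): digest.lower() for name, digest in manifest.items()}
    seen = set()
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            if base in pinned:
                seen.add(base)
                with zf.open(info) as fh:
                    status = "ok" if sha256_stream(fh) == pinned[base] else "mismatch"
                report[status].append(info.filename)
            elif base.endswith(EXECUTABLE_SUFFIXES):
                report["unlisted"].append(info.filename)  # executable the manifest never vouched for
    report["missing"] = sorted(n for n in manifest if n.lower() not in seen)
    return report


def constructed_sample():
    """Constructed in-memory ZIP and manifest (not the real download) to exercise audit_zip."""
    good = b"constructed good bytes"
    manifest = {name: hashlib.sha256(good).hexdigest() for name in POSTED_MANIFEST}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DiskInfo32.exe", good)                         # matches its pin
        zf.writestr("DiskInfo64.exe", b"constructed altered bytes")  # altered content
        zf.writestr("bundle/ESTARTsetup.exe", b"constructed extra")  # bundled extra
    return io.BytesIO(buf.getvalue()), manifest
```

Against the real archive, call `audit_zip("CrystalDiskInfo9_7_0.zip", POSTED_MANIFEST)`; any entry under `mismatch` or `unlisted` is worth a closer look before overwriting an existing install.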
 