During development I often use Fiddler, a great tool to monitor HTTP connections on your machine. Every few seconds or so there was an HTTP request with a User-Agent of 'DavClnt' trying to connect to 'HS1', a machine that used to be a Windows Home Server but which no longer exists.

Surely it doesn't really hurt anybody to have a random HTTP call, but I wanted to get rid of it.

Fiddler was showing me the process that initiated the request: it was wmplayer.exe, or "Windows Media Player".

I first searched the registry for occurrences of 'HS1'. Even though I had uninstalled the Home Server Connector from the machine, I found a few places with references to the home server. Deleting them, however, did not help.

Using a different user account, the HTTP requests did not happen, so it must have had something to do with my main user account. I deleted all the Windows Media Player settings under AppData, but that also did not help.

Then I used Process Monitor, set the filter to Process Name = wmplayer.exe, and indeed the process tried to access certain shares on HS1, but I could not find any clues as to where the settings for these operations were stored.

I then searched for files in my user directory that contain the string HS1 and found:

C:\Users\username\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

One of my libraries still had a location on a share on the home server. I removed that location and finally the HTTP requests stopped.


 
Categories: IT Pro

The special folders in Windows 7, such as My Music, My Documents, My Pictures or My Videos, by default point to folders under the user's home directory, such as C:\Users\username\Documents or C:\Users\username\Music.

I have all my music, videos and photos on separate drives and like to point the special folders to these locations.

In the GUI this is pretty straightforward: right-click on the special folder in question, open the 'Location' tab, change the path to the new desired one and OK the dialog.


However, there are quite a few of these special folders I like to change, plus I have to change them for several users on several computers, and this every time I reinstall an OS.

The location of the special folders is defined in the registry under the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\

There we have two subkeys of interest, "User Shell Folders" and "Shell Folders", and we need to change the information in both places. The REG_EXPAND_SZ values in "User Shell Folders" are what the shell actually reads; "Shell Folders" is a plain REG_SZ copy kept for older programs, which is why the batch file writes both with different value types. Here is an example of a batch file to change the locations for Favorites and Videos:

reg.exe ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Favorites /t REG_EXPAND_SZ /d "F:\Users\Joe\Favorites"
reg.exe ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /f /v Favorites /t REG_SZ /d "F:\Users\Joe\Favorites"

reg.exe ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v "My Video" /t REG_EXPAND_SZ /d "M:\Media\Videos"
reg.exe ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /f /v "My Video" /t REG_SZ /d "M:\Media\Videos"

Run this batch file under the user account for which you want to make the changes, then log off that user and back on again, and the changes should be in effect. Note that this only changes where the special folder points; it does not move files that are already in the old location (the 'Location' tab in the GUI offers to do that for you).
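The same change as an added PowerShell example (mine, not from the original post): it loops over a table of folders, writes both subkeys with the correct value types, and then reads them back to verify that they agree. The value names ("Personal" for My Documents, "My Video" for Videos and so on) are the ones Windows uses; the drive letters and paths are placeholders you replace with your own. Run it as the user whose profile you are changing, then log off and on again.

```powershell
# Added example, not the original batch file. Paths below are placeholders.
# Run in the profile of the user whose folders you want to move.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'

# Registry value name => new location. These are the value names Windows 7 uses.
$moves = @{
    'Favorites'   = 'F:\Users\Joe\Favorites'
    'Personal'    = 'M:\Documents'        # "Personal" is the value name for My Documents
    'My Music'    = 'M:\Media\Music'
    'My Pictures' = 'M:\Media\Pictures'
    'My Video'    = 'M:\Media\Videos'
}

foreach ($name in $moves.Keys) {
    $target = $moves[$name]
    # The shell does not create the folder for you; an unreachable target breaks Explorer
    if (-not (Test-Path -LiteralPath $target)) {
        New-Item -ItemType Directory -Path $target | Out-Null
    }
    # "User Shell Folders" is REG_EXPAND_SZ (may contain %USERPROFILE% etc.),
    # "Shell Folders" is the plain REG_SZ copy kept for old programs
    Set-ItemProperty -Path "$explorer\User Shell Folders" -Name $name -Value $target -Type ExpandString
    Set-ItemProperty -Path "$explorer\Shell Folders"      -Name $name -Value $target -Type String
}

# Verify: both keys should now agree for every folder we touched.
# Get-ItemProperty returns REG_EXPAND_SZ values already expanded, so a plain compare works.
foreach ($name in $moves.Keys) {
    $u = (Get-ItemProperty -Path "$explorer\User Shell Folders").$name
    $s = (Get-ItemProperty -Path "$explorer\Shell Folders").$name
    '{0,-12} {1,-5} {2}' -f $name, ($u -eq $s), $s
}
```

Libraries in Windows 7 keep their own list of locations (the *.library-ms files under AppData\Roaming\Microsoft\Windows\Libraries), so after moving a special folder check that the matching library does not still point at the old path; a stale entry there is exactly what caused the phantom HTTP requests in the post above.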
 
Categories: IT Pro | Tools

At a client of mine we recently found out that some of the scheduled tasks on some Windows 2008 servers had failed without us noticing, because they don't report failures to the event log, which is monitored.

The event log entries that the Task Scheduler writes are useless because, even though they contain the exit code of the task, they are of the informational type regardless of the exit code.

So I wrote a small tool that monitors the "Last Run Result" of the tasks on a local machine and sends an email if the result was unexpected.

To learn more and download this tool, go to the Motash page.


 
Categories: IT Pro | Tools

Setup:

Windows 7 Ultimate 64 Bit
Microsoft Natural Ergonomic Keyboard 4000 V1.0
Microsoft IntelliType Pro 7.0 installed

The last one is needed to be able to use the extra keys at the top of the keyboard.

The other day I installed an optional update via Windows Update:

"Microsoft - Other hardware - Microsoft Hardware USB Mouse"

along with some other updates and it installed fine.

However, I noticed that the keys at the top of the keyboard no longer had my user-defined settings.

I opened the keyboard properties via the control panel and the "Key Settings" tab was gone.
I also noticed that the IType.exe process was not running.

Furthermore there was no trace of IntelliType being installed on the machine.

OK, I downloaded the latest version of IntelliType (8.0.225.0), but when installing it I got a generic message with error code 1603 and the setup failed.

I spent some time researching this online and locally but did not find anything.

C:\Windows\inf\setupapi.dev.log has lots of entries about it but no pointer to what went wrong.

Uninstalling the old version was not an option, as it did not show up anywhere.

After searching the registry I found two keys:
HKEY_CURRENT_USER\Software\Microsoft\IntelliType Pro
HKEY_CURRENT_USER\Software\Microsoft\Intellipoint Intellitype Pro Auto Update

I renamed these keys and to my surprise the setup now worked. Even my original key settings are back.

Strange...


 
Categories: IT Pro

Recently I saw some people complaining about the Gmail user interface: Jeff @ Coding Horror; there was also a reference to this in one of the Mix 10 talks, but I can't remember which one because I watched too many of them.

So all the super smart guys now work for Google, but even they don't always get it right.

There are many factors that make up good software, and one of them is to follow the standards of the operating system it runs on.

Here are two examples of why I don't like some Google software.

There is a process named "GoogleToolbarNotifier.exe" on the computer I am sitting at. I guess this has something to do with the Google Toolbar in web browsers. I do not run a browser, though. So let's open Task Manager to kill the process: "Access Denied". What? Why can't I kill it? It runs under my own user account and I should have all the rights to stop it.

The only way to kill it is to use a really low-level StopProcess API that is usually not available to the end user.

The other example is the Chrome browser. So far I had only used the portable version of it, which is not installed on the computer. Yesterday I installed the normal version and in the setup wizard chose not to create entries in the Start menu or on the desktop. After the wizard finished I tried to start the browser and had a hard time finding it. Nothing in "Program Files"; it turned out it was installed under my user profile directory, which according to Microsoft is for application data and settings, not for executables.

Also, because I usually install software as an administrator, my normal user account, which is not an admin, did not have access to the software. I had to run setup again under my normal user account, download the whole package again from Google, and then ended up with a second copy of the application on my hard drive.

There is actually a standalone installation package for Chrome, but it is not mentioned on the Chrome pages and you have to google with Bing for it.

The fact that the setup wizard doesn't allow me to choose a destination for the software I install pisses me off. What if I have my user profile on a remote network drive? It is now filled up with Google junk.

Don't get me wrong, Chrome seems to be a nice browser, but until Google gets its act together I will not install it on my computers. At least I can use the portable version.


 
Categories: IT Pro

Some third-party Windows services think they are very important.
They do not give you the option to stop them in the Services MMC console.
You can try to kill the process using Process Explorer, but you get an "Access Denied" message, or the service comes back right away after you killed it. That is because its recovery options are set to "Restart Service". When you try to change this or even disable the service, you get another "Access Denied".

One way around this is to open Autoruns.exe, go to the Services tab and double-click the entry in question. This opens the registry editor with the service's key (under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services) selected. Delete the "FailureActions" value; this resets the recovery options to the default, which is 'take no action'. Now you can kill the service and it won't come back.

If you want to disable it, set the Start value from 2 (Automatic) to 4 (Disabled); 3 is Manual.

However, there are services that think they are super important; one of these is "Service for G-Buster Browser Defense". Access to its configuration in Windows tools is denied. When you change the Start value in the registry to 'Disabled', within seconds it is changed back to 'Automatic'.
This is done by the winlogon.exe process, one of the core Windows processes. A DLL of the G-Buster software, 'gbiehAbn.dll', is loaded into the winlogon.exe process. (I think this happens because of the entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginAbn\DllName.) The software also comes with a kernel-mode driver that starts even earlier in the startup process. However, it does not come with an uninstaller.
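To see what you are up against before editing anything, here is an added PowerShell script (mine, not part of the original post) that reads a service's Start value, decodes its FailureActions blob into the recovery actions the service control manager will take, and lists any Winlogon Notify packages, which is where a DLL like the one above gets registered. The default service name is a placeholder; the -Disable switch performs the two edits described above (delete FailureActions, set Start to 4) and needs an elevated prompt.

```powershell
# Added example, not part of the original post. Run elevated; the default
# service name is a placeholder, pass the real one with -ServiceName.
param(
    [string]$ServiceName = 'SomeThirdPartyService',
    [switch]$Disable
)

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$svc = Get-ItemProperty -Path $key -ErrorAction Stop

# Start: 0 = boot, 1 = system (both kernel drivers), 2 = automatic, 3 = manual, 4 = disabled
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
'Start       : {0} ({1})' -f $svc.Start, $startNames[[int]$svc.Start]
'ImagePath   : {0}' -f $svc.ImagePath

# FailureActions is a REG_BINARY dump of the SERVICE_FAILURE_ACTIONS structure:
#   offset  0  dwResetPeriod (seconds)   4  lpRebootMsg   8  lpCommand
#          12  cActions                 16  lpsaActions (offset of the array, normally 20)
#          20  SC_ACTION[cActions], 8 bytes each: DWORD Type, DWORD Delay (milliseconds)
# Type: 0 = take no action, 1 = restart the service, 2 = reboot, 3 = run a command
if ($svc.FailureActions) {
    $b   = [byte[]]$svc.FailureActions
    $n   = [int][BitConverter]::ToUInt32($b, 12)
    $off = [int][BitConverter]::ToUInt32($b, 16)
    $typeNames = @{ 0 = 'take no action'; 1 = 'restart the service'; 2 = 'reboot the computer'; 3 = 'run a command' }
    'ResetPeriod : {0} s' -f [BitConverter]::ToUInt32($b, 0)
    for ($i = 0; $i -lt $n -and $off -gt 0; $i++) {
        $type  = [int][BitConverter]::ToUInt32($b, $off + 8 * $i)
        $delay = [BitConverter]::ToUInt32($b, $off + 8 * $i + 4)
        'Failure {0}   : {1} after {2} ms' -f ($i + 1), $typeNames[$type], $delay
    }
} else {
    'FailureActions: not set (default: take no action)'
}

# Notify packages are loaded into winlogon.exe at logon (XP-era mechanism, not supported since Vista)
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        'Winlogon Notify: {0} -> {1}' -f $_.PSChildName, (Get-ItemProperty $_.PSPath).DllName
    }
}

if ($Disable) {
    # The same two edits as described in the text: no recovery action, and do not start at boot
    Remove-ItemProperty -Path $key -Name FailureActions -ErrorAction SilentlyContinue
    Set-ItemProperty    -Path $key -Name Start -Value 4 -Type DWord
    "Set $ServiceName to Disabled and cleared FailureActions; kill the process or reboot to finish."
}
```

If the key's ACL denies even Administrators, as with the bank software above, run the script from a psexec -s SYSTEM prompt or take ownership of the key first. Deleting FailureActions only stops the service control manager's own restart; another component (here a DLL living inside winlogon.exe) can still put the values back, which is exactly the symptom described above.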

The software comes from a Brazilian bank and does not seem to do any harm.

Deleting the FailureActions registry value and killing the process with RootkitUnhooker.exe works, but so far I have not figured out how to get rid of it permanently.


 
Categories: IT Pro

The first thing I do when getting to a new public XP machine is to run a few batch files to stop a whole bunch of processes that are not needed while I do my work.

This only works if I am an administrator, but sadly on most public machines this is still the case.

Also most machines run DeepFreeze, so any changes I make are undone at the next reboot.

The batch files I am using are:
  • FixRegistry.cmd: fixes some things in the registry, which makes it easier to execute the other batch files.
  • saj.cmd (stop-all-junk): stops unneeded services and kills many common unwanted applications.
  • sas.cmd (stop-all-services): stops additional services that are not really needed.
  • sarj.cmd (stop-all-root-junk): stops some processes that I cannot stop as a normal admin; I need to run it with this special command:
    psexec.exe -s C:\bin\sarj.cmd
This runs the batch as the "System" user; make sure you use the full path to the batch file.

You can download the batch files from my download page.

If you don't already have the Sysinternals PsTools package, you can download it here.
 
Categories: IT Pro | Work on the road

I use a whole bunch of the Sysinternals tools on my USB stick when checking computers for viruses and fixing other problems. On every new computer, each of the tools first pops up the Microsoft License Agreement box, which you have to agree to. It is just one click, but it gets annoying over time.

So I use a small batch file "FixReg.cmd" which, among other things, has the following lines:

reg.exe ADD HKCU\Software\Sysinternals\PsKill /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD HKCU\Software\Sysinternals\PsList /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD HKCU\Software\Sysinternals\PsInfo /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD HKCU\Software\Sysinternals\PSexec /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Process Explorer" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Process Monitor"  /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Autoruns"         /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\TCPView"          /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\RootkitRevealer"  /v EulaAccepted /t REG_DWORD /d 1 /f 

I run this on every new computer before I do anything else. After all I have already read and agreed to the license terms more than once. As you can see from the HKCU registry hive, each user has to agree separately.

When using the psexec.exe tool with the -s switch to run a command prompt under the almighty System account, you first have to agree to the License Agreement, which is fine. But then, when you want to work with additional Sysinternals tools within the System console, you have a problem. When starting pskill.exe, for example, the program tries to pop up the License Agreement dialog box. This does not work because the System account session does not have a desktop at this point, and the program hangs because nobody can ever agree to the License Agreement.

To fix this, add a few more lines to the FixReg.cmd batch:

reg.exe ADD HKU\.DEFAULT\Software\Sysinternals\PSexec /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD HKU\.DEFAULT\Software\Sysinternals\PsKill /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD HKU\.DEFAULT\Software\Sysinternals\PsList /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD HKU\.DEFAULT\Software\Sysinternals\PsInfo /v EulaAccepted /t REG_DWORD /d 1 /f

The System account looks in the HKEY_USERS\.DEFAULT section of the registry for any per-user settings it should use. (Most Sysinternals tools also accept an -accepteula switch on the command line, e.g. pskill -accepteula badprogram.exe, which suppresses the dialog for that one invocation.)

Now you can kill processes that you couldn't kill as normal administrator:

psexec.exe -s cmd.exe 
pskill.exe badprogram.exe 
exit

To agree to all current Sysinternals tools, use the following batch file (copy it into a text file, name it 'eula.cmd' and double-click it):
reg.exe ADD "HKCU\Software\Sysinternals\AccessChk" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\AccessEnum" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\AdExplorer" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\AdInsight" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\AdRestore" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Autologon" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Autoruns" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\BgInfo" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\BlueScreen" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\CacheSet" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ClockRes" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Contig" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Coreinfo" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Ctrl2cap" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\DebugView" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Desktops" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Disk Usage" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Disk2vhd" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\DiskExt" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Diskmon" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\DiskView" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\EFSDump" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Handle" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Hex2dec" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Junction" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\LDMDump" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ListDLLs" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\LiveKd" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\LoadOrder" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\LogonSessions" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\MoveFile" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\NTFSInfo" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PageDefrag" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PendMoves" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PipeList" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PortMon" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ProcDump" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Process Explorer" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Process Monitor" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ProcFeatures" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsExec" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsFile" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsGetSid" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsInfo" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsKill" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsList" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsLoggedOn" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsLogList" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsPasswd" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsService" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsShutdown" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsSuspend" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsTools" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\RAMMap" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\RegDelNull" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\RegJump" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\RootkitRevealer" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\SDelete" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ShareEnum" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ShellRunas" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Sigcheck" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Streams" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Strings" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Sync" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\TCPView" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\VMMap" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\VolumeId" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Whois" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\WinObj" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ZoomIt" /v EulaAccepted /t REG_DWORD /d 1 /f

 
Categories: IT Pro | Tools

I have listened to most of the podcasts on the TWiT network since 2006 and really like them; they are not super technical like most others I listen to, but they are very entertaining. However, the hosts keep repeating the same incorrect statements about Microsoft Windows over and over again, which is a bit annoying. The statements below are not quotes; I paraphrased them from memory.

1. Microsoft Beta Software has active debug code and runs slower than the RTM version.
The versions Microsoft releases as public betas are retail code, meaning there is no debug code active and it works just like the final version; otherwise it would be a bad test version. Windows debug versions are called "checked builds" and are usually for driver developers; these may run slower than the retail version. You can still download and install the Windows debug symbol files for any normal Windows version to troubleshoot certain problems.

2. Windows is an old OS which carries a lot of baggage with it. OS X is shiny and modern.
OS X is based on BSD Unix, first released in 1977, and NeXTSTEP, first released in 1989. Windows NT has ideas from DEC's VMS but was designed and built in the early 90s and released in 1993. Of course OS X was only released in 2000 and incorporates some modern technologies (as do the current versions of Windows NT).

3. Windows is a single CPU platform OS limited to Intel’s 386 platform
Windows NT was specifically designed and built as a portable OS. So far it has run on Intel 386, MIPS, DEC Alpha, IBM PowerPC and Intel Itanium. OS X, on the other hand, has run on PowerPC and 386 only. Using NT's architecture it is relatively easy to port it to other platforms. However, Microsoft stopped support for less popular CPUs over time.

4. Security and networking in Windows was an afterthought.
The first NT-based Windows (3.1) was designed as a multi-user, multiprocessor and multiplatform network operating system and had all the standard security and networking features from the start: access control lists, user account management, a secure file system, a TCP/IP stack etc.

5. Microsoft merged the Windows 9x and Windows 2000 code bases to form a common new Windows version with the best of the two previous families.
AFAIK, no code from Windows 9x made it into XP; it was just a tuned Windows 2000 with some extra features. Some of these were first introduced in Windows ME, but that doesn't mean they used the code. Microsoft also increased compatibility with older Win16 applications and games in XP.

6. "New is bad", it's untested and insecure
This claim by Steve Gibson, especially against Windows Vista, is laughable; Vista is so much more secure than XP on any level. Leo would say Windows 2000 was more secure when comparing it to XP. Are you kidding me? XP had tons of problems, but only a few of them were specific to it; most of the problems were also in 2000. And 2000 had many problems that were fixed when XP came out. So does Mr. Gibson want us to wait until version 3 of his new CryptoLink product before buying it? Surely versions 1 and 2 are new and therefore bad and insecure!

7. It is crazy to put the graphics subsystem and its drivers into the kernel.
That was also the opinion of the NT architects in the early 90s, so they put the graphics subsystem into user mode in NT 3.x. It turned out that the hardware at the time was not fast enough for a complex OS like NT. So for NT 4.0 they moved the graphics into the kernel, a move not uncontroversial at the time. But it improved graphics performance, even though it meant a less stable kernel, problems with drivers and even Blue Screens of Death. In Windows 2000 and XP the architecture was largely unchanged, but for Vista they made some big changes. With current hardware fast enough, they moved the graphics subsystem back out of the kernel into user mode. This is one reason why a new driver model was needed. Of course, "new is bad" (see 6), so Mr. Gibson is still using a ten-year-old OS with the graphics in the kernel.

8. The registry is the root of all evil in Windows
In over 17 years of working with the registry I have never had a corrupt one or any other major problems with it, and I hack around inside it quite a bit. Compare it with working with the old ini files or any flat-file configuration system. Putting all of the LocalMachine hive into files would be a big mess. How would you protect a single value from being changed while other values remain writable? The registry has ACLs on each key. How do you remotely access the configuration of a computer without granting file access? For application-level settings, Microsoft has promoted the .NET framework since 2001, whose applications do not use the registry at all but store their configuration in XML files. Even non-.NET applications use or could use this approach.

9. Never use Windows in ATMs or other devices
So there have been bluescreens on huge public screens during the Olympics, and malware has been found in ATMs in Eastern Europe. But to blame that on Windows makes it too easy. BSODs usually indicate a hardware problem. If you use cheap or incompatible hardware or bad drivers, it is the owner's fault. If the hardware fails, no OS keeps running. How did the viruses get onto those machines? It is likely they were put on the machine during setup, another human security problem. Of course it is easier to use existing Windows malware than to write custom malware for a specific embedded OS, but it is not impossible. I have seen Windows boxes in system-critical situations with an uptime of years and no problems. I don't want to say to use Windows in all possible situations, but sometimes the use of other OSes is cost prohibitive.

10. Open Source is more secure
So how many people are actually looking at all the open source code? And what are the chances that many of them are doing it to find exploits they can use rather than fix? There are tons of Linux flaws found all the time by the small Unix community alone. What if all the professional crackers spent more time on Linux code because they could actually make money from their exploits like in the Windows world? What if Microsoft made the Windows source code public? For years this would give crackers the opportunity to find exploits more easily. Security experts reviewed every single line of active code within Microsoft and found tons of problems, but still not everything, and exploits still come up. So I doubt that just because something is open source it is more secure. It all depends. Many open source projects are done in a distributed fashion with developers only knowing each other by email. Some code checked in by person A and reviewed by person B can cause a major security problem for code written by person C. At Microsoft and other traditional software houses the team usually works closer together, and such problems can be avoided by communication.

Interestingly enough, none of these myths are promoted by Paul Thurrott, the host of Windows Weekly, the TWiT show covering all things Microsoft. However, he also does little to debunk them.

Please note that I am not saying anything like "Windows is better than OS X or Linux"; I just want to point out some facts.


 
Categories: Community | IT Pro

June 19, 2009
@ 10:02 PM

In the old days rebuilding a Windows machine involved a day or so of post-installation work to set up applications and customize the environment.

Because I travel a lot without a computer, I love using 'portable' software that runs from a USB stick. The same software also comes in handy on my home machines.

After a new Windows setup I install only my main work applications: Office, Visual Studio, SQL Server. Then I map two partitions, usually from an external drive (so I can move it around). One partition has all my data and the other one has many applications that don't require any installation.

There are dozens of these applications that don't require a setup procedure; copying them into a folder on a hard drive is enough. These apps fall into two categories: portable apps, which are specifically written to not use the registry or Documents and Settings and only write to their own 'application folder' (many of these can be found at http://portableapps.com), and software that wasn't created as portable but still runs without installation. All kinds of little tools do this, and also many small to medium-size .NET applications.

Some issues:

Some apps still write to the registry, the user's home directory or isolated storage. So if you are concerned about any private data there, make sure to delete it manually after you are done.

File associations do not work because they were not created during setup (as there was none). If you really need them, you can create them yourself.

Other considerations:

.NET was created with 'standalone' apps in mind. They are not supposed to use the registry and can be deployed using xcopy (just copy the files). However, if you are using the built-in way to save user settings, they go into the user's home directory. Visual Studio promotes packaging applications into MSI files that can be installed by the end user. These leave entries in the 'installed applications' section of the registry to allow uninstallation. I would much rather put them into a zip file; the user can see what he/she gets and can just delete the folder if the program is no longer needed. Ideally the program has a feature to delete any saved user settings, as these are hard to find.

If you are only sporadically using some big application like Visual Studio, consider installing it once into a Virtual Machine and then moving/copying it between machines or installations of Windows.

Some standalone Apps I am using:

  • Portable Firefox (portableapps.com)
  • Portable OpenOffice
  • Portable SevenZip
  • Paint.net
  • LiveWriter
  • SharpDevelop
  • Portable Chrome
  • XAMPP (Apache, MySQL, PHP)
  • Python
  • All sysinternals tools
  • VLCPortable
  • Foxit

 
Categories: IT Pro | Work on the road

June 19, 2009
@ 06:49 PM

Version: 19-June-2009

As I am going into my fourth year of traveling around the world, I've seen many different setups for shared Windows machines.

I'm using Internet cafes and PCs in hostels for all my computer usage, and the number of viruses and messed-up machines I encounter is just amazing.

In Asia in 2005-2007 there were still some Windows 98 machines around, but now in Latin America I only see XP and Vista machines, so I won't talk about Windows 9x; that's a whole different game.

There are a few different ways in which PCs are usually set up:

  1. Bare-bones OS, users run as administrator
  2. As 1, but with some antivirus software installed
  3. As 2, but users run as standard user
  4. Some software like Deep Freeze is used. This creates a snapshot of an install and then reapplies that snapshot every time the machine boots, so all changes during a user session are discarded after a reboot. Microsoft's free SteadyState could be used as well, but I've never seen it in the wild.

In addition, many commercial shops run some sort of cybercafe software that tracks the usage time of the customer and reports back to a central server so the customer can be charged when leaving. The software often adds some restrictions as well, like disallowing access to the registry, Task Manager or cmd.exe. Again, many times the user still runs as administrator.

So option 4 doesn't sound too bad, does it? Let me explain why it isn't a good option. Take the Oasis hostel in Granada, Nicaragua. Deep Freeze 5 was installed about 15 months ago; every morning after booting up there was a clean system on the machine. The problem was that it was an unpatched system. Within an hour, Conficker came in from the network and other viruses joined in from USB sticks. For the rest of the day these suckers would do their work and spread to other USB devices. Having antivirus software didn't help much because the virus definitions were totally out of date, as any updates would be overwritten every morning.

So none of these ways are perfect, and some cost money. Let's try to solve the problem with built-in/free tools.

First, let's think about what a typical user wants to do on the computer:

  • Surf the Internet
  • Use Skype
  • Use Office
  • Copy photos from a camera to another USB device or upload them to the Internet.
  • Burn files onto CD or DVD
  • Download free music or podcasts and put them on an iPod or another player.
  • View PDF documents
  • Use Chat/Instant Messaging applications

So here's my proposed solution for a fairly secure public Windows machine:

Setup:

  • Install XP or Vista
    Always use a fully licensed version, otherwise certain updates may not work.
  • Apply all Microsoft updates and patches
    Use Internet Explorer and go to update.microsoft.com. I recommend also installing the latest version of the .NET Framework and Silverlight.
  • Turn off Fast User switching
    This just confuses users and may lead to both the admin and the standard user being logged on at the same time, something we don't want.
    Open the control panel and then the 'user accounts' section. Click on 'Change the way users log on or off', untick 'Use fast user switching'.
  • Use a strong password for the administrator account
  • Make sure the Windows Firewall is on
    In the control panel, click on 'Security Center'
  • Make sure Windows Auto update is set to auto download and auto install.
    This makes sure updates are applied when running as standard user. In the control panel, click on 'Security Center' and check the settings for 'Automatic Updates'
  • Install a free Anti Virus package like AVGFree and make sure it is set to update the virus definitions once a day.
  • Make sure autorun is turned off
  • Install alternative keyboard layouts such as Spanish and Hebrew
    In control panel open the 'Date, time, language and regional options' section. Check the checkbox for 'Install files for complex script...'. This is required for Hebrew.
    Then click on 'add other languages' and then on the 'Details' button. There you can add additional input languages. Also click on the 'Language bar' button and make sure the language bar is shown so the user can change the language.
  • Install other Software
  • DO NOT install:
    • Adobe Acrobat Reader
      too big and slow, many security problems
    • Nero
      too big and installs too many things you don't want
    • iTunes
      too big, also may delete people's music when trying to sync
    • Any browser plugins and toolbars
      these are sometimes nice to have but not necessary.
  • Make sure the installed software doesn't autostart but put an icon on the 'all users' desktop.
    Put a shortcut into C:\Documents and Settings\All Users\Desktop
  • For Vista and Windows 7, turn off UAC.
    The user should not be able to access admin features and should not be prompted for an Admin password.  On the other hand, when using Internet Explorer UAC is valuable for security reasons.
  • Create a new user account.
    Use the 'user accounts' section in control panel. Let's call it 'user', for convenience with an empty password.
  • Set the autologin to the new user.
  • Make sure the user is only in the user's group not in the administrators group.
    This means the user only has write access to the user's own home directory (C:\Documents and Settings\username or C:\Users\username) and can't change anything else in the system.
  • If you have additional partitions, make sure the user doesn't have write permissions.
    !Explain how to do this!
  • Create a html page that explains the usage of DeepBurner and Floola to users who are used to Nero and iTunes. Put the file on the All Users desktop.
    !A sample file should be created!
  • Optional: Set read-only permissions to the HKCU-Run section in the registry and the Startup folder. This prevents most applications from auto-starting.
    !Explain how to do this!
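The three '!Explain how to do this!' items above (a read-only extra partition, a protected Startup folder and a protected HKCU Run key) can be scripted. The script below is an added example and not part of the original post. It assumes Vista or Server 2008 or later (icacls and PowerShell 2.0), that the standard account is called 'user' with its profile under C:\Users\user, that the extra partition is D:, and that it is run from the administrator account while 'user' is logged off, because reg load cannot open a hive that is in use. On XP the same ACLs can be set with cacls and the profile lives under C:\Documents and Settings.

```powershell
# Added example, not the original post's code. Assumptions: Vista/2008 or later,
# standard account 'user' (logged off), data partition D:, run as administrator.
param(
    [string]$UserName   = 'user',
    [string]$DataDrive  = 'D:',
    [string]$ProfileDir = 'C:\Users\user'     # C:\Documents and Settings\user on XP
)

# 1. Extra partition: rebuild the root ACL so that only Administrators and SYSTEM
#    can write; everybody else gets read/execute. (OI)(CI) makes the entries inherit
#    to files and subfolders, so anything created later on the drive is covered too.
$root = Join-Path $DataDrive '\'
icacls $root /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Users:(OI)(CI)RX' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $root" }

# 2. Startup folder: an explicit Deny for write access beats the Allow the account
#    has as owner of its own profile, so programs cannot drop shortcuts there.
#    (XP: <profile>\Start Menu\Programs\Startup)
$startup = Join-Path $ProfileDir 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
icacls $startup /deny "${UserName}:(OI)(CI)W" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $startup" }

# 3. HKCU\...\Run lives in the account's NTUSER.DAT. Load that hive under a
#    temporary name, add a Deny for SetValue/CreateSubKey, then unload it again.
$hiveName = 'KioskHive'
reg load "HKU\$hiveName" (Join-Path $ProfileDir 'NTUSER.DAT') | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed; is '$UserName' still logged on?" }
try {
    $runKey = "Registry::HKEY_USERS\$hiveName\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $runKey)) { New-Item $runKey | Out-Null }
    $identity = New-Object System.Security.Principal.NTAccount($UserName)
    $rights   = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    # Constructor arguments: identity, rights, inheritance, propagation, Allow/Deny
    $deny = New-Object System.Security.AccessControl.RegistryAccessRule($identity, $rights, 'ContainerInherit', 'None', 'Deny')
    $acl = Get-Acl $runKey
    $acl.AddAccessRule($deny)
    Set-Acl -Path $runKey -AclObject $acl
} finally {
    [gc]::Collect()                        # drop provider handles so the hive can be unloaded
    reg unload "HKU\$hiveName" | Out-Null
}
"Locked down $root, $startup and HKCU Run for '$UserName'."
```

The account still owns its own hive and profile, so a determined user could remove the Deny entries again; that is why the post lists the registry part as optional and repeats it during maintenance. Run the script again after every profile reset.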

The user can now do all the things he/she wants to do but can't screw up the system itself. New software and viruses may be installed but they can only affect the user's home directory.

You could now create a disk image of the system and use it for other computers. After using the image make sure to apply all updates.

Maintenance:

Over time the user's home directory is getting messed up with photos, documents and software. So once a week or so you should log on as the administrator and do some clean-up:

  • Delete the user's profile, but not the user itself.
    This deletes everything the user added and brings the system back into a clean state.
    To do this log off the standard user and log in as the administrator. In the start menu right click on 'My Computer' and choose properties. Under the 'Advanced' tab, click on the 'Settings' button in the 'User Profiles' section. There choose the user account and click 'delete'.
    You can also download a tool from Microsoft to delete the profile from the command line and create a batch file to do this.
  • Windows, Office and your AntiVirus software should be up to date because of auto-update but you should check the third party software for new versions. Another reason to keep the number of these applications low.
  • Log on as the standard user to create a new clean profile.
  • Optional: Set read-only permissions again.

 
Categories: IT Pro | Work on the road

I am in a hostel in Costa Rica and all over the PCs here, the BV:AutoRun-G[Wrm] Virus is popping up when people are using their thumbdrives.

You can delete the autorun.inf file in the root of the drive but it keeps coming back.

avast Antivirus keeps popping up alerts, but a full scan doesn't find any problems.

I searched a little bit but couldn't find a proper solution, formatting the drive didn't help people and the Flash Disinfector tool doesn't seem to work either.

I am not an administrator on the machines here, so my tool usage is limited. I can not use Procmon.exe to find out who is writing the files after they have been deleted.

Nevertheless, two other SysInternal Tools came to the rescue.

Steps to remove the bugger:
  1. Download 'procexp.exe' and 'Autoruns.exe' from http://live.sysinternals.com
  2. Open the autorun.inf file in a text editor and find out which executable it is starting.
  3. Start procexp.exe and under the 'Find' menu open 'Find handle or dll'. In the 'Handle or DLL substring' field put the name of the executable found in step 2. Most likely you will find it in the explorer.exe process. In my case the virus attached itself to the Windows Explorer process.
  4. Still in procexp.exe find Explorer.exe in the process list and kill it. Now the virus is no longer active on your system.
  5. Delete autorun.inf on your thumbdrive and also all content of the Recycler bin, both on the removable drive and on the local drives.
  6. Open autoruns.exe, click the Logon tab; under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run section there may be an entry that points to an executable in the recycle bin. You should have deleted this file in step 5, but also delete the entry here.
  7. You're done, copy 'procexp.exe' and 'Autoruns.exe' to your thumbdrive so you have them handy for the next time you run into a similar problem.

Update: It looks like the virus always uses explorer.exe, so you can just kill it with Task Manager and then use msconfig.exe, or even regedit.exe, to remove the Run entry. So you don't need any external programs; I still recommend the SysInternals tools though.
This shows that often you don't need any dubious third party removal tools to get rid of a virus.
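Steps 2 and 6 of the procedure above are what the two functions below automate. This is an added example and not part of the original post: Get-AutorunTarget parses an autorun.inf and reports only the keys that launch something (open, shellexecute and shell\<verb>\command), and Find-RecyclerRunEntry lists the current user's Run values whose command line points into a RECYCLER or $Recycle.Bin folder. The autorun.inf text inside the block is constructed for the demo and 'RECYCLER\example.exe' is a placeholder name, not a real indicator; PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the original post. The sample autorun.inf below is
# constructed; RECYCLER\example.exe is a placeholder file name.

function Get-AutorunTarget {
    # Returns "key => target" for every entry in [autorun] that launches a program.
    param([string[]]$Lines)          # contents of autorun.inf, one element per line
    $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }            # blank / comment
        if ($line -match '^\[(.+)\]$') { $section = $matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }
        if ($line -match '^([^=]+)=(.*)$') {
            $key   = $matches[1].Trim().ToLower()
            $value = $matches[2].Trim()
            # open=, shellexecute= and shell\<verb>\command= run a program;
            # icon=, label= and action= are cosmetic and are ignored here.
            if ($key -eq 'open' -or $key -eq 'shellexecute' -or $key -match '^shell\\[^\\]+\\command$') {
                "$key => $value"
            }
        }
    }
}

function Find-RecyclerRunEntry {
    # Lists HKCU Run values whose command line points into a recycle-bin folder,
    # the place the post found the dropped executable in.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $runKey)) { return }
    $values = Get-ItemProperty $runKey
    foreach ($p in $values.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # provider metadata (PSPath, PSDrive, ...)
        if ("$($p.Value)" -match 'RECYCLER|\$Recycle\.Bin') { "$($p.Name) = $($p.Value)" }
    }
}

# Constructed sample in the shape the post describes: an [autorun] section that
# starts an executable stored in the drive's RECYCLER folder.
$sampleInf = @'
[autorun]
; constructed sample for this example
open=RECYCLER\example.exe
icon=%SystemRoot%\system32\shell32.dll,4
shell\open\Command=RECYCLER\example.exe
shell\explore\Command=RECYCLER\example.exe
'@ -split "`r?`n"

Get-AutorunTarget $sampleInf
Find-RecyclerRunEntry
```

To check a real thumbdrive, pass the file in with `Get-AutorunTarget (Get-Content E:\autorun.inf)`; the reported target is the name to search for in Process Explorer's 'Find handle or dll' dialog in step 3. Both functions only read, so they work without administrator rights, as in the situation the post describes.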

For more information about removing viruses, please check my article Manually finding and removing malware.
 
Categories: IT Pro | Work on the road

February 24, 2009
@ 07:18 PM

 

As we all know, Microsoft named the next version of Windows "Windows 7". There has been lots of talk about this recently. Here's my opinion on how this happened.

When finishing up Vista (Windows NT 6.0) Microsoft started planning for the next major version (7.0). Someone gave the project the obvious code name "Windows 7". 20 months later Vista wasn't doing so well and Microsoft realized they had to fix this by releasing a new version of Windows much sooner than planned. They stopped the addition of new features and decided to go with what they had. At this point the changes between the new version and Vista were just enough for a point release, therefore the version is "Windows NT 6.1". However, someone in marketing liked the Windows 7 name so much that they decided to stick with it. Of course this was a stupid idea; 7 != 6.1

To help Microsoft with a name for Windows NT 7.0 here are some suggestions, not all of which should be taken seriously:

  • Windows 8  (following Windows 7) - as stupid as Windows 7
  • Windows FE (Fifth Edition) - because it is the fifth major edition of NT (3.x, 4.0, 2000[5.x] and Vista [6.x])
  • Windows VII (roman 7) - another 7, but maybe people would think it is a game console.
  • Windows Jet (the OS to take you into the cloud)
  • Windows.NET (New Enhanced Technology, also announcing the fact that finally there will be managed code in the OS)
  • Windows 2012 Workstation (release year) - this works for the server versions already.
  • Windows Mesa (Spanish for table, OS used for desktops)
  • Windows XP R2 (XP, best selling Windows ever)
  • Windws (with Web 2.0 features)
  • Windows VAX (paying tribute to the fact that many ideas in NT came from VMS on the VAX)

more to come...


 
Categories: IT Pro

Windows Server Update Services (WSUS) 3.0 stores all its metadata in a SQL database. It doesn't come with a built-in way to back it up though. Rather than using an existing SQL Server installation or SQL Server Express it uses the 'Windows Internal Database (WID)', a special SQL Server instance that is also used by other Microsoft products such as Sharepoint. WID doesn't come with any tools to access it and it doesn't allow remote access from existing SQL Server tools. I didn't want to install any SQL tools on the server and also didn't want to hack the registry to change these settings, but I wanted to back up the database and also have a look at it.

I first copied sqlcmd.exe and its components to the server and tried to run it, but it uses the 'SQL Native Client' which is not installed.

I then copied QueryExpress.exe, which is a single-file, non-install 'Query Analyzer' clone (available for free at http://www.albahari.com/queryexpress.html). In the server field of the 'Connect…' dialog I typed:

\\.\pipe\mssql$microsoft##ssee\sql\query 

This connects to the local server using named pipes, microsoft##ssee is the instance name of the Windows Internal Database.

It connected fine and I could now have a look at the database structure of the SUS database. To back it up use the following TSQL:

BACKUP DATABASE SUSDB TO DISK = N'C:\Backup\SQL\susdb.bak' WITH NOFORMAT, NOINIT, NAME = N'SUSDB-Full Database Backup', SKIP, NOREWIND, NOUNLOAD, STATS = 10 

This is cool, but now I wanted to automate the backup. I wrote a Powershell script that connects to the server and executes the same TSQL command as above. Unfortunately I couldn't get it to connect to the server, I tried various different connection strings and finally gave up.

I knew that QueryExpress.exe is using ADO.Net to connect, so I wrote a small .net console app to back up the database and any databases for that matter. Just specify the Name of the backup file in the config file and execute the program on the same server WSUS is installed.

You may want to delete the previous backup file before running it because these files are over a gig in size, at least on my server. If you don’t delete it, it will append the data to the existing file.

Download the backup tool from my downloads page.
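The ADO.NET connection that ended up in the C# console app can also be driven straight from PowerShell. The script below is an added example, not the author's backup tool. It assumes PowerShell 2.0 or later, that it is run locally on the WSUS server from an administrator account, that C:\Backup\SQL exists, and that the np: prefix in Data Source makes SqlClient use the same named pipe the post connected QueryExpress to.

```powershell
# Added example, not the author's tool. Assumptions: run locally on the WSUS
# server as an administrator, PowerShell 2.0 or later, C:\Backup\SQL exists.
param(
    [string]$Database   = 'SUSDB',
    [string]$BackupFile = 'C:\Backup\SQL\susdb.bak'
)

# Single quotes keep $microsoft from being expanded; np: selects the named-pipe
# transport, the pipe name is the one the post used in QueryExpress.
$connStr = 'Data Source=np:\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=master;Integrated Security=SSPI'

# NOINIT appends a backup set to an existing file (the post deletes the old file
# first); WITH INIT would overwrite the file instead. STATS = 10 makes the server
# emit a progress message every 10 %, which SqlClient raises as InfoMessage events.
$sql = @"
BACKUP DATABASE [${Database}] TO DISK = N'${BackupFile}'
WITH NOFORMAT, NOINIT, NAME = N'${Database}-Full Database Backup',
     SKIP, NOREWIND, NOUNLOAD, STATS = 10
"@

$conn = New-Object System.Data.SqlClient.SqlConnection($connStr)
$conn.add_InfoMessage({ param($sender, $e) Write-Host $e.Message })   # show the STATS progress lines

$cmd = $conn.CreateCommand()
$cmd.CommandText    = $sql
$cmd.CommandTimeout = 0          # a multi-GB backup exceeds the 30 second default
try {
    $conn.Open()
    [void]$cmd.ExecuteNonQuery()
    "Backup of $Database written to $BackupFile"
} finally {
    $conn.Close()
}
```

Scheduled with Task Scheduler under an account that is a local administrator, this replaces the console app for the routine backup; the same connection string also works for running the ad-hoc queries the post did through QueryExpress.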
 
Categories: IT Pro | Tools

October 25, 2007
@ 03:51 PM

I'm still relatively new to Vista and although I like it, some things drive me crazy:

I am now using Powershell extensively and work a lot on the main profile which is located in C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1.

I have an alias in Powershell to edit the profile in Notepad2.exe so I can quickly edit it and then reload the shell.

When starting the shell, my profile shows its version as a date. Recently I noted that the date shown and the one in the profile.ps1 file don't match. After some poking around it turned out that I had started notepad2.exe as a normal user who doesn't have write access to the system directory. Even though it loads the file from

C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1

Vista's file virtualization kicks in when saving it, so it ends up at:

C:\Users\pete\AppData\Local\VirtualStore\Windows\System32\WindowsPowerShell\v1.0\profile.ps1

It's pretty useless there because Powershell still needs it under C:\Windows\System32\.

So knowing this, I started editing the profile only as an administrator. I usually have a second Powershell open to run admin stuff, here is the function I use for starting it:

function su
{
  # $tnNT6x and $tnAdminUser are set elsewhere in the author's profile: going by the
  # two branches, $tnNT6x is $TRUE on NT 6.x (Vista / Server 2008) and $tnAdminUser
  # names the admin account to use on older versions.
  if ($tnNT6x -eq $TRUE)
  {
    # NT 6.x: the 'runas' verb of ShellExecute starts an elevated PowerShell (UAC prompt)
    $ShellApp = New-Object -ComObject Shell.Application
    $ShellApp.ShellExecute("$PSHOME\powershell.exe","","","runas")
  }
  else
  {
    # XP / 2003: no UAC, so start PowerShell under the admin account via runas.exe
    # (WinAppEx is the author's own launcher helper from the same profile)
    WinAppEx "runas.exe" "/user:$tnAdminUser $PSHOME\powershell.exe"
  }
}

However today I ran into a similar problem even as an administrator. I was adjusting my profile for Windows 2008 Server. For the first time I am using a 64Bit version and once again the profile I am editing is not the one that is loaded by the shell.

notepad2.exe $PSHOME\profile.ps1

is executed as

notepad2.exe C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1

However when restarting the Powershell my changes are not there. Turns out using:

notepad.exe C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1

works fine. The problem here is that notepad2.exe and most other text editors are 32bit applications where notepad.exe is 64bit.

When a 32bit application tries to save something into System32 the OS redirects it to SysWow64. Remember under a 64Bit Windows the 32bit files are in SysWow64 and the 64bit files are in System32, pretty confusing if you ask me.

This means I can not use any 32bit application to edit a file in System32, so for now I have to use Windows' own notepad.exe.
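The redirection described above can be detected before the editor is launched: a 32-bit image carries IMAGE_FILE_HEADER.Machine = 0x014C (0x8664 for x64), and on 64-bit Windows a 32-bit process can reach the real System32 through the %windir%\Sysnative alias, which WOW64 does not redirect to SysWOW64. The script below is an added example and not from the original post; it assumes PowerShell 2.0 and Vista / Server 2008 or later (the Sysnative alias is present from those versions on), and it also warns when the shell is not elevated, the case where Vista's file virtualisation sends the saved file to VirtualStore.

```powershell
# Added example, not from the original post. Assumptions: PowerShell 2.0,
# Vista / Server 2008 or later (Sysnative alias available), editor path given.

function Get-PEMachine {
    # Reads IMAGE_FILE_HEADER.Machine from a PE file: 0x014C = x86, 0x8664 = x64.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $fs.Position = 0x3C                  # e_lfanew: file offset of the 'PE\0\0' signature
        $peOffset = $br.ReadInt32()
        $fs.Position = $peOffset + 4         # Machine is the first field after the signature
        return $br.ReadUInt16()
    } finally { $fs.Close() }
}

function Test-Elevated {
    # True when the current token is in the Administrators role (UAC-elevated or no UAC).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object System.Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Resolve-System32Path {
    # For a 32-bit editor on 64-bit Windows, rewrite ...\System32\... to ...\Sysnative\...
    # so that the write lands in the real System32 instead of SysWOW64.
    param([string]$EditorExe, [string]$TargetPath)
    $is64bitOS = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
    $system32  = Join-Path $env:windir 'System32'
    $editorIs32bit = ((Get-PEMachine $EditorExe) -eq 0x014C)
    if ($is64bitOS -and $editorIs32bit -and $TargetPath.StartsWith($system32, 'OrdinalIgnoreCase')) {
        $rel = $TargetPath.Substring($system32.Length).TrimStart('\')
        return Join-Path (Join-Path $env:windir 'Sysnative') $rel
    }
    return $TargetPath
}

function Edit-SystemFile {
    param([string]$EditorExe, [string]$TargetPath)
    if (-not (Test-Elevated)) {
        Write-Warning "Not elevated: a save under System32 will be virtualised into $env:LOCALAPPDATA\VirtualStore"
    }
    $path = Resolve-System32Path $EditorExe $TargetPath
    Start-Process -FilePath $EditorExe -ArgumentList "`"$path`""
}

# Usage (paths are assumptions): Edit-SystemFile 'C:\Tools\notepad2.exe' "$PSHOME\profile.ps1"
```

Sysnative only exists as seen from a 32-bit process, so `Test-Path C:\Windows\Sysnative` from a 64-bit shell reports false even though the 32-bit editor will open the path fine; that is why the function builds the path without checking it.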

P.S. After installing Windows 2008 Server I was looking for Powershell because they claim it is now part of the OS. It wasn't there and it wasn't a separate download either. Turns out, as with most other features, you have to install it through the 'Turn Windows features On and Off' section under 'Programs and Features'.
 
Categories: IT Pro

I was testing Cardspace which comes with IE7, .Net Framework 3 or Windows Vista and while selecting a card the "Windows Cardspace" application hung. There is no way to kill it using Task Manager because your desktop and all other processes are inaccessible when using this tool.
If your computer is on a network, you can kill it remotely:

Open a command line and type
psexec \\computername -u username -p password cmd.exe

Provide a username and password for an admin user on the remote machine.

You can download psexec for free at www.sysinternals.com

You now have a command line running on the remote machine, type:

taskkill /F /IM icardagt.exe


This should kill it, you can then type exit to close your remote session.
 
Categories: IT Pro

I am using the Windows Indexing Service for the search on one of my web sites because most of the content is in flat files. I haven't touched the configuration for years and it works fine (even though the search results are not always what you would expect).
Recently I added two new subdirectories to the site, a normal one and one virtual directory for DasBlog.
I didn't really think about it at the time but realized later that I don't want either of the two new directories to show up in my search results as they are separate sub sites.
For a normal directory, you have to go into the Indexing Service node of the Computer Management MMC and find your web site. Add a new directory and set the 'Include in Catalog' property to No. In the same list is also an entry for the new virtual directory, but there is no delete feature as there is on directories that you created yourself. Switch to IIS manager and look at the 'Virtual Directory' tab of the properties for the virtual directory. I unticked 'Index this resource' but the directory didn't disappear in Indexing Service. When I created the new virtual directory it inherited the 'Index this resource' property from its parent site and the Indexing directory was created. Changing the property doesn't remove the directory, surely a bug.
How to fix this? I exported the settings for the virtual directory into an XML file, deleted it and then created a new one from that exported file. The indexing service directory is gone.

This was on a 2003 Server, but should be similar on Windows 2000.


 
Categories: IT Pro

July 31, 2006
@ 01:33 PM
I had a support call this morning, the guys were unable to connect to a remote 2003 server via 'Remote Desktop' anymore even though it worked the night before. The message was something like "You need to be a member of the Remote Desktop Users group to access this machine remotely".

We had no choice but to cab over to the data center and look at this on the console. Terminal Services were running and the users in question were still part of the Administrators group, which also gives them remote desktop access.

The clue was in the event log. A warning was stating something like 'No licensing server found'. I asked the guy how long ago this machine was set up and it was only a few months ago.

Microsoft changed the terminal server setup with Windows 2003 server: the previous 'Administrator mode' (a maximum of two users at the same time, who have to be administrators) is now enabled by default even without installing 'Terminal Services' in the Windows components setup. However, if you install them there you get the old 'user mode' which requires a 'Terminal Server Licensing' service and licenses, which cost money. The tricky thing is that you can use 'user mode' for 2 or 3 months without the service but then it seems to stop working completely. This had happened last night.

So uninstall 'Terminal Services', reboot and enable 'Remote Desktop' via the System properties dialog. Works fine again.

In Windows 2000 you had to set up the service even for admin access, that's why people still do it in 2003.


 
Categories: IT Pro

July 22, 2006
@ 10:56 AM

The other day I installed Windows Vista Beta 2 and plugged in my IPOD to see whether my 'on the road' setup still works. The first shock was that my beloved File Manager (winfile.exe) no longer runs. The procedure entry point SheConvertPathW is no longer in shell32.dll. Dependency Walker shows that some other functions are missing as well (SheConvertDirW, SheGetDirW, SheShortenPathW) and that there are also functions missing in SHLWAPI.DLL and IEFRAME.DLL. The first lot most likely has to do with the handling of 8+3 DOS file names. The really interesting thing here, though, is that as far as I know Microsoft breaks NT for the first time ever. I have a command line unzipper from 1992 and it still works fine for me and works in Vista. We have to wait and see how many other older applications no longer run. Turns out those functions above are undocumented and should not have been used by third party software, so I guess Microsoft had every right to finally remove them.

Gosh, the IIS administration looks totally different, I have to get used to that.

The name game

To me it's always NT 6 or, if you count properly, it's NT Release 4 (3.1=1, 4.0=2, 2000=3, Vista=4). XP was just a point release (5.1). It's also funny that they started the whole drop-the-version-and-use-the-year-in-the-name thing with Windows (2000) and now use it with most other applications, except they don't use it with Windows anymore (XP, Vista).



File Manager update: Dave Schneider wrote some Wrapper DLLs for Winfile.exe which avoid calling the removed functions. With his help my beloved File Manager works again, even under Windows Server 2008 64 Bit. Check Dave's page at people.ee.ethz.ch.
 
Categories: IT Pro