Recently I saw some people complaining about the Gmail user interface: Jeff @ Coding Horror, and there was also a reference to this in one of the Mix 10 talks, but I can't remember which one because I watched too many of them.

So all the super smart guys now work for Google, but even they don't always get it right.

There are many factors that make up good software, and one of them is to follow the standards of the operating system it runs on.

Here are two examples of why I don't like some Google Software.

There is a process named "GoogleToolbarNotifier.exe" on the computer I am sitting at. I guess this has something to do with the Google Toolbar in web browsers. I do not run a browser, though. So let's open Task Manager to kill the process: "Access Denied". What? Why can't I kill it? It runs under my own user account, and I should have all the rights to stop it.

The only way to kill it is to use a really low level StopProcess API that is usually not available to the end-user.

The other example is the Chrome browser. So far I had only used the portable version of it, which is not installed on the computer. Yesterday I installed the normal version and in the setup wizard chose not to create entries in the Start menu or on the desktop. After the wizard finished I tried to start the browser and had a hard time finding it. Nothing in "Program Files"; it turned out it was installed under my user profile directory, which according to Microsoft is for application data and settings, not for executables.

Also, because I usually install software as an administrator, my normal user account, which is not an admin, did not have access to the software. I had to run setup again under my normal user account, download the whole package again from Google, and then ended up with a second copy of the application on my hard drive.

There is actually a standalone installation package for Chrome, but it is not mentioned on the Chrome pages and you have to google with Bing for it.

The fact that the setup wizard doesn't allow me to choose a destination for the software I install pisses me off. What if I have my user profile on a remote network drive? It is now filled up with Google junk.

Don't get me wrong, Chrome seems to be a nice browser but until Google gets its act together I will not install it on my computers. At least I can use the portable version.


 
Categories: IT Pro

Some third-party Windows services think they are very important.
They do not give you the option to stop them in the Services MMC console.
You can try to kill the process using Process Explorer, but you get an "Access Denied" message, or the services come back right away after you kill them. That is because they have their recovery options set to "Restart Service". When you try to change this or even disable the service, you get another "Access Denied".

One way around this is to open Autoruns.exe, go to the Services tab and double-click the entry in question. This opens the registry editor with the key for the service selected. Delete the "FailureActions" value; this resets the recovery options to the default, which is 'do nothing'. Now you can kill the service and it won't come back.

If you want to disable it, set the Start value from 2 (Automatic) to 4 (Disabled).
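The FailureActions value deleted above is a serialized SERVICE_FAILURE_ACTIONS structure, so you can read it to see why a killed service keeps coming back. This is an added Python decoder of mine, not code from the post; the sample bytes are constructed, and the Win32 layout (5 DWORD header followed by SC_ACTION pairs) is the assumption it relies on.

```python
r"""Decode a service's FailureActions registry value (REG_BINARY).

Added example, not from the post. HKLM\SYSTEM\CurrentControlSet\Services\<name>\FailureActions
holds a serialized SERVICE_FAILURE_ACTIONS header followed by an array of SC_ACTION entries.
Deleting the value (as the post does) leaves no actions, i.e. "do nothing"."""
import struct

# SC_ACTION_TYPE values from the Win32 API.
ACTION_NAMES = {0: "none", 1: "restart service", 2: "reboot computer", 3: "run command"}

# 32-bit header as stored: dwResetPeriod, lpRebootMsg, lpCommand, cActions, lpsaActions.
HEADER = struct.Struct("<5I")
SC_ACTION = struct.Struct("<2I")  # Type, Delay in milliseconds

def parse_failure_actions(blob):
    """Return (reset_period_seconds, [(action_name, delay_ms), ...]), or None when the
    value is absent or too short to hold the header."""
    if not blob or len(blob) < HEADER.size:
        return None
    reset_period, _reboot_msg, _command, count, actions_off = HEADER.unpack_from(blob, 0)
    if actions_off == 0:
        actions_off = HEADER.size  # assume the array follows the header directly
    if actions_off + count * SC_ACTION.size > len(blob):
        raise ValueError("FailureActions truncated: %d actions claimed in %d bytes" % (count, len(blob)))
    actions = []
    for i in range(count):
        kind, delay = SC_ACTION.unpack_from(blob, actions_off + i * SC_ACTION.size)
        actions.append((ACTION_NAMES.get(kind, "unknown(%d)" % kind), delay))
    return reset_period, actions

def restarts_itself(blob):
    """True when any failure action restarts the service, i.e. a killed service comes back."""
    parsed = parse_failure_actions(blob)
    return parsed is not None and any(name == "restart service" for name, _ in parsed[1])

# Constructed sample: reset period 86400 s (0x15180), three actions at offset 0x14:
# restart after 60000 ms, restart after 60000 ms, then do nothing.
SAMPLE_RESTARTING = bytes.fromhex(
    "80510100" "00000000" "00000000" "03000000" "14000000"
    "01000000" "60ea0000" "01000000" "60ea0000" "00000000" "00000000"
)

if __name__ == "__main__":
    period, acts = parse_failure_actions(SAMPLE_RESTARTING)
    print("reset period: %d s" % period)
    for n, (name, delay) in enumerate(acts, 1):
        print("  failure %d: %s after %d ms" % (n, name, delay))
    print("comes back after kill:", restarts_itself(SAMPLE_RESTARTING))
```

To check a real service, export its FailureActions value with reg.exe and feed the bytes to parse_failure_actions.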

However, there are services that think they are super important; one of these is "Service for G-Buster Browser Defense". Access to its configuration in Windows tools is denied. When you change the Start value in the registry to 'disabled', within seconds it is changed back to 'Automatic'.
This is done by the winlogon.exe process, one of the core Windows services. A DLL of the G-Buster software, 'gbiehAbn.dll', is loaded into the winlogon.exe process (I think this happens because of the entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GbPluginAbn\DllName). The software also comes with a kernel-mode driver that starts even earlier in the startup process. However, it does not come with an uninstaller.

The software comes from a Brazilian bank and does not seem to do any harm.

Deleting the FailureActions registry value and killing the process with RootkitUnhooker.exe works, but so far I have not figured out how to get rid of it permanently.


 
Categories: IT Pro

The first thing I do when getting to a new public XP machine is to run a few batch files to stop a whole bunch of processes that are not needed while I do my work.

This only works if I am an administrator, but sadly enough on most public machines this is still the case.

Also most machines run DeepFreeze, so any changes I make are undone at the next reboot.

The batch files I am using are:
  • FixRegistry.cmd: fixes some things in the registry, which makes it easier to execute the other batch files.
  • saj.cmd (stop-all-junk): stops unneeded services and kills many common unwanted applications.
  • sas.cmd (stop-all-services): stops additional services that are not really needed.
  • sarj.cmd (stop-all-root-junk): stops some processes that I cannot stop as a normal admin; I need to run it with this special command:
    psexec.exe -s C:\bin\sarj.cmd
This runs the batch as the "System" user; make sure you use the full path to the batch file.

You can download the batch files from my download page.

If you don't already have the Sysinternals PsTools package, you can download it here.
 
Categories: IT Pro | Work on the road

I use a whole bunch of the Sysinternals tools from my USB stick when checking computers for viruses and fixing other problems. On every new computer, each of the tools first pops up the Microsoft License Agreement box, which you have to agree to. It is just one click, but it gets annoying over time.

So I use a small batch file "FixReg.cmd" which among other things has the following lines:

reg.exe ADD HKCU\Software\Sysinternals\PsKill /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD HKCU\Software\Sysinternals\PsList /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD HKCU\Software\Sysinternals\PsInfo /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD HKCU\Software\Sysinternals\PSexec /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Process Explorer" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Process Monitor"  /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Autoruns"         /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\TCPView"          /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\RootkitRevealer"  /v EulaAccepted /t REG_DWORD /d 1 /f 

I run this on every new computer before I do anything else. After all I have already read and agreed to the license terms more than once. As you can see from the HKCU registry hive, each user has to agree separately.

When using the psexec.exe tool with the -s switch to run a command prompt under the almighty System account, you first have to agree to the License Agreement, which is fine. But when you then want to work with additional Sysinternals tools within the System console, you have a problem. When starting pskill.exe, for example, the program tries to pop up the License Agreement dialog box. This does not work because the System account session does not have a desktop at this point, and the program hangs because nobody can ever agree to the License Agreement.

To fix this, add a few more lines to the FixReg.cmd batch:

reg.exe ADD HKU\.DEFAULT\Software\Sysinternals\PSexec /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD HKU\.DEFAULT\Software\Sysinternals\PsKill /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD HKU\.DEFAULT\Software\Sysinternals\PsList /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD HKU\.DEFAULT\Software\Sysinternals\PsInfo /v EulaAccepted /t REG_DWORD /d 1 /f

The System account looks in the HKEY_USERS\.DEFAULT section of the registry for any settings it should use.

Now you can kill processes that you couldn't kill as a normal administrator:

psexec.exe -s cmd.exe 
pskill.exe badprogram.exe 
exit

To accept the license agreements of all current Sysinternals tools, use the following batch file (copy it into a text file, name it 'eula.cmd' and double-click it):
reg.exe ADD "HKCU\Software\Sysinternals\AccessChk" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\AccessEnum" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\AdExplorer" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\AdInsight" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\AdRestore" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Autologon" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Autoruns" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\BgInfo" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\BlueScreen" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\CacheSet" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ClockRes" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Contig" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Coreinfo" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Ctrl2cap" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\DebugView" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Desktops" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Disk Usage" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Disk2vhd" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\DiskExt" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Diskmon" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\DiskView" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\EFSDump" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Handle" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Hex2dec" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Junction" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\LDMDump" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ListDLLs" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\LiveKd" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\LoadOrder" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\LogonSessions" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\MoveFile" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\NTFSInfo" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PageDefrag" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PendMoves" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PipeList" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PortMon" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ProcDump" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Process Explorer" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Process Monitor" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ProcFeatures" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsExec" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsFile" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsGetSid" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsInfo" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsKill" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsList" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsLoggedOn" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsLogList" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsPasswd" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsService" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsShutdown" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsSuspend" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\PsTools" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\RAMMap" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\RegDelNull" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\RegJump" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\RootkitRevealer" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\SDelete" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ShareEnum" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ShellRunas" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Sigcheck" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Streams" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Strings" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Sync" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\TCPView" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\VMMap" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\VolumeId" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\Whois" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\WinObj" /v EulaAccepted /t REG_DWORD /d 1 /f
reg.exe ADD "HKCU\Software\Sysinternals\ZoomIt" /v EulaAccepted /t REG_DWORD /d 1 /f

 
Categories: IT Pro | Tools