Domain: sysinternals.com
Stories and comments across the archive that link to sysinternals.com.
Comments · 757
-
Re:Windows needs a rewrite
The copy protection system "Safedisc" needs a kernel-mode driver to run on NT based OSes called secdrv.sys. Since installing kernel-mode drivers needs to be a privilege given only to trusted users, you need to run as admin so it can install the driver.
Here is a good link from a WINE mailing list archive about it.
Sometimes apps want to write all their config stuff in HKLM, so they need access to that, or create temp files or config files in the Windows directory, along with blindly asking for write access to stuff in Program Files. Tools like Filemon and Regmon will show you those access attempts. -
Re:Firefox vs. IE, missing features 2.0...
* Changing the temporary cache path? I like storing anything temporary on another drive, not my system drive. That way I can erase the whole thing at the end of my windows session if necessary.
On XP/2000 you can actually create the equivalent of a symlink (called "junctions", but only for directories), you could use this feature to "redirect" the cache to another folder. Unfortunately Windows doesn't provide a way to *create* a junction, but see here http://www.sysinternals.com/ntw2k/source/misc.shtml#junction . -
Other anti-spyware stuff
I've seen a lot of people mention AdAware and Spybot, but I figured I'd throw a couple other recommendations in. For the computers we get in at work, we use a combination of
Autoruns (Kind of like MSConfig on crack)
HiJack This
and some other scanner, usually Ad-Aware or SpySweeper.
SpySweeper makes for some impressive numbers, but it's unclear to me why these numbers are any higher than what other software detects. Maybe it counts too many cookies. -
Re:i notice...
There's a free app for Windows from Sysinternals called TCPView that lets you close connections; it's GUI-based though, available here
not sure of any command line utils
sysinternals has many other cool free apps and many of those have source code -
Re:Sue Themselves?
PS: I use an older version of AIM (5.2.3292), so YMMV with the hosts file. If the servers have changed any, I've found it's pretty easy to figure out where AIM's getting adverts from with this nifty utility.
-
Re:Faster processors...
Process Explorer will show you the threads in each process, complete with cpu time counters and stack trace. Looking at the mozilla process on my computer, it has 10 threads. However, only one of those threads has more than 1 second of total CPU time.
The main thread has spent 5:30 mins total CPU time. It is the message queue worker thread for all the windows. It spends its time in mozilla.exe.
Three threads are waiting in nspr4.dll. (netscape something)
One has spent 0 cpu time and is waiting in wdmaud.drv.
One keeps asking for the system time some 500 times a second (context switch delta about 1000/sec) from winmm (maybe a Windows sound worker?)
One is at 0 time with status Wait:DelayExecution
And there are 3 LPC worker threads that have all spent 0 CPU time on status Wait:WrLpcReceive. I assume these were created by and for the win32 subsystem.
It is possible that other meaningful threads once existed, but have exited (and so are not displayed), but I doubt it.
The bottom line: Mozilla has only one meaningful thread. The rest are contingency support workers, probably created by libraries. As FireFox is based on Mozilla, I would assume it is the same. More CPUs won't help Mozilla's performance in the least. -
Advanced startup editor...
I found this startup editor, that happens to be free and allows quick editing of the registry(not for the meek) and access to all start up services and programs.
-
Re:Aren't you glad you need admin privileges ...
Many applications and games require admin privileges to install. Windows Update requires admin privileges. etc etc.
So run only those programs as admin. Windows NT is (and always has been) multi-user. See RunAs, PsExec, SUD, etc. It would be a pretty lame excuse if I said that I had to run as root on Linux all the time because upgrading the kernel requires root access. You'd tell me to use su; do the same thing on Windows.
Compare that to the Millions of Windows machines completely infected with spyware right now because Microsoft has no clue how to secure a web browser.
That's funny, I've used IE without getting any malware.
Here's a better reason that so many computers are plugged: ignorant users that are gullible, believe everything they see on the Internet, and press yes or OK on every dialog box just to get them to go away (without reading them or caring about the content). This is just as possible with Firefox or KDE or any other complex system that people use: you can make resistance to stupidity, but stupidity will always win some battles.
Could Microsoft make the resistance higher? I guess. But then they would have to contend with cries of incompatibility and non-ease of use. It's a precarious balance.
You'd like more security, but you aren't a shareholder of Microsoft; I'm sure the company has done much research that says that invasive security makes users mad and reduces sales
But combine users running by default as Admin [...]
Yes, the admin default sucks for security. It is also only a default and so completely avoidable; the fact that users don't avoid it speaks of their ignorance.
If Windows XP automatically logged you on as a non-admin user, most people would be lost; they would have no idea why they can't install their new software. All they see is an ugly dialog box they don't understand and it isn't working. This news would get out, XP would be branded as impossible to use because some dumb columnist couldn't install Quicken 200X, and nobody would buy it. They would still be using 98 or ME with zero local security. Because it's easier than dealing with security hassles. These are the same people who have no idea what the consequences of installing Gator or whatever are, and if you try to tell them about it, they glaze over and continue to do what they always have done. -
Re:Internet Explorer DLL's
SysInternals has a tool that allows you to see (almost) all of these locations; see http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
The SysInternals tool apparently misses a few of the items. But it has a nice GUI for showing the items and for disabling them (though some spyware re-enables itself, but that's another story). -
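An added example, not from the comment above and not Autoruns' own code: a PowerShell sweep of a few classic autostart locations (the Run/RunOnce keys and Win32 services), resolving each command line to its image and flagging images that are missing from disk or not Authenticode-signed. Autoruns covers many more locations (BHOs, Winlogon notifications, scheduled tasks, drivers); the key list and the command-line parser here are simplifications chosen for illustration.

```powershell
# Added example, not part of the original comment or of Autoruns itself.
# Enumerate Run/RunOnce keys plus Win32 services, resolve each entry to its
# image file, and report whether that image exists and carries a valid signature.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath {
    # Extract the executable from a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent     or     C:\foo\bar.exe -x
    # An unquoted path containing spaces falls through to the first token and
    # shows up as MISSING below, which is itself worth a look.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"')      { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+?\.exe)\b')   { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # PSPath, PSProvider, ... are provider metadata
        [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
})
$entries += @(Get-CimInstance Win32_Service | ForEach-Object {
    [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = [string]$_.PathName }
})

$report = foreach ($e in $entries) {
    $image = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $e.Command))
    if ([string]::IsNullOrWhiteSpace($image)) {
        $status = 'NO-IMAGE'
    } elseif (-not (Test-Path -LiteralPath $image -PathType Leaf)) {
        $status = 'MISSING'     # dangling entry, or a path the parser did not handle
    } else {
        # Valid / NotSigned / HashMismatch / UnknownError ...
        $status = [string](Get-AuthenticodeSignature -LiteralPath $image).Status
    }
    [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Image = $image; Signature = $status }
}
$report | Sort-Object Signature, Source | Format-Table -AutoSize -Wrap
```

NotSigned entries in a user's Run key are the ones to read first; MISSING entries are either leftovers of a removed program or a path with spaces that the parser could not resolve, and both deserve a manual check.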
psShutdown w/Task Scheduler
psShutdown with Task Scheduler would have been enough. Honestly don't think M$ should be held entirely responsible. Any f00l could have set this up.
BTW, going from UNIX to Windows is more of a migration, not necessarily an upgrade.
-
Re:Prosecution?
I recently cleaned off a student's laptop and got paid handsomely for it. The XP laptop had outdated antivirus, no firewall, and Bagle.[A-Z] was on it in every executable. Thank god for pskill so I could kill LSASS.EXE and clean it.
I sent the laptop home with the firewall turned on and the parent bought a cable/DSL firewall for use at home. The hours I spent cleaning that infection helped pay for a new set of tires for my car.
Who says this economy is down?
-
Tack on Process Explorer...
In conjunction with HijackThis, I use Process Explorer when supporting our customers. It's really invaluable for Killing Processes or Process Trees of spyware like Bubba.wintools that continually regenerate all of its files and registry entries if they are running.
It's sad that we went from caring about how cookies affect our privacy to frantically trying to keep our computers free of extremely persistent little programs that are free to do whatever they want with your data. -
Re:your mission, should you choose to accept it ..
Download a bho remover http://www.computing.net/windowsme/wwwboard/forum/43535.html use msconfig, look in task manager, or use sysinternal's procexp, and you should be able to remove it yourself http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
Startup Control Panel
http://www.mlin.net/StartupCPL.shtml -
Off topic: DLL Hell
If there are any windows-users actually in this thread... and they get trapped in a DLL situation. I would suggest trying these programs...
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
It'll tell all the processes associated with a running program.
http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml will show all the loaded dlls.
Between these two programs, you can sort through most of the dll errors without killing yourself.
disclaimer: I don't know this guy... I just use his software. :)
Davak -
Re:Hmmm...
Overrunning a web browser, including Internet Explorer, won't get you root access unless you are running it in a privileged account such as Administrator. IE is just another user mode program.
There are tools available, such as runas, SUD, and psexec that let you run only specific programs (usually those that need admin access for no reason) as admin. -
Re:Or maybe...
I'm not so convinced about this: NTFS has things called streams. Security descriptors are in an alternate stream for example.
You can have any amount of streams on a file.
The only downside is that it's not 'officially' supported, for example, the filesize reported isn't consistent with all the streams (only the $DATA stream is used to compute filesize). That being said, it's not a hidden API either, it's just a question of opening a file name with the stream specified.
Long story short though, you can put any sort of meta data you want in alternate streams. In fact, Microsoft does this quite often in their own files.
For more info, check here.
-
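An added example, not part of the comment above: PowerShell that writes a named $DATA stream behind an ordinary file, shows that the reported file size ignores it, enumerates the streams, and sweeps a directory for any file carrying a stream other than the unnamed one, which is the check a responder wants when looking for hidden data. The file name and the stream name are made up for the demonstration.

```powershell
# Added example, not part of the original comment. Demonstrates NTFS named
# streams: write one, observe the size mismatch, enumerate, sweep, clean up.
$file = Join-Path $env:TEMP 'ads-demo.txt'          # demo file, constructed here
Set-Content -LiteralPath $file -Value 'visible payload' -NoNewline

# Same file, different stream: on disk this is ads-demo.txt:hidden
Set-Content -LiteralPath $file -Stream 'hidden' -Value ('X' * 4096) -NoNewline

# Length covers the unnamed stream only; the 4 KB in 'hidden' is invisible here.
(Get-Item -LiteralPath $file).Length

# Every stream on the file, each with its own length (':$DATA' is the unnamed one).
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length

# Reading a named stream is the same path with a different stream name.
(Get-Content -LiteralPath $file -Stream 'hidden' -Raw).Length

function Find-AlternateStreams {
    # Sweep a tree for files with any stream beyond the unnamed one.
    # Zone.Identifier (the "downloaded from the Internet" mark) shows up here too.
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Root $env:TEMP | Format-Table -AutoSize

# Remove only the named stream; the visible content stays.
Remove-Item -LiteralPath $file -Stream 'hidden'
```

Copying the file to a FAT volume or through most archivers drops the named streams silently, so a sweep like Find-AlternateStreams has to run on the NTFS volume the file actually lives on.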
sysinternals tools...
Everything from sysinternals, 7-Zip, VNC, PuTTY, ClamWin, etc.
-
Please learn how to make links.
<a href="http://www.spywareinfo.com/~merijn/">Merijn</a>
<a href="http://www.tomcoyote.org/hjt/">HijackThis</a>
<a href="http://www.sysinternals.com/ntw2k/freeware/procexp.shtml">Process Explorer</a>
(without the "; " or any spaces put there by Slashdot) yields:
Merijn
HijackThis
Process Explorer
If that's too much typing for you,
<URL:http://www.spywareinfo.com/~merijn/>
<URL:http://www.tomcoyote.org/hjt/>
<URL:http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>
(without any spaces put there by Slashdot) yields:
http://www.spywareinfo.com/~merijn/
http://www.tomcoyote.org/hjt/
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
Also:
Don't try and terminate the spyware's running processes.
"Don't try to terminate". -
Re:Yes
-
Re:Prank software
sysInternals do a nice windows based rpc suite with software injection
:)
http://www.sysinternals.com/ntw2k/freeware/pstools.shtml -
Re:Spam firewall? I want a hard drive firewall
What I want to see is a software hard drive "firewall."
It sounds like what you want is a filesystem driver that warns you when a "sandboxed" app. is trying to write a file to disk and allows you to prevent it. This does seem like an excellent idea, and though I don't know of any products that address this specific need, the latest versions of many personal firewalls have similar "application protection" features where they will warn you if an app. tries to write something outside of its directory.
On the filesystem side, specifically, you may want to try FileMon from SysInternals. It's free, although not OSS, but they link to some great books and articles describing the Windows filesystems. (You may also want to look into the IFSKit from M$, though you have to pay to use it.) I bet you could get a good start by looking at FileMon and trying to figure out what it does and how it implements those capabilities... -
Re:It's not just the shady companies
Amen.
The trick with qttask.exe is that you've got to rename the executable. qttask.exe.bak or the like.
Even with Sysinternals' ProceXP, Spybot, Ad-Aware, BHODaemon, Hijackthis, etc, I can't find the damn thing's entry point.
As far as Real goes, I'd recommend Real Alternative instead.
-
Re:I turned it off.
Wrong. Process Explorer tells me that the firewall and security center are hosted in the main svchost process, along with 21 other services. With the SharedAccess (firewall) and wscsvc (Security Center) services stopped, that svchost was using 18,872k of private memory. With both of them running, the process was using 19,108k of private memory, a difference of 236k. The services are implemented in DLLs so they are considered shared memory: the Security Center binary (wscsvc.dll) is 80k and the firewall binary (ipnathlp.dll) is 323k. That's a total 639k of memory used by the firewall and security center on my computer (xpsp2). Hardly 20mb.
I'm curious; how did you come up with the 20mb number? -
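An added example, not from the comment above: PowerShell that reproduces the measurement the commenter describes. The first function maps every service to its host process and lists private bytes per process, so you can see which svchost hosts what; the second stops a named set of services, records the host's private bytes before and after, and restarts them. The service names SharedAccess and wscsvc are the ones from the comment; the three-second settle time is an assumption.

```powershell
# Added example, not part of the original comment. Maps services to host
# processes and measures what stopping a set of services frees. The stop/start
# part needs an elevated prompt.
function Get-ServiceHostReport {
    $groups = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object ProcessId
    $rows = foreach ($g in $groups) {
        $proc = Get-Process -Id ([int]$g.Name) -ErrorAction SilentlyContinue
        if (-not $proc) { continue }
        [pscustomobject]@{
            PID          = [int]$g.Name
            Image        = $proc.ProcessName
            PrivateKB    = [math]::Round($proc.PrivateMemorySize64 / 1KB)
            WorkingSetKB = [math]::Round($proc.WorkingSet64 / 1KB)
            Services     = ($g.Group.Name | Sort-Object) -join ', '
        }
    }
    $rows | Sort-Object PrivateKB -Descending
}

function Measure-ServiceCost {
    # Private bytes of each host process before and after stopping $Name.
    # Caveat: a stopped service's DLL normally stays mapped in the shared host,
    # so the delta reflects released heap and threads, not the DLL image size.
    param([string[]]$Name)
    $filter = ($Name | ForEach-Object { "Name='$_'" }) -join ' OR '
    $hosts  = (Get-CimInstance Win32_Service -Filter $filter).ProcessId |
                  Where-Object { $_ -ne 0 } | Sort-Object -Unique
    $before = @{}
    foreach ($p in $hosts) { $before[$p] = (Get-Process -Id $p).PrivateMemorySize64 }

    Stop-Service -Name $Name -Force -ErrorAction Continue
    Start-Sleep -Seconds 3      # let the host release the service's working set
    $result = foreach ($p in $hosts) {
        $after = (Get-Process -Id $p -ErrorAction SilentlyContinue).PrivateMemorySize64
        [pscustomobject]@{
            PID      = $p
            BeforeKB = [math]::Round($before[$p] / 1KB)
            AfterKB  = [math]::Round($after / 1KB)
            DeltaKB  = [math]::Round(($before[$p] - $after) / 1KB)
        }
    }
    Start-Service -Name $Name -ErrorAction Continue
    $result
}

Get-ServiceHostReport | Format-Table -AutoSize -Wrap
Measure-ServiceCost -Name 'SharedAccess', 'wscsvc' | Format-Table -AutoSize
```

Reading the same numbers off Process Explorer's Private Bytes column for the svchost in question gives the same answer; the script just makes the before/after comparison repeatable.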
Re:Works when the machine is locked too
Perhaps the payload could be used to catch login keystrokes, but I doubt Windows makes it possible to receive keystroke events during a login/unlock-workstation screen. If doing so is possible, it's a huge security flaw in Windows.
While I've not tried it, I'm certain that this is possible, and IMHO it's not a security flaw. In order to do this your code would have to be running as the System account, which means that you've already compromised the machine and can do pretty much whatever you want. (For example, you could snag all of the password hashes and do an offline dictionary attack on them.) VNC was running as System account in the example screenshot on the website, so they obviously exploited some security flaw of this nature when they created the example. This is exactly the same type of flaw that Sasser, Blaster, and company exploited.
If you manage to compromise a service running as the System account, then you could log keystrokes by starting a new process on the Winlogon desktop (the desktop which is visible when logging in and when the workstation is locked) which would then hook fields on the login dialog.
Another approach is to use the CreateRemoteThread API to start a new thread in the Winlogon process that would hook the fields on the login dialog.
Yet another approach would be install your own keyboard driver like this utility does.
I'm sure there are lots of other methods that I'm leaving out. -
Network monitoring
Chapter Four is about using common tools, like Ethereal, Netstat...
If you're talking about Joe User, you need to stick to what works under Windows. Last time I checked, Ethereal on win32 platforms only worked on LAN (eth) adapters and not dialup connections. If you've got a cable modem or DSL hooked up via an ethernet adapter, then it's a viable option. I'll agree about netstat, but I really don't think I'd be able to teach a non-technical person how to interpret the output -- even given a book with examples, a non-techie really doesn't stand much chance tracing down what programs have what ports open.
As far as monitoring open connections on a win32 box, I'd heartily recommend TCPView. It's capable of printing out information on all connections, their states and what processes they're associated with. Very powerful tool, and I can talk my mom through using it over the phone, even sending me the results via email. -
Re:also
If you're having troubles stopping a process through the Task Manager, try the amazingly useful (and free!) Process Explorer from SysInternals. Be careful though, killing SMSS for instance is not a good idea!
Check out their other tools too, they rock e.g. TCPView is a nice graphical netstat, and FileMon & RegMon allow you to see what files/registry entries are being accessed. Very cool. -
Re:I use RAID 0...
A word of caution about mount points on the desktop:
If you mount an empty volume to an NTFS folder using Disk Management, navigate to that folder, and try to delete something, it will fail, telling you something about how "xxx can't be deleted because the file is in use." This is bs. The real reason is that windows can't figure out how to send a file on a volume that's mounted to a directory to that volume's "recycle bin," and so craps out gracelessly. If you try to actually delete the file (Shift+Delete in Windows Explorer) rather than send it to the recycle bin, it will work.
I've had better luck using junctions with Sysinternals' free tool. This gives you more UNIX-y linking in that it lets you link an empty directory to any other directory (I believe the target directory needs to be on NTFS but I'm not totally sure). The only caution I'd make about the junction tool is that the links it makes are not symbolic, i.e. delete the mount point in windows explorer and you've deleted the target as well (junction.exe has an option to remove junctions). -
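An added example, not part of the comment above and not the junction tool's own code: PowerShell that creates a junction, shows how to recognise one before touching it (the reparse-point attribute and LinkType), and removes it with a call that only drops the link, then verifies the file behind it survived. The two temp directory names are made up for the demonstration.

```powershell
# Added example, not part of the original comment. Create a junction, detect
# it as a reparse point, and remove only the link, never the target contents.
$target   = Join-Path $env:TEMP 'junction-target'   # demo paths, constructed here
$junction = Join-Path $env:TEMP 'junction-link'
New-Item -ItemType Directory -Path $target -Force | Out-Null
Set-Content -LiteralPath (Join-Path $target 'keep-me.txt') -Value 'data'

# Junctions need no special privilege (unlike file symlinks); the target must be
# a local directory.
New-Item -ItemType Junction -Path $junction -Target $target | Out-Null

function Test-ReparsePoint {
    # True for junctions, volume mount points and symlinks. Check this before
    # any recursive delete, because a recursive delete may follow the link.
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    return [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
}

$link = Get-Item -LiteralPath $junction
"{0}: LinkType={1} Target={2}" -f $junction, $link.LinkType, ($link.Target -join ';')
"junction is reparse point: {0}; target is reparse point: {1}" -f `
    (Test-ReparsePoint $junction), (Test-ReparsePoint $target)

# Directory.Delete on a junction deletes the reparse point and leaves the target
# alone ("cmd /c rmdir" on the junction path behaves the same way). Do not use
# Remove-Item -Recurse on anything for which Test-ReparsePoint is true.
if (Test-ReparsePoint $junction) { [IO.Directory]::Delete($junction) }

if (-not (Test-Path -LiteralPath (Join-Path $target 'keep-me.txt'))) {
    throw 'target contents were removed along with the link'
}
Remove-Item -LiteralPath $target -Recurse   # plain directory now, safe to recurse
```

The same Test-ReparsePoint check is worth running on any directory a cleanup script is about to recurse into; junctions planted under a user profile are a known way to redirect a privileged deletion onto something it should not touch.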
REGMON and FILEMON
If you're a Windows user, I suggest you go to:
To get utilities like REGMON and FILEMON.
While people have used them for other purposes (for example, figuring out where shareware stores dates), they can be useful tools against spyware too.
Run them before doing anything you think MAY be dangerous, and you'll be able to see spyware activities right in front of your eyes.
-
Sysinternals autoruns
Sysinternals provides an array of tools for monitoring your system. e.g. Autoruns provides the same info as startcop. Filemon shows all filesystem activity, in real-time, with optional filters. I use it, in combination with the registry monitor regmon, to monitor software installation.
-
Process Explorer
What you want/need is Process Explorer. It is one of the best free Windows utilities that I have ever found. It shows all running programs as well information about them to help identify what they are.
-
Re:Hare
For your defragmentation needs, you could also try buzzsaw.
Also, sysinternal's pagedefrag and contig are pretty useful.
Not that defragmenting your hard drive will give you enormous performance boosts, though.
The first thing I do when I sit down in front of an XP machine is turn off the unnecessary themes/skinning, animations and shadows, unwanted services (services.msc), unwanted start up programs (try sysinternal's autoruns), and of course the adaware/spybot thing.
Also, I usually set the swap file to be some fixed number of megabytes (4 times RAM or some ludicrous amount like that), and make sure IE's and mozilla's cache sizes are pretty minimal (i.e. 10MB should be enough) if the machine is on a broadband connection.
If these programs can do anything more to optimize my setup, they're welcome, but I wonder what exactly they do.. -
Re:From the article...
You can get a blue screen of death screensaver from http://www.sysinternals.com/ntw2k/freeware/bluescreensaver.shtml . Always a hoot to have running in your lunch hour. -
Re:actual source?
obnoxious Microsoft apologist
Ahhh. The mark of the Paranoid Leenucks Zealot. You wouldn't happen to be related to my friend twitter, would you?
let's see you debunk the accepted record
I don't see how I can prove a negative, and I sure as hell haven't seen anything that approaches an "accepted record". The "hidden APIs" thing is just another one of those myths you wonderful people like to repeat and spread.
If you had a few more usable brain cells you would have figured out that undocumented != hidden, and that undocumented doesn't mean jack shit. Or do you think someone brighter than you already ran Word or Excel through a profiler to see which of the "hidden APIs" they call? Maybe you're hopelessly confused by things like these, which are not "hidden APIs" but undocumented things that you're not supposed to use, although you're more than free to do so if you figure them out, like Mark Russinovich and other people already did.
The fun comes when companies play stupid tricks with the native API and kernel-level functions (no doubt with Russinovich's book in hand) instead of with the goddamn published API - next version of Windows comes around and because the kernel people changed something (as they should have the damn right to do; that's why there's a fucking layer on top of it), the assholes that thought they were so cool to call NtCreateFile() directly are screwed. So that must be proof that Microsoft is evil!
If you're referring to the "Settlement APIs" that Microsoft recently published, here's a newsflash: Those were figured out fucking ages ago. Their ordinals in the system DLLs located, methods and structures and flags worked out by people (again) brighter than you. There's an entire class of these functions that are nothing more than fucking shortcuts to well-documented interfaces. Their existence has never been denied by Microsoft, and in fact you can even find some in examples used in the knowledgebase. The only thing Microsoft did was say "look, these are not documented because we might remove them later from the system. Use them at your own risk, or write your own wrappers". These are the only things all those bright Netscape engineers could find after digging around for a year, and they pointed at them as evidence of Microsoft's evil practices. So they were published and Microsoft was immediately forced to provide support for them (real support, you know, not in IRC). Well there you go. Now, given that you're so obviously intelligent I'd like to have your opinion as to what exactly in that list would give Microsoft a competitive advantage - especially considering almost all of those functions were already known in the developer community. Oh, and remember that there are about 30,000 APIs in Windows.
Shit. You know, I suppose the fact that Oracle and the Sun Java VM run fucking faster on Windows than on Unix (not to mention the fact that Oracle is a far better database than SQL Server) proves that Microsoft has all these hidden APIs working for them as well to crush their competitors. Why didn't I think of that before.
Jesus H. Christ, you people are quite the piece of work. All promethean and chest-thumping martyrs when it suits you but perfectly able to turn into bottom-scraping offal whenever you're desperately trying to spread some FUD about Microsoft or anyone/anything else you hate.
-
Re:Question
UNIX security model is much more easy to grasp and implement than whatever MS kludged together in the various pro versions of their environment.
I don't find the NT security model to be hard to understand; what don't you understand? It hasn't changed much since the first version.
There's no such thing as chroot/jail in windows isn't it?
Yes, they are called sessions. Each session has a set of symbolic links in the Object Manager that connect devices to a session's namespace. The Object Manager is like Linux's VFS. Change/delete those links and win32 can't get to the devices they point to. For example, if you changed the C:->\Device\HarddiskVolume1 link to point to \Device\HarddiskVolume1\MyDir, processes in that session cannot access files outside of \MyDir.
I'm perfectly aware that an XP registry is rife with cryptic and multiply overridden account policy keys that only a specialized enterprise admin might make something out of it (that's probably why SPs often FSCK up deployed servers...).
Are you saying that group policies are cryptic, despite the paragraphs per entry in the description tab? Here is how policy overriding works. Group policies applied from the domain always replace local settings; they would be useless without this. Computer policies override user policies in a single GPO object when a conflict exists. When you connect GPO objects to an organizational object you get to pick what order the GPOs are applied in. When in doubt, lookup the "Effective Policy" in Local Security Policy. Policies overwrite each other; redundant entries are not created.
Personally, I haven't had any problems with service packs.
When a security hole exposes a 'nobody' or 'www' jailed server I can patch it in no time being 100% sure the only service involved is the one I'm working on; sometimes I go to the point of duplicating shared libs (openssl) for the various servers... Windows is unsafe because of sloppy code and also because it has a byzantine security model.
If I had an unprivileged local service breached on a NT machine, the only thing I would worry about is local exploits, same as on a UNIX. You can duplicate libraries if you want, but that's a bit pointless.
The security model is just different, not bad. -
Re:actual source?
There really is a secret "API" in windows NT/2K/XP.
It's called the native API, and operates at the OS level, much like system calls in linux. It provides functionality for virtual memory, threads, processes, synchronization, files, and so on.
The Win32 API is a wrapper above this API. This is partly because Windows NT was designed to support different APIs. Many functions in the Win32 API have a one-to-one mapping with native functions. This is a good OS design feature, not a secret conspiracy by evil washington overlords.
The native API is important for very low level stuff such as driver development, but is not necessary nor desirable IMO for application development. SQL Server is an application, but many enterprise-level databases have special file access or filesystem level things built in for performance, so I wouldn't be surprised if MS used the native API in SQL Server. But I would be quite surprised if they used it in applications like word or media player.
See, for example, Windows NT/2000 Native API Reference by Gary Nebbett: http://www.amazon.com/exec/obidos/tg/detail/-/1578701996/104-0340249-2815171?v=glance on Amazon.
A good source of info about this topic is Sysinternals' article, Inside the Native API, at http://www.sysinternals.com/ntw2k/info/ntdll.shtml -
Citation
I'm not sure if this is what the original poster was talking about, but he could be referring to the Windows Native API.
How was this "secret" API call discovered since people don't have the source code to SQL Server?
There are several very simple possibilities that anyone could figure out with the tools that ship with Windows itself. One way is dumpbin. dumpbin.exe can be used to dump a list of functions exported from a DLL. Another way is depends.exe, which lists all functions called by a given binary, so you could confirm that SQL Server calls function X exported from DLL Y. Just because a function is not listed in a header doesn't mean it isn't exported from the DLL and usable.
Anyway, hope that answers some of your questions. -
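The point above, that a DLL's export table, not its headers, is the authority on what it exposes, is what dumpbin /exports reads. As an added example (not code from the comment, from Microsoft or from Sysinternals), a small Python parser walks a PE file's export directory and lists every exported name with its ordinal; build_sample_pe, list_exports and the constructed minimal image and names are all hypothetical, and a real DLL can be passed as bytes instead.

```python
import struct

def build_sample_pe(names, dll="sample.dll"):
    # Constructed minimal PE32 image (not a real DLL): one section holding an export directory.
    sec_off, sec_rva, n = 0x200, 0x1000, len(names)
    a_funcs = sec_rva + 40                       # export directory is 40 bytes
    a_names, a_ords = a_funcs + 4 * n, a_funcs + 8 * n
    strings_rva, blob, name_rvas = a_ords + 2 * n, dll.encode() + b"\0", []
    for name in names:
        name_rvas.append(strings_rva + len(blob))
        blob += name.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, strings_rva, 1, n, n, a_funcs, a_names, a_ords)
    body += struct.pack("<%dI" % n, *[sec_rva + 0x500 + 16 * i for i in range(n)])  # fake code RVAs
    body += struct.pack("<%dI" % n, *name_rvas) + struct.pack("<%dH" % n, *range(n)) + blob
    opt = bytearray(224)                         # optional header, zero except what the parser reads
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<II", opt, 96, sec_rva, len(body))   # DataDirectory[0]: export table RVA/size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    sect = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", len(body), sec_rva, len(body), sec_off) + bytes(16)
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr.ljust(sec_off, b"\0") + body

def list_exports(data):
    # Walk DOS header -> PE header -> export directory; return [(name, ordinal), ...].
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    exp_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]
    if exp_rva == 0:
        return []                                # image exports nothing by name
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                # map an RVA to a file offset via the section table
        for vsize, vaddr, rawsize, rawptr in secs:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rawptr + rva - vaddr
        raise ValueError("RVA %#x is outside every section" % rva)
    e = off(exp_rva)
    base, _nfuncs, nnames, _afuncs, anames, aords = struct.unpack_from("<IIIIII", data, e + 16)
    exports = []
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, off(anames) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, off(aords) + 2 * i)[0] + base
        start = off(name_rva)
        exports.append((data[start:data.index(b"\0", start)].decode(), ordinal))
    return exports
```

Running list_exports over the bytes of a real DLL shows names that appear in no public header, which is exactly how an undocumented call can be confirmed without source code.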
Re:runas is crap
I don't know why it isn't working. This may be a stupid question, but are you sure the SecondaryLogon service is running? Maybe explorer is quitting for some reason; try starting another cmd.
The user is really named Admin.
Did you try SUD/SU? I always use that instead of RunAs anymore.
Also, see psexec. It can do the same thing, and it can also do it on remote computers (assuming you have access). -
Re:Well factored code
If you were wondering just how big the shell's libraries are (IE included) on xpsp1, ask Process Explorer:
shell32.dll: shell common (contains many bitmaps, icons and avis too)- 7.85mb
mshtml.dll: html renderer - 2.66mb
shdocvw.dll: Shell Doc Object and Control Library - 1.27mb
ole32.dll: OLE/COM library - 1.12mb
browseui.dll: shell/browser UI - .97mb
mlang.dll: multi-language support 563k
comctl32.dll: common controls lib - 544k
oleaut32.dll: another OLE/COM library - 556k
shdoclc.dll: shell doc library - 536k
urlmon.dll: a URL lookup helper - 473k
shlwapi.dll: lightweight shell helper - 386k
cscui.dll: client-side caching (offline files)- 300k
cscdll.dll: offline files - 87k
That's a total of 17315k.
FireFox 9.2 OTOH is mostly a single 6.4mb file (firefox.exe) with 3.4mb of jars for chrome. -
Re:It's about damn time!
Yesterday I was working on my mom's boyfriend's computer, which I installed a fresh copy of XP on a couple days prior. Already, there were bluescreens during shutdown/reboot (due to IRQ conflicts with our precious plug-n-play system)
An IRQ conflict won't cause a bluescreen unless some crappy third-party driver doesn't handle that situation correctly and panics.
Adaptec CD-Creator wouldn't print labels (but everything else would print fine)
I'm not sure, but I think Adaptec CD-Creator is actually Roxio Easy CD-Creator. In any case, since other apps can print correctly, it's obvious that the printing problem is CD-Creator's, not Windows's.
right-clicking on My Computer to go to properties would yield a cryptic registry-based error before opening properties.
Care to repeat the error message verbatim? What makes you think it's a problem in the registry? Saying that it's registry based is just as useful as saying that some file in /etc is misconfigured on Linux.
I was using that to download drivers, and search for other things (such as "workarounds" for the ever annoying XP Activation), and IE would hang at just about every other website I would go to, rendering everything else I was doing on the computer useless until it freed its resources.
I agree that activation is a pain.
What resources do you speak of?
CPU? Windows has process and thread priorities. If they are inappropriate, change them. Besides, two processes competing at the same priority will only take 50% each; hardly useless.
Disk? I can't imagine what IE would be doing with the disk for long periods of time. Ask Filemon.
Memory? How much memory does IE have committed? What's the total commit charge? How much physical memory is free? Is IE itself using the memory or is it some leaky plugin?
If you could at least narrow it down to what type of resource? I can't imagine how IE could be rendering the entire computer unusable.
I installed FireFox, and that helped a lot with the browsing issues.
If FireFox made things better, great. Personally, I use Mozilla; and it has its own issues, like not handling messages correctly so it gets paged out aggressively and paged in at 10% the speed of other apps, requiring large quantities of memory (100mb with 3 windows right now) all in the working set.
and I have had absolutely 0 problems. It JUST WORKS.
Good for you. I have had tons of problems. X Windows won't start; it says that there is no mouse, but it restarts like 10 times, as if the mouse problem will magically resolve by restarting a few times in rapid succession. XF86Config has the same ps/2 mouse config setup as my FC1 install; it works in RedHat but not Debian 3. Also I can't start X without a mouse; how stupid is that? I can still do everything in Windows with no mouse. The sound driver won't load; I'm not sure where to start with this. It is for a VIA AC'97 interface and it tells me something about an unresolved symbol.
I had to jump thru hoops to enable DMA on my hard drive. I can't compile the kernel anymore; it says "cpp: output pipe has been closed" compiling /kernel/module.c. I would reinstall the sources but debconf won't let me add new sources anymore and the ftp site I was going to before is closed now. When I try to add a new source from the list there it says it can't find the host but I can ping the host from another console. It won't let me force the host to be added to the list.
The DHCP client is bogus: it continually allocates new IP addresses without releasing the old ones until my DHCP server runs out, preventing other computers from getting one. I know it's Debian by the MAC address and the fact that it's the only installed OS on that computer.
I don't see why anybody in their right mind would still f
-
Re:50%
I found my own little list of "potentially insecure" apps by opening my windows directory lol.
Seriously, just go ahead and delete whatever you want. If something breaks, you needed it. Just go to a recovery console and get it back if you have to. If not, cool, your system is likely better without it.
This rule of thumb does not hold true for your firewall or antivirus software...
BTW, Sysinternals (http://www.sysinternals.com) has some really great free products that could really help in determining what files and dlls you actually need. Check out http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml and http://www.sysinternals.com/ntw2k/freeware/handle.shtml and http://www.sysinternals.com/ntw2k/source/filemon.shtml among other products. -