Domain: sysinternals.com
Stories and comments across the archive that link to sysinternals.com.
Comments · 757
-
Re:50%
I found my own little list of "potentially insecure" apps by opening my windows directory lol.
Seriously, just go ahead and delete whatever you want. If something breaks, you needed it. Just go to a recovery console and get it back if you have to. If not, cool, your system is likely better without it.
This rule of thumb does not hold true for your firewall or antivirus software...
BTW, Sysinternals (http://www.sysinternals.com) has some really great free products that could really help in determining what files and dlls you actually need. Check out http://www.sysinternals.com/ntw2k/freeware/listdlls.shtml and http://www.sysinternals.com/ntw2k/freeware/handle.shtml and http://www.sysinternals.com/ntw2k/source/filemon.shtml among other products. -
Re:tard
This "tard" reverse-engineered the low level NT kernel API from scratch. Among other things. He's one of the best systems architects in the world. Look up his name in the LKML - he's had quite a few interesting discussions with the likes of Torvalds, Cox, Reiser and Molnar. Peruse his website.
You can't even fucking spell.
-
Some observations..
Mark Russinovich is the guy from Winternals who has some very cool utilities for Windows - frequently mentioned in the Microsoft knowledge base. If you're looking for Windows utilities to show processes, logged on users, open file handles/mutexes etc., look no further.
Having said that, the talk was about the kernel. Obviously the differences between a GNU/linux distribution and a Windows variant run very deep.
My pet peeve about Windows is the registry. Sure, the staggering number of sometimes quite byzantine file formats of all those different /etc/ and ~/.somethingrc files can be quite daunting, but it's so much better than the registry in real-life situations where things can go wrong and you want to edit or restore stuff by hand, it's just not funny.
The biggest difference in the kernel would have to be security. Windows has a lot riding on their weird security system with its SIDs and groups (which isn't enough to actually lock down your users, you need to use funky policies for that), whereas Linux usually tries to get by with a simple uid/gid combination. Of course, if you'd want to, you could SELinux the kernel up beyond recognition, when it comes to security. (Try to do that on Windows.)
Also, printer drivers don't run in Ring 0. They do on NT (and on Windows 2000/XP as well, if you install old drivers. There's no warning or nothing. Yay.) -
Re:If this is true
I forgot that 2k does not have a native tool for it though NTFS does support it. You can use the freeware tool Junction from Sysinternals available here to do it. It's per directory not per file so MUCH more limited than true symlinks but it would allow you to mount a common plugin directory.
-
Re:If this is true
I'd be surprised if someone hasn't written a tool that can do it.
Yep. Here's the tool (and source code). -
A Good Login Script Is Your Friend
We got hit by Nachi/Welchia at the end of August 2003 while I was on holiday with my daughter.
I came back to work to find the place in chaos (the volume of traffic that critter produced on our network was astounding).
I knocked up a KiXtart script which, when run remotely with Administrator credentials using Sysinternals.com's PsExec, detected the presence of the worm, killed the process if it was running, ran McAfee's Stinger and patched the workstation.
A modified version of that script which detects over 100 common viruses is now run on every workstation when the users log in.
In my experience, there's a residual 2 to 3 percent of workstations which, for a variety of reasons, refuse to be patched remotely (usually no ADMIN$ share, sometimes in need of a service pack).
Every month I use the same techniques to push out critical patches to our 2000+ desktop PCs.
It's amazing what you can do with free software. -
Re:That's why
Note also that Windows uses a lot of "cheats" (or clever programming, depending on who you ask) to make the system appear fast
Here we go...
for instance showing the login screen for Windows 2000 and its successors BEFORE the system has finished loading and all daemons have started running.
This is true. True more so for XP than 2000. But that doesn't make it any faster because there's still a couple of seconds where you can't do jack shit even though the screen is already "drawn". Never fooled me, really. But then again, I've never seen Linux (any distro with any window manager or not) boot faster than Windows. I'm sure you can boot Linux in about 3 seconds if you spend 4 months tweaking it and that's been done as a cool geek experiment, but the average Linux user (if there's ever such a thing) probably won't go there anyway, and neither will the major user-oriented distros.
And also we have the thing with IE and lots of other MS software being loaded in the background whether you ask or not
OK, let's do a little experiment. Load up Windows. Download Geoshell and reboot. Now, load up Process explorer and try to find a single instance of a process mapping the IE render library (mshtml). No? OK, now load IE. How fast was that? Now load Mozilla or Firefox. This whole "oh teh M$ is teh cheat" is absolutely bogus. IE is simply fast, and Mozilla is simply slow. Period. That doesn't make one a better browser than the other, but I'm not going there.
and only hiding the icons instead of unloading them when the user tries to "close" them thereby sacrificing memory to gain perceived speed for the user.
What exactly do you mean? When I close a window I expect the process to go away and be unloaded. If anything the executable image will remain in memory and it will load without swapping next time, but are you saying that Windows "hides" windows instead of unloading their processes when I ask it to? That's nuts. Or are you referring to this? Heh. You really don't believe the argument that this problem is a Microsoft issue, right? Because the only application that has that problem happens to be Mozilla.
-
Re:Repeatability, Predictability and Orthogonality
My original point was that Windows console is more of an afterthought than a powerful system for accomplishing tasks.
Yes, it is an afterthought, but it's also useful. More command line tools can be had here.
As far as the \Device\Network0, ipconfig doesn't seem to take that as an input on my box. A consistent naming convention for nics doesn't exist, in a gui world it doesn't have to.
ipconfig uses the 'long name' for network connections. The normal naming convention for those is "Local Area Connection 1". You can change it in the network control panel by selecting the connection, then File->Rename. Rename it to eth0 if you want. Use the long name of the adapter, including wildcards, as a parameter to ipconfig to show only those adapters. eg: ipconfig eth0
I have 2 books on the registry, one out of date one from MS Press and one from O'Reilly for Win2k Registry. They both point to these three points in making the registry: 1) The registry was made to provide a single place to store data (ie a single point of failure) 2) The registry was created to be harder to edit (ini files were easy to edit, and users would screw themselves over all the time) 3) The registry was to have a defined hierarchy
Personally, I find the registry easy to read and use. I like having a single organized place for all config info. With tools like regmon it's also easier to track individual changes than with various text files. It's possible that MS wanted some stability through settings obscurity, but I still find it hard to believe that it is a major reason.
So instead of /dev/blah I get {53B6AA67-3F56-11D0-916B-00AA00C18068}, great. If my machine gets screwed I'll have a jolly old time calling someone trying to tell them {53B6AA67-3F56-11D0-916B-00AA00C18068} (or something like it) over the phone. The registry should be easier than this...
Most things that have GUIDs also have a text name associated with them in the registry. Have them search for that name. Devices using them is pretty rare though. I wouldn't suggest debugging COM references over a phone line.
Also, this isn't an inherent flaw of the registry, but how it is used. -
Re:As a developer...
1) Yes, the drive letters are old and a bit bothersome; other posts have explained how to mount volumes and subdirectories. Internally C: is just a symbolic link to \Device\HarddiskPartition1 in the Object Manager. The Object Manager is kinda like the VFS in Linux.
5) About the HAL: the HAL isn't optimized for CPUs; it is an interface to the interrupt controller, bios and some other things that can be motherboard specific.
7) If apps follow MS's guidelines, each app stores its settings under \Software\Company\Appname in the registry. Global settings go in the local machine software hive and user settings go into the specific user's hive in their profile. Large quantities of data are supposed to go under the application's directory and \Application Data of the user's profile. If you make a registry export of the program's keys, and optionally take user profiles with the app directory, you should be able to transplant anything (assuming the developer followed the guidelines). Thinking ahead: Yes, it's more complicated, and no I don't know of an automated way to do it.
8) A GUI that isn't doing anything isn't wasting cpu time. It does take some paged memory; if that memory is needed elsewhere it will be paged out.
9) I have never had a corrupted WinNT install. It's not like I don't use them, either.
About there being a place for both Windows and Linux (and others), I agree completely. -
Re:Active KillDisk
I second Eraser, or SDELETE for scripting.
-
Swap caps lock and control for NT
Equivalent hack is available for NT too. It's done via registry, but I can't be bothered to google for it right now.
Well, I bothered.
:) This is not a registry hack but a little program that attaches itself to the keyboard class driver.
http://www.sysinternals.com/ntw2k/source/ctrl2cap.shtml. -
Re:Security...
Internet Explorer. The only thing it is integrated with is the shell (ie explorer). Process Explorer tells me that Internet Explorer is actually implemented mostly in (on xpsp1)
shell32.dll 7.85mb (5.5mb of which is pictures and AVIs)
mshtml.dll 2.66mb
shdocvw.dll 1.27mb
browseui.dll .97mb
sxs.dll 695kb
wininet.dll 574kb
shdoclc.dll 536kb
shlwapi.dll 386kb
TCP/IP has always been included with Windows NT. So has a FTP server and client. Notepad and Calculator, too. -
Re:Why?
Why do you blame yourself? Have you tried a bootable distro? I have no idea why you are getting issues like those (keyboard in X!!!) as I have never seen a problem. Mostly if we need a Linux box at work we just throw Linux on and we are done.
I blame myself because I do not (as yet) know what I am doing most of the time on a Linux box. I love Knoppix, and wish that fixed distros had that kind of hardware detection, but a live CD isn't a long term solution.
About the X keyboard: I think it was shortly after I installed WINE (the next restart) and the keyboard quit under X; I might as well unplug it. Not even the lights worked. If I log out to close X and go back to the console, it works fine. I played with X's config files for hours with no effect, under RH9. I have since re-installed (yes, I'm sure it was fixable without resorting to that (like most Windows problems) but I couldn't figure out how.)
Odds have everything to do with it apparently. It's not just my co-workers, it's friends, family, and random strangers on the street that find out I know anything about computers!!
I believe you, that most people can't run their computer without having tons of problems. I deal with them too. I don't think that Windows is any easier to keep running than Linux; only that it's possible if you really know what you are doing.
The problem is that for all intents and purposes, Windows is a black box because opening that box is very unpleasant.
To me, the /etc directory is unpleasant. It's unpleasant because it is unknown to me. I would even say I am a little afraid of it. The only remedy is for me to learn it.
I could be wrong, but do you think that maybe the registry and Windows internals are unpleasant to you because you don't understand it?
Why would I want to go to all the effort you suggest?
To fix it without reinstalling? (overkill) To learn something?
It still could be anything. Does Office have a repair function? It would be in add/remove programs. Re-installing only PowerPoint or Office should be enough to fix it; all of Windows is overkill.
I am done, I installed OpenOffice and have moved on with my life.
Good; whatever works. Personally, I use OpenOffice too, at home.
Is it really doing that though? Or is that a made up example.
Actually it was Gnome's panel, on the same RH9 install the first time I tried to use it (and thereafter).
The problem I am having currently is with a FC1 install under VMWare 4 (the RH9 has its own computer). X won't start, it used to, but has since quit; I don't know what caused it. It tries to start about 5 times and then says it will disable the X server for now until the configuration is fixed. I tried running the config scripts, but after entering redundant data, it still doesn't work. Another thing is that I would like to go back to the original display driver that came with the Fedora install but was replaced installing VMWare tools; they seem to have the same name, and I have no idea how to go back. It runs with either one, but the performance was much better with the original. Maybe it's newer?
Sound is also broken; I can't remember if it ever worked.
Now let's talk about ability to fix. If a Linux app is really having an issue, it's far more feasible to do remote support on that problem by running a few commands (like ps) or send on a core file. Your suggestion of literally debugging what is wrong with Powerpoint or seeing what registry entries it uses is far more complex.
There are plenty of command line tools for Windows. pslist is equivalent to ps on UNIX. You can use those across telnet or SSH. Other tools support text output. Beyond that, there is Remote Assistance. Is there an equivalent tool for
-
Re:Here we go again...
You aren't really helping your case much. What I said was that Linux stays "fresher longer", to put it another way. I said nothing like what you said, not even a little bit. I am saying that generally a box used in the same manner will need less repair on the Linux side of things.
Not in my experience; my Linux installs always seem to get something broken (keyboard in X, sound, X in general, Gnome shell, UDMA) and I can't fix it. Who do I blame? Myself; I am not very good at Linux (yet).
I suggest you buy a lottery ticket because you sure are good at beating the odds!
Odds have nothing to do with it, and the number of people with different experiences is irrelevant. I'm sorry that your co-workers have so many problems; what are they doing wrong?
Most people have different experiences, just judging by random samples of people at work.
Well, what do you want? The code it displays when it crashes? Support people can't figure it out either actually looking at the computer, so I wouldn't waste your time - just another case of Windows flaking out, corrupting some vital bit of registry somewhere, and needing a reinstall. I'm sure that never happens with XP.
I'm sorry that the support people are incompetent, too. They probably aren't paid to actually fix problems, but to make them go away. Putting re-installation at the bottom of a cue sheet eases support costs.
Something specific has to be broken. Part of the problem is that you are treating Windows like some kind of black box that can't be diagnosed. You shouldn't give up so easily. What is the error message? Is it an unhandled exception or just a message box? Which process causes it? You said it's at startup: how is it started? Find out which objects are opened by the process, and what libraries are involved. You suspect the registry; find out which registry keys are opened and how.
What if I said: The KPanel of KDE crashes every time I start the computer, no matter what I do. This is RH9. How do I fix it?
Is that enough information? If it's not enough information for Linux, how can it be enough for Windows?
One difference is that the source code is available for Linux, but not Windows. Is that really so big a difference? Sure, if I knew where to look, and knew what I was doing, and had the time, I could investigate the source to find the problem; even submit a patch and fix it myself. It's possible but not easy. It's also not like Windows and Office don't have any documentation. -
Re:Here we go again...
Download tools from SysInternals.
Autoruns will list everything that gets started. Check that out for unnecessary entries.
Process explorer will show all running processes and exactly where cpu time is spent, down to the thread, with stack information.
Filemon can show all disk activity down to the lowest level; even writes to the file table.
There are many others, try them out.
As for stuff that already comes with Windows:
Look at the Event Viewer; what is causing the crashes? Is it a specific driver that could be replaced/upgraded? Include bus drivers listed under system devices. Ignore driver signing; there are bad signed drivers and good unsigned drivers out there. Generic drivers will be more stable but might be slower.
In XP, run verifier.exe to run some extra checks on drivers (restart required) to help identify problems. Using the checked build of the kernel can also be quite useful, if you know any kernel debugging. If possible, buy hardware from vendors that write quality drivers. (Sounds like Linux; buy hardware for the software support.)
Run spybot/adaware to rid the computer of spyware, and institute protection from future infection by running IE and the shell as a lesser user. Runas, psexec, and SUD can help with this.
Otherwise, try to figure out when and how the computer is slow. Is the hard drive running all the time? Maybe the computer is low on memory and it's time to stop some unnecessary services? Is it CPU usage caused by some rogue process that you can track down with Process Explorer? -
Re:Windows on HPC?
Complete replacement of the ACL with a root based system. By default nothing else has any privileges unless expressly granted.
No access already is the default. ACLs are much more flexible than the all or nothing root based model.
New files should never be executable. The ability to execute should be a privilege that must be explicitly granted. This means no more .exe's, .com's, .vbs, etc,...
And what does executability have to do with filename extensions? Besides you can make nothing executable without explicit permission with Software Restriction Policies. Use it to create a whitelist of executable binaries.
Users should have the ability to disable non-essential functions of any kind, such as IE. They should not be integrated into essential OS functions.
Software already exists that uninstalls IE. The only thing that IE is integrated in is the shell (no 'essential OS functions'). If you want to use a different shell, go right ahead.
Users should be able to kill any and every process. Have you ever tried to kill MS processes? There are dozens of them treated like kernel processes. A process could have a huge gaping security hole in it; yet, you can't kill it.
Yes, and I haven't had a problem. Task manager won't let you kill some things (yes this is stupid) but other things like Process Explorer and pskill will.
Heck, you aren't even allowed to know what it's doing with 33% of your CPU.
What is 'it'? Have you tried to debug the process? What services (if any) is it hosting? Which thread is using the time? Is it reading from any files? What objects does it have open? Did you ask any of these questions?
All ports should be closed by default. Sounds easy, but disabling MS's networking abilities by default scares Redmond. Their ActiveX and central administration initiatives run counter to this.
Yes ports should be closed. I don't believe in your conspiracy about MS's fears, though.
It needs to implement PAM and other pluggable security technologies so administrators can choose best of breed instead of being stuck with one that has holes in it.
It already supports Authentication Packages that do exactly what you describe.
The source code needs to be open...
That would be nice, but don't hold your breath. -
Re:Uh huh!
Umm, I would just like to point out that a kernel which changes every few weeks can hardly be described as a stable platform, and the absence of evidence regarding the changelog of the NT kernel doesn't mean it isn't changing. After all, it is closed source.
One good source of information and Windows kernel mode apps is Sysinternals. If you want to know more about native NT APIs, NT source tree layout, NTFS etc, that's the place. -
Re:PuTTY
A command line interface for windows would leave you without any documented method to accomplish basically everything. Of course that wouldn't be much different from the way it is now. It probably wouldn't be too hard to figure out how to change all that stuff in the registry and you could certainly port new user space tools to the system to replace a lot of the GUI functionality.
I use cygwin heavily on Windows. I ssh in all the time. Sometimes I don't actually want to start an interactive kill, so by using sysinternals tools I can do stuff like "ssh system pslist | grep game" and then I can pskill the game that's tying up my input devices in the same fashion. That's just a limited example, though. cygwin is bringing more and more Unix tools to windows which means I can have most of the best of both worlds. True, it's not as stable, but for a desktop system, it's "stable enough".
-
Re:You can't laugh this off, not even with Mozilla
Good post. The culture differences between Windows and UNIX are just like you said. I wish MS would crack down on ignorant developers too, but it really isn't their job; the users should be complaining more. Microsoft's own software is usually pretty good about it. Games are the worst.
UNIX has commands like su to run programs that require extra privileges. Windows has runas, psexec, and sud. When I find something that doesn't behave as a lesser user, I create a simple shortcut that uses sud to start that one program as admin or some user with just enough access. It's not perfect but it works. -
Re:Fast User Switching Rules...
By running applications such as Filemon and Regmon and the Task manager, you can get a pretty clear picture of what a program does or does not do to your system when running it. A good virus scanner and an application-level firewall also come highly recommended.
This does not, of course, eliminate the chance that your mysterious app won't do something bad the 10th, 100th or 1000th time it's run, when you may be less suspecting of foul behaviour. However, I've yet to come across, or hear of any major spreads of such a trojan. -
Re:Obstacles
Speak for yourself. Some of "us" Slashdot readers don't expect Microsoft to stand in the way of WINE at all. After all, they couldn't stop DR-DOS or PC DOS or Pro DOS. And they didn't stand in the way of VirtualPC or VMWare.
As for breaking WINE -- well, Microsoft would be hard pressed to change their APIs in such a way that would break WINE, but that wouldn't break third party applications. The last thing Microsoft wants to do is to further annoy third party devs who have enough trouble with service packs already.
Incidentally, poking the WinAPI shouldn't be that big a deal considering how much work us third party Windows developers have already done to catalogue it. It is a popular Slashdot myth that nobody knows how Windows works. In reality, it's more like the Linux/BSD situation than you think. There are a FEW developers who know how EVERYTHING in Windows works and (more importantly) what doesn't. But almost everybody knows a couple of API tricks. By this point, the whole API has been traversed and documented -- check out sites like allapi.net or dotnet247 for decent free info on the APIs and their side effects, and sites like SysInternals for tools to uncover the "secret world" of your Windows kernel. Process Explorer alone is a godsend...it's like a really handy GUI front end to grep, ps, and kill on Linux/UN*X with the ability to remove file, process and registry handles without (necessarily) crashing the program that opened them. -
One Removal Tool to Rule Them All
Sysinternals Freeware AUTORUNS Applet.
Allows manual removal of anything and everything you don't want.
Without question, worth the $0 it costs to download.
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml -
Re:Just run Spybot
I suggest pstools, specifically pslist. These handy apps and a little scripting can do wonders on a Windows network. Of course spyware is the least of your problems if you are responsible for a large network of workstations (linux or MS) and you do not already have some type of package management and reporting solution in use.
-
Re:I have a question
Just a note regarding 0-day exploits: SysInternals (the people who brought you filemon, regmon, etc) write BGInfo, a low-CPU no-memory way of displaying important system properties. If you do have it installed, you can tell it to display the timestamp of the file C:\Program Files\WindowsUpdate\V4\iuhist.xml, which should be the last time WindowsUpdate was run, helping remind you to run it frequently.
-
Re:Bugfixes?
Microsoft calls NT a microkernel, but it's not. It is closer to a layered client/server model. Also, the kernel proper is different than kernel mode. If anything, NT has too many things running kernel mode. Since NT4, most of win32 runs in kernel mode (win32k.sys).
Disk access running in user mode? Let's say you open a text file with notepad. Notepad calls CreateFile from win32 in kernel32.dll, in user mode. Win32 translates CreateFile into the native function NtCreateFile (ntdll.dll). All NtCreateFile does in user mode is load that function ID into a CPU register and raise a software interrupt. After that, everything is in kernel mode. Software interrupts for system calls are handled by KiSystemService (in ntoskrnl.exe). The corresponding entry for NtCreateFile in KiSystemServiceTable translates to ZwCreateFile. After that, the filesystem driver takes over. (Same thing with reading/writing.)
Overall, applications are on top, then win32 (or some other subsystem), then the native api (ntdll), then in kernel mode the minidrivers, executive services, low level drivers, the kernel itself, and the HAL at the bottom.
See http://www.sysinternals.com/ntw2k/info/ntdll.shtml for more information. (and the whole website) -
Win32 on a new machine at a new job
- GNU emacs for win32
- Perl for Win32
- Core GNU unix utils for Win32 (sorry, cygwin is just too much hard work to keep it all working)
- Visual Studio v.whatever for VB, C++ etc. (whatever "the job" is)
- WinZip to unpack stuff above, and then to regularly curse how crap it is in so many ways
- All the SysInternals stuff, RegMon, FileMon, etc.
- Personal copy of Perforce to keep track of stuff I write from day one.
The rest is just decoration and glitter (and that includes Office, Acrobat [spit] etc.), or I can write it myself given the above.
Does copying over my bookmarks, docs, command line utils etc count ??
-
Re:Are y'all nuts?
are all y'all nuts? Reinstalling the OS once a month or even once a year? Holy shit! My current box is 4 years old and I've never reinstalled the OS and hope I never have to.
Once a month I consider rather excessive, but for a Windows box, reinstalling at least once a year greatly reduces the kruft. After a clean install, you can feel the improved responsiveness.
Anyway, my list of the first ten (+1 x2):
0) Turn off half of the default Windows crap (services, the recycle bin, CD autostart, etc), and perform assorted registry tweaks to stop Windows from acting like a crippled DOS-box-with-GUI (ala Win95) with only 64MB of RAM (such as LargeSystemCache, NtfsDisableLastAccessUpdate, CompletionChar, and DisablePagingExecutive).
1) PageDefrag, which keeps your registry and pagefile in a single contiguous file (though you should always have your min and max pagefile the same, so that doesn't get fragmented in the first place).
2) AntiVir. No sane person goes without an AV program, and IMO, this counts as the best of the free ones (for that matter, I consider it better than Norton as well - Slightly more awkward autoupdates, but it doesn't hog system resources). Best of all, as a non-USian program, it doesn't deliberately ignore "official" virii such as the FBI's Magic Lantern.
3) AdAware. We all know what it does.
4) SpyBot. Ditto, and it catches some things that AdAware doesn't (and vice-versa).
5) Mozilla, of course.
6) Winamp. I still prefer the v2.x series, but, gotta have at least one of them.
7) TeraTerm Pro and TeraTerm SSH. Technically two installs, but only a moron would use unencrypted telnet these days.
8) Calypso, a really nice (and free-as-in-beer) email program. Want the latest, greatest features in your email program, making it all but indistinguishable from a full-featured web browser and media player? Don't use this. Want a safe medium for text communication, with fairly powerful regexp filtering? You'll consider Calypso a godsend.
9) The GIMP. 'nuff said.
10) Finally, a compiler (or three... The next dozen installs after this one would include various other dev tools). Currently I still prefer Borland C 5.02, sadly not free. Although advancing technology has already made it basically obsolete, it has what I consider the most straightforward IDE of any development suite out there.
0, part 2) Repeat step 0, since by this point Windows will have tried to undo half of my changes from the first time.
Okay. Ego-post of the day done. -
My Windows List
User interface, Windows system, Internals...
- Aida32, hardware display and diagnostics
- CoolTaskBar to sort out the mess (particularly in Windows 2000)
- FreshUI, tweaking utility
- TweakUI, same as FreshUi, but different options, these two combined give you a lot of different options.
- PowerToys, tweaking utilities. In particular the [Send file name to clipboard] and other options which I cannot work on Windows without.
- Get everything from SysInternals, a ton of wonderful stuff here, too much to mention, but will let you track every file access, every registry write, every debugging message. Tons of great command line tools too. For instance, ever wanted to delete a file only to get a "There has been a sharing violation. The source or destination file may be in use" message? Where Windows doesn't even know for sure if the file is in use or not. Get Process Explorer from SysInternals.com and type the file name in its [Find][Find Handle] menu. Close or kill the appropriate process if necessary.
- Desktop Manager or FlashDesktops, gives you 4 desktops just like on Linux.
- Alt-Tab Replacement, Gives a screenshot of window Alt-Tabbing, useful when you have multiple unsaved docs open, etc...
- OpenCommandWindowHere, right-click on folder option to open command prompt window at that folder, useful for deep or complicated folder names
- Memstat XP, lets you monitor memory usage in tray, small and simple but not that useful.
- NetMeter, lets you monitor network usage in the tray, small and simple but does not seem to work on all types of network interfaces. Online Eye Pro works better and has lots more options, it's based on WinPCap just like Ethereal (see below).
- TrayMeter, lets you monitor cpu usage in the tray, small and simple.
- WinRAR, unzip anything you want, supports tar.gz, zip, rar, arc, and much more.
Network Utilities
- Xmanager, excellent X-windows manager.
- FreshDownload, Download Manager
- ssh, scp, wget, rsync... comes on CYGWIN
- Putty (and friends), ssh client and other utils (but ssh is part of cygwin and works just as well)
- WinSCP, a wonderful SCP/SFTP client for windows (scp is part of Cygwin but this is easier to use)
- NetScanTools a GUI interface for most command line tools also found in cygwin
- WebDrive, mount various types of network protocols (ftp, http, ssh) as local drives, buggy but useful (RiverFront)
- POPfile the best spam remover I've found so far (works with outlook express and any app)
-
first ten on Windows
I install these programs first on new Windows machines.
- firefox
- cygwin (including emacs, ncftp, wget, openssh, grep, sed, and other favorites)
- putty
- ntfilemon/ntregmon
- Java2 SDK
- winamp
- VideoLAN Client
- wget
- WinPT/gpg
- Filzip
VNC, Emacs for Windows, VMWare, CDEx, Vorbis Tools, DaemonTools follow. I like Photoshop but as long as it's crippled (currency watermarks) and activated I'll never buy another license for it.
-
A few I haven't seen...
For Win32
1. Proxomitron - awesome web filter.
2. mSys+mSysDTK+MinGW (extremely useful *nix tools that don't require a Cygwin shell)
3. Winroll -Next best thing to a useful Windows desktop manager
4. Sysinternals utilities
5. Vim!!
Of course others, but they've been mentioned above.
-
Re:possibly crap, but might work...
No, windows and message queues (and other similar GDI/USER objects) are managed by the kernel in Windows.
win32k.sys != the kernel. Yes, in NT4 and later, MS decided to move most of csrsrv.dll into win32k.sys. These manage message queues for User32, drawing for GDI and some win32 state info. csrsrv.dll runs in user mode hosted by csrss.exe. win32k.sys runs in kernel mode but it certainly is not part of the kernel. I guess you're thinking of the kernel32 -> ntdll mapping.
Libraries like kernel32.dll are the application's interface to win32. Many services, like mapping memory, don't require win32 and map directly into a call into ntdll. Basically win32k or csrss represent the server in NT's client-server architecture.
See this article for an in-depth description. -
Re:When he learns to use the OS!
And he's gonna find out the specific registry keys the application accesses how, exactly?
By RTFM!
Or how about using google to search for "how to find out the specific registry keys the application accesses"?
Links #2 and #3 point to a free tool called RegMon which is even easier to use than the auditing approach.
-
Re:That's ridiculous.
Sysinternals are the gods of NT. They have an app called native that prints a message before the Win32 subsystem starts. All by using only the NT native API.
-
Re:That's ridiculous.
Seems that nobody can provide a list of these supposedly undocumented calls
Sysinternals has an excellent article with a list of undocumented NT functions.
-
Autoruns - the free solution.
Autoruns from sysinternals is about all you need to find and track down most viruses and spyware. When launched it shows every registry entry and folder that a program can use to launch itself at boot or login. If it's not in this list, and you didn't launch it yourself, it's not running on your computer. You can use autoruns to launch regedit and remove the offending entries.
It does take a bit of general Windows knowledge to know what entries should be in there, and what shouldn't, but any idiot can tell that c:\4545$5-ee.exe shouldn't be running at login.
The only thing autoruns can't see is all the crap that gets installed as IE browser extensions. You can either disable extensions in IE, or use firefox. -
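A read-only sweep of the same Run/RunOnce keys and Startup folders that Autoruns walks, as an added example that is not code from this post or from Sysinternals. It assumes PowerShell on Windows and treats Program Files and the Windows directory as the expected homes for autostart binaries; anything elsewhere, or pointing at a file that no longer exists, is flagged for manual review.

```powershell
# Added example, not from the post or Sysinternals: an Autoruns-style,
# read-only sweep of common autostart locations. Entries whose executable
# sits outside Program Files / the Windows directory (the c:\4545$5-ee.exe
# kind of oddity the post mentions) are flagged. Nothing is modified.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Assumed "expected" roots for autostart executables (adjust to taste).
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ExePath {
    # Extract the executable from a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /background   or   C:\tools\bar.exe -x
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Test-TrustedLocation {
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).ToLowerInvariant()
    foreach ($root in $trustedRoots) {
        if ($expanded.StartsWith($root + '\')) { return $true }
    }
    return $false
}

$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets
$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath -Command ([string]$p.Value)))
        $findings += [pscustomobject]@{
            Location = $key; Name = $p.Name; Target = $exe
            Exists   = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            Trusted  = Test-TrustedLocation -Path $exe
        }
    }
}
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($item in Get-ChildItem -Path $folder -File) {
        $target = $item.FullName
        if ($item.Extension -eq '.lnk') { $target = $shell.CreateShortcut($item.FullName).TargetPath }
        $findings += [pscustomobject]@{
            Location = $folder; Name = $item.Name; Target = $target
            Exists   = ($target -ne '') -and (Test-Path -LiteralPath $target)
            Trusted  = Test-TrustedLocation -Path $target
        }
    }
}
# Untrusted or dangling targets sort first: those are the rows to investigate.
$findings | Sort-Object Trusted, Exists | Format-Table -AutoSize
```

Autoruns itself covers many more locations (services, drivers, scheduled tasks, shell extensions); this only demonstrates the Run-key and Startup-folder part of the check.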
Sysinternals' RegMon and FileMon
Both these utilities from SysInternals allow you to log realtime entries to a file. Turn them on when you install something and you have a log of everything the installation program touched.
RegMon:
This monitoring tool lets you see all Registry activity in real-time. It works on all versions of WinNT/2K, Windows 9x/Me and Windows 64-bit.
FileMon:
This monitoring tool lets you see all file system activity in real-time. It works on all versions of WinNT/2K/XP, Windows 9x/Me, Windows XP 64-bit Edition, and Linux. -
Re:WinFS WILL be in the next version, just no netw
1. You only need a 3rd party tool for command-line support. The disk management mmc snap-in lets you do the same thing: right click on a volume and select 'Change Drive Letter and Paths'. (Actually, the drive letter itself is just a symlink to the device in the object manager namespace.)
2. Yes, it most certainly does work with SMB file sharing. Try it before you expect it not to work. -
Re:Privilege level
-
Re:Administrator gui logins are bad...
[...] I much prefer the way OS X handles it, in that you never "log in" as administrator, instead you just temporarily give privilege to one process when installing software or changing system settings. In most UNIX systems, you never log into the GUI as root. Because of this design in OS X, it pretty much forces apps to behave properly, and even casual users will usually understand that having to type in their password means "something important is happening".
Guess what? You can do the same thing in Windows: lookup runas (included) or sud or psexec. -
Re:I've set up a GNU/Linux machine for my kids too
"A number of the kids' games I've loaded on my XP machine won't run properly unless logged in as admin."
This isn't Windows' fault. There's a LOT of crappy programmers out there that don't really understand computers (CS Grads in it for the money, obsolete old timers that don't like change, etc.). They're used to developing on DOS based OSes and don't understand the concept of security and NT. They make their program with the assumption that the logged in user has full control on all resources.
To get around their crappy programs, usually giving write permissions to the local users group will do the trick. It may be necessary to do the same thing in the registry. Remember that regmon, filemon, and NT's auditing can be your friend. Regmon and filemon are free utilities made by Sysinternals.
-Lucas
-
Re:Shared file access
Tell me you've never gotten a sharing violation when using Windows.
Nothing that wasn't easy to fix -- although I don't admin a file server, either.
Describe to me under what circumstances you would want to avoid reading from a file by two processes at once
None. That's why I admitted that it's silly.
Tell me you haven't rebooted when installing software.
I have rarely needed to reboot after installing software on Windows. Most installation programs always tell you to reboot; needlessly. The last time I rebooted was last month to upgrade my video drivers (since the driver writers didn't write an unloadable driver: it is possible to change video drivers at runtime if they support it.)
That's not the point. The problem is that *developers don't*. They plop a zero in that field and don't worry about it.
The design of the win32 api is not solely responsible for that; the developers of those bad apps (and there are plenty, esp for Windows) are most at fault.
On *IX, you blow away a file, and the OS refcounts the thing. It doesn't break any applications currently using the file -- the file just doesn't have a directory entry any more, and when the last application using a file goes away, so does the file.
This is a great way to handle deletion; I wish Windows was the same. When you delete a file that is still open with shared delete access, the directory entry persists until all other references to the file are closed, then it's deleted. It's like using the flag FILE_FLAG_DELETE_ON_CLOSE with Create/OpenFile.
I could be wrong, but I doubt that Process Explorer will let me kill off said handles from a remote system (and certainly not if the access is from a different account...I might even have to go sit in front of the file server to run Process Explorer...I'll admit that it could have been handy other times that I've run into issues though, and didn't know about it).
For files opened with file sharing, there is the 'Shared Folders' MMC snap-in. It lists all the users connected, and all the files they have open, with the ability to disconnect either forcibly. Like (most) other MMC applets, it's easy to connect to a remote machine. If you want to view handles on remote computers, there is the command line program handle that you can run from telnet or from psexec. Sysinternals has a lot of great admin freeware for Windows in general.
Sit in front of the file server? What's wrong with terminal services?