Domain: sysinternals.com
Stories and comments across the archive that link to sysinternals.com.
Comments · 757
-
Re:Hint: Three Letters, and it hurts really bad
NTFS supports something similar to links (NOT shortcuts):
Sysinternals -
Re:It doesn't improve performance.
-
Re:It doesn't improve performance.
-
Re:Better than NTFS how?
Here is a command line utility to make symlinks in NT. It works well.
-
here are a few
kmeleon. no-skin lightweight mozilla
virtual dub video editor
all the sysinternals programs useful system utilities
miranda icq clone -
Re:Are You For Real?
Just a couple of points in the interest of basic accuracy:
You also neglect this technical problem in XP: "If you say no to some of the requests, some functions of Windows XP will not work (such as networking)." If you deny internet access to many components, XP will cease to function properly. Did you notice the long list he had of components that needed 'net access? Windows Media Player!?! That's a technical flaw that's borderline malicious.
Untrue. I agree that a stupidly huge number of apps and processes attempt to access the 'net, but it isn't true that XP will cease to function properly if you deny that access. My wife's external firewall is configured to automatically deny access to everything except to a small handful of specific apps/ports/addresses, and XP runs just fine. Yes, including Media Player.
There is also no technical solution to things like "Run DLL as an app" not telling you which DLL needs to be run. These programs should not be calling home unless they need to in order to function properly for the user's benefit. The way they work now is simply frivolous.
I do agree with you here in principle, although it isn't technically impossible to determine what DLL is making the call, just difficult. Many of the tools from SysInternals will show you all the nitty-gritty details of what DLLs are in use by each process, for example. Interestingly, Tiny Software's Personal Firewall is still able to block multiple apps using RUNDLL or the generic "service" process by maintaining hashes as identifiers. Unfortunately it's still up to the user to track down what specifically is trying to make the connection, though.
Also it should be noted that XP really doesn't "call home" as you said. At least, not in the sense that you wish to imply. If you pay attention to where the calls go, they do perform some useful task in almost all cases. (The value of these tasks is a completely separate question.) The real problem is that the user isn't given any choice in the matter, or even told that it's happening. But none of the connections I've seen or that I'm aware of were ever specifically a "call home" facility. Yes they might be tracked that way, but they aren't raw "call home" connections as you imply.
-
autoruns
here's an interesting one. let's say you (or someone you know) has just bought a brand new computer. or more or less new. or at any rate you know it works.
but the blarsted thing starts all this junk up when the machine boots! everything from media players, to monitor controllers, to printer and scanner watchdogs, almost certainly some schedule apps, and maybe a couple virusscanners! untold ram is just being gnashed away by a string of programs sitting in the systray!
so, i always, when i go to look at a friend's new computer, take autoruns from www.sysinternals.com . conveniently shows every thing which is scheduled to boot from anywhere in the registry or startup directory. lovely lovely app.
that, and a nice task manager (there are many available.) i like A.T.M. -
Battling Windows Cruft?
You just need the right tools... Many people have already mentioned the wondrous tools over at Sysinternals, but no one's mentioned any of the stuff written by some Finnish dude named Jouni Vuorio. Over at his site there's a really nice set of power tools with a registry cleaner, powerful file manager, and remote admin capabilities. While this set of tools is currently in beta I've never had a problem on my home Win2K desktop. On the other hand, I won't use beta software on production machines at work so I just use his stand alone RegCleaner which even when set to "Auto clean" and "Extra powerful" has yet to damage the registry on any PC I've used it on. It has even fixed a few PC's which would only boot into safe-mode. They're not open source, but they're definitely free as in beer. Try 'em out, I think you'll be as pleased as I am.
-
Cruft can be kept in check with some work.
I decided to build a new system some time in the fall of 2000, but prior to that I had been running the original Windows 95 install that I did some time in mid 1996. There were some hardware upgrades, sure, but I never resorted to reinstalling. My systems are highly customized, I like to set everything just the way I like it. So to me a reinstall is not something I do lightly. The system was not unstable at all, it was quite a workhorse. Sure, every now and then it would have a lockup of some sort, but we're talking once every few weeks. Now that I run win2k it's very rare indeed.
You can manage the cruft in windows. It's not impossible, even if you install/uninstall a lot of stuff. The important things are to know what's running (task list, services, run at startup, etc) and to get to know the registry. You must babysit for poor installation programs. Often they will add crap to startup, or icons on the desktop, or other weird things, which I would always delete. You also have to help some of them wipe their ass when you uninstall, as a lot of them leave junk behind. You have to be willing to go into the Windows system directory and examine questionable DLLs. There are a lot of tools to help with this. I recommend everyone who is interested go to www.sysinternals.com. There you will find programs such as REGMON and FILEMON which show you every registry access or file access in realtime, with the ability to filter. Also very useful is LISTDLLS which shows you which DLLs are loaded by every process in memory. If there is a file that's locked you can often find out who is using it with this program. The 2k resource kit has a free utility called Dependency Walker which will show you the library dependencies of any .EXE, sort of like ldd. You must also be familiar with certain areas of the registry, such as the part where stuff is loaded on boot, the "pending file rename" section, the section where apps install their preferences, etc.
I find a lot of times when I use someone else's windows machine I am appalled by the amount of crap they have loaded, and most of the time aren't aware of it. Programs that load stuff on startup without being very clear about it and asking you first really peeve me. I patrol the startup folder+registry entries very strictly, and keep the task list small.
You of course have to make sure your hardware is stable and you have to go through the process of finding a driver combination that is suitable. It can be very frustrating to mess with crap drivers and a ton of strange BIOS settings. But if you stick with it you can eventually find a combination that is bulletproof and will yield stability. If you don't put in the effort to do this, though, you will forever be messing with strange crashes.
It can be done, but it is not for the faint of heart.
-
The problem is with backups, not rollouts.
Without going into a long story, there is a problem in making backups of Windows XP that actually can be used to make a copy that restores full functioning. The Microsoft article says,
"Microsoft does not provide support for computers on which Windows XP is installed by duplication of fully installed copies of Windows XP. Microsoft does support computers on which Windows XP is installed by use of disk-duplication software and the System Preparation tool (Sysprep.exe)."
There is only one kind of backup that is a true backup: A fully installed copy, or some method of creating a fully installed copy. Microsoft is saying that that is "not supported". That language hides the fact that Microsoft made it difficult.
You said, "You most certainly can (and I have) use disk imaging software to back up and restore your system, complete with registry."
I've done it too. But, as Microsoft says, Microsoft does not support this. Think about that for a moment. Suppose Linus Torvalds said, "I don't want Linux to support fully functional backups". That would be preposterous. Why, then, do people accept the same statement from Microsoft? Maybe that is because they have been habituated to being abused.
Please take Microsoft's statement seriously. Consider a real life situation. If you have had a hardware failure, when you do the restore it may not be to a computer that is identical to the one on which Win XP was first installed. (If several years have passed since the computer was made, it may not be possible to buy identical components, for example.)
There can be serious problems with using a restored copy since, with Windows XP, most of the configuration is thrown into one pot, the registry. Yes, you may be successful hand-editing the registry, but maybe you won't. Even if you are successful, you could not call a backup that needs considerable adjustment a "fully functional backup". In a real life situation, the cost of doing a restore to alternate equipment may be more than the cost of completely re-installing the software.
The problem is not in changing the SID. SysInternals provides a free utility, NewSID, to change the SID. The problem is that Microsoft has deliberately made it difficult to make functional backups, apparently as a method of copy protection. Remember, we are NOT talking about manufacturers making copies that work on identical equipment. We are talking about a backup that can actually be used immediately after a hardware failure to do a repair in which the new system is not identical.
It is not impossible that someone could move a backup to new hardware. But, in practice, it may be impossible or too expensive under some circumstances.
I use disk cloning software when the hard drives are not identical, and a mirroring controller like the Promise FastTrak when the drives are identical. Remember, I am making copies that are fully legal because I have purchased licenses for them. I am only trying to save time; re-installing all the software might cost far more than the cost of Windows XP. The issue is not with rollout of new machines. The issue is whether your backup can actually be used to make a fully functional copy.
Most people who use Windows XP don't know of the existence of hard disk cloning software or hardware. One effect of Microsoft's policy is that Microsoft does not tell them. Even if they did have such software, and they knew how to use it, most users might still have the difficulties mentioned here. -
Windows editor with Borland/Control-key editing?
Anyone know of a Windows editor that uses Borland/Wordstar/Control-Key editing commands?
That shortcut key layout saves about 15% in editing time, because you do not need to remove your hands from the home row of keys.
That shortcut system is intuitive, also, because it uses a "cursor diamond". Control-E is line up (top of the diamond). Control-X is line down (bottom of the diamond), Control-S is character forward, and so on. (The arrow keys also work.)
Programs that use the control key in this way are meant to be used with a utility that makes the caps lock key a control key. Sysinternals provides Ctrl2cap, for example. The utility is run once only.
The Borland/Wordstar editing commands allow almost all operations without removing your hands from the home row. Many commands are two keystrokes. Control-Q Control-R goes to the top of the document, for example.
SetEdit is an example of a DOS editor with these commands. I would like to find a Windows editor. -
Re:Never crashes -- ditto, but I used a club on it
I install ZERO M$ software other than Windows itself.
It's not only MS's software that presents problems. I have Windows ME and I installed Norton Antivirus and Eudora. Both caused Explorer to have repeated crashes. After I installed Sysinternal's product Filemon, I found that their shell extension DLL's were causing invalid page faults. It was only after fiddling around with the registry that I solved the problems. -
Re:Amiga & Northgate Omni Key Ultra keyboards
I can vouch for that. My hands have been bothering me after working at the office using a generic Compaq keyboard, but I can go home and work on my Avant Stellar for hours and not have any trouble whatsoever. I'm using the misnamed ctrl2cap utility to map the caps lock key to a control key on my work keyboard, which helps somewhat, but my hands still feel achy at the end of the day.
-
sysinternals
sysinternals make loads of good tools for doing that kinda thing, often free and sometimes with source code
-
mod parent up..in fairness UNIX (or at least linux and the BSDs) are comparatively weak when it comes to multi-threading and lots of the slashdot zealots (sue me) could really benefit from actually sitting down with a copy of Inside Windows 2000 rather than just mouthing off about microsoft being evil and windows being crap.
multi-threading is why, for example aolserver can do with one process what apache needs a bunch of processes to do. (though i digress, aolserver only has to run tcl interps, where apache is much more versatile.)
meanwhile, both FreeBSD and NetBSD are trying to get SMP and scheduler activations into their kernels. this would improve their support for multi-threading substantially. there's a paper which explains this better than i ever could.
-
Windows Registry Access Security
I found this bug in several commercial programs I've purchased in the past. I would install a program on my WinNT machine and discover it could only be run from an administrator account -- even though it wasn't doing anything that would normally require special access. The tech support people didn't seem to think this was much of a problem, but I go by the philosophy that my run-of-the-mill userid should not have administrator authority.
I tracked it down to the security settings for some of the registry keys. The call to open the key requested full access, which required administrator authority. Apparently the software had been developed and tested on Win9x or administrator-level NT, where security does not really exist in the registry. The program did not require full access (read/write would be sufficient), but the coders probably didn't even bother with security.
The solution was to change the security level for a few registry keys. Once I did that, everything worked fine. I had to use a registry monitor to figure out what was happening.
-
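The failure described in the comment above can be reproduced with a small model of the NT access check. This is an added example, not part of the original comments: the access-mask values are the ones from winnt.h, the DACLs and tokens are constructed, and the check is simplified (no owner rights, privileges or generic-right mapping).

```python
# Simplified model of the NT access check on a registry key (added example).
# Mask values match winnt.h; the DACLs and tokens below are constructed.

KEY_QUERY_VALUE, KEY_SET_VALUE, KEY_CREATE_SUB_KEY = 0x0001, 0x0002, 0x0004
KEY_ENUMERATE_SUB_KEYS, KEY_NOTIFY, KEY_CREATE_LINK = 0x0008, 0x0010, 0x0020
DELETE, READ_CONTROL = 0x00010000, 0x00020000
WRITE_DAC, WRITE_OWNER = 0x00040000, 0x00080000

KEY_READ = READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_WRITE = READ_CONTROL | KEY_SET_VALUE | KEY_CREATE_SUB_KEY
KEY_ALL_ACCESS = (DELETE | READ_CONTROL | WRITE_DAC | WRITE_OWNER
                  | KEY_QUERY_VALUE | KEY_SET_VALUE | KEY_CREATE_SUB_KEY
                  | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_CREATE_LINK)

RIGHT_NAMES = {
    KEY_QUERY_VALUE: "KEY_QUERY_VALUE", KEY_SET_VALUE: "KEY_SET_VALUE",
    KEY_CREATE_SUB_KEY: "KEY_CREATE_SUB_KEY",
    KEY_ENUMERATE_SUB_KEYS: "KEY_ENUMERATE_SUB_KEYS",
    KEY_NOTIFY: "KEY_NOTIFY", KEY_CREATE_LINK: "KEY_CREATE_LINK",
    DELETE: "DELETE", READ_CONTROL: "READ_CONTROL",
    WRITE_DAC: "WRITE_DAC", WRITE_OWNER: "WRITE_OWNER",
}

ADMINS = "BUILTIN\\Administrators"
USERS = "BUILTIN\\Users"
SYSTEM = "NT AUTHORITY\\SYSTEM"

# Constructed DACLs: (ace_type, trustee, access_mask), evaluated in order.
DEFAULT_DACL = [("allow", SYSTEM, KEY_ALL_ACCESS),
                ("allow", ADMINS, KEY_ALL_ACCESS),
                ("allow", USERS, KEY_READ)]
READ_WRITE_DACL = [("allow", SYSTEM, KEY_ALL_ACCESS),
                   ("allow", ADMINS, KEY_ALL_ACCESS),
                   ("allow", USERS, KEY_READ | KEY_WRITE)]

# Constructed tokens: the set of group SIDs the caller holds.
USER_TOKEN = {USERS}
ADMIN_TOKEN = {ADMINS, USERS}


def missing_rights(dacl, token_sids, desired):
    """Return the requested bits that the DACL does not grant (0 = open succeeds).

    ACEs are walked in order. A matching deny ACE that covers any bit still
    outstanding ends the check with a failure; allow ACEs clear bits.
    """
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return remaining
        if ace_type == "allow":
            remaining &= ~mask
            if remaining == 0:
                return 0
    return remaining


def describe(mask):
    """Names of the individual rights set in mask, sorted alphabetically."""
    return sorted(name for bit, name in RIGHT_NAMES.items() if mask & bit)


if __name__ == "__main__":
    cases = [
        ("user, KEY_ALL_ACCESS, default ACL", DEFAULT_DACL, USER_TOKEN, KEY_ALL_ACCESS),
        ("admin, KEY_ALL_ACCESS, default ACL", DEFAULT_DACL, ADMIN_TOKEN, KEY_ALL_ACCESS),
        ("user, KEY_ALL_ACCESS, read/write ACL", READ_WRITE_DACL, USER_TOKEN, KEY_ALL_ACCESS),
        ("user, KEY_READ|KEY_WRITE, read/write ACL", READ_WRITE_DACL, USER_TOKEN,
         KEY_READ | KEY_WRITE),
    ]
    for label, dacl, token, desired in cases:
        missing = missing_rights(dacl, token, desired)
        verdict = "granted" if missing == 0 else "denied, missing " + ", ".join(describe(missing))
        print(f"{label}: {verdict}")
```

Even on a key that grants ordinary users read and write, a request for KEY_ALL_ACCESS fails on the rights the program never uses (DELETE, WRITE_DAC, WRITE_OWNER, KEY_CREATE_LINK), while a request for KEY_READ | KEY_WRITE succeeds without an administrator token.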
Re:ah, but "root" not required
Excellent point. For every bad thing you might be able to do with the source code, you can do an equivalent thing by some other means only using a binary. Everything from writing a dummy replacement that works its magic, then passes it back to the original code, to hooking and intercepting system calls, to actually modifying the files to call your own code during execution. Only one of these techniques really requires an extensive knowledge of reverse engineering and disassembling code. In some of these cases, the exploit would be far less detectable than a generic root kit installed on a UNIX style machine. System call hooking, for example, would involve a few new registry entries, and a new driver. A stub executable or library would involve only one extra file to appear on the system, and the signature of the file it was replacing to change (some viruses use this vector to replace winsock).
I think the point of all of this is, the moment an attacker gets administrative control to your machine, it's no longer your machine. The method they use to backdoor your machine, and the technique they use to break the security is not important. The other thing to remember is the attacker wants not to be detected for as long as possible, so if that attacker were to replace things like /bin/ls with modified versions from source, there's a chance that the behaviour of the program would drastically change and they would be detected. Let's take tar for instance. One version of GNU tar used 'I' for uncompressing bzip2 archives, while later versions use 'j', for example. -
Re:BSOD at Heathrow
Sure it wasn't a screensaver?
-
Other sleazy techniques
On the Sysinternals site, they have this update listed.
February 28
Regmon v4.34
Regmon now runs on Win64/Itanium, and a window-class randomizing scheme foils most software that otherwise tries to close Regmon in order to prevent you from monitoring the software's Registry accesses. -
Re:Excellent counterpoint. I like it!
This is VERY VERY true. There is an app called RegMon. It is basically a tail -f of Win registry hits. If you run this app (or a similar one), run it and go to WindowsUpdate (with IE of course... :-)). You will be afraid.
You'll see your full (registered) name, product ID, unique ID's, everything about your machine and you being accessed by the prompt that says "No personal information is being sent to Microsoft".
Seriously. Try it. -
Re:Ram usage doesn't matter???!
You could have defragged your disk and then run pagedefrag from Sysinternals.
It's usually best not to mess with the pagefile. Just let pagedefrag defragment it for you. The only catch is that you have to reboot to defrag the pagefile since pagedefrag needs full access to the disk. Oh and it also defrags your registry and other system files. -
Re:Scary
That's the Windows System Registry. There, you can get names, passwords, Install codes, all kinds of neat stuff. Hit Gnutella or Morpheus. Do a regex to get the keys, etc.
That's scary.
So what do you propose, there is no safe way to store passwords if you have to send them plain text later, that is if you assume security through obscurity is not safe which most people do
Oh and real men use regedit.exe (what's in a name) to search the registry and use regmon to find out what stuff software is storing/reading from the registry (that includes user.dat/user.man, which has unique user data rather than the system wide settings in system.dat) -
Re:Is this being totally misinterpreted?
Let me tell you about an interesting feature that XP has that the rest of the Windows line doesn't: It can have multiple users running programs at the same time.
WinNT (I think) and Win2K (certainly) can do this. Shift-right click a program or shortcut to a program and choose "Run as...". Alternatively, from a command prompt, type: runas /user:Administrator cmd.exe. (You may need a 3rd party program to do this under Win NT, but it should be possible.) Services also typically run as different users, as do system processes such as winlogon.exe, svchost.exe, csrss.exe and mstask.exe. As others have pointed out, Terminal Services also allows multiple users to run programs with their own privileges. In fact, Windows NT, 2K, and XP allow finer-grained control of processes, threads, and objects than Unix does. What XP allows is an easy way for multiple users to have their own individual desktops available at the same time (and their own Explorer process running on their appropriate desktop). Download Process Explorer from System Internals to see how processes under NT work.
-
Re:They just discovered...
Windows 2k supports symbolic links for directories:
Win2K's version of NTFS supports directory symbolic links, where a directory serves as a symbolic link to another directory on the computer. For example, if the directory D:\SYMLINK specified C:\WINNT\SYSTEM32 as its target, then an application accessing D:\SYMLINK\DRIVERS would in reality be accessing C:\WINNT\SYSTEM32\DRIVERS. Directory symbolic links are known as NTFS junctions in Win2K. Unfortunately, Win2K comes with no tools for creating junctions - you have to purchase the Win2K Resource Kit, which comes with the linkd program for creating junctions. I therefore decided to write my own junction-creating tool: Junction. Junction not only allows you to create NTFS junctions, it allows you to see if files or directories are actually reparse points. Reparse points are the mechanism on which NTFS junctions are based, and they are used by Win2K's Remote Storage Service (RSS), as well as volume mount points. -
Re:This is a great example of why I love Linux
Um. There are plenty of "inside windows" books and the like.
The guys at SysInternals have lots of inside knowledge of NT.
COM/COM+ is heavily documented (how do you think Gnome/Mozilla managed to copy it so well?). Lots of source code/examples are available too.
If you read any good OS book, it'll tell you things like the real time capabilities of NT compared to Solaris etc.
I don't see how knowing the scheduling algorithm used by Windows 2000 would help system administrators....but if you want to know, the information is out there. Perhaps you should start reading Windows technology related websites and cut down on the linux evangelist websites? -
Re:Pluging FS
Oh yeah, wasn't there a way to get ntfs support?
or is this something different? -
Russinovich book
While many argue that Microsoft is a (pardon my french) big bum-bum head, they do have a pretty snazzy windows system (with some exceptions, of course.) You've got to admit -- all security flaws and other massive problems aside, they've been doing windows There's a book that I have found IMMENSELY informative, helpful, and, in its own way, entertaining. It's called Inside Windows 2000, by David Solomon and Mark Russinovich. Mark runs sysinternals.com, a very cool site full of windows hacks and utilities that he's written. I run a Win2k network, and the sysinternals utilities have saved my life and a whole lot of work, many times. Check it out!
-
Re:Kazaa has it big time...
>So try a utility like this one: Sysinternals' filemon.exe [sysinternals.com]
That's what I was using for Ad-Aware scanning... there's a lot of tools at sysinternals to track the software that tracks you. There's also Regmon for monitoring changes made to the registry that is interesting.
One last thing you might want to check is a tcpmonitor process (there's one at sysinternals as well I think) to check where it's communicating (if you want to go that far)
For you linux people there's also a flavor of filemon (file access tracking discussed above) for linux, you can grab it Here -
Re:Kazaa has it big time...
> Also, notice when you're not uploading or downloading, but kazaa is running.. your drive burps every 5 seconds.... I'm still trying to figure out why.. it doesn't stop even after an hour.. it's not "windows-typical" drive burping.
I don't use spyware, so I never installed Kazaa, so I can't help you. But I'm curious, too. (I hate advertisers, and anything that threatens to kick over the rocks under which they grow is k00l by me ;)
So try a utility like this one: Sysinternals' filemon.exe
Could be as innocent as your swap file, 'cuz some Windoze proggies leak memory like sieves. Could be something less-than-innocent. Let us know!
-
Re:NTFS bug fixes?
It doesn't seem to bother the guys over at sysinternals too much.
-
Re:damn...
This don't work in 9x/Me, but for NT4 and 2K download PageDefrag from Sysinternals. It's free and works great for defragging page files and registry hives at boot time.
-
Re:Plenty of ways.
Assuming that these are Windows computers, there are several tools that allow you to query a computer remotely and obtain a list of the currently running processes and kill them. For example, sysinternals has just such a suite of tools available freely.
You could easily set up a scheduled task to look at the processes running on each computer and generate a list of ones that aren't on the "approved" list. I don't think that this is the right solution to this problem, but it is a possible one.
Kevin
-
Re:Symantec's writeup is wrong..
If you're running NTFS, AND you've been hit, *sigh*..
... then use NTFSDOS Pro.
Better yet, if you're using NT/2000 and you're stupid enough to double-click on an email attachment or even use Outlook, maybe you're spending your operating system money in the wrong area. Maybe personnel training? Maybe a different platform? I'm sure a business full of Macs wouldn't be bothered by this.
First they ignore you, then they laugh at you, then they fight you, then you win. -Gandhi
-
Re:Lame, Windows XP implementation
Actually, it is possible to use NTFS on removable media, although not recommended.
More at Sysinternals. -
Other resources
-
Other resources
-
Re:Terminal server is something different
What are they?
(etc)
When I talk about rights I should rephrase, I'm talking about security settings.
There are many, many things.
Check out gpedit.msc (just type it in like that to run it), secpol.msc (overlaps with gpedit.msc), rsop.msc (has/creates a redundant backup of the master policies). You can check out secedit (just run "secedit") that'll explain about security policies and how to give an easy way to tighten down your system. There are also under the registry just about everywhere, and also every single object in the system has an ACL (access control list) attached to it (including every registry key). So you could, for example, say that you are the only user allowed to use the second IDE channel or the first USB port, or even the CMOS timer. It's pretty cool. Go to sysinternals and check out the winobj program that shows you all objects in the system and you can change policies on them and do more stuff (be careful, you can royally fsck up your system!)
These are in all Windows NT/2K/XP systems and some are even in the 95/98/ME series as well (but not many). -
The proof? Examine yourself...
[sysinternals.com] provides some very useful tools, both CL and GUI. Amongst them is ListDLLs, a tool to examine DLL's in use by a specific process and to find out which processes use a specific DLL. Output is in clean and formatted text. A script jockey (no, that's not me) could easily create a script to list the DLL's in use by an Office application. This list of DLL's can be used to find out whether or not they are preloaded before the invocation of an office application and how office specific this DLL is (I mean: WinWord uses Kernell.dll, but that's not a very specific Office DLL).
You can also use their GUI tool Process Explorer. But because of the recursive character of this job and the huge amount of DLL's involved it will be a time consuming and RSI stimulating job to do.
Arleo
-
Re:Linux = saved money = power for the people
>he was a OS/2 freak.
Yeah, I was too. Still am. OS/2 did not have that stupid 504MB limit when Windows and DOS did. So I can see 2G of hard drive under OS/2 and 2 * 504 under Windows. Yeah, OS/2 crashes, it has bugs. I've seen its Black Screen. I've completely trashed it. But it is still way better than windows. The current OS/2 is still better than the current Windows.
> win3.1 came about the time of os/2
OS/2 had a lot more in it than Windows and DOS did. You forget that among the 28 disks was 10 for the inbuilt DOS/Windows emulator. Numbers of disks do not dictate usability in any case. It was at that time that most people did not have cdrom drives.
The latest version of OS/2 installs from an OS/2 session. In essence, you boot from the CDROM, and it loads a full GUI, where you can do things as if it were from the hard disk. One of the applications is to install it. Now THAT's user friendly. Link, you're not grubbing around with a command line interface and no gui.
> PC's got accepted in the house because you could play cool games on them. At the time (1992) we had typically 4MB ram, and Windows would gobble 2 of them. So you played under DOS. But then you start games from a DOS character menu.
>I agree, so what was your answer? Lemme guess, all MS right?
My current shop is MS. My former one was OS/2 server and PC-DOS stations.
>..., but happy for MS to send the same amount...
This is the same company that sent the lawyers around onto charities that were recycling PC's to underprivileged kids. Hmmm.
>>The other thing is that MS has been getting some very BAD publicity in relation to WTC. You see, the FlightSim is a fairly accurate representation of many cities, and provides a fairly easy way to learn your way around the skylines of a city. This point has not been lost on Sky TV.
Have not found a link for this: I saw it on the television.
>I mean jeesh Dos can't read HPFS.
Actually, you can load a driver for it, and read and write to it. Installable file systems started with DOS 4. It got a bad name because it took up a megabyte of ram when computers typically came with just 4 MB. NTFS is based on HPFS.
The sad thing is, to do anything useful with a Windows computer, you have to do it from DOS, and load NTFS drivers from there. Try Here for the goss. I can boot OS/2 with the proper drivers from floppy disks: this point is lost on most MS users.
>Again I go back to my point of a single vendor for all your products.
So why not Aptiva PC + OS/2 + Lotus Smartsuite, all from IBM :), or Sun box. Having all the products from the same user is not going to make users use style sheets, and not press return at the end of the line.
MS has no incentives to fix bugs unless they get bad publicity. The calculator thing from Win 3,0 was not fixed until Wall Street Journal ran a story on it. The bugs documented in the Tech data base from NT 3,1 still bug me under win 2K. But they now put some sort of web browser on it, which is pretty stupid if there's no wire to the net, or the thing's a server.
The real reason that people leave the single vendor option is that they're too expensive. Apple Macs never got a big share of the market because they were too expensive, and it was only that Compaq cloned the IBM BIOS that made the PC market competitive. The MS office suite is way overpriced compared to its competitors, but because they offer it as a cheap OEM option, things change. But I have seen Word and Excel trash documents beyond belief. And because the format is secret, it is not recoverable by anyone.
The same people who make this, I presume will willingly pay more for genuine Ford/GM parts for their car too ...
>I did what I could. You really gotta quit makin personal presumptions about me and just stick to the debate OK?
Not you in particular. No, the big trouble since the seventies is this culture that the big boys will look after the big things in town. I mean, we don't have the culture that spawned Greenpeace or the nuclear disarmament any more. About the only things going for people involvement are TeamOS/2 and Linux
But the thing is you have to stop beating MS's drum. Sure they gave 10 million. And you going around saying this is giving them free publicity. Yes, MS waves the flag: look, aren't they good. It's 5 million in cash and 5 million in tech. I suppose that 5 mill is in street prices, not what they get. I mean, I could give out licences of my product, and say I am donating it at street prices.
The actions of MS deserves to be viewed with healthy cynicism.
>When I do my /. posts if i'm including links i'll use frontpage
I just type the mark up direct: {a href="url"}linkword{/a}. But then, I type most formatting and styling as I go. For this, Amipro had an intelligent use of the function keys as separate styles: F2-F9, F11, F12 were all different style keys, defined in the style sheet. Bold and Italics via ^B and ^I.
-
Here is how to stop the infected servers
Here's a better way. THIS WORKS. It takes advantage of the fact that NIMDA (1) enables the Guest account, (2) blanks its password and (3) puts Guest into the Administrators group.
Use whatever tool you use to detect incoming NIMDA attacks toward your servers. A simple way is to just put a dummy port 80 listener on a box that nobody has any reason to connect to, and assume all incoming port 80 connects are from worms or other attackers.
Whenever you get an attack, launch the following script:
net use \\%1 /user:guest
psshutdown -t 5 -m "This system is infected with NIMDA! Shutting down..." -f \\%1
net use \\%1 /d
%1 in the above should be the attacking IP.
This uses PSSHUTDOWN.EXE which you can download from System Internals. It could easily be adapted to use SHUTDOWN.EXE from the resource kit.
Yes, I realize this is probably illegal in most jurisdictions. Save your flames.
-
Re:Secret APIs exist, MSFT uses them as a weapon
Hrm, after reading your post again, it's clear that you're massively misinformed (and ignorant of facts).
But go on, tell me how to emulate fork() using Win32 calls
Read this
Tell me how to do things like write my own login service
Use the Windows GINA APIs. Novell does this.
Read this
Tell me how to do disk defragmentation using Win32 calls
Ok, there aren't any Win32 API calls for this yet. It doesn't seem to be a problem (seeing as there are MANY defrag utils for windows - much more so than for Linux).
You can read this if you want to know how to do it using the Native API.
Tell me how to write an IFS using Win32: I want to put my Solaris UFS disks on my W2K box so I can get rid of this expensive Sun hardware.
I'm pretty sure you can write a virtual device driver to do this. There are tools that emulate virtual drives (from ISO images etc). Also, I believe there is an ext2fs driver for windows around somewhere.
-
Re:Secret APIs exist, MSFT uses them as a weapon
Stop trivializing the problem, Shill-boy. Of course I expect MSFT to have people use the APIs. MSFT programmers have to use them to do things like write the POSIX subsystem, write the login system.
Of course, if what you shill I mean say is true, then MSFT is keeping the native API under wraps because it's so crappy. That's not true, of course: there's some things you can do in the native API that you can't do in Win32. You can't clone a process's address space in Win32, so you can't emulate the Unix fork() system call in Win32. The POSIX subsystem does emulate fork(), so MSFT does use the native API.
But go on, tell me how to emulate fork() using Win32 calls. Tell me how to do things like write my own login service. Tell me how to cancel an outstanding asynchronous I/O request in Win32. Tell me how to do disk defragmentation using Win32 calls. Tell me how to write an IFS using Win32: I want to put my Solaris UFS disks on my W2K box so I can get rid of this expensive Sun hardware.
Really, you should read the URLs I put in my article. You don't have to believe me, you can believe Open Systems Resources, you can believe Mark Russinovich. Read the references I put in my last article before shilling further, and please, back away from the crack pipe.
-
Secret APIs exist, MSFT uses them as a weapon
The "secret APIs" are not a rumor. Notice the dates on these references, the secret APIs have been in NT all along.
- Using the NT API for file I/O
- Inside the Native API
- Do you need source? - go down the page about a third of the way: The conclusion was that Vogels's group used source code only as documentation (there is no other documentation for NT), examples, and to understand the behavior of NT. It turned out to be useful for debugging, and it led to the discovery of interesting APIs that are not documented or available in Win32.
- Inside Windows NT Disk Defragmenting - MSFT gave one company access to the defragmenting APIs, and never bothered to document them to anyone else.
MSFT hasn't hesitated to use the secret APIs either. From the July 10 InternetWeek: Microsoft has historically achieved market dominance by controlling APIs and forcing competitors to write software to Microsoft's APIs, then changing the APIs. "Instead of satisfying their own customers' demand, competitors are busy catching up with Microsoft," said IDC analyst Dan Kusnetzky.
From the October 8, 1998 NY Times: And Microsoft, the people added, did what it has always denied it does -- used access to its technology as a powerful lever in business negotiations, by offering Netscape preferential access to the Windows "application program interfaces," or A.P.I.'s, the links that enable other companies' programs to run smoothly on the Windows operating system. By turning down the deal, Netscape, they say, would not have that preferred access to Microsoft technology -- a threat that Microsoft fiercely denies making.
Think about it - can you, using only Win32, write all of the stuff that MSFT provides with NT/W2k? No. Clearly, MSFT keeps APIs to themselves. MSFT wants to allow itself the latitude to write faster, more functional programs than the ordinary developers can write. MSFT has proven time and time again that it will use secret APIs to its own advantage, or to the advantage of selected partners (Executive Software, for example). This practice is certainly bad for the consumer. Secret APIs raise the cost of entry into the NT system software market, which will keep out competitors, raise prices, and reduce choice.
-
Access to NT source code been avail since v3.51
NT 3.51 didn't have the necessary API hooks to allow native defragging.
"Executive Software was forced to purchase a source license for NT and to create and ship custom versions of NTFS and FAT, as well as NT itself, along with their defragmentation code."
"According to Executive Software, they requested specific functionality in NTFS and FAT for cluster reallocation, which Microsoft added for them."
You can read more at http://www.sysinternals.com/ntw2k/info/defrag.shtm l
P.S. Does anyone know why /. adds an extra space between the 'M' and 'L' in the above url? Probably a bug that assumes urls don't contain more than 4 characters after the period.
-
Re:seriously,
Actually, we saw a drastic improvement in performance moving from the expensive Sun boxes to the cheaper Dell servers. I'm not sure if it's the boxes themselves or the fact that IIS serves static content faster than apache. The CGI part isn't performance critical so I'm not bothered if that's slower, but it seems to be just as fast in my preliminary tests.
-
Re:DOS Format C?
This reminds me ... In a related vein, Windows lusers may find Mark Russinovich's BlueScreen Screen Saver highly amusing. Anyone know of an equivalent for *nix?
-
Re:But I like the noise!
It lets me know something's happening. Blinking lights on the panel.
Yeah, I missed this too. But then, I took the hard drive out of the SilentDrive enclosure, and boy, that was terrible! How could you guys stand this din? I put it back in a minute.
Also, there is a neat utility, Diskmon, that can act as a disk activity LED in your system tray... Yeah, it's for Windows. I believe there should be something similar for your favorite OS.
Add your best "Noise busters" link here
-
Re:How very defensive, let me clarify...
While not wishing to fan these flames further, there are some (IMHO) good utilities from sysinternals which allow you to do this for free.
filemon will report file update/access and regmon will report registry update/access.
I haven't tried your examples, but I have found that even if the output from these is rather verbose, given some judicious regular expressions the output can be cut down to manageable size.