Domain: sysinternals.com
Stories and comments across the archive that link to sysinternals.com.
Comments · 757
-
Re:Simple risk mitigation
Actually Filemon and Regmon can help very much with troubleshooting permissions. I used them to get Great Plains 7 (which is a fucking M$ product btw) running under regular user accounts; extremely time consuming, but worth it in the end.
I agree though... lots of shitty legacy software to deal with. So true on the Event Log LOL. -
Let's hope it's not broken.... Whilst I'm not totally convinced on the secure attention sequence idea, let's hope that if Apple do implement it, they make sure it works.
Unlike Windows, where it's not secure as you can intercept it. Have a look at the SysInternals Ctrl2Cap utility for a working example.
-
Re:Process Explorer
Yup. Process Explorer, Filemon, and Regmon should be in everyone's toolboxes. And it might not be a bad idea to download everything from SysInternals as it was recently acquired by Microsoft and may not exist much longer. From the announcement on their blog:
As for Sysinternals, the site will remain for the time being while Microsoft determines the best way to integrate it into its own community efforts, and the tools will continue to be free to download.
-
Several Sysinternal tools
There are some very effective free tools from Sysinternals.com:
1. Process Explorer - it shows not only the list of processes, but also their paths on the disk. http://www.sysinternals.com/Utilities/ProcessExplorer.html
2. Autoruns - shows all processes and services launched automatically on start, and allows disabling them. Very useful for temporarily disabling DRM crap like cdac11ba.exe, temporarily disabling Google Web Accelerator on start, etc. http://www.sysinternals.com/Utilities/Autoruns.html
3. RootkitRevealer - the name speaks for itself. http://www.sysinternals.com/Utilities/RootkitRevealer.html
Other tools allow monitoring access to files, to disk, TCP/IP traffic, etc. -
Root-Kit?
Why hasn't anyone mentioned root-kits?
My gf's computer had a root-kit on it. I go to a tech school, and nearly everyone knowledgeable here (even IT guys) went over the damn thing to see what was wrong. It kept doing pop-ups, like it had some type of ad-ware, but it didn't appear to have anything abnormal running. It didn't matter if it was IE or Firefox, the ad would pop up at pretty regular intervals. Every possible thing was checked, from using standard tools like Spybot-S&D, any number of free and bought virus scanners... Some people (including me) even pored over the registry by hand to find out if anything was running. Absolutely nothing.
It turned out to be a ROOT-KIT (2 actually, they hid each other. One user-mode, and one kernel-mode). The rogue programs actually were able to make Windows "not see" the file. On boot, Windows would see it just enough to turn it on, but after it was running it prevented anything from actually finding it, injecting code between the hard-disk access and low-level Windows stuff. Not Windows Explorer, not regedit, not Task Manager, not even 3rd party apps like win-task, or even defraggers.
http://www.sysinternals.com/Utilities/RootkitRevealer.html - RootkitRevealer 1.7 by Sysinternals showed a directory in "C:/windows", and one in "C:/program files", that if you went to look normally, didn't show up. I quickly booted up Knoppix and verified that there was some crap in there, but a search on the Internet showed nothing. Booted Windows into safe mode, and since safe mode doesn't run things other than Windows crap, I was able to delete the two folders, and even a registry entry that showed up about it.
If you can't find anything, maybe its because it won't let you find it! -
Re:Task Manager
Good point. Maybe download Process Explorer instead.
-Mike -
Sysinternals is a windows admins best friend
For any windows problem to which you do not know the answer immediately or through a quick google search.
Visit http://www.sysinternals.com/
Look through all the categories and short descriptions until you find a tool that could provide a diagnostic clue.
In your case Process Explorer will do the trick, just turn the highlight time up and you should see process creation (provided it is caused by a process).
If no new process is spawning, an existing one is launching the window, so compare the process listing against a similarly configured pc without the problem or a clean one and slowly remove processes until the one causing the problem is destroyed.
If all the processes listed are valid, then you may have a compromised exe or dll, so use Dependency Walker to find all the files used, then use md5sum or similar to hash them and compare the hashes against a clean machine.
If you think the problem may be using a network connection you get additional options; you can use tcpview & process explorer to find the process in question and then kill it. You can also use wireshark (formerly ethereal) from http://www.wireshark.org/ either on the machine itself or another machine to monitor the network traffic.
If all these steps are ineffectual, you may have a rootkit, so run rootkit revealer also from sysinternals.
If you suspect a virus/spyware then it can be difficult to use the machine itself to diagnose; instead grab a copy of Bart's PE with McAfee/Sophos & Lavasoft Ad-Aware and the registry redirector to scan the local machine. This usually will allow you to get the machine to a state where other tools can be effective.
Check out the Windows Resource Kits from Microsoft; they have a wealth of tools that may not be immediately useful, but can prove invaluable.
On domain machines, the first step is always to check any logon scripts/group policy. -
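The triage loop the post above walks through (watch for new processes, hash loaded binaries against a clean box, map listening ports to their owning process) can be scripted. The following is an added example written for this page; it is not code from the original post or from Sysinternals. It assumes Windows PowerShell 5.1 or later, and Get-NetTCPConnection requires Windows 8 / Server 2012 or newer; the baseline file name is hypothetical.

```powershell
# Added example (not from the original post or Sysinternals): automates the
# triage steps above. Assumes Windows PowerShell 5.1+; Get-NetTCPConnection
# needs Windows 8 / Server 2012+. File names in the usage block are hypothetical.

function Get-ProcessSnapshot {
    # One record per process. Path is $null for processes we cannot open
    # (protected or system processes), which is itself worth noting.
    Get-Process | ForEach-Object {
        [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Path = $_.Path }
    }
}

function Compare-ProcessSnapshot {
    # Emulates Process Explorer's green/red difference highlighting:
    # processes that appeared or exited between two snapshots, keyed on PID.
    param([object[]]$Before, [object[]]$After)
    $beforeById = @{}; foreach ($p in $Before) { $beforeById[$p.Id] = $p }
    $afterById  = @{}; foreach ($p in $After)  { $afterById[$p.Id]  = $p }
    foreach ($p in $After) {
        if (-not $beforeById.ContainsKey($p.Id)) {
            [pscustomobject]@{ Change = 'New'; Id = $p.Id; Name = $p.Name; Path = $p.Path }
        }
    }
    foreach ($p in $Before) {
        if (-not $afterById.ContainsKey($p.Id)) {
            [pscustomobject]@{ Change = 'Exited'; Id = $p.Id; Name = $p.Name; Path = $p.Path }
        }
    }
}

function Get-LoadedModulePaths {
    # Every distinct EXE/DLL mapped into any process we are allowed to inspect.
    $paths = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($proc in Get-Process) {
        try { foreach ($m in $proc.Modules) { [void]$paths.Add($m.FileName) } }
        catch { }   # access denied on protected processes: skip, do not abort
    }
    $paths
}

function Export-ModuleBaseline {
    # Run on the clean, similarly configured reference machine: Path,Hash CSV.
    param([string]$OutFile)
    Get-LoadedModulePaths | Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object { Get-FileHash -Algorithm SHA256 -LiteralPath $_ } |
        Select-Object Path, Hash |
        Export-Csv -NoTypeInformation -Path $OutFile
}

function Compare-ModuleBaseline {
    # Run on the suspect machine: modules whose hash differs from the baseline
    # (Modified) or that the clean machine never had loaded at all (Unknown).
    param([string]$BaselineFile)
    $known = @{}
    foreach ($row in Import-Csv -Path $BaselineFile) { $known[$row.Path.ToLower()] = $row.Hash }
    Get-LoadedModulePaths | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object {
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_).Hash
        $key  = $_.ToLower()
        if (-not $known.ContainsKey($key)) {
            [pscustomobject]@{ Status = 'Unknown';  Path = $_; Hash = $hash }
        } elseif ($known[$key] -ne $hash) {
            [pscustomobject]@{ Status = 'Modified'; Path = $_; Hash = $hash }
        }
    }
}

function Get-ListeningProcess {
    # TCPView in a few lines: listening TCP sockets joined to the owning process.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Id           = $_.OwningProcess
            Name         = $p.ProcessName
            Path         = $p.Path
        }
    }
}

# Usage (hypothetical paths):
#   $a = Get-ProcessSnapshot; Start-Sleep -Seconds 15; $b = Get-ProcessSnapshot
#   Compare-ProcessSnapshot -Before $a -After $b | Format-Table
#   Export-ModuleBaseline  -OutFile C:\triage\clean-baseline.csv      # on the clean box
#   Compare-ModuleBaseline -BaselineFile C:\triage\clean-baseline.csv | Format-Table
#   Get-ListeningProcess | Sort-Object LocalPort | Format-Table
```

The caveat the post itself raises still applies: all of this runs through the live kernel, so a kernel-mode rootkit that filters directory listings or process enumeration can lie to every one of these cmdlets. An empty Modified/Unknown list is evidence, not proof; a hash taken from a boot CD or another machine is the stronger check.
-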
The next step...
The next step, after doing that and downloading Process Explorer to make sure it isn't replaced, is to look in your startup with either MSConfig or Startup Control Panel.
http://www.sysinternals.com/Utilities/ProcessExplorer.html
http://www.mlin.net/StartupCPL.shtml -
Process Explorer
Download Process Explorer. It's like task manager on steroids. One of the things you can do is put "delays" on the list of running processes when the list changes, like with the addition/removal of a process/window.
Go to Options > Difference Highlight Duration, and set it like 15 seconds or whatever. New processes will show up in bright green for 15 secs, and killed processes will show up as red for 15 secs. -
Process Explorer
Process Explorer: Options > Difference Highlight Duration
-
Re:Blu-ray camp showed this at IFA 2005 !!!
"I can't believe it - is the Slashdot populated by demented anti-Sony fanbois?"
People have a long memory. Don't feel sorry for Sony though. They brought this on themselves.
Hopefully every corporation in the world that ever thinks about trying this Ministerium für Staatssicherheit shit on us again will think twice.
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html -
Re:Sort of unrelated
Sysinternals made a really nice BSoD screensaver for Windows.
-
Merry Christmas and a Happy Root Kit
<More Dead Horse Beating>
I can't help but wonder if their sales are going to suffer after their Root Kit shenanigans
</More Dead Horse Beating>
-
Re:Trail
Have you ever considered writing a shell plugin that aids in this process? Even a simple little app that you could toss a shortcut to in the user's Send To folder might be worthwhile.
Otherwise, this should probably work (but it requires a reboot - I like your method better): http://www.sysinternals.com/Utilities/pendmoves.html -
Re:How to turn it off..
You can't, obviously. But you can kill almost everything else: http://www.sysinternals.com/blog/2005/07/running-windows-with-no-services.html -
Re:Safari has similar capabilitites
My personal favorite method of dealing with hung apps is pskill, part of the PsTools suite - when you absolutely need to end a process right now.
Also cool because you can kill processes remotely if you're an admin. Fun with friends! -
Here's a free utility to defrag page files:
SysInternals.com has a free utility that defrags windows page files and registry hives, called PageDefrag.
-
Re:Not much, anymore...
Windows constantly pages because that's how the kernel works. Under Windows, EVERYTHING is dynamically loaded via paging from the page file. Yes, that means it's initially loaded directly to the page file. They do this to back-store, on demand paging. The way Linux does it is to load from a shared lib on demand. To do this, they load from the shared lib, into the VMM, where it can later be written out to the page file. On Windows, they directly load it to the page file, loading to the VMM as needed. I hate to say this, but the Windows solution actually has some advantages.
Thusly, no matter what you do under Windows, the pagefile is heavily used. I highly recommend the use of the Sysinternals PageDefrag utility. Otherwise, your page file can become very fragmented. If you're a Windows user, check it out! It also helps defrag the various system registry files, which are normally left untouched, which causes them to suffer from heavy fragmentation too. -
Re:Quick list
I couldn't find active links for one or two of them myself, but here's an updated list -- in some cases these aren't the original sites, which have disappeared, so obviously it's worth being extra careful with antivirus software... apologies for the mess of links; the filter doesn't like short lines...
1by1 (play MP3s), AriskKey (recover passwords), AutoRuns (enumerate startup tasks), BurnCDCC (burn ISO images), CD (basic CD player), CDex (rip CDs + convert MP3/WAV), Copier [0X Copy Machine] (scan + print), CWShredder (clean spyware), DComBob (tame DCOM), DirLister (make quick file lists), Discover (force windows onscreen), DupeLocater (find and clean), FileRecovery [PC Inspector] (undelete), Folder2ISO (use with BurnCDCC), FoxitReader (read PDFs), GUIPDFTK (split/join PDFs), HijackThis (find spyware), HJSplit (split/join files), Identify_Boards (identify hardware), KatMouse installer (due to MS drivers), LCISOCreator (make ISO image from CD), Leaktest (test firewall), Microsoft keygen (people lose things), MultiRes (change res + force refresh), Multi Timer (stopwatch), NoteTab Light (text editor), NTest (test monitor setup), OnTop (pin windows to foreground), Process Explorer (task manager), ProduKey (recover passwords), Registry Commander (virus cleanup), ResHacker (examine executables), Rootkit Revealer (just in case), ShootTheMessenger (turn service off), Shred by AnalogX (simple file shredder), TedNPad (unicode text editor), TFT (dead pixel locator), UNPnP (tame SSDP), UPX (compress executables), UnitConverter (what it says), utorrent (basic torrent app), VCdControlTool (mount ISO images). -
Arsenal of Tools
Funny, I also carry a thumb-drive with a removable memory card slot. It's this generic one floating around online: http://www.supermediastore.com/supermedia-handy-4in1--usb-20-flash-memory-card-reader-yellow.html
I think they're a great idea, because I can move with the SD card market as flash memory becomes denser and denser. Speed hasn't been a problem, either. The thumbdrives support USB 2.0 and my SD card seems to be capable of a very decent data transfer rate.
I have a collection of Windows tools on the drive. Not Linux tools, because I can usually accomplish whatever it is I'm doing in the Linux environments I encounter day to day.
Network Tools:
* Raw TCP/IP transfer -> netcat ( http://www.vulnwatch.org/netcat/ )
* SSH/Telnet -> putty ( http://www.chiark.greenend.org.uk/~sgtatham/putty/ )
* Port Scanner -> SuperScan4 ( http://www.foundstone.com/resources/proddesc/superscan.htm )
* Classic Port Scanner -> nmap ( http://insecure.org/nmap/download.html )
* Packet Capture and Analysis -> WireShark setup ( http://www.wireshark.org/download.html )
Editors:
* General -> vim 7.0 ( http://www.vim.org/download.php )
* Hex Editor -> xvi32 ( http://www.chmaas.handshake.de/delphi/freeware/xvi32/xvi32.htm#download )
Development:
* Tiny C Compiler ( http://fabrice.bellard.free.fr/tcc/ )
* nasm ( http://sourceforge.net/project/showfiles.php?group_id=6208 )
Misc:
* Lightweight Windows md5sum -> md5summer ( http://www.md5summer.org/download.html )
* Process Explorer ( http://www.sysinternals.com/Utilities/ProcessExplorer.html )
* MP3 Encoding -> RazorLame with lame ( http://www.dors.de/razorlame/download.php )
* Terminal Emulator -> TeraTerm Pro ( http://hp.vector.co.jp/authors/VA002416/teraterm.html )
The folder is 26.7MB. -
Sysinternals
There are a myriad of great tools out there, but personally I have a copy of almost everything from Sysinternals on my thumbdrive. Top of the list is Process Explorer, a (overclocked, souped-up, uber, and simply amazing) version of Task Manager. It shows everything you've ever wanted to know about a process but didn't know you could know. In addition, FileMon and RegMon are very helpful for troubleshooting permission problems, and the PsTools kit (psexec, pskill, etc.) is also great. They also have a free read-only version of NTFSDOS (and even an NTFS filesystem driver for 95/98). The TCP/IP tools are also very good to have on hand. Best part is of course that they are free, and many have source available.
If you do any Windows troubleshooting, this website is a must-have. No joke. -
Re:Umm , I think a completely blank hard drive...
Even better, delete the offending files and then run SDelete several times to overwrite all your free space with random data. Then they can't prove anything (although the inability to find deleted files is suspicious).
-
Re:Total crap
There is a description. ok... so how can I tell if that file is supplied by microsoft or is it droppings from malware?
System binaries have digital signatures. Five seconds on Google turned up To verify that system files have a digital signature. Process Explorer can also verify the signatures of loaded binaries. In any case, the system directories are trusted and can only be modified by highly privileged accounts (i.e. admins); if malware can put files in here, the machine is already compromised.
Even dll's are a pain in the butt to look up in the registry.. if I register it multiple times there are multiple entries (each under the GUID, not in English) and it is DIFFICULT to determine which one is "real"
Only COM libraries have GUIDs. The registry is not a dictionary of all libraries. Besides, if the machine registry has been altered by malware, that malware already had admin privileges and might as well have already installed a rootkit by now.
Think about what the complaint is about, even if not well written: NTFS allows secondary streams, and the only programs that use them for the most part are malicious. The complaint is that the OS allowing access to these streams is YET ANOTHER point of contention. It is not an exploitable hole (in the hacker sense), but it is exploitable by hackers (in the sense of making Windows hard as hell to keep secure). Simple to close that up.., yet Microsoft just seems completely unconcerned.
There are many legitimate uses for alternate data streams. For example, they're used by the summary information in the shell's dialog for file properties. This data is also used by the indexing service. Since the interfaces have been published and supported for a long time, disabling them could break a lot of software for something that admittedly isn't a vulnerability. If you've let malware create files at arbitrary locations on your disk, you've already got a bigger problem. Otherwise, use streams to locate existing alternate streams.
Launchd allows you to specify rights. You get a lot more control of the order processes are started. Launchd, like xinit, allows you to start processes on demand. Launchd can control who/what is allowed to start processes, unlike the "net start" command, "oh it's set to automatic, great, I'll start it" mentality.
The SCM allows you to specify any account (that has the "log on as a service" privilege) you have the password for to run the service as. SYSTEM and the low privilege LOCAL SERVICE and NETWORK SERVICE accounts are also available. Services can be started, stopped, and paused on demand via services.msc or sc.exe or the related API functions. Every service can have a list of dependencies. You can see these with services.msc or sc.exe enumdepend. These dependencies are always started before the service in question starts and must be stopped after the service stops. See About Services.
There are a lot of services that run as SYSTEM, but remember that Win32 doesn't have setuid binaries. Instead, NT uses privileged services accessible only on the local machine that listen for requests. Compare the entire list of setuid binaries plus daemons that run as root (and any dependent libs) on a UNIX to all the processes on NT that have the SYSTEM token (and any dependent libs) -- these are the comprehensive lists of system trusted user mode binaries for the two platforms. -
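The two concrete checks in the reply above, verifying the Authenticode signature on system binaries (what Process Explorer's signature verification does) and finding NTFS alternate data streams (what the Sysinternals streams tool does), can both be done from PowerShell. The block below is an added example written for this page, not code from the comment or from Sysinternals. It assumes Windows PowerShell 3.0 or later (for the -Stream parameter) and a directory path the caller supplies.

```powershell
# Added example (not from the original comment or Sysinternals). Assumes
# Windows PowerShell 3.0+; paths in the usage block are hypothetical.

function Get-UnsignedSystemBinaries {
    # Report every PE file under $Dir whose Authenticode signature does not
    # verify. Many Windows binaries are catalog-signed rather than embedded-
    # signed, and older PowerShell builds report those as NotSigned, so treat
    # NotSigned as "look closer" and HashMismatch (file changed after it was
    # signed) as alarming.
    param([string]$Dir = "$env:SystemRoot\System32")
    Get-ChildItem -Path $Dir -Include *.exe, *.dll, *.sys -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                Status      = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Description = $_.VersionInfo.FileDescription   # the version-resource text the comment refers to
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

function Find-AlternateDataStreams {
    # List every named stream other than the default unnamed $DATA stream.
    # Zone.Identifier is the browser "mark of the web" and is legitimate, so
    # it is hidden unless asked for; anything else attached to an executable
    # or living in a system directory deserves a look.
    param([string]$Dir, [switch]$IncludeZoneIdentifier)
    Get-ChildItem -Path $Dir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object {
                [pscustomobject]@{ File = $_.FileName; Stream = $_.Stream; Length = $_.Length }
            }
    }
}

# Usage (hypothetical paths):
#   Get-UnsignedSystemBinaries | Format-Table Status, Signer, Path
#   # Plant a test stream to confirm the scan sees it, then scan:
#   Set-Content -LiteralPath C:\triage\sample.txt -Value 'visible'
#   Set-Content -LiteralPath C:\triage\sample.txt -Stream hidden -Value 'not in dir listing'
#   Find-AlternateDataStreams -Dir C:\triage | Format-Table
#   Get-Content -LiteralPath C:\triage\sample.txt -Stream hidden   # read the stream back
```

A stream does not change the file's apparent size in Explorer or `dir`, which is the whole complaint in the thread; `dir /r` on Vista and later, or the scan above, is the counter.
-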
Total crap
It is not that hard to argue for OSX security over Windows security due to the track-records, but this article is total crap. A few of the points:
- All Windows background processes/daemons are spawned from a single hyper-privileged process and referred to as services.: Right, just like how OSX daemons are launched by launchd, what is the point here?
- By default, Windows launches all services with SYSTEM-level privileges: This is plain false, you have to give a user account that the service should run as, and at that point the extremely comprehensive NT security model kicks in.
- SYSTEM is a pseudo-user (LocalSystem) that trumps Administrator (like UNIX's root) in privileges. SYSTEM cannot be used to log in, but it also has no password, no login script, no shell and no environment, therefore the activity of SYSTEM is next to impossible to control or log: Right. I don't see the problem. This is akin to the classic "you should not always run as root", it is counter-intuitive to people used to the UNIX security model of course, but it is not by any means a bad idea. There is no reason to have ridiculously powerful login accounts when such privileges are better brokered by daemons. If needed you can of course still elevate the permissions though, but it should not be needed.
- Windows buries most privileged software, service executables and configuration files in a single, unstructured massive directory (SYSTEM32) that is frequently used by third parties. Windows will notify you on an attempt to overwrite one of its own system files stored here, but does not try to protect privileged software: This is an odd complaint, of course the NT security model applies to system32, set any permissions you feel like. Massive unstructured directory? In comparison to the fine old let's-dump-it-in-/usr UNIX tradition?
:)
- Microsoft does not sign or document the name and purpose of the files it places in SYSTEM32: Right click on any dll/exe in system32, click properties, click version and you get a short description of what the file is for.
- Windows requires extraordinary effort to extract the path to, and the files and TCP/UDP ports opened by, running services, and to certify that they are valid: Granted the builtin stuff is weak, which is why every sane Windows user quickly downloads Process Explorer (recently bought by Microsoft actually, keep your fingers crossed that it becomes standard). At any rate, pretending that this is an inherent property of the operating system is plain wrong.
- Access to the massive, arcane, nearly unstructured, non-human-readable Windows Registry, which was to be obsolete by now, remains the only resource a Windows attacker needs to analyze and control a Windows system: Massive sure. "Arcane"? How so? Seems quite similar to Mac plists actually. "Nearly unstructured"? This is just bullshit, it is extremely well-structured. "non-human-readable"? Well, use regedit, not unlike needing a utility to read binary property lists on Mac. The core of the complaint appears to be "if we hide settings all over the place they'll be hard to find for the bad people!" which is the worst attempt at security-through-obscurity I have ever heard.
- Another trick that attackers learned from Microsoft is that Registry entries can be made read-only even to the Administrator, so you can find an exploit and be blocked from disarming it and Malicious code or data can be concealed in NTFS files' secondary streams. These are similar to HFS forks, but so few would think to look at these: "Once executed with administrator privileges exploits can do hard-to-recover harm to your system, the horror!". These are idiotic complaints.
With all that said I can easily see people going to OSX to improve security, that does not make that article anything but deeply flawed however.
-
My Response (I know you want to read it!)
Interesting read. I agree with most of his points, with comments on the following:
Microsoft does not sign or document the name and purpose of the files it places in SYSTEM32
Most, if not all of the files can be identified through a simple Google search. It doesn't get Microsoft off the hook -- they should provide proper documentation, but such information is available.
Windows requires that users log in with administrative privileges to install software, which causes many to use privileged accounts for day-to-day usage.
Not all software. User-level installations should be possible to non-restricted directories.
Windows requires extraordinary effort to extract the path to, and the files and TCP/UDP ports opened by, running services, and to certify that they are valid.
TCPView. Now you have it. And since Microsoft now owns Sysinternals, I guess they have it too.
Malicious code or data can be concealed in NTFS files' secondary streams. These are similar to HFS forks, but so few would think to look at these.
This is not really Microsoft's problem. If no one can remember the features of the OS, it's their fault when they overlook them.
Apple's daemons have man pages, and third parties are duty-bound to provide the same. Admins also expect to be able to run daemons, with verbose reporting, in a shell for testing.
Duty-bound? Sure, they probably all provide them because that's what everyone else does, but most Windows applications include a help file too.
Launchd can tripwire directories so that if they're altered unexpectedly, launchd triggers a response.
I believe TripWire exists for Windows too.
The UNIX/POSIX API, standard command-line tools and open source tools leave malware unable to hide from a competent OS X administrator. It takes a new UNIX programmer longer to choose an editor than it does to write a console app that walks the process tree listing privileged processes. Finding the owners of open TCP/UDP ports or open files is similarly trivial. The "system" is not opaque.
I may be wrong here, but aren't there other ways of injecting malware into a system than setting it up as a detectable process? I know on Windows machines there are a number of ways to get around a process walk -- does the same thing exist in *nix? -
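Both the "Total crap" post and the reply above answer the "ports opened by running services, and certify that they are valid" complaint with TCPView. The same information is available without a separate tool, and the script below is an added example (not code from either poster or from Sysinternals) of doing it: every listening TCP port and bound UDP endpoint is joined to its owning process, the process image path, the services hosted in that process (so svchost instances are named), and the Authenticode status of the image, which is the "certify that they are valid" part. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and Get-NetUDPEndpoint (older systems would parse netstat -ano instead) and an elevated session so every process path is readable.

```powershell
# Added example, not from the original posts or from Sysinternals.
# Assumes the NetTCPIP module (Windows 8 / Server 2012+) and an elevated session.

# Map PID -> service names so svchost.exe instances are identifiable.
$serviceByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } | ForEach-Object {
    $serviceByPid[[int]$_.ProcessId] += @($_.Name)
}

function Get-EndpointOwner {
    param([int]$ProcessId, [string]$Proto, [string]$LocalAddress, [int]$LocalPort)
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    $path = $null
    try { if ($proc) { $path = $proc.Path } } catch { }   # System (PID 4) has no readable image path
    $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
    [pscustomobject]@{
        Proto     = $Proto
        Local     = '{0}:{1}' -f $LocalAddress, $LocalPort
        Pid       = $ProcessId
        Image     = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Path      = $path
        Services  = ($serviceByPid[$ProcessId] -join ',')
        Signature = $sig          # Valid, NotSigned, HashMismatch, UnknownError, ...
    }
}

$endpoints = @(
    Get-NetTCPConnection -State Listen | ForEach-Object {
        Get-EndpointOwner -ProcessId $_.OwningProcess -Proto 'TCP' -LocalAddress $_.LocalAddress -LocalPort $_.LocalPort
    }
    Get-NetUDPEndpoint | ForEach-Object {
        Get-EndpointOwner -ProcessId $_.OwningProcess -Proto 'UDP' -LocalAddress $_.LocalAddress -LocalPort $_.LocalPort
    }
)

# Full listing, then the part worth a closer look: listeners whose image is
# unsigned, tampered with, or could not be located at all.
$endpoints | Sort-Object Proto, Local | Format-Table -AutoSize
$endpoints | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Proto, Local, Pid, Image, Services, Path, Signature -AutoSize
```

A valid signature only tells you the file is what its publisher shipped; whether that publisher should have a listener on that port is still a judgement call, which is why the service names are carried alongside.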
Re:where did you read that?
Erm, about the fella that thinks he's already got R2...
R2 is a somewhat confusing new Microsoft-ism, it appears to me to be an upgrade of sorts to get new features for a variety of software "created" by MS, amongst them:
Windows Small Business Server 2003 R2
Windows Storage Server 2003 R2
Microsoft Systems Management Server 2003 R2
Microsoft Virtual Server 2005 R2
My guess would be he's running Windows 2003 Server R2 (I think it's been available for some time now)
I'd expect the "non-final core components" is a PR term for a bug, maybe one that was patched this month & was deemed important enough to stop shipment of the software? More likely just some crappy code coming from a MS developer (who'd guess huh??)
We should say well done to whoever made this decision, SBS is a key product for MS now & the fact that they didn't want to send out second rate code out to the front line of organisations who are most likely to leave open relays/become part of a botnet/whatever should be applauded.
I'd hazard a guess that the affected software didn't make it past the MS partners, if the code was checked on the production line it should have been found within a week or so of the first copies of the media being sent out. I doubt any organisation can figure out a way to neatly package & sell an updated piece of Microsoft software that quickly!!
Although installing SBS on a server, downloading & installing Apache, the Sysinternals utilities, the Google Pack, running Windows Update & finally sysprep doesn't take too long I suppose?? (-;
-
Re:We're stuck half-way
That said, does anyone know a way of automatically detecting software packages installed on a Windows PC?
Check out PSInfo
"psinfo -s \\remote_computer" connects to the Remote Registry service (on by default on XP) and shows you the "Add/Remove Programs" list. -
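What psinfo -s shows is the Add/Remove Programs list, which lives in the Uninstall keys under HKLM and is reachable over the same Remote Registry service. The function below is an added example, not code from the poster or from Sysinternals, of reading those keys directly with .NET's OpenRemoteBaseKey, so the result can be filtered and exported like any other object. It assumes the RemoteRegistry service is running on the target, that the caller has read access to HKLM there, and that PowerShell 3 or later is available; host.example is a placeholder name.

```powershell
# Added example, not from the original post or from Sysinternals.
# Assumes the RemoteRegistry service is running on the target and the caller
# can read HKLM there. 'host.example' is a placeholder.

function Get-RemoteInstalledSoftware {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        # Native entries, then 32-bit entries on 64-bit Windows.
        $paths = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
        foreach ($path in $paths) {
            $root = $hklm.OpenSubKey($path)
            if (-not $root) { continue }
            foreach ($name in $root.GetSubKeyNames()) {
                $k = $root.OpenSubKey($name)
                if (-not $k) { continue }
                $display = $k.GetValue('DisplayName')
                # Add/Remove Programs hides entries with no DisplayName and
                # those flagged SystemComponent=1; keep the flag visible instead.
                if ($display) {
                    [pscustomobject]@{
                        Computer        = $ComputerName
                        Name            = $display
                        Version         = $k.GetValue('DisplayVersion')
                        Publisher       = $k.GetValue('Publisher')
                        InstallDate     = $k.GetValue('InstallDate')
                        SystemComponent = [bool]$k.GetValue('SystemComponent')
                        Uninstall       = $k.GetValue('UninstallString')
                        Key             = "$path\$name"
                    }
                }
                $k.Close()
            }
            $root.Close()
        }
    }
    finally { $hklm.Close() }
}

Get-RemoteInstalledSoftware -ComputerName 'host.example' |
    Where-Object { -not $_.SystemComponent } |
    Sort-Object Name |
    Format-Table Name, Version, Publisher, InstallDate -AutoSize
```

Run it against a list of hosts and export with Export-Csv to get the inventory the "We're stuck half-way" thread was asking for; per-user (HKCU) installs are not in these keys and need the user hives loaded to be seen.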
Re:Mac Viruses & Spyware
"Even in the latest issue (September 2006), they persist in assessing the rate of Mac OS X spyware and virus infections by conducting a survey, an annual gaffe on their part. Rather than checking around and discovering that no such malware exists in the wild, they assume that computer users are able to judge for themselves the cause of computer difficulties."
"... no such malware exists in the wild"
Or has been detected in the wild, this is key.
Is it so tough to wrap your mind around this, in the era of DRM?
See:
Industrial espionage:
http://en.wikipedia.org/wiki/Industrial_espionage
The Industrious Spies:
http://samvak.tripod.com/pp144.html
"The perpetrators keep quiet for obvious reasons. The victims do so out of fear."
Sony:
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
Jedi mind trick: :-)
Obi-Wan: These aren't the droids you're looking for.
http://en.wikipedia.org/wiki/Jedi_mind_trick -
For Windows, SysInternals ctrl2cap
Those of us with Northgate Omnikey or Avant Stellar
keyboards can do this in hardware.
I'm guessing Das Keyboard can do it too.
For those lacking L337 hardware,
the System Internals app ctrl2cap fits the bill.
Comes with source.
http://www.sysinternals.com/Utilities/Ctrl2Cap.html
[ Russinovich & Assoc. recently sold their souls to
the Beast of Redmond. May Bog have mercy on them. ] -
Re:Useful for Vi users
Here it is on sys internals: http://www.sysinternals.com/Utilities/Ctrl2Cap.html -
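Ctrl2Cap, linked in the two comments above, is a kernel-mode keyboard filter driver. The same Caps Lock to Ctrl remapping is also available without installing a driver, through the Scancode Map value that the built-in keyboard class driver honours. The script below is an added example, not code from either poster or from Sysinternals, that builds that binary value from a table of scancode pairs and writes it; it assumes an elevated session, takes effect at the next logon, and uses the standard PS/2 set 1 scancodes (0x3A for Caps Lock, 0x1D for Left Ctrl). Unlike Ctrl2Cap this is a system-wide kernel remap, so it also applies on the logon screen.

```powershell
# Added example, not from the original posts or from Sysinternals.
# Assumes an elevated session; the mapping applies at the next logon.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layout'

# Scancode Map layout (all little-endian DWORDs):
#   version (0), flags (0), entry count including the terminator,
#   one DWORD per mapping with the original scancode in the high word and the
#   replacement in the low word, then a 0x00000000 terminator.
function New-ScancodeMap {
    param([hashtable]$Map)   # original scancode -> replacement scancode
    $bytes = New-Object System.Collections.Generic.List[byte]
    $bytes.AddRange([BitConverter]::GetBytes([uint32]0))                  # version
    $bytes.AddRange([BitConverter]::GetBytes([uint32]0))                  # flags
    $bytes.AddRange([BitConverter]::GetBytes([uint32]($Map.Count + 1)))   # entries + terminator
    foreach ($orig in $Map.Keys) {
        $entry = [uint32]((([long]$orig) -shl 16) -bor [long]$Map[$orig])
        $bytes.AddRange([BitConverter]::GetBytes($entry))
    }
    $bytes.AddRange([BitConverter]::GetBytes([uint32]0))                  # terminator
    return $bytes.ToArray()
}

# Caps Lock (0x3A) behaves as Left Ctrl (0x1D); Left Ctrl is left alone.
$capsToCtrl = New-ScancodeMap -Map @{ 0x3A = 0x1D }
($capsToCtrl | ForEach-Object { $_.ToString('X2') }) -join ' '

Set-ItemProperty -Path $key -Name 'Scancode Map' -Value $capsToCtrl -Type Binary

# To undo, delete the value and log off again:
#   Remove-ItemProperty -Path $key -Name 'Scancode Map'
```

To swap the two keys rather than sacrifice Caps Lock, pass @{ 0x3A = 0x1D; 0x1D = 0x3A }; the count field is derived from the table so no other change is needed.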
Re:Security?
I run windows as an admin since it is much easier (iTunes is broken as a limited user, you can't sync your ipod unless you're an admin. This is just one of the dozens of problems you will encounter trying to run windows as a limited user). I use SysInternals' PsExec to run certain programs as a limited user while I am logged in as an admin. For example, all my firefox shortcuts look like this: psexec -l -d "C:\Program Files\Mozilla Firefox\Firefox.exe".
PsExec allows you to run a process under alternate credentials.
Here is a description of what the -l and -d parameters do:
-l
Run process as limited user (strips the Administrators group and allows only privileges assigned to the Users group).
-d
Don't wait for application to terminate. Only use this option for non-interactive applications.
It's not the best solution, but it works, run firefox as a limited user using psexec and then try and overwrite something in c:\program files or c:\windows, it won't let you (which is a good thing). -
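Before trusting psexec -l with a browser it is worth seeing exactly what it removes, rather than relying on the one-line description. The script below is an added example, not code from the poster or from Sysinternals: it runs whoami under the caller's normal token and again under the PsExec-limited token, then reports which groups were turned into deny-only entries, whether the Administrators SID (S-1-5-32-544) is still usable, and which privileges disappeared. It assumes psexec.exe is on PATH, an English-locale whoami (the CSV column names are matched by name), and that the caller is logged on as an administrator, as in the post above.

```powershell
# Added example, not from the original post or from Sysinternals.
# Assumes psexec.exe on PATH and English whoami column headers.

function Get-TokenReport {
    param([switch]$Limited)
    if ($Limited) {
        # PsExec prints its banner on stderr; keep only the CSV rows whoami emits.
        $groups = & psexec.exe -accepteula -l whoami.exe /groups /fo csv 2>$null |
            Where-Object { $_ -like '"*' } | ConvertFrom-Csv
        $privs  = & psexec.exe -accepteula -l whoami.exe /priv /fo csv 2>$null |
            Where-Object { $_ -like '"*' } | ConvertFrom-Csv
    } else {
        $groups = whoami.exe /groups /fo csv | ConvertFrom-Csv
        $privs  = whoami.exe /priv /fo csv | ConvertFrom-Csv
    }
    [pscustomobject]@{
        DenyOnlyGroups = @($groups | Where-Object { $_.Attributes -match 'deny only' } |
                              ForEach-Object { $_.'Group Name' })
        AdminEnabled   = [bool]($groups | Where-Object {
                              $_.SID -eq 'S-1-5-32-544' -and $_.Attributes -notmatch 'deny only' })
        Privileges     = @($privs | ForEach-Object { $_.'Privilege Name' })
    }
}

$full    = Get-TokenReport
$limited = Get-TokenReport -Limited
if ($limited.Privileges.Count -eq 0) { throw 'psexec -l produced no output; is psexec.exe on PATH?' }

"Administrators usable in normal token:  $($full.AdminEnabled)"
"Administrators usable in limited token: $($limited.AdminEnabled)"
"Groups marked deny-only by -l: $($limited.DenyOnlyGroups -join ', ')"
'Privileges removed by -l:'
Compare-Object -ReferenceObject $full.Privileges -DifferenceObject $limited.Privileges |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { "  $($_.InputObject)" }
```

A deny-only group SID still matches access-denied ACEs but never grants access, which is why the limited Firefox in the post cannot write under C:\Program Files even though the logon session is an administrator's.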
Performance Issues
Apart from another brain-dead UI design, it appears that Vista has some annoying performance issues, which may be one of the reasons Microsoft snapped up Sysinternals.
Mark Russinovich's blog http://www.sysinternals.com/blog/ makes interesting reading. -
You're wrong. Stop spreading bad advice!
Firefox uses the same amount of memory whether trim_on_minimize is true or not. However, if you set that to true you will dramatically increase the number of page-ins/outs to disk and severely reduce system performance. That's why it's disabled by default. If you're low on memory you're much better off if you restart Firefox regularly. trim_on_minimize simply makes a bad situation much worse, especially when you're low on RAM.
You don't understand the memory statistic (Working Set) that Windows Task Manager is showing you. It doesn't mean what you think it does, but you can blame Microsoft for defaulting to misleading memory statistic (and mislabeling it as 'Memory Usage')
Use Process Explorer to get an accurate representation of the memory usage on your computer. -
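The distinction the comment above draws can be measured without Process Explorer. The script below is an added example, not code from the poster or from Sysinternals: it samples each Firefox process twice from Win32_Process, showing the working set (what Task Manager labels "Mem Usage"), the private committed bytes (Process Explorer's "Private Bytes"), and the number of page faults taken between the two samples. Minimizing and restoring the window during the pause shows a working-set trim as a drop in the first number, no change in the second, and a burst of page faults when the pages come back. It assumes PowerShell 3 or later; firefox.exe is the sample image name and can be replaced.

```powershell
# Added example, not from the original post or from Sysinternals.
# Assumes PowerShell 3+ (CIM cmdlets). 'firefox.exe' is the sample image name.

function Get-MemorySample {
    param([string]$Image)
    Get-CimInstance Win32_Process -Filter "Name='$Image'" | ForEach-Object {
        [pscustomobject]@{
            Pid          = $_.ProcessId
            WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)   # Task Manager's "Mem Usage"
            PrivateMB    = [math]::Round($_.PrivatePageCount / 1MB, 1) # Process Explorer's "Private Bytes"
            PageFaults   = $_.PageFaults                                 # cumulative since process start
        }
    }
}

function Compare-MemorySamples {
    param([string]$Image = 'firefox.exe', [int]$Seconds = 15)
    $before = @(Get-MemorySample -Image $Image)
    if ($before.Count -eq 0) { throw "no process named $Image is running" }
    Start-Sleep -Seconds $Seconds    # minimize and restore the window during this pause
    $after = @(Get-MemorySample -Image $Image)
    foreach ($a in $after) {
        $b = $before | Where-Object { $_.Pid -eq $a.Pid }
        if (-not $b) { continue }    # process started during the pause; no baseline
        [pscustomobject]@{
            Pid              = $a.Pid
            WorkingSetBefore = $b.WorkingSetMB
            WorkingSetAfter  = $a.WorkingSetMB
            PrivateBefore    = $b.PrivateMB
            PrivateAfter     = $a.PrivateMB
            NewPageFaults    = $a.PageFaults - $b.PageFaults
        }
    }
}

Compare-MemorySamples -Image 'firefox.exe' -Seconds 15 | Format-Table -AutoSize
```

The private bytes column is the one that tracks what the process actually holds; a shrinking working set with unchanged private bytes is pages moved to the standby list or the page file, not memory freed.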
Re:Windows...still... booting...
What?? IANAD but here's my take:
Try this & I'm assuming you're not daft enough to be using IE as your browser otherwise you get completely different results...go figure.
Open up a Windows Explorer window, run FileMon from Sysinternals. Begin capturing file access & type a URL into the address bar & press return, actually maybe you need to sit down first...
Notice how the window "magically" changes to an IE window. Check the contents of the FileMon capture, shock horror there's nearly nothing there!! Just a few precious dlls are opened, or is FileMon just lying??
Try the same thing but open up a "true" IE window, lots more activity I grant you, but what process is it all running under?? Hmm??
-
Re:May I suggest
okay, this is a week old so nobody will see this post, but the above wget doesn't (at least for me) fetch any of the useful stuff. i use:
wget -w 2 --limit-rate=5k -nc -r -l inf -H -k --no-remove-listing -X /video,/Video,/Chat,/forum,/Forum,/blog -R .wmv,.gif,.jpg --exclude-domains forum.sysinternals.com --domains www.sysinternals.com,download.sysinternals.com http://www.sysinternals.com/SysinternalsSiteMap.html
if you want the various screenshots, lose the '.gif,.jpg' from the -R arg.