Domain: sysinternals.com
Stories and comments across the archive that link to sysinternals.com.
Comments · 757
-
Mark Russinovich's experiment
If you're looking for what's possible, see Mark Russinovich's blog entry from last year. He runs Windows XP with as few processes as possible, then describes what breaks and why.
-
Only 2: System and csrss.exe
Here's an academic answer from the infamous Russinovich: only System and csrss.exe are truly necessary to run XP! The practical answer is of course, "it depends on what you want to do with it".
-
Necessary Services?
I remembered seeing this a few months back on /., but you can load WinXP without any services. Doesn't quite answer the question but it still makes for interesting reading. http://www.sysinternals.com/blog/2005/07/running-windows-with-no-services.html -
csrss.exe
-
Re: Mark Russinovich asked this question...
Here's the link:
http://www.sysinternals.com/blog/2005/07/running-windows-with-no-services.html
Note that the original poster is asking about processes, and many readers are answering with information more specifically about services, including this Sysinternals article. Still, it's relevant even if not the entire story.
You can also google for the names of your process executables and usually find descriptions of what they are. -
depends
It all depends on what the role of your PC is. I used to have somewhere a list of services grouped by profiles like: gaming, workstation, networked etc. Each profile had different services running. For example a workstation needs most of the services while a gaming PC will benefit from the least amount of background processes
Hacking Windows XP: Speed Up Your Boot
You can also use Autoruns from Sysinternals (is still online!!11ONE??) to check your startup services/applications -
Re:Not that I expected
For my part-time job I reinstall Windows about 5-10 times a week on people's computers, and if I actually had to talk to that woman I would go insane. The answer you're looking for is to use your keypad to enter the numbers as it goes much faster and has fewer errors. Additionally you can just get around re-activating Windows (legally?) by backing up system32/wpa.(dbl|bak) and writing down your volume ID (win+r; cmd; vol). Then, when you re-install Windows, boot into safe mode, replace the wpa files and then use VolumeID by Sysinternals to change your partition's volume ID back. Done and done.
-
Re:This seems crazy, but...
Um, device drivers certainly DO NOT depend on Win32. Win32 is an environment subsystem that sits on top of the NT native API, which, combined with other kernel-mode functions, is what device drivers use. Up until NT4, Win32 was implemented entirely in user mode; drivers couldn't call into Win32 then and they don't now. There is no interface to call Win32 functions from kernel mode; there are no Win32 headers in the DDK. The new UMDF is designed for code written in C++ using COM. Win32 is supported, but IDK if using the CLR (i.e. .NET) is possible.
You're right that there is a huge dependency on Win32, though. All user-mode software in and for Windows depends on Win32 except the Session Manager, autochk and a few third-party boot time defragmenters. I, too, had once hoped that Win32 with its ugliness could become deprecated, secondary to something better such as .NET. Technically, this would be possible by creating a .NET environment subsystem independent of Win32, and moving core components over to the .NET subsystem. The performance of graphics and sound systems needn't suffer; they'd just go through an API translation layer (like the one that has always existed from Win32 to the native API). Unfortunately, at this point Microsoft seems to have invested so much into Win32 that it'll probably stay where it is for the lifetime of NT.
As for competing VMs like Java, ideally they would each be built inside their own subsystem independent of either Win32 or .NET, each using the same interfaces for system services. Realistically, they'd continue to use Win32 plus some extra functions. ReactOS is planning a real Java subsystem, however. -
Re:Someone
Tools? You mean Sysinternals offers something other than the BSOD screensaver??!
-
The SysInternals programmers are the finest...
I am certainly aware that Microsoft employees have been recommending SysInternals free utilities over Microsoft's sloppily coded and primitive utilities that do the same thing.
I am also very aware that Microsoft has no utilities at all for some of the Windows functions people need, and Microsoft employees have long been recommending SysInternals utilities for those functions.
Remember, the Windows Command Line Interface and command line utilities are upgraded DOS programs. DOS is shockingly primitive compared to the Linux command line interfaces, for example. And not all of the DOS utilities have been converted completely to 32-bit Windows; they fail in weird ways that have not been fixed even though the failures have been discussed thoroughly over the years.
The SysInternals programmers are some of the finest Windows coders in the world, if not THE finest, in my opinion. However, I don't think the SysInternals employees will stay long in the abusive and adversarial and socially backward and ignorant Microsoft climate.
I think what will happen is that Microsoft will embrace and extend and poison the SysInternals software, as they have done for the dBase language, or, much more recently, for Giant's AntiSpyware.
Microsoft began tinkering with Giant AntiSpyware, which became Windows Defender. Giant was considered the best in its field. Now the Microsoft version has problems. Sometimes, for example, it will fail, and re-installing will not fix the failure.
Of course, Giant AntiSpyware was only a bandaid for problems that exist because of Microsoft's sloppy coding that leaves huge numbers of vulnerabilities. Remember that Microsoft makes more money if there are more vulnerabilities, because people buy new computers as their old computer become slow because of infestation.
Anyone who thinks that an OS is complicated, and therefore must have vulnerabilities, should buy a secure OS like OpenBSD for $5,000 per copy. The really expensive operating system organizations can hire extremely skilled programmers who know how to eliminate vulnerabilities. Oh, wait, sorry, OpenBSD is FREE, and is coded by volunteers.
Microsoft is a socially backward and adversarial organization, in my experience, but they aren't so dumb they don't know how to hire people who can write secure software. The reason for the huge number of vulnerabilities seems to be that, when a company effectively has a temporary monopoly, more vulnerabilities make more money. -
May I suggest
If you're going to wget, may I suggest playing nice with rates, delays, and non-essential files:
wget -w 2 --limit-rate=5k -m http://www.sysinternals.com/SysinternalsSiteMap.html -X /Video,/Chat,/Forum,/Blog
A relatively reasonable 81MB and 553 files.
And don't redistribute. As a software author, beyond it being illegal I consider it to be quite disrespectful to the authors if you were to redistribute these files in violation of their license. On the other hand, it certainly seems like a good idea to make a personal copy at this moment, and that certainly IS in accordance with their license. -
Re:Someone
If I understand the licensing agreement correctly then you can't distribute them. From the License page:
You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, or sell any information, software, products or services obtained from the Services.
I don't know whether I'm right so if you want to check the Licensing page out for yourself and correct me then here it is http://www.sysinternals.com/Licensing.html -
Re:Someone
"Unless otherwise specified, the Services are for your personal and non-commercial use. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, or sell any information, software, products or services obtained from the Services."
http://www.sysinternals.com/Licensing.html
Thanks for the list, I'm getting it before it's completely slashdotted. -
BSOD screensave will be first to go.
How long will MS allow you to download the BSOD emulating screen saver?
BlueScreen Screen Saver
http://www.sysinternals.com/Utilities/BlueScreen.html
:-) -
Re:Someone
You have to remove the "Utilities" portion of the path in all those URLs for them to work.
e.g. http://www.sysinternals.com/Utilities/Files/Hostname.zip --> http://www.sysinternals.com/Files/Hostname.zip -
Alternate explanation
They want to halt all the tech calls, gray hair and suicides caused by this.
-
Limited Time Offer! Act now!
wget -r --domains=www.sysinternals.com,sysinternals.com http://www.sysinternals.com/
-
Re:I guess I don't understand
I do this on a daily basis for my Windows laptop, I search through my running processes to find strange things, search them on Google
You really should try the excellent Process Explorer from SysInternals. -
Re:Alternative Method
Also the awful start up time !! Even the best IE basher will accept that IE is far better in this case!!!!
Then Firefox Preloader is what you need: http://sourceforge.net/projects/ffpreloader/
If your user account has higher-than-user privileges you can combine this with SysInternals' PsExec to launch Firefox Preloader with limited permissions -- this ensures Firefox will always run with low privs even if it's opened via a hyperlink from another program:
C:\bin\psexec.exe -l -d "C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe"
(I first saw this tip in a blog comment on SysInternals site regarding PsExec and have used it ever since) -
Sysinternals Rootkit Revealer already scans ADS
And it's free! http://www.sysinternals.com/Utilities/RootkitRevealer.html -
Re:Too late?
But regedit is uncomfortable. The tools you mention are bloated and require installation.
Should you need to advocate again on this subject, please suggest Autoruns instead.
-
Detect this....
Did the writers of the rootkit consider that...
"The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior." http://www.sysinternals.com/Utilities/RootkitRevealer.html
Ooops... 1 step ahead of the hackers yet again. -
Linux/UNIX virtualization
Linux & UNIX based virtualization has always been far superior to that of Windows. Superior is probably an understatement though, more like exponentially better.
Just check into
OpenVZ http://openvz.org/
FreeBSD Jails http://en.wikipedia.org/wiki/FreeBSD_Jail
Solaris zones http://www.opensolaris.org/os/community/zones/faq/
Xen http://www.cl.cam.ac.uk/Research/SRG/netos/xen/
and the list goes on. So much better on *nix. Of course, I think that is somehow related to the fact you can run a *nix box via CLI, with a bare minimum of functionality, the likes of which even the best Windows gurus cannot get close to (though Mark Russinovich and Bryce Cogswell do rox)
What is funny, is so many of us are ignorant of virtualization's roots in IBM mainframes. Big Blue was so far ahead of the times, it is like omg. BTW, I love Wikipedia. I've been preparing a presentation on virtualization the last few days, and Wikipedia makes it so easy! -
Re:Blue Screen O' Death
Even better, Windows users can make them up on the fly.
-
Re:Wait, explain to me again...
As a result, I am forced to use it (and I do pay for it). Now, I may be forced to base on Windows, or ignore updating the software. I can't use Windows XP (the "phone home" stuff is a killer; I deal with confidential/trade secret/secret material).
Do you have a solution?
It sounds to me that based on your requirements, classified material and XP usage are mutually exclusive thereby making Office unsuitable for use with such material. The solution is to use other software if the material demands such sensitive handling and then implement that as a policy organization-wide.
Another option would be to update Office on a bare-bones XP install, watch what files and registry entries get updated (see Filemon and Regmon), and then roll those updates over to Linux. This could potentially be automated with some grunt work up front.
But how do you know Office doesn't phone home under Linux and potentially leak information there? Do you require whitelisting of outbound connections on a per-application basis? And while you may create Word/Excel documents on Linux in a secure environment, odds are good that those reading them are using XP, so all your precautions would be moot anyways. -
User Rights
Keep in mind that I am NOT a programmer. Merely speculation here. My understanding of rootkits is that they install themselves as a part of the operating system (Kernel Level) instead of as a rogue program (Subsystem or User Space), taking advantage of software holes or poor User Rights admin. That being said, I know that LSASS.exe's default NTFS permissions are FULL CONTROL for Admin, System; and Read/Execute for Power Users. With Virtual technology there would be two instances of all required system processes. Further, in the Virtual OS, you have Virtual Access to the Hardware within a Separate Memory block. Now as a Rootkit, I would have to determine what user rights are currently in place, and which instance of LSASS is the Host or Real Mode OS. I could then use the guest OS to emulate NTFS permissions and further re-write Registry keys undetected. The cryptographic services then have to be fooled on either OS depending on what the programmer hopes to accomplish. Essentially, a rootkit on a guest OS would be more like a Nightmare virus. It would also have the potential to do more damage to either OS. Some helpful resources may be:
Security Config and Analysis MMC. This is helpful when using templates. http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_SCMwhatis.htm
MRT: Malicious Software Removal Tool http://support.microsoft.com/kb/890830
Further check out RootKit Revealer and Autoruns @ http://www.sysinternals.com/
These should all be helpful running in the proper OS. I know this isn't meant to be a support article; however, some out there may have no clue as to where they should search for help. There are a number of other sites that could be listed and probably should be, but I'm refraining from going further so as to maintain the scope of this Article. -
Re:NT architecture not even utilized
Just a simple example, in Unix a tape streamer behaves just like a file, the handful of file-related system calls, each with just a few parameters, apply to many devices including tapes. VMS has special system calls for tapes, for disks, for files, for terminals etc. etc.
NT doesn't have special syscalls for tapes. Disk files (local and remote), disk volumes, tape volumes, sockets, devices (even sound and video), busses, pipes, and mailslots (text terminals aren't handled in the kernel; they're a Win32 construct) are all implemented with the same file objects that have the same semantics and use the same syscalls. The relevant syscalls are NtCreateFile, NtOpenFile, NtReadFile, NtWriteFile, NtDeviceIoControlFile, NtFsControlFile, NtLockFile, NtUnlockFile, NtSetInformationFile, NtQueryInformationFile, NtNotifyChangeDirectoryFile, NtQueryDirectoryFile, and NtClose. What's so awful about that?
Objects exported from kernel mode to user mode all use the same handle system for reference tracking. Each object has its own type that has both common attributes with all types and its own unique behavior. These types include files as above, processes, threads, events, mutexes, semaphores, jobs, shared memory sections, LPC ports, registry keys, object directories and object symlinks. Every object has common object attributes, including security descriptor with the same functions for setting, getting and making access checks against them. Every object can have a name (some types don't require their objects to be named) in a unified single root namespace. Every object type has its own functions for creating and opening objects, with whatever special requirements for each. Each object type that has properties has set and query functions for that type, with one information class number and structure for each property.
Every syscall uses the same basic datatypes and returns the same NTSTATUS format error/status code. All strings are counted Unicode. All times are the same format (Win32 calls it FILETIME). All functions, structures, enums, etc. use the same naming conventions. All IO operations use the same IO_STATUS_BLOCK structure. All async IO operations allow completion synchronization by waiting on the file object, signalling an event, queueing an APC or IoCompletion. All buffers are allocated by the caller and use byte buffer lengths. Every type of explicit blocking (except LPC ports) has an optional timeout and option to wait alertably.
Even though NT's release was 13 years ago, the core design has never changed, only expanded for new features, because it was done right in the first place. NT never had to tack on security or in-process multithreading or asynchronous IO (like UNIX has) because those things have been there from the beginning.
If you're complaining about the quantity of syscalls, according to arch/i386/kernel/entry.S in Linux 2.6.7, it's 284: 1 less than XP's 285. -
OS designed for a purpose?
Windows can't be everything to everybody. We've already seen a fractionalization between XP and 2003 server. In 2000, these actually were the same OS, with differently tuned kernels. XP is actually different from 2003 server.
Why not have a trend where Windows fractionalizes further so that some are optimized for game playing, some for office work, some for light server/office applications, and some for dedicated secure services.
The only obstacle I see to the latter is that despite very nice security granularity, the security policies that come boxed with windows leave a lot to be desired. They're difficult to manage, and some have holes you could drive a truck through. -
Well...
We know they use Winternals software.
:) -
That, OR
That method sounds good for widescale, corporate deployment, but here's a simpler method:
- Use Autoruns (everybody should have it already) to disable wgalogon.exe on the winlogon page.
-
OT: Wanted: Lightweight PDF viewer for Firefox
This is a configuration in the Adobe Reader for that. Just go EDIT, PREFERENCES, INTERNET... and uncheck Display PDF in Browser.
Thanks for that! Just updated settings on my system. BUT, I would love to have a lightweight (i.e. small and quick-to-load) alternative to Adobe Acrobat for viewing (and printing) PDF files. I've grown accustomed to some of the quirks of the user interface; my main complaint with Acrobat is its slow startup speed. That, and at least on my system, Acrobat 6.0 has a working set of about 35 MB (as reported by sysinternals.com's amazingly powerful Process Explorer utility).
I did some cursory googling a week or so ago, but couldn't find what I was looking for. It looks like ghostscript might be useful for this? Has anyone tried it?
-
Re:What I would have used..
msconfig sucks
Autoruns is THE 1337
Oh, and btw, after removing all the malware (in safe mode!! without network!) make sure the desktop image is NOT a web page, I lost 2 hours looking where the fuck a spyware was loading after removing it. I got the hint when I saw that each time Windows started the desktop image sort of went blank for a second before putting the background image. -
Re:Geek Squad
-
Re:Slashdot through the looking glass?
You might check out Filemon. It's a handy utility that shows you exactly what programs are reading/writing on your HD.
-
Re:Cool Hack:
Which "su" program from Sysinternals are you using? The closest functionality I could find was PsExec.
-
Windows done right
"An unusual practice? Where? Most places I know have their users running as admin..."
Personal experience is not a statistical sample. This applies both to the parent and the grandparent. I have no idea which approach is more common in the Fortune 500, but the experiences of a couple of random Slashdot people, no matter how smart they may be, isn't going to tell us. I've met companies in the Fortune 1000 that do it both ways, FWIW (i.e., nothing).
Now, as far as my current employer goes... I'm the IT Manager for a small manufacturing company. Almost everybody (including IT staff, including myself) uses an unprivileged user account for day-to-day operations. This works reasonably well, although there are plenty of programs that need a little persuasion (sometimes with a large hammer) to be made to work. REGMON and FILEMON from http://www.sysinternals.com/ are great for debugging problems that arise from Windows Programmer Brain Damage. I've only got one program that couldn't be made to work this way, and it's limited to two computers.
I'm fortunate in that management recognizes computer security as important, and backs me up on this.
I have to say that restricting user rights this way (along with a few other things, like WSUS and roaming profiles) go a long way towards making Windows a usable platform. All the support calls from malware/badware vanish. Support calls from things "I installed Napster and now AutoCAD won't work" vanish. People can't tinker with stuff and break it. It's a Good Thing.
I still vastly prefer Linux for any number of reasons (not all of them technical), but if I have to support Windows, I will at least do it right. -
Re:Stop perpetuating the myth ...
Actually, I was able to get every application you listed to run as a normal "user" account. I have repacked and given special permissions for hundreds of third party apps to get them to run non-admin.
The last co. I worked for decided to do this, boy you should have seen the backlash and uproar from users. Everyone from other IT depts, engineers, heck even secretaries were mad. However, once we successfully implemented a locked down environment help desk calls were dramatically reduced.
It's actually not as hard as you think to get "legacy" apps to run correctly as a non-admin. The best tools for this can be found at Sysinternals http://www.sysinternals.com/, Regmon and Filemon. Just install the app as an admin, then try to run it as a user. Regmon and Filemon will tell you where you get an "access denied" error. When repacking the app, just make sure to give the appropriate permissions to keys/files that the app writes to. InstallRite from epsilon is also pretty handy http://www.epsilonsquared.com/ , it's basically a nice front end to sysdiff.
Don't get me wrong, it isn't always easy. Some apps need to run exe's on the first reboot, some dynamically create files at winnt, but with a little programming know how you can create some tools to get around this. -
Regmon Filemon
You can eliminate the guess work by using Regmon and Filemon from here.
These utilities log all file and registry access attempts, successful or unsuccessful.
Most applications that "need" admin rights, actually only need the correct rights on a specific reg key or directory. Granting only the needed rights gets the app working without adding unnecessary rights/risks.
-
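The "install as admin, run as user, grant only what was denied" workflow from this comment and from the "Stop perpetuating the myth" reply above is mostly log triage. The following Python script is an added example, not code from the thread or from Sysinternals: it assumes a simplified tab-separated log (process, operation, path, result, detail) that is constructed here and only loosely modelled on Regmon/Filemon output, not the tools' actual file format. It keeps the ACCESS DENIED entries for one process, maps each to the narrowest right (Read or Modify), moves registry value operations up to their parent key (ACLs live on keys, not values), and emits icacls commands for files plus a worklist line for keys. icacls and the principal name are assumptions as well; Windows XP shipped cacls instead.

```python
# Added example: turn a Regmon/Filemon-style "access denied" log into a
# least-privilege grant plan for one application. Log format is constructed.

# Constructed sample log; tab-separated: process, operation, path, result, detail.
SAMPLE_LOG = (
    "legacyapp.exe\tOpenKey\tHKLM\\SOFTWARE\\LegacyVendor\\App\tSUCCESS\t\n"
    "legacyapp.exe\tSetValue\tHKLM\\SOFTWARE\\LegacyVendor\\App\\LastRun\tACCESS DENIED\t\n"
    "legacyapp.exe\tCreateFile\tC:\\Program Files\\LegacyApp\\app.log\tACCESS DENIED\tDesired Access: Generic Write\n"
    "legacyapp.exe\tWriteFile\tC:\\Program Files\\LegacyApp\\app.log\tACCESS DENIED\t\n"
    "legacyapp.exe\tCreateFile\tC:\\Program Files\\LegacyApp\\license.dat\tACCESS DENIED\tDesired Access: Generic Read\n"
    "legacyapp.exe\tReadFile\tC:\\Windows\\System32\\kernel32.dll\tSUCCESS\t\n"
    "explorer.exe\tSetValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Foo\tACCESS DENIED\t\n"
)

REGISTRY_ROOTS = {"HKLM", "HKCU", "HKCR", "HKU", "HKCC"}
# Operations that imply the app needs write access (assumed mapping).
WRITE_OPS = {"SetValue", "DeleteValue", "CreateKey", "DeleteKey",
             "WriteFile", "SetInformationFile", "DeleteFile"}
# Registry operations whose path names a value rather than a key.
VALUE_OPS = {"SetValue", "DeleteValue", "QueryValue"}


def parse_log(text):
    """Yield (process, op, path, result, detail) tuples; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue
        yield tuple(fields)


def is_registry_path(path):
    return path.split("\\", 1)[0].upper() in REGISTRY_ROOTS


def needed_right(op, detail):
    """Map a denied operation to the narrowest useful right: Read or Modify."""
    if op in WRITE_OPS or "Write" in detail:
        return "Modify"
    return "Read"


def grant_target(op, path):
    """Permissions are set on keys, so a denied value operation points at the parent key."""
    if is_registry_path(path) and op in VALUE_OPS:
        return path.rsplit("\\", 1)[0]
    return path


def grant_plan(log_text, process):
    """Return {target_path: right} covering every ACCESS DENIED entry for `process`."""
    plan = {}
    for proc, op, path, result, detail in parse_log(log_text):
        if proc.lower() != process.lower() or result != "ACCESS DENIED":
            continue
        target = grant_target(op, path)
        right = needed_right(op, detail)
        if plan.get(target) != "Modify":  # never downgrade Modify to Read
            plan[target] = right
    return plan


def render_commands(plan, principal):
    """icacls commands for files; a worklist line for registry keys (no icacls equivalent)."""
    icacls_right = {"Read": "RX", "Modify": "M"}
    lines = []
    for target in sorted(plan):
        right = plan[target]
        if is_registry_path(target):
            lines.append(f"REM registry: grant {right} on {target} to {principal} (key ACL)")
        else:
            lines.append(f'icacls "{target}" /grant "{principal}:({icacls_right[right]})"')
    return lines


if __name__ == "__main__":
    for line in render_commands(grant_plan(SAMPLE_LOG, "legacyapp.exe"), "BUILTIN\\Users"):
        print(line)
```

Filtering by process is the point of the sample: the same log carries a denied write to the Run key by explorer.exe, which is exactly the kind of grant a packager should not hand out just because it appeared in the trace. Two caveats a practitioner hits at once: a file the application creates at run time does not exist yet, so the grant has to go on its parent directory rather than the logged path, and a ROOT-level Modify on a whole Program Files directory is rarely the answer; the plan is a starting list for review, not something to apply blindly.
-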
Re:Screen Shots Please ...
And the "blue screen generator" screensaver, right?
http://www.sysinternals.com/Utilities/BlueScreen.html -
Why, Microsoft? RootKit Revealer from SysInternals
While waiting to determine why Microsoft is going to such trouble to advertise the insecurity of its present operating systems, you can use the free RootKit Revealer from SysInternals.
My guess is that Microsoft's effort is an attempt to create a demand for some future operating system that will be hardened against rootkits. -
Win 2003 Sysprep. NewSID
Windows Server 2003 Service Pack 1 32-bit Deployment Tools work with Windows XP, also. Maybe these are better, since they have been recently updated, and work with all Windows releases.
I have not had good luck with using SysInternal's free utility NewSID. However, other utilities from SysInternals are best in class, and NewSID was updated after I tried it.
Also see PsGetSID. -
Re:Scare Tactics and Get Real
Let's also remember that some of the people associated with this site were the first to notice the Sony DRM RootKit. The research that has been done on this site has really made it hard for rootkit developers to install their wares unnoticed - if you have the right tools. I could be wrong, but I think that Mark Russinovich from sysinternals has been there contributing to this site. It has led to the development of some really great tools such as the SysInternals RootkitRevealer - a really great tool by the way (http://www.sysinternals.com/Utilities/RootkitRevealer.html) -
Sysinternals
The Sysinternals apps for monitoring and understanding windows (particularly Process Explorer) are always the first things I install on a windows machine. After finding these, windows feels less like a black box and more like, well, a bunch of smaller black boxes.
-
Be serious people
Seems no one is giving serious answers so I guess I will be the only one
Freeware or open source software:
01. Firefox, http://www.getfirefox.com/
02. Winamp, http://www.winamp.com/
03. Miranda, http://www.miranda-im.org/
04. Media Player Classic, http://sourceforge.net/projects/guliverkli
05. ffdshow, http://www.free-codecs.com/download/FFDShow.htm
06. CDBurnerXp Pro, http://www.cdburnerxp.se/
07. Daemon-tools, http://www.daemon-tools.cc/
08. uTorrent, http://www.utorrent.com/
09. XnView, http://perso.wanadoo.fr/pierre.g/xnview/enhome.html
10. ExactAudioCopy, http://www.exactaudiocopy.de/
11. Dev-C++, http://www.bloodshed.net/devcpp.html
12. 7-zip, http://www.7-zip.org/
13. Real Alternative, http://www.free-codecs.com/download/Real_Alternative.htm
14. QuickTime Alternative, http://www.free-codecs.com/download/QuickTime_Alternative.htm
15. Process Explorer, http://www.sysinternals.com/utilities/processexplorer.html
16. Uniform Server, http://www.uniformserver.com/
17. nLite, http://www.nliteos.com/ (sp+hotfix+driver slipstreaming and ability to remove almost anything from the windows installation disc, including wmp, ie, drivers, services, etc, you can get your windows install disc down to 180MB with a 70MB RAM footprint after boot).
Commercial/Shareware software.
01. NOD32, http://www.nod32.com/ - simply the best antivirus software out there
02. Cinema4D, http://www.maxoncomputer.com/ Great modelling/rendering program (also available for OS X)
03. mIRC, http://www.mirc.com/ not the best irc client, but it has a tiny memory footprint/feature ratio
04. Directory Opus, http://www.gpsoft.com.au/ replace Explorer with a far better file manager.
05. UltraEdit, http://www.ultraedit.com/ great editor for many textbased formats
06. Visual Studio, http://microsoft.com/
07. Nero Burning ROM. http://www.ahead.de/ my burning program of choice -
The single best collection of Windows utils
Sysinternals Freeware is a slick collection of utility software for Windows, from tools I use regularly like FileMon, TcpView and Process Explorer to more trivial tools like BGInfo, capable of nothing more than stamping a configurable block of system info onto the desktop wallpaper on boot.
-