Domain: sysinternals.com
Stories and comments across the archive that link to sysinternals.com.
Comments · 757
-
Deleting files that are "in use"
I guess no one has suggested this yet: use Process Explorer and search for any open handles to the file. Once all the handles are closed, you can delete it safely because it won't be in use.
This technique is a little shaky because those running programs that have handles to the DLL might be a little upset that the handle is suddenly closed, but just reboot after you complete the process if something breaks or crashes.
-fren -
Re:random current cmd gripes
NTFS has hard links and symlinks. The cmd line tools to do it just aren't provided with the system.
Sysinternals.com has Junction for symlinks, and
Microsoft provides a hardlink utility for NTFS. -
Re:Annoying inconsistency of Windows document fold
In that case, you can use a reparse point (aka junction or directory symlink) to make the My Music folder point to some other directory, even one on a different volume.
Junction from Sysinternals can do this. For example,
rd "c:\documents and settings\me\my documents\my music" (the link destination directory must not exist)
junction "c:\documents and settings\me\my documents\My Music" f:\music
Now, My Music will be a link to f:\music.
Note that you should copy the desktop.ini file over first if you want the special My Music folder icon. The desktop.ini file gives special meaning to various shell folders. -
Re:Once again: Bind CAPSLOCK to Control
Real people use a low level keyboard rewriter tool from
http://www.sysinternals.com/ntw2k/source/ctrl2cap.shtml
It's from Sysinternals, the best Windows hackers out there,
the same people who brought junction with source for Win2k+ NTFS,
RegMon/FileMon, Process Explorer. On top of that, it comes with source!
--
/apz, Avert misunderstanding by calm, poise, and balance. -
Re:Calculator key?
Windows lets you do it with a GUI too, though not per user. Find remapkey.exe.
Or you can find one of the registry files that will do it.
Or you can get one of the third party tools (there are others) that do it. -
Re:Reminds me of something that just happened to m
Actually, DOS is not completely out of the question.
http://www.sysinternals.com/ntw2k/freeware/ntfsdos.shtml
Still, Knoppix is a better way.
-
Re:Corollary:
Over at sysinternals.com, there's filemon, and regmon. These are real-time registry/file activity loggers, will show which processes access which files with the result code (open success/fail/permission denied/disk full/file not found/etc). These are absolutely invaluable tools, especially when you come across a new virus that your virus scanner doesn't pick up and general bug hunting... sysinternals has the most useful tools that I really miss from the unix world.
-
Re:This is arranging deckchairs on the Titanic
Hey, I don't normally supply reference material because it almost always breaks down into a my-source-is-better-than-your-source debate. As you may have noticed, I only use what I am supplied with. However, I think here is a good neutral source regarding the art of rootkit detection.
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
Supplies a very good discussion about how you detect rooted systems. I think we probably had a miscommunication about what constitutes single machine detection. As we have both said, cleaning yourself from the inside of a compromised active kernel is impossible, but this doesn't mean you need another system in order to get 'outside'. Software just controls the beast (hardware), and if you have the power over the plug you have ultimate power over what controls the beast, and at that point you just have to be able to verify your system... or wipe it. A problem if you have general use files that are not clean/backed up. Not such a big deal for a single purpose machine. This is not an insane cost activity... really just a day in the life of a sysadmin under fire. -
Re:Here's how to do it on Win2k
Some additional tips:
- To kill "unkillable" processes, use pskill from sysinternals.com. Also try pslist instead of the taskmanager to list the processes. The taskmanager does not give you all the information you might want to know, like many other tools from Redmond.
- Try to kill a whole bunch of suspicious processes at once, so that no part of the malware has a chance to restart another process. Again, pskill can do this.
- Boot another system, preferably one that can not execute EXEs, DLLs and so on: Get Knoppix or some other CDROM-based Linux (that is able to write NTFS if you use NTFS for Windows). Use it to browse the WWW, especially to search information about the malware. Use it to delete all executable files (*.EXE, *.DLL, *.OCX, ...) of the malware. (Malware registry entries should be harmless if all executables of the malware are deleted.) If you use Knoppix, this is not much harder than deleting files using Windows. You just have to find the right harddrive partition (usually hda1) containing Windows and mount it read-write (use the right mouse button on the hdd icon). The real hard job is to find each and every executable of the malware.
- Disconnect the network plug / modem / ISDN / whatever, switch off the WLAN router, etc., before you boot Windows to prevent the remaining parts of the malware from re-installing itself from the net.
- Re-enable the network only for the time you run Knoppix on the machine, until you are really, really sure that there are no traces left from the malware.
-
Re:BSOD
The BSOD, download the screensaver from sysinternals it'll bring back that sick to the pit of your stomach feeling.
-
Re:It is just me, or are most Microsoft servers do
Run windows, miss the BSOD, download the screensaver from sysinternals. It's dejavu all over again.
-
Three words !
And don't forget Sysinternals (many thanks to the Slashdotter who originally clued me up on them)
Their Process Explorer is what the Windows Task Manager should have been. Not only does it show you ALL the running processes but you can kill ANY of them (none of this crap where Windows says "Sorry that's a system process you can't kill it" WTF? I'm logged in as administrator, I'll kill what I bloody well want to, thank you very much)
So if you're gutting spyware out of a box then I'd first use this to kill off any superfluous daemon processes, then run Adaware and Spybot S&D, then manually check and clean the registry start up keys, then remove all temp files in Windows and internet caches, then look for ".hta" files, ".bat" files, win.ini entries etc. etc.
Of course after doing this a couple of times you'll simply give up, install Linux, and wonder why you ever bothered trying to use something as retarded as Windows ?
I don't know about you but I didn't get into computing so I could spend all my time patching holes in a poorly designed O/S (If I wanted to do that I'd write my own poorly designed O/S) I actually wanted to use my computer to do stuff. -
Re:Nothing new really
Synli, could you give us a link or an explanation on where to enable this in stock Windows XP Gold/SP1/SP2?
In the meantime I'd like to point to Buzzsaw, a program that actually does do on-the-fly defragmentation on any Windows NT based system.
Together with boot time defragmentation by PageDefrag this keeps even Microsoft Windows systems defragmented. -
Re:It just won't work
Interesting claim that NTFS supports hardlinks. So, how do I do something like this: ln a.txt b.txt Here's a free hint from an MSCE: you can't because there is no support for hard links in NT.
Uh
fsutil hardlink create a.txt b.txt
That's standard with XP.
There's also the linkd program from the NT/2K resource kit and you can also get Junction from SysInternals.
BTW, where did you get your MSCE? -
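The two NTFS link types this thread keeps returning to (the junction from the "My Music" post above, and the hard link from this exchange) can both be created and verified from PowerShell without Junction or linkd. The script below is an added example, not code from either poster or from Sysinternals; every path in it is an assumption chosen to mirror the thread's own examples, and it assumes Windows PowerShell 5.1 or later, where New-Item knows the Junction and HardLink item types.

```powershell
# Added example, not from the thread: create an NTFS directory junction and a file
# hard link with New-Item, then verify both. All paths are assumptions.

function New-SafeJunction {
    param(
        [Parameter(Mandatory)][string]$LinkPath,    # where the junction will live
        [Parameter(Mandatory)][string]$TargetPath   # the directory it points to
    )
    # The target has to exist, or the junction dangles.
    if (-not (Test-Path -LiteralPath $TargetPath -PathType Container)) {
        throw "Target '$TargetPath' does not exist."
    }
    if (Test-Path -LiteralPath $LinkPath) {
        $existing = Get-Item -LiteralPath $LinkPath -Force
        if ($existing.LinkType) {
            # Already a reparse point: report it rather than silently re-pointing it.
            return "'$LinkPath' is already a $($existing.LinkType) -> $($existing.Target)"
        }
        if (@(Get-ChildItem -LiteralPath $LinkPath -Force).Count -gt 0) {
            throw "'$LinkPath' is a real folder with contents; move them first."
        }
        # Empty folder: this is the thread's 'rd' step, because the link path must be free.
        Remove-Item -LiteralPath $LinkPath
    }
    $j = New-Item -ItemType Junction -Path $LinkPath -Target $TargetPath
    # The DirectoryInfo exposes LinkType ('Junction') and Target for reparse points.
    return ("{0} -> {1} ({2})" -f $j.FullName, ($j.Target -join ''), $j.LinkType)
}

function New-VerifiedHardLink {
    param(
        [Parameter(Mandatory)][string]$Existing,   # the file that already exists
        [Parameter(Mandatory)][string]$NewName     # a second name for the same data
    )
    # Hard links are file-only and must stay on one NTFS volume; this is the
    # New-Item form of 'fsutil hardlink create <NewName> <Existing>'.
    New-Item -ItemType HardLink -Path $NewName -Target $Existing | Out-Null
    # fsutil lists every name the file has, so both paths should appear.
    return (fsutil hardlink list $Existing)
}

# Usage with assumed paths; run from an elevated prompt if the link lives under another profile.
New-SafeJunction -LinkPath 'C:\Users\me\Documents\My Music' -TargetPath 'F:\music'
Set-Content -LiteralPath 'C:\Temp\a.txt' -Value 'same bytes, two names'
New-VerifiedHardLink -Existing 'C:\Temp\a.txt' -NewName 'C:\Temp\b.txt'
```

The existence checks are the point of the junction helper: a junction created over a non-empty folder or toward a missing target is exactly the "be careful with it" case a later comment warns about, and refusing to re-point an existing reparse point keeps a scripted setup from quietly redirecting a folder that was already linked elsewhere.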
Re:It just won't work
If anyne knows the API to create a symlink in Windows I'd love to see it!
http://www.sysinternals.com/ntw2k/source/misc.shtml#junction -
Re:wtf??
Yes, it does have this ability already (although not in the places you cite). Here is a command line app to create them:
http://www.sysinternals.com/ntw2k/source/misc.shtml#junction
For example, I used this to share Sims neighborhoods between user accounts so my girlfriend's characters can interact with mine. works great, but be careful with it.
Anm -
Re:Just works.... they way they tell you it should
You might find junctions interesting. They're symlinks, and for directories only, though.
S -
Re:Agreed
Windows doesn't have a direct equivalent to root. root can ignore the security on any object, but Administrator still needs to be included in an object's ACL to get access. Still, the Administrators group has access to pretty much everything by default. Admins also have the take ownership privilege, which allows them to become the owner of any object, and since the owner can set a new ACL, admins can have full control over any object. The idea is that requiring an extra step (taking ownership) leaves an audit trail, and helps admins to use the privilege only when necessary.
For example, go into windows and bring up your process listing. Look for an item called SERVICES. Now, try to kill it. You'll get access denied.
Task Manager won't let you kill it, not the OS itself. You have access, but Task Manager is taking matters into its own hands. It would be like the Red Hat task manager UI app (forget the name) preventing you from killing init.
I hate it when Task Manager or Explorer does stuff like this too. However, it's a problem with the UI, not the underlying system.
pskill services works fine. It doesn't do anything fancy, just opens the process and kills it.
As a result, the privilege separation in Unix is much better. There are ways to temporarily become root to handle tasks. No need to log out of the system all together, you can use simple commands to change.
Like RunAs, psexec, or tsdiscon?
Another thing worth mentioning is that under Unix you can grant limited root access to people. For example, let's say you needed to be able to restart my mail server, for whatever reason. I can grant you the ability to do just that without giving you the keys to the kingdom.
Every service (like every other object in Windows) has an ACL you can use to give permission to start, stop, query and control services. The easiest way to set that is to use a security template.
But the beauty of it is that, most of the time, you don't need to do that. A user can install software, and all that stuff, without needing admin access in most cases. The reason why most people run Windows as administrators is that it's hard to do anything without that ability.
Install, are you sure? Most package management apps need to be root to run. There are a few hacks to get them to install to home, but it's not common.
It's true that there is a lot of Windows software that requires excessive privileges to run. Usually, it is the app developer's fault for assuming the system is single user when it's not. -
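The claim above that every service carries its own ACL is easy to verify: `sc.exe sdshow` prints the service's security descriptor as an SDDL string, and reading that string tells you exactly who may start, stop or reconfigure the service, which is the first thing to audit before granting anyone "restart the mail server" rights. The script below is an added example, not code from the poster or from Sysinternals. The rights-letter and well-known-SID tables are the standard SDDL abbreviations for the service object type; the sample descriptor is constructed in the shape `sc sdshow` prints, and the service name used for the live query (Spooler) is an assumption.

```powershell
# Added example, not from the thread: translate a service's SDDL DACL into readable
# allow/deny rows so the start/stop/reconfigure rights can be audited.

$ServiceRights = [ordered]@{
    CC = 'QUERY_CONFIG'; DC = 'CHANGE_CONFIG'; LC = 'QUERY_STATUS'
    SW = 'ENUMERATE_DEPENDENTS'; RP = 'START'; WP = 'STOP'
    DT = 'PAUSE_CONTINUE'; LO = 'INTERROGATE'; CR = 'USER_DEFINED_CONTROL'
    SD = 'DELETE'; RC = 'READ_CONTROL'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
    GA = 'GENERIC_ALL'; GR = 'GENERIC_READ'; GW = 'GENERIC_WRITE'; GX = 'GENERIC_EXECUTE'
}
$WellKnownSids = @{
    SY = 'SYSTEM'; BA = 'Administrators'; IU = 'INTERACTIVE'; SU = 'SERVICE'
    AU = 'Authenticated Users'; WD = 'Everyone'; BU = 'Users'
    NS = 'Network Service'; LS = 'Local Service'
}

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # The DACL is the 'D:' section (optionally prefixed by flags such as P for
    # protected); each ACE is parenthesised as (type;flags;rights;;;sid).
    $dacl = [regex]::Match($Sddl, 'D:[A-Z]*(?<body>(?:\([^)]*\))*)').Groups['body'].Value
    foreach ($m in [regex]::Matches($dacl, '\(([^)]*)\)')) {
        $parts  = $m.Groups[1].Value -split ';'
        $type   = switch ($parts[0]) { 'A' { 'Allow' } 'D' { 'Deny' } default { $parts[0] } }
        # Rights are two-letter codes run together, e.g. CCLCSWRPWPDTLOCRRC.
        $rights = [regex]::Matches($parts[2], '..') | ForEach-Object {
            if ($ServiceRights.Contains($_.Value)) { $ServiceRights[$_.Value] } else { $_.Value }
        }
        $sid = $parts[5]
        [pscustomobject]@{
            Type      = $type
            Principal = if ($WellKnownSids.ContainsKey($sid)) { $WellKnownSids[$sid] } else { $sid }
            Rights    = ($rights -join ', ')
        }
    }
}

# Constructed sample in the shape 'sc sdshow' prints for a typical service:
# SYSTEM and Administrators may control it, interactive users may only query it.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
ConvertFrom-ServiceSddl -Sddl $sample | Format-Table -AutoSize

# Live audit of a real service (name is an assumption): anyone beyond SYSTEM and
# Administrators holding STOP or CHANGE_CONFIG is worth a second look.
$live = sc.exe sdshow Spooler | Where-Object { $_ -match 'D:\(' }
if ($live) {
    ConvertFrom-ServiceSddl -Sddl $live |
        Where-Object { $_.Rights -match 'STOP|CHANGE_CONFIG' -and $_.Principal -notin 'SYSTEM', 'Administrators' }
}
```

Reading the descriptor this way is the check to run before and after applying a security template: the delegated account should gain START and STOP (RP and WP) and nothing else, and in particular not CHANGE_CONFIG (DC), since rewriting a service's binary path is equivalent to the full admin rights the delegation was meant to avoid.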
Re:Okay now...
In this case, the Citrix client requires write access to HKLM\Software\Microsoft\MSLicensing\Store (see this Citrix KB article) So you don't have to give the users full admin rights.
It's a software development problem, not strictly a "Windows problem". With most applications, developers assume users have admin rights, and don't test their products any other way. Even big guys like Citrix.
I suppose it's a Windows problem for reasons of history: in Win9x everyone was a root user, so Windows programmers developed bad habits. By and large, OSS developers (usually) assume you have minimal rights.
This stuff is still a nightmare to administer. If you want to remove admin rights from users, you're forced to spend hours finding permissions tweaks like this for every new application. (Use regmon & filemon from sysinternals.com - that's how I found the Citrix tweak.)
-
Alternative Data Streams
NTFS allows you to store data both in foo.txt and foo.txt:evil, and only foo.txt will be visible in a directory listing. In fact, almost none of the tools that come with the system can see :evil. More info and examples from the nice folks at SysInternals. Spyware creators use this extensively. When you see a registry entry pointing to C:\WINNT\System32:xyzzy.dll, it's time to format and reinstall. I know there are other stupid, half-implemented features in NTFS but I can't think of what they are at the moment. -
Re:And on a related note
The blue-screen-of-death screensaver is hilarious!
-
And on a related note
Also check out the many useful tools available from SysInternals. These guys are serious Windows hackers and know how to integrate tightly with the internals. For general use, Process Explorer is a must-have replacement for task manager, and many of the others are useful if you're working in the areas they concern. And they give them away free, and a fair bit of source code too, bless them.
-
Things I can't live without...
Putty for SSH
http://www.chiark.greenend.org.uk/~sgtatham/putty/
CTRL-CAPS Lock Switcher
http://www.sysinternals.com/ntw2k/source/ctrl2cap. shtml
-
Re:Free update ?
There is a primary drawback though. The memory management strategy is different between the desktop and server editions of Windows.
The first step to fixing that is in the System Properties (right-click on 'My Computer'). Under the Advanced tab, go to Performance Settings, then the Advanced tab in that. Change both Processor scheduling and Memory usage to "Programs".
There are some other more subtle things as well, but these can be tweaked in the registry if you know where to look. IIRC the default quantum length is longer on Server than Pro (at least it was for 2000). The articles over at Sysinternals can be helpful here, especially the one about the differences between Server and Workstation. -
Re:Defrag first, man.
> The only way to fix it is to completely delete (deactivate) the page file, then do a defrag, then re-create the page file (several reboots involved).
Or use the freeware tool (pagedefrag) available from sysinternals.com.
-
Re:Defrag first, man.
The only way to fix it is to completely delete (deactivate) the page file, then do a defrag, then re-create the page file (several reboots involved).
Okay, this entire topic (as it pertains to Windows) only needs four points covered, and even if you ignore the rest, implement #1 ASAP...
1) As the first thing you install after the OS, use PageDefrag by SysInternals. Set it to defragment at every boot (after the first time, it only takes a few seconds). This will keep your pagefile, hibernation file, and registry as contiguous as possible. Totally free-as-in-beer, and as with all SI's tools, absolutely rock-solid for stability (and no, I don't work for them).
2) If you need a pagefile, set it to a fixed size (same max and min). This will avoid it getting fragmented in the first place. As for what size to use... On any modern drive, don't get stingy. Go ahead and set it to 4GB (perhaps 64bit versions of Windows can use more, but if you actually need more, you already know all about tweaking memory and pagefile performance).
3) If you have two physical drives, put the pagefile on the non-system drive. If you only have one, put the pagefile on the same drive as the OS. Do not put the pagefile in its own partition, ever (the above two points prevent fragmentation anyway, and having it in the same general place on the disk as most activity will help minimize disk head movement).
4) If you have a gig or more of RAM and don't have a special need for more, don't even bother using a pagefile. Set its size to zero, set your "system failure" section NOT to automatically reboot and the memory dump type to "none" (otherwise you can get into a state where you BSOD immediately on boot, which itself causes a reboot, leading to another BSOD, and so on forever). Yes, I know this point seems to really drive self-proclaimed "experts" absolutely batty, and they'll tell you never ever ever to not have a pagefile, but I've run half a dozen machines without pagefiles over the last two years, without a single problem occurring as a result. Quite the contrary, you get a VERY noticeable speedup, particularly with opening new explorer windows (not MSIE, but the filesystem navigation you get to from "My Computer"). -
Here's what I did
Got the trial version of DisKeeper (which is probably worth a purchase anyway, as it seems to perform better than Windows' defragger). Alternately you can get something like PageDefrag for free. Both of these will defrag your paging file, but DisKeeper allows you to place it at the beginning of a partition, allowing for faster access.
I first deleted all paging files and rebooted. This allowed me to start fresh. I followed these steps to setup my new paging file:
- Figure out a permanent size for your paging file. I recommend having 2gigs of memory (RAM + paging) for Windows XP. I have 1 gig of RAM, so I figured 1024MB was good (as the article says, you should probably determine what your maximum load is and then choose a size). Allowing the paging file to grow and shrink will always introduce fragmentation.
- If possible, put the paging file on a separate disk than the one Windows is installed on. This will reduce head movement on the system disk and decrease access time for the paging file.
- If you're using DisKeeper, have it place the paging file at the beginning of the partition. Again, this should reduce access time.
I followed the instructions in the XP Tweaking Companion guide. It's a nice all-around guide for optimizing XP.
-
Re:Before the defrag
I've mentioned it elsewhere already. But try PageDefrag and Buzzsaw.
The first one will defragment your Windows pagefile on each boot. And Buzzsaw will defragment recently accessed files in the background, much less intrusive than Diskkeeper. Both are freeware tools. -
pagefile vs. swapfile
It explains what a paging file is and lists the differences between a swapfile and a paging file.
There is no difference.. He says that swapfiles would swap whole processes. I beg your pardon? Working on whole processes hasn't been the case since 'multiprogramming' on third generation computers (around 1965-1980).
btw, a good program to defrag your Windows page file is PageDefrag
Together with Dirms & Buzzsaw, you can keep your disk defragmented for free. Especially Buzzsaw is nice since it will defragment recently accessed files in the background. -
Re:Faster/easier method
Use the free PageDefrag utility from http://sysinternals.com.
-
Re:Or
SysInternals (who make some of the best freeware available for Windows) has PageDefrag. It defrags your registry hives and pagefile at boot, before Windows loads. Very slick program and free to boot.
-
(Use the Preview Button! Check those URLs!)
Brush up on your Windows architecture--everything is an object to the NT kernel. When you're bored, play with WinObj or the "NT Obj" tab in ReactOS Explorer to see how Windows really looks before the awful Win32 API comes and messes everything up.
-
Re:And how long have they been working on this?
Brush up on your Windows architecture--everything is an object to the NT kernel. When you're bored, play with WinObj (http://www.sysinternals.com/ntw2k/freeware/winobj.shtml) or the "NT Obj" tab in ReactOS Explorer (http://www.sky.franken.de/explorer/) to see how Windows really looks before the awful Win32 API comes and messes everything up. -
Re:Anyone know...
WTF? Firstly, there is no such thing as NtReadFileEx, only NtReadFile. Second, it's in ntdll.dll not kernel32.dll. Third, how did you expect this to crash the system? Libraries such as this one are mapped copy-on-write: you'll only be screwing up your own copy, which will lead to a crash of your own process at most. The kernel (and every other process) will retain the original pristine version. Fourth, your terminology sucks: you're talking about overwriting a library in memory but you mention EIP and registers, which have nothing to do with it. The only registers used are one for the function number and one for a pointer to the arguments. The kernel tries to copy the function's amount bytes from the source buffer to the kernel stack, and if there aren't enough, it fails safely. See this page for a detailed walkthrough.
I've heard some trashy anti-windows trolls in the past, but this one tops them all. Fuck off. -
Re:Anyone know...
Am I alone in wondering whether this truth extends to running Windows Limited Accounts, instead of Administrator logins?
I'm sure it does extend to that. Users aren't used to dealing with computer security, on any operating system. It wasn't so important to a home user before the Internet, and it was impossible on 9x. Now they're using a different OS and are connected to a malicious network, but don't want to learn to adapt.
As for resources, ask Google.
noadmin.editme.com has a wiki about it, and also see Aaron Margosis' WebLog, aka the The Non-Admin blog, made by a Microsoft employee.
Windows NT Security in Theory and Practice, a long-running set of MSDN articles about NT security, is also interesting, especially to developers.
Also useful are FileMon and RegMon from SysInternals, to see what files/reg keys an app is hung up on trying to get unreasonable access to. (Remember that security is checked only on open/create, so set the filter to show opens only)
Still, there is too little information about running stuff as non-admin. Part of the problem is that making a program run as non-admin when it wasn't designed for that, usually isn't easy. -
Re:SHOCKER- Microsoft's new framework forces upgra
Are you sure? Why do most DOS apps still run in Windows XP? You can use your Word 6.0 in your Windows XP with no problems. I think it makes sense to rewrite parts of your application to take advantage of new features. How can you develop software using an API that doesn't exist? Try to develop a Linux app
-
Re:BSOD
Then you, sir, are using the wrong Screensaver.
-
Sysinternals.com is a Good site
Sysinternals has been around a while. These guys really know their stuff when it comes to Windows operating systems.
Here are some good tools of theirs that I use frequently:
Autoruns
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
Shows a complete list of programs that start up automatically when Windows starts.
Filemon
http://www.sysinternals.com/ntw2k/source/filemon.shtml
Filemon shows all filesystem access, so you can see which files programs are accessing. I have found it very useful in diagnosing software problems and fighting spyware.
Regmon
http://www.sysinternals.com/ntw2k/source/regmon.shtml
Like Filemon, but for registry access. Shows keys being read and created.
Pagedefrag
http://www.sysinternals.com/ntw2k/freeware/pagedefrag.shtml
Defrags the registry hive (most of the registry is stored on disk but is not typically defragmented by many tools) and paging file.
Also many others here: http://www.sysinternals.com/ntw2k/utilities.shtml
IMHO any Windows admin should have this stuff installed. Many of the utils come with source code.
-
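The Autoruns entry above and the earlier "manually check and clean the registry start up keys" advice both come down to the same sweep: enumerate the Run and RunOnce keys, resolve each command to the file it launches, and check whether that file exists and is signed. The script below is an added example that does a small Autoruns-style version of that for the classic Run keys only (Autoruns itself covers many more locations); it is not code from the poster or from Sysinternals, and the "suspicious" heuristic (missing file, unsigned file, or a file living under a profile or temp directory) is an assumption about what is worth a human's attention, not a verdict.

```powershell
# Added example, not from the thread: an Autoruns-style sweep of the classic Run/RunOnce
# keys that resolves each command to its executable and checks existence and signature.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every Get-ItemProperty result; not autorun values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-AutorunImage {
    param([string]$Command)
    # "C:\Program Files\x\y.exe" /arg  ->  C:\Program Files\x\y.exe
    if ($Command -match '^\s*"([^"]+)"') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    # Unquoted form: take everything up to and including the first .exe
    if ($Command -match '^\s*(.+?\.exe)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return $Command.Trim()
}

function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }
            $image  = Resolve-AutorunImage -Command ([string]$p.Value)
            $exists = Test-Path -LiteralPath $image -PathType Leaf
            # SignatureStatus: Valid, NotSigned, HashMismatch, NotTrusted, ...
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Image      = $image
                Exists     = $exists
                Signature  = $sig
                # Heuristic (assumption): missing or unsigned images, or images launched from
                # a profile/temp directory, are the ones worth a closer look.
                Suspicious = (-not $exists) -or
                             ($sig -ne 'Valid') -or
                             ($image -match '\\(AppData|Temp|Users\\Public)\\')
            }
        }
    }
}

Get-AutorunEntries |
    Sort-Object Suspicious -Descending |
    Format-Table Name, Image, Exists, Signature, Suspicious -AutoSize
```

Run it once on a known-clean build and keep the output; diffing a later run against that baseline is far more telling than reading the list cold, because a new entry, a changed image path, or a signature that has gone from Valid to NotSigned stands out immediately.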