Slashdot Mirror

← Back to Domains

Domain: sysinternals.com

Stories and comments across the archive that link to sysinternals.com.

Comments · 757

  1. Sysinternals.com is a Good site by tristanj · · Score: 5, Informative · on SysInternals Releases RootkitRevealer
    Sysinternals has been around a while. These guys really know their stuff when it comes to Windows operating systems.

    Here are some good tools of their that I use frequently

    Autoruns

    http://www.sysinternals.com/ntw2k/freeware/autorun s.shtml shows a complete list of programs that start up automatically when windows starts. Filemon

    http://www.sysinternals.com/ntw2k/source/filemon.s html Filemon shows all filesystem access, so you can see which files programs are accessing. I have found it very useful in diagnosing software problems and fighting spyware. Regmon

    http://www.sysinternals.com/ntw2k/source/regmon.sh tml Like filemon, but for registry access. Shows keys being read and created. Pagedefrag

    http://www.sysinternals.com/ntw2k/freeware/pagedef rag.shtml Defrags the registry hive (most of the registry is stored on disk but is not typically defragmented by many tools) and paging file. Also many others here

    http://www.sysinternals.com/ntw2k/utilities.shtml

    IMHO any windows admin should have this stuff installed. Many of the utils come with source code.

  2. Sysinternals.com is a Good site by tristanj · · Score: 5, Informative · on SysInternals Releases RootkitRevealer
    Sysinternals has been around a while. These guys really know their stuff when it comes to Windows operating systems.

    Here are some good tools of their that I use frequently

    Autoruns

    http://www.sysinternals.com/ntw2k/freeware/autorun s.shtml shows a complete list of programs that start up automatically when windows starts. Filemon

    http://www.sysinternals.com/ntw2k/source/filemon.s html Filemon shows all filesystem access, so you can see which files programs are accessing. I have found it very useful in diagnosing software problems and fighting spyware. Regmon

    http://www.sysinternals.com/ntw2k/source/regmon.sh tml Like filemon, but for registry access. Shows keys being read and created. Pagedefrag

    http://www.sysinternals.com/ntw2k/freeware/pagedef rag.shtml Defrags the registry hive (most of the registry is stored on disk but is not typically defragmented by many tools) and paging file. Also many others here

    http://www.sysinternals.com/ntw2k/utilities.shtml

    IMHO any windows admin should have this stuff installed. Many of the utils come with source code.

  3. Reputation Counts by Ridgelift · · Score: 5, Insightful · on SysInternals Releases RootkitRevealer

    Mark Russinovich and Bryce Cogswell have been providing invaluable tools for years. Even if Microsoft released a rootkit detection package tomorrow, I would still use sysinternal's over anything Microsoft provides because "there is no anonymous team of programmers or writers behind Sysinternals". They put their name on everything they give away and sell.

    When it comes to trust, people put their names on things they know are trustworthy. I can't count the number of times I've felt betrayed by Microsoft's products not doing what they're supposed to do, only to discover a flaw in their product that they knew about but didn't tell so as not to affect sales. I also can't count the number of times utilities such as NTFS for DOS have saved my butt in the field.

    Way to go Sysinternals.

  4. Reputation Counts by Ridgelift · · Score: 5, Insightful · on SysInternals Releases RootkitRevealer

    Mark Russinovich and Bryce Cogswell have been providing invaluable tools for years. Even if Microsoft released a rootkit detection package tomorrow, I would still use sysinternal's over anything Microsoft provides because "there is no anonymous team of programmers or writers behind Sysinternals". They put their name on everything they give away and sell.

    When it comes to trust, people put their names on things they know are trustworthy. I can't count the number of times I've felt betrayed by Microsoft's products not doing what they're supposed to do, only to discover a flaw in their product that they knew about but didn't tell so as not to affect sales. I also can't count the number of times utilities such as NTFS for DOS have saved my butt in the field.

    Way to go Sysinternals.

  5. Sysinternals is great by Dr.Opveter · · Score: 5, Informative · on SysInternals Releases RootkitRevealer
    I love their stuff

    No really, they have class utilities for free, thanks Sysinternals

  6. Re:Happened to me 2 days ago. by ManxStef · · Score: 1 · on Microsoft Warns of Impossible to Clean Spyware

    In cases like this the SysInternals tool Process Explorer is massively handy -- it's taskman but much, much better, and has the ability to both display the process list heirarchally and list the actual commandline call, so it's easy to spot something dodgy. Combine that with TCPView, which shows all listening &/or open TCP ports, and you'll be able to find all but the proper rootkits.

    Speaking of taskman clones, SpyBot actually has one built-in in the Tools section, though you have to be in "Advanced Mode": click on the header of the Tools list in the left-hand pane, then tick the checkbox next to the "Process List" icon in the right-hand pane (and tick some of the others, too, e.g. BHO's & ActiveX) and these items will now appear in the l-h pane - check them out, they're basic but very useful :) (It's a shame Spybot's UI's a bit wierd, I know plenty of people who didn't know these features were there!)

    If you're more of a commandline person, the PSTools suite a little better - pslist will give you the process list, then pskill processname will despatch it (if it's really cheeky it'll respawn itself), and there are a few other useful ones there, too. XP actually has very similar commandline tools to the above, but that's no help if you're on 2000!

    (Though as you mention regmon you've probably got the other SysInternal tools, too, but this post might come in handy for someone else?)
  7. Re:Happened to me 2 days ago. by ManxStef · · Score: 1 · on Microsoft Warns of Impossible to Clean Spyware

    In cases like this the SysInternals tool Process Explorer is massively handy -- it's taskman but much, much better, and has the ability to both display the process list heirarchally and list the actual commandline call, so it's easy to spot something dodgy. Combine that with TCPView, which shows all listening &/or open TCP ports, and you'll be able to find all but the proper rootkits.

    Speaking of taskman clones, SpyBot actually has one built-in in the Tools section, though you have to be in "Advanced Mode": click on the header of the Tools list in the left-hand pane, then tick the checkbox next to the "Process List" icon in the right-hand pane (and tick some of the others, too, e.g. BHO's & ActiveX) and these items will now appear in the l-h pane - check them out, they're basic but very useful :) (It's a shame Spybot's UI's a bit wierd, I know plenty of people who didn't know these features were there!)

    If you're more of a commandline person, the PSTools suite a little better - pslist will give you the process list, then pskill processname will despatch it (if it's really cheeky it'll respawn itself), and there are a few other useful ones there, too. XP actually has very similar commandline tools to the above, but that's no help if you're on 2000!

    (Though as you mention regmon you've probably got the other SysInternal tools, too, but this post might come in handy for someone else?)
  8. Re:Happened to me 2 days ago. by ManxStef · · Score: 1 · on Microsoft Warns of Impossible to Clean Spyware

    In cases like this the SysInternals tool Process Explorer is massively handy -- it's taskman but much, much better, and has the ability to both display the process list heirarchally and list the actual commandline call, so it's easy to spot something dodgy. Combine that with TCPView, which shows all listening &/or open TCP ports, and you'll be able to find all but the proper rootkits.

    Speaking of taskman clones, SpyBot actually has one built-in in the Tools section, though you have to be in "Advanced Mode": click on the header of the Tools list in the left-hand pane, then tick the checkbox next to the "Process List" icon in the right-hand pane (and tick some of the others, too, e.g. BHO's & ActiveX) and these items will now appear in the l-h pane - check them out, they're basic but very useful :) (It's a shame Spybot's UI's a bit wierd, I know plenty of people who didn't know these features were there!)

    If you're more of a commandline person, the PSTools suite a little better - pslist will give you the process list, then pskill processname will despatch it (if it's really cheeky it'll respawn itself), and there are a few other useful ones there, too. XP actually has very similar commandline tools to the above, but that's no help if you're on 2000!

    (Though as you mention regmon you've probably got the other SysInternal tools, too, but this post might come in handy for someone else?)
  9. Already in the wild? by kilocomp · · Score: 4, Interesting · on Microsoft Warns of Impossible to Clean Spyware

    One of the computers I support had a very nasty piece of spyware. I am not sure if it was exploiting the same things described by Microsoft, but it had the following symptoms:
    1. The process would not show up in task manager
    2. The related files would not show up in Explorer
    3. The related registry keys did not show up in regedit
    4. It some how was being called by Winlogin, so it ran even in safe mode.

    The way I detected it was by using several Sysinternals utilities http://www.sysinternals.com/. I have a script that uses pslist to monitor all processes on the network and this spyware was not smart enough to hide from that. A remote regedit session enabled you to see the related registry files. I had to use BartPE http://www.nu2.nu/pebuilder/ to mount the drive and clean out the related files and registry keys.

  10. Re:Yippee by Anonymous Coward · · Score: 0 · on IE7 Announced for Longhorn and WinXP

    Actually. It is funny to see everyone claiming that IE is loaded at boot and this is why it loads so quickly.

    But my boot process only takes a few seconds, so IE still loads faster than Mozilla or FireFox considering the whole OS is loaded at boot.

    For facts, what part of IE is integrated into the OS? Or is it that IE uses integrated features (like mshtml.dll)?

    Just because these DLLs exist it doesn't mean they are all loaded or integrated in the OS kernel. You can use any process explorer to verify what is loaded or not.

    At least I can't see that Windows Explorer is loading mshtml.dll unless I choose to display a folder as a webpage.

  11. Re:Still smoking crack, eh? by Foolhardy · · Score: 1 · on Ask Microsoft's Martin Taylor About Linux vs. Windows
    And unless you are running a version of Apache from 1984 (or a version for AIX on windows), it never required cygwin... NEVER! In which case it begs the question: what the hell kind of comparison are you trying to make by comparing a recent version of IIS to a version of Apache thats 10 years old?!!
    I'm sorry I ever mentioned Cygwin. The version that wastes threads is the most recent release I could find: 2.0.52, from here. Also, I'm not comparing it to IIS or any other web server. I am comparing Apache's threading model, one that is efficent on UNIX to one that would be much more efficent on Windows.
    If it's that simple then why doesn't everyone do it? Hmmm? Why aren't all programs optimized for that and enabled to run at a command line? You'd think everyone would want this right? Faster apps, better functionality.
    The reason is that almost all software for Windows was written for the Win32 API, which is integrated hopelessly into the GUI. The alternative is to use NT's native API. Almost nothing is written for it because Microsoft's documentation of it is poor (there are several good third party sources, however) and almost all libraries depend on Win32. If even one library or one program needs Win32, the whole GUI needs to be loaded. Using only the native API is possible, but there is so little software that only uses ntdll, it usually isn't practical to exclude Win32. Most of Windows's own components even depend on Win32, but if you don't need them it isn't a problem; such as running Apache and nothing else. XP has maybe 10MB of user mode binaries that don't depend on Win32.
  12. Re:Still smoking crack, eh? by Foolhardy · · Score: 1 · on Ask Microsoft's Martin Taylor About Linux vs. Windows
    Apache doesn't need cygwin. Who the hell told you that? I run an install just fine without CYGWIN; you only need CYGWIN to use system calls. If you don't use them or find an alternate method or approach (which there are several), you don't need cygwin at all. :)

    And Apache does not need 100 processes. I swear you Microsofties have some sweet crack over there that you guys are smoking to keep spitting out all this bullshit.

    Regardless, it's still faster and more stable on Windows than IIS anyday :)
    No, you're right. Apache doesn't require Cygwin. Sorry. That's just the version I had laying around.

    I never said that Apache required 100 processes. I said that it requires 100 threads to support 100 potental connections, even if nobody is connected. Did you even read the docs I quoted? On a fresh install of Apache 2.0.52 for Windows, it wants to have 250 threads by default. That's ridiculous. I start Apache, and sure enough: it has 252 threads sitting idle for no reason. Surely Apache could create new threads on demand, up to a limit rather than allocating them prematurely? Having large quantites of threads scheduled in a round-robin order is not an optomized strategy in Windows, which is was the original point. Yes, I can turn the amount of threads down, but that would leave clients with too many connections errors if I set it any lower than peak usage.

    Who said anything about IIS? This is about software designed for UNIX not performing well on Windows because the architectures are different.
    And just to make an additional point about memory availability.... do that control-alt-del again and take a look at physical memory and kernel memory, and look at total, available, paged, etc. Notice that the numbers are alot smaller than they should be? Go ahead. Take some time to do the math, I'll wait.
    Task manager doesn't exactly have a super detailed memory report. The performance monitor is better.
    Available Bytes (free + zeroed + standby) 87187456
    Resident kernel bytes (aka cache bytes, not to be confused with system cache) 19628032
    Nonpaged kernel bytes 2404352
    Total process working sets 21241856
    Total process paged pools 220040
    Total process nonpaged pools 274408
    Total shared bytes 3261584
    Total bytes accounted for 130956144
    128MB = 130956144 bytes
    I don't see any missing memory.

    The GUI is part of the Win32 subsystem. The subsystem server and video driver owns all the shared state for GUI apps. Since NT4, the Win32 subsystem server runs mostly in kernel mode from win32k.sys, so all of the GUI's memory is reflected as part of the kernel's paged pool. You can use the driver verfier's pool tracking hook to see how much memory win32k has allocated. Let's see here: win32k has 626952 paged and 6160 nonpaged bytes allocated. Can I run XF86 and a window manager with 630k of memory? ntfs.sys alone is using more than three times that.
    You can't shut down the Windows in Windows my friend.
    Actually, you can. The GUI is an optional environment subsystem. Unfortunately, the GUI is connected to Win32, and Apache depends on Win32. If Apache knew how to make native syscalls instead, it'd be no problem to run only Apache. Just rename it smss.exe :)
  13. Re:Do you work using restricted accounts by Foolhardy · · Score: 1 · on Microsoft's AntiSpyware Disabled by Spyware

    PsExec can start a new process as admin with the password on the command line.
    SU/SUD is a more flexible program, including a setuid equivalent function.
    Also, SFU can launch Win32 processes as different users with su and can also do setuid.

  14. It's already there by Henk+Poley · · Score: 1 · on Ask Microsoft's Martin Taylor About Linux vs. Windows

    You know, it's already there, most of what you ask for. It's just that there aren't that much programs written for the Windows NT Native API.

    http://www.sysinternals.com/ntw2k/info/ntdll.shtml

  15. Re:Sorry Bill but you're full of shit by Foolhardy · · Score: 2, Insightful · on BBC Bill Gates Interview Part 2: Security
    Apparently the message isn't getting through. Here's a repost of a comment I made before:
    with the IE api hooks into the kernel
    What are you talking about? Internet explorer is a 100% user mode shell environment. It is not, has never been, and never will be integrated into the kernel, or given special hooks or privileges. All of the entry points into the kernel are exported by ntdll.dll. Tell me which of those functions hooks IE into the kernel.
    The objects you would need to control to take over the system are kernel objects which IE plays no part in managing.
    Since the Win32 server moved into kernel mode (in NT4), it has its own system function table, and none of those functions are a part of IE either.

    Show me ONE malware program that can install itself for all users when only a normal user runs it.
  16. Re:But what about Debian/NT? by Foolhardy · · Score: 3, Interesting · on Microsoft in 2008

    That's why SFU isn't built on top of Win32, but the kernel's native API, which does fork() just fine. So does SFU; it uses the native API.
    The NT kernel was designed from the beginning to support different environments, including POSIX and Win32. Each environment subsystem consists of a server process that maintains common state specific to the environment, and a set of client libraries that translate the environment's API to the native API and calls to the server. Win32 is an environment subsystem and so is SFU.

    For some reason, cygwin (which debian-win32 uses) insists on using only Win32, so they have to resort to kludges to make certain things like fork() work.
    Now that SFU is free, I don't see why debian-win32 couldn't use that instead of cygwin.

    As it stands, Interop Systems has the best collection of packages for SFU. Most of the essential stuff is there, but it's still a far cry from Debian's library.

  17. XP and foibles of local security by Roman_(ajvvs) · · Score: 1 · on Just How Paranoid Are You?
    almost every application requires that you have local administrator privilege or it will not work properly
    This is an application installation design issue. This is not an issue with the operating system security. InnoSetup as an example has a flag which installation creators can set to require administrative privileges. general guidelines say only to use it when it's actually needed. Not everyone follows guidelines, but MS is hardly to blame for this.

    You can't just give yourself local administrator privilege to install and then take it away
    "Run as..." can be accessed using an alternate click to impersonate any user when running any application. I have it on by default, so I can't tell which key combo; it's probably SHIFT + Right Click. Granted, some applications won't run because they think they're admin all the time and can do whatever they want, since they were installed as such. This is again an application issue.

    so if you have an xp machine with more than one user, you choice is to not let those users use basic applications like Palm Desktop (it's a documented requirement, so it's 'not a bug' [yeah, right]) and cd/dvd burning software, or give everyone local administrator privilege -- which rather defeats the purpose of having a local administrator privilege
    A solution is to find out which files your application requires access to and provide file-by-file access to users who need to run the program. You would do this for data files as well, so I don't see how this is any different. The complexity comes in when figuring out which files to "unlock". using a tool like filemon from http://www.sysinternals.com/ can help in that regard.
    Nero as another example provides a tool to allow users without administrative privileges access to the DVD Burner. Their application is the problem, so they provided the solution. It's not up to MS to do this for them.

    local administrators can delete or modify any locally stored file

    You could theoretically make an account group with administrative-style privileges, and be able to lock this entire group out from folders. In my case, I have a laptop connected to a corporate LAN. noone logged in from that lan (including network admins!) can access primary shares on my drive. However, I've given read-only access to non-network systems so I can get stuff I need from any test computer (which are never logged on to the network).

    In summary, you should think again about being admin yourself, since you don't understand the basic principles of administration. These same techniques (with variations of course) equally apply to any other OS. Unfortunately MS makes it look like it's easier than it really is.

  18. Re:Interested by cortana · · Score: 1 · on Local Root Exploit in Linux 2.4 and 2.6

    Cite please?

    Do you really mean what you are saying? I've looked through all the Native APIs listed at http://www.sysinternals.com/ntw2k/info/ntdll.shtml and I can't seem to find any mention of Internet Explorer.

  19. Re:OT Unix - like OS by Foolhardy · · Score: 2, Informative · on Mike Hall on Choosing Embedded Linux over Windows
    1. The Object Manager provides a single tree for all named objects, including files. Win32 has its own directory in the OM of symbolic links that connect the DOS compatible drive letters to the actual devices. For files, Win32 just sticks \DosDevices\ on the front of the path before handing it to the native (syscall) api. \DosDevices\C: is commonly a symlink to \Device\HarddiskVolume1, equivalent to /dev/hda1.
    2. The OM can be extended by any kernel mode component by adding a new object type. One thing that an object type can do is be reparsable; extending the namespace into an object as if it were a directory. One of the object types that the IO Manager exports are device objects. Device objects are reparsable and are used to extend the root namespace into filesystems that will return file objects.
    3. Everything in UNIX that is a file is also a file object in NT, and many more kinds of things are also objects. Browsing through \Device with winobj I see a beep device, null, my cdrom, the gameport, my harddisk partitions, the keyboard, sysaudio, the video device, several protocols (IP, TCP, UDP, NwLnkIpx, NwLnkSpx), the named pipe filesystem (npfs.sys), the mailslot filesystem (msfs.sys), NFS and SMB server and client devices, and tons of other stuff. Each of these are device objects that produce file objects for client processes; objects under the IO Manager's domain. You can use the same read, write and ioctl functions on all of them. Some, like TCP rely heavily on ioctls but you can still use read and write on a socket handle (which is really a file open under \Device\TCP)
    4. Win32 does not support fork directly (and neither do many popular shared Win32 libaries), but NT itself has no problems with any of those functions. Environment subsystems like SFU use the same syscall interface that Win32 does to make processes and such.
    5. I don't think that this is really a requirement of UNIX. Yes, it should provide compatibility as needed for the old style permissions but there are UNIXes that use ACLs internally.
    The programming style for UNIX or even a POSIX target is different from Win32. This isn't due to NT, but the Win32 subsystem and all the libraries that are initialized up startup for new Win32 processes. NT is perfectly happy to make a new process with a copy of the parent's address space with no new memory or threads or libraries or anything. fork() in SFU is as fast and efficent as it should be.
  20. Re:OT Unix - like OS by Foolhardy · · Score: 2, Informative · on Mike Hall on Choosing Embedded Linux over Windows
    1. The Object Manager provides a single tree for all named objects, including files. Win32 has its own directory in the OM of symbolic links that connect the DOS compatible drive letters to the actual devices. For files, Win32 just sticks \DosDevices\ on the front of the path before handing it to the native (syscall) api. \DosDevices\C: is commonly a symlink to \Device\HarddiskVolume1, equivalent to /dev/hda1.
    2. The OM can be extended by any kernel mode component by adding a new object type. One thing that an object type can do is be reparsable; extending the namespace into an object as if it were a directory. One of the object types that the IO Manager exports are device objects. Device objects are reparsable and are used to extend the root namespace into filesystems that will return file objects.
    3. Everything in UNIX that is a file is also a file object in NT, and many more kinds of things are also objects. Browsing through \Device with winobj I see a beep device, null, my cdrom, the gameport, my harddisk partitions, the keyboard, sysaudio, the video device, several protocols (IP, TCP, UDP, NwLnkIpx, NwLnkSpx), the named pipe filesystem (npfs.sys), the mailslot filesystem (msfs.sys), NFS and SMB server and client devices, and tons of other stuff. Each of these are device objects that produce file objects for client processes; objects under the IO Manager's domain. You can use the same read, write and ioctl functions on all of them. Some, like TCP rely heavily on ioctls but you can still use read and write on a socket handle (which is really a file open under \Device\TCP)
    4. Win32 does not support fork directly (and neither do many popular shared Win32 libaries), but NT itself has no problems with any of those functions. Environment subsystems like SFU use the same syscall interface that Win32 does to make processes and such.
    5. I don't think that this is really a requirement of UNIX. Yes, it should provide compatibility as needed for the old style permissions but there are UNIXes that use ACLs internally.
    The programming style for UNIX or even a POSIX target is different from Win32. This isn't due to NT, but the Win32 subsystem and all the libraries that are initialized up startup for new Win32 processes. NT is perfectly happy to make a new process with a copy of the parent's address space with no new memory or threads or libraries or anything. fork() in SFU is as fast and efficent as it should be.
  21. Re:MS = the Mob by Foolhardy · · Score: 2, Informative · on MS AntiSpyware vs Ad-Aware vs. SpyBot

    Have you looked at Process Explorer? It's a task manager type progam that provides tons of extra information: for each process you can see its parent, the startup options, a list of every kernel handle it has open, every library it has loaded, a cpu and memory usage graph, a list of threads with stack and status for each, what services (if any) are running inside it (for the svchosts mainly), what sockets are open, environment variable information, image strings and more. Lots of other tools at sysinternals.com too.

  22. Re:*sits back* by skinfitz · · Score: 1 · on Local Root Exploit in Linux 2.4 and 2.6

    I use psexec (and the other excellent pstools) a lot and this question has come up before - Sysinternals give away the source, and they would be wonderful to have on Linux, but I've yet to see them ported.

  23. Re:*sits back* by zerblat · · Score: 1 · on Local Root Exploit in Linux 2.4 and 2.6

    Ah, but that's the nice thing about Windows, you don't even have to install a telnet server (or some other remote execution server) to be able to run processes remotely -- have a look at psexec. Extremely handy.

  24. Change Permissions by Noksagt · · Score: 2, Insightful · on Windows OSS Only For Administrators?

    If you trust the software, just grant the Users group extra permissions & file a bug report for what you had to do. In environments where I trust the users, I am lazy & grant users the same permission for the apparently relevant files and directories as the accounts that can run the software. On some occasions, this includes changing permissions of dlls outside of the installation directory. I use listdlls to do this. In less trusted environments, I will gradually add read+execute access for the users to the programs & dlls users need. If I get sick of trying to fix it, I usually reevaluate the need to install the program or the level of trust to grant the users.

  25. Re:Ironic that Apache 2.x is going to threaded mod by Foolhardy · · Score: 3, Informative · on Quest For "Unbreakable Java" Unites ABAP & Java

    Underneath the Win32 API is the NT Native API. NtCreateProcess can be called with the SectionHandle parameter set to NULL which produces a new process with the same address space as the ParentProcess handle, mapped copy-on-write just like fork. CreateProcess from win32 calls this function to create a new process but does not expose all of the functionaility.
    SFU and the POSIX subsystem have to use NtCreateProcess too, but take advantage of SectionHandle=NULL.

    Cygwin uses copy-on-create to simulate copy-on-write by copying the entire address space to the child. This is slow and wastes memory. The cygwin mailing lists have had endless arguments on why they don't take advantage of NtCreateProcess. Here's a small thread.
    Also, there is the problem that Win32 does a lot more than just call NtCreateProcess: the native function creates a new process but nothing else. It allocates no memory, creates no threads, and loads no libraries. When you call CreateProcess from Win32, it does all that for you. Since Cygwin implements Posix (and related) over Win32, not Posix over NT (as opposed to SFU which is over NT), they feel compelled to use only Win32 functions.
    It would be nice to have a cygwin fork that creates its own subsystem, an open-source SFU, that would take advantage of this kind of thing.

    Depending on fork to provide stability is a workaround for the real problem: the app crashing.
    Besides, if your data areas are well defined, you can put them in shared memory sections and have the children map that copy-on-write at the same addresses.

  26. Re:Windows clusters don't make sense by Foolhardy · · Score: 3, Informative · on Microsoft Finally up for Distributed Computing?

    top - pslist
    ptree - pslist
    w - psloggedon
    ls -al - dir /adhs, fsutil (both standard)
    finger - finger (standard)
    unzip - expand (standard, for CABs), cygwin unzip, rar
    mount - (automatic), fsutil, linkd (from resource kit)
    make - make (comes with SDK)
    grep - find (standard)
    piping with | > < are the same
    perl
    cygwin for other UNIX processing utils.

  27. Re:Windows clusters don't make sense by Foolhardy · · Score: 3, Informative · on Microsoft Finally up for Distributed Computing?

    top - pslist
    ptree - pslist
    w - psloggedon
    ls -al - dir /adhs, fsutil (both standard)
    finger - finger (standard)
    unzip - expand (standard, for CABs), cygwin unzip, rar
    mount - (automatic), fsutil, linkd (from resource kit)
    make - make (comes with SDK)
    grep - find (standard)
    piping with | > < are the same
    perl
    cygwin for other UNIX processing utils.

  28. Re:Windows clusters don't make sense by Foolhardy · · Score: 3, Informative · on Microsoft Finally up for Distributed Computing?

    top - pslist
    ptree - pslist
    w - psloggedon
    ls -al - dir /adhs, fsutil (both standard)
    finger - finger (standard)
    unzip - expand (standard, for CABs), cygwin unzip, rar
    mount - (automatic), fsutil, linkd (from resource kit)
    make - make (comes with SDK)
    grep - find (standard)
    piping with | > < are the same
    perl
    cygwin for other UNIX processing utils.

  29. procxp by zlel · · Score: 1 · on Free Windows Software Without Spyware/Adware

    Does anyone else use procxp from Sysinternals? It's the most needed thing to help you weed out file handle ghosts so that you don't have to reboot your whole system to delete a darn file... oh yes, sysinternals does offer pretty nifty stuff.

  30. Sysinternals utilities by ReKleSS · · Score: 1 · on Free Windows Software Without Spyware/Adware

    Back when I was using windows (errr... about a year ago? I don't remember) I found the utilities written by Sysinternals very handy. They're probably not of use to everyone, but there were a few times when they were invaluable.
    -ReK

  31. And the less obvious by Osty · · Score: 5, Informative · on Free Windows Software Without Spyware/Adware

    For power users, mostly (because they'll confuse your grandma)

    • Startup Monitor. Priceless for dealing with crap like Real or Quicktime that always want to setup stubs to run at boot. The popup warning is pretty non-descriptive, though.
    • Startup Control Panel, also from Mike Lin (the Startup Monitor guy). Similar to msconfig's Startup tab, but more powerful.
    • Pretty much anything from Sysinternals. And they provide source!

    I'm sure there are many others, but those are the ones that immediately came to mind.
  32. Re:what if you cant by Myen · · Score: 1 · on Four New Unpatched Windows Vulnerabilities

    Assuming you are running Win32 (as opposed the Win64), try turning DEP off via boot.ini (look under /noexecute).

  33. Re:No way by Foolhardy · · Score: 1 · on Microsoft Acquires Spyware Removal Company
    But to the OS the file is gone.
    The file is still there, taking up space, it just doesn't have an entry in that directoy anymore. Once the refcount reaches 0, i.e. no longer listed in any directories and not opened by anything, the space is de-allocated.
    Just as MS windows doesn't wipe the free space, but just updates the file allocation table.
    UNIX doesn't either; you have to use shred on it to clear the free space. Both OSes prevent you from reading old data from previously deallocated sectors (unless you resort to direct disk access). The OS just makes a write operation of all zeros to newly allocated space, usually cached. It would take forever to delete large files otherwise.
    The problem with that is you get some spyware like vx2(I think that is the name), that monitors the registry.
    Registry keys have ACLs. Take whatever user the malware process is running as and add a full deny, or at least a deny-write, entry for that user to the FileRenameOperations key. Add the delete ops with a different admin user. This should work unless the kernel is infected, in which case only booting from trusted media will work.

    Also you might try if the spyware is monitoring stuff and can restart itself upon death is to suspend instead of kill the process; the death code won't be executed but the process will be just as useless. Process Explorer can suspend processes.

    Still, cleaning up an infected system is a poor substitute for preventing infection in the first place. It is entirely possible; I've been able to do it on all of my own computers. The fist step is not running everything as admin all the time.
  34. Re:No way by Foolhardy · · Score: 1 · on Microsoft Acquires Spyware Removal Company

    Yeah, the inability to delete a filename but leave the underlying inode (like UNIX does) is annoying.

    To work around this, the session manager (smss.exe: it's like the init process) provides a nice feature. In the registry key HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations there is a list of files to be moved or deleted the next time the OS starts. The value name is the source file and the value data is the destination. An empty destination means delete. This happens before any other processes are started, before Win32 starts, and even before the pagefile is created.

    Sysinternals has a couple of command line tools that can be used with this: movefile which adds new move operations and pendmoves which lists existing ones.
    See also the MOVEFILE_DELAY_UNTIL_REBOOT flag of MoveFileEx, which does the same thing from a program.

  35. Re:Common by pnutjam · · Score: 1 · on IT Practice Within Microsoft

    If you find out where the updates are installing, both in the file system and in the registry you can explicitly allow users access to those registry keys and folders. Then they will be able to isntall files. I find Sysinternals software invaluable for figuring out where software is trying to write.

  36. Re:Mistake by Foolhardy · · Score: 1 · on Linux Has Fewer Bugs Than Rivals

    The NT kernel supports multiple syscall tables. Any kernel mode component can add its own table. Since NT4, Win32 has its own syscall table because it has less overhead than an out of process LPC port to CSRSS (what was used before), but the kernel's native API is seperate.

    You may say that this is a trivial difference; that since the Win32 server runs in kernel mode and has a syscall table, it might as well be in the kernel. It wasn't much different before: the Win32 server ran as SYSTEM, the most priviliged account. Although it didn't have it's own syscall table, any app could send messages to it along the LPC port (\Windows\ApiPort). The same functions exported on the LPC port were simply moved to a syscall table. Most of winsrv.dll's functions were moved to win32k.sys. Nothing else in kernel mode, save video drivers, even care about win32k.

  37. Re:My the SAM be with you by bedessen · · Score: 1 · on AOL Plans A Standalone Browser

    autoruns from sysinternals.com is a much better way compared to using regedit by hand.

    It shows you ALL the locations where programs are automatically started (there are lots of them!) It shows you the path to the executable, and can show you its properties (filename, description, module name, version, etc. -- all the info fields embedded in the .exe), and lets you remove the entry with a single click.

  38. Re:My the SAM be with you by bedessen · · Score: 1 · on AOL Plans A Standalone Browser

    autoruns from sysinternals.com is a much better way compared to using regedit by hand.

    It shows you ALL the locations where programs are automatically started (there are lots of them!) It shows you the path to the executable, and can show you its properties (filename, description, module name, version, etc. -- all the info fields embedded in the .exe), and lets you remove the entry with a single click.

  39. Re:My the SAM be with you by JPriest · · Score: 1 · on AOL Plans A Standalone Browser

    But it also runs in starup... I use tools like msconfig, autoruns, Process Explorer, Security Task Manager, BootVis etc. I know exactly which processes run on my system, so if something new shows up I know it did the bad thing.

  40. Re:My the SAM be with you by JPriest · · Score: 1 · on AOL Plans A Standalone Browser

    But it also runs in starup... I use tools like msconfig, autoruns, Process Explorer, Security Task Manager, BootVis etc. I know exactly which processes run on my system, so if something new shows up I know it did the bad thing.

  41. Re:Running Win Server 2k3 as a Workstation by Foolhardy · · Score: 1 · on Service Pack 1 for Windows Server 2003

    Try Process Explorer. A property tab lists every service running in a process, among many other things, like every handle and network port opened by a process.

  42. Re:Wonder how long... by James.Stanton · · Score: 1 · on Spyware Removal is Big Business
    You don't know what any of these programs are sending, or how often they send it.

    Of course you do. Check out TCPView to when/if connections are being made, then use any of a dozen freely available packet sniffers to see what they're sending.
  43. Re:You can't play the 'luser' card! by Foolhardy · · Score: 1 · on Clean System to Zombie Bot in Four Minutes

    I did run AdAware and SpyBot once, but they were able to find nothing. And going with the bad analgies, I do lock the safe; it's called running as a normal user. Things like Process Explorer tell me what's inside.

    Besides, if the kernel is compromised properly, even a malware detector can't help you. Nothing short of booting from trusted media can.

  44. Re:Help... file delete by Johnno74 · · Score: 3, Informative · on CA's 'Pest Scan' Results Mislead Users

    Yes, there is a tool to tell you what process has is holding a lock on a file - you mentioned it in your article too!

    Use process explorer from Sysinternals. (free download)

    If you use the "find handle" function, and enter the filename, or partial filename, it will list the processes that have this file opened. The find dll function is similar, but finds all processes that have loaded the specified DLL. Very handy for spyware that lives in a dll and has loaded itself with rundll.exe...

    Its an incredibly useful tool. Its one of the first apps I install after a rebuild.

  45. Re:Actually, Windows can be quite stable... by Foolhardy · · Score: 4, Insightful · on Air Force Orders Up A Custom Windows Monoculture
    with the IE api hooks into the kernel
    What are you talking about? Internet explorer is a 100% user mode shell environment. It is not, has never been, and never will be integrated into the kernel, or given special hooks or privileges. All of the entry points into the kernel are exported by ntdll.dll. Tell me which of those functions hooks IE into the kernel.
    The objects you would need to control to take over the system are kernel objects which IE plays no part in managing.
    Since the Win32 server moved into kernel mode (in NT4), it has its own system function table, and none of those functions are a part of IE either.

    Show me ONE malware program that can install itself for all users when only a normal user runs it.
  46. Re:Wrong! by julesh · · Score: 1 · on Failed Win XP Upgrade Wipes Out UK Government Agency

    But then NTFS is a chore to acess from a "dead" system...

    Not in the slightest.

  47. Re:Personal experience with anti spyware tools by Software · · Score: 1 · on Failing Grades For Most Anti-Spyware Tools

    The Run key in the registry is only one of many places that spyware can be installed. To get all of them, use a tool like AutoRuns, from System Internals, which is free and works great (disclaimer: I haven't tried the just-released version 6.0). AutoRuns looks in several places, and allows you to easily disable or re-enable entries. I'm not sure that their disabling works reliably vs. spyware, because spyware will re-enable itself, but it's a start.

  48. Re:none here by kyhwana · · Score: 1 · on Failing Grades For Most Anti-Spyware Tools

    Also, sysinternals.com has a pretty decent process explorer.
    http://www.sysinternals.com/ntw2k/freeware/procexp .shtml

  49. Re:Well... not _quite_ right by Foolhardy · · Score: 1 · on Security Vulnerabilities Discovered in WinXP SP2
    Technically, in a really literal minded sense, that's correct. Technically, any Win32 component or control can be replaced. In practice, the way that Microsoft has built the system too much depends on the HTML control and Windows Explorer.
    You're right. Too much depends on the shell and the shell isn't very secure.
    For the latter, instead of mounting devices like my Jornada in the file system, they're shown on the desktop but are only there via a plugin for Windows Explorer, so without it I can't browse my Pocket PC.
    That was the decision of the Jornada support programmers to create a shell extension instead of an actual filesystem driver. Still, I can see why: the offical filesystem SDK is about $1000 USD (it's mostly one header file and a free version can be had here). Also, writing an NT FSD isn't easy.
    I can't have a great deal of faith in that design. There's just too much shared state between components of Windows, and too little control over the implementation of security boundaries: every component seems to have its own call gates, with multiple independent implementations of the same security and sanity checks on arguments and objects.
    NT is object-oriented. At the heart of object management is the Object Manager. The Object Manager provides a namespace of named objects, manages handles to those objects, including opening and duplication. Kernel mode components can add their own types of objects to the object manager by implementing functions for manipulating them.
    The Object Manager is also the only component that handles security checks when a new handle is created (by opening or duplicating) unless the object type overrides the SecurityProcedure: the IO manager object type Device overrides it so it can ask the filesystem to provide an ACL instead of relying on the Object Manager to store every file's ACL.
    One system call is NtAccessCheck; this is the defined method to check an ACL against a token and a requested access mask. Microsoft is pretty good about using it or it's win32 equivalent AccessCheck.
    Note that this applies only to kernel objects, which comprise almost everything securable in the operating system.
    Desktop, window station and job objects are all kernel objects that fall under the Object Manager's domain. None of them supply a custom SeurityProcedure, so they are checked like any other object.
  50. Re:No OS is 100% secure by Foolhardy · · Score: 1 · on Security Vulnerabilities Discovered in WinXP SP2

    The NT kernel's design has all kinds of wonderful possibilities for building a secure OS around. I really wish Microsoft would do it.

    So do I. Maybe Reactos?

    The Win32 subsystem, however, is inherently insecure. And without the Win32 subsystem, NT is not a complete OS.

    Yes, Win32 IS insecure, to a point. Window station, desktop and job objects are securable objects that NT adds that can be used to partition Win32 into sandboxes. They just aren't used much.

    Win32, includes not just the GUI but the equivalent of all the UNIX daemons and system services, and large parts of what in UNIX would be kernel modules. Take that out and you're left with less than the UNIX kernel.

    Most built in services are written for the Win32 subsystem since the user mode service control manager's interface is part of win32, but several have only superficial dependencies. The SMB client and server come to mind.

    I thought that the NT had more, not less things running in kernel mode. Nothing in kernel mode depends on win32, ever. The only thing related to win32 that runs in kernel mode is win32k.sys, the server part of win32. Nothing in the kernel depends on win32, or can even use win32. Moving win32 into kernel mode didn't change that.

    What, specifically, in Windows is implemented as a user-mode win32 dependent service that would normally be a kernel module in UNIX?

    Also, there is no such thing as THE UNIX kernel. There are UNIX kernels such as Linux or OpenBSD's kernel, but no one 'true' UNIX kernel.
    Compared to Linux, the NT kernel and executive services (ntoskrnl.exe) do a couple of things that Linux doesn't: the Configuration Manager AKA the Registry; a database for configuration info, the extensible Object Manager (althought the VFS comes close), and a dedicated local proceduce call facility (you can use pipes under either, but only NT has LPC) If you include all the modules that run in kernel mode (besides win32), there is more: SMB: the client is in mrxsmb.sys and the server is in srv.sys, MUP (mup.sys), CD burning support (as a filesystem), audio processing, the mailslot filesystem (msfs.sys), the named pipe filesystem (npfs.sys), plus all the things you'd expect: filesystems, bus drivers, USB drivers, and network stuff.

    If you were logged on to an NT workstation as a normal user, first of all, you're more likely to be infected by a virus in the first place because the design of the Win32 subsystem practically invites them in.

    Invites? How's that?

    Secondly, there's a lot more opportunities for an application to boost security to Administrator or even LOCALSYSTEM: not only is the security model very complex, but you have to have all the rights any application you run is ever going to need.

    NT isn't any more vulnerable to privilege escilation than UNIX is. Just because the security model is complex, doesn't mean it is broken. It may be harder to use, but it also provides much granularity (if you use it). For the last part, I don't understand what you are trying to say; how is this different from any other security model? Define a user's permissions so that they can do everything they need to. ACLs can be changed, but you should be able to set them up once.

    To top it all off, there's no hard "system call" interface between different security domains.

    Sure there is. It's called the Native API. The only way to request services of the kernel is through the system call interrupt, and all those functions are exported by ntdll.dll. Win32k adds an extra function table, though; it exports the services that used to be in us