Sunday, March 30, 2008

New and Improved (or maybe just stale and repackaged)

Did you know that there are secret meanings behind the twist-tie colors used on loaves of bread?

Urban Legends Reference Pages: Bread Tag Code

My grandmother seemed to believe she had special divine knowledge of these codes from above (although the only golden plates I ever saw her with were for serving hors d'œuvres).  She would carefully spend what seemed like hours hunting through the loaves finding a certain color of twist-tie.

Or maybe that just explains where the OCD comes from in the family.

Red Twisty

TechBlog: Updated: Is Windows XP's last service pack coming next month? - TechBlog

Now that I've successfully gotten Vista SP1 onto our laptop, I get to turn my anxiety to awaiting the upcoming release of XP SP3.

Will we block it from auto-installation across our XP systems at work? Unknown yet.

Will I make a slipstream version of XP Home/Pro setup disks? You Bet!

What am I looking most forward to in XP SP3? Hopefully seeing some performance gains.

Blue Twisty

Windows Incident Response: Registry Analysis - What Is It?? - In this post, Harlan goes in-depth to consider what may be an often overlooked area of exploration: the Windows Registry. As he points out in the opening of the post, the majority of research work I do involves hunting up a particular string of interest.  However, the Registry can contain a whole lot more powerful information, such as the last time a certain document was accessed, not just by the user, but by various applications, or maybe when a USB stick was plugged in under a user's account.

Looks like Harlan is making a sweet registry analysis tool and teasing us with it.

I'd love to get my hands on this thing!
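To make the "last time a document was accessed" point concrete, here is an added example (mine, not Harlan's tool) that decodes the Explorer RecentDocs MRU list from the user's hive: the MRUListEx value gives the order in which documents were opened (most recent first), and the key's LastWrite time tells you when the most recent one was touched. The parsing functions work on raw value bytes anywhere; only read_live_recent_docs needs Windows. The SAMPLE_VALUES dictionary is constructed sample data, not a real hive.

```python
"""Decode Explorer's RecentDocs MRU list (order of recently opened documents)
and the key's LastWrite time.  Added example, not part of the original post.
"""
import struct
from datetime import datetime, timedelta, timezone

RECENT_DOCS = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_mrulistex(blob):
    """MRUListEx is a little-endian DWORD array, most recent entry first,
    terminated by 0xFFFFFFFF.  Each DWORD names a numbered value in the key."""
    blob = blob[: len(blob) - len(blob) % 4]      # ignore a trailing partial DWORD
    order = []
    for (idx,) in struct.iter_unpack("<I", blob):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def parse_recent_doc(blob):
    """A numbered RecentDocs value starts with the file name as a NUL-terminated
    UTF-16LE string; a shell item (the .lnk name) follows it.  The terminator must be
    searched on a 2-byte boundary, or an ASCII name like 'a.txt' is cut mid-character."""
    i = 0
    while i + 1 < len(blob) and not (blob[i] == 0 and blob[i + 1] == 0):
        i += 2
    return blob[:i].decode("utf-16-le", errors="replace")


def recent_docs_in_order(values):
    """values maps value names ('0', '1', ..., 'MRUListEx') to raw bytes as read from the key."""
    order = parse_mrulistex(values.get("MRUListEx", b""))
    return [parse_recent_doc(values[str(i)]) for i in order if str(i) in values]


def read_live_recent_docs(ext=None):
    """Windows only: read the current user's RecentDocs key (or a per-extension subkey such
    as '.docx').  Returns (key LastWrite time in UTC, document names most recent first)."""
    import winreg  # raises ImportError off Windows; the parsers above do not need it
    path = RECENT_DOCS if ext is None else RECENT_DOCS + "\\" + ext
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        _subkeys, n_values, last_write = winreg.QueryInfoKey(key)
        values = {}
        for i in range(n_values):
            name, data, _vtype = winreg.EnumValue(key, i)
            values[name] = data
    return filetime_to_datetime(last_write), recent_docs_in_order(values)


def _entry(name):
    # constructed: file name + a stand-in for the shell item bytes that follow it
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00\x00\x00"


SAMPLE_VALUES = {  # constructed sample, not from a real hive
    "MRUListEx": struct.pack("<IIII", 2, 0, 1, 0xFFFFFFFF),
    "0": _entry("budget.xls"),
    "1": _entry("notes.txt"),
    "2": _entry("résumé.docx"),
}

if __name__ == "__main__":
    try:
        when, docs = read_live_recent_docs()
        print(f"RecentDocs last written {when:%Y-%m-%d %H:%M:%S} UTC, most recent first:")
    except (ImportError, OSError):   # not on Windows (or key missing): use the sample
        when, docs = None, recent_docs_in_order(SAMPLE_VALUES)
        print("Sample RecentDocs, most recent first:")
    for doc in docs:
        print(" ", doc)
```

The LastWrite time only dates the most recent entry; older entries have no timestamp of their own in this key, which is why the order from MRUListEx matters.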

Introducing the Basic Process Manipulation Tool Kit « Didier Stevens

Meanwhile, not to be outdone, Didier Stevens has posted a new tool of his own, the Basic Process Manipulation Tool Kit, designed for researching security mechanisms implemented in user processes.

The toolkit has commands to search and replace data inside the memory of processes, dump memory or strings, inject DLLs, patch import address tables, … I’ll be posting examples in the coming weeks, illustrating how these commands can be used.

Didier then provides a fascinating example using Firefox and how it manages the storing of passwords in memory.

I'm curious how this tool might be applied to researching running malware processes, looking for URLs and embedded passwords in the malware programs.  Might be very helpful.

I can't wait for the example posts to start flowing.
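As an added example of the "dump strings from a running process and look for URLs and passwords" idea above (my code, not Didier's toolkit, which targets Windows processes), the following script walks a process's readable memory and reports anything that looks like a URL or a credential assignment, in both 8-bit and UTF-16LE strings. It reads /proc/<pid>/maps and /proc/<pid>/mem, so the live scan is Linux only; the scanning logic is platform independent and can be pointed at any byte buffer, which is how SAMPLE_MEMORY (a constructed buffer, not a real dump) is used below. The hostnames and the "hunter2" value are made up.

```python
"""Hunt URLs and credential-looking strings in a live process's memory.
Added example, not part of the original post or Didier's toolkit.
Usage: python memhunt.py [pid]   (defaults to scanning this process itself)
"""
import os
import re
import sys

PATTERNS = {
    "url": re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9./%?=&_-]*)?", re.A),
    "secret": re.compile(
        r"(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[=:]\s*[^\s\x00]{1,64}", re.I | re.A),
}
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")   # printable UTF-16LE runs (like strings -el)


def linux_regions(pid):
    """Yield (start, end) of readable mappings from /proc/<pid>/maps, skipping the
    kernel-backed vvar/vsyscall pages that cannot be read through /proc/<pid>/mem."""
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            fields = line.split()
            addr, perms = fields[0], fields[1]
            path = fields[5] if len(fields) > 5 else ""
            if "r" not in perms or path in ("[vvar]", "[vsyscall]"):
                continue
            start, end = (int(x, 16) for x in addr.split("-"))
            yield start, end


def linux_reader(pid):
    """Return read(addr, size) backed by /proc/<pid>/mem; unreadable pages yield b''."""
    fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)

    def read(addr, size):
        try:
            return os.pread(fd, size, addr)
        except (OSError, OverflowError):
            return b""
    return read


def scan_regions(regions, read, chunk=1 << 20, overlap=4096):
    """Scan each region in chunks.  Every chunk is read with `overlap` extra bytes so a
    string crossing a chunk boundary is still seen whole; matches starting in the overlap
    are left for the next chunk so nothing is reported twice."""
    found = {}
    for start, end in regions:
        off = start
        while off < end:
            data = read(off, min(chunk + overlap, end - off))
            if not data:
                break
            limit = off + chunk
            # (byte offset of view, bytes per char, decoded text)
            views = [(0, 1, data.decode("latin-1"))]          # 8-bit view, positions preserved
            views += [(run.start(), 2, run.group().decode("utf-16-le"))
                      for run in WIDE_RUN.finditer(data)]
            for base, width, text in views:
                for kind, pat in PATTERNS.items():
                    for m in pat.finditer(text):
                        addr = off + base + width * m.start()
                        if addr < limit:
                            found.setdefault((kind, addr), (kind, addr, m.group()))
            off += chunk
    return sorted(found.values(), key=lambda f: f[1])


def scan_buffer(buf, base=0, **kw):
    """Scan an in-memory byte string as if it were one region mapped at `base`."""
    return scan_regions([(base, base + len(buf))],
                        lambda addr, size: buf[addr - base: addr - base + size], **kw)


SAMPLE_MEMORY = (   # constructed sample, not a real memory dump
    b"\x00" * 37
    + b"http://example.invalid/c2/beacon?id=7\x00junk"
    + b"Password=hunter2\x00"
    + b"https://update.example.invalid:8443/v1/check" + b"\x00" * 9
    + "http://wide.example.invalid/x".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    planted = b"pwd=" + b"s3cr3t-demo"     # a self-scan should find this string (and the source)
    for kind, addr, text in scan_regions(linux_regions(pid), linux_reader(pid)):
        print(f"{kind:6s} {addr:#016x} {text}")
```

Run it against your own shell or a sandboxed sample's PID (ptrace permissions apply, so root or the same uid with ptrace_scope allowing it); expect plenty of noise from the loader and libraries, which is why the output carries the address so a hit can be tied back to the mapping in /proc/<pid>/maps.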

4sysops - RegAlyzer - a nifty free Registry editor

4sysops does a brief review of one of my favorite registry tools, RegAlyzer, by the same team that brings us Spybot Search & Destroy.  Not only does it provide multiple search results, but it also has undo/redo logs so you can go back and "fix" editing work in the registry if you use this tool to make those changes.

I also really like these freeware registry tools: RegistrarLite, ERUNT and NTREGOPT, RegASSASSIN, RegClean, RegHance 2.12 (LavaSoft product now only found on MajorGeeks), Process Monitor (Sysinternals), and RegScanner (NirSoft).

White Twisty

Windows Search 4.0 Preview - This new beta release allows you to perform searches for documents and files/folders on your system.  It is like the old "F3" Windows search, but on steroids.  Much more powerful and much more useful.

Windows Search 4.0 includes the following improvements:

  • Support for the Encrypting File System (EFS)
  • Reduced effect on Microsoft Exchange when you index e-mail in online mode, and there is no local cache (.ost)
  • Support for indexing online delegate mailboxes
  • Support for client-to-client remote query to shared indexed locations
  • Improved indexing performance
  • Faster previewer updates for Windows XP
  • Per-user Group Policy settings
  • Windows software updates for Watson errors
  • Support for the following new enterprise Group Policy objects:

Computer policies

  • Prevent adding Universal Naming Convention (UNC) locations to index from Control Panel
  • Prevent customizing indexed locations in Control Panel
  • Prevent automatically adding shared folders to the index
  • Allow for indexing of encrypted files
  • Disable indexer back-off
  • Prevent clients from querying the index remotely
  • Allow for indexing of online delegate mailboxes
  • Prevent adding user-specified locations to the All Locations menu
  • Enable throttling for online mail indexing

Per-user policies

  • Prevent adding UNC locations to the index from Control Panel
  • Prevent customizing indexed locations in Control Panel
  • Prevent indexing certain paths
  • Default indexed paths
  • Default excluded paths

Supporting XP (SP2 or SP3), Vista (SP1), Windows Home Server, and Windows Server 2003 and 2008, it looks to be a great addition to beef up the search capabilities of your system.

The interface is much updated and has a more "Vista'ish" look.

Windows Vista Team Blog : Announcing the Windows Search 4.0 Preview

Windows Search 4.0 vs. Google Desktop 5.5 - Download Squad

Remote Search in Windows Search 4.0 - Brandon Live!

Meanwhile, over in the IE8 development dungeons....

IEBlog : Add-on Management Improvements in Internet Explorer 8 - Turns out the IE8 team is looking to make management of BHOs, Search Providers, and other browser elements much easier in IE8.

This post goes into some of the finer details of the design and implementation.  I had almost as much fun reading the comments.  I think IE8 is on track to learn some good lessons.  Having the ability to easily manage and disable/delete unwanted BHOs from an IE installation is always a good thing.  Previously, this often meant having to get into the registry to clear out some of these items.  While not all BHOs are bad, many I've encountered came from drive-by malware installations: toolbars, searchbars, etc.

It appears that one of the more looked-for features in Vista SP1 got stripped out: the ability to create a Windows recovery CD through an easy-to-use GUI.

However, all is not lost. Sure, you can download a Vista Recovery disk ISO, but if you want to add this feature back into your native Windows Vista SP1 system, you can with a little bit of a hack: Recover “Create a recovery disc” on Vista SP1 RTM - iStartedSomething blog.

Long Zheng provides an easy to follow guide to getting it restored.  Just pay careful attention to all the file-permissions mojo steps.  Don't know if this will be helpful to everyone.  Probably easiest just to go get and burn the ISO version instead.  Certainly not something most users will need every day, but I tend to collect these sort of utility disks....

See also: Windows RE Notes

Green Twisty

Download Squad did a post on Hinx Backup Easy, which is a free Windows backup solution. Other mentions in the ensuing comments were Cobian Backup and AutoVer. I've covered some of my own favs in my File Managers, Copiers, and Sync Utilities post.

Dan Cunningham provides a nice solution (though it is a registry hack) for Disabling Apple Software Update items.  I personally just use AutoRuns to disable it as a startup item in Windows, then do manual checks for updates periodically.  However, each time I update iTunes, it gets restored, so I have to remove it again.

FreewareGenius provides a tip: How to change Windows’ default image editor.  He links to the Imgeditor utility on Ramesh's site.

Finally, Donna posts a great update announcing that the firewall-testing pros at Matousec have come up with a new test page: the Firewall Challenge page.

Turns out that the current "Excellent" rated winners of their Firewall "leak-test" results are Online Armor (available in a freeware version), Comodo™ Firewall Pro (also free), Prosecurity (not free), and Outpost Firewall PRO (also not free).  Three other firewalls received "very good" and "good" marks.

Nice to know the folks at Matousec remain hard at work testing, and that excellent software-based firewalls for the masses are available for free.


1 comment:

Keith said...

I found your blog yesterday. I have spent a lot of time today looking through past posts, and I must say that you are my new favorite blogger. You actually had me with your "Last Exile" links. You're the only other sysadmin I know who even knows what a Vanship is. I was right in there with about 80% of your Firefox Extensions, really nice list, I stole a few.

I'm also interested in security and forensics. This post really piqued my interest regarding Registry Analysis, which I've been doing for years the hard way. I requested Keydet89's RegRipper to give a stringent test. I'll let you know if he sends it.

Claus, your blog is awesome, and what I would have imagined mine to be if I had time or inspiration to write more. Thank you very much for taking the time to share your thoughts and interests with the rest of us.