Sunday, August 24, 2008

Enabling Dual-Core Support

I don’t really feel quite worthy enough to be attempting to get this info down.  However, I had a problem at work that demanded a solution.

Now that I found it (in two forms) I feel a bit obligated to share, despite my lack of a Microsoft Certification.

Any omissions or incorrect information shared is unintended and I welcome comments from any kind folks more up-to-date in this area.

I want to pick this up by building on my Windows CPU throttling techniques post made about a month ago.

To summarize: we have had a DOS 16-bit program that chewed up all the CPU cycles when running. In finding and testing a solution, I came to realize that the problem wasn’t nearly as severe on our dual-core processor systems as it was on our single-core processor systems.  We have been slowly upgrading and deploying dual-core configurations for the past two years.

In that process, I discovered that a significant number of our deployed desktop systems that had a dual-core processor were, in fact, only running in a single core mode.  Yikes!

Upon more investigation, I have also identified many of our dual-core laptops also running with only a single core enabled.

What gives?

That turned out to be pretty simple to determine.

How do we get the full dual-core mode turned on?  Well, that got a bit more complex.

Double-Trouble

Turns out that the factory-provided images were flawed.  Seriously.  I just didn’t pay attention to it staring me in the face for the past two or more years.

See when we started deploying these systems, we had a post-deployment configuration step that involved copying some files to C:\Windows\System32.  It was known as the “Hyperthreading patch”.

As all our technicians knew, the files already existed on the system, and were in fact newer than the ones with the same names we were copying, but we were just told to copy them anyway and reboot.  The files were hal.dll and ntoskrnl.exe.

Whatever…so we copied them and moved on down the setup guide.  Well…most of the techs copied them.  It is now clear that a few did not.  I could tell which systems weren’t updated correctly because no sooner did we walk away than our help-desk would get a call that the user’s PC was running slower than their previously assigned system.  A quick copy of the files and a reboot turned the system back into a speed-demon.

Not only that, but with the latest rounds of laptops, copying those files (which did no harm to the desktops) would render the dual-core laptops unbootable.

Not good.

Finally, with my CPU utilization problems bringing to the forefront of my attention that we had some dual-core systems not running dual-core mode, I knew I had to start digging deeper for an accurate understanding of what exactly was going on.

To the Google!

It’s the Processor…Stupid! (Well, maybe not.)

Having the systems in front of me and our technical specs, I had no trouble running a Google check on Intel’s website to verify that the processors we had in each system were, in-fact, dual-core.

Were I not to have that information, I could have used CPU-Z, System Information for Windows (SIW), or even SIV - System Information Viewer to get enough hardware identification information about the processor to do my lookup.

I then opened up the Windows Device Manager on several of these dual-core processor systems that were running with a single core and was surprised to see that XP Professional had correctly identified and was reporting both processors present.

However, a quick launch of the Task Manager (example 1 or example 2) confirmed that the OS was only “seeing” one core as I had no options to show both cores in separate usage graphs.

Maybe it was a driver thing?

I found this post Windows XP Multi Core config - Does your OEM do it for you? - Notebook Forums and Laptop Discussion that suggested I needed to download and apply a Microsoft patch and make some tweaks.  Only that didn’t “enable” the dual core mode at all.  Nor apparently did it help a lot of other folks who have been reading that thread.

I next turned to a comparison between two otherwise identical systems.  One was showing dual-cores activated and the other was not.  After much digging, I located what appeared to be a key difference in the registry:  the dual-core system had two entries under each of the following keys:

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor

and 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\ACPI\

whereas the single-core one did not.

So, stupid grasshopper that I was, I just exported those extra registry keys and then imported them on the single-core system.  It didn’t hurt anything, but after a reboot they were removed automagically (the HARDWARE hive is volatile and gets rebuilt by the kernel at every boot, so it reflects what the running kernel detected, not what you write into it) and the system remained in a single-core state.

It was very clear that something else was going on.  But what?

It’s a HAL and NT OS Kernel Thang

I’ll spare you the extra days of ed-u-fi-cation I put myself through but in the end, I think I got it all sorted out.

(Note: All the following discussion assumes that the BIOS/systemboard supports a dual/multi-core processor AND that it has been enabled as such in the BIOS.)

Turns out that when Windows Setup is run, it should (in most cases) auto-sense the processor and install and configure the proper HAL (Hardware Abstraction Layer) and the matching NT OS kernel for the hardware it detects.

In our case, either the imaging process or imaging application at the factory failed to take into account a shift from a single-core to a dual-core model, or maybe the pre-build setup of the XP Pro OS wasn’t done correctly.  In any case, every dual-core system that had been deployed from the factory didn’t ship with the supported dual-core processor HAL and NT OS Kernel.

What I came to understand is that our “Hyperthreading fix” was actually patching that error and replacing the single-core files with the proper dual-core ones.  That’s why the file names, sizes, and dates were different but the system sped up afterwards…the dual cores were now being used!

What I discovered is that you can see this difference in action if you have both a dual-core and a single-core enabled system to compare.  Just browse to the installed HAL and Ntoskrnl files and take a look at the file properties, then look at the “Original File Name” field.

The key thing to notice is that the (correctly activated) multi-processor files will have different original file names than those on the single-processor systems.

Here are some of the most commonly seen ones:

Advanced Configuration and Power Interface (ACPI) PC
- halacpi.dll (renamed to hal.dll)
- ntkrnlpa.exe
- ntoskrnl.exe

ACPI Uniprocessor PC
- halaacpi.dll (renamed to hal.dll)
- ntkrnlpa.exe
- ntoskrnl.exe

ACPI Multiprocessor PC
- halmacpi.dll (renamed to hal.dll)
- ntkrpamp.exe (renamed to ntkrnlpa.exe)
- ntkrnlmp.exe (renamed to ntoskrnl.exe)

Why are they different?  Let me have a Windows IT Pro explain….

A. The core OSs are the same for both uniprocessor and multiprocessor systems. The only real differences are in the underlying Windows kernel (which is implemented along with the Executive subsystem in Ntoskrnl.exe) and the hardware abstraction layer (HAL--hal.dll). Windows versions earlier than Windows Server 2003 and XP did have some additional files that differed (Windows 2000 also had separate versions of Win32k.sys, NTdll.dll, and Kernel32.dll). When Windows is installed, it detects the processor requirements and copies the relevant file from the media to the standard name (e.g., ntoskrnl.exe) on the installed OS. The Table shows the files that differ between the uniprocessor and multiprocessor versions of XP. Note that the Ntkrnlpa.exe is used only on systems that have invoked the Physical Address Extension (PAE) kernel, which allows access to as much as 64GB of memory. Essentially the uniprocessor version of the kernel doesn't have the multiprocessor synchronization algorithms, which are more complex and time-consuming, so they're a waste of processing resources for systems with only one processor.

So when Windows Setup is run on a system, it should sort all this out automatically.  But problems come up if that image is Sysprep’ed and then deployed on systems that are similar enough for it to work, but having a different processor core type.
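Here is a quick check you can run on a deployed box to see which pair of files it is actually booting, instead of eyeballing file properties one at a time.  This is an added example, not something from the forums or from Microsoft: it reads the “Original File Name” and file version out of the version resource of the installed hal.dll and ntoskrnl.exe, maps them against the table above, and compares the core count the running kernel exposes with the count on the vendor spec sheet (which you supply as $ExpectedCores; the default of 2 is just an assumption).  It assumes PowerShell on Windows XP.

```powershell
# Added example (not from the original post): report which HAL and kernel
# flavour an XP system is actually running, from the PE version resources
# of the installed hal.dll and ntoskrnl.exe, and compare the core count the
# OS exposes with the count on the vendor spec sheet.
# Assumes PowerShell on Windows XP; $ExpectedCores is supplied by you.
param([int]$ExpectedCores = 2)

$sys32 = Join-Path $env:SystemRoot 'System32'

# Original file names per HAL/kernel type, from the table above.
$halTypes = @{
    'halacpi.dll'  = 'ACPI PC (uniprocessor)'
    'halaacpi.dll' = 'ACPI Uniprocessor PC'
    'halmacpi.dll' = 'ACPI Multiprocessor PC'
}
$kernelTypes = @{
    'ntoskrnl.exe' = 'uniprocessor kernel'
    'ntkrnlpa.exe' = 'uniprocessor PAE kernel'
    'ntkrnlmp.exe' = 'multiprocessor kernel'
    'ntkrpamp.exe' = 'multiprocessor PAE kernel'
}

function Get-VersionInfo([string]$Name) {
    # Setup renames e.g. halmacpi.dll to hal.dll, but the build-time name
    # (and the file version) survive in the version resource.
    (Get-Item (Join-Path $sys32 $Name)).VersionInfo
}

function Get-KernelFlavor {
    $hal = Get-VersionInfo 'hal.dll'
    $krn = Get-VersionInfo 'ntoskrnl.exe'
    $halName = "$($hal.OriginalFilename)".ToLower()
    $krnName = "$($krn.OriginalFilename)".ToLower()
    @{
        Hal           = $halName
        HalType       = $halTypes[$halName]
        Kernel        = $krnName
        KernelType    = $kernelTypes[$krnName]
        HalVersion    = $hal.FileVersion
        KernelVersion = $krn.FileVersion
        # What the running kernel exposes; a UP kernel reports 1 even on a dual-core part.
        CoresSeen     = [int]$env:NUMBER_OF_PROCESSORS
        # Same information as seen in the (volatile) HARDWARE hive.
        RegEntries    = @(Get-ChildItem 'HKLM:\HARDWARE\DESCRIPTION\System\CentralProcessor').Count
    }
}

$f = Get-KernelFlavor
$f.GetEnumerator() | Sort-Object Key | ForEach-Object { '{0,-14} {1}' -f $_.Key, $_.Value }

$halIsMp = ($f.Hal -eq 'halmacpi.dll')
$krnIsMp = ($f.Kernel -like 'ntkr*mp.exe')
if ($halIsMp -ne $krnIsMp) {
    Write-Warning 'HAL and kernel are not a matched UP/MP pair; that is a recipe for a STOP error on boot.'
}
if ($ExpectedCores -gt 1 -and -not $halIsMp) {
    Write-Warning "Spec sheet says $ExpectedCores cores but the uniprocessor HAL is installed: only $($f.CoresSeen) core is in use."
}
```

Run it from an elevated (administrator) PowerShell prompt; the HalVersion and KernelVersion lines are printed so you can confirm the two files came from the same service pack before you start swapping anything, since hotfixes legitimately bump the kernel revision on their own.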

Need more links?  Here are a ton that I found helpful to get my understanding down.

Fixing the Single-core to Multi-core Problem

OK.

I now clearly (as bayou mud) understood what was going on.  I also knew we had at least one fix method already down.

From a review of multiple forums, it seems that many home users whose hardware was dual-core but whose XP install only saw a single core often ended up being told that the only way to fix this was to start from scratch and re-run a full Windows Setup.  This isn’t something that a Windows Repair install was going to fix.

Only I didn’t like the idea of re-running Windows Setup on all these dual-core able, single-core using systems.  Too much time and work for our team.

Simply using our already issued “Hyperthreading Fix” patch, which involved (what I now knew to be) copying the multi-processor ACPI hal.dll and ntoskrnl.exe files into place, followed by a reboot, would do the trick.

Kind-of. 

Although this worked great on the desktop systems, it seems it tanked the laptops.

I needed some other solution options.

Method #1: Pugsly0014’s Batch-file Wonder

I eventually discovered a solution (very similar to our “Hyperthreading Fix” patch) in a notebook support forum, as contributed by Pugsly0014.  Actually Pugs offers two solutions, but I liked the first better in our environment.

Enable Dual Core Support in a Windows XP Single Core Install? - NotebookForums.com

…you are going to have to replace the hal.dll and ntoskrnl.exe from the single core version to the multi core version.

Option #1 - Hal / NToskrnl replacement

a. Make a directory called DUO on C:\
b. Copy halmacpi.dll (search your C:\ drive for this) to C:\DUO then rename it to hal.dll
c. Copy ntkrnlmp.exe (search your C:\ drive for this) to C:\DUO then rename it to ntoskrnl.exe
d. Make a batch file called go2core.cmd and put this in the file.

C:
CD\windows\system32
REN hal.dll hal.old
copy C:\Duo\hal.dll C:\windows\system32
REN ntoskrnl.exe ntoskrnl.old
copy C:\Duo\ntoskrnl.exe c:\windows\system32

e. Run Go2Core.cmd from C:\duo directory.
f. Reboot and you should now see two processors in Task manager

Pugs’ second solution involved editing your boot.ini file and pointing it to the multi-core supported files, if that option is selected at boot.  It is another clever solution, but not one I wanted to offer my end-users in our environment.

Lab-testing soon found that the batch-file switch-er-oo worked great, and could be deployed as a server login-script if we so choose to do.

If you don’t find halmacpi.dll and ntkrnlmp.exe loose on the drive, look in the service pack cache (C:\Windows\ServicePackFiles\i386), in the driver cache (C:\Windows\Driver Cache\i386\sp2.cab, or sp3.cab on SP3), or in the I386 folder of the install media, where they are stored compressed as halmacpi.dl_ and ntkrnlmp.ex_ and need to be “expanded” first.  Since these two files are the kernel and the HAL themselves, take them only from the Windows media or cache that matches the installed service pack level, never from a random download: a kernel and HAL from different builds are not a supported pair and can leave the system unbootable. 

However, when I tested it on Dell D620/630 dual-core notebooks, it tanked them.  Seriously.

Back to the drawing board.

Method #2: An “Ageless” Solution

More searching and thinking ensued.

I then located this variation on Pugs’ second “boot.ini” solution.

Dual core not processing two units – Seti@Home Forums

Forums poster “Ageless” offered this elegant solution (which ties into Pugs’ second method I skipped):

…follow the steps:

1. You will need Service Pack 2 for XP for this, so if you do not have it, install it from Windows Update.
2. Use search to find ntkrnlmp.exe and halmacpi.dll and copy them to your c:\windows\system32 directory.
3. Use search to find boot.ini and open it in your text editor then find the following line:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

(or something of this sort)

and replace that line with:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="XP Professional MP" /fastdetect /kernel=ntkrnlmp.exe /hal=halmacpi.dll

Make sure there are no line breaks in that line.

4. Reboot your computer. It may go through an installation of the new kernel, just continue to click Yes and Install (or which ever you get) until done and that's it.

Note, depending on your flavor of XP and other factors, your boot.ini line might look a tad-bit different.

The key here is to add the /kernel=ntkrnlmp.exe /hal=halmacpi.dll part.

So I tried it on the notebooks and it worked!

Hurrah!

Caveat Emptor

Only I now wondered what impact this might have on the notebook when we went to apply XP SP3.  Would the fact that they were pointing at a non-standard kernel and hal file muck things up?

I then attempted to install XP SP3.

And it failed…because it checked the boot.ini and found it wasn’t using a “standard” kernel and hal file!

Bummer.

But wait!

When I went back in to look at the hal.dll and ntoskrnl.exe files, turns out they now matched the same size, date, and original file-name property of the ones I was pointing to!

Turns out that during the XP re-configuration process (Step 4) where it sensed the new multi-processor changes, it also updated the original single-core hal.dll and ntoskrnl.exe files to the multi-core supported ones!

What would happen if i went in and re-edited the boot.ini file back to the original?

I tried it and it worked!  The system/OS still recognized the multi-core processor state.

Now when I tried to install XP SP3 it went on with no issues or complaints!

Awesome!

Claus’s “Ageless” Mod Fix

So here, from the top down, is what I ended up doing (based on “Ageless’s” technique) to move the dual-core laptops that were running with only a single core enabled into full multi-core mode when the simple file switch-out trick didn’t work.

1. Ensure system is running XP Service Pack 2 or greater, if not upgrade accordingly first.

2. Run a local file search (F3) for the ntkrnlmp.exe and halmacpi.dll files and copy them to your c:\windows\system32 directory. In some cases you will only find them compressed as ntkrnlmp.ex_ and halmacpi.dl_ (on the install media) or inside a .cab (C:\Windows\Driver Cache\i386\sp2.cab). If so, you must “expand” them from the command line using the syntax expand.exe <source> <destination> (for example: expand.exe ntkrnlmp.ex_ ntkrnlmp.exe, or expand.exe sp2.cab -F:halmacpi.dll c:\windows\system32 to pull a single file out of a cab).

3. Browse to the C:\windows\system32 folder and make copies of the existing hal.dll and ntoskrnl.exe files…just in case you need them later. I just leave the copies in the c:\windows\system32 folder.

4. Use search to find boot.ini and open it in your text editor.

(Or browse to Start -> Control Panel -> System and launch that. Then go to the “Advanced” tab and click the “Settings” button on the bottom “Startup and Recovery” section. Click the “Edit” button under the “System Startup” section and it will launch your boot.ini file in Notepad.)

Save a copy as boot.ini.orig to the root of your system partition (usually C:) just in case.

Then find the following line (yours may look slightly different):

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

(or something of this sort)

and replace that line with:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /kernel=ntkrnlmp.exe /hal=halmacpi.dll

All that is on a single line, by the way!

Save this version as boot.ini on the root, overwriting the original.

5. Reboot your computer.

It should go through an installation of the new kernel and supporting elements.

You shouldn’t get any prompts but if you do, just continue to select Yes or Install.

When completed, you should be prompted to reboot your system to put changes into effect.

Reboot again.

6. When it comes up, you should now be able to verify you are running in dual-core mode by going to <CTRL> <ALT> <DELETE> and opening the Task Manager. Click the Performance tab and it should show both CPU cores in the “CPU Usage History” graph.

7. Go into the c:\windows\system32 folder and you should also now be able to compare the hal.dll and ntoskrnl.exe files with the copies you made. You should note that the file sizes are now different, but do match the ntkrnlmp.exe and halmacpi.dll versions you copied in earlier. That’s because they were changed to the multi-core support versions!

8. Go back to your boot.ini file (however you want to find and open it) and open it in Notepad.

Just to be sure, you might want to first save it as boot.ini.multi.

Re-edit it back to the original state you found it in:

Find the following line (yours may look slightly different):

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn /kernel=ntkrnlmp.exe /hal=halmacpi.dll

(or something of this sort)

and replace that line with:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Save it again as boot.ini to the root of your system partition (usually c:).

9. Reboot your system again and all should be well!
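For the techs who would rather not hand-edit boot.ini on every laptop, here is the whole nine-step procedure as a script.  It is an added example, not Ageless’s or Pugs’ code: the first run stages ntkrnlmp.exe and halmacpi.dll out of the local service pack cab (so they match the installed SP level), keeps copies of the original hal.dll and ntoskrnl.exe as in step 3, backs up boot.ini, and appends the /kernel and /hal switches to the entry boot.ini marks as default.  After the reboot has done its re-configuration, run it again with -Revert; it refuses to strip the switches until the files on disk really are the multi-processor pair, which is the check in step 7.  It assumes PowerShell on XP SP2 (the sp2.cab path is an assumption; use sp3.cab on SP3) and that the default= entry is the one to edit.

```powershell
# Added example (not from the original post): script the boot.ini half of the
# procedure above.  First run adds the /kernel and /hal switches (and stages
# the MP files); after the reboot has swapped hal.dll/ntoskrnl.exe, run it
# again with -Revert to restore the original entry.
# Assumes PowerShell on XP SP2 and that the entry boot.ini marks as
# "default=" is the one to edit; the .cab path is the SP2 driver cache.
param(
    [switch]$Revert,
    [string]$BootIni = 'C:\boot.ini',
    [string]$Cab     = (Join-Path $env:SystemRoot 'Driver Cache\i386\sp2.cab')
)

$sys32    = Join-Path $env:SystemRoot 'System32'
$switches = ' /kernel=ntkrnlmp.exe /hal=halmacpi.dll'

function Get-OriginalName([string]$Name) {
    # Build-time name from the version resource, e.g. halmacpi.dll behind hal.dll.
    "$((Get-Item (Join-Path $sys32 $Name)).VersionInfo.OriginalFilename)".ToLower()
}

function Stage-MpFiles {
    # Take the MP kernel/HAL from the local service pack cab so they match the
    # installed SP level; these are the names Setup itself would have used.
    foreach ($f in 'ntkrnlmp.exe', 'halmacpi.dll') {
        if (-not (Test-Path (Join-Path $sys32 $f))) {
            & expand.exe $Cab "-F:$f" $sys32 | Out-Null
        }
        if (-not (Test-Path (Join-Path $sys32 $f))) { throw "Could not stage $f from $Cab" }
    }
    # Keep the uniprocessor originals next to them, as in step 3.
    foreach ($f in 'hal.dll', 'ntoskrnl.exe') {
        Copy-Item (Join-Path $sys32 $f) (Join-Path $sys32 "$f.single") -Force
    }
}

function Edit-BootIni([bool]$Remove) {
    $lines   = Get-Content $BootIni
    $default = ($lines | Where-Object { $_ -match '^default=' }) -replace '^default=', ''
    if (-not $default) { throw "No default= line found in $BootIni" }
    $new = $lines | ForEach-Object {
        if ($_ -like "$default=*") {
            # Strip any earlier /kernel and /hal switches, then re-add if wanted.
            $clean = ($_ -replace ' /kernel=\S+', '') -replace ' /hal=\S+', ''
            if ($Remove) { $clean } else { $clean + $switches }
        } else { $_ }
    }
    # boot.ini is read-only, hidden and system; save a copy before writing.
    & attrib.exe -r -s -h $BootIni
    $suffix = if ($Remove) { '.multi' } else { '.orig' }
    Copy-Item $BootIni "$BootIni$suffix" -Force
    Set-Content -Path $BootIni -Value $new -Encoding Ascii
    & attrib.exe +r +s +h $BootIni
}

if ($Revert) {
    # Only drop the switches once the files on disk really are the MP pair;
    # otherwise the next boot goes straight back to single-core mode.
    if ((Get-OriginalName 'hal.dll') -ne 'halmacpi.dll' -or
        (Get-OriginalName 'ntoskrnl.exe') -ne 'ntkrnlmp.exe') {
        throw 'hal.dll/ntoskrnl.exe are still the uniprocessor files; leaving boot.ini as is.'
    }
    Edit-BootIni -Remove $true
} else {
    Stage-MpFiles
    Edit-BootIni -Remove $false
}
"boot.ini updated ($BootIni); reboot to apply."
```

Run it as a local administrator, reboot, let XP finish its kernel re-configuration and reboot again, then run it with -Revert and reboot once more.  The straight double quotes in the ARC entry matter: boot.ini is plain ANSI text and curly quotes pasted from a web page will not parse.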

So, pick whichever method you want and give it a shot.  It ended up working well on our systems at work.  Of course, every system is different in its own way and your mileage may vary.

I’m no Mark Russinovich so I’m not sure I can provide much advice outside of this narrow range of testing and hardware I’ve been working with. I know there is a lot more of the multi/single kernel and hal related technicals that I’ve only just scratched the surface of understanding with here.

I’d also recommend making backup copies of any original hal.dll and ntoskrnl.exe files first. And, keep a Windows PE 2.0, a VistaPE, or even a BartPE liveCD boot disk handy, just in case you need to liveCD-boot your system to put back any original versions.  It came in dead-useful as I was testing and working out these issues.

Bonus #1 – Controlling the Processor Affinity in a Multi-Core system

So now that you got multiple cores up and running what can you do with them?

By default, a properly configured Windows multi-core supporting system will automatically manage and load-balance CPU usage rates across them.

However, in some rare cases (or with gamers) you might want to shove all of a particular process onto a single processor and not spread it across multiple ones.

There are a number of ways and tools you can use to do this:

  • Getting More Bang Out of Your Dual Processing Buck : Getting The Most Out Of Software By Properly Assigning Threads – Tom’s Hardware. – Shows how their freeware tool “THG Task Assignment Manager” can be used to assign affinity on a per-case (non-permanent) basis.

  • Or, as Tom’s shows in that post you can also use the Windows Task Manager to set process affinity.

  • Process Explorer from Microsoft Sysinternals can also provide that functionality, with a bit more beef in my opinion.

  • RunFirst - (freeware) – Also allows you to choose on which processor an application starts. This one is clever as it supports command-line arguments so you could use it in combination with the program to make a special shortcut that will launch your program automatically on the desired multi-processor core.

  • Processor Affinity Manager 1.0 - (freeware via Softpedia) – Original location at this pamanager - Google Code link.  Has drag-n-drop support, current-process details, process defaults, and a tool to create a shortcut (a-la RunFirst) to launch an app with a particular processor affinity set.

  • SMP Seesaw - (freeware) – Another nice utility for setting processor affinities. (As reviewed by Download Squad.)
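All of the tools above end up setting the same per-process value, which you can also drive yourself.  This is an added example, not code from any of those tools or from the original post: it builds the affinity bitmask from a list of core numbers, checks them against what the running kernel exposes, applies the mask through the .NET Process object (the same setting Task Manager’s “Set Affinity” changes), and reads it back.  It assumes PowerShell on a multi-core XP box; the process name and core list at the bottom are illustrative.

```powershell
# Added example (not from the original post): pin a running process to chosen
# cores through System.Diagnostics.Process.ProcessorAffinity, the same
# per-process setting Task Manager and Process Explorer change.
# Assumes PowerShell on a multi-core XP box; the process name is illustrative.
function Set-CoreAffinity {
    param([string]$ProcessName, [int[]]$Cores)

    $n = [int]$env:NUMBER_OF_PROCESSORS
    # The affinity value is a bitmask: bit 0 = CPU 0, bit 1 = CPU 1, ...
    [long]$mask = 0
    foreach ($c in $Cores) {
        if ($c -lt 0 -or $c -ge $n) { throw "Core $c does not exist; the OS exposes $n core(s)." }
        $mask = $mask -bor [long][Math]::Pow(2, $c)
    }

    $procs = @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { throw "No running process named '$ProcessName'." }
    foreach ($p in $procs) {
        $p.ProcessorAffinity = [IntPtr]$mask
        # Read the mask back rather than trusting the assignment.
        '{0} (PID {1}): affinity mask 0x{2:X} -> cores {3}' -f $p.Name, $p.Id, $p.ProcessorAffinity.ToInt64(), "$Cores"
    }
}

# Keep the DOS box's NTVDM off CPU 0 so the rest of the desktop stays responsive.
Set-CoreAffinity -ProcessName ntvdm -Cores 1
```

The setting is not permanent: it lives with the process, so it is gone after the program exits, though any child processes it launches inherit it.  You also need rights over the target process, so pinning another user’s NTVDM or a service needs an administrator prompt.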

Finally, if you really want to get down and dirty and modify the application to launch on a particular core without these tools, you can do it, but it is going to take some extra work, as I previously posted.

You can change an application to run exclusively under a single CPU on a dual/multi-core processor, but it takes a bit more work.

In my case it specifically addressed the ntvdm.exe tweaking that I was looking at, but it could apply to almost any process.

Troubleshooting an MS-DOS application which hangs the NTVDM subsystem in Windows XP and Windows Server 2003 -  markwilson.it

Read the post, but it comes down to using a Microsoft Windows 2000 Resource Kit tool, imagecfg.exe, with some detailed command-line arguments.

Related posts on this technique:

Bonus #2 – Miscellaneous Multi-Core posts

I also found these posts as well in all my research.  Don’t really apply to much but are semi-related and I found them interesting, nonetheless.

I hope this documentation of all my personal trials and tribulations in the land of multi-core Windows systems ends up helping someone.

The answers are out there, just takes a lot of work to tease them all out.

If anyone has any more information or additional tips, wisdom, or l33t 5k1ll5 to share, please feel free to educate me and us all.

Cheers!

--Claus

Saturday, August 23, 2008

So many links….So little time…


cc credit flickr: peasap

Yep, it's another Grand Stream Dreams Linkfest extravaganza! 

Sometimes I wonder if I don’t bring it all on myself.

I’m pretty curious and am always open and looking for new utilities, updated versions, and new techniques that I can apply to Windows systems both at home and at work.

What I usually end up with is a pile of links to sort out and share, and not nearly enough time to get them all recorded and given their just due in commentary.

So get out the baton, the piñata is full of treats!

How-To's and Cool Utilities

How to Prepare Yourself for System Restore From Scratch - MakeUseOf.com. Nice little tutorial on one method to prepare a custom system restore disk from scratch.  There are a lot of different methods--to each their own--but this guide did take an interesting approach.

5 Ways To Update Your Windows Operating System - MakeUseOf.com. Previously covered on Grand Stream Dreams, there are a wide number of applications that make updating the Windows operating system a bit easier, especially on a large-scale.  Varun Kashyap's line-up of choices is pretty good!  All my favorites were included (c’t offline updater, AutoPatcher) and a new one called Project Dakota which I hadn't heard of before.

USB Office Showdown: Tiny USB Office vs. Portable Apps - MakeUseOf.com.  Which is better? Who knows.  It is cool to know that Tiny USB Office packs a bunch-load of apps into just 2.5 MB of space.  The PortableApps suite, on the other hand, has just about all the mojo you could need for basic to advanced office application management in a slick GUI launcher, but it weighs in much larger.

MobaLiveCD - Run your LiveCD on Windows - Spotted via a recent back room tech post.  While I already have a number of virtualization apps (Virtual PC or VirtualBox to name just two) I use to pre-test "Live CD" burns I am always building, some folks might just want a bit more integrated solution for ISO testing and running.  What makes MobaLiveCD so nice is that once you run and install it, you get an easy-to-use wrapper for QEMU.  So when you want to test an ISO, just right-click on an (bootable) ISO file to launch it in the QEMU emulator. It has a very nice and helpful interface.

Mark Minasi's Newsletter #72 August 2008: Making Pkgmgr Deliver Hotfixes Offline is out and has a great amount of tips on how to use the Pkgmgr to "inject" update patches into (ImageX) WIM files. Turns out there is a bit of trickery required and Mark's got the details down great.

Windows Post-Install Wizard Home - (freeware) - I had never ever heard of this tool before I read Confessions of a freeware junkie's post reviewing it.  I must say I am very, very impressed with this and I haven't even downloaded it yet to play with.  It really seems to be able to open up a number of doors.  While no replacement for SysPrep for image pre/post deployment work, it does add a wicked-cool wizard for post-image deployment that allows system administrators (or geeks) to add particular applications or system tweaks on a per-system basis.  It appears to be highly customizable, from the element lists to the template styles to the image used on the wizard's background.  It does have a steep learning curve, but once you get it down, I bet you will be amazed! I'm thinking right now on how I can incorporate it into our post-image workstation deployment process at work.  Any sysadmins out there must at least take a look at it.

New and/or Improved

Sandboxie version 3.28 - (freeware) - This favorite tool, which creates a "sandbox" for programs to be installed or operate within, got a recent update.  While not a common tool for most folks to use, system administrators in general, software testers, and malware avoid'ers might find it beneficial to use.

Altiris Software Virtualization Solution (SVS) - (free for personal use) - To get it, go to this Altiris Juice page and scroll down a bit to the "Free for Personal Use" section. A number of download sources are provided from trusted locations.  Basically what SVS does is to manage "virtual software packages" without "installing" them on the host system.  Similar to SandboxIE but a bit different.  There is an active developer and support community out there and a number of popular Sample Applications already built.  For more details from a third-person perspective check out Altiris SVS - review at freewaregenius.com.

AutoRuns for Windows - (freeware) - Gets another version bump to v9.33 and this time brings some command-line options for auto-scanning and exporting of results.

EASEUS Disk Copy 2.0 - (freeware) - Many new features in this version including expanded drive support, partition copy, dynamic disk support, booting from CD, GUI upgrades, and then some more.  Related: EASEUS Partition Manager (free for personal use).

RegFromApp - (freeware) - NirSoft app to monitor registry changes made by an application gets updated for command-line support and drag-n-drop.

OpenedFilesView - (freeware) - NirSoft app to display which applications/processes have opened which files on your system now gets an option to mark files whose date/time or size has changed since the last OFV snapshot was taken.

MozillaHistoryView - (freeware) - NirSoft app to explore and manage Mozilla/Firefox browser history files now is able to support Firefox 3 (places.sqlite) file.  Hurray!

FavoritesView - (freeware) - NirSoft app to explore and manage Favorites/bookmarks in your system browsers is updated to deal with some bug-fixes, but also now supports Firefox 3.0 (places.sqlite).

UserAssistView - (freeware) - Let's let Nir Sofer explain this new utility; "This utility decrypts and displays the list of all UserAssist entries stored under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist key in the Registry. The UserAssist key contains information about the exe files and links that you open frequently. You can save the list of UserAssist entries into a text/html/xml/csv file, as well as delete unwanted items."  Sounds handy to me!

KeePass Password Safe - (freeware) - Bumped to version 1.12 brings in lots of new features and improvements.  Still hands-down my most favorite password manager.

xpy - (freeware) - This perennial Windows XP tweaking toy brings in a number of new features and program tweaks.  A must-have for anyone who tweaks and manages Windows XP systems.

 AceBackup - (now freeware) - Lots of tools are out there for making backups and archives of Windows systems some of my favorites are DSynchronize, Toucan at PortableApps.com, SyncBack, Cobian Backup, Comodo Backup, and Karen's Replicator.  Ace Backup has some easy-to-use wizard help and a nice interface to make setting up your backups a breeze. Ace brings some special elements to the backup mix including secure FTP support, file-specific encryption, and multi-file versioning support.  For a brief review check out the one at MakeUseOf.com.

Tiny Apps Two-Fer!

I love the TinyApps.Org site.  It is sparse, and when a post is made, it is always good.  So with delight I found that Miles Wolbe's Automatically click OK (or any button) with ClickOff post contained two great finds!

ClickOff - (freeware) - An amazing tool that will "click" a button and then some, automatically. Who might need this?  Well, as Miles points out, if you have ever been confronted by an application that requires an "OK" button press to continue, only there are a ton of windows to clear, you will instantly know and recognize the worth of this application!  Once installed the program files can be copied to USB for a portable version.  The program starts out in German, and it is a bit confusing at first to switch to English. Here's how to change ClickOff from German to English: Once launched, right-click the program's icon in the system tray.  Choose the 2nd option from the top "Einstellungen".  When the window launches, find the "Programmsprache" section and click the drop-down arrow to select the "English.lng" file.  Click OK. Done!

Anyway, the second find was another tool that could be used to scan and remove specific virus files; Trend Micro Damage Cleanup Engine / Sysclean.  I'm going to have to save configuration and usage of this tool for another post, but suffice it to say, it is really easy to use and I really like the ideas that come to mind on using it to perform a 2nd-opinion scan on a potentially impacted system.  Similar to McAfee's Stinger tool as well as the McAfee command-line scanner with Bart Lagerweij's ScanGUI interface.  All three of these will be well worth a GSD post of their own soon.

Thanks Miles!

In Security News...

(IN)SECURE Magazine - latest edition (July 07) has some great articles.  Good PDF reading during slow meetings.

Symantec to Acquire PC Tools - Donna's SecurityFlash - Yep. The Yellow Monster of system security is gobbling up PC Tools which provides a number of great consumer-oriented computer security products (both free and $) such as Spyware Doctor, PC Tools AntiVirus Free Edition, PC Tools Firewall Plus, and my personal favorite (running it on all my XP and Vista systems) ThreatFire Free Edition.  I'm really not sure what to make of this.  I just hope these free versions don't get shoved to the wayside and abandoned by Symantec. Official Symantec press release.

Security Vulnerability Research & Defense : IE 8 XSS Filter Architecture / Implementation - New technical details from Microsoft on how the IE 8 browser will defend against cross-site scripting (XSS) attacks.  Interesting stuff.  IE 8 is stepping up to the security plate looking to smash one out of the park. Opera and Firefox better take note!

IE 8 looking like a November release - Bink.nu.  Looks like the IE 8 Beta 2 release for testers might come out at the end of August or early September.  Then the Final Release of IE 8 is still on track (per Microsoft) for an end of 2008 release. Wowzers!  We still haven't deployed IE 7 yet in our enterprise shop.  Yikes!

Anti-Malware Toolkit - (freeware) - This isn't really an anti-malware tool per se.  What it does do is give you an (almost) one-click experience to download a majority of anti-malware tools to a target system.  It's available in both an exe installer and a non-install zip format.  See also their informative PC Cleanup and PC Security pages that contain advice and helpful links. This program will download all the major anti-malware and PC cleaning programs, along with some definition files, some recommended web-browsing/email platforms, some anti-virus platforms, a firewall, and some very helpful utilities.  I really can't say anything bad about these at all.  It looks like the download files come directly from the specific developers' sites, so you should feel confident you are getting unadulterated versions.  Worth sticking on your USB stick as a time-saving download helper!  For more information see these reviews: Anti-Malware Toolkit Keeps Your Arsenal Up-To-Date - Download Squad and Featured Windows Download: Anti-Malware Toolkit Builds a Quick Computer Cleaning Toolbox - Lifehacker.

Windows Incident Response: Browser Artifact Analysis - (post) - Harlan covers a common scenario I run into; not really doing forensics work, but assessing a web-browser session to evaluate clues for system infection.  He provides some great tips and article links to help organize this process.  There are a number of tools and utilities I keep at hand to do this on my USB stick, but Harlan provides even more.

Microsoft Sysinternals Desktop Utility

I'm giving this one a standalone section.

Desktops - (freeware) - is a standalone (no-install) utility from the Yodas of Microsoft (Mark Russinovich and Bryce Cogswell) that allows you to create up to four virtual desktops in XP or Vista.

Who needs it?  Mostly no-one except maybe those who want the dual-monitor effect but can't afford or configure a real multi-monitor configuration.  Or maybe (and I see this as the true use) for those who demo or provide presentations.  This will allow them to quickly and professionally jump between multiple applications like Mark often does during his TechNet Live presentations.

It seems to perform much better than the Virtual Desktop Manager - PowerToy for Windows XP that Microsoft put out a long time ago.  I've used that before and was so (yawn) in awe of it I ended up uninstalling it.

This version seems more flexible as I can run it on demand on whatever system I want to.

Seems to have a few "bugs" but might fit most folks' needs and is bound to see feature improvements.

For reviews see this Download Squad review as well as a nice Cybernet News review.

Other (but not by far all) notable utilities that accomplish much the same thing, but with many added features (and not quite the portability level) are:

Despite the large numbers of applications available for this segment, I wonder just how many folks use them on a daily basis.  Give me a multi-monitor configuration over a virtual one any-day.

That said, I think Sysinternals' Desktops utility will become much loved and used as it is free, portable, and seems to be designed by the Microsoft pros.  As I said, I bet presenters will find the most use for it.

Finally - Firefox

Turns out that Firefox 3.1 will get a MAJOR boost to JavaScript performance.

Firefox to get massive JavaScript performance boost - Ars Technica

Some say it might be up to seven-times as fast. Wow.

It is built into the Firefox "Minefield" nightly releases now. (If you are confused about Mozilla "nightly" versions please read this Grand Stream Dreams primer: Resolving a “Nightly” Firefox Issue…).  However it is disabled by default.

John Resig - TraceMonkey post has the method to get it enabled:

If you want to try these out for yourself, just snag a nightly of Firefox 3.1, open about:config, and set the following preference to true:

javascript.options.jit.content

You should be, happily, in just-in-time tracing land. It's still buggy (hence the reason for hiding behind the preference wall) but it should be good enough to handle most web sites.

What's especially exciting is that this code is working on x86, x86-64, and ARM - which means that these improvements won't be limited to just the desktop - you'll be able to receive them on your mobile devices as well.

I'm wondering if even more Firefox 3.1 browser performance with JavaScript can be eked out by combining this feature with Sun's Java SE 6u10-b28 build version which is now available for download.  The 10-b builds promise to bring Next-Generation Java Plug-in Technology to Firefox and Opera.  More here.

I've been running them both (the updated Firefox feature and Java SE 6u10-b28) without any ill effects, but I don't (yet) really use any heavy-lifting JavaScript programs to allow me to fairly make a conclusive statement.

Whew!

Looks like that linkfest piñata has been beaten to death!

Have fun picking out your favorite candies!

--Claus

Microsoft XP and Office “Places Bar” Tweaking

In case you didn’t know, the icon bar on the left-hand side of the dialog window you get when you “save-as”, browse folders, open folders/files, etc. is called the “Places Bar”.


A slightly modified form of it is also present in Microsoft’s Office line.

Most folks do quite well with the default set of icon/location choices offered them and don’t ever think of going beyond this.

However, a few power-users may find themselves accessing other common folder locations on their system when they browse to open or save a file.  And let’s face it, browsing the folder tree using the “Look in” drop-menu or the “up folder” icon method can be click-consuming if your folders are well buried.

I was facing that very situation the other day at work.  Throughout the day I kept having to take additional time to browse to a deeply structured folder on my laptop.  And the default location choices just weren’t cutting it for me.

I knew they could be modified, but it had been a long time since I had reconfigured setting them up on my home system, so I had to go back to Google to refresh my memory on how to make the changes.

Turns out there are quite a lot of freeware applications to help you make this tweaking process smoother.  (Note: on some systems you may be required to have “Administrator” rights to make the changes.)  They all work on XP.  Vista is a bit different.

The Tools

First up is Microsoft PowerToys Tweak UI.  Download and install this long-time tweaking favorite.  When installed, launch Tweak UI and expand the “Common Dialogs” item, and select the “Places Bar” sub-item.  Click the “Custom places bar” radio button then pick which additional items you would like instead.  Or you can add your own custom folder locations.  See this post, How To Change Windows Default Save As or Open Location » Raymond.CC Blog for a walkthrough.

PlacesBar Tweaker - (freeware) – This freeware application is a piece of cake to use.  Install then launch.  You will get a nice little interface that lets you preview the Places Bar, select which custom folder you want to use, or use a common special system folder.  You can restore the defaults, and you can move the icons in the Places Bar around.

Shell Places Bar Editor - (freeware) – Very simple interface contains just the elements needed to get it done.  Pick one of the five items and browse to the new folder location you wish to use.  You can rearrange their order, delete items, or save them as a “scheme”.

PlacesBar Editor - (freeware) – A bit more “old-school” in the GUI style, it still is tiny (90K) and gets it done.

WinPlaE O.S. PlacesBar Editor - (freeware) – Basic but serviceable utility to modify the Places Bar. Also allows you to save loadable custom “lists” so you can reload new Places Bar sets depending on your needs (say switching between projects at work).

PlacesBar Constructor - (freeware) – Another very simple and basic places bar item editor. (Located at bottom of page link.) Only “drawback” is an upgrade ad seen when program is launched. Can be ignored with no loss of functionality.

Additional “Old-School” Methods

As the PlacesBar Constructor page points out, what all of these tools are doing is actually just modifying a particular registry key sub-key value for each of the five item locations displayed.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar

I’ve found it on all my systems, but I understand that if only the defaults are in use and the Places Bar has never been “tweaked”, the key may not be present.  It can be created from scratch or by using any of the tools above to load a “default” set.

If you are using a version of Windows that supports the Group Policy editor (GPEDIT.MSC) then you can browse into there as well to tweak your custom choices.

1. Type GPEDIT.MSC in Start, Run

2. Navigate to this location:

User Configuration -> Administrative Templates -> Windows Components -> Windows Explorer -> Common Open File Dialog

3. Double-click Items displayed in Places Bar and add your places.

(Note, it’s a bit different in Vista here.  See KB926167: How to customize the Favorites Links list in common file dialog boxes in Windows Explorer in Windows Vista for more info on that.)

The trick with making the changes in the registry turns out to come down to knowing the correct type of registry key to select.  Some custom items need to be created as “REG_DWORD” types while others need to be “REG_SZ” types.

You can use a string (REG_SZ) to identify the target folder for a PlaceX entry. You must specify the folder's full pathname.

You can also use a numeric index (REG_DWORD) to specify the target folder if it's a system folder.

I found in trying the tools listed above that if you make a change and it doesn’t appear in the Places Bar (even after a reboot) then it is likely that the program didn’t choose the correct type. Try another utility.

If you know the correct DWORD value for a corresponding system folder, you can quickly make links in the Places Bar to a number of common and oft-used locations.

The Change the Default ‘Save As’ Locations post by windowsxp550 also shows an alternative technique you can use to make these changes in the registry.

Alas, the only drawback I see with this whole thing is that you are just limited to a maximum of five locations.
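Since every tool above, and the Group Policy setting, ends up writing the same five PlaceX values under the comdlg32\Placesbar key, here is an added PowerShell example (not from the original post or any of the tools it lists) that sets the slots directly and uses the two value types just described: REG_SZ for a full folder path, REG_DWORD for a system folder’s numeric index.  The folder paths in $places are placeholders, and the CSIDL numbers are the standard shell constants for those folders.

```powershell
# Added example (not from the original post): write the five common-dialog Places Bar
# slots directly, using REG_SZ for custom paths and REG_DWORD for system folder indexes.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar'

# Numeric indexes (shell CSIDL constants) for a few common system folders.
# The Places Bar accepts these as REG_DWORD values.
$Csidl = @{ Desktop = 0; MyDocuments = 5; Favorites = 6; Recent = 8; MyComputer = 17; MyNetworkPlaces = 18 }

# Slots 0..4 in the order they should appear. Each entry is either a name from
# $Csidl (system folder) or a full path to a folder of your own.
$places = @(
    'Desktop',
    'MyDocuments',
    'C:\Projects\Deployment',   # placeholder path, change to your own
    'D:\Scans',                 # placeholder path, change to your own
    'MyComputer'
)

if ($places.Count -gt 5) { throw 'The common-dialog Places Bar holds at most five locations.' }

# The key is absent on a system whose Places Bar has never been tweaked; create it.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# Remove any old slots first so a stale Place3/Place4 does not linger behind a shorter list.
0..4 | ForEach-Object { Remove-ItemProperty -Path $key -Name "Place$_" -ErrorAction SilentlyContinue }

for ($i = 0; $i -lt $places.Count; $i++) {
    $entry = $places[$i]
    if ($Csidl.ContainsKey($entry)) {
        # System folder: the numeric index must be stored as REG_DWORD
        New-ItemProperty -Path $key -Name "Place$i" -Value $Csidl[$entry] -PropertyType DWord -Force | Out-Null
    } else {
        # Custom folder: the full pathname must be stored as REG_SZ
        if (-not (Test-Path -LiteralPath $entry -PathType Container)) {
            Write-Warning "Place$i : folder '$entry' does not exist yet; create it before opening a dialog."
        }
        New-ItemProperty -Path $key -Name "Place$i" -Value $entry -PropertyType String -Force | Out-Null
    }
}

# Show what was written, so the value types can be checked: a slot stored with the
# wrong type is the usual reason a location never shows up in the dialog.
Get-ItemProperty -Path $key | Format-List Place*
```

The key lives under HKEY_CURRENT_USER, so the change is per-user and takes effect the next time an Open or Save As dialog is opened; if Group Policy manages the Places Bar on your machine, the policy refresh will overwrite whatever you set here.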

Tweaking the Microsoft Office Places Bar

If you have done the above tweaks (manually or with a tool) and also use Microsoft Office, you will quickly note that the Places Bar changes you made don’t appear to carry over into the similar one for the Office applications.

I ended up needing to do this as I have a number of common folder locations I am always saving attachments into in Outlook at work.

That isn’t a problem with the aforementioned tools; it turns out Microsoft Office uses its own location and methods for its own version of the “Places Bar”.

The bonus is that you are not limited to just five locations in the Microsoft Office Places Bar but can have up to ten at once if so desired.

You just need to take a different approach to add these in.

Customize the Places Bar in Office XP/2003/2007 – Petri IT Knowledgebase

That post spells out the basics:

  1. Open a MS Office application (say Word).
  2. On the File Menu, select an action like “Save” or “Open” that will open up a dialog window.
  3. Browse to the folder location you want to add and click once to highlight it.
  4. Click on the “Tools” menu item and pick “Add to My Places”
  5. There it is!
  6. You can move them up/down by right-clicking the item in the list and picking “Move Up/Move Down”
  7. You can also resize the icons by right-clicking anywhere in the Places Bar area and selecting “Small icons” option.

The Microsoft KB826214 How to customize the My Places bar in both the Open and the Save As dialog boxes in Office has even more juicy details:

For example, you can find the Registry Key location these are saved in, just in case you want to export it for quick re-adding on another system or as a backup.

HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Common\Open Find\Places – Office XP

HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Open Find\Places – Office 2003

HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\Open Find\Places – Office 2007

The Places key contains the following two subkeys:

StandardPlaces

UserDefinedPlaces

The “StandardPlaces” items are the five default items that show up there in Office.

The “UserDefinedPlaces” are the “extras” that show up after you have added the ones you want.

Graham Mayor’s website page File Operations Places Bar has a great number of details and screenshots about this process/tweaking.

There’s quite a bit more registry information at the bottom of that KB as well that further details the registry key usage.
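Here is an added PowerShell example (not from the original post or the KB) that does the backup the post suggests: it exports the Office Places key for each Office version it finds, using the three key paths listed above, and then lists what sits under the StandardPlaces and UserDefinedPlaces subkeys so you can see the default five and the extras you added.  The backup folder is a placeholder.

```powershell
# Added example (not from the original post): export the Office "My Places" keys as
# .reg files for backup/transfer, and dump the StandardPlaces/UserDefinedPlaces subkeys.
$backupDir = Join-Path $env:USERPROFILE 'PlacesBackup'   # placeholder, change as needed
$versions  = @{ '10.0' = 'Office XP'; '11.0' = 'Office 2003'; '12.0' = 'Office 2007' }

if (-not (Test-Path $backupDir)) { New-Item -Path $backupDir -ItemType Directory | Out-Null }
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($ver in ($versions.Keys | Sort-Object)) {
    $relKey = "Software\Microsoft\Office\$ver\Common\Open Find\Places"
    $psKey  = "HKCU:\$relKey"
    # Skip versions that are not installed (or whose dialogs have never been opened)
    if (-not (Test-Path $psKey)) { continue }

    # reg.exe export produces a .reg file that can be re-imported on another system
    $label = $versions[$ver] -replace ' ', ''
    $file  = Join-Path $backupDir "OfficePlaces-$label-$stamp.reg"
    & reg.exe export "HKCU\$relKey" $file | Out-Null
    Write-Host "$($versions[$ver]): exported to $file"

    # Walk the two subkeys the KB describes and print every value under each place
    foreach ($sub in 'StandardPlaces', 'UserDefinedPlaces') {
        $subKey = Join-Path $psKey $sub
        if (-not (Test-Path $subKey)) { continue }
        Write-Host "  [$sub]"
        Get-ChildItem -Path $subKey | ForEach-Object {
            Write-Host "    $($_.PSChildName)"
            $values = Get-ItemProperty -Path $_.PSPath | Select-Object * -ExcludeProperty PS*
            ($values | Format-List | Out-String).TrimEnd() -split "`n" | ForEach-Object { Write-Host "      $_" }
        }
    }
}
```

Restoring on another machine is just a double-click on the exported .reg file (or reg.exe import), which is handy when you rebuild a laptop and want the same ten Office locations back without re-adding them one at a time.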

Finally, if all this manual editing or inside-office adjusting isn’t your thing, the Zjooj Team has a freeware download utility to help with this process:

OPiE 2.0 Office Places Editor - (freeware) – Neat app in that not only can you add up to 10 Office Places Bar locations, but you can also save multiple lists of 10 so you can conceivably end up with an unlimited number of custom locations to pick from, you just need to load the particular set you want each time.

Miscellaneous Items

Folder Marker - (freeware) – While not really related directly to the Places Bars we have been discussing, this easy-to-use tool lets you quickly modify the Windows folders on your system.  You can select from several default sets of folder colors or iconized styles, or even add your own custom icons from other sources.  I like using this to tweak key folders for visual cueing and organizing the different project management folder stores I use.

Grand Stream Dreams: Weird XP Folder Issue--Solved! – Tips on what you need to look at if somehow your folder icon tweaking doesn’t result in what you expect.

Cheers!

--Claus Valca

Friday, August 22, 2008

Feeling like Batou…


In case you don’t know, Batou is the right-hand man and second in command to Major Motoko Kusanagi of Ghost in the Shell anime fame.

He has been partially “cybernized” (think Six Million Dollar Man for those who remember that ancient TV series) with cybernetic prosthetics; including his trademark eyes.

I say this as this morning I just got back from a long visit in the Houston Medical Center where I received my RGP contact lenses.  These are the very first contact lenses I have ever worn in my life.  And I paid an arm and leg for them.  These aren’t Alvis’s weekly disposables.  With luck and diligent care they should last four to five years, at least.  Better.

About a month ago I blogged about not being satisfied with my recent optical correction checkup and being referred to a Baylor specialist with a likely diagnosis of Keratoconus.  After a two hour examination and testing that bordered on pure torture, the diagnosis was confirmed with indications of a very mild case in both eyes.  The condition in my left eye was significantly greater than my right.  Thus I was fitted for these specialized RGP contact lenses.

Lavie went with me and I’m sure she had her feelings confirmed that I’m really a big baby despite that “don’t mess with me crew-cut” I wear.  Let’s just say the contact fitting-technician was professional and patient and leave it at that.

So today I went back to get my final take-home pair.

After a quick check by the technician (popping them in/out in seconds) I had to prove my worthiness to be trusted on my own with them.  No doubt she still recalled my last session with her.

I felt like I was a pre-king Arthur having to pull the sword out of the stone.

Fortunately I passed the tests on my own and went out the door feeling like I had two large and clear bottle-caps crammed in my eyes (crown-side out), along with a collection of solution bottles and an acclimation schedule.

I was tough and comfortable enough (barely) to drive home in mid-morning Houston traffic.  Only I had forgotten that I didn’t have any “plain” sunglasses and while I was quickly gaining tolerance for the weird feeling of the hard-contacts beneath my lids, I was squinting up a storm due to the bright sunlight we haven’t seen in Houston for almost a week.

Near home we stopped and grabbed a pair of cheap sunglasses for now.  Once I get the second mortgage paid off for the contact lenses Lavie said she wants to take me looking for “normal” cool-dude sunglasses at the mall.  (I think that means Lavie likes my new glass-less style.)

After about three to four hours back at home came the second trial-by-fire; removal.

In the doctor’s office, I managed to get them in/out with no difficulty.  Turns out there is a technique to getting contacts out; something that involves a weird dance between pulling the skin around my eye toward my ear, then blinking to “pop” the lens off the eye surface.  Apparently most all players for the Argentine and Spanish Olympic teams also have contact lenses as they also demonstrate the technique I am speaking of.

I successfully got the right lens off and out, but the left one turned out to be a horrid experience.  I managed to get the lens crammed all the way to the far outside edge of my eye.  It looked like a horror movie as the lens has a light-blue tint.  After about five minutes somehow (miracle?) I managed to pop the lens out accidentally while trying to get it re-centered.

Hopefully practice will eventually make perfect.

Do they help?

Heck yea!

On the drive home, even though my eyes were watering like I was cutting onions in Houston traffic and the glare was killing me, and those bottle-caps were digging into my eyelids, I could still see better than ever.  And when I got my glasses back on the soreness in my left-eye due to eye-strain quickly returned.

Heck, the HDTV now really looks like we have HDTV…that’s another blog-post by the way.

Alvis has been especially supportive to dear-old-dad.  She has offered to help and coach me in the different techniques she has become a master at with her pair. And while Lavie was holding me back from getting a spoon from the kitchen to dig my errant lens out of my eye, dear Alvis was calmly comforting me and telling me all would be well and that I would get the hang of it.

Lucky man to have such a supportive family.

I think one of the reasons my blogging has tapered off for the past month is that my left eye has just plain “hurt” to be parked in front of a computer screen typing.  The (very slight) double-vision thing in my left eye has really psyched me out more than I think I realized.  It has left me feeling quite drained both physically and mentally.  Much more than I either expected or cared to admit to anyone.

I even felt so charged up at the pharmacy after getting my temporary sunglasses that I picked up a copy of the latest issues of Men’s Vogue, Men’s Health, and QC (alas, no Esquire on the stands) to check out the latest fall-fashions for men.

While I’m still an avowed polo and jeans guy, I’m ready to toss out all the old and fading ones and order some new threads…along with a major dress-shirt refresh as well.

How’s that for a positive sign!

Here’s another great link on the condition: The National Keratoconus Foundation

Now…I got Batou’s eyes down, got his boss crew-cut, getting closer to attaining Anderson Cooper’s gray hair.  Just gotta figure out how to get Batou’s muscle mass…

--Claus

Thursday, August 14, 2008

It’s a [PSA] Thing

Just a few “public service” announcements…for the interested.

It’s a Dell Thing

All of our enterprise notebooks are Dell Latitude models.

When it comes to notebooks at work, I’m pretty agnostic.  We cycle through our notebook leases about every three years.  Unfortunately, our IT department doesn’t get first and frequent dibs on the latest models.  While I always would like to have the latest processors and maxed memory, having a stable and dependable system is much more valuable to me.  Besides, we are all pretty good about putting in the tweaks needed to keep any system running at top-form. (Although it still does smart just a bit when we hand off a brand new system to a user and that system is spiffier than ours.)

So I instantly perked up when I saw this post:

Dell Laptops Affected by NVIDIA GPU Failures – CyberNet News.

Turns out a number of Dell notebooks (including our Latitude line) have some faulty NVIDIA on-board graphic processors.  Dell has released BIOS updates for many (but not all) of its impacted line including the D630 we field.  Seems that what the BIOS update does is cycle the internal cooling fan on more often to keep things cool.  Our notebooks are covered under a pretty sturdy support plan so I doubt we will have any issues replacing those that fail, but it will be something to add to the deployment guide.

Dell revamps Latitude line with new E laptop series - Crave, the gadget blog

This also got me thinking.  Depending on how many Dell Latitudes are still in the supply pipe-line, it is conceivable that we might be getting some of these new E-series notebooks when our turn at the equipment-renewal trough comes up.   While I bet we get standard-issue black/gray cases, wouldn’t it be neat to get one in a more Texan-like “Regatta Blue” or “Regal Red”?

After playing with the D620 and D630’s dual-core processors for a while, my D610 model is looking a bit shabby.  Fortunately, all of our new systems deploying are dual-core jobs with 2GB RAM (on XP Pro), so they are quite snappy.

It’s a Buzz Thing

I’ve (almost) never sought out a beverage solely based on caffeine content.  Generally for daily consumption, I stick to non-caffeinated drinks.  In the morning I have my double-size cup of tea-bag or loose-leaf brewed tea (black/green).  If I do eat out (rarely now) I might indulge in a large (un-sweet) iced tea.  I rarely hit the coffee beans now.  Still enjoy it, but it’s too high maintenance.  And I spurn the energy drinks like the plague.

I’m not overtly caffeine sensitive, but a Grande Frappuccino (with chocolate) is a sure-fire way to get my heart palpitating.  Only thing I’ve drunk that seems to do that.

So it is with pleasure that I found this handy chart on Caffeine Content.

That Grande brewed Starbucks I used to pick up? 320mg!

Curiously, the Frappuccino only comes in at 115 mg.  Must be Lavie’s presence as she is always with me when I get them.

Meanwhile, my morning tea is likely in the 100 mg range.

I do know that while I was on the coffee thing, if I skipped my regular cup I had a caffeine headache a few hours later, but on my morning tea, I don’t notice if I miss it.

It’s a Freeware Thing

Quite a few new and improved software finds to share today.

EASEUS Partition Manager - (freeware) – New Windows-based, GUI controlled partition manager.  Free for personal use.  Looks nice and seems to cover all the regular bases.  Most users don’t normally need a partition manager, but if you ever do, this looks like a non-geeky way to work with one.  Other partition managers worth mentioning are GParted, PartedMagic, Ranish Partition Manager, Cute Partition Manager, Partition Logic, Partition Resizer, SystemRescueCd, BootIt Next Generation (not free but good), and UBCD for Windows.  Spotted on Cybernet News and Lifehacker.

Process Monitor - (updated to version 1.37) – This Microsoft Sysinternals program for monitoring file/registry/process-thread activity for systems just got updated to fix some filtering usage and other bugs.

Process Explorer - (updated to version 11.21) – Another Microsoft Sysinternals program that got a bug fix.

Nir Sofer has been hard at work in his laboratory updating awesome utilities and releasing a new one.

ShellBagsView - (freeware) – Weird name but cool app.  This tool scans a Windows system and provides a list of when folders were opened and associated information.  Could be handy when you are doing “research” on a system looking for activity-related clues.

ServiWin - (freeware) – Use this tool to view, audit, and modify the installed drivers and services on a Windows system.  Again, I like tools like this as I can quickly audit and log system parameters for troubleshooting and documentary purposes.

SysExporter - (freeware) – Many times while troubleshooting a system I am presented with a text-box or window that has a very detailed (and ginormous) error-code message.  Instead of attempting to write it all down, I fire up this application and then can often copy/paste it into Notepad or other text editor for safe-keeping and searching. A screen-shot works, but this is much better in particular cases.

SmartSniff - (freeware) – Packet-capture tool that is quick and easy to get up and running. For guerrilla-style tactics, this one is very dependable.  This version update now provides local/remote MAC address information, IPNetInfo integration, and can be configured to show IP Country of origin.

WirelessNetView - (freeware) – Find and monitor the wireless networks that surround you.  New update includes the ability to report MAC address, RSSI, channel frequency and number. Can also report the company name of the MAC address based on hardware.

JavaRa - (freeware) – Just a reminder plug to not forget about this Java uninstaller/updater tool.  Very small, fast and handy.  I keep forgetting about it.

Newsfox - (Firefox Add-on) – The RSS reader for Firefox now has release version 1.0.3 out.

Totally Free Burner - (freeware) – Yes, there are a ton of good and free CD/DVD burning apps out there.  Just do a Google search of this blog and you will no doubt find the many I have recommended over the years.  This is yet another one.  With a pretty simple interface and all the major burning needs covered, this might be one to pass on to friends and family members who are looking for something a bit more advanced, but not requiring the hand-holding sessions required by many commercial or advanced freeware burning tools.  A good review can be found via freewaregenius.com.

It’s a Desktop Thing

Mandolux has a great multi-monitor desktop wallpaper for all you geeks who think hard-drive mechanicals are sexy.

500gb V2 – Triptych

This hard-drive dual-monitor wallpaper is also bright and vivid as found at DMB (Dual Monitor Background).

dmb – Hard Drive

Cheers!

--Claus

Tuesday, August 12, 2008

Windows Security Linkfest

I’ve been sitting  on this growing stack of links for a few weeks now.

Figured I might as well get it out the door—fast and furious.

Seem - System Eyes and Ears Monitor - (freeware) – I’ve mentioned this one a few times in the past and keep wanting to get around to doing a fuller “review” but can’t find the time. (I’m still recovering from that AVG post-fest.)  Anyway, Seem is a nice (and portable) tool for viewing and exploring a whole lot of system points including processes, system hooks, the kernel module, a service manager, Netstat, network devices (Arp), disk overviews, device viewer, startup manager, the control panel embedded into the program, and registry tweaker.  While I don’t generally like “all-in-ones” this utility has a whole lot of goodness about it.  Certainly handy and worth playing around in. Works for XP systems…I haven’t messed around with it in Vista yet; if it does work, it will almost certainly need Admin elevation to work properly.

oSpy v.1.9.6 the reverse-engineering software - (freeware) – Offered by the l33t cats over at Security Database.  Although it is still in development, this is one crazy-cool tool.

oSpy is a tool which aids in reverse-engineering software running on the Windows platform. [W]hen the sniffing is done on the API level it allows a much more fine-grained view of what’s going on. Seeing return-addresses for each recv/send call (for example), can prove useful when you want to look at the processing code at that spot in a debugger or static analysis tool. And if an application uses encrypted communication it’s easy to intercept these calls as well. oSpy already intercepts one such API, and is the API used by MSN Messenger, Google Talk, etc. for encrypting/decrypting HTTPS data.

You can also use this tool for Forensics purposes. This utility can trace and reconstruct any service launched. Very helpful to bust "hidden" remote connection (malwares and other sophisticated worms).

I’ve played with it just long enough to see how it could be really useful in some network capture work with malware.  Basically you run the app on the target system, then inject/attach it to a running process and start the capture.  You can do all kinds of neat things once your capture is completed with the data.

See this ospy - Google Code page for some very short-but-sweet screencast demonstrations on its finer points and operations.  Also check in at the "mov ah, 9 / mov dx, hello_world_msg / int 21h" blog for some more programming details and tricks for the program.

AnVir Task Manager Free - (freeware) – Another great utility find!  Spotted in a review on the 4sysops blog, this all-in-one utility looked too fascinating for me to pass up.  Once installed, you can copy the program-folder to your USB stick for a “portable” version as well.  It has a well-developed GUI interface that is heavy on the tab-format.  Check out system startup items and get details on each one/enable/disable, find dll’s and associated paths/processes, look for files in action and which process is controlling them, network connections open, monitor system performance, show information on system Windows (viewable/hidden), drivers, and along with a host of other neat and dead-useful features, you can select and upload files to VirusTotal directly from within the tool.  How neat is that?!!!  This one’s tucked away on my USB stick!

Microsoft® Malware Protection Center : How potentially unwanted software finds a way into our computers – great blog post that has some technical details and investigative work on pathways for malware infection on Windows systems.  Short read.

What is Windows Malicious Software Removal Tool (mrt.exe) and how to use it - Windows Vista for Beginners – Most times we all reach for power-house anti-malware/anti-virus tools to clean a system.  However, XP and Vista systems do contain a tool for dealing with specific threats.  This post is a fast read and shows us how to use it.

SANS ISC – Is Anti-Virus Dead? – Thought provoking post on the role of traditional signature-based malware protection.  I don’t think we have seen the end of anti-virus protection, but the threats are changing and heuristic/behavior-based protection is probably a good item to add to your Windows security protection elements.

Windows Incident Response: The Question of "whodunnit?" – Does the “Trojan Defense” still have merit?  Methinks so, but the forensic analyst has their work cut out for them.  Just because something is “discovered” on a pc doesn’t mean the user did it.  A good examiner will look for related evidence of “intent” and other clues to draw a supportive conclusion.  Unfortunately, sometimes the issue isn’t with the forensic examination or examiner; the issues may lie in outdated company policy and/or failure of non-system-aware managers who are not able to understand the nuances of these elements technically.  In many folks’ minds, if it is on your pc, then you are responsible.  Period.  Or, it can swing the other way…non-technical folks might buy into the “It wasn’t me, it was a root-kit” explanation, despite a lack of evidence on the system. Harlan does a nice job covering this angle.

ISC SANS: Securing A Network - Lessons Learned – Great list of things to consider when securing a workstation, a server, or a network.  Good refresher material, because no matter how good you are…it can still happen to you! Hacked! And I didn't like it - URLScan is Step Zero (ComputerZen blog).

F-Secure Rescue CD 3.00 - (freeware) – I’m not sure how I didn’t know about this LiveCD tool for so long!  Download the ISO file and burn to CD.  Use to “live-boot” the target system.  The Linux system will download the latest signatures from F-Secure into memory and use them during its scan.  If no Internet connection is available you can load them from a USB key where they have been previously tucked away.  When malware files are located, it will rename them with a .virus extension so you can find them quickly.  Of course, if these are any key system files, it might make the target system non-bootable.  So you had better be ready for some kung-fu troubleshooting work.  Cool stuff!  I’ve added this one to my sysadmin’s CD case.

Seen this “explosive” post on the destruction of Vista security so that it is “…completely game over”?

Neowin.net – Vista’s Security Rendered Completely Useless by New Exploit

Well, turns out that may not be quite the case after all. Just your usual net-security web-hype before folks have RTFM.

Submitted for your consideration….

Whew!  I can sleep better now with these security bits!

--Claus

Mount ImageX WIM’s via Windows Explorer

This is a “by-request” post for the D-Man.

We were talking in my cubicle/bullpen the other day about images and how files can be extracted from within them for recovery or troubleshooting purposes.

For instance, Symantec Ghost has Ghost Explorer.

And ZENworks Imaging has ZENworks Image Explorer.

Well, you might not have known it, but ImageX users can also mount and explore/extract files from a WIM image.

Here’s how.

Get the Windows Automated Installation Kit and Install

Take your pick:

Download details: Windows Automated Installation Kit (AIK)

Download details: Automated Installation Kit (AIK) for Windows Vista SP1 and Windows Server 2008

The first is the original, the 2nd incorporates the Vista SP1 updates in the WinPE 2.0 (and then some) files.  You don’t need both.  Either will do.

Once downloaded, mount the ISO with a utility like SlySoft Virtual CloneDrive, or burn the ISO to CD, and then run the installer.

Note:  from what I read, if you are clever, you can also just snag a copy of the following files from a system where the WAIK has previously been installed: C:\Program Files\Windows AIK\Tools\x86 (for x86 OS’s), or C:\Program Files\Windows AIK\Tools\amd64 or C:\Program Files\Windows AIK\Tools\ia64 for the matching 64-bit processor type.  I prefer just to install the WAIK package myself.

  • imagex.exe
  • wimfltr.inf
  • wimfltr.sys
  • wimgapi.dll

Install the WIM Filter

For some reason, installing the WAIK does not install the WIM filter driver (wimfltr.sys) that your system needs running to mount/manage WIM file images.

To do that you need to again browse to C:\Program Files\Windows AIK\Tools. Pick the right sub-folder for your CPU type.

Now, right click on wimfltr.inf and then click on “install”. Reboot. 

Installing a kernel-mode filter driver does require Administrator rights, so do this from an Administrator account. If you are running as a limited user and the “install” option doesn’t seem to take, that is the first thing to check (the command-line install described further down under “Cool Curiosities” is another way around it).

For more details see this post: 4sysops - How to mount a WIM image with ImageX in Windows Vista

Add WIM Filter Options to Windows Explorer

So to make this convenient, I find it very helpful to add a registry hack that puts the WIM filter options in the Windows Explorer’s right-click context menu so I can quickly mount/dismount WIM files from Windows Explorer on the fly.

Jump over to Robert McLaws’ post: Mounting WIM Images from Windows Explorer - Robert McLaws: Windows Vista Edition  (Note: Works on XP and Vista systems.)

Download the appropriate REG file from his site,

Add a “mounted_wim” folder at the root of your system partition –> C:\mounted_wim

Run the REG file you downloaded.  Reboot.

Then to see if it worked, browse to C:\Program Files\Windows AIK\Tools\PETools\x86 and look for the winpe.wim file.  You should now see a pretty icon and if you right-click it from within Windows Explorer, you should see options to “Mount, Commit Changes, Dismount, and Mount Writeable.”

Pretty Cool!

Possible Gotcha!

When preparing this post, I wanted to make sure it still worked as described.

I was using the x86 versions and for some reason, it never did.

I did some looking around and it seems like the REG file downloads from Mr. McLaws’ site might actually be corrupted.

I compared the wim-x86 version I was downloading and it seemed to have some corruption in the text.  It just didn’t look right.

The MD5 hash I get from his file dated 11-04-07 is 0b0cd1941bdae4ab24feb31f65f74ca8

The MD5 hash I get from the one that I downloaded months ago and DOES still work is:
1b87e35ee51998b26a8e1a4853cfdf0f.

I’m getting the “corrupted” version on all my systems when I try to download it, independent of browser used.  I’m not sure if this is just something crazy I am running into or a real issue with the files he is hosting.  So you may find different. I just can’t say yet.

I dropped Mr. McLaws a line to see if he can confirm.  I’m waiting for his response.

In the meantime, below is the contents of the working version of his wim-x86.reg file that I have.  Alas, I don’t have one for the x64 file.

If you experience the same thing that I was, you might want to try making a blank wim-x86.reg file in Notepad.  Then copy the following text into it and save.  This might work in the meantime.  Also, this is all Robert’s work.  I’m just passing it on for folks having problems with the current downloadable version from his site…all credit where due!

wim-x86.reg contents

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Image.Format]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Image.Format\DefaultIcon]
@="C:\\Program Files\\Windows AIK\\Tools\\x86\\imagex.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Image.Format\shell]
@="Mount"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Image.Format\shell\Commit]
@="Commit Changes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Image.Format\shell\Commit\command]
@="\"C:\\Program Files\\Windows AIK\\Tools\\x86\\imagex.exe\" /unmount /commit c:\\mounted_wim"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Image.Format\shell\Dismount]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Image.Format\shell\Dismount\command]
@="\"C:\\Program Files\\Windows AIK\\Tools\\x86\\imagex.exe\" /unmount c:\\mounted_wim"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Image.Format\shell\Mount]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Image.Format\shell\Mount\command]
@="\"C:\\Program Files\\Windows AIK\\Tools\\x86\\imagex.exe\" /mount \"%1\" 1 c:\\mounted_wim"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Image.Format\shell\Mount2]
@="Mount Writeable"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Windows.Image.Format\shell\Mount2\command]
@="\"C:\\Program Files\\Windows AIK\\Tools\\x86\\imagex.exe\" /mountrw \"%1\" 1 c:\\mounted_wim"

[HKEY_CLASSES_ROOT\.wim]
@="Windows.Image.Format"
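Given the corrupted-download scare above, here is an added example (my own, not from the post or from Robert McLaws’ site) of what I would run before importing any .reg file fetched from the web: check its MD5 against the hash quoted above, then list every shell verb and command it registers, since each “command” value becomes a program that runs with your rights whenever you pick that context-menu entry. The file location C:\temp\wim-x86.reg and the script name Check-RegFile.ps1 are assumptions for this example; the expected hash is the working-copy hash from the post.

```powershell
# Added example (not from the original post): verify a downloaded .reg file
# against a known-good MD5 and list every shell verb / command it would
# register before you let regedit import it. Save as Check-RegFile.ps1.

param(
    # Path and expected hash are assumptions for this example; the hash is the
    # one quoted in the post for the known-working wim-x86.reg.
    [string]$RegFile     = 'C:\temp\wim-x86.reg',
    [string]$ExpectedMd5 = '1b87e35ee51998b26a8e1a4853cfdf0f'
)

if (-not (Test-Path -Path $RegFile)) { throw "REG file not found: $RegFile" }

# 1. Hash check (Get-FileHash needs PowerShell 4.0 or later).
$actual = (Get-FileHash -Path $RegFile -Algorithm MD5).Hash
if ($actual -ne $ExpectedMd5) {   # -ne is case-insensitive in PowerShell
    Write-Warning "MD5 mismatch: got $actual, expected $ExpectedMd5 - do not import this file."
} else {
    Write-Host "MD5 matches the known-good copy."
}

# 2. Show what the file actually registers. .reg files saved by regedit are
#    UTF-16LE with a BOM; Get-Content detects the BOM, so ANSI copies work too.
$currentKey = $null
foreach ($line in Get-Content -Path $RegFile) {
    if ($line -match '^\[(.+)\]$') {        # a [HKEY_...] key header
        $currentKey = $Matches[1]
        continue
    }
    # Default-value lines look like: @="..."  with \\ and \" escaped inside.
    if ($currentKey -and $line -match '^@="(.*)"$') {
        $value = $Matches[1] -replace '\\\\', '\' -replace '\\"', '"'
        if ($currentKey -like '*\shell\*\command') {
            # Verb name is the key one level above "command".
            "{0,-16} -> {1}" -f $currentKey.Split('\')[-2], $value
        } elseif ($currentKey -like '*\.wim') {
            "File association .wim -> $value"
        }
    }
}
```

For the working wim-x86.reg this prints the four verbs (Commit, Dismount, Mount, Mount2) each pointing at imagex.exe, plus the .wim association; anything else pointing somewhere unexpected is your cue not to import. Two things worth knowing about the REG file itself: every verb uses the single hard-coded C:\mounted_wim folder and image index 1, so only one WIM can be mounted at a time and multi-image WIMs always give you the first image; and since the keys land under HKEY_LOCAL_MACHINE\SOFTWARE\Classes, importing it needs Administrator rights.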

Alternative #1 – Via the CLI

If you don’t want to do this registry trick, just mount your WIM files from the command line.
Windows IT Pro has a great and simple guide:
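As an added example (mine, not from the original post or the Windows IT Pro guide), here is the mount / work / unmount sequence as a PowerShell script with the checks I would want around it: it confirms the mount folder exists and is empty, runs imagex /info so you pick the right image index instead of assuming 1 the way the REG file above does, mounts read-only unless you explicitly ask for /mountrw, and always unmounts in a finally block. The imagex path, the x86 tools folder and the C:\mounted_wim scratch folder are assumptions taken from the post’s defaults; run it from an elevated console, because the WIM filter driver does the actual work.

```powershell
# Added example (not from the original post): mount a WIM image with ImageX,
# do your work, and always unmount it. Assumes the WAIK default install path,
# the x86 tools, and a scratch folder C:\mounted_wim. Run elevated.

param(
    [Parameter(Mandatory = $true)][string]$WimFile,
    [int]$Index = 1,
    [string]$MountDir = 'C:\mounted_wim',
    [switch]$Writable   # use /mountrw and commit changes on unmount
)

$imagex = 'C:\Program Files\Windows AIK\Tools\x86\imagex.exe'   # assumption: default WAIK path
if (-not (Test-Path -Path $imagex))  { throw "imagex.exe not found at $imagex" }
if (-not (Test-Path -Path $WimFile)) { throw "WIM file not found: $WimFile" }

# ImageX only mounts into an existing, empty directory.
if (-not (Test-Path -Path $MountDir)) {
    New-Item -ItemType Directory -Path $MountDir | Out-Null
}
if (@(Get-ChildItem -Path $MountDir -Force).Count -gt 0) {
    throw "$MountDir is not empty - is a previous image still mounted there?"
}

# A WIM can hold several images; /info lists them so you do not blindly take index 1.
& $imagex /info $WimFile

$verb = if ($Writable) { '/mountrw' } else { '/mount' }
& $imagex $verb $WimFile $Index $MountDir
if ($LASTEXITCODE -ne 0) { throw "imagex $verb failed with exit code $LASTEXITCODE" }

try {
    # Do your recovery / inspection work here. As a demonstration, list the
    # first few entries of the image's Windows folder.
    Get-ChildItem -Path (Join-Path $MountDir 'Windows') -ErrorAction SilentlyContinue |
        Select-Object -First 10 -ExpandProperty Name
}
finally {
    # Leaving a WIM mounted (especially read-write) is how you end up with a
    # damaged image or a filter driver that will not release the folder.
    if ($Writable) {
        & $imagex /unmount /commit $MountDir
    } else {
        & $imagex /unmount $MountDir
    }
    if ($LASTEXITCODE -ne 0) { Write-Warning "imagex /unmount returned exit code $LASTEXITCODE" }
}
```

Usage: .\Mount-Wim.ps1 -WimFile 'C:\Program Files\Windows AIK\Tools\PETools\x86\winpe.wim' (script name is mine). Read-only is the default on purpose: for pulling a file out of an image for recovery you never need /mountrw, and a read-only mount cannot leave a half-committed image behind if something goes wrong mid-session.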

Alternative #2 – Via a GUI Utility

ImageX is pure command-line kung-fu.  However, Jonathan Bennett has developed a wicked-cool GUI utility that can also be used to do this.  I like Robert’s method, but if you want, this little guy should do the trick.  Note: since I had already installed the WAIK and WIM filter before using it, I can’t say for certain that it will work without all that jazz.  I would recommend doing so (as described above) before you use this tool, just in case.

Current version was just updated to v2.0.13 as of July 4th, 2008.  So keep an eye open for more updates down the road.  This version is much more robust and feature-rich than the early versions I encountered back when I was getting my feet wet in ImageX usage.

Cool Curiosities for PC Sysadmins

While doing the troubleshooting (before I located the bad REG file), I thought that maybe I had to install the WIM filter via an admin account.  Since I was using one of the IE App Compat VHD virtual images, which provides a limited user account by default, I wondered how I could install it with Admin rights.

I had already obtained this VHD’s Administrator account password…somehow!

I knew I could do the “run-as” command to elevate but that didn’t work for this particular situation with the wimfltr.inf file.

I could do a “run-as” elevation of CMD as administrator easily enough…which I did.  But can you install an INF driver from the command line and not the GUI?

Yep!

Install INF Drivers From Command Line or Script – Dashken’ I-Blog held the answer.  And dealing with the WIM filter no less!  Definitely worth bookmarking!

See also this MSDN page: InstallHinfSection Function (Windows)

The trick here is that where the guide shows <filename.inf> for you to type, you must type the FULL path\filename.inf, not just filename.inf, for it to work.  The reason is the 132 mode value: 132 is 128 + 4, where 4 means “prompt for a reboot if one is needed” and 128 tells setupapi to use the INF’s own directory as the source location for the files the INF copies (wimfltr.sys here).  With a bare file name there is no directory for it to use, so the install fails.  Security note: because rundll32 setupapi,InstallHinfSection will carry out the directives of any INF you point it at, it is also a well-known “living off the land” technique, so expect endpoint monitoring to flag scripted use of it, and only feed it an INF from a source you trust.

Example, to install the x86 WIM Filter system service do this:

%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Program Files\Windows AIK\Tools\x86\wimfltr.inf

OR

C:\Windows\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 C:\Program Files\Windows AIK\Tools\x86\wimfltr.inf

NOT

%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 wimfltr.inf

OR

C:\Windows\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 wimfltr.inf

Even if you have the CLI open to the location of the wimfltr.inf file itself.

Clear?

Next find: I wanted to actually work in the IE Tester’s “Administrator” desktop account workspace, but short of booting into Safe Mode, I couldn’t initially get to it.

The first workaround I used to get to the full Administrator account on this free virtual hard-drive image was to download Process Explorer and then use its “Switch User” option from the menu bar.  I suppose I could have tried Ctrl-Alt-Del as well.

However, Process Explorer’s user-switching worked and quickly I was logged on to the Administrator desktop.

But I would have to do this at every reboot.

What if I wanted the Administrator login to show at boot?

Yep….one more registry hack.

That did the trick!  Now I can not only log on as the IE Tester user for regular work, but if I have to install or do something with “full” rights, I can choose to log on to the “Administrator” profile as well.

Sweet!

--Claus