Monday, May 26, 2008

Last Minute Linkfest!

Zathura is coming on cable in a few minutes.  We loved Jumanji and I think it has a few of the same elements.

So hold on...popcorn and one last moment of family-time fun await once I pound these links out.

Windows Incident Response: RegRipper Update - Harlan has now released his great tool RegRipper in version 2.02 which now includes the "Advanced" version features.  Download via SourceForge from his post link.  Only at the moment, it looks like SF is choking a bit as none of the mirrors will successfully download it.  Hopefully it will be cleared up soon.

Does a Site Have Malware? Google Provides Diagnosis - Tip via GoogleBlogoscoped.  I have previously posted tips for Pre-Scanning of URL Links for Safe Web Surfing.  Now If you know the correct Google-code for searches, you just need to "append any domain – your domain or another site you want to check on – to the end of the URL “"  That link also has a form box you can use if you want to bookmark.

Java SE 6u10-build 24 is now available - I use these cutting-edge beta Java versions which are optimized for added Firefox performance.  Build 24 was just released. Just download and install over the old 6u10 version.  I do have the current "standard" version of Java 6 also installed.

Quick and easy HP JetDirect firmware updates - Tip via "the back room tech" blog.  Use HP JetDirect Download Manager to keep your HP network printers happy and updated.  Pretty neat.  See Julie's post for GUI screenshot.

Lavasoft released 2008 edition of Ad-Aware - Donna's SecurityFlash. And here I was just downloading and installing version 2007 on a friend's pc the other day.  Oh well. Ad-Aware 2008 Free.  Not quite my favorite or most powerful any longer, but still easy anti-malware protection and scanning for most home users.

Workstation Migration Assistant 1.0 RC3 - More improvements are seen in this latest project installment from Dan Cunningham.  I'm sitting on a pretty big post about this and some other GUI-based Workstation Migration Assistant tools.  Hope to get that posted in the near future.

Outlook Attachment Remover - (freeware) - Little Outlook add-in to save and extract attachments. I haven't loaded it on my system yet.  Looks handy, but I have been in the habit of removing and filing attachments to my Outlook messages at work for quite a while now.  Really cuts down on PST file sizes.  Only wish I could find a way to add in a note to the emails which would record the original file-name in the email.  Maybe someone knows a solution?  Related: Outlook Attachment Remover Add-in - Review via gHacks and Windows Tip: Remove Outlook Attachments Without Deleting the Message via Lifehacker.

Firefox Ponders Suicide - [sarcasm] -Calendar Of Updates.  Basic premise here is that Mozilla might find a way to leverage the pretty massive install base of Firefox to collect (ostensibly "anonyomized" data on surfing habits of its users for statistical outsourcing.  Read also: Mozilla phancies doing a Phorm - The Register and Mozilla Stealth Data Project Could Be Just What The Internet Needs - TechCrunch.  Appears participation would be optional by Mozilla users. Still seems kinda creepy and no word if "opt-in" or "opt-out" will be set by default.  I'm thinking someone will be struck by logic and reason and decide this isn't a good thing for Mozilla to play around with.  Good way to get burned by your fans, even if the "Fire" is in your product's name.

SpecialFoldersView - (freeware) - New Nirsoft utility that might not be useful to most Windows users, but is still a bit cool and handy to have around.  Basically it displays all the "special" Windows folders and allows you to quickly navigate to them by double-clicking the folder. So if you are a hard-core Windows System folder jock, this might be right up your alley.  I've added it to my USB stick collection.

Security Process Explorer - (freeware) - I'm always on the lookout for Windows process explorer tools and utilities.  I have a very good collection now and yet another mega-massive post just for these waiting in the wings.  Anyway, found this one this weekend.  Good? Well, it provides a semi-useful bar for most processes showing a "unique security risk rating". You can see details, Google search items directly, block and end processes. It lets you monitor processes and has some good info. Supports Windows 2000, 2003, XP and Vista (32-bit only). If you decide to play with it, take a moment to click on the "view" file-bar and see additional column items you can add. Bad? Comodo Firewall kept firing off serious warning alerts when I would try to view the properties of items. I'm still not sure what that was about. Processes are displayed, but apparently not in a helpful (to me) process-tree/dependency view. Also, it's not nearly as powerful as the venerable Process Explorer from Microsoft's Sysinternals.  Might be good for newbies to teeth on as a step-up from Task Manager, but real sysadmins won't find any reason to replace Process Explorer. It remains the paragon of Windows Process management utilities.

There you have it.

Time to put the pop-corn in the microwave!

See you in the skies!


Four Important Bits for Windows: Almost as good as Brisket!

Important for Sysadmins: Sysprep Updated and Changed for XP SP3!

This is critical info for all you system administrators who use Microsoft Sysprep to prepare a system before imaging and deployment.

Back Room Tech guru Julie points us to a post by David Remy in which he provides the following summary:

...the issue deals with the default profile and it no longer being copied when running sysprep. Before SP3 and without the patch the default profile was copied from the administrator account during the sysprep process, this behavior however changed in SP3 or when you installed the hotfix 887816. In SP3 the default setting is to not copy the default profile, thus a new key was added to sysprep.inf to allow for this functionality. The UpdateServerProfileDirectory=1 setting tells SP3 to copy the administrator profile to the default profile during the sysprep process.

He also has updated his great sample sysprep.inf file to incorporate the changes in sysprep in it.

See also:

KB 302577 - "How to use the Sysprep tool to automate successful deployment of Windows XP"

Download details: Windows XP Service Pack 3 Deployment Tools - The new Sysprep tool for XP SP3 systems.

Windows 7 Native VHD Support?

Long Zheng points out that it is very likey (at this early stage) that Windows 7 will support Microsoft's Virtual Hard Drive (VHD) formats for mounting.

While this may not be exciting to everyone, for system administrators and virtualization geeks it is pretty neat with possibilities.

Long also has a screen capture purporting to show a Microsoft VHD HBA storage controller in action.

Related: If you use Microsoft's ImageX for drive imaging, with a bit of work you can configure your XP or Vista system to mount them for exploration and file copying via Windows Explorer. I've done the registry trick and life is great with it as I work a bit with WIM files.

Of course, that assumes you have already installed the Windows Automated Installation Kit (Windows AIK) on your host system.

Note: there is also a newer version of the WAIK out as well that has Vista SP1 bundled in it - Automated Installation Kit (AIK) for Windows Vista SP1 and Windows Server 2008.  Be sure you know which one you want before you download.

Ghost of the (Windows) Shell

Daily Cup of Tech shared a little trick that might let you restart a Windows interface and run as the LOCAL SYSTEM account.

Why?  It has lots of handy and powerful privileges that come along with it.

There has been a way do so via some cmd prompt kung-fu. (DCOT shows you how.)

But for folks who don't want to do that, he has also created a little "GetSystemAccess" exe file (also downloadable from that post) to one-click auto-it.

Warning...not for the feint of hart of those who worry about possibly tanking their system.

To get back to "normal" just log out and log back in as yourself.  Or reboot.

Read the comments as well regarding discussion on Vista and other Windows builds.

Might be handy to know for sysadmins.


Like how to start a fire in the grill at the park, with all the family waiting, only you don't have any lighter-fluid as it evaporated because someone didn't pop the top down good enough.  So you use some spare paper plates as kindling--scout style--while your brother drives off to look for some at a nearby store..only by the time he finally gets back you have it going perfectly and the briquettes are nicely ashed over? 

Yeah. Something like that.

Service Please! To Muck or Not to Muck...That is the Question!

Ed Bott's on a tear with his great looks into Vista:

Now we are at Part 4: Fixing Windows Vista, Part 4: Get smart about services - RE: Services

Long story short. Leave them alone. Yes you can muck around with a few, but the performance gains really are negligible.

So, it's up to you.

Muck around a lot with Windows Vista Service Pack 1 Service Configurations (via BlackViper) or not.  Just be a bit informed before you start.

I personally haven't made many service changes except for some very specific third-party services (HP) but that will be another GSD post. Oh yeah, I also turned off Windows Defender on our Vista laptop.

Otherwise, all my Vista services are running as they were set by default for Vista.


Before I reloaded XP on my desktop a while back I had also done some service mucking using a BlackViper guide. Now everything is at defaults.

Did it make a difference? Maybe. Hard to tell.  I don't think I actually "hurt" anything, but I really can't really say I personally noticed much of a performance gain either.

I really wouldn't recommend service tweaking for most any XP/Vista user except hard-core tweakers and gamers who must eke out every last bit of performance from their systems.


Memorial Day Moment of Thanks

WWIIMemorialWall VietnamMemWall

World War II Memorial and Vietnam Memorial, Washington, D.C., cc credits: flickr Jeff Kubina

I would be remiss this day if I don't take a moment to thank the families (current and past) who have lost loved ones in the defense of our country.  Thank you for your sacrifices.

Both of the images taken above by Jeff Kubina really humbled me.

Regardless of one's politics, these warrior souls should never be forgotten.

Good time as any to remind folks of the amazing Vietnam Veterans Memorial (The Vietnam Wall) : where you can look up and perform searches by name, Service branch, home town, or enlistment.  They are working on a beta search that has even more detailed views.

What makes Footnote's project so special is that they have digitized the entire wall and when you select a name, you can see the actual image of the soldier's name on the wall.

I did a search for those who fallen who had listed Houston as their home town and found 356 matches.  Very humbling.

On my bookshelf at work, I have a framed copy of General Douglas MacArthur's Farewell Speech to West Point.  I like to pause to reflect on it from time to time.  Helps me stay in touch with a greater purpose for service and work.

Let me offer but a portion of the speech below:

Others will debate the controversial issues, national and international, which divide men's minds. But serene, calm, aloof, you stand as the Nation's war guardians, as its lifeguards from the raging tides of international conflict, as its gladiators in the arena of battle. For a century and a half you have defended, guarded and protected its hallowed traditions of liberty and freedom, of right and justice.

Let civilian voices argue the merits or demerits of our processes of government. Whether our strength is being sapped by deficit financing indulged in too long, by federal paternalism grown too mighty, by power groups grown too arrogant, by politics grown too corrupt, by crime grown too rampant, by morals grown too low, by taxes grown too high, by extremists grown too violent; whether our personal liberties are as firm and complete as they should be.

These great national problems are not for your professional participation or military solution. Your guidepost stands out like a tenfold beacon in the night: Duty, Honor, Country.

You are the leaven which binds together the entire fabric of our national system of defense. From your ranks come the great captains who hold the Nation's destiny in their hands the moment the war tocsin sounds.

The long gray line has never failed us. Were you to do so, a million ghosts in olive drab, in brown khaki, in blue and gray, would rise from their white crosses, thundering those magic words: Duty, Honor, Country.

This does not mean that you are warmongers. On the contrary, the soldier above all other people prays for peace, for he must suffer and bear the deepest wounds and scars of war. But always in our ears ring the ominous words of Plato, that wisest of all philosophers: "Only the dead have seen the end of war."

Thank you, you ghosts of war.


Comcast Broadband is Fast (despite other issues) + Gmail Login gets Optimized


cc credit flickr: peasap

Comcast seems to be be a popular, well, piƱata, lately.

We have had our service (analog cable/broadband) for a number of years now and have always been very pleased with their service in our East-o-H-Town suburbs.  The very few times I've had to call them regarding outages, I have always gotten fast service and response.  Might have something to do with the fact that I can talk the network-lingo talk with the techies (Can you ping down to my cable modem? What response rates are you getting? Etc.)

Speeds have always been awesome.

I found a new broadband speed test site the other day: Internet Speed Test by

Here's my best from that site:


And from

And from


Rates vary and I got tired of running/re-running the tests then trying to do captures.  Needless to say, it's still been quite fast and sufficient for all our download needs.

Anyway, Internet Speed Test is a pretty interesting site. It offers a number of "unusual" tests so you can really pick and choose different situations:

Gmail Upgrade?

Will Gmail Get Themes?  I don't know but it would be cool if they released themes for Gmail.  If you use Firefox you can use Lifehacker's great Better Gmail 2 which now has more features, skins and Firefox 3 support.

I've also noticed the following Gmail loading bar this week logging into one of my Gmail accounts via web browser:


I hadn't seen that before so I was wondering what's up?

Turns out Google has been doing some performance tuning on the load-routines for Gmail.

A need for speed: the path to a faster loading sequence - Gmail Blog

The Gmail gang has been doing network traces using some cool tools (Httpwatch, WireShark, and Fiddler -- all free) along with their own in-house stuff.  I haven't seen Httpwatch before so I might be downloading this plug-in for IE soon.

Anyway, when done they found they were using about 14-24 HTTP requests required to load a Gmail inbox and then display it.  Not bad but they felt they could do better.

Once out of the Google-blender they got it down to as few as four request from punching the "sign-in" button to display of your inbox.



C it now or C it later

Got a few more posts to put up before the day is through.

Cheated on the Bar-b-que front.  Dropped by the local smokehouse and picked up some brisket sammy's.  Yumm.

Let's see 160 tapes x 3 hours = 480 hours of encoding?

I saw this interesting device this morning:

ION USB VCR - Last Chance To "Be Kind & Rewind" - Retro Thing

The very first VCR movie we rented was Stripes.  It's pretty dated now, but it seemed really funny at the time to a impressionable high-school kid.  All disestablishment and attitude. Good stuff. I'm not sure what the first Betamax movie I saw was.  Probably Murder on the Orient Express.  Think it was a two-tape version.

We probably have at least 160 VCR tapes and movies around our video-library. The vast majority are Disney material.

They take up lots of shelf-space and it just isn't very convenient any longer to pop them in and watch.  We usually keep a blank VHS tape in the deck to capture the occasional show, but nowhere near as much as we used to.  And no.  No TiVo yet in the Valca home.

I don't know what the legal ramifications would be for changing out our VHS tape collection and converting them to a DVD-based codec format.  Probably illegal, despite the fact we own them and you can't find VHS movies anymore in any store.  I think a few pharmacies and grocery stores still stock blank tapes, but even these are getting a bit harder to find.

I wonder if any GSD readers have suggestions or advise on porting VHS tapes to a digital format.

I don't know which system I would want to use. The Vista system has 2x the RAM as my desktop, but I've got a 500GB drive in my desktop system and the AMD Athlon XP 2400 chip is still pretty fast.

I haven't really done much research into video capture devices yet.  Would USB 2.0 be fine? I'm not sure I could find a PCI card for my desktop unit any longer.  What codex format should I use?  I would probably want to find something that would work on both the laptops as well as our Sony DVD player.  I suppose I better dig out the manual.  At close to 160 or so tapes, that would be many, many hours of encoding work.  I would really want to find a balance between quality and storage space on media.  Especially if I went ahead and burned them to DVD.

Probably will be one of those projects I think about doing, but never follow-through on.  That works out to about twelve (12) 40-hour weeks worth of encoding.  Not sure I have that much free time.  Better stock up on a few more VHS desks while I can still find them.

Reminds me of a great scene from the Cowboy Bebop series (Speak Like a Child episode 18) where Faye gets a package that contains a Betamax tape. So the boys go on a hunt for a player. Turns out they find a VHS one so it's not compatible.

Hello Mars!

Last night when we got back from taking Mom out to a birthday dinner, my little bro and I sat in her living room watching the countdown for the Mars lander.  It was pretty fun doing that as a family.  I'm not sure how attended the show was on CNN, but we thought it was cool.  God bless those poor engineers and planners who spend all that time building and programming the thing, then have to pretty-much sit on their hands until it gets there.

No pressure!

This image was incredibly cool


Image credit: NASA

It shows the Phoenix Lander parachuting down to Mars as seen from the High Resolution Imaging Science Experiment camera on NASA's Mars Reconnaissance orbiter.  I just can't seem to get my mind around the fact that one orbiting satellite was able to capture a second one coming down to land.

NASA - Phoenix Mission Page

NASA - Phoenix Images

Twitter / MarsPhoenix - The Mars Phoenix Lander Twitters!  Who knew?

Phoenix (spacecraft) - Wikipedia, the free encyclopedia

YouTube Shenanigans

So the giant "D" Silverman led me to waste considerable time on YouTube again yesterday.

He had posted a funny South Park spoof of Mac vs PC:

That led me to the "sequel" for Mac vs PC vs Linux:

And since we run a Novell network shop, I would be remiss to leave these Novell creations out:

Novell Launches Pro-Linux "Get a Mac" Spoofs - Cult of Mac from

Who knew Linux was a girl?


Sunday, May 25, 2008

Grinders & De-Grinders


cc credit minkymonkymoo via flickr


Keeping the home systems (and work systems) running smoothly is no small task.

Sometimes being a sysadmin can lead to more work (or lack thereof) at home as well.

Case in point, I've been working on blogging and updating software on just two of our three home systems for most of the day. Sure it's fun. Lavie is taking a nap and Alvis has been a bit under the weather so it has been quiet.

Periodically I run a system cleaner.  I don't do it "regularly" but maybe once every three months or so.

This is to clean out all the extra "bits" of junk that can accumulate during the use of a Windows system. Temp files, cache files, (some) log files, etc.  It can grow to be quite a haul if you aren't careful.

Is it critical?  Probably not. But it usually doesn't hurt either.

I have three tools I use primarily to do this cleaning:

CCleaner - (freeware) - version 2.07.575

Wise Disk Cleaner and Wise Registry Cleaner - (free/$) - versions 3.3.0

With CCleaner, I take the defaults, except I don't delete cookies the System items, or anything under "Advanced" unless I'm gunning for something specific.  Under the "Application" tab I do cleanups of everything I find except Firefox (which I manually manage) and Sun Java.  All else I let rip.

With the Wise tools, I usually just take the defaults as well.

Both Wise products and CCleaner have seen version updates recently so you might want to download newer versions to get the updates first.


I will run a registry defrag maybe once a year.  I don't personally think it adds that much in performance gains, and if something goes bad, you can trash your registry. Not a good thing.

Here I prefer Auslogics Registry Defrag and PageDefrag (Sysinternals) for my tools.

For hard-drive defragging I like Auslogics Disk Defrag and JkDefragGUI by Emiel Wiedraaijer.

A new defragging tool that has been making the blog rounds lately is UltimateDefrag.. It certainly presents a "unique" interface using a circular pattern of blocks rather than the usual square/rectangular grid most use.  Aside from this unique GUI, I can't really say much more, having not tried it out yet.  Some uses report defragging issues when running along with some crashes of the application.  Related Download Squad post: UltimateDefrag Optimizes your hard disk for apps you use the most.


Grand Stream Dreams: Defrag Mosaic

Grand Stream Dreams: More Freeware Defragging Tools


Foxit Fixed: + Lessons in PDF security

Just in case you wanted my humble opinion, Foxit Software's Foxit Reader is probably one of (if not THE best) PDF reader alternative out there.

"Alternative to what?" you ask? 

Why This monster of course.

Only a worrisome bit of news came out this week in the security-vulnerability realm:

Foxit Reader executes injected code - News - heise Security UK

Basically, Foxit Reader could be used with a buffer overflow to execute malicious code on a system via crafted PDF file.

The problem is caused by a boundary error when the program processes PDF files with embedded JavaScript. A buffer overflow can occur in the util.printf() function when the program parses format strings containing a floating-point specifier. This can allow malicious code to be injected and executed.

Problem is present, even without the optional Foxit JavaScript plugin feature for Foxit Reader.

More here via Secunia.

Version 2.3 builds 2825 and possibly earlier are impacted.

So go update to the newest version of Foxit (2.3 build 2923) or use the "updater" inside Foxit Reader if you already have it installed.

New features (awesome as always) include:

New Features

  1. Bookmark Design - Makes it possible to have your own bookmarks. Users can create, edit, or delete bookmarks in a PDF file if the security settings allow.
  2. Multi-tab Browsing - Enables users to open multiple files in a single instance. You can choose to view PDFs in a multi-tab window or multiple instances by setting documents layout from the Preferences dialog.
  3. Multimedia Player Support - Supports many media formats including audio and video. Read multimedia ebooks with Foxit Reader 2.3.
  4. Callout and Text box Tool - Creates comments in a callout text box or a box. You can also define their appearance as other commenting tools.
  5. Commenting Text Tool - Enables users to add most types of text edits by right-clicking on the selected text, including highlight, strikeout, underline, squiggly and replacement. You can also use the Commenting Text Tool to add bookmarks for PDF files.
  6. Rulers and Guides - Provides horizontal and vertical ruler guides to help users align and position objects on the page. Right-clicking on the ruler enables you to change the unit of measurement.
  7. Magnifier - Magnifies areas of the PDF files easily as you work on Foxit Reader.
  8. Automatic Scrolling - Allows users to view documents without using mouse actions or keystrokes.
  9. OCG Support - Enables the user to view related content stored in a variable number of separate layers.
  10. FDF Related - Opens FDF files directly with Foxit Reader without any import implementations.

Enhanced Features

  1. Optimized Rendering - Supports progressive rendering and significantly reduces the response time from the user interface events.
  2. Improved Link Tools - Allows users to add actions to links, such as go to a page view, open or execute a file, open a web link, etc.
  3. Improved Snapshot - Enables users to print the selected area in Foxit Reader by simply selecting the Print option from the context menu.
  4. Search Enhancement - Allows users to float, move and resize the Full Foxit Search box.
  5. Better Annotation control - Groups drawing markups to help users operate objects collectively, and allows users to move annotations through pages.
  6. Font Information - Lists the fonts and the font types used in the original document in the Properties dialog.
  7. Updated Command Line - Allows users to open password protected PDF documents with a simple command prompt.
  8. Streamlined UI - A completely redesigned UI with a new look and feel makes Foxit Reader more intuitive than ever before.
  9. Many Bug Fixes, including V2.3 Build 2825 security issues .

Diving into PDF Depths with Didier

Didier Stevens has been posting some really fascinating looks into the world of PDF formatting.

Great stuff, especially from a security standpoint.

Quickpost: About the Physical and Logical Structure of PDF Files - All you wanted to know about PDF formats and then some.

Quickpost: eicar.pdf - In which he embeds an EICAR test file into a PDF for your puzzling fun.

PDF Stream Objects - In which we find out how a zip-bomb might be set up.

Solving a Little PDF Puzzle - Solution for A Little PDF Puzzle which challenges us to find the passphrase of the PDF file and we see more about "incremental Updates" to a PDF.

PDF, Let Me Count the Ways… - How PDF language can generate variants of malicious PDF docs.

He also has cross linked to this excellent writeup by akudaniy: Let’s modify your acrobat files! « The Playground to show how to generate a PDF file from a web-page (as well as modify existing PDF files).

PDF Related

See these related Grand Stream Dream post:

Free PDF Readers (and then some)

Vista Tip: Install a PDF Printer Driver for Free

Firefox and fixing PDF madness, + Bonus Firefox Links



Evidence Collector - Beta: New Auditing Utility (+ some Bonus Finds)

Why does it always seem to me that the weeks that the best new utilities come out that I find myself swamped at work and not really having the time to sit down and evaluate these gems?

Case in point: Security Database Tools Watch - Evidence Collector Beta released

The fine team at Security Database has been best known (to me and many others) for their FireCAT project. FireCAT is a collection of Firefox Add-on's that help with system auditing and assessment from a security perspective. Great stuff.

So when I saw this new beta-release tool offered, I instantly had to drop what I was doing and check it out.

I would hesitate a bit to label it a "forensics" evidence collector. Instead I see its use more in line with system assessment and auditing. As such, I found it to be a great and useful tool to collect a ton of log data very quickly.

From the product description page:

Features :

- System information : Get owner, IP, MAC address before going through forensics.
- Shares and policies applied on shares : very handy to detect if someone gets into computer from opened shares.
- Started and stopped services : Some services could be a wide opened doors to get unauthorized accesses.
- Installed softwares : Unwanted softwares could be installed without your knowledge. See what inside your computer
- Installed Hotfixes : Enumerating installed hotfixes. Note that a missed critical patch is a potential exploitable vulnerability.
- Enumerated Processes : List whole processes starting on system.
- Events logs : Application, system and security events logs are collected. Events logs keep traces of what happened to system.
- TCP / UDP mapping endpoints : See what hidden behind TCP / UDP ports. Generally, most of remote administration tools and trojans don’t hide their activities.
- Process handles tracking: See what processes did when started. From accessing Registry keys to writing into files. Useful to see if evil activities are not disguised behind some processes.
- List start-up programs : When rebooting computers, many evil programs stick into registry keys in order to be reloaded again.
- Suspected modules : Scanning modules to see if they are rootkitted.
- USB history : Reveals if any USB key has been plugged into system.
- Users policies : Collecting users and their policy. You can easily identify any unknown user.
- And more...

In-progress features integration :

- Files MD5 hashes generating
- Essential files and registry keys permissions enumeration
- More rootkit revealers support
- Windows Events ID scanner and tracker
- Advanced Log Viewer

Get it and Run it

Follow the links and download the zip file. Unpack it.

Inside you will see the main exe program launcher "EvidenceCollector" along with a readme file and a system file needed to facilitate the program's operation.

There are three folders also. "GFX" contains an image used by the program. The "Logs" will become the repository of your log-files generated. Finally there is the "utilities" folder which contains the actual applications doing the back-end work.

The launcher/manager calls to the following tools, all of which are available independent of this tool: Autorunsc, Fport, Handle, ListDLLs, modGREPER, OpenedFilesView, policy (DumpWin), PsFile, PsInfo, PsList, PsLogList, Sigcheck, StartupRun, TCPVcon, USBHistory, users (Inx download at bottom of page).

Just click on the main launcher program and it will first check to see if the profile account you are running it under has sufficient privileges to execute properly (Administrator rights required).

Once loaded, just click the "Start collecting Data" bar at the bottom.

It will then go through the process of running each tool and outputting the resulting log file into the log folder. Run-times vary depending on the system and amount of activity captured. On my systems it took just under a minute to run.

On my Windows XP Pro system it collected a great number of helpful log reports. On my XP Home system it generated a single log file of minimal value. I'm not sure if it is Home/Pro thing or if some of my home security apps are giving it some grief.

Update: Late last night, I realized why the reports were not all being generated on my XP Home system when they were working find on my XP Pro system. Turns out that I had been running it on my work machine from my second partition (not the system partition). On my home system I had unpacked and ran it from my C: (system) partition. So I moved it to my D: and ran it. Worked perfectly. Lots of logs! 26 in fact. Folks running it from USB shouldn't encounter that "problem". Next time I get a chance I will have to do a followup post outlining the log report files generated and how they might be useful.

Running from a non-system partition is not really clear in the release notes. Makes sense however as you might not want to be dumping log data directly onto the HDD you are attempting to analyze.

I would also toss in Harlan Carvey's excellent RegRipper tool to run in parallel with your system information collection tools.

Bonus Material

Harlan has a new post that links to a few more neat tools: Windows Incident Response: More Free Tools

Specifically, NetworkMiner which.

...can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.

The purpose of NetworkMiner is to collect data (such as forensic evidence) about hosts on the network rather than to collect data regarding the traffic on the network. The main view is host centric (information grouped per host) rather than packet centric (information showed as a list of packets/frames).

Adding this one to my laptop and USB stick.

gHacks also points us to a utility which might be valuable to notebook road-warriors.

NetSetMan - (free/$) - The free version allows you to set up to six IP configurations for your laptop or portable desktop system. Just hook up to the network, run the utility and it will instantly configure your network interface for your preferred settings. Could be a real time-saver if you connect to various locations frequently. The Pro version brings unlimited number of configurations, proxy support, and browser home page configurations. Network Settings Manager - gHacks review

While tracking down the source of some of those previously mentioned utilities, I found this Tools from NII Consulting page. It contains some various free security and auditing tools.

SEEM (System Eyes & Ears Monitor) v4.5 - (freeware) - This is another "Wunder-Tool" that provides an almost holistic view of key system parameters and operations. It will warrant a post-of-it's own. I think I have mentioned it before here at GSD but this is a newer release. If you are curious, visit the linked (translated) page. Read the Description page. Then hit the "Remote loading" page which Yahoo! is not correctly translating to "Downloads". Should be fully portable to run on USB as no installer is required. Download, extract and run.

All Muy Bueno!


WinPatrol Flash - Feeding the Scotty


The other day I was tooling through my RSS feeds at work and caught a new post from Bill Pytlovany.

As frequent GSD Blog readers will recall, I am a big fan of his WinPatrol software.  Simply put, this real-time tool monitors your Windows system and alerts you to changes made by applications (good/bad) to said system.  Besides the monitoring features, you can view and manage start-up items, browser toolbars, scheduled tasks, Windows services, cookies, the HOST file, log when programs are first detected on your system, and a number of other elements all useful for the advanced user.  Great program and incredible that Bill offers it in both free and $ versions.

Bill's latest post immediately caught my eye.

Bits from Bill: Help Friends/Family with WinPatrol FLASH

This has just convinced me that Bill must be one of the most crazily kind guys in the world.

See, what Bill has done, is to bundle up at least eight of his WinPatrol product's most powerful features and released them in a singularly USB portable EXE file.

WinPatrol Flash provides geeks an almost all-in-one solution for dealing with pc-cleaning and optimization of a home-user's system.

Oh my!

Behind the Bark

Get this free application from the BillP Studios: WinPatrol USB Flash Edition download link.  It supports Windows 9x - Vista builds.

Nothing at all to install. Download the single file and click to run.

You will be greeted with the familiar bark of "Scotty" the watch-dog.

Once up you have a number of tabs to explore.  I noticed right-away that it loads the contents very fast.

  • Startup Program - This tab shows a list of all the times set to run at system startup.  You can click on an item to get more information about the entry or you can remove the item.  There is also an "advanced" mode which shows some additional launch-points.
  • ActiveX - This tab shows which ActiveX items are installed and enabled on your system. You can disable the ones you wish selectively, as well as list ALL ActiveX controls or only non-Microsoft ones.  Malware sometimes tries to insert itself into Internet Explorer by use of ActiveX controls.
  • IE Helpers - These are additional toolbars or "features" that are plugged into IE by the system or other applications. Again, you can get more info on them or remove them.
  • Scheduled Tasks - Provides a view of which items have been scheduled to run by the Windows Task Manager.
  • Services - Shows all the services that are installed on your Windows machine, as well as the status state and if they are set to run at startup. You can "filter" the list for non-Microsoft services if you wish.  More information is available for individual items.
  • Active Tasks - Yep. You get a quick-view of running tasks/processes on the system. Name, description, and company. Select one and click the "Info" button and you will get a bit more info along with the full path location.  You can attempt to kill task as well.
  • Hidden Files - This provides a list of files that were found to be marked with a "hidden" property attribute.  Just because a file is marked this way doesn't necessarily mean it is "evil"  So don't freak out just because you see something listed here.
  • Plus - This tab allows you to cross-link your WinPatrol Flash edition to your WinPatrol Plus registration information.  This allows you to have access to the lookup database for items that is possible under the "Info" button usage on other tabs.  If you are a subscriber, you now have access to additional details about these tasks, processes, files and other items.  This is a great feature, especially for home-users who fall somewhere in beginning to advanced range of computer knowledge.  It's a great way to check if something is safe or not before you go deleting stuff.
  • Options - Few more neat things...and to me the best; log files!  The WinPatrol Log gives you a HTML formatted list of running processes and other found items. The Spreadsheet report outputs the information into a spreadsheet document. On my system it auto-launched Excel. I personally liked the Hijack Log format the best. A text file was generated with tons of great data. There is also a button to view the HOSTS file in notepad. Finally there is a History keeper and a button to export your settings.


As I alluded to earlier, I would recommend this wonderful tool to home-users who are just starting to get their feet wet into understand what is running and going on with their system.  It's also valuable to the geeks who need to carry a singular utility around to quickly assess a system.

By itself it offers no real-time "protection" to a system like the full-featured WinPatrol installation does.

The log files generated are quite detailed and alone make this a great program to keep handy on a USB stick.

However, advanced Windows geeks and system-administrators probably have a number of more sophisticated "power-toy" utilities at their disposal that would provide better resources for more in-depth system assessment and response: Process Explorer, Autoruns, Process Monitor. OpenedFilesView, CurrPorts, VStat, UNLOCKER, Advanced Process Termination, RegASSASSIN, and FileASSASSIN.

Unfortunately, using these effectively requires a significantly deeper understanding of Windows systems and you have to flip between them as you are working on a system.

So hat's off to Bill for stripping out his WinPatrol Explorer component from WinPatrol proper and releasing it for us to drop into our USB toolbox.

Definitely a keeper!


Fitted Sheet Puzzle

I have been doing laundry since high-school.

Mom figured that she didn't want to have to stop what she was doing every time I wanted to wear my favorite jeans and shirts...several times a week.

Being a "clean" kid, i almost never re-wore the same pair of clothes without washing them between use.  It's a habit I still follow today.  I have gotten a "micro-bit" more relaxed, as I will wear my long pj-pant bottoms about a week, and I have a pair of cargo-shorts I will wear a full week at a time after I get home from work and on the weekends.

Anyhows....when Lavie and I got married our first apartment didn't come with washer/drier hookups. So we would sort out the dirties, then haul them down to the wash-room at the end of our apartment house block.  It was a drag, especially in the rain having to take the laundry out, but on the other hand, if we did our at night, usually we could get three washers and then three dryers all going at the same time so wash-time was actually pretty fast.

When we finally got a place that had hookups for our own washer/dryer machines it was very convenient.  And shortly thereafter, I somehow became the sole laundry-washer/folder for the Valca home.  No biggie.  It's pretty relaxing except when I have to put the clothes up.  Don't know why I don't like that task.

The bane of my washing existence isn't what you would normally think.  Not the stains. Not the sorting, not the dealing with the "delicate" items.

Nope.  It's folding those stupid fitted sheets.

You know, the ones with the elastic at the corners that don't lay flat.

The only time I have ever seen them perfectly folded is when the are taken out of their packaging; new.

My technique has generally resulted in something that looks like a bed-roll.

So out of frustration last week after getting the new sheets on our bed, and the old ones washed and dried, I did a Google-search looking for a solution.

And found it.

How to Fold a Fitted Sheet -

The secret?

Fold the fitted sheet in half, tucking one pair of corners into the other, then square up the sides. Fold as normal. See, it's that "tucking" part I kept missing.

I have a bit more practice to do, but my first attempt was very impressive.


BTW...who still irons their bed-linens? Anyone?  I noticed that on the tag for our new ones last night "warm-iron if needed."

I couldn't imaging taking the time to iron a full set of bed-sheets. Don't they just get all wrinkled up again once you jump in?  And then doing that for as many sheets/bedrooms you might have?

Whew!  No thank you!

Real Simple has guides to folding a number of other household items as well:

How to Fold Anything -

Worth looking into and brushing up on your techniques.


Sunday, May 18, 2008

Sunday Linkfest Ramble...

Whew!  I am beat!

Got up at 7:30 AM to get fresh local donuts for Alvis and her BFF's who spent the night post eighth-grade senior dance.

Picked up the house from about nine to ten. Got more laundry going.

Went and grabbed some pic-i-nic vittles at the grocery store about ten.  Got back and prepped all the yummies while continuing to deal with house-clutter.

Mom and brother arrived at about eleven thirty.  Time for the picnic!

Drove out to the neighborhood park by noon, wondering if we would be able to find a free pavilion on such a wonderful Sunday.  We did.

Got the barbeque pit loaded up.  Brother realized his lighter fluid bottle was empty. Left to go find some more.  I wadded up several paper plates and surrounded the core with brickettes. Lit it. Fanned it.  By the time he got back it was going just fine; thank you very much.

Ate burgers and beans and basil-seasoned corn-on-the-cob.  Ate a silk-chocolate pie. Played catch and caught up on everyone's stories and drama.

With the breeze, and the low humidity, and the clear blue skies, the barges going up and down the bayou and the gulls calling, it felt like a childhood Florida moment somehow.

Bundled back up by three PM at the house. Split up the leftovers.

Took a shower and shaved.

Ran out to get a book for Lavie she had reserved at the bookstore.  Stopped by Khol's to look for new pillows and sheets for our bed.

Learned that Vera Wang makes very nice bedding and thinks highly of her products.  Bought them anyway.  Agreed that Lavie and I should try getting matching pillow styles, and found some to our mutual satisfaction.

Realized at checkout that there really are 1000 count pillowcases in the world, and that if you buy them, you must enjoy them.  Every single penny of them. 1000 count pillowcases fell REALLY good.  I better have some very sweet dreams tonight.  That's all I am saying.

(OK, I picked them out, not Lavie. They do feel very nice.)

Got back home, Alvis reported she had finished her homework. Mostly.  Lavie instructed Alvis of all the things that will not be allowed on the new master-bedroom bedsheets; hamsters, food, drinks, jeans still on Alvis's body home from school, hamsters.

Tossed out a few bedrooms worth of very old and very scary looking bedsheets that had been lurking far back in the linen closet.  Convinced myself that while I could find many uses for them, that the simplest thing to do would be to just toss them and walk away.  Done.

Still got to fold the mountain of laundry in the study.  Still got to unload the dishwasher and re-load.  Still got to change the sheets to the new 401K plan which consists of 400 to 1000 count Vera Wang bed sheets and Laura Ashley pillows (4).

Might eat some leftovers.  Or not.

Got to get done by 8 PM in time for the last episode of Masterpiece Theatre's wonderfully fun Cranford.  I missed most of the second installment, but fortunately, it's being offered to Watch Online!

What am I forgetting?

Oh yeah! This week's Linkfest Roundup!

Security Tools and Techniques.

This week in a rare moment, I was able to take a break from my project management and go hands-on in a tough fight with some challenging malware.

It was a strain of malware that tosses a big 3vil bio-hazard warning about infection on the user's desktop wallpaper, grinds their network connection to a crawl, and provides horrible popup warnings about (false) virus infections found and directs the user to pay for the tool to remove them.


This particular variant is in a class similar to PrivacyProtector Free (Red BioHazard Desktop Screen).  Turns out that it has been making our way around a few offices and desktops of ours.  I think it seems to be installed by users as a "drive-by" when they visit a less-than reputable website. The guys have been resorting to just recovering the user's data files, then doing a re-image of the system and moving on.  As I found out, it's very sticky, but not too complex if you have the right tools and a bit of know-how.

In the end I used Autoruns and Process Explorer to locate, disable and/or remove the startup items and delete most of the launching files.  However there were two files I couldn't delete and attempts to use my "locked-file" killers resulted in BSOD's.  With a bit more investigative work I discovered that the two particular files (both .dll's) were hooking at startup deep into the LSASS and Winlogin processes.

Fortunately I have another trick up my sleeve as we now run on XP Pro desktops.  I logged into the Administrator account and set the Security permissions on the files to "Deny" for everything and all users.

Rebooted. The files could not be launched and executed!  Then I merrily deleted them.

I then re-ran Autoruns and removed the remaining bits of the ilk from the auto-start shell, registry, and startup locations.

I removed a few more program folders where it had been "installed" and removed the annoying fake threat wallpaper folder.  Finally (still disconnected from the network) I launched Internet Explorer and hand-entered the original home-page which had been changed to the PrivacyProtector website.

One quick pass with CCleaner and dumped all the temp files, cookies, history, etc. and plugged it back to the network.

Ran like a top.

Some Microsoft Sysinternals tools got great updates this week:

Autoruns v9.2 - 9.21 - This tool got an update that allows exportation and importation of scan results to better view results on other systems.  It also adds support to enable and delete Winsock notification DLL's and fixes bugs encounterd on the 64-bit Windows systems.  Must have tool.

Process Monitor v1.33 - This tool fixes some 64-bit Windows issues and now preserves profile information by default when saving log files.

AccessChk v4.1 - This command-line tool for looking at effective permissions on files, keys and processes now handles Vista process owner rights and shows permissions on active threads.

I didn't know it at the time, but Precise Security has a free tool to effectively remove a specific collection of malware, desktop hijackers, and adware/malware installed by the Zlob trojan family.

Tools and Resources | SmitFraudFix - Freeware malware remover.

Turns out I probably could have used this tool to remove that PrivacyProtector junk from the get-go.  Now I know.

Stinger v3.9.9 - McAfee Threat Center - (freeware) - Standalone utility used to detect and remove specific and active virus infections.  No replacement for full anti-virus protection, but good to keep this single exe file on a USB stick, just in case.

Multi Virus Cleaner (MVC) 2008 v8.2.0 - (freeware) - Another standalone tool to detect and remove major viruses from a system.  Covers over 6000 common variants. Offered as a public service by VirusKeeper security professionals.  Good to keep handy as well

Nirsoft Fun

Nir Sofer is still at it!  Here are some new and improved offerings from his workbench.

PstPassword - Outlook PST Password Recovery - (freeware) - Nothing is more frustrating that a end-user who figures out they can password their Outlook PST files, but then forgets their password!  Sure, we can unlock their Exchange Server password, but their PST file? Luckily Nir has that one covered.  This new update to version 1.10 allows the user to save the results as a CSV file. Nice.

OpenedFilesView v1.15 - (freeware) - Use this tool to display a list of all the open files on your system, along with information about read/write/delete access, and importantly to me, the process that opened the file.  You can also attempt to use this to close the opened file or terminate the process that has it opened.  New version supports CSV file export of results, AutoRefresh sub-menu selection is displayed, and the main window doesn't loose focus when switching back and forth.

MUICacheView - (freeware) - According to Nir Sofer, "Each time that you start using a new application, Windows operating system automatically extract the application name from the version resource of the exe file, and stores it for using it later, in Registry key known as the 'MuiCache'.  This utility allows you to easily view and edit the list of all MuiCache items on your system. You can edit the name of the application, or alternatively, you can delete unwanted MUICache items."  Granted, they come back when you run the application again, but it could be useful when you are inspecting a system and it's application usage.

Seriously Fun, Serious Utilities

Event Log Explorer - (free for personal use) - Great tool that allows you to one-stop-shop view, monitor and analyze the wealth of system logs and events on your Windows 2000/XP/2003 systems.  Sure you can do it without this tool, but this really does help you organize the myriad of reports and drill down to exactly what you are looking for.  Supports tabs, filter by event, power-searches, and the ability to print or export the results.  Great for system inspection and auditing. From FSPRO Labs.

RegRunner - (freeware) - Stunningly well made tool that (like BillP Studios: WinPatrol) monitors your system for changes.  RegRunner keeps its eyes open for registry changes.  Very good to run during program installations/uninstalls.  Can also display running processes and auto-run items, but I prefer the Sysinternal tools for those areas.  Found via a DownloadSquad post.

Empty Folder Nuker by Simon Wai - (freeware) - Does knowing that you have empty folders scattered across your hard-drives keep you up at night?  Want a quick and dangerous way to find and delete them? You need Empty Folder Nuker.  Works on XP, Vista, 2000, and Server 2003.  Simple and easy to use.  But beware, some applications actually need these things to operate. Toss the empties at your own risk!

winMd5Sum Portable - (freeware) - There are a ton on MD5 file hash generation tools out there. I have about five or six.  What I like about winMd5Sum in particular is that it allows you to quickly compare results without having to run multiple sessions of the same tool or copy/paste/write the first one down, then get the second one. Designed to run of USB.

SoftPerfect Network Scanner: fast and free network scanner - (freeware) - Updated recently to version 3.7.  Does lots of wonderful things like pinging, detecting MAC addresses, finds hidden shared folders and write accessible shares on networks, scans for listening TCP and SNMP services. Exports findings in a variety of formats.  Great and USB portable network tool.

Visual IP Tools: Visual Ping, Traceroute, Whois and Email Headers Investigation tool. - (freeware) - Yep it does all that. For free.  See visual route tracking for packet sends. Get WHOIS info. Pings are very pretty. And what I find especially cool, is that it can review email header information and analyze it to get a better understanding of who sent you what.

Seriously Fun, Not-so-serious Utilities

Task Coach Portable 0.69.2 - PortableApps - (freeware) - From the feature description, "Task Coach is a free/open source to-do manager with a friendly interface making it very easy to create, organize, and manage all of your tasks. Task Coach features various handy options such as setting start and completion dates for a task, creating a budget for a task, adding attachments, reminders and more!" Learn more about Task Coach...

BootTimer - (freeware) - Itty-bitty utility to find out just how fast your XP system boot-up time is. Nothing deep here. Just for geeks who like to compare boot-times as a badge of honor.  Could be good to see if disabling certain auto-run items makes any difference or not. Spotted via LifeHacker

Rulers - Omnidea - (freeware) - Really cool on-screen ruler utility and screen shot capture tool.  Supports multi-monitors, also contains a magnifier, color picker and comes in both Windows and Mac versions.  Fun and useful!

Bytessence UserBar Generator - (freeware) - Ever notice those cool little user-bars that some forum users have as their signature graphics?  This tool helps you to design and craft your own custom creations.  It is very easy to use and supports a lot of really eye-catching visual graphic effects including gradients, reflections, "scanlines", custom fonts, opacity, transparency masking and other graphic elements.  Quite addicting to play with.

For the Browser Fans

Yes, I know. I heard.

Firefox 3 Release Candidate now available for download

Dwight is now encouraging folks to go try this version. I would agree.

I personally have been using the "nightly" builds of Firefox 3 for quite some time now and am very pleased with the performance and behaviors.  It is my full-time browser of choice now.

However, I'm not really looking at that old-news.

I've been playing a bit more with the Opera 9.50 beta 2 browser.

Me likey!

No, I'm not going to switch anytime soon from Firefox, but this little browser just keeps getting faster and faster and better and better.  Amazing piece of work, it is.

Oh, and like testing bleeding-edge versions of Opera?

I found that download page as well: Opera Software - Beta Testing.

While not quite as "nightly" as Mozilla's "Nightly" are, they are still periodically made available.

More neat Opera development news can be found over on the Desktop Team blog.

I spent considerable time last weekend playing around in Opera.  In doing so I found a great resource that documents all the files and folders used by by Opera on Windows.  Really good stuff here.  If you are an Opera fan, you must bookmark this page for posterity.  It really helped me understand the files and folder structure when I was poking around my system, post-Opera install.

Files Used by Opera for Windows

Also found out that like Mozilla's "about:config" that contains the inner configurations of the Mozilla Zilla, Opera has a back-stage pass as well; "opera:config".  Only Opera's is very slick and well organized.

Speaking of Firefox 3 and the Zilla, you may remember this post where I found a variety of tools that could be used to look at Firefox 3's SQLite files now used in the latest version: Two More "Lite" SQLite viewers - All good, light, and free

Turns out there is actually a great Firefox Add-on extension that can view SQLite files!

SQLite Manager :: Firefox Add-ons - spotted via this Confessions of a Freeware Junkie blog post.

So if you don't want a standalone freeware SQLite viewer utility to inspect your Firefox SQLite files, then you can use an add-on to do it!  Neat!

One feature of Opera I think I like (still not sure) is the speed-dial feature (Flash-based example) where-by you are presented with a number of thumbnailed sites to pick from as your home-page.  Cool I suppose if you are sorting through the same sites each morning.  I personally just use this blog as mine, but at work, I think I could see some value in this.  Though I usually spend most of my time in my RSS Feed reader (NewsFox) first, then branch out to some other sites.

Anyway, there are two similar Add-on's for Firefox that capture the "speed-dial" feature in Opera:

Speed Dial :: Firefox Add-ons

Fast Dial :: Firefox Add-ons

Which is better? I'm not really sure at the moment.  Give me a few weeks trying one, then the other and I will be able to provide a fair evaluation.

Finally, the Firefox Extension Guru has been providing some wonderful tip-posts on how to tweak Firefox 3:

My personal favorite? Fx 3: Removing Bookmark ‘Star’ Button.

Others have included:

Removing ‘Live Feed’ Button

Make Active Tab Wider

Fx 3: Removing The Search ‘Go’ Button (and the "search bar" magnifying glass)

Find even more Firefox tweaks in The FFGuru's redesigned Tweak's Section

Good work Guru!

And now...time for Masterpiece!

See you in the Skies!


In the Microsoft Mill....

So last weekend I was planning the best "breakfast-night" for dinner ever.

I'm known in the family for my wicked-awesome French toast.  So I had planned a great dinner of special scrambled eggs, bacon, and the French toast.

The first two were no problem...then I began making the French toast batter.  I added all the normal (and my secret) special ingredients.  Yummy! Then for the topper I reached for the cinnamon spice jar and topped off the now dunked and cooking slices sizzling on the flattop grill.

Only one problem.

It wasn't cinnamon I had grabbed, but cayenne pepper powder.  My eyes must have been tired.

Lavie thought the resulting dinner was much too spicy to eat.  Alvis kindly ate two or three pieces declaring it surprisingly good.  I had to agree, but only if done with moderation.  The sweet syrup worked well with the spicy flavor.

So this week I had to have a re-do.  I recreated the menu again, this time carefully reaching for the cinnamon spice miller, just to be extra safe....only I had forgotten that I had removed the mill part and the cap was loose on the top.

This time I was greeted with a shower of cinnamon chunks over the counter and in the batter. Luckily these were quickly fished out and cleaned up.

Had to end up using the two-year old jar of ground fake-cinnamon instead.  Checked twice before application.

It was still good.

Here are some Microsoft related posts from the Web grinder I found interesting to note this past week.

A Look Behind the OEM Driver Curtain

The key to Windows success? It’s all about the drivers - Ed Bott’s Microsoft Report

Mr. Bott takes us on a quick two-page review of how drivers and hardware come together to get on your Windows system...and the pitfalls we face when users must rely on OEM manufactures to produce and distribute them.

IE and XP SP 3 What You Need to Know

IEBlog : IE and Windows XP Service Pack 3

You only need to care if you plan on rolling back your current version of IE after you install XP SP3.  Here's the gist:

XP SP3 ships with IE 6;

If IE 6 is installed, no changes or impact.

If IE 7 is installed, XP SP3 will install, BUT you will no longer be able to uninstall IE 7 to roll back to IE 6 under XP SP3. To roll back, you must uninstall XP SP3, then roll back to IE 6, then reinstall XP SP3.

If IE 6 is installed, and you install XP SP3, THEN upgrade to IE 7, you can roll back to the "newer" IE 6 in XP SP3 with no issues.

If you have IE 8 beta installed on your XP SP2 system, Windows Updates will not offer XP SP3 to you (by design). You must first roll-back IE 8 Beta to a previous version of IE first. If you do a manual install of XP SP3 on top of an existing install of IE 8 beta, you can't remove IE 8 beta after that! Recommendation is to roll back to IE 7 or 6, then install XP SP3, then reinstall IE 8 Beta so you can remove it later if you wish.

Nice and simple isn't it?

Branding IE in XP SP3

I haven't seen or had a need for a "branded" IE installation since my early Windows 2000 support days.  We decided to rollout some IE 6.0 releases with the agency name as part of our imaging and IE upgrade project way back when. More work than it was worth (fun though it was).

Turns out that XP SP3 mucks up the process a bit on producing custom IE7 packages unless you use the new Internet Explorer Administration Kit 7 (IEAK7).

IEBlog : Installing Branded IE7 on Windows XP Service Pack 3

Although likely to be rare, if someone you support does get the XP SP3 upgrade, and later tries to use one of these "branded" IE7 setups (say from a broadband provider), they may get the following error:

“Process 'xmllitesetup.exe /quiet /norestart /er  /log:C:\WINDOWS' exited with exit code 61681”

Reason according to IEBlog is that the IE7 installer package is attempting to toss an older file version on top of a newer one, something the system won't allow.

Now you Know!

New Mystery Solved at Mark's Blog

Always a source of entertainment and good Windows troubleshooting techniques, this latest "guest post" installment from Mark Russinovich's blog hunts down problems in FrontPage.

The Case of the FrontPage Error - by Windows Detective Troy Wolbrink

Troy illustrates the easy use of Process Monitor to find a file-creation error.  A few security setting changes on the original file resulted in the fix.

What I found most useful to learn from the post, was not this technique, but a comment at the end regarding how file properties are handled between "move" and "copy" actions on the same volume:

Looking back I believe that this problem occurred because I used Windows Explorer to “Move” and not “Copy” the csv file into place. I did some more tests to confirm this. When you “Move” a file within the same volume using Windows Explorer, the file permissions are moved with it. When you “Copy” a file using Windows Explorer, it creates a new file that inherits permissions from the target folder. If I had originally performed a “Copy” this problem would have never happened.

Other interesting bits from the comments:

I immediately tried to reproduce this behavior on Windows Vista x64 SP1. I created a folder (c:\temp) with very unique permissions. I used right-click and drag-copied from my desktop to the c:\temp folder window and it did inherit the permissions. However, when I used right-click and drag-moved the same file to to the folder, it also inherited the permissions of the folder. This is at odds with the behavior described by Tony.

I then proceeded to make a very simple C# sample (.NET 3.5) to do the same thing, as a developer asked if the behavior described by the guest was the same for MoveFile() and CopyFile():


This sample did reproduce the behavior described by Tony. The file copied.txt did inherit the folder’s permissions, but the file moved.txt kept its original permissions from my Desktop folder.

That didn't make any sense, so I went back and read this blog post and thought about the interpretation of "Windows Explorer". I then used the true-blue Windows Explorer (Windows Key + E) and only moved the file within that window from my Desktop folder to c:\temp. It exhibited the behavior described by Tony and did not inherit the permissions of the folder. Likewise, copying the file only through the Windows Explorer window resulted in the file inheriting the folder's permissions.

So what's going on here? Did the behavior in the Windows shell change at some point? Or are we looking at a bug? Is there a spec for the expected behavior for each scenario, and have these behaviors changed with different releases of Windows (RTMs and Service Packs)? - Joel Peterson

...there is an KB article about the not inherited permissions when moving folders on NTFS Partitions:

It also states that this behaviour has changed in Vista and Windows 2008.

This sometimes also happens on Win2000/2003 fileservers when Users are moving folders on the same share. To prevent problems I'm using Mark's AccessEnum to make regular checks for permissions that are not inherited correctly within the shares. - WDoser

As mentioned above, Windows API, by default, retains all of the file and folder permissions when you move them from one parent folder to another parent folder on the same NTFS volume. For copy operation and move operations to another volume, the destination file always have a new set of permissions, all inherited from its parents.

The reason is obvious to a developer: When you move a file within a volume, no physical data transfer seems to occur; Apparently, Windows only changes the volume Master File Table so that the intended files and folders belong to a new directory entry. This means that Access Control Lists (ACLs) remain unaltered, so even if your Access Control Entries are acquired from a parent. Now, it is arguable whether or not the inherited permissions should be updated with the new parent or not, and whether there is a bug here or not.

However, during a copy operation, or a move operation to another volume, a physical data transfer from one location of the hard disk to another is inevitable. Therefore, Windows API has to build a new ACL for each file and folder entry. These new entries turn out to have permissions inherited from parent.

As demonstrated by Joel Peterson, .NET Framework has the same behavior as Windows API.

Windows Explorer (Windows Shell) tends to deviate from this behavior. According to Microsoft Knowledge Base:

1. On Windows XP, when Simple File Sharing is enabled (default), Windows Explorer always makes sure that all ACLs are reset. This an intended feature that makes using Standard User Accounts in homes and small-business environments more convenient. Note that this only applies to Windows Explorer and Windows Shell, so file operation behavior of programs like Command Prompt are not affected by Simple File Sharing setting.

2. Windows XP, when Simple File Sharing is disabled (domain default) and on Windows Server 2003, Windows Explorer does not alter file and folder permission. This is meant to be an intended defense-in-depth security feature.

So far I don't know the exact behavior of Windows Vista and Windows Server 2008. The KB article which WDoser introduced indicates that Windows now updates ACEs which are inherited from parent but does not explain whether it is a Windows API behavior or only a Windows Shell behavior. To make matter worse, the Applies To section says this article is applied to all editions of Windows Server 2008 but not Windows Vista. (I think it's time I investigate this matter a bit more.) - S. Mahdi Veradi (MCP)

Got to confess...I almost never use "move" and almost always use "copy" but I have never considered the real difference that makes with file permission security settings, especially between different volumes.

Now Serving: Chef Bill's House Special

I really like reading Bill Pytlovany's "Bits from Bill blog.  While he does post regularly regarding issues and updates for his GSD recommended WinPatrol freeware/$ system monitoring and security product, he also mixes it well with great tips and observations on Windows and life-in-general.

This post was quite timely:  Windows XP SP3, The Good, the Bad and the Ugly

Good: XP SP3 may indeed make some minimal performance improvements.

Bad: Some HP AMD pc's are taking after XP SP3 upgrades. Link to Jesper’s Blog with his solution.

Ugly: See the summary earlier in this post regarding IE and XP SP3

I still haven't gotten around to upgrading Lavie's Compaq laptop that is running XP Home SP2 to XP SP3.  It also has a AMD processor.  I didn't have any problems with the AMD chip in my Shuttle desktop system.  So I am hopeful this one will go well.  Instead of using the full installer, I think I will allow it to flow down via Windows Updates, just for kicks.