
Sunday, February 8, 2009

Windows Goodies

Just some neat (for sysadmins) posts on Windows related items

  • The Case of the Phantom Desktop Files - Mark's Blog.  Yep. Microsoft Sysinternals guru Mark Russinovich breaks down a new mystery revealed on his wife's system.  It's good information and might be valuable from a forensics or malware-fighting perspective.  Turns out it is a PMIE (Private [browsing] Mode Internet Explorer) Integrity Level thing and, as always, very fascinating.
  • Help! My Application only runs on a Single Processor system! - Ask the Performance Team blog - The Windows pros provide some nice advice on how to get a balky application to play nicely on a multi-core system.  They provide a number of (relatively) easy methods for forcing the app (affinity) to run on a particular core or cores to help tune its performance.  These GSD blog posts might be related and worth looking into as well: Enabling Dual-Core Support and Windows CPU throttling techniques.
  • Birth of a Security Feature: ClickJacking Defense - IEBlog continues its drumbeating celebration of IE8's 'ClickJacking' defenses. They've done the coding in their browser and are now out to convert web developers to change their code to 'activate' that protection.  I'm not sure I fully understand it, but something just seems a bit off.  Maybe I've been reading NoScript (and clickjacking defender) Giorgio Maone's hackademix.net blog responses to the whole thing too much and have become biased.  To the IE team's credit, at least they are trying.
  • TaoSecurity: Benefits of Removing Administrator Access in Windows - Links to a study that shows that (big surprise) running Windows from a non-Administrator account provides better system integrity protection than doing so under an Administrator-level account.
  • Windows XP Your Way - Configuring Windows Explorer - Somehow at work the other day I was fast-finger clicking through a ton of windows on my desktop, one of which was Windows Explorer. Anyway, I ended up accidentally setting the display sorting view of the items to show them all grouped alphabetically.  It was big-time annoying and I had to Google this stupid solution to find the menu path needed to set it back to my 'detail' view preference.

Enjoy.

--Claus Valca




[Source: Grand Stream Dreams - Posted by Kishore Vengala]

Is my log clean?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:45 AM, on 2/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnp2std.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\cFosSpeed\spd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra Tools menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - cFos Software GmbH - C:\Program Files\cFosSpeed\spd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6727 bytes


[Source: Webmaster Forum - Posted by Kishore Vengala]

Custom Win PE Boot Disk Building: Start me Up!

With deference to The Stones...

This is the second part of the failure story behind getting my custom Win PE 2.0 boot disk finally up and running.  It actually provided the material needed for my Eureka moment.

Summary

The purpose of this ongoing project is to build a Win PE 2.0 based boot-disk, that has a great VistaPE GUI interface (instead of the standard CLI shell) and the PGP WDE drivers injected so we can 'liveCD-boot' a PGP WDE system (assuming we have the user's passphrase).  Oh yes, and it has to handle the Dell GX 7xx series USB keyboard drivers.

If you are just joining us, please go back and review the following posts to get up to speed:

OK. Now on to the second failure.

Run it Baby!

As frequent readers of the GSD blog may have noticed, I have a love of both Windows utilities and portable applications.

I have long ago exceeded the space a common CD-ROM offers for holding all the portable tools and utilities I have collected and use.  As it currently stands, my home 'standalone apps' folder contains 2.5 GB worth of programs that work just fine off a USB drive.  The majority of those work fine off a CD/DVD-ROM disk, and a significant portion will also run without fail in the WinPE/VistaPE LiveCD environment.

I also build a custom version to hand out to our technicians at work.  It has the LiveCD system boot side of things (PE 2.0) and if you put it in a running Windows system, it kicks off an auto-play feature that launches PStart with links and all kinds of structured goodness to the portable utilities I have placed on it.  The techies love it.

Some day I will have to take a week off from work and update my Portable SysAdmin Tools post with the current holdings that it represents.

So since I had been failing miserably at getting my sexy VistaPE boot CD working (with PGP WDE drivers) and the stupid Dell USB hub drivers/keyboard, I felt I had only one avenue left: go back to the stripped-down WinPE 2.0 CLI base build, inject the PGP WDE drivers as we have seen how to do, and tell the guys and gals to be grateful for it.

Rationalizations

However, after a lunch break that day, I took off my analyst hat and put on my techie beanie to think about this from a different perspective.

The VistaPE interface delivers a wicked-naughty GUI interface for the Win PE 2.0 OS environment, and it delivers a cornucopia of custom tools, utilities, system hax0r helps, and other things that make a sysadmin flush.  I use the majority of these included tools and then many of the portable ones I bundle along on the CD for the ride.

However, it is my observation that our techies generally only use it to boot a system 'off-line', recover user data from it to a USB drive, and then move on to reimage the system and restore the user's data.  The only tool they really interface with is a 'Windows Explorer' clone (A43 or CubicExplorer).  With the exception of CLI work with ImageX and DiskPart, that's really it.

So, maybe... just maybe... I could hack out a way to get the PStart launcher on the 'Live' side of the disk to kick off once the WinPE 2.0 system initializes, and then they could just pick the apps they want to work with.

Yes, it's like dropping Angelina Jolie as Lara Croft for a pale substitute, but it could be serviceable if done right.

Now how can I do that?

The Registry?

I already knew I could hack the registry of a mounted WIM file, make changes and repack.

Maybe I could add a key for an auto-start group to kick off the PStart executable?

Long story short, this technique might work, but there are some barriers.  Aside from the technical ones with the way Win PE handles startup items (we are getting there), the bigger issue is how do I ensure that the Win PE system is always going to find the correct CD-ROM drive letter I'm running on?  I mean, some systems might have multiple drives/partitions and I have no guarantee I'm always going to end up running with the CD/DVD drive as D:.

Nope.  This Registry launching pad ended up being a dead-end.

Off to the Googles

Now, I have always said up-front to my dear readers that I have not ever had any formal training in Windows systems administration, Microsoft Certifications, or other things that would be deeply useful and beneficial in my job assignment.  Nope.  It's all due to years of collegiate honing of my brain, growing up with an ex-army officer dad, an inordinate curiosity about trying to figure out how things work, and remembering (generally) everything I encounter technically.

So I did some searching on the Net and I pulled up a very important bit of info that all Win PE students should probably be familiar with.  From that TechNet article:

Windows PE provides three methods for launching custom scripts: Winpeshl.ini, Startnet.cmd, and Unattend.xml. The Windows PE default interface is a Command Prompt window. However, you can create a customized Winpeshl.ini file to run your own shell application. You can also create your own version of Startnet.cmd to run a specific set of commands, batch files, or scripts. Unattend.xml is a new answer file format for Windows PE 2.0, which replaces Winbom.ini and Winpeoem.sif.

I'm an Idiot

You mean all I have to do to kick off something 'custom' from a Win PE startup is either modify an .ini file or write a custom batch-script and save it in the right location/name?

For more than a few hours I felt like this:

[image: "I'm An Idiot" - xkcd.com]

After a while of fiddling with and boning up on both the Winpeshl.ini and the Startnet.cmd methods, I ended up concentrating on the startnet.cmd vector.

If you mount a base Win PE 2.0 WAIK wim and take a look in the startnet.cmd file (to be found at the %SYSTEMROOT%\System32 location), you will see it contains a single line:

wpeinit

That's it.  This ensures plug-n-play/networking support. 

Wpeinit is a command-line tool that initializes Windows PE each time it boots. When Windows PE starts, Winpeshl.exe executes Startnet.cmd, which launches Wpeinit.exe. Wpeinit.exe specifically installs PnP devices, processes Unattend.xml settings, and loads network resources.

I wanted to custom launch PStart, and needed a way to identify which drive letter I was running from in my batch-process so I could call to the correct location to execute PStart.
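Here is an added example of the drive-letter discovery the paragraph above calls for; it is not the startnet.cmd from the original post, nor VistaPE's. It keeps the stock wpeinit line, then probes each drive letter for a marker file to find the boot media whatever letter it was assigned, and launches PStart from there. The marker file name gsd_media.tag and the assumption that PStart.exe sits in the root of the disc are both hypothetical; rename them to match your own disc layout.

```batch
@echo off
rem startnet.cmd - added example, not the original post's file.
rem Runs the standard Win PE initialisation, then locates the boot media by
rem looking for a marker file and launches PStart from that drive.
rem Assumed (hypothetical) layout: the CD/USB root carries PStart.exe and an
rem empty marker file named gsd_media.tag beside it.

rem Stock Win PE 2.0 startup: PnP devices, Unattend.xml, networking.
wpeinit

rem Probe every candidate letter; X: is skipped because it is the Win PE
rem RAM disk, not removable media.  The first drive carrying the marker wins.
set "MEDIA="
for %%D in (C D E F G H I J K L M N O P Q R S T U V W Y Z) do (
    if not defined MEDIA if exist "%%D:\gsd_media.tag" set "MEDIA=%%D:"
)

if not defined MEDIA (
    echo Boot media with gsd_media.tag not found; staying at the command prompt.
    goto :eof
)

echo Boot media found on %MEDIA%

rem Launch PStart from the discovered drive rather than a hard-coded D:.
rem start "" keeps the empty title argument from being eaten as the command.
if exist "%MEDIA%\PStart.exe" (
    start "" "%MEDIA%\PStart.exe"
) else (
    echo PStart.exe is missing from %MEDIA%\ - check the disc layout.
)
```

Save it as startnet.cmd in %SYSTEMROOT%\System32 of the mounted WIM in place of the one-line original. The same script can equally be named from a [LaunchApps] entry in winpeshl.ini if you would rather leave startnet.cmd alone. Two caveats: `if exist` against an empty optical drive may pause briefly while the drive reports "not ready", and the loop is cheap enough that it is fine to run on every boot rather than caching a drive letter that could change between machines.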

I found this great tip:

RunOnceEx from CD - by Alanoll at the Unattended Windows site

After much coding, wim mounting, changing files, saving wim changes and Virtual PC session testing of the modified WIM I arrived at a realization.

This method works, you can get it to work, but it is pretty clunky and once you have seen Angelina Jolie as Lara Croft, substitutes just don't satisfy.  Sorry.

I searched through various forums and found many great and custom examples of both startnet.cmd and winpeshl.ini files and the more I read, the more I understood.

Wait for it...

Maybe I needed to reconsider my choice of focus on startnet.cmd and use an alternative Windows shell loading under the winpeshl.ini instead.

VistaPE uses BS Explorer. Maybe I could make up my own WinPE 2.0 using that custom shell.

There are a number of others to check out if alternative Windows shell replacements are your thing. Most are freeware/OpenSource/shareware products. Some are commercial ($).  I am familiar with many of them, but have not tested any of them for compatibility and support in the Win PE environment.

As I was working this avenue out I decided to load up the resulting VistaPE WAIK build WIM file to take a look at what was going on there.  Maybe I could get some more pointers.

So I mounted the vistape.wim file I had previously created and took a look starting with the critical files I had learned were valid Win PE 2.0 launching points.

By this time I was fairly comfortable looking for and interpreting the structure of these particular files, and I surmised that VistaPE must be using something similar.

It was.

[LaunchApps]
vpeldr.exe
"x:\Program Files\BSExplorer\Explorer.exe"
cmd.exe, /k

This seemed too simple.  I then investigated the vpeldr.exe (VistaPE LoadeR, perhaps). Next to it was a vistape.cfg (configuration) file.  I opened that up to take a look and...

Eureka!

Instead of re-inventing the wheel, what would happen if I extracted the core elements I needed out of a compiled VistaPE project and 'injected' it in the Win PE 2.0 build WIM that was already meeting three of my four critical custom Win PE 2.0 needs?

  1. Win PE base to boot a Windows system off line. (check)
  2. Injected PGP WDE driver compatibility. (check)
  3. Loads Dell Optiplex 7xx USB keyboard drivers natively. (check)
  4. Sexy VistaPE shell GUI. (still missing)

The solution to #4?

Next post.

--Claus V.




[Source: Grand Stream Dreams - Posted by Kishore Vengala]

The Ultimate Dogfooding Story


In software circles, dogfooding refers to the practice of using your own products. It was apparently popularized by Microsoft:



The idea originated in television commercials for Alpo brand dog food; actor Lorne Greene would tout the benefits of the dog food, and then would say it's so good that he feeds it to his own dogs. In 1988, Microsoft manager Paul Maritz sent Brian Valentine, test manager for Microsoft LAN Manager, an email titled "Eating our own Dogfood" challenging him to increase internal usage of the product.


Buried deep in Eric Sink's post Yours, Mine and Ours is perhaps the ultimate example of the power of dogfooding.



If you'll indulge me briefly, I'd like to tell you what I think is the best dogfooding story ever. However, it's not a software story. It's a woodworking story.

The primary machine tool in any well-equipped woodshop is a table saw. Basically, it's a polished cast iron table with a slot through which protrudes a circular saw blade, ten inches in diameter. Wood is cut by sliding it across the table into the spinning blade.

A table saw is an extremely dangerous tool. My saw can cut a 2-inch thick piece of hard maple with no effort at all. Frankly, it's a tool which should only be used by someone who is a little bit afraid of it. It should be obvious what would happen if a finger ever came in contact with the spinning blade. Over 3,000 people each year lose a finger in an accident with a table saw.

A guy named Stephen Gass has come up with an amazing solution to this problem. He is a woodworker, but he also has a PhD in physics. His technology is called Sawstop. It consists of two basic inventions:

  • He has a sensor which can detect the difference in capacitance between a finger and a piece of wood.

  • He has a way to stop a spinning table saw blade within 1/100 of a second, less than a quarter turn of rotation.

The videos of this product are amazing. Slide a piece of wood into the spinning blade, and it cuts the board just like it should. Slide a hot dog into the spinning blade, and it stops instantly, leaving the frankfurter with nothing more than a nick.

Here's the spooky part: Stephen Gass tested his product on his own finger! This is a guy who really wanted to close the distance between him and his customers. No matter how much I believed in my product, I think I would find it incredibly difficult to stick my finger in a spinning table saw blade.




The creator actually did stick his own finger in a SawStop on camera, apparently on the Discovery Channel show Time Warp, but I can't locate any web video of it. There is a video of the SawStop in action on YouTube, using a hot dog in place of an errant digit. Personally, I find this demonstration no less effective than an actual finger.




Does it work? Yes, but it still has unavoidable limitations based on the laws of physics:



The bottom line is that this saw cuts you about 1/16" for every foot per second that you're moving. If you hit the blade while feeding the wood you're likely to get cut about 1/16" or less. If you hit the blade while you're falling you'll likely get a 3/16" deep cut instead of multiple finger amputation. If you hit it while pitching a baseball for the major leagues the injury will be even worse.


Dogfooding your own code isn't always possible, but it's worth looking very closely at any ways you can use your own software internally. As Mr. Gass proves, nothing exudes confidence like software developers who are willing to stick their own extremities into the spinning blades of software they've written.


Update: I found this quote from Havoc Pennington rather illustrative.



It would be wonderful discipline for any software dev team serious about Linux 'on the desktop' (whatever that means) to ban their own use of terminals. Of course, none of us have ever done this, and that explains a lot about the resulting products.









[Source: Coding Horror - Posted by Kishore Vengala]


More Browser Bits

A bitty collection of browser related linkage this week.

  • Newsfox NEXT v1.0.5rc1 - IMHO simply the best RSS feed add-on extension for Firefox there is, hands down.  Development has slowed but the developer continues to tweak it.  I'm using it right now and it performs great and is stable on my systems. The RSS feed that describes this release doesn't pull up the actual update post yet, so I have copied it below.

      This will become version 1.0.5 after bug fixes. This will not happen for months due to time constraints/scheduling. I expect that this version can be used without any difficulties.

      The usual disclaimers apply: this is a beta release so use it with caution on a backup of your Newsfox folder.

      The new features (where to look for bugs to fix):

      • Relative references allowed for NewsFox folder
        The folder for NewsFox has been hard coded which creates an annoyance, but not lack of functionality, when using portable Firefox. The annoyance being that the new directory needs to be chosen each time, and in fact if the newsfox directory is not carefully chosen so that it doesn't exist as a non-NewsFox folder on other machines, there could be problems running NewsFox. This version allows relative filenames such as ../../newsfox (. is the current directory and .. is the parent directory) and uses a default of ./ where .=the newsfox folder contained in the profile folder. Hence if you use ./, there should be no problems with portable Firefox. Existing users may wish to change their NewsFox folder to use a relative reference, either in Options > General tab > NewsFox directory or by setting newsfox.global.directory equal to './'. Equivalently, the about:config preference newsfox.global.directory can be reset(removed), which will cause the default to be used.
      • Expanded search option dialog if search is not over all feeds (bug#20506)
        It is now easier to set a search over a collection of feeds that is not a regular group. See the bug for more information.
      • Blank source or XHTML in source
        Now if a source is set in a feed and it has a blank name, NewsFox uses .... Also if XHTML is in the source name, NewsFox processes it correctly.
      • Sound for new articles (bug#20218)
        For sound notification set newsfox.global.notifyUponNewSound equal to true. If the file NFsound.wav exists in the profile directory, it will be played when there are new articles. If the file NFsound.wav does not exist, the system beep will be played.

      • R Pruitt (wa84it AT gmail.com)

  • Official Gmail Blog: New in Labs: Multiple Inboxes - This seems a bit inaccurate.  As I understand it, you can still only have one 'inbox' in Gmail. You can't display other accounts' inboxes in your Gmail account view. What you can do is set up additional 'viewing panes' that display items from your primary 'inbox' that meet certain custom filter/label settings you configure.  Still, it's pretty cool for power Gmail users.  For more related links and tips:

  • Official Google Blog: Dive into the new Google Earth - Not really browser related, but still cool.  New Google Earth 5.0 includes additional features such as sea-floor 'imagery', tour layers, and a 3D map of Mars.  All pretty cool.  No word if/when these will be added to Google Maps.  See also Google Earth, Google Ocean: mysteries of the seafloor are mapped for the first time | Technology - guardian.co.uk

  • Mozilla Add-ons Blog - How to develop a Firefox extension - An updated walkthrough of the basic stages needed to develop a Firefox extension.  There are other great (and more technical) how-tos on this subject already on the Net, but this might be one of the best places to start.  It assumes you have a fair bit of coding knowledge as well as familiarity with the Firefox application structure for folders/files.  I'd like to write a mini add-on that adds a button on the toolbar that lets you instantly 'back up' your bookmarks to a JSON file with a single click instead of having to browse through the menu-bar dropdowns and the bookmarks manager.

--Claus V.




[Source: Grand Stream Dreams - Posted by Kishore Vengala]

This week in security and forensics

Just a smattering of links this week.

Not that there wasn't a lot going on...

  • Sample Analysis System - F-Secure Weblog - F-Secure is now offering a new way to submit malware samples (or suspected malware samples).  Users can register or submit anonymously, though being anonymous has its limits.  Registered users are able to access reports, track usage, and (it appears) retrieve reports on items they have turned in in the past.  This might encourage dedicated contributors as well as help organize regular users' data.

  • How Do They Make All That Malware? - Larry Seltzer at eWeek does a short post that outlines how malware writers bulk-create their naughty-naughties as well as how the A/V companies leverage web-based scanning services to bulk up their own DAT signatures.  It's a constant arms race with many being caught and protected against, but like those little swimmers, it just takes one to make it through.

  • Forensic Links - Windows Incident Response blog - Nice collection of links related to Windows forensics. Some memory and registry review linkage.

  • TimeLine Analysis - Windows Incident Response blog - One of the challenges in forensics work is trying to lay out a timeline of events.  One would think that with all the file dating, file access dating, logging, and other excitement that Windows is constantly doing, it would end up a simple open-and-shut case.  Turns out it is much harder to do, at least to do accurately and well.  Different applications and systems record time data in different ways and formats. It takes a multitude of tools and skill from the examiner to slowly peel back all the layers and lay out a solid scenario of events.

  • The Security Shoggoth: Strings and update - The Security Shoggoth blog - Light but useful examination of the use of Strings from Sysinternals.  Specifically, how additional command-line switches let you pull only ASCII or only Unicode strings out of a file.

  • Browser Plugins, Add-Ons and Security Advisers - Hackademix blog. Giorgio Maone goes on an offensive defense of Firefox security when it comes to add-ons and other things.  Yes, clearly all these elements make Firefox great, but they also open the browser to security issues if a malicious add-on is adopted. Fortunately, as Giorgio shares, there is a whole lot of cross-checking going on in the community.  As long as you are getting your add-ons from trusted sources, you should be good.

  • OpenDNS to block Conficker - heise Security UK ' This great DNS service on Monday will begin to block Conficker attempts to connect to potential control servers. Administrator alerts to the presence of the worm will be available and should help efforts to locate infected systems. The service is free to both businesses and home users, but will require registration to access the tracking and logging features. I use OpenDNS at home and have configured our router to use it as the DNS service.  Never had any issues.  It is an amazing service.

Breaking Update to post

  • Some tricks from Conficker's bag - SANS ISC Handler's Diary has some more information on the Conficker worm.  Interesting findings: First, it checks to see how it was executed and, depending on what it finds, acts accordingly.  Secondly, it patches (in memory) the MS flaw that allows it to attack a system in the first place.  This is presumably to prevent the system it is running on from being cross-attacked by other malware using the same exploit it uses.  It's not an altruistic move, as it isn't a permanent patch.  Finally (and this was new to me), it uses a Microsoft code element to delete all System Restore points for the system.  This prevents responders/users from going back to a previous 'pre-infection' recovery point.  Mighty nasty!

  • Bits from Bill: Protection is Here for Win32/Conficker.A and .B - WinPatrol father Bill Pytlovany shares a few more news items and tips regarding the Conficker headache.

--Claus V.




[Source: Grand Stream Dreams - Posted by Kishore Vengala]

Utility and Software Lookout

Whew.  I'm exhausted from those last two PE 2.0 posts.

Prepare for some rapid-fire light posting.

These are freeware utilities and stuff that might be worth looking into that I found this week.

  • Process Explorer - version 11.33. One of the ultimate Microsoft Sysinternals tools. 'This update fixes a bug where the history graph tooltips could display the wrong data point and reduces the memory footprint of the structures that store graph history.'
  • Autoruns for Windows - version 9.33. The other ultimate Microsoft Sysinternals tool. 'This Autoruns update fixes a couple of minor bugs and adds a new Windows 7 location.'
  • WinPatrol v16 Monitors Changes to UAC Settings - If you are a Windows fan and have been anywhere alive over the past week, you probably have heard of some Win7 UAC design 'feature' controversy.  Microsoft heard their customers and relented. However, if you use WinPatrol 2008, the upcoming version 16 will provide monitoring and notification of changes to UAC settings.  That's a nice layer to monitor, despite what Microsoft says.
  • AutoRun Eater - (freeware) - We've covered AutoRun issues and defenses here before. This neat security utility provides a different take.  It runs in the system tray full-time and monitors execution of autorun files when devices are inserted or executed.  Upon discovery it first performs an analysis. If a suspicious pattern is found, it blocks execution, tosses up a dialog window, and presents the suspicious code.  Then it allows the user to block or ignore execution.  Amazingly clever.  Certainly not a cure-all, but it might very well provide a first and easy-to-use line of defense for non-technical users as well as experienced system administrators who don't want to use some of the tougher lock-down methods for blocking all autorun executions.  Check out the Frequently Asked Questions page for details.  Spotted via Donna's SecurityFlash blog.
  • Free Task Manager - (freeware) - I know it is kinda sacrilegious to mention any other Windows Task Manager in the same post as Process Explorer (my default manager), but this one might provide some features for less-technical users.  It doesn't really 'replace' the default Task Manager but provides some extended features such as Disk I/O graphing, port monitoring by application, and a locked-file identifier.  I have and use much more focused and specialized tools for all of those tasks, but for someone looking to move up from the standard tool who doesn't need the power-hitting utilities I use for those things, this might be worth looking into.
  • MyLastSearch v1.35 - (freeware) - NirSoft app that 'scans the cache and history files of your Web browser, and locate all search queries that you made with the most popular search engines (Google, Yahoo and MSN). The search queries that you made are displayed in a table.'  This version now lets you filter results by Web browser (in Advanced Options).
  • IECacheView v1.25 - (freeware) - NirSoft app that 'reads the cache folder of Internet Explorer, and displays the list of all files currently stored in the cache. For each cache file, the following information is displayed: Filename, Content Type, URL, Last Accessed Time, Last Modified Time, Expiration Time, Number Of Hits, File Size, Folder Name, and full path of the cache filename.'  This version now has an option to filter cache results by displaying only URLs which contain the specified filter strings.  Cool.
  • highlighter - (freeware) - Neat log file viewer and analysis tool spotted via a SANS ISC Handler's Diary post this week and offered by Mandiant.  I downloaded the MSI installer and in a moment had it up and running. Besides being another tool to read log files, you can highlight words to focus on, and remove 'good word patterns' to narrow down your view.  It also provides a neat GUI view in a dynamic image format to show the content and structure of the file, along with a histogram view to show patterns in the file. It sounds like a lot, but the utility is light, fast and easy to grasp.  It also comes with a nice help file.  Check it out.  If it's from Mandiant, it must be good!
  • HolisticInfoSec.org: Mandiant Memoryze is the 2008 Toolsmith Tool of the Year ' Deserved recognition for Mandiant.  Post has some neat tips on their Memoryze capture and analysis tool.
  • Threat Detector - Cyber Patrol ' Web-based application that will scan a system (Internet Explorer only) and look for usage patterns for dangerous, malicious, or 'bad' sites.  Might not help if the history/cache/browsing history has been nuked or if PrivateBrowsing was used.  However, for parents who have systems where the family uses IE exclusively, it might be worth doing a quick scan to see what comes up.  Just a tool, use with a grain of salt.
  • GBridge - (freeware) - 'Gbridge is a free software that lets you sync folders, share files, chat and VNC securely and easily. It extends Google's gtalk service to a collaboration VPN (Virtual Private Network) that connects your computers and your close friends' computers directly and securely.'  I'm a big fan of ShowMyPC for free remote desktop support, but setting up a remote-to-my-pc connection is a $ feature and getting one set up and running with the open-source tools can be challenging.  MakeUseOf has a great how To: Extend Google Talk Into A Remote Access Tool With GBridge that shows you how to really make this work.
  • Wireshark: Wireshark 1.0.6 Released ' Open Source network sniffing tool had various bug and security concerns fixed in this update.  In both full install and portable versions.

--Claus V.




[Source: Grand Stream Dreams - Posted by Kishore Vengala]

Windows 7 News Roundup #7

Lots of stuff going on with Windows 7 this week. 

Fortunately it has been concentrated in a few key areas: SKUs for Windows 7, and more back-and-forth action over UAC than we saw during this year's Super Bowl.

  • How well does Windows 7 handle 512MB? - Ed Bott's Microsoft Report.  "Very well" apparently is the answer.  I'm not surprised, and I suppose some really low-end systems (along with "netbooks") might be used to run Windows 7, but I wouldn't want to have to use a system with anything less than 2GB RAM now.  Call me spoiled but I like the extra headroom.

  • A closer look at the Windows 7 SKUs - Windows 7 Team Blog, and Six of 7: Microsoft announces Windows 7 versions - Chron.com TechBlog.  Details emerge on the W7 editions for sale.  Do you want Windows 7 Home Premium or Windows 7 Professional?   A single DVD will contain all versions offered for Windows 7, so if you go cheap and regret it, you get instant upgrade satisfaction (with some extra greenbacks).  As you crawl up the SKU food-chain, you keep all the features of the lower versions, but get more. Then if you are in a "specific market" there is Windows 7 Starter, Windows 7 Home Basic, and Windows 7 Enterprise.  Then there is Windows 7 Ultimate which offers the whole kit-and-caboodle.   Yep.  Leave it to MS to make product selection still as clear as mud.

  • Windows 7 DirectAccess: Features and Windows 7 DirectAccess: Experiences - 4sysops blog takes a look at this VPN-replacement feature for Windows 7 clients and Server 2008.  It has lots of features and supports automatic, VPN-ish connections between the user's system and the remote server with no end-user interaction once set up.  However, it does seem to have some steep requirements on the server side.  Looks to be pretty cool but I'm not seeing it as a replacement for traditional VPN setups anytime soon.

And then there was that whole UAC fumble and recovery...

  • Engineering Windows 7: Update on UAC - Engineering Windows 7 Blog - Microsoft goes in depth on why W7 UAC is so much better than Vista UAC. Not only that, they feel malware will have an even harder time getting onto a W7 system than onto a Vista system, and that people (sysadmins and security folks) just aren't getting those facts right.  Key takeaway quotes were "One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure all. UAC helps most by being the prompt before software is installed." and "Recapping the discussion so far, we know that the recent feedback does not represent a security vulnerability because malicious software would already need to be running on the system."  I know they are working hard at listening to test users, but they just weren't also listening to the outcry from the security researchers and the folks who have to clean up the messes users make on their systems, despite UAC.

  • Windows 7 auto-elevation mistake lets malware elevate freely, easily - Within Windows. R. Rivera then found that not only was the previous UAC issue still bad, but a new weakness existed: if code (malicious or otherwise) uses a "trusted" MS binary to launch other code (malicious or otherwise) in an elevated process, the UAC notification/approval settings for that elevation are bypassed.  Oops.

  • Second Windows 7 beta UAC security flaw: malware can silently self-elevate with default UAC policy - istartedsomething - Long Zheng details R. Rivera's findings a bit more and makes the danger this presents easy and clear to see, even if "UAC is not a security boundary."

  • List of Windows 7 (beta build 7000) auto-elevated binaries - Within Windows - R. Rivera then goes through the binaries in Windows 7 and identifies 68 that could potentially be used (some more likely than others) to auto-elevate any code they are asked to execute on behalf of the application that invoked them.

  • Engineering Windows 7: UAC Feedback and Follow-Up - Engineering Windows 7 Blog - Windows developers finally listen to the outcry from their professional users and relent on the UAC design and conceptualizations:

    With this feedback and a lot more we are going to deliver two changes to the Release Candidate that we'll all see. First, the UAC control panel will run in a high integrity process, which requires elevation. That was already in the works before this discussion and doing this prevents all the mechanics around SendKeys and the like from working. Second, changing the level of the UAC will also prompt for confirmation.

    The first change was a bug fix and we actually have a couple of others similar to that; this is a beta still, even if many of us are running it full time. The second change is due directly to the feedback we're seeing. This "inconsistency" in the model is exactly the path we're taking. The way we're going to think about this is that the UAC setting is something like a password, and to change your password you need to enter your old password.

    The feedback is that UAC is special, because it can be used to disable silently future warnings if that change is not elevated and so to change the UAC setting an elevation will be required.

Windows 7 and VHD Mounting

A lesser-known feature of Windows 7 is its native support for recognizing and accessing virtual hard drive files.  Now to be clear, this is not the same as actually "running" whatever OS the virtual hard drive may contain (a la Virtual PC 2007).  It is more like mounting an "off-line" copy of the virtual hard drive so you can access the files contained within.

But how to do this is neither intuitive nor well documented.

Thank goodness for the Virtual PC Guy

In Windows 7 / Windows Server 2008 R2 VHD support is now part of the platform.  This means that you do not need to enable Hyper-V to mount and manipulate virtual hard disks.  You can mount virtual hard disks directly on your Windows 7 / Windows Server 2008 R2 system in two ways.  The first is to use the Disk Management UI:

  1. Open the Start menu
  2. Right click on Computer and select Manage
  3. Expand Storage and click on Disk Management
  4. Click on the Action menu and select Attach VHD
  5. Enter the location and name of your virtual hard disk (there is a browse button you can use)
  6. Click OK

And you are done - simple!  To unmount the virtual hard disk you just need to right click on Disk entry for the virtual hard disk and select Detach VHD.

The other option is to use diskpart.  To do this you will need to:

  1. Open up an administrative command prompt.
  2. Run diskpart
  3. Type in SELECT VDISK FILE=<path and name of your VHD file>
  4. Type in ATTACH VDISK

When you are done you can unmount the VHD using the DETACH VDISK command under diskpart.

Awesome work there Ben!

Though I personally think Microsoft should just go ahead and add it natively to the right-click shell context menu to allow instant right-click mounting/dismounting of VHDs.  I think it will only be a short matter of time before someone is clever enough to do so via a registry hack like the method Robert McLaws came up with for handling WIM file mounting/dismounting.
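The diskpart steps above wrapped in a script, as an added example that is not code from the Virtual PC Guy post or from Microsoft: it quotes the VHD path, runs diskpart non-interactively with /s, and can attach the image with diskpart's own READONLY switch so an offline copy of a system disk is never written to. The function names and the sample path are mine.

```powershell
# Added example: attach/detach a VHD through a generated diskpart script.
# Requires an elevated prompt on Windows 7 / Windows Server 2008 R2.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function New-VdiskScript {
    # Builds the lines diskpart will read from "diskpart /s <file>".
    param(
        [Parameter(Mandatory=$true)][string]$VhdPath,
        [Parameter(Mandatory=$true)][ValidateSet('attach','detach')][string]$Action,
        [switch]$ReadOnly
    )
    # Quoting matters: a path containing spaces breaks an unquoted FILE= argument.
    $lines = @("SELECT VDISK FILE=`"$VhdPath`"")
    if ($Action -eq 'attach') {
        # READONLY is diskpart's own option; use it whenever you only need to read
        # files out of the image, so nothing inside the VHD is changed by the host.
        if ($ReadOnly) { $lines += 'ATTACH VDISK READONLY' }
        else           { $lines += 'ATTACH VDISK' }
    } else {
        $lines += 'DETACH VDISK'
    }
    $lines += 'EXIT'
    return $lines
}

function Invoke-Vdisk {
    param(
        [Parameter(Mandatory=$true)][string]$VhdPath,
        [Parameter(Mandatory=$true)][ValidateSet('attach','detach')][string]$Action,
        [switch]$ReadOnly
    )
    if (-not (Test-IsElevated)) { throw 'diskpart needs an administrative command prompt.' }
    if (-not (Test-Path -LiteralPath $VhdPath)) { throw "VHD not found: $VhdPath" }

    $full   = (Resolve-Path -LiteralPath $VhdPath).ProviderPath
    $script = Join-Path $env:TEMP ('vdisk-{0}.txt' -f [guid]::NewGuid())
    New-VdiskScript -VhdPath $full -Action $Action -ReadOnly:$ReadOnly |
        Set-Content -Path $script -Encoding Ascii
    try {
        $out = & diskpart.exe /s $script 2>&1
        # diskpart reports failures (file missing, already attached, ...) via its exit code.
        if ($LASTEXITCODE -ne 0) { throw "diskpart failed ($LASTEXITCODE):`n$out" }
        return $out
    } finally {
        Remove-Item -LiteralPath $script -ErrorAction SilentlyContinue
    }
}

# Usage (elevated). The path is a placeholder:
#   Invoke-Vdisk -VhdPath 'D:\images\lab-box.vhd' -Action attach -ReadOnly
#   ... copy files off the newly assigned drive letter ...
#   Invoke-Vdisk -VhdPath 'D:\images\lab-box.vhd' -Action detach
```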

Cheers!

--Claus V.




[Source: Grand Stream Dreams - Posted by Kishore Vengala]

Custom Win PE Boot Disk Building: Step Four - Pulling it all together.

Hang on. This may be a doozie.

It will (hopefully) wrap up this project.

Summary

The purpose of this ongoing project is to build a Win PE 2.0 based boot-disk, that has a great VistaPE GUI interface (instead of the standard CLI shell) and the PGP WDE drivers injected so we can 'liveCD-boot' a PGP WDE system (assuming we have the user's passphrase).  Oh yes, and it has to handle the Dell GX 7xx series USB keyboard drivers.

If you are just joining us, please go back and review the following posts to get up to speed:

Note: I'm serious about this. If you haven't read and stepped through the previous posts there is a good chance you will be lost.  Also, this post assumes you are familiar with working with Microsoft's ImageX WIM files: mounting them, committing changes to them, etc.  If not, then there is a good chance I will lose you here.

Mkay?

Onward!

When last we left our intrepid hero...

At the end of the last post, I was poking around in the VistaPE WAIK build WIM file and looking at how it worked.

I had started with the winpeshl.ini file that loads the VistaPE project's shell replacement.

That was handled by the custom executable vpeldr.exe and its configuration file vistape.cfg.

Turns out that the VistaPE project developer, NightMan, has already provided us with all the documentation we need to understand just how that miracle functions:

It's a good read and I really encourage everyone to take the time to read and understand it. It really is an amazing piece of work from NightMan and he should be fairly recognized for it.

When I opened up my particular vistape.cfg file to review, I found it contained almost all the information I needed to trace out, extract, and then inject the 'ripped' contents into my already PGP Injected Win PE 2.0 wim.

Sweet.

WIM Mounting

I'm sure if you are still reading this post, you have already configured your system to allow for the mounting of ImageX wim files.  If not, please take a moment to read this earlier post:

Yes, you can use ImageX to mount your wim files via the CLI, but with all the work we have done and have yet to do, it seems much more efficient for me to work with them from a GUI interface.

For the longest time I preferred the method of adding this quick-mount feature to the Windows right-click shell context: Mounting WIM Images from Windows Explorer - Robert McLaws: Windows Vista Edition

However, I would occasionally get lost with my mount/unmount points and wims in progress and would trip myself up.

Then I graduated up to the ImageX GUI (GImageX) coded by Jonathan Bennett.

The latest version is v2.0.14 released in October 2008 and it is sharp.  He actually now has a beta version that supports the upgraded version of ImageX found in the Windows 7 Beta WAIK.

So either way, be prepared.  I'm using the GImageX to do my work here.

Bonus Tip:  I'm also using the freeware dual-pane/tabbed window explorer alternative FreeCommander, not just because I love it but because the dual-pane window makes file-copy actions like what we are about to do so much easier than Windows Explorer.  There are a lot of other great alternative file managers as well you might want to look into trying.  Your call.

Organ Harvesting

I created an empty folder at the root of C: called "mounted_wim" to use as my mounting point for wim files.  That was a carryover from my foray into using Robert McLaws' mounting solution.  I've kept with it.

I also created another empty folder at the root of C: called 'extracted_items'.  This is where I am going to temporarily place the files/folders I pull out of the VistaPE WAIK project that I need.  You might want to go ahead and make a 'system32' folder in there as well while you are at it.

Using whatever your preferred method of wim mounting is, go ahead and mount up the VistaPE wim you created in our Custom Win PE Boot Disk Building: Step Three - VistaPE 12 RC1 Walkthrough step.

If you followed those steps, you should find it in the following location:

C:\VistaPE_WinBuilder_v12RC1\Target\VistaPE-Core\vistape.wim

OK?

Browse to the location you mounted it and copy the following items into your 'extracted_items' folder.

Depending on how you roll, you might want to make some notes on a scratch-pad of where stuff came from so you can put it back correctly.

From the VistaPE.wim file we want to copy:

  • "Program Files" - the folder and all its sub-contents.  Note I just copy this folder as-is into the extracted_items folder.

Now browse deeper into the Windows\System32 folder and locate and copy the following items into your "C:\extracted_items\system32" folder:

  • devcon.exe
  • hw.bat
  • HWPnp.exe
  • HWPnP.htm
  • HWPnPDLL.dll
  • vistape.cfg
  • vpeldr.exe
  • winpe.bmp
  • winpeshl.ini

Want to explore this particular WIM a moment since we are here?  Fine.  Just don't take any more relics this time round.

All done?

Unmount your vistape.wim file from your system.

Stage 1: Transplant the Brains

Now go and this time mount up our previously PGP WDE driver injected Win PE 2.0 WIM file.

C:\winpe_x86\ISO\sources\boot.wim

This time, be sure to mount it 'Read and Write' so we can actually make changes to it.  (Note: you might want to make a copy of the working original first, just in case you make a mistake!)

Into the C:\mounted_wim\Program Files folder, let's copy back the sub-folder contents from our C:\extracted_items\Program Files location.

Got 'em all tucked in?  Great!

Now browse to your C:\extracted_items\system32 and copy all those items into the C:\mounted_wim\Windows\System32 folder.

You are doing great!

Tweak the HWPnP module

Now, when previously looking at the vistape.cfg file, I found that it calls an HWPnP.exe file that uses the hw.bat file to supplement it.  Research on that file indicates it is a Plug-and-Play helper used in the BartPE and VistaPE projects.

In the VistaPE WAIK build, the second line of hw.bat, the one that actually runs the tool, reads as follows:

HWPnP.exe +all -storage\volume -USB\ROOT_HUB +USB\ /log /p /u /d+ /a

Since I knew the Dell USB keyboard hub controller driver was giving me fits, I decided to err on the side of caution and disable this.  This may not actually be needed; it's up to you.

Open up the hw.bat file and add two colons in front of that line to comment it out, like this:

::HWPnP.exe +all -storage\volume -USB\ROOT_HUB +USB\ /log /p /u /d+ /a

Save the modified file back.

Dismount that wim and be sure to use the option to "commit changes" so our changes actually get written and applied to the wim file.  This part might take a while to process as the changes are written and the wim file is updated.

Stage 2: Transplant the Lungs

Now, we know from our l33t Win PE 2.0 hacking skillz that any files/folders we add into the C:\winpe_x86\ISO folder will be included on the root of our final boot disk.  Right?

So lets work on that next.

Browse back to 

C:\VistaPE_WinBuilder_v12RC1\Target\VistaPE-Core

In there, copy the following items:

  • "Programs" - the folder and all its sub-contents.
  • vistape.cfg

And paste them into the following folder.

C:\winpe_x86\ISO

I always make sure I have a copy of the ImageX.exe file in there as well.  That's up to you.  It makes system imaging and capture so easy.

You can add in other things as well to that folder (once you figure out how much extra space you have) such as portable system utilities and other stuff. Just don't add anything that modifies or overwrites the things we have already added in there.  I prefer to make another subfolder called 'utilities' and dump all my special stuff in there just to be safe.

Stage 3-option 1: Sewing it Up (for standard CD disk media)

Go to the Start menu and under All Programs find the Microsoft Windows AIK folder and launch Windows PE Tools Command Prompt, or open a command prompt and type

cd c:\program files\Windows AIK\Tools\PETools

Then, type

oscdimg -n -bc:\winpe_x86\etfsboot.com c:\winpe_x86\ISO c:\winpe_x86\winpe_x86.iso

(all one line)

An ISO file will be created inside the c:\winpe_x86 folder.

With the ISO image file created, you can now burn the image file to CD.

Stage 3-option 2: Sewing it Up (for standard DVD disk media)

I personally stick with the CD sized builds as almost every system we touch (old and new) comes with a CD-ROM drive.  Newer systems have DVD-ROM drives, but if I go to service an older system the DVD disk isn't going to help me.

If you try to build a DVD-sized ISO with the normal instructions above it will error out.  You must add the undocumented "-m" switch to your command line; it overrides oscdimg's refusal to create ISO images larger than the 700 MB CD size.

In that case (because you got all crazy with adding lots of extra custom utilities and stuff into your C:\winpe_x86\ISO folder) type

oscdimg -n -h -m -bc:\winpe_x86\etfsboot.com c:\winpe_x86\ISO c:\winpe_x86\winpe_x86.iso

(again, all one line).

With the image file created, you can now burn it to a DVD disk. (assuming that the combined file-size isn't larger than the DVD's storage capacity.)
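The whole procedure from "Organ Harvesting" through "Stage 3", as an added example script that is not from the post: it drives the WAIK command-line tools (imagex.exe and oscdimg.exe) instead of GImageX and uses the post's own folder names. $WaikTools assumes a default 32-bit WAIK 1.1 install; the helper function names are mine.

```powershell
# Added example: automate the VistaPE-shell transplant into the PGP-injected
# Win PE 2.0 boot.wim and build the ISO. Run from an elevated prompt.

$WaikTools   = 'C:\Program Files\Windows AIK\Tools\x86'   # assumption: default WAIK 1.1 path
$ImageX      = Join-Path $WaikTools 'imagex.exe'
$Oscdimg     = Join-Path $WaikTools 'oscdimg.exe'
$MountDir    = 'C:\mounted_wim'
$Extract     = 'C:\extracted_items'
$VistaPeRoot = 'C:\VistaPE_WinBuilder_v12RC1\Target\VistaPE-Core'
$VistaPeWim  = Join-Path $VistaPeRoot 'vistape.wim'
$PeRoot      = 'C:\winpe_x86'
$BootWim     = "$PeRoot\ISO\sources\boot.wim"
$Backup      = "$PeRoot\boot.wim.orig"   # kept outside the ISO folder so it is not burned
$System32Files = 'devcon.exe','hw.bat','HWPnp.exe','HWPnP.htm','HWPnPDLL.dll',
                 'vistape.cfg','vpeldr.exe','winpe.bmp','winpeshl.ini'

function Invoke-Tool([string]$Exe, [string[]]$Arguments) {
    # Run a WAIK tool and stop on a non-zero exit code rather than carrying on
    # with a half-built image.
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw ('{0} failed with exit code {1}' -f [IO.Path]::GetFileName($Exe), $LASTEXITCODE)
    }
}

function Assert-EmptyDir([string]$Dir) {
    # imagex will not mount onto a non-empty folder (a leftover mount is the usual cause).
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    if (@(Get-ChildItem $Dir -Force).Count -gt 0) {
        throw "$Dir is not empty; is a wim still mounted there?"
    }
}

# --- Organ harvesting: pull the VistaPE shell pieces out of a read-only mount ---
Assert-EmptyDir $MountDir
New-Item -ItemType Directory -Path "$Extract\system32" -Force | Out-Null
Invoke-Tool $ImageX @('/mount', $VistaPeWim, '1', $MountDir)
try {
    Copy-Item "$MountDir\Program Files" $Extract -Recurse -Force
    foreach ($f in $System32Files) {
        Copy-Item "$MountDir\Windows\System32\$f" "$Extract\system32\" -Force
    }
} finally {
    Invoke-Tool $ImageX @('/unmount', $MountDir)
}

# --- Stage 1: transplant into the PGP-injected boot.wim (read/write mount) ---
if (-not (Test-Path $Backup)) { Copy-Item $BootWim $Backup }
Assert-EmptyDir $MountDir
Invoke-Tool $ImageX @('/mountrw', $BootWim, '1', $MountDir)
try {
    Copy-Item "$Extract\Program Files\*" "$MountDir\Program Files\" -Recurse -Force
    Copy-Item "$Extract\system32\*"      "$MountDir\Windows\System32\" -Force

    # Tweak HWPnP: comment out the HWPnP.exe line in hw.bat with "::".
    $hwBat = "$MountDir\Windows\System32\hw.bat"
    (Get-Content $hwBat) | ForEach-Object {
        if ($_ -match '^\s*HWPnP\.exe\b') { '::' + $_ } else { $_ }
    } | Set-Content $hwBat -Encoding Ascii
} finally {
    # /commit writes the changes back into boot.wim; without it they are discarded.
    Invoke-Tool $ImageX @('/unmount', '/commit', $MountDir)
}

# --- Stage 2: items that live on the root of the boot disk ---
Copy-Item "$VistaPeRoot\Programs"    "$PeRoot\ISO\" -Recurse -Force
Copy-Item "$VistaPeRoot\vistape.cfg" "$PeRoot\ISO\" -Force

# --- Stage 3: build the ISO (-m lifts the CD size limit, -h includes hidden files) ---
Invoke-Tool $Oscdimg @('-n', '-h', '-m', "-b$PeRoot\etfsboot.com", "$PeRoot\ISO", "$PeRoot\winpe_x86.iso")
```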

Testing

I ALWAYS pre-test my built boot ISO files in a Virtual PC 2007 session first before burning.  That way if I did something wrong I will see it before making coasters.

If all goes well you should see the following (click for a slightly larger view; and yes, I know the wallpaper may be a bit different on yours, read on for how to customize that).  Note the PGP drivers are working (even though the virtual drive I am using isn't actually PGP WDE encrypted).


If it looks good and seems to work cleanly, burn your custom 'Win PE 2.0 + PGP WDE driver injected + VistaPE WAIK build ripped + Dell Optiplex USB keyboard driver working' Frankenstein'ish ISO (located as C:\winpe_x86\winpe_x86.iso) to a disk and see what happens on your live systems!

Caveats

Ripping out the core elements of the VistaPE WAIK build as I have documented works.  But it might make NightMan and other hard-core VistaPE/WinBuilder pros groan.  I'm also likely leaving some critical bits behind.

So there are some applications that would work fine in a traditional VistaPE build but error out and will not run under this GSD project.  Be aware of that.

Second, if you go back in and mount the "C:\winpe_x86\ISO\sources\boot.wim" file, make more changes (the wallpaper below, for example) and re-commit the changes, you will likely notice your boot.wim file size continues to grow.   This is not just because you added stuff: even if you "delete" stuff from your mounted/committed wim, it may still grow.  That's because with this method of wim management the changes haven't been optimized into the wim.  You need to export your wim file in a separate ImageX process to reclaim the space once you have modified it.  See this post (and the Google) for more information on that.  I normally don't bother as my final ISO size is still under the limits for a CD burn.

Also, if you compare the vistape.wim used to boot a standard VistaPE WAIK project to the one we did using a (PGP modified) base Win PE 2.0 boot wim you will see close to the following:

  • C:\VistaPE_WinBuilder_v12RC1\Target\VistaPE-Core\vistape.wim  Size = 102.86 MB
  • C:\winpe_x86\ISO\sources\boot.wim Size = 187.11 MB

NightMan and all have worked hard on the original VistaPE WinBuilder project to remove many files/folders and other items from the standard Win PE 2.0 WAIK wim file that are not necessary or needed to work in his project.  That's why the size is so much smaller.

But in doing so, something prevents the Dell Optiplex 7xx "USB Keyboard Hub" and related HID drivers from loading.

This method works around that.

I haven't tested it on other systems, just those that I and my team service and support.  It might work just fine on other hardware system configurations with that same issue.  It might not.  I don't know. 

If you take the time to do all this and find it does help you load previously unavailable USB keyboard devices on your own particular system, please leave a note in the comments so others (and myself) will learn of your success.

As always, what works for me and our systems, may not for you.  Your mileage may vary.

Also, I've got at least one more related post in this series planned to address coming developments I have found with future VistaPE/WinBuilder projects as well as Win PE 3.0 in general.

So stay tuned for that.

Optional Tweaks and Tips

As I mentioned before, if you want to kick things up a notch, add in some additional portable applications and launch them via PStart, you can add a modified version of this to your startnet.cmd file before you pack up your customized wim (via RunOnceEx from CD by Alanoll):

wpeinit
cmd.exe
For %%i IN (D E F G H I J K) DO IF EXIST %%i:\cd-specific_filename SET CDROM=%%i:
%CDROM%\PSTART\PSTART.EXE

Also, if you want to add a sexy custom desktop wallpaper (please comply with any work rules if you distribute such builds in your workplace, and use something tamer), just find your image (I prefer 1024x768 sized), convert it to a BMP format file, save it with the name "winpe.bmp", and place it back in your custom wim's Windows\System32 folder, overwriting the original one we extracted from the VistaPE WAIK-built wim.

I have also discovered that if you want to plug in a USB storage device to your Win PE booted system it doesn't always pick up the new drive.

Open a cmd session, run the command "DiskPart", then do a "list disk".

That is usually sufficient for the OS to scan for any drives and mount what it detects.

Refresh your windows explorer tool (in this build it would be Cubic Explorer) and you should see it now just fine.

Tomb Raiding using the PGP WDE drivers and pgpwde.exe

Remember, one of the other reasons I needed to go through all this pain and learning was to be able to boot one of our PGP WDE encrypted systems "off-line" with a VistaPE-ish Win PE boot disk and use the injected PGP drivers to access the "on-the-fly" decrypted contents of the drive.  The alternative is to spend hours (or more) doing a full off-line drive decryption with the stock PGP WDE recovery boot disk (see this PGP link on how to use it) before the contents can be accessed with a traditional boot CD.

Our hard work and dedication has now given us a much more flexible and powerful tool!

Boot the PGP WDE system with our custom boot disk.

Of course, you will need to know the user's PGP WDE passphrase for on-the-fly file/system access and recovery to work.

Open up a CMD session.

The basic commands I use are as follows:

  • pgpwde --enum
  • pgpwde --disk 0 --status
  • pgpwde --disk 0 --auth -p "xxxx"   (NOTE: put the passphrase in double quotes if it contains spaces.)
  • pgpwde -h

The first one 'enumerates' the system disks and volumes.

The second one shows the status of any pending WDE encryption/decryption activities.  This might tell you if WDE was initialized and is x% completed.

The third command is the money shot.  This is what our tomb-raiding has been working towards. It allows you (with the user's PGP WDE passphrase) to decrypt the drives "on-the-fly" from the Win PE 2.0 environment so you can recover the files from a non-bootable system if the OS has crashed (or for other reasons).  The trick to this one is that if the user's PGP WDE passphrase has spaces in it, you must enclose the whole thing in quotation marks.

I haven't tested to see if this will take a PGP WDE recovery token and if so, what impact that might have.  In our cases (so far) the user is present and can provide us with their passphrase.  If they have disappeared and their passphrase is not available, then you would need to try a PGP WDE recovery token instead.  I'll let you know if I try it and it works.

There are many, many more powerful PGP commands and arguments for the pgpwde.exe executable. Run the fourth command to list them all.  Then search the Google for some powerful and undocumented ones as well.

Either on a live PGP booted system or a LiveCD PGP injected system, the pgpwde.exe command line tools are very good to know and be familiar with if you support such systems.

Final Warning: You must inject and use the PGP WDE drivers/tools specific to the version of PGP WDE deployed on your system(s).  Failure to do so might seriously muck things up!  Mkay?

Whew!

Thanks for sticking with me.  I hope this helps someone (or two).

I also suppose if you had the VistaPE USB system keyboard sensing issue but didn't need the PGP WDE drivers, you could just skip over that step and not do that.  The rest should work fine.

Wicked Cool and Sexy, isn't it?

Just like I promised.

Cheers!

--Claus V.




[Source: Grand Stream Dreams - Posted by Kishore Vengala]

Miscellaneous Hard Drive Security Links

("Master" dual desktop via Mandolux)

My brain is still swimming in whole disk encryption issues from the past week at work.

Found these links particularly insightful or amusing; maybe both.

  • Cracking budget encryption - heise Security UK - Really great and extended article that shows the process by which researchers analyzed and broke the on-board encryption used by a particular USB hard-drive product. It is great analysis work and might be useful from a forensics perspective as well. 
  • Hard Drive Passwords Easily Defeated; the Truth about Data Protection - Computer Technology Review: Data Storage and Network Solutions.  Great (though a bit old) whitepaper post on different strategies and techniques used in drive encryption. Software-based whole-disk encryption is the strongest solution currently available.  Using the firmware-based HDD locking might seem like a fast and easy solution, but law-enforcement and data-recovery specialists can bypass this with a bit of effort.
  • What happens when you overwrite data? - SANS Computer Forensics, Investigation, and Response.  Update by Dr. Craig Wright on the mechanics of what happens when data is overwritten and recovery is attempted.  Nice images and very readable.  Continues to expand his Overwriting Hard Drive Data post presented earlier by Dr. Wright at the same blog.
  • Security - As found on the always geeky and insightful xkcd webcomic blog


Other Personal Observations:

Having a cool security sticker/label on your systems that lets everyone know your system is encrypted offers no security if the system is a laptop and is "lifted" while it is running and not locked down.

Just because the label says it is encrypted it in no way guarantees that the drive itself has actually been encrypted.  Security auditors still have to log and verify by accessing the system that the encryption solution has been correctly applied to the drive(s). If a technician images the system and forgets to apply the encryption solution (if not automatically deployed via system policies), the sticker provides a false and dangerous sense of security completion and protection for both management and the end-user.

While a properly encrypted system does protect and guard the data on the hard-drive itself, it

  1. Doesn't mean that the data can't be easily lifted by malware/trojan running on the system when the system is live and operating in an 'unencrypted' mode,
  2. Doesn't mean that the system no longer has 'theft value' as someone could remove and discard the drive, drop in a replacement and sell the sucker at a pawn shop or eBay,
  3. Doesn't mean that the data is protected enterprise-wide if the data is accessed/replicated across various desktop/laptop systems in the organization and any one of those systems escapes the disk-encryption process,
  4. Doesn't help anything if people keep their access password or passphrase taped under their keyboard, to their monitor, or to the CPU base.

I'm fully supportive and highly value properly applied whole-disk encryption solutions.  However, it must be seen as just one more hardened layer of protection among many in a properly configured and applied organizational computer security structure.

--Claus V.




[Source: Grand Stream Dreams - Posted by Kishore Vengala]

Multiple Logins in Yahoo Messenger without Software

1) Go to Start > Run, type regedit and press Enter
2) Navigate to HKEY_CURRENT_USER-->Software-->Yahoo-->Pager-->Test
3) On the right side of the window, right-click and choose New > DWORD Value.
4) Rename it to "Plural".
5) Double-click it and assign a decimal value of 1.
6) Now close the Registry Editor, restart Yahoo Messenger and try a multiple login.


[Source: Awesome Computer Tricks - Posted by Kishore Vengala]

Add Your Name (or an Application) to the Right-Click Menu of My Computer

Caution:
As this involves the Windows registry it can be dangerous,
so try this at your own risk.


To write your name on right click application
please follow the steps.

1.Copy/Paste the following code in Notepad And then Save it as .reg

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Registry Editor]
@="Your Name Or Name of the Application"
[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Registry Editor\command]
@="Location Of The Application"

2. Now edit it and type your name in:

Eg:

[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Registry Editor]
@="Rajesh"

3. If you want an application to launch once you click your name (or the application name),
type the location of the application you want to open in:

[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Registry Editor\command]
@="Location Of The Application"

For example: C:\Program Files\Yahoo!\Messenger\messenger.exe
That's it. Finally, save the file and then run it (double-click it to merge it into the registry).


------------------------------------------------------------
To add a Control Panel entry

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Control Panel\command]
@="rundll32.exe shell32.dll,Control_RunDLL"

To add an Add/Remove Programs entry

[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\Add/Remove\command]
@="control appwiz.cpl"

To add a Reboot entry

[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\[Reboot]\command]
@="shutdown -r -f -t 5"

To add a Shutdown entry

[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\[Shutdown]\command]
@="shutdown -s -f -t 5"
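Because every one of the .reg files above writes verbs under the same My Computer CLSID, an administrator should be able to list what is actually registered there and confirm that nothing beyond the intended entries was merged. This is an added example, not code from the original post; it uses only the CLSID shown above and assumes PowerShell 5.1 or later (run it elevated to see the HKLM view).

```powershell
# Added example (not from the original post): enumerate the context-menu verbs
# registered on the "My Computer" CLSID so that entries merged from .reg files
# can be verified, and anything unexpected can be removed.
$clsid = '{20D04FE0-3AEA-1069-A2D8-08002B30309D}'

# The hives the post writes to. HKCR is a merged view of HKLM\SOFTWARE\Classes
# and HKCU\Software\Classes, so the same verb may appear more than once.
$shellPaths = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\shell",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid\shell",
    "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID\$clsid\shell"
)

function Get-MyComputerVerbs {
    foreach ($path in $shellPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        foreach ($verb in Get-ChildItem -LiteralPath $path) {
            # The verb key's (default) value is the menu label ("Rajesh" in the post);
            # the 'command' subkey's (default) value is the command line that runs.
            $label  = (Get-ItemProperty -LiteralPath $verb.PSPath).'(default)'
            $cmdKey = "$($verb.PSPath)\command"
            $cmd    = $null
            if (Test-Path -LiteralPath $cmdKey) {
                $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
            }
            [pscustomobject]@{
                Hive    = ($path.Split('\')[0]) -replace '^Registry::', ''
                Verb    = $verb.PSChildName
                Label   = $label
                Command = $cmd
            }
        }
    }
}

# Print one row per verb; compare the Command column against the .reg files
# you merged. Built-in verbs (for example "Manage") are expected to appear.
Get-MyComputerVerbs | Format-Table -AutoSize
```

To undo a verb you added, delete its key (for example Remove-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\shell\Registry Editor" -Recurse) rather than editing the .reg file, since merging a .reg file only adds or overwrites values.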





[Source: Awesome Computer Tricks - Posted by Kishore Vengala]

Secret Codes for Nokia

Codes:
1) *#06# Check the IMEI (International Mobile Equipment Identity)
2) *#7780# Reset to factory settings
3) *#0000# View the software version
4) *#2820# Bluetooth device address
5) *#746025625# SIM clock allowed status
6) #pw+1234567890+1# Shows whether your SIM has any restrictions


[Source: Awesome Computer Tricks - Posted by Kishore Vengala]

Updated trick for enabling Folder option

Many Windows users face a common problem: the "Folder Options" entry in the "Tools" menu is not visible. It can't be accessed from Control Panel either, and "Registry Editor" is disabled as well.
Follow the simple steps in this tutorial and your problem will be solved:

1. If Folder Options is disabled but Registry Editor still works on your system, you can enable Folder Options by editing the Windows registry.
Type regedit in the RUN dialog box and press Enter.
This opens the Registry Editor; now go to the following keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
In the right-hand pane, check whether a DWORD value named NoFolderOptions exists. If it exists, delete it.

2. If you are not comfortable editing the registry, you can simply download the following file, extract it and then run the .REG file:
Folder_option.zip

................................................................................................................
If you can't run regedit at all,
your system may be infected with a virus. Please follow this link:
http://www.askvg.com/is-your-system-infected-with-a-virus-spyware-adware-trojan/

..................................................................................................................
Some people find that the "show hidden files and folders" option will not stay enabled:
even after enabling it they still can't see the hidden folders.
For that, don't worry:
--open RUN
--type regedit
--go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
In the right-hand pane, change the value of "Hidden" to 1 and refresh the My Computer window; you'll be able to see hidden files again.
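The two fixes above (removing NoFolderOptions from both policy keys and setting Hidden back to 1) can be checked and applied from one script. This is an added example, not code from the original post; it assumes PowerShell 5.1 or later, that it runs as the affected user, and an elevated prompt when the HKLM policy value has to be removed. The registry provider talks to the registry directly, so it still works when regedit.exe itself is blocked by policy.

```powershell
# Added example (not from the original post): report the values the post
# describes and, with -Fix, restore them.
param([switch]$Fix)

# Policy keys that hide Folder Options when they contain NoFolderOptions = 1
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
# Per-user Explorer setting: Hidden = 1 shows hidden files, 2 hides them
$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

foreach ($key in $policyKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-ItemProperty -LiteralPath $key -Name NoFolderOptions -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Host "OK: no NoFolderOptions under $key"
        continue
    }
    Write-Host "FOUND: NoFolderOptions = $($item.NoFolderOptions) under $key"
    if ($Fix) {
        # Deleting the value is exactly what the post's step 1 does in regedit
        Remove-ItemProperty -LiteralPath $key -Name NoFolderOptions
        Write-Host "  removed"
    }
}

if (Test-Path -LiteralPath $advancedKey) {
    $hidden = (Get-ItemProperty -LiteralPath $advancedKey -Name Hidden -ErrorAction SilentlyContinue).Hidden
    if ($hidden -eq 1) {
        Write-Host "OK: Hidden = 1 (hidden files are shown)"
    } else {
        Write-Host "FOUND: Hidden = $hidden under $advancedKey (hidden files are not shown)"
        if ($Fix) {
            Set-ItemProperty -LiteralPath $advancedKey -Name Hidden -Value 1 -Type DWord
            Write-Host "  set to 1; refresh or reopen the Explorer window"
        }
    }
}
```

Run it once without -Fix to see which value is responsible; if NoFolderOptions keeps coming back after removal, the post's advice about a virus infection applies and the machine needs a malware scan rather than another registry edit.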


[Source: Awesome Computer Tricks - Posted by Kishore Vengala]