uSOFT items

  Xorrades XP  

Disable Malicious Software Reporting Tool transmissions [From: http://www.support.microsoft.com/kb/891716/]

Q3. How can I disable the infection-reporting component of the tool so that the report is not sent back to Microsoft?

A3. An administrator can choose to disable the infection-reporting component of the tool by adding the following registry key value to computers. If this registry key value is set, the tool will not report infection information back to Microsoft.

This functionality is automatically disabled if the following registry key value exists:

This registry key value indicates that the computer is connected to an SUS server.

If you want to see the actual report or at least the data that the MRT finds, type the following from a command line: ("mrt.log" is a unicode text file) notepad c:\windows\debug\mrt.log

  Xorrades de Windows  

shortcuts : CONTROL = abre Control Panel MSTSC = activa Escritorio Remoto APPWIZ.CPL = Add or Remove Programs ! DCOMCNFG = Management Console : Visor de Sucesos, Servicios, Componentes. how to know whether an OS is 32 bit or 64 bit ? command prompt and type set. Look for the processor type : x86 is 32bit, x64 is 64bit. Start -> Run, and type dxDiag cmd.exe /? has some goodies, as Auto-Complete. Set HKEY_CURRENT_USER/Software/Microsoft/Command Processor/CompletionChar to 9, and you have TAB completion (start typing a file or dir name, press TAB, and matching file/dir names appear). The difference between "runas.exe" and "Run as Administrator" I asked Microsoft the difference between the following two mechanisms for starting a cmd prompt: "runas /u:administrator cmd" Right-click cmd.exe and hit the "Run as Administrator" option Well, it turns out every program that is ever started with runas.exe is started in the ordinary logged in context, specifically, the reduced capability context. Hence, you might start a cmd.exe prompt with runas.exe, but it will run in the same reduced capability mode your login shell runs in. If you really want to elevate and then run, you must use the right click method. That produces an unrestricted Administrator program. This works even for Internet Explorer. W 2008 Server details Keep in mind that media files, like any other files, can be re-associated at any time. For example, if you decide you want to associate MP3 files with another program at some point you can simply locate an MP3 file, hold the Shift key and right-click the file. At this point a menu will appear and you can select Open With and then choose the application you want to use to play MP3 files. Check the box next to "Always use the select program to open this kind of file" and the next time you double click an MP3 file it will open that program. How to kill any process ? drwtsn32 -p < process-id > How to know the process-id of a program ? Task Manager or TLIST.EXE url or TaskList From here [got it here ] Ver PULIST.EXE ... dresseres : run services.msc run gpedit.msc Display Desktop icon : create a file "Show Desktop.scf" located at [NT, W2K, XP] C:\Documents and Settings\Username\Application Data\Microsoft\Internet Explorer\Quick Launch [Shell] Command=2 IconFile=explorer.exe,3 [Taskbar] Command=ToggleDesktop url Lock PC : Right click an empty area of your desktop. Choose New/Shortcut and enter this line as the command line: rundll32.exe user32.dll, LockWorkStation Expand Control Panel in Start Menu W2K : To make the Control Panel act like submenu of the Start Menu, right-click the Task Bar in an open area, and choose Properties. In the "Taskbar & Start Menu Properties" window that appears, click the "Advanced" tab. Under the Start Menu Settings, check next to "Expand Control Panel." Now, when you click Start, Settings, Control Panel, you can choose one of the Control Panel applets, such as Add/Remove Programs, right from there. url WXP : Right-click the Start menu button, then choose Properties. From the Taskbar & Start Menu Properties window, click the Customize button, then click the Advanced tab. You should see three options for Control Panel: Display as Link (default), which means it opens in a separate window when you click it, Display as Menu, which means that when you click it, or even hold the mouse over it, the Control Panel items will open as a sub-menu, and Do not display this item, which will remove it from the Start Menu completely. url Com saber quin Fix Pack es instalat ? See Add/Remove Programs in Control Panel ... Install KB835732 disable "Caps Lock" : see here --------------------------------------------------------------------- Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout] "Scancode Map"=hex:00,00,00,00,00,00,00,00,02,00,00,00,00,00,3a,00,00,00,00,00 --------------------------------------------------------------------- trace "log" errors to Event Viewer / Security Log : Administrative Tools + Local Security Policy + Local Policies + Audit Policy + Audit account logon events Thankx Albert (again) com veure quina versió tenim instalada ? winver W2K : Winver : uSoft Windows Version 5.0 (Build 2195:Service Pack3) System : uSoft Windows 2000 5.00.2195 Service Pack 3 W98 (P4) : Winver : windows 98 System : W98, Segunda Edicion, 4.10.2222 A IE5 busca dins uS si la URL no es bona Tools - Internet Options - Advanced - "Do not search from Address bar" paràmetres per instalar NT 4.0 : E:\I386>winnt /? Installs Windows NT. WINNT [/S[:]sourcepath] [/T[:]tempdrive] [/I[:]inffile] [/O[X]] [/X | [/F] [/C]] [/B] [/U[:scriptfile]] [/R[X]:directory] [/E:command] /S[:]sourcepath Specifies the source location of Windows NT files. Must be a full path of the form x:\[path] or \\server\share[\path]. The default is the current directory. /T[:]tempdrive Specifies a drive to contain temporary setup files. If not specified, Setup will attempt to locate a drive for you. /I[:]inffile Specifies the filename (no path) of the setup information file. The default is DOSNET.INF. /OX Create boot floppies for CD-ROM installation. /X Do not create the Setup boot floppies. /F Do not verify files as they are copied to the Setup boot floppies. /C Skip free-space check on the Setup boot floppies you provide. /B Floppyless operation (requires /s). /U Unattended operation and optional script file (requires /s). /R Specifies optional directory to be installed. /RX Specifies optional directory to be copied. /E Specifies command to be executed at the end of GUI setup. So, my command line was : c:> d:\i386\winnt /s:d:\i386 /b WIN2000 no té /B com instalar SP6 en un NT 4.0 en castellà Q250867 says : To work around this issue and prevent the version-number scanner from comparing the Schannel.dll file versions : Use any text editor (such as Notepad) to open the Update.inf file in the I386\Update folder in the service pack source files. Place a semicolon (;) before the reference to the Schannel.dll, Security.dll, and Ntlmssps.dll files in the [CheckSecurity.System32.files] section of the Update.inf file. Save and then close the Update.inf file. Install the service pack. Ignacio la ha millorat : Lanzar la instalación del Service Pack 6a, lo cual descomprimirá una serie de ficheros en el subdirectorio del directorio apuntado por la variable TEMP (por ejemplo d:\temp\ext9830). Antes de responder al diálogo en el que se nos pide que aceptemos los términos de la licencia, buscar dicho directorio temporal y copiar los archivos a otro sitio. Aceptar el diálogo, lo cual intentará lanzar la instalación, pero mostrará error, borrando los ficheros del subdirectorio inicial. Ir al directorio con las copias, y modificar el fichero UPDATE.INF como se indica en el artículo de Microsoft. La sección [CheckSecurity.System32.files] debe quedar así : [CheckSecurity.System32.files] ; SCHANNEL.DLL ; SECURITY.DLL ; NTLMSSPS.DLL Lanzar la instalación ejecutando UPDATE.EXE ; esta vez no aparecerá el error. com instalar SP6 HIGH-ENCRYPTION en un NT 4.0 en castellà Hay que ir al directorio %SystemRoot%\system32\ donde encontraremos tres archivos rsaenh.dll enhsig.dll schannel.dll Hay que renombrarlos o cambiarles la extension (por ejemplo: rsaenh.dl_, enhsig.dl_ y schannel.dl_). Despues de esto hay que reiniciar el sistema y una vez arranque se puede instalar el SP6a. versions de SCHANNEL.DLL Export -> 40-bit U.S. Domestic -> 128-bit existeix RSAENH.DLL => High-Encryption (128 bit). SU-0013 - no MS-DOS boot partition, installing W98 on 2-nd hard disk. Netscape "updating client registry" : c:\windows\nsreg.dat on son els cookies (i altres trasses) dels navegadors ? Netscape : c:\Program Files\Netscape\Users\default\cookies.txt Disable bye setting user_pref("network.cookie.cookieBehavior", 2); in prefs.js ! IE 5.5 : c:\windows\cookies (hidden) and c:\windows\Temporary Internet Files\Content.IE5\INDEX.DAT IE 5.5 settings are quite hidden in Internet options + Tools + Security + "Custom Level" eines interessants : CoolSwitch (taskswitch.exe) : ALT TAB replacement PowerToy for XP Resource Meter (c:\windows\Rsrcmtr.exe) tlist -s, from SUPPORT.CAB (w2K) - display active processes. "-s" switch shows the list of active services in each process. For more information about the process, type tlist pid. From here minimum swap size (manual management) : less than 32 MB of RAM : 2,5 times your amount of RAM less than 64 MB of RAM : 2 times your amount of RAM more than 64 MB of RAM : equal the amount of RAM configurador interessant (W9x) : msconfig o un clone uninstall hidden XP components : c:\windows\SYSOC.INF - remove the hide word (leave comas), so they appear in Add/Remove dialog. Link and link. configure XP 100 % : gpedit.msc from here. customize SendTo menu, by creating shortcuts and placing them in c:\windows\SendTo [XP] remove Error Reporting Service service using msconfig. Tweak-UI : the must have tool. Search uS for PowerToys. Or download it ! (v 1.33) XP [XP] SuperGuide change text in Explorer's title bar The title bar of Internet Explorer displays the text "Microsoft Internet Explorer," along with the title of the page you're visiting. If you're tired of constantly being assaulted with images and words from Big Green up in Redmond, you can change that text to anything that you want. From a command line or from the Run line, run regedit Select the folder HKEY_CURRENT_USER and follow the folder path \Software\Microsoft\Internet Explorer\Main Add a new String Value named Window Title. In the Value field type in the text you want to appear and then hit OK. Close Internet Explorer if it's open, and restart it. The title bar will now have your new text. If you want your title bar to have no text in it aside from the title of the page you're currently visiting, create the Window Title string value, but leave the Value field empty. CAB Extract from here Sample : from the Windows 2000 installation CD's Support\Tools folder, extract the TLIST.EXE utility from the Support.cab file. HOSTS file location : W95 : W98 : ??? W2K : c:\WINNT\System32\Drivers\etc (sample in c:\WINNT\I386) WXP : windows releases numbers : 4.00.950 = windows 95 & 95 A (FAT16, no FAT32) 4.00.1111 = windows 95 B & 95 C (FAT32) 4.10.2222 = windows 98 B & 98 se 4.90.3000 = windows Me

  Xorrades 2000  

PWS & IIS

Here it says :
PWS is not supported and cannot be installed on any version of Windows XP.
Windows XP Professional is designed for business users and contains Internet Information Services (IIS) version 5.1. IIS 5.1 includes Web and FTP server support, as well as support for Microsoft FrontPage transactions, Active Server Pages, and database connections.

So, PWS was for W98 only

IIS :

• Installing IIS under XP
  You can install IIS, add optional components, or remove optional components for IIS by using the Add/Remove Programs dialog box in Control Panel.
  Installation guide

  LocalHost documentation !

• LockDown tool v 2.1
• MetaEdit utility
• Resources
• TroubleShooting ASP in IIS 5.0

Problemes amb el IIS :

• the server failed to load application '/LM/W3SVC/1/ROOT'
  • The most likely cause of this problem is that the DTC coordinator service has not started. Solucio : "msdtc -resetlog" !
    From here
  • To correct this problem, run the SyncIwam.vbs utility in the InetPub/AdminScripts directory.
    cscript synciwam.vbs
    From here

• The COM Application ... failed to activate out of process
  • Here it says the solution is this (IWAM Account).

    To resolve this problem, you must make sure that the passwords for the IUSR and IWAM accounts are synchronized in all three of the above-mentioned locations.

    Read here :

    • Obtain the IUSR account password : cscript.exe adsutil.vbs get w3svc/anonymoususerpass
    • Obtain the IWAM account password : cscript.exe adsutil.vbs get w3svc/wamuserpass
    • Set the IUSR account password : cscript.exe adsutil.vbs set w3svc/anonymoususerpass "password"
    • Set the IWAM account password : cscript.exe adsutil.vbs set w3svc/wamuserpass "password"

    From here

  Note : when you try to obtain the password in Windows NT 4.0, the password appears as clear text; however, the password appears as asterisks in Windows 2000. To obtain the password in clear text in Windows 2000, you must modify Adsutil.vbs so that it displays the unmasked password. To do this, follow these steps:

  1. In Notepad, open Adsutil.vbs.
  2. On the Edit menu, click Find, type IsSecureProperty = True, and then click Find Next.
  3. Change "IsSecureProperty = True" to "IsSecureProperty = False".
  4. Save the changes to Adsutil.vbs, and then close Notepad.

  Change the password in MTS or Component Services : cscript.exe synciwam.vbs -v
  You may need to restart IIS for all changes to take effect. To restart IIS, from the Start menu, click Run, type iisreset, and then click OK.

• ADSUTIL

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
 Windows="%SystemRoot%\system32\csrss.exe
 ObjectDirectory=\Windows
 SharedSection=1024,3072,512
 Windows=On
 SubSystemType=Windows
 ServerDll=basesrv,1
 ServerDll=winsrv:UserServerDllInitialization,3
 ServerDll=winsrv:ConServerDllInitialization,2
 ProfileControl=Off
 MaxRequestThreads=16"
 

  How to read a MiniDump  

If user selects so, a "Small Memory Dump" (64 KB) is generated on system failure. Select CP + System Properties + Advanced + Startup and Recovery Directory of C:\WINNT\Minidump 18/09/2003 09:25 65.536 Mini091803-01.dmp 17/10/2003 10:14 65.536 Mini101703-01.dmp 08/10/2004 08:32 65.536 Mini100804-01.dmp To read its contents ... N.I.Y. Header structure Hot to read a minidump ... W2000/NT ... WXP To install it : W2K - Windows 2000 CD-ROM: Install the Support Tools by running Setup.exe from the Support\Tools folder on the CD-ROM. By default, Dumpchk.exe is installed to the Program Files\Support Tools folder. Windows NT 4.0 CD-ROM: Support\Debug\<Platform>\Dumpchk.exe Windows XP: Install the Support Tools by running Setup.exe from the Support\Tools folder on the CD-ROM. By default, Dumpchk.exe is installed to the Program Files\Support Tools folder.

  Keyboard shortcuts  

Copy = CTRL + C Cut = CTRL + X Paste = CTRL + V Mark = SHIFT + <left> or <right> arrow Mark to EOL = SHIFT + <End> Select All = CTRL + A Refresh = PF5 Mouse Right Button = Shift + PF10 ALT+SPACE: Displays the main window's System menu From the System menu, you can restore, move, resize, minimize, maximize, or close the window. General keyboard-only commands How to move a window when its title bar is off the screen Hold down Alt + Spacebar Press the M key Use the arrow keys to relocate the window Press the Enter key when you have the Window in the desired location.

Tecla Acción F1 Help F2 Rename F3 Search F4 Abrir la lista desplegable d ela barra de herramientas. F5 Refresh F6 o TAB Circula el foco por la lista F10 o ALT Pone el foco en la barra de menús ALT + ESC Desplaza el foco entre aplicaciones abiertas. ALT + TAB Abre una ventana con iconos representando los archivos y carpetas abiertos. Mantener pulsado ALT y pulsar TAB para ir al siguiente. Para ir al icono actual, soltar ALT. ALT + SHIFT + TAB Igual que el anterior, pero en sentido inverso. CTRL + ESC Abre el menú Inicio. ALT + F4 Cerrar la aplicación actual. ALT + SB Abre el menú de control de la ventana activa. (icono de la esquina superior izquierda de la ventana) SHIFT + IMPR PANT Copia la pantalla actual en el portapapeles (use Paint). ALT + IMPR PANT Copia la ventana activa en el portapapeles (use Paint). Apendice B, Windows NT Server 4.0, ISBN 1-57231-333-1. Keyboard shortcuts for Windows

  Main fixes  

  Complete fixes list  

Complete (and LARGE) list + short description : url {*****} 1998 thru 2007 ! [22/6/2007 had 574 entries]
Jul 2007 : H:\Guindous_Fix_Packs has [all 2007, 2006 down to MS06-050].

Parches de uSoft por meses :

WinUp = parches hasta el 1 de Enero del 2008. Requiere : XP con SP2 instalado.

SP2 {KB835935} download : [ES], [EN]

SP3 - To install SP3, either Windows XP Service Pack 1a (SP1a) or Windows XP Service Pack 2 (SP2) must already be installed.

  Guindous Debug  

From SysInternals blog - they end up using SoftIce ...

URL

1. download and install the "Debugging Tools for Windows"
   http://www.microsoft.com/whdc/DevTools/Debugging/default.mspx
2. let's say you've installed the debugger in d:\windbg
3. if you service executable is myservice.exe then you can do
   d:\windbg\gflags /p /enable myservice.exe /debug d:\windbg\windbg.exe

   Start your service and it will pop up in the debugger and you can do whatever debugging you need.
   When you are done debugging you must do:

   d:\windbg\gflags /p /disable myservice.exe

The real nice thing about this is if you are working on a dll like say myserv1.dll and myserv2.dll. Then you can do the same thing as above except you change the /enable myservice.exe to /enable myserv2.dll. This one you have to be careful with because if you have multiple process that loads that dll then each one will pop up in the debugger when it's loaded. This is also disabled the same way as mentioned above.

BTW, this can be done for any executable not just a service also gflags can be used for much more than this. This is just one nice thing I've found over time. I guess the nice thing is that gflags handles all the registry updates for you so you don't have to do it yourself.

Garfield A. Lewis

  Temas misceláneos  

• Notepad inserts x'EF.BB.BF at the beginning of a (large) XML file (BOM = Byte Order Mark)

• Programs that are started at Windows Logon :
  [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

  See mr Russinovich's autoruns.exe

• The programs that are started at Windows StartUp are located in
  HKLM -> Software -> Microsoft -> Windows -> Current Version -> Run #1 /winnt/profiles/egb/start menu/programs/startup [/windows/profiles is still present but mostly unused] ["egb" profile is now /Documents and Settings/egb] #2 /winnt/profiles/all users/start menu/programs/startup [/Documents and Settings/All Users] #3 HKCU/software/microsoft/windows/CurrentVersion/run (found that pesky AOL Instant Messenger here) #4 HKCU/software/microsoft/windows/currentversion/runonce #5 HKCU/software/microsoft/windows NT/CurrentVersion/windows/run #6 HKLM/software/microsoft/windows/currentversion/run #7 HKLM/software/microsoft/windows/currentversion/runonce #8 HKLM/software/microsoft/windows/currentversion/runonceex #9 HKUsers/.DEFAULT/software/microsoft/windows nt/currentversion/windows/run (this is the default user; it gets copied to each new user, so if you want something to not be copied, remove it from here.) #10 HKUsers/S-1-5-.../software/microsoft/windows/currentversion/run That's my SID, the "S-1-5-..." stuff. This is me under my SID. It is the same as #3 above #11 HKUsers/S-1-5-.../software/microsoft/windows nt/ currentversion/windows run - same as #4

  AutoStart locations : 53 = 35 Registry + 12 files + 6 folders.

  GRC : Sub7 insinuates itself into Windows in a few clever ways. It installs in the seldom used "run=" line of the deprecated WIN.INI file. It also installs under the "Run" key of the registry. And it inserts a much smaller 10k "runner" into the Windows Shell "command/open" key. All of this pretty much guarantees that Sub7 will keep running inside the system. It's difficult to shake it loose.

• To enable or disable automatically running CD-ROMs, controlled by file Autorun.inf, do :
  • open Control Panel and double click System Properties
  • select Device Manager tab
  • double-click the CD-ROM icon and right-click your CD-ROM drive
  • select Properties and click the Settings tab
  • Uncheck the Auto insert notification check box

  Using TweakUI, one of PowerToys, this can be disabled by turning off the Play audio CDs automatically and the Play data CDs automatically options in the Paranoia tab.

• ACL modify :
  c:\> CACLS Displays or modifies access control lists (ACLs) of files CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]] filename Displays ACLs. /T Changes ACLs of specified files in the current directory and all subdirs. /E Edit ACL instead of replacing it. /C Continue on access denied errors. /G user:perm Grant specified user access rights. Perm can be: R Read W Write C Change (write) F Full control /R user Revoke specified user's access rights (only valid with /E). /P user:perm Replace specified user's access rights. Perm can be: N None R Read W Write C Change (write) F Full control /D user Deny specified user access. Wildcards can be used to specify more that one file in a command. You can specify more than one user in a command.

• how to Disable Windows File Protection (Windows 2000/XP) - url
  Go to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] and change the value of "SFCDisable" to equal "ffffff9d" to disable WFS or "0" to enable it.

• To force an "Admin" logon at Startup, ...

       HKLM -> Software -> Microsoft -> Windows NT -> Current Version -> WinLogon
       AutoAdminLogon := 1 ;
  

• To clear the Documents menu every time you start, click on the Paranoia tab and turn on the Clear Document history at logon option.
  Or, in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  set (DWORD) ClearRecentDocsOnExit to "1".

• To remove programs listed in the Control Panel's "Add/Remove Programs" section, open

       HKLM -> Software -> Microsoft -> Windows -> Current Version -> Uninstall
  

  and delete the program entry here. Then, restart the machine.

• XP security hole - any file will be deleted if the file's name is incorporated into a URL beginning with hcp:// and IE is induced to visit the URL. Fixed in SP1.

• TaskList - when you type "Ctrl+Alt+Del" under W95, you get the Task List. Here is a page to understand its contents

  My "usual" entries are :

  • Explorer - end-user interface : desktop, task bar, start menu, etc. *** Vital ! Leave untouched ***
  • Daemon
  • Ibmbaysn - UltraBay ?
  • Systray - runs Windows System Tray, part of the Task Bar. *** Leave untouched ***
  • Navapw32 - Norton Antivirus Auto-Protect for Windows 32-bit.
  • C4ebreg - PC scan from Germany. --- Removable --- :
  • Idhelper
  • Loadwc - Internet Explorer's Load WebCheck. *** Remove *** Used this to find that.
  • Nhldaemn - Notes.
  • Nupdate - Notes.
  • Nwrdaemn - Notes.
  • Pcscm
  • Pcs_agnt
  • Pcs_srvr
  • Rxapi

• large list of startup applications. Here I found SENTRY !!!
  Mind file win.ini

• Here are a lot of good W95 tips and tricks. They have them ALL !
  • to copy a "system" floppy, use diskcopy a: a:
  • to remove manually a program :
    • HKEY_Local_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall - remove reference in the "Add/Remove Programs" tool.
    • HKEY CURRENT USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY LOCAL MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Start/Run/Msconfig/Startup

• W98 "Windows Protection Error" troubleshooting
  Run msconfig and choose Selective Startup.

• To socksify the TCP/IP stack, use
  • c:\windows\system\WSOCK32.DLL
  • c:\windows\system\HCLSOCK5.DLL
  • c:\windows\system\SOCKS.CNF
  
  Sucesor (IBM) : PIX, as Blue ICE (Internet Connection Environment) from Cisco.
  If you are behind a firewall, and ping www.yahoo.com fails, or W95 tracert, your TCP/IP stack is socksified, as PING is not socksifyable.

  SOCKS is an implementation of what is known as a circuit-level proxy. A proxy is a device that makes a connection on your behalf.
  PIX performs what is known as "stateful packet inspection".

• Windows 2000 TCP/IP Implementation details : browse or download
  Large doc ! got it. Server 2003 : also

• Windows TCP/IP troubleshooting :
  • "ping error 10043" : TCP not installed. Use winipcfg to verify it.
  • "Unable to browse the network" : did not Log into the network (initial screen).

  URL

• W2K network traffic (to Tinet)
  using netstat -an or TcpView, you can see that W2K periodically opens local port 3710 (and UP) and remote port 135, scanning ranges of IP addresses [SYNC_SENT].
  Services registered for this port ( from Neohapsis ) :
  tcp - epmap - DCE endpoint resolution
  tcp - loc-src - NCS local location broker
  udp - epmap - DCE endpoint resolution
  udp - loc-srv - location service

  135 = RPC End-Point Mapper

  Chicago University problems talk about "Port 135 is essential to the functionality of Active Directory and Microsoft Exchange mail servers, among other."

  W32.Blaster.Worm uses port 135
  See forum

  What to do ? Here they say : The simplest way to turn off 135 is to go to your Network Properties and disable File Sharing. Also, click the ADVANCED tab and DISABLE NetBIOS over TCP/IP.

  Search Google for a utility named FPORT : here

  Goto https://grc.com/x/ne.dll?bh0bkyd2 and run a port scan, and see if the port is really open or not

• IE configuration :

   HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN
   

• The file "C:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat" contains information about websites you have visited, cookies you have received, etc. It is not displayed by MS Explorer, never, no way (thanks, Bill). To delete it under W95, place at the begin of "autoexec.bat", the line "deltree /Y c:\windows\tempor~1\"

  Under W2K, move it ! To find out where the real cache is, go to Internet Explorer and select Tools, Internet Options. On the General tab, click Settings. In the Settings dialog box, click View Files to bring up your real cache folder.
  URL

   1.376.256  index.dat    BEFORE
      32.768  index.dat    AFTER
  

  UnLocker, Privacy Keeper, DelIndex (no XP/NT/2000).

  Source

• startup "hot" keys :
  
  • W95. From here
    • F5 = Safe Boot.
    • F8 = boot Menu - goto "safe boot".
  • W2K
    • F8 = Safe Boot. From here
  • XP
    • F8 = Safe Boot. From here

  Remove PWL files ... forever  

By default Win95 keeps a record of passwords for everyone who logs into windows. It does this by creating a .pwl file in the windows directory. This file is encrypted, but it has been reported that it is very easy to decrypt.
To turn off this "feature" of Win95 you need to run the policy editor for Win95. This is called poledit.exe and can be found on the Win95 CD. It is not installed by default. It is located in \admin\apptools\poledit on the CD. Or get it from uSoft.
Once you start poledit, you need to "Open Registry" under the File menu. You will then see a "Local Computer" icon; double click this. Then go to Network / Passwords and check the box next to "Disable password caching". Once you restart windows, it will no longer make those silly .pwl files.

W95 produces RC4 keys of 32 bits to protecl the .pwl files. The 20 first bytes of any .pwl files contains the username, which is the same as the filename, in capitals, padded with 0x00.

RC4 is a stream cipher, it generates a long pseudo random stream that it uses to XOR the data byte by byte. This isn't necesarily weak encryption if you don't use the same stream twice: however WIN95 does. Every resource is XORed with the same pseudo random stream. What's more the 20 first bytes are easy to guess. This is easy to exploit: XOR the 20 bytes starting at position 0x208 with the user name in uppercase, and slide this string through the rest of the file (xoring it with whatever is there) . This reveals the 20 first bytes of the different resources.

  W95 startup process  

Link

The Windows 95 startup process can be broken into the following steps:

1. The read-only memory (ROM) Basic Input-Output (BIOS) bootstrap process
2. The master boot record (MBR) and boot sector
3. The IO.SYS file (must be the first entry in the root directory)
   MS.DOS must be on entry number two !
4. Real-mode configuration
5. The WIN.COM file and the Windows 95 Environment

• 1.The Power On Self-Test (POST) occurs.
• 2.The A drive is checked for the existence of a boot disk.
• 3.If a boot disk is not found in the A drive, the ROM BIOS bootstrap checks for a hard disk. If a hard disk is found, the ROM loader transfers control to the operating system loader.
• 4.The master boot record and partition table are read. Microsoft and several original equipment manufacturers (OEMs) have defined a Plug and Play BIOS specification. This specification defines the interactions between the Plug and Play BIOS, Plug and Play devices, and option ROMs. If your computer has a Plug and Play BIOS, the following additional steps are performed:
• 5.The Plug and Play BIOS checks non-volatile random access memory (RAM) for input/output (I/O) port addresses, interrupt request lines (IRQs), direct memory access (DMA) channels, and other settings needed to configure Plug and Play devices on the computer.
• 6.All Plug and Play devices found by the Plug and Play BIOS are disabled.
• 7.A map of used and unused resources is created.
• 8.The Plug and Play devices are configured and re-enabled, one at a time. Windows 95 Configuration Manager queries the Plug and Play BIOS for device information, and then queries each Plug and Play device for its configuration. If your computer does not have a Plug and Play BIOS, Plug and Play devices are initialized using their default settings when you start your computer. These devices may be reconfigured dynamically when Windows 95 starts.

Step 3 - The Io.sys File
The following steps occur when the IO.SYS file loads into memory :

• 1.A minimal file allocation table (FAT) file system is loaded.
• 2.The MSDOS.SYS file is read.
• 3.The "Starting Windows 95" message is displayed for < n > seconds, or until you press a Windows 95 function key. The amount of time the message is displayed is determined by the BootDelay=< n > line in the MSDOS.SYS file. The default is 2 seconds.
• 4.If you have multiple hardware profiles in Windows 95, you receive the following message and must choose a hardware configuration to use: Windows cannot determine what configuration your computer is in.
• 5.The LOGO.SYS file is loaded and displays a startup image on the screen.
• 6.If the DRVSPACE.INI or DBLSPACE.INI file exists, the DRVSPACE.BIN or DBLSPACE.BIN file is loaded into memory.
• 7.The IO.SYS file checks the system registry files (SYSTEM.DAT and USER.DAT) for valid data.
• 8.The IO.SYS file opens the SYSTEM.DAT file. If the SYSTEM.DAT file is not found, the System.da0 file is used for startup. If Windows 95 starts successfully, the System.da0 file is copied to the System.dat file.
• 9.The DBLBUFF.SYS file is loaded if the "DoubleBuffer=1" is in the MSDOS.SYS file, or if double buffering is enabled under the following registry key: HKLM\System\CurrentControlSet\Control\WinBoot\DoubleBuffer Windows 95 Setup automatically enables double buffering if it detects that it is required.
• 10.If you have multiple hardware profiles in Windows 95, the hardware profile you chose is loaded from the registry.
• 11.The IO.SYS file processes the Config.sys file.

• 1.The Config.sys file loads drivers into memory. If the Config.sys file does not exist, the Io.sys file loads the following required drivers:

             IFSHLP.SYS
             HIMEM.SYS
             SETVER.EXE
  

  The IO.SYS file obtains the location of these files from the "WinBootDir=" line of the MSDOS.SYS file. These files must reside on the hard disk.
• 2.Windows 95 reserves all global upper memory blocks (UMBs) for Windows 95 operating system use or for expanded memory support (EMS).
• 3.The AUTOEXEC.BAT file loads files and terminate and stay resident (TSR) programs into memory.

• 1.After the AUTOEXEC.BAT file is processed, the WIN.COM file is run.
• 2.The WIN.COM file accesses the VMM32.VXD file. If there is enough available RAM, the VMM32.VXD file loads into memory, otherwise, it is accessed from the hard disk. This may result in a slower startup time. The VMM32.VXd file is similar to the WIN386.EXE file used in earlier versions of Windows.
• 3.The real-mode virtual device driver loader checks for duplicate virtual device drivers (VxDs) in the Windows\System\Vmm32 folder and the VMM32.VXD file. If a VxD exists in both the Windows\System\Vmm32 folder and the VMM32.VXD file, the duplicate VxD is "marked" in the VMM32.VXD file so that it is not loaded.
• 4.Real-mode VxDs can be loaded into memory in any of the following ways : Real-mode device drivers or TSRs that respond to the Windows 95 INT2F broadcast load their embedded VxDs when Windows 95 starts. Drivers internal to the Vmm32.vxd file that are not "marked" are loaded from the following registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD If the real-mode virtual device driver loader finds a "marked" driver, it changes its registry entry from a VxD (a driver preceded with an asterix "*") to a file with a .vxd extension so that the external driver is found in the Windows\System\Vmm32 folder. When the external driver is found, it is loaded into memory. VxDs that are not already loaded by the Vmm32.vxd file are loaded from the [386 Enh] section of the Windows\System.ini file. Some VxDs are required for Windows 95 to run properly. These required VxDs are loaded automatically and do not require a registry entry. The following VxDs are required by Windows 95:

               *BIOSXLAT   *CONFIGMG    *DYNAPAGE
               *DOSMGR     *EBIOS       *IFSMGR
               *INT13      *IOS         *PAGESWAP
               *SHELL      *V86MMGR     *VCD
               *VCACHE     *VCOMM       *VCOND
               *VDD        *VDMAD       *VFAT
               *VKD        *VMCPD       *VPICD
               *VTD        *VTDAPI      *VWIN32
               *VXDLDR
  

• 5.The real-mode virtual device driver loader checks that all required VxDs loaded sucessfully. If not, it attempts to load the drivers again.
• 6.Once the real-mode virtual device driver loading is logged, driver initialization occurs. If there are any VxDs that require real-mode initialization, they begin their process in real-mode.
• 7.Vmm32 switches the computer's processor from real-mode to protected-mode.
• 8.A three-phase VxD initialization process occurs in which the drivers are loaded according to their InitDevice instead of the order in which they are loaded into memory. The VxDs are carried out in the following sequence:
  • a.SYS_CRITICAL_INIT (SYSCRITINIT): Interrupts are disabled during this phase. This gives VxDs time to prepare for device initialization without being interrupted by the system. No file I/O is allowed during SYSCRITINIT, so all SYSCRITINITs are not written to the Bootlog.txt file until after SYSCRITINIT is complete for all VxDs.
  • b.SYS_DEVICE_INIT (DEVICEINIT) The bulk of the VxD initialization takes place during this phase. File I/O is allowed during DEVICEINIT, so each VxD's DEVICEINIT is logged as it occurs. The one exception is during Ifsmgr's DEVICEINIT. Ifsmgr takes over the real-mode file system, and disk I/O is not allowed until Ifsmgr's DEVICEINIT succeeds. For this reason, Ifsmgr does not appear in the DEVICEINIT phase. When a DevLoader VxD is called, it loads other drivers it is responsible for, regardless of their InitDevice order. The DevLoader examines the Registry and finds drivers (for example, portdrivers [such as.mpd files]) and any associated support drivers. It then initializes the device associated with these drivers. During this phase, if a VxD failed to initialize, it was unable to properly communicate with the hardware or service it drives. Typically, this is due to incorrect hardware settings or the service not being installed. The remaining static VxDs continue with the initialization phase. Also, dynamic VxDs may begin initializing during this phase. They do not have a SYSCRITINIT phase. However, a dynamic VxD may also load anytime after Windows 95 has started.
  • c.SYS_INIT_COMPLETE (INITCOMPLETE) VxDs that successfully pass the InitComplete phase should be working properly. If a VxD was listed in one of the previous phases but is not successful in this phase, that VxD is unloaded from memory. GUI Components: After all the static VxDs are loaded, the Krnl32.dll, Gdi.exe, User.exe, and Explorer.exe (the default Windows 95 shell) files are loaded.

  DLL-hell  

Side by Side was "invented" by Microsoft in order to overcome the "DLL-hell" problem. DLL-hell is where a particular dll might have multiple versions and different parts of the same program require different versions. Another form of DLL-hell is where a program is happy with the currently installed version A of a dll. At that point, a new version is installed, fixing "known bugs" in the old version. Then the program no longer works.

DLL-hell has been a problem since the early days of Windows 3.1. Furthermore, I have never heard of an application program or a software developer having the problem with their own DLL's. Translated, DLL-Hell is a term used to describe the Windows software development teams' inability to do proper design and testing of software. It's "Ain't it awful" from the Microsoft software development teams.

The update problem mentioned above could easily have been avoided if the application developers had statically linked their programs. However, no such capability exists in Windows. The reason is that generally, libraries for static linking are not provided by Microsoft. Were the applications statically linked, updating DLL's would not effect the already delivered and working application.

Static linking was not traditionally done in Windows 3.1 due to the resulting memory requirements for multiple programs running simultaneously. An interesting observation is that if you, as I did, ran only one program at a time in the brittle Windows 3.1 environment, then there was no memory benefit of a DLL. A second benefit for Windows 3.1 was the reduced disk foot print. Static linking would have the effect of multiple copies of the DLL on disk. With dynamic link libraries, only one copy of the library would be on disk -- theoretically. Practially, there were dozens of copies of the same DLL but different versions.

  USB support under W95  

• under Control Panel, select System and General tab.
  You shall have version 4.00.950 B or superior.

• to determine whether you are running OSR2.1 :
  • under Control Panel, select Add/Remove Programs and check for USB Supplement to OSR2.
  • Then, check for version 4.03.1212 of the Ntkern.vxd in the Windows\System\Vmm32 folder. This is done using Windows Explorer and selecting Properties of the file, and then clicking Version tab.

• but Sony says no-no to dscp9

Copy / Move a File

Aplicacions "rodones"

• Zone Labs - tallafocs. url
• CD Burner XP - grabacio CDs. url

Pendent / dubtes

• quin us té el Computer Security Identifier (SID) ? url

• que fa en un portatil la funcio "Import Foreign Disk" ?

• al instalar un programa sota W2K, al final, pot crear : (Rexx ?)
  • add a desktop shorcut
  • add an icon to Quick Launch Toolbar
  • add an icon to the Start Menu
  • add a search link in Start Menu "Find"

• diferencies entre
  • regedit
  • regedt32

• eina per netejar
  • View and delete Temporary Internet Files including the corresponding index.dat file.
  • View and delete Internet Cookies including the corresponding index.dat file.
  • View and delete Internet History including the corresponding index.dat file.
  • Clean auto complete web forms.
  • Remove typed URLs.
  • View and remove Internet Explorer plugins.
  • Delete the contents of Windows Temp folder
  • Empty Recycle Bin
  • Clean Windows Recent Documents folder.
  • Remove Windows Search history.
  • Remove Windows Run history.

  In Windows NT, 2000 and XP, the folders are located in these locations:

  • C:\Documents and Settings\[Username]\Cookies\
  • C:\Documents and Settings\[Username]\Local Settings\History\
  • C:\Documents and Settings\[Username]\Local Settings\Temporary Internet Files\Content.IE5\

  See INDEX.DAT contents ... using Index Dat Viewer.

  Use Internet Sweeper ? Window washer ?

• how to Print a file from DOS under Windows 98 ?
  • Exec ('c:\windows\notepad.exe', '/p '+Filename);
  • copy <file_to_print> LPT1:

• SC.EXE dins del "Resource Kit" ... Qué és ?
  NT Service Controller and services

System crash

• CP + System Properties + Advanced + Startup and Recovery :
  c:\WINNT\Minidump\MiniMMDDQQ-nn.dmp

• c:\winnt\system32\drwtsn32.exe
  • c:\WINNT\System32\drwtsn32.log
  • c:\WINNT\System32\user.log

Tips & Tricks

• Use c:\sdwork\binwin\reboot.exe to re-boot your machine !
  Thanks, Cerys !

• NT, 2000, XP, Server 2003 - URL :
  • How do I run a series of 'jobs' in Windows 2000, the next time a user logs on? URL
  • Microsoft has released a tool to verify the installation of Windows 2000 hotfixes. URL

• Creating program aliases :
  To create a new alias, create a sub-key, and call it the name of the alias you wish to create (e.g. "JBLOGGS.EXE").
  Modify the (default) value of the sub-key to equal the fully qualified path and filename of the application you want to be launched when you execute the alias (e.g. "c:\windows\notepad.exe")

• Word : here.

Blank Admin Pwd

  Handles are an extremely valuable resource, so leaking handles is more virulent than leaking memory. [MSDN at Process Class]  

Links

• MSDN On-Line (***)
  Registry Functions (***)
  Registry e.p.
  RegFlushKey to write Registry to disk.
  How to use the Registry (***)

• Windows memory diagnostic

• Annoyances : Good !

• LongHorn - the three highlighted technologies for Longhorn are :
  1. Avalon - A replacement for the Windows GDI and HTML programming models.
     GUI and GUI creation.

  2. Indigo - Communication Services through Web Services. Remote procedure calls are out and Web Services are in. Remote procedure calls require tight coupling between client and server; Web Services require only loose coupling.
     Communications.

  3. WinFS - A transaction enhanced NTFS file system and a SQL engine on top. Properties of content (jpg size, jpg width and height; document authors; document key words; XML data) can all be indexed automatically.
     Removed

  WMIExplorer is a GUI built on top of PowerShell.

  Introducing Longhorn for Developers

   Longhorn supports two methods for creating applications :
  
       1. Write code -- the traditional approach
       2. Write Markup -- using Extensible Application Markup Language (XAML).
  

    64-bit is the path to Longhorn, mark my words   [egb, 28042005]

  Differences between Windows Server 2003 and Windows Server 2008 (a.k.a. Longhorn): URL

• Process library : description of lsass.exe, service.exe, svchost.exe, etc
  smss.exe : Session Manager
  lsass : Local Security Authority Subsystem

  Common Windows files : nupdate.exe
  Default Processes details - can end / cannot end.

• Windows to Linux roadmap

• Windows command line mailer : BLAT 1.88

• Total Commander

• Windows Hex editor [ Pro !!! ] From Pc World.

• Free and Good utilities :
  • AVG antivirus
  • Diskeeper Lite
  • Reg Cleaner

• Boot from CD : ERD Commander 2002

• Register Backup : ERUNT
  The Export registry function in Regedit is USELESS for making a complete backup of the registry. Neither does it export the whole registry (for example, no information from the "SECURITY" hive is saved), nor can the exported file be used later to replace the current registry with the old one. Instead, if you re-import the file, it is merged with the current registry without deleting anything that has been added since the export, leaving you with an absolute mess of old and new entries.
  URL

• search Microsoft KB (Support Knowledge Base)

• FTC recomienda ... DriveSnapShot [ better than GHOST !!! ]

• XP and W2K boot CD : Bart's PE Builder URL

• NAV : NAVCPU & NAVWHEN

• XP Experts NewsGroup : U/K := bacardinet@hotmail.com/KpGrs
  How to set AutoReboot Off without Control Panel ? Start here: "Resources for Troubleshooting Startup Problems in Windows XP" URL

• uSoft W2K Server HowTo's list

• uSoft System Eror Codes

• Inside the Native API [SysInternals]

• Outlook versions

• WIN32 programming FAQs

• Register Hack tips

• How to surf and read e-mail safely as an Administrator !?!?!? (uSoft)

• Win Links

• Bink.nu - uSoft news, technology and downloads.

• Open ?

• Stop WGA notifications

• Top 15 most controversial Microsoft quotes

• Mark Minasi's W Tech letter. @/k

• Windows products lifecycle index (by product), policy (& roadmap), select a product.

  Few samples : W2000Pro = Mar 2005. WXPPro = Jan 2009. W2000Server : soporte técnico = 2005; soporte ampliado = 2010.

• Intel Core 2 problems : Intel problem list, Geek,

• Excel can't multiply ? Que diu uSoft. Una altra opinió. Va de "IEEE 754" ...
• How to use Registry Editor to identify an unknown PCI device
• Auto actualitzacions ? (WU)

• New Passport account

• uS protocols

• Previous page

• C cleaner.

• Back to main page

• Site map

• Escriu-me !

Site under construction.

Updated 24/06/2009 (a).