<p><strong>Grand Stream Dreams</strong> ...soaring up...chasing dreams...what will I do if I catch one... (Claus)</p> <p><strong>Hell-in-a-Handbasket System Rescue – Part I: PGP WDE</strong> (posted 2009-07-18)</p> <p>Some time ago in a <a href="http://grandstreamdreams.blogspot.com/2009/06/gsd-keep-alive-ping.html">previous post</a>, I alluded to a series of lesson-learned posts I had regarding a particularly brutal system rescue.</p> <p>I doubt anyone even remembers it, but it was so worthwhile to me that I felt obligated to post.</p> <p>So here is Part I of this saga.</p> <p><strong><font color="#800000">Hell-in-a-Handbasket System Rescue</font></strong> <p>The day started like any other typical day. One of our VIP users brought to us his PGP Whole Disk Encryption (WDE) encrypted laptop. It held one physical drive with two Windows NTFS formatted partitions. Both were included in the whole-disk encryption. <p>It apparently experienced a HDD crash/failure of some sort which upon reboot caused PGP’s BootGuard pre-boot authentication wrapper to not accept the user’s PGP passphrase. There was little doubt that the passphrase was good and known to the user. The user reported they were doing (local to system) database maintenance work when the system locked up hard—totally non-responsive. The user hard-powered the laptop off and then back on. When the system came back on, it appeared to the end-user that BootGuard was damaged (?) as it would now not accept his known-good passphrase on the offered authentication screen. <p>The system contained local logs, reports, and database files of an organizationally critical nature. 
<p>The first-level technician attempted to fix the problem by using a Windows Setup disk from the Repair Console to check-disk (<a href="http://vlaurie.com/computers2/Articles/chkdsk.htm">CHKDSK /R</a>) to scan for and repair sector errors. Unfortunately this seems to have caused additional errors and rendered BootGuard damaged. A final pass at using a Windows XP Recovery console to FIXMBR (prior to decryption) left BootGuard seemingly no longer present. <p>It was at this stage that I got involved, apparently seen as being one of the PGP WDE mojo holders. <p>Off-line booting the system with my <a href="http://grandstreamdreams.blogspot.com/2009/03/custom-winpe-building-post-script-and.html">pgpwde injected PE Boot disk</a> and executing the “pgpwde --disk # --status” command showed that the drive was still reporting as PGP “instrumented” but would not boot to BootGuard. <p>Using the command-line <strong>pgpwde --auth --disk # --passphrase '<em>user passphrase</em>'</strong> command failed. This was unsettling as I frequently use this with great success to access a PGP WDE system “off-line” on the fly with no issues. <p>The user was also quite concerned at this point. <p><strong><font color="#800000">Step Two: The Tease</font></strong> <p>I attempted to use a PGP WDR boot-disk but it did not seem to allow any options to perform recovery or decryption of the drive…for whatever reason, it was not recognizing the drive as PGP encrypted. <p>At this stage it looked like the data was a total loss. <p>I checked in with our Enterprise level PGP support consultant who suggested that it appeared we had covered all the known bases. The only alternative suggested was to send it to a professional data-recovery company (at considerable cost) and see if they could recover the system. (Big Sigh) That was a non-starter despite the fact this was a critical system for this user and the production group he supports. <p>So I set the system aside, took a very deep breath, and hit the books. 
<p><strong><font color="#800000">Step Three: Hope!</font></strong> <p>Combing through the Internet and PGP Forums I seemed to find some leads that there existed an apparently undocumented command line argument to pass the pgpwde driver to attempt recovery of the PGP key/geometry from a backup sector on the encrypted drive. <p>It took me the better part of a day to work it out, but by Friday I felt confident enough to toss it at the system. We had done everything else. There was little to lose and after a week of not having his system back, the user was quite resigned that the ultimate result was total loss of the data. (BTW, he was not making backups….) <p>I again used my custom Win PE 3.0 pgpwde injected boot disk to boot the laptop “off-line” then ran the undocumented PGP WDE “recovery” command. (See a bit further down in the post for the technique.) <p>It scanned through the physical drive for the better part of a half-hour and eventually seemed to report that it had found and repaired the damaged (?) PGP WDE geometry references. <p>It still would not allow me to use pgpwde to authenticate to the encrypted volume. <p>I was mentally exhausted by this point at the end of the day and recognized I was a bit “punchy”. I decided to sleep on it before doing anything else. <p><strong><font color="#800000">Step Four: Decryption</font></strong> <p>On a hunch, first thing the next morning, I then again attempted to use the official PGP Recovery Boot Disk to decrypt the physical drive with the user’s known-good passphrase. <p>It now recognized his passphrase and began the decryption process! Hurrah! <p>I locked it down, ensured the A/C source was stable, and left it going. By the end of the day on Friday, the progress meter was still at 99% encrypted (8-hours later) but the drive indicator light was churning away. <p>Hoping for the best, I left it secured and running over the three-day holiday weekend. 
<p>When I came back, the PGP Recovery boot disk had a message that it had successfully decrypted the physical drive. <p>I was pleasantly stunned and amazed. <p>Back from the brink. <p>But the story is only half-way through. What would I find next on the unencrypted drive? Stay tuned for Part II. <p>…as well as my thoughts about a root-cause analysis on what happened to start the cascaded failure. <p>Now on to the technical lessons…. <p><strong><font color="#800000">Using the --recover command argument: Explanation #1 from Claus Valca</font></strong> <p>I’ve cobbled the following below together from various PGP technical and support forum pages (linked at the end of the post) as well as my own field notes. <p>Symptoms <p>On rare occasions internal or external disks that are Whole Disk Encrypted may experience the following issues: <ul> <li>Inability to decrypt or read the contents of a secondary or non-system disk.</li> <li>System displays "Error loading operating system_" after entering the passphrase at the WDE Login screen.</li> <li>Master Boot Record (MBR) corruption causing the system to no longer boot.</li> <li>After starting the system with the hard disk encrypted to a passphrase and an eToken, valid passphrases are not accepted.</li> <li>Using a PGP Recovery disk displays an “Internal error accessing disk, 0x80" error. </li></ul> <p>The following commands will help diagnose and decrypt the disk. <p>(<strong><em><font color="#d90000">Important Note!:</font></em></strong> These steps all assume you have “slaved” the encrypted drive to another system that has PGP WDE installed and running. 
In my case I didn’t do that, instead I used my own <a href="http://grandstreamdreams.blogspot.com/2009/03/custom-winpe-building-post-script-and.html">pgpwde injected PE Boot disk</a> although you could also use PGP’s instructions <a href="http://pgp-lithium.custhelp.com/cgi-bin/pgp_lithium.cfg/php/enduser/std_adp.php?p_faqid=807&p_created=1192573895&p_sid=QWO8LaDj&p_accessibility=0&p_redirect=&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MywzJnBfcHJvZHM9JnBfY2F0cz0mcF9wdj0mcF9jdj0mcF9wYWdlPTEmcF9zZWFyY2hfdGV4dD1iYXJ0cGU!&p_li=&p_topview=1">PGP WDE: Customizing the PE for PGP Whole Disk Encryption </a>to build your own BartPE based version as well.) <p>1. To begin working with the PGPWDE interface open a command prompt and change to the PGP installation directory (default directory shown) C:\Program Files\PGP Corporation\PGP desktop. <p>2. To list all installed hard disks in the system type: <strong>pgpwde --enum</strong>. Entering this command will give us a list of disks with numbers we will use in the next few steps. <p>3. Now type <strong>pgpwde --status --disk #</strong>. Substitute the WDE disk number listed in the previous step for the number # in the command if different. The output of this command will tell us whether the disk is still encrypted. <ul> <li>If the disk is not encrypted, "Disk 1 is not instrumented by bootguard" will be the output.</li> <li>If the disk is encrypted, the output will display: <ul> <li>"Disk 1 is instrumented by Bootguard."</li> <li>The total number of sectors.</li> <li>A Highwater value (number of sectors encrypted).</li> <li>Whether the current key is valid.</li> </ul></li> </ul> <p>4. Type <strong>pgpwde --list-user --disk #</strong>. This will tell us the user information contained on the disk. This will help in multi-user environments to determine which user passphrase was used to implement WDE. <p>5. 
Type <strong>pgpwde --recover --disk # --passphrase "xxxxxxx"</strong>. --recover will search your entire drive looking for the file information that contains the data for authenticating your disk and attempt to rebuild/restore them. This is necessary when the references that are stored become corrupted on your machine. It does not necessarily restore/repair damaged Boot Guard instrumentation. <p>Now you have some more choices to make. <ul> <li>You could place the “repaired” drive back in the original system and use your <a href="https://pgp.custhelp.com/cgi-bin/pgp.cfg/php/enduser/std_adp.php?p_faqid=471&p_created=1142375634&p_sid=DXy5SPDi&p_accessibility=0&p_redirect=&p_lva=&p_sp=cF9zcmNoPSZwX3NvcnRfYnk9JnBfZ3JpZHNvcnQ9JnBfcm93X2NudD00MTAmcF9wcm9kcz0mcF9jYXRzPSZwX3B2PSZwX2N2PSZwX3NlYXJjaF90eXBlPWFuc3dlcnMuc2VhcmNoX25sJnBfcGFnZT0x&p_li=&p_topview=1">PGP Whole Disk Encryption Recovery Disk Image</a> boot disk to decrypt the drive, or </li> <li>try the following from either the working system you have slaved the drive to, or</li> <li>try the following from your PGP injected Windows PE boot disk in the original system. </li></ul> <p>6. Type <strong>pgpwde --decrypt --disk # --passphrase "xxxxxxx"</strong>. This will start the decryption process. To view progress, type the status command listed in step 3 and note the “highwater” number. This number will get smaller and smaller as the number of sectors encrypted decreases. --decrypt expects the “recover” references to be correct, and therefore sometimes cannot locate the data in order to check the passphrase. <p>Clear? <p>If not, look below. 
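<p>Step 6 says to re-run the status command and watch the “highwater” number fall. The following added example (not part of the original post and not PGP's code) parses saved <strong>pgpwde --status --disk #</strong> captures and turns two or more timestamped readings into a rate and a time-remaining estimate. The line layout it parses and the sample readings are constructed assumptions; the post only names the “instrumented by Bootguard” sentence, the total number of sectors and the Highwater value.</p>

```python
"""Track pgpwde decryption progress from saved `pgpwde --status --disk #` output.

Added example, not PGP's code. The post only says the status output contains
the "instrumented by Bootguard" sentence, the total number of sectors and a
Highwater value; the exact line layout parsed here is an assumption.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class DiskStatus:
    instrumented: bool             # "is instrumented by Bootguard" was reported
    total_sectors: Optional[int]
    highwater: Optional[int]       # sectors still encrypted


@dataclass
class Progress:
    remaining: int                 # highwater at the latest reading
    percent_encrypted: Optional[float]
    sectors_per_sec: Optional[float]
    eta: Optional[timedelta]
    stalled: bool                  # no decrease between the last two readings


def _number_after(label: str, text: str) -> Optional[int]:
    """Integer that follows `label` on the same line (commas tolerated)."""
    m = re.search(label + r"[^\d\n]*(\d[\d,]*)", text, re.IGNORECASE)
    return int(m.group(1).replace(",", "")) if m else None


def parse_status(text: str) -> DiskStatus:
    # "is not instrumented" must not count as instrumented.
    instrumented = re.search(r"\bis\s+instrumented\b", text, re.IGNORECASE) is not None
    return DiskStatus(
        instrumented=instrumented,
        total_sectors=_number_after(r"total\s+(?:number\s+of\s+)?sectors", text),
        highwater=_number_after(r"highwater", text),
    )


def progress(samples: List[Tuple[datetime, str]]) -> Progress:
    """Estimate rate and time remaining from timestamped status captures."""
    readings = [(t, parse_status(txt)) for t, txt in samples]
    readings = [(t, s) for t, s in readings if s.highwater is not None]
    if not readings:
        raise ValueError("no reading contained a highwater value")
    (t_first, first), (t_last, last) = readings[0], readings[-1]
    pct = None
    if last.total_sectors:
        pct = 100.0 * last.highwater / last.total_sectors
    rate = eta = None
    stalled = False
    if len(readings) >= 2:
        stalled = last.highwater >= readings[-2][1].highwater
        elapsed = (t_last - t_first).total_seconds()
        done = first.highwater - last.highwater
        if elapsed > 0 and done > 0 and not stalled:
            rate = done / elapsed
            eta = timedelta(seconds=last.highwater / rate)
    return Progress(last.highwater, pct, rate, eta, stalled)


def constructed_status(highwater: int, total: int = 312_581_808) -> str:
    """Constructed sample text; real pgpwde output may be laid out differently."""
    return (
        "Disk 1 is instrumented by Bootguard.\n"
        f"    Total number of sectors: {total}\n"
        f"    Highwater: {highwater}\n"
        "    Current key is valid.\n"
    )


# Constructed readings, taken one hour apart.
START = datetime(2009, 7, 10, 9, 0)
SAMPLES = [
    (START + timedelta(hours=i), constructed_status(hw))
    for i, hw in enumerate([309_456_000, 305_856_000, 302_256_000])
]

if __name__ == "__main__":
    p = progress(SAMPLES)
    print(f"{p.remaining} sectors still encrypted ({p.percent_encrypted:.3f}%)")
    print(f"rate {p.sectors_per_sec:.0f} sectors/s, about {p.eta} remaining")
    print("stalled" if p.stalled else "still making progress")
```

<p>Logging the raw sector count rather than a whole-number percentage makes slow progress visible, and a <strong>stalled</strong> result between two readings is the cue to check the drive before assuming the tool is merely slow.</p>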
<p><strong><font color="#800000">Using the --recover command argument: Explanation #2 from the University of Alabama at Birmingham IT Department</font></strong> <p>Only later after I worked out the above culling through the Net and PGP forums did I discover the following <a href="http://main.uab.edu/Sites/it/faqs/58446/#bookmark4">PGP Guide for Campus Administrators</a> which had a clear “how-to” use of the --recover command: <blockquote> <p><strong>Hard Drive Recovery</strong></p> <p>If you have the drive slaved to a working machine with the same version of PGP Desktop try the following:</p> <ol> <li>Open a CMD prompt. <li>Go to: c:\Program Files\PGP Corporation\PGP Desktop\ <li>Run <strong>pgpwde --enum</strong> (this will list all the drives available on your machine, find the drive number for the encrypted drive, the first will be disk 0 (your boot drive) then disk 1, then disk 2 and so on) <li>Once you have your disk number, try: <strong>pgpwde --disk #(one you found) --recover</strong> (so if it's disk 1 it would be: pgpwde --disk 1 --recover), the pgpwde will search your disk for a backup sector, if it finds one it will restore it. <li>If it restores the sector, then do: <strong>pgpwde --disk # --decrypt --passphrase "enter within double-quotes"</strong> <li>To determine whether the drive is still instrumented (MBR Swapped) run: <strong>pgpwde --status --disk #</strong> <li>If the disk is instrumented, run: <strong>pgpwde --uninstrument --disk #</strong> </li></ol></blockquote> <p>Whew! Either one should give you a better chance and understanding on how to use and apply this powerfully useful argument. <p><strong><font color="#800000">Claus’s Lessons Learned</font></strong> <p>In reading around, it seems the preferred method of such a recovery is to “slave” the PGP damaged drive to a working system that has PGP WDE installed. 
Apparently the time to decrypt may be much faster than running it from/with the PGP WDR boot disk due to it occurring under a x32 bit OS rather than the x8 or x16 bit (I’m not sure which) OS that the PGP WDR boot disk operates under. I could be wrong on that and stand ready to be corrected by any in the know. It seems to me that using a Windows PE boot disk with PGP WDE pgpwde support injected in it would see similar performance as if it were “slaved” to a working system. This would still be my own preferred solution. <p>Regardless, if you do use the PGP Recovery boot disk to search drive and/or repair/decrypt it can take a VERY long time….days. Seriously. <p>Let it run and step away. It stayed on 99% decrypting for almost 8 hrs. when I went home. Sometime in the intervening three days later timeframe, it had completed without observation. <p>In hindsight, this was probably the case for when it is searching through a PGPMBR damaged drive for recovery with the PGP WDR boot disk, prior to requesting authentication. I had thought it was non-responsive but it probably was (very, very) slowly churning through the encrypted drive’s contents looking for the backup data file section needed for recovery. Had I let it complete I suspect it might have then offered me a chance to authenticate and decrypt without going through all this fuss. Unfortunately I wasn’t experienced with the process at that stage and was both impatient and frustrated by the lack of “official” documentation on the PGP site. So regardless, if you are recovering/decrypting a PGP encrypted drive, you need to seriously give it LOTS of time to run/complete. <p>Stay tuned for Part II where I then transition to attempting to salvage the data off the system. <p>It’s almost as good as I hope this post has been! <p>Cheers and happy <strong>--recover</strong> ‘ing <p>Claus V. 
<p><strong><font color="#800000">Bonus Linkage</font></strong> <p><strong><font color="#800000">Supporting PGP WDE “Recovery” linkage</font></strong> and reference material for the curious or desperate offered kindly below to save anyone time Googling this all up on your own. I promise it is all valuable stuff! <ul> <li><a href="http://main.uab.edu/Sites/it/faqs/58446/#bookmark4">PGP Guide for Campus Administrators</a> – University of Alabama, Birmingham.</li> <p></p> <li><a href="https://supportimg.pgp.com/guides/PGPwdeWinCmdline_991_usersguide_en.pdf">PGP Whole Disk Encryption Command Line for Windows</a> (PDF) – Official User’s Guide from PGP Corporation that documents many awesomely useful pgpwde command line operations and explains the terms PGP uses for its WDE solution. It doesn’t seem to explain, however, use of the --recover command. I’d call that a major FAIL.</li> <p></p> <li><a href="http://blog.securism.com/2009/01/recovering-a-pgp-whole-disk-encrypted-drive/">Recovering a PGP Whole-Disk-Encrypted Drive</a> – Securism Blog. Great and encouraging post by Jon Janego on his own frustrating attempt (eventually successful) to work out how to recover a borked PGP WDE drive. 
Slightly different technique than mine documented here, but all good and painfully similar in lessons learned.</li> <p></p> <li><a href="http://pgp-lithium.custhelp.com/cgi-bin/pgp_lithium.cfg/php/enduser/std_adp.php?p_faqid=807&p_created=1192573895&p_sid=QWO8LaDj&p_accessibility=0&p_redirect=&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PSZwX2dyaWRzb3J0PSZwX3Jvd19jbnQ9MywzJnBfcHJvZHM9JnBfY2F0cz0mcF9wdj0mcF9jdj0mcF9wYWdlPTEmcF9zZWFyY2hfdGV4dD1iYXJ0cGU!&p_li=&p_topview=1">PGP WDE: Customizing the PE for PGP Whole Disk Encryption</a> – PGP Corporation Knowledgebase Answer.</li> <p></p> <li><a href="http://forum.pgp.com/pgp/board/message?board.id=WDEforMAC&thread.id=589&view=by_date_ascending&page=2">PGP WDE will not boot - Tried Most Solutions - HELP - PGP Whole Disk Encryption for Macintosh</a> – PGP Forum Post.</li> <p></p> <li><a href="http://forum.pgp.com/pgp/board/message?board.id=54&thread.id=4169">WDE Recovery: "Boot harddisk is not instrumented; advanced recovery is needed" - PGP Whole Disk Encryption for Windows</a> – PGP Forum Post.</li> <p></p> <li><a href="http://pgp.lithium.com/pgp/board/message?board.id=46&view=by_date_ascending&message.id=6212">Master boot record became deleted - PGP Desktop 9.x for Windows</a> – PGP Forum Post.</li> <p></p> <li><a href="https://pgp.custhelp.com/cgi-bin/pgp.cfg/php/enduser/std_adp.php?p_faqid=471&p_created=1142375634&p_sid=DXy5SPDi&p_accessibility=0&p_redirect=&p_lva=&p_sp=cF9zcmNoPSZwX3NvcnRfYnk9JnBfZ3JpZHNvcnQ9JnBfcm93X2NudD00MTAmcF9wcm9kcz0mcF9jYXRzPSZwX3B2PSZwX2N2PSZwX3NlYXJjaF90eXBlPWFuc3dlcnMuc2VhcmNoX25sJnBfcGFnZT0x&p_li=&p_topview=1">PGP Whole Disk Encryption Recovery Disk Image(s)</a> – PGP Corporation Knowledgebase Answer.</li> <p></p> <li><a href="https://pgp.custhelp.com/cgi-bin/pgp.cfg/php/enduser/std_adp.php?p_faqid=470">PGP Whole Disk Diagnosis and Recovery - Windows</a> – PGP Corporation Knowledgebase Answer.</li> <p></p> <li><a href="https://pgp.custhelp.com/app/answers/detail/a_id/1018">PGP Whole Disk Encryption: Data Recovery (Mac OS X)</a> – PGP Corporation Knowledgebase Answer.</li> <p></p> <li><a href="https://pgp.custhelp.com/app/answers/detail/a_id/387">List Of Commands/Options for PGP (8.x)</a> – PGP Corporation Knowledgebase Answer.</li> <p></p> <li><a href="https://pgp.custhelp.com/app/answers/detail/a_id/608">Still seeing bootguard after decrypting whole disk encrypted hard drive</a> – PGP Corporation Knowledgebase Answer.</li> <p></p> <li><a href="https://pgp.custhelp.com/app/answers/detail/a_id/961">HOW TO: Uninstall PGP Products in Windows Safe Mode</a> – PGP Corporation Knowledgebase Answer.</li> <p></p> <li><a href="http://securology.blogspot.com/2007/10/pgp-whole-disk-encryption-barely.html">PGP Whole Disk Encryption - Barely Acknowledged Intentional Bypass</a> – Securology Blog. Not related (except in that it is another “undocumented” pgpwde command-line argument that is powerfully useful to technicians and system admins who work in a PGP WDE deployed environment). 
I’ve used it in a few situations when remotely servicing a system over-the-wires and the user needed to take off for a lunch-break.</li></ul> <p>--CV</p> <p><strong>Rainy-Day Linkfest</strong> (posted 2009-07-18)</p> <p>I can’t believe it but it is raining!</p> <p>Good hard rain and thunderstorms.</p> <p>Haven’t seen measurable rain in almost a month (or so it feels).</p> <p>Here are some links that caught my eye this past month.</p> <ul> <li><a href="http://blogs.technet.com/markrussinovich/archive/2009/07/07/3261309.aspx">Mark’s Blog : Pushing the Limits of Windows: Process and Threads</a> – In-depth look at how processes and threads operate and the factors that limit them. <p></p> <li><a href="http://www.msteched.com/online/view.aspx?tid=2d88f481-16bd-4fe6-909f-8833c92a5b1a">Microsoft® Tech·Ed Online</a> – Case of the Unexplained 3. Video media presentation by Mark Russinovich on Windows issues tracked down and solutioned using Windows Sysinternals tools and an understanding of focused troubleshooting techniques. <p></p> <li><a href="http://blogs.technet.com/sysinternals/archive/2009/07/01/new-tool-procdump-v1-0-updates-autoruns-v9-51-vmmap-v2-1-psexec-v1-96-book-released-windows-internals-5th-edition-released-webcast-case-of-the-unexplained-2009.aspx">Sysinternals Site Discussion : New Tools</a>: ProcDump v1.0 | Updates: Autoruns v9.51, VMMap v2.1, PsExec v1.96 new and updated tools to help manage and troubleshoot Windows systems. 
<p></p> <li><a href="http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx">ProcDump</a> – freeware – New command line tool from Sysinternals “…whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use) and unhandled exception monitoring. It also can serve as a general process dump utility that you can embed in other scripts.” <p></p> <li><a href="http://blogs.msdn.com/askie/archive/2009/07/14/how-to-bypass-the-web-page-to-save-internet-explorer-7-settings.aspx">How to bypass the web page to save Internet Explorer 7 settings</a>. – Ask the IE Team support blog. This is a great fix for a “nuisance” issue I deal with in making Windows system images. When the image is deployed, our techs have to re-do the IE 7 setup for each new user. This technique prevents the new settings page from launching. Not sure if it works for IE8 or not, though I don’t see why not at this point. We are just now deploying IE 7 across our systems but IE 8 will be a while making it to desktops so it really isn’t a big concern yet. <p></p> <li><a href="http://blogs.msdn.com/virtual_pc_guy/archive/2009/06/26/creating-virtual-hard-disks-with-windows-virtual-pc.aspx">Creating Virtual Hard Disks with Windows Virtual PC</a>. – Virtual PC Guy’s WebLog. Now you know. <p></p> <li><a href="http://thebackroomtech.com/2009/07/14/vista-x86-patch-to-address-4gb-of-ram/">Vista x86 patch to address 4GB+ of RAM</a> – The Back Room Tech blog. Julie points us to a technique worked out by <a href="http://www.remkoweijnen.nl/blog/">Remko Weijnen</a> which is a <a href="http://www.remkoweijnen.nl/blog/download/nrkrnlpa.zip">kernel patch</a> to get x86 versions of Windows Vista to address 4GB + of system RAM; something not supported by Microsoft. 
I don’t have any systems with main-boards capable of handling more than 2 GB RAM so I don’t get a chance to try it out. However if you are curious, Julie kindly provides a link to Remko <a href="http://www.remkoweijnen.nl/blog/2009/06/23/patch-vistas-kernel-to-address-more-than-4-gb-of-memory/">explaining how his patch works</a>. <p></p> <li><a href="http://www.hanselman.com/blog/UpgradingMyLenovoW500ToAOCZVertex250GBSATAIISolidStateDiskSSD.aspx">Upgrading my Lenovo W500 to a OCZ Vertex 250GB SATA II Solid State Disk (SSD)</a>. – Scott Hanselman’s Computer Zen brags and rubs hard-disk performance in our faces with his new SSD drive. Cold boot to desktop in under 20 seconds. That’s insane! More on his new laptop rig in this <a href="http://www.hanselman.com/blog/MyLenovoChoiceThinkPadW700VsThinkPadW500Review.aspx">Lenovo W500 post</a>. I am so jealous. It’s the human condition to be envious I suppose. <p></p> <li><a href="http://portableapps.com/news/2009-06-25-_java_portable_6_update_14">Java Portable 6 Update 14 Released</a> – PortableApps.com – Finally, a version of Java that you can keep on your USB stick for running Java needs on a system that Java is-not/cannot be installed on. I’m thinking it would be useful on Win PE 3.0 USB-booted system for apps that use/depend on Java. <p></p> <li><a href="http://www.liberkey.com/en/">LiberKey</a> – freeware – Over 200 applications in a single package to drop on your USB stick (or system) that don’t need “installation”. It’s one of the most well-rounded “portable-app” packages I’ve yet come across. Available in “Basic”, “Standard” or “Ultimate” packages depending on the type and number of applications you need. The only concern I see (and it is a typical one with these packages) is if it satisfies the individual software developer’s rules about redistribution of their applications. That major issue aside, it is a great option for technicians and troubleshooters to seed their collection of tools and utilities. 
<p></p> <li><a href="http://holisticinfosec.blogspot.com/2009/07/malzilla-exploring-scareware-and-drive.html">Malzilla: Exploring scareware and drive-by malware</a>. – HolisticInfoSec.org. – Announcement of a new tool that will help analyze and dissect potential malware. From the post: “Malzilla is best described as a useful program for use in exploring malicious pages, allowing you to choose your own User Agent and referrer and use proxies. While it downloads Web content, it does not render it, so it is not a browser. Think of it as WGET with a user interface and some very specific talents. In Using Malzilla, we’ll take a close look at rogue AV tactics and exploit sites in order to study the infection process utilized.” <p></p> <li><a href="http://www.forensickb.com/2009/06/enscript-to-export-files-by-extension.html">EnScript to Export files by extension</a> – Computer Forensics, Malware Analysis & Digital Investigations blog. Now I am just plain frustrated! I don’t use EnCase as part of my job functions. However this EnCase EnScript would be awesome to have as a system administrator! Simply put it “…will export all the files with matching extensions (case insensitive) to the folder you specify. A subfolder for each extension is made and the corresponding files are placed into their respective folders.” Golden! Only I can’t find a similar Windows utility. Or know of a way to run an EnScript without EnCase. This feature would be awesome in recovering user-data from a tanked system. I guess there could be a batch-file solution perhaps. Any tips or suggestions? 
For a tease on an upcoming system recovery post, I do know and have used the incredibly clever <a href="http://builtbackwards.com/projects/photorec-sorter/">PhotoRec Sorter</a> utility, but it doesn’t quite match this script by Lance Mueller. See Lance’s updated post: <a href="http://www.forensickb.com/2009/07/enscript-to-export-files-based-on.html">EnScript to Export files based on Extension v1.1</a> for an update. <p></p> <li><a href="http://www.irnis.net/soft/xfff/">eXpress FreshFiles Finder</a> – freeware – Utility I found while looking for a standalone tool to do the features in the above. This useful “standalone” tool will provide a list of the most recently updated files on your target system. Good for first-pass analyzing a system in an incident response scenario. Install the application, copy the created program folder to your USB stick, then uninstall. It ran fast and fine on my Windows 7 x64 bit system and says it is XP/Vista compatible as well. It couldn’t access some normally protected folders, even running as Administrator level. I’ll try later to see how it works if elevated to System level. Still useful. <p></p> <li><a href="http://www.shadworld.com/node/3">FolderWorks</a> – freeware – ShadWorld. Another related tool for counting files and categorizing them by extensions or file types. No files are actually copied or moved. Solely useful for documentation and assessment work on a system.</li></ul> <p></p> <ul> <li><a href="http://www.baremetalsoft.com/baregrep/">BareGrep - Free grep for Windows</a> – Bare Metal Software. Great tool for advanced and complex system and file searching for only 246 kB in size but very fast and very advanced for the most demanding system-inspecting needs. Simply amazing. Oh yes. It’s a single non-installing exe file and fully portable. Works great on XP through Windows 7 systems. 
<p></p> <li><a href="http://blog.didierstevens.com/2009/07/13/quickpost-truecrypts-boot-loader-screen-options/">Quickpost: TrueCrypt’s Boot Loader Screen Options</a> – Neat tip by Didier Stevens on how to configure TrueCrypt’s boot loader screen to display a “NTLDR is missing” error when booting a TrueCrypt encrypted hard drive. Should obscure the system from further examination by only the most seasoned techies or investigators. Of course the thing unravels fast if the actual drive is analyzed at the sector level (or forensically) when the TrueCrypt bootloader is discovered. That knowledge still won’t help the curious get into the TrueCrypt protected layer, but the gig will be up at that point. Certainly clever and a reminder to techies and incident response folks that what you see may be deceptive so you need to keep an open mind and be willing to dig a bit deeper. For the record, the legitimate error message would be “NTLDR is missing. Press Ctrl+Alt+Del to restart”</li></ul> <p>Nice being back in the blogging saddle!</p> <p>Cheers!</p> <p>--Claus V.</p> <p><strong>Inspiring Designs</strong> (posted 2009-07-18)</p> <p align="center"><a href="http://photos1.blogger.com/blogger/1381/1225/1600/2006-06-04_104715b.0.jpg"><img border="0" alt="" src="http://photos1.blogger.com/blogger/1381/1225/400/2006-06-04_104715b.jpg"></a></p> <p>Digressing from tech again for a moment.</p> <p>Somewhere in the Valca home, I have a house-plans magazine that contains a small cottage-style lake house design that totally would be a dream-home.</p> <p>It is small and compact, has wood-shingle style exterior cladding. It is two-story with two under-roof bedrooms and a shared bath upstairs. 
Downstairs is a wide galley-style kitchen spilling into an informal country dining area. To the opposite side is a cozy craftsman-style casual living room anchored by two half-height built-in bookcases with windows above and a river-stone fireplace in-between.</p> <p>It just seems the type of place I could sink into to escape. Nothing techy or modern about it.</p> <p>In contrast to the lake-side cottage style that seems warm and inviting, the Germanic blood in me still gets excited and inspired by these efficient and modern designs. I think the theme in them all that appeals to me is the logical lines and the blending of the outdoors and indoors. Living on the Gulf-Coast, I love air-conditioning. Couldn’t imagine living without it. That said, most of the normal designs down here are enclosed and isolate the occupant from the natural outdoors.</p> <p>These recently posted designs--as caught on my favorite architectural blog <a href="http://www.archdaily.com/">Arch Daily</a>--seem to successfully bring the outdoors in; boldly.</p> <ul> <li><a href="http://www.archdaily.com/24396/big-dig-house-single-speed-design/">Big Dig House / Single Speed Design</a> – ArchDaily</li> <p></p> <li><a href="http://www.archdaily.com/26431/six-ramsgate-wallflower-architecture-design/">Six Ramsgate / Wallflower Architecture + Design</a> – ArchDaily</li> <p></p> <li><a href="http://www.archdaily.com/26496/cabin-nordmarka-jva/">Cabin Nordmarka / JVA</a> – ArchDaily</li> <p></p> <li><a href="http://www.archdaily.com/27468/anglesea-house-andrew-maynard-architects/">Anglesea House / Andrew Maynard Architects</a> – ArchDaily</li> <p></p> <li><a href="http://www.archdaily.com/27537/house-k-tham-videgard-hansson-arkitekter/">House K / Tham & Videgård Hansson Arkitekter</a> – ArchDaily</li> <p></p> <li><a href="http://www.archdaily.com/29231/house-c-prax-architects/">House C - Prax Architects</a> – ArchDaily</li> <p></p> <li><a href="http://www.archdaily.com/27043/kubler-house-57-studio/">Kübler 
House / 57 STUDIO</a> – ArchDaily</li> <p></p> <li><a href="http://www.archdaily.com/29409/open-air-sculpture-mra/">Open-air sculpture / MRA</a> – ArchDaily</li></ul> <p>Bonus find: <a href="http://www.muji.us/store/">MUJI USA</a>. Wonderfully simple designed products for practical living.</p> <p>--Claus V.</p> <div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-9014581956326031581?l=grandstreamdreams.blogspot.com'/></div>Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-79222330874168470772009-07-18T16:23:00.001-05:002009-07-18T16:23:17.253-05:00Dead End Linkage<p align="center"><a href="http://lh4.ggpht.com/_Km3V5JZ6Aws/SmI9QI5F6AI/AAAAAAAAAuc/zqUDx51QHD4/s1600-h/image%5B5%5D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/_Km3V5JZ6Aws/SmI9REWsJWI/AAAAAAAAAug/4hqgLDVfLnQ/image_thumb%5B15%5D.png?imgmax=800" width="489" height="254"></a> </p> <p align="right"><font color="#800080" size="1">cc credit: Headstones by </font><a href="http://www.flickr.com/photos/notratched/2333897256/"><font color="#800080" size="1">notratched on Flickr</font></a></p> <p align="left">Nothing to see here.</p> <p align="left">Just some dead-end linkage for a project I was working on that I ran out of current levels of time and patience for.</p> <p align="left">I may come back to it later. 
Or not.</p> <ul> <li><a href="http://support.microsoft.com/kb/928636">You cannot extract the contents of a Microsoft Update Standalone Package for Windows Vista</a> – Microsoft Help and Support Article ID 928636</li> <p></p> <li><a href="http://technobuff.wordpress.com/2008/07/22/what-is-an-msu-file/">what is an .msu file?</a> - Scribblings of a TechnoBuff.</li> <p></p> <li><a href="http://support.microsoft.com/kb/934307">Description of the Windows Update Stand-alone Installer (Wusa.exe) and of .msu files in Windows Vista and in Windows Server 2008</a> – Microsoft Help and Support Article ID 934307</li> <p></p> <li><a href="http://www.deploymentforum.com/Community/Forums/tabid/124/forumid/16/postid/2540/view/topic/Default.aspx">Different Application Install for Different OS</a> – Deployment Forum</li> <p></p> <li><a href="http://www.mydigitallife.info/2007/02/15/extract-and-view-contents-of-microsoft-update-standalone-package-msu-for-windows-vista/">Extract and View Contents of Microsoft Update Standalone Package (MSU) for Windows Vista</a> – My Digital Life.</li></ul> <p>Left for archival and reference purposes.</p> <p>Moving on…</p> <p>Claus V.</p> <div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-7922233087416847077?l=grandstreamdreams.blogspot.com'/></div>Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-90809828235239668042009-07-18T15:46:00.001-05:002009-07-18T15:46:18.629-05:00VAIO Upgrade – Passing it On<p>First weekend in a very, very, very long time that I’ve been able to come up for both air and mental harmony to allow myself a chance to drop a few blog posts.</p> <p>Thanks for your patience. 
I assure you my “To Blog” hopper is quite full.</p> <p><strong><font color="#800000">A Sony branded Gift Horse</font></strong></p> <p>About a month ago, my brother decided to upgrade his laptop to a more powerful version.</p> <p>That left his previous <a href="http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?langId=-1&storeId=10151&catalogId=10551">Sony VAIO</a> laptop out on the street looking for a good home.</p> <p>He offered it to us but with one desktop system and three pretty current, x64 supported laptops (two of which are dual-core), I really couldn’t justify adopting it for our family.</p> <p>Luckily I recalled an earlier conversation with a couple from Lavie & I’s younger days who were visiting our church.</p> <p>They lead a ministry supporting families living in some of the poorest villages in Mexico by bringing and distributing household goods and staples that most Americans wouldn’t think twice about tossing in their shopping carts; feminine products for the ladies, shoes for the kids, TP, shampoos and soaps, stuff like that.</p> <p>They had mentioned how they were looking for a laptop to help organize their ministry efforts. It needed to be modern enough to be useful, but nothing they would regret if it got battered in the process.</p> <p>I mentioned this need and bro. enthusiastically OK’ed the hand-off to them.</p> <p>So the passing-on-of-kindness operation ensued.</p> <p><strong><font color="#800000">Plan XP</font></strong></p> <p>It is a Sony VAIO PCG-792L model. 1.0 GB RAM, a 1.73 GHz Intel Centrino processor, a 90 GB HDD, and both Ethernet and Wi-Fi support. Not a bad system. Only things of note were a stain of sorts around the edges of the LCD display…but no dead/busted pixels so it is almost not noticeable. Also, the power-cord plug is a bit cat-nibbled. 
Other than that it is good as new.</p> <p>Bro had already data-wiped the drive.</p> <p>The system had the OEM XP Home key on a MS sticker on the bottom.</p> <p>I used a slipstreamed XP Home SP3 setup disk to get it going. It’s been a while since I did a scratch-install of XP so I forgot how long it took—even with a slipstreamed disk.</p> <p>All was well except for one issue: no NIC drivers. I spent the day scouring Sony’s site, the Internet, and even trying other model drivers from other VAIO systems. No dice. Bro couldn’t find the OEM driver disk (may have been purged) so it looked like the XP load was scrubbed.</p> <p><strong><font color="#800000">Plan 7</font></strong></p> <p>So for an alternative solution I tossed on a Windows 7 RC (x32) load.</p> <p>I wish I could provide you an exciting, tooth-and-nail technical troubleshooting story filled with excitement and cleverness working around near insurmountable issues.</p> <p>No such luck this time.</p> <p>In about twenty minutes the system was up and fully updated from the Internet. No driver issues at all. Again the driver support (out of the box) for Windows 7 continues to amaze me; particularly on laptops.</p> <p>I tossed on the Microsoft Security Essentials beta release, Open Office, Safari 4, Firefox 3.5.1, and Foxit Reader just to get them rolling.</p> <p>I installed Flash Player and Java for good measure.</p> <p>It really was remarkably fast (the system on Windows 7). I should have run a Windows performance rating test on it, but I was in a hurry to start my blogging work. I’ll update this post later when I do.</p> <p>So this OS should keep them happy until March when it starts to do the auto-shutdowns. 
I figure by that time they will have likely picked up a retail version of Windows 7 and will be good to go.</p> <p>So a used system is kept out of the landfill for a bit longer and finds new life spreading love and compassion in the world.</p> <p>Something that all too often, it seems, is in short supply.</p> <p>Claus V.</p> Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-9199851216814357352009-06-21T15:09:00.001-05:002009-06-21T15:09:33.186-05:00Security and Forensics Linkfest<p>I got to confess, a few weeks ago while I was working on a rather challenging data-rescue project over the course of a week or so, I was having a blast.</p> <p>Then I shifted gears and had the opportunity to work on a high-level workgroup and provide documentation support.</p> <p>I really miss it when I’m not “getting my hands dirty” directly on systems.</p> <p>Working an issue with trusted tools or searching for just the right new one to do a task better is so much fun.</p> <p>Here’s a well-rounded selection of security and forensics tools and resources that almost certainly will have you scrabbling around for a system or two to throw them at.</p> <ul> <li><a href="http://windowsir.blogspot.com/2009/06/more-links.html">More Links</a> - Windows Incident Response – Harlan has a most excellent and jam-packed post full of forensics goodies such as a reference to a new Windows memory imaging tool update for the free <a href="http://www.msuiche.net/2009/06/08/update-win32dd-12220090608-fixes-improvements/">Win32dd</a>. Also in that post was an introduction (to me) to a new system info-gathering tool called <a href="http://mirror.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=28030#DownloadId=69870">MIR-ROR</a>. 
Like similar “collective” tools such as his own <a href="http://www.regripper.net/">RegRipper</a>, Security Database’s <a href="http://www.security-database.com/evidence.php">Evidence Collector</a>, and Mandiant’s <a href="http://www.mandiant.com/software/firstresponse.htm">First Response</a> these multi-function info collection tools aren’t solutions in themselves, but they can make the collection of first-pass level logs and information simpler. Armed with these after careful analysis by the responder, more surgical system analysis can take place with task-specific tools. I’ll let Harlan’s own words on MIR-ROR speak for themselves…</li></ul> <blockquote> <p>I recently heard about a tool called <a href="http://mirror.codeplex.com/">MIR-ROR</a>, put together originally by Troy Larson and then expanded by <a href="http://holisticinfosec.blogspot.com/">Russ McRee</a>, both of Microsoft. Russ blogged about it <a href="http://holisticinfosec.blogspot.com/2009/05/mir-ror-for-incident-response.html">here</a>, and there's a <a href="http://holisticinfosec.org/toolsmith/docs/june2009.pdf">toolsmith article</a> available on it, as well. MIR-ROR is a batch file that is useful for running tools on a system as part of incident response; what I like about this is that Russ isn't sitting back hoping that someone does something like this, he's taking advantage of his knowledge and capabilities to put this together. And he's made it available to the public, along with instructions on how to run it. I like tools like this because they're self-documenting...properly constructed and commented, they serve as their own documentation. As always, the standard caveat applies...use/deploy tools like this as part of an incident response plan. 
If your plan says you need to acquire a pristine image of the drive first, you will want to consider holding off on using a tool like this...</p></blockquote> <p>You will have to collect many of the executables that are needed and assemble them into the package. The documentation is great. As I recall I found a few references that were off but some patient Googling turned up the correct locations and I soon had it all put together.</p> <ul> <p></p> <li><a href="http://forensicir.blogspot.com/2009/06/memory-acquisition-for-first-responders.html">Memory Acquisition for First Responders</a> – Forensic Incidence Response blog – Since I just mentioned win32dd this post by hogfly came at an opportune time. I believe that while memory acquisition and imaging is still primarily of use to forensic examiners, system admins can use the same lessons and apply them when doing incident response to a malware-infected system. As I say over and over again, too many IT Techs when getting a report of a virus/trojan/malware infection just run roughshod over the system with anti-virus/anti-malware cleaning tools and remove critical information to help understand WHAT is going on and WHY. There are LOTS of great Windows-based tools to capture memory images and data…many of them free (another post) so there’s little excuse not to capture an image of the memory of an infected system before going to town on the cleaning. Getting a sector-based image of the physical drive could also be valuable as well. This gets the end-user up and producing again and lets the analysts have more time in the lab dissecting the cadaver without everyone breathing down their neck with impatience. <p></p> <li><a href="http://thedigitalstandard.blogspot.com/2009/06/live-analysis-part-i-changing-of-guard.html">Live Analysis Part I - Changing of the Guard</a> - The Digital Standard – Thoughtful post by cepogue on just that prior theme. 
Sometimes some incidents (or organizational attitudes/processes) just don’t support the “by-the-book” Incident Response handling methodologies. Managers want the system cleaned and up and running, users complain about lost productivity, you can’t convince anyone who matters about the need to determine what, if any, data may have leaked. So many techs (and “my-blood-runs-IR” analysts) have to do a crash-n-dash response. That said, with skill and pre-planning, you can still make the best of a bad IR situation and hopefully walk away with valuable info despite the organizational “head-in-the-sand” culture. I’m looking forward to Part II. <p></p> <li><a href="https://blogs.sans.org/computer-forensics/2009/06/18/forensics-101-acquiring-an-image-with-ftk-imager/">Forensics 101: Acquiring an Image with FTK Imager</a> – SANS Forensics blog – Great how-to post on using <a href="http://www.accessdata.com/downloads.html#Utilities">FTK Imager</a> to perform a GUI-based image pull from a system or storage device. <p></p> <li><a href="https://blogs.sans.org/computer-forensics/2009/06/19/directory-link-counts-and-hidden-directories/">Directory Link Counts and Hidden Directories</a> – SANS Forensics blog – This post was a neat review of Unix file-structure handling and how to leverage it for searching for hidden directories. I was wondering if there was a Windows-supported solution. I saw in the comments note that <a href="http://www.ossec.net/main/">OSSEC</a> has this ability and in poking around found an agent tool compatible with Windows in the <a href="http://www.ossec.net/main/downloads/">Downloads</a> section. Though not exactly the same there is Joanna’s tool <a href="http://invisiblethings.org/tools/flister.txt">FLISTER</a> from her <a href="http://invisiblethings.org/code.html">invisiblethings.org</a> tools page which might be worth looking into as well for Windows folks. 
<p></p> <li> <a href="http://www.room362.com/archives/585-getting-your-fill-of-reverse-engineering-and-malware-analysis.html">Getting your fill of Reverse Engineering and Malware Analysis</a> - Room362.com. An outstanding collection of links to sites/sources for reverse engineering and malware analysis tools, techniques and news. Quite bookmark-worthy. <p></p> <li><a href="http://www.cybersec.eu/?p=128">New BackTrack 4 “Forensics Mode”</a> - CyberSec.eu. News that the next version of <a href="http://www.remote-exploit.org/backtrack.html">BackTrack</a> (security and pen-testing LiveCD) will offer a “forensics-mode” boot-option from the Grub loader. Nice to have this option available to a venerable security minded LiveCD. If you just can’t wait, Remote-Exploit has made the <a href="http://www.remote-exploit.org/backtrack_download.html">BackTrack 4 Pre Release download</a> ISO (fyi-DVD sized) available at that link. For even more info check out the <a href="http://www.offensive-security.com/backtrack4-guide-tutorial.pdf">release pdf</a> and <a href="http://www.offensive-security.com/videos/backtrack-security-training-video/up-and-running-backtrack.html">Introduction Video</a>. <p></p> <li>Helix3 2009R1 FREE is once again available for download from the developers. Please see this GSD post <a href="http://grandstreamdreams.blogspot.com/2009/02/helix3-thanks-for-memories.html">Helix3: Thanks for the memories…</a> to come up to speed on the issue. A recent comment by <a href="http://grandstreamdreams.blogspot.com/2009/02/helix3-thanks-for-memories.html?showComment=1243884838639#comment-8196152392948078540">Lauren</a> on that post got me looking around (and I did have to look hard to find it!) for the download link on the e-fense site. 
It can be found <a href="http://www.e-fense.com/helix3-download.php">here.</a> Registration is required to get to the download page, but if you hadn’t already tucked away a ISO file of the last free version, you do now have a safe option to get it fresh. Of course, to e-fense’s credit, they would rather you pony up some $ to get the newest (non-free) version of HelixPro and depending on your needs, that might be a better thing to do. Either way, it’s nice having the choice again. <p></p> <li><a href="http://forum.charlestendell.com/viewtopic.php?f=3&t=17&start=0&sid=8e233c77ae2dd13857d6d38473d183e9">Download HelixCE200401brc1.iso RC1!!! Updated</a> – Meanwhile, out of the previous “Helix going commercial” drama mentioned above, Charles Tendell struck on a new Helix “Community Edition” version. Due to licensing and other issues (RE: IAMAL) , he had to strip out some e-fense specifically-developed apps from his build that were present in the original Helix project builds. However he continues to plug away at filling the voids with new tools from other sources. Check it out including these <a href="http://forum.charlestendell.com/viewtopic.php?f=3&t=37&start=0">screenshots and application list.</a> <p></p> <li><a href="http://ntcore.com/exsuite.php">Explorer Suite (PE analyzer) III</a> – NTCore – A jam-packed tool to allow analysis and review of executable PE files. From the developer:</li></ul> <blockquote> <p>Created by Daniel Pistelli, a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. 
The suite is available for x86, x64 and Itanium. </p></blockquote> <p></p> <ul> <li><a href="http://ophcrack.sourceforge.net/">Ophcrack 3.3.0 and Ophcrack LiveCD 2.3.0</a>. – New versions of these password auditing/cracking tools are now available. Don’t let the unsync’ed versioning fool you. The main program is version 3.3.0 and the LiveCD version 2.3.0 contains the program version 3.3.0. Go figure. Changes in the new version are described on their <a href="http://ophcrack.sourceforge.net/news.php">News</a> page as follows: <p></p></li> <p></p></ul> <blockquote> <p>Ophcrack version 3.3.0 includes support for our new tables vista_seven. These tables crack 99% of passwords of length 7 composed of almost any character including special characters. This table set will be included in our professional tables bundle. <p>New features have been added like the table size verification in order to warn the user if the tables have not been fully downloaded for example. It is also possible to tune how the preloading should be done. <p>An important effort was made to release a brand new LiveCD. A very interesting and refreshing distribution called Slitaz was customized to make a lighter than ever ophcrack LiveCD. It should enable us to update the LiveCD more often and to make your experience much better too. We would like to thank Slitaz team for their support in making this LiveCD. Do not hesitate to give a look at their stable distribution! </p></blockquote> <p></p> <ul> <li><a href="http://sourceforge.net/project/showfiles.php?group_id=189429">NetworkMiner v0.88</a> – New release on this awesome packet-capture management tool. What I really like about it is the ability to parse PCAP files for offline study as well as the ability to extract and save media files (such as audio or video files) which are streamed across a network. Supported protocols for file extraction are FTP, HTTP and SMB. 
I don’t have to packet-sniff often, but when I do and I need to analyze a lot of the content being moved, this is the first tool I reach for…hands down!</li> <p></p> <li><a href="http://www.wireshark.org/">Wireshark version 1.2 </a>– Speaking of network packet capturing..Wireshark got a bump to version 1.2. According to the <a href="http://www.wireshark.org/news/20090615.html">Release</a> notice:</li></ul> <blockquote> <p>This is the new stable release branch of Wireshark and many new and exciting features have been added since 1.0 was released. <h6>In this release</h6> <ul> <li>Wireshark has a spiffy new start page. <li>Display filters now autocomplete. <li>A 64-bit Windows (x64) installer is now provided. <li>Support for the c-ares resolver library has been added. It has many advantages over ADNS. <li>Many new protocol dissectors and capture file formats have been added. <li>Macintosh OS X support has been improved. <li>GeoIP database lookups. <li>OpenStreetMap + GeoIP integration. <li>Improved Postscript(R) print output. <li>The preference handling code is now much smarter about changes. <li>Support for Pcap-ng, the next-generation capture file format. <li>Support for process information correlation via IPFIX. <li>Column widths are now saved. <li>The last used configuration profile is now saved. <li>Protocol preferences are changeable from the packet details context menu. <li>Support for IP packet comparison. <li>Capinfos now shows the average packet rate. </li></ul> <p>For a complete list of changes, please refer to the <a href="http://www.wireshark.org/docs/relnotes/wireshark-1.2.0.html">1.2.0 release notes</a>. </p></blockquote> <ul> <p></p> <li><a href="http://forums.virtualbox.org/viewtopic.php?f=15&t=18818">VirtualBox 3.0 Beta 1 released</a>. 
– While Sun’s VirtualBox public (stable) release version is at <a href="http://www.virtualbox.org/wiki/Downloads">Version 2.2.4</a>, this new 3.0 Beta 1 version brings a whole mess of exciting (and probably unstable) features! Along with lots of tweaks, bug-fixes, and enhancement, the following new features are on their way in this version:</li></ul> <blockquote> <p>Version 3.0 will be a major update. The following major new features were added: <ul> <li>Guest SMP with up to 32 virtual CPUs (VT-x and AMD-V only) <li>Windows guests: ability to use Direct3D 8/9 applications / games (experimental) <li>Support for OpenGL 2.0 for Windows, Linux and Solaris guests</li></ul></blockquote> <ul> <p></p></ul> <p>For more information on VirtualBox betas, drop into and monitor the <a href="http://forums.virtualbox.org/viewforum.php?f=15">VirtualBox Beta Feedback forum</a>.</p> <p>Cheers!</p> <p>--Claus V.</p> <div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-919985121681435735?l=grandstreamdreams.blogspot.com'/></div>Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-29859074541953759712009-06-20T21:20:00.001-05:002009-06-20T21:20:44.730-05:00Browser News and Tips<p>Miscellaneous news and happenings in the world of web-browsers.</p> <p><strong><font color="#800000">Firefox First</font></strong></p> <p><a href="http://ffextensionguru.wordpress.com/2009/06/20/firefox-3-5-rc1/">Firefox 3.5 RC1?</a> and <a href="http://ffextensionguru.wordpress.com/2009/06/19/firefox-3-5-release-candidate-2-released/">Firefox 3.5 Release Candidate 2 Released</a> - The Firefox Extension Guru’s Blog – If you blinked this week you probably missed 3.5 RC1. I saw it was coming and pulled it down by doing a manual Check for Updates. 
If you didn’t or were waiting for a big public announcement…you probably missed it!</p> <p><a href="http://mozillalinks.org/wp/2009/06/first-look-to-firefox-3-5-rc2/">First look to Firefox 3.5 RC2</a> - Mozilla Links blog opens up with news that the first RC wasn’t that big a deal and this one doesn’t add much more to the party…then goes on to long-list all the neat and improved features it provides…whazz-up? It’s a good rundown and 3.5 RC2 has been rock-solid on all my various (and I do mean various) Windows systems.</p> <p>But really…why the fast RC1 to RC2 release jump? Mozilla is usually very cautious and deliberate in these semi-public official releases. There has to be a story behind the story. Right?</p> <p>Maybe so…</p> <p><a href="http://www.betanews.com/article/Mozilla-posts-yet-another-Firefox-35-Release-Candidate/1245428802">Mozilla posts yet another Firefox 3.5 Release Candidate</a> – Betanews’ Scott M. Fulton, III digs around and comes up with this information in a really brief post.</p> <blockquote> <p>It was apparent yesterday, after <a href="http://www.betanews.com/article/Safari-4-for-Windows-slows-down-after-Apple-security-update/1245359629">a test of the organization's latest private daily build</a> of the Firefox 3.5 browser, that Mozilla's developers had discovered a jackpot of performance improvements in some specific areas: JavaScript math, RegEx (regular string expression) searches, and general control flow. Betanews tests yesterday gave the Thursday morning build 8% better overall speed in Windows 7 RC, and a better overall performance index score on that platform of <b>9.35</b> versus <b>8.81</b>, relative to the performance of Microsoft Internet Explorer 7 on Windows Vista on the same physical machine. <p>Now it appears the team is willing to capitalize on that find. This morning, Mozilla's servers made available Release Candidate 2 of Firefox 3.5 to the general public. 
Again, the team makes these public builds available prior to a formal announcement, though word from Mozilla about RC1 was actually rather quiet this week. The possibility of an RC2 in the near term -- just days later -- may have been why.</p></blockquote> <p><a href="http://www.mozilla.com/en-US/firefox/all-rc.html">Firefox web browser 3.5 RC2 Public Link</a> – Mozilla’s latest public Release Candidate can be found here if you are still on the 3.0.x builds and are curious. Most of the popular extensions for 3.0 builds have been updated to support 3.5 so it might be a good time to try it out if you are curious. More technical news and warnings here: <a href="https://developer.mozilla.org/devnews/index.php/2009/06/08/firefox-35-preview-now-available-for-beta-users/">Mozilla Developer News » Firefox 3.5 Preview now available for beta users</a></p> <p><a href="http://mozillalinks.org/wp/2009/06/the-new-firefox-icon/">The new Firefox icon</a> - Mozilla Links – Besides the speed and other feature enhancements, this RC version now brings with it the updated Firefox icon. As silly as it sounds, it really does stand out as I have multiple versions of Firefox on some of my systems and seeing the icons side-by-side on my desktop the differences are clear. Well done!</p> <p><a href="https://wiki.mozilla.org/Firefox/Sprints/about:me">Firefox/Sprints/about:me</a> – MozillaWiki – very preliminary work on an extension that provides drill-down data on your Firefox browsing patterns. Scary stuff for some but a goldmine for OCD Firefox users. I was curious to install the very early version on my system. 
I read (<strike>somewhere but didn’t save the link</strike>) in this post <a href="http://mozillalinks.org/wp/2009/06/firefox-next-peek-profiling-yourself/">Firefox.next peek: profiling yourself</a> at Mozilla Links blog that this might be added in as a “feature” of future Firefox versions (Danger Will Robinson…Feature Bloat Detected…Danger Will Robinson!)</p> <blockquote> <dl> <dt>Description <dt> <dd>A statistical analysis of the user's history, average tab load, etc. Like Google Zeitgeist, but based on their Places database. </dd></dl> <ul> <li>Dietrich has an add-on that does some of this already. <a href="https://wiki.mozilla.org/Image:About-history.png">screenshot</a></li></ul></blockquote> <p><a href="http://blog.mozilla.com/addons/2009/06/10/introducing-add-on-collections/">Introducing Add-on Collections</a> - Mozilla Add-ons Blog. In an effort to make the power of Firefox's extensibility even easier for Firefox virgins to join in on, Mozilla now has a project called “Add-on Collections” that bundles popular extensions in singularly-downloadable package sets. That’s a Cool Thing. It’s a cool idea. If you find some collections you really like, you can add them to your RSS feed-reader to monitor changes.</p> <blockquote> <p>….install the <a href="https://addons.mozilla.org/pages/collector">Add-on Collector</a> extension for Firefox. The Collector turns your favorite collections into subscriptions in your browser, where you’ll be notified as soon as new add-ons are published to one of your collections. 
The extension has a number of <a href="https://addons.mozilla.org/pages/collector_features">other features</a>, including the ability to share an add-on you have installed with a friend by e-mail, publish an add-on to one of your collections, and set up a collection that is automatically kept up to date with your installed add-ons.</p> <p>We’ve made video demos of <a href="http://vimeo.com/5055134">creating a collection</a> and <a href="http://vimeo.com/5056369">setting up an auto-publisher collection</a> to show how easy it is to dive in to collections.</p></blockquote> <p>Pop over to the Mozilla <a href="https://addons.mozilla.org/collections">Collection Directory</a> to see what this latest news is all about. <p><a href="http://newsfox.mozdev.org/installation.html">mozdev.org - newsfox: installation</a> and <a href="http://newsfox.mozdev.org/rss/2009.html#nf40">Newsfox</a> - Release candidate: NewsFox 1.0.5rc2 is out. My fave RSS news reader for Firefox continues to mature and become more stable and stunning each time!</p> <p><a href="http://lifehacker.com/5297027/disable-firefox-35s-location+aware-browsing">Disable Firefox 3.5’s Location-Aware Browsing – Privacy</a> – Lifehacker – Firefox 3.5 now comes with <a href="http://lifehacker.com/5235763/firefox-35-gets-geolocation-powered-by-google">Geo-locating features</a>. This might make some privacy browsing folks a bit uncomfortable. Lifehacker shares a simple tweak from <a href="http://www.howtogeek.com/howto/1672/deactivate-location-aware-browsing-in-firefox-3.5/">How-To Geek site writer Asian Angel</a>.</p> <ol> <li>Go to <code>about:config</code> </li> <li>Change the <code>geo.enabled</code> value to false by double-clicking on the key. 
</li></ol> <p>In fairness, as Lifehacker points out, even with this “Geo-Loco” feature left enabled, you would still have to (theoretically) grant your consent when prompted to share your Geo-Loco-ness info with the site.</p> <p>At least you know….</p> <p><strong><font color="#800000">Opera Sings…off key?</font></strong></p> <p><a href="http://my.opera.com/desktopteam/blog/2009/06/03/welcome-to-opera-10-beta-1">Opera Desktop Team - Welcome to Opera 10 Beta 1</a> – Opera Desktop Team blog – Nice shiny new version. Some bells-n-whistles. Opera remains nice but here in the States has quite a job ahead getting noticed with Mozilla/Firefox, Internet Explorer, and Chrome/Chromium still ruling the sand-lot. </p> <p><a href="http://unite.opera.com/">Opera Unite</a> – New feature embedded in Opera 10 allows for file sharing and other typically “server” based operations. It’s pretty easy to set up and configure. The API will allow other developers to publish “widgets” to interact and leverage this feature. Could be cool…or is it a sinister threat to end-user/organizational security? See two links down…</p> <p><a href="http://my.opera.com/desktopteam/blog/2009/06/16/freedom">Freedom</a> – Opera Desktop Team blog – The development team work hard to introduce this feature and convince us all what joy will come our way. Clearly they have worked hard and are proud of the accomplishment.</p> <p><a href="http://www.betanews.com/article/How-secure-is-Opera-Unite/1245176152">How secure is Opera Unite?</a> – Betanews. Scott M. Fulton, III analyzes Opera Unite and shares some real concerns. Does the average consumer end-user really need (or want) a server embedded in their web-browser? What if someone publishes an “non-Opera approved” widget on their own website that unbeknownst to the user actually serves malware or scrapes the user’s key files/documents/pictures from their system? 
In fairness it’s the same charge that has been leveled at Firefox extensions, and from time to time a rogue extension for Firefox is uncovered. I’m not sold, and from a sysadmin’s perspective this adds just one more layer of headache to policing the desktop systems. On the other hand, for sophisticated browser users, these might be powerful and useful features. Jury is still out on this one.</p> <p><strong><font color="#800000">And an Apple drops from the tree…does anyone but Newton notice?</font></strong></p> <p>Recently Apple took the “beta” tag off Safari for Windows 4.</p> <p><a href="http://www.apple.com/safari/">Apple - Safari - Introducing Safari 4</a></p> <p><a href="http://arstechnica.com/apple/news/2009/06/safari-4-final-no-tabs-and-performance-updates-for-106.ars">Safari 4 final: no top tabs, performance updates for 10.6</a> - Ars Technica</p> <p>I’ve loaded it on the Vista Home Premium 32-bit with no issues. Haven’t cared enough to put it on Windows 7 64-bit.</p> <p>It’s quite nice but still ranks way down my list of browsers to use, despite being installed.</p> <p>--Claus V.</p> Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-1628773904744430392009-06-20T17:55:00.001-05:002009-06-20T18:14:40.498-05:00Microsoft SharedView: OMG this is Free?!!!<p>So this past week I was in Austin for a few days working on a special project. 
It wrapped up but the work didn’t.</p> <p>When we departed, plans were made to continue and as I was tasked with documentation support, it was asked if the team contributors could share my desktop (remotely) as we continued the work via conference calls from our desks across Texas.</p> <p>One of my director’s peers suggested we use <a href="http://en.wikipedia.org/wiki/Microsoft_NetMeeting">Microsoft’s NetMeeting</a> product which might be useful. It is loaded on all systems but does require each “attendee” to provide their IP address to set up the session. We don’t have any enterprise-class commercial collaboration software solutions like <a href="http://office.microsoft.com/en-us/livemeeting/default.aspx">Live Meeting</a> or similar applications (at the current time…that may change soon).</p> <p>We needed something cheap (free would be good), XP compatible, and require very little setup or technical use for the non-technical workgroup participants. Plus it had to be fast and rock-solid-stable.</p> <p>When I got back into H-Town I hit the webs and quickly uncovered the dirt on NetMeeting on XP.</p> <ul> <li><a href="http://windowsitpro.com/articles/index.cfm?articleid=25794&cpage=4#feedbackAnchor">Where is Microsoft NetMeeting in Windows XP?</a> – Windows IT Pro. <li><a href="http://support.microsoft.com/kb/233175">How to Use Remote Desktop Sharing in NetMeeting</a> – Microsoft Help</li></ul> <p>However after playing with it on my system I just wasn’t feeling the love. It seemed clunky, connection setup seemed awkward, and I wasn’t convinced it would really meet our needs.</p> <p>Then I stumbled upon Microsoft SharedView.</p> <p>The heavens opened up and the Dove of Peace descended.</p> <p>Live-fire pre-deployment testing with the D-Man and Mr. 
No in the IT bullpens quickly confirmed it was a rocking solution.</p> <p><strong><font color="#800000">Microsoft SharedView</font></strong></p> <p><a href="http://www.connect.microsoft.com/site/sitehome.aspx?SiteID=94">Microsoft SharedView</a> – Microsoft Connect</p> <p>This is – amazingly – a free product/service offered by Microsoft.</p> <p>Free.</p> <p>100% free.</p> <p align="center"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/_Km3V5JZ6Aws/Sj1o46S7A_I/AAAAAAAAAuY/WO1i4GX-mu0/image%5B4%5D.png?imgmax=800" width="484" height="332"> </p> <p align="center">(Image from <a href="http://technet.microsoft.com/en-us/magazine/2008.07.utilityspotlight.aspx?pr=blog">Free Utility: Microsoft SharedView</a> – July 2008 Tech Net Magazine. It’s the bar at the top that contains the SharedView controls)</p> <p>The Microsoft Connect hosted SharedView web-site design absolutely sucks for such a fantastic product. Bad. It is basic and really doesn’t do the product justice. Maybe that’s by design. (no pun intended). Maybe Microsoft isn’t ready to showcase this product. That’s too bad but great for us!</p> <blockquote> <p>Microsoft SharedView is a fast, easy way to share documents and screen views with small groups of friends or coworkers; anytime, anywhere. Use SharedView to put your heads together and collaborate - create, convey, and communicate…across physical boundaries, through firewalls, and down to the smallest details.</p></blockquote> <p>It doesn’t support audio/video (as in web-cams for attendee shared communication). But if you can set up a phone/conference call, this is an amazing product for small workgroups, offices, and home-users. 
It could also be used to perform remote-connection support in a pinch…though I still prefer the ease of <a href="http://showmypc.com/">ShowMyPC</a> for one-on-one remote family support sessions.</p> <p>Installation was a breeze. Download the MSI installer from either <a href="http://www.connect.microsoft.com/site/sitehome.aspx?SiteID=94">here</a> (SharedView website big red button) or <a href="http://www.microsoft.com/downloads/details.aspx?familyid=95AF94BA-755E-4039-9038-63005EE9D33A&displaylang=en">here</a> (via Microsoft Downloads). No post-install system-reboot needed.</p> <p>Launch the application and an inconspicuous SharedView action bar appears at the top of your display. Click the “orb” and you can create a new session. (<a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6467&SiteID=94">Starting a Session - Signing in</a>)</p> <p>Follow the steps to log in with your Windows Live ID credentials (free signup if you don’t have one) and create your session info. You can then copy/paste or insert the info into an email to send to invitees (SharedView supports up to 15 attendees in a single session). (<a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6468&SiteID=94">Starting a Session – Beginning</a>)</p> <p>Use the bar at the top to attach “handouts” to the session. These are documents on your hosting system you offer to share with session participants. They must download these copies to their local systems as they will otherwise become unavailable once the session ends. (<a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6503&SiteID=94">Using Handouts</a>). During our sessions I kept having to discard them and then repost them as I updated (and resaved) the changes to the primary documents.</p> <p>You then define which application, document or even your entire desktop (full desktop view) you wish to display to folks. 
Currently SharedView only supports the primary monitor in a multi-monitor hosting system. Nice if you want to keep some other stuff “private” but viewable while hosting. (<a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6498&SiteID=94">Sharing an Application or Desktop</a>)</p> <p>You can also temporarily hand off control to a participant so they can edit a document on your system directly. Moving your mouse restores control back to you instantly. Nice. (<a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6501&SiteID=94">Taking Control</a>)</p> <p>Attendees who are sent the email invitation get both a html link to the session along with the link, session name and password to join. If their system doesn’t have SharedView pre-loaded the web-page launched when logging into the session will prompt the user to download/install the software. (<a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6485&SiteID=94">Starting a Session – Joining</a>)</p> <p>It seems to support both Firefox and IE browsers. Once installed IE will display the session (which may also require installation of a supporting plug-in element)</p> <p>The session host is presented a “will you allow” message as each invitee checks in. (<a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6487&SiteID=94">Managing and Monitoring Participation</a>)</p> <p>There are some other options like allowing each participant’s own cursor to appear on everyone’s screen views with the name. Temporary highlighting is also included. It’s really cool. (<a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6500&SiteID=94">Pointing and Highlighting</a>)</p> <p>It also has a basic “chat” feature to send messages that appear on everyone’s window. 
(<a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6531&SiteID=94">Using Chat</a>)</p> <p>Our connections were over T1 or better network lines so it was 100% smooth with no delays or stutters. Our sessions lasted six or more hours and not once were they disconnected or dropped. Invitees were able to drop off for lunch break and rejoin with their same credentials as long as I (as the host) kept the session open. Once I closed the session it was “destroyed” and no longer would be valid unless I created a new one and then shared the login info with everyone fresh.</p> <p>Attendees should be able to resize/shrink the window on their systems to allow better screen space usage.</p> <p>I haven’t tested to see if participants can log into more than one separately hosted session concurrently for some awesome multi-tasking goodness.</p> <p><strong><font color="#800000">What it Lacks</font></strong></p> <p>SharedView isn’t perfect.</p> <p>It is limited to 15 participants per hosted session.</p> <p>It doesn’t have a “whiteboard”-like feature although I suppose you could use some other application on your hosted system to do the same thing…kind-of.</p> <p>The chat feature is very basic and doesn’t intuitively provide a running conversation dialog sidebar. It is there. But display seems to cover a portion of the desktop you are trying to view. A sidebar arrangement would be nicer.</p> <p><strong><font color="#800000">Much more Linkage for the Curious</font></strong></p> <p>Here are a whole lot of great SharedView links on the specific features.</p> <ul> <li><a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6527&SiteID=94">SharedView Release Notes for Version 1.0 Release</a> - Microsoft Connect. <p></p> <li><a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6382&SiteID=94">Table of Contents</a> - SharedView. 
<p></p> <li><a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6455&SiteID=94">How does SharedView make my Job Easy?</a> - Microsoft Connect. <p></p> <li><a href="http://www.connect.microsoft.com/content/content.aspx?ContentID=6524&SiteID=94">SharedView System Requirements</a> - Microsoft Connect. <p></p> <li><a href="http://en.wikipedia.org/wiki/Windows_Meeting_Space">Windows Meeting Space</a> – Wikipedia. Not directly related but seems to be an even “liter” version. <p></p> <li><a href="http://en.wikipedia.org/wiki/Groove_Virtual_Office">Microsoft Groove</a> – Wikipedia. Another MS Office/SharePoint like application. <p></p> <li><a href="http://blogs.catalystss.com/blogs/josh_heyse/archive/2009/01/29/microsoft-sharedview-on-windows-7-x64-beta-build-7000.aspx">Josh Heyse : Microsoft SharedView on Windows 7 x64 Beta Build 7000</a>. – Windows XP/Vista users should have minimal issues with this application and installation. Windows 7 users…? Well try this Orca-utility MSI installer file hack. <strong><font color="#d90000">FYI:</font></strong> I installed the very latest available build of SharedView on my Windows 7 RC x64 system (build 7100) with no complaints or issues. 
No “hack” was needed.</li></ul> <p>Good news is that it appears that SharedView is an actively developed product at Redmond so new releases and updates will continue following.</p> <p><strong><font color="#800000">Valca Verdict on Microsoft SharedView?</font></strong></p> <p><strong><font color="#d90000">Highly Recommended!</font></strong></p> <p>Cheers!</p> <p>--Claus V.</p> <div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-162877390474443039?l=grandstreamdreams.blogspot.com'/></div>Clausnoreply@blogger.com2tag:blogger.com,1999:blog-13777170.post-77515458005112693372009-06-20T16:31:00.001-05:002009-06-20T16:31:45.530-05:00Microsoft Link Dump: Load #5<p align="center"><img border="0" alt="MSDump" src="http://lh3.ggpht.com/GrandStreamDreams/SB5PQmJeNnI/AAAAAAAAAWY/wmih1qpuuiw/MSDump%5B8%5D.jpg?imgmax=800" width="448" height="281"></p> <p align="right"><font color="#800040" size="1">CC Photo Credit: by </font><a href="http://flickr.com/photos/lifeontheedge/155223959/"><font color="#800040" size="1">Choctopus on Flickr</font></a> <p>Got Shovel? <p><strong><font color="#800000">Virtualization Stuff</font></strong> <p><a href="http://grandstreamdreams.blogspot.com/2009/03/gsd-how-to-dual-boot-windows-7-on-vista.html">Dual-booting Windows 7 from a VHD setup</a> on our laptops is rocking solid. I almost never drop into the main Vista system anymore. Neither does Lavie. So even though I currently have a pretty good handle, it never hurts to learn just a bit more. Here are some great tips and info. <ul> <li><a href="http://edge.technet.com/Media/How-to-use-the-new-VHD-features-of-Windows-7--Server-2008-R2/">How to use the new VHD features of Windows 7 / Server 2008 R2</a> - TechNet Edge. Ten minute guided video on how to set up a VHD file under Win7 or Server 2008. 
</li></ul> <p></p> <ul> <li><a href="http://edge.technet.com/Media/Dual-Boot-from-VHD-with-Windows-7-and-Windows-Sever-2008-R2/">Dual Boot from VHD with Windows 7 and Windows Sever 2008 R2</a> - TechNet Edge. Twenty-three minute video from MS pro Keith Combs on specifically dual-booting systems from VHD files. It’s quite good.</li></ul> <p></p> <ul> <li><a href="http://blogs.msdn.com/virtual_pc_guy/archive/2009/06/15/creating-virtual-machines-with-windows-virtual-pc.aspx">Creating virtual machines with Windows Virtual PC</a>. – Virtual PC Guy’s WebLog – Basic stuff but a reminder that Windows 7 XP-Mode virtualization isn’t just for running XP’ish apps under Win7. It is a full-featured virtualization platform and you aren’t limited to just one virtualized XPM system. Make many…covering other supported OS’s as well. <p></p></li> <p></p></ul> <p><strong><font color="#800000">UAC Under Win 7 – The Controversy Continues</font></strong> </p> <p></p> <ul> <li><a href="http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx">User Account Control: Inside Windows 7 User Account Control</a>. – TechNet magazine – Mark Russinovich goes to bat to try to defend MS’s positioning of UAC and try to define its relationship with security. I get the points but unfortunately, I think UAC has been engrained in many folks’ minds as being “solely” a security measure. MS is trying to make it more nuanced from their technical understanding of the Windows platform architecture. This is going clear over the heads of common users. From Mark’s post:</li></ul> <blockquote> <p>The primary goal of UAC is to enable more users to run with standard user rights. However, one of UAC's technologies looks and smells like a security feature: the consent prompt. Many people believed that the fact that software has to ask the user to grant it administrative rights means that they can prevent malware from gaining administrative rights. 
Besides the visual implication that a prompt is a gateway to administrative rights for just the operation it describes, the switch to a different desktop for the elevation dialog and the use of the Windows Integrity Mechanism, including User Interface Privilege Isolation (UIPI), seem to reinforce that belief.</p> <p>As we've stated since before the launch of Windows Vista, the primary purpose of elevation is not security, though, it's convenience: if users had to switch accounts to perform administrative operations, either by logging into or Fast User Switching to an administrative account, most users would switch once and not switch back. </p></blockquote> <p>Thing is, most tech-pros and security folks just aren’t buying it. Particularly when the default user profile level in a Windows 7 setup is at “admin” level. There is just so little encouragement offered to set up the user account as a “standard” user rights. And, it appears that even with a standard-level account AND UAC that malware or maliciously coded apps can still work their magic against the user.</p> <p></p> <ul> <li><a href="http://www.istartedsomething.com/20090613/windows-7-uac-code-injection-vulnerability-video-demonstration-source-code-released/">Windows 7 UAC code-injection vulnerability: video demonstration, source code released</a> - istartedsomething. How applications can take advantage of Win7 and elevate permissions without UAC prompting. Darn.</li></ul> <p></p> <ul> <li><a href="http://www.istartedsomething.com/20090611/uac-in-windows-7-still-broken-microsoft-wont-fix-code-injection-vulnerability/">UAC in Windows 7 still broken, Microsoft won’t/can’t fix code-injection vulnerability</a> - istartedsomething. More thoughts by Long Zheng on UAC.</li></ul> <p></p> <ul> <li><a href="http://www.withinwindows.com/2009/06/10/uac-uac-go-away-come-again-some-other-day/">UAC, UAC, go away, come again some other day</a> - Within Windows. 
Rafael Rivera provides the quote-byte of the week on UAC: “Here’s my million dollar question: If UAC wasn’t designed to ultimately protect us from anything, <strong>why does its icon resemble a damn shield?</strong>”</li></ul> <p></p> <ul> <li><a href="http://4sysops.com/archives/thoughts-about-user-account-controls-uac-primary-design-goal/">4sysops - Thoughts about User Account Control’s (UAC) primary design goal</a>. – 4sysops - Michael Pietroforte thoughtfully sums up the problem and frustration with folks-in-the-know on UAC. Most either tolerate it and some just turn the thing off.</li></ul> <p><strong><font color="#800000">Windows 7 Mashup</font></strong> </p> <p></p> <p>More news and various interesting bits to sort through regarding Windows 7. </p> <p></p> <ul> <li><a href="http://www.nirsoft.net/articles/windows_7_kernel_architecture_changes.html">Windows 7 Kernel Architecture Changes - api-ms-win-core files</a>. – NirSoft. Nir takes the time to explain function changes internal to some key Windows 7 dll files. This means that some calls previously used in application code might not be as efficient as newer ones. It’s interesting stuff.</li> <p></p> <li><a href="http://www.nirsoft.net/blog/2009/06/new-dll-information-site-for-windows-7.html">New DLL Information site for Windows 7</a>. – Nir Sofer’s NirBlog – Nir has created a new website “containing information about every DLL in the system32 directory of Windows 7 Release Candidate”: <a href="http://www.win7dll.info/">DLL File Information for Windows 7</a>. It’s tech-head stuff but good to bookmark if you are into DLL stuff.</li> <p></p> <li><a href="http://blogs.zdnet.com/Bott/?p=1048">Will the Windows 7 price be right?</a> - Ed Bott’s Microsoft Report</li> <p></p> <li><a href="http://www.istartedsomething.com/20090606/best-buy-memo-leaks-windows-7-pricing/">Best Buy memo leaks Windows 7 pricing? 
Upgrades might cost less than half than Vista equivalent.</a> - istartedsomething.</li></ul> <p>I’m still not sure what the final prices will be, but if upgrade pricing comes in as teased, I’d seriously consider dropping Windows 7 Home Premium (x64) on both Lavie and Alvis’s laptops as soon as it is released. I’m not sure if I will go for Windows 7 Professional (x64) for mine. I’d actually use some of the XPM features so I might be able to justify the price which might be 2x that of the Home Premium tag.</p> <ul> <p></p> <li><a href="http://windowsteamblog.com/blogs/windows7/archive/2009/06/04/microsoft-hardware-to-take-advantage-of-windows-7.aspx">Microsoft Hardware to Take Advantage of Windows 7</a> - Windows 7 Team Blog. Hardware interfacing support for Win7 gets a big enhancement.</li> <p></p> <li><a href="http://www.istartedsomething.com/20090605/admiring-windows-7s-high-resolution-device-icons/">Admiring Windows 7’s high-resolution device icons</a> - istartedsomething. Pretty icons…and they mean something this time as well!</li> <p></p> <li><a href="http://blogs.msdn.com/e7/archive/2009/06/03/creating-saving-sharing-themes-in-windows-7.aspx">Creating, Saving, Sharing Themes in Windows 7</a> - Engineering Windows 7 – I’ve dropped a static wallpaper on my Win7 desktop, but I keep going back to the provided themesets. It’s really neat. However, creating your own theme-sets isn’t quite an intuitive thing. This is a must-read post if you want to spin your own. Turns out it is pretty easy-peasy!</li> <p></p> <li><a href="http://windows.microsoft.com/en-US/Windows7/Personalize">Windows 7: Personalize your PC</a> – Microsoft – Turns out that you can download some more “official” themes that weren’t bundled in the Win 7 release disks. 
These are the real-deal and quite beautiful.</li> <p></p> <li><a href="http://www.withinwindows.com/2009/03/15/windows-7-to-officially-support-logon-ui-background-customization/">Windows 7 to officially support logon UI background customization</a> - Within Windows. Since we are on a tweaking bend, don’t forget you can tweak the login background with a bit of clever editing.</li> <p></p> <li><a href="http://www.withinwindows.com/2009/06/13/tweak-your-windows-7-logon-ui-button-set/">Tweak your Windows 7 Logon UI “button set”</a> - Within Windows. Of course, you might find that if you do change the logon background you might have some default text issues. These tips will help you cycle through some native adjustments to make the login dialogs easier to see.</li></ul> <p><strong><font color="#800000">Microsoft Goodies</font></strong></p> <ul> <li><a href="http://on10.net/blogs/sarahintampa/Test-Your-Websites-Compatibility-with-SuperPreview/">Test Your Website’s Compatibility with SuperPreview</a> – On10 – Neat little tool for website developers that allows you see how your website looks in different browsers. What is cool is that you can open the same site in multiple browser versions at once and then “stack” them transparently. These overlays make it very easy to see rendering differences. <a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=8e6ac106-525d-45d0-84db-dccff3fae677&displaylang=en">MS Download: Expression Web SuperPreview for Internet Explorer</a>. Spotted on <a href="http://www.calendarofupdates.com/updates/index.php?showtopic=20243">Calendar Of Updates</a>.</li> <p></p> <li><a href="http://blogs.technet.com/sysinternals/archive/2009/06/04/updates-vmmap-v2-0-clockres-v2-0.aspx">Sysinternals Site Discussion : Updates: VMMap v2.0, ClockRes v2.0</a>. 
– Changes to two Sysinternals tools including the very cool VMMap to display memory usage details.</li> <p></p> <li><a href="http://blog.tiensivu.com/aaron/archives/1881-Use-FAT16-with-64K-cluster-size-for-best-performance-on-4GB-ReadyBoost-devices,-plus-W7-Intel-Turbo-Ram-drivers!.html">Use FAT16 with 64K cluster size for best performance on <=4GB ReadyBoost devices</a> - Aaron Tiensivu’s Blog. Clever tip to enhance ReadyBoost performance. Is it just me or is ReadyBoost a non-issue with Windows 7? Sure it is supported but there’s been no buzz this go round. Maybe because Win7 performs so much better with available system RAM that no one feels a need for ReadyBoost under Win7 to eke out needed performance? Besides with lessons learned from Vista from most Windows OEM platform sellers, you rarely see consumer systems offered for Vista now with less than 2 GB. 3-4 GB seems standard. I expect Windows 7 systems when they hit the market will be the same. Compare that with XP and early Vista system releases where standard system consumer configurations offered 512 MB or 1 GB. Yikes!</li> <p></p> <li><a href="http://www.autoitscript.com/gimagex/">ImageX GUI (GImageX)</a> – freeware – New beta version released in May by Jonathan Bennett. This new beta version supports the WAIK for Windows 7 RC. I loaded that one on my “new” laptop system along with this beta version, but found that it sometimes won’t open my Vista WAIK ImageX version WIM files. Those that it does open take a loooong time to mount. It’s a pain but there are good improvements in the Win7 Imagex version. 
For more info on the benefits (and the mounting delay) see this GSD post: <a href="http://grandstreamdreams.blogspot.com/2009/03/wim-tool-enhancements-and-fiddling-with.html">WIM tool enhancements and Fiddling with VHD’s</a>.</li></ul> <p><strong><font color="#800000">Microsoft Security Essentials: Free MS AV Solution Beta – Coming soon.</font></strong></p> <p>Microsoft announced that it would be entering the freely-provided AV market soon. Microsoft Security Essentials (MSE)…previously code-named Morro…this product would pick up where Windows Defender (malware focused) left off. In fact install this version and Windows Defender gets disabled as it is an “up-version” of that protection. It should appeal to the non-techie pc buyers who have a light (but growing) understanding of security needs. It will also probably play into SO/HO and small business users who need some MS-stable AV solutioning without the advanced administration requirements of larger corporations or businesses. Interface is very basic…which is probably a good thing. Though not “cloud-based” it still packs a “cloud-supported” feature to provide added protection for emergent threats and will be offered in both 32-bit and 64-bit Windows OS versions. That alone seems noteworthy. </p> <ul> <p></p> <li><a href="http://arstechnica.com/microsoft/news/2009/06/microsoft-announces-free-antivirus-beta-this-tuesday.ars">Microsoft announces free antivirus, limited public beta</a> - Ars Technica.</li> <p></p> <li><a href="http://blogs.zdnet.com/microsoft/?p=3120">Microsoft Security Essentials: What wannabe testers need to know</a> – Mary-Jo Foley’s All about Microsoft</li> <p></p> <li><a href="http://blogs.zdnet.com/Bott/?p=1067">How good is Microsoft’s free antivirus software?</a> - Ed Bott’s Microsoft Report. 
Contains great pre-beta screenshots.</li></ul> <p>Whew!</p> <p>--Claus V.</p> <div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-7751545800511269337?l=grandstreamdreams.blogspot.com'/></div>Clausnoreply@blogger.com1tag:blogger.com,1999:blog-13777170.post-50288231904398113462009-06-20T14:30:00.001-05:002009-06-20T14:30:33.232-05:00Small Tips to tame MS Office<p>A number of weeks ago it became clear that my work-issued Dell D-610 laptop just wasn’t able to keep up with the onslaught of multi-tasking I was now throwing at it.</p> <p>I had maxed out the RAM to 2GB, large/fast IDE drives were hard to find, and it was a single-core processor.</p> <p>So boss was able to locate a loaner Dell D-630 laptop to tide me over the remaining six-month or so period until the next round of hardware refreshes hit our group (Latitude E6400’s). The 2 GB RAM kit from the D-610 was compatible with that used by the D-630 so I replaced the stock 512MB stick with the 2GB kit. However the D-630 supports up to 4GB for system RAM so I’ve got a 4 GB RAM kit coming along with a 7400RPM SATA drive to boost the stock D-630’s dual-core muscle. My productivity has jumped which is a good thing considering how crazy the past two weeks have been.</p> <p>Anyway…all that to say that moving my system over from the older laptop to the newer one meant many of my MS Office (2003) tweaks and configs were gone and forgotten.</p> <p>So I’ve been on the hunt to tweak some MS Office behaviors. Here are three of the cleverest I should have remembered.</p> <ul> <li><a href="http://www.mydigitallife.info/2008/08/06/disable-and-turn-off-microsoft-office-word-2003-reading-layout/">Disable and Turn Off Microsoft Office Word 2003 Reading Layout</a> - My Digital Life – Uhhhg! When I would open a MS Office file attachment out of Outlook it would open in the “Reading Layout” which was butt-ugly and useless. 
Sure I could then click around and swap the view to the “page layout” mode but it was extra clicks. Darn if I could get it swapped back to open in the “page layout” style of my old system. This post has three levels of tips. The first one is in the usual options interface but may not “hold”. The second one requires some Group-Policy editing…nice. But the last is the money one. To the Registry!</li></ul> <blockquote> <p>…directly modify the system registry with the following value to get the same blocking reading layout effect. <p>[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\11.0\Word\Options\vpref] <br>"fAllowAutoReadingMode_1886_1"=dword:00000000</p></blockquote> <ul> <li><a href="http://www.clipboardextender.com/general-clipboard-use/how-to-turn-off-the-office-clipboard-2000-xp-2003">How to turn off the Office Clipboard (2000, XP, 2003)</a> – Clipboard Extender blog – for some bizarre reason every time I would copy/paste things in Office 2003 on this system the clipboard sidebar would pop up and list all my copied items. No matter how many times I told it not to display any more in the options it would continue to return. While some may find benefit in this, I’m not a multi-item copy/paster. By that I mean I copy then paste what I want to move around and don’t need to maintain an ongoing collection of copied items to paste from. When the sidebar appears it shifts the zoom level or location of my document, throwing me mentally off. It had to go. The link had the standard solutions but a single comment on the post left by <small><a href="http://www.clipboardextender.com/general-clipboard-use/how-to-turn-off-the-office-clipboard-2000-xp-2003#comment-22233"></a></small><cite>Meredith Sivick</cite> did the trick. Haven’t seen it since. 
I love a good registry hack:</li></ul> <blockquote> <p>This worked for me to Permanently turn off the clipboard in Microsoft Office for 2003 running Windows XP<br>———————————————————————- </p> <p>By Bill Detwiler<br>Close all Office applications, including Outlook, before performing any of the following registry edits.<br>To Disable clipboard:<br>1. Click Start | Run<br>2. Enter “regedit” in the Open field<br>3. Click OK<br>In the Regedit window:<br>1. Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Office\[version]\Common\General<br>Where [version] corresponds to your Office version: 9.0 = Office 2000, 10.0 = Office XP, and 11.0 = Office 2003.<br>2. Locate the DWORD value AcbControl or create the value if it does not exist.<br>3. Set the AcbControl value to 1. (Set the value to 0 to enable the dialog box.)<br>4. Close the Registry Editor and restart an Office application.</p></blockquote> <ul> <li><a href="http://www.dslreports.com/faq/13864">How do I turn off the Getting Started pane (Word 2003)?</a> - dslreports.com – Despite all my attempts to locate the setting to turn this blasted feature off, I had to hit the Web to find it in the option settings. Darn it. I hate it when something is right in front of me but I can’t remember the technical name for the “feature”. 
In this case it is referred to as the "Startup Task Pane".</li></ul> <p>Golden!</p> <p>--Claus V.</p> Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-46861486009552109372009-06-20T12:41:00.001-05:002009-06-20T12:41:52.059-05:00More Olympus E-P1 teases<p><a href="http://www.amazon.com/gp/feature.html/ref=amb_link_84594251_1?ie=UTF8&plgroup=1&docId=1000389481&pf_rd_m=ATVPDKIKX0DER&pf_rd_s=auto-sparkle&pf_rd_r=10WC7E5RNGSCJV5KNTRK&pf_rd_t=301&pf_rd_p=481917071&pf_rd_i=E-P1">Amazon</a> is taking pre-orders on the Olympus E-P1 kits.</p> <p>Full reviews are still sparse. From what I can gather some pre-release units went out to select reviewers. Some release units also got out there, but from the “…wait for a full review…” comments in the articles…it seems like there are some agreements to not release too much info quite yet.</p> <p>An Olympus E-P1 release event occurred in Germany so most of the links with “real-shots” were taken from Berlin.</p> <p>Here is the latest batch of “best-of” write-ups and teases I’ve found.</p> <p>Lavie is impressed with it as well. I’m still waiting for the “real” reviews to pick it apart, but I’ve been smitten with what I have seen and think it would be the perfect level/format of digital camera for the style of photos I’m looking to capture. As well as being more inconspicuous for candid street-shooting compositions.</p> <p>Enjoy!</p> <p><a href="http://www.photographyblog.com/articles/olympus_e-p1_videos/">Olympus E-P1 Videos</a> – PhotographyBLOG – Not only does the camera provide 12.3 megapixel stills, it also provides true HD-level video. This collection is amazing! Granted the art-mode filters cause slowdown in capture, but they still are quite neat. The normal mode color is spectacular, smooth and highly detailed. 
Can’t imagine what they would look like on our HD TV.</p> <p><a href="http://43rumors.com/photorumors-e-p1-autopsy/">E-p1 autopsy pictures</a> - Olympus and Panasonic rumors – Great site and neat cut-through view of the camera body/lens. Amazing work packing all that tech into the small package. Wow.</p> <p><a href="http://43rumors.com/first-olympus-e-p1-video/">First Olympus E-P1 unboxing video!</a> - Olympus and Panasonic rumors – Why not?</p> <p><a href="http://theonlinephotographer.typepad.com/the_online_photographer/2009/06/the-ep1-not-exactly-what-you-want.html">The Online Photographer: The E-P1: Not Exactly What You Want?</a> – The Online Photographer – The title is misleading. The reviewer actually really likes his time with the E-P1.</p> <p><a href="http://www.amateurphotographer.co.uk/news/Olympus_interview_Future_Pen_cameras_planned_update_16_June_5pm_news_284586.html?offset=&offset=0">Olympus interview: Future ‘Pen’ cameras planned (update 16 June 5pm) news</a> - Amateur Photographer – News that Olympus may release higher/lower end versions depending on how this first model does. Higher may include a built-in viewfinder. Interesting….</p> <p><a href="http://www.letsgodigital.org/en/22408/olympus-e-p1-test/">Olympus E-P1 test photos</a> – Let’s Go Digital – Bit more news and photo samples.</p> <p><a href="http://translate.google.com/translate?=en&sl=ja&tl=en&u=http://dc.watch.impress.co.jp/docs/review/pview/20090618_294689.html">Google Translate</a> – Review with LOTS of hardware photos of the device. Translated version but still quite good. Written by O. 
Takeshi.</p> <p>--Claus V.</p> <p><strong>GSD Keep-Alive Ping + the new E-P1!</strong> (posted 2009-06-17)</p> <p align="center"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh3.ggpht.com/_Km3V5JZ6Aws/Sjm9EedEG0I/AAAAAAAAAuQ/zDgXi9Vncoc/image%5B5%5D.png?imgmax=800" width="395" height="188"> </p> <p align="right"><font color="#000080" size="1">cc image credit: </font><a href="http://www.flickr.com/photos/hermes-/3019324242/"><font color="#000080" size="1">Black Olympus Trip 35 on Flickr by Hermés</font></a></p> <p>Hi all.<br><br>I’m still here. I just realized it’s been over half-a-month since the last post.</p> <p>Work is crazy-wild with longer-than-normal sessions in the bull-pen and on the mound, along with weekends chock-full of special family-focused down-time.</p> <p>Please remain confident that my to-blog pile is reaching critical mass.</p> <p>I’ve got the usual load of Microsoft Windows OS related topics in the wings, a curiously free amazing on-line collaboration tool, stupid MS Office taming tips, a mess of browser news, and linkage galore of security-related tools and various utilities.</p> <p>Also in the works, a specific “while-in-the-trenches” post on a live-fire failing disk recovery session with two neat new free tools I uncovered in the process. Oh yes…I guess I need to mention the drive in focus involved a blown-out PGP Whole Disk Encryption load. Yikes! Expect some new pgpwde.exe command-line support resources as well in that pre-or-post post. 
(Did that make any sense?)</p> <p>Completely unrelated….<strong><font color="#800000">Olympus cameras…</font></strong></p> <p>I’ve been taking out my old Olympus Trip-35 and longingly holding it a bit. I haven’t worked up the courage to drop some old-school 35mm film in for kicks.</p> <p>While Jonesing on the Trip-35 I found this <a href="http://www.flickr.com/groups/olympustrip35/">Flickr: Olympus Trip-35</a> group with some great old/new photo sessions. It’s been a blast reading around. The more I research/read up on the web on the Trip-35 the more I am amazed at this little tool.</p> <p>I loved taking photos with it as a kid and still think it has taken some of my favorite photos. I’m not sure of the technical reason the photos appeal to me. There’s just something about them that stands out from images from other cameras I’ve used over the years. Not being a pro I can’t explain it but there is a distinct retro-like visual appeal to them I seem to sense. Maybe it’s just me reading more into it because I know the camera body is probably as old as I am. Eventually I’ll figure out how to scan my negatives in on the HP scanner we bought some time ago. Failing that I will just scan some of the prints in and share.</p> <p>Anyway, my love and joy of the little Trip-35 platform has kept the desire in me for a digital version. 
I think I would really get more use out of this format than a full-bore entry-level DSLR camera with my shooting style (more casual/photo-journalistic/street-shooting).</p> <p>So recent word that Olympus might be coming out with a digital “range-finder” camera this summer intrigued me:</p> <ul> <li><a href="http://www.wired.com/gadgetlab/2009/05/olympus-micro/">Olympus to Release Digital Rangefinder This Summer</a> - Wired.com <li><a href="http://www.digitalcamerareview.com/default.asp?newsID=3716">Olympus unveils rangefinder inspired Micro Four Thirds concept</a></li></ul> <p>I’ve been scouring the Net for news and today found this website offered to me by Olympus from a news signup I registered for.</p> <p>The object of my desire?</p> <ul> <li>The <a href="http://www.olympusamerica.com/cpg_section/product.asp?product=1461">E-P1</a> digital rangefinder - Olympus</li></ul> <p align="center"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/_Km3V5JZ6Aws/Sjm-iOI-q_I/AAAAAAAAAuU/xjpuAotBr58/image%5B10%5D.png?imgmax=800" width="351" height="194"> </p> <p align="right"><font color="#0000a0" size="1">cc image credit: </font><a href="http://www.flickr.com/photos/bfishadow/3634087049/in/set-72157619761100545/"><font color="#0000a0" size="1">Olympus E-P1: Sleek frame on Flickr by bfishadow</font></a></p> <p>Quite likely after wasting over an hour on the website tonight as well as even more on the following reviews and linkage.</p> <p>Here’s the first onslaught of E-P1 gushing to hit the web I’ve started to turn over.</p> <ul> <li><a href="http://www.popsci.com/gear-amp-gadgets/article/2009-06/retro-futurism-olympuss-new-rangefinder-inspired-digital-camera">Retro-Futurism: Olympus’s New Rangefinder-Inspired Digital Camera</a> - Popular Science <li><a href="http://www.dpreview.com/previews/olympusep1/">Olympus E-P1 Hands-on Preview: 1. 
Introduction</a> - Digital Photography Review <li><a href="http://blog.duncandavidson.com/2009/06/olympus-digital-pen-launched.html">Olympus Digital PEN Launched</a> - James Duncan Davidson <li><a href="http://www.dcresource.com/reviews/olympus/e_p1-review">Olympus E-P1 First Look</a> - Digital Camera Resource Page</li></ul> <p>And here is a collection of interesting digital photo samples of the E-P1 output in action</p> <ul> <li><a href="http://www.photographyblog.com/articles/olympus_e-p1_photos/">Olympus E-P1 Photos</a> - PhotographyBLOG <li><a href="http://www.flickr.com/photos/bfishadow/tags/ep1/">bfishadow’s stuff tagged with ep1</a> - Flickr <li><a href="http://www.flickr.com/photos/realityscans/sets/72157619834252102/">"Hands on" • Olympus PEN E-P1</a> - a set on Flickr</li></ul> <p>I close with this: A shameless E-P1 viral-ad pandering to the <a href="http://www.willitblend.com/">Will It Blend?</a> fans.</p> <p><a href="http://robertsraw.com/2009/06/will-it-blend/">Will It Blend? 
</a>- Roberts Raw!</p> <p>Stay tuned!</p> <p>--Claus V.</p> <p><strong>Sunday Linkfest: Last Call</strong> (posted 2009-05-31)</p> <p>Turned out that I was able to stay a lot more productive this weekend than I anticipated.</p> <p>Not only was I able to take care of most of the home-chore list, but in getting up my planned posts, I actually uncovered more than a few surprising gems as well.</p> <p>Here are the remaining links.</p> <p><strong><font color="#800000">Browsers</font></strong></p> <p><a href="http://my.opera.com/desktopteam/blog/2009/05/27/snapshot-build-with-preview-of-the-new-skin">Snapshot build with preview of the *new* Skin</a> – Opera Desktop Team – Opera 10 Alpha stuff so there’s a here be dragons warning attached. That said it is stable enough for casual browsing for the curious and will, by default, install into its own program folder to keep any existing release versions of Opera you may have intact. It’s a very nice browser that needs much more credit than it gets. It’s been drowned out by Firefox and Chrome and it is a shame. It’s a bit hard to tell for non-regular Opera users but the new skin is polished and sophisticated. Much more refined than either the default themes in Firefox or Chrome (IMHO). 
The European roots shine through.</p> <p><a href="http://translate.google.com/translate?hl=en&sl=de&u=http://stadt-bremerhaven.de/2009/05/24/portable-google-chrome-2017230-beta/&ei=wnMdSuX_BoaaMtrdjMMF&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3Dhttp://stadt-bremerhaven.de/2009/05/24/portable-google-chrome-2017230-beta/%26hl%3Den%26rlz%3D1C1GGLS_enUS326US326%26tbo%3D1">Portable Google Chrome 2.0.172.30 Beta (Google Translate)</a> – Direct link to Caschy’s Blog where his updated Portable Google launcher is available including a newer Google Chrome release. Spotted via <a href="http://lifehacker.com/5271456/portable-chrome-updates-with-chrome-20s-speed-improvements">Lifehacker</a> blog.</p> <p><strong><font color="#800000">Microsoft Watch</font></strong></p> <p><a href="http://blogs.technet.com/markrussinovich/archive/2009/05/26/3244913.aspx">The Case of the Slow Keynote Demo</a> – Mark’s Blog – Mark Russinovich uses his l33t Windows powers of observation to trace a stuttery presentation element. While the ultimate cause is probably unlikely to be encountered by most users, it is another example of using <a href="http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx">Process Monitor</a> to deliberately drill down to the exact cause of the error.</p> <p><a href="http://blogs.technet.com/lifecycle/archive/2009/04/14/extended-support-begins-for-windows-xp-support-for-xp-continues-until-2014.aspx">Extended Support Begins for Windows XP—Support for XP Continues Until 2014 – </a>Microsoft Support Lifecycle Blog. I knew this but it was good to see it again. A gentleman at our church asked me last week what he should do. He has a solid XP desktop system and two Vista systems. For some reason he was under the belief that XP support was getting dropped this summer. Not true. But he already had two Vista systems and wasn’t impressed with Vista to switch; particularly knowing that Windows 7 is just around the corner. 
On the other hand, he would rather pull the plug on the system than run it “unsecured” and unsupported. This was a big relief.</p> <p>And will likely be as well to all the enterprise deployments of XP Professional whose IT shops are patiently waiting to jump over Vista and begin taking a closer look at Windows 7 in a year or two.</p> <p>From the post (emphasis mine):</p> <blockquote> <p>Recently there has been a fair amount of press coverage regarding the end of Mainstream Support for Windows XP. Released at the tail end of 2001, Windows XP has been a solid hit in the marketplace and there has been some concern about what the move from Mainstream to Extended Support means for customers. <p><strong><font color="#d90000">To be clear, Microsoft will continue to support Windows XP until 8 April 2014</font></strong> – about five years from now. So what are the differences between Mainstream and Extended? <p>Microsoft divides support for Business and Developer products (including the Windows XP operating system) into two distinct timeframes: Mainstream Support and Extended Support. In a nutshell, <strong>Mainstream Support provides both consumers and enterprise customers with a full offering of support including complimentary support, design change requests, security updates and other kinds of updates for the product.</strong> <p><strong>Extended Support does alter the range of support a bit, but for the vast majority of customers the essential core remains the same. For example, <font color="#d90000">customers will continue to receive free security updates and can call in for paid support until the second Tuesday in April of 2014</font>.</strong> Enterprise customers with Premier Support who may need non-security hotfixes (such as design change requests) should consider enrolling in an optional support program named Extended Hotfix Support (EHS). EHS is required by very few customers as the product has matured to the point where design changes are relatively infrequent. 
For more information on obtaining Extended Hotfix Support, enterprise customers should contact their Microsoft account representative.</p></blockquote> <p><a href="http://support.microsoft.com/lifecycle/#Microsoft%20Support%20Lifecycle%20Policy">Microsoft Support Lifecycle Policy</a> – Microsoft Help and Support – Pretty charts that will probably confuse most everyone seeking to understand what the blog post above clearly states. Have at it kids.</p> <p><strong><font color="#800000">Security/Forensics</font></strong></p> <p><a href="http://windowsir.blogspot.com/2009/05/stuff.html">Stuff</a> – Windows Incident Response blog. Darn if I was clever enough to come up with catchy post leads like that! ;-) Seriously, it covers a nice swath of items including torrent use analysis, full-disk encryption evaluation, and some great System Event ID analysis.</p> <p><a href="http://www.h-online.com/security/Worth-Reading-Analysing-packed-malware--/features/113382">Worth Reading: Analysing packed malware</a> - The H Security. This was a neat find. Heise brings notice that a Piotr Bania has a free PDF paper just released covering a new method developed to circumvent packing-protection methods used by malware authors. This is great reading for malware analysts. <a href="http://piotrbania.com/all/articles/pbania-dbi-unpacking2009.pdf">Generic Unpacking of Self-modifying, Aggressive, Packed Binary Programs</a> (PDF) – Piotr Bania. What was even cooler is that you may recall Piotr as the gentleman who recently brought us his <a href="http://grandstreamdreams.blogspot.com/2009/05/kon-boot-bypass-windows-login-security.html">Kon-Boot: Bypass Windows Login Security</a> non-persistent boot kit tool.</p> <p><a href="http://blog.piotrbania.com/">Piotr Bania Chronicles</a> – Yep. I also was able to track down Piotr’s own personal blogsite as well. Filled with some interesting posts. 
I hope more good stuff is shared by Piotr in the future.</p> <p><a href="http://www.deftlinux.net/2009/05/26/deft-extra-separate-download/">DEFT Extra</a> – The DEFT forensics team, creators of the DEFT LiveCD, has just released their Windows Utility launcher collection. If you download the full LiveCD, you have two choices, boot a system into the DEFT linux environment and the associated tools, or you can put it into a running Windows system and then run the DEFT-Extra tools. It’s a very nice collection of system utilities and some forensics-related tools as well. Now you can download just that package and play with these. Definitely some sweet tools here that just about any technician or sysadmin would find a good use for. Check it out!</p> <p><a href="http://www.l0phtcrack.com/">L0phtcrack 6</a> – Live and Revived! A powerful password auditing and recovery tool. They are offering a free 15-day trial version for <a href="http://www.l0phtcrack.com/download.html">download</a> along with a number of various versions for purchase depending on your deployment needs. See the <a href="http://www.l0phtcrack.com/learn.html">Learn about L0phtCrack</a> for screenshots and more. Of course, if you are on a budget there is always the open source <a href="http://ophcrack.sourceforge.net/">Ophcrack</a> version. I’d be interested to see some side-by-side comparisons…for some reason, my money would probably be on L0phtcrack 6.</p> <p><strong><font color="#800000">Graphics</font></strong></p> <p><a href="http://www.getpaint.net/">Paint.NET</a> has got to be one of the easiest but most powerful freeware photo/image manipulation tools there is. Sure it can’t compare with Photoshop and it’s not quite in the same graphic tool class as the GIMP either. That said if you are looking for an advanced image tool, this is well worth looking into. 
It does require the .NET framework.</p> <p>If you are an experienced Paint.NET user and looking for a bit of the cutting-edge when it comes to performance and features, you can always try out some of the Alpha-version releases of Paint.NET. Only you won’t easily find them from the main product page. You will have to go over to the <a href="http://paintdotnet.forumer.com/viewforum.php?f=46&start=0">Paint.NET v3.5 Preview Center</a> pages to get them.</p> <ul> <li><a href="http://paintdotnet.forumer.com/viewtopic.php?f=46&t=30156">Paint.NET v3.5 Alpha, build 3429 (May 22nd)</a></li> <li><a href="http://paintdotnet.forumer.com/viewtopic.php?f=46&t=30113">Paint.NET v3.5 Alpha, build 3424 (May 17th)</a></li></ul> <p>Yes these are bound to be a bit buggy and in need of additional refinement, but you might just walk away impressed with the performance or feature set offered.</p> <p><a href="http://kurtsh.spaces.live.com/blog/cns!DA410C7F7E038D!5409.entry">Microsoft Research AutoCollage 2008 v 1.1</a> - Windows Live – Kurt Shintaku’s Blog. This is a neat tool that auto-blends various images from a folder into an integrated collage. See the main site-page <a href="http://research.microsoft.com/en-us/um/cambridge/projects/autocollage/">AutoCollage 2008</a> for more information or <a href="http://research.microsoft.com/en-us/um/cambridge/projects/autocollage/Download.aspx">Download it now</a> for a free 30-day trial. <a href="http://research.microsoft.com/en-us/um/cambridge/projects/autocollage/Demos/">Demos</a> at that link or you can purchase for $19.99 at the <a href="http://store.microsoft.com/microsoft/AutoCollage-2008/product/8D6DDFB5?WT.mc_id=autocollage">Microsoft Store</a>.</p> <p><a href="http://dragonfly.labs.autodesk.com/">Autodesk Project Dragonfly</a> – Now THIS is cool. Lavie and Alvis are all over this thing. Autodesk are the makers of one of the most powerful and widespread CAD programs out there. 
I’m frequently working with the Autodesk file viewer to convert CAD drawings into Visio for our team. Anyway, Project Dragonfly is an amazingly detailed and fun web-based 3D CAD application to do design and layout work for your home. It’s fun and no CAD experience is necessary.</p> <p><strong><font color="#800000">GSD Fan Bonus</font></strong></p> <p>So this neat utility find is a bonus treat for all you faithful GSD readers who actually made it to the bottom of this post.</p> <p><a href="http://www.pismotechnic.com/pfm/">Pismo File Mount</a> – freeware -- Pismo Technic Inc. (<a href="http://www.pismotechnic.com/pfm/ap/screenshots/">Screen Shots</a>)</p> <p>Pismo offers a number of interesting products, but the one in particular you need to look for is the <a href="http://www.pismotechnic.com/pfm/ap/">Pismo File Mount Audit Package</a>.</p> <p>Now my favorite freeware tool to mount ISO files as a “virtual drive” has been <a href="http://www.slysoft.com/en/virtual-clonedrive.html">SlySoft Virtual CloneDrive</a>. Besides being free and stable, it’s just fun and easy to use. Sure there is also <a href="http://www.daemon-tools.cc/home">Daemon Tools</a> but it hooks deeper into the system and is toolbar/ad supported which has turned many former fans off it. There are some <a href="http://grandstreamdreams.blogspot.com/2007/03/virtual-removable-media-drive-utilities.html">other virtual drive mounters</a> as well that I have posted about and also the newer <a href="http://arainia.com/software/gizmo/overview.php?nID=4">Gizmo Drive</a> freeware utility as well. (Note: Gizmo Drive also supports Windows 7 in both x32/x64 bit platforms…)</p> <p>I haven’t needed (yet) a Windows 7 compatible program but it appears Pismo File Mount is the solution for virtual drive ISO file mounting in Win 7. Nice. 
Supports Windows 7 x32/x64 bit releases along with previous Windows OS versions.</p> <ul> <li><a href="http://blog.stealthpuppy.com/applications/pismo-file-mount-for-using-isos-in-windows-7">Pismo File Mount for using ISOs in Windows 7</a> – Aaron Parker’s StealthPuppy blog.</li></ul> <p>What seems so appealing is that you can not just mount an ISO file as a virtual drive, but if you don’t need drive-letter access/operation, you can also use it to mount an ISO as a folder to view/access files. That’s pretty handy. Also handles ZIP files in a similar manner.</p> <p>Hopefully you will be as impressed with it as I am. Great tool for you ISO disk jockeys out there.</p> <p>Thanks for hanging around for the final call with me.</p> <p>See you again at the counter real soon.</p> <p>--Claus V.</p> <p><strong>Free: USAF-Hardened Windows Build (…well kinda…)</strong> (posted 2009-05-31)</p> <p align="center"><a href="http://lh6.ggpht.com/_Km3V5JZ6Aws/SUSEnckszvI/AAAAAAAAAeg/HWi6JCUaePE/s1600-h/AC-130H_Spectre%5B3%5D.jpg"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="070824-F-5957S-367" border="0" alt="070824-F-5957S-367" src="http://lh4.ggpht.com/_Km3V5JZ6Aws/SUSEnzpIi7I/AAAAAAAAAek/Zta24K50pk4/AC-130H_Spectre_thumb%5B1%5D.jpg?imgmax=800" width="484" height="208"></a> </p> <p align="right"><font color="#e10000" size="1"><a href="http://en.wikipedia.org/wiki/File:AC-130H_Spectre_jettisons_flares.jpg">Public domain photo: taken by U.S. 
Air Force Senior Airman Julianne Showalter</a></font></p> <p><strong><font color="#800000">Windows: Locked and Loaded?</font></strong></p> <p>About a month ago, there was a Wired story about how Microsoft had developed and offered a super-duper secure version of Windows to the United States Air Force to better protect its Windows deployments and users than the piddling-weak stuff that us private citizens get offered.</p> <p><a href="http://www.wired.com/threatlevel/2009/04/air-force-windows/">Microsoft Offers Secure Windows … But Only to the Government</a> - Wired Threat Level blog.</p> <blockquote> <p>It’s the most secure distribution version of Windows XP ever produced by Microsoft: More than 600 settings are locked down tight, and critical security patches can be installed in an average of 72 hours instead of 57 days. The only problem is, you have to join the Air Force to get it. <p>The Air Force persuaded Microsoft CEO Steve Ballmer to provide it with a secure Windows configuration that saved the service about $100 million in contract costs and countless hours of maintenance. At a congressional hearing this week on cybersecurity, Alan Paller, research director of the Sans Institute, shared the story as a template for how the government could use its massive purchasing power to get companies to produce more secure products. And those could eventually be available to the rest of us. <p>Security experts have been arguing for this “trickle-down” model for years. But rather than wield its buying power for the greater good, the government has long wimped out and taken whatever vendors served them. If the Air Force case is a good judge, however, things might be changing.</p></blockquote> <p>Upon which everybody who pays taxes AND uses Windows moaned and complained about things not being fair that the USAF gets something we don’t; an actual secure version of Windows. 
<p>Only one problem, journalist Kim Zetter got the story pretty darn close to being correct, but left out one important detail. <p>Namely, that the USAF doesn’t actually use a super-weaponized-and-hardened version of Windows made just for them. <p><strong><font color="#800000">Ooops </font></strong> <p><a href="http://www.thetechherald.com/article.php/200919/3635/Microsoft-There-is-no-special-version-of-XP-for-the-Air-Force">Microsoft: There is no special version of XP for the Air Force</a> – The Tech Herald – Security as covered by Steve Ragan: <blockquote> <p>The problem, and the source of the confusion about the article itself, is that Microsoft did not offer a new version or a special version of XP to the Air Force. All Microsoft did was help the Air Force harden GPOs (Group Policy Objects) and images used for deployments when the Air Force made that request. <p>“We agreed to assist, as we do with any company that hires us to assist in setting their own security policy as implemented in Windows. The work from the AF ended up morphing into the Federal Desktop Core Configuration (FDCC) recommendations maintained by NIST. There are differences, but they are essentially the same thing,” said Roger Grimes, Security Architect on the ACE Team at Microsoft. <p>“NIST initially used even more secure settings in the hardening process (many of which have since been relaxed because of operational issues, and is now even closer to what the AF created),” he added. <p>“In the initial article, a lot of the other improvements, such as patching, came from the use of better tools (SCCM, etc.), and were not necessarily solely due to the changes in the base image (although that certainly didn't hurt). So, it seems the author mixed up some of the different technology pushes and wrapped them up into a single story. 
He also seems to imply that this is something special and secret, but the truth is there is more openness with the FDCC program and the surrounding security outcomes than anything we've ever done before,” Grimes continued. </p></blockquote> <p><a href="http://www.schneier.com/blog/archives/2009/05/secure_version.html">Schneier on Security: Secure Version of Windows Created for the U.S. Air Force</a> – Schneier on Security – Even Bruce got caught up and had to make an update as the facts became known. <p>Bruce even included additional (and public) links provided by Microsoft for these projects. <blockquote> <p>Anyone can <a href="http://nvd.nist.gov/fdcc/index.cfm">download</a> the FDCC settings, documentation, and even complete images. I worked on the FDCC project for little over a year, and Aaron Margosis has been involved for many years, and continues to be involved. He <a href="http://blogs.msdn.com/aaron_margosis">offers all sorts of public knowledge</a> and useful tools. <a href="http://blogs.technet.com/fdcc">Here</a>, Aaron has written <a href="http://blogs.technet.com/fdcc/pages/LGPO-Utilities.aspx">a couple of tools</a> that anyone can use to apply FDCC settings to local group policy. It includes the source code, if anyone wants to customize them.</p></blockquote> <p>I’ve been RSS feeding Microsoft’s Aaron Margosis blog and work for a while now, but even his work on this project came as a surprise to me. <p><strong><font color="#800000">F D C C – Ensuring “Aim High” applies to all</font></strong> <p>What is really awesome (to me at least…as teased in this post title) is that the FDCC settings are actually released, almost fully implemented to the standards, in updated VHD virtual machine files for XP Pro and Vista. Free (but time-bombed) for the taking, testing, and tweaking! <p>All this information and work is provided openly by the National Institute of Standards and Technology (NIST) and sponsored by the DHS National Cyber Security Division/US-CERT. 
<blockquote> <p>These recommendations were developed at the National Institute of Standards and Technology, which collaborated with OMB, DHS, DISA, NSA, USAF, and Microsoft to produce the Windows XP and Vista FDCC baseline. </p></blockquote> <ul> <li><a href="http://nvd.nist.gov/fdcc/index.cfm">F D C C</a> – Federal Desktop Core Configuration main page <p></p> <li><a href="http://nvd.nist.gov/fdcc/download_fdcc.cfm">F D C C - Download Page</a> – Filled chock-full-o-nuts of the VHD files for XP/Vista pre-configured (mostly) with these magical security settings, as well as Group Policy Objects (GPO) that could be deployed and tons of documentation on what exactly is going on. <p></p> <li><a href="http://nvd.nist.gov/fdcc/fdcc_faq.cfm#FDCC_Agency_Testing">F D C C - Agency Testing FAQ</a> – Specifically jumps to the FAQ section on working with and using the VHD file packages for testing in Virtual PC sessions. <p></p> <li><a href="http://nvd.nist.gov/fdcc/fdcc_faq.cfm">F D C C – FAQ</a> – The top-page. Lots to read so kick back and take it all in. </li></ul> <p>All-in-all it is amazing stuff. <p>I really appreciate the value that this information and the access to the VHD files offers. It really allows system administrators and security folks to get a sense of just how usable a Windows system remains after many of these configurations have been applied. Now, granted, the Windows systems won’t be quite as friendly to use as, say, the way you’ve set up Grandma Flutter’s Windows system, but it will be much more secure. <p>Think of it as a free computer-lab course in Windows security best-practices configuration for the general public. <p><strong><font color="#800000">But Wait! There’s More!</font></strong> <p><a href="http://blogs.technet.com/fdcc/">Federal Desktop Core Configuration</a> - Microsoft TechNet’s FDCC Blog. Frequently updated with notices of new FDCC releases and configuration policy changes. 
<p><a href="http://blogs.technet.com/fdcc/pages/LGPO-Utilities.aspx">Federal Desktop Core Configuration : Utilities for automating Local Group Policy management</a> - Microsoft TechNet’s FDCC Blog page with the tools for applying the LGPO for the FDCC configurations. <p><a href="http://blogs.technet.com/fdcc/archive/2007/07/13/kicking-off-the-fdcc-blog.aspx">Federal Desktop Core Configuration : Kicking off the FDCC blog</a> – Kurt Dillard introduces the mission and vision behind the FDCC release in this early (and massive) blog post. I’ve snipped it down to (IMHO) the best key takeaway parts: <blockquote> <p>…Microsoft has been collaborating with a handful of federal agencies to create actionable guidance and tools that agencies can use to implement the standard desktop and organizations who do business with the federal government can use to ensure their solutions are compatible with the locked-down configurations. I use the plural "configurations" because there are 2, one for Windows Vista and another for Windows XP. These configurations are collectively known as the Federal Desktop Core Configuration, or FDCC. <p>I know that many organizations are eager to see the details of the FDCC configuration. I've heard from federal agencies that want to start preparing to deploy FDCC as soon as possible. I've also talked to software companies that want to ensure their applications will be fully functional when run on FDCC systems. I've also heard from systems integrators and IT services companies that want to be ready to help their federal customers to deploy and support the FDCC configurations. Microsoft has been working closely with the OMB, NIST, NSA, DISA, DHS, and the USAF and none of us want to publish guidance, tools, and other resources that will have to be updated and corrected repeatedly over the first few weeks. 
<p>At Microsoft we're creating and testing Virtual PC (VPC) images that we hope will help agencies and solutions providers to develop and test applications to run on FDCC compliant systems. These VPC images are not suitable for deployment, they'll be evaluation copies of Windows that will expire after a set period of time, but since they will be preconfigured they should help organizations to jumpstart their testing. <p>You still want to know more details about the settings, don't you? The single most important requirement in the FDCC is that all normal users will have to log in without administrative privileges. Experience has shown us that taking away admin rights from users causes the most challenges: some applications stop working and some users get frustrated that they can no longer install whatever software they want and they can no longer make whatever configuration changes they want to their computers. You can get an idea of what the FDCC configurations will look like by taking a look at the Microsoft security guides (listed on the <a href="http://blogs.technet.com/fdcc/pages/resources.aspx">Resources</a> page), the FDCC settings are similar to the Specialized Security - Limited Functionality (SSLF) settings in our guides. Some of the settings are less restrictive in the FDCC than the SSLF settings, additionally the FDCC covers several dozen less impactful settings that are not documented in the Microsoft security guides. </p></blockquote> <p><strong><font color="#800000">Bonus Find: STIGS Security Checklist Resources</font></strong> <p><a href="http://iase.disa.mil/stigs/checklist/index.html">Security Checklists</a> - Security Technical Implementation Guides (STIGS) and Supporting Documents website. 
Not directly related to the FDCC efforts, but provides additional checklists and documentation “…(sometimes referred to as a lockdown guide, hardening guide, or benchmark configuration)…contains instructions or procedures to verify compliance to a baseline level of security.” <p>Browse around to see if this material could be beneficial in understanding and implementing additional system security (and program security) within your organization. <p>There is also a <a href="http://iase.disa.mil/stigs/compilation/index.html">DoD General Purpose STIG, Checklist, and Tool Compilation CD</a> in both heavy and lite versions which contains most all of the material on the site. <p>You might also want to take a look specifically at these offerings: <ul> <li><a href="http://iase.disa.mil/stigs/checklist/windows_vista_checklist_v6r1-11_20090424.zip">Windows Vista Security Checklist Version 6, Release 1.11</a> <li><a href="http://iase.disa.mil/stigs/checklist/windows_xp_checklist_v6r1-11_20090424.zip">Windows XP Security Checklist Version 6, Release 1.11</a> <li><a href="http://iase.disa.mil/stigs/checklist/windows_2003_checklist_v6r1-11_20090424.zip">Windows 2003 Security Checklist Version 6, Release 1.11</a> <li><a href="http://iase.disa.mil/stigs/checklist/windows_2008_checklists_v6r1-4_20090424.zip">Windows 2008 Security Checklist Version 6, Release 1.4</a></li></ul> <p>Locked and loaded, indeed! <p>Cheers! <p>--Claus V. 
</p> <p><strong>Outlook Thread Compressor: New Escapee from Redmond</strong> (posted 2009-05-31)</p> <p><img style="border-bottom: 0px; border-left: 0px; display: inline; margin-left: 0px; border-top: 0px; margin-right: 0px; border-right: 0px" title="image" border="0" alt="image" align="right" src="http://lh6.ggpht.com/_Km3V5JZ6Aws/SiLXRITDIJI/AAAAAAAAAuI/hBdTHtmkKI4/image%5B3%5D.png?imgmax=800" width="244" height="188"> </p> <p>Nothing I like better than digging up an internal tool of Microsoft that gets released quietly on the web for free.</p> <p>Particularly when it comes with all kinds of dire warnings and a back-story about the legal-team at Microsoft not allowing it to be released on the Downloads pages by the developer for general consumption by the public for fear MS would be sued because it actually might lead folks who misuse it to delete their emails.</p> <p>Fun! Sign me up!</p> <p><strong><font color="#800000">Outlook Thread Kompressor</font></strong></p> <p>Last night while stumbling across some new IT sysadmin blogs I found some recent references to this internal Microsoft tool for Outlook.</p> <p>It is the coding genius of a Microsoft employee named Ewan Dalton. And I think the only thing that would make it more impressive would be to use the German word for “compressor…”</p> <ul> <li><a href="http://threadcompressor.co.uk/default.aspx">Outlook Thread Compressor Utility</a></li></ul> <blockquote> <p><strong>Thread Compressor </strong>is an add-in to Microsoft Outlook, which removed unnecessary emails from a "thread" - reducing the amount of storage required (maybe keeping your mailbox within its size quota) and reducing the number of emails you need to read. 
<p>TC was developed inside Microsoft from 1999 onwards, and attracted a large following (up to 30,000 users) but has never (officially) been made available externally, due to the fact that it will delete data unless it is configured not to. I've decided to share it more widely now. <p>Let me say that again: Thread Compressor, as it is configured by default,<strong> <u>WILL DELETE DATA FROM YOUR INBOX</u>. </strong> <p>If you choose to download it and use it from here, you do it with the author's blessing<strong>, but it's <u>completely at your own risk</u> </strong>and Microsoft cannot be held responsible for what it does<strong>. </strong> <p><strong>If you're in any doubt about this, then <u>do not use this tool</u>. </strong></p></blockquote> <p align="center"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/_Km3V5JZ6Aws/SiLXRdV0QYI/AAAAAAAAAuM/ztkZTWFysJM/image%5B8%5D.png?imgmax=800" width="404" height="271"> </p> <p>Is that cool or what!!</p> <p>It even supports logging of actions taken, and some advanced exception rules.</p> <p>Basically what it does is use internal-to-Outlook message IDs to figure out the parts of an email thread. It then deletes every email whose content already exists as part of a larger message in the same thread.</p> <p>I’m horrible about this. I will keep my original (sent) email, and the reply, and all additional replies as separately-saved emails. That is likely one reason why my primary Outlook PST file is so very, very large.</p> <p>Now, depending on your email-retention guidelines in the workplace you might need to save all those. 
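</p> <p>An added example, not Thread Compressor's own algorithm (the page describes it only as working from message IDs and threads): a dry-run planner that proposes a message for removal only when a later reply in its thread carries its text verbatim, so a reply that edits the quoted text leaves the original in place. The <code>Msg</code> fields, the <code>&gt;</code> quote convention and the sample mailbox are constructed assumptions.</p>

```python
"""Dry-run thread compression planner (constructed example).

A message is only proposed for removal when a later reply in the same thread
carries its full text verbatim; nothing is ever deleted here.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Leading "> " markers (any depth) used by plain-text replies. Assumption:
# real Outlook mail may quote differently (HTML, "-----Original Message-----").
QUOTE_RE = re.compile(r"^\s*(?:>\s?)+")


@dataclass(frozen=True)
class Msg:
    msg_id: str               # hypothetical stand-in for the message ID
    parent_id: Optional[str]  # ID of the message this one replies to
    body: str


def normalize(body: str) -> str:
    """Drop quote markers and collapse whitespace so quoting depth and
    re-wrapping do not hide a verbatim copy."""
    lines = (QUOTE_RE.sub("", line) for line in body.splitlines())
    return " ".join(" ".join(lines).split())


def has_quote(body: str) -> bool:
    return any(QUOTE_RE.match(line) for line in body.splitlines())


def descendants_of(msgs: List[Msg]) -> Dict[str, List[Msg]]:
    """Map each message ID to every later reply below it in the thread."""
    children = defaultdict(list)
    for m in msgs:
        if m.parent_id is not None:
            children[m.parent_id].append(m)
    result = {}
    for m in msgs:
        seen, stack, found = {m.msg_id}, list(children[m.msg_id]), []
        while stack:
            d = stack.pop()
            if d.msg_id in seen:      # guards against reply loops
                continue
            seen.add(d.msg_id)
            found.append(d)
            stack.extend(children[d.msg_id])
        result[m.msg_id] = found
    return result


def plan(msgs: List[Msg]) -> Dict[str, Tuple[str, str]]:
    """Return {msg_id: (action, detail)} without touching any message."""
    desc = descendants_of(msgs)
    out = {}
    for m in msgs:
        needle = normalize(m.body)
        cover = next((d for d in desc[m.msg_id]
                      if needle and needle in normalize(d.body)), None)
        if cover is not None:
            out[m.msg_id] = ("redundant", cover.msg_id)
        elif any(has_quote(d.body) for d in desc[m.msg_id]):
            # A reply quotes something, but not this text word for word:
            # removing the original would leave only the altered version.
            out[m.msg_id] = ("keep", "quoted copy differs from original")
        else:
            out[m.msg_id] = ("keep", "no later copy")
    return out


# Constructed sample mailbox: thread "a" is quoted faithfully, thread "b"
# has a reply that changes the quoted figure, thread "c" is not quoted.
SAMPLE = [
    Msg("a1@example.test", None, "Can we ship Friday?"),
    Msg("a2@example.test", "a1@example.test",
        "Yes, QA signed off.\n> Can we ship Friday?"),
    Msg("a3@example.test", "a2@example.test",
        "Great, tagging the release.\n> Yes, QA signed off.\n> > Can we ship Friday?"),
    Msg("b1@example.test", None, "Budget is 5k for Q3."),
    Msg("b2@example.test", "b1@example.test",
        "Approved.\n> Budget is 50k for Q3."),
    Msg("b3@example.test", "b2@example.test",
        "Ordering now.\n> Approved.\n> > Budget is 50k for Q3."),
    Msg("c1@example.test", None, "Lunch?"),
    Msg("c2@example.test", "c1@example.test", "Sure."),
]

if __name__ == "__main__":
    for msg_id, (action, detail) in plan(SAMPLE).items():
        print(f"{action:9} {msg_id:18} {detail}")
```

<p>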
But if not, this tool promises to clean house and whittle down all those multiply-appearing instances.</p> <p>Installation is not for the faint of heart.</p> <p>The application itself works on all Microsoft Outlook versions (Outlook 2000, 2002, Office Outlook 2003, 2007) for Windows running on all versions of Windows post Windows 2000.</p> <p>From the program page:</p> <blockquote> <p><strong>INSTALLING</strong> <p>* Firstly, <a href="http://threadcompressor.co.uk/Documents/threadc4.zip">download the ZIP</a> and save it locally. <p>* Create a folder you'll find again - I'd suggest <strong>C:\Program Files\Thread Compressor </strong>or similar. <p>* Start a command prompt - WindowsKey-R then <br><strong>cmd </strong><em>&lt;enter&gt;</em> <em>(though if you're on Vista or Win7, just press WindowsKey, type cmd, then right-click on the <strong>cmd</strong> icon and choose "Run as Administrator")</em> <p>In the command prompt, type: <p><strong>cd c:\program files\thread compressor </strong>(or wherever you put the files) <p><strong>regsvr32 comdlg32.ocx</strong> <p><strong>regsvr32 msflxgrd.ocx</strong> <p><strong>regsvr32 tabctl32.ocx</strong> <p><strong>regsvr32 threadc4.dll</strong> <p>Download the latest CDO file <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=2714320D-C997-4DE1-986F-24F081725D36&displaylang=en">from here</a>, save it somewhere, expand it out and run the install from the <strong>ExchangeCDO.msi </strong>file. <p>Now start Outlook: how you actually install the addin will vary depending on your version of Outlook, but try: <p>Tools | Options | Advanced | Add-ins, <p>or Tools | Trust Center | Add-ins | [then hit Go to manage COM add-ins] <p>and add the <strong>threadc4.dll</strong> file manually. 
If it's successful, you should see Compress Threads on the Tools menu, and you'll get a splash screen next time you start Outlook.</p></blockquote> <p>Got all that?</p> <p>By the way, “CDO” stands for the <em>Collaboration Data Objects</em> package.</p> <p>Like I said, a geek’s tool only for brave geeks.</p> <p>What surprised me even more was that there were quite a few other posts referring / reviewing / remarking on this neat utility.</p> <p><a href="http://blogs.technet.com/ewan/archive/2009/04/11/outlook-thread-compressor-download-now-available.aspx">Outlook Thread Compressor download now available</a> – Ewan Dalton’s (creator of Thread Compressor) The Electric Wand blog. Good overview of the tool from the developer’s perspective.</p> <p><a href="http://blogs.technet.com/ewan/archive/2007/04/23/thread-compressor-for-outlook-do-you-want-it.aspx">Thread Compressor for Outlook - do you want it?</a> – Ewan’s The Electric Wand blog post from 2007 where he teases about an earlier version and provides some credit to others who also worked on the guts of the tool.</p> <blockquote> <p><em>* The really smart bit of TC was actually put together by a guy called Peter Lamsdale. All I did was take his algorithm - which I still have difficulty understanding much less explaining - and strap a UI around it. An earlier version of TC was published (unofficially) on </em><a href="http://www.exchange-mail.org/threadc4.zip"><em>a website</em></a><em> and an </em><a href="http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=25119&DisplayTab=Article"><em>article was written about it by Evan Morris</em></a><em>. 
There is even an </em><a href="http://download.microsoft.com/download/a/0/2/a02da9ac-fe8f-4c34-9498-d86c8da93bdb/threadcompressor.exe"><em>unconnected MSDN bit of sample code</em></a><em> which is nowhere near as effective (IMHO)</em></p></blockquote> <p>In that post he also spells out some more warnings, besides the fact it really does an excellent job of deleting actual emails that are replicated in threaded replies:</p> <blockquote> <p>... but some obvious potential downsides... <ul> <li>The assumption at the top of this post. If I reply to someone's email, but <em>change the contents of their original message in the reply</em>, then TC will retain the modified version and it will look like the originator really said that. There may be ways to work around this limitation now, but I never bothered to figure them out. <li>Legal compliance - maybe you need to keep a copy of every mail for compliance purposes: if so, users programmatically deleting messages could be a *bad thing*. <li>erm, can't think of any/many more...</li></ul></blockquote> <p><a href="http://blog.tiensivu.com/aaron/archives/1856-Outlook-Thread-Compressor-saved-100MB-of-redundant-e-mail-for-me!-Use-with-care!.html">Outlook Thread Compressor - saved 100MB of redundant e-mail for me! 
Use with care!</a> - Aaron Tiensivu’s Blog</p> <p><a href="http://kurtsh.spaces.live.com/blog/cns!DA410C7F7E038D!3357.entry">Thread Compressor for Outlook… works with 2007!</a> – Kurt Shintaku’s Blog.</p> <p>I can’t wait to get some free-time at work to load this up on a test machine and feed it a copy of some of my PST files.</p> <p>I’m planning on testing it on duplicate PST files first so I can get acquainted with it and have a better understanding of its operation before I go and feed it my real Outlook PST file.</p> <p>This rates up there as one of the best software finds of May.</p> <p><strong><font color="#800000">Bonus Outlook tools.</font></strong></p> <p>For some additional tools to help you manage Outlook files and contents, don’t forget about all the awesome (and portable) Outlook tools offered recently by Nir Sofer.</p> <p><a href="http://www.nirsoft.net/utils/index.html#outlook_utils">Outlook/Office Utilities</a> - (freeware) – NirSoft.</p> <p><a href="http://www.nirsoft.net/utils/outlook_nk2_autocomplete.html">NK2View</a> - (freeware) - Did you know that if you use Outlook the email names used in the To/Cc fields are retained? The NK2 file is the "auto-complete" file. Great place to review if you are auditing an Outlook user's PC. Anyway, this handy utility allows you to view the NK2 file, display all the email address records stored, and export them into various file formats. Handy for security techs. Also allows you to quickly edit, sort, save/restore, and delete items in the file itself. Particularly useful if you need to bulk-edit the contents due to changes/conversions in corporate address book items. </p> <p><a href="http://www.nirsoft.net/utils/outlook_attachment.html">OutlookAttachView</a> - (freeware) – This utility can help you locate, extract and/or remove attachments embedded in your Outlook email messages. 
It displays the list of attached files in your Outlook's mailbox, and allows you to easily select all attachments that you need, and then extract them into a folder that you choose. <p><a href="http://www.nirsoft.net/utils/outlook_statistics.html">OutlookStatView</a> - (freeware) – Nir is on a roll! For all you Outlook junkies out there, this tool can gather a lot of great statistics on your email habits. Quoting from Nir’s description, “OutlookStatView scans your Outlook mailbox, and display a general statistics about the users that you communicate via emails. For each user/email, the following information is displayed: The number of outgoing messages that you sent to the user (separated by to/cc/bcc), the number of incoming message that the user sent to you, the total size of messages sent by the user, the email client software used by this user, and the time range that you send/received emails with the specified user.” <p>Cheers!</p> <p>--Claus V.</p> <p><strong>Cisco VPN Clients and Windows 7</strong> (posted 2009-05-30)</p> <p><strong><em><font color="#d90000">Update</font></em></strong>: <em>See more important information at bottom of post</em>.</p> <p>When I am outside the network and need to get in, I use a Cisco VPN client for XP Professional (32-bit).</p> <p>It’s very straight-forward to install, get configured, then get connected.</p> <p>So far I haven’t had to mess with Cisco VPN clients and either Windows 7 or 64-bit versions of Windows (or both at once).</p> <p>However, I was asked the other day IF there was a solution for running Cisco VPN on Windows 7 64 bit.</p> <p>Not a direct one that I know of, yet.</p> <p>From the <a 
href="http://www.cisco.com/en/US/products/sw/secursw/ps2308/">VPN Client - Cisco - Cisco Systems</a> page:</p> <blockquote> <p>The Cisco VPN client supports Windows 2000, XP and Vista (x86/32-bit only); Linux (Intel); Mac OS X 10.4; and Solaris UltraSparc (32 and 64-bit). For x64 (64-bit) Windows support, you must utilize Cisco's next-generation <a href="http://www.cisco.com/en/US/products/ps8411/prod_maintenance_guides_list.html">Cisco AnyConnect VPN Client.</a></p></blockquote> <p>The <a href="http://www.cisco.com/en/US/products/ps8411/tsd_products_support_series_home.html">Cisco AnyConnect VPN Client – Support</a> pages have quite a lot of info on this product. In the <a href="http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect23/release/notes/anyconnect23rn.html">Release Notes for Cisco AnyConnect VPN Client, Release 2.3</a> the supported Windows systems are pretty tight.</p> <blockquote> <p>Windows Versions <ul> <li>Windows Vista—32- and 64-bit Microsoft Windows Vista SP2 or Vista Service Pack 1 with KB952876. <li>Windows XP SP2 and SP3. <li>Windows 2000 SP4. </li></ul></blockquote> <p>No official support for Windows 7. Though I guess someone might be brave enough to dump it on a Windows 7 64-bit system and see if the Vista 64-support is close enough to carry over.</p> <p><strong><font color="#800000">Cisco VPN Client Solution for Windows 7 64-bit (for now)</font></strong></p> <p>The only work-around that came to my mind (as well as Nicholas Caito’s) was to create a 32-bit OS virtual machine of XP or Vista and then load the traditional Cisco VPN client into that container. 
Then launch and run your connection needs from within that VM.</p> <p>Nicholas Caito’s illustrated how-to is linked below:</p> <ul> <li><a href="http://xenomorph.net/use-cisco-vpn-under-vista-x64">Use Cisco VPN under Windows x64 (XP, Vista and Windows 7)</a> – Xenomorph.net Blog</li></ul> <p><strong><font color="#800000">Cisco VPN Client Solution for Windows 7 32-bit (for now)</font></strong></p> <p>Windows 7 32-bit users are also a “bit” on their own as well.</p> <p>However, there has been quite a lot more work done by the frustrated sysadmin crowd on this front.</p> <p>The main complaint is that once folks install the Cisco VPN client on Windows 7, it seems to be working fine but they get treated to a BSOD on reboot.</p> <p>Bummers.</p> <p>Fortunately, there seem to be well-regarded workarounds…and they do require a bit of work.</p> <ul> <li><a href="http://blog.tiensivu.com/aaron/archives/1817-How-to-prevent-Cisco-VPN-client-version-5.0.4.0300-installation-from-bluescreening-Windows-7-x32-Build-7000.html">How to prevent Cisco VPN client version 5.0.4.0300 installation from bluescreening Windows 7 x32 Build 7000</a> – Aaron Tiensivu’s Blog</li></ul> <p>From Aaron’s hard-fought efforts:</p> <blockquote> <p><strong>Updated with notes from JoshP - 100% working:</strong><br>I have tried many--many different ways to get the Cisco VPN client install on Windows 7--all resulting in BSOD (ndis.sys). I have found the following procedure has worked 100% of the time on multiple hardware platforms (including VMware):</p> <p>1. Install Cisco DNEupdate.<br>2. Reboot<br>3. Take ownership and delete ndis.sys (in c:\windows\system32\drivers).<br>4. Take ownership and delete ndis.sys.mui (in c:\windows\system32\drivers\en-us).<br>5. Install Cisco VPN Client 5.0.04.0300.<br>6. Reboot<br>7. Windows 7 will repair itself (should take a few seconds) and automatically reboot.<br>8. 
Cisco VPN Client should work without any other tweaks.</p></blockquote> <p>As Mark Wilson points out in his blog post (linked below), the DNEupdate is actually the <a href="http://www.citrix.com/lang/English/lp/lp_1680845.asp">Citrix Deterministic Network Enhancer (DNE) update</a>. He provided this <a href="ftp://files.citrix.com/dneupdate.msi">direct link to the installer file</a>.</p> <ul> <li><a href="http://www.markwilson.co.uk/blog/2009/02/installing-the-cisco-vpn-client-on-windows-7.htm">markwilson.it » Installing the Cisco VPN client on Windows 7</a> – Mark Wilson’s blog <li><a href="http://weblogs.asp.net/bhouse/archive/2009/01/15/how-to-successfully-install-cisco-vpn-client-on-windows-7.aspx">How to (Successfully) Install Cisco VPN Client on Windows 7</a> - Brenton House’s blog</li></ul> <p>So with full props to Aaron, Mark, and Brenton, go get your Cisco VPN for Windows 7 on.</p> <p>As for me?</p> <p>Well, I’m resigned to the likelihood that our shop will be chugging on down the tracks on XP Pro deployments for many years to come…</p> <p>It’s a mixed blessing.</p> <p>Claus</p> <p><strong><font color="#d90000">Update</font></strong>: While chasing down another rabbit on the intertubes, I found this post which has quite a lot of great information regarding Cisco VPN clients and Windows 7 compatibility:</p> <ul> <li><a href="http://blogs.technet.com/rrasblog/archive/2009/05/05/vpn-client-compatibility-with-windows-7-and-windows-server-2008-r2.aspx">VPN Client Compatibility with Windows 7 and Windows Server 2008 R2</a> – Routing and Remote Access Blog</li></ul> <p>From that post, Ashish Jain, the Program Manager for Routing and Remote Access, provides extensive VPN client tables with linkage on the following VPN clients for Windows 7: AT&T, Checkpoint, CISCO, Citrix, F5, Juniper, NCP, NetGear, Nortel, SafeNet, and Sonic Wall.</p> <p>If you have to do VPN support, it might be worthwhile to bookmark or RSS feed the <a 
href="http://blogs.technet.com/rrasblog/default.aspx">Routing and Remote Access Blog</a>. <p>As I’m interested only in the Cisco client, here is an edited version of that particular table that Ashish provides: <p><span><strong><font size="2">CISCO</font></strong></span> </p> <table style="border-bottom: medium none; border-left: medium none; border-collapse: collapse; border-top: medium none; border-right: medium none" class="TablewithHeader" border="1" cellspacing="0" cellpadding="0" width="532"> <thead> <tr> <td style="border-bottom: gray 1pt solid; border-left: gray 1.5pt solid; padding-bottom: 0in; padding-left: 4.3pt; width: 66.75pt; padding-right: 4.3pt; background: rgb(217,217,217); border-top: gray 1.5pt solid; border-right: gray 1pt solid; padding-top: 0in; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial" valign="top" width="105"> <p style="line-height: 11pt" class="MsoNormal"><b><span style="font-size: 9pt"><font size="1">VPN Client<o:p></o:p></font></span></b></p></td> <td style="border-bottom: gray 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 45.35pt; padding-right: 4.3pt; background: rgb(217,217,217); border-top: gray 1.5pt solid; border-right: gray 1pt solid; padding-top: 0in; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial" valign="top" width="86"> <p style="line-height: 11pt" class="MsoNormal"><b><span style="font-size: 9pt"><font size="1">Platform<o:p></o:p></font></span></b></p></td> <td style="border-bottom: gray 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 41.6pt; padding-right: 4.3pt; background: rgb(217,217,217); border-top: gray 1.5pt solid; border-right: gray 1pt solid; padding-top: 0in; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial" valign="top" 
width="83"> <p style="line-height: 11pt" class="MsoNormal"><b><span style="font-size: 9pt"><font size="1">Version<o:p></o:p></font></span></b></p></td> <td style="border-bottom: gray 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 102.65pt; padding-right: 4.3pt; background: rgb(217,217,217); border-top: gray 1.5pt solid; border-right: gray 1pt solid; padding-top: 0in; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial" valign="top" width="123"> <p style="line-height: 11pt" class="MsoNormal"><b><span style="font-size: 9pt"><font size="1">Download URL<o:p></o:p></font></span></b></p></td> <td style="border-bottom: gray 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 1.75in; padding-right: 4.3pt; background: rgb(217,217,217); border-top: gray 1.5pt solid; border-right: gray 1pt solid; padding-top: 0in; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial" valign="top" width="10"> <p style="line-height: 11pt" class="MsoNormal"><b><span style="font-size: 9pt"><font size="1">More information<o:p></o:p></font></span></b></p></td> <td style="border-bottom: gray 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 63pt; padding-right: 4.3pt; background: rgb(217,217,217); border-top: gray 1.5pt solid; border-right: gray 1.5pt solid; padding-top: 0in; -moz-background-clip: -moz-initial; -moz-background-origin: -moz-initial; -moz-background-inline-policy: -moz-initial" valign="top" width="123"> <p style="line-height: 11pt" class="MsoNormal"><b><span style="font-size: 9pt"><font size="1">Tested on Windows 7 Build<o:p></o:p></font></span></b></p></td></tr></thead> <tbody> <tr> <td style="border-bottom: 1pt solid; border-left: 1.5pt solid; padding-bottom: 0in; padding-left: 4.3pt; width: 66.75pt; padding-right: 4.3pt; border-top: medium none; 
border-right: 1pt solid; padding-top: 0in" valign="top" width="105"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">Cisco AnyConnect VPN Client (SSL VPN)</font></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 45.35pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="87"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">x86</font></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 41.6pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="84"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">2.3.x</font></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 102.65pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="123"> <p style="line-height: 12pt" class="MsoNormal"><a href="http://www.cisco.com/kobayashi/sw-center/sw-vpn.shtml"><span><font size="1">Click Here</font></span></a></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 1.75in; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="10"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">You must have a Cisco.com user account to download.</font></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 63pt; padding-right: 4.3pt; border-top: medium none; border-right: 1.5pt solid; padding-top: 0in" valign="top" width="123"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">7048</font></p></td></tr> <tr> <td style="border-bottom: 1pt solid; border-left: 1.5pt solid; 
padding-bottom: 0in; padding-left: 4.3pt; width: 66.75pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="105"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">Cisco AnyConnect VPN Client (SSL VPN)</font></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 45.35pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="87"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">x64</font></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 41.6pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="84"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">2.3.x</font></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 102.65pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="123"> <p style="line-height: 12pt" class="MsoNormal"><a href="http://www.cisco.com/kobayashi/sw-center/sw-vpn.shtml"><span><font size="1">Click Here</font></span></a></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 1.75in; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="10"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">You must have a Cisco.com user account to download.</font></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 63pt; padding-right: 4.3pt; border-top: medium none; border-right: 1.5pt solid; padding-top: 0in" valign="top" width="123"> <p style="line-height: 12pt" class="MsoNormal"><font 
size="1">7048</font></p></td></tr> <tr> <td style="border-bottom: 1pt solid; border-left: 1.5pt solid; padding-bottom: 0in; padding-left: 4.3pt; width: 66.75pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="105"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">Cisco VPN Client (IPsec)</font></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 45.35pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="87"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">X86</font></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 41.6pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="84"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">5.0.5+</font></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 102.65pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="123"> <p style="line-height: 12pt" class="MsoNormal"><a href="http://www.cisco.com/kobayashi/sw-center/sw-vpn.shtml"><span><font size="1">Click Here</font></span></a></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 1.75in; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="10"> <p style="line-height: 12pt" class="MsoNormal"><o:p><font size="1"> </o:p></font></p></td> <td style="border-bottom: 1pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 63pt; padding-right: 4.3pt; border-top: medium none; border-right: 1.5pt solid; padding-top: 0in" valign="top" width="123"> <p 
style="line-height: 12pt" class="MsoNormal"><o:p><font size="1"> </o:p></font></p></td></tr> <tr> <td style="border-bottom: 1.5pt solid; border-left: 1.5pt solid; padding-bottom: 0in; padding-left: 4.3pt; width: 66.75pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="105"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">Cisco VPN Client (IPsec)</font></p></td> <td style="border-bottom: 1.5pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 45.35pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="87"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">x64</font></p></td> <td style="border-bottom: 1.5pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 41.6pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="84"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">5.0.5+</font></p></td> <td style="border-bottom: 1.5pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 102.65pt; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="123"> <p style="line-height: 12pt" class="MsoNormal"><a href="http://www.cisco.com/kobayashi/sw-center/sw-vpn.shtml"><span><font size="1">Click Here</font></span></a></p></td> <td style="border-bottom: 1.5pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 1.75in; padding-right: 4.3pt; border-top: medium none; border-right: 1pt solid; padding-top: 0in" valign="top" width="10"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">No official support for this version planned by Cisco. 
Use the Cisco AnyConnect VPN Client for both Windows 7 and x64 support</font></p></td> <td style="border-bottom: 1.5pt solid; border-left: medium none; padding-bottom: 0in; padding-left: 4.3pt; width: 63pt; padding-right: 4.3pt; border-top: medium none; border-right: 1.5pt solid; padding-top: 0in" valign="top" width="123"> <p style="line-height: 12pt" class="MsoNormal"><font size="1">7048</font></p></td></tr></tbody></table> <p class="TableSpacing"><o:p> </o:p> <p>There you go for now….</p> <p>--C.V.</p> Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-50613344429409916082009-05-30T15:31:00.001-05:002009-05-30T15:31:07.432-05:00Kon-Boot post (minor) update<p>Just a couple of additional notes regarding the recent post on Kon-Boot. </p> <ul> <li><a href="http://grandstreamdreams.blogspot.com/2009/05/kon-boot-bypass-windows-login-security.html">Kon-Boot: Bypass Windows Login Security (and some helpful blocking solutions)</a></li></ul> <p><strong><font color="#800000">TrueCrypt 6.2 Update and Kon-Boot Protection</font></strong></p> <p>Commenter “Bozo” posted <a href="http://grandstreamdreams.blogspot.com/2009/05/kon-boot-bypass-windows-login-security.html#comment-1441605375917184579">this question</a>:</p> <blockquote> <p>Hey Claus, could it be that TrueCrypt gathers some info about the BIOS (for example, size of BIOS and a hash code)? and the too much memory error reflects TrueCrypt detecting BIOS corruption?</p></blockquote> <p>And my response was thus:</p> <blockquote> <p>I don't think so.</p> <p>Now, I'm not a TrueCrypt advanced user. I've used it in this test for whole-disk encryption/preboot authentication, but mostly I use it to create truecrypt volume files that can protect key files.</p> <p>As far as I know, TrueCrypt doesn't do any BIOS hashing. 
And I guess that's a good thing. Imagine the headache you would have if it did and you did a BIOS flash to upgrade the system. Bummer.</p></blockquote> <p>While I was responding, I did check in with TrueCrypt for more info and discovered some more items that could have a bearing on Kon-Boot.</p> <p>On May 11th, 2009, TrueCrypt released version <a href="http://www.truecrypt.org/docs/version-history">6.2 with new features</a>.</p> <blockquote> <p>The boot loader now supports motherboards with BIOSes that reserve large amounts of base memory (typically for onboard RAID controllers). Note: In order to be able to take advantage of this improvement under Windows Vista, you will have to install Service Pack 1 or higher first. Service Pack 1 for Windows Vista resolved an issue causing a shortage of free base memory during system boot. (Windows Vista / XP / 2008 / 2003)</p></blockquote> <p>See also these links:</p> <ul> <li><a href="http://74.125.155.132/search?q=cache:pdplByssrVgJ:en.community.dell.com/forums/t/19247169.aspx+truecrypt+bios+error&cd=1&hl=en&ct=clnk&gl=us">Dell studio xps i7: "bios reserved too much memory" error with TrueCrypt 6.1a</a> - Google Cache page</li> <li><a href="http://www.opennet.ru/base/exploits/1220459883_256.txt.html">[IVIZ-08-003] TrueCrypt Security Model bypass exploiting wrong BIOS API usage</a></li> <li><a href="http://www.h-online.com/security/TrueCrypt-6-2-disk-encryption-software-released--/news/113259">TrueCrypt 6.2 disk encryption software released</a> - Heise Security</li></ul> <p>All this really left me with the impression that the TrueCrypt “pre-boot authentication” was programmed to load itself into the BIOS memory range before it allows the handoff to the system boot. 
I (still) haven't looked at a TrueCrypt encrypted system's MBR at the sector-level, but I suspect once the BIOS loads to the RAM section, that points to the MBR where it finds the instruction set to load the TrueCrypt loader which has to load into the same lower basic memory range shared with the BIOS. </p> <p>Normally that wouldn't pose any problems, but in the case of a Kon-Boot pre-load, it has already loaded its own modified instruction set into that same BIOS memory range first. So when TrueCrypt comes along and tries to jump on the hay-ride trailer, there is no room left so it fails out.</p> <p>When I did the first Kon-Boot protection test with TrueCrypt in my original post, I used version 6.1a as can be seen in the screen capture.</p> <p>With the change of Version 6.2 and its support for systems that load/reserve larger amounts of base-memory for the BIOS, I didn’t know if TrueCrypt still provides that "protection" or not since it...just the situation which might occur with Kon-Boot jumping into the base system memory range first.</p> <p>So I tested it this morning on an XP Pro virtual machine.</p> <p>I set a new local-user account password and verified I could not log onto the account unless the correct password was used. Then I booted it with Kon-Boot and successfully bypassed the password to verify Kon-Boot was working correctly. <p>Then I used TrueCrypt version 6.2 to fully encrypt the drive, set a volume password for pre-boot authentication. 
<p>I booted the system again with Kon-Boot. <p align="center"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="2009-05-30_112712" border="0" alt="2009-05-30_112712" src="http://lh5.ggpht.com/_Km3V5JZ6Aws/SiGXirDdf-I/AAAAAAAAAuE/e-vxiECMFi0/2009-05-30_112712%5B4%5D.jpg?imgmax=800" width="484" height="356"> </p> <p>Nope; TrueCrypt still would not boot the system and gave the same error as last time: <blockquote> <p>Error: BIOS reserved too much memory: 569</p></blockquote> <p>It seems that once Kon-Boot had injected itself into the boot memory, there still wasn’t enough base system memory left for TrueCrypt to do its thing and bring the system up. So the boot kit hack failed even under version 6.2. <p>I would say this: it looks like TrueCrypt's "protection" against boot kits (Kon-Boot specifically) is more accidental than by actual design (as in Microsoft's TPM mode).</p> <p><strong><font color="#800000">The Real Benefit of WDE</font></strong></p> <p>As I mentioned in my earlier post, Microsoft’s Trusted Platform Mode (TPM) acts in concert with a TPM system-chip to authenticate the core system files during the boot process. 
If the expected measurements are off, then the system won’t continue booting.</p> <p>Whole Disk Encryption (WDE) is another solution offered by quite a few vendors, ranging from $$$$ to free.</p> <p>I mentioned three:</p> <ul> <li><a href="http://na.store.pgp.com/whole_disk_encryption.html">PGP Whole Disk Encryption</a> – commercial product.</li> <li><a href="http://www.truecrypt.org/">TrueCrypt</a> – Open Source product.</li> <li><a href="http://www.ce-infosys.com/english/downloads/free_compusec/index.html">CE-Infosys CompuSec</a> – Freeware product offered by commercial vendor.</li></ul> <p>In listing them and demonstrating their (current) ability to shrug-off Kon-Boot’s smoke-and-mirrors manipulation of the BIOS to boot-loader to kernel loading, I may have left the wrong perception of their protection.</p> <p>Unlike TPM, I believe that the protection they offer against off-system (LiveCD) booting boot kits like Kon-Boot is <em>purely incidental</em>. Specifically, while they do serve to prevent Kon-Boot from staying resident past their authentication scheme (if they will allow it at all), that isn’t actually the true security they provide to the system.</p> <p>Whole disk encryption, when properly deployed, renders data on the entire disk (or encrypted volume(s)) completely inaccessible to unauthorized folks. Period.</p> <p>If anyone were to boot a system with a LiveCD, capture an image, or yank the drive, all they would find is apparently “randomized” garbage across most all the sectors. 
Sure it is theoretically and practically possible that the passphrase could be <a href="http://www.elcomsoft.com/edpr.html">brute-forced and broken</a>, but WDE should discourage all but the most determined or persistent or resource-supported folks.</p> <p>Because whole disk encryption solutions prevent unauthorized, unauthenticated access to the drive—period—boot kits like Kon-Boot, Vbootkit, and BootRoot just don’t work because the penetrator first has to authenticate the pre-boot loader protection, and decrypt the drive to get working. And then, if they did have (or breach) the WDE layer, they still wouldn’t be able to use Kon-Boot to get past the local-user password.</p> <p>Granted, if someone can break the WDE layer authentication, then they have pretty much pwned the system and could off-load files from the system, booted to or past the OS security layer at will. And if that is the case, you my friend have much more serious issues to worry about than Kon-Boot protection.</p> <p>So, the whole disk encryption security layer isn’t based on Microsoft’s rather weak, traditional local-user account security management model, but on a hardened independent authentication layer first.</p> <p>Does that make sense?</p> <p>Of course, if there is a root-kit already embedded on the system (or gets embedded on the system while the system is running in a decrypted-state) then whole disk encryption won’t help terribly much. 
Sure you still have to authenticate to get on the system, but once it is running, the root kit will kick off like any other system and start doing its dastardly deeds.</p> <p>And that, gentle readers, will require another solution: <a href="http://grandstreamdreams.blogspot.com/2008/01/anti-rootkit-tools-roundup-revisited.html">GSD post : Anti-Rootkit Tools Roundup Revisited</a>.</p> <p>So yes, these (and possibly other) pre-boot authentication/whole-disk encryption solutions can block Kon-Boot, but the real security protection they offer is even greater.</p> <p>Cheers!</p> <p>--Claus V.</p> Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-38111515091401464812009-05-25T13:41:00.001-05:002009-05-30T09:07:16.001-05:00Kon-Boot: Bypass Windows Login Security (and some helpful blocking solutions)<p>A number of weeks ago I received a tip from <a href="http://www.tinyapps.org/weblog/">TinyApps.Org Blog</a> that has become a real safari event.</p> <ul> <li><a href="http://www.piotrbania.com/all/kon-boot/">KON-BOOT - ULTIMATE WINDOWS/LINUX HACKING UTILITY</a> – free boot utility from Piotr Bania</li></ul> <p>From the developer’s description:</p> <blockquote> <p><b>Kon-Boot</b> is a prototype piece of software which allows to change contents of a linux kernel (<b>and now Windows kernel also!!!</b>) on the fly (while booting). In the current compilation state it allows to log into a linux system as 'root' user <b>without typing the correct password </b>or to <b>elevate privileges</b> from <b>current user to root</b>. For <b>Windows</b> systems it allows to enter any password protected profile <b>without any knowledge of the password</b>. 
It was actually started as silly project of mine, which was born from my never-ending memory problems :) Secondly it was mainly created for Ubuntu, later i have made few add-ons to cover some other linux distributions. Finally, please consider this is my first linux project so far :) Entire <b>Kon-Boot </b>was written in pure x86 assembly, using old grandpa-geezer TASM 4.0. <p>…it provides support for Microsoft Windows systems and also the Linux systems listed in the next sections. <b>Kon-Boot for Windows enables logging in to any password protected machine profile without any knowledge of the password. </b>This tool changes the contents of Windows kernel while booting, everything is done virtually - without any interferences with physical system changes. So far following systems were tested to work correctly with Kon-Boot (however it's quite possible other versions of listed Windows systems may be suitable as well):</p></blockquote> <p>Windows versions of logins that it supports/bypasses are: Server 2008 Standard SP2 (v.275), Vista Business, Vista Ultimate, Server 2003 Enterprise, XP, Windows 7. <p>Although not a “well-known” tool (yet), notice of Kon-Boot is slowly beginning to show up around the blog-o-sphere and security blogs. <ul> <li><a href="http://www.security-database.com/toolswatch/Kon-Boot-root-a-box-on-the-fly-it.html">Kon-Boot "root a box" on the fly .. 
it’s a kind of magic !</a> – Security Database Tools Watch <p></p> <li><a href="http://seclists.org/dailydave/2009/q2/0032.html">KON-BOOT for Windows and Linux (Password Bypassing Utility for Forgetting Heads)</a> - DailyDave <p></p> <li><a href="http://www.raymond.cc/blog/archives/2009/04/29/login-to-windows-administrator-and-linux-root-account-without-knowing-or-changing-current-password/">Login to Windows Administrator and Linux Root Account Without Knowing or Changing Current Password</a> - Raymond.CC Blog <p></p> <li><a href="http://news.ycombinator.com/item?id=613356">Kon-Boot CD:110KB Floppy image/CD ISO to remove your Windows admin and Linux root pwd</a> – Hacker News</li></ul> <p>I’ve avoided posting on it for some time as (like TinyApps blogger Miles) I’ve felt compelled to first try to understand what it is, how it may be working, and what impact (negative/positive) it might have on a system. <p>To use it, download one of the image files (I used the CD ISO) and burn the ISO file to a disk. <p>Boot your target Windows system from the CD and you will get the Kon-Boot splash screen. <p>Hit &lt;Enter&gt; or the spacebar to start the injection process. If the BIOS/system “supports” Kon-Boot some programming checks will be displayed and the boot will hand off to the normal Windows loader processes. <p>Once at a Windows login screen, enter the user account name you wish to access and bypass the password. Note: you must know this ahead of time unless the user name is set to save/display automatically. <p>Then you can either leave the password-field blank and click on through, or you can enter whatever garbage you want for the password. It doesn’t matter. The password has been magically bypassed! <p>I have tried it on a number of systems once I had some firmer knowledge of the tool and in my case, it worked as promised. 
Completely bypassing the Windows GINA login on XP systems as well as Vista and Windows 7 (of which the logins don’t actually use the GINA method of XP/W2K, but it works anyway). <p>Cool. Very frightening from a sysadmin standpoint, but cool nonetheless. <p>In my mind, it would be irresponsible to post a “come and get it” call for this tool without first trying to see if it left any malicious files, root-kits, or other “baddies” behind in its wake. As well as to offer some mitigation suggestions. <p>Thus begins the journey. <p><strong><font color="#800000">What Kon-Boot Does on the Surface</font></strong> <p>Many businesses (and some home users) who run Windows decide that one good method to protect their system from unauthorized access is to set up one or more (local system) user accounts. These accounts then have passwords placed on them which (theoretically) should discourage unauthorized users from logging onto the system and accessing the applications and data. <p>System administrators and Windows security folks know this is actually a pretty weak model. <p>If those are the only security measures implemented on the system, then a penetrator/hacker/administrator just needs to apply one of a number of well known and documented methods to bypass the authentication. 
Some of these methods include: <ul> <li><a href="http://www.google.com/url?sa=t&source=web&ct=res&cd=1&url=http%3A%2F%2Fophcrack.sourceforge.net%2F&ei=KMEaSo7TAaTmtgOI0ajWCw&usg=AFQjCNEUB8IFvkiTaD4jH8HEUhWzy_5iwg">Ophcrack</a> (and <i><a href="http://www.l0phtcrack.com/">L0phtcrack</a> 6</i>) – cracking the password SAM files with tables <p></p> <li><a href="http://home.eunet.no/pnordahl/ntpasswd/">Offline NT Password & Registry Editor</a> – blanking the password, <p></p> <li>Yanking the drive and placing in another system to access the files directly, bypassing the OS, or <p></p> <li>Booting with a “LiveCD” and accessing the files in place, again bypassing the OS.</li></ul> <p>However, these techniques have some drawbacks. <p>Ophcrack can/does work but unless the passwords are fairly simple, the attack can take some time to work and is not always successful in a reasonable amount of time. <p>The Offline NT Password & Registry editor is quite successful in its methods, but by “blanking” the password, leaves evidence to the primary user that something has been breached. <p>Yanking the drive or booting with a LiveCD are quite doable but may not be time-practical or hardware-practical solutions. <p>Kon-Boot would allow someone to drop in, boot the system directly, bypass any Windows account login security, poke around under the local account, then pull-out without letting the end-user be any wiser. Of course an incident response investigation might find some evidence tracks afterwards, but with the password left intact, it might take a while to notice the breach. <p>On the other hand, sysadmins and Windows gurus who have to service systems often find users who have forgotten to provide them the password so I suppose it could be a useful tool for legitimate and authorized situations. <p><strong><font color="#800000">What it Is / What it (May) be Doing Deeper</font></strong> <p>Turns out Kon-Boot fits nicely into a class of hack/security tools called boot kits. 
<p>These are an old and well-established small class of tools. They have recently started to gain notoriety in security circles again with a number of newer exploit proofs of concept released. <ul> <li><a href="http://research.eeye.com/html/tools/RT20060801-7.html">eEye BootRoot</a> – “…presented at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh, as an exploration of technology that custom boot sector code can use to subvert the Windows kernel as it loads.” <p></p> <li><a href="http://research.eeye.com/html/tools/RT20060801-8.html">eEye SysRQ2</a> – “…a bootable CD image that allows a user to open a fully privileged (SYSTEM) command prompt on Windows 2000, Windows XP, and Windows Server 2003 systems by pressing Ctrl+Shift+SysRq at any time after startup. It was first demonstrated at Black Hat USA 2005 by researchers Derek Soeder and Ryan Permeh as an example of applied eEye BootRoot technology.” <p></p> <li><a href="http://www.nvlabs.in/archives/8-Vbootkit-2.0-is-now-open-source-under-GPL-license.html">NVlabs Vbootkit 2.0</a> – a proof of concept tool which grants various abilities to elevate permissions to SYSTEM level, as well as start telnet server automatically and do some user-password manipulations. </li></ul> <p>While similar to root kits, boot kits operate (generally speaking) a bit differently. Depending on the specific boot-kit code they might inject themselves into the OS kernel during the boot process, patch memory registers, and then do their deed. Some may be persistent. By that I mean once loaded on a system they stay present after reboot. Others may be memory-persistent only. They are “installed” in memory, function, but when the system is reset no trace is left behind. <p>Kon-Boot purports to be the latter. <p>Turns out there is quite a lot of great and highly technical material on understanding the principles of boot kit methodologies. 
<ul> <li><a href="http://www.securityfocus.com/columnists/442">0wning Vista from the boot</a> – SecurityFocus interview with Nitin Kumar and Vipin Kumar, developers of Vbootkit. <p></p> <li><a href="http://lists.immunitysec.com/pipermail/dailydave/2007-April/004288.html">Nitin Kumar & Vipin Kumar: "please remember to give necessary credit to the authors" PKB.</a> - [Dailydave] – Dave Korn analyzes the code in the Kumars’ Vbootkit and finds many close similarities with eEye BootRoot code. <p></p> <li><a href="http://wiw.org/~meta/vlad.php?read=ARTICLE.4_4&issue=2&desc=BIOS%20Meningitis%20Source">VLAD Magazine - Issue #2 - ARTICLE.4_4 - BIOS Meningitis Source</a> – BIOS-based resident boot kit. <p></p> <li><a href="http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-soeder.pdf">eEye BootRoot BlackHat presentation</a> (PDF) – Detailed presentation by Derek Soeder and Ryan Permeh on the technical process behind the Windows boot process, and how BootRoot subverts the Windows Kernel. Very, very good reading. <p></p> <li><a href="https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/244">MBR Rootkit paper from VB2008 - Malicious Code - STN Peer-to-Peer Discussion Forums</a> – Symantec also has an excellent technical paper (quite readable) on boot kit development and operation: <a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/your_computer_is_now_stoned.pdf">The Rise of MBR Rootkits</a> (PDF). <p></p> <li><a href="http://www2.gmer.net/mbr/">Stealth MBR rootkit</a> – In depth analysis of a MBR root kit based on the eEye BootRoot code. Not only shows code in comparison, but how the MBR root kit has evolved to avoid detection techniques. Also provides links to MBR boot kit detection tools <a href="http://www2.gmer.net/mbr/mbr.exe"><b>mbr.exe</b></a> and <a href="http://www.gmer.net/index.php"><b>GMER</b></a>. 
<p></p> <li><a href="http://www.nvlabs.in/uploads/projects/vbootkit/vbootkit_nitin_vipin_whitepaper.pdf">Vbootkit whitepaper</a> (PDF) - Nitin Kumar and Vipin Kumar explain their boot kit exploit at Black Hat 2007. See also their <a href="http://www.nvlabs.in/uploads/projects/vbootkit/nitin_vipin_vista_vbootkit.ppt"><strong>Vbootkit Presentation</strong></a> (PowerPoint). <p></p> <li><a href="http://conference.hitb.org/hitbsecconf2009dubai/materials/D2T2%20-%20Vipin%20and%20Nitin%20Kumar%20-%20vbootkit%202.0.pdf">D2T2</a> (PDF) - Nitin Kumar and Vipin Kumar explain their boot kit method in another presentation. <p></p> <li><a href="http://www.nvlabs.in/archives/7-Hack-in-the-Box-Dubai-2009.html">Dubai 2009</a> - NVlabs | Analyzing Security. Link to the Kumar brothers’ presentation of Vbootkit 2.0 at Hack-in-the-Box Dubai 2009. Note: this article links to the presentation notes <a href="http://www.nvlabs.in/uploads/projects/vbootkit2/vbootkit2.0-AttackingWindows7viaBootSectors.odp"><strong>Vbootkit 2.0 Attacking Windows 7 (x64) via Boot Sectors</strong></a> (ODP) which is an Open Office presentation format document. Get <a href="http://www.openoffice.org/">OpenOffice</a>, or <a href="http://portableapps.com/apps/office/openoffice_portable">OpenOffice Portable</a>. Microsoft also has a converter for ODP files. 
<p></p> <li><a href="http://blogs.technet.com/antimalware/archive/2008/01/10/mbr-rootkit-virtool-winnt-sinowal-a-report.aspx">MBR rootkit: VirTool:WinNT/Sinowal.A report</a> – Microsoft Anti-Malware Engineering Team <p></p> <li><a href="http://www.trustdefender.com/blog/2009/01/07/mbrmebrootsinowaltorpig-is-back-%E2%80%93-better-than-ever/">MBR/Mebroot/Sinowal/Torpig is back – better than ever</a> – TrustDefender Labs <p></p> <li><a href="http://securology.blogspot.com/2008/01/mbr-rootkits.html">MBR Rootkits</a> – Securology Blog <p></p> <li><a href="http://www.viruslist.com/en/analysis?pubid=204792044">Bootkit: the challenge of 2008</a> – Viruslist – Excellent historical review of boot kit history. <p></p> <li><a href="http://www.viruslist.com/en/analysis?pubid=204792002">Malware evolution: January – March 2008</a> – Viruslist – Even more material on boot kit exploits. <p></p> <li><a href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1270250,00.html">Building malware defenses: From rootkits to bootkits</a> – Noah Schiffman article from 2007. Light but good overview.</li></ul> <p>Unlike eEye’s BootRoot and the Kumars’ Vbootkit, the developer of Kon-Boot, Piotr Bania, has decided not to release the Kon-Boot source code so examination is based (currently) on known technologies and examination of systems on which Kon-Boot was used. <p>IANMR (I am not Mark Russinovich) but it seems that the process by which most root kits work is fairly well understood now. <p>Based on what I have read and the research others have done on this and other boot kit tools that are "open" in the code, it likely hijacks the memory during the BIOS to bootloader process. From there it hooks INT 0x13 to control content of memory sectors loaded by NTLDR and begins patching areas of the kernel specifically dealing with the security profiles and user SAM files dealing with user logon authentication and the GINA/login-authentication processes. 
With these patched, the operator can access these profiles without any password input needed. What makes this tool (and Vbootkit) interesting is that they take the normal stay-resident MBR boot kit design and do it all on the fly (apparently) leaving no trace on the system behind. That's pretty sophisticated stuff. Particularly when it has been coded to work on both Windows as well as Linux kernels. <p>Because of the BIOS memory injection it appears to perform, some system BIOS’s may not be supported and could cause Kon-Boot to fail. So it isn’t a 100% success in all possible conditions. Also, some users have said in various comments around the web that it BSOD'd their systems. Some have even reported it nuked their systems for unknown reasons. <p>That certainly hasn’t been my experience. It was easy for me to get on a disk and booted all systems I tested it on with no ill effect (continue reading). <p>Many of the links posted above referencing boot kits have great illustrations and diagrams on how this works exactly. I wasn’t able to get permission to use material from those presentations, so go check them out for all the great pictures, descriptions and technical details. <p>It is really fascinating and cool stuff on how the BIOS memory is hijacked, and how next the injected code in memory patches the kernel and tells it to ignore password requirements for the user accounts. <p>It is also this shared similarity with MBR boot kits that likely leads some (as seen in various comments around the web) to believe that it must be leaving a MBR boot kit behind. <p><strong><font color="#800000">Does it Leave a Root Kit Behind?</font></strong> <p>This is the million-dollar question. <p>Many folks think so. <p><em><strong><font color="#cc0000">Limited testing</font></strong></em> seems to suggest that, as Piotr claims, it does not leave any lasting or persistent changes to the system on which it is executed. 
<p>It is conceivable and technically possible it could infect the BIOS, MBR, as well as allocated/unallocated hard-drive space. It might also change/patch critical Windows system files. <p>I tested Kon-Boot post-usage via a suite of root-kit scanners and found nothing amiss. But that may or may not mean anything. What was really needed was a detailed baseline system scan using a change-detection program, reboot and use Kon-Boot, then reboot and take another system scan to check for file/folder changes. <p>Fortunately for us, Miles Wolbe from <a href="http://www.tinyapps.org/weblog/">TinyApps.Org Blog</a> has taken this task upon himself to try to explore. <p>He has graciously given me permission to post his findings. <p>Miles’s plan was structured as follows: <blockquote> <p>1. Save images of BIOS, CMOS, Video BIOS, and MBR with NSSI (run from bootable CD) and save snapshot of Windows install with InstallWatch Pro <br>2. Boot with Kon-Boot, be amazed at password bypass, turn off computer <br>3. Repeat step 1 <br>4. Perform diffs</p></blockquote> <p>And his results were as follows (as combined from numerous emails): <blockquote> <p>Here are the results of my Kon-Boot tests:</p> <p>Computer: </p> <p>Dell Inspiron 600m </p> <p>Changes to system after running Kon-Boot and then rebooting: </p> <p> MBR: none <br> Video BIOS: none <br> BIOS: none <br> File system / registry: see attached ZIP file </p> <p>Tools used:</p> <p>Phoenix WinPhlash and dumpvgabios (BIOS and Video BIOS) as described here:</p> <p><a href="http://icrontic.com/forum/showthread.php?t=30777">http://icrontic.com/forum/showthread.php?t=30777</a></p> <p>NSSI (MBR and Video BIOS) Also dumps BIOS, CMOS, PCI, and more, but these did not work well for me. </p> <p>diff and md5 (comparison of dump files) </p> <p>InstallWatch Pro (file and registry changes)</p> <p>EFS file encryption is not circumvented by Kon-Boot. 
That is, if you bypass the login password for "Joe" via Kon-Boot and he has an EFS encrypted file named "doc.txt", you will not be able to open it ("Access is denied" message is returned). <p>After bypassing login password with kon-boot, the user accounts applet shows "create a password" for the current user instead of "change password". if you try to enter a <br>password, the following error appears: "Windows cannot change the password." <p>Just to clarify: the strange user accounts behavior persists only while kon-boot is <br>active.</p></blockquote> <p>Please note that while Kon-Boot will let a user into the password protected Windows account, it will not allow access to any encrypted/password-protected files that would also have to be authenticated. I guess that is something. <p>Also, it does not seem to allow password-bypassing of Domain configured accounts or other network GINA supported authentication requirements. It only seems to work on Local Windows user accounts. <p>I haven’t had the time to try it, but I would also like to capture a memory-image ( <a href="http://www.forensicswiki.org/wiki/Tools:Memory_Imaging">Tools:Memory Imaging - Forensics Wiki</a>) of a system running normally, then recapture the memory-image while Kon-Boot is running, then difference the results. <p>That might point out any memory resident changes Kon-Boot makes. <p>So, as far as we can tell at the moment it appears--based on limited testing--that Kon-Boot should be “safe” to run on a Windows system you might be authorized to access. However, I highly encourage you to do your own controlled and protected testing before making any such deployments organization-wide. Don’t blame us if something bad happens. <p>Messing around with boot kits and root kits is always a dangerous and dicey prospect. 
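<p>The baseline-and-diff check from Miles’s plan above, applied to the MBR dump, as an added example (not code from Miles, from Kon-Boot, or from any tool named in this post): it hashes two 512-byte sector dumps and reports which region of the classic MBR layout changed. The sample sectors, the function names and the use of SHA-256 in place of md5 are assumptions made here for illustration.</p>

```python
import hashlib
import struct

SECTOR_SIZE = 512
# Classic (non-GPT) MBR layout as (name, first offset, end offset exclusive).
REGIONS = (
    ("boot code", 0, 440),
    ("disk signature", 440, 446),   # 4-byte signature plus 2 reserved bytes
    ("partition table", 446, 510),  # four 16-byte entries
    ("boot signature", 510, 512),   # must be 0x55 0xAA
)


def parse_partitions(mbr):
    """Decode the four 16-byte partition entries; skip empty (type 0) slots."""
    entries = []
    for index in range(4):
        offset = 446 + 16 * index
        status, ptype = mbr[offset], mbr[offset + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, offset + 8)
        if ptype:
            entries.append({
                "index": index,
                "active": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return entries


def changed_ranges(before, after, start, end):
    """Return (first, last) offsets for each run of differing bytes."""
    runs, run_start = [], None
    for pos in range(start, end):
        if before[pos] != after[pos]:
            if run_start is None:
                run_start = pos
        elif run_start is not None:
            runs.append((run_start, pos - 1))
            run_start = None
    if run_start is not None:
        runs.append((run_start, end - 1))
    return runs


def compare_mbr(before, after):
    """Compare a baseline MBR dump with a later one and localise any change."""
    for name, dump in (("before", before), ("after", after)):
        if len(dump) != SECTOR_SIZE:
            raise ValueError(f"{name} dump is {len(dump)} bytes, expected {SECTOR_SIZE}")
    report = {
        "sha256_before": hashlib.sha256(before).hexdigest(),
        "sha256_after": hashlib.sha256(after).hexdigest(),
        "valid_signature": after[510:512] == b"\x55\xaa",
        "partitions_changed": parse_partitions(before) != parse_partitions(after),
        "changed": {},
    }
    for name, start, end in REGIONS:
        runs = changed_ranges(before, after, start, end)
        if runs:
            report["changed"][name] = runs
    report["identical"] = not report["changed"]
    return report


def build_sample_mbr():
    """Constructed test sector: filler boot code and one active NTFS partition."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:440] = bytes(i % 251 for i in range(440))      # filler, not real code
    mbr[440:444] = struct.pack("<I", 0x1234ABCD)         # made-up disk signature
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00",
                               0x07, b"\xfe\xff\xff", 63, 204800)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample data (not taken from a real disk): a baseline dump and a
# copy with four boot-code bytes altered, standing in for the "after" dump.
BASELINE = build_sample_mbr()
_altered = bytearray(BASELINE)
_altered[0x20:0x24] = b"\x00" * 4
MODIFIED = bytes(_altered)

if __name__ == "__main__":
    for label, later in (("unchanged", BASELINE), ("modified", MODIFIED)):
        result = compare_mbr(BASELINE, later)
        print(label, "identical" if result["identical"] else result["changed"])
```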
<p>As someone once said, “<a href="http://www.google.com/url?sa=t&source=web&ct=res&cd=2&url=http%3A%2F%2Fen.wikipedia.org%2Fwiki%2FTrust%2C_but_Verify&ei=lNUaSrHeEoaitgOLldGSDw&usg=AFQjCNFsTuMsQw7mv_61QKwuv_E_MTUC_A"><em>Trust</em>, <em>but Verify.”</em></a> <p><strong><font color="#800000">Defeating Kon-Boot (Easy but Crippling Stuff)</font></strong> <p>So how can the system administrator defeat Kon-Boot deployments and enhance security? <p>Well some easy methods come to mind: <ul> <li>Set a password on the BIOS to require entry before booting, <p></p> <li>Set a password on the Hard Drive (modern drives may support this) to prevent access before accessing from the hard-drive, <p></p> <li>Disable USB/Firewire booting of a system, <p></p> <ul> <li><a href="http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation">Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation (Update) | Uwe Hermann</a> <p></p> <li><a href="http://www.storm.net.nz Projects">www.storm.net.nz Projects</a> <p></p> <li><a href="http://www.raymond.cc/blog/archives/2009/05/11/burn-iso-image-to-usb-flash-pen-drive-kon-boot-to-usb/">Burn ISO Image to USB Flash Pen Drive (Kon-Boot to USB)</a> - Raymond.CC Blog</li></ul> <p></p> <li>Disable PXE booting of a system, <p></p> <li>Change the boot order to prevent (or disable) booting from CD/DVD ROM drives.</li></ul> <p>Basically lock down the system so Kon-Boot can’t be used to boot the system.</p> <p>Yeah. 
It will annoy your users to hell, but it will assist with security.</p> <p>However that may not be enough, or you may want to leave a certain amount of usability to the system.</p> <p><strong><font color="#800000">BitLocker and TPM Protection</font></strong></p> <p>In a <a href="http://hype-free.blogspot.com/2009/04/using-procmon-for-finding-malware.html#comment-form">discussion with cdman183</a> at his Hype-Free blog he put me on to another technique that seems very successful in blocking Kon-Boot/boot kit operation (assuming the MBR hasn’t been pre-infected): disk encryption / pre-boot authentication.</p> <p>Microsoft offers its Trusted Platform Mode (TPM) and BitLocker solutions that help authenticate supported OS versions during the boot process to ensure they have not been modified.</p> <ul> <li><a href="http://en.wikipedia.org/wiki/Trusted_Platform_Module">Trusted Platform Module - Wikipedia, the free encyclopedia</a> <p></p> <li><a href="http://technet.microsoft.com/en-us/library/cc749022.aspx">Windows Trusted Platform Module Management Step-by-Step Guide</a> – Microsoft TechNet <p></p> <li><a href="http://www.ithinkibrokeit.co.uk/articles/bitlocker/page1.php">Enabling Vista Bitlocker (without a TPM chip)</a> – I Think I Broke It site <p></p> <li><a href="http://port25.technet.com/archive/2006/10/13/Using-Vista_2700_s-Boot-Manager-to-Boot-Linux-and-Dual-Booting-with-BitLocker-Protection-with-TPM-Support.aspx">Using Vista’s Boot Manager to Boot Linux and Dual Booting with BitLocker Protection with TPM Support</a> - Port 25: The Open Source Community at Microsoft <p></p> <li><a href="http://blogs.technet.com/robert_hensing/archive/2007/04/05/vbootkit-vs-bitlocker-in-tpm-mode.aspx">VBootkit vs. 
Bitlocker in TPM mode</a> – Robert Hensing’s Blog contains some very good stuff so I’ve copied the items below from the above post (images not directly linked).</li></ul> <blockquote> <p>Before explaining how BDE mitigates this attack the following picture may help set some context for the scenario. </p> <p>This is what a 'normal' OS boot from a hard drive looks like when BDE has been configured to use a TPM 1.2 module.</p> <p><img src="http://blogs.technet.com/photos/robert_hensings_photos/images/729191/original.aspx" width="480" height="252"> <p>(NOTE: There may be some slight inaccuracies in the 'All boot blobs unlocked' column according to Jamie but they aren't really important for the concept I'm trying to illustrate. :)) <p>In a VBootkit system boot - I believe the boot process flow looks like this (any mistakes are mine) <p><img src="http://blogs.technet.com/photos/robert_hensings_photos/images/729192/original.aspx" width="480" height="256"> <p>In the picture above - you can see that the boot process has been detoured a bit by the presence of a Vbootkit CD causing an additional MBR to be read during the OS boot (this MBR presumably then jumps back to the one on the HDD after hooking INT13). <p>Well it is my understanding, based on my discussion with Jamie - that this will cause BDE in TPM mode to fail to boot the OS because the 'measurements' stored in the PCR in the TPM will be incorrect or will be unexpected in value - which will cause the TPM to fail to unseal the VMK which will lead to a boot failure. <p>What this all means is that when the boot manager (BOOTMGR.EXE) goes to unseal the VMK stored in the TPM 1.2 module - the TPM will respectfully decline. :)</p></blockquote> <ul> <li><a href="http://www.techworld.com.au/article/301058/bitlocker_tpm_won_t_defend_all_pcs_against_vbootkit_2_0">BitLocker, TPM won’t defend all PCs against VBootkit 2.0</a> – Techworld – Basically the argument here is that it doesn’t work because many (most?) 
Windows OS versions are home/consumer versions that do not contain the TPM support found in Windows Enterprise/Enthusiast versions. Nor does all (mostly older) hardware support TPM.</li></ul> <p><strong><font color="#800000">Solutions for the rest of us</font></strong></p> <p>So what if you have a system that doesn’t support TPM mode protection against boot kit hijacking and you don’t want to disable all the CD/USB/etc booting methods?</p> <p>Well, like I said, go with whole-disk encryption and/or pre-boot authentication.</p> <ul> <li><a href="http://na.store.pgp.com/whole_disk_encryption.html">PGP Whole Disk Encryption</a> – This commercial solution offers protection against Kon-Boot. I tested Kon-Boot against a PGP WDE system. </li></ul> <p>The system allowed Kon-Boot to load normally, Kon-Boot injected itself into the BIOS memory handoff, and then I was presented with the PGP WDE loader. It did not change the requirement to enter a valid passphrase at all. You could not bypass this requirement. So I entered a valid passphrase and the Windows system booted normally. It appeared that the PGP to Windows boot loading process completely scrubbed Kon-Boot’s memory presence away as I was not able to log into the local Windows accounts (which Kon-Boot bypasses) unless I entered a valid password.</p> <p>Hurray.</p> <p>PGP is a commercial solution. While they do offer lighter versions for home/SOHO users, it may not be practical for folks on a budget.</p> <p>Fortunately at least two well known and trusted solutions are available for free.</p> <ul> <li><a href="http://www.truecrypt.org/">TrueCrypt</a> - “freeware” – This product offers whole-disk encryption and requires pre-boot authentication.</li></ul> <p>In my test of this solution, I used a Virtual PC session of XP Pro. I set a password and verified I could not log onto the account unless the correct password was used. 
Then I booted it with Kon-Boot and successfully bypassed the password.</p> <p>Then I used TrueCrypt to fully encrypt the drive, set a volume password and tested again.</p> <p>I booted the system again with Kon-Boot</p> <p align="center"><img style="border-bottom: 0px; border-left: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px" title="2009-05-09_113947" border="0" alt="2009-05-09_113947" src="http://lh5.ggpht.com/_Km3V5JZ6Aws/ShrmZraQcWI/AAAAAAAAAt8/p-PCg4VMY5Q/2009-05-09_113947%5B7%5D.jpg?imgmax=800" width="484" height="302"> </p> <p>Note that TrueCrypt could not boot the system and gave the following error:</p> <blockquote> <p>Error: BIOS reserved too much memory: 569</p></blockquote> <p>It seems that once Kon-Boot had injected itself into the boot memory, there wasn’t enough left for TrueCrypt to do its thing and bring the system up. So the boot kit hack failed.</p> <p>It is possible that different system BIOS may offer different amounts of available memory so this might not be fool-proof.</p> <p>But it is a start.</p> <p>The third solution is awesome:</p> <ul> <li><a href="http://www.ce-infosys.com/english/downloads/free_compusec/index.html">CE-Infosys CompuSec</a> – This German company offers a wonderful whole-disk encryption with pre-boot authentication solution. It is 100% free.</li></ul> <p>In my test of this solution, I used a Virtual PC session of XP Pro. I set a password and verified I could not log onto the account unless the correct password was used. 
Then I booted it with Kon-Boot and successfully bypassed the password.</p> <p>Then I used CompuSec to fully encrypt the drive and set up pre-boot authentication with a password and tested again.</p> <p>I booted the system again with Kon-Boot</p> <p align="center"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="2009-05-09_133053" border="0" alt="2009-05-09_133053" src="http://lh6.ggpht.com/_Km3V5JZ6Aws/ShrmaE3PGgI/AAAAAAAAAuA/IfK1jFt-Pxo/2009-05-09_133053%5B4%5D.jpg?imgmax=800" width="484" height="302"> </p> <p>CompuSec caught a checksum error and refused to let the system boot.</p> <p>I rebooted without Kon-Boot, entered the pre-boot authentication password, and was on my way back to the protected system. No Windows password bypassing was allowed.</p> <p>Granted, CompuSec takes a while to configure once installed (it does install quickly).</p> <p>However, the developers provide almost unheard-of documentation and manuals on how to deploy, use and operate their product.</p> <p>It would be good advice to read all such things before using/installing such a product, but even more so for those that deal with encrypting your entire system.</p> <p>You don’t want to make a mistake here!</p> <p><strong><font color="#800000">Final Thoughts</font></strong></p> <p>I don’t feel that I have done a good job really digging into Kon-Boot and boot kit threats. There is so much technical information to process and a single blog post really can’t do it justice.</p> <p>I do hope that this humble post might lead the curious into exploring those better technical materials I posted by real security field experts, as well as encourage others to do like Miles did and perform their own system testing and validations of the tool.</p> <p>This is not new technology, though the implementations may be repackaged a bit. 
The security implications remain.</p> <p>General Windows Local user accounts are inherently insecure to knowledgeable penetrators and a variety of proven methods exist to breach these accounts.</p> <p>Solutions exist but they generally (by design) reduce the functionality and present numerous barriers for easy and convenient operation of Windows systems by users.</p> <p>Pre-boot authentication, TPM, and whole disk encryption methods might be the best (current) solution to protect against boot kits.</p> <p>It remains unknown to me (at this point) what would happen if a pre-MBR boot kit infected system had any of these solutions applied, post-infection. Would the configuration fail? Would the MBR infection remain resident? Would it work afterwards?</p> <p>Special thanks and public gratitude to both Miles and cdman183 for their work and guidance in helping me to understand the implications, verifications of, and mitigation solutions for this current round of boot kit attack.</p> <p>Like I said, really cool, but kinda frightening…</p> <p>Cheers.</p> <p>--Claus V.</p> Clausnoreply@blogger.com3tag:blogger.com,1999:blog-13777170.post-31198381486737205962009-05-24T15:59:00.001-05:002009-05-24T15:59:24.315-05:00Sunday Linkfest Salvo<p align="center"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh4.ggpht.com/_Km3V5JZ6Aws/Shm1K1rvlUI/AAAAAAAAAt4/Fa6jxjgbFMI/image%5B6%5D.png?imgmax=800" width="484" height="175"> </p> <p align="right"><b><a href="http://en.wikipedia.org/wiki/USS_Texas_%28BB-35%29">USS Texas (BB-35)</a></b><br><font size="1">Firing her 14"/45 main battery guns, during long range battle practice, February 1928.<br><i>U.S. 
Naval Historical Center Photograph from </i></font><a href="http://www.history.navy.mil/photos/usnshtp/bb/bb34cl.htm"><font size="1">USN Ship Types--New York class (BB-34 and BB-35)</font></a></p> <p align="left"><strong><font color="#800000">Windows 7 RC Shelling</font></strong></p> <p align="left">As previously noted, I’ve been loading Windows 7 RC on our laptop systems here at the house. One requirement of this is to pick and install some AV/AM protection. Microsoft kindly provides <a href="http://www.microsoft.com/windows/antivirus-partners/windows-7.aspx">links to some “free” AV/AM software</a> that is compatible with Windows 7. Local TechBlog guru Dwight Silverman also details why this is a good idea: <a href="http://blogs.chron.com/techblog/archives/2009/05/getting_the_windows_7_rc_youll_need_protectio.html">TechBlog: Getting the Windows 7 RC? You’ll need protection</a>. But be careful, many of the offerings listed by Microsoft, while good, are also significantly time-limited and may require some registration hoops to go through.</p> <p align="left">Instead of going with one of these, I decided to give Sunbelt Software’s VIPRE security product a go. Thanks to a generous reach-out by Alex Eckelberry some time ago, I’ve got a few full-licenses for our home systems. As <a href="http://grandstreamdreams.blogspot.com/2008/11/security-simmeringschunky-style.html">blogged before</a> briefly here, I love VIPRE. I had seen a link ( <a href="http://www.planetamd64.com/index.php?showtopic=38662&pid=359448&st=0&#entry359448">Vipre from Sunbelt now compatible with Windows 7 – PlanetAMD64</a> ) that indicated that VIPRE would work with Windows 7 so I thought I would see how it did on our Windows 7 RC (64-bit) installations.</p> <p align="left">I downloaded <a href="http://www.sunbeltsoftware.com/Home-Home-Office/VIPRE/Definitions/">VIPRE</a> and (despite Windows 7 not being “officially” listed under the VIPRE Requirements tab) started an install. 
It went on just fine on my Gateway system in Windows 7 RC 64-bit.</p> <p align="left">However the updates would not, no matter what, kick off. It just stayed at definitions 0.</p> <p align="left">So I tried “kick-starting” it by <a href="http://www.sunbeltsoftware.com/Home-Home-Office/VIPRE/Definitions/">manually downloading the VIPRE DAT files</a> and then pointing VIPRE to update from this source file.</p> <p align="left">That did the trick. Once seeded with the definitions, all subsequent auto-update actions have launched, downloaded, and installed without fail.</p> <p align="left">Curiously, when I did the same thing on Lavie’s Compaq notebook (also Windows 7 RC 64-bit) this trick wasn’t required. It kicked off the updates just fine automatically.</p> <p align="left">I’ve not had any issues at all running/scanning/configuring Sunbelt Software’s VIPRE under Windows 7 RC 64-bit. It is rock solid and remains highly recommended.</p> <p align="left">(And yes, a GSD blog post perspective on VIPRE is still planned! Stay tuned.)</p> <p align="left"><a href="http://lifehacker.com/5259804/install-windows-7-on-almost-any-netbook">Lifehacker - Install Windows 7 on Almost Any Netbook - Windows 7 netbook</a> – Lifehacker – Nice how-to on getting Win 7 on a Netbook. The deal here is that many netbooks do not have an optical drive. The workaround is porting your Windows 7 ISO install files over onto a USB stick and installing from there. Good info to keep handy. 
And even if you do have an optical drive to use on any system you are loading Windows 7 on, if your system supports it, installing from USB generally results in a faster install time as USB media is much faster in the transfer rates than optical media.</p> <p align="left"><a href="http://4sysops.com/archives/windows-7-rc-uac-security-vulnerability-auto-elevation/">Windows 7 RC UAC security vulnerability: Auto elevation</a> – 4sysops blog – Michael looks at an ongoing security issue with Windows 7 that doesn’t seem to have been fully solved quite yet.</p> <p align="left"><a href="http://4sysops.com/archives/the-myth-about-the-standard-user-in-windows-vista-and-windows-7/">The myth about the standard user in Windows Vista and Windows 7</a> – 4sysops blog – More security musings on Windows 7 (and Vista) from Michael. Good reading.</p> <p align="left"><a href="http://www.askvg.com/15-things-to-do-after-installing-windows-7-rc/">15 Things To Do After Installing Windows 7 RC</a> - Tweaking with Vishal. Miscellaneous tips and pointers to consider attending to after you load Windows 7.</p> <p align="left"><a href="http://xenomorph.net/?page_id=336">XdN Tweaker</a> - (freeware) - Current Version v 0.9.1.6 just released this May now adds Windows 7 to it’s awesome tweaking support. Available in both an exe installer and a portable zip version, this tool still remains my #1 favorite (out of many, many, many) great Windows tweaking tool. A must have for Windows 7 RC users. </p> <p align="left"><a href="http://blogs.technet.com/virtualization/archive/2009/05/14/native-vhd-support-in-windows-7.aspx">Native VHD Support in Windows 7</a> -- Windows Virtualization Team Blog. 
More official news and technicals on Windows 7’s VHD booting support.</p> <p align="left"><a href="http://www.hanselman.com/blog/Windows7SeamlessAppsInWindowsVirtualPCVirtualXPAndApplicationCompatibility.aspx">Windows 7 - Seamless Apps in Windows Virtual PC (Virtual XP) and Application Compatibility</a> – Scott Hanselman’s ComputerZen blog. Scott has a great walkthrough on deploying XPM mode virtualization on Windows 7. He provides wonderful screen-captures as well for the image-needy.</p> <p align="left"><a href="http://www.withinwindows.com/2009/05/24/flashy-copenhagen-ux-concept-white-paper-made-available/">Flashy Copenhagen UX concept, white paper made available</a> – Rafael Rivera Within Windows</p> <p align="center"><object width="400" height="220"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=4255076&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" /><embed src="http://vimeo.com/moogaloop.swf?clip_id=4255076&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="220"></embed></object></p> <p align="center"><a href="http://vimeo.com/4255076">Copenhagen User Experience</a> from <a href="http://vimeo.com/user1431152">Copenhagen Concept</a> on <a href="http://vimeo.com">Vimeo</a>.</p> <p align="left">Nice concept work but I have to confess. I usually disable the GUI effects on menus and such in XP/Vista. They get annoying at work when I am trying to power through the daily grunge.</p> <p align="left">Bit more at this <a href="http://www.istartedsomething.com/20090417/windows-enthusiast-cullen-cophenhagen-ux-concept-video/">Windows enthusiast Cullen creates "Copenhagen" user experience concept video</a> - iStartedSomething Long Zheng’s blog. 
Check out the comments for feedback (lovers and haters alike).</p> <p align="left"><strong><font color="#800000">Utility Broadsides</font></strong></p> <p align="left"><a href="http://blog.mandiant.com/archives/373">Highlighter v1.1.1 Released</a> – MANDIANT M-unition Blog – This incredible log/text-file analyzer has gotten some major feature and bug fixes. Go get it now!</p> <p align="left"><a href="http://thebackroomtech.com/2009/05/20/the-best-msi-extractor/">The best MSI Extractor</a> -- the back room tech. Julie tips us to a MSI extractor tool called <a href="http://blogs.pingpoet.com/overflow/archive/2005/11/16/14995.aspx">Less MSIerables</a>. It is sexy and even supports command-line. Now, I usually always reach for my <a href="http://legroom.net/software/uniextract">Universal Extractor</a> software when unpacking installers in my quest for “portable” applications. However, Less MSIerables has a great GUI and handles MSI files with power. I particularly like its previewing features.</p> <p align="left"><a href="http://live.sysinternals.com/">live.sysinternals.com – </a>link to Sysinternals site where you can download/run almost all of the incredible Sysinternals tools without needing to unpack them. Not much there in way of descriptions or how-to’s but if you know these tools, this is a great site to use to run them on the fly. Supports execution via command-line as well. For the full roundup of tools and descriptions see <a href="http://technet.microsoft.com/en-us/sysinternals/default.aspx">Windows Sysinternals: Documentation, downloads and additional resources</a></p> <blockquote> <p align="left">Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. 
Simply enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/&lt;toolname&gt; or \\live.sysinternals.com\tools\&lt;toolname&gt;.</p></blockquote> <p align="left"><a href="http://www.nirsoft.net/panel/">NirSoft Utilities Panel – </a>Not quite as extensive as live.sysinternals above, Nir does provide this page which also has unpacked, immediately downloadable/executable versions of his most popular utilities. Get the full offerings at Nirsoft’s <a href="http://www.nirsoft.net/utils/index.html">Freeware Tools and Utilities for Windows</a> page.</p> <p align="left">By the way, check out Nir’s unapologetic broadside at AV companies that slam many of his tools as “malware/hackware” <a href="http://www.nirsoft.net/blog/2009/05/antivirus-companies-cause-big-headache.html">NirBlog: Antivirus companies cause a big headache to small developers.</a> Nir does a great job unloading the issues and problems that many small utility developers face with their wonderful tools when crossing the big AV/AM companies. I run into this almost weekly when the company AV policy alerts and quarantines yet another valuable sysadmin/forensic tool as a “hacktool” or “trojan”. Since we lowly sysadmins don’t have access to modify the Symantec AV policy settings we have to just shrug and move on. It’s a losing fight for us...and our customers when we can’t deploy a solution because it has been blacklisted.</p> <p align="left"><a href="http://securitytoolslist.domandhost.com/">The largest security tools list</a> – Interesting website that classifies and links quite a large number of great security tools for a variety of OS platforms. At least check it out and bookmark it.</p> <p align="left"><a href="http://www.whatsmypass.com/">What’s My Pass? –</a> New website (to me) that provides a large number of security-cracking posts and tools. 
While I don’t at all condone password cracking for fun-and-profit, as a sysadmin I am frequently called in to crack documents, systems, passwords as the user is gone or has forgotten the information. And at least by understanding and knowing these tools, as a security responder, you could have a greater knowledge in your investigation work.</p> <p align="left">What’s My Pass also offers two <a href="http://www.whatsmypass.com/?page_id=143">FreeWare</a> tools of their own. The second is great:</p> <p><a href="http://www.whatsmypass.com/?page_id=143">TechTools 1.1</a> - freeware </p> <blockquote> <p>Based off of the idea of Bryce Whitty’s “Computer Repair Utility Kit” from Technibble.com. The downfalls of Bryce’s idea was that he had the complete package with all the tools offered for download on his site, which of course sucked up bandwidth, and some authors of the applications, while freeware, wanted the only download of their software to be at their own sites. <p>To bypass these problems Tech Tools uses Ketarin, which is an application downloader that checks to see if an application has been updated and downloads it if so. <p>So I’ve compiled a list of apps that that were part of the original tool, and either<br>subtracted or added them due to their portability. i.e. if the program had an installer i didnt include it, I used mostly standlone executables for this first package. <p>You use Ketarin to first download all your tools and it will automatically extract them to their categorized folders.Once Downloaded you can then open Pstart.exe ,its menu is already configured to show the downloaded tools. You would then use Ketarin weekly to auto-update all these tech tools so you would always have a fresh copy of the program on your USB.</p></blockquote> <p>This is a great alternative solution as the original “<a href="http://www.technibble.com/computer-repair-utility-kit/">Computer Repair Utility Kit</a>” is no longer available. 
<p>See these links to see what you missed on if you didn’t grab it while it lasted: <p><a href="http://lifehacker.com/5154441/computer-repair-kit-packs-dozens-of-tools-in-one-portable-package">Computer Repair Kit Packs Dozens of Tools in One Portable Package - System Recovery</a> - Lifehacker <p><a href="http://blogs.chron.com/techblog/archives/2009/02/be_prepared_57_great_windows_repair_tools_all.html">Be prepared! 57 great Windows repair tools all in one place</a> – Chron.com TechBlog <p>Also related: <p><a href="http://www.lunarsoft.net/">Anti-Malware Toolkit v1.06.157</a> – Lunarsoft – Acts as a central anti-malware/anti-virus tool and program downloader. Select the items you wish to download and it will auto-download the files to appropriate folders. In many cases, users must still “install” the applications locally, but this does provide “one-stop” downloading for harried support staff.</p> <p><a href="http://www.kls-soft.com/freeware/wscc.php">WSCC - Windows System Control Center</a> – (freeware) - KLS Soft <p><a href="http://lh4.ggpht.com/GrandStreamDreams/SPpJenC3IvI/AAAAAAAAAcY/QOexmyMd96U/s1600-h/image%5B7%5D.png"><img title="image" border="0" alt="image" src="http://lh6.ggpht.com/GrandStreamDreams/SPpJfIyX-vI/AAAAAAAAAcc/QLkCmCDgG1s/image_thumb%5B5%5D.png?imgmax=800" width="494" height="385"></a> <p>Let me let them explain why it is so cool. <blockquote> <p><strong>WSCC</strong> is a <strong>free</strong>, <strong>portable</strong> program that allows you to <strong>view</strong>, <strong>execute</strong> and <strong>organize</strong> the utilities from various system utility suites. <strong>WSCC</strong> is only an interface, you need to download and install the utilities separately. Alternatively, <strong>WSCC</strong> can use the <strong>http</strong> protocol to download and run the programs. <p><strong>WSCC</strong> uses the included <strong>WSCC Console</strong> to execute command line applications. 
<p><strong>WSCC</strong> is portable, installation is not required. Extract the content of the downloaded zip archive to any directory on your computer. <p>This edition of <strong>WSCC</strong> supports the following utility suites: <ul> <li>Windows Sysinternals Suite (including support for <a href="http://live.sysinternals.com">Sysinternals Live</a> service) <li>NirSoft Utilities </li></ul></blockquote> <p>So basically you just download the zip file and unpack it. It’s pretty tiny to start out with. <p>Launch it. <p>You can configure it to point to the location where you have stored all these tools previously (Sysinternals and Nirsoft), or set it up so it can execute the Sysinternals tools from their <a href="http://live.sysinternals.com">Sysinternals Live</a> location on the Web. <p>(more details in this GSD post: <a href="http://grandstreamdreams.blogspot.com/2008/10/windows-system-control-center-wscc.html">Grand Stream Dreams: Windows System Control Center (WSCC): Awesome Cool!</a>)</p> <p>Cheers!</p> <p>--Claus V.</p> <div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/13777170-3119838148673720596?l=grandstreamdreams.blogspot.com'/></div>Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-85567879698002132712009-05-24T13:46:00.001-05:002009-05-24T13:47:35.236-05:00Procrastinations…and Why XP can’t be VHD booted under W7<p>As has recently become a curious pattern, I’ve continued to allow myself to be distracted with “off-list” tasks.</p> <p>These are not to be confused with “honey-do’s” which are those items performed at the last minute as requested by dearest Lavie and Alvis.</p> <p>No, these are when I get a brilliant idea that isn’t on my weekend project list, and when started, will distract me with singular determination. 
When I look up a whole day has passed.</p> <p>Bother.</p> <p>Such was Saturday when I took on trying to configure Alvis’s hand-me-down laptop to dual-boot Windows 7 RC and XP.</p> <p><strong><font color="#800000">Background</font></strong></p> <p>Flush with my <a href="http://grandstreamdreams.blogspot.com/2009/05/goin-win7-64-bit.html">success in getting both our Vista laptops</a> to dual-boot Windows 7 RC by using the new “boot from VHD” feature, I decided that Alvis’s laptop was next.</p> <p>Her laptop is a smaller model. Still big-enough to be a laptop and not a “netbook” but much smaller than the monster laptops that Lavie and I use (monster in size, not necessarily performance BTW..).</p> <p>Unlike our laptops that were already running Vista, her laptop is running XP.</p> <p>Because the XP boot loader is different from Vista/Win7 I had to take a different tack.</p> <p><strong><font color="#800000">The Operation</font></strong></p> <p>Alvis’s laptop has a single partition. So (using one of my custom PE 3.0 boot disks) I captured a WIM image of it using ImageX. Took about 1 1/2 hours to complete. Girl’s got a lot of icanhascheezburger images downloaded on it… WIM was dumped to a portable USB drive.</p> <p>Next I re-formatted the drive and dumped Windows 7 RC (32-bit) on it. 
It does have a Turion64 processor so I could have gone 64-bit like I did successfully on the other laptops, but it only has 1 GB of RAM so I didn’t want to push things.</p> <p>Installation went on in about 30 minutes; and in another 30 I had the basic configuration done.</p> <p>Next I followed my previous steps in <a href="http://grandstreamdreams.blogspot.com/2009/03/gsd-how-to-dual-boot-windows-7-on-vista.html">GSD How To: Dual Boot Windows 7 on Vista via VHD...</a> post and created the VHD file for the XP system to go.</p> <p>I then used my PE disk to re-boot the system, figured out what drive-letter the VHD file was reporting in on, and then reapplied the ImageX WIM back into the VHD file. Took about 35 min.</p> <p>Reboot and….</p> <p>it went directly into Windows 7 RC.</p> <p><strong><font color="#800000">Troubleshooting</font></strong></p> <p>Turns out I had to do some additional bcdedit work to get the Windows 7 boot loader to correctly see and offer the XP VHD drive. Stuff I didn’t have to do in my previous VHD dual-booting work.</p> <p>I used a combination of bcdedit command-line work and <a href="http://xenomorph.net/?page_id=336">XdN Tweaker</a> GUI tool to keep things organized.</p> <ul> <li><a href="http://technet.microsoft.com/en-us/library/dd638420.aspx">Add a Native-Boot Virtual Hard Disk to the Boot Menu</a> – MS Technet</li></ul> <p>Specifically this part:</p> <blockquote> <p>bcdedit /set {guid} device vhd=[locate]\windows7.vhd</p></blockquote> <p>Once I got it all together and rebooted, the boot loader now offered me both the Windows 7 system and the XP (VHD) system.</p> <p>However, once the NTLDR process kicked off inside the XP VHD, I would get a boot.ini error and the load would tank.</p> <p><strong><font color="#800000">Soo…?</font></strong></p> <p>Turns out (DOH!) I should have not taken the time to even try this.</p> <ol> <li>The Windows 7 boot loader is an updated version of the Vista boot loader. 
<li>You can replace the Vista boot loader file with the Windows 7 one and not have any issues. <li>The Windows 7 boot loader supports booting from VHD…the Vista one does not. <li>The XP boot loader is completely different from the Vista/Windows 7 one. Not even close. <li>The XP boot loader, like the Vista boot loader, does not support booting from a VHD.</li></ol> <p>So while the handoff can take place to the XP OS inside the VHD, once there the XP system doesn’t know (lack of driver support) how to handle using the VHD wrapper as a physical volume.</p> <p>So until someone can take the time to work out tricking (or modifying) the XP OS files to mount and access the VHD file like a physical drive, it doesn’t appear you can boot any other system in a VHD file using the Windows 7 VHD booting scheme unless it is Windows 7 (or Vista if you have exchanged the original Vista boot loader with the Windows 7 version).</p> <p>I’m not a Windows server guy, but if any of the Windows Server versions share a boot loader with Vista/Windows 7, I suspect they would also work in a VHD. That leaves out XP, Windows 2000, and the Linux cousins. (As far as I know at this point.)</p> <p>But wait. How come we can install XP in a VHD file and launch it just fine in Virtual PC?</p> <p>The Virtual PC application wraps the VHD around its hardware abstraction functions so the XP NTLDR doesn't actually realize it is operating in a VHD. It still thinks it is a physical drive.</p> <p>No problems.</p> <p>It’s a different situation when asking XP to haul up itself from within the VHD with no hardware abstraction to assist.</p> <p>The Windows 7 boot loader is more sophisticated and can handle this VHD drive/driver functionality internally just fine without any additional assistance. <p>Vista can be "tricked" into working by swapping out its boot-loader version with the kissing-cousin found in Windows 7. <p>At least that's the way it seems to me. 
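<p>For reference, the boot-menu work from the Troubleshooting step, written out as an added example (not the script used in this post). It follows the sequence in the linked TechNet article and only applies to a VHD holding Windows 7 (or Vista with the swapped boot loader), per the conclusion above. The VHD path and menu label are assumed values.</p>

```powershell
# Added example: register a native-boot VHD in the Windows 7 boot menu.
# Run from an elevated PowerShell prompt on the Windows 7 host.
$VhdPath     = '\windows7.vhd'          # path relative to the volume root (assumed)
$Description = 'Windows 7 (VHD boot)'   # menu label (assumed)

# 1. Clone the running entry. bcdedit prints the GUID of the new entry.
$copyOutput = bcdedit /copy '{current}' /d $Description
if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOutput" }

# Pull the GUID out by pattern so the script does not depend on the
# wording (or language) of bcdedit's success message.
if ("$copyOutput" -match '\{[0-9a-fA-F-]{36}\}') {
    $guid = $Matches[0]
} else {
    throw "Could not find the new entry GUID in: $copyOutput"
}

# 2. Point both device and osdevice at the VHD. [locate] makes the boot
#    manager search the volumes for the file instead of fixing a drive letter.
foreach ($element in 'device', 'osdevice') {
    bcdedit /set $guid $element "vhd=[locate]$VhdPath"
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set $element failed" }
}

# 3. Let the loader re-detect the HAL for the OS inside the VHD.
bcdedit /set $guid detecthal on
if ($LASTEXITCODE -ne 0) { throw "bcdedit /set detecthal failed" }

# 4. Print the finished entry so device/osdevice can be checked by eye
#    before rebooting.
bcdedit /enum $guid
```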
<p><strong><font color="#800000">Remediation</font></strong></p> <p>So in the end I had to reformat all the work I did on Alvis’s laptop, then reapply the original WIM image I took back.</p> <p>It went without a hitch and was back in it’s original state with no harm done in about 25 minutes.</p> <p><strong><font color="#800000">Thoughts on the Windows 7 experience</font></strong></p> <p>I will say that, like our other laptops (a <a href="http://h10025.www1.hp.com/ewfrf/wc/product?lc=en&dlc=&cc=us&product=3860070&lang=">Compaq Presario CQ60-215DX Notebook PC</a> and a <a href="http://support.gateway.com/s/Mobile/2007/Oasis/1014129R/1014129Rnv.shtml">Gateway MT6451 notebook</a>), I had zero (0) issues with Windows 7 RC while it was installed directly on Alvis’s laptop (a <a href="http://h10025.www1.hp.com/ewfrf/wc/product?product=1818501&lc=en&cc=us&dlc=en&lang=en&cc=us">Compaq Presario V2575US</a> model in case anyone is interested). All three appear to be 100% compatible out of the Windows 7 RC installation box experience. Including drivers for both 32-bit and 64-bit OS versions. That is great news.</p> <p>So while I can’t (VHD) dual-boot Alvis’s system like I did for ours, I know it works fine and will be another candidate for upgrade when the final release comes out.</p> <p>That also brings me confidence that even the old Shuttle desktop system might be up to the Windows 7 upgrade task. It’s still chugging along on XP Home right now.</p> <p>I’m really looking forward to moving to Windows 7.</p> <p>I was willing to accept Vista on our laptops, since they shipped that way. 
But while OK, I’ve always been left with the nagging feeling that it just isn’t as polished in overall performance as I would like.</p> <p>Win7 seems to have cleared out the remaining cob-webs.</p> <p><strong><font color="#800000">Additional VHD Booting Resources</font></strong></p> <ul> <li><a href="http://www.hanselman.com/blog/LessVirtualMoreMachineWindows7AndTheMagicOfBootToVHD.aspx">Less Virtual, More Machine - Windows 7 and the magic of Boot to VHD</a> – Computer Zen <p></p> <li><a href="http://blogs.technet.com/danbuche/archive/2009/04/20/fun-with-windows-7-vhd-boot-and-dism-exe.aspx">Fun with Windows 7 – VHD Boot and DISM.exe</a> – Daniel’s Windows World <p></p> <li><a href="http://technet.microsoft.com/en-us/library/dd638420.aspx">Add a Native-Boot Virtual Hard Disk to the Boot Menu</a> – Microsoft TechNet <p></p> <li><a href="http://technet.microsoft.com/en-us/library/dd440865(WS.10).aspx">Frequently Asked Questions: Virtual Hard Disks in Windows 7</a> – Microsoft TechNet <p></p> <li><a href="http://technet.microsoft.com/en-us/library/dd440864(WS.10).aspx">What’s New in Virtual Hard Disks in Windows 7</a> – Microsoft TechNet <p></p> <li><a href="http://technet.microsoft.com/en-us/library/dd638413(WS.10).aspx">Walkthrough: Deploy a Virtual Hard Disk for Native Boot</a> – Microsoft TechNet <p></p> <li><a href="http://www.ditii.com/2009/03/23/windows-xp-to-windows-7-xp-to-vhd/">Windows XP to Windows 7; XP to VHD</a> - D' Technology Weblog – <em>Note: this isn’t so much about dual-booting, but doing a two-step to clone your existing XP system into a VHD, then install Windows 7 on the main-partition, then move the XP system inside the VHD off to another location.</em> <p></p> <li><a href="http://blog.windowsvirtualization.com/win7/xp-to-vhd-w-windows-7-and-it-pro-momentum">XP to VHD w/ Windows 7 and IT Pro Momentum</a> - Dugie’s Pensieve – <em>Note: Similar process as above. 
Not to be confused with “dual-booting” the XP-VHD from the same hardware.</em> <p></p> <li> <a href="http://www.sevenforums.com/tutorials/8057-dual-boot-installation-windows-7-xp.html">Dual Boot Installation with Windows 7 and XP</a> - Windows 7 Forums – <em>Note: This is information on a “traditional” dual-booting setup where each OS has its own partition to boot from. This works as each OS sees the actual physical drive/partition. Rather than Windows 7 which is also able to see/use a VHD as a “virtual” partition.</em> <p></p> <li><a href="http://blogs.infosupport.com/blogs/ericd/archive/2008/11/12/Boot-your-machine-from-VHD.aspx">Boot your machine from VHD</a> - Eric Denekamp. <em>Content is good, but mainly linked for the comments where others have also tried to boot XP from VHD with failure.</em> <p></p> <li><a href="http://www.sevenforums.com/installation-setup/4445-vhd-boot.html">Vhd Boot</a> - Windows 7 Forums. <em>Linked for the comments where others have also tried to boot XP from VHD with failure</em>.</li></ul> <p>So that was the bulk of my Saturday daylight hours.</p> <p>And the night-time hours?</p> <p>Well I had to finish migrating my work laptop system from a Dell Latitude D610 to a D630 unit. And that was a whole different story….</p> <p>Cheers.</p> <p>--Claus V.</p> Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-3713800547690147752009-05-16T15:03:00.002-05:002009-05-16T22:27:23.518-05:00Updated: Goin' Win7 64-bit – It Rocks!<p><strong><font color="#d90000">Update</font></strong></p> <p>This is pretty scary, in a good way. Install of Win7-64 bit went off without a hitch. Had it fully running in about an hour and a half. Performance is outstanding. I can’t get a performance rating in that I am running off a VHD file drive. 
However, subjectively, the laptop performance feels much snappier and crisper than in Vista Home Premium 32-bit. I did have to spend an extra fifteen minutes figuring out my wireless setup. I manually added my wireless network device, but Win7 just wouldn’t pick it up. Then I found the setting to auto-connect to the router even if SSID broadcasting is off (it is on my router). That did the trick. During the on-line update process the system found a compatible NVidia video driver which is working fantastic. The Vista 64bit printer driver is doing fine. Because the vast majority of my applications are “portable” I just have to create new shortcuts to my “standalone” programs from their folder on the main drive. The system isn’t having any trouble jumping out and running them from outside the VHD drive it is running directly from.</p> <p>Imagine that. Jumping to a Windows 7 64-bit install and zero, yes, ZERO driver issues so far.</p> <p>I’ve got quite a lot of “tweaking” of Win7 to do, but if it continues to run this smoothly, I’ll almost assuredly be standing in line to upgrade both our Vista Home Premium 32-bit systems to Windows 7 Home Premium 64-bit. The XP desktop system will likely remain that way for the foreseeable future. And the jury is still out on whether to upgrade the third laptop (XP Home) that Alvis uses or not. I probably will.</p> <p>I’ve found that the <a href="http://xenomorph.net/?page_id=336">XdN Tweaker</a> that I have previously mentioned for XP/Vista tweaking has just released an updated version that is compatible with Windows 7.</p> <p>Lavie’s asking when her laptop gets the dual-boot upgrade to Win7 64-bit next. I’ve got a whopper of a post planned for tomorrow, but maybe tomorrow night I will give her Compaq laptop the treatment as well.</p> <p>Two enthusiastic thumbs up for Windows 7 (RC) 64-bit! </p> <p>--Cheers! 
CV.</p> <p><em>original post below….</em></p> <p>Of course I would pick an inopportune time to do so.</p> <p>Leaving in about an hour and a half to take mom out for a belated-Mommy's Day dinner in Houston.</p> <p>Not the best timing to do a major OS dual-boot configuration.</p> <p>I'm setting my laptop up on Windows 7 RC with the 64-bit flavor this time, just to see if there is any real performance benefit in doing so.</p> <p>To keep things flexible, I'm choosing to dual-boot and retain my existing Vista Home Premium 32-bit system installation.</p> <p>I'm applying the steps in this GSD post:</p> <ul> <li><a href="http://grandstreamdreams.blogspot.com/2009/03/gsd-how-to-dual-boot-windows-7-on-vista.html">GSD How To: Dual Boot Windows 7 on Vista via VHD file</a></li></ul> <p>So far so smooth. It's going on very fast and no errors have been encountered.</p> <p>Lavie is already asking me when I'm going to set her laptop up that way!</p> <p>I'll give a report later tonight (if I'm not too full and tired from the dinner outing)!</p> <p>Cheers!</p> <p>--Claus V.</p> <p>PS--been watching the Shuttle servicing mission live today on <a href="http://www.nasa.gov/multimedia/nasatv/index.html">NASA TV</a>. Really cool and amazing stuff.</p> Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-50704239336091293292009-05-10T23:13:00.001-05:002009-05-10T23:13:28.250-05:00Microsoft XP Mode link-dump<p align="center"><img border="0" alt="MSDump" src="http://lh3.ggpht.com/GrandStreamDreams/SB5PQmJeNnI/AAAAAAAAAWY/wmih1qpuuiw/MSDump%5B8%5D.jpg?imgmax=800" width="448" height="281"></p> <p align="right">CC Photo Credit: by <a href="http://flickr.com/photos/lifeontheedge/155223959/">Choctopus on Flickr</a> <p>I’ve been besieged with too many interesting topics and issues these past two weeks. 
Way too many links for a borderline OCD geek to digest. <p>The problem with this is that when an interesting technology swells, sometimes I am unable to climb up and ride it in. Instead I get wiped out and when I finally reach the beach the wave has long since crashed and I’m left with a humongous collection of linkage that serves better as a reference post than I had hoped. <p>That is the case this time with news that Windows 7 has a neat feature for some supported versions called XP Mode (XPM). <p>Windows XP Mode is available for Windows 7 Professional, Windows 7 Ultimate and Windows 7 Enterprise customers. <p>If you want a quick and excellent “how-to” on getting it up and running on your Windows 7 RC installation just pop over to this link. I guarantee it is the shiznizzle. <ul> <li><a href="http://lifehacker.com/5245396/set-up-and-use-xp-mode-in-windows-7">Set Up and Use XP Mode in Windows 7 - Windows 7 XP Mode</a> – Lifehacker</li></ul> <p>It’s got everything you need to know to determine if this is for you, and what steps you should follow to get XPM running on your system.</p> <p>The rest of this post is just linkage for the tech-heads or sadly curious.</p> <p><strong><font color="#800000">What’s so Exciting Anyway?</font></strong></p> <p><font color="#000000">Let’s let Rafael Rivera explain it from his Within Windows blog XPM announcement: <a href="http://www.withinwindows.com/2009/04/24/secret-no-more-revealing-windows-xp-mode-for-windows-7/">Secret No More: Revealing Windows XP Mode for Windows 7</a></font></p> <blockquote> <p><b>XP Mode consists of the Virtual PC-based virtual environment and a fully licensed copy of Windows XP with Service Pack 3</b> (SP3). <b>It will be made available, for free, to users of Windows 7 Professional, Enterprise, and Ultimate editions</b> via a download from the Microsoft web site. (That is, it will not be included in the box with Windows 7, but is considered an out-of-band update, like Windows Live Essentials.) 
XPM works much like today’s Virtual PC products, but with one important exception: As with the enterprise-based MED-V (Microsoft Enterprise Desktop Virtualization) product, XPM does not require you to run the virtual environment as a separate Windows desktop. Instead, as you install applications inside the virtual XP environment, they are published to the host (Windows 7) OS as well. (With shortcuts placed in the Start Menu.) That way, <b>users can run Windows XP-based applications (like IE 6) alongside Windows 7 applications under a single desktop</b>.</p></blockquote> <p>Basically XPM mode embeds a fully functional XP Pro OS build inside supported Windows 7 OS builds, then wraps it so tightly around that you might not know where the host OS begins and the virtualized XP system ends. Documents are not stored inside the XP VHD but back on the Windows 7 libraries. When you launch an application installed inside the XPM VHD, you don’t have to launch XPM first, it happens automagically.</p> <p>That’s the promise, at least.</p> <p>If fully delivered, it will be pretty cool and useful for a select class of users.</p> <p><strong><font color="#800000">Supporting XPM: Virtual PC (beta)</font></strong></p> <p><a href="http://www.microsoft.com/windows/virtual-pc/default.aspx">Windows Virtual PC home page</a> – Go here to download the Windows Virtual PC beta package specially crafted for Windows 7 systems. There is not (yet) an updated version for XP/Vista systems. So for you, you must content yourself with the current Virtual PC 2007 release build.</p> <p>The <a href="http://www.microsoft.com/windows/virtual-pc/features/default.aspx">Windows Virtual PC (beta) features</a> do now include some wonderful virtualization features that VPC has been lacking; </p> <p>USB support - Users can access USB devices attached to the host directly from virtual Windows XP. These devices include printers and scanners, flash memory/sticks and external hard disks, digital cameras, and more. 
<p>Seamless applications - Publish and launch applications installed on Virtual Windows XP directly from the Windows 7 desktop, as if they were installed on the Windows 7 host itself. <p>Folder integration between host and guest - Access your Windows 7 Known Folders: My documents, Pictures, Desktop, Music, and Video, from inside the virtual Windows environment, such as Windows XP Mode. <p>Clipboard sharing - Cut and paste between your Windows 7 host and any virtual machine. <p>Printer redirection - Print directly to your attached printer from your seamless application or virtual machine. <p>While these features aren't remarkable in the world of other virtualization software products...they do seem like a big jump for Virtual PC which seems to have lagged in these areas. <p>Unfortunately for VPC fans, most of these new features have been offered by other virtualization products such as VMWare and Sun’s VirtualBox. However it is nice to see that VPC is finally stepping up on these items. <p>The solutioning contrast between XPM and MED-V v2 is nicely broken down in this <a href="http://windowsteamblog.com/blogs/business/archive/2009/04/28/how-med-v-v2-helps-you-manage-windows-xp-mode.aspx">How MED-V v2 Helps You Manage Windows XP Mode - Windows for your Business</a> - The Windows Blog team Post. <p>MED-V is a solution for the enterprise-class IT shops and customer needs. <p>XPM is likely going to be picked up by home-using geeks who dabble in virtualization, and small offices and businesses that have older applications they must continue to use, but want/need to leave XP as a primary OS behind. <p>Say maybe they’ve got some Access 97 databases/clients and don’t want to mix Office installations. Or maybe some specially crafted applications that just don’t play well on any system except XP OS. 
<p><strong><font color="#800000">Why It's a Big Deal (to a select few)</font></strong> <p><a href="http://www.betanews.com/article/XP-Mode-is-for-real-First-Windows-Virtual-PC-beta-accompanies-Windows-7-RC/1241122701">XP Mode is for real: First “Windows Virtual PC” beta accompanies Windows 7 RC</a> – Betanews<strong><font color="#800000"></font></strong> <p><a href="http://www.betanews.com/article/Is-XP-Mode-in-Windows-7-something-youd-want-to-use/1241451260">Is “XP Mode” in Windows 7 something you’d want to use?</a> – Betanews. Scott M. Fulton, III drills in on the whole amazing thing about this (besides the W7/XP integration). <blockquote> <p>Essentially giving away a working XP kernel -- which is what Microsoft has decided to do -- is the company's boldest move toward neutralizing the negative impact of the downward compatibility argument on the operating system. The press materials last week presented by Microsoft did not explicitly specify that both Windows Virtual PC and the XP Mode drop-in (a pre-installed virtual machine) would be free, so even though a Microsoft FAQ for the general public stated they would be, we weren't certain we should report that without direct confirmation. <p>Over the weekend, Microsoft spokespersons rallied to confirm the licensing situation. Users of Windows 7 Professional, Enterprise, and Ultimate SKUs, a spokesperson confirmed to Betanews Sunday afternoon, will not be charged extra to download either Windows Virtual PC or the XP Mode drop-in. But the downloads will be available "for all customers," the spokesperson added, leaving open the possibility of future fee-based licensing for users of other Win7 SKUs. 
For now, as is the case with Vista, the Ultimate SKU is the only consumer-grade edition of Win7 that enables the business-class features of the operating system, which also include such things as group policy management.</p></blockquote> <p>In case Scott didn’t make that clear, try Ed Bott’s take in his ZDNet Microsoft Report blog post <a href="http://blogs.zdnet.com/Bott/?p=896">Why all the fuss over XP Mode?</a>. It’s even more direct:</p> <blockquote> <p>So why is XP Mode a big deal? <strong>It’s not the technology, it’s the licensing. </strong>For Windows Vista, Microsoft allows customers running Enterprise edition under a volume license to run up to four virtual machines with the same Windows license (downgrade rights mean the VM can run an earlier version of Windows like XP Professional). Everyone else (yes, I’m looking at the entire small business sector here), you need to buy a separate XP license to run in that VM. That’s a lot of money to pay just to run one incompatible app. <p>For Windows 7, Microsoft has removed that objection. If you buy Windows 7 Professional, you get the right to download and use a licensed copy of XP, neatly packaged in a VHD and ready to run in the XP Mode environment. </p></blockquote> <p>So if you have a Windows 7 Professional, Ultimate, or Enterprise version, you can download, install and use an unrestricted XP Pro build to your heart’s content within Windows 7; at no additional cost.</p> <p>That’s two, two OS’s for the price of one.</p> <p>Everyone else will still have to pony up $ for a qualifying XP OS license to run in Virtual PC 2007, or take the XP OS they bought (assuming it qualifies) and they put aside (hopefully if you are Microsoft) and then reuse it inside a virtual system and not on running hardware any longer. What a bargain!</p> <p><strong><font color="#800000">Issue No. 2</font></strong></p> <p>Dwight Silverman did a great roundup review of XPM and some of the key issues related to it. 
He nails the second one.</p> <p><a href="http://blogs.chron.com/techblog/archives/2009/04/secret_new_option_in_windows_7_its_windows_xp.html">Secret new option in Windows 7? It’s Windows XP!</a> – TechBlog</p> <blockquote> <p>With this feature, Microsoft clearly hopes to erase business objections to upgrading. If Win7 can run WinXP apps just fine, there are fewer obstacles to Win7 adoption. But this isn't a slam-dunk. <p>Older machines are not likely to have the horsepower to run Windows XP Mode smoothly. And running virtually - even in a preconfigured virtual machine - adds a layer of complexity both for IT managers and their users. </p></blockquote> <p>Not only do you have to have a system beefy enough to support running Windows 7, and an OS version of it that supports XPM, but you have to have the system hardware to support it. And I suspect that many machines (particularly older desktops and laptops that have been chugging away faithfully on XP since the beginning) just won’t cut it.</p> <p>XPM <b>requires processor-based virtualization support</b> (Intel and AMD) to be present and enabled on the underlying PC.</p> <p>OSNews’s Thom Holwerda goes to town on all the exuberant XPM news and feature postings and chides them a bit on leaving out the important details of this hardware requirement: <a href="http://www.osnews.com/story/21448/Teacup_Meet_Storm_pt_II_XPM_and_Intel_Support">Teacup, Meet Storm, pt. II: XPM and Intel Support</a>.</p> <p>And for non-geeks looking to upgrade their home/office systems to take advantage of Windows 7 and all the bells and whistles it offers, choosing the correct processor for the job can be daunting, as Ed Bott recounts in his ZDNet Microsoft Report blog post <a href="http://blogs.zdnet.com/Bott/?p=946">How many Intel CPUs will fail the XP Mode test in Windows 7?</a></p> <blockquote> <p>…three years later, it appears to be time for the “Vista Capable” sequel. 
How much positive Windows 7 buzz will be wiped out in coming weeks and months when consumers and business buyers discover that a heavily hyped new Windows 7 feature, XP Mode, won’t work on some Intel-based products? The problem is caused by the Byzantine way Intel packages its CPU technology—adding, removing, and tweaking features like bus speed and cache size to hit the widest variety of price points for PC makers. <p>The new Windows Virtual PC (now available as a beta release for the Windows 7 Release Candidate) requires hardware-assisted virtualization. For your PC to run XP Mode in Windows 7, the CPU has to support Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V), and this support has to be enabled in the BIOS. <p>In the case of Intel’s phenomenally confusing product matrix, VT support is added and removed from CPU models for reasons that have more to do with marketing than technology. You can’t necessarily tell from the model number whether VT support is present or not. If you buy a brand-new PC and pick the wrong CPU, Windows Virtual PC won’t be able to host the virtual machine that powers XP Mode. And spending more money can actually hurt you in some configurations.</p></blockquote> <p>The Register’s Tim Anderson had to bang around in the BIOS a bit to get their fairly recent system’s hardware-based virtualization support engaged and running before getting XPM up and running</p> <p><a href="http://www.theregister.co.uk/2009/05/01/windows_7_xp_mode_review/">Windows 7’s XP Mode - Virtually worth the effort</a> • The Register</p> <blockquote> <p>Windows XP Mode requires hardware virtualization support from your CPU, either AMD Virtualization (<a href="http://www.amd.com/us-en/0,,3715_15781,00.html?redir=SWOP08">AMD-V</a>) or Intel Virtualization Technology (<a href="http://www.intel.com/technology/itj/2006/v10i3/1-hardware/6-vt-x-vt-i-solutions.htm">Intel-VT</a>). 
Two snags: first, most PCs which support this have it disabled by default, and second, there are plenty of boxes out there that do not support it at all, including those based on current Intel Celeron, Pentium, and some Core 2 Duo CPUs.”</p></blockquote> <p>His issues and victories are good reading so be prepared for some bumps along the way with the installation process.</p> <p><strong><font color="#800000">Does it <strike>Float</strike> Virtualize?</font></strong></p> <p>The easiest way to see if you already have the juice on your system to run XPM mode (hardware wise) is to download the free <a href="http://www.grc.com/securable.htm">SecurAble </a>utility from GRC. It will tell you if your laptop/desktop will support 32-bit or 64 bit OS’s, hardware-based DEP protection features, and finally, hardware-based virtualization support.</p> <p>It’s a tiny EXE file so it is easy to stick on your USB stick and test different systems quickly around your shop/business/home.</p> <p align="center"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/_Km3V5JZ6Aws/Sgel56s-JKI/AAAAAAAAAt0/KzASdhZxlhE/image%5B4%5D.png?imgmax=800" width="483" height="223"> </p> <p align="center"><font color="#800080">(in which with the help of GRC’s SecurAble utility and <a href="http://www.dannychoo.com/detail/mac/eng/image/18054/The+Mio+Beam.html">Moe maid Mio’s energy beam</a>, we find the Valca Gateway laptop is ready for Windows 7 64-bit and XPM mode assimilation)</font></p> <p>On the other hand, if you don’t already have the system in front of you and are doing pre-homework before purchase, you have your work cut out for you, as <a href="http://blogs.zdnet.com/Bott/?p=946">Ed Bott found out and documented in detail.</a></p> <p>Some sites you might want to check in at:</p> <ul> <li><a href="http://processorfinder.intel.com/Default.aspx">Processor Spec Finder</a> -- Intel <li><a 
href="http://products.amd.com/en-us/">AMD Product Specs</a> – AMD</li></ul> <p>Be prepared for confusion.</p> <p><strong><font color="#800000">Issue No. 3</font></strong></p> <p>It’s a doozie: Security of the virtualized XPM system.</p> <p>I’ve not seen much discussion on how the virtualized XP system is to be secured. Will it require the XP virtualized firewall to be enabled? Will the host AV/AM software sufficiently protect it? Or will everyone have to run additional AV/AM software inside of the XPM wrapper? Will the XPM OS need to keep its patches updated? Probably so. What happens when a critical OS fault is encountered by Virtual PC from inside the XPM system. A virtual BSOD? It can happen! I’ve seen it. How about recovering after a bombed XPM system? Will XPM host system restore features? Or will you have to do all your building? How does user and system security get managed (just like any other OS)? Does it adopt the host permissions wrapper?</p> <p>It supports and can use earlier release versions of Internet Explorer, you know, the less-secure ones? If a user is browsing around in XPM with IE8 and hits a drive-by malware dropper site, the Windows 7 host might remain insulated to a large degree (I hope) but the XPM system and all the user’s critical data/applications might get hosed. I mean, I can’t imagine most businesses wanting to take the time and effort to set up and support XPM on a system unless it really was “mission-critical”. So security of that XPM system is all the more important.</p> <p>The questions can roll on for quite a while, but if it is a true XP OS embedded inside Windows 7, it seems to me at this stage that all the headaches and work that goes along with any other XP OS comes along with XP Mode usage.</p> <p>Rafael Rivera (and others) will no doubt be exploring and expanding these concerns and issues in the months ahead of the Virtual PC for Windows 7 and Windows 7 RTM releases. 
But consider this that Rafael posted: <a href="http://www.withinwindows.com/2009/04/25/windows-xp-mode-internals-part-1-overview/">Windows XP Mode Internals - Part 1 (Overview) - Within Windows</a>.</p> <blockquote> <p>XPM comes in two parts – <b>The VHD package</b> – containing a preinstalled, shrink-wrapped copy of Windows XP with SP3 — and <b>an optional Windows update</b> (KB958559) that deploys a variant of the upcoming Virtual PC 7 (VPC) product. After installation, your XPM installation folder will contain an expanded VHD, a text file containing the product key, and some random words in license agreement form.</p></blockquote> <p>If there is a VHD (Microsoft Virtual Hard Drive) file, and if there is an XP OS in it, then unless great care is given, there is a virtual petri dish ready and waiting for malicious code-based pathogens to grow and multiply comfortably within.</p> <p>There’s even more.</p> <p>Suppose for some reason law-enforcement or corporate IT incident response is marshaled against a user with such a system. 
Not only will they need to assess the host system and drive contents, but then they will need to dive into the VHD OS system as well and examine that drive-within-a-drive for additional evidence.</p> <p>Just one more thing to be on the look-out for in incident response cases!</p> <p>Whew.</p> <p><strong><font color="#800000">Going Behind the Emerald Curtain of XPM</font></strong></p> <p>For an even deeper assessment of the technologies used by XPM, Virtual PC, and the Windows 7 host, you would do well to read these excellent posts by Rafael Rivera:</p> <p><a href="http://www.withinwindows.com/2009/04/25/windows-xp-mode-internals-part-1-overview/">Windows XP Mode Internals - Part 1 (Overview)</a> - Within Windows – Covers the installation and hooking process that gets all these pieces aligned and synchronizing correctly.</p> <p><a href="http://www.withinwindows.com/2009/04/28/windows-xp-mode-internals-part-2-application-publishing-magic/">Windows XP Mode Internals – Part 2 (Application Publishing Magic)</a> - Within Windows – Some even more (brief) details on how the interaction between the host and client systems occur, as well as a curious limitation of XPM mode:</p> <blockquote> <p>XPM eliminates the publishing step in the traditional Terminal Services model by incorporating monitoring logic within the Virtual Machine Services components installed on Windows XP for you, at first run. This component, amongst other things, monitors the (All Users) Start Menu for shortcut additions and deletions. For example, after detecting an added shortcut XPM adds the application to the Remote Applications white-list, nabs its icon, and performs some other internal house keeping tasks before passing the baton to the host operating system for addition to the Virtual Applications list in the Start Menu. <p>…one of the (current?) limitations with XPM (as a result of client Terminal Server licensing) is that only one user or channel can be open at any given time. 
This means you cannot execute Internet Explorer 6 while running maintenance tasks within the virtual machine, like installing updates from Windows Update. For the tinker tots, however, you may want to <a href="http://alonbilu.wordpress.com/2008/05/17/enabling-multiple-concurrent-remote-sessions-on-windows-xp-sp3-patched-file-included/">patch the Windows XP guest to allow simultaneous RDP sessions</a>.</p></blockquote> <p>So it appears that either by design or circumstance of architecture, there may be limits to the number of things you can do within XPM at any given time. For non-technical users who were set up with a XPM configuration, this could cause some headaches for the IT staff when stuff doesn’t work the way it should from time to time. (Is that an additional process you’ve got running there or are you just unhappy to see me?)</p> <p>Rafael’s post I’ve referenced above does include <a href="http://www.withinwindows.com/2009/04/28/windows-xp-mode-internals-part-2-application-publishing-magic/">a nicely illustrated Flash video</a> showing just that issue.</p> <p><strong><font color="#800000">Do I even need XP Mode?</font></strong></p> <p>Short answer?</p> <p>Probably not.</p> <p>And you don’t need to feel bad about it anyway.</p> <p>Remember, even out of the gate, many users will be excluded from XP Mode operations by the fact their Windows 7 OS builds won’t support it. Only Windows 7 Professional, Ultimate, and Enterprise builds will allow it. Then you have to have the hardware to install it. 
Then you have to take the time to install it, configure it, and get your XP applications running within it.</p> <p>That’s a lot of work to get your app running.</p> <p>For most folks, Microsoft already has been delivering a (usually) acceptable solution since XP and now in Vista.</p> <p>It’s called Application/Program Compatibility Mode.</p> <p><a href="http://technet.microsoft.com/en-us/library/bb457032.aspx">Windows XP Application Compatibility Technologies</a> – Microsoft TechNet</p> <blockquote> <p><strong>Introduction</strong> <p>In general, applications are highly optimized for a specific operating system or operating system version. Application compatibility problems can arise when users try to run their favorite programs on a newer version of the Microsoft Windows® operating system, for example, than the one for which the application was originally written. This may be especially true when migrating many older applications to Windows XP, because it is built upon the foundation of Windows NT® and Windows 2000, and not the consumer-oriented line of operating systems (Windows 95, Windows 98, and Windows Millennium Edition). <p>Because Windows NT and Windows 2000 are business operating systems, many application developers with the home user in mind have chosen to write their programs solely for Windows 95 and its successors. Accordingly, migrating these applications to Windows XP must take into account the differences in the respective operating system application programming interfaces (APIs). Some of these differences are due to the new features of Windows XP, but some are due to the more stringent programming requirements of the Windows NT code base. <p>Applications that worked on earlier versions of Windows may fail to function properly on Windows XP for a variety of reasons—an application may expect older formats of Windows data, or it may expect user information, such as that in personal and temporary folders, to be in specific locations or formats. 
Problems such as these mostly apply to applications written for Windows 95, Windows 98, or Windows Me, but some applications written for Windows NT or Windows 2000 may also be affected. <p>To solve this problem and so enable a better user experience with legacy applications, Microsoft has integrated application compatibility technologies into Windows XP that come into play whenever an application is installed on the operating system, whether in the course of a system upgrade or during regular operations. This article first describes these technologies in detail and then outlines how they can be used and extended, in particular with the supplemental tools available in the Application Compatibility Toolkit.</p></blockquote> <p>The rest of the page goes into great technical detail on the technologies and methods that run and control this feature.</p> <p>Knock yourself out there tiger!</p> <p>Otherwise, hop down to these links for the end-user version on this feature that you may or may not already be familiar with.</p> <p><a href="http://technet.microsoft.com/en-us/library/bb456979.aspx">How to Use Windows Application Compatibility Mode</a> – Microsoft TechNet</p> <p><a href="http://support.microsoft.com/kb/292533">How to use Windows Program Compatibility mode in Windows XP</a> – Microsoft Help and Support ID 292533</p> <p><a href="http://blogs.techrepublic.com.com/window-on-windows/?p=705">How do I use the Compatibility tab in Windows Vista?</a> -- TechRepublic.com</p> <p><a href="http://windowshelp.microsoft.com/Windows/en-US/help/bf416877-c83f-4476-a3da-8ec98dcf5f101033.mspx">Make older programs run in this version of Windows</a> - Windows Vista Help</p> <p><a href="http://articles.techrepublic.com.com/5100-10878_11-1055657.html">Get IT Done: Make legacy applications feel at home in Windows XP</a> -- TechRepublic.com</p> <p><a href="http://technet.microsoft.com/en-us/library/cc748935.aspx">Program Compatibility Features and Resulting Internet Communication in 
Windows Vista</a> – Microsoft TechNet</p> <p>And to the great delight of all those Windows 7 users who don’t have the hardware to run XPM or a qualifying OS version, take heart: Compatibility Mode is still alive and well in Windows 7.</p> <p><a href="http://www.sevenforums.com/tutorials/316-compatibility-mode.html">Compatibility Mode</a> - Windows 7 Forums </p> <p>Lots of pictures on that one!</p> <p><strong><font color="#800000">The Bottom Lines for XPM and Windows 7</font></strong></p> <p>So why even bother with XPM mode for Windows 7 and all the extra headroom it requires and the security and management/support issues it brings with it?</p> <p>Well, some old-school applications just won’t work under Windows 7 (or Vista) in compatibility mode. They require certain rights or DLLs or services or permissions or system structures that Windows 7/Vista just cannot or no longer will provide. In these circumstances, Application Compatibility Mode just isn’t going to work/help whatsoever.</p> <p>And for the big-shot, enterprise-level deployments, the IT shops are going to find XPM amusing and curious, but their resources and energies will be spent deploying enterprise-based MED-V (Microsoft Enterprise Desktop Virtualization) products.</p> <p>So you can stay running XP and fall further behind on the Microsoft support cycle, you can ditch your applications/databases that just won’t run any other way on Vista/Windows 7, you can purchase an XP license and set up a Virtual PC 2007 VHD to run it in (for Vista or XPM-unsupported Win7 OSes), or you can drink the Kool-Aid and belly up to the XPM saloon.</p> <p>All this long post to say this,</p> <p>You’ve got options for backward-compatibility in Windows 7 (and Vista) my friend.</p> <p>And though they might bring a measure of headaches, they are also slick and sexy; in a geeky way.</p> <p>Enough said for now.</p> <p>I’m sure there will be even more as time wears on.</p> <p>--Claus V.</p> <p><strong><font 
color="#800000">Bonus Linkage – because one truck-load is never enough….:</font></strong></p> <p>You know me, I can’t leave a Web-rabbit unlinked.</p> <p>Here are a few more resources and blogs related to MED-V technologies and solutions.</p> <ul> <li><a href="http://www.microsoft.com/windows/enterprise/products/med-v.aspx">Microsoft Enterprise Desktop Virtualization (MED-V)</a> – Microsoft Windows <p></p> <li><a href="http://www.microsoft.com/virtualization/products/desktop/default.mspx">Virtualized Desktop Products & Technology</a> – Microsoft Desktop Virtualization <p></p> <li><a href="http://blogs.technet.com/mdop/default.aspx">The Official MDOP Blog</a> – Microsoft TechNet blog <p></p> <li><a href="http://blogs.technet.com/virtualization/">Windows Virtualization Team Blog</a></li></ul> <p>Claus Out!</p> Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-40546654906201236902009-05-10T14:12:00.001-05:002009-05-10T14:12:43.964-05:00Mother’s Day Yummers! 
Linkfest<p align="center"><a href="http://lh3.ggpht.com/_Km3V5JZ6Aws/SgcnKVOWiVI/AAAAAAAAAts/y6TNRGni7Mo/s1600-h/image%5B4%5D.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh5.ggpht.com/_Km3V5JZ6Aws/SgcnK3DueLI/AAAAAAAAAtw/oJs913P_7oQ/image_thumb%5B7%5D.png?imgmax=800" width="443" height="157"></a> </p> <p align="right"><font color="#800080" size="1">Image attribution under CC to Anita Chu at </font><a href="http://dessertfirst.typepad.com/dessert_first/2008/10/goodbye-mothers-cookies.html"><font color="#800080" size="1"><u>Dessert First</u></font></a><font color="#800080" size="1"> blog</font></p> <p>One of the best southern grocery-store treats in our family was Mother’s Circus Cookies.</p> <p>A bag of these would last only long enough in the time taken to transit the space between bag and bowl. Most were intercepted before making it.</p> <p>Give me a cup of coffee and cream, Lavie and Alvis on each side and a good movie and we are in heaven.</p> <p>Thus it was with deep sadness when we learned last year that <a href="http://consumerist.com/5061209/mothers-cookies-goes-out-of-business-kills-off-circus-animals">Mother’s Cookies</a> went out of business and the Circus Animals left town for good.</p> <p>Some post-apocalypse survivalists no doubt purchased many supplies and kept them cached away safely. Other intrepid fans labored long hours in kitchen labs to concoct their own frosted Island of Dr. Moreau animal creations: <a href="http://dessertfirst.typepad.com/dessert_first/2008/10/goodbye-mothers-cookies.html">Dessert First: Goodbye, Mother’s Cookies</a> with more apparent success than Dr. 
Moreau had.</p> <p>Fortunately for the masses like us, news comes that Kellogg’s has revived the brand and recipe from the bankruptcy vaults and stores across the South will <a href="http://www.seriouseats.com/2009/01/where-can-i-get-mothers-cookies-update-after-kelloggs-purchase-iced-oatmeal-circus-animals.html">again be filled this summer</a> with these wonderful confectionery indulgences. </p> <p>Rejoice!</p> <p>These links aren’t quite as tasty as the cookies mentioned above, but they won’t leave colored sprinkles on the corner of your lips and fingers to give your secret passions away!</p> <ul> <li><a href="http://technet.microsoft.com/sysinternals/bb963902.aspx">Autoruns v9.5</a> - (freeware) – Sysinternals tool got a major add-in element this week: video codec reporting. “This update to Autoruns…adds display of audio and video codecs, which are gaining popularity as an extension mechanism used by malware to gain automatic execution.” I’ve tried it and it does indeed bring this element to advanced system administrators. However, I believe that Nir Sofer’s freeware <a href="http://www.nirsoft.net/utils/installed_codec.html">InstalledCodec</a> utility covers a few more bases/codecs. For a fast look, Autoruns is still it, but for a trusted second opinion, you have to go with Nir’s tool. <p></p> <li><a href="http://blogs.msdn.com/ie/archive/2009/05/06/ie-testing-vpc-images-updated.aspx">IE Testing VPC Images Updated</a> – Free VHD file images from Microsoft roll up XP Pro with SP3 for IE testers. I don’t test IE rendering in them but find they provide excellent reusable base XP/Vista virtual desktops for software testing and proving. The XP ones (3) are time-bombed for an August 2009 kill date, while the Vista Business images (2) expire after 120 days. 
<p></p> <li><a href="http://blogs.msdn.com/mikekol/archive/2009/05/05/wim2vhd-release-candidate-now-available.aspx">Virtual Varia : WIM2VHD Release Candidate now available!</a> – (freeware) – If you work with WIM files and VHD files, you’ve got to check out this updated <a href="http://code.msdn.microsoft.com/wim2vhd">Windows(R) Image to Virtual Hard Disk (WIM2VHD) Converter</a>. It (when coupled with the freshly available <a href="http://www.microsoft.com/downloads/details.aspx?familyid=4AD85860-D1F4-42A1-A46C-E039E3D0DB5D&displaylang=en">Windows 7 RC WAIK</a>) allows you to perform some tricky conversions of a WIM file into a VHD-supported format. Neat! <p></p> <li><a href="http://windowsteamblog.com/blogs/windowssecurity/archive/2009/05/06/upcoming-action-center-changes-for-security-vendor-software.aspx">Upcoming Action Center Changes for Security Vendor Software</a> - Windows Security Blog. The post details some changes in Windows Vista and Windows 7 to how security vendors’ software will be allowed to interact with the Security Center interface. <p></p> <li><a href="http://blogs.technet.com/askperf/archive/2009/05/08/viewing-folder-sizes-in-explorer.aspx">Viewing Folder Sizes in Explorer</a> – Ask the Performance Team blog – Microsoft again rolls out the explanations (reasonable as they are) on why folder sizes are not reported automatically in the open in Windows Explorer. Yes, it is a performance thing… <p></p> <li><a href="http://www.f-secure.com/weblog/archives/00001678.html">Q&A: Windows 7 File Extension Hiding</a> - F-Secure Weblog – Security software provider takes a look at file-extension handling under Windows 7 and finds that it (still) comes up lacking. 
<p></p> <li><a href="http://www.hanselman.com/blog/SwitchingMyWindows7BootDiskFromDToCWithBCDBootRatherThanBCDEdit.aspx">Switching my Windows 7 Boot Disk from D to C with BCDBoot rather than BCDEdit</a> - Scott Hanselman’s Computer Zen blog – Scott gets himself out of a jam when he upgrades a multi-volume system to Windows 7 RC. He gets out of it, but it is a good lesson on paying attention during the install/upgrade process when you have more than one partition/disk/volume. <p></p> <li><a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=60a07e71-0acb-453a-8035-d30ead27ef72#tm">Windows® AIK for Windows ® 7 RC</a> – Microsoft Download Center. Get it while it’s hot for your PE 3.0 boot disk building! <p></p> <li><a href="http://www.nirsoft.net/utils/outlook_statistics.html">OutlookStatView</a> - (freeware) – Nir is on a roll! For all you Outlook junkies out there, this tool can gather a lot of great statistics on your email habits. <p></p> <li><a href="http://blog.didierstevens.com/2009/05/06/a-very-brief-history-of-foxit-reader-and-javascript/">A Very Brief History of Foxit Reader and JavaScript</a> – Didier Stevens blog – Didier does an excellent job of succinctly explaining the differences in JavaScript handling between Adobe Reader options and those in Foxit Reader. <p></p> <li><a href="http://www.sciencedaily.com/releases/2009/04/090430101445.htm">XBox Forensics</a> – Science Daily – Reports in on a forensics tool being developed by David Collins at our own home-town Sam Houston State University. His tool will allow mounting of an FATX drive image for investigation. The tool is still under development but it looks promising. With the rise of console gaming platforms to be used not just for gaming, but also for Internet surfing, communication, and home-media management, these specially-purposed computers can end up being a possible source of additional evidence for investigations. 
David states that “…future work on XFT will involve making the toolkit into a fully functional forensic operating system (OS). This OS will be packaged as both a bootable operating system from a hard disk and a "live" bootable compact disk. "This implementation will be open source, verbosely commented and designed from the ground up as a forensic OS," says Collins, "This will remove any and all proprietary operating system dependencies, making the forensic process as transparent as possible." <p></p> <li><a href="http://www.net-security.org/secworld.php?id=7448">Forensically sound Windows bootable environment</a> – Help Net Security News – Notice that ForensicSoft has just released a new version of their <a href="http://www.forensicsoft.com/catalog/product.php?osCsid=894d38376d2b57cd65e06a3593f036d7">SAFE</a> (System Acquisition Forensics Environment). Although based on Windows PE, the software engineers have been hard at work guaranteeing that this LiveCD system booter doesn’t touch the local drives at all during the response investigation. It is a $ product, but looks like a well-implemented tool for those who need something like this.</li></ul> <p><a href="http://www.amazon.com/Yummers-Starring-Emily-Eugene-Marshall/dp/0395147573">Yummers!</a> indeed.</p> <p>--Claus V.</p> Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-43030667142342902009-05-10T00:03:00.001-05:002009-05-10T00:03:41.401-05:00Firefox and Chrom(ium) News<p><strong><font color="#800000">First the Fox</font></strong></p> <p><a href="http://blog.mozilla.com/faaborg/2009/05/06/thinking-about-refreshing-the-firefox-icon/">Alex Faaborg - » Thinking about Refreshing the Firefox Icon</a> – Alex Faaborg. Alex begins to opine on the need to refresh the Firefox icon. 
Firefox has made some changes over the years on their icon and I’ve got mixed feelings on an iconic icon reboot.</p> <p><a href="http://mozillalinks.org/wp/2009/05/multi-processor-support-coming-for-firefox/">Multi-processor support coming for Firefox</a> – Mozilla Links blog. From Percy Cabello’s post:</p> <blockquote> <p>Mozilla has started a new project to make Firefox split in several processes at a time: one running the main user interface (chrome), and another or several others running the web content in each tab. Like Chrome or Internet Explorer 8 which have implemented this behavior to some degree, the main benefit would be the increase of stability: a single tab crash would not take down the whole session with it, as well as performance improvements in multiprocessor systems that are progressively becoming the norm.</p></blockquote> <p>The title is a bit misleading. Firefox already <a href="http://forums.mozillazine.org/viewtopic.php?f=7&t=1082575&start=0&st=0&sk=t&sd=a">runs just fine on multi-processors</a>, and is, in fact, multi-threaded as well.</p> <p>What the <a href="https://wiki.mozilla.org/Content_Processes">MozillaWiki</a> section on this feature actually seems to describe is running the chrome (GUI) element in its own process, and the tab content in a different process. Then the feature would be expanded to have each tab operate in its own process, similar to <a href="http://www.belshe.com/2009/02/26/chrome-multi-process-performance/">Chrome</a> as well as <a href="https://blogs.msdn.com/askie/archive/2009/03/09/opening-a-new-tab-may-launch-a-new-process-with-internet-explorer-8-0.aspx">IE 8</a>. The eventual goal is to get to the point of sandboxing each tab/process from the others. As I understand it, this is a pretty complicated process.</p> <p>Also, Mr. 
Cabello mentions that Mozilla developers might shed their current networking stack design and pick up the one in use by Chromium.</p> <blockquote> <p>So it seems we won’t see a multiprocess Firefox for at least a year or so. However, some decisions like taking Chromium’s networking stack to replace Necko, could accelerate the process. As you may know, Chromium is the open source version of Google’s Chrome.</p></blockquote> <p>This consideration on merging platform elements is an interesting development as well.</p> <p>BTW,</p> <p>Did you miss the <a href="http://noscript.net/">NoScript</a> – <a href="http://adblockplus.org">Adblock Plus</a> stealth-war going on over the past few weeks?</p> <p>I use both of these Firefox add-ons and I sure did.</p> <p><a href="http://www.informationweek.com/news/security/app-security/showArticle.jhtml?articleID=217201461&subSection=All+Stories">NoScript Developer Apologizes For Meddling With AdBlock</a> – InformationWeek</p> <p><a href="http://infosecurity.us/?p=8377">NoScript - AdBlock War Finds Closure… For Now</a> – Information Week</p> <p>Basically it’s like this: Adblock Plus is designed to block ads for Firefox users. NoScript is designed to block/control JavaScript and other page-load actions for Firefox users. I, like many, use both and swear by both. NoScript is supported in part by GoogleAds. Adblock Plus would block those ads. The developer of NoScript programmed his extension to “white-list” those ads on his site by impacting the other extension, Adblock Plus. As changes were made by Adblock Plus to get around those efforts, NoScript escalated its attempts as well.</p> <p>Eventually Giorgio Maone got called out and the whole thing turned public; shortly after, he attempted to make amends and back off the whole bull-ride he found himself on.</p> <p>Mr. 
Maone clarified his actions and intentions, and offered a surprisingly detailed and humble (IMHO) apology on his blog site: <a href="http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/">hackademix.net » Dear Adblock Plus and NoScript Users, Dear Mozilla Community</a></p> <p>Good enough for me as I didn’t really know there was an issue to begin with. And I appreciate Mr. Maone’s repentance.</p> <p>Granted, he’s got some major trust-rebuilding to do with the community at large, but I think everyone will come out of this much wiser and more focused than before…or at least I hope so.</p> <p><strong><font color="#800000">Then the Chrome</font></strong></p> <p>Rather than using the installed version of <a href="http://www.google.com/chrome">Google Chrome</a>, I much prefer to use the developer releases called <a href="http://code.google.com/chromium/">Chromium</a>.</p> <p>I use a portable wrapper for it created by Carsten “caschy” Knobloch, which is an AutoIt-scripted launcher.</p> <p>I’ve been doing this for some time, but recently it seems to have been generating a page-memory fault error (BSOD) on my Vista system when I shut down after usage. Or at least that has been the pattern.</p> <p>So I was pleased to find that he has released some updated versions of his portable package: <a href="http://stadt-bremerhaven.de/2009/05/09/portable-google-chrome-2017223/">Portable Google Chrome 2.0.172.23</a> or <a href="http://stadt-bremerhaven.de/en/2009/01/23/portable-google-chrome-201590/">Portable Google Chrome 2.0.159.0</a>. You can also find a mid-release version on <a href="http://www.softpedia.com/progDownload/Portable-Google-Chrome-Chromium-Download-108363.html">Softpedia</a>.</p> <p>For the most current place to find updates you might want to keep an RSS feed on his <a href="http://planet-chrome.de/">Planet Chrome</a> site. 
It’s much thinner on content, but provides the update release information you should be looking for.</p> <p>I “upgraded” to his 2.0.172.23 version and haven’t had any more BSODs, so although it was weird, either the update in the launcher package, fixes in the Chromium builds, or the combo seems to have resolved the issue. It never happened on my XP systems…just Vista.</p> <p>Another “plus” is that he has created two separate Chrome launchers in his package. One launches Chrome regularly while the other (when used) launches Chrome in its “private-browsing” mode.</p> <p>Maintaining things is very simple. Get started by downloading and unpacking one of the portable Chrome packages noted above.</p> <p>Then I use Dirhael’s (portable) <a href="http://dirhael.dcmembers.com/cnu/">Chromium Nightly Updater</a>. Just download and unpack it as well. I keep mine (a single exe) in the same folder as the Chromium launcher. I run this tool, which looks for the latest (good) nightly developer build of Chromium, and then click the “download” button. It opens up my default system browser and I save the zip package to my system. I unpack that and then copy the appropriate materials over the corresponding portable Chrome folder. Done.</p> <p>I’ll get around to making a visual how-to post eventually but that should be enough to walk the hard-core fans through.</p> <p>Of course, I would be remiss if I didn’t also bring your attention to <a href="http://www.srware.net/en/software_srware_iron.php">SRWare’s Iron</a> version build based on Chrome.</p> <p>Iron has been specially tweaked to remove all the elements that present privacy-of-usage concerns. There are a number of features that cause browser-unique information on usage to be tracked back to the end user. Iron removes these elements, providing a more private browsing experience.</p> <p>This is not to say that Iron provides anonymous web-browsing like some TOR/Proxy-based browser builds. 
It does not “anonymize” web-surfing (IP) data source requests. It only removes those bits that could tie a particular browser to the user based on internal IDs and other elements.</p> <p>I’ve probably muddled that up now, so please just hop over to SRWare’s <a href="http://www.srware.net/en/software_srware_iron_chrome_vs_iron.php">Chrome vs Iron</a> page and see the details. It will take just a sec.</p> <p>Also nice, SRWare provides Iron as both an <a href="http://www.srware.net/downloads/srware_iron.exe">Installer for XP,Vista</a> and a <a href="http://www.srware.net/downloads/IronPortable.zip">portable version</a>.</p> <p>However, you probably shouldn’t dump nightly update versions of builds into Iron the same way I outlined for the first portable Chrome package, as you will almost assuredly overwrite the privacy tweaks/changes done in Iron.</p> <p>I suppose you could make the changes manually again yourself, but that’s a bunch of work.</p> <p>If you really are into finding a balance between a privacy-supported Chrome and the bleeding-edge Chromium builds, just go with the portable versions of both, and use each one according to your browsing needs.</p> <p>Happy Surfing!</p> <p>--Claus V.</p> Clausnoreply@blogger.com0tag:blogger.com,1999:blog-13777170.post-40776623461695258632009-05-09T11:26:00.001-05:002009-05-09T11:28:34.990-05:00Lego MiniFig Extravaganza<p align="center"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="image" border="0" alt="image" src="http://lh6.ggpht.com/_Km3V5JZ6Aws/SgWuwTnfDAI/AAAAAAAAAtk/GsCFN1LU4kI/image%5B1%5D.png?imgmax=800" width="424" height="66"> </p> <p align="right">picture clipped from Wired’s clip from Gizmodo clip…</p> <p>Thanks in no small part to the Windows 7 RC release, XPM mode 
research, and a big “little” tip a few weeks ago from the <a href="http://www.tinyapps.org/weblog/">TinyApps.Org Blog</a>, my personal blogging workload has increased magnificently.</p> <p>In trying to get all that material organized and understood, my brain-cells have melted a bit.</p> <p>So I am posting this fun diversionary material.</p> <p>Confession time:</p> <p>Growing up I enjoyed playing with two things more than most anything else: Lego building blocks and <strike>dolls</strike> Star Wars action figures.</p> <p>Our family (Mom, bro, Alvis, sometimes Dad) continues to enjoy them as they frequent our birthday parties as gifts.</p> <p>They have become much more sophisticated than those I had growing up. I remember when getting the new triangle shapes, clear wind-screens, or the tiny wheels was awesome. We even had a small “boat” with hull pieces and a big sailboat-like ballast-weight. That was neat.</p> <p>So when the first Lego mini-figs came out that was even more cool. We had the early ones and though we have a number of specialized modern ones (Star Wars) it wasn’t until I found the following posts on the web recently that I realized just how important these pieces are to the Lego universe.</p> <p><a href="http://www.wired.com/geekdad/2009/05/every-star-wars-lego-minifig-ever/">Every Star Wars Lego Minifig Ever!</a> – Wired Blog</p> <p><a href="http://gizmodo.com/5070884/exclusive-the-lego-minifig-timeline">Gizmodo - Exclusive: The Lego Minifig Timeline – LEGO</a> – Gizmodo</p> <p>Both links have awesome visual coverage about the Lego Mini-figs. 
I spotted more than a few from my childhood.</p> <p>Gizmodo also has this really great article about some of the lesser-known facts on Lego:</p> <p><a href="http://gizmodo.com/5019797/everything-you-always-wanted-to-know-about-lego">Gizmodo - Everything You Always Wanted to Know About Lego</a></p> <p>Want more?</p> <ul> <li><a href="http://www.brickforge.com/">BrickForge</a> <li><a href="http://www.brickarms.com/">BrickArms</a> <li><a href="http://minifigshop.co.uk/?page_id=3&category=3">Custom Minifig Shop » Products Page</a></li></ul> <p>Sites where you can (while supplies last) pick up custom gear for your Lego mini-figs.</p> <p><a href="http://www.mocpages.com/">MOCpages.com : Share your LEGO creations</a> – is a website where some nice build work is on display.</p> <p>However, check out <a href="http://www.brothers-brick.com/">The Brothers Brick</a> for real Lego custom awesomeness.</p> <p>It has a wealth of fun and original content.</p> <p>Then if you really want to blow out the afternoon, check their side-bar that has a host of wonderful links to Lego official sites, the very best Lego blogs, Lego community sites (such as <a href="http://www.brickshelf.com/">Brickshelf</a>), and Lego “web-comics”.</p> <p>I’ve got two Lego Star Wars vehicle sets still in the boxes I haven’t torn into yet. I’m saving them for a rainy day when the Internet is knocked out of service. Lavie and Alvis love to help sort out parts for builds and Alvis particularly enjoys trying to beat me in “build-off” contests. (She’s got tons of Harry Potter Lego sets.)</p> <p>Cheers.</p> <p>--Claus V.</p> Clausnoreply@blogger.com0