Archive for the ‘Microsoft’ Category

Final Post

October 2, 2009

No – I’m not dead yet!!

This is a final post at because I am tired of seeking knowledge and bitching about that which is. It is time to use my skills to develop the solutions to all of the problems I have discovered.

Join Me at


IE8 Privacy is an Oxymoron

September 20, 2008

I could have said that the IE8 privacy function is a lie or a joke, but I happen to like the word oxymoron. In my preliminary tests I was acting as if my life and future depended on my online privacy and didn’t bother doing a comparison. I found my surfing history in cache memory, that Ccleaner didn’t wipe the cache memory information, and that there was a hidden system file called PrivacIE (pronounce that “Priv A C”) which contained a hashed index.dat file which was untouchable. Not a bad find for a quick survey. I did a preliminary test against Firefox 3, set to automatically wipe all privacy data on closing, and found a few lingering cookies which Ccleaner seemed to wipe out, but no cache memory of the sites I visited.

I sort of find a hashed index.dat file (in a folder called PrivacIE) and a record of my surfing history in cache memory an insulting and direct compromise of the promise of real internet privacy.

If anyone cares about the method, I’ll do a post on it.

Vista Blue Screen of Death!

February 21, 2008

Did you ever wonder what Microsoft personnel call the world famous “Blue Screen of Death”? Well, at least one programmer must have a sense of humor or submitted the following error message as a resignation.

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6000.
Locale ID: 1033

Additional information about the problem:
BCCode: 1000007e
BCP1: C0000005
BCP3: 87599BA8
BCP4: 875998A4
OS Version: 6_0_6000
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:

Read our privacy statement:

The biggest improvement over Windows 98 and Windows Me is that the Blue Screen is a quick flash before the computer goes dead whereas in the old days it would stay on your monitor to torment you. None of my friends can recall a blue screen effect with Windows XP SP2 so Vista must be engaging in a nostalgia trip.

Screwing up XP!

January 6, 2008

I’ve sort of been suggesting that part of the reason Vista has not been universally accepted is that Windows XP is a mature, stable and secure operating system which has no need for a replacement except perhaps in the gaming community. There are many independent companies that understand the system and are writing independent security software to defend you against viruses and malware and to secure your privacy against unwanted preservation of sensitive data or images.

The truth is you can do a pretty good job of defending your machine by using Firefox as your browser with settings that ensure your privacy and erase all surfing history. Naturally, you can back this up with Ccleaner and an independent antivirus, and you’re in pretty good shape. You may want to use your traditional XP search function to check for cookies that may have been missed and to check the images in all hidden and back-up files. After everything unwanted has been eliminated, defragment your system and overwrite your unused space with a seven pass disk wipe.

From what I know of forensics, that is probably enough to prevent the repairman at your computer repair shop from reporting you to Homeland Security and may be enough to prevent recovery of images and files after you reformat your hard drive. (However, if it were my freedom at stake, I would give the drive the Lot’s wife treatment and buy a new drive.) Overall, I am fairly well convinced that XP is a defendable operating system for mere mortals who follow a set routine and pay attention to security.

Since this belief is probably true, it leaves Microsoft and the government out in the cold when you choose to observe their nefarious connections. No, you cannot stop unwanted predators from connecting to your machine and probing you, but you can keep your machine clean enough that there is little there to find. Now with Vista, this is clearly not the case. There are back-ups of everything as the default, and many are complaining that use of Vista will be a one way ticket to jail or unemployment as your total computer use is an open book.

So what is the answer for Microsoft and the Government to threats from a protectable XP operating system? Simple, introduce an unavoidable SP3 service pack. I mean I avoided the IE7 upgrade forever, or at least until so many vulnerabilities were left unplugged that I downloaded it even though I use Firefox. I suspect avoiding SP3 will eventually leave me so exposed that I will have to do it and ultimately upgrade myself to a system as unknown and undefendable as Vista. Once this happens I may as well switch to Vista.

Oh well, shit happens.

Resistance is Futile, Knowledge is Soporific!

Vista Security-Oxymoron

December 11, 2007

Let’s start with basics, Vista Security is an oxymoron – It simply doesn’t exist.

I finally hacked an installation on a brand new machine and worked at putting an anti-virus on the machine. At the time, everything I tried was incompatible or my downloads were blocked. I tried Zone Alarm, PCcillin and Kaspersky. So I ended up with One Care, which the whole world is condemning for being a weak system. I also attempted to install my malware protection, but every time I ran Spybot Search and Destroy my computer locked up, and AdAware wouldn’t update without locking up my machine.

I have now reached the end of my one month trial period for One Care, so I decided to check my machine and see how outside suppliers rate it. One Care says I’m at risk because I won’t let that cancerous back up program operate and I haven’t paid them. I tried running PCcillin House Call and was told that they couldn’t really check some operating systems. I tried Kaspersky’s online service and it told me I looked OK, but there were 150 blocked files that they were incapable of inspecting.

I would have felt better if I was told that they inspected everything and I was clean.

I tried reinstalling Spybot Search and Destroy, but it locked up when I tried to update it and I couldn’t get it to run. I tried to run it a few more times. It identified a couple of problems and shut down, saying I aborted the process. AdAware refuses to update and stalls. After forcing it a few more times, a screen pops up saying the update is complete without telling you what was updated. When I ran it, it took 18 minutes to get halfway and finished in one more minute. I removed the cookies I found but don’t really trust the results.

If the Vista machine were used for anything more than surfing and writing an occasional post, I wouldn’t know what to do. I have no idea what kind of bug is on the machine nor do I trust any tools that are supposed to help me find and eliminate it.

Vista Security, Truly an Oxymoron.

Updating Windows XP

December 8, 2007

How often should I update Windows?

Every hour until you get it right!

One of the reasons I like PcCillin is its independent search for Windows vulnerabilities. Where this tool comes in handy is when my machine starts slowing down for no reason. I mean I did an online virus check and found no virus at all. The caveat of course was that it failed to check about 20 blocked files. I tried running AdAware but found that updates were blocked. So I know I won’t trust that result no matter what.

When I did the PcCillin test, I found one vulnerability, ms05-04. Since I really didn’t have a clue on trapping my pet bug, I decided to close the vulnerability knowing in the long run it was a fool’s game.

Keep in mind that this computer was fully protected and updated just one month ago, but yeah, I do write some stuff that probably causes me to be spied on by Military Strength Malware.

The first step was to run Windows Update, and it told me I needed the latest update module for it to be effective. Naturally, I clicked update and everything was successfully installed, so I must be done since this is a very old bug.


Another PcCillin check is run and of course ms05-04 is still there. So I run update again and get prompted for IE7 and one other update. I download the one and reject the installation of IE7, so I should be done with this very old bug.


So the next time, I download and accept everything since my default browser is Firefox and I don’t really care which Explorer is not being run. Now I think I’m done, so I check with PcCillin.


The original bug is gone but a new one ms07-?? has appeared so I download a fix, but now I’m really paranoid so I run PcCillin again to make sure I’m safe.


The new check of PcCillin shows that I now have six vulnerabilities and I run update again. Finally, I run PcCillin and it shows perfect protection.


Now this reminds me that at trial, the prosecution says the machine was updated so it’s protected. Obviously, everybody accepts that updating closes all vulnerabilities, but nothing could be further from the truth. The other problem I have is what happened to the bug that opened this vulnerability in the first place. Is it dormant, is it dead, will it reappear the next time I visit a government honeypot?

Remember, pictures, documents, logs, records and files are never really destroyed but can still be recovered by forensic tools, so not only is everything I’ve done in the past being stored, but everything I’m doing in the future is also being stored, waiting for the bug’s return.

Vista Tasklist – Cool Tool!

November 30, 2007

Alright, I finally found something decent about Vista, but it actually is in Vista DOS which evolved from NT DOS and XP Pro DOS. It’s a tool called Tasklist and it’s used to get a listing of all processes by PID and which services are running in these processes. By using various switches, you can find out what modules and executables are associated with a PID and learn about them. Knowledge leads to defense, or minimally it will allow you to identify and disable your intruder.

My very First Tasklist command was:

C:\>Tasklist /svc

In my last post I found that Level 3 was connected to two unknown processes, 2060 and 988. Now I’m still not proficient with this command, but the output shows I have reason to be concerned.

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    988 AeLookupSvc, Appinfo, BITS, Browser, gpsvc,
                                   IKEEXT, iphlpsvc, LanmanServer, MMCSS,
                                   ProfSvc, RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
winss.exe                     2060 winss

By searching for winss on Google you find that this is part of Windows One Care but has been related to malware problems, and that svchost.exe is a generic host for Windows modules that has also been suspect in malware. Still, you cannot dismantle them without hurting your operating system, so you have to find the service or even the specific module that is connecting to the net without your permission.

The next command I tried was

C:\>tasklist /m >> module.txt

It’s necessary to send this to a text file because the output is bigger than the DOS screen allows. The output gives you all the modules for each PID, which is informative but not necessarily useful. What would be ideal is if the IP were related to the PID which connected to a service and then connected to the modules within that service. This is what netstat -bv did, and it allowed me to isolate and eliminate problems like with ccproxy.exe.

I’m sure that Tasklist is the solution, but it will take me awhile to figure it out unless somebody gives me the answer. I suspect whatever this intruder was, it was standard malware and not Military Strength Malware. I ran all my malware eliminators and when I awoke I only had Google Talk knocking on my door.

Vista – Beyond Netstat!

November 29, 2007

Where do you find your lost car keys? You find them in the same place every time and the answer is easy.

You find them the last place you look.

When it came to XP I never got past netstat to find out who’s invading my privacy because it wasn’t necessary. Now there are some interesting things about DOS that I forgot, but since analyzing Vista is a whole new ballgame, I thought I’d better refresh myself. The command of the day was netstat -ano with a few modifiers to give me a hand. After all, this is still a computer and it should be able to follow a few simple commands. Check the following:

C:\>netstat -ano 10 >> fred.txt

Now this command is fairly straightforward when you learn DOS. The netstat -ano gives a listing of the protocol, the local port, the foreign IP and port, the state and the Process ID. The 10 means the command for that information is repeated every 10 seconds, and since you really can’t do much with DOS output and the retained DOS data is finite, the >> fred.txt part sends it to a text file named fred and appends the new information generated every 10 seconds to the bottom of the file.

Because of the slow speed of Vista and all the Simon Says rules, I set up DOS with the above command the night before and a second DOS window with “notepad fred.txt”. Since they were set up the night before, all I have to do when the machine comes out of hibernation is press enter on the netstat command and, about 2 minutes later, press enter in the other DOS window to see what I have captured in notepad.

Active Connections

Proto Local Address Foreign Address State PID

The first three external IPs belong to Google Talk. The third Google connection drops out after 2 minutes and the first 2 stay connected all day. The fourth IP is Microsoft and the last IP, using two different processes, belongs to Level 3.

Now Level 3 is an untrusted, uninvited guest, but the connection only lasts for less than a minute. By the time I check the Task Manager and get through “Simon Says” and “processes from all users”, it’s too late to find out who is doing what to me, and I have yet to discover a meaningful list of subprocesses for each PID that I might block in order to stop the intruder. Blocking the IP is a waste of time because there are billions and the task of invading my privacy can be shifted to another server. The only permanent way is to identify and kill the process.
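The missing link this post and the Tasklist post above both ask for, an IP tied to a PID tied to the services hosted in that process, can be recovered offline by joining a saved netstat -ano capture with a saved tasklist /svc capture on the PID column. The script below is an added example, not code from the original posts; the two captures it parses are constructed samples (documentation-range addresses, and a svchost.exe record in the wrapped layout tasklist prints), and the file names and function names are my own.

```python
import re

# Constructed "netstat -ano" capture (documentation-range addresses, not real hosts).
NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:1053        203.0.113.5:5222       ESTABLISHED     1644
  TCP    192.0.2.10:1060        198.51.100.20:80       ESTABLISHED     988
  TCP    192.0.2.10:1061        198.51.100.20:80       TIME_WAIT       0
  TCP    192.0.2.10:1062        198.51.100.77:443      ESTABLISHED     2060
  UDP    0.0.0.0:500            *:*                                    988
"""

# Constructed "tasklist /svc" capture in the wrapped layout the Tasklist post reproduces.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    988 AeLookupSvc, Appinfo, BITS, Browser, gpsvc,
                                   IKEEXT, iphlpsvc, LanmanServer, MMCSS,
                                   ProfSvc, RasMan, Schedule, seclogon, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
googletalk.exe                1644 N/A
winss.exe                     2060 winss
"""

def parse_netstat_ano(text):
    # One dict per socket line. UDP lines have no State column, so the PID is the last field.
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            conns.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                          "state": parts[3] if len(parts) == 5 else "", "pid": int(parts[-1])})
    return conns

def parse_tasklist_svc(text):
    # PID -> (image name, [services]). Indented lines continue the previous record's list.
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)  # "image  PID  services..."
        if m:
            last, line = int(m.group(2)), m.group(3)
            procs[last] = (m.group(1), [])
        if last is not None:
            procs[last][1].extend(s.strip() for s in line.split(",") if s.strip() not in ("", "N/A"))
    return procs

def join_by_pid(netstat_text, tasklist_text):
    # Attach the owning image and its hosted services to each connection by the shared PID.
    # PID 0 is not an owner: netstat shows it on TIME_WAIT sockets whose process already exited.
    procs = parse_tasklist_svc(tasklist_text)
    out = []
    for c in parse_netstat_ano(netstat_text):
        image, svcs = procs.get(c["pid"], ("<PID not in tasklist>", []))
        if c["pid"] == 0:
            image, svcs = "<no owning process>", []
        out.append({**c, "image": image, "services": svcs})
    return out
```

A svchost.exe hit still only narrows the connection to the list of services in that process, which is as far as tasklist /svc can take you; the UDP *:* entry is a listener, not an outbound connection.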

Tomorrow, I’ll discuss a new DOS command; at least it’s new to me, and it does not exist in Windows XP DOS.

But the only thing for sure right now is that I have an uninvited intruder invading my privacy which has made it past Windows Defender, and I don’t have a clue how to stop it.

XP vrs. Vista, Netstat Tools!

November 28, 2007

There is absolutely no comparison between using netstat on XP and netstat on Vista. This example is limited to Google Talk because I have it on both machines and it seems to be the first program to make contact over the Internet when I bring my machines out of hibernation. I have used netstat to track uninvited connections, some of which I blocked by turning off the process and some of which were blocked by changing the name of an executable. The reason I made a name change instead of a file deletion was that, in case I made a mistake, I could open in safe mode and reverse the process.

Let’s slowly and carefully take a look at netstat outputs from XP and Vista.

C:\WINDOWS>netstat -ano (THIS IS XP)
Active Connections

Proto Local Address Foreign Address State PID

L:\Windows\system32>netstat -ano (THIS IS VISTA)

Active Connections

Proto Local Address Foreign Address State PID

There is not much difference in the information which can be obtained. The two different machines are using different ports and Process Identification Numbers (PID), but the information given is exactly the same. In both cases, the only way to prove that this is Google Talk connected to the Internet is to look up the IP using a DNS service.

Now let’s take a look at netstat -bv. I have discussed this deficiency of Vista before although not in complete detail.

C:\WINDOWS>netstat -bv (This is XP)
Active Connections

Proto Local Address Foreign Address State PID
TCP Whatever:1053 ESTABLISHED 1644

C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\Google Talk\googletalk.exe
— unknown component(s) —

TCP Whatever:1054 TIME_WAIT 0

Take note that in XP, netstat -bv clearly identifies the URL of the connection to the Internet, saving you the time to look it up. Also, the link between the port and the PID is connected to the URL, or in some cases the IP, but the connection is always clear. Also note that all of the subprocesses of Google Talk are identified and you can look them up one by one to identify whether they are legitimate or not. If any are suspect, a replacement can be downloaded to replace the suspect file, or they can be renamed to find out what happens to your machine when they are deleted.

The following is the output from netstat -bv in Vista.

L:\Windows\system32>netstat -bv (This is Vista.)

Active Connections

Proto Local Address Foreign Address State
TCP ro-in-f100:http CLOSE_WAIT
TCP kc-in-f125:5222 ESTABLISHED

The above is the output from Vista and the information is worthless. There is no link between the URL, the PID or the port, and the ports which are identified are not the same ones identified by netstat -ano. Also, no subprocesses are identified, so the search for problem executables is hindered.

There is no defensible reason why a powerful diagnostic tool like netstat should have been debased in Vista. It would have been easier for Microsoft to spin bullshit if it had been entirely eliminated.

Vista OOBE Sucks!

November 26, 2007

To an old marketing practitioner, OOBE is an acronym for Out Of Box Experience.

Forget that Microsoft has hijacked the term to mean their start up programming that bores you to tears while describing all the new bells and whistles and telling you how great they are and how much you will love them. To me OOBE includes all those factory preset conditions that make your computer act the way it does. I know that there has been much written about how to turn off or correct many of the nasty conditions I’ll describe, but that’s not the point. The average user does not know how to change the registry or turn off processes and shouldn’t have to learn.

All my complaints deal with the fact that this operating system is a total mismatch for current equipment. The worst manifestation is that it is slow, slow, so very slow. When I wake up and go to my hibernating machine I don’t know what to expect when I tap the enter key. It might spring to life in a minute, it might take five minutes; only the Vista Gods may have a clue. I have programmed my human self to tap a key to wake it up before I start my morning tea and go to the bathroom, then my trusty Vista machine will probably wake up before I’ve finished my morning ritual.

Now when my XP machine takes more than 2-7 seconds to come to life the first thing I do is run “netstat -ano” to see who’s connected to my machine and what they are doing. Running “netstat -bv” identifies the processes and the executables involved in each process by the connection name (This doesn’t work as well in Vista).

When I try to quickly run the netstat command on Vista DOS, Vista plays a silly game of Simon Says where it asks me if I am truly the person who clicked to open DOS and it will not open it until I click yes. I mean I am operating as administrator with administrative privileges, what’s above that? When you get to your answer for your request, you have no way of knowing how many connections were made and broken while you were playing Simon Says or waiting for your machine to come out of hibernation.

My next task is to identify the processes which the IPs are connected to, and when I run Task Manager, it plays that silly game of Simon Says again, invoking my administrative privilege to proceed, and then the first answer is not complete. You have to click on a box that asks if you want to see the processes for all users. I mean, I’m supposed to be the administrator with full administrative privileges and there are no other users on the machine, yet more processes are identified as being operated by “system”.

By the time you get full administrative privileges there is no way to get full knowledge. All this crap slows you down so much it is impossible to know what wasn’t captured.

There are ways to work around this unnecessary crap but then why should I have to?