Saturday, April 07, 2012

What is a Maintenance OS

What is a Maintenance OS?

Often it's unsafe to operate Windows for various reasons:
  1. There is active malware infection
  2. The file system is corrupted
  3. The hard drive may have problems
  4. Other hardware may be flaky
  5. Other running tasks may get in the way
  6. Direct hardware access is required
In these situations, you need a maintenance Operating System (mOS).  The tasks you'd use this for would fall into these broad categories:
  1. Data recovery and file system repair
  2. Management of active malware
  3. Any tasks requiring Windows to be "under anesthetic"
  4. Hardware diagnostics and firmware updates
Features of a mOS are:
  1. It does not automatically write to the hard drive 
  2. Does not depend on hard drive contents to be the same
  3. Does not run any code from the hard drive whatsoever
  4. Allows direct access to hardware
  5. Requires only a small subset of hardware to work perfectly
The traditional mOS for Windows 9x has been DOS mode, but this is no longer up to the task in the XP era:
  1. Cannot read post-FAT file systems e.g. NTFS
  2. No longer supports full range of hardware
  3. Limited memory management
  4. Modern developers may lack DOS skills and tools
  5. Licensing issues with respect to XP Home
So while one can keep XP within reach of DOS mode maintainability by weighing choices such as FAT32 vs. NTFS, hard drives over 137G etc., XP really needs a new mOS! Depending on whether you use the home or identity-based security model, you may need to limit or suppress access from a mOS.  The question then arises as to how to do this:
  1. Home vs. Pro differentiation
  2. Content-determined lock-out (flag or password)
  3. Content-determined lock-in (flag or password)
XP Home is intended for stand-alone consumers accustomed to the "home" security model, so the mOS should default to running unless locked out by some sort of HD content; in fact, as malware can spoof this, I'd prefer to see XP Home as always accessible via mOS. XP Pro is intended for business use, where it may be preferable to lose maintainability if it removes the physical access hacking risk that a mOS might pose.  If the HD is inspected for content that will lock out the mOS if present, then the risk of being locked out due to hard drive corruption is smaller than if particular content was required to allow mOS access. 

Some mOS softwares are:
  1. Microsoft PE bootable XP
  2. Bart's PE Builder
  3. Various bootable Linux
  4. Driver-assisted DOS mode
  5. Non-OS environments e.g. RC, ReadNTFS
Microsoft PE builder: This would be the obvious choice, but Microsoft's licensing terms make this available to so few users (basically, only large PC factories) that it's unlikely software vendors will develop tools to run on it.  Even as a DSP (Delivery Service Partner, i.e. small-volume PC builder) and MSDN subscriber, I do not have access to this tool, and so it goes for most field techs who would be the market for data recovery and anti-malware utilities that need a mOS.

Bart's PE builder: This is a 3rd-party utility that creates a bootable XP CDR, and it's free for download (requiring your XP installation CD-ROM to build the boot CDR).  In the absence of an offering from Microsoft, this could become the de facto mOS standard, but it remains to be seen whether software vendors will write for a quasi-OS platform that exists outside Microsoft's fence.  Some Windows programs already run within Bart's PE, as long as a suitable plug-in wrapper is used.

Linux boot disks: Unlike NT, Linux can already function as its own mOS, with boot disks ranging from diskettes (such as that used to host MemTest86) through USB flash drives to CDRs.  Some Linux distros are tailored for this, e.g. Knoppix (a CDR-based Debian Linux).  However, even Linux advocates are skeptical about the safety of writing to NTFS via reverse-engineered drivers. There's been some progress there, though, and now BitDefender Live - available as one large download - comes close to a turnkey solution by fusing these three initiatives:
  1. CDR-based Knoppix (Debian Linux)
  2. Captive NTFS read/write support
  3. BitDefender antivirus
The process of getting up and running with this involves:
  1. Downloading the Torrent stub for the ISO
  2. Downloading and installing the Torrent downloader
  3. Setting up off-HD copies of NTFS driver files
  4. Getting antivirus updates
  5. Setting up these updates so the CDR can use them
There's something deeply ironic about having to learn Linux in order to salvage and maintain NT, but there you are.

Driver-assisted DOS mode: NT (including Win2000 and XP) does not contain DOS or a DOS mode, but you can use one from a Win9x OS or download a free DOS from www.bootdisk.com. If you avoided NTFS, you can use DOS mode as-is to scan for viruses and clean them, delete or rename-away files, or copy off data.  But DOS mode doesn't support Long File Names (LFNs), so you will need 3rd-party tools if you wish to preserve these. I find the free Odi's LFN Tools useful. These are a set of non-TSR external commands that replace Command.com's internal file management commands with LFN-aware alternatives, such as LMD, LDel, LRen, LDir, LCopy etc.  LCopy is particularly powerful, as it can copy over an entire volume via syntax such as: LCopy D:\* C:\BadHD /A /S

There are free and fee TSR drivers that enable DOS mode to read NTFS, available from the www.systeminternals.com web site.  However, these don't support LFNs, and won't work with add-on TSR LFN drivers or Odi's LFN Tools, which would otherwise allow LFN preservation in DOS mode. The free TSR takes up around 300k of conventional DOS memory (i.e. double that used by the old DriveSpace 3 compression support), which doesn't leave much room to run anything else. F-Prot for DOS can run under these conditions, but will fail to scan entire NTFS volumes as the NTFS driver fails to recurse the full directory tree properly.  In any case, the free NTFS driver is read only, so a DOS antivirus would be unable to clean anything.

The fee TSR takes a different approach by acting as a wrapper for the hard drive installation's own NTFS code. This may improve the depth and version-compatibility of NTFS support, but also means that corruption or infection of the relevant hard drive code can pose problems. One can also use a free non-TSR utility (ReadNTFS) to view and copy off subtrees from NTFS volumes under DOS mode, though once again, LFNs will be lost.

ReadNTFS takes a while to scan each directory and has to rescan these anew if you retrace your steps; you can't select multiple items to copy off, but you can select a directory and it will copy everything that contains.

Recovery Console: The Recovery Console can be booted from any complete, non-OEM-crippled XP CD-ROM.  It is a useful grab-bag of canned fixes for several problems, but it is not an OS; you cannot run external programs from it at all.  Unless you have set certain registry values in advance, it cannot see volumes other than C: and cannot copy anything from C: to some other disk; even if you do set the relevant values, it cannot copy via wildcards such as *.*. In addition, it has to recognize a viable XP installation on the hard disk, and match that installation's (typically null) password before you can do anything. These limitations make Recovery Console useless for detecting malware, and tedious for managing malware identified via some other method. For data recovery, it ranges from totally useless to very tedious; at best, you can use it to copy individual files by name, one at a time.  Unlike ReadNTFS, it cannot copy off entire subtrees.

Wednesday, April 04, 2012

Service Control - Windows Service

What is Service Control?

The SC command duplicates some aspects of the NET command but adds the ability to create a service.
You can use Service Control (SC.exe) to Create, Start, Stop, Query or Delete any Windows SERVICE. The command options for SC are case sensitive.
Syntax: SC [\\server] [command] [service_name] [Options]

Keys:
  1. server: The machine where the service is running
  2. service_name: The KeyName of the service; this is often, but not always, the same as the DisplayName shown in Control Panel, Services.
  3. You can get the KeyName by running: SC GetKeyName <DisplayName>
Commands:
  1. query  [qryOpt] - Show status
  2. queryEx [qryOpt] - Show extended info - pid, flags
  3. GetDisplayName - Show the DisplayName
  4. GetKeyName - Show the ServiceKeyName
  5. EnumDepend - Show Dependencies
  6. qc - Show config-dependencies, full path etc
  7. start - START a service.
  8. stop - STOP a service
  9. pause - PAUSE a service.
  10. continue - CONTINUE a service.
  11. create - Create a service. (add it to the registry)
  12. config - permanently change the service configuration
  13. delete - Delete a service (from the registry)
  14. control - Send a control to a service
  15. interrogate - Send an INTERROGATE control request to a service
  16. Qdescription - Query the description of a service
  17. description - Change the description of a service
  18. Qfailure - Query the actions taken by a service upon failure
  19. failure - Change the actions taken by a service upon failure
  20. sdShow - Display a service's security descriptor using SDDL
  21. SdSet - Sets a service's security descriptor using SDDL
qryOpt Command:
  1. type= driver|service|all - Query specific types of service
  2. state= active|inactive|all - Query services in a particular state only
  3. bufsize= bytes
  4. ri= resume_index_number (default=0)
  5. group= groupname - Query services in a particular group
Misc commands that don't require a service name:
  1. SC  QueryLock - Query the LockStatus for the ServiceManager Database, this will show if a service request is running
  2. SC  Lock - Lock the Service Database
  3. SC  BOOT - Values are {ok | bad}; indicates whether to save the last restart configuration as the last-known-good restart configuration
Options:
The CREATE and CONFIG commands allow additional options to be set; see the built-in help: 'SC create' and 'SC config'.

Note: The qryOpt options above are case sensitive - they must be entered in lower case, also the position of spaces and = must be written exactly as shown.

Ex: SC query will display whether a service is running, giving output like this:
       SERVICE_NAME: messenger
       TYPE: 20  WIN32_SHARE_PROCESS
       STATE: 4  RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
       WIN32_EXIT_CODE: 0  (0x0)
       SERVICE_EXIT_CODE: 0  (0x0)
       CHECKPOINT: 0x0
       WAIT_HINT: 0x0

To retrieve specific information from SC's output, pipe into FIND or FindStr:
  1. C:\> SC query messenger | FIND "STATE" | FIND "STOPPED"
  2. C:\> SC query messenger | FIND "STATE" | FIND "RUNNING"
The statements above will return %ERRORLEVEL% = 1 if the text is not found, so a batch file can branch on it:
IF errorlevel 1 GOTO :my_subroutine

NET START command can be used in a similar way to check if a service is running:
  1. NET START | FIND "Service name" > nul
  2. IF errorlevel 1 ECHO The service is not running
The service control manager will normally wait up to 30 seconds to allow a service to start.
You can modify this time (30,000 milliseconds) in the registry: 
  1. HKLM\SYSTEM\CurrentControlSet\Control
  2. ServicesPipeTimeout (REG_DWORD)
Some options only take effect at the point when the service is started.
Ex: The SC config command allows the executable of a service to be changed. When the service next starts up it will run the new executable. Config changes require the current user to have "permission to configure the service".

Examples:
  1. SC GetKeyName "task scheduler"
  2. SC GetDisplayName schedule
  3. SC start schedule
  4. SC QUERY schedule
  5. SC QUERY type= driver
  6. SC QUERY state= all |findstr "DISPLAY_NAME STATE" >svc_installed.txt
  7. SC \\myServer CONFIG myService obj= LocalSystem password= mypassword
  8. SC CONFIG MyService binPath= c:\myprogram.exe obj= ".\LocalSystem" password= ""
Imp: Watch out for extra spaces (the = must directly follow the option name and be followed by a space):
  SC QUERY state= all    Works
  SC QUERY sTate =all    Fails!
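As an added example (not code from the original post), the Python helper below builds SC argument lists with the "name= value" token spacing the post warns about, and parses the `SC query` output shown above so a script can branch on the service state without chaining FIND; the sample output it embeds is constructed, not captured from a real host.

```python
import re

# Constructed sample of `SC query messenger` output, laid out as in the post (not captured from a real host)
SAMPLE_SC_QUERY = """
SERVICE_NAME: messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""
# TYPE and STATE lines read "<hex code>  <NAME>" with an optional "(<flags>)" suffix
_CODE_NAME = re.compile(r"^([0-9A-Fa-f]+)\s+(\w+)(?:\s*\(([^)]*)\))?$")

def sc_args(command: str, service: str = "", **opts: str) -> list:
    """Build an SC argv list; feed it to subprocess.run on a Windows host."""
    argv = ["sc.exe", command] + ([service] if service else [])
    for name, value in opts.items():
        # SC wants 'name=' and the value as two tokens: 'state= all' works, 'state =all' fails
        argv += [f"{name}=", str(value)]
    return argv

def parse_sc_query(output: str) -> dict:
    """Parse one service block of `SC query` output into a dict."""
    info = {"accepts": []}
    for line in (raw.strip() for raw in output.splitlines()):
        if line.startswith("("):  # accepted controls wrapped onto their own line
            info["accepts"] = line.strip("()").split(",")
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "SERVICE_NAME":
            info["name"] = value
        elif key in ("TYPE", "STATE"):
            m = _CODE_NAME.match(value)
            if m:  # SC prints the code in hex: TYPE 20 is 0x20 WIN32_SHARE_PROCESS
                info[key.lower() + "_code"] = int(m.group(1), 16)
                info[key.lower()] = m.group(2)
                if m.group(3):
                    info["accepts"] = m.group(3).split(",")
        elif key.endswith("_CODE"):  # "0  (0x0)": keep the leading decimal value
            info[key.lower()] = int(value.split()[0])
    return info

def is_running(output: str) -> bool:
    """Same check as `SC query x | FIND "STATE" | FIND "RUNNING"`, on parsed output."""
    return parse_sc_query(output).get("state") == "RUNNING"
```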

Tuesday, April 03, 2012

Open in New Window Option on Right Click

How to get Open in New Window Option on Right Click?

  1. Go to Start >> Run.
  2. Type regedit to open Registry Editor
  3. Before doing the following trick, take a back-up of your registry for safety
  4. Now navigate to HKEY_CLASSES_ROOT >> Directory >> shell
  5. Create a new key: right-click on shell, select New >> Key, and name it "Open in new Window" without the double quotes
  6. Now right-click on the key you have just created and create a sub key with the name "command"
  7. On the right pane, double click Default and enter value explorer %1
  8. Now you can see new window option on right-click on any folder
  9. To make this option available for your drives, perform the same procedure on HKEY_CLASSES_ROOT >> Drive >> shell
  10. To undo this trick, simply remove the keys which you have created

Create Shutdown/Restart icon on Desktop

How to Create Shutdown/Restart icon on Desktop?
  1. Right-click on an empty area of your desktop
  2. Select New > Shortcut to open the 'New Shortcut' wizard.
  3. When prompted for the location of the shortcut:
  4. Enter "shutdown -s -t 01" to shut down the system, or "shutdown -r -t 01" to restart the system.
  5. Name the shortcut and give it an appropriate icon from the ‘%SystemRoot%\system32\SHELL32.dll’ location
  6. That's it, When you click on the icon you created it will either shutdown or restart depending on the command you entered in the shortcut.

Add Hibernate Button to Shutdown Screen

How to Add Hibernate Button to Shutdown Screen?

For all those who hibernate their pc, this trick comes handy. Traditionally, to hibernate your PC, you have to hold down the shift key on the shut down screen, the Stand by button changes to Hibernate then you click on it. This trick adds a Hibernate button to the Shut down screen. Now you have all four buttons on one screen so no need to press Shift key.

Steps:
  1. Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
  3. Right-click Windows, point to New, and then click Key.
  4. In the New Key #1 box, type System, and then press ENTER.
  5. Right-click System, point to New, and then click Key.
  6. In the New Key #1 box, type Shutdown, and then press ENTER.
  7. On the Edit menu, point to New, and then click DWORD Value.
  8. In the New Value # 1 box, type HibernateAsDefault, and then press ENTER.
  9. Right-click HibernateAsDefault, and then click Modify.
  10. In the Value data box, type 1, leave the default Hexadecimal option selected, and then click OK.
  11. Exit Regedit
  12. Restart your system.

Speed Up Start Menu Display

How to Speed Up Start Menu Display?

Steps:
  1. Open the registry editor. 
  2. Navigate to HKEY_CURRENT_USER\Control Panel\Desktop
  3. Select ‘MenuShowDelay’ from the list on the right. 
  4. Right-click on it and select ‘Modify’. 
  5. Change the value to Something lower. 
  6. Once you’re done, reboot your computer

Note: A setting of '0' is virtually instantaneous, and you might find it difficult to use the Start Menu, so experiment with other settings and set a value you're comfortable with.

Convert FAT32 Partition To NTFS

What is FAT32 and NTFS?

FAT32 is an old file system that is simple, well-documented, readable from a large number of OSs, and supported by a wide range of tools.
NTFS is a newer file system that is feature-rich, proprietary, undocumented at the raw bytes level, and subject to change - even within Service Packs of the same OS version.
Keeping NTFS proprietary allows Microsoft to root NT's security features deep within the file system itself, but it does cast doubts about the reliability and version-compatibility of third-party support.  Without an official maintenance OS from Microsoft, one is forced to look to 3rd-party solutions.

Also read: What is a Maintenance OS (mOS)?

You might use FAT32 if you need access from DOS mode or Win9x.
You might use NTFS if you need support for files over 4G in size, hard drives over 120G in size, or you need to implement some of NT's security management that devolves down to NTFS.
Else, weigh up the pros and cons, and remember you can use multiple volumes, with different file systems for each. Even FAT16 has niche strengths (small FAT, large cluster size, easier data recovery) that may make it attractive for certain types of content.


How to Convert FAT32 Partitions To NTFS?

Steps:
  1. Open the command prompt and type in "convert C: /FS:NTFS", with C being the drive you wish to convert. Make sure there's a space between the "C:" and the forward slash.
  2. Once you press [Enter], it will ask you for a confirmation; press [Y]. 
  3. Then press [Y] and [Enter] once more to reboot. 
  4. This works for all versions of Windows XP