Mark's Blog

  • Mark's Blog

    The Antispyware Conspiracy

    • 2 Comments
    Since the release of the first antivirus products many people have believed in a conspiracy theory where antivirus companies generate their own market by paying virus writers to develop and release viruses. I don’t subscribe to that theory and trust the...
  • Mark's Blog

    Sony Settles

    • 1 Comment
    I’m proud to announce a major step forward in the legal phase of Sony's rootkit: Scott Kamber and Sony have filed a proposed settlement for the national class-action suit brought by Scott. While I didn’t participate directly in the negotiations,...
  • Mark's Blog

    Circumventing Group Policy as a Limited User

    • 5 Comments
    Active Directory Group Policy settings are widely used to secure Windows systems because they can be customized to target and deploy to specific computers and users in an Active Directory-based network. In a previous blog post I warned that one of the...
  • Mark's Blog

    Premature Victory Declaration?

    • 1 Comment
    Two weeks ago I declared victory in what the media is now referring to as the “Sony rootkit debacle”, but now I’m wondering if I jumped the gun. It turns out that the CDs containing the XCP rootkit technology are still widely available, there’s still...
  • Mark's Blog

    Victory!

    • 0 Comments
    I’m proud to announce a significant victory in the ongoing Sony Digital Rights Management (DRM) saga; Sony has capitulated almost entirely. While not publicly admitting blame for distributing a rootkit, providing no uninstall for the DRM software, implementing...
  • Mark's Blog

    Sony: No More Rootkit - For Now

    • 2 Comments
    There have been several significant developments in the Sony DRM story since my last post. The first is that, despite Sony’s and First 4 Internet’s claims that their rootkit poses no security risk, several viruses have been identified in the wild that...
  • Mark's Blog

    Sony: You don’t reeeeaaaally want to uninstall, do you?

    • 2 Comments
    A few days after I posted my first blog entry on Sony’s rootkit, Sony and Rootkits: Digital Rights Management Gone Too Far, Sony announced to the press that it was making available a decloaking patch and uninstall capability through its support site....
  • Mark's Blog

    Sony’s Rootkit: First 4 Internet Responds

    • 0 Comments
    First 4 Internet, the company that implements Sony’s Digital Rights Management (DRM) software that includes a rootkit, has responded to my last post, More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home. They rebut four of the points I raise...
  • Mark's Blog

    More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

    • 2 Comments
    My posting Monday on Sony’s use of a rootkit as part of their Digital Rights Management (DRM) generated an outcry that’s reached the mainstream media. As of this morning the story is being covered in newspapers and media sites around the world including...
  • Mark's Blog

    Sony, Rootkits and Digital Rights Management Gone Too Far

    • 8 Comments
    Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic...
  • Mark's Blog

    The Bypass Traverse Checking (or is it the Change Notify?) Privilege

    • 0 Comments
    Privileges are special security powers that you assign to accounts in the Local Policies->User Rights Assignment node of the Local Security Policy editor, secpol.msc. When a user logs in, the Local Security Authority Subsystem process - Lsass.exe - creates...
  • Mark's Blog

    Registry Junk: A Windows Fact of Life

    • 0 Comments
    Registry cleaners have always been popular, but I never paid much attention to them. I originally thought that there might be valid reasons for their existence, but over time changed my mind, only to recently recognize that even today they can help maintain...
  • Mark's Blog

    Multi-platform Images

    • 0 Comments
    Single-image download and execution with no setup program has been a hallmark of almost all of the tools that Bryce and I write and distribute on Sysinternals. I think most visitors agree that it’s more convenient to download a 200 KB ZIP file, extract...
  • Mark's Blog

    The Case of the Intermittent (and Annoying) Explorer Hangs

    • 3 Comments
    I have several computers in my home network where each one has a general designated purpose. For example, one is my game machine, another is my home development system, and a third is where I manage my pictures and home videos (and they all double as...
  • Mark's Blog

    Unkillable Processes

    • 0 Comments
    Have you ever terminated an application only to see in your favorite task manager (Process Explorer, of course) that the process still exists? Or have you tried logging out or shutting down only to have the logoff or shutdown stall indefinitely for...
  • Mark's Blog

    Running Windows with No Services

    • 3 Comments
    A Windows service provides functionality to the operating system and user accounts regardless of whether anyone is logged into a system. Windows XP comes with around four dozen services enabled by default, including ones that many people consider superfluous...
  • Mark's Blog

    The Case of the Periodic System Hangs

    • 0 Comments
    A few months ago I began experiencing periodic system freezes of about a second where even my mouse would pause during a movement. Needless to say, this became very annoying very quickly. A few minutes with Process Explorer, however, and I not only determined...
  • Mark's Blog

    Popup Blocker? What Popup Blocker?

    • 1 Comment
    A couple of weeks ago I came across a site in my web wandering and had a popup. This, despite the fact that I’m running either Avant Browser or Maxthon. Avant Browser and Maxthon are applications that wrap Internet Explorer (IE) with all the features...
  • Mark's Blog

    An Explosion of Audit Records

    • 0 Comments
    One of the topics I cover in the security module of the Windows internals seminar that I teach with Dave Solomon is auditing. I demonstrate object access auditing by enabling failure auditing in the Local Security Policy Editor (which you launch by typing...
  • Mark's Blog

    Buffer Overflows in Regmon Traces

    • 0 Comments
    Last time I talked about buffer overflow errors that you might see in Filemon traces. Now I’ll turn my attention to the same errors, but in Regmon traces. Recall that a buffer overflow error in this context is not a security hole, but a way for the system...
  • Mark's Blog

    Buffer Overflows

    • 0 Comments
    No, I’m not talking about the kind of buffer overflows that viruses can take advantage of to inject malicious code onto other systems, I’m talking about the kind that, if you use Filemon or Regmon, you’ve probably seen in their traces. If you’ve never...
  • Mark's Blog

    Running Everyday on 64-bit Windows

    • 0 Comments
    Last week I got an HP xw9300 workstation equipped with two 2GHz Opteron processors, the same type of system most of the Windows kernel team uses. The system came with 32-bit Windows XP preinstalled, but I decided to buy into all the 64-bit hype coming...
  • Mark's Blog

    Circumventing Group Policy Settings

    • 1 Comment
    Group policy settings are an integral part of any Windows-based IT environment. If you’re a network administrator you use them to enforce corporate security and desktop management policy, and if you’re a user you’ve almost certainly been frustrated by...
  • Mark's Blog

    The Case of the Mysterious Locked File

    • 0 Comments
    The other day I was intently editing code in Visual Studio and hit F7 to compile my latest batch of changes when I was interrupted with a dialog box that informed me that my file couldn’t be saved to disk: I viewed the suggested cause with suspicion because...
  • Mark's Blog

    .NET World Follow Up

    • 0 Comments
    My last blog entry on the memory bloat of managed (.NET) applications generated the controversy and misinterpretation of my primary points that I expected, so I’m following up with some clarification. First, I stated that managed code is ideal for client...
Page 4 of 5 (111 items)