Blogs

Volume 8, Number 1

  • Comments 2
  • Likes
**********************************************************
THE SYSINTERNALS NEWSLETTER
http://www.sysinternals.com
Copyright (C) 2006 Mark Russinovich
**********************************************************

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|
March 2, 2006 - In this issue:

1. INTRODUCTION
2. TOOL UPDATES
3. LICENSING UPDATE
4. SYSINTERNALS FORUM
5. MARK'S BLOG
6. MARK'S ARTICLES
7. MARK'S SPEAKING SCHEDULE
8. LIVE HANDS-ON INTERNALS/TROUBLESHOOTING CLASSES
9. NEW SYSINTERNALS TROUBLESHOOTING VIDEO LIBRARY

Winternals Software is the leading developer and provider of
advanced systems tools for Windows. It was designated a 2006 "hot
company" by Info Security Products Guide (see
http://www.infosecurityproductsguide.com/hot2006/WinternalsSoftware.h
tml)

Also, Recovery Manager and Administrator's Pak won
SearchWinSystems.com's 2005 Products of the Year Awards. Recovery
Manager was awarded Gold in the Desktop Management category, while
Administrator's Pak was recognized as the Silver Award winner in the
Systems Management group
(http://searchwinsystems.techtarget.com/productsOfTheYear/0,294801,si
d68_ayr2005,00.html)

For full product details, multimedia demos, webinars, or to request
a trial CD of either product, please visit http://www.winternals.com
~~~~~~~~~~~~~~~~~~~~~~~~~

1. INTRODUCTION

Hello everyone,

Welcome to the Sysinternals newsletter. The newsletter currently has
60,000 subscribers.

In February, Sysinternals had 1.26 million unique visitors and 20
million page views. It's now ranked the number 6,900 web site on
the internet by Alexa.com (http://www.alexa.com/data/details/?
url=www.sysinternals.com).

The most downloaded tools are:
- Procexp: 375,000 downloads/month
- Autoruns: 120,000 downloads/month
- Rootkit Revealer: 120,000 downloads/month
- Filemon: 100,000 downloads/month
- Regmon: 90,000 downloads/month
- Tcpview: 63,000 downloads/month

Filemon, Regmon, Process Explorer and Autoruns have been picked as
the "best of the best" by alt.comp.freeware newsgroup participants
(see http://www.pricelesswarehome.org/2006/about2006PL.php).

Life got interesting last November when I published my findings on
the Sony rootkit. I had my first national TV appearance and radio
interview in addition to dozens of press interviews and articles in
magazines and newspapers. Things have settled down now, which means
I've been back at work enhancing the Sysinternals tools. You'll
find a full write-up of changes since the last newsletter below.

I'm also very excited about the new Sysinternals Video Library, a 6
DVD set covering key Windows troubleshooting topics featuring the
Sysinternals tools. They should be available by June. Watch
Sysinternals for preview video clips and a free download of one of
the videos.

Finally, if you are attending a conference where I'm speaking,
please stop by to say hello. Or, spend 5 days with me and Dave
Solomon at one of our live Windows Internals & Advanced
Troubleshooting classes in London, San Francisco, or Austin.

-Mark Russinovich

2. TOOL UPDATES

Lots of tools were updated since the last newsletter in August.
Since I update the tools frequently, make sure you're using the
latest version.
The best way to keep up with changes is to subscribe to my RSS feed
at http://www.sysinternals.com/sysinternals.xml (and if you're not
yet using RSS to keep up with web sites, you need to start!).

Here is a detailed list of changes by tool:

Process Explorer v10.06

This major Process Explorer update has an extensive list of new
features and enhancements aimed at usability and malware hunting.
Just some of the examples include Runas and Run As Limited User
commands, process restart, column sets, enhanced process tooltips
for service-hosting and Rundll32 processes, working set breakdown
columns, and DLL image verification and packed-image detection.

RootkitRevealer v1.7

This new RootkitRevealer release includes more sophisticated rootkit
counter-measures, scanning of all Registry hives including user
profiles, runs from Windows XP remote desktop sessions, support for
NTFS volumes with cluster sizes larger than 4 KB, and includes a
number of bug fixes and reduces the number of false positive
discrepancies. Even the Hacker Defender rootkit's paid anti-
detection versions don't hide from this release.

RegDelNull v1.1

Use this new applet to find and delete Registry keys that
are "undeleteable" by standard Registry-editing utilities because
they have embedded null characters in their names. In response to
the use of such keys by malware, RegDelNull can now unlock and
delete keys that not only have embedded nulls, but that also have
security permissions that make them otherwise inaccessible.

Sigcheck v1.3

Sigcheck, a powerful command-line file version information and
signature verification tool, now includes a new flag that has it
only show a file's version number.

PsExec v1.7

This PsExec update includes a new -l switch for use by
administrative accounts to run processes with limited-user account
privileges. Run a low-rights Internet Explorer before IE 7 (in
Vista) comes out simply by creating a shortcut to launch it with the
switch.

Autoruns v8.42

Autoruns now knows about yet more autostart locations including the
Winlogon boot verification Registry value, Shell open hijacks,
kernel-mode drivers, print monitor DLLs, and Explorer column
handlers - all of which have been used by real malware. Also added
is on-demand signature verification for individual items and
dramatically improved scan time performance when image verification
is selected.

Autoruns now supports arbitrary length Registry and file system
paths, adds a find capability to search through configured items,
introduces a comparison feature to compare current autostarts with a
previously saved version so that you can easily identify new
additions.

ProcFeatures v1.0

This applet reports processor and Windows support for Physical
Address Extensions and No Execute buffer overflow protection.

DiskView v2.2

Diskview, a utility that lets you look at the cluster allocations of
a volume, now shows a summary of a file's fragments when you double-
click on any of the file's clusters and the Show Next button
navigates to the next fragment of a selected file.

DebugView v4.5

DebugView is a developer tool that captures user and kernel mode
debug output. After many user requests for the feature DebugView now
has an option to create a new log file and clear the display each
day.

AccessEnum v1.3

AccessEnum is a powerful security utility that makes it easy to spot
misconfigured file and Registry security descriptors. Version 1.3
includes bug fixes, Windows XP theming, and a new file format that's
compatible with Excel importing.

Livekd v3.0

LiveKd, a utility that allows you to view the local system as if it
were a crash dump using the standard Microsoft kernel debuggers, now
supports x64 versions of Windows and includes some minor bug fixes.

Regmon v7.02

This minor update has clearer error messages for when an account
does not have privileges required to run Regmon or Regmon is already
running and consolidates the 32-bit and 64-bit (x64) versions into a
single binary.

3. LICENSING UPDATE

We get asked often what the rules are for our freeware tools. We've
started to put a End User License Agreement popup that is displayed
the first time you run a tool - the text reads as follows:

"You are allowed to use software published on this Web site at home
or at work without paying a commercial license fee provided that you
downloaded the software yourself directly from Sysinternals, use the
software on computers for which you are the primary user, use the
software on systems for which there is no primary user (e.g. a
server, including a terminal server) and you are a full-time
employee of the company that owns the server, or use the software on
a computers within a home of which you are residence."

The Sysinternals freeware license page at
http://www.sysinternals.com/Licensing.html now explains scenarios
under which a paid commercial license is required for use.

4. SYSINTERNALS FORUM

Come visit one of the 16 interactive Sysinternals forums
(http://www.sysinternals.com/forum). Besides dedicated forums on
each of the major tools, there are four technical Windows forums:
Malware, Troubleshooting, Internals, and Development.

With over 7352 members (up by almost 6000 in 6 months), there have
been 14667 posts to date in 4384 different topics, which comes to
2000 posts a month for the last 6 months!

5. MARK'S BLOG

My blog received a new level of attention with the publication of my
findings on the Sony rootkit, but there have been several other
postings not related to the Sony issue. Here is a list of articles
since the last newsletter:

2/6/2006 Using Rootkits to Defeat Digital Rights Management
1/18/2006 Inside the WMF Backdoor
1/15/2006 Rootkits in Commercial Software
1/3/2006 The Antispyware Conspiracy
12/30/2005 Sony Settles
12/12/2005 Circumventing Group Policy as a Limited User
11/30/2005 Premature Victory Declaration?
11/16/2005 Victory!
11/14/2005 Sony: No More Rootkit - For Now
11/9/2005 Sony: You don't reeeeaaaally want to uninstall, do you?
11/6/2005 Sony's Rootkit: First 4 Internet Responds
11/4/2005 More on Sony: Dangerous Decloaking Patch, EULAs and
Phoning Home
10/31/2005 Sony, Rootkits and Digital Rights Management Gone Too
Far
10/19/2005 The Bypass Traverse Checking (or is it the Change
Notify?) Privilege
10/2/2005 Registry Junk: A Windows Fact of Life
9/19/2005 Multi-platform Images
8/28/2005 The Case of the Intermittent (and Annoying) Explorer
Hangs

For a full list of articles, see
http://www.sysinternals.com/blog/blogindex.html

6. MARK'S ARTICLES

My latest article in Windows and IT Pro Magazine was on AccessEnum,
which scans a specified volume, subdirectory, or registry key to
help you find potential trouble spots in your security settings.

It is available online to subscribers at
http://www.windowsitpro.com/Article/ArticleID/47638/47638.html?Ad=1

7. MARK'S SPEAKING SCHEDULE

Last fall I spoke at the Microsoft 2005 Professional Developers
Conference (September in Los Angeles), Windows Connections (November
in San Francisco, CA) and Microsoft IT Forum (November in Barcelona,
Spain).

My next conference talks are at Microsoft TechEd 2006 in Boston in
June. I'm presenting a preconference tutorial with Dave Solomon on
advanced malware cleaning on June 11
(http://www.msteched.com/content/precons.aspx). I'll also be
delivering four breakout sessions on topics including Vista kernel
changes, troubleshooting with Filemon and Regmon, analyzing Windows
crashes and hangs, and advanced malware cleaning techniques.

For the latest updates, see
http://www.sysinternals.com/Information/SpeakingSchedule.html

8. LIVE HANDS-ON INTERNALS/TROUBLESHOOTING CLASSES

If you like Sysinternals, the book Windows Internals, or want to
learn more about Windows OS internals, including what's coming in
Vista, then you'll want to attend the only scheduled seminars where
both Dave Solomon and I deliver our 5-day hands-on (bring your own
laptop) Windows Internals and Advanced Troubleshooting seminar. This
year's dates are:
London, June 26-30, 2006
San Francisco, September 18-22, 2006
Austin, TX, December 11-15, 2006

In this class, you'll gain an in-depth understanding of the kernel
architecture of Windows, including the internals of processes,
thread scheduling, memory management, I/O, services, security, the
registry, and the boot process. Also covered are advanced
troubleshooting techniques such as malware disinfection, crash dump
(blue screen) analysis, and getting past boot problems.

You'll also learn advanced tips on using the key tools from
www.sysinternals.com (such as Filemon, Regmon, & Process Explorer)
to troubleshoot a range of system and application issues, such as
slow computers, virus detection, DLL conflicts, permission problems,
and registry issues. These tools are used on a daily basis by
Microsoft Product Support and have been used effectively to solve a
wide variety of desktop and server issues, so being familiar with
their operation and application will assist you in dealing with
different problems on Windows.
Real world examples will be given that show successful application
of these tools to solve real problems. And because the course was
developed with full access to the Windows kernel source code AND
developers, you know you're getting the real story.

And if you have 20 or more people, you may find it more attractive
to run a private on-site class at your location (email
seminars@... for details).

For more details and to register, visit
http://www.sysinternals.com/Troubleshooting.html

9. NEW SYSINTERNALS TROUBLESHOOTING VIDEO LIBRARY

Dave Solomon and I recently shot a new video series to be
called "The Sysinternals Troubleshooting Library". It will be a 6
DVD set covering essential Windows internals and advanced
troubleshooting topics, featuring the Sysinternals tools. The disk
titles are:
Disk 1 - Tour of the Sysinternals Tools
Disk 2 - Troubleshooting with Process Explorer
Disk 3 - Troubleshooting with Filemon and Regmon
Disk 4 - Troubleshooting Memory Problems
Disk 5 - Crash Dump & Hang Analysis
Disk 6 - Troubleshooting Boot & Startup Problems

We expect to have some sample video content available for download
this month. The disks should be shipping by June. We will have a
discounted price when we open up pre-orders - hopefully in May.
When they are available for preorder, we will send a notice to this
interest list.

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|
Thank you for reading the Sysinternals Newsletter.
Comments
  • PingBack from http://devastator.wordpress.com/2006/11/10/music-mafia-shake-down/

  • Great utility, and a nice idea the command

    DBGVIEWCLEAR

    What about a new command

    DBGVIEWCLEAR <pid>

    to only delete the messages of a process ?

    I need to monitor many processes.

    At its end, each process can issue

    DBGVIEWCLEAR <pid>

    so only if it crashes, dbgview keeps the messages.

    Have a great year!