Archive for the ‘System Basics’ Category

As stated earlier in this chapter, the Windows XP/Windows Server 2003 boot sequence closely resembles that of Windows NT/2000. Listed below are the processes that take place when a Windows NT-based operating system successfully starts on an x86-based computer:

  • Power On Self Test (POST)
  • Initial startup process
  • Boot loader process
  • Operating-system selection (if you have a multi-boot system)
  • Hardware detection
  • Hardware-profile selection
  • Kernel-loading process
  • Kernel-initialization process
  • User-logon process

Note: The startup sequence quoted above applies to systems started or restarted after a normal shutdown. The startup processes begin when you do one of the following:

  • Turn on the computer
  • Reboot the system

However, this startup sequence does not apply when resuming from hibernate or standby modes.

When you log on, the process of loading Windows NT/2000, Windows XP, or Windows Server 2003 is completed, as well as are most of the initialization procedures. However, the startup can only really be considered as successfully completed after you log on to the system.

The following requirements need to be met to successfully begin the Windows NT/2000/XP/Windows Server 2003 startup:

  • Correct initialization of all the hardware.
  • Presence of all required files for starting the OS. If any of these files aren’t present in the correct folder or are corrupt, the startup will fail.

In most network environments, it’s a good idea to document the reasons for shutting down or restarting computers. With unplanned shutdowns, you can document the shutdown in the computer’s system log by expanding the syntax to include the following parameters:

/e /c "UnplannedReason" /d MajorCode:MinorCode

where /C “UnplannedReason” sets the detailed reason (which can be up to 127 characters in length) for the shutdown or restart, and /D MajorCode:MinorCode sets the reason code for the shutdown. Reason codes are arbitrary, with valid major codes ranging from 0 to 255 and valid minor reason codes ranging from 0 to 65,535. Consider the following example:

shutdown /r /e /m \\Mailer1 /c "System Reset" /d 5:15

In this example, you are restarting MAILER1 and documenting the reason for the unplanned restart as a “System Reset” using the reason code 5:15.

With planned shutdowns and restarts, prefix the reason codes with p: to indicate a planned shutdown, as shown here:

/e /c "PlannedReason" /d p:MajorCode:MinorCode

For instance, consider the following code:

shutdown /r /e /m \\Mailer1 /c "Planned Application Upgrade" /d p:4:2

With remote systems, you need to specify the UNC name or IP address of the system you want to shut down or restart using the /M parameter. Thus, the basic syntax for shutdown, restart, and cancelling a delayed shutdown becomes:

Shutdown remote system:

shutdown /s /t ShutdownDelay /l /f /m \\System

Restart remote system:

shutdown /r /t ShutdownDelay /l /f /m \\System

Cancel delayed shutdown of remote computer:

shutdown /a /m \\System

In this example, MAILER1 is restarted after a 30-second delay:

shutdown /r /t 30 /m \\Mailer1

In this example, the system with the IP address 192.168.1.101 is restarted immediately and running applications are forced to stop running:

shutdown /r /f /m \\192.168.1.101

On a local system, you can manage shutdown and restart using the following commands:

Shutdown local system:

shutdown /s /t ShutdownDelay /l /f

Restart local system:

shutdown /r /t ShutdownDelay /l /f

Cancel delayed shutdown of local computer:

shutdown /a

where /T ShutdownDelay is used to set the optional number of seconds to wait before shutdown or restart, /L optionally logs off the current user immediately, and /F optionally forces running applications to close without warning users in advance. In this example, the local system is restarted after a 60-second delay:

shutdown /r /t 60
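The reason-code rules above (a /c comment of at most 127 characters, a major code of 0 to 255, a minor code of 0 to 65,535, and the p: prefix for planned work) are easy to get wrong when typed by hand. The following PowerShell wrapper is an added example, not part of the original post: it validates those values, shows the exact shutdown.exe command line it would run, and only executes it when -WhatIf is not given. Invoke-DocumentedShutdown is a hypothetical helper name, and the wrapper assumes you have shutdown rights on the target system.

```powershell
# Added example (not from the original post): validate the /c and /d values described
# above and preview the exact shutdown.exe command line before running it.
# Assumptions: shutdown rights on the target; Invoke-DocumentedShutdown is hypothetical.
function Invoke-DocumentedShutdown {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [ValidateSet('s', 'r')]
        [string] $Action,                       # s = shutdown, r = restart
        [string] $ComputerName,                 # /m \\name or IP; omit for the local system
        [int] $Delay = 0,                       # /t seconds before the action
        [switch] $Force,                        # /f close applications without warning
        [Parameter(Mandatory = $true)] [ValidateLength(1, 127)]
        [string] $Reason,                       # /c text, 127 characters at most
        [Parameter(Mandatory = $true)] [ValidateRange(0, 255)]
        [int] $Major,                           # major reason code 0-255
        [Parameter(Mandatory = $true)] [ValidateRange(0, 65535)]
        [int] $Minor,                           # minor reason code 0-65535
        [switch] $Planned                       # prefix the reason code with p:
    )
    $prefix  = if ($Planned) { 'p:' } else { '' }
    $code    = '{0}{1}:{2}' -f $prefix, $Major, $Minor
    $argList = @("/$Action", '/e', '/t', "$Delay", '/c', $Reason, '/d', $code)
    if ($Force)        { $argList += '/f' }
    if ($ComputerName) { $argList += @('/m', "\\$ComputerName") }

    # Quote only arguments containing whitespace so the preview matches what shutdown.exe receives
    $preview = 'shutdown ' + (($argList | ForEach-Object {
        if ($_ -match '\s') { "`"$_`"" } else { $_ } }) -join ' ')
    $target = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    # ShouldProcess returns $false under -WhatIf, so the command is only previewed
    if ($PSCmdlet.ShouldProcess($target, $preview)) {
        & shutdown.exe @argList
    }
    return $preview
}

# The unplanned MAILER1 restart from the text, previewed with -WhatIf so nothing executes
Invoke-DocumentedShutdown -Action r -ComputerName Mailer1 -Reason 'System Reset' -Major 5 -Minor 15 -WhatIf

# A planned, forced restart after 30 seconds (still a preview)
Invoke-DocumentedShutdown -Action r -ComputerName Mailer1 -Delay 30 -Force -Planned `
    -Reason 'Planned Application Upgrade' -Major 4 -Minor 2 -WhatIf
```

Drop -WhatIf to actually run the command; the validation attributes reject out-of-range codes or an over-long comment before anything is executed.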

Normal—Backs up the files you select, and marks the files as backed up.

Incremental—Backs up the files that changed since the last backup, and marks the files as backed up.

Differential—Backs up the files that changed since the last backup, but doesn’t mark the files as backed up.

Copy—Backs up the files you select, but doesn’t mark the files as backed up.

Daily—Backs up the files that changed that day, but doesn’t mark the files as backed up.
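The five definitions above differ in two things: which files are selected, and whether the archive attribute is cleared afterwards. The simulation below is an added example (not from the original post) that walks a constructed set of three files through a week of backups so the consequences are visible, for instance that a differential backup keeps growing until the next normal or incremental backup resets the bits. It treats a set archive bit as "changed since the last backup" and a constructed LastWrite date as "changed that day"; Invoke-BackupType is a hypothetical name.

```powershell
# Added example (not from the original post): simulate how the five backup types
# select files and whether they clear the archive attribute.
# Assumptions: archive bit set = changed since the last backup; LastWrite date = the
# day the file changed. Invoke-BackupType is a hypothetical helper name.
function Invoke-BackupType {
    param(
        [ValidateSet('Normal', 'Incremental', 'Differential', 'Copy', 'Daily')]
        [string] $Type,
        [hashtable[]] $Files,   # each: @{ Name = ..; Archive = $true/$false; LastWrite = [datetime] }
        [datetime] $Today
    )
    $selected = @(switch ($Type) {
        'Normal'       { $Files }                                # everything selected
        'Copy'         { $Files }                                # everything, bit untouched
        'Incremental'  { $Files | Where-Object { $_.Archive } }  # changed since last backup
        'Differential' { $Files | Where-Object { $_.Archive } }  # same selection, bit untouched
        'Daily'        { $Files | Where-Object { $_.LastWrite.Date -eq $Today.Date } }
    })
    # Only Normal and Incremental mark files as backed up (clear the archive bit)
    if (@('Normal', 'Incremental') -contains $Type) {
        foreach ($f in $selected) { $f.Archive = $false }
    }
    return @($selected | ForEach-Object { $_.Name })
}

# Constructed scenario: three files, a full backup on Monday, then edits through the week
$mon = [datetime] '2024-01-01'
$files = @(
    @{ Name = 'a.doc'; Archive = $true; LastWrite = $mon },
    @{ Name = 'b.xls'; Archive = $true; LastWrite = $mon },
    @{ Name = 'c.ppt'; Archive = $true; LastWrite = $mon }
)
$r = Invoke-BackupType Normal $files $mon
"Mon Normal:       $($r -join ', ')"     # a.doc, b.xls, c.ppt; all archive bits cleared

$tue = $mon.AddDays(1)
$files[0].Archive = $true; $files[0].LastWrite = $tue      # a.doc edited on Tuesday
$r = Invoke-BackupType Differential $files $tue
"Tue Differential: $($r -join ', ')"     # a.doc; its bit stays set

$wed = $tue.AddDays(1)
$files[1].Archive = $true; $files[1].LastWrite = $wed      # b.xls edited on Wednesday
$r = Invoke-BackupType Differential $files $wed
"Wed Differential: $($r -join ', ')"     # a.doc, b.xls: differential grows until the next Normal
$r = Invoke-BackupType Daily $files $wed
"Wed Daily:        $($r -join ', ')"     # b.xls only: the file changed that day
$r = Invoke-BackupType Incremental $files $wed
"Wed Incremental:  $($r -join ', ')"     # a.doc, b.xls; both bits are now cleared

$thu = $wed.AddDays(1)
$r = Invoke-BackupType Differential $files $thu
"Thu Differential: $($r -join ', ')"     # nothing: the Wednesday incremental reset the bits
```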

Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Often the data are being salvaged from storage media such as hard disk drives, storage tapes, CDs, DVDs, RAID, and other electronics. Recovery may be required due to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host operating system.

The most common “data recovery” issue involves an operating system (OS) failure (typically on a single-disk, single-partition, single-OS system), where the goal is to simply copy all wanted files to another disk. This can be easily accomplished with a Live CD, most of which provide a means to 1) mount the system drive, 2) mount and backup disk or media drives, and 3) move the files from the system to the backup with a file manager or optical disc authoring software. Further, such cases can be mitigated by disk partitioning and consistently moving valuable data files to a different partition from the replaceable OS system files.

The second type involves a disk-level failure such as a compromised file system, disk partition, or a hard disk failure —in each of which the data cannot be easily read. Depending on the case, solutions involve repairing the file system, partition table or MBR, or hard disk recovery techniques ranging from software-based recovery of corrupted data to hardware replacement on a physically damaged disk. These last two typically indicate the permanent failure of the disk, thus “recovery” means sufficient repair for a one-time recovery of files.

A third type involves the process of retrieving files that have been “deleted” from a storage media, since the files are usually not erased in any way but are merely deleted from the directory listings.

Although there is some confusion as to the term, the term “data recovery” may be used to refer to such cases in the context of forensic purposes or spying.

Recovering data after physical damage

A wide variety of failures can cause physical damage to storage media. CD-ROMs can have their metallic substrate or dye layer scratched off; hard disks can suffer any of several mechanical failures, such as head crashes and failed motors; tapes can simply break. Physical damage always causes at least some data loss, and in many cases the logical structures of the file system are damaged as well. This causes logical damage that must be dealt with before any files can be salvaged from the failed media.

Most physical damage cannot be repaired by end users. For example, opening a hard disk in a normal environment can allow airborne dust to settle on the platter and become caught between the platter and the read/write head, causing new head crashes that further damage the platter and thus compromise the recovery process. Furthermore, end users generally do not have the hardware or technical expertise required to make these repairs. Consequently, costly data recovery companies are often employed to salvage important data. These firms often use “Class 100” / ISO-5 cleanroom facilities to protect the media while repairs are being made. (Any data recovery firm without a pass certificate of ISO-5 or better will not be accepted by hard drive manufacturers for warranty purposes.)

Recovery techniques

Recovering data from physically-damaged hardware can involve multiple techniques. Some damage can be repaired by replacing parts in the hard disk. This alone may make the disk usable, but there may still be logical damage. A specialized disk-imaging procedure is used to recover every readable bit from the surface. Once this image is acquired and saved on a reliable medium, the image can be safely analysed for logical damage and will possibly allow for much of the original file system to be reconstructed.

Hardware repair

Examples of physical recovery procedures are: removing a damaged PCB (printed circuit board) and replacing it with a matching PCB from a healthy drive; performing a live PCB swap (in which the System Area of the HDD is damaged on the target drive and is instead read from the donor drive, the PCB then being disconnected while still under power and transferred to the target drive); replacing the read/write head assembly with matching parts from a healthy drive; removing the hard disk platters from the original damaged drive and installing them into a healthy drive; and often a combination of all of these procedures. Some data recovery companies have procedures that are highly technical in nature and are not recommended for an untrained individual. Any of them will almost certainly void the manufacturer’s warranty.

Disk imaging

The extracted raw image can be used to reconstruct usable data after any logical damage has been repaired. Once that is complete, the files may be in usable form although recovery is often incomplete.

Open source tools such as DCFLdd or DOS tools such as HDClone can usually recover data from all but the physically-damaged sectors. Studies have shown that DCFLdd v1.3.4-1 installed on a Linux 2.4 Kernel system produces extra “bad sectors” when executed with certain parameters, resulting in the loss of information that is actually available. These studies state that when installed on a FreeBSD Kernel system, only the bad sectors are lost. DC3dd, a tool that has superseded DCFLdd, and ddrescue resolve this issue by accessing the hardware directly. Another tool that can correctly image damaged media is ILook IXImager.

Typically, Hard Disk Drive data recovery imaging has the following abilities: (1) Communicating with the hard drive by bypassing the BIOS and operating system, which are very limited in their abilities to deal with drives that have “bad sectors” or take a long time to read. (2) Reading data from “bad sectors” rather than skipping them (by using various read commands and ECC to recreate damaged data). (3) Handling issues caused by unstable drives, such as resetting/repowering the drive when it stops responding or skipping sectors that take too long to read (read instability can be caused by minute mechanical wear and other issues). (4) Pre-configuring drives by disabling certain features, such as SMART and G-List re-mapping, to minimize imaging time and the possibility of further drive degradation.

Problem: What Is the IP Address of a Router?

A typical home network router possesses two IP addresses, one for the internal home (LAN) and one for the external Internet (WAN) connection. How can you find the router IP addresses?

Solution:

The internal, LAN-IP address is normally set to a default, private number. Linksys routers, for example, use 192.168.1.1 for their internal IP address. D-Link and Netgear routers typically use 192.168.0.1. Some US Robotics routers use 192.168.123.254, and some SMC routers use 192.168.2.1. No matter the brand of router, its default internal IP address should be provided in documentation. Administrators often have the option to change this IP address during router setup. In any case, however, the private LAN-IP address remains fixed once set. It can be viewed from the router’s administrative console.

The external, WAN-IP address of the router is set when the router connects to the Internet service provider. This address can also be viewed on the router’s administrative console. Alternatively, the WAN-IP address can be found by visiting a Web-based IP address lookup service like http://checkip.dyndns.org/ from any computer on the home LAN.

Another way to identify the public IP address of a router involves executing a ping or “traceroute” command. From inside a home network, the (DOS) command “ping -r 1” will send a message through the home router that will cause its IP address to be displayed. For example, “ping -r 1 www.yahoo.com” should result in a message like the following displayed on the command prompt:

Reply from 67.84.235.43: bytes=32 time=293ms TTL=56
Route: 209.178.21.76

In this example, the IP address after “Route:” (209.178.21.76) corresponds to the router WAN address.

On corporate networks, network discovery services based on SNMP can automatically determine the IP addresses of routers and many other network devices.

Power-on self-test (POST) is the common term for a computer, router or printer’s pre-boot sequence. The same basic sequence is present on all computer architectures. It is the first step of the more general process called initial program load (IPL), booting, or bootstrapping. The term POST has become popular in association with and as a result of the proliferation of the PC. It can be used as a noun when referring to the code that controls the pre-boot phase or when referring to the phase itself. It can also be used as a verb when referring to the code or the system as it progresses through the pre-boot phase. Alternatively, this may be called “POSTing.”

For embedded systems power-on self-test (POST) refers to the testing sequence that occurs when a system is first powered on. POST is software written to initialize and configure a processor and then execute a defined series of tests to determine if the computer hardware is working properly. Any errors found during the self-test are stored or reported through auditory or visual means, for example through a series of beeps, flashing LEDs or text displayed on a display. Once the POST sequence completes, execution is handed over to the normal boot sequence which typically runs a boot loader or operating system. POST for embedded systems has been around since the earliest days of computer systems.

On power up, the main duties of POST are handled by the BIOS, which may hand some of these duties to other programs designed to initialize very specific peripheral devices, notably for video and SCSI initialization. These other duty-specific programs are generally known collectively as option ROMs or individually as the video BIOS, SCSI BIOS, etc.

The principal duties of the main BIOS during POST are as follows:

  • verify the integrity of the BIOS code itself
  • find, size, and verify system main memory
  • discover, initialize, and catalog all system buses and devices
  • pass control to other specialized BIOSes (if and when required)
  • provide a user interface for system’s configuration
  • identify, organize, and select which devices are available for booting
  • construct whatever system environment that is required by the target OS

The BIOS will begin its POST duties when the CPU is reset. The first memory location the CPU tries to execute is known as the reset vector. In the case of a hard reboot, the northbridge will direct this code fetch (request) to the BIOS located on the system flash memory. For a warm boot, the BIOS will be located in the proper place in RAM and the northbridge will direct the reset vector call to the RAM.

During the POST flow of a contemporary BIOS, one of the first things a BIOS should do is determine the reason it is executing. For a cold boot, for example, it may need to execute all of its functionality. If, however, the system supports power savings or quick boot methods, the BIOS may be able to circumvent the standard POST device discovery, and simply program the devices from a preloaded system device table.

The POST flow for the PC has developed from a very simple, straightforward process to one that is complex and convoluted. During POST, the BIOS must integrate a plethora of competing, evolving, and even mutually exclusive standards and initiatives for the matrix of hardware and OSes the PC is expected to support. However, the average user still knows the POST and BIOS only through its simple visible memory tests and setup screen.

While Windows Vista may be Microsoft Corp’s most secure operating system ever, it’s far from completely secure. In its fresh-from-the-box configuration, Vista still leaves a chance for your personal data to leak out to the Web through Windows Firewall or for some wicked bot to tweak your browser settings without your knowledge.

But by making a few judicious changes using the security tools within Windows Vista — and in some cases by adding a few pieces of free software – you can lock down your operating system like a pro.

1. Use Windows Security Centre as a starting point

For a quick overview of your security settings, the Windows Security Center is where you’ll find the status of your system firewall, auto update, malware protection and other security settings. Click Start, Control Panel, Security Center, or you can simply click the shield icon in the task tray. If you see any red or yellow, you are not fully protected.

For example, if you have not yet installed an antivirus product on your machine, or if your current antivirus product is out of date, the malware section of the Security Center should be yellow. Windows does not offer a built-in antivirus utility, so you’ll want to install your own. For free antivirus, I recommend Avast 4.8 Home Edition.

2. Use Windows Defender as a diagnostic tool

The malware section of Windows Vista also protects against spyware using Windows Defender. The antispyware protection in your antivirus program usually trumps the protection Microsoft provides, but there are several good reasons to keep Windows Defender enabled. One is that every antispyware program uses a different definition of what is and is not spyware, so redundant protection can actually offer some benefit.

Another reason to keep Windows Defender enabled: diagnostics. Click Tools, and choose Software Explorer from the resulting pane. You can display lists of applications from several categories such as Currently Running Programs, Network Connected Programs and Winsock Service Providers, but Start-up Programs is perhaps the most useful. Click on any name in the left window, and full details will appear in the right pane. By highlighting, you can remove, disable or enable any of the programs listed.

3. Disable the start-up menu

Windows Vista keeps track of all the documents and programs you launch in the start-up menu. This can be convenient for some users, but it can also compromise your privacy if you share a computer within an office or household. Fortunately, Windows Vista provides an easy way to tweak this setting. To protect your privacy, follow these steps:

* Right-click on the task bar and select “Properties.”

* Click on the Start Menu tab.

* Uncheck “Store and display a list of recently opened files.”

* Uncheck “Store and display a list of recently opened programs.”

* Click “OK.”

4. Get two-way firewall protection

No desktop should be without a personal firewall, but even if the Security Center says you’re protected, you may not be. The Windows Firewall within Vista blocks all incoming traffic that might be malicious or suspicious — and that’s good. But outbound protection is not enabled by default. That’s a dangerous situation if some new malicious software finds its way onto your PC.

Microsoft did include the tools for Windows Vista to have a true two-way firewall, but finding the setting is a little complicated. (Hint: Don’t go looking in the Windows Firewall settings dialog box.)

To get two-way firewall protection in Windows Vista, do the following:

* Click on the Start button; in the search space, type “wf.msc” and press Enter.

* Click on the Windows Firewall with Advanced Security icon. This management interface displays the inbound and outbound rules.

* Click on Windows Firewalls Properties. You should now see a dialog box with several tabs.

* For each profile — Domain, Private and Public — change the setting to Block, and then click OK.

Even if you do this tweak, I recommend adding a more robust third-party firewall. I suggest either Comodo Firewall Pro or ZoneAlarm, both of which are free and fare very well in independent firewall testing.
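The same change can be made, and more importantly verified, from an elevated command prompt with netsh, which is the command-line face of the Windows Firewall with Advanced Security console described in step 4. The block below is an added example, not from the original article: it shows the weak default policy beside the hardened one and checks the result after the change. It assumes netsh advfirewall is present (Vista and later); Get-FirewallPolicy and the browser path are hypothetical placeholders.

```powershell
# Added example (not from the original article): step 4 done with netsh from an elevated
# prompt, checking the default outbound action before and after the change.
# Assumptions: netsh advfirewall is available (Vista and later); Get-FirewallPolicy
# and the program path in the allow rule are hypothetical placeholders.
function Get-FirewallPolicy {
    # Keep just the per-profile headers and their "Firewall Policy" line from the netsh report
    netsh advfirewall show allprofiles |
        Where-Object { $_ -match '^(Domain|Private|Public) Profile Settings|^Firewall Policy' }
}

Get-FirewallPolicy
# Weak default: "BlockInbound,AllowOutbound" on every profile, so any program on the PC may call out

netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

Get-FirewallPolicy
# Hardened: "BlockInbound,BlockOutbound". Outbound traffic now needs an explicit allow rule,
# so add one per program you trust (placeholder path; use the real executable)
netsh advfirewall firewall add rule name="Browser outbound" dir=out action=allow enable=yes program="C:\Path\To\browser.exe"
```

Expect some applications to stop working until their allow rules exist; the dropped connections are logged if you enable "Log dropped packets" in the same properties dialog.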

5. Lock out unwanted guests

If you share your computer with others — and even if you don’t – Windows Vista includes a neat way to keep unwanted guests from guessing your system administrator password. When you set up users and declare one user as administrator with full privileges, Windows Vista allows an outsider unlimited guesses at the password you chose. Here’s how to limit the guesses.

* Click Start, then type “Local Security Policy.”

* Click Account Lockout Policy.

* Choose Account Lockout Threshold.

* At the prompt, enter the number of invalid log-ins you’ll accept (say, three).

* Click OK and close.

6. Now audit your attackers

With the Account Lockout policy in place, you can now enable auditing to see any account attacks. To turn on auditing for failed log-on events, do the following:

* Click the Start button, type “secpol.msc,” and click the secpol icon.

* Click on Local Policies and then Audit Policy.

* Right-click on “Audit account log-on events policy,” and select Properties.

* Check the Failure box, and click OK.

* Right-click on “Audit log-on events policy” and select Properties.

* Check the Failure box and click OK.

* Close the Local Security Policy window.

You can then use the Event Viewer (by running eventvwr.msc) to view the logs under Windows Logs and Security.
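Steps 5 and 6 can also be applied from an elevated prompt, and the resulting Security log is far more useful summarised than browsed event by event in Event Viewer. The block below is an added example, not from the original article: it sets the lockout threshold with net accounts, enables failure auditing for the two policies named in step 6 via their auditpol categories, and then groups failed logons (event ID 4625 on Vista and later) by account and source address. It assumes PowerShell 2.0 or later; the 30-minute window and duration are constructed values and Get-FailedLogonSummary is a hypothetical helper name.

```powershell
# Added example (not from the original article): steps 5 and 6 from an elevated prompt,
# then a summary of failed logons instead of reading Event Viewer by hand.
# Assumptions: Vista or later with PowerShell 2.0+; event ID 4625 is the failed-logon
# record in the Security log; the 30-minute values are constructed;
# Get-FailedLogonSummary is a hypothetical helper name.

# Step 5: lock the account after three bad passwords, counted over a 30-minute window
net accounts /lockoutthreshold:3 /lockoutwindow:30 /lockoutduration:30

# Step 6: failure auditing for "Audit logon events" and "Audit account logon events"
auditpol /set /category:"Logon/Logoff" /failure:enable
auditpol /set /category:"Account Logon" /failure:enable
auditpol /get /category:*          # confirm the change

function Get-FailedLogonSummary {
    param([int] $Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    # SilentlyContinue hides the "no events found" error when the log is clean
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named fields out of the event's XML payload
        $xml  = [xml] $_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']       # 2 = interactive, 3 = network, 10 = remote desktop
            SubStatus = $data['SubStatus']       # 0xC000006A = bad password, 0xC0000064 = unknown user
        }
    } | Group-Object User, Source | Sort-Object Count -Descending | Select-Object Count, Name
}

Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
```

A single account with many failures from one source is the lockout policy doing its job; many different account names from the same source is the pattern worth investigating.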

7. Secure your Internet Explorer settings

The Windows Security Center will also report whether your Internet Explorer 7(or IE 8) security settings are at their recommended levels. If the screen shows this section as red, you can adjust the settings within the browser itself.

* Within Internet Explorer, click Tools in the menu bar.

* From the drop-down menu, click Internet Options.

* Choose the Security tab.

* Within the Security tab, click Custom Level.

Here you’ll see a window with all the security options for the browser. If any are below the recommended level (if, say, some malware reconfigured your browser settings), these options will be highlighted in red.

To change an individual setting, click the appropriate radio button. To reset them all, use the button near the bottom of the tab. You can also change the overall security setting for Internet Explorer from the default Medium-High setting to the recommended High or Medium, if you wish. Click OK to save and close.

8. Use OpenDNS

Domain Name System (DNS) servers act as a phone book. When you type “pcworld.com” in the address bar, for instance, your browser sends that common-name request to your Internet service provider’s DNS servers to be converted into a series of numbers, or an IP address.

Lately, DNS servers have come under attack, with criminals seeking to redirect common DNS preferences to servers that they control. One way to stop such abuse is to use OpenDNS.

Go to Start, Control Panel, Network and Internet, and then click Network and Sharing Center. Under the tasks listed on the left, click Manage Network Connections. In the Manage Network Connections window, do the following:

* Right-click on the icon representing your network card.

* Click Properties.

* Click Internet Protocol Version 4.

* Click the Properties button.

* Select the Use the following DNS server addresses radio button.

* Type in a primary address of 208.67.222.222.

* Type in a secondary address of 208.67.220.220.

* Click OK.

9. Live with User Account Control

One area where some people might want to see the Windows Security Center turn red is User Account Control (UAC), perhaps the most controversial security feature within Windows Vista. Designed to keep rogue remote software from automatically installing (among other things), UAC has a tendency to thwart legitimate software installations by interrupting the process several times with useless messages.

In Windows 7, you’ll be able to set UAC to the level you want. Until then, you do have some options. One is to disable UAC. I would caution against that, since UAC is meant to warn you of potential danger.

Instead, install TweakUAC, a free utility that enables you to turn UAC on or off as well as provides an intermediate “quiet” mode that keeps UAC on but suppresses administration-elevation prompts. With TweakUAC in quiet mode, UAC will appear to be off to those running as administrator accounts, while people with standard user accounts will still be prompted.

10. Check your work

Now that you’ve tweaked Windows Vista, you can keep tabs on your system’s security with the System Health Report. This diagnostic tool takes input from the Performance and Reliability Monitor and turns it into an information-packed report that can spotlight potential security problems.

* Open Control Panel.

* Click System.

* In the Tasks list, click Performance (near the bottom).

* In the resulting Tasks list, click Advanced tools (near the top).

* Click the last item on the resulting list — “Generate a system health report.”

The report will list any missing drivers that might be causing error codes, tell you whether your antivirus protection is installed and declare whether UAC is turned on. You may want to run this report once a month just to make sure everything is still good.

WINDOWS XP HIDDEN APPS

To run any of these apps go to Start > Run and type the executable name (e.g. charmap).

=========================================

1) Character Map = charmap.exe (very useful for finding unusual characters)

2) Disk Cleanup = cleanmgr.exe

3) Clipboard Viewer = clipbrd.exe (views contents of Windows clipboard)

4) Dr Watson = drwtsn32.exe (Troubleshooting tool)

5) DirectX diagnosis = dxdiag.exe (Diagnose & test DirectX, video & sound cards)

6) Private character editor = eudcedit.exe (allows creation or modification of characters)

7) IExpress Wizard = iexpress.exe (Create self-extracting / self-installing package)

8) Microsoft Synchronization Manager = mobsync.exe (appears to allow synchronization of files on the network for when working offline. Apparently undocumented).

9) Windows Media Player 5.1 = mplay32.exe (Retro version of Media Player, very basic).

10) ODBC Data Source Administrator = odbcad32.exe (something to do with databases)

11) Object Packager = packager.exe (to do with packaging objects for insertion in files, appears to have comprehensive help files).

12) System Monitor = perfmon.exe (very useful, highly configurable tool, tells you everything you ever wanted to know about any aspect of PC performance, for uber-geeks only )

13) Program Manager = progman.exe (Legacy Windows 3.x desktop shell).

14) Remote Access phone book = rasphone.exe (documentation is virtually non-existent).

15) Registry Editor = regedt32.exe [also regedit.exe] (for hacking the Windows Registry).

16) Network shared folder wizard = shrpubw.exe (creates shared folders on network).

17) File signature verification tool = sigverif.exe

18) Volume Control = sndvol32.exe (I’ve included this for those people that lose it from the System Notification area).

19) System Configuration Editor = sysedit.exe (modify System.ini & Win.ini just like in Win98! ).

20) Syskey = syskey.exe (Secures XP Account database – use with care, it’s virtually undocumented but it appears to encrypt all passwords, I’m not sure of the full implications).

21) Microsoft Telnet Client = telnet.exe

22) Driver Verifier Manager = verifier.exe (seems to be a utility for monitoring the actions of drivers, might be useful for people having driver problems. Undocumented).

23) Windows for Workgroups Chat = winchat.exe (appears to be an old NT utility to allow chat sessions over a LAN, help files available).

24) System configuration = msconfig.exe (can use to control startup programs)

25) gpedit.msc used to manage group policies, and permissions