Edit
  • Article

[Newsletters Archive ^] [< Volume 7, Number 2] [Volume 8, Number 2 >]

The Systems Internals Newsletter Volume 8, Number 1

http://www.sysinternals.com
Copyright (C) 2006 Mark Russinovich

March 2, 2006 - In this issue:

  1. INTRODUCTION
  2. TOOL UPDATES
  3. LICENSING UPDATE
  4. SYSINTERNALS FORUM
  5. MARK'S BLOG
  6. MARK'S ARTICLES
  7. MARK'S SPEAKING SCHEDULE
  8. LIVE HANDS-ON INTERNALS/TROUBLESHOOTING CLASSES
  9. NEW SYSINTERNALS TROUBLESHOOTING VIDEO LIBRARY

Winternals Software is the leading developer and provider of advanced systems tools for Windows. It was designated a 2006 "hot company" by Info Security Products Guide (see http://www.infosecurityproductsguide.com/hot2006/WinternalsSoftware.html)

Also, Recovery Manager and Administrator's Pak won SearchWinSystems.com's 2005 Products of the Year Awards. Recovery Manager was awarded Gold in the Desktop Management category, while Administrator's Pak was recognized as the Silver Award winner in the Systems Management group (http://searchwinsystems.techtarget.com/productsOfTheYear/0,294801,sid68_ayr2005,00.html)

For full product details, multimedia demos, webinars, or to request a trial CD of either product, please visit http://www.winternals.com

INTRODUCTION

Hello everyone,

Welcome to the Sysinternals newsletter. The newsletter currently has 60,000 subscribers.

In February, Sysinternals had 1.26 million unique visitors and 20 million page views. It's now ranked the number 6,900 web site on the internet by Alexa.com (http://www.alexa.com/data/details/?url=www.sysinternals.com).

The most downloaded tools are:

  • Procexp: 375,000 downloads/month
  • Autoruns: 120,000 downloads/month
  • Rootkit Revealer: 120,000 downloads/month
  • Filemon: 100,000 downloads/month
  • Regmon: 90,000 downloads/month
  • Tcpview: 63,000 downloads/month

Filemon, Regmon, Process Explorer and Autoruns have been picked as the "best of the best" by alt.comp.freeware newsgroup participants (see http://www.pricelesswarehome.org/2006/about2006PL.php).

Life got interesting last November when I published my findings on the Sony rootkit. I had my first national TV appearance and radio interview in addition to dozens of press interviews and articles in magazines and newspapers. Things have settled down now, which means I've been back at work enhancing the Sysinternals tools. You'll find a full write-up of changes since the last newsletter below.

I'm also very excited about the new Sysinternals Video Library, a 6 DVD set covering key Windows troubleshooting topics featuring the Sysinternals tools. They should be available by June. Watch Sysinternals for preview video clips and a free download of one of the videos.

Finally, if you are attending a conference where I'm speaking, please stop by to say hello. Or, spend 5 days with me and Dave Solomon at one of our live Windows Internals & Advanced Troubleshooting classes in London, San Francisco, or Austin.

-Mark Russinovich

TOOL UPDATES

Lots of tools were updated since the last newsletter in August. Since I update the tools frequently, make sure you're using the latest version. The best way to keep up with changes is to subscribe to my RSS feed at http://www.sysinternals.com/sysinternals.xml (and if you're not yet using RSS to keep up with web sites, you need to start!).

Here is a detailed list of changes by tool:

Process Explorer v10.06

This major Process Explorer update has an extensive list of new features and enhancements aimed at usability and malware hunting. Just some of the examples include Runas and Run As Limited User commands, process restart, column sets, enhanced process tooltips for service-hosting and Rundll32 processes, working set breakdown columns, and DLL image verification and packed-image detection.

RootkitRevealer v1.7

This new RootkitRevealer release includes more sophisticated rootkit counter-measures, scanning of all Registry hives including user profiles, runs from Windows XP remote desktop sessions, support for NTFS volumes with cluster sizes larger than 4 KB, and includes a number of bug fixes and reduces the number of false positive discrepancies. Even the Hacker Defender rootkit's paid anti- detection versions don't hide from this release.

RegDelNull v1.1

Use this new applet to find and delete Registry keys that are "undeleteable" by standard Registry-editing utilities because they have embedded null characters in their names. In response to the use of such keys by malware, RegDelNull can now unlock and delete keys that not only have embedded nulls, but that also have security permissions that make them otherwise inaccessible.

Sigcheck v1.3

Sigcheck, a powerful command-line file version information and signature verification tool, now includes a new flag that has it only show a file's version number.

PsExec v1.7

This PsExec update includes a new -l switch for use by administrative accounts to run processes with limited-user account privileges. Run a low-rights Internet Explorer before IE 7 (in Vista) comes out simply by creating a shortcut to launch it with the switch.

Autoruns v8.42

Autoruns now knows about yet more autostart locations including the Winlogon boot verification Registry value, Shell open hijacks, kernel-mode drivers, print monitor DLLs, and Explorer column handlers - all of which have been used by real malware. Also added is on-demand signature verification for individual items and dramatically improved scan time performance when image verification is selected.

Autoruns now supports arbitrary length Registry and file system paths, adds a find capability to search through configured items, introduces a comparison feature to compare current autostarts with a previously saved version so that you can easily identify new additions.

ProcFeatures v1.0

This applet reports processor and Windows support for Physical Address Extensions and No Execute buffer overflow protection.

DiskView v2.2

Diskview, a utility that lets you look at the cluster allocations of a volume, now shows a summary of a file's fragments when you double- click on any of the file's clusters and the Show Next button navigates to the next fragment of a selected file.

DebugView v4.5

DebugView is a developer tool that captures user and kernel mode debug output. After many user requests for the feature DebugView now has an option to create a new log file and clear the display each day.

AccessEnum v1.3

AccessEnum is a powerful security utility that makes it easy to spot misconfigured file and Registry security descriptors. Version 1.3 includes bug fixes, Windows XP theming, and a new file format that's compatible with Excel importing.

Livekd v3.0

LiveKd, a utility that allows you to view the local system as if it were a crash dump using the standard Microsoft kernel debuggers, now supports x64 versions of Windows and includes some minor bug fixes.

Regmon v7.02

This minor update has clearer error messages for when an account does not have privileges required to run Regmon or Regmon is already running and consolidates the 32-bit and 64-bit (x64) versions into a single binary.

LICENSING UPDATE

We get asked often what the rules are for our freeware tools. We've started to put an End User License Agreement popup that is displayed the first time you run a tool - the text reads as follows:

"You are allowed to use software published on this Web site at home or at work without paying a commercial license fee provided that you downloaded the software yourself directly from Sysinternals, use the software on computers for which you are the primary user, use the software on systems for which there is no primary user (e.g. a server, including a terminal server) and you are a full-time employee of the company that owns the server, or use the software on a computers within a home of which you are residence."

The Sysinternals freeware license page at http://www.sysinternals.com/Licensing.html now explains scenarios under which a paid commercial license is required for use.

SYSINTERNALS FORUM

Come visit one of the 16 interactive Sysinternals forums (http://www.sysinternals.com/forum). Besides dedicated forums on each of the major tools, there are four technical Windows forums: Malware, Troubleshooting, Internals, and Development.

With over 7352 members (up by almost 6000 in 6 months), there have been 14667 posts to date in 4384 different topics, which comes to 2000 posts a month for the last 6 months!

MARK'S BLOG

My blog received a new level of attention with the publication of my findings on the Sony rootkit, but there have been several other postings not related to the Sony issue. Here is a list of articles since the last newsletter:

  • 2/6/2006 Using Rootkits to Defeat Digital Rights Management
  • 1/18/2006 Inside the WMF Backdoor
  • 1/15/2006 Rootkits in Commercial Software
  • 1/3/2006 The Antispyware Conspiracy
  • 12/30/2005 Sony Settles
  • 12/12/2005 Circumventing Group Policy as a Limited User
  • 11/30/2005 Premature Victory Declaration?
  • 11/16/2005 Victory!
  • 11/14/2005 Sony: No More Rootkit - For Now
  • 11/9/2005 Sony: You don't reeeeaaaally want to uninstall, do you?
  • 11/6/2005 Sony's Rootkit: First 4 Internet Responds
  • 11/4/2005 More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
  • 10/31/2005 Sony, Rootkits and Digital Rights Management Gone Too Far
  • 10/19/2005 The Bypass Traverse Checking (or is it the Change Notify?) Privilege
  • 10/2/2005 Registry Junk: A Windows Fact of Life
  • 9/19/2005 Multi-platform Images
  • 8/28/2005 The Case of the Intermittent (and Annoying) Explorer Hangs

For a full list of articles, see http://www.sysinternals.com/blog/blogindex.html

MARK'S ARTICLES

My latest article in Windows and IT Pro Magazine was on AccessEnum, which scans a specified volume, subdirectory, or registry key to help you find potential trouble spots in your security settings.

It is available online to subscribers at http://www.windowsitpro.com/Article/ArticleID/47638/47638.html?Ad=1

MARK'S SPEAKING SCHEDULE

Last fall I spoke at the Microsoft 2005 Professional Developers Conference (September in Los Angeles), Windows Connections (November in San Francisco, CA) and Microsoft IT Forum (November in Barcelona, Spain).

My next conference talks are at Microsoft TechEd 2006 in Boston in June. I'm presenting a preconference tutorial with Dave Solomon on advanced malware cleaning on June 11 (http://www.msteched.com/content/precons.aspx). I'll also be delivering four breakout sessions on topics including Vista kernel changes, troubleshooting with Filemon and Regmon, analyzing Windows crashes and hangs, and advanced malware cleaning techniques.

For the latest updates, see http://www.sysinternals.com/Information/SpeakingSchedule.html

LIVE HANDS-ON INTERNALS/TROUBLESHOOTING CLASSES

If you like Sysinternals, the book Windows Internals, or want to learn more about Windows OS internals, including what's coming in Vista, then you'll want to attend the only scheduled seminars where both Dave Solomon and I deliver our 5-day hands-on (bring your own laptop) Windows Internals and Advanced Troubleshooting seminar. This year's dates are:

  • London, June 26-30, 2006
  • San Francisco, September 18-22, 2006
  • Austin, TX, December 11-15, 2006

In this class, you'll gain an in-depth understanding of the kernel architecture of Windows, including the internals of processes, thread scheduling, memory management, I/O, services, security, the registry, and the boot process. Also covered are advanced troubleshooting techniques such as malware disinfection, crash dump (blue screen) analysis, and getting past boot problems.

You'll also learn advanced tips on using the key tools from www.sysinternals.com (such as Filemon, Regmon, & Process Explorer) to troubleshoot a range of system and application issues, such as slow computers, virus detection, DLL conflicts, permission problems, and registry issues. These tools are used on a daily basis by Microsoft Product Support and have been used effectively to solve a wide variety of desktop and server issues, so being familiar with their operation and application will assist you in dealing with different problems on Windows. Real world examples will be given that show successful application of these tools to solve real problems. And because the course was developed with full access to the Windows kernel source code AND developers, you know you're getting the real story.

And if you have 20 or more people, you may find it more attractive to run a private on-site class at your location (email seminars@... for details).

For more details and to register, visit
http://www.sysinternals.com/Troubleshooting.html

NEW SYSINTERNALS TROUBLESHOOTING VIDEO LIBRARY

Dave Solomon and I recently shot a new video series to be called "The Sysinternals Troubleshooting Library". It will be a 6 DVD set covering essential Windows internals and advanced troubleshooting topics, featuring the Sysinternals tools. The disk titles are:

  • Disk 1 - Tour of the Sysinternals Tools
  • Disk 2 - Troubleshooting with Process Explorer
  • Disk 3 - Troubleshooting with Filemon and Regmon
  • Disk 4 - Troubleshooting Memory Problems
  • Disk 5 - Crash Dump & Hang Analysis
  • Disk 6 - Troubleshooting Boot & Startup Problems

We expect to have some sample video content available for download this month. The disks should be shipping by June. We will have a discounted price when we open up pre-orders - hopefully in May. When they are available for preorder, we will send a notice to this interest list.

Thank you for reading the Sysinternals Newsletter.

Published Tuesday, May 02, 2006 4:29 PM by ottoh

[Newsletters Archive ^] [< Volume 7, Number 2] [Volume 8, Number 2 >]