Tuesday, December 29, 2009

Who is hogging my CPU: IE & SVCHOST acting for Akamai (Adobe download manager)

For a change from investigating client issues, today I decided to spend some time with my Vista system analyzing its performance..

Thought of clearing the %temp% first.. Lots of active .tmp files were present.. That means.. I couldn't delete them.. Got curious about this and decided to investigate it further.. Fired up Process Explorer and searched for ".tmp" using the "Find Handle" option. To my great surprise, all those files were held open by Internet Explorer. I use IE8 on Vista..

I have lots of RSS feeds saved, so suspecting something related to that, I decided to review the feed reader configuration.. Dumb me.. It was accidentally configured for a 15-minute sync, with my 50+ feeds.. syncing every 15 minutes.. Now I know why sometimes my system was behaving really oddly..

But that didn't answer the .tmp file question.. I closed down all the IE windows.. and the files went away.. Fired up IE windows.. those files came back..
With each tab there were around 4 to 5 new .tmp files created.. So it's not just the Temporary Internet Files folder that IE uses for caching.. it uses %temp% too. Finding out the exact details of this behavior has been filed as a low-priority item on my to-do list..

I decided to move on.. Playing around with Process Explorer.. one application was taking up a lot of private bytes.. the process name was searchindexer.exe, hosted as the "Windows Search" service. So it's the indexing service that is using resources for searches that I rarely do.. Not a recommendation.. but I decided to turn off the service for some days to monitor. The result is very evident..

The next biggest consumer was SVCHOST.EXE, the poor generic service host which has to take the blame for all the services it hosts.. Windows went with this multi-host model to conserve resources..

But this time I am surprised, really really surprised.. As far as I had read until now, SVCHOST cannot be used by third parties to host their applications..

And here is the Akamai Download Manager, which I installed to download an Adobe product (Akamai is Adobe's download manager), using SVCHOST to serve it.. On top of that, there were a large number of context switches happening..

There wasn't any download happening at that time. So for sure the application was misbehaving.. There was an uninstaller in the product folder, using which I uninstalled the product.. I should say the system is much better now..

20 minutes of small investigation using Process Explorer.. The system is back on its feet.. but it opened up a Pandora's box full of questions to be answered...

Enabling extended logging for Windows Update Agent Service


The Windows Update Agent service (wuauserv) is responsible for keeping the system updated by scanning the system for missing updates and installing them if it is configured to do so..

WSUS and the Windows Update site use this client agent to accomplish their tasks.. If you are aware of MBSA, the Microsoft tool to assess your system's security compliance level, it also uses the Windows Update Agent for scanning. Additionally, any custom application which uses the Windows Update APIs to scan for or install updates uses the same service..

Pretty critical, eh.. It leaves behind a log file.. which is very difficult to decipher for fresh eyes.. Even then, sometimes the logged information proves insufficient to identify some issues.. That is when you should be considering the extended logging option of the Windows Update Agent.

How to do that?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Value name: Flags
Value type: REG_DWORD
Value data: 00000007

Value name: Level
Value type: REG_DWORD
Value data: 00000004
This registry key turns on extended tracing to the %systemroot%\Windowsupdate.log file. Additionally, it turns on extended tracing to any attached debugger.

Refer to the MS Documentation for additional details. http://support.microsoft.com/kb/902093

P.S.: While investigating a very peculiar MBSA scan issue (the offline scan wouldn't work if the network cable was disconnected.. then why should it be called an offline scan, right?), once the extended logging was enabled, it gave some references to the IPv6 interface not being up and so on..

In Windows XP, the IPv6 stack can be installed or removed easily with

c:\>ipv6 install

and

C:\> ipv6 uninstall

The system that had the issue did not have the IPv6 stack enabled. Taking clues from the log file, I enabled it and the scan started working.. Not happy yet, as I am yet to reach the root cause.

Big Surprise! Where did the /etc/inittab file go ???

This is what happens when you switch technologies..

It's like going back to your old mate without knowing what happened while you were away..

One file that my seniors/Unix gurus @HCL advised me to be very careful with, while teaching me the ABCs of SCO Unix and Linux, is /etc/inittab.. They said..

It is the system configuration database.
The system (init process ) reads configuration from this file.
If this file is corrupt you are GONE.

I do respect my seniors and gurus.. I always used to take a backup of those files before editing/changing them..

Time moved on.. My new role is a purely Windows-based role.. Since I knew nothing about Windows, I had to put in a lot of effort to learn something about the OS.. As a result, I had to leave my long-time buddy, Linux..

Old habits die hard.. When I got some spare time, I decided to install the latest Ubuntu version and test my memory.. type a couple of ls and clear commands.. ;-).. seeing the black screen I got nostalgic and missed "vi" badly.. And how can I forget the /etc/inittab file.. Alas!! the file was not present..
I was pretty sure.. I am out now.. "I knew a bit of Linux"... no longer true..

Upstart has taken my init away..

"Upstart is an event-based replacement for the /sbin/init daemon which handles starting of tasks and services during boot, stopping them during shutdown and supervising them while the system is running. "

Feature Highlights

  • Tasks and Services are started and stopped by events

  • Events are generated as tasks and services are started and stopped

  • Events may be received from any other process on the system

  • Services may be respawned if they die unexpectedly

  • Supervision and respawning of daemons which separate from their parent process

  • Communication with the init daemon over D-Bus

Known Users

  • Ubuntu 6.10 and later

  • Fedora 9 and later

  • Debian (as an option)

  • Nokia's Maemo platform

  • Palm's WebOS

  • Google's Chrome OS


http://upstart.ubuntu.com/

At least now, when friends still call me up to check whether any Linux residue is left in me, I will ask about the distribution they are using before asking them to edit /etc/inittab..

Monday, December 28, 2009

Windows Task Manager "Mem Usage" and VM Size column

A quick post :-)

You know how to bring up the Task Manager.. (refer to http://sreekarun.livejournal.com/7267.html)

As mentioned in that post, Mem Usage gives you only the amount of physical memory in use, i.e. the working set.

VM Size gives you the private bytes: the amount of virtual memory, or address space, committed to a process.

Friday, December 18, 2009

Let's learn WinDbg: the !cpuid extension

It's an effort to learn and document WinDbg extensions..

So here is the first one: !cpuid

lkd> !cpuid

CP  F/M/S  Manufacturer     MHz  
0  6,23,6  GenuineIntel    2394  
1  6,23,6  GenuineIntel    2393

The lkd> prompt means the current debug session is local kernel debugging. How do we do that? Open WinDbg, select File -> Kernel Debug and select Local.

Well, I have seen that this doesn't normally work with Vista. And as you can see, the other options are remote kernel debugging, which includes COM, 1394, USB 2.0 and ET (yes, you can do it over TCP/IP as well)

Thursday, September 24, 2009

A small lesson on VBScript - learned the hard way


Today, we were required to write a script to gather some information from Windows client systems. The script seemed to work fine till the "Quality Control" ghost took control.. Obviously.. it was me who suggested the catastrophic idea of having an "error handling" mechanism.

VBScript, by default, throws any error during execution as a run-time error.. This is a controllable behaviour though..

The two important statements are

On Error Resume Next

On Error Goto 0

The first one enables the error handling mechanism.. i.e. you will not get run-time errors as before.. So you need to handle them manually..

And the second one disables the error handling mechanism.. any code error = run-time error..

Now, how to work with error handling:


Err.Number will give you the error number.. and there is more below

' Turn on inline error handling for this scope: errors no longer abort the script
On Error Resume Next
strComputer = "fictional"
' Connecting to a host that does not exist makes GetObject fail, which is what we want to catch
Set objWMIService = GetObject("winmgmts:\\" & strComputer)
If Err.Number <> 0 Then
    WScript.Echo "Error: " & Err.Number
    WScript.Echo "Error (Hex): " & Hex(Err.Number)
    WScript.Echo "Source: " & Err.Source
    WScript.Echo "Description: " & Err.Description
    ' Reset the Err object, otherwise the old error is still reported by the next check
    Err.Clear
End If

http://www.microsoft.com/technet/scriptcenter/resources/scriptshop/shop1205.mspx#EMC

All that theory is just fine.. However, the script, which had grown to around 600+ lines, made us go mad.. One specific module to modify a registry hive wouldn't work..

And finally we found where we went wrong..

"An On Error Resume Next statement becomes inactive when another procedure is called, so you should execute an On Error Resume Next statement in each called routine if you want inline error handling within that routine."

http://msdn.microsoft.com/en-us/library/aa266173(VS.60).aspx


We had around 5 to 6 functions in the script. We added the "On Error Resume Next" statement to all of those and we were back on track after that.. A lesson learned the hard way.. Long live VBScript error handling.

Cheers !!

Sree

Wednesday, September 23, 2009

Wow... I am on Twitter now..


Yep.. Just wanted to try out what is happening out there.. Thanks to Shashi Tharoor.. :-)

https://twitter.com/sreekarun

43 weird things said in job interviews

Have a good laugh guys..


My Choice:

"So, how much do they pay you for doing these interviews?" -- Jodi R.R. Smith, Mannersmith Etiquette Consulting

http://www.cnn.com/2009/LIVING/worklife/07/22/cb.you.said.what.interview/index.html


Tuesday, September 1, 2009

IRP Function codes and procmon

Hi guys...

Our team uses Procmon a lot for troubleshooting issues.. I always get confused by the different IRP messages that I see in the traces. The effort here is to map the common IRP messages to what they mean in plain terms..

It will take an edit or two to take this document to an acceptable level.. so keep watching.. :-)

To start with.. I have captured a couple of points from MSDN



IRP_MJ_CREATE

The I/O Manager sends the IRP_MJ_CREATE request when a new file or directory is being created, or when an existing file, device, directory, or volume is being opened. Normally this IRP is sent on behalf of a user-mode application that has called a Microsoft Win32 function such as CreateFile or on behalf of a kernel-mode component that has called IoCreateFile, IoCreateFileSpecifyDeviceObjectHint, ZwCreateFile, or ZwOpenFile. If the create request is completed successfully, the application or kernel-mode component receives a handle to the file object.


IRP_MJ_CLEANUP

Receipt of the IRP_MJ_CLEANUP request indicates that the handle reference count on a file object has reached zero. (In other words, all handles to the file object have been closed.) Often it is sent when a user-mode application has called the Microsoft Win32 CloseHandle function (or when a kernel-mode driver has called ZwClose) on the last outstanding handle to a file object.

It is important to note that when all handles to a file object have been closed, this does not necessarily mean that the file object is no longer being used. System components, such as the Cache Manager and the Memory Manager, might hold outstanding references to the file object. These components can still read to or write from a file, even after an IRP_MJ_CLEANUP request is received.


IRP_MJ_CLOSE

Receipt of the IRP_MJ_CLOSE request indicates that the reference count on a file object has reached zero, usually because a file system driver or other kernel-mode component has called ObDereferenceObject on the file object. This request normally follows a cleanup request. However, this does not necessarily mean that the close request will be received immediately after the cleanup request.

IRP_MJ_DIRECTORY_CONTROL

The IRP_MJ_DIRECTORY_CONTROL request is sent by the I/O Manager and other operating system components, as well as other kernel-mode drivers. It can be sent, for example, when a user-mode application has called a Microsoft Win32 function such as ReadDirectoryChangesW or FindNextVolumeMountPoint or when a kernel-mode component has called ZwQueryDirectoryFile.


IRP_MJ_WRITE

The IRP_MJ_WRITE request is sent by the I/O Manager or by a file system driver. This request can be sent, for example, when a user-mode application has called a Microsoft Win32 function such as WriteFile or when a kernel-mode component has called ZwWriteFile.

IRP_MJ_READ

The IRP_MJ_READ request is sent by the I/O Manager or by a file system driver. This request can be sent, for example, when a user-mode application has called a Microsoft Win32 function such as ReadFile, or when a kernel-mode component has called ZwReadFile.

Tuesday, July 28, 2009

The Boot optimization in Windows XP and performance issues


Windows XP Boot Optimization

BootOptimizeFunction

The following registry entries are located under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOptimizeFunction.

"Enable"    

Accepted values for this entry are Y or N.

If the entry is set to Y, Windows automatically optimizes the file location for boot optimization. This optimization occurs automatically if the system is idle for 10 minutes. Boot optimization improves startup time by locating startup files in contiguous clusters on the volume, reducing the movement of the disk head when reading the volume.

A reflection: What might happen if we disable boot optimization.. I don't think anything harmful will happen.. Since this is a performance optimization entry, it might lead to a performance degradation.

"LcnEndLocation"

Stores the logical cluster number (LCN) that specifies the end location of the files moved by Disk Defragmenter for boot optimization.

This is a dynamic value.

"LcnStartLocation"

Stores the LCN that specifies the starting location of the files moved by Disk Defragmenter for boot optimization.

This entry also is a dynamic number.

"OptimizeComplete"

Stores the value that indicates whether the optimize operation is complete.

"OptimizeError  "

Stores an error message if an error was encountered during the optimization process.

Ref: http://technet.microsoft.com/en-us/library/cc784391(WS.10).aspx


Let's hear about boot optimization from Mark Russinovich :-)

"For boot, the prefetcher by default traces from system start through the 30 seconds following the start of the user’s shell (typically Explorer) or, failing that, up through 60 seconds following Windows service initialization or through 120 seconds, whichever comes first."

Ref: Windows Internals 4th Edition.

This is an interesting point.. If boot optimization is enabled, then the prefetcher listens to all the file system operations and records them. This information is later used to create the layout.ini file, which is passed to the defragment utility once every three days to optimize the area.. Now the question is.. if we do not have the prefetch mechanism listening to and logging all the transactions during boot time and otherwise, will that lead to a performance issue.. Ideally it shouldn't..


Now let's refer to the documentation on "Windows Performance" on TechNet.

Ref: http://technet.microsoft.com/en-us/library/bb457057.aspx

Section: Defragmentation

"Once every three days, by default, Windows XP will perform a partial defragmentation and adjust the layout of the disk based upon current use. The files to be moved are written in the file Layout.ini (found in the Prefetch directory under the System Root directory)."

So the file optimization is not done every day.. It's done once every 3 days, when the system is idle.. One more interesting thing about this operation is that it does not perform a full defrag. It only optimizes the files listed in the layout.ini file.

There are additional Prefetch related entries, which in turn are related to the Boot Optimization

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

EnablePrefetcher

Possible Values are (0 = disabled, 1 = Application launch prefetching, 2 = Boot prefetching, 3 = Both prefetching).

Ref: http://www.tomshardware.com/forum/51893-45-boot-defrag


So you may decide, either permanently or for testing, to opt for no prefetching, boot prefetching or both..

What if the prefetch folder is corrupt.. It can add to your worries by slowing down your system further.. If in doubt, delete the prefetch folder once..

http://support.microsoft.com/kb/915163 


Friday, July 24, 2009

An insight into Windows Access Control and DACL


It's been some time since I wrote something.. I wouldn't say I was so busy that I couldn't post even once.. Point no. 1: a bit lazy these days :-) and point 2.. I was a bit busy.. :-)

This time around I will be discussing a bit about Windows access control entries...


Every securable object in Windows has a security descriptor associated with it. The object could be anything from a file to a service.

The built-in Windows sc command has an option to list the security descriptor of a service..

Here is how you can do this..

cmd -> sc sdshow <service_name>

An example would be

sc sdshow wuauserv

where wuauserv is the service name of the Windows Update Agent.

The output of the command would look something like this..

D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)


If you are sure of what you are doing, you may set the security descriptor with

sc sdset <service_name> <security_descriptor>

Note: only do this if you are really sure of what you are doing..

Now let's analyze the output of the sc sdshow wuauserv command.


Format

D:dacl_flags(string_ace1)(string_ace2)(string_ace3).....(string_acen)


D: -> DACL entry (the other possible components are S: -> SACL, O: -> Owner, G: -> Primary Group)


Format of (string_ace1)

(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)

(string_ace1)

(A;;CCLCSWRPLORC;;;AU)

ace_type = A

A - SDDL_ACCESS_ALLOWED

ace_flags = blank here

rights : CCLCSWRPLORC

CC: SDDL_CREATE_CHILD
LC: SDDL_LIST_CHILDREN
SW: SDDL_SELF_WRITE
RP: SDDL_READ_PROPERTY
LO: SDDL_LIST_OBJECT
RC: SDDL_READ_CONTROL

object_guid: blank in this case

inherit_object_guid : blank here


account_sid : AU

AU  - SDDL_AUTHENTICATED_USERS


(string_ace2)

(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)

ace_type = A

A - SDDL_ACCESS_ALLOWED

ace_flags = blank in this case

rights : CCDCLCSWRPWPDTLOCRSDRCWDWO

CC: SDDL_CREATE_CHILD
DC: SDDL_DELETE_CHILD
LC: SDDL_LIST_CHILDREN
SW: SDDL_SELF_WRITE
RP: SDDL_READ_PROPERTY
WP: SDDL_WRITE_PROPERTY
DT: SDDL_DELETE_TREE
LO: SDDL_LIST_OBJECT
CR: SDDL_CONTROL_ACCESS
SD: SDDL_STANDARD_DELETE
RC: SDDL_READ_CONTROL
WD: SDDL_WRITE_DAC
WO: SDDL_WRITE_OWNER

object_guid: blank in this case

inherit_object_guid : blank in this case

account_sid : BA

BA  - SDDL_BUILTIN_ADMINISTRATORS

(string_ace3)


(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)


ace_type = A

A - SDDL_ACCESS_ALLOWED

ace_flags = blank in this case

rights : CCDCLCSWRPWPDTLOCRSDRCWDWO

CC: SDDL_CREATE_CHILD
DC: SDDL_DELETE_CHILD
LC: SDDL_LIST_CHILDREN
SW: SDDL_SELF_WRITE
RP: SDDL_READ_PROPERTY
WP: SDDL_WRITE_PROPERTY
DT: SDDL_DELETE_TREE
LO: SDDL_LIST_OBJECT
CR: SDDL_CONTROL_ACCESS
SD: SDDL_STANDARD_DELETE
RC: SDDL_READ_CONTROL
WD: SDDL_WRITE_DAC
WO: SDDL_WRITE_OWNER

object_guid: blank in this case

inherit_object_guid : blank in this case

account_sid : SY

SY  - SDDL_LOCAL_SYSTEM


It's not always so easy to decipher this.. However, we may write simple scripts to do the same.. :-) Not sure if I will be writing one..
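Added example (my own code, not from the post or from Microsoft): a small Python parser for the sc sdshow string above. It splits the descriptor into its O:/G:/D:/S: components, decodes each ACE field by field the way the post does by hand, annotates each two-letter right with what that bit means on a service object, and flags allow ACEs that hand write-type rights to principals every logged-on user belongs to. WEAK_SDDL is a constructed string for that check; the rights and SID tables follow the MSDN references listed below.

```python
import re
from dataclasses import dataclass

# Two-letter SDDL rights code -> (access-mask bit, generic SDDL name, meaning on a service).
# The third column is what the same bit means when the object is a service ("sc sdshow").
RIGHTS = {
    "CC": (0x00000001, "SDDL_CREATE_CHILD",    "SERVICE_QUERY_CONFIG"),
    "DC": (0x00000002, "SDDL_DELETE_CHILD",    "SERVICE_CHANGE_CONFIG"),
    "LC": (0x00000004, "SDDL_LIST_CHILDREN",   "SERVICE_QUERY_STATUS"),
    "SW": (0x00000008, "SDDL_SELF_WRITE",      "SERVICE_ENUMERATE_DEPENDENTS"),
    "RP": (0x00000010, "SDDL_READ_PROPERTY",   "SERVICE_START"),
    "WP": (0x00000020, "SDDL_WRITE_PROPERTY",  "SERVICE_STOP"),
    "DT": (0x00000040, "SDDL_DELETE_TREE",     "SERVICE_PAUSE_CONTINUE"),
    "LO": (0x00000080, "SDDL_LIST_OBJECT",     "SERVICE_INTERROGATE"),
    "CR": (0x00000100, "SDDL_CONTROL_ACCESS",  "SERVICE_USER_DEFINED_CONTROL"),
    "SD": (0x00010000, "SDDL_STANDARD_DELETE", "DELETE"),
    "RC": (0x00020000, "SDDL_READ_CONTROL",    "READ_CONTROL"),
    "WD": (0x00040000, "SDDL_WRITE_DAC",       "WRITE_DAC"),
    "WO": (0x00080000, "SDDL_WRITE_OWNER",     "WRITE_OWNER"),
    "GA": (0x10000000, "SDDL_GENERIC_ALL",     "GENERIC_ALL"),
    "GW": (0x40000000, "SDDL_GENERIC_WRITE",   "GENERIC_WRITE"),
}
ACE_TYPES = {"A": "SDDL_ACCESS_ALLOWED", "D": "SDDL_ACCESS_DENIED",
             "AU": "SDDL_AUDIT", "AL": "SDDL_ALARM"}
# Well-known SID aliases. "WD" is SDDL_EVERYONE in the SID position but SDDL_WRITE_DAC
# in the rights position: the position inside the ACE decides the meaning.
SIDS = {"AU": "SDDL_AUTHENTICATED_USERS", "BA": "SDDL_BUILTIN_ADMINISTRATORS",
        "SY": "SDDL_LOCAL_SYSTEM", "BU": "SDDL_BUILTIN_USERS", "WD": "SDDL_EVERYONE",
        "IU": "SDDL_INTERACTIVE", "AN": "SDDL_ANONYMOUS", "BG": "SDDL_BUILTIN_GUESTS"}
# Principals every ordinary logged-on user belongs to, and the rights that would let
# such a user change how the service runs or who controls it.
LOW_PRIV = {"AU", "BU", "WD", "IU", "AN", "BG"}
WRITE_RIGHTS = {"DC", "WD", "WO", "GA", "GW"}


@dataclass
class Ace:
    ace_type: str
    ace_flags: str
    rights: list            # two-letter codes in the order they appear
    object_guid: str
    inherit_object_guid: str
    account_sid: str

    @property
    def trustee_name(self):
        return SIDS.get(self.account_sid, self.account_sid)

    def service_rights(self):
        return [RIGHTS[c][2] for c in self.rights if c in RIGHTS]


def parse_rights(text):
    """'CCLCSW' -> ['CC', 'LC', 'SW']; a hex mask like '0x1FF' -> the codes whose bit is set."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
        return [code for code, (bit, _, _) in RIGHTS.items() if mask & bit]
    return [text[i:i + 2] for i in range(0, len(text), 2)]


def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into components; D: and S: become (flags, [Ace, ...]).
    Conditional ACEs (nested parentheses) are not handled."""
    out = {}
    for key, value in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if key in ("O", "G"):
            out[key] = value
            continue
        flags = value.split("(", 1)[0]           # e.g. "PAI" before the first ACE
        aces = []
        for body in re.findall(r"\(([^)]*)\)", value):
            f = body.split(";")
            if len(f) < 6:
                raise ValueError("malformed ACE: (%s)" % body)
            aces.append(Ace(f[0], f[1], parse_rights(f[2]), f[3], f[4], f[5]))
        out[key] = (flags, aces)
    return out


def risky_aces(sddl):
    """Allow ACEs in the DACL that grant write-type rights to low-privilege principals."""
    _flags, aces = parse_sddl(sddl).get("D", ("", []))
    found = []
    for ace in aces:
        if ace.ace_type != "A" or ace.account_sid not in LOW_PRIV:
            continue
        bad = [c for c in ace.rights if c in WRITE_RIGHTS]
        if bad:
            found.append((ace.account_sid, bad))
    return found


# The string the post got from "sc sdshow wuauserv".
WUAUSERV_SDDL = ("D:(A;;CCLCSWRPLORC;;;AU)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)")
# A constructed, deliberately weak descriptor (not from any real system) for the check to flag.
WEAK_SDDL = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCLCSWRPLORC;;;BU)"

if __name__ == "__main__":
    for ace in parse_sddl(WUAUSERV_SDDL)["D"][1]:
        print(ACE_TYPES.get(ace.ace_type), ace.trustee_name, ", ".join(ace.service_rights()))
    print("risky:", risky_aces(WEAK_SDDL))
```

For the wuauserv descriptor the check returns nothing, because only BA and SY hold DC/WD/WO; the constructed WEAK_SDDL shows what a misconfigured service looks like.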

Cheers guys.. Enjoy the weekend..

References:

SID Strings: http://msdn.microsoft.com/en-us/library/aa379602(VS.85).aspx

Security Descriptor Definition Language: http://msdn.microsoft.com/en-us/library/aa379567(VS.85).aspx

Security Descriptor String Format: http://msdn.microsoft.com/en-us/library/aa379570(VS.85).aspx

ACE_HEADER Structure: http://msdn.microsoft.com/en-us/library/aa374919(VS.85).aspx

ACE Strings: http://msdn.microsoft.com/en-us/library/aa374928(VS.85).aspx




Thursday, June 4, 2009

Kidachaaachuuu......... ( Hurrey!!!.. I got it... :-) )


Thursday, May 21, 2009

Nokia 770 Internet Tablet


My friend Phanidra reddy (Phani) is really a gadget geek. He has so many of them already and he keeps buying them so often.

He introduced me to this cool device a couple of weeks back, the NOKIA 770 Internet Tablet.



No, this isn't a mobile phone. It is kind of a Linux-based palmtop..

http://europe.nokia.com/A4145104

The operating system is customized, called OS 2006. I know Phani did load higher versions meant for the 800 family onto this device. Those are not officially supported on this device..

Interface



OS Version in Control Panel



What is there for you in this device:
  • Network aware (WLAN and Bluetooth) configurable mobile Linux device (need anything more!!)
  • A media player (I won't call it state of the art)
  • Decent enough graphics capability
  • MicroSD support, I guess up to 1GB officially.. Phani the great did try a 2GB card and it worked. :-)
  • Coolest thing.. It costs around Rs 7500 (was listed on indiatimes shopping some time back)
  • Options are not really limited as the interfaces are still configurable.. :-) I will leave it to your imagination

P.S.: Dr. Manmohan Singh to be sworn in as the Prime Minister tomorrow.. Guess who is dreaming of driving the railways.. No prizes for guessing.. No Lalu this time.. It is going to be Mamata. :-)

Wednesday, May 20, 2009

Internet Explorer 8: An interesting process handling and memory consumption behaviour


Rejin and I were testing Internet Explorer 8 when we found this interesting behaviour. I decided to dig into it a bit further..

My observations below...

Observation 1:
Opened up an Internet Explorer window; the Task Manager showed me two instances of iexplore.exe running. I understand this is by design and could be attributed to the loosely coupled architecture which enables Internet Explorer 8 to have features like crash recovery.




Observation 2:

Opened up a new tab in the existing window. The number of iexplore.exe processes in the Task Manager became 3.
This again is by design. It ensures that one tab hanging will not make the other sessions hang.





Observation 3:

This is the most interesting part of it. When I closed down the tab that I had just opened, the number of iexplore.exe processes listed in Task Manager did not change. It remained at 3. I couldn't believe that such a straightforward memory leak was possible in a tested product like IE 8.





I decided to test this further: opened up 4 more tabs and ensured that 5 iexplore.exe processes were listed in Task Manager. The next thing I did was close down all the additional tabs, and then I went for a 5-minute coffee break.

Surprisingly enough, when I came back and looked at the Task Manager window, the number of iexplore.exe processes listed was only 2. My initial impression was right, a product like IE8 cannot have a bug as straightforward as this.

During the next trial, I turned on the stop-watch and closely observed the timing of the additional iexplore.exe processes disappearing.. Interestingly enough.. it had a pattern...

The additional iexplore.exe processes were dying off 60 seconds after closing the corresponding tabs. I guess this also has something to do with the session recovery and the new design.. (not really sure)..


Monday, May 18, 2009

Violet Lillies by Mahesh


This man, with a smile mixed with innocence (don't think he is so innocent though!) and fun, has always walked ahead of the crowd. He amused us with Eigen, his indigenous project on signal processing, and showed his vision and organizational talent during our college event Principia.

He was my classmate during my graduation. As a lateral entry guy (one who joins from the 2nd year of an already set batch :)) I was initially asked by the university to write a couple of papers from the year that I missed. Branded as the 'C' expert of the class, Mahesh's name was suggested by many when I asked for advice on the 'C' exam that I had to appear for..

I found him in the library one day and voiced the million dollar question, "Mahesh, which book would you suggest for 'C'?" The answer was a smile and a curious look, with some words following after a 20ms delay: "Valleytta.. (Big Brother, that's how they used to call me), these are just weird concepts (???? what are ???). If you think about the truth of life, you do not really need a book to study 'C'. Everything is very evident."

I was not used to such enlightening words earlier.. So I left the task of searching for the books to my eyes and found 'Let Us C'. From that day, I have been very careful handling this man..

Mahesh alias MRV stories are plenty.. We had many discussions on things that were half practical, but were fun to discuss..

For one who already has a craze for technology, imagine the after-effects of him being afflicted with the bad habit of capturing light.. Mahesh has done reasonable justice to the Canon (or Nikon?) SLR that he owns. (Don't ask him what happened in Bangalore after he tried to fix his tripod and then adjusted the cam to shoot one of the important places. The poor Bangalore police thought he was up to something.)

http://www.flickr.com/photos/maheshravivarma/

Was planning to write a little more.. But time to move for me !!!! :-)

P.S.: Mahesh secured 2nd rank in GATE exam 2009 with a perfect 1000/1000 .. Well done Mahesh !!!

Saturday, May 16, 2009

Nishant's Query on Windows XP basic networking

My friend Nishant asked me if I can help him configure a network between two Windows XP Systems.

I thought I will put down the common things involved in accomplishing such a task.

First let's see if we have the network card drivers loaded for the device. You may right click on the "My Computer" icon and then select "Properties".

Select "Hardware" tab and then select "Device Manager"

See if we have the network card driver loaded by observing whether there is any error or exclamation icon on the network card entry in the listing. If you don't have a network card listed, then it might mean that the device is not enabled in the BIOS or it does not have the proper drivers loaded.

So let's see if everything is fine here.. If you are seeing something like the below without any exclamation mark (yellow) or error mark (red) then that does suggest everything is fine.





The next thing we need to do is to configure the IP or the Internet Protocol

To do this open the "Network Places" by selecting "Open" as shown below.



This will open up the "Network Connections" Window. Here you will find icons and links for all the basic networking related tasks.

Now let's right click the "Local Area Connection" and then select Properties (Note: "Local Area Connection" is the default name for the local area connection :-). I mean.. if you wish, you may rename it to something like "My connection to ISP X")




This will open up the "Local Area Connection Properties" window.

Select "Internet Protocol (TCP/IP)" as shown in the graphic below and click Properties.



Now let's assign the IP address for the system. Since we are configuring our system as a private network (one that is not connected to the internet with a valid public IP) we may use an address from the standard private IP address range, 192.168.100.1 with a netmask of 255.255.255.0.

Note: An IP address of 192.168.100.1 with a mask of 255.255.255.0 means that I am allowed to change only the last octet (if w.x.y.z is the IP address then my last octet is z) to be able to communicate with systems in my local network (provided they too keep their w.x.y the same). If I change my w or x or y then I will require a router to communicate.



Now let's click "OK" as many times as needed and then start verifying the configuration.

Let's open up a command prompt




Now in the newly opened command prompt, let's type the "ipconfig /all" command.

This will show you the ip configuration of the system.




Don't worry about that 0.0.0.0 IP address and the similar mask. Did you notice the entry above it? "Media Disconnected". I don't have the cable connected. Hence the system will not show the IP address even if you have configured it.

So if you have the cable connected you should be able to see the IP address 192.168.100.1 with the 255.255.255.0 mask over here.

Let me walk you through a fantastic command called PING. This helps me understand whether the system is able to reach and communicate with the other system or not (conditional: you need to have the ICMP protocol enabled (enabled by default) and your firewall should not be blocking ping.)

Following two graphics show two PING examples

A ping showing system to be un-reachable



A successful loopback ping



Try pinging your loopback IP 127.0.0.1, then your own IP 192.168.100.1, then 192.168.100.2 once we configure that second IP on the next system.

On the second system we need to repeat all these steps. Make sure you are giving a different IP (192.168.100.2) in the same range on system II





So once we are through we will be able to access the other system and use any services offered, including file and print sharing.

Wednesday, April 1, 2009

System Management Mode


Hello there..

Today while reading through the Intel Architecture Software Developer's Manual Volume 1: Basic Architecture, under section 3.1, I found something really interesting. The section was about the modes of processor operation, viz. protected mode, real mode and system management mode.

I had heard about the first two modes earlier, however the third one was completely new to me. I decided to google a bit on it.

From what I read, System Management Mode is transparent to the operating system and the BIOS uses it quite frequently to keep the system in shape. This would mean that the processor is made to do a lot of hard work besides the work assigned by the operating system. Your thoughts?

Let's read a nice post by Federico Biancuzzi

"As a matter of fact, SMM is routinely used. Operating systems run in protected mode. But operating systems are not meant to be able to
handle very specific hardware events (Real Time Clock-related issues, Thermal sensor signals or other external events, the list is really endless...). In case such an event occurs, the chipset of the system generates a physical interrupt on the motherboard called an SMI (System Management Interrupt). Upon reception of the SMI, the processor will store its entire context and switch to SMM to run the code - which I'll call the SMI handler from now on. By context, I mean most processor registers including control registers, task registers, instruction and stack pointers. It runs the code that has been written by the BIOS or motherboard manufacturer to handle the SMI, that is to handle the hardware-specific event that caused the SMI to be generated in the first place. When the handler runs the assembly language instruction "RSM," the processor will restore its entire context and switch back to protected mode.

So, as far as the operating system is concerned, nothing happened. The operating system did not notice the CPU switching to SMM and back to protected mode. Code execution in SMM is transparent from the operating system point of view.

During normal operation of a PC, SMIs are routinely generated, but neither the operating system nor the end user are aware that they exist and that the CPU is handling them."

This feature has also been exploited by a number of rootkits..

Tuesday, March 31, 2009

Reply to a very old query

There was a query on one of my earlier posts (Reference: Posting on Processes and Threads) asking how a simple 'C' program with no explicit thread-creation statement would behave.

I decided to track all the activities of a simple executable compiled from the code below.. Yes, the first program you ever wrote.. Hello World.

The procmon utility (Sysinternals Process Monitor) captures everything, including the Process Create and Thread Create calls.


Let's examine a very simple 'C' program to explain Windows thread creation and execution.

Consider the following code.

 
#include <stdio.h>
#include <conio.h>   /* MSVC-specific header that provides getch() */

int main(void)
{
    printf("Hello World!\n");

    getch();         /* wait for a keypress so the process stays alive while procmon watches it */
    return 0;
}

 
Now let's see what happens in the background. As you may have observed, even though there is no explicit thread-creation routine in the code snippet, Windows creates a thread and queues it for execution.

So, in short, even a very simple Hello World application will have a thread created.

HelloWorld.exe Process Start 
HelloWorld.exe Thread Create 

HelloWorld.exe Load Image C:\Users\skarunakaran\Desktop\HelloWorld.exe
HelloWorld.exe Load Image C:\Windows\System32\ntdll.dll
HelloWorld.exe Load Image C:\Windows\System32\kernel32.dll
HelloWorld.exe RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HelloWorld.exe RegOpenKey HKLM\COMPONENTS\AssemblyStorageRoots
HelloWorld.exe RegOpenKey HKLM\System\CurrentControlSet\Control\SafeBoot\Option
HelloWorld.exe RegOpenKey HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HelloWorld.exe RegQueryValue HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
HelloWorld.exe RegCloseKey HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
HelloWorld.exe RegOpenKey HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HelloWorld.exe Load Image C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcr90.dll
HelloWorld.exe RegOpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HelloWorld.exe RegOpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HelloWorld.exe RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\MSVCR90.dll
HelloWorld.exe RegOpenKey HKLM\System\CurrentControlSet\Control\Session Manager
HelloWorld.exe RegQueryValue HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
HelloWorld.exe RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ntdll.dll
HelloWorld.exe RegQueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\kernel32.dll
HelloWorld.exe RegOpenKey HKLM\System\CurrentControlSet\Control\Nls\CustomLocale
HelloWorld.exe RegQueryValue HKLM\System\CurrentControlSet\Control\Nls\CustomLocale\en-US
HelloWorld.exe RegCloseKey HKLM\System\CurrentControlSet\Control\Nls\CustomLocale
HelloWorld.exe Thread Exit 
HelloWorld.exe Process Exit 




Monday, March 30, 2009

Our Short and Sweet Trip :-)

                                                              Araku Valley      


The idea of visiting Vizag or Visakhapatnam came naturally to me.. I always loved this place. A hectic life and job in those areas for almost 4 years just couldn't make the place boring for me..

It is really a nice feeling to be at a place after a gap, where you have spent good amount of time ... You start relating things.. You start switching between past and present... You start seeing places in an all new perspective..

It was a short trip for us.. around 4 days..  We tried the new train service Garib Rath for the first time... A real nice experience... We checked in to a hotel named "Orange".. A comfortable stay.. Vizag has some real nice beaches.. And a must-see is a decommissioned submarine put up as a museum... Kailasa Giri (Kailasa Hill) is one hill very close to the sea.. You have a "Rope Way" to go up and a tram service to see around... Real nice view.

One place that topped our "must watch places" list is Araku Valley. The best time to be there is during November-December, when the whole valley appears yellow.. This, I heard, is the best hill station in Andhra, and the next one is Horsley Hills.




Monday, March 16, 2009

I am back :)


It has been quite a long silence. I was indeed busy with a couple of key project deliverables. :-)

I have been doing some reading on Robocopy and other possible data transfer mechanisms for performing bulk data transfers.

Last week I did try booting up and installing "Ubuntu" too..

Will see you guys soon with more posts !!

P.S. I am a much fitter person now :-). I have started getting up early in the morning these days..  And yes !! I am playing badminton too..  See what a change a medical report with a note on high cholesterol can make to a person. :-)

Cheers !!!

 

Monday, February 2, 2009

Do Threads run concurrently ?


I saw this sweet little query on my earlier post related to Processes and Threads.

Thanks for the query :-). My apologies for not making use of the reply option.. I couldn't attach the screenshot I wanted. So here I am.. with a new entry :-)

"At the operating system level there could be many concurrent threads, however at the processor execution level it is dependent on your architecture. HYPER THREADED ??   MULTI CORE ??? MULTI CORE HYPER THREADED ??"

Let me try to explain this a bit.

The first thing I did after reading the query was hit Ctrl + Shift + Esc to bring up Task Manager. I wanted a small screenshot for the purpose..

The Snipping Tool in Vista is cool.. Sitting on my XP system I really miss it. (The Snipping Tool makes taking a screenshot much easier.... No more Alt + Print Screen, mspaint and stuff.. Try it.. there is a high chance that you will like it.)


(Task Manager screenshot showing the system thread count: 787)

Referring to the above Task Manager entry, the current thread count is 787.

Now.. if my understanding is correct, not all of them are in the "Running" state. The other possible states for a thread are:

Aborted
AbortRequested
Background
Stopped
StopRequested
Suspended
SuspendRequested
Unstarted
WaitSleepJoin

Ref : msdn.microsoft.com/en-us/library/system.threading.threadstate(VS.80).aspx


 
At the hardware level, it is your processor that performs all the execution for you. Refer to my earlier post on multi-core CPUs: if the processor is dual core it will run two threads concurrently; if it is quad core, the number will be 4.

How do we account for the mismatch then?

787 - (some suspended / currently not running threads) is not 2 in any way (I have a dual core system).

This is where the scheduler comes into the picture.. All threads are time-shared, and most of them appear to be running concurrently... The scheduler makes sure that all the threads get attention from the processor based on their assigned priority..


More on scheduling soon !!!!

BTW, a query to the one who posted this query.. Do we know each other :-)
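A way to see both points for yourself: that the HelloWorld.exe from the procmon trace in the "Reply to a very old query" post has a thread even while it sits in getch(), and that of the 787 threads on this box only a handful are actually Running at any instant. This is an added example, not code from either original post; it assumes Windows PowerShell 3.0 or later and needs no elevation.

```powershell
# Added example (not from the original posts): tally every thread on this machine
# by its kernel scheduler state and compare with the number of logical processors.
# Assumes Windows PowerShell 3.0+; read-only, no elevation required.
function Get-ThreadStateSummary {
    # Get-Process exposes every process's threads as System.Diagnostics.ProcessThread objects
    $threads = @(Get-Process | ForEach-Object { $_.Threads })

    # Scheduler state of each thread: Running, Ready, Wait, Standby, Transition, ...
    $byState = $threads | Group-Object -Property ThreadState | Sort-Object -Property Count -Descending

    # For threads in the Wait state, WaitReason says what they are blocked on
    $waitReasons = $threads | Where-Object { $_.ThreadState -eq 'Wait' } |
        Group-Object -Property WaitReason | Sort-Object -Property Count -Descending

    [PSCustomObject]@{
        LogicalProcessors = [Environment]::ProcessorCount
        TotalThreads      = $threads.Count
        # At most one thread per logical processor can be Running at any instant
        Running           = @($threads | Where-Object { $_.ThreadState -eq 'Running' }).Count
        ByState           = ($byState | ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }) -join ', '
        TopWaitReasons    = ($waitReasons | Select-Object -First 3 |
                             ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }) -join ', '
    }
}

# Thread count and states of one named process, e.g. HelloWorld (no .exe) while it waits in getch()
function Get-ProcessThreadInfo {
    param([Parameter(Mandatory = $true)][string]$Name)
    foreach ($p in Get-Process -Name $Name -ErrorAction Stop) {
        [PSCustomObject]@{
            Process     = $p.ProcessName
            Id          = $p.Id
            ThreadCount = $p.Threads.Count
            States      = ($p.Threads | ForEach-Object { $_.ThreadState }) -join ', '
        }
    }
}

Get-ThreadStateSummary | Format-List
Get-ProcessThreadInfo -Name HelloWorld
```

On a dual-core machine the Running bucket will never exceed 2 (and one of those is usually the PowerShell thread taking the sample); nearly everything else sits in Wait, which is the scheduler at work. Note that the states reported here are the kernel scheduler states (System.Diagnostics.ThreadState), not the managed System.Threading.ThreadState values in the MSDN list above, which describe .NET threads from the runtime's point of view.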


 

Friday, January 30, 2009

Processes and Threads

Whenever we turn the pages of a book written on the Microsoft Windows operating system, or read through web sites explaining the same, we always get to hear these terms.. Processes.. Threads?

Let me start with a question.. Can processes RUN? My view is, they can't. :-)

Let's look at the definition of the term Process provided in the Windows Server 2003 Resource Kit help.

Process

A process is a running instance of an application or executable file, along with all the system resources that have been allocated to that instance. In general, a process is equivalent to a single application or service; for example, Microsoft Word runs in the Winword.exe process.
 

Thread

Each process is composed of a set of threads. A thread is a unit of work that runs simultaneously with other units of work on the computer; each process must have at least one thread.

Threads represent the basic unit of execution in an operating system. When a thread starts, the operating system Memory Manager allocates enough physical memory and page file space to allow the thread to run. While a thread is running, it can request additional memory to enable it to complete its task. When a thread ends, it releases the memory it was using back to the Memory Manager for reallocation.

So it's the thread that runs.. :-)

WINSXS directory in Windows Vista: What is it and why is it so large?

Of the many blogs I read daily, the Core Team Blog really interests me.

The article below on WinSxS explains a lot about the Vista changes.

You may read the full article @ http://blogs.technet.com/askcore/archive/2008/09/17/what-is-the-winsxs-directory-in-windows-2008-and-windows-vista-and-why-is-it-so-large.aspx

My effort here is to capture some core points:
  • Vista is no longer an INF-described OS. It uses componentization.
  • A component in Windows is one or more binaries, a catalog file, and an XML file that describes everything about how the files should be installed.
  • All of the components in the operating system are found in the WinSxS folder. The WinSxS folder is quite often called the Component Store.
  • The WinSxS folder is the only location where the component is found on the system; all other instances of the files that you see on the system are “projected” by hard linking from the component store.
  • There is only one instance (or full data copy) of each version of each file in the OS, and that instance is located in the WinSxS folder.
  • Looked at from that perspective, the WinSxS folder is really the entirety of the whole OS.
The bulleted points above explain why the folder is big initially. Further, the article explains why the folder grows with time.
  • In previous versions of Windows the atomic unit of servicing was the file; in Windows Vista it’s the component.
  • When Microsoft updates a particular binary, they release a new version of the whole component, and that new version is stored alongside the original one in the component store.
  • The higher version of the component is projected onto the system, but the older version in the store isn’t touched.
  • This is the reason the component store grows so large.
  • Not every component in the component store is applicable, meaning that not every component should be projected onto the system. For example, on systems where IIS is available but has not been installed, the IIS components are present in the store, but not projected into any location on the system where they might be used.
  • So a single post-SP1 GDR package that contains an update to one component will end up installing four versions of that component in the WinSxS folder.

Why are the older components not removed from the component store?
  • The reason for this is to make the system more reliable.
  • The component store, along with other information on the system, allows us to determine at any given time what the best version of a component to project is.
  • That means that if you uninstall a security update we can install the next highest version on the system – we no longer have an “out of order uninstall” problem.
Still, I am short of space.. Can I reduce the size of this folder?
  • The only way to safely reduce the size of the WinSxS folder is to reduce the set of possible actions that the system can take – the easiest way to do that is to remove the packages that installed the components in the first place.
  • This can be done by uninstalling superseded versions of packages that are on your system.
  • Service Pack 1 contains a binary called VSP1CLN.EXE, a tool that will make the Service Pack package permanent (not removable) on your system, and remove the RTM versions of all superseded components.

Reusing the words of Joseph, the author of this article, to conclude: "So yes, the WinSXS folder is very large, and it will continue to grow as the OS ages."


PS: The C:\Windows\winSxS folder on my Vista system is 5.6 GB :-)
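The "projected by hard linking" point can be checked directly: every file under System32 that lives in the component store has a second name in WinSxS, and both names refer to the same data on disk. The check below is an added example, not code from the Core Team article or from this post; it assumes Windows Vista or later with fsutil.exe available and is best run from an elevated prompt.

```powershell
# Added example (not from the Core Team article or the original post): show that
# a file under System32 is a hard link to the copy held in the WinSxS component
# store. Assumes Windows Vista or later and fsutil.exe; run from an elevated prompt.
function Get-ComponentStoreLinks {
    param([string]$Path = "$env:SystemRoot\System32\kernel32.dll")

    $item  = Get-Item -Path $Path
    $drive = $item.PSDrive.Name

    # fsutil prints every hard link name of the file, one per line, without the drive letter
    $links = @(fsutil hardlink list $Path | Where-Object { $_ -match '^\\' })

    foreach ($link in $links) {
        [PSCustomObject]@{
            File      = $item.Name
            LinkPath  = "${drive}:$link"
            InWinSxS  = ($link -like '*\winsxs\*')
            LinkCount = $links.Count
            SizeBytes = $item.Length   # the same bytes are behind every link
        }
    }
}

Get-ComponentStoreLinks | Format-Table -AutoSize
```

Because Explorer adds up the size of every link it walks, the 5.6 GB shown for WinSxS includes bytes that are also counted under System32 and elsewhere; the folder is large, but not quite as large as the property sheet suggests.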

What are the differences between Windows Updates, Automatic Updates, and Microsoft Updates?


I always get confused between Windows Update, Microsoft Update and Automatic Updates. Today we (Rejin, Vipin and I) had a small debate on this.. It helped.. It helped add to the confusion.. :-)

I googled it for some time and landed on this document. Even though it is not very elaborate, the following MS article explains it a bit.

http://www.microsoft.com/windows/downloads/windowsupdate/FAQ.mspx

An excerpt below:

"While Windows Update provides you with updates specifically for Windows, Microsoft Update expands the service to download and install updates for other Microsoft software, such as Microsoft Office and Windows Live. Automatic updating is a feature that allows you to set your PC to automatically download and install updates using either service, making it easy and convenient for you to keep your Windows PC current. "

In short:

Windows Update: manual; the user needs to browse to the site.
Microsoft Update: manual; allows additional updates (Office, Windows Live).
Automatic Updates: automatic. Can download from an intranet WSUS server or from Microsoft's servers.

To check how Automatic Updates is configured, look at the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

UseWUServer  REG_DWORD  1

If this value is 1, the client points to an intranet server; if it is 0, it points to Microsoft's servers for downloads.

The internal servers are defined at

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

WUServer        REG_SZ  http://yourservername/
WUStatusServer  REG_SZ  http://yourservername/
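The three values above can be read together to answer "where does this machine get its updates from?" in one go. The function below is an added example, not part of the original post or of any Microsoft tool; it assumes Windows PowerShell 3.0 or later and only reads the registry.

```powershell
# Added example (not from the original post): report where Automatic Updates on
# this machine is pointed, by reading the policy values listed above. Assumes
# Windows PowerShell 3.0+; read-only, no elevation needed.
function Get-AutomaticUpdateSource {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = "$policyKey\AU"

    # Each value is optional; a missing value simply reads back as $null
    $useWu  = (Get-ItemProperty -Path $auKey -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    $server = (Get-ItemProperty -Path $policyKey -Name WUServer -ErrorAction SilentlyContinue).WUServer
    $status = (Get-ItemProperty -Path $policyKey -Name WUStatusServer -ErrorAction SilentlyContinue).WUStatusServer

    if ($useWu -eq 1 -and $server) {
        $source = "Intranet WSUS server $server (status reports go to $status)"
    } elseif ($useWu -eq 1) {
        # Policy says "use the intranet server" but none is named: update scans will fail
        $source = 'UseWUServer=1 but WUServer is empty; update scans will fail'
    } else {
        $source = 'Microsoft servers (Windows Update / Microsoft Update)'
    }

    # A WSUS URL over plain http:// is worth changing to https://, since the client's
    # conversation with the server is otherwise in the clear on the network
    $usesTls = [bool]($server -and ($server -like 'https://*'))

    [PSCustomObject]@{
        UseWUServer     = $useWu
        WUServer        = $server
        WUStatusServer  = $status
        WUServerUsesTls = $usesTls
        Source          = $source
    }
}

Get-AutomaticUpdateSource | Format-List
```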

Cloud Computing..


This afternoon my friend Binoy called me up and asked about Cloud Computing. I was taken by surprise by the question. Even though I had heard about it many times, I couldn't explain it properly.

When I came back to my desk, the first thing I did was google Cloud Computing..

The explanations are messy in most of the documents and, to be very frank, I am still reading docs to get a clear picture.

To my understanding, in Cloud Computing architecture:

1. You have a minimal configuration system with good enough internet connectivity.
2. You do everything else on internet. Be it document creation, mail and everything.
3. You effectively pay for the hardware and the services you use..

Now I am ready to take the blame if any of these statements are wrong. This is rather a premature document.

http://virtualization.sys-con.com/node/632257
http://webtrends.about.com/od/enterprise20/a/cloud-computing.htm
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9006439

Monday, January 26, 2009

Task Manager - A detailed Analysis


I have been on a date the whole day... Yes... A date with Windows Task Manager.. 

My effort here is to list out some simple terms that I read really carefully today, because I had very little room for a misunderstanding today.. We hear these terms day after day.. yet we forget..

Let's run through the important Task Manager terms.

First, open up Task Manager. How?

Ctrl+Shift+Esc, OR Ctrl+Alt+Del and select Task Manager, OR right-click on the taskbar and select Task Manager, OR Start -> Run -> taskmgr

Click on the Processes tab in Task Manager and select the columns referenced below (View -> Columns).

Processes tab columns

CPU Time: The total processor time, in seconds, used by the process since it was started.
CPU Usage: The percentage of time the threads of the process used the processor since the last update.
Memory Usage (Working Set): The amount of main memory, in kilobytes, used by the process.
Memory Usage Delta: The change in memory use, in kilobytes, since the last update. Unlike System Monitor, Task Manager displays negative values.
Nonpaged Pool: The amount of memory, in kilobytes, used by a process. Operating system memory that is never paged to disk. Paging is the moving of infrequently used parts of a program's working memory from RAM to another storage medium, usually the hard disk.
Paged Pool: The amount of system-allocated virtual memory, in kilobytes, used by a process. The paged pool is virtual memory available to be paged to disk. Paging is the moving of infrequently used parts of a program's working memory from RAM to another storage medium, usually the hard disk. The paged pool includes all of user memory and a portion of system memory.
Peak Memory Usage: The peak amount of physical memory resident in a process since it started.
Virtual Memory Size (Private Bytes): The amount of virtual memory, or address space, committed to a process.


Reference: http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/prork/preb_mon_nbcl.mspx?mfr=true


IPv6 Address configurations

Just thought of summarizing some key points about IPv6 ( Internet Protocol Version 6 ).

Key points about IPv6

  • It has been designed to replace the age-old, reliable IPv4.
  • IPv4 has been very good and has done its job.. It just can't take the current load.
  • IPv6 is efficient and more secure.

Let me start by asking you guys a question: how do we assign an IPv6 address? Read on :-)

Address configuration

Stateful address configuration:

  • Address configuration with DHCP.

Stateless address configuration:

  • Hosts automatically configure themselves.
  • Addresses are derived from prefixes advertised by local routers.
  • The presence of a router is not mandatory.

IPv4 had the concepts of unicast, broadcast and multicast. For unicast and multicast the explanation remains the same; there is no broadcast as such in IPv6. Good news.. :-) Less network chaos..

Address types

Unicast addresses

A unicast address identifies a single interface. The following types of addresses are unicast IPv6 addresses:

Global unicast addresses
  • Equivalent to public IPv4 addresses.
  • Globally routable and reachable on the IPv6 portion of the Internet.
  • The three high-order bits are set to 001. The address prefix for currently assigned global addresses is 2000::/3.

Local-use unicast addresses

There are two types of local-use unicast addresses:

Link-local addresses
  • Automatically configured.
  • Always begin with FE80.
  • Comparable to IPv4 APIPA (Automatic Private Internet Protocol Addressing).
  • The scope of a link-local address is the local link.

Site-local addresses
  • Equivalent to the IPv4 private address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).
  • Not routed on the Internet.
  • A site is an organization's network, or a portion of it, that has a defined geographical location (such as an office, an office complex, or a campus).
  • Not automatically configured. Must be assigned either through stateless or stateful address configuration processes.
  • Always begin with FEC0.

Unique local IPv6 unicast addresses
  • Designed to replace site-local addresses with an address that is private to an organization, yet unique across all of the sites of the organization.
  • All unique local addresses have the address prefix FC00::/7.
  • Unique local addresses have a global scope, but their reachability is defined by routing topology.
  • Organizations will not advertise their unique local address prefixes outside of their organizations or create DNS AAAA entries with unique local addresses in the Internet DNS.

Special addresses

Unspecified address
  • The unspecified address (0:0:0:0:0:0:0:0 or ::) is only used to indicate the absence of an address.
  • Equivalent to the IPv4 unspecified address of 0.0.0.0.
  • The unspecified address is never assigned to an interface or used as a destination address.

Loopback address
  • The loopback address (0:0:0:0:0:0:0:1 or ::1) is used to identify a loopback interface, enabling a node to send packets to itself.
  • Equivalent to the IPv4 loopback address of 127.0.0.1.

Compatibility addresses

IPv4-compatible address
  • The IPv4-compatible address, 0:0:0:0:0:0:w.x.y.z or ::w.x.y.z (where w.x.y.z is the dotted decimal representation of an IPv4 address), is used by IPv6/IPv4 nodes that are communicating using IPv6.
  • When the IPv4-compatible address is used as an IPv6 destination, the IPv6 traffic is automatically encapsulated with an IPv4 header and sent to the destination using the IPv4 infrastructure.

IPv4-mapped address
  • The IPv4-mapped address, 0:0:0:0:0:FFFF:w.x.y.z or ::FFFF:w.x.y.z, is used to represent an IPv4-only node to an IPv6 node.
  • It is used only for internal representation.
  • The IPv4-mapped address is never used as a source or destination address of an IPv6 packet.

6to4 address
  • The 6to4 address is used for communicating between two nodes running both IPv4 and IPv6 over an IPv4 routing infrastructure.
  • The 6to4 address is formed by combining the prefix 2002::/16 with the 32 bits of a public IPv4 address, forming a 48-bit prefix.

Multicast addresses
  • In IPv6, multicast traffic operates in the same way that it does in IPv4.
  • Always begins with FF.
  • Multicast addresses cannot be used as source addresses or as intermediate destinations in a Routing extension header.

Solicited-node address
  • Replaces the IPv4 ARP mechanism.
  • The solicited-node address facilitates the efficient querying of network nodes during address resolution.
  • The solicited-node multicast address is comprised of the prefix FF02::1:FF00:0/104 and the last 24 bits of the IPv6 address that is being resolved.
  • By using the solicited-node address, very few nodes are disturbed during address resolution.

Anycast addresses
  • An anycast address is assigned to multiple interfaces.
  • Packets addressed to an anycast address are forwarded by the routing infrastructure to the nearest interface to which the anycast address is assigned.
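The address types above are all recognisable from their leading bits, and the solicited-node address is a fixed prefix plus the last 24 bits of the address being resolved. The function below puts both rules into code: it classifies any IPv6 address into the categories of this post and derives its solicited-node multicast address. This is an added example, not from the original post; it uses only System.Net.IPAddress from .NET, and the sample addresses at the bottom are constructed from documentation ranges (2001:db8::/32, 192.0.2.0/24).

```powershell
# Added example (not from the original post): classify an IPv6 address into the
# types listed above and compute its solicited-node multicast address.
# Uses only System.Net.IPAddress; sample addresses below are constructed.
function Get-IPv6AddressType {
    param([Parameter(Mandatory = $true)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    $b = $ip.GetAddressBytes()          # 16 bytes, most significant first

    # Helper: are bytes $from..$to all zero?
    $zero = { param($from, $to) (@($b[$from..$to] | Where-Object { $_ -ne 0 }).Count -eq 0) }

    $embedded = $null                   # IPv4 address carried inside the IPv6 address, if any
    if (& $zero 0 15)                                                 { $type = 'Unspecified (::)' }
    elseif ((& $zero 0 14) -and $b[15] -eq 1)                         { $type = 'Loopback (::1)' }
    elseif ((& $zero 0 9) -and $b[10] -eq 0xFF -and $b[11] -eq 0xFF)  { $type = 'IPv4-mapped (::FFFF:w.x.y.z)'; $embedded = $b[12..15] }
    elseif (& $zero 0 11)                                             { $type = 'IPv4-compatible (::w.x.y.z)'; $embedded = $b[12..15] }
    elseif ($b[0] -eq 0xFF) {
        # Solicited-node addresses are FF02::1:FFxx:xxxx, i.e. prefix FF02::1:FF00:0/104
        $snPrefix = @(0xFF, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0xFF)
        $type = if (($b[0..12] -join ',') -eq ($snPrefix -join ',')) { 'Solicited-node multicast' } else { 'Multicast (FF00::/8)' }
    }
    # Link-local is really FE80::/10 (FE80 to FEBF), site-local FEC0::/10 (FEC0 to FEFF)
    elseif ($b[0] -eq 0xFE -and ($b[1] -band 0xC0) -eq 0x80)          { $type = 'Link-local unicast (FE80::/10)' }
    elseif ($b[0] -eq 0xFE -and ($b[1] -band 0xC0) -eq 0xC0)          { $type = 'Site-local unicast (FEC0::/10, deprecated)' }
    elseif (($b[0] -band 0xFE) -eq 0xFC)                              { $type = 'Unique local unicast (FC00::/7)' }
    elseif ($b[0] -eq 0x20 -and $b[1] -eq 0x02)                       { $type = '6to4 (2002::/16)'; $embedded = $b[2..5] }
    elseif (($b[0] -band 0xE0) -eq 0x20)                              { $type = 'Global unicast (2000::/3)' }
    else                                                              { $type = 'Reserved / unassigned' }

    # Solicited-node = FF02::1:FF + low 24 bits; only meaningful for unicast/anycast targets
    $solicited = $null
    if ($type -like '*unicast*' -or $type -like '6to4*') {
        $sn = [byte[]](@(0xFF, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0xFF) + @($b[13], $b[14], $b[15]))
        $solicited = (New-Object System.Net.IPAddress -ArgumentList (,$sn)).ToString()
    }

    $embeddedIPv4 = $null
    if ($embedded) {
        $embeddedIPv4 = (New-Object System.Net.IPAddress -ArgumentList (,[byte[]]$embedded)).ToString()
    }

    [PSCustomObject]@{
        Address       = $ip.ToString()
        Type          = $type
        EmbeddedIPv4  = $embeddedIPv4
        SolicitedNode = $solicited
    }
}

# Constructed sample addresses, one per type (documentation ranges only)
'::', '::1', 'fe80::1ff:fe23:4567:890a', 'fec0::1', 'fd12:3456:789a::1',
'2001:db8::1', '2002:c000:201::1', '::ffff:192.0.2.1', 'ff02::1', 'ff02::1:ff67:890a' |
    ForEach-Object { Get-IPv6AddressType $_ } | Format-Table -AutoSize
```

The link-local sample fe80::1ff:fe23:4567:890a and the multicast sample ff02::1:ff67:890a are deliberately paired: the second is exactly the solicited-node address the function derives for the first, which is the group a node joins so that neighbour solicitations for it reach only the few hosts sharing those low 24 bits.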

What I heard from Anirban today


We (Anirban and I) always engage in small discussions on life.. sports (I remain a listener most of the time)... music.. and stuff like that..

This is what he said today.. And I immediately liked it...

"You should never make a decision when you are angry nor should you make a promise when you are very happy."

Wednesday, January 21, 2009

How to enable user environment debug logging in retail builds of Windows

To troubleshoot user logon and Group Policy issues, enabling tracing of logon activity is helpful.

Make the following changes to enable tracing.

Use Registry Editor to add or to modify the following registry entry:
Subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 10002 (Hexadecimal)
UserEnvDebugLevel can have the following values:
NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002
LOGFILE 0x00010000
DEBUGGER 0x00020000
The default value is NORMAL|LOGFILE (0x00010001).

Note To disable logging, select NONE (0x00000000).

You can combine these values. For example, you can combine VERBOSE 0x00000002 and LOGFILE 0x00010000 to get 0x00010002. Therefore, if UserEnvDebugLevel is given a value of 0x00010002, LOGFILE and VERBOSE are both turned on. Combining these values is the same as using an OR statement.
0x00010000 OR 0x00000002 = 0x00010002
Note If you set UserEnvDebugLevel to 0x00030002, the most verbose details are logged in the Userenv.log file.

The log file is written to the %Systemroot%\Debug\UserMode\Userenv.log file. If the Userenv.log file is larger than 300 KB, the file is renamed Userenv.bak, and a new Userenv.log file is created. This action occurs when a user logs on locally or by using Terminal Services, and the Winlogon process starts. However, because the size check only occurs when a user logs on, the Userenv.log file may grow beyond the 300 KB limit.

The 300 KB limit cannot be modified.
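The flag values above combine with a bitwise OR and can be split apart again with a bitwise AND, which is easy to get wrong when typing hex into Registry Editor by hand. The helpers below encode and decode UserEnvDebugLevel by flag name and write it to the Winlogon key named above. This is an added example, not from the original post; it assumes Windows PowerShell 3.0 or later and an elevated prompt for the write.

```powershell
# Added example (not from the original post): encode and decode the
# UserEnvDebugLevel bit flags, and a helper that writes the value. Assumes
# Windows PowerShell 3.0+ and an elevated prompt for Set-UserEnvDebugLevel.
$UserEnvFlags = [ordered]@{
    NORMAL   = 0x00000001
    VERBOSE  = 0x00000002
    LOGFILE  = 0x00010000
    DEBUGGER = 0x00020000
}

# Combine flag names into the DWORD (bitwise OR)
function ConvertTo-UserEnvDebugLevel {
    param([string[]]$Flags)
    $value = 0
    foreach ($name in $Flags) {
        $key = $name.ToUpper()
        if (-not $UserEnvFlags.Contains($key)) { throw "Unknown flag: $name" }
        $value = $value -bor $UserEnvFlags[$key]
    }
    return $value
}

# Split a DWORD back into flag names (bitwise AND against each bit)
function ConvertFrom-UserEnvDebugLevel {
    param([int]$Value)
    if ($Value -eq 0) { return 'NONE' }
    $names = foreach ($entry in $UserEnvFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
    return ($names -join '|')
}

# Write the value to the Winlogon key listed above (requires elevation)
function Set-UserEnvDebugLevel {
    param([string[]]$Flags = @('VERBOSE', 'LOGFILE'))
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = ConvertTo-UserEnvDebugLevel $Flags
    Set-ItemProperty -Path $key -Name UserEnvDebugLevel -Value $value -Type DWord
    'UserEnvDebugLevel = 0x{0:X8} ({1})' -f $value, (ConvertFrom-UserEnvDebugLevel $value)
}

# Decode the two values discussed above: the recommended 0x00010002 and the most verbose 0x00030002
ConvertFrom-UserEnvDebugLevel 0x00010002
ConvertFrom-UserEnvDebugLevel 0x00030002
# Encode by name instead of remembering the hex
'0x{0:X8}' -f (ConvertTo-UserEnvDebugLevel @('VERBOSE', 'LOGFILE', 'DEBUGGER'))
```

Userenv.log is produced by userenv.dll on Windows 2000, XP and Server 2003; Windows Vista and later moved Group Policy processing into the Group Policy service, which logs to the Group Policy operational event log instead, so this value has no effect there.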

Windows XP SP3 and IE7 - The uninstallation puzzle


Case 1: You have IE7 on XP SP2. Install XP SP3 on top of it. You will not be able to uninstall IE7 and revert to IE6 unless you uninstall XP SP3.

Case 2: You have IE6 on XP SP2. Install XP SP3. Then install IE7. If this order is followed, IE7 can be uninstalled and reverted to IE6 without uninstalling SP3.

Below is an excerpt from IE Blog:

"If you choose to install XPSP3, Internet Explorer 7 will remain on your system after the install is complete. Your preferences will be retained. However, you will no longer be able to uninstall IE7. If you go to Control Panel->Add/Remove Programs, the Remove option will be grayed out.

This behavior is by design and here is why. When we install IE7 on Windows XP SP2, we backup the existing IE6 files in an uninstall directory.  Those IE6 files are the ones that shipped on XPSP2 plus all the security updates you’ve installed while using IE6. Windows XP SP3 contains a newer version of the Internet Explorer 6 files. If you have XPSP3 on your system and uninstall IE7, your system would revert to the backed up (older) version of the IE6 files rather than the newer XPSP3 version. You would end up in a mixed file state in Windows where most files would be the upgraded XPSP3, except for the IE6 files restored when uninstalling IE7. This state is not supported and is very bug prone. To ensure a reliable user experience, we prevent this broken state by disabling the ability to uninstall Internet Explorer 7.

If you must uninstall IE7 after you have upgraded to XPSP3, then you have to first uninstall XPSP3, and then uninstall IE7. After this series of uninstalls, you will be reverted back to a XPSP2, and a stable version of IE6, so feel free to upgrade to XPSP3 again.

If you install IE7 after you install XPSP3, then you will be able to uninstall IE7 at any point and be reverted to the newer IE6 version that ships in XPSP3. The restriction on uninstalling only applies to when you install a Windows Service Pack release on top of a standalone IE release.

Keeping this in mind, you might want to uninstall IE7, upgrade to XPSP3 and then install IE7 again so you can uninstall IE7 in the future if need be."

http://blogs.msdn.com/ie/archive/2008/05/05/ie-and-xpsp3.aspx


 


Autorun Vulnerability. Are we really safe ?


If the latest National Cyber Alert System document from US-CERT is to be believed, the W32.Downadup worm issue is even more serious, as the Microsoft workaround of disabling Autorun through the registry does not disable it completely.

An excerpt from the document is provided below:

Impact
By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.

Solution

Disable AutoRun in Microsoft Windows

To effectively disable AutoRun in Microsoft Windows, import the following registry value:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
To import this value, perform the following steps:

Copy the text
Paste the text into Windows Notepad
Save the file as autorun.reg
Navigate to the file location
Double-click the file to import it into the Windows registry
Microsoft Windows can also cache the AutoRun information from mounted devices in the MountPoints2 registry key. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take.


I haven't personally tested any of these workarounds. I will add more here as I dig into this.
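Before trusting either workaround, it is worth verifying what is actually set on a machine. The read-only check below looks at the IniFileMapping value from the US-CERT note, the cached MountPoints2 entries it mentions, and, for comparison, the NoDriveTypeAutoRun policy value that the Microsoft registry workaround sets. This is an added example, not from the US-CERT note or from this post; it assumes Windows PowerShell 3.0 or later and changes nothing.

```powershell
# Added example (not from the US-CERT note or the original post): a read-only
# check of the Autorun settings discussed above. Assumes Windows PowerShell 3.0+.
# NoDriveTypeAutoRun is the Explorer policy bitmask that the Microsoft workaround
# sets; 0xFF disables AutoRun for every drive type.
function Test-AutorunMitigation {
    $iniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $mountKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

    # US-CERT mitigation: the (default) value redirects Autorun.inf parsing to a key that does not exist
    $mapping = (Get-ItemProperty -Path $iniMapKey -ErrorAction SilentlyContinue).'(default)'

    # Microsoft workaround: NoDriveTypeAutoRun bitmask under the Explorer policy key
    $noDrive = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $noDriveText = '(not set)'
    if ($null -ne $noDrive) { $noDriveText = '0x{0:X2}' -f $noDrive }

    # Cached per-device entries that may still carry AutoRun data until the next restart
    $cached = 0
    if (Test-Path -Path $mountKey) {
        $cached = @(Get-ChildItem -Path $mountKey -ErrorAction SilentlyContinue).Count
    }

    [PSCustomObject]@{
        IniFileMappingValue = $mapping
        IniFileMappingSet   = ($mapping -eq '@SYS:DoesNotExist')
        NoDriveTypeAutoRun  = $noDriveText
        AllDrivesDisabled   = ($noDrive -eq 0xFF)
        CachedMountPoints   = $cached
    }
}

Test-AutorunMitigation | Format-List
```

IniFileMappingSet being true is the condition the US-CERT note describes as fully mitigating the Autorun.inf scenarios; a non-zero CachedMountPoints count after setting it is the reason the note recommends a restart (or deleting the MountPoints2 key) so that already-seen devices are re-evaluated under the new mapping.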

References :

http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html

Nick Brown's blog: Memory stick worms - <http://nick.brown.free.fr/blog/2007/10/memory-stick-worms>