How I’d Hack Your Weak Passwords (John Pozadzides/Lifehacker)

April 8, 2010

Internet standards expert, CEO of web company iFusion Labs, and blogger John Pozadzides knows a thing or two about password security—and he knows exactly how he’d hack the weak passwords you use all over the internet.

Note: This isn’t intended as a guide to hacking *other people’s* weak passwords. Instead, the aim is to help you better understand the security of your own passwords and how to bolster that security.

Read more at source …


Registry – An Explanation of W2K8R2 Registry

March 1, 2010

The registry is essentially a hierarchical database – at the top level we see a collection of HKEY objects …

  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS
  • HKEY_CURRENT_CONFIG

Clicking on the marker to the left of any of these items will expand it and show the keys underneath – much like browsing a folder structure through Explorer.

A common mistake when discussing the registry is to call the things we assign data to “keys” – those are values.

If a key is analogous to a FOLDER on disk, then a value is a FILE (and actually holds data).

The keys are just containers, forming part of the path to one or more values.

Keys have no type, they just “are”, whereas values can be of the following types:

  • String Value (REG_SZ)
  • Binary Value (REG_BINARY)
  • DWORD (32-bit) Value (REG_DWORD)
  • QWORD (64-bit) Value (REG_QWORD, 64-bit Windows only)
  • Multi-String Value (REG_MULTI_SZ)
  • Expandable String Value (REG_EXPAND_SZ)

NOTE: When querying the registry, the type of the value must match or we get no result, so when you are following a summary of details for adding a value manually, make sure you use the correct type.

Each key has an unnamed REG_SZ value when it is created, which cannot be renamed or deleted – this is displayed as “(Default)” in the Registry Editor but is referenced with a null name.
(If you look at an exported .reg file of a key where the “(Default)” value has been given “xyz”, you will see under the key: @="xyz".)

If you have ever used Process Monitor to log registry I/O for troubleshooting, there are a few things to be aware of regarding the Result field…

“NAME NOT FOUND” is not always an error – code often probes for the existence of a value in order to decide how it will behave next; if there is no such value (producing a result that looks like an error), the code assumes the default behaviour, whatever that may be.

“BUFFER OVERFLOW” is also not an error, despite the prevalence of “buffer overflow exploits” by malware. In this context we are querying the registry for the data held in a value which does not have a fixed length, so on the first query we say our buffer is zero characters long – the registry API will report “you don’t have enough space to hold this data” (buffer overflow) and how many characters you are short. The call can then be made again with a buffer exactly the right size to hold the data – thus avoiding the potential for overflowing the buffer.
Ref: MSDN ZwQueryValueKey API
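The two-call query described above, and the null-named “(Default)” value mentioned earlier, as an added example (not the original post's code) driven through RegQueryValueExW via P/Invoke; the key and value name in the final call are a well-known REG_SZ chosen only for illustration.

```powershell
# Added example, not from the original post: the two-call pattern that produces a
# benign "BUFFER OVERFLOW" in Process Monitor, driven through RegQueryValueExW.
Add-Type -Namespace Win32 -Name AdvApi -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegOpenKeyExW(IntPtr hKey, string subKey, int options, int samDesired, out IntPtr phkResult);
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryValueExW(IntPtr hKey, string valueName, IntPtr reserved, out int type, byte[] data, ref int cbData);
[DllImport("advapi32.dll")]
public static extern int RegCloseKey(IntPtr hKey);
'@

function Get-RegistryStringTwoCall {
    # Reads a REG_SZ / REG_EXPAND_SZ value under HKLM; pass '' as ValueName to read
    # the null-named "(Default)" value.
    param([Parameter(Mandatory)][string]$SubKey, [string]$ValueName = '')
    $HKEY_LOCAL_MACHINE = [IntPtr]::new(-2147483646)   # 0x80000002 as in winreg.h (sign-extended on x64)
    $KEY_READ = 0x20019
    $ERROR_MORE_DATA = 234                              # Win32 mapping of STATUS_BUFFER_OVERFLOW
    $hKey = [IntPtr]::Zero
    $rc = [Win32.AdvApi]::RegOpenKeyExW($HKEY_LOCAL_MACHINE, $SubKey, 0, $KEY_READ, [ref]$hKey)
    if ($rc -ne 0) { throw "RegOpenKeyEx($SubKey) failed with $rc" }
    try {
        # Call 1: zero-length buffer. This is the operation ProcMon logs as BUFFER OVERFLOW;
        # the API fills $cb with the number of bytes actually required.
        $type = 0; $cb = 0
        $rc = [Win32.AdvApi]::RegQueryValueExW($hKey, $ValueName, [IntPtr]::Zero, [ref]$type, (New-Object byte[] 0), [ref]$cb)
        if ($rc -ne $ERROR_MORE_DATA -and $rc -ne 0) { throw "RegQueryValueEx probe failed with $rc" }
        # Call 2: a buffer of exactly $cb bytes, so the copy cannot overrun it.
        $buf = New-Object byte[] $cb
        $rc = [Win32.AdvApi]::RegQueryValueExW($hKey, $ValueName, [IntPtr]::Zero, [ref]$type, $buf, [ref]$cb)
        if ($rc -ne 0) { throw "RegQueryValueEx failed with $rc" }
        if ($type -ne 1 -and $type -ne 2) { throw "Value type $type is not REG_SZ/REG_EXPAND_SZ" }
        [System.Text.Encoding]::Unicode.GetString($buf, 0, $cb).TrimEnd([char]0)
    } finally {
        [void][Win32.AdvApi]::RegCloseKey($hKey)
    }
}

# Run this under Process Monitor with a filter on the value path to see the first
# RegQueryValue return BUFFER OVERFLOW and the second return SUCCESS.
Get-RegistryStringTwoCall -SubKey 'SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ValueName 'ProductName'
```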

There are some special cases to be aware of when browsing the registry online…

HKEY_CURRENT_USER is a pointer to the user profile hive under HKEY_USERS which is used by the processes running in that particular session – if you consider a Remote Desktop Server with 10 users logged on, each of them has their own concept of “current user” but would like to be independent of each other’s sessions whilst using a standard path.
For my user account, it is easier to refer to HKEY_CURRENT_USER than to HKEY_USERS\S-1-5-21-1721254763-462695806-1538882281-2548689.

[ NOTE: HKEY_CURRENT_USER is abbreviated to HKCU ]

Under HKEY_USERS you will also see an extra key per (non-BUILTIN) user that is (or has been) logged onto the server, that ends with _Classes – this is the part of the user profile that never roams as it is machine-specific.
This is mounted as HKCU\SOFTWARE\Classes, and also merged with HKEY_LOCAL_MACHINE\SOFTWARE\Classes to be presented as HKEY_CLASSES_ROOT – the per-user definitions overriding the system default ones where a collision occurs.

[ NOTE: HKEY_LOCAL_MACHINE is abbreviated to HKLM, whilst HKEY_CLASSES_ROOT is abbreviated to HKCR ]

For this reason, HKCR is really only useful to read the “effective setting” of a particular object, and a decision needs to be made when wanting to update a value as to whether it should be per-machine (HKLM\SOFTWARE\Classes) or per-user (HKCU\SOFTWARE\Classes) – the result is seen instantly under HKCR.

Under HKLM\SYSTEM there are a number of ControlSetxxx keys, and one CurrentControlSet key – the latter is just a reparse point to one of the other keys… but how to know which one?
If you look at the value Current under the key HKLM\SYSTEM\Select then you can see which is being used (you can also see from the other values which was the last control set that failed and which was the last known good).

Traditionally we had just ControlSet001 and ControlSet002 to toggle between – but from Vista onwards we can go beyond this whenever a system is restored.

As with HKCU, we only care about “effective” settings under HKLM\SYSTEM\CurrentControlSet, and any changes here will be reflected in the corresponding ControlSetxxx key only – so if you have a problem that occurs “every other boot” then here is where you want to take a look (identify which is the bad control set and rename the key when it is not in use).

HKEY_CURRENT_CONFIG is a pointer to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current, and is an indicator to the hardware profile in use.
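Resolving the pointer keys described above (HKCU, the _Classes hive, CurrentControlSet and the HKCR merge) to the real keys behind them, as an added example that is not part of the original post; the function names are my own, and the '.txt' class used at the end is just a sample subkey.

```powershell
# Added example, not from the original post: resolve the "pointer" keys described
# above to the real keys they reference, on the machine being examined.

function Get-CurrentUserHive {
    # HKCU is just HKEY_USERS\<SID of the session user>
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    [pscustomobject]@{
        HKCU    = "HKEY_USERS\$sid"
        Classes = "HKEY_USERS\${sid}_Classes"   # non-roaming part, mounted as HKCU\SOFTWARE\Classes
    }
}

function ControlSetName([int]$n) {
    # Select values are numbers; 0 means "none" (e.g. no failed control set)
    if ($n -gt 0) { 'ControlSet{0:D3}' -f $n } else { '(none)' }
}

function Get-ControlSetSelection {
    # HKLM\SYSTEM\Select says which ControlSetNNN CurrentControlSet reparses to
    $select = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    [pscustomobject]@{
        Current       = ControlSetName $select.Current
        Default       = ControlSetName $select.Default
        Failed        = ControlSetName $select.Failed
        LastKnownGood = ControlSetName $select.LastKnownGood
        Present       = (Get-ChildItem 'HKLM:\SYSTEM' | Where-Object Name -match 'ControlSet\d{3}$').PSChildName
    }
}

function Compare-ClassesKey {
    # Show where HKCR's "effective" default value for a class subkey actually comes from
    param([Parameter(Mandatory)][string]$SubKey)
    $sources = [ordered]@{
        PerMachine = "HKLM:\SOFTWARE\Classes\$SubKey"
        PerUser    = "HKCU:\SOFTWARE\Classes\$SubKey"
        Effective  = "Registry::HKEY_CLASSES_ROOT\$SubKey"
    }
    foreach ($entry in $sources.GetEnumerator()) {
        $default = if (Test-Path $entry.Value) { (Get-Item $entry.Value).GetValue('') } else { '(key not present)' }
        [pscustomobject]@{ Source = $entry.Key; Path = $entry.Value; Default = $default }
    }
}

Get-CurrentUserHive
Get-ControlSetSelection
Compare-ClassesKey -SubKey '.txt'
```

If the per-user row shows a default and the effective row matches it rather than the per-machine one, you are seeing the override described above; the same three paths are where you would look when an offline hive and the live HKCR disagree.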

HKLM\HARDWARE is a key that is dynamically built when the system starts up, an enumeration of the buses and devices that comprise the system – it would make little sense to store this as non-volatile data, since rebuilding it at each boot means the key reflects the underlying hardware more reliably.

There is a SOFTWARE\Policies sub-key under both HKCU and HKLM – this is where group and local policy settings are applied in order to have an effect whilst they are active, per-user and per-machine respectively.

This is also why you will see a lot of queries for non-existent keys and values under these two locations when running Process Monitor during certain activities – the process is checking to see if there is a setting defined by a system administrator which will take preference over any locally-defined setting.
Given that there are thousands of potential settings for many component parts of Windows, there is a lot of this kind of checking going on all the time, most getting “not found” as a result, but as explained this is not an error.

Note that I said “online” above – if you mount a raw registry hive from the %systemroot%\SYSTEM32\CONFIG folder of a system that is not currently booted, you will not see the merged, dynamic or reparsed registry keys.

It is useful to be aware of this path in case you end up with an unbootable system due to registry corruption – there is a RegBack sub-folder which contains a backup of the hives from the time the system was installed, should it be needed in an emergency.

The files on disk that comprise the registry:

  • DEFAULT
  • SAM
  • SECURITY
  • SOFTWARE
  • SYSTEM

Note that there are no file extensions, they are memory-mapped at system startup and are not accessed other than through the APIs.

For more information, check out TechNet (covers up to Windows Server 2003 R2, but the principle is the same) or the book Windows Internals Fifth Edition.

Source …


Windows 7 – Automated Installation of Windows 7 Overview

February 26, 2010

The Automated Installation method for installing Windows 7 is recommended if your business has 200–500 client computers, at least one location with more than 25 users, and managed networks based on Windows Server, possibly in multiple locations.

Automated Installation of Windows 7 Overview.doc …


Windows 7 – Building a Standard Image of Windows 7 Step-by-Step Guide

February 26, 2010

Designed specifically for small and medium business that may not have prior experience with Windows deployment or do not have an enterprise deployment infrastructure, this step-by-step guide explains how to install a custom image by using an operating system image that includes your customizations and applications.

Building a Standard Image of Windows 7 Step-by-Step Guide.doc.docx …


Travel – Buy Cheaper Heathrow Express Tickets

February 26, 2010

Before buying your Heathrow Express ticket online try the links below for discounts on standard price tickets…

https://www.heathrowexpress.com/ana/
https://www.heathrowexpress.com/emirates/
https://www.heathrowexpress.com/swiss/
https://www.heathrowexpress.com/JAL/
https://www.heathrowexpress.com/lot/
https://www.heathrowexpress.com/virgin/
https://www.heathrowexpress.com/lufthansa/
https://www.heathrowexpress.com/qantas/
https://www.heathrowexpress.com/sas/
https://www.heathrowexpress.com/united/

At the time of this post, ANA was the cheapest offering an 11% discount on a Single Express Ticket.


Group Policy – Troubleshooting

February 25, 2010

Troubleshooting GPOs …

GPO_Troubleshooting_FC

Read it like this:

I have a problem. Did the GPO apply? (Check the event log)

Moving down the left side of the tree: If yes, did the setting apply? (Check the RSoP)

If yes, follow the tree and check the suggestions in the blue box: Do a GPUpdate to make sure the policy is refreshed. Check the inheritance to make sure the setting isn’t getting overwritten. Make sure your Active Directory and Sysvol versions are the same to make sure that file replication is working correctly. Is your processing set to be Asynchronous? If so, that extension may not be processing at every GP refresh…etc etc

You can take a similar trip down the right side of the tree:

I have a problem. Did the GPO apply? (check the event log)

If no, was the GPO denied? (found from the event log)

Yes it was! (move to the right) Why was the GPO denied? Could it be because of some security filtering that you didn’t see? Was the “computer settings” side of the GPO disabled? Is there a WMI filter that evaluated to false?

Or…not, it was not denied, but it still did not apply. (move to the left-most blue box) Could it just need to be refreshed? Did the GPO fall outside of the scope of management? Is there a network connectivity issue and the DC is not communicating properly?

Source …


Microsoft Looking Into Windows 7 Battery Issues

February 24, 2010

Microsoft says it’s investigating reports of notebook PC owners encountering battery life problems after upgrading their Windows XP and Vista machines to Windows 7.

After installing the Windows 7 upgrade, many customers have seen their machine’s battery life dwindle significantly, even when working with a freshly charged battery. They’ve also been confronted with the Windows 7 warning message: "Consider replacing your battery. There is a problem with your battery, so your computer might shut down suddenly."

Customers have been complaining about this problem on Microsoft’s TechNet forum since last June, when Windows 7 was still in Release Candidate stage. Some forum posters claim that their notebook batteries have been rendered completely unusable after installing the Windows 7 upgrade, and that downgrading back to an earlier version of Windows doesn’t fix the problem.

Ironically, Windows 7 was supposed to extend battery life on notebooks. During the Windows 7 beta, Microsoft said it had discovered that faulty drivers in Vista notebooks had prevented them from entering a quiet state, and that this caused Vista notebook batteries to drain faster than normal.

Microsoft confirmed the existence of the problem late last week, and the company will provide "information and guidance as it becomes available," a spokesperson said Monday in an e-mail.

Microsoft is working with its hardware partners to determine the root cause of the issue, which appears to be related to system firmware (BIOS), the spokesperson said.

Judging from the TechNet forum, however, customers aren’t buying Microsoft’s explanation that the issue is BIOS-related. Many have noted that the problem appears to affect notebooks from all major vendors, and some claim their vendors have informed them that it’s a Microsoft problem.

Source …