Computer First Aid Services
WINDOWS

In many cases, updating your operating system, software and drivers resolves conflicts and protects you from security threats. Saving your System Information provides the details a technician needs.

It is paramount for protection and security to stay current with updates for all software installed.


Security/Protection of your Files, Personal Information and System

Protect not only your personal information but also your system and the data and files you create. Besides accidental deletion of data by yourself, a friend or a family member, you are no doubt aware of the other ways your system can be damaged: hard drive failure, viruses arriving by e-mail, a backdoor opened by a virus or an attacker, theft, and disasters such as fire.

The first line of defense is updating your virus protection program's definition library daily or weekly and having internet security software with a firewall in place. Another defensive measure is keeping your computer's operating system (OS), software and hardware drivers up to date. Microsoft releases critical security updates for many OS components (Outlook, Internet Explorer, etc.) that are found to be vulnerable to attackers. Many computer users never apply these critical updates to their OS, or do not even know about the site to visit. If you use XP, open System Properties, select the Automatic Updates tab and make sure the options you want are checked.

The following link performs a check for updates based on your OS; however, it does not work with Netscape.

http://v4.windowsupdate.microsoft.com/en/default.asp

The second line of defense is backing up the files you have created with the programs you use. How often is up to you and what you feel comfortable with. Using a removable storage device, i.e. a Zip drive, CDs, DVDs or a separate hard drive, is a much better alternative than storing files on your hard drive only. Now, where should you keep this removable media? Somewhere else, be it a friend's house, work or a fireproof safe. As a retired firefighter I can tell you that many things are stored in the refrigerator/freezer; after a fire, items in the refrigerator/freezer are usually untouched. Some people who go on vacation also leave emergency contact information in the refrigerator/freezer in case their home burns while they are away.

Another place to store your files, if you have a web host (domain) with plenty of storage, is your own site: upload the files there using FTP (file transfer protocol).



Virus Detection and Prevention Tips - Viruses and Hoaxes

  1. Do not open any files attached to an email from an unknown, suspicious or untrustworthy source.
  2. Do not open any files attached to an email unless you know what it is, even if it appears to come from a dear friend or someone you know. Some viruses can replicate themselves and spread through email. Better safe than sorry: confirm that they really sent it.
  3. Do not open any files attached to an email if the subject line is questionable or unexpected. If you really must open such a file, always save it to your hard drive first.
  4. Delete chain emails and junk email. Do not forward or reply to any of them. These types of email are considered spam, which is unsolicited, intrusive mail that clogs up the network.
  5. Do not download any files from strangers.
  6. Exercise caution when downloading files from the Internet. Ensure that the source is a legitimate and reputable one. Verify that an anti-virus program checks the files on the download site. If you're uncertain, don't download the file at all, or download the file to a floppy and test it with your own anti-virus software.
  7. Update your anti-virus software regularly. Over 500 viruses are discovered each month, so you'll want to be protected. These updates should at the least cover the product's virus signature files. You may also need to update the product's scanning engine as well.
  8. Back up your files on a regular basis. If a virus destroys your files, at least you can replace them with your back-up copy. You should store your backup copy in a separate location from your work files, preferably one that is not on your computer.
  9. When in doubt, always err on the side of caution and do not open, download, or execute any files or email attachments. Not executing is the more important of these caveats. Check with your product vendors for updates, including those for your operating system, web browser and email program. One example is the security section of Microsoft's site, located at http://www.microsoft.com/security.


System Abruptly Stops/Shuts Down - Windows File Protection - System File Checker

System stops unexpectedly

You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure.

1. Open System in Control Panel.

2. On the Advanced tab, under Startup and Recovery, click Settings.

3. Under System Failure, select the check boxes that correspond to the actions you want Windows to perform if a Stop error occurs:

  • Write an event to the system log specifies that event information will be recorded in the system log.

  • Send an administrative alert specifies that your system administrator will be notified.

  • Automatically reboot specifies that Windows will automatically restart your computer.

4. Under Write Debugging Information, choose the type of information you want Windows to record when the system stops unexpectedly:

  • Small Memory Dump records the smallest amount of information that will help identify the problem. This option requires a paging file of at least 2 MB on the boot volume of your computer and specifies that Windows will create a new file each time the system stops unexpectedly. A history of these files is stored in the directory listed under Small Dump Directory.

  • Kernel Memory Dump records only kernel memory, which speeds up the process of recording information in a log when the system stops unexpectedly. Depending on the amount of RAM in your computer, you must have 50 MB to 800 MB available for the paging file on the boot volume. The file is stored in the directory listed under Dump File.

  • Complete Memory Dump records the entire contents of system memory when the system stops unexpectedly. If you choose this option you must have a paging file on the boot volume large enough to hold all of the physical RAM plus one megabyte (MB). The file is stored in the directory listed under Dump File.
     

Notes

  • To open System, click Start, point to Settings, click Control Panel, and then double-click System.

  • You must have at least a 2-MB paging file on the computer's boot volume if you select Write an event to the system log or Send an administrative alert.

  • If you choose either Kernel Memory Dump or Complete Memory Dump and select the Overwrite any existing file check box, Windows always writes to the same file name. To save individual dump files, clear the Overwrite any existing file check box and change the file name after each Stop error.

  • You can save some memory if you clear the Write an event to the system log and Send an administrative alert check boxes. The memory saved depends on the computer, but typically about 60 KB to 70 KB are required by these features.

  • If you contact Microsoft Product Support Services about a Stop error, they might ask for the system-memory dump file generated by the Write Debugging Information option.
     


Windows File Protection

The Windows File Protection "concept" was first introduced by Microsoft in the Windows Millennium operating system, as a way of stabilizing the software.

In Windows XP we have a much better version of this service, and this article has been written to inform the reader of its benefits.

For those of you who remember using Windows 95 and 98 computers, a frequent problem was the operating system becoming erratic or just completely freezing for no apparent reason.

Well, the underlying cause of these woes was often unprotected system files being overwritten, corrupted or even deleted!

This led to most of the support issues and was often referred to as "DLL HELL" because things could get so bad...

Now, with the Windows File Protection service in place, technical support is much easier!

What is windows file protection...

The Windows File Protection service is an "invisible" service that is enabled by default and runs constantly in the background after a successful logon. (It does not load in safe mode.)

ALL SYS, DLL, EXE, and OCX files that ship on the Windows XP CD are protected. Three TrueType fonts (Micross.ttf, Tahoma.ttf and Tahomabd.ttf) are also protected. They are all "backed up" to a special folder called dllcache. The location of this folder is:

%SYSTEMROOT%\system32\dllcache

The dllcache folder is extremely important so Windows XP hides it from you! To view it go to: My Computer > Tools > Folder Options > View > "uncheck" Hide protected operating system files. This will also reveal other hidden system files so be careful! e.g. pagefile.sys

Windows File Protection works by detecting the replacement/overwriting of these system files. It then scans the file in question against several catalogue files it has access to (nt5.cat, nt5inf.cat etc...). Should the file not be the correct digitally signed version it is expecting, Windows File Protection will then replace it with the cached version stored in the %SYSTEMROOT%\system32\dllcache folder, or in cases where no cached version exists you may be prompted for the Windows XP CD in order to restore the file with a supported version.

(NB - In my separate article on the scannow sfc utility I show you how to get around this annoying request for the XP CD.)

To test this, go to the dllcache folder yourself (probably C:\WINDOWS\system32\dllcache on your computer) and rename the file acctres.dll to acctress.dll.

Close the Explorer window and reopen it at the same location. You will now see that the Windows File Protection service has replaced the file acctres.dll (now delete acctress.dll).

This action is recorded in the system Log (via Event Viewer):
---------------------------------------------------------------------------
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 28/12/2003
Time: 15:37:42
User: N/A
Computer: MARCXP
Description:
File replacement was attempted on the protected system file acctres.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2600.0.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


---------------------------------------------------------------------------
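As an added example (not part of the original article), here is a small Python parser for text copied out of Event Viewer in the layout shown above: it keeps only Windows File Protection records, decodes which file a 64002 event restored, and flags the "not active" record written at logon once SFCDisable has been used (its ID, 64032, is assumed from Microsoft documentation, not taken from the article). The sample text is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the "copy from Event Viewer" text layout the article shows:
# the article's Event ID 64002 record, then the "not active" record WFP writes at
# logon once SFCDisable has been used (ID 64032 is assumed from Microsoft's
# documentation, not taken from the article).
SAMPLE_EVENTS = """\
Event Type: Information
Event Source: Windows File Protection
Event ID: 64002
Date: 28/12/2003
Time: 15:37:42
Computer: MARCXP
Description:
File replacement was attempted on the protected system file acctres.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2600.0.
---------------------------------------------------------------------------
Event Type: Information
Event Source: Windows File Protection
Event ID: 64032
Date: 29/12/2003
Time: 08:02:11
Computer: MARCXP
Description:
Windows File Protection is not active on this system.
"""

HEADER_RE = re.compile(r"^(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$")
# Pulls the file name and version out of the 64002 description quoted in the article.
RESTORE_RE = re.compile(r"protected system file (\S+)\..*?file version of the system file is (\S+)\.")


@dataclass
class WfpEvent:
    event_id: int
    computer: str
    when: str                         # "date time" exactly as exported
    description: str
    file_name: Optional[str] = None   # only filled in for 64002 restores
    file_version: Optional[str] = None


def parse_events(text: str) -> List[dict]:
    """Split the export on its dashed separator lines into one dict of fields per record."""
    records = []
    for chunk in re.split(r"^-{10,}[ \t]*$", text, flags=re.M):
        fields, desc, in_desc = {}, [], False
        for line in chunk.strip().splitlines():
            if in_desc:
                desc.append(line.strip())
            elif line.strip() == "Description:":
                in_desc = True
            elif (m := HEADER_RE.match(line.strip())):
                fields[m.group(1)] = m.group(2).strip()
        if fields:
            fields["Description"] = " ".join(d for d in desc if d)
            records.append(fields)
    return records


def wfp_events(text: str) -> List[WfpEvent]:
    """Keep only Windows File Protection records; decode which file a 64002 restored."""
    out = []
    for rec in parse_events(text):
        if rec.get("Event Source") != "Windows File Protection":
            continue
        ev = WfpEvent(int(rec["Event ID"]), rec.get("Computer", "?"),
                      f'{rec.get("Date", "")} {rec.get("Time", "")}', rec["Description"])
        if ev.event_id == 64002 and (m := RESTORE_RE.search(ev.description)):
            ev.file_name, ev.file_version = m.group(1), m.group(2)
        out.append(ev)
    return out


def findings(text: str) -> List[str]:
    """One line per WFP event an administrator should follow up on."""
    lines = []
    for ev in wfp_events(text):
        if ev.event_id == 64002:
            lines.append(f"{ev.computer} {ev.when}: WFP restored {ev.file_name} "
                         f"(version {ev.file_version}); find out what tried to replace it")
        elif "not active" in ev.description:
            lines.append(f"{ev.computer} {ev.when}: WFP NOT ACTIVE; check SFCDisable under Winlogon")
        else:
            lines.append(f"{ev.computer} {ev.when}: WFP event {ev.event_id}: {ev.description}")
    return lines
```

Running `findings(SAMPLE_EVENTS)` over a real export lets you spot repeated restores of the same file, which is the sign of something on the machine persistently trying to replace it.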

Is Windows File Protection a good thing...

YES it IS!

It exists to protect the Windows system files from being modified, whether accidentally or otherwise. As a network administrator I am VERY pleased with this feature: no more running around fixing machines because someone installed or deleted something they shouldn't have. You'd be surprised what people are told to delete in the email virus hoaxes that are sent around. Another important reason for having this service running is that Trojans and viruses try to overwrite system files in order to pass on information from your machine. If this happens, Windows File Protection will kick in!

Software vendors writing for Windows XP can no longer replace system files on your PC as part of the install process. To earn the XP logo for their products, vendors now have to follow strict rules about how software is installed. This is a GOOD thing!
 

What about when system files are updated by Microsoft...


If Windows File Protection protects system files, then how exactly can they be updated with newer versions?

Well, Microsoft has made the following methods Windows File Protection "aware", meaning the newer files replace the old system files and a copy of each new file is stored in the dllcache folder. The security catalogues are also updated, so the Windows File Protection service always knows which version of the digitally signed file is current!

Replacement of protected system files is supported using the following mechanisms:

• Windows Service Pack installation (UPDATE.EXE), e.g. XP SP2

• Hotfix distributions installed using HOTFIX.EXE, e.g. KB825035

• Operating system upgrade (WINNT32.EXE)

• Windows Update website

• Windows Device Installer
 

Can I turn off Windows File Protection...

The official answer from Microsoft is NO, and this is by design. (The only exception is if you are using a kernel debugger.)

However, there is a way to do it, BUT I can think of no reason for you to do so!!!

On close inspection of the system file sfc.dll it is possible to see a reference, in part of the code, that checks the value of SFCDisable in the WinLogon key... (Something we talk about in a moment!)

This key is: 0ffffff9dh

This is NOT a documented feature from Microsoft and should NOT be used unless you REALLY are sure you need to disable the service!

(NB - It is interesting to note that the virus "W32/CodeRed.D", which caused so much mayhem by shutting down Internet servers in the summer of 2002, used this very same undocumented setting to stop the Windows File Protection service from running. The virus could then release its Trojan payload to do damage and replicate itself around the Internet!)

The registry key to change is:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

By default, SFCDisable is set to 0, which means Windows File Protection is active.

Setting SFCDisable to 1 will disable Windows File Protection. Setting SFCDisable to 2 will disable Windows File Protection for the next system restart only (without a prompt to re-enable).

Important: You must have a kernel debugger attached to the system via null modem cable  to use SFCDisable = 1 or SFCDisable = 2.

After Windows File Protection is disabled using the SFCDisable = 1 setting, the following message will appear after logon:

Warning! Windows File Protection is not active on this system. Would you like to enable Windows File Protection now? This will enable Windows File Protection until the next system restart. <Yes> <No>.

Clicking Yes will reactivate Windows File Protection until the next system restart. This message will appear at every successful logon until SFCDisable is set to 0.

NOTE: The above message will only be presented to Administrators.

To verify that Windows File Protection has been disabled after rebooting click on Start menu > Control Panel > Administrative Tools > Event Viewer.

An event will be logged to indicate Windows File Protection is disabled on the PC. If this event hasn’t been logged in Event Viewer then the service has NOT been disabled...

Customizing Windows File Protection...

The Windows File Protection service can be customized in several ways with the simplest way of modifying the options being through the Group Policy Editor.

Click on Start Menu > Run box > type in gpedit.msc and hit the Ok button.

Expand Computer Configuration > Administrative Templates > System

then select the Windows File Protection folder...

ANY changes made here will update the registry keys at:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection

Administrators PLEASE note:

When Windows XP starts up, the Windows File Protection service synchronizes (copies) the Windows File Protection settings from the following registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection

to the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Therefore, if any of the values described below are present in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection key, they take precedence over the same values under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key.


Other settings you can edit:

All registry settings for this service are located in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

By default, only Administrators and System will be able to modify these settings.


SFCScan (REG_DWORD)
0 = do not scan protected files at boot (default).
1 = scan protected files at every boot.
2 = scan protected files once.

SFCQuota (REG_DWORD)
n = size (in megabytes) of dllcache quota.
FFFFFFFF = all files.

If you don't know hex, here are some sample values:

00000099 = 153 (MB).
0000004b = 75 (MB).
00000032 = 50 (MB).
0000000a = 10 (MB).

SFCShowProgress (REG_DWORD)
0 = System File Checker progress meter is not displayed.
1 = System File Checker progress meter is displayed (default).

SFCDllCacheDir (REG_EXPAND_SZ)
Path = local location of dllcache directory (default is %Systemroot%\system32\dllcache).
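As an added example (not part of the original article), this Python snippet codifies the two rules just described: the policy key's values take precedence over the Winlogon key's at startup, and each value has the meaning listed above. Fed two constructed snapshots of those keys (the real ones would come from reg.exe exports), it reports the effective Windows File Protection state and flags anything that weakens it.

```python
from typing import Dict, List, Optional

# Constructed snapshots of the two keys the article describes; the values are chosen
# to exercise the precedence rule, not copied from any real machine.
POLICY_KEY: Dict[str, object] = {    # HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection
    "SFCScan": 1,
    "SFCQuota": 0xFFFFFFFF,
}
WINLOGON_KEY: Dict[str, object] = {  # HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    "SFCDisable": 1,
    "SFCScan": 0,
    "SFCQuota": 0x32,
    "SFCShowProgress": 1,
    "SFCDllCacheDir": r"%Systemroot%\system32\dllcache",
}

WFP_VALUES = ("SFCDisable", "SFCScan", "SFCQuota", "SFCShowProgress", "SFCDllCacheDir")
# Defaults as stated in the article; SFCQuota has no stated default, so it stays None if unset.
DEFAULTS: Dict[str, object] = {"SFCDisable": 0, "SFCScan": 0, "SFCShowProgress": 1,
                               "SFCDllCacheDir": r"%Systemroot%\system32\dllcache"}
SCAN_TEXT = {0: "do not scan protected files at boot", 1: "scan protected files at every boot",
             2: "scan protected files once"}
DISABLE_TEXT = {0: "active", 1: "disabled", 2: "disabled for the next restart only"}


def effective_settings(policy: Dict[str, object], winlogon: Dict[str, object]) -> Dict[str, object]:
    """Policy values win (WFP copies them over Winlogon at startup); article defaults fill the gaps."""
    return {name: policy.get(name, winlogon.get(name, DEFAULTS.get(name))) for name in WFP_VALUES}


def quota_hex(megabytes: int) -> str:
    """The 8-digit hex form regedit shows for an SFCQuota of n MB, e.g. 153 -> 00000099."""
    return f"{megabytes:08x}"


def describe_quota(value: Optional[int]) -> str:
    if value is None:
        return "SFCQuota not set"
    if value == 0xFFFFFFFF:
        return "SFCQuota=FFFFFFFF: cache all protected files"
    return f"SFCQuota={value:08x}: {value} MB dllcache quota"


def audit(policy: Dict[str, object], winlogon: Dict[str, object]) -> List[str]:
    """Effective WFP state plus anything that weakens it or that policy is silently overriding."""
    eff = effective_settings(policy, winlogon)
    lines = [
        f"SFCDisable={eff['SFCDisable']}: WFP {DISABLE_TEXT.get(eff['SFCDisable'], 'unknown value')}",
        f"SFCScan={eff['SFCScan']}: {SCAN_TEXT.get(eff['SFCScan'], 'unknown value')}",
        describe_quota(eff["SFCQuota"]),
        f"SFCShowProgress={eff['SFCShowProgress']}: progress meter "
        f"{'displayed' if eff['SFCShowProgress'] == 1 else 'not displayed'}",
        f"SFCDllCacheDir={eff['SFCDllCacheDir']}",
    ]
    if eff["SFCDisable"] != 0:
        lines.append("WARNING: SFCDisable is non-zero, so WFP is off unless re-enabled at logon; "
                     "legitimate only with a kernel debugger attached, otherwise find out who set it")
    if str(eff["SFCDllCacheDir"]).lower() != str(DEFAULTS["SFCDllCacheDir"]).lower():
        lines.append(f"NOTE: dllcache relocated to {eff['SFCDllCacheDir']}; confirm that folder is intact")
    for name in WFP_VALUES:
        if name in policy and name in winlogon and policy[name] != winlogon[name]:
            lines.append(f"NOTE: policy {name}={policy[name]} overrides Winlogon {name}={winlogon[name]}")
    return lines
```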


By now you should have a greater understanding of Windows File Protection in Windows XP and how it works.

Please read my separate article on the scannow sfc command line utility that allows you to manually use the Windows File protection service on your PC.

Disclaimer: Modifying the registry can cause serious problems that may require you to reinstall your operating system. I cannot guarantee that problems resulting from modifications to the registry can be solved. Use the information provided at your own risk.


Windows File Protection

By default, Windows File Protection is always enabled and allows Windows digitally signed files to replace existing files safely. Currently, signed files are distributed through:

# Windows Service Packs

# Hotfix distributions

# Operating system upgrades

# Windows Update

# Windows Device Manager
 

If you introduce a file replacement in any other way, Windows File Protection will overwrite your file!

An important part of Windows File Protection is the command line utility:

System File Checker (sfc.exe)

You will often see references to scannow sfc in online newsgroups etc. This is a great tool for troubleshooting Windows XP problems.

 

How to use scannow sfc...

The main reason for using this utility is when you suspect there may be a problem with a Windows XP system file.

Perhaps a dialog box appears informing you of a problem with a .dll file, or your program will just not load! It is therefore worth checking for corrupt system files using scannow sfc.

To do this simply go to the Run box on the Start Menu and type in:

sfc /scannow

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.

The following should appear to give an indication of how long the process is taking.

[Image: scannow sfc progress window]

In an ideal world that would be the end of the story... Any corrupt, missing or incorrect files would be replaced by this process.

However, things can go wrong and the following guide should help!

The #1 complaint with scannow sfc is the following dialog box appearing:

[Image: scannow sfc dialog box prompting for the Windows XP CD]

Why does this happen?

Well, your computer's registry holds several settings that are checked when you run scannow sfc.

As mentioned earlier in this article, the Windows File Protection service constantly monitors for any changes to the main system files. Windows XP keeps a cache (copy) of these essential files at the following location:

C:\WINDOWS\System32\Dllcache  (assuming C: is your system root, which it probably is.)

NB - The dllcache folder is extremely important so Windows XP hides it from you! To view it go to: My Computer > Tools > Folder Options > View > "uncheck" Hide protected operating system files.

If that's the case on your computer then there is normally no need for the original XP CD to be inserted as your computer has a "copy" it can get hold of in this cache...

But, if the Dllcache folder, or part of it, has become corrupted for some reason then you will be prompted for the XP CD - so your computer can get a clean copy!

Having said that not ALL installations of Windows XP have ALL the system files cached into this folder! You may only have around 50MB of files in this folder under Windows XP depending on the quota settings in the registry. (Under Windows 2003 Server the default is 300MB of system files!)

Annoying? YES!

Is there a workaround? YES!

As well as having a cache of all the system files on your PC, I like to have the I386 folder from the XP CD installed on the computer as well. After doing this I then modify the registry to tell it the source path for these files... Why? Well, not only does this prevent 99% of the requests for the XP CD from Windows File Protection, but the I386 folder also contains many other files that are sometimes needed by the operating system, and this stops those requests for the XP CD too!

NB - With today's large hard drives you are not going to notice this 475 MB folder on your computer, but older systems may not have the space for this...

Step 1

You will need to get your XP CD and locate the folder called:

I386

This is a major folder and should be one of the first you see. Now copy it onto your hard drive into the system root. For most of you that is going to be C:\, so you should end up with a folder that looks like: C:\I386

-----------------------------

Step 2

Now you will need to tell your computer that you have the files on your PC. We do this in the registry (type regedit in the Run box on the Start menu) by navigating to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Setup

You will see various entries here on the right hand side. The one we want is called:

SourcePath

It probably has an entry pointing to your CD-ROM drive, and that is why it is asking for the XP CD. All we need to do is change it to:

C:\

Simply double-click the SourcePath setting and a new box will pop up allowing you to make the change.

Now restart your computer and try scannow sfc again!

------------------------------

Other Problems with scannow sfc...

#1

Has the CD drive's drive letter changed (perhaps by the addition of another hard drive, partition, or removable drive) since Windows XP was first installed? If so, simply edit the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath to reflect the changed drive letter.

After you restart the computer, WFP and sfc /scannow use the new source path instead of prompting for the Windows XP installation CD-ROM.

#2

Has the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath got an incorrect entry? The SourcePath entry does NOT include the I386 folder itself; it names the folder one level above I386, and Windows appends I386 to reach it.

Example:

If the I386 directory is at C:\I386, the SourcePath value would be C:\

#3

If the problem persists and you have the correct path for your I386 folder, then the I386 folder is corrupted. To solve this problem, copy the I386 folder from the CD-ROM to your system again, restart the system and then perform sfc /scannow again.

#4

You do not have an XP retail CD with an I386 folder on it. If you have a restore CD from your PC manufacturer then you may have to explore the CD to find the folder.

#5

You still keep being prompted for the XP CD yet you have done all in this article! There is another setting in the registry that may be causing the problem. Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SourcePath

Make sure the entry here is the same path to the I386 folder as used above.

#6

Systems administrators can enforce security policies that may include changes to the Windows File Protection settings. You will need to speak with your network administrator about this, but it is important to bear in mind when Windows starts up, the Windows File Protection service synchronizes (copies) the WFP settings from the following registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection

to the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Therefore, if any of the following values are present in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection key, they will take precedence over the same values under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key.

This will not affect scannow sfc so much, but WILL make an impact if any of the other sfc.exe "switches" have been used! (More about these at the end of this article.)

#7

When you run scannow at logon you do not get a progress bar... This can easily be remedied by adding a new DWORD:  SFCShowProgress to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

the values available are: 0 = disabled, 1 = enabled

------------------------------------

What about Windows Updates.....

You may be asking yourself how sfc.exe knows how to check for updated Windows system files. Well, during OS upgrades, service pack installations, etc., the dllcache folder should be updated with these new files.

As an example, the recent Windows XP hotfix KB828035 updated the system file wkssvc.dll. A new version of the file was placed in C:\WINDOWS\system32 and a copy in the cache, C:\WINDOWS\system32\dllcache. A copy of the old system file is archived in C:\WINDOWS\$NtUninstallKB828035$.

There is another location the Windows File Protection service uses, and that is the I386 folder in C:\WINDOWS\ServicePackFiles. When you install a service pack, like SP1, any new system drivers are cached in this location too.

If you have odd problems with running scannow sfc and nothing else in the article has resolved it, then take a look at the entry in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath

This should be pointing to the location C:\WINDOWS\ServicePackFiles (assuming C:\ is the boot drive.)
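As an added example (not part of the original article), the Python below turns the SourcePath checks from Steps 1 and 2 and problems #1, #2, #3 and #5 above, plus the ServicePackSourcePath check just described, into one diagnostic function. The registry snapshot and the list of existing folders are constructed for the example; on a real machine you would fill them from regedit and Explorer.

```python
import ntpath
from typing import Dict, List, Set

# The three registry values the article names (HKLM abbreviated), a constructed
# snapshot of their contents, and the folders that exist on the hypothetical machine.
SETUP_SOURCEPATH = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath"
NT_SOURCEPATH = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SourcePath"
SP_SOURCEPATH = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath"

REG: Dict[str, str] = {
    SETUP_SOURCEPATH: "D:\\",       # still points at the CD-ROM drive
    NT_SOURCEPATH: "C:\\",          # already changed to the parent of the copied I386 folder
    SP_SOURCEPATH: "C:\\WINDOWS",   # one folder short of ServicePackFiles
}
EXISTING_DIRS: Set[str] = {"C:\\", "C:\\I386", "C:\\WINDOWS", "C:\\WINDOWS\\ServicePackFiles"}


def norm(path: str) -> str:
    """Case- and separator-insensitive form for comparing Windows paths."""
    return ntpath.normcase(ntpath.normpath(path))


def check_source_path(key: str, value: str, existing: Set[str]) -> List[str]:
    """Apply the article's SourcePath rules (#1, #2, #3) to one value; 'existing' is pre-normalised."""
    if norm(value).endswith("\\i386"):
        return [f"{key} = {value}: must name the folder ABOVE I386, not I386 itself (#2)"]
    if norm(value) not in existing:
        return [f"{key} = {value}: folder does not exist; drive letter changed or CD not present (#1)"]
    if norm(ntpath.join(value, "I386")) not in existing:
        return [f"{key} = {value}: no I386 folder under it; copy I386 from the XP CD there (Step 1 / #3)"]
    return []


def diagnose(reg: Dict[str, str], existing_dirs: Set[str], system_root: str = "C:\\WINDOWS") -> List[str]:
    """Run every registry check from the article; an empty list means all of them passed."""
    existing = {norm(d) for d in existing_dirs}
    problems: List[str] = []
    for key in (SETUP_SOURCEPATH, NT_SOURCEPATH):
        if key not in reg:
            problems.append(f"{key} is missing")
        else:
            problems += check_source_path(key, reg[key], existing)
    a, b = reg.get(SETUP_SOURCEPATH), reg.get(NT_SOURCEPATH)
    if a and b and norm(a) != norm(b):
        problems.append(f"SourcePath values disagree ({a} vs {b}); set both to the I386 parent (#5)")
    expected_sp = ntpath.join(system_root, "ServicePackFiles")
    sp = reg.get(SP_SOURCEPATH)
    if sp is None or norm(sp) != norm(expected_sp):
        problems.append(f"{SP_SOURCEPATH} = {sp}; expected {expected_sp}")
    return problems
```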

             -------------------------------------------------------

For those of you who are familiar with sfc.exe under Windows 2000 Professional, it is worth noting that the following two options are NOT available under Windows XP:

sfc /cancel - In Windows 2000, this command immediately cancels all pending scans of protected system files. This option has no effect in Windows XP.

sfc /quiet - In Windows 2000 this sets Windows File Protection to replace any incorrect system files detected with the appropriate version from the dll cache without any user notification. This option has no effect in Windows XP.

More info can be found about the various switches available with sfc.exe under Windows XP here.
