Sunday, July 31, 2005

Secure your Internet Explorer.

Many spyware and adware programs exploit features of Internet Explorer to sneak into the computer, usually in the form of Browser Helper Objects (BHOs), ActiveX controls or toolbars. Once installed they can create havoc in your PC. These programs, collectively called malware, can redirect the sites you wanted to visit to other sites, or bring up pop-ups that are highly irritating.

Since prevention is better than cure, it is easy to stop such malware from installing if we follow some simple procedures. Most of the bad BHOs and ActiveX controls can be blocked with a tool called SpywareBlaster. It works by setting the "kill bit" for the class IDs of known bad ActiveX controls (the Compatibility Flags value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}), so Internet Explorer refuses to load them even if they are already on the disk, and by adding known bad sites to the Restricted sites zone. One of the main advantages of SpywareBlaster is that it is a "run once" tool: it does not need to keep running in the background. Once you enable its protection, you only have to enable it again after you update SpywareBlaster's database, because the new entries are not applied until you do.

Access to "bad" websites (which drop malware onto the computer) can be blocked with the HOSTS file, located in the "Windows\System32\Drivers\Etc\" folder (the file is named hosts, with no extension). Whenever a site is accessed, from Internet Explorer or any other program, the Windows resolver first looks in the HOSTS file for the name; if it finds an entry for that name it uses the IP address given there and never asks the Domain Name Servers at all. Only if no entry exists does it look the name up in DNS. We can use this behaviour to redirect "bad" host names to our own computer, so that access to the original site is blocked: add the host name to be blocked to the HOSTS file and give the loopback address of your own machine as its IP address. Note that HOSTS holds host names (such as www.example.com), not full URLs, so it cannot block a single page on an otherwise allowed site. There are many "readymade" HOSTS files available on the World Wide Web; a popular one is from MVPS. Just put this file in the "Windows\System32\Drivers\Etc\" folder and every program, Internet Explorer included, automatically uses it. Two caveats: a very large HOSTS file can make name lookups slow on Windows 2000/XP unless the DNS Client service is stopped, and malware itself likes to edit HOSTS, typically to point antivirus and update sites at a server of its own, so it is worth checking the file for entries you did not add.
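As an added example (not code from the original post), here is a small Python script that applies the lookup rule just described to a HOSTS file: it parses the file the way the resolver reads it, reports whether a given name is sinkholed, and flags entries that point somewhere other than your own machine, which is the sign of a HOSTS file tampered with by malware. The file content and the host names in it are constructed for the example; 127.0.0.1 and 0.0.0.0 are the two addresses block lists use.

```python
"""Parse a Windows HOSTS file and report which names it sinkholes.

Added example, not code from the original post. Rule implemented: a
name listed in HOSTS is answered from the file and never sent to DNS,
so mapping it to the loopback address (127.0.0.1) or the unspecified
address (0.0.0.0) blocks the site. The sample file below is
constructed; its host names are placeholders, not a real blocklist.
"""
import ipaddress

# Constructed sample in the format of %SystemRoot%\System32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test          # MVPS-style block entry
127.0.0.1\tpopup.example-adware.test  toolbar.example-adware.test
192.0.2.10      update.example-antivirus.test     # suspicious: sent off-box
this line is not valid and is ignored
"""

# Addresses that make an entry a block rather than a redirect.
SINKHOLE = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("0.0.0.0")}


def parse_hosts(text):
    """Return {hostname: ip} for every well-formed, non-comment line.

    Host names are compared case-insensitively, several names may share
    one line (separated by spaces or tabs), and anything after '#' is a
    comment. If a name is listed twice, this example keeps the first.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)
    return table


def is_blocked(table, hostname):
    """True when HOSTS answers the name with a sinkhole address."""
    ip = table.get(hostname.lower())
    return ip is not None and ip in SINKHOLE


def find_hijacks(table):
    """Names that HOSTS sends to a real address instead of a sinkhole.

    Malware edits HOSTS too, usually to point antivirus or update sites
    at a server it controls, so every off-box entry deserves a look.
    """
    return sorted(name for name, ip in table.items()
                  if name != "localhost" and ip not in SINKHOLE)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.test", "ADS.EXAMPLE-TRACKER.TEST",
                 "www.example.com"):
        state = "blocked by HOSTS" if is_blocked(hosts, name) else "resolved via DNS"
        print(f"{name}: {state}")
    print("entries pointing off-box:", find_hijacks(hosts))
```

To check a real machine, read the hosts file from the path given above and pass its text to parse_hosts; find_hijacks then lists the entries that deserve a second look.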

Another nifty tool is IE-SPYAD. It adds a long list of sites and domains associated with known advertisers, marketers and crapware pushers to the Restricted sites zone of Internet Explorer. This does not stop the pages from loading; it makes them run under that zone's tight settings (ActiveX, active scripting and file downloads are all disabled there by default), which is what stops the drive-by installs those sites rely on.

If we use some of these tools, plus some common sense, we can avoid most spyware and adware. Happy browsing!

Friday, July 29, 2005

Autostart locations in Windows.

Ever wondered how many autostart locations there are in Windows? There are at least 38 of them, from the simple "Startup" folder to the complex-looking "Winlogon" entries in the Registry. These locations can be used by both legitimate software and malware, which is why an infection that comes back after every reboot is almost always sitting in one of them. For a complete list of these locations, check this page. The free Autoruns tool from Sysinternals enumerates all of them on a live system, which is quicker than walking the Registry by hand.

Wednesday, July 27, 2005

Clean junk and erase usage tracks!

Windows and most software create temporary files. These files are no longer needed once the corresponding application is closed, but they are not always removed and so continue to accumulate. On Windows 9x/ME the "Temp" folder inside the "Windows" folder is used for this; on Windows 2000/XP each user has a separate temporary folder under their profile (Documents and Settings\<user>\Local Settings\Temp, which is what the %TEMP% environment variable points to).
While surfing the Internet, Internet Explorer stores the downloaded web pages, images and other files in the "Temporary Internet Files" folder (inside the "Windows" folder on 9x/ME, under Local Settings in the user's profile on 2000/XP). Other browsers such as Opera, Firefox and Netscape store these files in their own cache folders.

It is better to clean these files regularly to keep the computer "squeaky" clean. Another reason to clean them is that these folders have become a favourite hideout for malicious programs such as viruses, spyware and adware: a file dropped into Temp by a web page can be run from there and then register itself in one of the autostart locations, so an executable sitting in a Temp folder is always worth a second look.

It is cumbersome to search for these files and delete them manually, but there are numerous programs that do the job. One worth mentioning is CCleaner. It searches for and deletes not only the temporary files created by Windows and other applications but also the browser caches; it removes files with extensions such as .tmp, .bak and .chk, among others, and it deletes the cookies set by web sites when you visit them (which also logs you out of those sites). As they say, "the best things in life are free", and CCleaner is freeware.

Now let's come to the task of removing "usage tracks". Usage tracks are registry entries created by software to "remember" the recent operations made by the user. For example, when you open Windows Media Player, the File menu shows the files that were opened recently. Such a list is also called an "MRU", standing for "Most Recently Used" (these lists are the same entries a forensic examiner looks at to see what a user opened, which is why they matter for privacy). To remove these entries there is a small freeware tool called MRUBlaster. It scans for the MRUs of the applications it supports and deletes them; MRUBlaster supports cleaning of more than 30,000 MRU items covering different applications and Windows itself. There is also an option to run MRUBlaster automatically at startup, so that it clears the MRUs on every boot.

These tools should not be missed by any computer user. It is good practice to run them before shutting down the computer or after disconnecting from the Internet.

Monday, July 25, 2005

Microsoft Windows Installer Cleanup Utility

Many of you might have seen Windows Installer start up by itself, trying to install "something". This can happen at any time: you click on a Word document and, instead of the file opening, Windows Installer pops up trying to install some component, possibly asking for the installation CD (see the screenshot).


In most cases this is not due to an incomplete or incorrect installation of the software but to an inconsistent Windows Installer configuration for it: the Installer's own records say that a component of the product is missing or damaged, so every time the application (or a file type it handles) is used, Windows Installer tries to "repair" it. To overcome this, the Windows Installer configuration details for that specific software should be reset.

There is a nifty tool from Microsoft aptly called the "Windows Installer Cleanup Utility". It lists all the software that was installed by Windows Installer, and you select the entry whose Installer configuration details should be reset. This removes neither the software in question nor Windows Installer itself; it removes only the Installer's configuration details (its registration of that product). So when you encounter Windows Installer starting up automatically to install certain software, you can try cleaning its configuration details instead of reinstalling the software. Use it only on the product that misbehaves: once its registration is gone, Windows Installer can no longer repair, patch or cleanly uninstall that product, and the only way to get those back is a reinstall.

If the software still fails to work after you have used the Cleanup utility, then you have to reinstall the software in question.

Get it here

PS: I got to know about this tool from TonyKlein, and I must thank him.

Windows Registry, An introduction.

What is the Registry?
The Registry is a collection of all the settings for Windows and the installed applications.
It behaves like a central database for software, device drivers, file types and so on. It can be compared to the attendance register of a school or college: as the attendance register has the names of all the students, the Registry has entries about all the software, devices, supported file types and so on.

Why does Windows use the Registry?
Whenever a user starts an application, Windows looks up the Registry to gather more information about it: what type of application it is, what types of files or documents it can create, whether it is a multimedia application that needs additional support in the form of plug-ins, and so on.
These are referred to as the configuration settings of the application.

In older versions of Windows (such as 3.1) there was no Registry as we know it (Windows 3.1 had only a small REG.DAT for file associations), and each application or device had a text-based .ini file, known as a configuration file, containing all of its settings. Whenever a user started an application, Windows (or the application itself) read the corresponding .ini file and acted accordingly.

For example, let's take the configuration file of the Opera web browser (Opera.ini). Only part of the full file is shown below:-
Download Directory=C:\My Documents
Direct History File=C:\PROGRAM FILES\OPERA\profile\opera.dir
Enable Wand=0
Home URL=
Special effects=1
From this we can easily read off some of the settings to be applied when a user starts Opera.
Let's start from the beginning. Whenever Opera is started, the main program reads this .ini file and learns that the default download directory is "My Documents", the history file is "opera.dir" at the specified path, the "Wand" (Opera's password manager) is disabled (set to 0), the home page is blank and "Special effects" are enabled. So it starts the browser with these settings.

Although this .ini way of storing configuration settings looks easy, it does not provide a centralized place for the settings of ALL software and devices, since each program and device had its own .ini file, and a missing or altered .ini file resulted in errors.

That is why the Registry was introduced, from Windows 95 onwards, to act as a centralized configuration store.
The .ini files were not eliminated completely, but their number was greatly reduced by the presence of the Registry.

Structure of Registry:-
The Registry can be viewed and edited by running "regedit.exe" from the Run dialog box ("regedt32.exe" was a separate editor on Windows NT 4 and 2000 that could also set permissions on keys; on XP it simply starts regedit). Be careful: the Registry Editor has no undo, and a wrong edit can stop Windows from booting, so export a key (File > Export) before you change it.
The Registry has a hierarchical (tree) structure, like the directories on a disk. It mainly contains branches; these are what you see in the left pane when you open the Registry Editor.
Each branch is called a key, and keys are shown with a folder-like icon.

Each key can contain other keys (called subkeys) and it can contain other information called values.

Values are the information shown in the right pane of the Registry Editor.
The three basic value types (data types) you will meet most often are:-
1] String (REG_SZ)
2] Binary (REG_BINARY)
3] DWORD (REG_DWORD: Double Word; a word is 16 bits, so a DWORD is 32 bits)

String is analogous to the "path of a program" stored in the .ini file shown above, and the String data type is used to store textual information such as paths, software names, device names and user names. (Windows 2000 and XP also have an expandable string, REG_EXPAND_SZ, in which something like %SystemRoot%\system32\notepad.exe is expanded when read, and a multi-string, REG_MULTI_SZ, which holds a list of strings.)
Binary is a sequence of bytes of any length, not just 8 bits, and is displayed in hexadecimal in the Registry Editor. It is used to store things like device IDs, product version data and passwords in encrypted form. A one-byte Binary value is sometimes used for an "Enable/Disable" or "True/False" flag, like the 1 or 0 in the .ini file, though a DWORD is the more common way to do that.
DWORD is a 32-bit number, also displayed in hexadecimal in the Registry Editor, and is used for numeric settings, flags (0 = disabled, 1 = enabled) and device-driver or service parameters.

But these data types are not limited to storing paths or enable/disable options; they hold much more, such as hardware status, product versions, product IDs, serial keys and passwords (sometimes only in encrypted form).
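The text form of all this is what the Registry Editor writes when you export a key to a .reg file: a [key path] line followed by one line per value, where "..." marks a String, hex: a Binary value and dword: a DWORD. As an added example that is not part of the original posts, the Python below parses such an export and then uses it for the check the "Autostart locations in Windows" post above calls for: it lists the values under a few of the autostart keys (the Run/RunOnce keys and Winlogon's Shell and Userinit values) and flags any command that launches from a Temp folder. The export, its key contents and the program names are constructed for the example; the autostart keys named are real ones, but only a handful of the 38 locations.

```python
"""Parse a regedit .reg export and list the autostart entries in it.

Added example, not from the original posts. A .reg file is the text form
of the tree described above: a [key path] header followed by "name"=data
lines, where the data prefix gives the type ("..." String, hex: Binary,
dword: DWORD). The export below is constructed; paths are placeholders.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Updater"="\"C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\upd.exe\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Example\Settings]
@="Example default value"
"EnableWand"=dword:00000000
"DeviceId"=hex:01,02,\
  03,ff
'''

# A value line: @ for the (Default) value or a quoted name, then '=' and data.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo the .reg escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data):
    """Turn the typed data field of one value line into a Python value."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])          # String (REG_SZ)
    if data.startswith("dword:"):
        return int(data[6:], 16)               # DWORD: 32-bit, written in hex
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:                                      # hex: is Binary; hex(N): other
        return bytes(int(b, 16) for b in m.group(2).split(",") if b)  # types
    return data                                # e.g. '-' (delete), left as is


def parse_reg(text):
    """Return {key_path: {value_name: data}}; '' names the (Default) value."""
    tree, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):   # hex data wrapped
            line = line[:-1] + lines[i].strip()          # onto the next line
            i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            tree[current][name] = _decode(m.group(2))
    return tree


# A few of the autostart locations from the earlier post. Every String value
# under a Run/RunOnce key is a command line run at logon; Winlogon's Shell
# and Userinit name the programs that start the user session.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_VALUES = {"Shell", "Userinit"}


def autostart_entries(tree):
    """Return (key, value name, command) for each autostart value found."""
    found = []
    for key, values in tree.items():
        if key.lower() in RUN_KEYS:
            found += [(key, n, v) for n, v in values.items() if isinstance(v, str)]
        elif key.lower() == WINLOGON_KEY:
            found += [(key, n, v) for n, v in values.items() if n in WINLOGON_VALUES]
    return found


def suspicious(entries):
    """Entries whose command runs from a Temp folder, the hideout noted earlier."""
    return [e for e in entries if re.search(r"\\temp\\", e[2], re.IGNORECASE)]
```

To use it on a real machine, export the keys from the Registry Editor (File > Export), read the file's text into parse_reg, and pass the result to autostart_entries and suspicious; a registered command that points into a Temp folder, as the constructed "Updater" value does, is exactly the kind of entry that deserves investigation.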

Now let's look at the main branches of the Registry one by one.
By default the Registry shows 6 main branches (5 in Windows 2000 and above, which have no HKEY_DYN_DATA). These are the branches you see in the left pane when you open the Registry Editor.
They are:-

HKEY_CLASSES_ROOT:- This branch contains all the file types known to Windows and the installed applications. It holds information such as which application is used to open a file type, where that application is located and which icon represents files of that type. On Windows 2000 and XP it is in fact a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\Software\Classes, with the per-user entry winning when both exist.
For example, it contains a key named "txtfile". Expanding it shows the subkeys "DefaultIcon" and "shell"; inside "shell" is another key "open", and within that the key "command".
Click the "DefaultIcon" key and the right pane shows a value of String type holding the path of the icon file to be used.
Click the "command" key and the right pane shows a value of String type holding the command line of the application used to open the file, i.e. Notepad, with %1 standing for the file that was double-clicked.

So Windows knows the different file types present in the system, the icons to use for them and the programs that open them; the information stored here makes sure the correct program runs when you open a file from Windows Explorer. This is also why malware likes to tamper with these entries: an altered exefile\shell\open\command, for instance, runs the malware's program every time any .exe is started. This branch is abbreviated HKCR.

HKEY_CURRENT_USER:- This branch is a subset of the branch named HKEY_USERS: it points to the part of HKEY_USERS that belongs to the current user (on Windows 2000/XP, the subkey named after the logged-on user's SID).
As the name says, it contains the configuration of the user currently logged on.
For example, it contains the folder options, screen colour settings and Control Panel settings customised by that user.
This branch is generally abbreviated HKCU.

HKEY_LOCAL_MACHINE:- This branch contains information about all the hardware and software installed on the computer. It is abbreviated HKLM.
This is one of the most important parts of the Registry. On Windows 9x/ME it contains subkeys such as "Config", "Hardware" and "Software"; on Windows 2000/XP the top-level subkeys are HARDWARE, SAM, SECURITY, SOFTWARE and SYSTEM (SAM and SECURITY, which hold the local account database and security policy, are not readable in the Registry Editor even by Administrators unless the permissions are changed).

The Config key (9x/ME) contains subkeys and values that determine the display settings (resolution, colour mode and so on) and the fonts used.
The Hardware key contains subkeys and values describing the processor, the adapters (network adapter, ISA adapter, etc.) and the COM ports present in the system. On Windows 2000/XP this key is volatile: it is rebuilt from hardware detection at every boot and never written to disk.
The Software key is one of the main branches of HKLM. It contains entries for ALL the software and device drivers installed in the system, with numerous subkeys and values for each one. Here you can find information about every program installed (this is the part that took over from the .ini files), such as its default folder, version number, serial key (yes, in some cases), default language, passwords, and you name it, it's here. You have to see it to believe it!
So you can find your Windows 98 serial key (in case you forget it) by navigating to this key:
HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion.
Click on the CurrentVersion key and look in the right pane for a value named "ProductKey"; that is your serial number. (On Windows 2000/XP the key is stored in encoded binary form instead, as "DigitalProductId" under Software > Microsoft > Windows NT > CurrentVersion.) The same CurrentVersion key holds "ProgramFilesDir", the default location of "Program Files"; the location of "My Documents" is per-user and lives in HKEY_CURRENT_USER under Software > Microsoft > Windows > CurrentVersion > Explorer > User Shell Folders, in the value named "Personal".

HKEY_USERS:- This branch contains the preferences (such as colours and Control Panel settings) of all the users of the computer, each under its own subkey, plus a .DEFAULT profile used before anyone logs on. It is a superset of HKEY_CURRENT_USER because it has the settings of all users. On Windows 2000/XP only the profiles of users currently logged on are loaded here; the settings of other users sit in their NTUSER.DAT files until they log on.
This Branch is generally abbreviated as HKU.

HKEY_CURRENT_CONFIG:- This branch is a subset of HKEY_LOCAL_MACHINE: it points to the hardware profile currently in use (on 9x/ME the current profile under HKLM > Config; on Windows 2000/XP HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current). It has nothing to do with the logged-on user; it exists because a computer can have several hardware profiles (a laptop docked and undocked, for instance), and while HKLM holds all of them, HKEY_CURRENT_CONFIG shows only the one in effect now.

HKEY_DYN_DATA (Windows 95/98/ME only):- This branch holds dynamic data about the Plug and Play hardware and system performance statistics.
It is termed dynamic because it is built in memory at every boot and never written to a file on disk; the hardware configuration can change at any time since Plug and Play hardware can be removed, changed or added.
This branch contains many subkeys, which in turn contain values. Most of these values are of Binary or DWORD type and are shown in hexadecimal, so understanding what they mean is difficult.

How are entries added to or removed from the Registry?
Whenever software or a device driver is installed, the setup program makes the entries in the Registry by itself.
In theory, whenever software is uninstalled it should completely remove the Registry entries it made. But many programs fail to do so and leave junk behind in the Registry. This is where Registry cleaners come into the picture.
These Registry cleaners search the Registry for obsolete or junk entries, such as path names that point at an application already uninstalled or at a file already deleted.
Popular Registry cleaners are RegCleaner, RegSupreme and System Mechanic. Treat them with care: a cleaner has to guess which entries are obsolete, a wrong guess can break a working program, and leftover entries rarely do any harm, so export the Registry (or set a System Restore point on XP) before you let a cleaner delete anything.

Where is the Registry in my System?
The Registry, for all its hierarchical structure, is stored in ordinary files. On Windows 9x/ME these are User.dat and System.dat in the Windows folder. On Windows 2000 and above it is split into several files called hives: SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT (with no extension) in the Windows\System32\Config folder, plus NTUSER.DAT in each user's profile folder, which becomes that user's branch of HKEY_USERS when they log on. These files are locked while Windows is running, which is why a copy for examination is normally taken with the system booted from other media or with a tool that reads the disk directly.