09 September 2016

A rather quiet traffic for Windows 10 Rs1

Finally replacing Windows 8.1 with Windows 10! Within my first three days I need to make sure that my internet connection isn't abused by Windows and stays under my control. Having experienced Windows 8.1 before, where explorer, rundll32 and svchost acted as ping bot or downloader, this time there is more coming in Windows 10, despite having opted during installation to turn off the "share my stuff with MS" features.

Note that the following tips completely favor "bandwidth saving" over "security".

Let's start with services.msc
In XP, I just needed to disable Windows Update and BITS; now we also get telemetry (note: every app compiled with VS 2015? seems to inherit this ability, intended or not, managed or unmanaged).

- Background Intelligent Transfer Service (BITS)
"supposedly" the main downloader, and it used to be, but no longer

- Windows Update (wuauserv)
this needs to be turned on when installing offline update files

- Connected User Experiences and Telemetry (DiagTrack)
why do I still need to disable this? well, it still pops up sometimes.

- Program Compatibility Assistant Service
this one is unrelated, but I need to mention it here as this thing keeps getting in the way, choking up, and eventually dying and bringing down system resources. Especially when I run three parallel sessions of a mingw compilation script for 24 hours. Additionally, in this case, adding an exclusion for Defender will help too.

Move on to gpedit.msc
Contrary to the usual mantra of dumbed-down Windows, "We (SYSTEM) will manage it for you", gpedit.msc gives us tons of rules that SYSTEM will, ahem.. *supposedly* obey. But I don't know why they sometimes get telepathy with Redmond and do something else.

Disabled:
Allow definition updates from Microsoft Update
Allow real-time definition updates based on reports to Microsoft MAPS
Allow search and Cortana to use location
Allow Telemetry
Check for the latest virus and spyware definitions on startup
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates (err, this is claimed not to apply to W10, but just in case)
Initiate definition update on startup

Enabled:
Define the order of sources for downloading definition updates
Disable all apps from Windows Store *Enterprise/Education only
Do not allow web search
Don't search the web or display web results in Search
Turn off access to the Store
Turn off Application Telemetry
Turn off Automatic Download and Update of Map Data
Turn off game updates
Turn off Help and Support Center Microsoft Knowledge Base search
Turn off Search Companion content file updates
Turn off the offer to update to the latest version of Windows
Turn off Windows Update device driver search prompt

Windows Update advanced options:
defer feature updates (like LTSB?)

Into Windows Firewall rules:
Programs Inbound/Outbound:

%SystemRoot%\explorer.exe

Others:
- A service (Background Tasks Infrastructure Service, I think) that spawns BackgroundTransferHost.exe

  Within a logon session, it is activated the first time the internet is connected. I can't find any reference to it in the registry. The firewall is impotent to block it. I think this is the modern-app version of BITS. I need to kill BackgroundTransferHost manually.
- A spawned rundll32 that spawns svchost (uh oh, or something like that); there is ping activity but it is not bandwidth intensive. I need to kill rundll32 manually.

At the moment that's all I can do and it's considerably quieter for a dial-up user like me.
I recommend Process Hacker to monitor process and network activity.

Update:
There are several copies of BackgroundTransferHost.exe, in System32 (or SysWOW64) and deep inside subdirectories of winsxs (or winsxs\wow64), so including them all in the firewall might work; if not, put them in AppLocker?

09 March 2016

32-bit OSes in Windows XP Era

Another retro post to celebrate XP's consistent double-digit market share for 14 years, as seen on http://www.netmarketshare.com. Proof that Windows users are generally conservative (including Windows 7 users) and only about 10% always want the new shiny OS (considering most migrated Windows 10 users came from Windows 8.1), and those are likely the ones bragging with their screenshots all over the internet despite the far skewed reality. And I believe XP still has significant usage on non-connected/intranet/industrial computers.

The XP era started when it was released in Oct 2001 and lasted throughout 2006, until MS made its (supposed) successor Vista at the beginning of 2007. The timespan itself is unusual: 5 years compared to 2-3 years for other versions. Here is a short list; I have tried most of them in the past, though a few are really hard to find.

Release date | Operating System | Notes
Oct 2001 | Windows XP | The last 32-bit *only* Windows (XP64 is Windows 2003). SP3 in 2008, EOL 2019 (XP POSReady)
Dec 2001 | OS/2 4.52 | Last version, FP15/CP5 in 2005. Last update 2007
Apr 2002 | Plan 9 r4 | Last major version; enhanced by 9atom, forked by 9front
Aug 2002 | MVS 3.8j TK-3 | 24-bit mainframe turnkey from 1981 S/370 [Hercules]; can be patched into MVS/380 (31-bit alternative to MVS/XA)
Aug 2003 | Netware 6.5 | Last version, SP8 in 2008. EOL 2010
Oct 2003 | BSD/OS 5.1 | Last version (formerly BSDi), EOL 2004. Anyone has this?
Jun 2004 | UnixWare 7.1.4 | Last version, MP4 in 2008
Jun 2004 | QNX 6.3 | 6.3.2 rollup update in 2007
Jul 2004 | SkyOS 5 beta | Last major version, dead in 2008 and still beta
Aug 2004 | eComStation 1.2 | OS/2-based
Jan 2005 | Solaris 10 | Last version that is mostly 32-bit on the Intel port. U11 in 2013. EOL 2018
Jan 2005 | Inferno r4 | Last major version [Hosted]
Feb 2005 | RHEL 4.0 | U8 (4.8) in 2009, U9 in 2011, EOS 2012 (extended 2015)
Mar 2005 | PhOS beta6 | Last and beta only, enhancement of leaked BeOS 5.1
Mar 2005 | z/VSE 3.1 | Last version that is 31-bit [Hercules]
Apr 2005 | MorphOS 1.4 | Amiga-like, 1.4.5 available for free [WinUAE?]
Apr 2005 | Mac OS X 10.4 | First hackintosh and last version that is mostly 32-bit. Last with Classic Env. 10.4.11 in 2007, last update in 2009
May 2005 | Darwin 8.1 | Last available standalone Darwin
May 2005 | Windows Mobile 5 |
Jun 2005 | OpenServer 6.0 | Last version, MP4 in 2009
Oct 2005 | Minix 3.1 | 3.?.x are development releases
Nov 2005 | FreeBSD 6 | 6.4 in 2008. EOL 2010
Dec 2005 | Syllable 0.6 | Dying at 0.6.7 in 2012
Dec 2005 | NetBSD 3.0 | 3.1 in 2006. EOL 2009
Apr 2006 | Zeta 1.2 | Dead at 1.5.1 in 2007, BeOS-based
May 2006 | Contiki 1.3 | [Hosted]
Jun 2006 | (K)Ubuntu 6.06 | 6.06.1 update for desktop. EOL 2009
Jul 2006 | SLES 10 | SP4 in 2011. EOS 2013 (extended 2016)
Jul 2006 | Symbian OS 9.3 | Last version by Nokia before it turned into Symbian^1 [WINS]
Sep 2006 | Menuet32 0.83B | Dying.. focus goes to Menuet64
Sep 2006 | ReactOS 0.3 | 0.3.x are development releases
Nov 2006 | VxWorks 6.4 | Older 5.5 in 2002 [VxSim]
Nov 2006 | RISC OS 6 | Last major version 6.x and 5.x [VirtualRPC]
Dec 2006 | AmigaOS 4.0 | First to use PPC [WinUAE]
May 2001 | OpenVMS 7.3 | Last version. EOL 2012 [SimH]
Oops, this one is from before XP...
Funny how many PC commercial OSes were dying/died during the XP era.

06 February 2016

How to "use" isobuster for free

Since the days when CD burners didn't have buffer underrun protection and my HDD free space was actually smaller than CD capacity, this little software with the cool batman icon has always been a lifesaver. Back then isobuster was still free (pre-1.0 versions); now, within a few years, we might discard optical media for data completely (backup is OK though).

Isobuster interprets multisession discs, all kinds of ISO 9660 extensions (Joliet, RR), UDF, extra tracks such as HFS or FAT, and El Torito boot images. It also shows you the important thing: the LBA! So you can tell by its physical location which file is vulnerable to a disc defect. Finally, isobuster does interruptible copying for recovery purposes. The old 0.99.9 still works on modern Windows as long as you run it as administrator (or just add an elevation manifest to it), but there is no support for UDF.

I know that Isobuster can be used in free (sometimes nagging) mode, but I'm not talking about that. The tool is FTK Imager Lite by AccessData. This forensic tool is known to bundle isobuster 2.4 as a shared library from version 2.6 onward; you can get older (and smaller) versions via archive.org too. For the current version: http://accessdata.com/support/adownloads

The basic important functionality is there, though there is no LBA column in the file list; instead it is placed in the file property panel. No ISO image dumping except to forensic image formats. And no data carving (isobuster 3?). Overall, what makes isobuster so special is already covered. Enjoy!

Two advanced free hex editors for Windows

Back in the day when all of my software was pirated, WinHex was the single best thing I ever needed. Now, to replicate its functionality, I have to combine two applications, HexEdit and TinyHexer, or more.

TinyHexer

1. TinyHexer was my first free hex editor; it was the best during its time and probably still would be if only it supported big files. The homepage www.mirkes.de has gone, so you need to find a mirror for mpth_18.exe or mpthme_18.exe. Here is a mirror from softpedia: http://download.softpedia.com/kRHV01DUV2Ym8XNnMprEEBK6t2a4wgfe/software/programming/.

TinyHexer's strength lies in its good manipulation features and plugins, with which a serious user will establish a workflow. Furthermore, tinyhexer is highly extendable: it has a Delphi SDK (the file is gone?), scripting and macro replay. TinyHexer also has good reference help, including for scripting, but it does not cover many of its plugins. One thing to note: somehow tinyhexer doesn't allow paste in overwrite mode, making it hard when you have to combine/patch parts of files; another minor inconvenience is the full-page mouse scrolling.

HexEdit

2. HexEdit (okay, what an ambiguous name here :P), the homepage is http://www.hexedit.com/. Personally I use this as a tinyhexer replacement, but not for all features, as some overlap between the two. For example, HexEdit is missing opening a process' memory, but besides that HexEdit is a completely different kind of hex editor. The overwhelming editing aids such as track changes, mark/bookmark, highlighter, etc. really make HexEdit like a word processor for binary files. Manipulation features are also extensive: lots of bitwise operations and conversions; it even has data encryption (built-in) and arbitrary compression (via Zlib). HexEdit also has user-expandable file structure templates for analysis, similar to tinyhexer.

One of its unique features (WinHex can do this) that I like is the "Keep Same Time" toggle, which keeps the file modification date once you are done editing. Its search function is comparable (no regexp unfortunately) but slower than tinyhexer's. Startup is also rather slow, probably because of its complex UI (based on MFC). The bundled manual is excellent; you'll need it for something like this. HexEdit is also extendable via macro replay. In short, HexEdit is the most advanced (if not overkill) open source hex editor I have ever used.


The niche extras. Two more hex editors deserve mention here, one for its built-in live disassembly and the other for low-level operation.

FileInsight

3. FileInsight from McAfee http://www.mcafee.com/us/downloads/free-tools/index.aspx is a hex editor specific to malware analysis, so large file support is not a concern. Live disassembly is done using libdasm; by the way, it will produce assembly for *any* interpretable binary data. The interface is rather flashy :D, I think this is a Delphi app. Its PE structure analysis is on par with tinyhexer's plugin. And despite being niche, FileInsight is also extendable, this time using JavaScript (via the built-in SpiderMonkey engine) or Python (needs a preinstalled python). Note that the open source wxHexEditor can also do live disassembly (via udis86), with other features similar to the popular HxD.


Disk Editor

4. Active @ Disk Editor http://lsoft.net/disk_utilit.aspx is a low-level-access hex editor for which I have no other free comparison. The first two hex editors here are able to open a disk raw, however without the ability to traverse or sync with the actual filesystem those two miss the usefulness. Most forensic tools also do low-level (raw mode) access, but usually for read-only acquisition, and they reinterpret the filesystem wholly, including orphaned files (recovery), which Active @ Disk Editor doesn't (that's what the paid Active @ UNDELETE will do). Supported filesystems include: NTFS, FAT, HFS+, ExtFS, UFS and BtrFS. Like hexedit and tinyhexer, diskeditor also has templates, in this case: boot record, partition table and so on. I found the interface rather confusing (Qt based) and it could be more streamlined, but this is no major issue. As a bonus, it can edit disk images too.


28 January 2016

NatGeo CNG image converter

Love geography? Or have you downloaded their free huge magazine scans library? Then you may be interested in this tool from http://diplograph.net/posts/decoding_the_complete_national_geographic_images

In short, cng2jpg de-obfuscates NatGeo's jpg files (a lossless operation).

This is a win32 version of the C command-line application by Paul Knight; I just changed the file mode to make the Windows version work.

cng2jpg.7z 11Kb

Alternatively, a .NET GUI application is available at https://github.com/keithn/cng2jpg/releases

23 January 2016

Alternative build for XScreenSaverWin

I found a great screensaver port from Linux at http://katahiromz.web.fc2.com/xscreensaverwin/eindex.html containing more than 200 screensavers. Okay, that's a LOT; in fact Windows will only list the first 100. Fortunately it comes with random.scr, which is a screensaver loader.

About half of them are OpenGL accelerated, and with some of these I get an error when exiting. I made a minor workaround for that error which at least works for me. I also made a minor modification to the directory organization so that all screensavers go into one folder. This way the folder can be copied to the Windows folder and the random.scr loader can be placed in system32/syswow64 to minimize "pollution".

Here are the download and the modified source:
version 0.77
XScreenSaverWin32.7z (2.74 Mb, 220 Screensavers)
XScreenSaverWinSrc.7z (2.71 Mb, VS 2008 Source)

I wonder if there is a MyPaint brush like that?


16 January 2016

How to download from sourceforge when it goes down

Many are probably aware of SF's occasional hiccups; while they usually don't last long, they can be annoying when you're in a hurry. There are several SF official mirrors that let you enter their file server through a classic http file index; all you need to know is the project name (the one used in the URL). Some of them do not support direct access though.

Just to name a few:
http://jaist.dl.sourceforge.net/project/[projectname]/
http://iweb.dl.sourceforge.net/project/[projectname]/
http://heanet.dl.sourceforge.net/project/[projectname]/
http://liquidtelecom.dl.sourceforge.net/project/[projectname]/
http://tenet.dl.sourceforge.net/project/[projectname]/

But those are just the usual links, aren't they? Yes, the trick is the trailing slash at the end; otherwise it will redirect to the sourceforge web front, and not all mirrors support this trick.

Hosting behavior also varies: some purge old downloads after a period of time, some may have a different interface (different web server).

There are also many alternative mirror/access URLs to be found via google search,

for example:
http://www.mirrorservice.org/sites/ftp.sourceforge.net/pub/sourceforge/n/n7/n7xmaslist/

but those tend to have inconsistent and lengthier URL path patterns.

Basically, you could always provide a true direct link if you have to! (skipping all those ever crowded dodgy ads if you wish to)

For those who haven't realized it yet, I hope this helped.

15 January 2016

8 Songs bundled with Windows

Windows versions released during 2001-2010 have bundled songs. That was the home multimedia era; now, with everything moved to the cloud, Windows 8 and later no longer bundle songs.

Here is the list of songs that I know:

XP:
Windows Welcome music by Microsoft
Like Humans Do (radio edit) by David Byrne
"Highway Blues" by New Stories
Symphony No. 9 (Scherzo) by Ludwig van Beethoven

2003:
No Hay Problema by Pink Martini

7 (Vista?):
Maid with the Flaxen Hair by Richard Stoltzman
Sleep Away by Bob Acri
Kalimba by Mr. Scruff

Apparently Microsoft isn't interested in mainstream genres such as Pop or RnB. I like that attitude!

Windows 10 is

I found a handful of information about Windows 10 from google, since I am unable to get my hands on it (nor do I want to download it; mind you, I killed B.I.T.S on my Windows 8.1)

Windows 10 is yours to enjoy – and absolutely free
Windows 10 is designed to be compatible with the hardware, software, and  peripherals you already own
Windows 10 is familiar and easy to use, with lots of similarities to Windows 7 including the Start menu
Windows 10 is now running on more than 200 million devices
Windows 10 is a personal computer operating system released by Microsoft as part of the Windows NT family of operating systems
Windows 10 is here to change the game
Windows 10 is spying on everybody, and it's all thanks to Microsoft itself
Windows 10 is so familiar and easy to use, you'll feel like an expert
Windows 10 is a free update, making it easier for Microsoft to push the new operating system
Windows 10 Is Tracking You
Windows 10 is an entirely new version of the veteran Windows operating system – a version that is make-or-break for Microsoft
Windows 10 is off to a good start
Windows 10 is an operating system from Microsoft Corporation for servers, desktop PCs, laptops, tablets, phones, and other connected devices
Windows 10 is only free for one year
Windows 10 Is Randomly Deleting Programs, Files, Associations
Windows 10 is Great, Except for the Parts That Are Terrible
Windows 10 is for suckers
Windows 10 Is Malware
Windows 10 is collecting more information than some people may have realized
Windows 10 is specifically designed to give Microsoft a much wider and much tighter grip on consumers
Windows 10 is quickly replacing previous versions of Windows in the enterprise
Windows 10 is harvesting more of YOUR data than any other Microsoft operating  system
Windows 10 is a Broken POS
Windows 10 is not hugely different from Windows 8
Windows 10 Is Catching Up to XP
Windows 10 is doing well overall, and far, far better than Windows 8 as Microsoft hoped
Windows 10 is the best version yet – once the bugs get fixed
Windows 10 Is the Product of a Chastened, Changed Microsoft
Windows 10 is nice
Windows 10 is actually pretty awesome
Windows 10 is 'the last version of Windows'

Let's say it's about a 75/25 pros/cons split of opinion. My take: I think Windows 10 will do OK for home consumers but fail for business and enterprise unless major changes are made. Seriously, this "one OS for all" is just ridiculous.

Not that I hate Windows 10; I think I can use Vista, 7 or 8 (been 2 years now) just fine. However, in terms of a *Personal* Computer Operating System, XP is the better one. My analogy goes like this:

XP is your dog: Maybe primitive but obedient and loyal, though it will bite if abused.
Vista is your mother-in-law (connotation): Noisy and strict, ready to drive you nuts.
7 is your big brother: Reliable and tolerant, but you can hardly talk back in an argument.
8 is a hired assistant: Maybe it suits you or maybe not; a stranger that is harder to approach.
10 is double agent Cortana: In front of you it's nice and all, behind your back it is controlling YOU.

Visual True Type for XP

I have been looking for years for a way to download this thing from Microsoft. Previously this was only available "by request" to the Microsoft typography group or something; however, it's near impossible to get a reply. The program itself was originally released circa 1999-2001 (yeah, Win 9.x era, and slightly updated when XP was released). Now it has been made freely available at https://www.microsoft.com/en-us/download/details.aspx?id=48728 (previously MS VOLT was also made free and has been regularly updated). Together with the other free tools at https://www.microsoft.com/typography/default.mspx these are extensive font development tools for Windows. But there is one problem: VTT 6 is not for XP! geh

So I asked an anon question at stackexchange regarding backporting Vista apps. I was kind of expecting a l33t answer like reconstructing the IAT and some OllyDbg hacking session, but it was the shim method that came up. Well, it is a commonly practiced technique anyway.

To summarize:
- VTT.exe needs CompareStringEx and InitializeCriticalSectionEx, which are unavailable in the XP kernel.
- Both functions are available in msvcp140.dll (part of the Visual C++ 2015 redistributable) under slightly different names, along with other interesting backported functions.
- VTT.exe is compiled with the linker's osversion set to Vista (6.0).
- VTT.exe is also protected with a Microsoft digital signature.

The shim will sit between vtt.exe and kernel32.dll+msvcp140.dll, so we could use either renamed-function redirection or the LoadLibrary way. I chose the first since there are not that many imported functions.

Basically I made a shim that contains a lowercase version of each function (you could use MSDN or the MinGW headers to see the correct declaration), which calls the actual function in kernel32.dll, or in msvcp140.dll for the missing ones.

for example:
#include <windows.h>   // WINAPI, LPCWSTR, LPNLSVERSIONINFO and friends
...
// CompareStringEx: msvcp140.dll exports the backported copy under this name
WINBASEAPI int WINAPI __crtCompareStringEx (LPCWSTR lpLocaleName, DWORD dwCmpFlags, LPCWCH lpString1, int cchCount1, LPCWCH lpString2, int cchCount2, LPNLSVERSIONINFO lpVersionInformation, LPVOID lpReserved, LPARAM lParam);

// lowercase name that the patched VTT.exe import table will point at;
// exported from the shim (dllexport, not WINBASEAPI/dllimport) and simply forwards the call,
// returning the real function's result
__declspec(dllexport) int WINAPI comparestringex (LPCWSTR lpLocaleName, DWORD dwCmpFlags, LPCWCH lpString1, int cchCount1, LPCWCH lpString2, int cchCount2, LPNLSVERSIONINFO lpVersionInformation, LPVOID lpReserved, LPARAM lParam) {
    return __crtCompareStringEx (lpLocaleName, dwCmpFlags, lpString1, cchCount1, lpString2, cchCount2, lpVersionInformation, lpReserved, lParam);
}
...

and compile with:
gcc -shared -Wl,--kill-at -o vttforxp.dll vttforxp.c -L. -lmsvcp140 -s

Next we need to rename the imported functions in VTT.exe to lowercase too (yeah, kind of risky here) and rename kernel32.dll to vttforxp.dll; we can use a hex editor.

Next we remove the digital signature, since it obviously becomes invalid now. We can use osslsigncode:
osslsigncode remove-signature -in vtt.exe -out vtt.exe

Next we need to downgrade the os.version in the PE header to 5.1 (XP). We can use editbin or pehdr-lite:
pehdr-lite vtt.exe -osver 5.1 -subsysver 5.1

As a bonus step, we can use Microsoft mt to add an xptheme manifest.

That's it! Well, of course this case is rather simplistic, but it is still a real-world case :)
Heck, some apps even simply set a higher os.version (due to the newer compiler default) so that it spews a stupid error message like "invalid win32 application"...
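Added example (my own code, not the author's shim, pehdr-lite or editbin): a small PE header reader that reports the OS/subsystem version fields the last step downgrades, applies the same 5.1 downgrade itself, and checks whether the Authenticode security directory is still populated, so you can verify a patched binary before and after. It builds a minimal PE32 header in memory as a constructed sample (no real VTT.exe needed) and uses the field offsets from the PE/COFF specification, which are the same for PE32 and PE32+ except for the data directory position.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table


def _optional_header_offset(pe):
    """Validate MZ/PE signatures and return the file offset of IMAGE_OPTIONAL_HEADER."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20           # 'PE\0\0' + IMAGE_FILE_HEADER


def read_versions(pe):
    """Return ((MajorOS, MinorOS), (MajorSubsystem, MinorSubsystem))."""
    opt = _optional_header_offset(pe)
    os_ver = struct.unpack_from("<HH", pe, opt + 40)
    subsys_ver = struct.unpack_from("<HH", pe, opt + 48)
    return os_ver, subsys_ver


def set_versions(pe, osver, subsysver):
    """What 'pehdr-lite vtt.exe -osver 5.1 -subsysver 5.1' does: rewrite both version pairs."""
    out = bytearray(pe)
    opt = _optional_header_offset(out)
    struct.pack_into("<HH", out, opt + 40, *osver)
    struct.pack_into("<HH", out, opt + 48, *subsysver)
    return bytes(out)


def has_authenticode_signature(pe):
    """True if the security data directory (file offset + size) is non-empty."""
    opt = _optional_header_offset(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    data_dir = opt + (96 if magic == PE32_MAGIC else 112)
    count = struct.unpack_from("<I", pe, data_dir - 4)[0]   # NumberOfRvaAndSizes
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    offset, size = struct.unpack_from("<II", pe, data_dir + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return offset != 0 and size != 0


def build_sample_pe(osver=(6, 0), subsysver=(6, 0), signed=True):
    """Constructed minimal PE32 header (no sections, not loadable), for parsing only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<HH", opt, 40, *osver)
    struct.pack_into("<HH", opt, 48, *subsysver)
    struct.pack_into("<H", opt, 68, 2)                       # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    if signed:   # placeholder certificate table location, constructed values
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    vista = build_sample_pe()
    print("before:", read_versions(vista), "signed:", has_authenticode_signature(vista))
    xp = set_versions(vista, (5, 1), (5, 1))
    print("after: ", read_versions(xp), "signed:", has_authenticode_signature(xp))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to the same functions; note that a still-populated security directory after patching is the sign that the osslsigncode step was skipped and the loader will see a broken signature.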