4hv.org :: Forums :: General Chatting
Cyber Attack on Poor Old Harry

Proud Mary
Mon Aug 10 2009, 11:51AM
Proud Mary Registered Member #543 Joined: Tue Feb 20 2007, 04:26PM
Location: UK
Posts: 4992
Steve McConner wrote ...

Windows slowly decays because it's based on the silly concept of having the OS and all programs store their configuration in a single database, the registry. As time goes on, the registry bloats, slowing down every program that has to access it, which is to say, every program on the system.

Why can't there be a 'registry restore' feature, Steve, so at the click of a mouse the registry could be reverted to its original virgin state?
Steve Conner
Mon Aug 10 2009, 12:07PM
Steve Conner Registered Member #30 Joined: Fri Feb 03 2006, 10:52AM
Location: Glasgow, Scotland
Posts: 6706
Don't know, ask Nick smile

But you can achieve something similar by taking a disk image of your computer just after you install Windows and all your favourite apps. Use Acronis True Image or similar. Then in future you just need to nuke the disk and restore it from that image.
Nicko
Mon Aug 10 2009, 12:46PM
Nicko Registered Member #1334 Joined: Tue Feb 19 2008, 04:37PM
Location: Nr. London, UK
Posts: 615
Harry wrote ...

Why can't there be a 'registry restore' feature, Steve, so at the click of a mouse the registry could be reverted to its original virgin state?
It's already there. System Restore - that's what you are referring to. It tracks changes to Windows system files automatically, and it's part of XP onwards... You can place a named marker, called a Checkpoint, at any time, and revert all your system files back to that point (or any other named checkpoint) at will. All checkpoints are time & date stamped automatically.

A lot of system-ish installs automatically take a Checkpoint, though you can turn it on, if it's not already, by going to Start->All Programs->Accessories->System Tools->System Restore. If System Restore is not enabled, this will bring up the My Computer properties dialog box. Make sure the "Turn off System Restore" check box is clear and allocate a few gig to the service. A shortcut to this is to right-click on My Computer, and then select the System Restore tab...

Now, assume system restore is enabled, restart the app via Start->All Programs->Accessories->System Tools->System Restore.

You can force a Checkpoint by selecting "Create a restore point" and clicking Next. You can then enter a description of the point, e.g. "Before I completely cocked about with the system". Then press Create. A new checkpoint is created. If you return to the home screen of this app and select "Restore my computer to an earlier time", you will be presented with a list of checkpoints to which you can revert your system files.

See Link2 and Link2

It's very easy, really. And ever so useful when you are installing new drivers etc.

HTH
Steve Conner
Mon Aug 10 2009, 12:59PM
Steve Conner Registered Member #30 Joined: Fri Feb 03 2006, 10:52AM
Location: Glasgow, Scotland
Posts: 6706
Except it doesn't always work. Any half-decent trojan will delete all of your system restore points. And I've had it fail to get rid of bad drivers, too.
Chris Russell
Mon Aug 10 2009, 01:03PM
Chris Russell ... not Russel!
Registered Member #1 Joined: Thu Jan 26 2006, 12:18AM
Location: Tempe, Arizona
Posts: 1052
Steve McConner wrote ...

Don't know, ask Nick smile

But you can achieve something similar by taking a disk image of your computer just after you install Windows and all your favourite apps. Use Acronis True Image or similar. Then in future you just need to nuke the disk and restore it from that image.

This is what I do. First, wipe the entire hard drive by booting from a linux live disc, or a separate linux install, and do something like cat /dev/zero > /dev/sda (there's a reason I want all zeros instead of something more secure, like /dev/urandom). Do a fresh install of windows. Get all the drivers working, because usually something critical like the network card driver isn't supported by default, which is a huge pain. I install programs that I know I will need, but not too many, as I am trying to keep this as a small base install. I get all the updates. Then, before things can get any more moved around, I'll boot back into linux, and grab a compressed image of the disk, usually using something like dd bs=512 if=/dev/sda | gzip > xx/systemrestore.img.gz, where xx is the path to an attached USB drive, a second internal hard drive used for linux and/or backups, or perhaps even a remote filesystem mounted via ssh. The fact that the entire HD was wiped to zeroes means that any free space, assuming files haven't been moved around too much, will compress down to basically nothing. An alternate route might be to mount the NTFS partition under linux with read/write, cat a zero file to it that takes up every byte of free space, delete the file, and then proceed as normal.

This way, I end up with an image for the entire hard drive, so that I can always get back up and running relatively quickly. Simply boot into linux, write the image to the hd (piping through gunzip), then reboot into your fresh windows install and update with all the latest patches.

Of course, I'd rather not use windows at all. Unfortunately, I end up using it quite frequently, simply because my computer is my TV, and full screen flash video is still ugly under linux. I don't care to spend the time it would take to reboot half a dozen times a day, so unfortunately, I tend to stay in windows.
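The image-and-restore routine Chris describes above, written out as shell functions; this is an added example, not code from the thread or from any tool mentioned in it. It replaces /dev/sda with a constructed 4 MiB file-backed "disk" so it can run without touching real hardware, and the function names (image_disk, restore_disk, demo_zero_fill) are invented for the example. The demo images the same disk twice, once with leftover junk in the free space and once after that region has been zeroed, to show why the wipe-to-zeros step makes the gzip'd image shrink, and checks that the image restores byte-for-byte.

```shell
#!/bin/sh
# Added example, not code from the thread: the dd | gzip imaging procedure as
# functions, demonstrated on a constructed file-backed "disk" instead of /dev/sda.
set -eu

# Image a whole disk (block device, or any file) into a gzip-compressed file.
# $1 = source device/file, $2 = destination .img.gz
image_disk() {
    dd if="$1" bs=1048576 2>/dev/null | gzip -c > "$2"
}

# Restore an image: decompress it and write it straight back to the target.
# $1 = image .img.gz, $2 = target device/file
restore_disk() {
    gunzip -c "$1" | dd of="$2" bs=1048576 conv=notrunc 2>/dev/null
}

# Size of a file in bytes (wc -c is portable; tr strips BSD wc's padding).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Demonstration on a constructed 4 MiB "disk": the first 1 MiB of random data
# stands in for live files, the remaining 3 MiB for free space. Image it while
# the free space still holds old junk, then zero that region (what filling the
# partition from /dev/zero and deleting the file achieves) and image it again.
# Prints: "<junk image bytes> <zeroed image bytes> <ok|fail for the round-trip>"
demo_zero_fill() {
    tmp=$(mktemp -d)
    disk="$tmp/disk.img"

    # 4 MiB of random bytes: every sector looks "used", nothing compresses
    head -c 4194304 /dev/urandom > "$disk"
    image_disk "$disk" "$tmp/junk.img.gz"
    junk=$(file_size "$tmp/junk.img.gz")

    # zero the 3 MiB "free space" in place, keeping the 1 MiB of "files"
    dd if=/dev/zero of="$disk" bs=1048576 seek=1 count=3 conv=notrunc 2>/dev/null
    image_disk "$disk" "$tmp/zeroed.img.gz"
    zeroed=$(file_size "$tmp/zeroed.img.gz")

    # restore the zeroed image to a fresh file and confirm it matches the source
    restore_disk "$tmp/zeroed.img.gz" "$tmp/restored.img"
    if cmp -s "$disk" "$tmp/restored.img"; then rt=ok; else rt=fail; fi

    rm -rf "$tmp"
    echo "$junk $zeroed $rt"
}

demo_zero_fill
```

Against a real disk the functions are called with the device path (image_disk /dev/sda /mnt/usb/systemrestore.img.gz) from a live system where that device is not mounted, which is what the post's boot-into-linux step provides; the larger block size just makes dd faster than bs=512 and does not change the image.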
Proud Mary
Mon Aug 10 2009, 01:17PM
Proud Mary Registered Member #543 Joined: Tue Feb 20 2007, 04:26PM
Location: UK
Posts: 4992
Oh yes, Nick, I know System Restore and use it from time to time, but are you suggesting that I should go right back to the Windows installation date to revert the registry to its original, faster, state?

As Steve pointed out, I've once or twice found Windows claiming that it wasn't possible to do a system restore, though without offering any explanation that I remember. I can only imagine that the data needed no longer existed in any uncorrupted form, or something of that sort.

Anyway, lads, it's time for my overdue lunch and a little something hopefully more toxic to Pig 'Flu than the much vaunted Tamiflu, which just makes you feel ill and emotionally upset.
Nicko
Mon Aug 10 2009, 01:19PM
Nicko Registered Member #1334 Joined: Tue Feb 19 2008, 04:37PM
Location: Nr. London, UK
Posts: 615
Steve McConner wrote ...

Except it doesn't always work. Any half-decent trojan will delete all of your system restore points. And I've had it fail to get rid of bad drivers, too.
This is probably a fairly futile discussion - Windows certainly has weaknesses, as do all large software systems. The main problem is that it's rarely set up properly - running users without local admin privileges (as we do, and I do at home) is a very good start - anything running with administrator privileges is capable of causing problems, as is anything on a Unix system running as root. Security through obfuscation (cf. your comment about Unix rc files) is a non sequitur. Have a go with Tenable Nessus (if you haven't already) - it can be a real eye-opener... the number of exposed Unix systems running unpatched Apache, MySQL and other outwardly facing vulnerable applications is a shocker....

Both at work & home I use Acronis TrueImage - a wonderful product - Take full backups of the PCs at weekends, then just do differentials during the week - all done by its internal scheduler.
Steve Conner
Mon Aug 10 2009, 01:48PM
Steve Conner Registered Member #30 Joined: Fri Feb 03 2006, 10:52AM
Location: Glasgow, Scotland
Posts: 6706
I won't continue the debate, as you say it's futile, and I can't argue with anyone who likes Father Ted. That is arguably the main problem with Windows, that it comes out of the box with administrator access for everyone! MacOS doesn't, and you have to enter the root password any time you want to do anything dangerous, or the system wants to do something dangerous on your behalf.

I didn't realise that Acronis was a backup tool as well as a disk imager. Can you access a backup made with Acronis using other software, though, or is it a compressed format that only Acronis itself can read? I'm thinking of getting it for use at work.

I don't imply that .rc files are more secure than a registry. Just that the .rc file paradigm is immune to registry bloat, because every application knows which .rc file is its own and doesn't care (or even know) about the others.
Backyard Skunkworks
Thu Aug 13 2009, 12:24AM
Backyard Skunkworks Registered Member #1262 Joined: Fri Jan 25 2008, 05:22AM
Location: Maryland, USA
Posts: 451
I had something like this happen on my laptop not that long ago. I somehow got some form of malware through a banner ad while browsing a (legit) website. I instantly opened task manager to find around five suspicious processes running; after copying all their names I hard powered off the computer.

I was also running XPSP2

I attempted to boot in safe mode, but the malware had disabled it.

I popped out my BartPE recovery disk and booted into it. After poking around the filesystem a bit, I found the suspicious entries in program files that let me ID what malware I had. After that, I manually went through all the EXEs and DLLs in system32 and moved anything suspicious to my ramdisk.

After a couple hours, all the suspicious files were gone and I copied any essential windows files that had become infected from another box.

I then booted back into windows, but command prompt was disabled. At least there was no more malware running though.

I shut down, tried safe mode, it was still disabled.

I finally booted back into BartPE and manually removed my registry files, and then replaced them with copies out of system volume information from the previous week.

This fixed everything.

In this case my AV software was fairly useless, and my knowledge of the windows filesystem allowed me to clean everything out while on a LiveCD. And of course, Linux generally doesn't get viruses. cheesey
rp181
Thu Aug 13 2009, 01:46AM
rp181 Registered Member #1062 Joined: Tue Oct 16 2007, 02:01AM
Location:
Posts: 1529
Same thing happened to me, I ended up deleting the windows partition (I was running ubuntu and windows in a dual boot). I did everything nicko said, to no avail.