CSED 431 Week 4 -- February 15


Networking
Registry editing
   



An excellent book for learning about Windows is the Windows XP Resource Kit (it is a book, despite the name). There are, however, many such thick books about how Windows works.

Most of the labs are safest if done on a virtual machine (keep a separate copy of the *.vdi file too, or else use snapshots). Examining permissions is safe on a "production" system, however. Using regedit is safe if you don't change anything unintentionally.

To get a virtual machine on another machine (presumably Windows, not Linux), do the following:
  1. Install VirtualBox for Windows, from virtualbox.org.
  2. Copy the medXP.vdi file to a USB drive to get it home (you may wish to zip it first).
  3. Copy the medXP.vdi file to the VirtualBox/HardDisks folder on your home system, unzipping if necessary, and then create the new virtual machine. I recommend "create a new virtual machine", but when you get to the point about a hard disk, choose "use existing disk". It is slightly tricky to get your *.vdi file selected; you have to navigate a little.

Good settings for your virtual machine are 192 MB of memory and 16 MB of video memory. If you want to maximize the chance that Microsoft will continue to regard your virtual machine as genuine, use the Advanced button of the Network settings to set the hardware (MAC) address to 080027F6CF5E, so that Windows Product Activation does not see a changed network adapter. (Note that 08:00:27 is VirtualBox's own OUI prefix; this setting keeps the address stable, it does not disguise the fact that the system is a virtual machine.)



Networks

See cs.luc.edu/pld/courses/netnotes.

Ethernet
    Ethernet addresses

Brief review of IP addresses and DHCP
    IPv4 addresses are 4 bytes
    First mention of NAT
    

Click here to find what the CS Dept server thinks is your IP address!





Dozier Law and Sue Scheff

Sue Scheff was a client of Dozier Internet Law, which we looked at last week. She won an $11.3 million verdict in her internet-defamation case; she later wrote a book, Google Bomb. The defendant was Carey Bock of Louisiana.

But see http://www.usatoday.com/tech/news/2006-10-10-internet-defamation-case_x.htm. It turns out Ms Bock couldn't afford an attorney, as she was at the time of the case a displaced person due to Hurricane Katrina, and she did not appear in the case at all.

So we don't really know what happened. However, it is clear that at this point Ms Scheff has become a master at reversing being google-bombed; if you google for her name, her multiple blogs touting her book will likely lead the list.


Commercial
(should be after the regedit section)

Detecting Deep Freeze

Even detecting DeepFreeze can be obscure. My search led me to the following, all of which amounted to reasonably good evidence that DeepFreeze was enabled. Note that in the Loyola labs the DeepFreeze unfreezer application is not present on any lab computers.

My first step was to look in C:\Program Files\Faronics; this turned up the following:

  1. The directory c:\WINDOWS\Program Files\Faronics\Deep Freeze\Install C-0, containing DF5Serv.exe (which was running). Also running is FrzState2k.exe.

  2. In the registry, I found the following:
     HKLM\SOFTWARE\Faronics\Deep Freeze 6
     HKLM\SYSTEM\ControlSet001\Services\DeepFrz\Parameters

  3. In the drivers directory, C:\WINDOWS\system32\drivers, there is a file DeepFrz.sys. The Services\DeepFrz key in item 2 is presumably the service entry under which this driver is loaded.


Disabling Windows Disk Protection

Warning: almost all the steps here will break future removal or reinstallation of WDP.

We know we can disable WDP from the Steady State application. We will investigate disabling WDP by tweaking the filesystem and registry directly. In this sense, we are using WDP as an example of a potential virus that we might also need to disable manually.

First, note that if we do the following to a clean copy of windows
then WDP will be disabled. (The desktop icon will still be there, but it will not run.) The disk cache file will have to be deleted manually. (Note that we will be unable to reinstall SteadyState successfully.)

Second, note that if we instead attempt to delete the drivers, wdfldr.sys and wdf01000.sys, the system will be unbootable.

A third attempt might be to remove the cache file. Attempting this is part of today's lab.

A fourth attempt is to edit the registry remotely, from another instance of Windows (remember that editing the registry on a system with WDP enabled is useless, since the changes are discarded at the next reboot).

To edit the registry remotely, first open regedit as usual. Then select HKEY_USERS (or HKEY_LOCAL_MACHINE; Load Hive is only enabled when one of these two is selected), and choose File => Load Hive. Select the registry hive file you wish to edit, eg E:\windows\system32\config\system, or E:\Docs&Settings\owner\ntuser.dat. You will then have to provide a "mount point" name that represents the "link-in" point to the existing registry; a nonsense name is fine or, if you are editing a user profile, you can use the username. Now you can browse or search the registry hive, and make changes as appropriate. When searching, remember that the search will continue on into the rest of the registry. When you are done, select the mount-point key and choose File => Unload Hive; until the hive is unloaded the file is in use, and changes may not have been written to it. The command-line equivalent is reg load HKLM\TempHive E:\windows\system32\config\system, then regedit or reg add to make the changes, then reg unload HKLM\TempHive.

If you are accessing a frozen machine via a Linux boot CD, you will have to copy the registry hive file onto, say, a USB drive, and use that to carry the file to a real Windows installation for editing. Reverse the steps to get the modified registry hive file back to its original location. And always leave a copy of the original, perhaps with the suffix ".backup", in its original directory. Make that copy before you edit, and make sure the hive has been unloaded from regedit before you copy it back.
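Before loading a hive file copied off a frozen machine, it is worth checking that the copy is a consistent primary hive. The 4096-byte base block at the start of every hive carries a "regf" signature, a version, a checksum, and two sequence numbers that are equal only if the last write completed; if they differ, Windows would replay the .LOG file at boot, and what you copied is mid-transaction. The following is an added example, not from these notes or from any Microsoft tool: it parses the base block with struct, recomputes the checksum, and builds a small synthetic hive image for testing. The layout follows the documented regf format; the hive name 'SYSTEM' and the sequence numbers in the test image are made up.

```python
import struct

# Added example (not from the notes): sanity-check a copied registry hive file before you
# load it with File => Load Hive.  Layout of the 4096-byte "regf" base block (byte offsets):
#   0 'regf'   4 primary seq   8 secondary seq   12 last-write FILETIME   20 major   24 minor
#   28 file type (0 = primary hive)   32 format   36 root cell offset   40 size of hive bins
#   48 hive name (64 bytes UTF-16LE)   508 checksum (XOR of the 127 dwords before it)
BASE_BLOCK = 4096

def regf_checksum(base_block):
    """XOR of the first 127 dwords, with 0 and 0xFFFFFFFF remapped the way Windows does."""
    x = 0
    for (dw,) in struct.iter_unpack('<I', base_block[:508]):
        x ^= dw
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)

def parse_base_block(data):
    if len(data) < BASE_BLOCK or data[:4] != b'regf':
        raise ValueError('not a registry hive: "regf" signature missing')
    seq1, seq2, _ts, major, minor, ftype, _fmt, root, bins = struct.unpack_from('<IIQIIIIII', data, 4)
    name = data[48:112].decode('utf-16-le').split('\0', 1)[0]
    stored = struct.unpack_from('<I', data, 508)[0]
    return {'seq': (seq1, seq2), 'version': (major, minor), 'file_type': ftype,
            'root_cell_offset': root, 'bins_size': bins, 'name': name,
            'checksum_ok': stored == regf_checksum(data),
            'first_bin_ok': data[BASE_BLOCK:BASE_BLOCK + 4] == b'hbin'}

def hive_problems(data):
    """Reasons not to trust this copy; an empty list means it looks like a clean primary hive."""
    info = parse_base_block(data)
    problems = []
    if info['file_type'] != 0:
        problems.append('file type %d: not a primary hive' % info['file_type'])
    if not info['checksum_ok']:
        problems.append('base block checksum mismatch: header corrupted or partially copied')
    if info['seq'][0] != info['seq'][1]:
        problems.append('sequence numbers %d != %d: a write was in progress, .LOG not applied' % info['seq'])
    if not info['first_bin_ok']:
        problems.append('no "hbin" at offset 4096: truncated or not a hive')
    return problems

def check_hive_file(path):
    """Only the base block and the first bin signature are needed for these checks."""
    with open(path, 'rb') as f:
        return hive_problems(f.read(BASE_BLOCK + 4))

def make_test_hive(seq1=7, seq2=7, name='SYSTEM', corrupt_checksum=False):
    """Build a minimal hive image (base block + one empty bin); constructed for testing only."""
    base = bytearray(BASE_BLOCK)
    base[:4] = b'regf'
    # XP hives are version 1.3; root cell at 0x20 inside the first bin; one 4096-byte bin.
    struct.pack_into('<IIQIIIIII', base, 4, seq1, seq2, 0, 1, 3, 0, 1, 0x20, 4096)
    base[48:48 + 2 * len(name)] = name.encode('utf-16-le')
    cs = regf_checksum(base)
    struct.pack_into('<I', base, 508, cs ^ 1 if corrupt_checksum else cs)
    hbin = bytearray(4096)
    hbin[:4] = b'hbin'
    struct.pack_into('<II', hbin, 4, 0, 4096)      # bin's offset from the first bin, bin size
    return bytes(base + hbin)

if __name__ == '__main__':
    import sys
    for path in sys.argv[1:]:
        print(path, hive_problems(open(path, 'rb').read(BASE_BLOCK + 4)) or 'looks clean')
```

Run it as python hivecheck.py /mnt/usb/system before carrying the file to the editing machine; a non-empty list means take the file again after a clean shutdown, or expect regedit to refuse the hive.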




The Registry

This is a hierarchical database. Internal nodes are known (decidedly nonstandardly) as keys and subkeys. Leaf entries are <name,data> pairs, reached via a path of keys; the Microsoftism for these is values, though traditionally that word would be used only for the data portion. Here's an example of a keypath/value set, in the syntax regedit uses for exported .reg files:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies]
"WriteProtect"=dword:00000001
(This particular value, when set to 1, makes USB mass-storage devices read-only.)

The top-level keys are HKEY_LOCAL_MACHINE (HKLM), HKEY_USERS (HKU), HKEY_CLASSES_ROOT (HKCR), HKEY_CURRENT_USER (HKCU), and HKEY_CURRENT_CONFIG (HKCC); only the first two are real roots.

The HKLM key has four subkeys, SAM, Security, Software, and System, that correspond to the four hive files in c:\windows\system32\config of those names. (It also has a Hardware subkey, which is rebuilt at every boot and has no hive file.) Each subkey of HKU is a loaded user profile, backed by that user's ntuser.dat.

The keys HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, and HKEY_CURRENT_CONFIG are actually "links" to subkeys of the above.

The name part of a <name,data> pair is always a string; the data can be a 32-bit word (REG_DWORD), a string (REG_SZ, or REG_EXPAND_SZ for a string containing %VARIABLE% references to be expanded, or REG_MULTI_SZ for a list of strings), or raw binary data (REG_BINARY).

Editing the registry can be done several ways, eg interactively with regedit, by importing a .reg file, or from the command line with reg.exe.
A collection of registry hacks can be found at www.theeldergeek.com/registry_edits.htm.

Exporting the registry as text: regedit's File => Export writes a key (or the whole registry) as a .reg text file.

Diffs (from http://oreilly.com/pub/h/2887): export before and after making a change through the GUI, and diff the two files to see which values the GUI actually set.

Look at what these people have to say:
http://www.spywareremove.com/removeHKCUSoftwareMicrosoftWindowsCurrentVersionExplorerAdvancedSuperHiddendword00000000.html
Their claim that "WARNING! HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden = dword:00000000 registry key is related to spyware" is complete nonsense.

Note, however, that they do this with impunity.

There are many websites and books that publish registry tweaks. Most warn of the dangers of catastrophe. Note that backing up the registry of a booted system can only be done through a special software interface (the RegSaveKey API, which reg.exe exposes as reg save, eg reg save HKLM\SYSTEM system.bak); if you try just to copy the hive files in %WINDIR%\system32\config, you will find that they are "locked" because they are "in use". (You can, as we did last week, go into that directory after booting off another system drive, and just copy the hive files.)

While there are many registry edits possible, usually it is safer to do it the "standard way", eg through the control panel. But two exceptions are when editing multiple accounts, or (better) creating default entries for a user before their account itself has been created.

The registry and Group Policy

Most of the Group Policy options are propagated to domain members by making (remote) settings in their registries. (An exception is the set of basic security policies, including user-rights assignment, password policies, and audit policies; these are not registry-based.) In order for a group policy to be enforceable, first and foremost there must be a registry setting recognized by the domain-member system that can enforce the desired behavior.

Not all GP options have to do with computer restrictions; many settings are simply configuration options.

Many group-policy settings affect only specific Microsoft software, such as Internet Explorer, Windows Media Player, Netmeeting, etc. In an environment where Firefox is available, GP control over IE may not have much effect.

Here are a few options from the System.adm tab of the WindowsServer2003SP2GroupPolicySettings file.


Some demos from www.theeldergeek.com/registry_edits.htm:

1. Launch programs at login without using the Startup folder:
http://www.theeldergeek.com/launch_programs_at_login.htm

2. Force use of the Classic Start menu
http://www.theeldergeek.com/force_use_of_classic_start_menu.htm
Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Modify/Create the Value Name according to the Value Data listed below.
Data Type: REG_DWORD [Dword Value] // Value Name: NoSimpleStartMenu
Value Data: [0 = Default / 1 = Force Classic Start Menu]
Exit Registry and Reboot

3. Hide/Show the My Documents folder on the desktop

Regedit method:
Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder
Modify/Create the Value Data Type(s) and Value Name(s) as detailed below.
Data Type: DWORD // Value Name: Attributes
Setting for Value Data: [Default = 0xf0400174 / Hidden = 0xf0500174]
Exit Registry and Reboot
Mundane method:
Right click on any open area of the Desktop
Click [Properties], select the [Desktop] tab, then click [Customize Desktop] button
Select the [General] tab
In the [Desktop Icons] section place or remove the checkmark next to My Documents


4. Sort Start Menu automatically
This one has to do with tweaking permissions:
Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder

Here's an alternative approach, from http://support.microsoft.com/kb/177482:
To sort the Programs menu, the Documents menu, or the Favorites menu, right-click any item on the menu, and then click Sort by Name.


5. Delete Shared Documents folder:
[Start] [Run] [Regedit]
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders
Locate the subkey {59031a47-3f72-44a7-89c5-5595fe6b30ee}
Right click the key and select delete.
Exit Registry and Reboot


Go back to "Detecting DeepFreeze" and "Disabling Windows Disk Protection" above for more registry examples.




Lab

Phoning the Mother Ship

In this exercise, you are to install SteadyState yet again. However, this time you are to disable the network and log all attempts to connect. As SteadyState is installed, it attempts to contact Microsoft to validate your computer.
  1. Verify that your IP address is 10.0.5.x.  (The x might be 2, 3, or 4.)
  2. In the linux command window, run the command sh blocknonDNS.sh. This blocks (non-DNS) traffic to/from the outside world, but you can still see connection attempts.
  3. Verify that accessing the web fails in windows
  4. In the linux command window, run the snort packet-sniffer via: snort -vde -i tap0, or with sh sniffall.sh
  5. Open the browser in windows again. You should see some activity in the linux window. All packets should be coming from 10.0.5.4 (except those involving port 53). The third line printed for each packet should begin ******S* (S for SYNchronize, meaning an attempt to initiate a connection). 
  6. Run SteadyState.msi. During the installation, it should attempt to contact various web addresses. What are they? (One of them should be 65.55.28.12.) Despite the installer's claim that it is validating your copy of Windows, which cannot be done if the network is blocked, the SteadyState installation does in fact succeed.
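Here is a small parser, added as an example and not part of the lab handout, that answers steps 5 and 6 mechanically: it reads saved snort output (snort -vde -i tap0 > capture.txt, or a copy-paste of the Linux window), keeps only TCP packets whose flag line has S set and A clear, ignores anything on port 53, and counts destinations. It recognises the flags line by its shape (eight flag columns in the order 1 2 U A P R S F, then Seq:) rather than by its position in the packet dump, so it does not matter whether -e adds an Ethernet line. The SAMPLE text is constructed to look like snort output; 65.55.28.12 is the address the lab mentions, 10.0.5.1 is assumed to be the DNS server, and 192.0.2.10 is a documentation-range placeholder.

```python
import re
from collections import Counter

# Added example (not part of the lab handout): summarise connection attempts from saved
# snort -v/-vde output.  snort prints each packet as (with -e) an Ethernet line, then
# "MM/DD-HH:MM:SS.usec src:port -> dst:port", then the IP and TCP header lines.  The TCP
# flags are eight fixed columns in the order 1 2 U A P R S F, '*' meaning not set, so the
# bare SYN that opens a connection prints as ******S*.
_PKT_RE = re.compile(r'^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$')
_FLAGS_RE = re.compile(r'^([12UAPRSF*]{8})\s+Seq:')

def syn_attempts(text, ignore_ports=(53,)):
    """[(src, dst, dport), ...] for every TCP packet with SYN set and ACK clear, skipping
    packets on any port in ignore_ports (53 = DNS, which blocknonDNS.sh leaves open)."""
    attempts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _PKT_RE.match(line)
        if m:
            src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            current = None if sport in ignore_ports or dport in ignore_ports else (src, dst, dport)
            continue
        f = _FLAGS_RE.match(line)
        if f and current is not None:
            flags = f.group(1)
            if flags[6] == 'S' and flags[3] != 'A':
                attempts.append(current)
            current = None                      # one flags line per packet
    return attempts

def destinations(text, ignore_ports=(53,)):
    """Connection attempts per (destination address, port): 'what addresses did it contact?'"""
    return Counter((dst, dport) for _src, dst, dport in syn_attempts(text, ignore_ports))

def unexpected_sources(text, expected_src='10.0.5.4'):
    """SYNs not from the VM's own address (the lab expects none); 10.0.5.4 is the address in step 5."""
    return sorted({src for src, _dst, _dport in syn_attempts(text) if src != expected_src})

SEP = '=+' * 37
# Constructed text in the shape of snort -vde output: 65.55.28.12 is the address the lab
# mentions, 10.0.5.1 is assumed to be the DNS server, 192.0.2.10 is a documentation-range
# placeholder for another host, and the final RST is a reply a firewall might generate.
SAMPLE = '\n'.join([
    '08:00:27:F6:CF:5E -> 0A:00:27:00:00:00 type:0x800 len:0x3E',
    '02/15-14:03:21.101010 10.0.5.4:1034 -> 10.0.5.1:53',
    'TCP TTL:128 TOS:0x0 ID:512 IpLen:20 DgmLen:48 DF',
    '******S* Seq: 0x0A0B0C0D  Ack: 0x0  Win: 0xFFFF  TcpLen: 28',
    '', SEP, '',
    '08:00:27:F6:CF:5E -> 0A:00:27:00:00:00 type:0x800 len:0x3E',
    '02/15-14:03:21.202020 10.0.5.4:1035 -> 65.55.28.12:80',
    'TCP TTL:128 TOS:0x0 ID:513 IpLen:20 DgmLen:48 DF',
    '******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 28',
    'TCP Options (4) => MSS: 1460 NOP NOP SackOK',
    '', SEP, '',
    '08:00:27:F6:CF:5E -> 0A:00:27:00:00:00 type:0x800 len:0x3E',
    '02/15-14:03:24.303030 10.0.5.4:1035 -> 65.55.28.12:80',        # SYN retransmitted
    'TCP TTL:128 TOS:0x0 ID:514 IpLen:20 DgmLen:48 DF',
    '******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0xFFFF  TcpLen: 28',
    '', SEP, '',
    '08:00:27:F6:CF:5E -> 0A:00:27:00:00:00 type:0x800 len:0x3E',
    '02/15-14:03:25.404040 10.0.5.4:1036 -> 192.0.2.10:443',
    'TCP TTL:128 TOS:0x0 ID:515 IpLen:20 DgmLen:48 DF',
    '******S* Seq: 0x5E6F7A8B  Ack: 0x0  Win: 0xFFFF  TcpLen: 28',
    '', SEP, '',
    '0A:00:27:00:00:00 -> 08:00:27:F6:CF:5E type:0x800 len:0x36',
    '02/15-14:03:25.505050 192.0.2.10:443 -> 10.0.5.4:1036',
    'TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40',
    '***A*R** Seq: 0x0  Ack: 0x5E6F7A8C  Win: 0x0  TcpLen: 20',
])

if __name__ == '__main__':
    for (dst, port), n in destinations(SAMPLE).most_common():
        print('%-16s port %-5d %d SYN(s)' % (dst, port, n))
```

Retransmitted SYNs show up as a count greater than one for the same destination, which is itself a sign that the firewall rule is doing its job; a SYN from any address other than the VM's own is what unexpected_sources flags.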

The Registry

Use the "diff" method, or random exploration, to figure out how to set/unset the following Folder Options => View settings from the registry:
    Show hidden files and folders      
    Hide extensions for known file types
    Hide protected operating system files

Try to create a show.reg/hide.reg registry file to do this automatically (by doubleclicking it). Here's a sample .reg file that changes the wallpaper:

REGEDIT4

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\web\\wallpaper\\Bliss.bmp"

It took me quite a while to figure out (can anyone find where it says this on the web somewhere?) that the backslashes in the filename have to be doubled. (I assume this is so because they are part of the string data, and backslashes within strings have long had to be doubled.) If you are setting a numeric value, the following syntax would be more typical:
"CaretWidth"=dword:00000001
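The following added example (not part of the lab handout) implements the diff method and the .reg generation in Python: parse_reg reads a regedit export, diff_reg lists the values that differ between an export taken before and one taken after a change, and to_reg writes values back out in REGEDIT4 syntax. The reason for the doubled backslashes is visible in _unescape: inside a quoted .reg string the backslash is the escape character (\\ for a backslash, \" for a quote), so it has to be doubled on the way out as well. The two exports BEFORE and AFTER are constructed; Wallpaper is the value from the notes, Hidden, HideFileExt and ShowSuperHidden are the Explorer\Advanced values behind the three Folder Options settings, and DemoBlob is an invented binary value that exercises the hex: continuation syntax. Note that regedit's default export format on XP is the Unicode "Windows Registry Editor Version 5.00" one; open such files with encoding='utf-16', whereas REGEDIT4 exports are plain ANSI text.

```python
import re
# Added example (not from the notes).  A value line is  "name"=data  or  @=data  (@ = the (Default) value).
_VALUE_RE = re.compile(r'^("((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HEX_TYPES = {None: 'REG_BINARY', '2': 'REG_EXPAND_SZ', '7': 'REG_MULTI_SZ', 'b': 'REG_QWORD'}

def _unescape(s):
    # Inside a quoted .reg string a backslash escapes the next character (\\ -> \, \" -> "):
    # this is why C:\WINDOWS has to be written C:\\WINDOWS in a .reg file.
    return re.sub(r'\\(.)', r'\1', s)

def _escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')

def _logical_lines(text):
    buf = ''                     # hex: data continues on the next line after a trailing backslash
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith('\\'):
            buf += line[:-1]
        else:
            yield buf + line
            buf = ''

def _parse_data(d):
    if len(d) >= 2 and d[0] == '"' and d[-1] == '"':
        return ('REG_SZ', _unescape(d[1:-1]))
    if d.startswith('dword:'):
        return ('REG_DWORD', int(d[6:], 16))          # dword:00000001 -> 1
    m = re.match(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$', d)
    if m:                                              # hex:, hex(2):, hex(7): ...
        raw = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        return (_HEX_TYPES.get(m.group(1), 'hex(%s)' % m.group(1)), raw)
    raise ValueError('unrecognised data syntax: %r' % d)

def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}}; the (Default) value's name is ''."""
    result, current = {}, None
    for line in _logical_lines(text):
        if not line or line[0] == ';' or line.startswith(('REGEDIT4', 'Windows Registry Editor')):
            continue
        if line[0] == '[':
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError('cannot parse line: %r' % line)
        name = '' if m.group(1) == '@' else _unescape(m.group(2))
        result[current][name] = _parse_data(m.group(3))
    return result

def diff_reg(before, after):
    """The 'diff method': (change, key, name, old, new) for each value that differs between exports."""
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if name not in b:
                changes.append(('added', key, name, None, a[name]))
            elif name not in a:
                changes.append(('removed', key, name, b[name], None))
            elif b[name] != a[name]:
                changes.append(('changed', key, name, b[name], a[name]))
    return changes

def to_reg(entries):
    """Write {key: {name: (type, data)}} as REGEDIT4 text (REG_SZ/REG_DWORD), re-applying the escaping."""
    out = ['REGEDIT4', '']
    for key, values in entries.items():
        out.append('[%s]' % key)
        for name, (typ, data) in values.items():
            lhs = '@' if name == '' else '"%s"' % _escape(name)
            if typ == 'REG_SZ':
                out.append('%s="%s"' % (lhs, _escape(data)))
            elif typ == 'REG_DWORD':
                out.append('%s=dword:%08x' % (lhs, data))
            else:
                raise ValueError('to_reg handles only REG_SZ and REG_DWORD, not %s' % typ)
        out.append('')
    return '\n'.join(out)

# Constructed exports: Wallpaper is the value from the notes, Hidden/HideFileExt/ShowSuperHidden are
# the Explorer Folder Options values, and DemoBlob is an invented binary value to exercise hex: syntax.
BEFORE = r'''REGEDIT4

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\web\\wallpaper\\Bliss.bmp"
"DemoBlob"=hex:00,01,02,\
  03
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
'''
AFTER = r'''REGEDIT4

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\web\\wallpaper\\Bliss.bmp"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideFileExt"=dword:00000000
"ShowSuperHidden"=dword:00000001
'''
```

To produce show.reg from a real before/after pair, feed the two export files to parse_reg, keep the 'added' and 'changed' entries from diff_reg, and pass them to to_reg; hide.reg is the same with the exports swapped. Values that are unchanged (Wallpaper above) are not reported, which is what makes the method usable on a full-registry export of several thousand keys.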