Slow File Transfers on Windows Vista

File copying in Windows XP seems better than it is in Windows Vista. Microsoft has even acknowledged the problem in their knowledge base. The hotfix is only available from Microsoft PSS, unless you look around a bit. I found this web site here that offers up some suggestions on fixing this problem, including a link to a web site called TheHotFixSite. This web site hosts hotfixes that Microsoft releases only via PSS (i.e. does not make available to the general public). Contacting PSS usually involves paying a fee for the hotfix. KB931770, which is mentioned in the Microsoft knowledge base, is available from TheHotFixSite.

Please note that this hotfix will be incorporated in the next service pack for Windows Vista and that this hotfix in its current form is not widely tested. Use at your own risk!

– Soli Deo Gloria

Adoption of Windows Vista: Real Numbers

Someone recently asked on Experts-Exchange how many people are using Windows Vista in the world. I decided to do some research (ad hoc, mind you) into what the real numbers are. From my own web site, these are the stats:

Operating Systems

Version         Hits   Percent
Windows XP      15116  61.7 %
Windows NT         39   0.1 %
Windows Me         19   0 %
Windows Vista    6113  24.9 %
Windows CE         13   0 %
Windows 98        180   0.7 %
Windows 95          1   0 %
Windows 2003      427   1.7 %
Windows 2000      878   3.5 %

93% of the operating systems that visited my site were Windows, so if we are just talking about Windows itself that would be:

Windows XP: 66.3%

Windows Vista: 26.8%

Windows 2000: 3.8%

In the thread, I gave the number as 32.8%. This is because I was manually counting from analog’s log. The numbers at boingboing.net are a bit more interesting. To date this month, boingboing.net has 1,126,157 unique visitors. Their breakdown, as given by AWstats, is as follows:

Version         Percent
Windows XP      59.4 %
Windows NT       0.9 %
Windows Me       0.2 %
Windows Vista    2.4 %
Windows CE       0 %
Windows 98       0.6 %
Windows 95       0 %
Windows 2003     0.5 %
Windows 2000     3.2 %
Windows 3.xx     0 %

If we break this down to just Windows, that would be:

Windows XP: 87.9%
Windows Vista: 3.6%
Windows 2000: 4.8%

So how does this compare to Windows XP’s launch? We would need some access.log files from around October 2001. I found AWstats for a Princeton department website covering this time period. Two months after the XP launch (12/2001), 6.4% of the users were using Windows XP to access the site. In 4/1/02 (6 months after the Windows XP launch), the number jumped to 10.3%. In 12/2002, Windows XP was at 23.8%. Another site called mariley.com gives some data to play with: In 1/01/02, 1.8% visits were from Windows XP, 69.7% for Windows 98. 4/1/02 (6 months after Windows XP launch) produces Windows XP at 8.3%, Windows 98 at 58.3%. Computerking.org gives XP 2.76% in 01/01/02 and 4.98% on 4/01/02. There’s a nice chart from W3C on historic OS usage here.

Taking the average of all three of these stats, you get a 3.56% growth rate for Windows XP 2 months after launch. It took around a year and a half for Windows XP to surpass the Windows 98 market share, at 34.63% versus 24.93%. We really won’t know how Vista is doing for probably at least a year, but given these current statistics (and given they are after a holiday season), Vista seems to be keeping pace with Windows XP’s launch.

IDC predicts strong growth for Windows Vista. It’s been 5 long years since the last update. I predict Vista numbers to soar past Windows XP’s.

-Soli Deo Gloria

Columbo Files: Limited or No Connectivity

I had an interesting problem recently. A user called and was not able to get on the network. After arriving at the user’s desktop, I noted the PC had an APIPA address and the NIC noted that it had “Limited or No Connectivity”. After disabling/re-enabling the NIC, removing/re-adding it and rebooting the PC, I ended up with the same result. Thinking it was a network problem, I proceeded to switch ports on the network switch and tried another network jack. Same thing. I then tried another NIC in the PC: same thing. I then brought over a laptop and plugged it in: it got an IP address right away. I left the laptop with the user and brought the computer back to my desk for inspection.

When I tried pinging any host on the network, I would get a “y” symbol with two little dots above it. Ah, here it is: ӱ. Charmap lists this as a “Cyrillic Small Letter U with Diaeresis”. Well, thanks for clearing that up! I ran Winsock XP Fix and the PC connected to the network just fine! Weird.
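Before resetting a broken Winsock stack it is worth recording what is in the catalog, since a provider DLL that is missing or not Microsoft's is the usual reason the stack stops working. The script below is an added example, not the Winsock XP Fix tool used above: it parses the provider paths that `netsh winsock show catalog` prints and checks each DLL's presence and signature. It assumes PowerShell 5.1 on a supported Windows build; on older builds Get-AuthenticodeSignature reports catalog-signed Microsoft DLLs as NotSigned, so there the Status column should be verified with Sysinternals sigcheck instead.

```powershell
# Added example, not the Winsock XP Fix tool the post used. Lists the Winsock catalog
# providers (the LSP chain) that netsh reports, then checks whether each provider DLL exists
# and carries a valid signature. Assumes PowerShell 5.1 on a supported Windows build; on
# older builds Get-AuthenticodeSignature reports catalog-signed Microsoft DLLs as NotSigned,
# so there use Sysinternals sigcheck rather than trusting the Status column.

function Get-WinsockProvider {
    # 'netsh winsock show catalog' prints one 'Provider Path:' line per catalog entry,
    # usually with %SystemRoot% in the path, so expand environment variables first.
    $paths = netsh winsock show catalog | ForEach-Object {
        if ($_ -match '^\s*Provider Path:\s*(.+?)\s*$') {
            [Environment]::ExpandEnvironmentVariables($Matches[1])
        }
    }

    foreach ($path in ($paths | Sort-Object -Unique)) {
        if (Test-Path -LiteralPath $path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        } else {
            # A provider DLL that no longer exists (deleted by a cleanup tool or by the
            # malware itself) breaks Winsock and gives the "no connectivity" symptom above.
            $status = 'FileMissing'
            $signer = ''
        }
        [pscustomobject]@{ Path = $path; Status = $status; Signer = $signer }
    }
}

# Anything that is FileMissing, or a non-Microsoft DLL sitting in the chain, deserves a look
# before the catalog is reset.
Get-WinsockProvider | Format-Table -AutoSize

# The built-in reset (Windows XP SP2 and later) rebuilds the catalog to defaults after a reboot:
#   netsh winsock reset
```

Run it from an elevated prompt and keep the table with the ticket: once the catalog has been reset, the evidence of what was hooked into it is gone.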

About a day later, the mystery was starting to unravel. The same user called again stating that Internet Explorer wouldn’t start due to the fact that it was looking for a file called msvcrl.dll. This file looks innocent enough, so I went searching for it on another Windows XP workstation, but alas I could not find the file anywhere. Using my old trusty friend Google, I discovered that the file was “a Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data.” That’s great, on a computer that someone runs our financials on too!

The major threat was already gone, but how was I to repair Internet Explorer? A search of the registry did not produce any results for msvcrl.dll. Perhaps it was tucked away in some binary value in the registry? I tried to reinstall IE, but it told me that a newer version was already installed. Using the “IsInstalled” registry trick from Microsoft would not fool the computer into reinstalling IE. Bummer. After digging around on Google some more, I found IEFIX. This utility repairs Internet Explorer back to its clean state by re-registering the original files from your Windows XP CD. I ran this on the PC in question and it was fixed (finally!).

– Soli Deo Gloria

Rootkits: A New Form of Malware

Recently, two of my “high risk” Internet users caught a nasty spell of malware. How nasty? Try rootkit nasty! Rootkits go above and beyond spyware by replacing system files and concealing themselves from system utilities. The first PC had a combination of spyware named TSPY_QQPASS.BUY and a rootkit named Greypigeon. Both PCs had the latest version of Symantec Corporate Antivirus with the latest virus definitions.

I will once again voice my displeasure with Symantec. They claim that SAV does greyware detection and therefore you should disable Windows Defender if you are running Windows Vista. However, this is the second time in 3 months that Symantec has completely failed us. It did detect the spyware on the first PC, but it was unable to clean it. It was also impossible to unload or terminate SAV to clean off the virus, as it pops in your face every time you try to delete a file. Removing the spyware was impossible: I spent over 2 hours trying to get it off only to have the executables keep returning. I ended up doing a System Restore within Windows XP to restore startup sanity and then cleaning up the dormant spyware files by hand (neither Symantec nor McAfee would identify the majority of the bad files: I ended up Googling some of the files I kept seeing reappear like “gg.exe” and “zz.exe” and then backtracked other filenames mentioned in the article like newinfo.rxk, then deleted those one-by-one).

The spyware was clever, quite clever actually. Most spyware files are dated with the date they infect the system. However, this spyware was pre-dated back to August 2004, along with most of the other legitimate Windows files. Someone went through a lot of trouble to keep this stuff hidden, as this is the date that service pack 2 was released for Windows XP, therefore most legitimate files are dated 8/4/04. The spyware also took on legitimate looking Windows names, such as rpcs.exe and svchost.exe. Not being digitally signed, however, gives them away.

On to the next PC…this time it was called into the Help Desk as being a problem with Microsoft Excel. It seems that data in Excel wasn’t scrolling when the user scrolled with the mouse cursor using the right side bar. Excel was also slow and “crash prone”. I suggested we try to remove Microsoft Office and reinstall it. Upon trying to do this, I noted the system was extremely sluggish. Opening the process list in Process Explorer revealed 4 copies of svchost.exe running: unsigned of course, along with something called rpcs.exe that was kicking off iexplore.exe and other files such as “nortons.exe” and “winform.exe”. Cleaning this up was easy actually: using a combination of Process Explorer and Autoruns, I was able to clean off most of the bad guys, except rpcs.exe kept showing back up after reboots.

Unfortunately, Rootkit Revealer would just freeze up on this system. I then tried the System Repair Engineer from kztechs.com. Right away SRE lets me know that something is wrong:

Clicking on details gives me this:

The really funny part is if you go into Windows Explorer and go to C:\windows\pss, you will see nothing there. That’s because this rootkit is intercepting our calls to list this directory and is feeding us false information. If you were to boot from BartPE, you would actually see the files there. We’ll proceed to the Smart Scan within SRE…all this does is create a text report of any bad stuff going on with our system. From this report, we are warned once again about C:\windows\pss\3.dll being a dangerous API hook, as well as 3.exe running as a hidden process. SRE also goes through the services and shows us any services that aren’t digitally signed. I find that Greypigeon installed a service for us! Pigeons usually crap all over the place and this is no exception: attacking via a service is not a common attack vector and therefore will likely get missed (I missed it myself the first few passes).

SRE also has a few nifty repair utilities built in, including the ability to restore hijacked file extensions, restore Winsock back to its default state, restore default Windows policies and restore safe mode services (some spyware removes the Safeboot key to keep you from booting into safe mode to remove them). Unfortunately, SRE cannot terminate hidden processes or locked files: we have to use Icesword for that. Icesword was written in Chinese and was translated to English, so you don’t get any documentation with it. However, it’s pretty easy to use, and who ever reads documentation anyway? As Dogbert once said: “While you’re waiting, read the free novel we sent you. It’s a Spanish story about a guy named ‘Manual’.”
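The checks that actually caught this infection were simple ones: system binary names running from the wrong directory, executables with no valid signature, an unsigned service, a SafeBoot key that malware likes to delete, and a directory that looks different from inside the running OS than from an offline boot. The script below is an added example that packages those checks; it is not code from this post or from SRE, Icesword, Autoruns or Process Explorer. It assumes PowerShell 5.1 run as an administrator on a supported Windows build, and the directory listings at the end are constructed to mirror the C:\windows\pss case above. On XP-era builds Get-AuthenticodeSignature reports catalog-signed Windows binaries as NotSigned, so there the signature results must be confirmed with Sysinternals sigcheck (or Process Explorer's Verify column) before anything is treated as bad.

```powershell
# Added triage example; not code from the post or from SRE, Icesword or the Sysinternals tools.
# Assumes PowerShell 5.1 run as administrator on a supported Windows build. On XP-era builds
# Get-AuthenticodeSignature reports catalog-signed Windows binaries as NotSigned, so confirm
# any "not Valid" result there with Sysinternals sigcheck before acting on it.

$SystemDir = [Environment]::GetFolderPath('System')   # normally C:\Windows\System32

# Names the post saw copied by the malware; on a clean box these live under System32.
$SystemBinaryNames = 'svchost.exe', 'csrss.exe', 'lsass.exe', 'services.exe',
                     'winlogon.exe', 'smss.exe', 'spoolsv.exe'

function Get-SignatureStatus {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'FileMissing' }
    (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Find-SuspiciousProcess {
    # One object per running process that is unsigned or wears a system name outside System32.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $name    = [IO.Path]::GetFileName($_.Path).ToLower()
        $reasons = @()
        if ($SystemBinaryNames -contains $name -and $_.Path -notlike "$SystemDir\*") {
            $reasons += 'system binary name outside System32'
        }
        $status = Get-SignatureStatus $_.Path
        if ($status -ne 'Valid') { $reasons += "signature: $status" }
        if ($reasons.Count) {
            [pscustomobject]@{ Kind = 'process'; Name = $name; Id = $_.Id
                               Path = $_.Path; Reason = ($reasons -join '; ') }
        }
    }
}

function Find-UnsignedService {
    # Services are a quiet persistence point (the GreyPigeon service above); report any whose
    # binary is not validly signed. PathName may be quoted and carry arguments like "-k netsvcs".
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = if     ($_.PathName -match '^\s*"([^"]+)"')   { $Matches[1] }
               elseif ($_.PathName -match '^\s*(.+?\.exe)') { $Matches[1] }
               else   { $_.PathName }
        $status = Get-SignatureStatus $exe
        if ($status -ne 'Valid') {
            [pscustomobject]@{ Kind = 'service'; Name = $_.Name; Id = $_.ProcessId
                               Path = $exe; Reason = "signature: $status" }
        }
    }
}

function Test-SafeBootKeys {
    # Some malware deletes these keys so the machine cannot be started in Safe Mode for cleanup.
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        [pscustomobject]@{ Key = $key; Present = (Test-Path -LiteralPath $key) }
    }
}

function Compare-DirectoryViews {
    # Cross-view check: names present in the offline listing but absent from the online one
    # are being hidden from the running OS, as happened with C:\windows\pss above.
    param([string[]]$OnlineListing, [string[]]$OfflineListing)
    $OfflineListing | Where-Object { $OnlineListing -notcontains $_ }
}

Find-SuspiciousProcess | Format-Table -AutoSize
Find-UnsignedService   | Format-Table -AutoSize
Test-SafeBootKeys      | Format-Table -AutoSize

# Constructed sample listings standing in for 'dir C:\windows\pss' run inside Windows and
# again from a BartPE boot of the same disk.
$online  = @()                      # the running system shows an empty directory
$offline = '3.dll', '3.exe'         # the offline boot shows the files the post names
Compare-DirectoryViews -OnlineListing $online -OfflineListing $offline
```

With the constructed listings the last call returns 3.dll and 3.exe, the two names hidden from the running system. In real use the offline listing comes from a directory listing saved while booted from BartPE, and the online one from Get-ChildItem on the same path after a normal boot; the process and service reports are meant to be read the way the post read Process Explorer, as a shortlist to verify, not as a verdict.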

We can click on the Process icon and find our victim:

We can then go back into SRE and delete the GreyPigeon service:

If someone could combine Autoruns, Process Explorer, Icesword and SRE into one product, that would be so cool!

If you want to play around with this rootkit, I’ve uploaded it here. Make sure you only load it into Virtual PC or VMware and not on your PC! THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY AND I CANNOT BE HELD RESPONSIBLE FOR ANY RESULTS YOU GET FROM RUNNING IT! YOU HAVE BEEN WARNED!

So the lesson here is that just because a user gets malware does not mean we have to wipe the machine. What would we learn if we wiped the machine? Interacting with various types of malware and program bugs brings us a closer understanding of the operating system.

– Soli Deo Gloria