Girl Geekette

Here is a link I definitely thought was worth mentioning. A List of all the start up programs in Windows XP and wheter or not they NEED to run or are dangerous.

http://www.sysinfo.org/startuplist.php?letter=&filter=&count=50&offset=12500

If you are like I am and you are always trying to streamline your XP box to get only the services you NEED running in MSCONFIG or want to see if some programs are adware, viruses, trojans, drivers, etc.. this list has some of the most common, whether they are required and what they are. This has to be one of the most excellent resources I have seen.

To check to see what startup programs you have, Click on START then RUN And type MSCONFIG in the RUN box and hit ENTER. You will see a new window come up and the STARTUP tab on the right has all of the programs that start up when your computer boots. Just check these programs against the list and see if that program is needed or not.

Needless to say, I was inspired by an article on Windows Security that did a test using Windows 2000 to try my own test with Windows XP using NTFS. Below are my findings and screen by screen snapshots (Thumbnails are shown, click them to see a larger picture that Opens in this window):

ADS test using Windows XP

1. I begin by making a test directory and copying the c:\windows\system32\calc.exe to it. Notice the original date and timestamp (last modified time and date stamp) of the file is 8/23/2001 8:00AM and the size is 112KB.

Alternate Data Streams WinXP Image 1

Here is a listing in DOS that shows the directory with the copied calc.exe file.

Alternate Data Streams WinXP Image 2

2. I append an ADS (Alternate Data Stream) to the Windows Calculator program I copied to the test directory with another Windows program (Notepad - c:\windows\notepad.exe).

While searching around, I happen to run across something that caught my eye. It deals with Microsoft’s NTFS and security. ADS 0r Alternate Data Streams - was originally created to provide compatibility with HFS (Macintosh Hierarchical File System).

Although widely unknown by most that ADS even exists, it is has been used by sometime by people to exploit Windows Boxes that use NTFS. Not all anti-virus programs will pick up alternate data streams. It is easy to exploit the ADS and let it go undetected for some time. Although with technology getting better, some anti-virus scanners are now picking up the ADS when changes have been made to the default configuration.

Security Focus has a demonstration of how this is used by rooting or exploiting a lab box using the MS04–011 vulnerability. The Metaspoilt Framework can allow someone to break into a computer via the lsass overflow.