memex/resources/commonplace/1999-12-25-You are being Tracked!!.org

You are being Tracked!!

by: Harmless Strategies <http://canadiantom.com/menu.htm>

Corporations and government are able to go inside your computer and violate your privacy anytime they want! The creator of the Windows operating system has conveniently embedded some interesting files inside each computer, keeping track of all your movements. Here is a small excerpt from the tutorial on the BruteForce CD-ROM.

Want proof? Win95/98

Launch Windows Explorer. Under "Tools" click on "Find". Now look for these files on your hard drive; if you decide to view them, use a good editor like UltraEdit to see what is inside. Normal editors like Notepad will not show you what is contained.

SYSTEM.INI

Contains details about the locations and software that you are running on your system, as well as other personal things that might be helpful for rogues to find out - like preferences and the like.

USER.DAT

This is an important file! Inside this monster there are masses of data about you: the last few dozen places you've visited on the Internet; your name, email address, telephone number, various user IDs and passwords, details about software you use and your preferences, locations of files and folders, and literally hundreds of other personal things! Even the unencrypted names of the Usenet groups you have been playing with lately…

Have a look at your own USER.DAT using an editor like UltraEdit. This should freak you out. Most of the file is encrypted, but you can make out enough references that are in plain text to give you a scare. You can get a free editor here (www.completelyfreesoftware.com).

Make a local copy of it (from your c:\windows\profiles\Yourself) and browse it using an "editor". You'll be amazed at the wealth of information about yourself that this huge database holds… among other things, all the search strings you have recently used! There is a lot of encrypted stuff here as well! The question you have to ask yourself is, "Why is this file there?" Don't alter it in any way! Windows will not work right if you do. They do not want you to change it!

SYSTEM.DAT

Even worse. Once again, lots of personal details, including the location of all your Windows passwords (login, screen saver, network, LAN, etc.), every conceivable thing about your computer, its hardware and setup, and full details of all the software you're using or have ever used. You'll have the surprise of finding all the names of applications you have installed in the last couple of years on your computer! Again, you will have to use "edit" to inspect these files yourself.

*.PWL (pwl)

Located by knowing your user name, or by looking up the above file. Inside here are all your passwords. These are easily decrypted (if necessary).

nsform??.TMP

All the data inside every Netscape form you've ever submitted, with and without Secure Socket Layers.

Inbox, Outbox, Sent, Trash

A complete copy of all your incoming, outgoing, sent, and soon-to-be-deleted email. All in plain text without any encryption.

MsWord, Excel, Access, Power Point

All these programs, as well as Windows itself, cache the filenames of the most recent documents you have been working on. This leads any attacker directly to your recent work!

You are being Tracked ..

Without looking inside the software, we would have no idea that many programs give critical access for filing and writing into the registry of our operating systems. This is a buyer-beware tactic on behalf of corporations (with government happily looking on, calculating the potential for their own misuse). There are even more details on what Microsoft is doing with your information whenever you allow the program called "RegWiz" to collect information.

See essay "RegWiz"

In the world of reverse engineers, the operating system is slave to the owner, not its creator!

Here is an example of easy-to-learn reverse engineering using a Harmless Strategy:

Do not buy software to do something you can easily do for yourself!

That is a simple rule of thumb. Why would you pay for software to eliminate cookies when you can follow the simple directions below or download one of many free software products to do the job for you? This is a fine example of the media's ability to promote a commercial product rather than a practical suggestion.

The best way to eliminate all cookie planting is to create a directory named "cookies.txt" inside Netscape's directory (where the file cookies.txt originally is). This directory will get priority over the targeted file, and all cookies will be sent to… wherever! Hyperspace…

Once you have created this new cookies.txt directory, reset "Options" / "Network Preferences" / "Protocols" / "Show an alert before accepting a cookie" to NO. The sites that you visit will then "believe" that they planted their cookies on your hard disk, and let you through without delay. Only you will know that no cookie was planted!

Wanna get into really scary things? Read this!

The Registration Wizard (by Andrew Schulman, Senior Editor, O'Reilly & Associates)

The "Online Registration" feature of Microsoft's Windows 95 (Win95) (also in Win 98), also known as the "Registration Wizard" (RegWiz), has been the subject of much rumor and more or less idle speculation. Of special concern is RegWiz's ability to collect information on applications (both Microsoft and non-Microsoft) that a user has installed on their hard disk, and to send this information back to Microsoft via the Microsoft Network (MSN). As explained below, the internal name for this process is "Product Inventory": it is a feature of the PRODINV.DLL module included with Win95.

That Win95 can apparently tell what applications you have installed has generated numerous angry reactions online. For example, a posting in the comp.risks newsgroup claims that Win95 "transmits your entire directory structure in [the] background" to MSN. Similar claims have appeared on Microsoft's forums on CompuServe, under headings such as "WIN95: Bye, Bye Privacy" and "Computer espionage by M$".

Ralph Nader's Consumer Project on Technology has even urged President Clinton "to prevent federal agencies from buying Windows 95 until the information gathering features of the 'Registration Wizard' are disabled or modified".

Microsoft has responded with a white-paper clarification (http://www.microsoft.com/windows/pr/regwiz.htm - Microsoft white paper clarification on Windows 95 Online Registration Wizard) which acknowledges that the Win95 Registration Wizard (RegWiz) collects the names of applications, but which also points out that the user must explicitly consent before this information is sent via modem to MSN, and that the information can be viewed in the file REGINFO.TXT. While the Microsoft clarification states that RegWiz "is simply an electronic version of the paper-based registration card," this appears not to be true. RegWiz's apparent ability to sniff out what applications you have is not matched by the printed registration card, which merely asks for general information on the sorts of software you use with your computer (Reference & Education, Games & Entertainment, Personal Finance/Organizer, etc.).

To see exactly what happens during Windows 95 "Online Registration," I used a utility called FILEMON (File Monitor), by Stan Mitchell (73227.1463@compuserve.com), "Monitoring Windows 95 File Activity in Ring 0," Windows/DOS Developer's Journal, July 1995, pp. 6-24. Mitchell is writing a book on the Windows 95 file system, to be published by O'Reilly & Associates in 1996. FILEMON lets you completely monitor all file-system activity under Windows 95. This makes it perfect for getting to the bottom of the rumors that have been circulating about RegWiz. The bottom line is that RegWiz, far from conducting an indiscriminate search of a user's hard disk, instead searches for about 100 specific applications, both from Microsoft and from its competitors. RegWiz is launched by clicking the "Online Registration" button in WELCOME.EXE, which is a small program that provides the initial "Welcome to Windows 95" tips and options. Clicking "Online Registration" launches a program named \WINDOWS\SYSTEM\REGWIZ.EXE (the full command line is "regwiz -i Software\Microsoft\Windows\CurrentVersion"). REGWIZ.EXE in turn loads a dynamic-link library, \WINDOWS\SYSTEM\PRODINV.DLL. This is the "Product Inventory DLL," normally used for compliance checking of upgrades to Microsoft Office programs such as WinWord. (In fact, PRODINV.DLL's internal module name is "COMPLINC," for "compliance checking.")

Of course, when you buy the upgrade edition of something like WinWord, there needs to be a mechanism to check that in fact you really do have some previous word processor, be it a previous version of WinWord or a competitor's word processor, such as AmiPro or WordPerfect. So there's an encrypted database (the reasons for this encryption are discussed below) inside PRODINV of about 100 or so products, indicating that if a given EXE of a given size range is found within a given subdirectory, then you've got a given product, and are entitled to the reduced-price upgrade. Examining the file PRODINV.DLL turns up some intriguing-sounding strings, such as "Registry Search", "INI File Search", "Big Search", and "Hard Disk Search". The DLL exports a function called "RegProductSearch," which is called by REGWIZ.EXE. Examining the file REGWIZ.EXE turns up the names of the people who worked on it:

  • Software development: Tracy Ferrier
  • Program management: David Gonzalez, Peggy Angevine
  • Quality assurance: Sharmilli Ghosh
  • Special thanks to: Evelyn and Lauren

RegWiz will list up to twelve applications that a user owns; these are stored in the text file REGINFO.TXT and in the registry, and are uploaded via MSN. The product inventory section of one REGINFO.TXT might look like this:

Product Inventory 1 = Microsoft Word for Windows
Product Inventory 2 = Personal Oracle 7
Product Inventory 3 = Borland C++ for Windows
Product Inventory 4 = Microsoft Visual C++
Product Inventory 5 = Putt Putt
Product Inventory 6 = Treehouse
Product Inventory 7 = Lotus Notes
Product Inventory 8 = CompuServe
Product Inventory 9 =
Product Inventory 10 =
Product Inventory 11 =
Product Inventory 12 =

It's worth noting that the sample "Product Inventory" screen in Microsoft's white-paper clarification shows only Microsoft programs. But the upset generated by RegWiz has been due, of course, to its collection of information regarding non-Microsoft programs. The applications in which RegWiz takes an interest are as follows (the names come directly from the PRODINV product inventory):

Applications Detected by Win95 Registration Wizard (probably more in Win 98)

3-D Dinosaur Adventure Aldus Pagemaker for Windows
Aldus Persuasion America On-line
AmiPro for Windows Approach for Windows
Bookshelf 94 for Windows Borland C++ for Windows
Borland Dbase Borland Delphi
Borland Paradox for DOS Borland Paradox for Windows
CA - Visual Objects Charisma
Charisma for Windows Clipper
Complete Baseball for Windows Comptons Multimedia Encyclopedia
CompuServe Corel Draw for Windows
Crayola Art Studio Creative Writer
Creative Writer - Ghost Mysteries DataEase
DataEase for Windows dBase for Windows
Director's Lab DOS Encarta
Fine Artist Flight Simulator
FoxPro for DOS FoxPro for Windows - Standard
Freddi Fish Gupta SQL Windows
Harvard Graphics Haunted House
Internet In A Box Kid Pix DOS
Kid Pix WIN Lion King Print Studio
Lion King Story Book Lotus 123 for Windows
Lotus Notes Lotus123 for DOS
Mathblaster Episode 1 Mathblaster Episode 2
Microsoft Access Developers Toolkit Microsoft Access for Windows
Microsoft Access Upsizing Tool Microsoft Encarta '95
Microsoft Excel for Windows Microsoft Money
Microsoft Office for Windows Microsoft Powerpoint for Windows
Microsoft Project for Windows Microsoft Publisher
Microsoft Visual Basic Professional Microsoft Visual C++
Microsoft Visual FoxPro for Windows Microsoft Word for DOS
Microsoft Word for Windows Microsoft Works for Windows
Mind Your Money Money
MSB - Human Body MSB - Solar
My First Encyclopedia NCSA Mosaic for Windows
Oregon Trail Oregon Trail 2
Personal Oracle 7 PGA Tour 486
Playroom PowerBuilder Enterprise 4 for NT
PowerBuilder Enterprise 4 for Windows PowerPlus
Print Shop Deluxe for Windows Prodigy
Putt Putt Quattro Pro for DOS
Quattro Pro for Windows Quick C for Windows
Quicken for Windows Rabbit Ears - Leopard
Reader Rabbit 1 Reader Rabbit 2
Relentless Scenes
Spider Man Cartoon Maker SuperBase
Treehouse Turbo Pascal for Windows
Where in Space is Carmen San Diego Where in the USA is Carmen
Where in the World is Carmen San Diego Wine Guide
WordPerfect for DOS WordPerfect for DOS
WordPerfect for Windows

While there are many Microsoft applications listed here, note that there are also many from other vendors. Some major commercial applications, such as Lotus Freelance Graphics, do not appear on the list, while many programs for children, such as Treehouse and Reader Rabbit, are included.

Given that RegWiz ships this information over the Microsoft Network (MSN), it's interesting to note that RegWiz is checking for the major online services that compete with MSN, such as America On-line, CompuServe, and Prodigy. Two Internet-related products, NCSA Mosaic for Windows and Internet in a Box, appear on the list, but Netscape does not. Most striking, of course, is the presence of many non-Microsoft productivity applications, such as AmiPro for Windows, Borland Dbase, Borland Paradox, Gupta SQL Windows, Lotus Notes, Lotus 123, Personal Oracle 7, Quattro Pro, and WordPerfect. Is all this a cause for concern? After all, as Microsoft points out, the user must explicitly allow RegWiz to upload this information to Microsoft. The user can choose not to run Online Registration at all. They can, without any harm to Win95, delete REGWIZ.EXE and even WELCOME.EXE.

But what is a Microsoft Office upgrade mechanism doing as part of the operating system's online registration? Why is the operating system being used to collect customer lists and/or statistical information on applications that compete with those from Microsoft? The Registration Wizard appears to be yet another case in which Microsoft has blurred the distinction (whatever distinction remains) between its applications and operating-system divisions. Were I a Microsoft competitor whose product appeared in the encrypted PRODINV database, I wouldn't be particularly happy with Microsoft acquiring (for free) a good chunk of my customer list, via online registration for Windows 95, which is supposed to be a platform supporting my product.

So, it's not really an invasion-of-privacy issue, but is very possibly an anti-competitive problem: Microsoft is using its control over the operating system to gain information about applications that compete with its own applications. How does PRODINV determine that you have one or more of the products in its encrypted database? Running the FILEMON utility alongside RegWiz revealed that a large number of directory names were being checked. The output from FILEMON looks like this (… indicates lines removed for brevity):

Extract from FILEMON Output

031 Open [c1065964] {c104ca54} C:\WIN95\WELCOME.EXE
060 Open [c10658b4] {c104ca54} C:\WIN95\SYSTEM\REGWIZ.EXE
098 Open [c10646d0] {c104ca54} C:\WIN95\SYSTEM\PRODINV.DLL
…
175 e GetAttrib {c104ca54} C:\ACCESS
176 e GetAttrib {c104ca54} C:\MSOFFICE\ACCESS
177 e GetAttrib {c104ca54} C:\WORLDMPC
178 e GetAttrib {c104ca54} C:\SPACE
179 e GetAttrib {c104ca54} C:\CAVO
180 e GetAttrib {c104ca54} C:\DBASEWIN\BIN
181 e GetAttrib {c104ca54} C:\DELPHI
182 e GetAttrib {c104ca54} C:\DELPHI\BIN
183 e GetAttrib {c104ca54} C:\DISNEY\LKASB
184 e GetAttrib {c104ca54} C:\LKSTUDIO
185 e GetAttrib {c104ca54} C:\MYMWIN2
186 e GetAttrib {c104ca54} C:\ORAWIN\BIN
187 e GetAttrib {c104ca54} C:\PB4
188 e GetAttrib {c104ca54} C:\PB4NT
189 e GetAttrib {c104ca54} C:\TLC\RR1
…
251 e GetAttrib {c104cc68} E:\AOL20
252 e GetAttrib {c104cc68} E:\WAOL
253 e GetAttrib {c104cc68} E:\BC4
254 e GetAttrib {c104cc68} E:\CSERVE
000 e GetAttrib {c104cc68} E:\AMIPRO
001 e GetAttrib {c104cc68} E:\PRODIGY
002 e GetAttrib {c104cc68} E:\ALDUS
003 e GetAttrib {c104cc68} E:\IBOX
004 e GetAttrib {c104cc68} E:\DBASE
…
107 e GetAttrib {c104cc68} E:\KA\TREE
108 e GetAttrib {c104cc68} E:\TREEHSE

Simplifying the FILEMON output, here is a complete list of the directories for which RegWiz (actually, the ProdInv "product inventory" module) searches:

Directories Scanned by Win95 Registration Wizard

\123R4D \123R4W \ACCESS \ALDUS
\AMIPRO \AOL20 \APPROACH \BASEBALL
\BC4 \BS \CAVO \CHARISMA
\CIE \CLIPPER5\BIN \CLIPPER5\LIB \CRAYOLA
\CSERVE \DBASE \DBASEWIN\BIN \DEASE
\DELPHI \DELPHI\BIN \DEWIN \DINO3D
\DISNEY\LKASB \ENCARTA \EXCEL \FLTSIM5
\FOXPRO2 \FOXPROW \FPW26 \GUPTA
\HG \HG3 \HGW \IBOX
\KA\SPIDERCM \KA\TREE \KIDPIX \LKSTUDIO
\LOSTCITY \MBWINCD \MECC\OTII \MOSAIC
\MSKIDS \MSKIDS\LEAOPARD \MSMONEY \MSOFFICE
\MSOFFICE\ACCESS \MSOFFICE\SETUP \MSPUB \MSTOOLS
\MSTOOLS\C\DLAB \MSVC20\BIN \MSWINE \MSWORKS
\MYMWIN2 \NOTES \OFFICE\WPWIN \ORAWIN\BIN
\OTWIN \PB4 \PB4NT \PDOX45
\PDOXWIN \PERSUASI \PGA486 \PLAYWRLD
\POWERPNT \PRODIGY \PROJ \PSDWIN
\PUTTPUTT \PWPLUS \QCWIN \QPRO
\QPW \QUICKENW \RELENT \SB4W
\SCENES \SPACE \TLCWIN\RR2WIN \TLC\RR1
\TPW \TREEHSE \VB \VFP
\WAOL \WINDOWS \WINDOWS\CHARISMA \WINDOWS\CORELDRW
\WINPROJ \WINWORD \WINWORD\C\DLAB \WORD
\WORKS \WORLDMPC \WP \WP50
\WP51 \WP60 \WPWIN \WPWIN60

If these directories actually existed, it makes sense that RegWiz would start looking for specific files within them. So the next step was to write a batch file which created all these directories, and then rerun RegWiz alongside FILEMON. Now FILEMON revealed RegWiz searching for specific files within directories. For example:

Extract from FILEMON Output (2)

085 e FndOpen {c104cc68} E:\AOL20\WAOL.EXE
086 GetAttrib {c104cc68} E:\WAOL
087 e FndOpen {c104cc68} E:\WAOL\WAOL.EXE
088 GetAttrib {c104cc68} E:\BC4
089 e FndOpen {c104cc68} E:\BC4\BCW.EXE
090 GetAttrib {c104cc68} E:\CSERVE
091 e FndOpen {c104cc68} E:\CSERVE\WINCIM.EXE
092 GetAttrib {c104cc68} E:\AMIPRO
093 e FndOpen {c104cc68} E:\AMIPRO\AMIPRO.EXE
094 GetAttrib {c104cc68} E:\PRODIGY
095 e FndOpen {c104cc68} E:\PRODIGY\PRODIGY.EXE
096 GetAttrib {c104cc68} E:\ALDUS
097 e FndOpen {c104cc68} E:\ALDUS\ALDSETUP.EXE
098 GetAttrib {c104cc68} E:\IBOX
099 e FndOpen {c104cc68} E:\IBOX\AIRMOS.EXE
100 GetAttrib {c104cc68} E:\DBASE
101 e FndOpen {c104cc68} E:\DBASE\DBASE.EXE

Extracting filenames from the FILEMON output and sorting them yielded the following list of filenames in which RegWiz (again, actually the Win95 PRODINV.DLL "product inventory" module) takes a direct interest:

Files Scanned by Win95 Registration Wizard

\123R4D\123.EXE \123R4W\123W.EXE
\ACCESS\SCWIZ.DLL \ACCESS\SETUPWIZ.MDB
\ACCESS\SWU2016.DLL \ACCESS\WZCS.MDA
\ALDUS\ALDSETUP.EXE \ALDUS\PR2.EXE
\AMIPRO\AMIPRO.EXE \AOL20\WAOL.EXE
\APPROACH\APPROACH.EXE \BASEBALL\BASEBALL.EXE
\BC4\BCW.EXE \BS\BS94.EXE
\CAVO\CAVO.EXE \CHARISMA\CHARISMA.BIN
\CHARISMA\CHARISMA.EXE \CIE\CIE.EXE
\CLIPPER5\BIN\CLIPPER.EXE \CLIPPER5\LIB\CLIPPER.LIB
\CRAYOLA\STUDIO.EXE \CSERVE\WINCIM.EXE
\DBASEWIN\BIN\DBASEWIN.EXE \DBASE\DBASE.EXE
\DBASE\DBASEIV.ICO \DEASE\DE16M.EXE
\DEASE\DEASE.EXE \DELPHI\BIN\DELPHI.EXE
\DELPHI\DELPHI.EXE \DEWIN\DEWIN.EXE
\DINO3D\KAWIN.EXE \DISNEY\LKASB\LIONKING.EXE
\ENCARTA\ENCART95 \EXCEL\EXCEL.EXE
\FLTSIM5\FS5.COM \FOXPRO2\FOXPRO.EXE
\FOXPRO2\FOXPROX.EXE \FOXPROW\FOXPROW.EXE
\FPW26\FOXPROW.EXE \GUPTA\C\DLAB
\GUPTA\SQLWIN50.EXE \HG3\HG3.EXE
\HGW\HG20.EXE \HGW\HGW.EXE
\HGW\HGW1.DLL \HGW\HGW2.DLL
\HGW\HGW20.EXE \HGW\HGW2EXP.DLL
\HGW\HGW3.DLL \HGW\HGW4.DLL
\HGW\HGWPLAY.EXE \HG\HG.EXE
\IBOX\AIRMOS.EXE \KA\SPIDERCM\SPIDERCM.EXE
\KA\TREE\TREE.EXE \KIDPIX\KIDPIX.EXE
\KIDPIX\KPWIN.EXE \LKSTUDIO\LIONKING.EXE
\LOSTCITY\LOSTCITY.EXE \MAIN123W.EXE
\MBWINCD\MB4.INI \MECC\OTII\OTIILB.EXE
\MOSAIC\MOSAIC.EXE \MSKIDS\ARTIST.EXE
\MSKIDS\GWICON.IC \MSKIDS\HHOUSE.ICO
\MSKIDS\LEAOPARD\LEOPARD.EXE \MSKIDS\MSBHUMAN.EXE
\MSKIDS\MSBSOLAR.EXE \MSKIDS\WRITER.EXE
\MSMONEY\MSMONEY.EXE \MSOFFICE\ACCESS\SCWIZ.DLL
\MSOFFICE\ACCESS\SETUPWIZ.MDB \MSOFFICE\ACCESS\SWU2016.DLL
\MSOFFICE\ACCESS\WZCS.MDA \MSOFFICE\MSOFFICE.EXE
\MSOFFICE\SETUP\OFF40_BB.DL_ \MSOFFICE\SETUP\OFF42_BB.DL_
\MSOFFICE\WINWORD\WINWORD.EXE \MSPUB\MSPUB.EXE
\MSTOOLS\WORD.COM \MSVC20\BIN\MSVC.EXE
\MSWINE\WINEGDE.EXE \MSWORKS\MSWORKS.EXE
\MYMWIN2\MYMWIN.EXE \OFFICE\WPWIN\WPWIN.EXE
\OFFICE\WPWIN\WPWIN61.EXE \ORAWIN\BIN\ORAINST.EXE
\OTWIN\OREGON.EXE \PB4NT\PB040.EXE
\PB4\PB040.EXE \PDOX45\PARADOX.AUX
\PDOXWIN\PDOXWIN.EXE \PERSUASI\(C)ALDUS.'92
\PERSUASI\PR2.EXE \PGA486\PGA486.COM
\PLAYWRLD\PLAYROOM.EXE \POWERPNT\POWERPNT.DLL
\POWERPNT\POWERPNT.EXE \PRODIGY\PRODIGY.EXE
\PSDWIN\PSDWIN.EXE \PUTTPUTT\PUTTPUTT.INI
\PWPLUS\PWPLUS.EXE \QCWIN\QCWIN.EXE
\QPRO\Q.EXE \RELENT\RELENT.EXE
\SB4W\SB4W.EXE \SCENES\SCENES.EXE
\SPACE\CARMEN.EXE \TLCWIN\RR2WIN\RR2WIN.EXE
\TLC\RR1\RR1.EXE \TPW\TPW.EXE
\TREEHSE\TREEHSE.EXE \VB\VB.EXE
\VFP\VFP.EXE \WAOL\WAOL.EXE
\WIN95\LOTUS.INI \WINDOWS\CHARISMA\CHARISMA.EXE
\WINDOWS\CORELDRW\CORELDRW.EXE \WINDOWS\HEGAMES.INI
\WINWORD\WORD.COM \WORD.EXE
\WORD\WORD.EXE \WORKS\WORKS.EXE
\WORLDMPC\CARMEN.EXE \WP50\WP.EXE
\WP51\WP.EXE \WP60\WP.EXE
\WPWIN60\WPWIN.EXE \WPWIN\WPWIN.EXE
\WP\WP.EXE

This list should lay to rest the idea that RegWiz scans your entire hard disk. On the contrary, it has specific things it is looking for. Indeed, the list is so specific that one might ask what happens when a user installs a product in a directory other than the vendor's recommended directory: how then would RegWiz find it? We'll get to that later. For now, the important thing is that RegWiz (via PRODINV) does not do an indiscriminate search of your hard disk, but has specific targets in mind.

The next obvious step was to try to create some of these files, and see if RegWiz decided that I now had a given product. However, creating dummy (0-byte) files with the correct names, or files with arbitrarily chosen contents but with the correct names, did not induce RegWiz to believe the corresponding product was installed. Evidently, RegWiz needed something other than directory and file names: perhaps a file checksum, size, date, or a particular pattern of bytes within the file.

To find how RegWiz (ProdInv, actually) was deciding that a user had a product, I needed to find where it kept information associating directory/file names with product names. However, a full search of my hard disk turned up no occurrences of strings such as "TREEHSE" or "TREEHSE.EXE" or "CARMEN.EXE", aside from the ones that showed up in the FILEMON logs. Evidently, then, the actual "product inventory" is kept on disk in compressed and/or encrypted form, and is decrypted in memory only when PRODINV is loaded.

The next step was to run RegWiz under the Soft-ICE Windows debugger (http://www.numega.com/WWW/numega/newsidx.html - NuMega Technologies), and stop the program when it calls the operating-system functions that search for directories and files. The key such function is FindFirstFileA, provided by KERNEL32.DLL. I set a debugger "breakpoint" on this function, ran RegWiz, and clicked "Online Registration."

Sure enough, I could see the names of the directories and files that showed up in the FILEMON output being passed in. I was then able to "walk back" to the place from which FindFirstFileA was being called: it turned out, not surprisingly, to be inside PRODINV.DLL. From there, I had to step back again to see where these names were coming from. I finally located a buffer in memory that looked like this:

Debugger Hex Dump of PRODINV Product Inventory

Break Due to BPMB #013F:009AFA0C W DR3 C=01
:d eax
013F:004436C5 77 6F 72 64 2E 63 6F 6D-2C 5C 77 69 6E 77 6F 72 word.com,\winwor
013F:004436D5 64 2C 31 35 30 30 2C 39-30 30 30 30 2C 33 30 3A d,1500,90000,30:
013F:004436E5 4D 69 63 72 6F 73 6F 66-74 20 57 6F 72 64 20 66 Microsoft Word f
013F:004436F5 6F 72 20 44 4F 53 09 0A-77 6F 72 64 2E 63 6F 6D or DOS..word.com
013F:00443705 2C 5C 77 69 6E 77 6F 72-64 2C 31 35 30 30 2C 39 ,\winword,1500,9
013F:00443715 30 30 30 30 2C 33 30 3A-4D 69 63 72 6F 73 6F 66 0000,30:Microsof
013F:00443725 74 20 57 6F 72 64 20 66-6F 72 20 44 4F 53 09 0A t Word for DOS..

At this point, it was trivial to locate the beginning and end of the buffer, and write it to disk. (Recall that the database is stored on disk in encrypted form; this is why a search of the entire hard disk did not find it.) Here are some selected portions of the PRODINV product inventory:

PRODINV Product Inventory: Extracts

winword6.ini,Microsoft Word,programdir,1
winword.exe,3000000,4000000,2:Microsoft Word for Windows
win.ini,embedding,Word.Document.6,3,,3000000,4000000,2:Microsoft Word for Windows
win.ini,Microsoft Word 2.0,programdir,1,
winword.exe,1000000,2000000,2:Microsoft Word for Windows
win.ini,embedding,WPWin6.0,3,,10000,25000,3:WordPerfect for Windows
lotus.ini,Lotus
Applications,amipro,1,amipro.exe,1000000,1500000,20:AmiPro for Windows
win.ini,AmiPro,dictionary,1,amipro.exe,1000000,1200000,20:AmiPro for Windows
win.ini,extensions,nsf,1,notes.exe,,,43:Lotus Notes
waol.exe,\aol20,12000,15000,54:America On-line
waol.exe,\waol,12000,15000,54:America On-line
bcw.exe,\bc4,850000,920000,45:Borland C++ for Windows
wincim.exe,\cserve,850000,890000,56:CompuServe
amipro.exe,\amipro,700000,2000000,20:AmiPro for Windows
prodigy.exe,\prodigy,550000,560000,57:Prodigy
aldsetup.exe,\aldus,280000,290000,46:Aldus Pagemaker for Windows
airmos.exe,\ibox,600000,650000,75:Internet In A Box
dbase.exe,\dbase,0,500000,21:Borland Dbase
dbaseiv.ico,\dbase,0,2000,21:Borland Dbase

The first set of entries reference .INI (initialization) files, which in turn reference file and/or directory names. For example, "win.ini,embedding,WPWin6.0,3,,10000,25000,3:WordPerfect for Windows" means to look for a WPWin6.0= entry in the [embedding] section in WIN.INI, and to treat the third comma-delimited field as a full directory/filename. If that file is between 10,000 and 25,000 bytes, RegWiz decides you have WordPerfect for Windows. Thus, the following WIN.INI entry:

[embedding]
WPWin6.0=foo,foo,C:\FOO\FOOBISH.EXE,foo

along with a file named C:\FOO\FOOBISH.EXE whose size is between 10,000 and 25,000 bytes, will trigger RegWiz to display "WordPerfect for Windows" as one of the products on the user's machine. The use of .INI files allows RegWiz to detect some applications installed in non-standard directories.

However, the bulk of the product inventory directly references directory and file names, without an intermediary .INI file. For example, the last two entries shown above indicate that, if a user has \DBASE\DBASE.EXE (size anywhere from 0 to 500,000 bytes) OR \DBASE\DBASEIV.ICO (size anywhere from 0 to 2,000 bytes), then they have product #21, "Borland Dbase." So why is the PRODINV "product inventory" encrypted? I suspect because it was originally written for Microsoft Office (a nearly identical module named WRD95INV.DLL comes with WinWord, for example). Because it would be trivial to fool this "wizard" (hmm…) simply by creating an appropriately sized file with the appropriate name in the appropriate subdirectory, the database is encrypted.
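The two kinds of entries explained above (an INI-indirected rule and the direct file/directory/size-window rules) can be simulated to see exactly why a 0-byte dummy file fails to register while a correctly sized one succeeds. This is an added example, not Microsoft's or the article's code: the entry format is inferred from the decrypted extracts above, the disk contents and WIN.INI are constructed in memory, and the drive letters C: and E: are assumed.

```python
"""Simulation of the PRODINV product-inventory rules quoted above (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory text: entries copied from the decrypted extracts above,
# limited to the two forms the article explains (INI-indirected and direct).
INVENTORY = r"""
win.ini,embedding,WPWin6.0,3,,10000,25000,3:WordPerfect for Windows
waol.exe,\aol20,12000,15000,54:America On-line
waol.exe,\waol,12000,15000,54:America On-line
bcw.exe,\bc4,850000,920000,45:Borland C++ for Windows
dbase.exe,\dbase,0,500000,21:Borland Dbase
dbaseiv.ico,\dbase,0,2000,21:Borland Dbase
"""

# Constructed disk contents: upper-case full path -> size in bytes.
SAMPLE_FS = {
    r"C:\AOL20\WAOL.EXE": 0,        # 0-byte dummy, outside 12000..15000: not detected
    r"E:\WAOL\WAOL.EXE": 13500,     # plausibly sized copy on another drive: detected
    r"C:\BC4\BCW.EXE": 1000000,     # right name and place but too large: not detected
    r"C:\DBASE\DBASEIV.ICO": 766,   # either DBASE file is enough for product 21 ...
    r"C:\DBASE\DBASE.EXE": 420000,  # ... and the product is listed only once
    r"C:\FOO\FOOBISH.EXE": 20000,   # reachable only through the WIN.INI entry below
}
# Constructed WIN.INI: file -> section -> key -> raw value (all names lower-cased).
SAMPLE_INI = {"win.ini": {"embedding": {"wpwin6.0": r"foo,foo,C:\FOO\FOOBISH.EXE,foo"}}}


@dataclass(frozen=True)
class Rule:
    product_id: int
    name: str
    file_name: str            # direct rules: file looked for inside `directory`
    directory: str            # direct rules: directory relative to each drive root
    ini: Optional[tuple]      # INI rules: (ini file, section, key, 1-based field)
    min_size: Optional[int]   # empty size fields mean "any size"
    max_size: Optional[int]

def _size(text: str) -> Optional[int]:
    return int(text) if text else None

def parse_rule(line: str) -> Rule:
    """Parse one '<spec>:<product name>' inventory line."""
    spec, name = line.split(":", 1)
    f = spec.split(",")
    if f[0].lower().endswith(".ini"):
        # <ini>,<section>,<key>,<field>,<file>,<min>,<max>,<id>; assumption: only the
        # empty-<file> form, where the INI field is itself a full path, is modelled.
        return Rule(int(f[7]), name, "", "", (f[0], f[1], f[2], int(f[3])),
                    _size(f[5]), _size(f[6]))
    # <file>,<directory>,<min>,<max>,<id>
    return Rule(int(f[4]), name, f[0], f[1], None, _size(f[2]), _size(f[3]))

def load_inventory(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]

def candidate_paths(rule: Rule, inis: Dict, drives=("C:", "E:")) -> List[str]:
    """Paths PRODINV would probe for a rule (the GetAttrib/FndOpen lines in FILEMON)."""
    if rule.ini is None:
        return [f"{d}{rule.directory}\\{rule.file_name}".upper() for d in drives]
    ini, section, key, field = rule.ini
    value = inis.get(ini.lower(), {}).get(section.lower(), {}).get(key.lower())
    fields = value.split(",") if value is not None else []
    return [fields[field - 1].upper()] if len(fields) >= field else []

def rule_matches(rule: Rule, fs: Dict[str, int], inis: Dict) -> bool:
    """True if a candidate file exists and its size falls inside the rule's window."""
    for path in candidate_paths(rule, inis):
        size = fs.get(path)
        if size is None:
            continue
        if (rule.min_size is None or size >= rule.min_size) and \
           (rule.max_size is None or size <= rule.max_size):
            return True
    return False

def product_inventory(rules: List[Rule], fs: Dict[str, int], inis: Dict,
                      limit: int = 12) -> List[str]:
    """Names RegWiz would write as 'Product Inventory N =' lines: one per id, max twelve."""
    found: Dict[int, str] = {}
    for rule in rules:
        if rule.product_id not in found and rule_matches(rule, fs, inis):
            found[rule.product_id] = rule.name
    return list(found.values())[:limit]
```

Calling product_inventory(load_inventory(INVENTORY), SAMPLE_FS, SAMPLE_INI) on the constructed disk yields WordPerfect for Windows, America On-line and Borland Dbase; the 0-byte WAOL.EXE and the oversized BCW.EXE are ignored exactly as the article observed for dummy files.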

This makes perfect sense for application upgrades. But does it make sense for the operating system's online registration?

Microsoft's white-paper clarification says: "Registration enables Microsoft to send information about Microsoft programs that are tailored for users' needs and interests." (yeah, right) While there is nothing wrong in Microsoft seeking to interest WordPerfect or AmiPro users in Microsoft Word, surely they could find a more appropriate venue in which to do so than the online registration of Windows itself, which is supposed to support ALL applications, not just those from Microsoft.

Be scared… be very scared… Now the New York Times tells us about RealNetworks doing it to all of us who listen to MP3s. Check this page out! <http://canadiantom.com/realplayer.htm>

tom-

This article has been used with the permission of Harmless Strategies <http://canadiantom.com/menu.htm>