memex/resources/commonplace/1999-12-25-You are being Tracked!!.org

:PROPERTIES:
:ID: 5bac8ebc-23c4-469d-a38b-fda83762793a
:CREATED: [1999-12-25]
:MODIFIED: [2020-06-20 Sat 03:33]
:IMPORTED: [2023-02-08 Wed 19:22]
:END:
#+title: You are being Tracked!!
#+filetags: computer hacking security public

by: Harmless Strategies <http://canadiantom.com/menu.htm>

Corporations and government are able to go inside your computer and violate your privacy anytime they want! The creator of the Windows operating system , has conveniently imbedded some interesting files inside each computer keeping track of all your movements. Here is a small excerpt from the tutorial on the BruteForce cd-rom

Want proof? Win95/98

Launch windows explorer. Under "Tools" click on "find" Now, look for these files on your hard drive; if you decide to view them, use a good editor like Ultra Edit to see what is inside. Normal editors like Notepad will not show you what is contained.

SYSTEM.INI

Contains details about the locations and software that you are running on your system, as well as other personal things that might be helpful for rogues to find out - like preferences and the like.

USER.DAT

This is an important file! Inside this monster there are masses of data about you: The last few dozen places you've visited on the Internet; Your name; email address, telephone number, various user ID's and passwords, details about software you use and your preferences, locations of files and folders, and literally hundreds of other personal things! Even the unencrypted names of the usenet groups you have been playing with lately...

Have a look at your own user.dat using an editor like ultraedit. This should freak you out. Most of the file is encrypted but you can make out enough references that are in plain text to give you a scare. You can get a free editor here ( www.completelyfreesoftware.com )

Details Make a local copy of it (from your c:\windows\profiles\Yourself) and browse it using an"editor". You'll be amazed at the wealth of information about yourself that this huge database holds... among other things all the search strings you have recently used! There is a lot of encrypted stuff here as well! The question you have to ask yourself is, "Why is this file there?" Don't alter it in anyway! Windows will not work right if you do. They do notwant you to change it!

SYSTEM.DAT

Even worse, Once again, lots of personal details, including the location of all your windows passwords (login, screen saver, network, LAN, etc.), every conceivable thing about your computer, its hardware and setup, and full details of all the software you're using or you have ever used. You'll have the surprise of finding all the names of applications you have installed in the last couple of years on your computer! Again, you will have to use "edit" to inspect these files yourself.

*.PWL (pwl)

Located by knowing your user name, or by looking up the above file. Inside here are all your passwords. These are easily decrypted (if necessary)

nsform??.TMP

All the data inside every Netscape form you've ever submitted, with and without Secure Socket Layers.

Inbox, Outbox, Sent, Trash

A complete copy of all your incoming, outgoing, sent, and soon-to-be-deleted email. All in plain text without any encryption.

MsWord, Excel, Access, Power Point

All these programs, as well as windows itself, cache the filenames of the most recent documents you have been working on. This leads any attacker directly to your recent work!

You are being Tracked ..

Without looking inside the software, we would have no idea that many programs give critical access for filing and writing into the registry of our operating systems. This is buyer beware tactics on behalf of corporations (with government happily looking on, calculating the potential for their own misuse.) There are even more details on what

Microsoft is doing with your information whenever you allow the program called "RegWhiz" to collect information.

See essay "RegWiz"

In the world of reverse engineers, the operating system is slave to the owner. Not it's creator!

Here is an example of easy to learn reverse engineering using a Harmless Strategy

Do not buy software to do something you can easily do for yourself!

That is a simple rule of thumb. Why would you pay for software to eliminate cookies when you can follow the simple directions below or download one of many free software products to do the job for you? This is a fine example of the media's ability to promote a commercial product rather than a practical suggestion.

The best way to eliminate all cookie planting, is to create a directory "cookies.txt" inside Netscape's directory (where the file cookies.txt originally is). This directory will get priority over the targeted file, and all cookies will be sent to..wherever!

Hyperspace..... Once you have created this new cookies.txt directory, reset "Options"/ "Network"/"preferences"/"protocols"/"show an alert before accepting a cookie to NO, in fact, the sites that you visit will "believe" that they planted their cookies in your hard disk, and let you through without delay. Only you will know that no cookie was planted!

Wanna get into really scary things? Read this!

The registration wizard ::- (by Andrew Schulman, Senior Editor, O'Reilly & Associates)

The "Online Registration" feature of Microsoft's Windows 95 (Win95) (also in Win 98), also known as the "Registration Wizard" (RegWiz), has been the subject of much rumor and more or less idle speculation. Of special concern is RegWiz's ability to collect information on applications (both Microsoft and non-Microsoft) that a user has installed on their hard disk, and to send this information back to Microsoft via the Microsoft Network (MSN). As explained below, the internal name for this process is "Product Inventory": it is a feature of the PRODINV.DLL module included with Win95.

That Win95 can apparently tell what applications you have installed has generated numerous angry reactions online. For example, a posting in the comp.risks newsgroup claims that Win95 "transmits your entire directory structure in [the] background" to MSN. (MSN). Similar claims have appeared on Microsoft's forums on CompuServe, under headings such as "WIN95: Bye, ByePrivacy" and "Computer espionage by M$".

Ralph Nader's Consumer Project on Technology has even urged President Clinton "to prevent federal agencies from buying Windows 95 until the information gathering features of the 'Registration Wizard' are disabled or modified".

Microsoft has responded with a white-paper clarification (http://www.microsoft.com/windows/pr/regwiz.htm - Microsoft white paper clarification on Windows 95 Online Registration Wizard) which acknowledges that the Win95 Registration Wizard (RegWiz) collects the names of applications, but which also points out that the user must explicitly consent before this information is sent via modem to MSN, and that the information can be viewed in the file REGINFO.TXT. While the Microsoft clarification states that RegWiz "is simply an electronic version of the paper-based registration card," this appears not to be true. RegWiz's apparent ability to sniff out what applications you have is not matched by the printed registration card, which merely asks for general information on the sorts of software you use with your computer (Reference & Education, Games & Entertainment, Personal Finance/Organizer, etc.).

To see exactly what happens during Windows 95 "Online Registration," I used a utility called FILEMON (File Monitor), by Stan Mitchell (73227.1463@compuserve.com), "Monitoring Windows 95 File Activity in Ring 0," Windows/DOS Developer's Journal, July 1995, pp. 6-24. Mitchell is writing a book on the Windows 95 file system, to be published by O'Reilly & Associates in 1996. FILEMON lets you completely monitor all file-system activity under Windows 95 This makes it perfect for getting to the bottom of the the rumors that have been circulating about RegWiz. The bottom line is that RegWiz, far from conducting an indiscriminate search of a user's hard disk, instead searches for about 100 specific applications, both from Microsoft and from its competitors. RegWiz is launched by clicking the "Online Registration" button in WELCOME.EXE, which is a small program that provides the initial "Welcome to Windows 95" tips and options. Clicking "Online Registration" launches a program named \WINDOWS\SYSTEM\REGWIZ.EXE (the full command line is "regwiz -i Software\Microsoft\Windows\CurrentVersion". REGWIZ.EXE in turn loads a dynamic-link library, \WINDOWS\SYSTEM\PRODINV.DLL This is the "Product Inventory DLL," normally used for compliance checking of upgrades to Microsoft Office programs such as WinWord. (In fact, PRODINV.DLL's internal module name for "COMPLINC," for "compliance checking.")

Of course, when you buy the upgrade edition of something like WinWord, there needs to be a mechanism to check that in fact you really do have some previous word processor -- be it a previous version of WinWord, or a competitor's word processor, such as AmiProc or WordPerfect. So there's an _encrypted_ database (the reasons for this encryption are discussed below) inside PRODINV of about 100 or so products, indicating that if a given EXE of a given size range is found within a given subdirectory, then you've got a given product, and are entitled to the reduced-price upgrade. Examining the file PRODINV.DLL turns up some intriguing-sounding strings, such as "Registry Search", "INI File Search", "Big Search", and "Hard Disk Search". The DLL exports a function called "RegProductSearch," which is called by REGWIZ.EXE. Examining the file REGWIZ.EXE turns up the names of the people who worked on it:

- Software development: Tracy Ferrier

- Program management: David Gonzalez, Peggy Angevine

- Quality assurance: Sharmilli Ghosh

- Special thanks to: Evelyn and Lauren

RegWiz will list up to twelve applications that a user owns; these are
stored in the text file REGINFO.TXT and in the registry, and are
uploaded via MSN. The product inventorysection of one REGINFO.TXT might
look like this:

Product Inventory 1 = Microsoft Word for Windows

Product Inventory 2 = Personal Oracle 7

Product Inventory 3 = Borland C++ for Windows

Product Inventory 4 = Microsoft Visual C++

Product Inventory 5 = Putt Putt

Product Inventory 6 = Treehouse

Product Inventory 7 = Lotus Notes

Product Inventory 8 = CompuServe

Product Inventory 9 =

Product Inventory 10 =

Product Inventory 11 =

Product Inventory 12 =

It's worth noting that the sample "Product Inventory" screen in Microsoft's white-paper clarification shows only Microsoft programs. But the upset generated by RegWiz has been due, of course, to its collection of information regarding _non-Microsoft_ programs. The applications in which RegWiz takes an interest are as follows (the names come directly from the PRODINV product inventory): Applications Detected by Win95 Registration Wizard: (probably more in

Win 98)

3-D Dinosaur Adventure Aldus Pagemaker for Windows

Aldus Persuasion America On-line

AmiPro for Windows Approach for Windows

Bookshelf 94 for Windows Borland C++ for Windows

Borland Dbase Borland Delphi

Borland Paradox for DOS Borland Paradox for Windows

CA - Visual Objects Charisma

Charisma for Windows Clipper

Complete Baseball for Windows Comptons Multimedia Encyclopedia

CompuServe Corel Draw for Windows

Crayola Art Studio Creative Writer

Creative Writer - Ghost Mysteries DataEase

DataEase for Windows dBase for Windows

Director's Lab DOS Encarta

Fine Artist Flight Simulator

FoxPro for DOS FoxPro for Windows - Standard

Freddi Fish Gupta SQL Windows

Harvard Graphics Haunted House

Internet In A Box Kid Pix DOS

Kid Pix WIN Lion King Print Studio

Lion King Story Book Lotus 123 for Windows

Lotus Notes Lotus123 for DOS

Mathblaster Episode 1 Mathblaster Episode 2

Microsoft Access Developers Toolkit Microsoft Access for Windows

Microsoft Access Upsizing Tool Microsoft Encarta '95

Microsoft Excel for Windows Microsoft Money

Microsoft Office for Windows Microsoft Powerpoint for Windows

Microsoft Project for Windows Microsoft Publisher

Microsoft Visual Basic Professional Microsoft Visual C++

Microsoft Visual FoxPro for Windows Microsoft Word for DOS

Microsoft Word for Windows Microsoft Works for Windows

Mind Your Money Money

MSB - Human Body MSB - Solar

My First Encyclopedia NCSA Mosaic for Windows

Oregon Trail Oregon Trail 2

Personal Oracle 7 PGA Tour 486

Playroom PowerBuilder Enterprise 4 for NT

PowerBuilder Enterprise 4 for Windows PowerPlus

Print Shop Deluxe for Windows Prodigy

Putt Putt Quattro Pro for DOS

Quattro Pro for Windows Quick C for Windows

Quicken for Windows Rabbit Ears - Leopard

Reader Rabbit 1 Reader Rabbit 2

Relentless Scenes

Spider Man Cartoon Maker SuperBase

Treehouse Turbo Pascal for Windows

Where in Space is Carmen San Diego Where in the USA is Carmen

Where in the World is Carmen San Diego Wine Guide

WordPerfect for DOS WordPerfect for DOS

WordPerfect for Windows

While there are many Microsoft applications listed here, note that there are also many from other vendors. Some major commercial applications, such as Lotus Freelance Graphics, do not appear on the list, while many programs for children, such as Treehouse and Reader Rabbit, are included.

Given that RegWiz ships this information over the Microsoft Network (MSN), it's interesting to note that RegWiz is checking for the major online services that compete with MSN, such as America On-line, CompuServe, and Prodigy. Two Internet-related products, NCSA Mosaic for Windows and Internet in a Box, appear on the list, but Netscape does not. Most striking, of course, is the presence of many non-Microsoft productivity applications, such as AmiPro for Windows, Borland Dbase, Borland Paradox, Gupta SQL Windows, Lotus Notes, Lotus 123, Personal Oracle 7, Quattro Pro, and WordPerfect. Is all this a cause for concern? After all, as Microsoft points out, the user must explicitly allow RegWiz to upload this information to Microsoft. The user can choose not to run Online Registration at all. They can, without any harm to Win95, delete REGWIZ.EXE and even WELCOME.EXE.

But what is a Microsoft Office upgrade mechanism doing as part of the operating system's online registration? Why is the operating system being used to collect customer lists and/or statistical information on applications that compete with those from Microsoft? The Registration Wizard appears to be yet another case in which Microsoft has blurred distinction (whatever distinction remains) between its applications and operating-system divisions. Were I a Microsoft competitor whose product appeared in the encrypted PRODINV database, I wouldn't be particularly happy with Microsoft acquiring (for free) a good chunk of my customer list, via online registration for Windows 95, which is supposed to be a platform supporting my product.

So, it's not really an invasion of privacy issue, but is very possibly an anti-competitive problem: Microsoft is using its control over the operating system to gain information about applications that compete with its own applications. How does PRODINV determine that you have one or more of the products in its encrypted database? Running the FILEMON utility alongside RegWiz revealed that a large number of directory names were being checked. The output from FILEMON looks like this (... indicates that lines removed for brevity):

Extract from FILEMON Output

031 Open [c1065964] {c104ca54} C:\WIN95\WELCOME.EXE

...

060 Open [c10658b4] {c104ca54} C:\WIN95\SYSTEM\REGWIZ.EXE

...

098 Open [c10646d0] {c104ca54} C:\WIN95\SYSTEM\PRODINV.DLL

...

175 e GetAttrib {c104ca54} C:\ACCESS

176 e GetAttrib {c104ca54} C:\MSOFFICE\ACCESS

177 e GetAttrib {c104ca54} C:\WORLDMPC

178 e GetAttrib {c104ca54} C:\SPACE

179 e GetAttrib {c104ca54} C:\CAVO

180 e GetAttrib {c104ca54} C:\DBASEWIN\BIN

181 e GetAttrib {c104ca54} C:\DELPHI

182 e GetAttrib {c104ca54} C:\DELPHI\BIN

183 e GetAttrib {c104ca54} C:\DISNEY\LKASB

184 e GetAttrib {c104ca54} C:\LKSTUDIO

185 e GetAttrib {c104ca54} C:\MYMWIN2

186 e GetAttrib {c104ca54} C:\ORAWIN\BIN

187 e GetAttrib {c104ca54} C:\PB4

188 e GetAttrib {c104ca54} C:\PB4NT

189 e GetAttrib {c104ca54} C:\TLC\RR1

...

251 e GetAttrib {c104cc68} E:\AOL20

252 e GetAttrib {c104cc68} E:\WAOL

253 e GetAttrib {c104cc68} E:\BC4

254 e GetAttrib {c104cc68} E:\CSERVE

000 e GetAttrib {c104cc68} E:\AMIPRO

001 e GetAttrib {c104cc68} E:\PRODIGY

002 e GetAttrib {c104cc68} E:\ALDUS

003 e GetAttrib {c104cc68} E:\IBOX

004 e GetAttrib {c104cc68} E:\DBASE

...

107 e GetAttrib {c104cc68} E:\KA\TREE

108 e GetAttrib {c104cc68} E:\TREEHSE

Simplifying the FILEMON output, here is a complete list of the directories for which RegWiz (actually, the ProdInv "product inventory" module) searches:

Directories Scanned by Win95 Registration Wizard

\123R4D \123R4W \ACCESS \ALDUS

\AMIPRO \AOL20 \APPROACH \BASEBALL

\BC4 \BS \CAVO \CHARISMA

\CIE \CLIPPER5\BIN \CLIPPER5\LIB \CRAYOLA

\CSERVE \DBASE \DBASEWIN\BIN \DEASE

\DELPHI \DELPHI\BIN \DEWIN \DINO3D

\DISNEY\LKASB \ENCARTA \EXCEL \FLTSIM5

\FOXPRO2 \FOXPROW \FPW26 \GUPTA

\HG \HG3 \HGW \IBOX

\KA\SPIDERCM \KA\TREE \KIDPIX \LKSTUDIO

\LOSTCITY \MBWINCD \MECC\OTII \MOSAIC

\MSKIDS \MSKIDS\LEAOPARD \MSMONEY \MSOFFICE

\MSOFFICE\ACCESS \MSOFFICE\SETUP \MSPUB \MSTOOLS

\MSTOOLS\C\DLAB \MSVC20\BIN \MSWINE \MSWORKS

\MYMWIN2 \NOTES \OFFICE\WPWIN \ORAWIN\BIN

\OTWIN \PB4 \PB4NT \PDOX45

\PDOXWIN \PERSUASI \PGA486 \PLAYWRLD

\POWERPNT \PRODIGY \PROJ \PSDWIN

\PUTTPUTT \PWPLUS \QCWIN \QPRO

\QPW \QUICKENW \RELENT \SB4W

\SCENES \SPACE \TLCWIN\RR2WIN \TLC\RR1

\TPW \TREEHSE \VB \VFP

\WAOL \WINDOWS \WINDOWS\CHARISMA \WINDOWS\CORELDRW

\WINPROJ \WINWORD \WINWORD\C\DLAB \WORD

\WORKS \WORLDMPC \WP \WP50

\WP51 \WP60 \WPWIN \WPWIN60

If these directories actually existed, it makes sense that RegWiz would start looking for specific files within these directories. So the next step was to write a batch file which created all these directories, and then rerun RegWiz alongside FILEMON. Now FILEMON revealed RegWiz searching for specific files within directories. For example:

Extract from FILEMON Output (2)

085 e FndOpen {c104cc68} E:\AOL20\WAOL.EXE

086 GetAttrib {c104cc68} E:\WAOL

087 e FndOpen {c104cc68} E:\WAOL\WAOL.EXE

088 GetAttrib {c104cc68} E:\BC4

089 e FndOpen {c104cc68} E:\BC4\BCW.EXE

090 GetAttrib {c104cc68} E:\CSERVE

091 e FndOpen {c104cc68} E:\CSERVE\WINCIM.EXE

092 GetAttrib {c104cc68} E:\AMIPRO

093 e FndOpen {c104cc68} E:\AMIPRO\AMIPRO.EXE

094 GetAttrib {c104cc68} E:\PRODIGY

095 e FndOpen {c104cc68} E:\PRODIGY\PRODIGY.EXE

096 GetAttrib {c104cc68} E:\ALDUS

097 e FndOpen {c104cc68} E:\ALDUS\ALDSETUP.EXE

098 GetAttrib {c104cc68} E:\IBOX

099 e FndOpen {c104cc68} E:\IBOX\AIRMOS.EXE

100 GetAttrib {c104cc68} E:\DBASE

101 e FndOpen {c104cc68} E:\DBASE\DBASE.EXE

...

Extracting filenames from the FILEMON output and sorting them, yielded the following list of filenames in which RegWiz (again, actually the Win95 PRODINV.DLL "product inventory" module) takes a direct interest:

Files Scanned by Win95 Registration Wizard

\123R4D\123.EXE \123R4W\123W.EXE

\ACCESS\SCWIZ.DLL \ACCESS\SETUPWIZ.MDB

\ACCESS\SWU2016.DLL \ACCESS\WZCS.MDA

\ALDUS\ALDSETUP.EXE \ALDUS\PR2.EXE

\AMIPRO\AMIPRO.EXE \AOL20\WAOL.EXE

\APPROACH\APPROACH.EXE \BASEBALL\BASEBALL.EXE

\BC4\BCW.EXE \BS\BS94.EXE

\CAVO\CAVO.EXE \CHARISMA\CHARISMA.BIN

\CHARISMA\CHARISMA.EXE \CIE\CIE.EXE

\CLIPPER5\BIN\CLIPPER.EXE \CLIPPER5\LIB\CLIPPER.LIB

\CRAYOLA\STUDIO.EXE \CSERVE\WINCIM.EXE

\DBASEWIN\BIN\DBASEWIN.EXE \DBASE\DBASE.EXE

\DBASE\DBASEIV.ICO \DEASE\DE16M.EXE

\DEASE\DEASE.EXE \DELPHI\BIN\DELPHI.EXE

\DELPHI\DELPHI.EXE \DEWIN\DEWIN.EXE

\DINO3D\KAWIN.EXE \DISNEY\LKASB\LIONKING.EXE

\ENCARTA\ENCART95 \EXCEL\EXCEL.EXE

\FLTSIM5\FS5.COM \FOXPRO2\FOXPRO.EXE

\FOXPRO2\FOXPROX.EXE \FOXPROW\FOXPROW.EXE

\FPW26\FOXPROW.EXE \GUPTA\C\DLAB

\GUPTA\SQLWIN50.EXE \HG3\HG3.EXE

\HGW\HG20.EXE \HGW\HGW.EXE

\HGW\HGW1.DLL \HGW\HGW2.DLL

\HGW\HGW20.EXE \HGW\HGW2EXP.DLL

\HGW\HGW3.DLL \HGW\HGW4.DLL

\HGW\HGWPLAY.EXE \HG\HG.EXE

\IBOX\AIRMOS.EXE \KA\SPIDERCM\SPIDERCM.EXE

\KA\TREE\TREE.EXE \KIDPIX\KIDPIX.EXE

\KIDPIX\KPWIN.EXE \LKSTUDIO\LIONKING.EXE

\LOSTCITY\LOSTCITY.EXE \MAIN123W.EXE

\MBWINCD\MB4.INI \MECC\OTII\OTIILB.EXE

\MOSAIC\MOSAIC.EXE \MSKIDS\ARTIST.EXE

\MSKIDS\GWICON.IC \MSKIDS\HHOUSE.ICO

\MSKIDS\LEAOPARD\LEOPARD.EXE \MSKIDS\MSBHUMAN.EXE

\MSKIDS\MSBSOLAR.EXE \MSKIDS\WRITER.EXE

\MSMONEY\MSMONEY.EXE \MSOFFICE\ACCESS\SCWIZ.DLL

\MSOFFICE\ACCESS\SETUPWIZ.MDB \MSOFFICE\ACCESS\SWU2016.DLL

\MSOFFICE\ACCESS\WZCS.MDA \MSOFFICE\MSOFFICE.EXE

\MSOFFICE\SETUP\OFF40_BB.DL_ \MSOFFICE\SETUP\OFF42_BB.DL_

\MSOFFICE\WINWORD\WINWORD.EXE \MSPUB\MSPUB.EXE

\MSTOOLS\WORD.COM \MSVC20\BIN\MSVC.EXE

\MSWINE\WINEGDE.EXE \MSWORKS\MSWORKS.EXE

\MYMWIN2\MYMWIN.EXE \OFFICE\WPWIN\WPWIN.EXE

\OFFICE\WPWIN\WPWIN61.EXE \ORAWIN\BIN\ORAINST.EXE

\OTWIN\OREGON.EXE \PB4NT\PB040.EXE

\PB4\PB040.EXE \PDOX45\PARADOX.AUX

\PDOXWIN\PDOXWIN.EXE \PERSUASI\(C)ALDUS.'92

\PERSUASI\PR2.EXE \PGA486\PGA486.COM

\PLAYWRLD\PLAYROOM.EXE \POWERPNT\POWERPNT.DLL

\POWERPNT\POWERPNT.EXE \PRODIGY\PRODIGY.EXE

\PSDWIN\PSDWIN.EXE \PUTTPUTT\PUTTPUTT.INI

\PWPLUS\PWPLUS.EXE \QCWIN\QCWIN.EXE

\QPRO\Q.EXE \RELENT\RELENT.EXE

\SB4W\SB4W.EXE \SCENES\SCENES.EXE

\SPACE\CARMEN.EXE \TLCWIN\RR2WIN\RR2WIN.EXE

\TLC\RR1\RR1.EXE \TPW\TPW.EXE

\TREEHSE\TREEHSE.EXE \VB\VB.EXE

\VFP\VFP.EXE \WAOL\WAOL.EXE

\WIN95\LOTUS.INI \WINDOWS\CHARISMA\CHARISMA.EXE

\WINDOWS\CORELDRW\CORELDRW.EXE \WINDOWS\HEGAMES.INI

\WINWORD\WORD.COM \WORD.EXE

\WORD\WORD.EXE \WORKS\WORKS.EXE

\WORLDMPC\CARMEN.EXE \WP50\WP.EXE

\WP51\WP.EXE \WP60\WP.EXE

\WPWIN60\WPWIN.EXE \WPWIN\WPWIN.EXE

\WP\WP.EXE

This list should lay to rest the idea that RegWiz scans your entire hard disk. On the contrary, it has specific things it is looking for. Indeed, the list is so specific that one might ask what happens when a user installs product in a directory other than the vendors' recommended directory: how then would RegWiz find it? We'll get to that later. For now, the important thing is that RegWiz (via PRODINV) does not do an indiscriminate search of your hard disk, but has specific targets in mind.

The next obvious step was to try to create some of these files, and see if RegWiz decided that I now had a given product. However, creating dummy (0-byte) files with the correct names, or files with arbitrarily-chosen contents but with the correct names, did not induce RegWiz to believe the corresponding product was installed. Evidently, RegWiz needed something other than directory and file names: perhaps afile checksum, size, date, or a particular pattern of bytes within the file.

To find how RegWiz (ProdInv, actually) was deciding that a user had a product, I needed to find where it kept information associating directory/file names with product names. However, a full search of my hard disk turned up no occurrences of strings such as "TREEHSE" or "TREEHSE.EXE" or "CARMEN.EXE", aside from the ones that showed up in the FILEMON logs. Evidently, then, the actual "product inventory" is kept on disk in compressed and/or encrypted form, and is de-encrypted in memory only when PRODINV is loaded.

The next step was to run RegWiz under the Soft-ICE Windows debugger (http://www.numega.com/WWW/numega/newsidx.html - NuMega Technologies), and stop the program when it is calling the operating-system functions that search for directories and files. The key such function is FindFirstFileA, provided by KERNEL32.DLL. I set a debugger "breakpoint" on this function, ran RegWiz, and clicked "Online Registration."

Sure enough, I could see passing in the names of the directories and files that showed up in the FILEMON output. I was then able to "walk back" to the place from where FindFirstFileA was being called: it turned out, not surprisingly, to be inside PRODINV.DLL. From there, I had to step back again to see from where these names were coming. I finally located a buffer in memory that looked like this:

Debugger Hex Dump of PRODINV Product Inventory

Break Due to BPMB #013F:009AFA0C W DR3 C=01

:d eax

013F:004436C5 77 6F 72 64 2E 63 6F 6D-2C 5C 77 69 6E 77 6F 72 word.com,\winwor

013F:004436D5 64 2C 31 35 30 30 2C 39-30 30 30 30 2C 33 30 3A d,1500,90000,30:

013F:004436E5 4D 69 63 72 6F 73 6F 66-74 20 57 6F 72 64 20 66 Microsoft Word f

013F:004436F5 6F 72 20 44 4F 53 09 0A-77 6F 72 64 2E 63 6F 6D or DOS..word.com

013F:00443705 2C 5C 77 69 6E 77 6F 72-64 2C 31 35 30 30 2C 39 ,\winword,1500,9

013F:00443715 30 30 30 30 2C 33 30 3A-4D 69 63 72 6F 73 6F 66 0000,30:Microsof

013F:00443725 74 20 57 6F 72 64 20 66-6F 72 20 44 4F 53 09 0A t Word for DOS..

At this point, it was trivial to locate the beginning and end of the buffer, and write it to disk. (Recall that the database is stored on disk in encrypted form; this is why a search of the entire hard disk did not find it.) Here are some selected portions of the PRODINV product inventory:

PRODINV Product Inventory: Extracts

winword6.ini,Microsoft Word,programdir,1

winword.exe,3000000,4000000,2:Microsoft Word for Windows

win.ini,embedding,Word.Document.6,3,,3000000,4000000,2:Micro oft Word for Windows

win.ini,Microsoft Word 2.0,programdir,1,

winword.exe,1000000,2000000,2:Microsoft Word for Windows

win.ini,embedding,WPWin6.0,3,,10000,25000,3:WordPerfect for Windows

lotus.ini,Lotus

Applications,amipro,1,amipro.exe,1000000,1500000,20:AmiPro for Windows

win.ini,AmiPro,dictionary,1,amipro.exe,1000000,1200000,20:AmiPro for Windows

win.ini,extensions,nsf,1,notes.exe,,,43:Lotus Notes

...

waol.exe,\aol20,12000,15000,54:America On-line

waol.exe,\waol,12000,15000,54:America On-line

bcw.exe,\bc4,850000,920000,45:Borland C++ for Windows

wincim.exe,\cserve,850000,890000,56:CompuServe

amipro.exe,\amipro,700000,2000000,20:AmiPro for Windows

prodigy.exe,\prodigy,550000,560000,57:Prodigy

aldsetup.exe,\aldus,280000,290000,46:Aldus Pagemaker for Windows

airmos.exe,\ibox,600000,650000,75:Internet In A Box

dbase.exe,\dbase,0,500000,21:Borland Dbase

dbaseiv.ico,\dbase,0,2000,21:Borland Dbase

...

The first set of entries reference .INI (initialization) files, which in turn reference file and/or directory names. For example, "win.ini,embedding,WPWin6.0,3,,10000,25000,3:WordPerfect for Windows" means to look for a WPWin6.0= entry in the [embedding] section in WIN.INI, and to treat the third comma-delimited field as a full directory/filename. If that file is between 10,000 and 25,000 bytes, RegWiz decides you have WordPerfect for Windows. Thus, the following WIN.INI entry:

[embedding]

WPWin6.0=foo,foo,C:\FOO\FOOBISH.EXE,foo along with a file named C:\FOO\FOOBISH.EXE, whose size is between 10-25,000 bytes, will trigger RegWiz to display "WordPerfect for Windows" as one of the products on the user's machine. The use of .INI allows RegWiz to detect some applications installed in non-standard directories.

However, the bulk of the product inventory directly references directory and file names, without an intermediary .INI file. For example, the last two entry shown above indicate that, if a user has \DBASE\DBASE.EXE (size anywhere from 0 to 500,000 bytes) OR if they have \DBASE\DBASEIV.ICO (size anywhere from 0 to 2,000 bytes), then they have product #21, "Borland Dbase." So why is the PRODINV "product inventory" encrypted? I suspect because it was originally written for Microsoft Office (a nearly-identical module named WRD95INV.DLL comes with WinWord, for example). Because it would be trivial to fool this "wizard" (hmm...) simply by creating an appropriately-sized file with the appropriate name in the appropriate subdirectory, the database is encrypted.

This makes perfect sense for application upgrades. But does it make sense for the operating system's online registration?

Microsoft's white-paper clarifications says: "Registration enables Microsoft to send information about Microsoft programs that are tailored for users needs and interests." (yeah, right) While there is nothing wrong in Microsoft seeking to interest WordPerfect or AmiPro users in Microsoft Word, surely they could find a more appropriate venue in which to do so than the online registration of Windows itself, which is supposed to support ALL applications, not just those from Microsoft.

Be Scared...Be very scared....now the new york times tells us about realnetworks doing it to all of us who listen to MP3's check this page out! <http://canadiantom.com/realplayer.htm>

<http://canadiantom.com/realplayer.htm>

tom-

This article has been used with the permission of Harmless Strategies <http://canadiantom.com/menu.htm>