Everyday Security and Registry Tricks
by Dan Appleman

1st Edition – March 2004
revised March 25, 2004

Copyright © Daniel Appleman 2004. All rights reserved. Portions of this ebook are excerpted from the book “Always Use Protection: A Teen’s Guide to Safe Computing” published by Apress. www.alwaysuseprotection.com

Contents

Everyday Security
  Protecting Your Computer
    Antivirus
    Firewalls
    System Updates
  Software and System Configuration
  Using Your Computer
    Browsing the Web
    Shopping Online
    Checking E-Mail
    Instant Messenger Programs
    Floppies and CDs
    Chat Rooms
    Passwords
    Privacy
    P2P
  Links
    Browsers
    Antivirus
    Routers and Firewalls
    Antispam
    Spyware and Adware Blockers
    Backup
    Privacy and Consumer Rights
    Scams and Fraud
    Other
Registry Tricks
  Using the Registry Editor
  Which Programs Are Viruses?
  Backing up Registry Entries
  Other Tools
  Other Places to Look
    Services
    Your Startup Folders
    Win.ini
    Disabling CD Autorun
Conclusion

Everyday Security

The book “Always Use Protection: A Teen’s Guide to Safe Computing” was inspired and based on the real world problems that today’s teens face with regards to computer security. The security needs of teens are often greater than those of their parents, as teens often have the best computers in the home, and spend the most time online (thus, in a strange sort of twist, it turns out that while a computer security book written for teens also covers everything an adult home user needs to know, the reverse is not true!).

In the book, I tried to not only offer specific suggestions regarding computer security, but also teach the how and why of security – to cover the concepts that will help readers deal with not only today’s risks, but tomorrow’s as well. But as a quick reference, the following is a summary of the key things everyone should know about computer security. Obviously, it’s simplified considerably from the text in the book. Security is a big subject, and I won’t discuss the exceptions to the rules shown here. Consider these the most important things you should do and be aware of every day. I hope you find it useful.

Protecting Your Computer

There are three things you need to secure your computer: an antivirus program, a firewall, and system updates.

Antivirus
* Keep your antivirus program active.
* Use active scanning (the antivirus program monitors files as you use them).
* Be sure your antivirus program updates itself automatically.
* Keep your subscription up to date.

Firewalls
* If you use a phone dial-up connection to the Internet, use a software firewall such as ZoneAlarm.
* If you use cable or DSL to connect, use a router that supports NAT (also called Internet Connection Sharing).
* Learn to open individual ports to allow access to services without taking down your entire firewall.

System Updates
* Back up key data before you perform a major update.
* Visit http://windowsupdate.microsoft.com and install all critical software updates.
* On XP, use automatic Windows Update (enable reminder prompts and follow the recommendations – don’t use automatic download and install).

Software and System Configuration
* Turn off unnecessary services.
* Use a password on your system.
* Turn off automatic login and password storage for web sites.
* Use encryption if you have a wireless network.

Spyware and Adware Blockers
* Use spyware and adware removal tools to help protect your privacy.

Using Your Computer

Here is a summary of things you should always keep in mind while using your computer.

Browsing the Web
* Scan any downloaded files for viruses.
* Don’t trust ActiveX controls unless you explicitly request one.
* Set your cookie configuration to block or prompt on all third-party cookies. Consider using prompts on first-party cookies as well.
* Deny permission to set cookies to all but the most trusted sites.

Shopping Online
* Use credit cards, not cash or debit cards.
* Don’t give out personal information unless you truly trust the site. Don’t give out your Social Security number or birth date unless you are absolutely certain it is safe.

Checking E-Mail
* Don’t open attachments.
* Turn off automatic downloading of messages (Outlook and Outlook Express).
* Turn off JavaScript and ActiveX controls in e-mail viewers.
* Don’t click links inside e-mail messages.

Instant Messenger Programs
* Turn off automatic logon.
* Block harassing messages.

Floppies and CDs
* Scan floppy disks and CDs from untrusted sources for viruses.
* Hold the Shift key down when inserting a suspect CD to prevent the autorun program from starting.

* Use credit cards or escrow services on auction sites.

Chat Rooms
* Don’t give out any personally identifiable information to strangers, no matter how nice they seem.
* Remember—everybody lies online.

Passwords
* Use at least three passwords: one for high security, one for moderate security, and one for your computer.
* Create “throwaway” passwords for sites you don’t trust or don’t plan to visit again.
* Avoid the obvious (birth dates, names, etc.).
* Mix some numbers in with the password.

Privacy
* Clear your history, file cache (offline content), and cookies after using a public computer.

P2P
* Avoid the adware/spyware versions of P2P software.
* Turn off file sharing if your client allows it, otherwise take files out of your shared file folder.
* Do not act as a supernode or share files.

Links

Here is a summary of key sites referenced in the book.1

* http://www.alwaysuseprotection.com: For updated links, book updates and corrections, and anything else I can think of that might be fun or useful

Browsers
* http://www.microsoft.com
* http://www.mozilla.org
* http://www.netscape.com
* http://www.opera.com

1 With the exception of Amazon.com, I do not own any stock in any of the companies mentioned in the book. No company paid to be included in the book. There are many other sites with security information and companies that provide security products. These were chosen primarily based on popularity and familiarity. Additional sites and companies will be listed on AlwaysUseProtection.com based on visitor recommendations and ongoing experience—the Internet changes quickly, so be sure to check in for updates.

Antivirus
* http://www.mcafee.com, http://www.symantec.com: Antivirus software
* http://www.virusbtn.com, http://securityresponse.symantec.com, http://netsecurity.about.com: For general antivirus information
Visit AlwaysUseProtection.com for more recommendations.

Routers and Firewalls
* http://www.linksys.com, http://www.dlink.com, http://www.netgear.com, http://www.3com.com, http://www.hawkingtech.com, http://www.speedstream.com: Routers
* http://www.zonealarm.com: Firewall software
Visit AlwaysUseProtection.com for more recommendations.

Antispam
* http://spambayes.sourceforge.net
* http://www.mcafee.com, http://www.symantec.com

Spyware and Adware Blockers
* http://www.lavasoftusa.com, http://www.safer-networking.org, http://www.webroot.com, http://www.sunbelt-software.com: Adware removal software

Backup
* http://www.maxtor.com: External hard drive
* http://www.backup.com: Internet backup service
* http://www.acronis.com
* http://www.apc.com: Backup power (UPS)

Privacy and Consumer Rights
* http://www.eff.org: Electronic Frontier Foundation—privacy rights advocate
* http://www.ftc.gov: Federal Trade Commission
* http://www.anonymizer.com: Anonymous web surfing
* http://www.heidi.ie: Eraser (secure file erase—also see the Eraser project on sourceforge.net)
* cert.com: Privacy software
Visit AlwaysUseProtection.com for more recommendations.

Scams and Fraud
* http://www.ftc.gov
* http://www.scambusters.org: Fraud and scam information
* http://www.snopes.com, http://www.urbanlegends.com: Urban legends
* http://www.consumerreports.org

Other
* http://www.knoppix.org: Linux distribution that runs off a CD
* http://www.powerquest.com: Partition manager
* http://www.safeware.com: Computer insurance

Registry Tricks

Your system registry is a database on your computer—a file that contains centralized information that controls every aspect of your system, from key system software to individual application settings.

How important is the registry? If every file on your system was left alone, and you scrambled your registry, your system would be dead. Nothing would run. It wouldn’t even boot. Lose your registry and it’s game over—you won’t lose your data files, but you will need to reinstall your system. That’s why emergency repair disks and system save points save the registry—Windows does what it can to make sure that the registry information is recoverable if something goes wrong. But there isn’t much it can do if you damage your registry intentionally.

In this appendix, I’m going to show you how the experts edit the registry. Knowledge of how to edit the registry can help you manually disable many worms and Trojans.

CAUTION!!! Anything you do here is entirely at your own risk. Registry editing is designed for expert-level system configuration—and even the experts have been known to damage their registries using these techniques. You can wipe out your system if you accidentally delete or modify the wrong entry.

Using the Registry Editor

Start the registry editor by going to the Start menu, choosing Run, and entering the command RegEdit. Figure B-1 shows the main window of the registry editor.

Figure B-1. The Registry editor, main window

The registry editor window divides into two parts. The left-hand side contains objects called keys. Think of them like directory folders—containers that hold various values. The right-hand side contains the values. Think of them a bit like files, except that they are individual numbers and strings that have names.

At the top level, your computer has five keys. Of these, the one we’ll be most concerned with is named HKEY_LOCAL_MACHINE. That’s the key that holds your machine configuration and settings.2

Figure B-2 shows what happens when you expand the HKEY_LOCAL_MACHINE key, and then expand the SOFTWARE key. You can click on the little [+] symbol on the left to expand and collapse the subkeys (yep, keys contain other keys). As you can see, different applications can store their own software settings under the HKEY_LOCAL_MACHINE\SOFTWARE key. This is where applications will tend to store their machine settings. The keys that appear under the SOFTWARE key on your system will probably differ, depending on what applications you have installed.

Figure B-2. Viewing subkeys in the registry editor

The highlighted key, America Online, would be referred to as HKEY_LOCAL_MACHINE\SOFTWARE\America Online. I’ll continue to use that syntax to describe keys from here on.

If you navigate to the HKEY_CURRENT_USER\SOFTWARE key, you’ll see subkeys where different applications store settings that apply to the current user (some applications are able to keep different settings for each user on a machine—this is where they store those settings).

RegEdt32.exe: The other registry editor

If you’re using Windows NT or 2000, you should consider using RegEdt32.exe. RegEdt32 is similar to RegEdit, but splits the registry into sections called “Hives”. RegEdt32 doesn’t have the ability to save parts of the registry, or to search the registry (but it does let you control registry security). Anyway, on any version of Windows before XP, if you want to edit entries that have the type REG_EXPAND_SZ or REG_MULTI_SZ you have to use RegEdt32 because RegEdit will incorrectly change them to REG_SZ. This shouldn’t be a problem with the entries discussed here – they should all be REG_SZ.

2 You may be wondering why I’m not bothering to explain the other keys. The thing is, people write entire books just about the registry. If I started trying to explain HKEY_CLASSES_ROOT, next thing I’d be trying to explain classes, COM, GUIDs, AppIDs, type libraries, and you’d die of boredom long before we got to anything actually useful. So trust me, not only don’t you need to know about the other keys—you don’t want to know about them!

The key you’ll be most interested in is at

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Figure B-3 shows the values located under this key on one of my systems.

Figure B-3. Example of the contents of the Run key

Look in the right pane of the registry editor. Each line contains a value. The value is a text string (that’s what the REG_SZ means), and the data is the command line to a program that should be run every time Windows starts.

Why is this important? Because worms and Trojans love to install themselves in this key. That’s what allows them to run automatically each time you start your machine. If you find a worm or Trojan in this list, you can delete it by clicking it, and then either choosing the Edit -> Delete command from the menu or right-clicking and choosing Delete.

You should also check the following key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Programs under this key start automatically when this user (the one currently logged on) logs in again.

The RunOnce and RunOnceEx subkeys (under both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER keys) may also be used by viruses, but this is less common. They are used when you need to launch a program one time only the next time Windows starts, as Windows runs them once and then deletes them.

Which Programs Are Viruses?

Figuring out which program should be deleted is where the real challenge lies. The safest way is to look at the manual removal instructions for the virus you have—the major antivirus sites include descriptions of known viruses and instructions on how to remove them manually (if possible—remember, some viruses prevent the registry editor from running). There may be times when you have to figure it out for yourself – for example: if the virus prevents your antivirus programs from running, if you’re trying to remove a piece of spyware or adware that your antivirus or anti-spyware program doesn’t know about yet, or if you can’t find manual removal instructions for the virus (perhaps because it’s too new).

The trick is to figure out which files are viruses, and which are programs that your computer (or applications) needs to run. Each line in the registry key consists of the path to the executable file. Sometimes the filename isn’t at the start of the line. You may see a line like this:

RUNDLL.EXE SETUPX.DLL,InstallHinfSection 132 C:\WINDOWS\INF\SHELL.INF

In this case, RunDLL is a program that runs other programs or libraries (with the extension DLL). So if you see any filenames (files with the extension .exe, .dll, .bat, etc.) in the registry value, any of them might be a virus.

There are some tricks to be aware of though: When you see a directory with a ~ character, you’re looking at the shortened name of the directory. For example, C:\PROGRA~1 actually refers to C:\Program Files.

Once you’ve identified the filename, find it on your system using the Windows Explorer. One way to do this is to just search for the filename. It will usually be in your Windows or Windows\System or System32 directory. Once you’ve found it, right click it, select Properties, and then choose the Version tab.

In Figure B-3, the first program is something called AGRSMMSG.exe. What does that program do? Frankly, I had no idea when I first snapped that screen shot. But I found the file in the Windows directory, and looking at the version information saw the dialog box in Figure B-4. I guess that’s the program that runs my laptop’s modem.

Figure B-4. Sample version information

CAUTION!!! Most of the files you find in this key are not viruses, and are in fact required for your computer to work. So don’t delete any entries from the registry unless you are certain they are viruses.4

4 I can’t stress enough the risks of making a mistake here—if you delete a key or value that is critical to your system, it will stop working.

Worms and Trojans can lie about their version information, and files infected with viruses still have their original description. However, many virus authors just can’t resist showing off, and will have missing or suspicious version information. Not every program with missing information is a virus, but it is awfully suspicious, as professional and commercial software developers all know how to set version information for a program.

Another trick is to Google the file. For example: I found this entry in my registry:

RUNDLL32.EXE F:\WINNT\System32\NvCpl.dll,NvStartup

Rather than look at the properties of the file NvCpl.dll, I just did a Google search on “nvcpl.dll”. I quickly found several sites that explained that this file is the “Nvidia Display Properties Extension”. Since I know I have a Nvidia graphics card, it’s very likely the file is supposed to be there.

Backing up Registry Entries

Before you start modifying the registry, it’s a good idea to back up your current settings. On XP you can do this by setting a System Restore point – always a good idea before you start tinkering with your system configuration. Or, you can save individual registry keys using RegEdit. Select the key you want to save, and select the Registry -> Export Registry File menu command. You can then store either the entire registry, or a single registry key (and its subkeys) by selecting “Specified branch” as shown in figure B-5. This will store a file with the extension .REG which contains a list of registry keys and their values.

Figure B-5 – The Export Registry File dialog box.

Here’s an example of the .REG file for the Run key on one system:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CreateCD50"="\"F:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
"MCAgentExe"="f:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="F:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"VirusScan Online"="\"f:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\" -atboottime"
"VSOCheckTask"="\"f:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"WinampAgent"="\"F:\\Program Files\\Winamp\\Winampa.exe\""
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\""
"RunMSK"="F:\\Program Files\\McAfee\\SpamKiller\\spamkiller.exe"
"Mskexe"="f:\\PROGRA~1\\mcafee\\SPAMKI~1\\spamkiller.exe"
"NvCplDaemon"="RUNDLL32.EXE F:\\WINNT\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"TkBellExe"="F:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"np"="f:\\winnt\\notepad.exe"
"wcmdmgr"="F:\\WINNT\\wt\\updater\\wcmdmgrl.exe -launch"

You can reload a key from a .REG file by using the Registry -> Import Registry File command.

Other Tools

While you certainly can edit the registry manually, there are other applications that make things a bit easier. MSConfig is a Microsoft program that comes with home versions of Windows and Windows XP, but for some unknown reason is not provided with Windows 2000. However, for those of you with Windows 2000, it will work if you can find a copy. Figure B-6 shows an example of one of the MSConfig screens – in this case a list of services installed on your system. It makes it easy to enable or disable these services.

A number of shareware and freeware startup control programs are available, and often will work in cases where the registry editor has been disabled by a virus. One example, called Startup Control Panel, can be found at: http://www.mlin.net/StartupCPL.shtml
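The .REG export above is plain text, so the step described under “Which Programs Are Viruses?” (find the file named in each Run value, allowing for RUNDLL lines and ~ short names) can be done offline from the export rather than by reading RegEdit’s right pane. The following Python script is an added example, not code from this ebook; it parses a constructed .REG export modelled on the listing above, undoes RegEdit’s \\ and \" string escaping, and reports for each value which file to look up. The same `file_to_research` step applies to a service’s ImagePath value.

```python
import re
from typing import Dict

# Constructed sample in the format RegEdit exports (.REG, version 5.00). The value names
# and paths are modelled on the Run key listing shown on this page, not taken from a
# real machine; the RUNDLL32 line mirrors the NvCpl.dll entry discussed in the text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CreateCD50"="\"F:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
"NvCplDaemon"="RUNDLL32.EXE F:\\WINNT\\System32\\NvCpl.dll,NvStartup"
"MCAgentExe"="f:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"nwiz"="nwiz.exe /install"
"np"="f:\\winnt\\notepad.exe"
'''

# A .REG string value line: "name"="data", with \\ and \" escapes inside both strings.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

# Hosts that run a DLL named on their command line: the DLL, not the host, is the
# file that needs checking (the host itself is a standard Windows program).
DLL_HOSTS = {"rundll.exe", "rundll32.exe"}


def _unescape(s: str) -> str:
    """Undo .REG string escaping: a backslash quotes the character after it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _first_token(cmd: str):
    """Split a command line into (program, rest), honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return (parts[0] if parts else ""), (parts[1] if len(parts) > 1 else "")


def file_to_research(cmd: str) -> str:
    """Return the file whose Properties/Version tab (or a web search) answers
    'what is this?'. For RUNDLL/RUNDLL32 lines that is the DLL before the comma."""
    program, rest = _first_token(cmd)
    if program.rsplit("\\", 1)[-1].lower() in DLL_HOSTS and rest:
        dll, _ = _first_token(rest)
        return dll.split(",", 1)[0]
    return program


def parse_run_key(reg_text: str, key_suffix: str = r"\CurrentVersion\Run") -> Dict[str, dict]:
    """Map each value under keys ending in key_suffix to its command line, the file
    worth researching, and whether that path uses an 8.3 short name (contains ~)."""
    entries: Dict[str, dict] = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower().endswith(key_suffix.lower())
            continue
        m = VALUE_LINE.match(line) if in_key else None
        if not m:
            continue
        name, cmd = _unescape(m.group(1)), _unescape(m.group(2))
        target = file_to_research(cmd)
        entries[name] = {"command": cmd, "file": target, "short_name": "~" in target}
    return entries


if __name__ == "__main__":
    for name, info in parse_run_key(SAMPLE_REG).items():
        note = "  (8.3 short name, e.g. PROGRA~1 = Program Files)" if info["short_name"] else ""
        print(f"{name:14} -> {info['file']}{note}")
```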

Other Places to Look

There are a few other places where viruses can insert themselves so that they run automatically when a system starts.

Services

Occasionally a virus will install itself as a special kind of program called a service. Services are most often an issue on Windows 2000 and later (though Windows 9X and ME did support a limited version of services, they were never very popular).

A list of services can be found in the registry at the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Each subkey is the name of a service. Look for the value ImagePath under the service’s key to see the name of the program that is run when Windows starts up. It is always better to use the Service manager to add or remove services rather than the registry – use the registry only as a last resort if you are unable to disable a service.

Services are accessed by bringing up the control panel, and selecting “Administrative Tools” and then Services. You’ll see a display similar to the one in Figure B-8.

Figure B-8 – Service control display

You can right click on one of the entries and try to stop it, but in many cases you will not be able to do so due to security configuration issues. If you can’t stop the service, try double clicking on it to see a detail page about the service as shown in Figure B-9 on the following page. In that case, you may be able to change the startup type from Automatic to Manual or Disabled. This should prevent the service from starting up when the computer is started – so restarting the computer should stop the service. You can also see the path to the executable and use it to research the file further, by examining its version information and searching for information about the file on the Internet.

Figure B-9 – Service Detail Page

Your Startup Folders

It goes without saying that you should also check which files are in your startup folder. You can navigate to your start folder by right-clicking on the Start button, then selecting either “Open” or “Open All Users” (actually, you should check both). Navigate to Programs and then to Startup to see what files are set to start when you log on. You can right click on each one and select the Properties menu to see the “target” – the path to the executable file that is run on startup.

Win.ini

A long time ago, this file (found in the Windows directory) was used for system configuration (back before the registry was invented). You may find in the file a few lines that look like this:

[Windows]
Run=
Load=

The Run= and Load= lines instruct Windows to start and run (or load) the specified file when Windows starts. They may not be used for much, but they still work. Viruses will often insert themselves both in the registry and in the win.ini file.

Disabling CD Autorun

Autorun is actually a very low-risk operation—most viruses are spread nowadays through the Internet rather than floppies or CDs. Nevertheless, if you do find yourself looking at CDs obtained from untrustworthy sources, it’s a good idea to turn autorun off. Figure B-10 shows you the contents of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Cdrom key. As you can see, there is a value named Autorun, which by default is set to 1.

Figure B-10. Registry entry for the autorun feature

To turn off the autorun feature, double-click the Autorun value. You’ll see the dialog box shown in Figure B-11. Change the number from 1 to 0, and click OK. Once you restart your system, the autorun feature is disabled.

Figure B-11. Editing a numeric value in the registry

Conclusion

Viruses and worms are often written by very clever people. So these programs work very hard to make sure they are hard to remove from a system. They attack anti-virus programs. They disable the registry editor. In cases of serious infection, your own ability to manually find and remove viruses can make the difference between total loss of a system, and at least restoring it to the point where you can make backups of critical data and with luck be able to run your antivirus programs. Remember though, that while it is good to know how to remove viruses, it’s far better to prevent them from getting on your system in the first place. Which is, of course, what “Always Use Protection” is about.

For more information on “Always Use Protection: A Teen’s Guide to Safe Computing” including the book’s introduction, table of contents, and introduction for parents, visit www.alwaysuseprotection.com. Available for preorder today on Amazon.com, Barnes and Noble.com and Buy.com, and at a local bookstore near you. We also have a selection of “interesting” T-Shirts.

About the Author: Dan Appleman is the president of Desaware Inc., a developer of add-on products and components for Microsoft Visual Studio, and is the author of numerous books including "Moving to VB.NET: Strategies, Concepts and Code", "Dan Appleman's Visual Basic Programmer's Guide to the Win32 API", "How Computer Programming Works", “Always Use Protection: A Teen’s Guide to Safe Computing” and a series of ebooks on various technology and security topics. A complete list can be found at www.desaware.com. He is a cofounder of APress, a computer book publishing company. Contact information for Dan can be found at www.AlwaysUseProtection.com.