Wednesday, April 1, 2015

Eliminate the Windows 8 or 8.1 Lock Screen

The lock screen in Windows 8 and 8.1 annoys many people, myself included.  I don't see the point in dismissing the lock screen and then entering my account information to log in.  That extra swipe or keystroke doesn't protect me from anything or give me any particular value; I'd rather go straight to the logon prompt.  The following registry change enables that.  It only removes the cover screen: the logon prompt, the password requirement, and locking the session with Win+L all work exactly as before.  (Note that this does not seem to work on the Windows 10 Technical Preview.)

Open Regedit.  (You can do this in Windows 10 by typing "Regedit" in the "Ask me anything" box, or in Windows 8/8.1 by searching for it.)

If Windows asks whether you want to allow Regedit to modify your computer, say Yes.

Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows.

Right-click the "Windows" key and choose New, Key.  Name the key "Personalization".

Right-click the newly-created Personalization key and choose New, DWORD (32-bit) Value.

Name the DWORD value "NoLockScreen".  (This is the value behind the Group Policy setting "Do not display the lock screen"; a misspelled name is silently ignored, so check it carefully.)

Double-click the value to edit it, and change it from 0 to 1.

Click OK to save the value, then verify that the key and value names are spelled correctly and that the value now shows as 1.

Close Regedit and reboot the PC.  The lock screen should now be gone.
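The same change from an elevated PowerShell prompt, as an added example (this is not code from the original post), with a read-back so you can confirm it landed.  The key and value name are the registry backing of the Group Policy setting "Do not display the lock screen"; the edition report at the end is there because later Windows 10 releases honor this value only on Enterprise and Education editions.

```powershell
# Added example: set the "Do not display the lock screen" policy value and verify it.
# Run from an elevated (Administrator) PowerShell prompt; HKLM\...\Policies is not
# writable by a standard user.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'
$valueName = 'NoLockScreen'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Set-NoLockScreen {
    param([ValidateSet(0, 1)][int]$Enabled = 1)

    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt.' }

    # New-Item -Force creates the Personalization key (and any missing parent) or
    # returns it unchanged if it already exists, so the function is safe to re-run.
    $null = New-Item -Path $policyKey -Force

    # The type matters: the policy engine reads a REG_DWORD, not a string "1".
    Set-ItemProperty -Path $policyKey -Name $valueName -Value $Enabled -Type DWord
}

function Get-NoLockScreen {
    # Returns $null when the value has never been set.
    (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
}

Set-NoLockScreen -Enabled 1

$state = Get-NoLockScreen
if ($state -eq 1) {
    Write-Host "$valueName = 1 under $policyKey. Reboot (or sign out) to see the effect."
} else {
    Write-Warning "Expected $valueName = 1 but read back '$state'."
}

# Windows 8/8.1 honor the value on every edition; later Windows 10 releases
# honor it only on Enterprise and Education, so record what this machine runs.
Write-Host ('Edition: ' + (Get-CimInstance -ClassName Win32_OperatingSystem).Caption)
```

To put the lock screen back, run Set-NoLockScreen -Enabled 0 or delete the value with Remove-ItemProperty; the logon prompt and the password requirement are unaffected either way.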

Wednesday, March 25, 2015

Activate "God Mode" in Windows 8, 8.1, or 10

There is a menu hidden in Windows 8, Windows 8.1, and Windows 10.  It's referred to as "God Mode" because it provides access, in one flat list, to a large selection of troubleshooting, administration, and maintenance features that aren't always easy to find.  Nothing in it is new or elevated: each entry opens the same Control Panel applet or wizard it would open from Control Panel, and tasks that need administrator rights still prompt for them.

To gain access to this hidden menu, right-click your desktop and create a new folder.

Rename that folder to:
When the rename is complete, the folder's icon will change.  The Windows 10 version is pictured here:

When you double-click this icon on Windows 10, a menu similar to the following will be displayed:

The "God Mode" menu lists many functions and features, including (among many others):

  • Create and format hard disk partitions
  • Diagnose your computer's memory problems
  • Free up disk space by deleting unnecessary files
  • Set up iSCSI initiator
  • Manage BitLocker
  • Manage Web Credentials
  • Manage Windows Credentials
  • Make a file type always open in a specific program
  • Set up USB game controllers
  • Adjust ClearType text
  • Accommodate low vision
  • Set up Family Safety for any user
  • Change search options for files and folders
  • View installed fonts
  • Change cursor blink rate
  • Customize icons on the taskbar
  • Change SmartScreen settings
  • Change Customer Experience Improvement Program settings (disabled in the Windows 10 Technical Preview)
  • Manage Storage Spaces
  • Check firewall status

The name "God Mode" isn't meant to refer to religion.  It's a reference to video games where cheat codes would make the player unstoppable.  These cheat codes were often referred to by players as "God Mode" cheats because they became invincible and all-powerful within the video game.

Wednesday, March 18, 2015

Troubleshooting Adobe Flash Player Problems

Adobe Flash Player is still a relatively common component of Windows PC configurations.  Although the use of Flash on the Internet seems to be declining, it's still used widely enough that Flash Player remains part of most PC configurations.  Flash Player is also one of the most frequently exploited browser components, so an out-of-date copy is a security problem as well as a support one; whatever else you do, check the installed version first.  Most of the time, Flash works well and requires no particular effort to troubleshoot or repair.  When you do need to troubleshoot it, here are some steps that may help you identify the problem:

  • Make sure the Flash Player plugin is enabled in the web browser experiencing the issue.  It is possible that the user has unintentionally disabled Flash Player.
  • Clear the web browser cache and remove any cookies that may be associated with the site.  A corrupted cache file can cause the web browser to have difficulty displaying the Flash content.  Clearing out the cache will remove the corrupted file and restore operation.
  • Remove and reinstall Adobe Flash Player.  It is possible that the installation has become damaged or corrupted.  Removing and reinstalling the software is a quick way to fix that.
  • Reboot the system.  It's possible that a recently-installed Flash Player update might have left the plugin in a "broken" or inconsistent state.  Rebooting will allow the update to finish installation and enable it to function again.  Sometimes, too, a memory leak or other problem will cause software to stop working.  Rebooting often clears up these problems.
  • Does the problem occur on more than one web site?  If the problem appears on only one web site, it's possible that there is a problem with the Flash content on that site.  If the problem is on the web site, there is nothing you can do on your PC to fix it.
  • Does the problem appear in more than one web browser?  Internet Explorer uses the ActiveX version of Flash Player, Firefox uses the NPAPI "plugin" version, and Chrome bundles its own PPAPI build that updates with the browser.  If the problem appears in Internet Explorer but not Firefox or Chrome, the issue is isolated to the ActiveX version; if it works in Internet Explorer but not Firefox, the issue is in the plugin version.  Try removing and reinstalling the affected version.  If the problem appears in all browsers, make sure you're running the latest Flash Player for all installed browsers.  If the problem occurs in only one browser and remains after Flash Player has been removed and reinstalled, try removing and reinstalling the browser (if possible).  Also make sure that your browser has the latest patches or updates applied to it.
  • Does the problem occur on the same PC when a different user account logs in?  If the problem exists when User A logs in, but not User B, this points to a problem in the user's Windows profile.  Cleaning out Flash Player temporary files in the user's profile may help.  Comparing the HKEY_CURRENT_USER registry entries for Adobe Flash to those of a user for whom Flash Player is working may also resolve the issue.  If not, try logging the user off the PC and renaming their profile folder under "C:\Users" (or "C:\Documents and Settings" on Windows XP).  If the problem goes away when the user logs in again, it was something in the old profile.  Copy the files you can salvage from the old profile to the new one.
  • Try to reproduce the issue on another PC to make sure that the problem isn't a bug in Flash Player itself (in which case there may be nothing you can do).  If the problem appears on both PCs, and appears when different users visit the same web site, the issue may be a Flash Player bug, a problem with the web site's Flash content, or something other than Flash Player.  For example, it may be a web browser patch recently applied.
  • Consider the firewall.  If you have a firewall on the PC or the network it's attached to, the firewall may be blocking the Flash content.  You'll want to investigate this with those who control your firewall.
  • Do an Internet search.  Search for any error messages, problem descriptions, etc., reported online by others.  You may find that someone else has discovered this problem and found a way to fix it.  
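Before working through the steps above it helps to know which Flash Player flavors are actually installed and at what version.  As an added example (not code from the original post), the script below inventories them.  It assumes what Adobe's installers record: a Version value under HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX, FlashPlayerPlugin and FlashPlayerPepper, binaries under %SystemRoot%\System32\Macromed\Flash (and SysWOW64\Macromed\Flash for 32-bit copies on 64-bit Windows), and per-user data under %APPDATA%\Macromedia\Flash Player and %APPDATA%\Adobe\Flash Player.  Chrome's bundled PPAPI Flash lives inside the Chrome installation and is not covered.

```powershell
# Added example: inventory the Flash Player components on this PC.
# Registry keys, file names and folders are the ones Adobe's installers use
# (assumed here; adjust if your installer version records them differently).

function Get-FlashPlayerInventory {
    $flavors = @(
        @{ Name = 'ActiveX (Internet Explorer)'; Key = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX'; Pattern = 'Flash*.ocx' }
        @{ Name = 'NPAPI plugin (Firefox)';      Key = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerPlugin';  Pattern = 'NPSWF*.dll' }
        @{ Name = 'PPAPI (Opera, Chromium)';     Key = 'HKLM:\SOFTWARE\Macromedia\FlashPlayerPepper';  Pattern = 'pepflashplayer*.dll' }
    )
    $dirs = @("$env:SystemRoot\System32\Macromed\Flash", "$env:SystemRoot\SysWOW64\Macromed\Flash")

    foreach ($f in $flavors) {
        # Version recorded by the installer (absent when the flavor is not installed).
        $regVersion = (Get-ItemProperty -Path $f.Key -ErrorAction SilentlyContinue).Version

        # Versions stamped on the binaries actually present on disk.
        $fileVersions = foreach ($d in $dirs) {
            Get-ChildItem -Path $d -Filter $f.Pattern -ErrorAction SilentlyContinue |
                ForEach-Object { "$($_.FullName) ($($_.VersionInfo.FileVersion))" }
        }

        [pscustomobject]@{
            Flavor          = $f.Name
            RegistryVersion = if ($regVersion) { $regVersion } else { '(not installed)' }
            FilesOnDisk     = if ($fileVersions) { $fileVersions -join "`n" } else { '(none)' }
        }
    }
}

function Get-FlashPlayerUserData {
    # Per-user settings, local shared objects and cache: the "temporary files in
    # the user's profile" that a profile-specific failure may call for clearing.
    foreach ($p in @("$env:APPDATA\Macromedia\Flash Player", "$env:APPDATA\Adobe\Flash Player")) {
        if (Test-Path -Path $p) {
            $bytes = (Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue |
                      Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{ Path = $p; SizeBytes = [int64]$bytes }
        }
    }
}

Get-FlashPlayerInventory | Format-List
Get-FlashPlayerUserData  | Format-Table -AutoSize
```

A flavor whose registry version and on-disk file version disagree is the "update left the plugin inconsistent" case from the reboot step; a flavor that is installed for a browser nobody uses is attack surface you can remove.  Compare every version shown with the current release on Adobe's site before doing anything else.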

Wednesday, March 11, 2015

Rethinking IT Security in 2015 - Kaspersky's View

Recently, I listened to a webinar presented by Kaspersky, the makers of several endpoint and network security products.  The talk was entitled "Rethinking IT Security".  It discussed the current threat landscape, projections for 2015, and of course the Kaspersky products that could help an organization improve its security.

The talk began with malware statistics drawn from Kaspersky's antivirus work.  They had surveyed people to see how many new malware samples they expected a company like Kaspersky to discover in a month.  The answer options ranged from 1-1,000 all the way up to 250,000+.  Over 70% of the survey respondents guessed 10,000 or fewer per month.  The real answer: more than 325,000 unique malware samples were discovered per month in 2014.

The number of web-borne infections seen per month exceeds 270 million.  The number of network attacks blocked per month exceeds 160 million.

The "most serious" threats in 2014 were malware, intentional data leaks, software vulnerabilities, accidental leaks, hacking and intrusion, phishing, and device theft.

Malware in the mobile space (iOS and Android) has been growing at an exponential rate over the last couple of years.  In 2011, virtually none existed.  Today the number has grown to almost 12 million unique "installation packs" of mobile malware.  The explosion is attributed to the kinds of things an attacker can get from a compromised mobile device, which can include banking information, private photographs, identity theft information, personal email, and confidential documents.

Kaspersky predicts that the top threats in 2015 will be:

  • Old code, new vulnerabilities:  newly-discovered flaws (zero-days) in long-established code, exploited with existing malware payloads
  • Escalation of ATM and point-of-sale (POS) attacks, like those perpetrated against Target and Home Depot
  • Attacks against the Macintosh platform, due to the growing popularity of these devices and the ingrained belief that malware isn't an issue for the Mac OS
  • Attacks against virtual payment systems
  • Continued exponential growth in mobile attacks
  • Hacks against the "Internet of Things"
  • Increased business costs resulting from security breaches

Kaspersky claims that 70% of malware can be stopped using traditional antivirus, host intrusion prevention systems (HIPS), firewalls, URL filtering, anti-spam, anti-phishing, blacklisting, and heuristics.  Another 29% can be stopped through a combination of Application Control, whitelisting, and a "default deny" policy on unrecognized software.  Much of the remaining 1% can be blocked with behavior monitoring, automated exploit prevention, and system monitoring - combined with the ability to roll the system back when an exposure is detected.

Device control was also discussed as a key security policy component.  Preventing people from mounting unauthorized USB devices can help prevent infection, data leaks, and other security problems.

Kaspersky's description of "rethinking" IT security is to suggest that a layered approach is needed.  You want to combine different kinds of protections that work together.  A signature-based antivirus product alone isn't enough.  You also want protection at the firewall, network, and other levels.

They stressed that even the best-protected network can still be exploited.  The point is to put enough protective measures in place that you make it difficult for the attacker to get in.  This will cause all but the most dedicated attackers to move on to another target with less-effective security.

Tuesday, March 10, 2015

Cylance's New Approach to Anti-Malware

I've spent a lot of time over the past year thinking about desktop security.  Helping to keep our software up to date, making sure things are patched, watching for zero-day malware creeping into the organization, etc., is a constant challenge and activity.  Even the best of the available antivirus software is not 100% effective.

I watched a Kaspersky webinar recently where they said traditional antivirus, combined with some of the more modern protections, will probably catch 70% of threats.  Another 29% can be caught through some combination of technologies like firewall, application control, and the like.  Their basic message is that regardless of your protection, malware will eventually creep in.

One of the big problems is that most antivirus software is still based on signature scans.  That means some human being looked at the malware sample, confirmed that it was malicious, classified it as this or that variety of malware, found something unique about the file that identified it, and placed that definition in the "DAT file" used with the software.  Here's an interesting thought about antivirus software.  Given that there are literally a quarter million new samples captured by malware vendors each month, and that each of these might need some kind of signature to be stored for it, that's a lot of stored signatures.  How many of these signatures do you think are really stored on your PC?  Hundreds of thousands, kept indefinitely, over months or years?  No.  They're keeping the most common and most recent definitions only.  The rest are kept in a cloud server and the antivirus software consults that when it needs to know if something is infected.

I had the opportunity to speak with staff from Cylance (pronounced like "silence").  They have a very different approach to the whole malware and signature problem.  Rather than try to manually classify thousands of malware items on an ongoing basis and build massive signature databases, they went a different direction.  They gathered millions of samples of good and bad software.  They placed it in different "buckets".  Then they identified some 150,000 to 200,000 ways that the software could be classified.  Does it hook the keyboard?  Does it try to write to system directories?  Is it trying to modify running processes?  They scanned all those millions of samples and determined which of those 200,000 characteristics separated good software from malware.  Then they built a mathematically solid process for rating software as "safe" or "dangerous" based on those characteristics.

I've not had a chance to play with it yet, but they tell me their approach is able to catch 97-99% of malware, including zero-day malware, that it encounters.  Cylance intercepts the program when it's about to launch, rates its resemblance to malware, and decides whether or not it should be allowed to launch.  Programs with a strong resemblance to malware are blocked, the rest are allowed to run.

At first, I was a bit skeptical of the approach.  The more I thought about it, though, the more it made sense to me.  A lot of malware is created using canned toolkits.  Even the customized, targeted stuff is still going to use code that resembles that canned stuff.  For it to be useful to the attacker, it's got to be able to do things like communicate with a Command and Control server on the Internet, maybe intercept key presses, scan security databases for passwords, etc.  If you can fingerprint the code that does that kind of thing, you can start to tell the good software from the bad.  Even a modified version of a legitimate program (e.g., Microsoft Word) could be identified from the real thing by that weird additional code doing the attacker's bidding.

I hope we'll have the opportunity to bring the product in and kick the tires.  It seems promising.

Wednesday, March 4, 2015

Change Registry Permissions Via the Command Line

Recently, while coping with a malware infection on a PC I administer, I discovered that the malware had altered the permissions on a registry key to prevent me from accessing it to find and remove the malware's trigger.  I wasn't able to use Regedit to change the permissions on this registry key, so I needed to find a way to do it through the command line.

That's where the "regini.exe" program comes in handy.

Regini.exe uses a text file for input.  This text file must contain lines in a particular format.  These lines tell Regini which keys you need to modify the permissions for, and what permissions you want to apply to those keys.  It can also delete a key for you.

The lines in the Regini text file should resemble the following example:
HKEY_LOCAL_MACHINE\SOFTWARE\MyCompany\MyProgram [1 5 11 14 17 21]
The line above changes the permissions on the registry key shown.  The numbers in the brackets "[ ]" are the access control entries you want the key to have (I'll list the valid numbers and their meaning below).  Note that the list replaces the key's existing access list rather than adding to it, so include every principal that should keep access; leaving Administrators (1) and System (17) out of the list is an easy way to lock yourself out of the key.  To delete a key instead of re-permissioning it, write [DELETE] in place of the number list.

You can create the Regini text file in Notepad or any other text editor and then save it to disk.

When you're ready to apply the permission changes in the file, you can use the following syntax:
regini.exe -m \\pcName filename.txt
In the above example, "-m \\pcName" tells Regini which PC's registry to change; omit it to change the PC you're running on.  If you were changing a PC named "Finance-01", you'd use "-m \\Finance-01" instead of "-m \\pcName".  For a remote PC, the Remote Registry service must be running on the target.

The "filename.txt" part tells Regini where to find the text file containing the lines that tell Regini what permission changes you want it to make to the registry on that PC.  You can replace that with the path or filename where you've saved the registry change information.

Note that in order to change registry permissions, the command prompt you're running Regini from must have administrator rights on the machine you're changing.  If the key's access list denies even administrators (as malware may arrange), take ownership of the key first: Administrators hold the take-ownership privilege, and the owner of a key can always rewrite its access list.

For more information, see the Microsoft KB.

These are the supported permissions values:

1 - Administrators Full Access
2 - Administrators Read Access
3 - Administrators Read and Write Access
4 - Administrators Read, Write and Delete Access
5 - Creator Full Access
6 - Creator Read and Write Access
7 - World Full Access
8 - World Read Access
9 - World Read and Write Access
10 - World Read, Write and Delete Access
11 - Power Users Full Access
12 - Power Users Read and Write Access
13 - Power Users Read, Write and Delete Access
14 - System Operators Full Access
15 - System Operators Read and Write Access
16 - System Operators Read, Write and Delete Access
17 - System Full Access
18 - System Read and Write Access
19 - System Read Access
20 - Administrators Read, Write and Execute Access
21 - Interactive User Full Access
22 - Interactive User Read and Write Access
23 - Interactive User Read, Write and Delete Access
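The whole round trip as an added example (not code from the original post): write the Regini script, run it, and compare the key's access list before and after with Get-Acl, which is how you confirm that the malware's entry is really gone.  The key HKEY_LOCAL_MACHINE\SOFTWARE\MyCompany\MyProgram is the placeholder from the post, the permission numbers 1, 17 and 8 (Administrators Full, System Full, World Read) were chosen for this illustration, and the script file name fixperms.txt is arbitrary.

```powershell
# Added example: build a Regini script, apply it, and verify the resulting ACL.
# Run from an elevated prompt. Regini line format:  <key> [<numbers>]  sets the
# key's access list;  <key> [DELETE]  deletes the key.

function New-ReginiScript {
    param(
        [Parameter(Mandatory)][string]$Key,         # HKEY_LOCAL_MACHINE\... form, as in the post
        [int[]]$Permissions,                        # numbers from the table above
        [switch]$Delete,                            # emit "[DELETE]" instead of a permission list
        [Parameter(Mandatory)][string]$Path         # where to write the script file
    )
    foreach ($n in $Permissions) {
        if ($n -lt 1 -or $n -gt 23) { throw "Permission number $n is outside the supported 1-23 range." }
    }
    $line = if ($Delete) { "$Key [DELETE]" } else { "$Key [$($Permissions -join ' ')]" }
    # Regini reads a plain text file; ASCII avoids a byte-order mark in front of the key name.
    Set-Content -Path $Path -Value $line -Encoding Ascii
    return $line
}

function Invoke-Regini {
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [string]$ComputerName                       # omit to change the local registry
    )
    $argList = @()
    if ($ComputerName) { $argList += '-m', "\\$ComputerName" }
    $argList += $ScriptPath
    & regini.exe @argList
    if ($LASTEXITCODE -ne 0) { throw "regini.exe failed with exit code $LASTEXITCODE" }
}

function Get-RegistryKeyAcl {
    param([Parameter(Mandatory)][string]$Key)
    # The PowerShell Registry provider addresses keys as Registry::HKEY_LOCAL_MACHINE\...
    try {
        (Get-Acl -Path "Registry::$Key").Access |
            Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
    } catch {
        # A DACL that denies even READ_CONTROL is exactly the situation Regini is for.
        Write-Warning "Cannot read the access list on $Key ($($_.Exception.Message))."
    }
}

$key        = 'HKEY_LOCAL_MACHINE\SOFTWARE\MyCompany\MyProgram'
$scriptFile = Join-Path -Path $env:TEMP -ChildPath 'fixperms.txt'

'--- access list before ---'
Get-RegistryKeyAcl -Key $key | Format-Table -AutoSize

# 1 = Administrators Full, 17 = System Full, 8 = World Read. The list replaces the
# key's access list, so name every principal you still want; a malware-added
# entry that is not listed is dropped along with everything else.
New-ReginiScript -Key $key -Permissions 1, 17, 8 -Path $scriptFile
Invoke-Regini -ScriptPath $scriptFile        # add -ComputerName Finance-01 for a remote PC

'--- access list after ---'
Get-RegistryKeyAcl -Key $key | Format-Table -AutoSize
```

If regini.exe itself comes back with access denied, the key's access list is blocking administrators too; take ownership of the key first and re-run.  The "after" listing is the check worth keeping: if an entry you did not put in the list is still there, the change did not take.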

Wednesday, February 25, 2015

Prevent Windows 7 from Automatically Rebooting After Windows Update Patching

By default, Windows 7 wants to automatically reboot the PC after it finishes applying security patches that need a reboot to finish their installation.  This can be very annoying if you go away and leave applications running overnight, or have some other need to keep the system online.  Fortunately, it's also an easy fix.

Go to the Start Menu and enter "regedit" in the search box.  When you see the Regedit program appear in the list, right-click it and choose "Run as Administrator".

In Regedit, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows.

If there is a key there named "WindowsUpdate", continue on.  If not, right-click that "Windows" key and select New, Key.  Create the WindowsUpdate key.

If there is no "AU" key under WindowsUpdate, create that key as well.

Under the "AU" key, create a new 32-bit DWORD value named NoAutoRebootWithLoggedOnUsers.

Set the value to 1.

Close Regedit.

Windows 7 will no longer reboot on its own after patching while someone is logged on.  Keep in mind that the updates that asked for the restart aren't finished (and any security fix they carry isn't in effect) until the reboot happens, so schedule it rather than forgetting it.
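The same setting from an elevated PowerShell prompt, as an added example (not the post's own code), together with a check for a reboot that is already outstanding.  The pending-reboot markers it looks for are the ones Windows Update and component servicing leave in the registry (the RebootRequired and RebootPending keys and the Session Manager's PendingFileRenameOperations value); nothing else is assumed.

```powershell
# Added example: apply NoAutoRebootWithLoggedOnUsers and report any reboot that
# is already outstanding. Run from an elevated prompt.

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Set-NoAutoRebootWithLoggedOnUsers {
    param([ValidateSet(0, 1)][int]$Enabled = 1)
    # Creates WindowsUpdate and AU if either is missing; harmless when they exist.
    $null = New-Item -Path $auKey -Force
    Set-ItemProperty -Path $auKey -Name 'NoAutoRebootWithLoggedOnUsers' -Value $Enabled -Type DWord
    # Read back so the caller sees what actually landed.
    (Get-ItemProperty -Path $auKey -Name 'NoAutoRebootWithLoggedOnUsers').NoAutoRebootWithLoggedOnUsers
}

function Get-PendingRebootReason {
    # Markers left behind when a restart is outstanding; returns the ones present.
    $reasons = @(
        @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        ) | Where-Object { Test-Path -Path $_ }
    )

    # Files (typically replaced system DLLs) queued to be swapped in at next boot.
    $sessionMgr = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    if ($sessionMgr.PendingFileRenameOperations) {
        $reasons += 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations'
    }
    return @($reasons)
}

$value = Set-NoAutoRebootWithLoggedOnUsers -Enabled 1
Write-Host "NoAutoRebootWithLoggedOnUsers = $value"

$pending = Get-PendingRebootReason
if ($pending.Count -gt 0) {
    Write-Warning ("A reboot is already pending:`n  " + ($pending -join "`n  ") +
                   "`nThe patches behind it are not complete until you restart.")
} else {
    Write-Host 'No reboot is currently pending.'
}
```

On a domain-joined machine, Group Policy rewrites everything under Policies\Microsoft\Windows\WindowsUpdate at each refresh, so a GPO setting of the same name wins over what you set by hand.  Running Get-PendingRebootReason on its own from time to time is a cheap way to catch machines that have been quietly waiting for a restart for weeks.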