Everything posted by herbalist
-
A 20MB registry export does seem quite large. The registry on my primary 98 box exported at 9.86MB. Its system.dat is 6.36MB. The user.dat files are 388KB, 780KB, and 472KB. It's a multi-profile setup that's had well over 100 apps installed which includes WMP9 (Keys added: 1401), Netframework 2.0 (Keys added: 8507), Open Office (Keys added: 2150), DirectX 9 (Keys added: 2808), Adobe Acrobat (Keys added: 195), E-sword (Keys added: 373), and the 98 resource kit (Keys added: 273). Yet yours is twice this size. Are you sure that bloat isn't from MRUs and other usage tracks? There's a very good thread regarding the size of the 98 registry here. CharlotteTheHarlot When you get the registry down to the size you want and it's all cleaned up and optimized, you could use an on-demand batch file to make copies of the .dat files, then make another that will use those copies to overwrite the existing .dat files. The 2nd batch could be called from autoexec.bat and would replace your registry with optimized copies at each restart. This would put an end to bloat, usage records, and registry fragmentation problems. Rick
-
Switching a hard disk from my WindowsMe computer to my Windows98SE
herbalist replied to WangoTango's topic in Windows 9x/ME
Most likely the WinME drive does not have the correct display drivers for the 98 PC. What make and model is each PC and what graphics card is in the Win98 unit now? Most likely you'll have to download the proper display drivers for WinME and the display card you're using. Win98 and WinME occasionally use the same display driver with certain graphics cards, including ones built into the motherboard. When you said you can't change it, did the OS just fail to find the correct one to install? If so, you could try installing the original hard drive as a slave and let WinME search the 98 drive for a driver. You might have to manually enter the locations of the files. Start with windows\inf and any subfolders. Rick
-
I'm using version 2.1, which works great. I see no need to update it. The last version for 9X is 2.3.1.0. The current version for all other Windows OS is 2.4. Beware of Shareaza 4 and 5. These are not connected to the true Shareaza. They're entertainment industry sponsored fakes. Shareaza.com is no longer controlled by the Shareaza developers. Hostile takeover. Details at their new forum. The real Shareaza homepage is http://shareaza.sourceforge.net/?id=home Rick
-
I share your concern, especially in regards to software. For that reason, I've refrained from installing KernelEX on all but one test system until I can find sufficient time to examine the security implications more closely. The potential security issues would concern me a lot less if I could get KernelEX and SSM to coexist. I've never used eMule, but I run Shareaza with 98FE with very good results. In regards to security and privacy, I can definitely agree that a 9X OS is a big asset with such apps. By using an encrypted partition and batch files to load a separate registry, it's possible to completely hide a P2P app (and all the downloads) or any other software and all evidence of its existence on a 9X system. With a little work, this can be done with an entire user profile. Compared to an NT system, there's far fewer places for apps or an OS to hide data, and with DOS the user has what they need to access them. IMO, that's a 9X system's biggest asset. Rick
-
I haven't seen a virus or trojan cause that particular problem but I wouldn't rule it out either. I remember seeing somewhere that some USB flash drives were sold infected from the factory and infected the user's PC as soon as they were plugged in. Did this problem show up when you first used a new USB device? You mentioned the DVD and the card reader use the same driver. Any chance that some of the driver's files or registry entries were duplicated? I'm not familiar with System Commander. Will it let you use shift during a restart and restart just Windows? If it will, you might try substituting empty copies of autoexec.bat and config.sys, then restart Windows and see if the duplicates are still there. Other than that, about all I can think of is restoring to an earlier state when you didn't have that problem, then add the USB and external devices one at a time. This would also rule out a virus/trojan as the cause. I monitor all installs, updates, etc with Inctrl5, which gives me a record of what each install adds and changes. Assuming you can restore to a pre-problem state, you might use the earlier version Inctrl4 to monitor what's happening. It has a real time mode that only works on 9X systems. PCMag used to sell it, but it's around if you look for it. Rick
-
Do you have entries for USB drivers or devices in your autoexec.bat or config.sys? When I loaded a driver for the CD drive in autoexec.bat, the CD drive was displayed twice in explorer.
-
First time I've seen that problem with Rapidshare. Couldn't get upload.to to work at all so I'll try this one. Documents: http://www.mediafire.com/?g9iv00t9yjv Forgot about the files. http://www.mediafire.com/?llwbnzgmjl5
-
The translated documents. Translated registry docs. edited to update link
-
Registry Tools. edited to update link.
-
Those "get with the times" comments do get old after a while. But now that Vista's out, XP users are starting to get the same treatment. I hope they enjoy hearing it as much as they enjoyed dishing it out to us. I think MS and companies that sell software view 98 users as bad for their bottom line. If they can convince people to stop using 98, they're more likely to get them to buy new hardware, software, and operating systems. Users have been fed a steady diet of propaganda regarding 98, starting with "it's so insecure" and have been led to believe that this alleged insecurity makes it a threat to their systems, like it carries a disease or something. The entertainment industry doesn't like 98. Making DRM part of the OS doesn't work so well when they can't stop the user from accessing it with DOS. I'm convinced that there's quite a few groups, companies, and agencies that view DOS and the access it gives users to everything as a threat to their agendas. The chances of this happening are extremely small, even if the patch developer's system is infected. A malware writer would never expect his code to be spread via such a vector. The malicious code would have to be completely within the patch's files and would have to survive any/all modifications that might be made to the files. It could not perform any activity that might catch the attention of the developers, testers and users. It would have to work on systems that are set up differently than the typical 9X system. It would have to escape detection by all the parties' AVs and security packages. IMO, someone would have to be deliberately targeting this specific group of people, not just 98 users, and be good at it before it would be successful. Rick
-
To my knowledge, this hasn't been discussed much or explored in any detail. System functions themselves are not vulnerable per se. They're used when the application (or malware) needs them. Allow me to rephrase your statement a little. Perhaps some sort of test case can be devised to see if a core function of NT that's introduced into 9x by KernelEX can be used to exploit or infect a 9x system, where before KernelEX was installed, that system was not vulnerable to that malicious code. When you include all the variants, there is somewhere around a half million pieces of malicious code. Testing anything more than a few examples would be impossible without a large number of employees who know what they're doing. Disassembling malware is well beyond my abilities and those of most people I know. Some of us here have small malware collections. It might be feasible to set up a standard 9X testbox and attempt to run the malware we have on it, keeping records of which ones affect a 9X system. Then install KernelEX and run them all again and see what changes. The absolute earliest I could even consider starting a project like that would be mid-winter. The most I would expect to see is a very small percentage of the malicious code for NT functioning as it was designed to. The added system functions are only one piece of a larger puzzle. The system files and their locations will be different than the malware writer coded for. Only some of the NT functions will be available. Others will not. Most malicious code for NT systems expects to find an NTFS file system, which won't be there. The processes and command switches that are normally present on an NT system won't be there or won't work. I'd expect to see some malware that partially functions, but not necessarily as it was designed to. If KernelEX gets developed enough to go mainstream and get noticed by malware writers, then everything could change. Rick
-
It has nothing to do with programming errors or developer mistakes. System functions and commands aren't good or malicious. They're tools. They're part of the operating system. How they're used decides if they're malicious or not. Even in the simplest of languages, system commands can be used maliciously. Individual DOS commands aren't malicious but using the DELETE command on the system folder would be. It's no different with KernelEX. It adds functions and the ability to understand commands to 9X that it never understood before. In a limited way, it's creating a new operating system that's a hybrid of 9X and NT with characteristics of both, and makes it possible for a 9X system to run software that it never could before. My point is that this could include some malicious code that 9X couldn't run before. The only "fault" here lies with the one who wrote that malicious code, definitely not with the KernelEX developer. I'm strictly pointing out that the new possibilities it opens up might not all be good. It's just something we need to be aware of. Regarding the testing of unofficial updates, I try the ones that interest me on a testbox, which is equipped with my full security package. I used to beta test quite a bit of software. Anymore, I just don't have the time to test anything in detail, so most of it hasn't gone past my testbox. Rick
-
Regarding KernelEX and the possible introduction of new vulnerabilities, I have to take the position that it is a possibility. By no means am I saying that this is malicious intent, negligence, or anything similar on the part of its developers. It's the nature of the project. The purpose of KernelEX is to make it possible for software that's designed for NT systems to run on 9X systems. It works by adding some of the core functions from NT systems the newer software is designed to use. 98 is in the position of not being affected by a lot of the malicious code that's in circulation, primarily for 2 reasons. 1, The system files and their paths are either different or don't exist on a 9X system at all. 2, 98 doesn't use or understand many of the core functions of an NT system, which is what most malware targets. By adding these functions to 98, it's entirely possible that some of this malicious code will be able to run on 9X when it couldn't before. In this respect, malware is no different than any other software. KernelEX definitely will not cause 9X to be vulnerable to all the malware that XP has been hit with, but it will have an effect. There's no way to know how much effect unless you have a crew of programmers available that know how to reverse engineer malware and have an in-depth understanding of both types of operating systems at a kernel level. Microsoft has plenty of programmers and they can't prevent vulnerabilities in their own products, and they have the source code. KernelEX would have to become a lot more popular before malware writers start looking to write exploit code for it, but the additional functions may allow some of it to work, at least partially, which could lead to some very unexpected behaviors. It's just a potential problem we need to be aware of, one that could become more significant as KernelEX grows. When you get right down to it, this wouldn't be a KernelEX problem.
Being targeted by all kinds of malicious code is just reality for NT systems. Adding NT functions to 9X systems gives them some of the NT systems' problems. Regarding my comments about WGA, I wasn't suggesting that it installed a backdoor. I am calling it spyware. It was passed as a security update but does nothing that's even remotely security related. It exists solely to make sure you've given them your money, because MS doesn't trust their customers. As for actual evidence of deliberate backdoors, no I don't have proof, just circumstantial evidence and suspicions. That said, it wouldn't surprise me at all if one was discovered tomorrow. I'd have to disagree with that logic. IMO releasing the malicious code here would increase the chances of it being discovered. Many of the members here know how 9X systems work in far more detail than members elsewhere. They're much more likely to notice unusual activity. Some of us have some potent security setups in place that don't miss much. These reasons aside, why would a malware writer target such a small percentage of the PCs when there's a much more common OS (XP) with a history of being vulnerable? Rick
-
I don't know what you're smoking, but I want some of it!
-
Is it really any different with official updates? When WGA is passed as a security update, how are official updates better? As far as malicious code or backdoors that are deliberately inserted, I'd worry more about the official updates. With the unofficial ones, creating a new vulnerability is possible, especially with KernelEX. It's difficult to determine what vulnerabilities may be created by the added functions. It's largely unexplored territory. Unofficial updates are no different than user software, official patches, etc. Users' systems vary widely, and what works on one might not on another. Most software leaves something behind when it's removed or doesn't put settings back the way they were. On several occasions, MS has had to patch their own patches. There's some risk in every install, every patch, every update, no matter where it comes from. The better unofficial patches have beta releases for testing, just like user software. Beta releases catch most problems, but not all of them. It's not possible to test any update, official or not, with every possible software combination. Conflicts and incompatibilities will happen. That's what system backups and test systems are for. A user that doesn't have a way to restore their system has only themselves to blame if things go wrong. With system backups available, uninstallers aren't important. Too many users overlook system backups. Even if the backups are several months old, they can still restore your system to a known point in time and save a whole lot of reinstalling and configuring. I use several unofficial updates and patches. Most of the ones I've tried work properly. That said, nothing gets installed on my primary systems without being tried on a test system first. It doesn't make any difference where it comes from or what it is. Rick
-
Then you have been very fortunate. Some of the biggest malware infections I've cleaned were on 98/ME units. I've seen malware on a WinME box use so much of the bandwidth that it took over 2 minutes to load any webpage, then much longer still to kill all the popups. 98 isn't targeted nearly as much as it used to be and definitely not as much as XP is, but don't make the mistake of thinking that all the malware writers have forgotten it. IE6 and WMP run on 98, and those are definitely targeted. The two most common methods of infecting Windows are attacks that target Internet Explorer and social engineering (targeting the user). Using an alternate browser is one of the best things you can do to enhance security on Windows, from 95 thru XP. The alternates are also faster and use memory and resources more efficiently on 9X systems. Other benefits are tabbed browsing, easier configuration, and the availability of all kinds of extensions and plugins to add features and customize it to your taste.
-
That uncertainty is the reason I install my security package first, before the OS ever goes online. Whenever I can, I try to keep up with newly found vulnerabilities, exploit code, POCs, etc, and try to make time to test some of them that look like they might be a problem for 9X systems. There's never enough time unless it's all you do. Some of the members here have sent me copies of malware that comes very close to rootkit behavior on 98. Still have more of them to test when I can find time. These have convinced me that at least some of the malware writers haven't forgotten the 9X systems. Consider yourself fortunate. Before I switched browsers, it happened to me a couple of times. Once when I was using Norton Internet Security, a malicious page crashed both the AV and firewall, then my system. When I restarted it, it was infected. This happened just from clicking a link in a Google search regarding a medicinal plant, so it's not like I was looking for trouble. Not including user mistakes, my primary concern regarding security and 98 is code that attacks user applications instead of the OS itself. Not too long ago, a POC that used PDFs for delivery worked against all versions of Windows and would function automatically if the browser was allowed to open PDFs. When the OS can't use the latest "not vulnerable" versions of the exploited software, the solution is in system configuration, how the files are handled. I now save PDFs to disk, then open them in their own process, which doesn't have permission to launch any other processes. Duffy98, Regarding Kerio and Memload, this is taken from my system. The circled apps are my security package. I've seen a couple of general guides regarding setting up Kerio but don't remember where they are. A few of us made this one last year. It's primarily for NT systems but should help give you some more ideas. 
As far as using Kerio with Proxomitron in such a way that your browser has to run through it, this will require a couple of rules. The browser will need a "loopback rule" that permits it to connect to port 8080 (assuming that you're using Proxomitron's default port). It would look like this: You'll also need a rule that allows Proxomitron to connect out to the internet with port 80 (and port 443 if you're using it for https). You also have to change the browser's proxy settings to use 127.0.0.1 and port 8080. The main thing to remember with Kerio is that it starts at the top of the ruleset and uses the first rule that applies, so the order the rules are in is important. Rick
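The first-match ordering described in the post above, as an added example that is not part of the original post: a simplified Python model of a top-down, first-match ruleset (not Kerio's own rule format) showing how one stale rule at the top lets the browser skip the filtering proxy, and how to spot rules that can never fire. The executable names, the sample remote address, the leftover rule and the implicit final deny are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # wildcard value for a rule field


@dataclass(frozen=True)
class Rule:
    name: str
    app: Optional[str]                       # executable name, or ANY
    remote_ip: Optional[str]                 # exact remote address, or ANY
    remote_ports: Optional[Tuple[int, ...]]  # permitted remote ports, or ANY
    action: str                              # "permit" or "deny"

    def matches(self, app, remote_ip, remote_port):
        return ((self.app is ANY or self.app == app)
                and (self.remote_ip is ANY or self.remote_ip == remote_ip)
                and (self.remote_ports is ANY or remote_port in self.remote_ports))


def evaluate(ruleset, app, remote_ip, remote_port):
    """Walk the ruleset top to bottom and return (action, name) of the first match."""
    for rule in ruleset:
        if rule.matches(app, remote_ip, remote_port):
            return rule.action, rule.name
    return "deny", "implicit default"  # assumption: nothing matched means blocked


def covers(earlier, later):
    """True if every connection 'later' matches is already matched by 'earlier'."""
    ports_ok = earlier.remote_ports is ANY or (
        later.remote_ports is not ANY
        and set(later.remote_ports) <= set(earlier.remote_ports))
    return ((earlier.app is ANY or earlier.app == later.app)
            and (earlier.remote_ip is ANY or earlier.remote_ip == later.remote_ip)
            and ports_ok)


def shadowed(ruleset):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [later.name for i, later in enumerate(ruleset)
            if any(covers(earlier, later) for earlier in ruleset[:i])]


# Constructed names and address, for illustration only.
BROWSER = "browser.exe"
PROXY = "proxomitron.exe"
WEB_HOST = "203.0.113.10"  # documentation-range address standing in for a web server

# Outbound rules in the order the post describes, then explicit denies.
RULES = [
    Rule("browser loopback to proxy", BROWSER, "127.0.0.1", (8080,), "permit"),
    Rule("proxy out to web", PROXY, ANY, (80, 443), "permit"),
    Rule("block browser everything else", BROWSER, ANY, ANY, "deny"),
    Rule("block all", ANY, ANY, ANY, "deny"),
]

# A stale rule from before the proxy was set up (hypothetical).
LEFTOVER = Rule("leftover direct browser rule", BROWSER, ANY, (80, 443), "permit")
LEFTOVER_FIRST = [LEFTOVER] + RULES   # leftover wins: browser bypasses the proxy
LEFTOVER_LAST = RULES + [LEFTOVER]    # leftover is dead: denies above cover it

if __name__ == "__main__":
    for label, rs in (("intended", RULES), ("leftover first", LEFTOVER_FIRST)):
        print(label, "-> browser direct to web:", evaluate(rs, BROWSER, WEB_HOST, 80))
    print("never-reached rules:", shadowed(LEFTOVER_LAST))
```
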
-
You're going to receive varying opinions about software firewalls on 98. I consider them necessary. Others don't. I won't comment on choosing Zone Alarm. When used "as installed", 98 has the NETBIOS ports open. These are regularly targeted by port scans and can be used to compromise 98. Blocking them with a firewall is good, but closing them with system configuration is better. 98 might not have built in services opening ports like on the NT systems, but software installed by the user can. Apps that open ports and act as servers include P2P apps, instant message software, internet answering machine software like Call Wave, anything that needs to receive incoming traffic. Routers can block or allow incoming traffic on a system-wide basis. Software firewalls let you control the traffic on a per-application basis. When and if you install a software firewall is up to you. It's strictly a matter of how important traffic control on an application level is to you unless you don't have a router and your modem doesn't use NAT, then I'd definitely install one first. Myself, I always install the security package first, no matter what version of Windows I'm working with. Again, a matter of personal choice. Some firewalls are extremely light and won't slow your system at all. Kerio 2.1.5 is such a firewall, but it's not for inexperienced users. The pros and cons of a software firewall on 98 and details of its usage should really be its own thread. Whether you use it or not, Internet Explorer is part of the operating system and is 98's biggest vulnerability. Either update to IE6 and patch it completely or rip it out with IEradicator. There are complications to using IEradicator, starting with its breaking software that uses Internet Explorer components. Not for the inexperienced. An alternate browser like Firefox or Opera is a better choice.
If you'd be interested in a browser suite that includes a mail/newsgroup component, address book, webpage composer, and IRC chat component, SeaMonkey is really good on 98. It used to be called the Mozilla Suite and it's an excellent replacement for all the components that come with IE6. That's another good reason to have a software firewall, to block Internet Explorer from having any internet access, in or out. Regarding updates, Windows update still works with 98. Microsoft hasn't removed the existing updates. http://v4.windowsupdate.microsoft.com/en/default.asp Gape's unofficial service pack is good. So are Maximum-Decim updates. Make sure to look for updates from your vendors' sites too. This includes updates for your sound card, video card, chipset, network card, other drivers, maybe even a BIOS update. Be careful with BIOS updates. Using the wrong one or improperly installing it can kill a PC completely. AVs that work on 98 are getting scarce. They're also getting very heavy for 98 systems that are using the original hardware. Hosts files make good ad blockers but are not up to date or complete enough to deal with the more malicious sites. They change too quickly. The hosts file is more effective against the adware sites that don't move much. An alternate browser will do more to protect you. The majority of the malicious code in circulation doesn't affect 98, but some still does. Code that attacks individual applications besides Internet Explorer and Windows Media Player is on the increase and can be used against 98 via the installed software. It's not nearly as common as the stuff that attacks XP but it's out there. The details of securing 98 should really be a separate topic. Depending on how far you want to go, this can include a lot of information. Only a few vendors of conventional security apps offer anything for 98. Soon, they will drop support too. The reality of security for 98 is this. The burden of security and support rests solely on the user now.
The user has to rely on their own skills and knowledge. There's enough free security software available to secure 98 as tightly as you want, if you understand the workings of your system well enough. Unsupported operating systems like 98/ME are not for the casual user anymore. If you want a security setup and policy that doesn't rely on continuing vendor support, research default-deny as a security policy. Back on the subject of setting up 98. One utility you will likely need early on is an unzipping tool like WinZip, WinRar, or 7Zip. Unlike XP, 98 has nothing built in that opens these archives. Quite often drivers and updates come as compressed archives. 7Zip is free, Open Source, works with most all types of archives, and runs fine on 98. I don't know how you have your hardware set up or what point you're at in the setup. If you're just starting and your hard drive setup permits it, using separate drives or partitions for your system and data makes everything much easier down the line. System backups are smaller. If there's problems with the system partition that require starting over or the using of a backup image, your personal files aren't lost. I put 3 internal drives in this PC, a 9 year old HP Pavilion. Check your local computer store. The one here sold me a small used hard drive for $10. Depending on the age of your hardware, you might have to add a USB card in order to get decent use of external hardware. The built in USB on mine is very slow, even with the Maxim-Decim USB update. A new USB card and 2.0 Orangeware drivers made a huge difference, enough for an external hard drive to work well. There's a lot to update on PCs running 98, especially if it's hardware that came with 98. Rick
-
I'm guessing that the memory that's used by the operating system as a whole isn't included in the itemized list. My knowledge of what 98 stores in memory is quite limited. It would be useful to figure out what everything is that 98 keeps in memory and which items are responsible for its being used up. Are there any utilities that show more details of the memory usage by windows itself? Any listing of what is stored there, full or partial?
-
Linksys Router/phone adapter configuration
herbalist replied to herbalist's topic in Networks and the Internet
So far, no success with disabling IVRM. For now, I've moved the phone adapter/router back in front of the firewall until I'm convinced that its configuration can't be altered from the net or via the phone. Unless there's another menu or method of configuration I'm not seeing, there doesn't seem to be any way to limit what can be changed or accessed via this IVRM. Rick
-
That's odd. I've been using 1.51 with no problems. It sounds like you've got the wrong one. Did you get the installer or the zip file? I just downloaded the 1.70 zip file. It works fine here. MD5 for the 1.70b2 zip file: 4d4dd58ca111dc728ce4e22971e64c5d Rick
-
CDex works well with 98. They're making an effort to continue supporting 9X operating systems. Open Source. http://cdexos.sourceforge.net/ Rick
-
Memload may help you find which process is using up your memory. It's one of a very few that show memory usage on 9X units for each process separately. Another member pointed me to this little utility. http://www.pricelesswarehome.org/acf/P_SYS...IES.php#0451-PW Rick
-
I'm in the process of switching from conventional to internet phone service. I'm using a Linksys router/phone adapter, model SPA2102. While configuring the router, I learned of the IVRM (Interactive Voice Response Menu) feature, which enables the user to configure the router-adapter with a telephone. I'm very concerned with the security implications of this "feature" as it can be used to change any or all of the settings, including a full factory reset and changing the password. This is copied from the manual. IMO, this seriously degrades the strength of a password. With attacks on routers becoming more common, I opted to install the router behind Smoothwall so I could control and monitor its traffic. I'm questioning the security of the IVRM feature, concerned that it could be used to bypass Smoothwall using traffic that's necessary for normal operations. I'd like to completely disable it but I don't see any way to do this. The manuals are no help. Anybody know how to shut off this "feature"? At present, the router/adapter is installed between Smoothwall and my PC. When I assembled the PC with Smoothwall, I only installed 2 network cards. Didn't plan on hosting a website, adding a server, etc, so I didn't set up a DMZ. Would I be better off adding a 3rd network card as a DMZ and hooking the router-adapter to it? Internet phone service is new to me so I'm open to suggestions as to the best way to set this up. Rick
-
Eventually, they'll all drop support for 98 and we'll have to use the last compatible versions of the one we prefer. IMO, it's not that much of a problem. We're running operating systems with no "official" support. We've all seen the warnings telling us about how insecure 98 will be without support and that we have to "upgrade" to be safe. Most of us know that it's nothing more than propaganda and marketing. When properly configured and secured, the opposite is proving to be true. With the alternate browsers, staying up to date is far less important than it is for IE users. The alternates are not integrated into the operating system. With a browser that's part of the OS, code that exploits the browser basically exploits the operating system. With the alternate browsers, vulnerabilities that lead to remote code execution are rare when compared to IE6. Many of these can be mitigated or eliminated by good system configuration. A good security package can prevent most malicious code from doing any damage. A web content filter like Proxomitron can remove malicious code before it ever reaches the browser. IMO, the 98 compatible security software that's available now will be sufficient to secure 98 with an alternate browser for several more years. Running an older version of an alternate browser will be an extension of what we're already doing. In the short term, we'll have to examine vulnerabilities as they're found and see if they can be used against 9X systems. In the long term, we'll see an increasing amount of content that will be challenging to make work on 98. Some of the talented members here have already proven that they're up to that challenge. Regarding MyIE2, I believe it's a front end for Internet Explorer. It uses the core Internet Explorer components, which makes it vulnerable to many of the same problems as IE6. Since it uses IE6 components, it has the same OS integration problems and the security risks that come from exposing your OS to the internet. Rick