CharlotteTheHarlot
Member, 2,051 posts, Donations: 0.00 USD, Country: United States
Everything posted by CharlotteTheHarlot

  1. Well the RIAA doesn't have this power and won't... At the risk of keeping this thread off-topic (sorry!) It may surprise some people to learn of the power some of these non-governmental agencies have achieved while everyone was napping. I can state as a fact the following: Here in my little corner of the States there is a large and very popular flea market that regularly gets raided by teams made up of local cops, FBI feds and agents of the MPAA, who of course are arresting folks that are selling counterfeit DVDs and other such state secrets. I certainly hold no sympathy for people that copy media and sell it and pocket the proceeds (there is clear theft in this case). But what we have now is the elevation of some short-lived consumer recreational media products to the level of a national currency. Furthermore, when actual counterfeit money is detected it is a minor affair that is handled by the locals (no doubt some SS folks get notified though). I mean, we can really tell what the priorities are these days. My overall point being that it is wise to never say never about any of these Hollywood/artist/software lobby groups, and never underestimate what may happen down the road. (As I write this there is a large BSA flash banner ad at the top of this page!). I can easily imagine raids on stores that might be selling illegal hardware such as some DVD player without the required output restricting chips, or maybe video cards that refuse to honor the Vista/7 DRM protocols. A Congress (or EU) full of fools is capable of doing just about anything, it just depends upon who is bending their ear. If the current state of affairs (industries successfully lobbying for draconian governmental protections) were in existence around 1890, we would have buggy whips, unpaved roads, feeding troughs, and horse poop piles all around us.
  2. Thanks for the excellent explanation Jaclaz. For those using Opera, if you have bookmarks/favorites to the MSFN site you will need to edit the file called Opera6.adr which on my systems is found under the Opera directory in a subfolder called \Profile. This is a plain text file that can be easily edited (but probably only while Opera is not running). ASCII search for a simple string like msfn.org/ to be sure to catch all possible variations. If you save a lot of Sessions like me, you will also need to venture into another subfolder another level down called \Profile\Sessions. Do a Windows FIND in there and look for the msfn.org string to catch all the files (sessions) which saved tabs pointing to MSFN. Then proceed to edit these files as above (they are also ASCII but in UTF-8, UltraEdit works fine). The details are found above in Post #3, but to summarize, replace the links with the appropriate lines:
h--p://www.msfn.org/board/index.php?showforum=xx
h--p://www.msfn.org/board/index.php?showtopic=xxxxxx
All of the 'x' need to be replaced with the correct identifiers (and of course the http)!
  3. Well, it's definitely not one or the other for me, I choose to use both 9x and NT. Which leads me to a real important question that has bugged me for a while ... How can I change this OS thing over here to say BOTH Win9x and WinXP Pro ??? . . . <------ Over Here EDIT: trying to point to it better
  4. Similar question was recently asked in this thread ... Tracking Registry... I believe the answer was software called RegShot.
  5. In general, if you had Home OEM you would want a Home OEM CD, not Home Retail or Pro OEM or Pro Retail. MCE of course came a few years later. Although not on the sticker, 'OEM' is implied (I believe there is no MCE 'Retail' version). Hence, there is no way to get confused now. You want a Sony CD for XP MCE, preferably 2004, that is the easiest method to achieve what this thread title asks. But if you cannot get one, you will need to try to build a CD from the existing files. Search for Sony MCE 2004 i386 or some such. Keep in mind that MCE has many more files than Pro, as stated previously this could be quite a chore! Slipstreaming this up to SP3 would be, well, interesting (although someone surely has done it). I can think of one other way to do this but it has to be considered a last-ditch effort. I might clone that current installation to a new HDD, then shelve the old drive, then boot the new one, then have a look at the recovery partition and perform a reset. This won't get you a lean mean optimized setup, instead it will essentially be what Sony originally shipped, bloatware and all. Cloning to a new HDD buys a cheap insurance policy, if the reset/install goes wrong the old drive is still there unharmed and ready for use (clone and try again or try something else). Whatever you end up doing, please report back for others to learn from!
  6. The sticker may or may not have the product key that was entered into the XP install screen. When you build a system yourself and open up a system builder OEM version of WinXP and install it, the key on that sticker will match the key in the registry because that key on the sticker is what you enter into the setup screen and then affix the sticker to the computer. However, this is not how the retailers do it because employees at stores could copy the keys off the stickers on their inventory and then run home and use or distribute the key (this is illegal), leaving the future purchaser in a lurch. They all have their own method to install and protect the XP installation while keeping their own costs as low as possible. Having myself inherited countless scrapped XP computers of which most are retail models from those companies mentioned previously, I can tell you that the key I pull from the registry rarely matches the affixed sticker. The few times that it does I suspect the previous owner re-installed and used the number from the sticker. Whether this resulted in a phone call activation is anyone's guess. The main point I was making is that you should NOT worry about activation at all. If that system is legal and it has the sticker to prove it, you will get activated, period. The worst-case scenario involves a free phone call. In your situation, I would do this: get a Sony labelled WinXP CD from the owner or Sony or eBay (it will be SP2 or older). I would setup using this disc and use the product key pulled from the registry, failing that use the sticker, (failing that make the phone call). Then you can run the SP3 update when done. This is the easiest way. Listen to what jaclaz said, it is difficult to impossible to recreate the retailer re-install CD from the files found on the hard disk. Slipstreaming SP3 into a complete source (Sony XP distribution disc) can be hard enough, but slipstream to a possibly incomplete source (taken from HDD i386 or recovery partition) may substantially tax one's patience.
EDIT to make clearer: I should have said that the fine print on your sticker will tell you what kind of WinXP Re-Installation CD branded by Sony you are looking for. Most importantly 'OEM' (99.999% certainty) and 'Home Edition' will be the key words. If it is 'Professional' you will need that instead. This is absolute, you cannot go from Home to Pro or vice versa. Don't attempt to install the wrong one!
Ultimately that original HDD might make a nice 2nd slave drive, but I meant leave it disconnected (or put it on a shelf) until everything on the new XP drive is ironed out (it should not be connected while installing XP to the new HDD). Consider it a fallback failsafe backup. It can be re-attached (while disconnecting the new HDD) and presto, you will be right back where you left off, with the ability to grab data files, drivers and that important registry export. The main point is that re-installing XP to that current drive burns all your bridges at once, there is no going back. It is currently working, so don't kill it yet. Reformatting it for slave use is way down the list of priorities well into the future IMHO.
BTW, you would not have to de-activate any partition anyway, it will not be seen as a part of the new configuration from your XP install onto a new HDD. If and when the drive is slaved later, most BIOSes are smart enough to allow you to select which drive comes first, and it will not default to a slave drive (IOW you would need to manually force the BIOS to see the old slaved drive as the system bootup C:). The really good BIOS choices, usually on SATA, let you enable and disable specific drives (in this case only I would leave both drives hooked up and use the BIOS exclusively to pick my boot). But by disconnecting it completely, you will remove all confusion. So, to be clear, I was suggesting to use the old or new, not both.
  7. Well don't worry about activation yet. If this is store bought and legal with the sticker on the side (includes Dell, HP, Compaq, Sony, eMachines), your friend owns a license and it will be activated, definitely, but probably after a simple phone call. That sticker and an honest explanation is all that is required. Also note that there are many special utilities to pull the product key as originally entered from the registry, and this may successfully preclude the phone call altogether. Here is something to consider. Why do you want to obliterate the old working HDD with format/install? It is not like drives cost a ton of money, you should find a new 80 GB for like $30. Since he is adding RAM have him get another HDD at the same time. The current one remains as a failsafe backup. It will also be a necessary source of: registry export (valuable settings, product IDs, licenses), drivers, data (that someone always forgets), possible hidden recovery partitions, on and on. Using a new HDD allows you to experiment safely on getting the XP install correct. Also, to identify the specific hardware, your first best option is to eyeball the actual parts rather than relying on software that takes its best guess. Start with the exact motherboard model and revision and hit Google and you will locate drivers that are likely independent of the original system retailer (Sony). Do the same for all other components. Each of those companies named above has 3rd party sites created by loyal users that often know more about the system than the original retailer does. You might hear something like: on Model xxxx, don't use the eMachines driver, instead get the package from FIC directly (just a common example).
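What the "special utilities to pull the product key as originally entered from the registry" in posts 6 and 7 actually do, as an added example; this is not code from the posts or from any of those utilities. It assumes the layout the well-known XP/2003 key-recovery scripts rely on: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId is a REG_BINARY blob, and bytes 52 through 66 of it hold the 25-character key as a 15-byte little-endian base-24 integer over the alphabet BCDFGHJKMPQRTVWXY2346789. The sample blob below is constructed; read_digital_product_id() is the live read on a Windows box and is not exercised offline.

```python
"""Decode the Windows XP product key from the DigitalProductId registry blob.

Added example, not from the forum posts. Assumption (matches the well-known
key-recovery scripts for XP/2003): the key occupies bytes 52..66 of the
REG_BINARY value DigitalProductId as a little-endian base-24 integer.
"""
KEY_CHARS = "BCDFGHJKMPQRTVWXY2346789"   # 24 symbols; no 0/1/A/E/I/L/N/O/S/U/Z
KEY_OFFSET = 52                           # assumed offset of the key inside the blob
KEY_LEN = 15                              # 15 bytes hold 25 base-24 digits (24**25 < 2**120)


def decode_product_key(digital_product_id: bytes) -> str:
    """Return the key as XXXXX-XXXXX-XXXXX-XXXXX-XXXXX."""
    if len(digital_product_id) < KEY_OFFSET + KEY_LEN:
        raise ValueError("DigitalProductId too short")
    raw = bytearray(digital_product_id[KEY_OFFSET:KEY_OFFSET + KEY_LEN])
    digits = []
    for _ in range(25):
        rem = 0
        # long division of the little-endian integer by 24; raw[14] is the top byte
        for j in range(KEY_LEN - 1, -1, -1):
            cur = (rem << 8) | raw[j]
            raw[j] = cur // 24
            rem = cur % 24
        digits.append(KEY_CHARS[rem])         # least significant digit first
    key = "".join(reversed(digits))
    return "-".join(key[i:i + 5] for i in range(0, 25, 5))


def encode_product_key(key: str) -> bytes:
    """Inverse of decode_product_key; used here only to build constructed test data."""
    value = 0
    for ch in key.replace("-", ""):
        value = value * 24 + KEY_CHARS.index(ch)
    return value.to_bytes(KEY_LEN, "little")


def fake_digital_product_id(key: str) -> bytes:
    """Constructed 164-byte blob shaped like XP's DigitalProductId; only the key bytes are set."""
    blob = bytearray(164)
    blob[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = encode_product_key(key)
    return bytes(blob)


def read_digital_product_id() -> bytes:
    """Live read on Windows through the standard-library winreg module (not run offline)."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        data, kind = winreg.QueryValueEx(key, "DigitalProductId")
    if kind != winreg.REG_BINARY:
        raise TypeError("DigitalProductId is not REG_BINARY")
    return data


if __name__ == "__main__":
    sample = "BCDFG-HJKMP-QRTVW-XY234-6789B"   # constructed sample, not a real key
    print(decode_product_key(fake_digital_product_id(sample)))
```

Because the decoder reads the key that was typed at setup, the result is exactly what the post says can differ from the COA sticker; compare the two before deciding which one to enter at re-install.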
  8. You will need to perform an UnDelete (aka UnErase) on the files. Those historical terms apply to Win9x and earlier which was kind enough to supply DOS command line utilities for this task. However, on the NT/2K/XP side they have been missing since at least 2k (someone correct me!). There are GUI based utilities (a few are free) for use on XP and such. I use one that is not free but it has a trial period of 25 uses: Briggs Directory Snoop. I like it a lot. Other retailers that come to mind are Runtime Software, Symantec Norton Utilities, etc. I believe there are free tools at SourceForge. Another possibility is to burn or borrow a self-contained bootable UBCD or Knoppix style utility disc and startup with that. You will need to know where those files were physically (where in the directory structure). Important Note: It would be unwise to install some gigantic suite of programs (_cough_ Norton!) which steps all over this hard drive containing your deleted files, this will increase the risk that an undelete operation will fail. The Briggs software I mentioned is very tiny. Likewise, don't download a huge ISO image to burn to CD onto the computer that you need to unerase data! If you happen to own some Norton Utilities discs you may be able to copy or extract only the command line undelete.exe from the CD and try that. Some versions came with a separate bootable Recovery Disc.
  9. The .DEFAULT key under HKEY_USERS is actually used by the Local System user account, it has nothing to do with interactive or default users. The NTUSER.DAT in the Default User profile (on disk, not in the registry) is the template user profile registry hive used when users log on for the first time.
Thanks for pointing that out! Been a while since I cracked the Russinovich book. Got to make some time (sigh).
  10. ProcMon and RegMon (one of its parents) could 'drop' certain events, meaning that it is theoretically possible to lose track of some changes you made. This problem exists for all realtime capture utilities. Snapshot utilities, which I believe includes RegShot (already suggested by -X-), are what you want. It simply makes a comparison of the registry data before and after and presumably creates a ready to use 'patch' file. If you have no such utility there is the classic (but manual ;-) method ...
0) ***
1) export registry to text file (e.g., RegDump_A.reg)
2) make changes (only)
3) export registry to text file (e.g., RegDump_B.reg)
4) WinDiff RegDump_A.reg RegDump_B.reg
You have to collect the changes from WinDiff and piece together the registry file you want.
*** Note: it is extremely helpful to only make changes at step 2) and do nothing else. Any dialog boxes and other necessary GUI stuff that you intend on working in to make these changes, should already be open before you first save the registry. Ideally at step 2) you might only click Apply having pre-selected a color for example. This will help isolate only the registry settings you want and not clutter things up with registry settings that are consequences of clicking around windows (MRU and other housekeeping). Whether you use WinDiff or RegShot this advice still stands. Try to do as few clicks as possible at the registry snapshot phase.
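The WinDiff step of the manual method above, done mechanically: an added example that is not from the post and is not RegShot's code. It parses two regedit exports taken before and after a change and writes a .reg patch containing only what changed, using regedit's own deletion syntax for values and keys that disappeared. The parser covers the subset regedit writes (key headers, "name"=value and @=value lines, hex values continued with a trailing backslash); the two snapshots below are constructed.

```python
"""Mechanical WinDiff for two regedit exports: parse both, diff, emit a .reg patch.

Added example, not from the post and not RegShot. Values are compared as the
literal text regedit wrote, which is exactly what a patch file needs.
"""
from typing import Dict, Tuple

RegSnapshot = Dict[str, Dict[str, str]]    # key path -> {value name -> value text}


def parse_reg(text: str) -> RegSnapshot:
    snap: RegSnapshot = {}
    current = None                          # key currently being read
    pending = None                          # (name, text so far) while a hex value spans lines
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, acc = pending
            acc += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, acc)
            else:
                pending = None
                snap[current][name] = acc
            continue
        if (not line or line.startswith(";") or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            snap.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, val = line.partition("=")  # value names containing '=' are not handled
        name = "@" if name == "@" else name.strip('"')
        if val.endswith("\\"):
            pending = (name, val.rstrip("\\"))
        else:
            snap[current][name] = val
    return snap


def diff_snapshots(before: RegSnapshot, after: RegSnapshot) -> Tuple[RegSnapshot, RegSnapshot]:
    """(changed, removed): values new/different in `after`; values present only in `before`."""
    changed: RegSnapshot = {}
    removed: RegSnapshot = {}
    for key, vals in after.items():
        old = before.get(key, {})
        for name, text in vals.items():
            if old.get(name) != text:
                changed.setdefault(key, {})[name] = text
    for key, vals in before.items():
        new = after.get(key)
        for name, text in vals.items():
            if new is None or name not in new:
                removed.setdefault(key, {})[name] = text
    return changed, removed


def _fmt_name(name: str) -> str:
    return "@" if name == "@" else '"%s"' % name


def render_patch(before: RegSnapshot, after: RegSnapshot,
                 header: str = "Windows Registry Editor Version 5.00") -> str:
    """Write only the differences; '[-key]' deletes a key, '"name"=-' deletes a value."""
    changed, removed = diff_snapshots(before, after)
    out = [header, ""]
    for key in sorted(set(changed) | set(removed)):
        if key not in after:                # whole key vanished: delete it outright
            out += ["[-%s]" % key, ""]
            continue
        out.append("[%s]" % key)
        for name in sorted(removed.get(key, {})):
            out.append("%s=-" % _fmt_name(name))
        for name, text in sorted(changed.get(key, {}).items()):
            out.append("%s=%s" % (_fmt_name(name), text))
        out.append("")
    return "\n".join(out)


# Constructed snapshots: the second changes Wallpaper, adds a value and a key,
# and drops a key; TileWallpaper and Keep are unchanged and must not appear.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\old.bmp"
"TileWallpaper"="0"

[HKEY_CURRENT_USER\Software\Example\Old]
"Keep"=dword:00000001

[HKEY_CURRENT_USER\Software\Example\Gone]
"X"=hex:01,00,\
  02,03
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\new.bmp"
"TileWallpaper"="0"

[HKEY_CURRENT_USER\Software\Example\Old]
"Keep"=dword:00000001
"Added"=dword:00000002

[HKEY_CURRENT_USER\Software\Example\New]
@="hello"
"""

if __name__ == "__main__":
    print(render_patch(parse_reg(BEFORE), parse_reg(AFTER)))
```

The advice in the post about doing nothing but the one change between the two exports applies unchanged: every MRU update or window-position write between the snapshots lands in the patch, and the script has no way to tell housekeeping noise from the setting you wanted.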
  11. I just looked at some references and see that there is a possibility of conflicts arising from real-mode drivers loading in Autoexec.bat and Config.sys that can disrupt the use of opticals in Windows protected mode. You should check those two files in the root directory (if they exist) and see if there is anything within that is suspect (oak, atapi, mscdex). In theory, this could affect one optical drive but another might be just fine. You didn't mention your ability to restore the registry from system.dat backups. Please tell us you have backups and know how to restore it from an increasingly likely FUBAR disaster. Swapping HDD controllers, INF chipset software, and moving PCI cards is not for the ill-prepared! The MSINFO you supplied is definitely one for the record books, the only thing missing is the kitchen sink! It appears to me that the Highpoint implementation is non-standard since it does not show up as two discrete HDD controllers on their own IRQs (unless the two so-called HPT366 Ultra DMA Controller is an alias, in which case they appear to share IRQ 11 ouch! lucky the secondary appears to be empty). Re-reading this thread and your replies tells me that this DVD would not work in UDMA-2 on the 33 channel(s) or in UDMA-4 on the 66 channel(s). The latter is troubling because the correct cable is there and a drive is working in UDMA-4 as it should. If you are game, I have an idea. After it is done I will give you a registry patch to try. There is some prep first...
1) remove the DVD burner
2) boot into Safe Mode
3) Device Manager > System (delete all occurrences of the Samsung)
4) shutdown, install DVD on 80-wire slave to the HDD (jumper!)
5) boot normal, let it detect, reboot
6) export two registry branches (place in zip) ...
[HKEY_LOCAL_MACHINE\Enum]
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Asd]
7) get them to me somehow: maybe try attaching ZIP in forum (not sure if possible), I estimate those would be like 100 kb as text, probably 10 kb as ZIP. Text is probably too big for CODEBOX (does anyone here know?). If all else fails, PM me and we'll do an email.
Here is what I can definitely do (given that data). I can determine which entries the Samsung is being loaded from and tailor the registry branch and the Enumerate/Start key the way it should be (if needed! it might actually be correct). The resultant registry patch plus a reboot will pretty much tell us if this is a Windows problem or a hardware problem. In other words whether the drive should be replaced. The reason I can say this is because of that HDD sitting in the master position with UDMA-4 working. This drive as slave with the correct registry info should work (again barring all the previous things we verified: jumpers, BIOS, cables, and don't forget to look at Autoexec.bat and Config.sys).
P.S. how much time before the new drive replace/return RMA elapses? FYI, you can short circuit this adventure by stuffing the DVD drive into a WinXP (or newer) machine. With no DMA I would suggest with high confidence to RMA the thing and start over.
  12. What you noticed is apparently by design. I have noticed in Win9x that both of these branches ...
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
get 'reset' extremely often. I suspect there is hard code in Explorer.exe or Shell32.dll but I never ran it down to be sure. If Tweakui does in fact allow you to change these special folder locations, then I think it only 'sticks' because Tweakui inserts itself into the startup axis in one or two places (you know, for persistent settings).
  13. Try this prefix instead ... [HKEY_CURRENT_USER\Control Panel\Desktop] I am pretty sure that modifying the registry branches for the .default user will only affect new users that are created later (after such registry modifications are entered).
  14. I see the IDE configuration you have now (jeez, I should have looked up the Abit BE-6 first ). I see a picture of it on this page. Is this the one? When I noticed the eight IDE devices I figured resource sharing as a likely culprit. I noticed on that same page mentioned above that the author mentions this: "As with the BE6 before it, installation of the BE6-II passes without incident as long as some forethought is put to the installation of the ATA66 controller. The trick consists to refer to Appendix D in the users manual to proceed with the installation of the ATA66 controller drivers. Don't forget that the ATA66 controller integrated into this board shares the bus master designation for PCI slot 5, while PCI slot 3 shares an IRQ with that same controller. The driver for the ATA66 controller supports the sharing of the IRQ, but so must the peripheral device installed in PCI slot 3, otherwise you're in for a whole mess of annoyance..." Since this arrangement is probably using/sharing 4 IRQs and 12 I/O ranges (apologize if you already mentioned it) but could you describe what if anything is in the PCI slots? I agree with Drugwash that the problem lies somewhere in the HDD Controller configuration (as long as you are sure that there isn't some BIOS setting you missed). I didn't see anything yet in a quick Google search but somewhere there must be someone that documented the steps of installing the Intel INF Chipset Utility (this gets installed first) and the Intel AA (if it applies to this board) or maybe Highpoint supplemental drivers (if they even exist). When you get around to posting those registry entries, do a search for the string 'S222A' and list any that appear under the HKEY_LOCAL_MACHINE\Enum key. What I am thinking is that the two separate controllers use two different branches. Everything under \Enum matters.
P.S. as already mentioned (but hopefully not too late!), you need a registry backup especially when juggling HDD controllers. If you are not familiar with saving and restoring the configuration, please ask. But definitely make sure there is a recent copy (prior to this adventure) of both System.dat and User.dat that can be used in an emergency.
  15. Rivia, just to be clear can you describe the 2 ATA channels (all four positions and cables). Typically like this:
Channel 1 Master: xxx
Channel 1 Slave: xxx
Channel 2 Master: xxx
Channel 2 Slave: xxx
I am now thinking you have an add-in card, maybe like this(?):
Onboard IDE Master: xxx
Onboard IDE Slave: xxx
PCI IDE Card Master: xxx
PCI IDE Card Slave: xxx
Please point out the current location of the DVD and all drives (fill in those xxx). That registry excerpt you provided only shows your DVD on the SECONDARY SLAVE (note the Child0001 Func_0110). Is that where it is right now? By my count of your testing there should be at least three entries here. I expected these:
[HKEY_LOCAL_MACHINE\Enum\SCSI\TSSTCORPCDDVDW_SH-S222A_S]
[HKEY_LOCAL_MACHINE\Enum\SCSI\TSSTCORPCDDVDW_SH-S222A_S\MF&CHILD0000&PCI&VEN_8086&DEV_7111&SUBSYS_00000000&REV_01&BUS_00&DEV_07&FUNC_0110]
.. stuff...
[HKEY_LOCAL_MACHINE\Enum\SCSI\TSSTCORPCDDVDW_SH-S222A_S\MF&CHILD0001&PCI&VEN_8086&DEV_7111&SUBSYS_00000000&REV_01&BUS_00&DEV_07&FUNC_0100]
.. stuff...
[HKEY_LOCAL_MACHINE\Enum\SCSI\TSSTCORPCDDVDW_SH-S222A_S\MF&CHILD0001&PCI&VEN_8086&DEV_7111&SUBSYS_00000000&REV_01&BUS_00&DEV_07&FUNC_0110]
.. stuff...
Please export that root key above (the first one listed) and post it here.
Other stuff ... Can you locate another 80-wire? Definitely put it in there. Anywhere you are using a 40-wire IDE ribbon cable it is ok to replace it with the newer 80-wire (they are nicer anyway). As Drugwash pointed out, the blue-end to the mobo. If that is an add-in card I presume it has its own BIOS (the few I have dealt with anyway) which means you would have to access it and make sure UDMA or Auto is enabled, not PIO. Ditto this for the onboard IDE in the main BIOS.
You asked: "Do you mean I should physically unplug the Samsung drive before applying the patch ?", the answer is no. The INF files get edited, then you physically install the drive(s) and they get detected. To utilize those edits on already-installed drives you would have to re-detect them (most easily done in Device Manager by deleting the specific drives and then rebooting (...found new hardware...)). If you decide to do this, please do it before you export and post that registry key!
FYI: the "IDEDMADRIVE0" and "IDEDMADRIVE1" entries are the magic that the INF file edits insert into that Class\Hdc00x registry branch. What people confuse is that this is not a runtime value that is referenced at bootstrap; it is used during detection of new hardware and is then used to insert values into the Enum\SCSI subkeys. The "DMACurrentlyUsed"=hex:01 should appear in each entry for the DVD under said key. Since you found this: "DMACurrentlyUsed"=hex:00, you have now entered the infamous DMA not sticking topic! It should yield about a million Googles. [ok, actually 20,000 for S222A DMA not sticking] The good news is that Drugwash has the same burner working on XP so that means it is likely just a matter of massaging Win9x a bit (unless the cable/firmware/BIOS is to blame). Also, please clarify one other thing, did you mean that you have not yet flashed the firmware? Definitely flash it now (if it goes FUBAR you can still make them replace this new drive). It may be the cure anyway.
  16. These ideas come to mind ...
Cables ... are you using the finer 80 wire PATA cable versus the coarser 40 wire? Is the cable in mint condition? It is possible that a marginal cable may work ok for the older CDR but not the newer DVD. Is that CDR set for CS Cable Select? That would require the DVD to also respect CS (not all opticals do). And, if so, the cable must also be a CS version with a flipped wire (I try to avoid CS these days!).
Position ... did you remember to reverse location of the drive when swapping Master/Slave? Master is the end of the PATA cable and Slave is the middle position.
Jumper ... did you remember to change the jumper positions when you changed the Master/Slave relationship? Note that this MUST be checked. If using CS as mentioned above, both drives will need that jumper, if not one drive has Master and the other Slave jumpered. Also, (apologize if dumb question) but does the DVD have a DMA jumper? I have seen some CDR's with them, maybe this DVD burner has one as well.
Firmware ... look for a flash for this drive. Sometimes they forget to enable DMA in the initial release.
NOTE: the MSHDC.INF and DISKDRV.INF edits must be done before the drive is installed and detected. Else, you will simply have to punch in the registry values yourself. Can you open REGEDIT and export the DVD burner registry branch which has several subkeys (I believe I count three now from your post). It will look like this:
[HKEY_LOCAL_MACHINE\Enum\Scsi\Samsung_DVD_xxx]
Export that entire key (the 'Samsung' branch NOT the SCSI branch above it!) and post it here in a CODEBOX. Note that the xxx will be some variation of the drive model number. It is a little unclear in your post the primary/secondary positions but that registry key will probably have three subkeys now with data in these subkey names that corresponds with three of four of these:
Child0000 Func_0100 (Primary Master) ??? unlikely!
Child0000 Func_0110 (Primary Slave)
Child0001 Func_0100 (Secondary Master)
Child0001 Func_0110 (Secondary Slave)
After we see those it will be simple to whip up the necessary registry hack to add DMA ("DmaCurrentlyUsed"=hex:01).
P.S. another thing to consider is that this burner may push this marginally powered system over the line into flaky performance, the Power Supply is likely underpowered and the disc writing operation could overload the 12v rail. I would definitely consider dumping the CDR and using the DVD by itself as Secondary Master (if we get it working that is).
  17. Ponch is exactly right about GParted. This is probably the most versatile software for modifying existing partitions from multiple File Systems. As stated, it is actually booted from its own media containing its own OS. It is very powerful. Alternatively, this is an opportunity to kill several birds with one stone. If you feel like upgrading to a newer/larger Hard Disk you can use the disc that comes with (or is downloaded) for a new HDD and temporarily slave the new one in the computer, boot with this disc, carefully follow the Cloning instructions and you will eventually get to some software dialogs that are similar to GParted allowing you to resize the partitions (grow/shrink/keep same) to use up all the space on the new larger HDD any way you choose. At the end of the procedure you will have ...
1) accomplished your goal of wiping those partitions
2) a newer, larger hard drive (and reset the MTBF counter)
3) a failsafe drop-in spare HDD (with your multiple OS's)
4) reset the guarantee (certain new drives like Seagate have 5-year warranty)
5) possibly improved performance (depending on the age of the existing HDD)
The reason I mention all this is that hard drives are cheap and fast and it is nice insurance to tuck the previous one away, just in case. For your purposes you would always have that perfectly bootable XP/Linux/Solaris HDD sitting around in case you needed to fire one of them up again for some reason.
P.S. On Seagate drives the software is called DiscWizard which is a lite version of Acronis TrueImage. Note: I do not work for Seagate! I just offer the same suggestions I would give to any customer that walks into my shop! Hope it helps.
  18. Dang, you owe me another monitor! ... CAT-LIKE TYPING DETECTED ... ROTFL!
  19. Unless I missed something it sounds as if you are still using a hard drive that has sector damage. If this is in fact true, you should stop trying to fix any broken apps and get out of the file system. The next thing I would do is get a new hard drive, mount it as slave, boot with a suitable cloning disc (Acronis, etc), clone the drive, pull the old one out, boot with the new one (should be 99% intact) and then fix broken apps and system files as they are encountered. Bad sectors are supposed to be handled at the HDD firmware level behind your back and are invisible to the file system. If they seem to be popping up in the file system, one of two things is likely: the firmware ran out of replacement spare sectors which means the drive for all practical purposes is useless or there was only a configuration error like a BIOS problem or maybe the Windows HDD Controller driver changed. The latter case is fixable albeit carefully. To be most thorough, I would pull the drive, mount it in a neutral computer (this eliminates your BIOS, case temperature, cables, etc as variables), boot with the hard disk manufacturer diagnostics disc and you will then positively know if the drive is failing. The SMART data may contain some clue (but it is less important than the mfg specific utility). Either way, fixing broken programs comes later.
  20. Yup, this is an exceedingly important tip. Never leave your File Manager (Explorer, PowerDesk, XYplorer, Total Commander, etc) as the visible active Window on an unattended computer. Never! Because if there are cats around, they will merrily trot onto the keyboard somehow avoiding every key except for ENTER and DELETE. If the focus was on a folder/directory ... you're in a world of hurt.
  21. How's this for almost foolproof security: get a 2nd computer.
Computer A ... Offline ... contains important stuff, spreadsheets, taxes, records, source code, family photos, etc. This computer requires no active antivirus running but should have the ability for manual on-demand scans, the definitions will need to be manually updated. Most importantly, this computer must have no wireless cards or ethernet cable attached and is not on a network. It does not touch the internet. The only points of entry for malware are the traditional avenues, USB, Floppy, CD/DVD etc. You manage those risks the same way I have been doing since around 1982 (don't leave media in during reboots, kill autoplay, manually scan all media before use). Offline boxes are very secure because only you yourself can get them infected. Note: this is the box that should have incremental backups kept offsite to insure against theft/fire/etc.
Computer B ... is the Online box and can be a laptop or anything. Of course it has whatever antivirus you prefer always running. This one should have a custom made Slipstream/Nlite disc or Image available for an easy OS reset when it gets clobbered (NOT System Restore!). Surf to your heart's content because you can easily revert to a known safe state, but taking common sense precautions will lengthen the uptime between virus attack resets.
Note: Files that get transferred to the offline box must be scanned along with the transportation media. Yeah, it's a little cumbersome, but it is time tested. This method makes sense if you have any data that you consider valuable. There is no good reason these days for important records to live on the same computer that is exposed to the internet.
I do agree with much of this, especially about ACLs and ADSs on NTFS. You only left out one thing: The good guys supposedly protecting the user (McAfee and Norton) to name two, often exploit ACLs in the name of security and create a tangled web of permissions that leave computers almost unusable to the point that programs and even service packs will not install. I stopped counting the number of times I have had to wipe out ACLs on consumer PC's. Alternate Data Streams are a huge risk as well. I'm not sure FAT32 is the answer though because of its structural limitations. Maybe the holy grail would be NTFS with both ACLs and ADSs somehow disabled. Don't know if it can be done since they have been in NTFS under the NT kernel for a long time now.
Yeah but that is not what it really means. It is more like Security Through Scarcity because MSIE page requests present such a target rich environment. The status of the source code for Opera/Mozilla/Firefox/Safari does not figure into the equation (because if it did, MSIE which is proprietary would be the most secure browser on the planet!). The other browsers also benefit from the 20-20 hindsight of like a decade of MSIE exploitation. This coming from a longtime Opera user.
  22. On my dual-core desktop, which I started to set up very carefully about a year ago, webcheck.dll under Win98SE is 259.344 bytes, v5.50.4522.1800, modification date 20-Oct-2000. The modification date looks Ok, it's from Internet Explorer v5.5 SP1. Since in general I try to stay away, under Win98SE, from US software created after Sept.11, 2001, a file with a modification date of 10-Oct-2003 raised a red flag with me.
That version of WebCheck.dll that you cite, particularly the filesize, doesn't appear in my personal list above (I guess I simply skipped MSIE v5.5 altogether and eventually went straight to 6). More importantly though, when you previously mentioned: "Webcheck.dll on my laptop has 258.048 bytes, is displayed as v6.00.2600.0000 - but with a file modification date of 10-Oct-2003, 2 years after the original download.", I would find the cabs and pull out the original file which should have the correct date/time and binary compare them. Hopefully the files are identical which might indicate something harmless happened (maybe some briefcase/synchronization program went awry). If they are not identical I'd see a red flag for some virus/spyware. Either way, I would search every inch of the laptop (the desktop too) for any files with that peculiar date/time (widen it to a few hours), the results may pinpoint a trail that you can then follow.
Yikes, I didn't notice that myself (because I tend to do such work offline). But I will certainly take any reports and add them to the data in that System Internals thread. Maybe someone with the time might endeavor to try all the available versions and test if their firewall catches anything and make a post about it in that discussion (I'll try to get the time to merge it into the other information). I am just guessing here, but hopefully there is just some basic boilerplate code packed into the post-Microsoft versions that would explain it. Still I don't like it one bit.
I searched my registry and this key doesn't exist on my system.
@BenoitRen: yup, I just checked registries for some retired Win95/96/97 machines that had MSIE from version 1 to 3.x. That key is not there and likely never was there. A good assumption would be that it arrives with MSIE version 4 or 5. This begs the question of what would happen if you created the key on a 95 system (where it previously did not exist) and placed something in there to see if it gets called. If nothing happens then logic would dictate that when MSIE version 4/5 is installed some core patching must take place (perhaps IO.SYS) that enables these new and wonderful startup locations to be used by Windows. Hmmm. As Artie Johnson would say: Verrrry Interestink ... .
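The two checks suggested in the reply above (look for every file carrying the peculiar modification time, and binary-compare the suspect DLL against the copy pulled from the original setup cabs) as an added example; this is not code from the thread or from any MSFN member. The directory tree, file names, contents and the `build_demo` helper are constructed stand-ins so the script runs offline; on a real box you would point `files_modified_near` at the Windows directory and `files_identical` at the file extracted from the distribution cab. A modification time is only a lead, since a file can be rewritten with its old timestamp preserved, so the byte-for-byte comparison against a reference copy is the actual verdict.

```python
"""Added example (not from the MSFN thread): find files whose modification
time sits near a suspect timestamp, and binary-compare a suspect file
against a pristine reference copy. All paths and file contents are
constructed for the demonstration."""
import hashlib
import os
import tempfile
from datetime import datetime
from pathlib import Path


def files_identical(a: str, b: str) -> bool:
    """Byte-for-byte comparison: cheap size check first, then SHA-256."""
    pa, pb = Path(a), Path(b)
    if pa.stat().st_size != pb.stat().st_size:
        return False
    return (hashlib.sha256(pa.read_bytes()).digest()
            == hashlib.sha256(pb.read_bytes()).digest())


def files_modified_near(root: str, when: datetime, hours: float = 3.0) -> list:
    """Return sorted paths under root whose mtime is within +/- hours of when
    (the 'widen it to a few hours' step from the reply)."""
    window = hours * 3600.0
    centre = when.timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if abs(os.stat(path).st_mtime - centre) <= window:
                hits.append(path)
    return sorted(hits)


def build_demo() -> tuple:
    """Constructed sandbox: a fake WINDOWS\\SYSTEM tree holding a suspect
    WEBCHECK.DLL stamped with the odd date from the thread (10-Oct-2003),
    an unrelated file with an older stamp, and a pristine copy 'extracted
    from the cab'. Returns (root, suspect_path, pristine_path, odd_date)."""
    root = tempfile.mkdtemp(prefix="win98_demo_")
    sysdir = Path(root) / "WINDOWS" / "SYSTEM"
    sysdir.mkdir(parents=True)
    cabdir = Path(root) / "extracted_from_cab"
    cabdir.mkdir()

    good = b"MZ" + b"\x00" * 100          # constructed stand-in for the real DLL bytes
    pristine = cabdir / "WEBCHECK.DLL"
    pristine.write_bytes(good)
    suspect = sysdir / "WEBCHECK.DLL"
    suspect.write_bytes(good + b"\x90")    # one extra byte: not identical
    other = sysdir / "SHELL32.DLL"
    other.write_bytes(b"MZ" + b"\x01" * 50)

    odd = datetime(2003, 10, 10, 12, 0)    # the peculiar date from the thread
    os.utime(suspect, (odd.timestamp(), odd.timestamp()))
    old = datetime(2001, 8, 17, 22, 34).timestamp()
    os.utime(other, (old, old))
    return root, str(suspect), str(pristine), odd


if __name__ == "__main__":
    root, suspect, pristine, odd = build_demo()
    print("files stamped near", odd, ":", files_modified_near(root, odd))
    print("suspect identical to pristine copy:", files_identical(suspect, pristine))
```

Running the script lists only the constructed WEBCHECK.DLL as stamped near the odd date and reports it as not identical to the pristine copy; on real data, an identical result would point at the benign explanations the reply mentions, while a mismatch is the case to chase further.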
  23. Webcheck.dll was also displayed by Autoruns on my laptop, which runs Internet Explorer v6.0.2600, downloaded on 20-Sep-2001 from MS and re-installed after a clean install of Win98SE on 10-Oct-2003. Webcheck.dll on my laptop has 258.048 bytes, is displayed as v6.00.2600.0000 - but with a file modification date of 10-Oct-2003, 2 years after the original download. Iexplore.exe is v6.00.2600.0000 but has the modification date 17-Aug-2001 and ie6setup.exe is digitally signed 20-Aug-2001 [i.e. before Sep.11, 2001]. IE probably called home during the installation on 10-Oct-2003, but why would webcheck.dll have a much later modification date than Iexplore.exe? BTW, are the excellent postings about webcheck.dll (of 2005) http://www.msfn.org/board/index.php?showtopic=46066&st=0 still Ok with today's new hardware?
Honestly, I never saw that thread before! (was before my time here). Amazingly, in Post #8, I see the great MDGx has a REG file that is almost identical to one I handmade many years ago. He even mentions the SENS components which I also yanked out by the roots! Consider this operation independently verified. Nice thread you found there. Bookmarking for later reading.
What I ended up doing was very extreme and very complicated. I essentially removed many of the core components like the previously mentioned WebCheck/Sens to other things like Power Management and parts of SysTray and WBEM/WinMgmt and EventLog/Event System and much more. The only downside I see is that a FlashDrive left in a USB port will prevent shutdown (no big deal). The speed gain and overall stability is substantial, and that was the whole point anyway.
About those file stamps, without looking at other archives (WinME/2K/XP etc) I find these versions of WebCheck.dll in my Win98se stash (MSIE never was used above version 6 of course) ...
WEBCHECK DLL ... 342,800 ... 09-18-97 ... 11:28a ... Webcheck.dll_47117123
WEBCHECK DLL ... 356,352 ... 05-11-98 ... 7:01p ... Webcheck.dll_47231100 (Win98)
WEBCHECK DLL ... 274,704 ... 02-24-99 ... 3:10p ... Webcheck.dll_5002014200 (Corel 10)
WEBCHECK DLL ... 274,704 ... 03-25-00 ... 12:11p ... Webcheck.dll_50023141000
WEBCHECK DLL ... 274,704 ... 04-23-99 ... 10:22p ... Webcheck.dll_50026143500 (Win98se)
WEBCHECK DLL ... 258,048 ... 08-17-01 ... 10:34p ... Webcheck.dll_60026000000 (MSIE6)
WEBCHECK DLL ... 258,048 ... 08-29-02 ... 7:07a ... Webcheck.dll_60028001106 (MSIE6sp1)
Maybe the file date/time/size will be of some comparative use to you. I see the default Win98se, then MSIE6 and SP1. I am pretty sure that it was between 2001 and 2002 that I physically stopped these features from running. If you are in need of more info, it is easy enough to extract the unaltered files from the original distros (e.g., MSIE offline setup cabs). I definitely have them somewhere.
IMPORTANT REMINDER for others that may be reading: cutting out these and other core components is not for the faint-hearted. Having spare good copies of System.dat and User.dat handy for quick replacement from DOS is vital and will rescue you from the inevitable system stop at bootup!
  24. The objects loaded by this key are DLLs loaded by explorer and will not show up on a process monitor as a separate process. The objects in this key are loaded only when explorer starts or restarts. Not all real time autostart monitors watch this key. If you're concerned about the potential malicious use of this key, a DOS batch file called from autoexec.bat can be your best ally. The batch file can either cover the entire registry or just specific keys with command line entries for regedit.
Indeed. The ShellServiceObjectDelayLoad is an old hook, one of many exploitable startup access points that appeared in the Win95 shell. Thankfully we have Autoruns to illustrate them. This particular entry point has always been used by Microsoft to load its controversial WebCheck.dll among other things (there was lots of discussion back in the day about whether it was necessary at all). You can see it is present in that screenshot above from Tihiy. This hook persists in WinXP as well. I decided long ago that all these autoloading registry locations are way too much exposure and I flushed them all to empty on Win9x with a REG file. But your mileage may vary because if I remember correctly, there were some other related details that required some attention also, namely the keys ending with WebCheck], SyncMgr], Scheduled_Updates], and possibly some more (perhaps Protected Storage and the Event System). Obviously the plugging of this autoloading hook is a double-edged sword however, since it would also preclude using this excellent network systray utility developed by Tihiy.
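The "export the key from a batch file and check it" idea in the post above, carried one step further as an added example (not code from the thread or from any MSFN member): the script parses a REGEDIT4-style export of the ShellServiceObjectDelayLoad key, the text format `regedit /e` writes on Win9x, and reports value entries that were added, removed or changed relative to a baseline export taken when the machine was known clean. Since these objects load inside Explorer rather than as their own process, a snapshot diff of the key is the practical way to notice a new entry. The two `.reg` texts and the CLSIDs in them are constructed for the demonstration; real value names and GUIDs will differ.

```python
"""Added example (not from the MSFN thread): diff two REGEDIT4 exports of
the ShellServiceObjectDelayLoad key. The .reg texts and GUIDs below are
constructed for the demonstration."""
import re

SSODL_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
             r"\ShellServiceObjectDelayLoad")

# Constructed baseline export, in the shape 'regedit /e baseline.reg <key>' writes.
BASELINE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{AAAAAAAA-0000-0000-0000-000000000001}"
"SysTray"="{AAAAAAAA-0000-0000-0000-000000000002}"
'''

# Constructed later export: one entry nobody remembers adding has appeared.
CURRENT_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{AAAAAAAA-0000-0000-0000-000000000001}"
"SysTray"="{AAAAAAAA-0000-0000-0000-000000000002}"
"Updater"="{AAAAAAAA-0000-0000-0000-000000000003}"
'''

# A REG_SZ line: "name"="data", with \" and \\ escapes inside either string.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo the .reg file escaping of quotes and backslashes."""
    return s.replace(r'\"', '"').replace('\\\\', '\\')


def parse_reg_values(reg_text: str, key: str = SSODL_KEY) -> dict:
    """Return {value_name: string_data} for the REG_SZ values under key.
    Key names are compared case-insensitively, as the registry does.
    (Read a real export with the ANSI code page regedit used to write it.)"""
    wanted = key.lower()
    current = None
    values = {}
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            continue
        if current != wanted:
            continue
        m = _VALUE_RE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def diff_autostart(baseline_text: str, current_text: str,
                   key: str = SSODL_KEY) -> tuple:
    """Compare two exports of key. Returns (added, removed, changed) where
    added/removed map name -> data and changed maps name -> (old, new)."""
    base = parse_reg_values(baseline_text, key)
    now = parse_reg_values(current_text, key)
    added = {n: d for n, d in now.items() if n not in base}
    removed = {n: d for n, d in base.items() if n not in now}
    changed = {n: (base[n], now[n]) for n in base if n in now and base[n] != now[n]}
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = diff_autostart(BASELINE_REG, CURRENT_REG)
    for name, data in added.items():
        print("NEW shell service object:", name, data)
    for name, data in removed.items():
        print("removed:", name, data)
    for name, (old, new) in changed.items():
        print("changed:", name, old, "->", new)
```

Used from the autoexec.bat batch file the post describes, the baseline would be exported once on the clean system, each boot would export the key again, and the script would flag the difference; a "changed" entry (same name, different CLSID) deserves the same attention as a new one.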
  25. Just inventoried all the versions I had and dropped them into this post.