Everything posted by CharlotteTheHarlot

  1. First, to give credit where credit is due. Everyone should take the time to see the magnificent effort at explaining MBR's by Daniel B. Sedory aka TheStarman. I am perfectly safe in saying that his is the most extensive examination of this subject anywhere. Microsoft and Wikipedia will likely use him for reference, I am not kidding at all. Daniel, we're not worthy!

    The table of contents is here: MBR and OS Boot Records (INDEX PAGE). In that list is the MBR we are presently concerned with: An Examination of the MBR (WIN9X).

    I just took a snapshot of a Seagate 120GB C: boot drive. Then I dropped the bytes into a formatted spreadsheet. It's too bad the forum software does not allow CSS-style background colors. Using foreground colors is limiting. Here are the main descriptions but do visit the linked website for expert level information.

    This is all 512 bytes of the Master Boot Sector (Absolute Sector 0) formatted into lines of 16 bytes ...

        33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C
        BF 1B 06 50 57 B9 E5 01 F3 A4 CB BE BE 07 B1 04
        38 2C 7C 09 75 15 83 C6 10 E2 F5 CD 18 8B 14 8B
        EE 83 C6 10 49 74 16 38 2C 74 F6 BE 10 07 4E AC ; this entire green area
        3C 00 74 FA BB 07 00 B4 0E CD 10 EB F2 89 46 25 ; is executable code
        96 8A 46 04 B4 06 3C 0E 74 11 B4 0B 3C 0C 74 05 ; except the 6 bytes in black
        3A C4 75 2B 40 C6 46 25 06 75 24 BB AA 55 50 B4
        41 CD 13 58 72 16 81 FB 55 AA 75 10 F6 C1 01 74
        0B 8A E0 88 56 24 C7 06 A1 06 EB 1E 88 66 04 BF
        0A 00 B8 01 02 8B DC 33 C9 83 FF 05 7F 03 8B 4E
        25 03 4E 02 CD 13 72 29 BE 46 07 81 3E FE 7D 55
        AA 74 5A 83 EF 05 7F DA 85 F6 75 83 BE 27 07 EB
        8A 98 91 52 99 03 46 08 13 56 0A E8 12 00 5A EB
        D5 4F 74 E4 33 C0 CD 13 EB B8 00 00 80 11 11 11 ; Drive/Timestamp Mystery Bytes
        56 33 F6 56 56 52 50 06 53 51 BE 10 00 56 8B F4 ; Important! see link!
        50 52 B8 00 42 8A 56 24 CD 13 5A 58 8D 64 10 72 ; Don't make exact copies of Win9x HDDs! (http://thestarman.pcministry.com/asm/mbr/mystery.htm#COPY)
        0A 40 75 01 42 80 C7 02 E2 F7 F8 5E C3 EB 74 49
        6E 76 61 6C 69 64 20 70 61 72 74 69 74 69 6F 6E
        20 74 61 62 6C 65 00 45 72 72 6F 72 20 6C 6F 61 ; this section contains error
        64 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73 ; message strings such as:
        79 73 74 65 6D 00 4D 69 73 73 69 6E 67 20 6F 70 ; 'Missing operating system'
        65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 8B FC 1E 57 8B F5 CB 00 00 00 00 00 00 ; MSWIN4.1 FDISK mark
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 78 01 78 01 00 80 01 ; NT Drive Serial Number
        01 00 0C FE 7F 00 3F 00 00 00 82 37 F9 0D 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; Partition Table
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ; signature ID Magic Number

    Now if you focus on the Partition Table, it is actually 4x16 byte arrays ...

        80 01 01 00 0C FE 7F 00 3F 00 00 00 82 37 F9 0D
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    Same data spread out linearly ...

        80 01 01 00 0C FE 7F 00 3F 00 00 00 82 37 F9 0D ; Entry-1
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; Entry-2
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; Entry-3
        00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; Entry-4

    This HDD has one partition, the other three entries are blank. Deciphering Entry-1 gives this information ...

        80 ............ Bootable? 80h = yes
        01 ............ Start Head: 1       ; these three establish CHS:0,1,1
        01 ............ Start Sector: 1     ; (absolute sector 63) as the 1st
        00 ............ Start Cylinder: 0   ; partition VBR beginning
        0C ............ Type 0Ch = WIN95 OSR2 FAT32, LBA-mapped
        FE ............ End Head: 254 dec
        7F ............ End Sector: 63 dec
        00 ............ End Cylinder: 256 dec
        3F 00 00 00 ... Relative Sectors (offset to partition): 0000003F = 63 dec
        82 37 F9 0D ... Total Sectors (in partition): 0DF93782 = 234,436,482 dec

    Now to try to answer that question. What is the dual-boot software mechanism (System Commander etc)? More importantly what is the structure of the HDD? How many partitions? Extended partitions? Is either Windows version on another disk? The example I showed above is a simple single partition and all of the critical structural data lies in front of the first FAT within the 95 sectors I mentioned previously. Saving everything is simple. However I think it is possible that certain multi-boot arrangements can leave some of the Partition Table or Volume Boot Record information scattered about. You will need to do some homework to understand the bootstrap steps for each OS you have. Don't worry though, you'll learn a lot.

    Now for saving the critical structural information, do both. Save the single MBR/MBS 512 first sector. And also save a copy of the 95 sector MBRPLUS for reference. I do this for all attached hard drives anyway (one reason explained in that link above is that the drive/timestamp/mystery bytes for all attached Win9x HDD's should be different from each other and may need to be hand edited). Definitely save that structural information BEFORE you ever run a fixboot, fixmbr, or any version of FDISK, System/Partition/Boot Magic/Commander/Manager, LILO/Grub, Ranish or any other low level application.

    EDIT: changed Starman to TheStarman. Corrected the links. See Post #31 for more links and information from Daniel.
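Added example (not part of the original post and not FindPart's code): a Python decoder for the partition table walked through in post 1, plus a check of which labelled regions differ between a saved sector and a later read. The sample sector is constructed from offsets 1B0h-1FFh of the dump with the boot code zeroed; the 255-head/63-sector geometry and the function and region names are assumptions.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE       # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE   # must hold 55 AA
# Assumption (not stated in the post): translated geometry, 255 heads x 63 sectors/track.
HEADS, SECTORS_PER_TRACK = 255, 63

# Offsets 1B0h-1FFh copied from the post's dump (constructed sample input).
PAGE_TAIL = bytes.fromhex(
    "00 00 00 00 00 00 00 00 00 78 01 78 01 00 80 01 "
    "01 00 0C FE 7F 00 3F 00 00 00 82 37 F9 0D 00 00 "
    + "00 " * 16 + "00 " * 16 + "00 " * 14 + "55 AA"
)

# Region names follow the labels used in the post; the boundaries are byte offsets.
REGIONS = [
    ("boot code and messages", 0x000, 0x0DA),
    ("drive/timestamp bytes", 0x0DA, 0x0E0),
    ("boot code and messages", 0x0E0, 0x1B8),
    ("NT drive serial number", 0x1B8, 0x1BC),
    ("bytes 1BCh-1BDh", 0x1BC, 0x1BE),
    ("partition table", 0x1BE, 0x1FE),
    ("signature", 0x1FE, 0x200),
]


def build_sample_sector():
    """Constructed 512-byte sector: zeroed boot code plus the post's last 80 bytes."""
    sector = bytearray(SECTOR_SIZE)
    sector[0x1B0:] = PAGE_TAIL
    return bytes(sector)


def decode_chs(raw3):
    """Unpack the 3-byte CHS field: head, then sector (low 6 bits), then cylinder."""
    head, sec_byte, cyl_byte = raw3
    cylinder = ((sec_byte & 0xC0) << 2) | cyl_byte  # top 2 bits of byte 2 extend it
    return cylinder, head, sec_byte & 0x3F


def chs_to_lba(cylinder, head, sector):
    return (cylinder * HEADS + head) * SECTORS_PER_TRACK + (sector - 1)


def parse_mbr(sector):
    """Return the non-empty partition entries of a saved Master Boot Sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    if sector[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 55 AA signature")
    entries = []
    for index in range(4):
        raw = sector[TABLE_OFFSET + 16 * index:TABLE_OFFSET + 16 * (index + 1)]
        if not any(raw):
            continue  # blank entry
        boot, chs_s, ptype, chs_e, lba_start, total = struct.unpack("<B3sB3sII", raw)
        start = decode_chs(chs_s)
        entries.append({
            "index": index + 1,
            "bootable": boot == 0x80,
            "boot_flag_valid": boot in (0x00, 0x80),
            "type": ptype,
            "chs_start": start,
            "chs_end": decode_chs(chs_e),
            "lba_start": lba_start,
            "total_sectors": total,
            # Sector numbers are 1-based; 0 would be a corrupt CHS field.
            "start_chs_matches_lba": start[2] > 0 and chs_to_lba(*start) == lba_start,
        })
    return entries


def changed_regions(saved, current):
    """Name the labelled regions that differ between two 512-byte sectors."""
    if len(saved) != SECTOR_SIZE or len(current) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    names = []
    for name, lo, hi in REGIONS:
        if saved[lo:hi] != current[lo:hi] and name not in names:
            names.append(name)
    return names


if __name__ == "__main__":
    for entry in parse_mbr(build_sample_sector()):
        print(entry)
```

With real data, read the saved `MBR.BIN` in binary mode and pass its 512 bytes to `parse_mbr`; `changed_regions` compares that saved copy with a fresh read of the same sector.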
  2. Fully agree with you here. The multi-cores appear to be a brick wall for Win9x. It's almost as if Intel is creating its own planned obsolescence with respect to the OS. Something about those 3.x GHz single core chips hitting a thermal limit or something. I still dream of a 4 GHz single core (take it in a heartbeat over dual 2 GHz) running Win9x. One thing I have not done is use Win9x under a VM under WinXP/Vista. CPU overheating issues aside, I wonder if the multi-core CPU is presented to the Win9x kernel as a single monolithic glob of GHz. Whetstone might be a decent measure of the really old hardware against the really new since it has been in use for quite a long time. Maybe others could chime in that have tested Win9x under these VM's. That 120+ GB HDD limit has obviously been broken by some rather clever members here. Personally I stay at or under 120 GB HDD's just to be safe. Like I said, the right tool for the job. Massive quantities of files or really gigantic ones belong on NTFS (if you care about the data). FAT32 tables can get so large from LFN's that the law of diminishing returns comes into play anyways as simple file operations become slow and FsInfoSector updates begin to fail, then you have a Scandisk that eats up all the time that was saved in the first place! Hmmmm, wasn't there supposed to be a FAT64 anyway? I'll stay away from the Vista debate (definitely wrong section of forum) but will say that I love WinXP Pro. In fact both Win9x and WinXP Pro will have to be pried from my cold dead fingers.
  3. Death before Symantec! Seriously, no Norton/Symantec AV within these four walls except for sick customer computers who wish they never bought it. The machines here that face the internet on broadband presently use McAfee on the theory of the lesser of many evils. But the best way to address the substance of your post is to state unequivocally that this machine: Win98se+, has no Antivirus running ever. It does not need it. I do keep an older McAfee 6 around with manual definition updates for scanning on demand, plus some other apps for verification. And to drive the point home, I do prowl around some websites that I shouldn't, and wouldn't using MSIE on WinXP or newer.

    My Win9x thesis (with me this really means Win98se+) relies on the whole point of Windows itself: its GUI. That is why it exists at all. From the standpoint of the enduser this is what matters: How they interact with all the hardware by way of mechanical input (keyboard/mouse/voice) and visual output (what windows paints on the screen). There can be little disagreement that in 2001 WinXP and its GUI put a real hurting on the pre-Northwood chips (does anyone remember starting explorer and aiming it at a CDROM and waiting for the filelist?). But when Win9x was run on the same machine everybody called it 'snappy' or 'smoking!'. That difference will always exist since each iteration of Windows piles on eye candy without ironing out previous bottlenecks. Microsoft chooses to let the hardware catch up to each release.

    So, from a GUI standpoint I choose to make my stand. The enduser is constantly interacting with menus and related GUI and autorun features. Doing the math, a second here and a second there adds up to real time. I should point out that I completely rule out startup/reboot/shutdown times as a basis for judging the usability of Win9x versus WinEverythingElse, if it takes 10 minutes to bootup to a bombproof desktop that's just fine with me. It's once we get to the desktop that we start to take note of wasted time. After all, time is the one commodity that cannot be replaced or upgraded. How much time have Microsoft and others cost us? Tons (someone please cue up Wasted Years!) Microsoft spends our time like it is free and we cannot get it back once it has been spent. None of us have enough of it or know how much we have left (possible Maiden lyric tagline: "As soon as you're born, you're dying").

    So having said all that, an example. Facing two desktops on identical hardware, one is Win9x and one is WinXP (need I say Vista?), and given a random job:

    {A} rip dozens of audio CD's into MP3's with editing and postprocessing plus ID3 customizing and push the lot of them into some MP3 USB device, test it and re-arrange them some more

    {B} build a website including editing hundreds of photos and debugging all the HTML, firing up lots of ancillary tools for reference and color matching, upload and testing

    {C} write a paper for a college class with lots of raw research, formatting, footnoting, proofreading, previewing, drafting, printing

    {D} develop a family genealogy slideshow, scan documents, distill tons of raw information from ZIP/RAR archives, emails, attachments, editing/processing multitudes of photos and songs

    {E} completely develop a Windows application from dev to compile, bouncing around from editors to output windows while juggling a multitude of online/offline references

    ... now, provided that the required software works on both platforms, which will get me there faster? Without question, I am going straight to the Win9x box because the thing that I physically interact with: the GUI, will be faster. If time is a determinant, the faster GUI wins. Yes, there are many jobs that are not in that list, and we are all very aware of the limitations of Win9x. I addressed that in another post: using the right tool for the job. And to further refine something else I said, 'if something takes more time to do in WinXP/Vista, I will do it on Win9x'.

    Honestly, nostalgia is definitely *not* involved. WinXP themes, msstyles, cursor shadows and Vista Aero are definite visual improvements and I would rather have them than not. But the GUI is slower. You mean I need to buy this big slow Rolls Royce just to get the hood ornament? (obvious Vista Aero metaphor but applicable here).

    Unfortunately for Win9x fans this is all an academic discussion. Those that fail to understand the concept of lean and mean as a time driven goal will of course get the last laugh as the community succumbs to Redmond, as hardware vendors get too lazy to write drivers for previous OS versions, as software authors get incentives to change to new compilers, as Microsoft rigs these compilers to fail and as they exert pressure to not even sell computers without Vista. In short, we're whistling past the graveyard as Microsoft funnels everyone into what-they-think is best for us, even if that thing is slower than the previous thing (and I am not even mentioning DRM style intrusions yet!).
  4. Firstly, I just noticed that FindPart PutSect fails to return the commandline options that FindPart GetSect does. You need to first do this: set findpart=edit. The presence of that environment string 'unlocks' the more dangerous features of FindPart. Having done that, here is the commandline usage for the PutSect component of FindPart:

        Putsect, version FP 4.91.
        Copyright Svend Olaf Mikkelsen, 2007.

        Usage: Findpart Putsect <disknumber> <cylinder> <head> <sector> <filename>
               <cylinders> <hash> [checkfile <checkfilename>] [force]

        Writes the content of the file <filename> to the sector.
        Returns 0 if the sector is written.
        The file must be 512 bytes long.
        <cylinders> is the number of cylinders on the disk.
        If the ascii value of byte no. n is called a(n), the hash value used is
        1 * a(1) + 2 * a(2) + ... + 512 * a(512).
        The result is written as an 8 digit hexadecimal number.
        The hash value of a 512 bytes file can be printed with the command:
        Findpart Putsect gethash <filename>
        If checkfile is used, hash can be entered as 00000000 and the current
        sector content must match <checkfilename>.
        If force is used, hash can be entered as 00000000.
        Special <filename> values: !zero for ascii 0 characters,
        !f6 for ascii 246, !ff for ascii 255.
        Other keywords: 'loop' puts infinite loop code in the first 2 bytes.
        'signature' puts hex 55, AA in the last 2 bytes.

    IMPORTANT CORRECTION!: this command appears to only support single sector insertion. My bad! That MBRPLUS.BIN containing 95 sectors (48,640 bytes) cannot, I repeat CANNOT be restored by this command. I will research this further but in order to place data onto your HDD, you must first save a single sector, in your case the Master Boot Sector (absolute sector 0 aka CHS 0,0,1) as previously noted:

        FindPart.exe GetSect 1 0 0 1 1 MBR.BIN noheader

    That gives you a 512 byte file called MBR.BIN that contains the Master Boot Sector (within that is the actual MBR and MPT Partition Tables). Once you have that file, and you set findpart=edit, the corresponding command to restore the same saved file back to the HDD is:

        FindPart.exe PutSect 1 0 0 1 MBR.BIN ??? 00000000 force

    That ??? will need to be filled in. It will be the number of cylinders on the HDD you are writing to. To find out how to determine this see Post #31 from TheStarman. Alternatively, see: Post #28 for another possibility for writing this data to the Hard Disk (by using SrcMbr from SRCTOOLS).

    NB: I believe it is possible for BIOS or Windows based AntiVirus Boot Sector protection to interfere with this operation. But let's not cross this bridge unless we have to.

    Cannie, remember to stash away that MBRPLUS.BIN for reference only. The new file MBR.BIN is what you will be using now. Sorry about any mixup! I need to wash my brain and then try to remember what utility I used to insert multiple saved sectors onto a HDD. It could have been another of Svend's tools, or maybe one from Terabyte. Possibly even Norton DiskEdit. Once I have this squared away I will start a thread specific to this subject.

    EDIT: I'll be back soon to answer the 2nd part of that question.

    EDIT: fixed the FindPart PutSect commandline per Daniel in Post #31.
  5. Just bumping the thread to see how it all turned out. How did it go neowillendit? or
  6. T.N.G.O.G.

    Does a wallpaper sized image of your Windows Flag exist anywhere?

    Looks pretty cool!

  7. Well, the main reason to run Win9x on modern hardware is because it flies on modern hardware. Seriously, the dual/quad CPU speeds, L2 caches, DDR2/DDR3 speeds, and HDD cache/speed improvements are really just beginning to let WinXP shine. The registry can be so huge that GUI features like context menus and start menu flyouts (and similar items tied to registry keys) cause a maddening wait for the enduser. Now add in a realtime antivirus that eats up 25-50% of your available 'power' and a not-so-new system can be slowed to a crawl. IMHO, WinXP started to be useful once CPU's hit the 3GHz mark with 1MB caches. Before that I would always say that 'only WinXP can make a modern computer as fast as Win3.x.' In other words, hurry up and wait. Essentially WinXP came out 3 years too early.

    But back to Win9x. If you can get it to run on newer hardware, it runs like a racehorse. Actually more like a rocket ship. If you click START, the menu is there. If you drag past submenu flyouts, they appear instantly. Even the plain old brute-force non-indexed FIND runs quickly. Hot-swapping a properly tweaked USB is embarrassingly fast compared to WinXP and Vista. Assuming that my peers have also killed all their autorun features like myself, we have no interminable waiting for optical discs. And as has already been beaten to death around here, the relatively few startup points are manageable so security is a snap. If you add in Opera/Firefox for browsing, Win9x is itself a de facto firewall. The presence of DOS is not a liability at all, this becomes clear on WinME/WinXP/Vista where an infection will require a non-Windows boot solution.

    Look at your computers like items in your toolbox. There is a time and place for hammers, screwdrivers and pliers. If you use Win9x for the wrong job it's your own fault. WinXP+NTFS versus Win9x+Fat32 are two different platforms that have strengths and weaknesses. If you want crashproof: use WinXP. If you want a very responsive GUI: use Win9x. Processing thousands of files: use WinXP. Require a lean and mean search on *all* files: use Win9x. Installing monstrous programs with gazillions of files and megabytes of registry entries: better use WinXP. Editing and compiling source code, doing Email, Website browsing, HTML editing, most games: why not use Win9x? If a given chore is likely to cause a crash/lockup I personally choose WinXP because it tends to confine the damage to that particular task, plus no cold reboot with a subsequent scandisk.

    Win9x+Fat32 is inherently limited by design: file size and file quantity limits, FAT size, RAM limits, registry maximums and resource bugs. If you understand these issues you will avoid suicidal tasks on Win9x. However, if something will actually take more time to accomplish on WinXP than on Win9x, and there are many, well, that would be equally stupid. I cannot tell you how many people have seen my faster Win9x boxes blazing when clicking around the GUI (you know, the part that user actually interacts with). Unanimously they are like: "wtf? why isn't my computer fast like that. I click and like, wait forever!". With proper (some might say drastic) tweaking, a WinXP box can be speeded up to get close to Win9x speed on identical hardware (kill indexing, use only one user, delete startmenu/new registry keys, etc). But it is still only close. This is because the quirky limitations of Win9x can also be its very advantage.
  8. Folks, I have been messing around with that first post in MSIE (version 6.0.2800.1106). I shortened up the longest lines that are in those CODEBOXes. Still looks like crap! I am on a Win9x box at the moment without MSIE7. Can anyone comment on the width using that version? One would think that this issue may have come across a computer screen up in Redmond sometime during the last 7-ish years! Unless the MSFN site software is customizable with respect to endusers using MSIE, perhaps with targeted style sheets via some creative scripting, well, I just don't see an easy solution. Maybe endusers themselves that use MSIE can use a custom stylesheet for this site (and others with the same forum host software). I see that Opera works flawlessly here. I hear that Mozilla does also. I would hate to use a content reducing solution (i.e., limit text width within a CODEBOX) so that a POS browser does not choke on visual output. I mean, it's not like this is a serious Acid Test. More suggestions please! I have more System Internals information to add to this thread but I would like to solve this issue somehow first.
  9. Fortunately in Win9x critical maintenance is easy to do. I usually run a compiled INNO exe that performs a complete data collection: CMOS dump, MBR/MBS/VBR and more, Registry export, Registry DATs, complete Filelist, and critical OS and log files. Winrar is nicely suited for most of this, CMOSSAVE, REGEDIT, and FINDPART are other useful tools.

    There are many ways to save/restore the Master Boot Sector (the first 512 bytes of disk 0 which contains the MBR). In my experience it is better to grab more than the first sector's 512 bytes, and since it takes no more time or effort why not just grab the first 95 sectors (absolute sectors 0 to 94). This is everything up to but NOT including the first FAT. The output is a mere 48,640 bytes and contains lots of important information needed to reconstruct a HDD. Sometimes I do grab at least one of the two FATs also.

    FINDPART is one of those great uber-hacker utilities and it is free. Last seen on this page (I highly recommend that technically skilled users download everything on those webpages). The FINDPART utility combines in one EXE many other tools, I quote the author:

        The Findpart Windows version includes the functionality of the utilities FindNTFS, GB32, Chsdir, Editpart, EditGUID, Findfat, Getsect, Putsect, Cyldir, Finddir, Findext2, Findbad, Pqrp, FindJPG, FindDoc, Readext2 and Readfat.

    Using the GetSect component of FindPart returns this information:

        Getsect, version FP 4.91.
        Copyright Svend Olaf Mikkelsen, 2007.

        Usage: Findpart Getsect <disknumber> <cylinder> <head> <sector>
               <no of sectors> [+]<filename> [noheader] [backwards] [bad00 | badf6]

        Writes the sectors to <filename>. Use +<filename> for append.
        Returns 0 if the sectors are read without errors.
        Option 'bad00' or 'badf6' writes ascii 0 or hex F6 for sectors
        that cannot be read.
        The output file can be viewed with the Windows 95/98
        'edit /64 <filename>' command.
        Disks are numbered from 1.

    For my example, this command saves the aforementioned 48,640 bytes:

        FindPart.exe GetSect 1 0 0 1 95 MBRPLUS.BIN noheader
                             | | | | |
                             | | | | +-----> total of 95 sectors
                             | | | +------> sector 1
                             | | +------> head 0
                             | +------> cylinder 0
                             +------> 1st disk (disk 0 aka C:)

    All the bytes contained in the first 95 sectors are saved into a file called MBRPLUS.BIN. Note that there is a corresponding PutSect component to add such saved data back into the HDD. The NOHEADER means that only data is written to the file lending itself to be restored back to a HDD.

    Of course the following will give you just the 512 byte MBS that you originally asked for:

        FindPart.exe GetSect 1 0 0 1 1 MBR.BIN noheader

    EDIT: please see post#24 for an update. In short, FindPart PutSect apparently can only restore a single sector to a HDD. To restore multiple saved sectors something else must be used.
  10. You may find it very useful to burn yourself a bootable CDROM containing the latest Seagate DiscWizard software which is a quite capable free version of Acronis TrueImage which only requires that one of the hard drives is a Seagate/Maxtor. No bootup floppies or FDISK/Format is necessary. No worries about locked files as you are cloning disks outside of the operating system itself. Fat32 or NTFS makes no difference. The clincher is that the CDROM will clone any Windows operating system (as of the last time I checked). The process is simple: grab a new HDD and clone the old one to the new one (C: to C:), remove the old one and place it on the shelf as an emergency backup. Place the new one in its place. IMHO this process lends itself to three frequently encountered scenarios: {1} backing up a HDD, {2} upgrading/replacing your HDD, {3} duplicating a HDD to safely work on a copy (e.g., virus infected or forensics exploration). There are more details of course: jumpers on PATA drives, and both drives need to be attached during the cloning. But they are easy to handle. I wrote about it in this thread. Be sure to read post #5 and post #9.
  11. Interesting. Maybe Webroot is exploiting ADS instead. If you are familiar with command line utilities there is a tool that is useful to security minded folks called LADS. It is capable of creating a filelist of every alternate data stream on an NTFS disk. The BioShock thing is actually a copy protection according to several contentious Slashdot and Digg articles. Sony never learns. But you mentioned Windows Password. Do you mean the HKLM\Security\Policy\Secrets\SAC and \SAI with embedded nulls? I just checked a couple of WinXP Pro machines and have no 'Windows Password' rootkits myself. Google turned up nothing obvious on 3 pages. Suspicious I'd say. Anyway, it's been a while since I saw SpySweeper in person, and I cannot even remember what version it was. I blasted it away with the partition it was crawling around on. I'll let Cluberti continue the fine work he is doing. I'd suggest you follow his advice and remove that shell extension DLL since that is likely to be SpySweeper's shoehorn into Explorer. VERY Likely candidate for crashes. Only suggestion is that after you remove the program, you should dump the registry to a file and text search for SSCtxMnu and see if any references remain. They will need to be killed as well. Oh, one other thing ... I believe this thread helps illustrate the irony of anti-spyware behaving as bad as spyware/viruses. Myself, like many others do NOT run active anti-spyware. Instead, periodically I manually run a freshly updated SpybotSD. To prevent realtime spyware exposure I use Opera for web access. IMHO, it's best to use MSIE only for Windows Updates and maybe those increasingly rare MSIE-only sites. However, if you are on broadband and do not have a hardware firewall, you *will* need some realtime anti-virus. And since most such security suites do include realtime anti-spyware, well, Webroot SpySweeper and its ilk becomes completely un-necessary.
  12. You are most likely beyond a few glitches and well into infection territory. There are a few ways to handle an infection.

    The usual way is in realtime (while working on the infected computer). This may or may not be successful depending on how many viruses are alive and spawning. I'll let someone else explain the steps of disabling startup apps, safe-mode, floppies, etc. You should definitely have a copy of Startup Control Panel standalone EXE handy.

    Another way is via UBCD and other special boot cdroms which is better since the virus is not actively running. You must first alter the BIOS so that the HDD is given later priority than the CDROM drive. One problem here is that the antivirus definitions are likely to be outdated relative to a very current infection.

    Finally, IMHO this way is the fastest: Yank that system drive and install it as a slave in a working computer which has the necessary tools: updated Antivirus (McAfee/AVG/etc) *and* anti-Spyware (SpybotSD/Adaware/etc). Manually scan the slave drive from this safe platform (change settings to ALL files not just program files and enable heuristics), delete the problem files, verify by scanning again until clean, and yank the drive and put it back the way it originally was (umm, be sure you do not execute any files on the slave disk while it is connected in the clean computer!). You're not done yet: on the original computer, you still have to scan one more time with both sets of tools in order to clean the registry and to remove all bad apps hooked into the Win9x startup points.

    Theoretically no virus should be able to survive this procedure provided the antivirus definitions are up to date. In practice it could be an undefined variant. In this case, put that particular HDD on ice for a couple of weeks and get later definitions for the antivirus and SpybotSD programs and repeat.

    BTW, this is not necessarily a problem in itself. It could just mean that either or both of these registry settings exist:

        [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
        "DesktopProcess"=dword:00000001

        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
        "DesktopProcess"=dword:00000001

    It simply forces each Explorer instance into a separate thread (which IMHO is a good thing). The root folder instance right after bootup is only a strange by-product. But, it is possible a virus might intentionally do this so that if one infected Explorer crashes or is killed by Process Explorer, it does not bring down any other infected instances which will then respawn a new thread. So, the way I see it, on an uninfected Win9x computer these settings can add stability, but on an infected one they can help to preserve certain nasty viruses. Just change those DWORDs to all zeroes to prevent this behaviour.

    EDIT: fixed that "alter the BIOS so that the HDD is given later priority". It said "disable HDD". Doh! Too many beers.
  13. Thanks for that. This is very interesting as Daniel Werner seems to have released multiple builds with the same version info. I have found four different builds of this file (one is same as your link). Here is what I have (I believe the file date/time stamps have been accurately preserved) ...

        FileName      Size    Date      Time   MD5 Hash                          File CRC
        REGCOM~1.EXE  73,728  10-15-00  04:36  d6c48ea6219abd82c127cf38994e0ed7  98738FC3
        REGCOM~2.EXE  73,728  10-18-00  00:39  328012d5badf9833ad645d7ca9b08b37  2E4D7E33  <- galahs link
        REGCOM~3.EXE  73,728  10-28-00  17:16  f5e3fbb6209a0ed15e82be0f2b1847f7  00B40B76
        REGCOM~4.EXE  73,728  12-01-00  20:33  5749eb12f8c4f4fa3f2489e62a0c1531  036EE115

    They all have the following identical information in common ...

        pe.compiler      MS Visual C/C++ 5.0, 6.0
        FixedFileInfo    file type: Application
        FileDescription  RegCompact
        FileVersion      1.0
        InternalName     RegCompact
        LegalCopyright   Copyright c 2000 Daniel Werner

    ... but enormous differences in structure. I have to assume for now that the December 2000 file is the latest. Anyway, I'll let you know if I turn up anything newer for Win9x.

    EDIT: ... verion = version and some other tweaks
  14. This will fail under certain circumstances. The built-in registry tools have multiple limitations. RAM memory size, registry size and registry complexity are the main barriers. Any or all of the three can cause the standard Windows tools to fail. This is why there are dedicated 3rd party tools that are successful even on very large registries. The way the specialized tools work is to read the entire registry into memory while under Windows, write it back out contiguously to $temp files (in effect defragging it) and then prompt a reboot so that the temp files may be copied over the previous registry via WININIT. Unless your system is butting up against these barriers then it is a matter of personal taste only. Speaking for myself, the RegCompact program is easy because {A} it is a simple 2-click solution, and {B} it has never failed even on really large registries with lots of REGEDIT illegal keys that will never work under real DOS reconstruction. Also subjectively speaking, SCANREG will remove anything in a registry that it does not want. Some applications plant flags in a registry when they are 'registered'. If altered or removed a program can then stop working or for example revert to shareware again. Also, when SCANREG is run automatically on startup, it will often simply replace the current 'defective' registry with one archived in the CAB files. This is completely unacceptable behavior IMHO. But again, if your Win9x install is new and the registry is small and your memory is large, you should be ok under all circumstances. It does pay to save copies of the DATs now and then anyway.
  15. As I bow to the superior XP debugging skills of cluberti I cannot add anything of substance to this thread, but I can say this: WebRoot SpySweeper is IMHO the only example of software worse than modern Symantec/Norton crap. McAfee Suites come in a distant 3rd. I have only had one client PC that drove me so mad that I gave up and went to a clean XP install out of frustration. That installation had Spy Sweeper actively running, blocking setups, killing USB devices and most Microsoft fixes. It defeated all attempts to reclaim ownership of registry keys and folders. It behaved like the worst virus imaginable, with stealth techniques that I could not completely understand. I cannot remember if I tried System Internals RootkitRevealer or not, but I would be very interested in the results if you would run it before you uninstall the beast! BTW, Good luck with Uninstall, as the Add/Remove entry was not working on mine. Nor was the Uninstall EXE file. Please write back with any interesting details if possible!
  16. Guys, let me know if you need me to edit anything else in that post. They were and still are CODEBOX (not CODE) tags. I believe any horizontal problem involving the entire post would be related to that last part which was using a fixed-width Courier font outside of any CODEBOX (the green and red on the MSFN blue). It just looked cooler that way and also preserved the characters lining up vertically. I could just throw that into a CODEBOX which automatically provides the fixed-width font. EDIT: done! I noted one other difference too: *outside* of a CODEBOX multiple spaces are truncated to one, hence you see creative use of periods to pad the filetimes which do not have leading zeros/digits and filesize differences. Using Opera 9.51 here. Looks as designed. The only horizontal scrollbars that Opera shows are for those long lines *within* the CODEBOXs. I am afraid to fire up MSIE to check! Anyway, please let me know what you think is the best way. There is no sense in letting the top post bust the thread for those folks using inferior browsers. EDIT: ... ok, it has been fixed (I hope). Remember to F5 Refresh or delete the cache. Let me know if all is good now. I wanted to fix that fast before someone quoted the whole thing and propagated the error! P.S. has anyone else noticed a difference in Opera 9.5x vs 9.2x cache behavior? Seems I am getting more stale pages all of a sudden within a thread, and, 'read' topics that look like 'unread' topics on each forum's main page.
  17. Hello Advanced User ... Just wondering if you have a non-EXE solution (ZIP/RAR/7Z)? Alternatively, are they possibly INNO setups (which are easily extracted manually) or perhaps you inserted a: "/SWITCH" of some kind to manually extract? I hate to run EXE setups when I know exactly where to put the files myself. EDIT: ... dude, your English is great. Much much better than my Russian. Speaking of which, I cannot figure out how to download from those pages! Can you explain?
  18. Personal favorite under Win9x is RegCompact by Daniel Werner. The version I have is v1.0 (I believe) and is freeware. The URL has gone dead and I just searched for a link to no avail. It is a very good program though. Later versions for XP are based on .NET and are easily found as RegCompact PRO or RegCompact.NET as shareware. If anyone knows of a current link please post it. I would like to see if he released anything later for Win9x.
  19. I am not sure but didn't Microsoft have the Pinball (Space Cadet) from the Win95 Plus! CD-ROM available for free on their website? Could it have been the 98 version? I seem to remember one of them becoming available some years after Win98 came out. I never downloaded it since I had the Plus! pack but you may want to start your search there. Hopefully somebody will correct me if I am wrong! I remember EPIC had a pretty good DOS based Pinball. It should be simple to find and may even have become public domain in the past 15 years or so. Worth searching for as well. All in all this is a good question. The better pinball games (and pool/billiards) have not been free, especially before DirectX became popular. I imagine those reactive precise angles must have been a bear to write without the benefit of a widely installed, friendly video/gaming API.
  20. BACKGROUND INFORMATION: Mark Russinovich and Bryce Cogswell from System Internals (SysInternals, Winternals, NTInternals) have been producing infinitely useful freeware administrative utilities for the Windows NT and 9x platforms for many years. THANK YOU guys for all that you have done (and continue to do for XP/Vista/7). During the summer of 2006 the company was assimilated by Microsoft and as many of us feared, the Win9x family of utilities is dwindling. This thread will attempt to audit the entire suite of utilities, their status on the Win9x platform and whatever can be done to restore compatibility. This topic is meant as a tiny supplement to the awesome work in Last-Versions-of-Software- for-Windows-98 by galahs (help yourself to any of this info galahs) and countless other MSFN members.

IMPORTANT! To ensure that this thread remains open I ask that you review the EULA for the free System Internals utilities and please do not violate the MSFN forum rules. Anyway, as the System Internals / Microsoft EULA reads now, there seems to be no legal way to 'reverse engineer' them at all so that would probably make patching them a questionable affair. Perhaps contacting Mark himself would be of some use, if only to get an official blessing or even his direct input. Mark, you are cordially invited to chime in here at any time! Also, considering that System Internals does not maintain any archives of previously released versions (well I cannot find them), the mods will need to decide if linking to them is ok.

UPDATE: please see important info from forum moderator below at post #27. In summary, we can discuss the patching of these utilities but NO DISTRIBUTING of files is allowed, patched or unpatched.

NOTES: For the purposes of this discussion Win9x means Win98se, and testing is done on v4.10.2222 *without* the highly regarded KernelEx installed (some limited testing done on WinME also, but does anyone really care? Just kidding!). Members might also want to report their specific experiences using the utilities on Win95 to enhance our general knowledge base.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

AUDIT UPDATE: 2013-10-29 (previous was 2013-01-18). Long story short: TWO utilities arrived DOA for Win9x
- Utilities ADDED=1
- Utilities SUBTRACTED=0
- Utilities UPDATED=17

This post now reflects the Suite dated October 25, 2013. The ZIP distribution now contains 72 executable Windows binaries ...

--- FILENAME ----------- SIZE -------- DATE ------ TIME --- VERSION
Accesschk.exe ......... 328,384 ... 2013-05-15 ... 23:46 ... 5.11 (UPDATED)
Accessenum.exe ........ 174,968 ... 2006-11-01 ... 14:06 ... 1.32
Adexplorer.exe ........ 479,832 ... 2012-11-14 ... 10:22 ... 1.44
Adinsight.exe ....... 1,049,640 ... 2007-11-20 ... 13:25 ... 1.01
Adrestore.exe ......... 150,328 ... 2006-11-01 ... 14:05 ... 1.1
Autologon.exe ......... 148,856 ... 2011-02-22 ... 15:18 ... 3.01
Autoruns.exe .......... 661,184 ... 2013-07-31 ... 13:08 .. 11.70 (UPDATED)
Autorunsc.exe ......... 579,264 ... 2013-07-31 ... 13:08 .. 11.70 (UPDATED)
Bginfo.exe ............ 847,040 ... 2013-07-31 ... 13:08 ... 4.20 (UPDATED)
Cacheset.exe .......... 154,424 ... 2006-11-01 ... 14:06 ... ?.?
Clockres.exe .......... 151,936 ... 2009-06-03 ... 22:36 ... 2.0
Contig.exe ............ 207,960 ... 2012-11-14 ... 10:22 ... 1.70
Coreinfo.exe ........ 1,479,256 ... 2012-11-14 ... 10:22 ... 3.20
Ctrl2cap.exe .......... 150,328 ... 2006-11-01 ... 14:05 ... ?.?
Dbgview.exe ........... 468,056 ... 2012-12-03 ... 10:10 ... 4.81
Desktops.exe .......... 116,824 ... 2012-10-17 ... 18:28 ... 2.00
Disk2vhd.exe ........ 1,767,104 ... 2013-07-31 ... 13:08 ... 1.64 (UPDATED)
Diskext.exe ............ 87,424 ... 2007-05-14 ... 08:42 ... 1.1
Diskmon.exe ........... 224,056 ... 2006-11-01 ... 14:06 ... 2.01
Diskview.exe .......... 580,984 ... 2010-03-24 ... 14:00 ... 2.40
Du.exe ................ 223,424 ... 2013-03-24 ... 23:24 ... 1.50 (UPDATED)
Efsdump.exe ........... 146,232 ... 2006-11-01 ... 14:05 ... 1.02
Findlinks.exe ......... 103,216 ... 2011-07-07 ... 13:28 ... 1.00
Handle.exe ............ 462,936 ... 2013-01-22 ... 23:12 ... 3.51 (UPDATED)
Hex2dec.exe ........... 150,328 ... 2006-11-01 ... 14:05 ... ?.?
Junction.exe .......... 150,392 ... 2010-09-07 ... 15:39 ... 1.06
Ldmdump.exe ........... 154,424 ... 2006-11-01 ... 14:06 ... 1.03
Listdlls.exe .......... 520,496 ... 2011-07-07 ... 13:28 ... 3.1
Livekd.exe ............ 539,736 ... 2012-10-17 ... 18:28 ... 5.30
Loadord.exe ........... 154,424 ... 2006-11-01 ... 14:06 ... ?.?
Logonsessions.exe ..... 261,496 ... 2010-04-30 ... 11:43 ... 1.21
Movefile.exe .......... 130,160 ... 2013-01-22 ... 23:12 ... 1.01 (UPDATED) Win9x D.O.A.
Ntfsinfo.exe .......... 122,680 ... 2006-11-01 ... 14:05 ... 1.01
Pagedfrg.exe .......... 215,928 ... 2006-11-01 ... 14:06 ... 2.32
Pendmoves.exe ......... 130,648 ... 2013-02-04 ... 22:46 ... 1.20 (UPDATED) Win9x D.O.A.
Pipelist.exe .......... 150,328 ... 2006-11-01 ... 14:05 ... 1.01
Portmon.exe ........... 451,392 ... 2012-01-13 ... 17:35 ... 3.03
Procdump.exe .......... 478,400 ... 2013-05-15 ... 23:46 ... 6.00 (UPDATED)
Procexp.exe ......... 2,799,296 ... 2013-07-31 ... 13:08 .. 15.40 (UPDATED)
Procmon.exe ......... 2,489,024 ... 2013-05-31 ... 15:54 ... 3.05 (UPDATED)
Psexec.exe ............ 387,776 ... 2013-10-22 ... 08:59 ... 2.00 (UPDATED)
Psfile.exe ............ 105,264 ... 2006-12-04 ... 17:53 ... 1.02
Psgetsid.exe .......... 333,176 ... 2010-04-27 ... 11:04 ... 1.44
Psinfo.exe ............ 390,520 ... 2010-04-27 ... 11:04 ... 1.77
Pskill.exe ............ 468,592 ... 2012-06-21 ... 23:34 ... 1.15
Pslist.exe ............ 232,232 ... 2012-03-22 ... 15:53 ... 1.30
Psloggedon.exe ........ 183,160 ... 2010-04-27 ... 11:04 ... 1.34
Psloglist.exe ......... 178,040 ... 2010-04-27 ... 11:04 ... 2.71
Pspasswd.exe .......... 171,608 ... 2012-10-17 ... 18:28 ... 1.23
Psping.exe ............ 167,048 ... 2012-10-02 ... 14:03 ... 1.00
Psservice.exe ......... 169,848 ... 2010-04-27 ... 11:04 ... 2.24
Psshutdown.exe ........ 207,664 ... 2006-12-04 ... 17:53 ... 2.52
Pssuspend.exe ......... 187,184 ... 2006-12-04 ... 17:53 ... 1.06
Rammap.exe ............ 560,832 ... 2013-10-25 ... 13:28 ... 1.31 (UPDATED)
Regdelnull.exe ........ 162,616 ... 2006-11-01 ... 14:06 ... 1.10
Regjump.exe ........... 150,328 ... 2006-11-01 ... 14:05 ... 1.01
Rootkitrevealer.exe ... 334,720 ... 2006-11-01 ... 14:07 ... 1.70
Ru.exe ................ 150,720 ... 2013-03-24 ... 23:24 ... 1.00 (NEWLY ADDED 2013-March)
Sdelete.exe ........... 155,736 ... 2013-01-09 ... 14:26 ... 1.61
Shareenum.exe ......... 260,976 ... 2006-11-01 ... 14:07 ... 1.6
Shellrunas.exe ........ 103,464 ... 2008-02-27 ... 18:51 ... 1.01
Sigcheck.exe .......... 293,056 ... 2013-10-22 ... 08:59 ... 2.00 (UPDATED)
Streams.exe ............ 87,424 ... 2007-04-27 ... 10:17 ... 1.56
Strings.exe ............ 90,304 ... 2013-06-18 ... 15:12 ... 2.52 (UPDATED)
Sync.exe .............. 150,328 ... 2006-11-01 ... 14:05 ... 2.2
Tcpvcon.exe ........... 199,544 ... 2010-07-28 ... 15:47 ... 3.01
Tcpview.exe ........... 300,832 ... 2011-07-25 ... 12:40 ... 3.05
Vmmap.exe ........... 1,056,392 ... 2012-09-10 ... 09:16 ... 3.11
Volumeid.exe .......... 154,424 ... 2006-11-01 ... 14:05 ... 2.01
Whois.exe ............. 144,984 ... 2012-10-17 ... 18:28 ... 1.11
Winobj.exe ............ 729,464 ... 2011-02-14 ... 12:37 ... 2.22
Zoomit.exe ............ 596,160 ... 2013-06-18 ... 15:12 ... 4.50 (UPDATED)

NOTE: The following utilities no longer appear in the SysInternals Suite ZIP distribution ...

Diskmnt.exe ........... 191,288 ... 2006-11-01 ... 14:06 ... 1.1 ............ (removed circa 2009-Jun)
Reghide.exe ........... 146,232 ... 2006-11-01 ... 14:05 ... ?.? ............ (removed circa 2009-Jun)
Physmem.exe ........... 150,328 ... 2006-11-01 ... 14:05 ... 1.0 ............ (removed circa 2009-Jul)
Filemon.exe ........... 748,344 ... 2006-11-06 ... 12:55 ... 7.04 ........... (removed circa 2009-Sep)
Regmon.exe ............ 707,384 ... 2006-11-01 ... 14:07 ... 7.04 ........... (removed circa 2009-Sep)
Newsid.exe ............ 228,152 ... 2006-11-01 ... 14:06 ... 4.10 ........... (removed circa 2009-Nov)
Procfeatures.exe ...... 150,328 ... 2006-11-01 ... 14:05 ... 1.1 ............ (removed circa 2011-Sep)
Pdh.dll ............... 155,960 ... 2012-03-22 ... 13:24 ... 5.00.2195.1600 . (removed circa 2012-Mar)
Zoomit64.exe .......... 294,520 ... 2012-07-17 ... 23:59 ... 4.31 ........... (added circa 2012-Oct, removed 2012-Dec)

Of those, a total of 50 are clearly not meant for Win9x (e.g., NTFS, ADS, ACL etc.) or simply have never worked. Just for the record, here are the usual results when running them under Win9x ...

- FILENAME ---------------- RESULT -------------------------------------------------
Accesschk.exe ......... Error Starting Program: The ACCESSCHK.EXE file expects a newer version of Windows. Upgrade your Windows version.
Accessenum.exe ........ Error Starting Program: The ACCESSENUM.EXE file is linked to missing export NETAPI32.DLL:NetUserGetLocalGroups.
Adexplorer.exe ........ Error Starting Program: The ADEXPLORER.EXE file expects a newer version of Windows. Upgrade your Windows version.
Adinsight.exe ......... Error Starting Program: The PSAPI.DLL file is linked to missing export NTDLL.DLL:_stricmp.
Adrestore.exe ......... Error Starting Program: The ACTIVEDS.DLL file is linked to missing export NTDLL.DLL:RtlInitUnicodeString.
Autologon.exe ......... Error Starting Program: The AUTOLOGON.EXE file is linked to missing export ADVAPI32.DLL:LsaOpenPolicy.
Cacheset.exe .......... Cacheset: Not running on Windows NT
Contig.exe ............ Error Starting Program: The CONTIG.EXE file expects a newer version of Windows. Upgrade your Windows version.
Coreinfo.exe .......... Error Starting Program: The COREINFO.EXE file expects a newer version of Windows. Upgrade your Windows version.
Ctrl2cap.exe .......... Error Starting Program: The CTRL2CAP.EXE file is linked to missing export ADVAPI32.DLL:CheckTokenMembership.
Desktops.exe .......... Error Starting Program: The DESKTOPS.EXE file expects a newer version of Windows. Upgrade your Windows version.
Disk2vhd.exe .......... Error Starting Program: The DISK2VHD.EXE file expects a newer version of Windows. Upgrade your Windows version.
Diskext.exe ........... CONSOLE MESSAGE: DiskExt requires Win2K or higher.
Diskmon.exe ........... Diskmon: This version of Diskmon requires Windows 2000 or higher.
Diskview.exe .......... Error Starting Program: The DISKVIEW.EXE file expects a newer version of Windows. Upgrade your Windows version.
Efsdump.exe ........... Error Starting Program: The EFSDUMP.EXE file is linked to missing export ADVAPI32.DLL:QueryUsersOnEncryptedFile.
Findlinks.exe ......... Error Starting Program: The FINDLINKS.EXE file expects a newer version of Windows. Upgrade your Windows version.
Junction.exe .......... *** CMD EXECUTES OK (but not useful for Win9x)
Ldmdump.exe ........... *** CMD EXECUTES OK (but not useful for Win9x)
Livekd.exe ............ Error Starting Program: The LIVEKD.EXE file expects a newer version of Windows. Upgrade your Windows version.
Loadord.exe ........... EMPTY WINDOW or: LOADORD CAUSED AN INVALID PAGE FAULT IN MODULE LOADORD.EXE AT 017F:00401311.
Logonsessions.exe ..... Error Starting Program: The LOGONSESSIONS.EXE file expects a newer version of Windows. Upgrade your Windows version.
Ntfsinfo.exe .......... *** CMD EXECUTES OK (but not useful for Win9x)
Pagedfrg.exe .......... Pagefile Defragger: Not running on Windows NT/2K.
Pipelist.exe .......... CONSOLE MESSAGE: Could not find NtQueryDirectoryFile entry point in NTDLL.DLL.
Procdump.exe .......... Error Starting Program: The PROCDUMP.EXE file expects a newer version of Windows. Upgrade your Windows version.
Procmon.exe ........... Error Starting Program: The PROCMON.EXE file expects a newer version of Windows. Upgrade your Windows version. CONSOLE MESSAGE: A device attached to the system is not functioning.
Psexec.exe ............ Error Starting Program: The PSEXEC.EXE file expects a newer version of Windows. Upgrade your Windows version.
Psfile.exe ............ Error Starting Program: The PSFILE.EXE file is linked to missing export NETAPI32.DLL:NetFileGetInfo.
Psgetsid.exe .......... Error Starting Program: The PSGETSID.EXE file is linked to missing export NETAPI32.DLL:NetApiBufferFree.
Psinfo.exe ............ Error Starting Program: The PSINFO.EXE file is linked to missing export NETAPI32.DLL:NetServerEnum.
Pskill.exe ............ Error Starting Program: The PSKILL.EXE file expects a newer version of Windows. Upgrade your Windows version.
Pslist.exe ............ CONSOLE MESSAGE: pslist requires Windows NT/2000/XP/2003.
Psloggedon.exe ........ Error Starting Program: The PSLOGGEDON.EXE file is linked to missing export NETAPI32.DLL:NetApiBufferFree.
Psloglist.exe ......... Error Starting Program: The PSLOGLIST.EXE file is linked to missing export NETAPI32.DLL:NetApiBufferFree.
Pspasswd.exe .......... Error Starting Program: The PSPASSWD.EXE file is linked to missing export NETAPI32.DLL:NetApiBufferFree.
Psping.exe ............ Error Starting Program: The PSPING.EXE file expects a newer version of Windows. Upgrade your Windows version.
Psservice.exe ......... Error Starting Program: The PSSERVICE.EXE file is linked to missing export NETAPI32.DLL:NetServerEnum.
Psshutdown.exe ........ Error Starting Program: The PSSHUTDOWN.EXE file is linked to missing export NETAPI32.DLL:NetApiBufferFree.
Pssuspend.exe ......... CONSOLE MESSAGE: PsSuspend requires Windows NT/2000/XP/2003.
Rammap.exe ............ Error Starting Program: The RAMMAP.EXE file expects a newer version of Windows. Upgrade your Windows version.
Regdelnull.exe ........ REGDELNULL caused an invalid page fault in module REGDELNULL.EXE at 017f:00402656.
Rootkitrevealer.exe ... (nothing)
Ru.exe ................ Error Starting Program: The RU.EXE file expects a newer version of Windows. Upgrade your Windows version.
Shareenum.exe ......... Error Starting Program: The SHAREENUM.EXE file is linked to missing export NETAPI32.DLL:NetGetDCName.
Shellrunas.exe ........ Error Starting Program: A required .DLL file, CREDUI.DLL was not found.
Sigcheck.exe .......... Error Starting Program: The SIGCHECK.EXE file expects a newer version of Windows. Upgrade your Windows version.
Streams.exe ........... *** CMD EXECUTES OK (but not useful for Win9x)
Vmmap.exe ............. Error Starting Program: The VMMAP.EXE file expects a newer version of Windows. Upgrade your Windows version.
Winobj.exe ............ WinObj: Could not locate required functions in NTDLL.DLL. This version of Windows NT may be incompatible with WinObj.

NOTE: The following non-Win9x utilities no longer appear in the SysInternals Suite ZIP distribution ...

Diskmnt.exe ........... Diskmon: Not running on Windows NT 4. Get Diskmon for Windows 2000 amd higher from SysInternals.
Newsid.exe ............ (nothing)
Physmem.exe ........... CONSOLE MESSAGE: Unable to locate NTDLL entry points.
Reghide.exe ........... (nothing)

Of the remaining 22 Win9x traditionally compatible utilities, 4 still work ok, but a total of 18 of these have become deceased ...

- FILENAME ---------------- RESULT -------------------------------------------------
Autoruns.exe ....... Error Starting Program: The AUTORUNS.EXE file expects a newer version of Windows. Upgrade your Windows version.
Autorunsc.exe ...... Error Starting Program: The AUTORUNSC.EXE file expects a newer version of Windows. Upgrade your Windows version.
Bginfo.exe ......... Error Starting Program: The BGINFO.EXE file expects a newer version of Windows. Upgrade your Windows version. CONSOLE MESSAGE: A device attached to the system is not functioning.
Clockres.exe ....... Error Starting Program: The CLOCKRES.EXE file expects a newer version of Windows. Upgrade your Windows version.
Dbgview.exe ........ Error Starting Program: The DBGVIEW.EXE file expects a newer version of Windows. Upgrade your Windows version.
Du.exe ............. Error Starting Program: The DU.EXE file expects a newer version of Windows. Upgrade your Windows version.
Handle.exe ......... Error Starting Program: The HANDLE.EXE file expects a newer version of Windows. Upgrade your Windows version.
Hex2dec.exe ........ ok (DOS Prompt)
Listdlls.exe ....... Error Starting Program: The LISTDLLS.EXE file expects a newer version of Windows. Upgrade your Windows version.
Movefile.exe ....... Error Starting Program: The MOVEFILE.EXE file expects a newer version of Windows. Upgrade your Windows version. *** Latest Casualty ***
Pendmoves.exe ...... Error Starting Program: The PENDMOVES.EXE file expects a newer version of Windows. Upgrade your Windows version. *** Latest Casualty ***
Portmon.exe ........ Error Starting Program: The PORTMON.EXE file expects a newer version of Windows. Upgrade your Windows version.
Procexp.exe ........ Error Starting Program: The PROCEXP.EXE file expects a newer version of Windows. Upgrade your Windows version.
Regjump.exe ........ ok (DOS Prompt)
Sdelete.exe ........ Error Starting Program: The SDELETE.EXE file expects a newer version of Windows. Upgrade your Windows version.
Strings.exe ........ Error Starting Program: The STRINGS.EXE file expects a newer version of Windows. Upgrade your Windows version.
Sync.exe ........... ok (DOS Prompt)
Tcpvcon.exe ........ Error Starting Program: The TCPVCON.EXE file expects a newer version of Windows. Upgrade your Windows version.
Tcpview.exe ........ Error Starting Program: The TCPVIEW.EXE file expects a newer version of Windows. Upgrade your Windows version.
Volumeid.exe ....... ok (DOS Prompt)
Whois.exe .......... Error Starting Program: The WHOIS.EXE file expects a newer version of Windows. Upgrade your Windows version.
Zoomit.exe ......... Error Starting Program: The ZOOMIT.EXE file expects a newer version of Windows. Upgrade your Windows version. CONSOLE MESSAGE: A device attached to the system is not functioning.

NOTE: The following Win9x utilities no longer appear in the Suite ZIP distribution ...

Filemon.exe ........ ok (Windows)
Regmon.exe ......... ok (Windows)
Procfeatures.exe ... ok (DOS Prompt) (removed circa 2012-Mar)

So I dug into my own archives and tested each deceased version's predecessor until I successfully found older versions that run. This list is subject to change in the event that I am missing a release! Until I hear otherwise, I believe these are the last versions running on Win9x ...

Autoruns.exe .... 9.13 ..... 603,176 ... 2008-02-25 ... 12:44 ... ok (Windows)
Autorunsc.exe ... 9.13 ..... 513,064 ... 2008-02-25 ... 12:44 ... ok (DOS Prompt)
Bginfo.exe ...... 4.07 ..... 741,421 ... 2004-09-22 ... 15:46 ... ok (Windows)
Clockres.exe .... ?.?? ..... 150,328 ... 2006-11-01 ... 14:05 ... ok (DOS Prompt) ***
Dbgview.exe ..... 4.74 ..... 480,296 ... 2007-11-26 ... 13:21 ... ok (Windows)
Du.exe .......... 1.0 ....... 53,248 ... 2005-02-07 ... 16:43 ... ok (DOS Prompt)
Handle.exe ...... 3.30 ..... 373,800 ... 2007-10-11 ... 11:26 ... ok (DOS Prompt)
Listdlls.exe .... 2.25 ..... 170,808 ... 2006-11-01 ... 14:06 ... ok (DOS Prompt)
Movefile.exe .... 1.0 ...... 146,232 ... 2006-11-01 ... 13:05 ... ok (DOS Prompt)
Pendmoves.exe ... 1.1 ...... 150,328 ... 2006-11-01 ... 13:05 ... ok (DOS Prompt)
Portmon.exe ..... 3.02 ..... 363,320 ... 2006-11-01 ... 14:07 ... ok (Windows)
Procexp.exe .... 11.11 ... 3,654,696 ... 2008-02-27 ... 13:05 ... ok (Windows)
Sdelete.exe ..... 1.51 ..... 166,712 ... 2006-11-01 ... 14:06 ... ok (DOS Prompt)
Strings.exe ..... 2.40 ...... 91,520 ... 2007-04-24 ... 11:38 ... ok (DOS Prompt)
Tcpvcon.exe ..... 2.52 ..... 132,136 ... 2008-01-03 ... 11:40 ... ok (DOS Prompt)
Tcpview.exe ..... 2.53 ..... 148,520 ... 2008-01-09 ... 16:38 ... ok (Windows)
Whois.exe ....... 1.01 ..... 158,520 ... 2006-11-01 ... 14.06 ... ok (DOS Prompt)
Zoomit.exe ...... 1.80 ..... 148,520 ... 2008-03-07 ... 10:11 ... ok (Windows)

*** This file has no discernible version, use the date of 2006-11-01 to identify it. Note that the current non-Win9x release of the file does contain a version of 2.0.

BTW, you may have noticed that several of them went belly-up a few years ago ( e.g., BGINFO ), but most seem directly related to the very recent Microsoft Visual Studio 2008 compiler bugs. I expect more of these utilities to stop working as Mark recompiles with VS2008. My testing shows this common denominator:

versions: linker 9.0, OS 5.0, file: 0.0, subsystem: 4.0

Also note that although the version 7.x releases of FILEMON and REGMON do run on Win9x, I am aware of some stability issues and minor GUI errors ( toolbar buttons and SAVE AS function ) so, IMHO the 6.x versions are actually more stable. Regardless, I do in fact use the 7.04 versions on Win9x systems successfully.

It should be noted that one of the newer utilities: RAMMAP.EXE requires Vista or higher. This means that both Win9x and WinXP are now victims of Microsoft's latest compilers. If this is the case, we can expect many new apps from here on out to fail as well. ADDED: PSPING.EXE also requires Vista or higher.

Formatting Adjustment: I finally completed switching the FileLists over to the more sensible YYYY-MM-DD date plus 24-hour time format. Previously files were displayed as MM-DD-YY with 12-hour AM/PM in the traditional Win9x COMMAND.COM directory output seen on a typical Win9x computer with the default time format set in the SysTray.

Well, that's all for now, more to come later. Please inform me of any errors, typographic or otherwise.

EDIT: 2009-04-15 ... this post now reflects the SysInternals Suite dated : 2009-04-08.
EDIT: 2009-08-28 ... this post now reflects the SysInternals Suite dated : 2009-08-26.
EDIT: 2009-12-20 ... this post now reflects the SysInternals Suite dated : 2009-12-01.
EDIT: 2010-04-17 ... this post now reflects the SysInternals Suite dated : 2010-04-15.
EDIT: 2010-08-23 ... this post now reflects the SysInternals Suite dated : 2010-08-02.
EDIT: 2011-02-14 ... this post now reflects the SysInternals Suite dated : 2011-02-01.
EDIT: 2011-05-05 ... this post now reflects the SysInternals Suite dated : 2011-05-03.
EDIT: 2011-10-13 ... this post now reflects the SysInternals Suite dated : 2011-09-20.
EDIT: 2012-05-07 ... this post now reflects the SysInternals Suite dated : 2012-04-16.
EDIT: 2012-08-06 ... this post now reflects the SysInternals Suite dated : 2012-08-03.
EDIT: 2013-01-18 ... this post now reflects the SysInternals Suite dated : 2013-01-11.
EDIT: 2013-10-29 ... this post now reflects the SysInternals Suite dated : 2013-10-25.
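
The four version fields quoted in the post above (linker, OS, file/image, subsystem) sit at fixed offsets in a PE file's optional header, so a whole folder of binaries can be triaged without running them. The following Python is an added example, not the poster's code or a Sysinternals tool: the function names and sample headers are constructed for illustration, and the "failing profile" is the post's own observation rather than a documented loader rule.

```python
import struct


class NotPE(ValueError):
    """Raised when the bytes do not contain a readable PE optional header."""


# The combination the post reports as common to builds that stopped running
# on Win9x. This is the poster's observation, used here only as a filter.
REPORTED_FAILING_PROFILE = {
    "linker": (9, 0), "os": (5, 0), "image": (0, 0), "subsystem": (4, 0),
}


def pe_versions(data):
    """Return the linker/os/image/subsystem versions from a PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise NotPE("missing MZ DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) + COFF file header (20 bytes) must fit.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    # The version words end at offset 52 of the optional header.
    if opt_size < 52 or opt + 52 > len(data):
        raise NotPE("optional header truncated")
    magic, link_major, link_minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise NotPE("unknown optional header magic 0x%04X" % magic)
    # Offsets 40..51 are identical in PE32 and PE32+.
    (os_major, os_minor, img_major, img_minor,
     sub_major, sub_minor) = struct.unpack_from("<6H", data, opt + 40)
    return {
        "linker": (link_major, link_minor),
        "os": (os_major, os_minor),
        "image": (img_major, img_minor),
        "subsystem": (sub_major, sub_minor),
    }


def matches_reported_profile(versions):
    """True when all four fields equal the combination quoted in the post."""
    return all(versions[k] == v for k, v in REPORTED_FAILING_PROFILE.items())


def build_sample_pe(linker, os_ver, image, subsystem):
    """Construct a minimal PE32 header (sample data, not a runnable EXE)."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24 + 224)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 4, 0x014C)   # Machine: i386
    struct.pack_into("<H", buf, e_lfanew + 20, 224)     # SizeOfOptionalHeader
    opt = e_lfanew + 24
    struct.pack_into("<HBB", buf, opt, 0x10B, *linker)
    struct.pack_into("<6H", buf, opt + 40, *os_ver, *image, *subsystem)
    return bytes(buf)


def audit(files):
    """Map each name to a short verdict; `files` is {name: bytes}."""
    report = {}
    for name, blob in files.items():
        try:
            versions = pe_versions(blob)
        except NotPE as exc:
            report[name] = "not a PE image (%s)" % exc
            continue
        report[name] = ("matches reported profile"
                        if matches_reported_profile(versions)
                        else "differs from reported profile")
    return report


# Constructed samples: the first uses the values quoted in the post, the
# second uses made-up older-toolchain values, the third is not a PE at all.
SAMPLES = {
    "new_build.exe": build_sample_pe((9, 0), (5, 0), (0, 0), (4, 0)),
    "old_build.exe": build_sample_pe((7, 10), (4, 0), (0, 0), (4, 0)),
    "readme.txt": b"plain text, no MZ header",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(name, "->", verdict)
```

To use it on real files, pass `{path: open(path, "rb").read()}` to `audit`; only the first few hundred bytes of each file are examined.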
  21. IMHO, one should never download the same packages more than once unless the goal is to test the stability of Microsoft's download servers, your ISP's reliability and your home's power supply! One electrical hiccup, brownout/blackout or Cable/DSL Network reset in the middle of a large update is not my idea of fun! Instead, just download this once. That is the complete ISO version of the SP3 update. Within that is a file named: WINDOWSXP-KB936929-SP3-X86-ENU.EXE. Place it on a CD or Flashdrive and copy it to the desktop of the computer you need to update. Now, read what comes next BEFORE you run that update file: What is really important is whether the computer has some realtime antivirus product running. You say you closed all running programs including AV and Firewall software, I find this to be unlikely concerning modern Norton/McAfee style security suites. They can have almost a dozen processes loading from different points and often lock files and registry keys which can cause serious SP3 update problems. My advice is to reboot from MSCONFIG by selecting the Diagnostic Startup and clicking OK. Then execute the above mentioned update file from the desktop. When complete, in MSCONFIG this time select Normal Startup and click OK. Even this could fail because in a nutshell, some antivirus programs are now inserting themselves as core services which means a diagnostic startup might not be 'clean' anymore. In this event you should do those steps under SAFE MODE from the F8 menu. More information can be found in that above mentioned thread as well as links to a discussion at Microsoft about this very real problem. I cannot prove this, but I suspect even SAFE MODE is not 100% safe from McAfee/Norton in their recent releases. 
Of course this could be avoided if McAfee/Norton provided a password-protected easy-off mechanism for a clean boot with *none* of their stuff running for these very situations of updating Windows, or playing a game or whatever activity that does not need or want some program scanning every open file and further restricting registry access!
  22. (1) As jcarle said, make sure that is MSIE. If there is a way to use another browser it would be news to me.

(2) Some people need to check Services to see that BITS ("Background Intelligent Transfer Service") is running.

(3) You may as well re-add all the known sites to Internet Options | Security | Trusted Sites ...

http://*.windowsupdate.microsoft.com
http://download.windowsupdate.com
http://update.microsoft.com
http://windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://download.windowsupdate.com
https://update.microsoft.com
https://windowsupdate.microsoft.com

You will need to uncheck that box that mentions: require HTTPS verification before you can even add those first 4 addresses.

NOTE: I have recently seen examples where all these manually added trusted websites were in fact deleted (gone!) after the computer owner installed an internet security suite from McAfee. I suspect Norton/Symantec is equally stupid.
  23. @takeos, thanks for that information. I was just trying to understand these various strategies to restoring backwards compatibility to apps that have no valid reason for failing to execute under Win9x. Both you and steelbytes are clearly on the good guys team, standing against these unnecessary winds of change. Price sounds reasonable to me and I wish you much success. Speaking only for myself, I have yet to get Visual Studio 2008 but have almost everything prior, and will likely not use anything beyond VS6 personally because of all the time spent tweaking the libraries, options, editors and tools. Should that change I will no doubt grab your add-in. Fully agree. This is certifiable planned obsolescence. I hope you are an MSDN member and figure out a way to publicize within the community. I find that the coders there, even Microsoft employees have much more sense than the suits who are making these stupid decisions. I also hope that you can get Mark at System Internals to at least consider trying it. We can certainly survive on Win9x with older versions of AutoRuns (the startup areas are well-known), but Process Explorer is a definite loss. IMHO, he should compile that one for both platforms. It might help if other interested Win9x users would Contact Mark Russinovich with their suggestions. Oh, you may want to look at a very important sticky thread here Last Versions of Software for Windows 98SE, + Current Software Still Supported. You might view this as a potential goldmine of clients, well at least those that use Visual Studio. Maybe even the FireFox problem might be of interest to you. To avoid hijacking this thread further, I'll eventually start a new one here that completely inventories the various System Internal utilities that still work in Win9x and those that have been recently euthanized by Visual Studio 2008. That would be a good place to chronicle any successes with steelbytes patcher against the compiled files.
  24. Won't somebody please think of the PIRATES?!!?!!?! I am in total agreement with our friendly ADMIN on this point. I just hope the pirates are in fact stupid enough to keep their bootleg WinXP Pro machines facing the internet with Automatic Updates enabled. Let me beat this (newly updated) dead horse while carefully staying within MSFN rules... What I am really finding intrusive is that all the legal WinXP Pro machines I own and maintain (quite a few at obscene retail hologram prices to guarantee the luxury of being allowed to use the Automatic Updates) are targeted by MS with this latest WGA modification. "What was the advantage to buying Pro instead of Home for more than two bills again?" says the ticked-off customer. I do not claim to know the magic answer for Redmond to safeguard their intellectual property, I can only state what I am personally feeling once again, invaded. Kind of like an imaginary traffic stop where the police roadblock every car and make each and every one produce their Insurance and Registration papers because they know there are a few that are stolen or expired. Using the word 'invaded' is intentional, as I see this as comparable to the Sony rootkit fiasco which was almost universally despised. One difference between them is that Sony merely disabled further duplication of *their* CD's whereas this Microsoft 'experience enhancement' contains more harmful abilities. Ascii2 posted a link to the Microsoft WGA page that really says it all. Speaking for myself as one who has rooted for and defended Microsoft for years (even with the MSIE DoJ nonsense), it was clearly a mistake on my part as this piece of propaganda riddled with marketdroid terms like 'experience' makes me ill. It is a sugar coated enema. 
What worries me is that I will now get some calls from clients with their LEGAL retail Pro machines now under reduced functionality because some virus or javascript toggled some registry bit or easily deleted some OEMBIOS or DBL file or they triggered WPA by screwing with the NIC or some other hardware. I hope it does not happen because such calls would be difficult to impossible to bill to the clients as have been all the calls to sort out previous Activation bugaboos. Truthfully, here in August 2008, I do not have 100% confidence that the dozens of recently SP3 updated machines I support will pass the next WGA change unscathed. I can say this from experience of having many machines over the years become unactivated for no apparent reason (maybe a PCI card, maybe sp2, maybe a rollback). They are all 100% working *today* however, and all tested through Automatic/Manual Updates and MSKB WGA downloads. But, if you consider the recent serious SP3 registry boondoggle, one might be inclined to expect the worst from Redmond when it involves WinXP. P.S. I hope I kept this within forum rules, that was my intent. And, sorry about the rant, not a good day for me as both of my favorite Operating Systems: WinXP Pro and Win9x are under deliberate attack, not by Viruses or Hackers or Y2k or Communists, but by the publishers themselves!
  25. If you don't mind slightly rephrasing the thread title to Games not requiring directx updates... well, you might consider OpenGL based games which work surprisingly well on under-powered Win9x systems. The two that come immediately to mind are Quake III Arena and Unreal Tournament. They are thoroughly debugged and have a slew of mods and add-ins that will keep a newbie gamer busy for months or more likely, years. I maintain installations of both titles on my Win9x units and even to this day stumble upon mods, maps, skins, bots and levels that I never used before. Quake III Arena includes the official mod 'Team Arena' and it's simple to download many other free mods like Western Quake, Urban Terror, Jailbreak, Navy Seals, World of Padman, Hunt, etc. These create a practically infinite selection of games and levels. Unreal Tournament has almost as many mods, certainly as many maps, but also some more realistic skins and bots. All in all these two games are extremely reliable on older systems even using the built-in chipset video graphics. If you decide to go this route, one suggestion: install these games completely to the Hard Drive and apply the necessary 'tricks' so that you never need to insert the CD-ROMs again. This is the secret to keeping these games fast and smooth, *no* further CD-ROM access. I have not looked recently but I imagine you can buy the gold versions (complete CD-ROM retail versions plus documentation) for a good price nowadays. You can also look for 'used' at places like Amazon.