Getting Started On Vista – Performance Promise and Criticisms

October 5th, 2007

What can be said about the security and performance of Microsoft Vista?  Here are some of the Vista performance items that Microsoft lists on their site.

New to Vista (mostly new) is the Microsoft Diagnostic Infrastructure.  There are a set of instrumentation tools that make it easier for the Vista user to manage performance.  This includes being able to diagnose issues related to the system or applications starting up slowly and network-related delays.  Here are the diagnostics and tools.

Resource Exhaustion: This is a warning mechanism that displays a message when your resources are low and there is a potential data loss.  It points out which processes are using up the most resources, assists you to reclaim the resources, and then logs the event.

Memory Diagnostics: This tool works with the Microsoft Online Crash Analysis service – a service where you can upload error reports to Microsoft in the event of a crash that can be due to memory issues.  There is guided support and a queue to schedule a memory test once you have started your computer again.

Disk Diagnostics: This built-in diagnostic tool detects disk failures that are about to occur and then guides you through a process of backing up and recovering your data before it is lost.  The step-through process is one of backing up data, replacing the disk, and then restoring the data.

Network Diagnostics: This tool will identify the most hindering network connectivity issues and then it begins an automatic correction process.  Using graphs you can get a network diagnostic visual to assist in pinpointing the cause and to determine a solution.

There are many other features that are listed as well including:

  • Self-tuning and diagnostics
  • Startup, sleep, and shutdown performance
  • Quick app startup
  • New memory management technology (Windows SuperFetch)
  • Low priority I/O process management for multi-tasking
  • Scheduled disk defragmentation
  • Windows HotStart for improved access to DVD’s and music (especially useful for mobile PCs)
  • Windows ReadyBoost, which uses USB flash drives and other USB storage devices as a high-speed memory cache

While there are many new features and performance tools offered there are many that have criticized Vista for a variety of faults and deficiencies.  For example, there are those that say the extras that are offered are not actually needed by the majority of users.  Backwards compatibility for third-party applications continues to be an Achilles heel for Microsoft.  There are also vulnerability issues and there could be more hacks as a result of User Account Control (UAC) design flaws.

Regardless of new entry points and attacks, malware authors will likely only need to tweak their code to continue their assault using prior hacking apps and tools.  An article by Computerworld referenced David Milman, CEO of Rescuecom Corp. (a computer support chain), as saying that Vista users are frustrated.  The recommendation is to wait until after the release of Service Pack 1, which is slated to be released in the first quarter of 2008.

So this concludes a brief blog entry into the realm of Vista performance and security offerings and criticisms.  Any real-life accounts of Vista are always welcome.

Is the “Virtual Sky” Falling?

August 31st, 2007

As this is my first blog entry I felt I had to write on something close to home. As a technical writer I have been writing pieces for online articles related to computer performance and security issues. I am three quarters of the way through an article about malware (“malicious software”) and it is taking far longer than I expected. I have tried to condense it as much as possible. It begins with a definition, lists the various types of malware, and briefly covers the transition from virus to malware. Recently, I did a first pass on a section related to attack vectors and security vulnerabilities and I am about to write on botnets and rootkits. As I work on this I am overwhelmed by just how much information is available on these subjects.

Last weekend I switched off my computer for the day and enjoyed an amazing day of bike riding and an incredible swim at a local lake. While warming in the sun and with the continuous reflection of light bouncing off the water, I attempted to explain to my new friend the work I was doing and the subject matter of my writing. Not only was it a challenge to bring this virtual existence into the refreshing day we were experiencing, but it was also difficult in another way. In the back of my mind, as I was talking, and even during the times I write, I can’t help but think… “Am I portraying a certain kind of message?” Am I saying in some way: “The virtual sky is falling… the virtual sky is falling”?

According to the available documentation malware and cyber crime is a serious issue and there is sufficient reason to be concerned. And yet, I don’t want to be an alarmist. How bad can it be? Most people that face this would be getting a few web cookies and popup ads. By some accounts, there will be those that will have their computers controlled by remote hackers (also known as “black hats” or “crackers”). Is this real and is there more to this?

Two days ago, the whole thing strikes close to home for me. A good friend of mine tells me that she has had some funds - a thousand dollars - taken from a bank account. The account is shared between her and her husband. When dealing with her bank, the rep assured her that this happens all the time and it was likely an error related to misdirected funds and they were investigating it. Soon after this someone from the bank tells her that it could be from malware or a virus and she should check her computer. She is using a Macintosh and I find this interesting because from what I know, malware is not typically targeted at Macintosh computers. I try and help from my end by attempting to find some free online scanning utilities. Finding an online scanning tool for the Macintosh wasn’t leading to much success. She resolves to check with the computer wholesalers, and the bank, the next day.

The next day, the Mac distributor that she speaks to says that there hasn’t been a virus on a Mac in 10 or 11 years. A contradiction from what I hear. The people I work with tell me that Macs are just as vulnerable but they are just not targeted as much because they have less of a market share. This was something I was fully aware of but I was glad to have confirmed it. My friend tells me in our next conversation that she had received an online correspondence a few days back which appeared to be from her bank. The email had seemed to look legit and it described a warning about an expiration which linked her to a web page where she had to submit her account credentials. Right away I knew what this was… a Phishing scam.

By using “hoax” or “spoof” emails these scammers appear legitimate. In some schemes, like this one, there is an urgent message, a web link is displayed, and the user is taken to a “spoofed” web page. The aim of the scam is to get a password, or PIN information, debit or credit card numbers, or social security numbers, or bank account information. Once you enter the credentials they can record the information and use it for other purpose such as transferring funds.

From what I know… it takes close examination of the email and the spoofed web page to detect that it is in fact a scam. The email message that my friend received stated that she must act immediately.

Here’s my little blurb… if in doubt about an email such as this, take some time to confirm it person-to-person or by phone with the financial institution. If you see a web page that looks like it could be a fake, examine the URL address to see if it is exact or if there are misspellings. Some of these tricksters mimic the web address by using two letter v’s (“vv”) instead of the letter w (“w”). You can also check to see if the address can be altered. If the site address is: “http://www.mybank.org/actow.html” you can try and truncate the URL so that you are taken to the home page: “http://www.mybank.org”. To read more about email spoofing, see: http://www.cert.org/tech_tips/email_spoofing.html.
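The link checks described above, written out as an added example (not part of the original entry): pull the host out of a link, undo the “vv” for “w” trick, compare the result with the bank’s real host, and build the home-page URL you would get by truncating the path. The bank host and the sample links are constructed for illustration.

```python
"""Inspect a link from a suspicious email the way the entry above suggests.

Added example, not part of the original post.  'www.mybank.org' is a
constructed stand-in for the bank's real host name.
"""
from urllib.parse import urlsplit, urlunsplit


def inspect_link(url: str, expected_host: str) -> dict:
    """Compare the host in `url` with the host you know is right.

    Returns a small report:
      host           - the host the browser would actually connect to
      home_url       - the URL truncated to the site's home page
      uses_vv_trick  - the host contains 'vv' standing in for 'w'
      lookalike      - after undoing the 'vv' trick the host equals the
                       expected one, i.e. a deliberate imitation
      host_matches   - the host is exactly the expected host
      differing_labels - DNS labels that differ from the expected host,
                         which is where a misspelling shows up
    """
    expected = expected_host.lower()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Two v's side by side render much like a w in many fonts.
    normalized = host.replace("vv", "w")
    # Truncating the path takes you to the home page of whatever host
    # the link really points at, which is the check the entry suggests.
    home_url = urlunsplit((parts.scheme, parts.netloc, "", "", ""))
    got, want = host.split("."), expected.split(".")
    differing = [
        (g, w) for g, w in zip(got, want) if g != w
    ] + [(g, "") for g in got[len(want):]] + [("", w) for w in want[len(got):]]
    return {
        "host": host,
        "home_url": home_url,
        "uses_vv_trick": normalized != host,
        "lookalike": normalized == expected and host != expected,
        "host_matches": host == expected,
        "differing_labels": differing,
    }


def is_suspicious(url: str, expected_host: str) -> bool:
    """True unless the link's host is exactly the host you expect."""
    return not inspect_link(url, expected_host)["host_matches"]


if __name__ == "__main__":
    # Constructed sample links: the genuine one from the entry, the
    # 'vv' imitation, and a host that merely ends in the bank's name.
    for link in (
        "http://www.mybank.org/actow.html",
        "http://vvvvvv.mybank.org/actow.html",
        "http://www.mybank.org.example.net/actow.html",
    ):
        print(link, "->", inspect_link(link, "www.mybank.org"))
```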

One point of clarification has to do with PC’s and Macs. I usually slam Microsoft in my articles and here is an opportunity to balance the scales. Nothing against Macs but according to my online research, the first virus “in the wild” was spread via an Apple II floppy disc in 1981. There were viruses since then and up until the turn of the century. In May of 2001 there was the introduction of the first AppleScript worm. This virus uses Entourage or Outlook Express on Mac computers to spread emails to address book entries. All things considered, Macs are safer to use. However, as can be seen, no one is safe from the exploits of cyber crime and from the annoyance of viruses and security breaches.

When I research and study the reports available online I can’t help but write about this subject with a particular tone as this is important to me. I don’t know the full ramifications of it but it is a growing concern as we become more and more comfortable with our virtual conveniences. We rely on technology to be secure and to protect us from cyber nasties and we underestimate the potential of what is in fact a pandemic. I do not want to portray some message about disaster being imminent. It is a clear indication of our reliance on computer technology.

For many people who experience malware first-hand and take on their own private battle by trying to remove these items and regain control of their system, this is more than a casual annoyance. As for other mass attacks and what the fallout will be… much of the outcome depends on how organized this threat is and how well users and solution providers are able to rally against it. There is the equivalent of an online “Neighborhood Watch”. You can check it out at: http://stopbadware.org/home/about.

There were very few people that were affected by the first virus that struck in 1981. It did include a little rhyme:

It will get on all your disks
It will infiltrate your chips
Yes it’s Cloner!
It will stick to you like glue
It will modify ram too
Send in the Cloner!

The cyber threats we face today have a greater impact and strike closer to home. They target and have an impact on our real world lives.

Fixing Windows Explorer Problems Part 2

July 15th, 2007

Windows Explorer is the executable that serves as the interface to the Windows operating system and as such it has its share of problems. This is the second article in a series that will deal with various Windows Explorer related issues.

Windows Says You Must Re-Install

After starting your computer in Windows 98 or Me, you may see a blank desktop and get an error message like this:

Error loading EXPLORER.EXE. You must reinstall Windows.
Explorer.exe [program_name]

where [program_name] is the name of a program.

After receiving the error your computer may hang or restart. You may also see this behavior in Safe Mode. This happens when Windows Explorer is set to run a program automatically on startup which is missing or damaged. Sometimes this can be a virus or Trojan horse. To fix the problem, you will need to edit the System.ini file and remove the program. You should also scan your computer with anti-virus and anti-spyware software. Follow these steps to repair Windows:

  1. Use a startup disk to boot to a command prompt. If you don’t have a startup disk you will have to get one made on another computer. If no one you know is running Windows 98 or Me, you can visit www.bootdisk.com to make a boot disk on another computer.
  2. Type C: and press ENTER at the command prompt.
  3. Change to the Windows directory by typing CD \Windows and pressing ENTER.
  4. Type Edit System.ini and press ENTER to edit the System.ini file.
  5. Using the arrow keys, find the line starting with shell=Explorer.exe, in the [boot] section of the System.ini file.
  6. Insert a semicolon in front of the text, so the line looks as follows:

    ;shell=Explorer.exe [program_name]

  7. Using the arrow keys, move to the end of the line and press Enter to insert a new blank line.
  8. Type Shell=Explorer.exe on the new line. The file should now read as follows:

    ;shell=Explorer.exe [program_name]
    Shell=Explorer.exe

  9. Save the file by pressing ALT+F, then S.
  10. Exit by pressing ALT+F, then X.
  11. Remove the startup disk and restart.
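The same repair applied to the file contents programmatically, as an added example that is not part of the original post: the first function reports whether the shell= line in [boot] launches anything beyond Explorer.exe, and the second performs steps 5 through 8 (comment out the offending line and add a clean Shell=Explorer.exe below it). It also handles the more general case where shell= names some other program entirely, which the post does not discuss. The sample System.ini text and program path are constructed.

```python
"""Detect and repair a hijacked shell= line in a Windows 9x/Me System.ini.

Added example, not from the original post.  SAMPLE_SYSTEM_INI and the
program path in it are constructed for illustration.
"""
import re
from typing import Optional

# shell=<program> with anything that follows captured separately.
_SHELL_RE = re.compile(
    r"^\s*shell\s*=\s*(?P<value>(?P<shell>\S+)(?P<extra>.*))$", re.IGNORECASE
)

SAMPLE_SYSTEM_INI = """[boot]
shell=Explorer.exe C:\\WINDOWS\\badprog.exe
drivers=mmsystem.dll
[386Enh]
device=*vmm32
"""


def _is_section_header(stripped: str) -> bool:
    return stripped.startswith("[") and stripped.endswith("]")


def _is_suspect(match: "re.Match") -> bool:
    """Anything other than a bare Explorer.exe is worth a look."""
    not_explorer = match.group("shell").lower() != "explorer.exe"
    has_extra_program = bool(match.group("extra").strip())
    return not_explorer or has_extra_program


def find_shell_hijack(ini_text: str) -> Optional[str]:
    """Return the suspect value after shell= in [boot], or None if it is clean."""
    in_boot = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if _is_section_header(stripped):
            in_boot = stripped.lower() == "[boot]"
            continue
        if not in_boot or stripped.startswith(";"):
            continue  # other sections and commented lines are ignored
        match = _SHELL_RE.match(line)
        if match:
            return match.group("value").strip() if _is_suspect(match) else None
    return None


def repair_shell_line(ini_text: str) -> str:
    """Apply steps 5-8: comment out the bad shell= line, add Shell=Explorer.exe."""
    out = []
    in_boot = False
    fixed = False
    for line in ini_text.splitlines():
        stripped = line.strip()
        if _is_section_header(stripped):
            in_boot = stripped.lower() == "[boot]"
            out.append(line)
            continue
        match = None
        if in_boot and not fixed and not stripped.startswith(";"):
            match = _SHELL_RE.match(line)
        if match and _is_suspect(match):
            out.append(";" + line)           # step 6: neutralise the original line
            out.append("Shell=Explorer.exe")  # steps 7-8: clean shell line below it
            fixed = True
            continue
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("suspect shell value:", find_shell_hijack(SAMPLE_SYSTEM_INI))
    print(repair_shell_line(SAMPLE_SYSTEM_INI))
```

Running the repair a second time leaves the file unchanged, since the commented line is skipped and the new Shell=Explorer.exe line carries no extra program.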

Windows XP Quits When You View My Computer

While trying to use Windows Explorer to view items under My Computer, you may get an error if the Folders Explorer Bar is turned on:

Windows Explorer has encountered a problem and needs to close. We are sorry for the inconvenience. Please tell Microsoft about this problem.

This can happen if you have installed programs from the Kodak Picture Software CD version 1.3 or earlier, like Kodak EasyShare: Camera Connection, Picture Transfer, and Picture Software. Removing these programs using Add/Remove Programs in the Control Panel will fix the problem.

Windows Explorer Quits When You Map a Network Drive

When you try to map a drive to a network share or Web location using Windows Explorer, Windows Explorer may exit with one of the following errors:

Windows XP:

Explorer.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

Windows 2000:

Access Violation

Explorer.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created.

This can happen if the length of the mapped network drive name exceeds 300 characters. You can fix this by installing the latest service pack for Windows XP or 2000:

Windows XP:

http://www.microsoft.com/windowsxp/sp2/default.mspx

Windows 2000:

http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.mspx

Fixing Windows Explorer Problems Part 1

July 13th, 2007

Windows Explorer is the executable that serves as the interface to the Windows operating system and as such it has its share of problems. This is the first article in a series that will deal with various Windows Explorer related issues.

Thumbnail View Error

When trying to view the contents of a folder using the Thumbnail view, you may receive one of the following error messages:

  • EXPLORER caused an invalid page fault in module THUMBVW.DLL at 015f:799eaee4
  • EXPLORER caused an invalid page fault in module KERNEL32.DLL at 015f:bff9d709

This occurs when the Thumbs.db file (the file that contains thumbnails for a folder) in the folder is corrupted. To fix this problem, follow these steps:

  1. Be sure that you are able to view hidden files. From the View menu in Windows Explorer, click Folder Options. Select the View tab, click Show All Files, and then click OK.
  2. Delete the Thumbs.db file in the folder. If an error message displays, saying access is denied, then do one of the following:
    1. Close Windows Explorer, and then empty the Recycle Bin.
    2. In Windows Explorer, click another folder to view its contents, and then empty the Recycle Bin.
  3. Re-create the Thumbs.db file by clicking on the folder whose contents you are trying to view in Microsoft Windows Explorer, and then click Thumbnails on the View menu.

Windows Explorer is Blank or All Folders View is Missing

If Windows Explorer is blank or the All Folders view is missing, it may be that the ExplorerBar value in the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main registry key is damaged.

To fix this problem, do the following:

  1. Upgrade to the most current version of Microsoft Internet Explorer at http://www.microsoft.com/windows/ie/default.asp
  2. Test to determine if the issue is resolved. If the issue is resolved, do not go to step 3. If the issue is not resolved, go to step 3.
  3. Make sure that you have a backup of your computer available before editing the registry.
  4. Use Registry Editor to delete the ExplorerBar value in the following registry key, and then restart your computer: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

Too Many File Types

When you try to use the search feature in Windows Explorer, you may get the following error:

The instruction at 0x778aa57 referenced memory at “0x3b0046”. The memory cannot be read.

This can happen if you just added more than 64 file types in the File Types tab under the Folder Options dialog (found in the Tools menu in Windows Explorer). To resolve this problem, get Service Pack 4 for Windows 2000 from:

http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.mspx

White Desktop and BrowseUI.DLL Error

When you start up Microsoft Windows Millennium Edition (Me), the screen is white, and the following error message may appear:

Explorer has caused an error in Browseui.dll

You get a prompt to change desktop settings, because Active Desktop is turned off, but changing settings doesn’t help. The same error displays, and then the computer freezes.

You can resolve this issue by using the Registry Scan utility:

  1. Insert the Windows Me emergency startup disk, and restart your computer.
  2. Use the arrow key on your keyboard to select Start Computer Without CD-ROM Support, and then press Enter.
  3. At the command prompt type scanreg /fix, and then press Enter.
  4. After the ScanReg process is complete, restart your computer. The Registry Scan utility will find and remove corrupted registry entries and system files. The system replaces those files with a working copy of the files.

Explorer Causes an Invalid Page Fault in Browseui.DLL

After you log on to a Windows 98-based computer, you may get the following error:

This program has performed an illegal operation and will be shut down. If the problem persists, contact the program vendor.

If you click Details, the following error message will display:

  • EXPLORER caused an invalid page fault in module EXPLORER.EXE at 167:00401f31
  • EXPLORER caused an invalid page fault in module BROWSEUI.DLL at 167:00401f31

If you close the error, the computer starts with a blank desktop. Starting in safe mode does not solve the problem, but the memory address listed may change. This can happen if the Browseui.dll file is missing or damaged.

To fix this problem, try Method 1; if that fails, try Method 2.

Method 1: Repair Internet Explorer

  1. Restart the computer to display the command prompt by inserting the Windows 98 Emergency Startup disk and starting the computer, or pressing the CTRL key while starting the computer and selecting Command Prompt Only from the Windows Startup Menu.
  2. At the command prompt, type edit c:\windows\system.ini, and then press the Enter key to open the System.ini file in MS-DOS Editor.
  3. Use the arrow keys to navigate through MS-DOS Editor. Under the [Boot] section, change the following line shell=Explorer.exe to:

    shell=Progman.exe

  4. Press ALT+F to scroll down to Exit, and then press Enter. Select Yes to save the Windows\System.ini file and to return to the command prompt.
  5. Restart your computer, and Program Manager will start.
  6. Click File | Run, type control appwiz.cpl, and then click OK to open the Add/Remove Programs Properties dialog box.
  7. On the Install/Uninstall tab, click Microsoft Internet Explorer 5 and Internet Tools, and then click Add/Remove.
  8. Select the Repair Internet Explorer option, and then click OK. Follow the instructions in the wizard to repair Internet Explorer, and when you are prompted to restart the computer, click Yes.
  9. Repeat steps 1 through 5, but in step 3, change the line shell=progman.exe to shell=explorer.exe.

If the error persists, follow the steps in Method 2.

Method 2: Restore Internet Explorer

  1. Restart the computer to display the command prompt by inserting the Windows 98 Emergency Startup disk and starting the computer, or pressing the CTRL key while starting the computer and selecting Command Prompt Only from the Windows Startup Menu.
  2. At the command prompt, type edit c:\windows\system.ini, and then press the Enter key to open the System.ini file in MS-DOS Editor.
  3. Use the arrow keys to navigate through MS-DOS Editor. Under the [Boot] section, change the following line shell=Explorer.exe to:

    shell=Progman.exe

  4. Press ALT+F to scroll down to Exit, and then press Enter. Select Yes to save the Windows\System.ini file and to return to the command prompt.
  5. Restart your computer, and Program Manager will start.
  6. Click File | Run, type control appwiz.cpl, and then click OK to open the Add/Remove Programs Properties dialog box.
  7. On the Install/Uninstall tab, click Microsoft Internet Explorer 5 and Internet Tools, and then click Add/Remove.
  8. Click the Restore to previous Windows Configuration option, and then click OK. Complete the wizard to restore the earlier Windows configuration, and when prompted to restart the computer, click Yes.
  9. Repeat steps 1 through 5, but in step 3, change the line shell=progman.exe to shell=explorer.exe.

If both methods fail, you may have to completely reinstall the Windows 98 operating system. It should be noted that the reinstallation of Windows 98 may result in the loss of some Windows configuration information and/or data.

Javascript Errors

July 9th, 2007

JavaScript is a scripting language developed by Netscape for web browsers and is the de facto standard for scripts on web pages (it is also possible to use VBScript but almost no one does since it is only supported by IE). Microsoft uses an implementation of JavaScript called JScript, and while there are some differences between the two (and implementations in other browsers), everyone refers to browser scripting as JavaScript. Many people think that Sun’s Java programming language and JavaScript are related but the only things they share in common are the name and superficial syntax conventions.

It is important to understand the difference between JavaScript, scripting languages like PHP and ASP, and web programming languages like Java and ASP.NET. JavaScript is a client-side scripting language, and it runs on your browser. Essentially, the web page you visit tells your computer what to do, and your computer does it. Scripting languages like PHP and ASP are server-side scripts that are read through an interpreter on the web server and displayed to your browser. Web programming languages like Java and ASP.NET (Java is not strictly a web programming language but ASP.NET is) are actually programs that run on the server, created ahead of time by the web site designers. Instead of parsing a script which can be changed on the fly, the web server acts as a front-end to another program and any changes to the program require that it be recompiled.

The Fundamental JavaScript Problem

Each browser has its own interpretation of JavaScript and this quickly leads to problems. A few years ago, nearly everyone used Internet Explorer to surf the web. There were still some holdouts from the 90’s Microsoft/Netscape browser war but not many. This led web developers to write JavaScript that they only checked in Internet Explorer. Even though IE 4.0 kept to published web standards better than Netscape 4.0, Microsoft began developing its own proprietary implementation of JavaScript and other web languages, adding non-standard items and leaving other standard items unimplemented. The result was a lot of pages that only worked in IE.

Apple threw its own implementation into the mix with the Safari web browser in 2003, which muddied the waters a bit as Mac usage began to climb. A year later Firefox burst upon the scene as a faster, safer alternative to IE and gained 10 percent market share by November 2005. Moreover, Firefox closely implemented the standards set forth by the W3C, an independent group that has been publishing web standards since 1994 and whose director, Tim Berners-Lee, invented the World Wide Web in 1989.

With at least three major implementations out there, it is very difficult for web site designers to check that their pages work in all three browsers. When they don’t, JavaScript errors will occur.

Other Causes

Spyware can cause JavaScript errors if it modifies how your browser handles JavaScript code, which many do by capturing keystrokes and mouse-clicks hoping to catch your passwords and PIN numbers on banking sites and online stores. Spyware will also try to place its own custom ads on web pages, which can also cause JavaScript errors. Getting rid of spyware can be difficult but I have outlined steps to prevent, detect and clean up spyware in my Dealing with Spyware blog entry.

Pop-up blockers can also cause JavaScript errors although this is always the fault of the web site for not checking to see that pop-ups are disabled. If you trust the site you are on, you can disable the pop-up blocker for that site to see if it helps. Another trick is clearing your cache - some websites have multiple JavaScript files and if you don’t have the latest one you could be calling a piece of code that no longer exists.

If you use Firefox, you can cut down on the number of JavaScript errors by installing the NoScript extension. This will allow you to choose which sites run JavaScript and which do not. A lot of sites work fine without JavaScript for casual surfing.

Disk Drive Maintenance

July 2nd, 2007

While it is possible for every piece of hardware in your PC to fail, your hard disk drives are the most likely to die. Hard disks are the only components with moving parts that are constantly running in your computer, and like anything that has moving parts, they can wear out. With today’s hard drives getting bigger and bigger, it gets more expensive to develop drive parts that are both precise and robust. Nearly all consumer hard drive warranties are one year, but the average replacement time for a PC is about three years. Since only a hard drive crash can actually destroy your data, this means your PC will spend two-thirds of its time with the most data-critical component unprotected by the manufacturer - and if the manufacturer won’t provide a warranty for the device you can bet there’s a reason.

Your computer manufacturer may cover the whole computer for three years, if you bought the extended warranty, but that won’t save your data. If you don’t have a data backup plan, you should read my blog entry Backing Up is Hard To Do. If losing your data forever is a problem, then you need a backup system. The next thing to do is read the rest of this blog, where I’ll explain how to maintain your hard drives and find out ahead of time if they are going to fail.

Checking for Errors

There are several ways you can check for errors on your drive. First, you should get a free utility to check your drive called HD Tune. HD Tune can read information on your drive, perform an error check and run speed tests. While most of the information is highly technical, HD Tune will sum up your drive’s health as ‘OK’ if everything is running fine. If not, it’s probably time to consider a new drive. Hard drive failures tend to be exponential - the first few errors may happen over a long period of time but once the number of errors goes up, it’s usually not long before the hard drive goes belly up.

After checking the overall health of your drive, run an error scan on each disk to check for physical errors on the hard drive. If you have any, the end is probably near. Most modern hard drives leave extra “sectors” blank so that data can be moved to those sectors when another sector becomes defective, but there are only so many of these and again, hard drive failures tend to start small and get big fast. If you see any errors you should make sure you have your data backed up and re-check the drive at least a couple of days a week.

The next thing to check is the Event Viewer. Right-click on My Computer, select Manage, and open the Event Viewer folder. Click on the System log and sort by the Source column. Look for errors listed under ‘disk’ - if you find any, open them and look for the words ‘bad block’. If you have these errors then disk failure could be hours away.

The last check to run is chkdsk. This utility runs the next time you restart your computer and you can schedule a scan by running chkdsk /f from the command line (Start, Run…, type cmd and hit enter). You will be asked if you want to schedule a scan for the next time Windows starts - hit Y to confirm or N to cancel the scheduled scan. You can also specify the drive you want to check using chkdsk d: /f, where d: is the letter of the drive to check (don’t do CD-ROM drives).

Defragmentation

Defragmentation is essentially the only thing you can do to a hard drive to improve its performance that doesn’t involve highly technical and potentially dangerous tools. However, it is especially critical to do if you have a drive that is getting full (more than 60%) or if you’ve got a lot of small files on the drive. Since your system drive will have a lot of small, frequently used files (not to mention all the temp files that Windows throws around), you should defragment it at least once a month.

If you still have the Computer Management window open from looking at the Event Viewer, check out Disk Defragmenter next. Defragmenting a drive multiple times does little harm (although it does exercise the drive more than it otherwise would be), but if you’ve defragmented recently and just want to check, hit the Analyze button to see what your drive looks like. Big blocks of blue are good - tiny lines of blue or red are not. Windows will tell you whether you need to defragment, but you may want to do it anyway depending on which files are fragmented, or if there are a lot of lines scattered everywhere. Blocks of data are easier for your hard drive to read as it doesn’t have to jump around as much.

If the drive is pretty bad, Windows will not organize everything into nice neat blocks in order to save time. If you really want your drive fully defragmented and have all the data organized toward the front of the drive, you may have to run the defragmenter several times.

Is it Really Dead?

Sometimes, a failing power supply (another component prone to failure) can cause hard drive errors in the event log (they may be listed as ‘atapi’ in the Source field), poor hard drive performance or clicking sounds as the hard drive resets itself. In this case your hard drive may not be failing - yet. Bad power can ruin a hard drive just like old age can. While power supplies are harder to replace, they are usually covered under the manufacturer’s warranty. So if you have these symptoms, back up all your data and call your computer manufacturer right away. Hopefully they’ll recognize it as a power supply failure and replace the part for you.

Dealing with Spyware

June 23rd, 2007

Last weekend, between 8,000 and 10,000 websites, mostly in Italy, were hijacked and used to host a malware package called MPack. Using several exploits, MPack silently infects any visitors to compromised sites. Attacks like these have been getting more frequent, with a larger number of legitimate sites getting used to spread malware.

It’s very important to understand one thing: avoiding the seedy side of the Internet is no guarantee that you will not get spyware.

There’s a lot of ways you can protect yourself, but you have to be careful as some spyware masquerades as anti-spyware tools.

Prevention

Prevention is always the best option for a lot of things, spyware included. You can prevent virtually every malware package out there by creating a regular user account and using that account to surf the Internet and read email. If you need to transfer files between your administrator and regular user account, just put them in the Shared Documents folder in My Computer. In Vista, if you can put up with it, User Account Control (UAC) is a decent compromise.

Unfortunately there are a lot of things you aren’t allowed to do as a regular user, like set the system time, install programs or certain hardware, change system settings, and so on. With Fast User Switching, this is less of an annoyance but it can still be a pain. If you decide this route isn’t for you, then a more complicated approach is in order.

The first thing to realize is that the primary avenues of attack for spyware are infected websites and email. If you use a major webmail provider like Gmail or Yahoo mail, you’ll stand a better chance against spyware getting through. But if you use Outlook or Outlook Express (or Windows Mail in Vista) you are putting yourself at greater risk. The same applies to IE, particularly IE6 on XP (IE7 on Vista is safer because its Protected Mode runs the browser with low privileges, so it is prevented from writing to most of the system).

Even if you replace these programs with safer alternatives, such as Mozilla Firefox, Thunderbird (for email) or Opera (another, lesser known browser), the problem remains that anything run from your administrator account can install spyware that you may never be able to get rid of. There is a free tool called DropMyRights, available here, that starts a program with a restricted copy of your account’s privileges, so the program can’t change the system even though you are logged in as an administrator. When you install it, put it in C:\DropMyRights and install it for all users. Then change all of your browser, mail and file sharing program icons as follows:

  1. Right-click on the icon and select Properties.
  2. In the Shortcut tab, insert C:\DropMyRights\DropMyRights.exe in the Target: field before the path to the program (be sure to leave a space, and keep the program’s path in quotes if it contains spaces).
  3. Change the Run: dropdown box to Minimized, so the console window that DropMyRights opens doesn’t flash on screen each time.
  4. Click on the Change Icon… button, browse to the program’s executable (usually somewhere under C:\Program Files\) and choose the appropriate icon. Otherwise the shortcut takes DropMyRights’ generic icon.

Again, this comes with some annoyances - you won’t be able to install anything directly from the browser; you’ll have to download it first and then install it. But it is easier to live with than using a regular user account.

If you aren’t installing automatic updates, you really need to. Some exploits are reverse-engineered from the updates Microsoft releases, so the clock starts ticking the moment an update is available, even when the update wasn’t a response to an exploit already in the wild. In the Control Panel, double-click Automatic Updates and set it to install automatically. If you are using a regular user account, you won’t be able to change this setting or install updates yourself, so switch to your administrator account to change the setting, and log in to it periodically to install anything that is waiting.

A healthy dose of paranoia is also a good prevention measure. Treat the Internet as you would the bad part of town where you live and don’t trust every website you run into or every email you read.

Detection

It used to be that spyware infections were obvious - slow performance, lots of popups, a home page that you could never change back, etc. While that still happens, the trend in spyware has been toward more silent infections - after all, if you’ve got spyware, you’ll try to clean it off. If you don’t know you have it, then you won’t.

The next best method for detecting spyware is getting anti-spyware software from a reputable vendor. There are even some free anti-spyware tools out there that will scan and remove most spyware infections. However, spyware authors are constantly writing new spyware programs (some of which can subvert anti-virus and anti-spyware programs!) and the anti-spyware companies are constantly playing catch up, so these programs may miss some infections.

Fortunately, there’s another way to determine if you are infected. If you haven’t already, read my blog posts on process pruning and Understanding Task Manager Part 1 to prepare for these next steps:

  1. Trim down the number of processes that run at startup to as few as possible, particularly any instant messengers, file sharing programs, Adobe products and Java update.
  2. Turn off Automatic Updates temporarily (don’t forget to turn them back on!).
  3. Add the PID column in Task Manager.
  4. Restart your computer and log in.
  5. As soon as you can, go to Start -> Run…, enter cmd /c netstat -ano > desktop\netstat.txt and hit Enter. The -a switch lists every connection and listening port, -n keeps the addresses numeric, and -o adds the owning process ID (PID); the Run box starts in your profile folder, so the file lands on your Desktop.
  6. Start Task Manager and switch to the Processes tab.
  7. Open netstat.txt and look for any connection where the Foreign Address doesn’t start with one of these numbers (these are the loopback and private ranges; anything else is a host out on the Internet):
    1. 0
    2. 127
    3. 192.168
    4. 172.16 - 172.31
    5. 10
    Treat those as whole address blocks, not text prefixes: 10 means 10.x.x.x, not 100.x.x.x, and 172.16 - 172.31 covers only a second number from 16 through 31. A Foreign Address of *:* on a UDP line just means there is no peer, and can be ignored.
  8. Match the PID of each remaining connection against the PID column in Task Manager. If you see an executable you don’t recognize, type it into Google and see what it is. A PID that shows up in netstat.txt but not in Task Manager is worth a second look too: the process may simply have exited between the two snapshots, but that is also what a rootkit hiding a process looks like.
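To show what the last two steps amount to when done mechanically, here is an added example (not code from the original post) that parses a netstat -ano listing, drops the loopback and private ranges above using proper address blocks rather than text prefixes, and matches the remaining PIDs against a process list. The netstat and tasklist text inside it is constructed for the example: tasklist /fo csv stands in for the PID column of Task Manager, and every address and the image name wupdmgr32.exe are made up.

```python
"""Offline triage of `netstat -ano` output, following the Detection steps.
Added example with constructed sample text; nothing here was captured from
a real host. The tasklist CSV stands in for Task Manager's PID column."""
import csv
import io
import ipaddress
import re
from collections import namedtuple

# The foreign-address ranges the post says to ignore, as CIDR blocks. Checking
# block membership instead of text prefixes means "172.16 - 172.31" is exact
# and "10" does not also swallow 100.x.x.x or 108.x.x.x.
LOCAL_NETWORKS = [
    ipaddress.ip_network("0.0.0.0/8"),      # 0.0.0.0:0 on LISTENING rows
    ipaddress.ip_network("127.0.0.0/8"),    # loopback
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),  # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),
]

Conn = namedtuple("Conn", "proto local foreign_host foreign_port state pid")

# A netstat -ano row: proto, local, foreign, optional state (UDP has none), PID.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def split_endpoint(endpoint):
    """'203.0.113.17:6667' -> ('203.0.113.17', '6667'); '[::1]:135' -> ('::1', '135')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def is_local_host(host):
    """True for the hosts the post says to ignore. '*' is a UDP row with no peer.
    IPv6 loopback/unspecified/link-local/unique-local get the same treatment,
    which goes beyond the post's IPv4-only list."""
    if host == "*":
        return True
    addr = ipaddress.ip_address(host)
    if addr.version == 6:
        return addr.is_loopback or addr.is_unspecified or addr.is_link_local or addr.is_private
    return any(addr in net for net in LOCAL_NETWORKS)

def parse_netstat(text):
    """Turn `netstat -ano` output into Conn tuples, skipping the header lines."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            host, port = split_endpoint(foreign)
            conns.append(Conn(proto, local, host, port, state or "", int(pid)))
    return conns

def parse_tasklist_csv(text):
    """PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}

def triage(netstat_text, tasklist_text):
    """One dict per connection to a non-local host, with the owning image name.
    image is None when the PID is not in the process list: the process exited
    between the two snapshots, or something is hiding it (the rootkit case)."""
    images = parse_tasklist_csv(tasklist_text)
    return [
        {"pid": c.pid, "image": images.get(c.pid), "proto": c.proto,
         "remote": f"{c.foreign_host}:{c.foreign_port}", "state": c.state}
        for c in parse_netstat(netstat_text)
        if not is_local_host(c.foreign_host)
    ]

# Constructed sample of `netstat -ano`; all addresses are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    127.0.0.1:1027         127.0.0.1:1028         ESTABLISHED     1236
  TCP    192.168.1.5:1034       192.168.1.1:139        ESTABLISHED     4
  TCP    192.168.1.5:1040       172.20.3.9:445         ESTABLISHED     4
  TCP    192.168.1.5:1051       100.64.1.9:80          ESTABLISHED     2404
  TCP    192.168.1.5:1063       203.0.113.17:6667      ESTABLISHED     3180
  TCP    192.168.1.5:1071       198.51.100.8:443       ESTABLISHED     2404
  TCP    192.168.1.5:1080       203.0.113.44:8080      ESTABLISHED     3312
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv`. wupdmgr32.exe is a made-up name
# and PID 3312 is deliberately missing.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","948","Console","0","4,852 K"
"alg.exe","1236","Console","0","3,412 K"
"firefox.exe","2404","Console","0","61,204 K"
"wupdmgr32.exe","3180","Console","0","2,108 K"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{f['pid']:>5}  {f['image'] or '<not in process list>':<22} "
              f"{f['proto']} {f['remote']} {f['state']}")
```

Run as-is it prints the four connections worth looking up: two from firefox.exe (note that 100.64.1.9 is reported, which a plain "starts with 10" check would have wrongly skipped), one from the made-up wupdmgr32.exe to port 6667, and one owned by a PID that is not in the process list at all. On a real machine you would feed it the netstat.txt from step 5 and the output of tasklist /fo csv (XP Professional; XP Home doesn’t ship tasklist.exe, so read the PIDs off Task Manager instead).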

Cleanup

If it’s just a regular program or something you forgot to clean up, then you can breathe easy. If you find out it’s spyware, try running some more anti-spyware tools; your search may also turn up removal instructions. If you can’t find the executable in Google, and the anti-spyware programs you try don’t find anything, then you are really in trouble. It’s time to back up your data and try a couple of last-ditch efforts.

First, download and install these two programs: RootkitRevealer and HijackThis. You’ll need to log in as an administrator to run them. Start with RootkitRevealer (unzip it to a folder on the desktop). Read its help file first to get an idea of what rootkits are and how the tool spots them, then run the program. Again, Google is your friend for checking out anything that RootkitRevealer finds. If you determine that you have a rootkit, there may be some way to remove it, but if not, you’ll have to re-install Windows, since nothing a rootkitted system reports about itself can be trusted any more. Good thing all your data is backed up, right?

If RootkitRevealer doesn’t find anything, it’s time to try HijackThis. Run the installer and make sure you allow it to put an icon on the desktop. Double-click the HijackThis icon and click on Open online HijackThis QuickStart. Follow the instructions on the site - there are also very useful links for cleaning up some nasty infections.

Understanding Task Manager Part 2

June 20th, 2007

Last time I covered the first two Task Manager tabs, Applications and Processes. In this post I will explain the other three tabs, Performance, Networking and Users.

Performance Tab

The Performance tab is the executive summary of the Processes tab. Where the Processes tab can show you what processes are running (and the resources they are consuming), the Performance tab gives a high-level look at your system resource usage - most importantly, how much physical memory is available for programs.

Task Manager Performance Pane

The CPU Usage and CPU Usage history sections are straightforward. The first is a graph of how much CPU the computer is using at the moment and the second is a line graph of CPU usage over a given period of time (by default, each grid is ten seconds). If you are getting slow performance, and the CPU history shows a lot of usage, or is pegged at 100%, it’s a clue to look at the Processes tab to see what process (or processes) are using so much CPU. Under normal usage there should be some spikes but the processor should never be pegged at 100% for any length of time.

The PF Usage graphs are similar in purpose to the CPU graphs, but despite the name they don’t show how much of the page file is in use. They show the commit charge: the total virtual memory that programs have asked Windows to back with either RAM or the page file. If they ever get close to the top you will have performance issues and eventually program crashes. Again, check the Processes tab to see what programs are using a lot of memory.

If you commonly find that you are close to the maximum amount of available memory, you can increase the size of your page file. Right-click on My Computer, click Properties and then choose the Advanced tab. In the Performance section, click Settings and choose the Advanced tab in the window that appears. In the Virtual Memory section, click Change. You will see there are three options for paging file size:

  1. Custom size - you can set the upper and lower limits
  2. System managed size - Windows sets the size of the page file
  3. No paging file - No page file is used at all

The typical recommendation is the amount of physical memory multiplied by 1.5. So if you have 1GB of RAM, you should set your page file size to about 1536MB (one GB of RAM is 1024MB). If the recommended size in the Total paging file size for all drives is close to this amount you can just use that instead. If you set the Initial size and Maximum size the same, you will prevent Windows from changing the page file size on its own, which is a huge performance hit in most cases, and is typically done at the worst possible time - when you need more virtual memory.

If you already have a page file that is 1.5 times the size of your physical RAM and you are still running out of virtual memory, you need to buy more RAM. You may also want to consider an x64 version of XP or Vista, which can use RAM beyond the 4GB address limit of 32-bit Windows (in practice about 3GB of RAM is usable on a 32-bit system). It’s also possible to turn off the page file, if and only if you have enough physical RAM; bear in mind that without a page file on the system drive Windows cannot write a memory dump when it bluescreens, which makes crash troubleshooting harder. The next section can help you determine if turning it off is possible.

Totals, Commit Charge and Memory

The Totals section of the Performance tab simply displays the total handles (references programs hold to kernel objects such as files, registry keys and events), threads (the individual execution paths within processes that get scheduled on the CPU) and processes (running executables) on your computer. If any of these get extremely high, go to the Processes tab and add the appropriate column (Handle Count for handles, Thread Count for threads) to see which process is responsible.

The Commit Charge and Physical Memory sections are the most vital to determining the performance of your computer. Modern CPUs are usually fast enough to handle most computing tasks without breaking a sweat. Games and video editing software may tax a computer but Office, money management suites and Internet browsing should never be a problem, and unless you’ve filled up your hard drive without realizing it, the last remaining performance culprit is memory.

The Commit Charge section has three parts:

  1. Total - the amount of virtual memory currently committed by all programs and the system
  2. Limit - the commit limit, roughly physical RAM plus the current page file size; once Total reaches it, memory allocations fail and programs crash
  3. Peak - the highest the Total has reached since the computer was turned on

The Physical Memory section also has three parts:

  1. Total - the total amount of physical memory (RAM) in your computer
  2. Available - the amount of physical memory available for programs
  3. System Cache - the amount of physical memory being used for open files

If your peak commit charge is bigger than the total physical memory, it’s time to consider more physical RAM, especially if you do a lot of multitasking. If you only occasionally open a lot of programs then you will probably be fine. If after an intensive multitasking session your peak commit charge is only half of your total RAM, you can consider reducing or eliminating your page file. To be sure, check your peak commit charge every time you are ready to log off for a couple of weeks. Be aware, though, that without a page file the commit limit is just your RAM, and programs will crash when it is exhausted, the same as they do when RAM plus the page file run out.

The Kernel Memory section typically does not offer much performance information, but if the numbers are high you may have too many drivers or buggy drivers taking up a lot more memory than they should be.

Networking and Users

The Networking tab is new to Windows XP. For the most part it doesn’t help much with performance troubleshooting, but like any other graph, if it is maxed out you have a problem. Unlike the other tabs, there isn’t an easy way to see which processes are using up your bandwidth (netstat -ano at least tells you which processes hold network connections). If you have more than one PC at home, you may experience a slow Internet connection if the other PC is using up too much bandwidth, and you can check the Networking tab on that machine to be sure.

The Link Speed column indicates how fast the network link is. If you have a wired link, it’s probably 100 Mbps or 1000 Mbps (or 1Gbps). If you have broadband, your Internet link speed is probably in the 1.5 Mbps to 10 Mbps range - well under the limit for your network adapter. If you are transferring files from one computer to another though, you can max out a 100 Mbps link.

The Users tab will be available if you have Fast User Switching turned on. I always turn this off: if you actually have multiple people using your PC it is the biggest performance killer besides a massive spyware infection, and if you don’t, then you don’t need Fast User Switching anyway. Basically it will tell you how many users are connected to your PC and from which computers.

If you share files in a dorm environment, you may have a lot of connections to your computer, which impacts performance. The Users tab only shows logged-in sessions; to see who is connected to your shared folders, right-click on My Computer, click Manage and select Shared Folders. Underneath you will see three more folders:

  1. Shares - folders that are shared on your computer
  2. Sessions - users logged into your computer
  3. Open Files - files that users have opened

If you’ve got a lot of people connected you can kick them off by right-clicking on a session and closing it, or by right-clicking the Sessions folder to disconnect all of them at once. Anyone with a file open at the time may lose work, so it’s polite to warn them first.

Understanding Task Manager Part 1

June 14th, 2007

When it comes to system performance issues, Windows’ Task Manager (Ctrl-Shift-Esc) is the first place to look. Task Manager can also end processes that aren’t responding, start new processes and switch to applications that may have gotten “stuck” when a dialog box got covered up by another window.

Status Bar

In all Task Manager tabs, the status bar at the bottom of the window shows three things:

  1. Processes: The number of running processes. Every process costs memory, and the ones doing work cost CPU, so a long list usually means a slower computer, though an idle process costs very little.
  2. CPU Usage: Total CPU usage by all processes. If this stays at 100% for an extended period of time, it is typically because of a buggy or hung application.
  3. Commit Charge: The amount of virtual memory committed by everything running, followed by the commit limit (physical RAM plus the page file). If the first number ever gets close to the second, Windows will slow down considerably and programs will start to fail.

Note: in the screenshot below, the Users tab is missing because I have Fast User Switching turned off. I will cover the users tab briefly in the next article on Task Manager.

Application Tab

The default first view is the Application tab. There’s really not much exciting here but this tab does allow you to switch to a task that may otherwise not be responsive. You can also attempt to gracefully end a task (which is safer than ending its process) or start a new task. For example, when Windows Explorer hangs and you are forced to close it, you can use Task Manager to start a new Explorer.exe if it doesn’t come back up on its own.

Task Manager Application View

Processes Tab

The Processes tab is a detailed view of every executable (process) running on your computer. You may need to check the Show processes from all users checkbox to see everything. The default columns show some information, but many additional columns are available and can be added from the View -> Select Columns… menu item. Here is a list of some of the more useful columns and what they mean:

  • Image Name: The file name of the executable.
  • PID: The process ID, a number Windows assigns to each running process. It is what you use to match a process against other tools, for example the PID column of netstat -ano.
  • User Name: The user that is running the process. The SYSTEM, LOCAL SERVICE and NETWORK SERVICE users are all built into Windows and run system processes. It is almost never a good idea to forcefully end one of these processes. If you have a lot of processes running under your username, especially if you don’t have any applications open, your computer may be burdened with junkware, or worse. Conversely, a process with a system-sounding name like svchost.exe running under your own user name is suspicious, since the real one only runs under those three built-in accounts.
  • CPU Usage: Current percentage of CPU being used by the process. If a process sits at 100% of the CPU for more than a minute or so, it is usually spinning in a loop or hung.
  • CPU Time: Total amount of CPU time the process has used since it started. Sort by this column to see if any process is using a lot of the CPU’s time. If you have slow performance issues, this is the first thing to look at in determining which program is causing the problem.
  • Memory Usage: The amount of physical memory Windows currently has allocated to the process (its working set). If a process which isn’t doing anything keeps using more and more memory, that is the classic sign of a memory leak. Eventually the process may use up all available memory and crash.
  • Peak Memory Usage: The largest amount of memory the process has used. This is a useful gauge for how much memory to allow for a particular program.
  • I/O Reads and I/O Writes: These count read and write operations on files, network sockets and devices, so they aren’t strictly disk activity, but on most PCs the vast majority of it is disk. Any program with a lot of I/O reads, and especially I/O writes, may be causing performance problems.
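Two of the checks above (a core Windows image running under the wrong account, and a name that merely resembles one) can be made mechanical. The following is an added example, not code from the original post, that runs them over a process list in the shape of tasklist /v /fo csv, the command-line view of the same Image Name and User Name columns. The rows are constructed: HOMEPC\alice, PID 2960 and scvhost.exe are made up, the table of which accounts each core image runs under is my own list for XP rather than something the post gives, and the edit-distance threshold for lookalike names is an assumption.

```python
"""Mechanical checks on the Image Name and User Name columns of the Processes tab.
Added example with constructed rows shaped like `tasklist /v /fo csv` output;
no real process list was used."""
import csv
import io

# Core Windows images and the accounts they run under on XP (my own list for
# this example). One of these names under an ordinary user account is suspect.
SYSTEM_IMAGES = {
    "system": {"SYSTEM"},
    "smss.exe": {"SYSTEM"},
    "csrss.exe": {"SYSTEM"},
    "winlogon.exe": {"SYSTEM"},
    "services.exe": {"SYSTEM"},
    "lsass.exe": {"SYSTEM"},
    "svchost.exe": {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"},
    "spoolsv.exe": {"SYSTEM"},
}

# Names within this many edits of a core image name are treated as lookalikes
# (scvhost.exe, svch0st.exe). Assumed threshold; lower it if it gets noisy.
LOOKALIKE_DISTANCE = 2

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute), two-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def account(user_name):
    """'NT AUTHORITY\\SYSTEM' -> 'SYSTEM', 'HOMEPC\\alice' -> 'alice' (Task Manager's view)."""
    return user_name.rpartition("\\")[2]

def check_processes(tasklist_csv):
    """One finding per suspicious row: a core image under the wrong account,
    or an unknown name that looks like a core image."""
    findings = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        image, pid = row["Image Name"], int(row["PID"])
        user = account(row["User Name"])
        expected = SYSTEM_IMAGES.get(image.lower())
        if expected is not None:
            if user not in expected:
                findings.append({"pid": pid, "image": image, "user": user,
                                 "reason": f"normally runs as {' or '.join(sorted(expected))}, not {user}"})
            continue
        for known in SYSTEM_IMAGES:
            if levenshtein(image.lower(), known) <= LOOKALIKE_DISTANCE:
                findings.append({"pid": pid, "image": image, "user": user,
                                 "reason": f"name looks like {known}"})
                break
    return findings

# Constructed sample in the shape of `tasklist /v /fo csv` (raw string so the
# backslashes in the account names survive). PID 2960 and scvhost.exe are the
# planted problems; everything else is what a clean XP box looks like.
SAMPLE_TASKLIST_V = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","236 K","Running","NT AUTHORITY\SYSTEM","0:00:12","N/A"
"smss.exe","536","Console","0","388 K","Running","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"svchost.exe","948","Console","0","4,852 K","Running","NT AUTHORITY\SYSTEM","0:00:03","N/A"
"svchost.exe","1012","Console","0","3,900 K","Running","NT AUTHORITY\NETWORK SERVICE","0:00:01","N/A"
"explorer.exe","1500","Console","0","18,300 K","Running","HOMEPC\alice","0:00:20","N/A"
"firefox.exe","2404","Console","0","61,204 K","Running","HOMEPC\alice","0:01:42","Mozilla Firefox"
"svchost.exe","2960","Console","0","1,744 K","Running","HOMEPC\alice","0:00:00","N/A"
"scvhost.exe","3180","Console","0","2,108 K","Running","HOMEPC\alice","0:00:00","N/A"
'''

if __name__ == "__main__":
    for f in check_processes(SAMPLE_TASKLIST_V):
        print(f"PID {f['pid']:>5}  {f['image']:<14} {f['user']:<10} {f['reason']}")
```

The account check is exact, so it has no false positives as long as the table is right for your Windows version; the lookalike check is a heuristic and will occasionally flag a legitimate program whose name happens to be close to a core image, which is exactly the case where the post’s advice to look the name up applies.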

If you right-click on any process you will get 5 options:

  1. End Process: This will kill the process and unlike the Application tab, it will do it right away, unless you do not have permission to end it (which is usually the case with processes running under the SYSTEM username).
  2. End Process Tree: If a process started other processes, this command ends those as well. Used on explorer.exe it will kill every application you launched from the desktop or the Start menu, since those are all children of explorer.exe.
  3. Debug: If you have a debugging tool, you can debug a process with this option. If you don’t know what debugging is you should definitely never use this command.
  4. Set Priority: This option sets how the process competes with others for the CPU. For the most part it should be left alone, but if a movie you are watching starts skipping frames, raising the player to “High” can help. Never use “Realtime”: it lets the process starve everything else, including the mouse and keyboard.
  5. Set Affinity…: If you have a hyper-threaded, dual core or quad core processor, you can use this option to restrict a process to specific cores. This can be useful for processes that use a lot of CPU.

In Part 2, I’ll cover the Performance and Networking tabs in detail, as well as the Users tab.

The Blue Screen of Death

June 13th, 2007

The blue screen of death (BSOD) is likely the most famous component of the Windows operating system. First seen in Windows 3.1, it gained notoriety after appearing during Bill Gates’ unveiling of Windows 98. Anyone who ever used Windows 95, 98 or Me for any length of time has probably seen a BSOD, and though they are less common with Windows 2000, XP and Vista, they still occasionally appear. By default Windows XP and Vista restart automatically after a bluescreen, and the next time you log in they display the “Windows has recovered from a serious error” message.

Causes of BSODs

In Windows 2000, XP and Vista, BSODs can be caused for a number of reasons. Below, I’ve listed some of the stop codes and possible causes, summarized from The Lazy Admin website:

  • STOP 0x0000000A IRQL_NOT_LESS_OR_EQUAL:
    Buggy device drivers, virus scanners and backup tools (anything that installs a kernel-mode driver).
  • STOP 0x0000001E KMODE_EXCEPTION_NOT_HANDLED:
    Buggy kernel-mode drivers, and programs, usually trojans and spyware (although legitimate remote control programs may cause the same problems), attempting to subvert the Windows logon process.
  • STOP 0x0000007B INACCESSIBLE_BOOT_DEVICE:
    Hard drive failure, bad boot.ini configuration, or a missing or incompatible hard disk controller driver. This can happen after swapping out a motherboard with another one having different disk controllers.
  • STOP 0x00000050 PAGE_FAULT_IN_NONPAGED_AREA:
    Kernel-mode code referenced an address that is supposed to always be in RAM (non-paged memory) but isn’t valid; typically caused by bad memory or buggy drivers, printer drivers in particular.
  • STOP 0x0000007F UNEXPECTED_KERNEL_MODE_TRAP:
    Bad memory chips or CPU overclocking.
  • STOP 0x00000024 NTFS_FILE_SYSTEM:
    Failing hard disk or buggy third-party disk defragmenters.
  • STOP 0x0000002E DATA_BUS_ERROR:
    Hardware incompatibility, misconfigured BIOS settings or bad memory.

Troubleshooting Steps

The first thing to do is disable automatic restart after BSODs, before trouble begins. Right-click My Computer and choose Properties. In the Advanced tab, in the Startup and Recovery section, click Settings and then uncheck Automatically restart. Click OK twice.

If you do get a stop error there are a lot of things you can do, but the first steps to take are typically in the error message itself. If you need to, write down the error, especially the STOP code (like the ones listed above), and do a Google search on it if you have some other means of internet access.

Microsoft has provided a document on BSOD errors, that while highly technical, offers good advice based on the STOP code received. Skip ahead to page 22 and then find the error matching the one you got and try the troubleshooting steps there.

Most of the time, BSODs are hardware or driver related so your first priority after getting your computer up and running is backing up your data, if you aren’t doing that already.