Windows Administration - PowerPoint PPT Presentation

Windows Administration

Slides: 77
Provided by: jcp16

Transcript and Presenter's Notes

1
Windows Administration
  • Tuesday, March 29th, 2005
  • Jason Parente
  • Windows Administration Software
  • Windows Registry
  • Spyware Removal
  • Hacking

2
Windows Administration Software
  • There are two main Administration points in
    Windows 2000/Windows XP.
  • The Control Panel
  • Administrative Tools
  • Note
  • This tutorial very seldom distinguishes between
    Windows 2000 & Windows XP.
  • The differences are minimal and mostly at a
    visual level.

3
Windows Administration Software
  • The Control Panel

4
The Control Panel
  • Add or Remove Programs

5
The Control Panel
  • Add or Remove Programs

6
The Control Panel
  • Add or Remove Programs

7
The Control Panel
  • Add/Remove Windows Components

8
The Control Panel
  • Automatic Updates

9
The Control Panel
  • Date and Time

10
The Control Panel
  • Display

11
The Control Panel
  • Display

12
The Control Panel
  • Internet Options

13
The Control Panel
  • Network Connections

14
The Control Panel
  • Local Area Connection

15
The Control Panel
  • Local Area Connection

16
The Control Panel
  • Local Area Connection Status

17
The Control Panel
  • Power Options

18
The Control Panel
  • Printers & Faxes

19
The Control Panel
  • Regional and Language Options

20
The Control Panel
  • Add Scheduled Task

21
The Control Panel
  • Security Center

22
The Control Panel
  • Sounds and Audio Devices

23
The Control Panel
  • System

24
The Control Panel
  • System

25
The Control Panel
  • System

26
The Control Panel
  • System

27
The Control Panel
  • System

28
The Control Panel
  • System

29
The Control Panel
  • System

30
The Control Panel
  • Windows Firewall

31
Windows Administration Software
  • Administrative Tools

32
Administrative Tools
  • With the Admin Pak installed

33
Administrative Tools
  • Event Viewer

34
Administrative Tools
  • Event Viewer

35
Administrative Tools
  • Event Viewer

36
Administrative Tools
  • Event Viewer

37
Administrative Tools
  • Performance

38
Administrative Tools
  • Services

39
Administrative Tools
  • Computer Management

40
Administrative Tools
  • Shared Folders

41
Administrative Tools
  • Local Users and Groups

42
Administrative Tools
  • Device Manager

43
Administrative Tools
  • Disk Defragmenter

44
Administrative Tools
  • Disk Management

45
Administrative Tools
  • Disk Management

46
Windows Administration Tricks
  • Patch all your systems!!!
  • Install anti-virus software. Run a full scan
    weekly.
  • Have daily/weekly backups.

47
Windows Administration Tricks
  • Look at your event viewers on a daily basis.
  • Make sure there are no errors.
  • Verify your device manager. Check that all
    hardware is functioning correctly.
  • Run spyware removal tools once a week.

48
Windows Registry
  • The Windows Registry is made of
  • Keys and sub-keys.
  • Values
  • Values have value data.

49
Windows Registry
  • Example

50
Windows Registry
  • Example
  • HKEY_LOCAL_USERS\SYSTEM\Select
  • HKEY_LOCAL_USERS is a key
  • SYSTEM \ Select are sub-keys 2 levels down
  • Current is a Value
  • 1 is the value data of that Value

51
Windows Registry
  • Example
  • HKEY_LOCAL_USERS\SYSTEM\Select
  • HKEY_LOCAL_USERS is a key
  • SYSTEM \ Select are sub-keys 2 levels down
  • Current is a Value
  • 0x00000001 (1) is the value data of that Value

52
Windows Registry
  • Keys

53
Windows Registry
  • Keys
  • Hkey_Classes_Root
  • This key displays information about OLE and
    associated mappings to support drag-and-drop
    operations.
  • Hkey_Current_User
  • This points to a branch of Hkey_Users for the
    currently logged on user.
  • Hkey_Local_Machine
  • This contains computer specific information
    including installed hardware and software.
  • Hkey_Users
  • This contains information about users that have
    logged on to the computer.
  • Hkey_Current_Config
  • This key points to a branch of Hkey_Local_Machine\
    Config and has information such as display fonts
    and printers.

54
Windows Registry
  • Fake Keys
  • HKEY_CURRENT_CONFIG
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current
  • HKEY_CLASSES_ROOT
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes
  • HKEY_CURRENT_USER
  • Is a pointer to the logged-on user's sub-key
    under HKEY_USERS

55
Windows Registry
  • HKEY_USERS

56
Windows Registry
  • Data Types
  • REG_BINARY - This type stores the value as raw
    binary data.
  • REG_DWORD - This type represents the data by a
    four byte number and is commonly used for boolean
    values, such as "0" is disabled and "1" is
    enabled.
  • REG_EXPAND_SZ - This type is an expandable data
    string, that is, a string containing a variable to be
    replaced when called by an application. For
    example, for the following value, the string
    "%SystemRoot%" will be replaced by the actual
    location of the directory containing the Windows
    NT system files.
  • REG_MULTI_SZ - This type is a multiple string
    used to represent values that contain lists or
    multiple values, each entry is separated by a
    NULL character.
  • REG_SZ - This type is a standard string, used to
    represent human readable text values.

57
Windows Registry
  • Automatically changing keys
  • Create a .reg file and then edit the file.
  • Windows Registry Editor Version 5.00
  • [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\PCI\VEN_8086&DEV_24C5&SUBSYS_01261028&REV_01\3&172e68dd&0&FD\DirectSound\Device Presence]
  • "Emulated"=dword:00000001
  • "VxD"=dword:00000001
  • "WDM"=dword:00000001

58
Windows Registry
  • Example To Add A Windows XP Logon Wallpaper
  • 1) Navigate to HKEY_USERS\.DEFAULT\Control
    Panel\Desktop
  • 2) Double click the wallpaper value, and type in
    the full path of your image and the filename.
  • 3) To tile the image set "TileWallPaper" to 1
  • 4) To Stretch the wallpaper set "WallPaperStyle"
    to 2
  • 5) Close the registry editor and the changes will
    take place when you Log off.

59
Windows Registry
  • My Wallpaper

60
Windows Registry
  • Registry Hives
  • A registry hive is a group of keys, subkeys, and
    values in the registry that has a set of
    supporting files containing backups of its data
    (mostly in C:\windows\system32\config).
  • HKEY_LOCAL_MACHINE\SAM: Sam, Sam.log, Sam.sav
  • HKEY_LOCAL_MACHINE\Security: Security,
    Security.log, Security.sav
  • HKEY_LOCAL_MACHINE\Software: Software,
    Software.log, Software.sav
  • HKEY_LOCAL_MACHINE\System: System, System.alt,
    System.log, System.sav
  • HKEY_CURRENT_CONFIG: System, System.alt,
    System.log, System.sav, Ntuser.dat,
    Ntuser.dat.log
  • HKEY_USERS\DEFAULT: Default, Default.log,
    Default.sav

61
Windows Registry
  • More Info
  • Description of the Microsoft Windows registry
  • http://support.microsoft.com/kb/256986

62
Spyware Removal
  • Spyware, Adware and Malware will be treated as
    the same problem.
  • An unwanted program is installed at some level in
    your computer.

63
Spyware Removal
  • What to do
  • 1) Get Microsoft Windows AntiSpyware Beta
  • http://www.microsoft.com/athome/security/spyware/software/default.mspx
  • 2) Install Ad-Aware SE Personal
  • http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5
  • 3) Install Spybot Search & Destroy
  • http://www.download.com/Spybot-Search-Destroy/3000-8022-10122137.html?part=dl-spybot&subj=dl&tag=but
  • 4) Install Windows XP SP2 & Mozilla Firefox

64
Spyware Removal
  • Microsoft Windows AntiSpyware Beta

65
Spyware Removal
  • Ad-Aware SE Personal

66
Spyware Removal
  • Spybot Search & Destroy

67
Spyware Removal
  • Run the Malicious Software Removal Tool
  • Checks for infections of prevalent malicious
    software.

68
Hacking
  • Registry Keys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

69
Hacking
  • Registry Keys
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

70
Hacking
  • Registry Keys
  • All should be "%1" %*
  • HKEY_CLASSES_ROOT\batfile\shell\open\command
  • HKEY_CLASSES_ROOT\comfile\shell\open\command
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
  • HKEY_CLASSES_ROOT\htafile\shell\open\command
  • HKEY_CLASSES_ROOT\piffile\shell\open\command

71
Hacking
  • Services
  • Check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
  • Compare with a clean machine.

72
Hacking
  • Startup Folders
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  • C:\Documents and Settings\user_name\Start Menu\Programs\Startup
  • Check for hidden files and folders.

73
Hacking
  • Task Scheduler
  • C:\windows\tasks
  • Win.ini
  • C:\windows\win.ini
  • Look for malicious programs under
  • [windows]
  • RUN=
  • LOAD=

74
Hacking
  • System.ini
  • C:\windows\system.ini
  • [boot]
  • Shell=explorer.exe <program name>
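
The manual checks from slides 68-74 as one read-only PowerShell script. This is an added example, not part of the original presentation; the output file name services-<computer>.csv and the use of [Environment]::GetFolderPath to locate the startup folders (instead of the hard-coded Documents and Settings paths) are assumptions.

```powershell
# Added example (not from the slides). Read-only audit of the autostart locations
# listed on slides 68-74; run it in an elevated session on the machine under review.

# 1) Run-style keys: every value is a command line started at boot or logon.
$runKeys = @(foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
        "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
    }
})
$runKeys += 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($valueName in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $key; Name = $valueName; Command = $item.GetValue($valueName) }
    }
}

# 2) File-type handlers: the slides expect the default value to be "%1" %*.
#    A mismatch is a lead to review by hand, not a verdict.
$handlers = foreach ($type in 'batfile', 'comfile', 'exefile', 'htafile', 'piffile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $default = (Get-Item -LiteralPath $key).GetValue('')
    [pscustomobject]@{ Type = $type; Default = $default; AsExpected = ($default -eq '"%1" %*') }
}

# 3) Startup folders and the Tasks folder, including hidden entries (-Force).
$files = @([Environment]::GetFolderPath('CommonStartup'), [Environment]::GetFolderPath('Startup'), "$env:windir\Tasks") |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
    ForEach-Object { Get-ChildItem -LiteralPath $_ -Force } |
    Select-Object FullName, Attributes, LastWriteTime

# 4) Legacy INI autostarts: run=/load= in win.ini, shell= in system.ini.
$ini = Select-String -Path "$env:windir\win.ini", "$env:windir\system.ini" `
    -Pattern '^\s*(run|load|shell)\s*=' -ErrorAction SilentlyContinue

# 5) Services: export name + ImagePath, then diff against the same export from a clean
#    machine: Compare-Object (Import-Csv clean.csv) (Import-Csv this.csv) -Property Service, ImagePath
$services = Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $_.GetValue('ImagePath') } } |
    Where-Object { $_.ImagePath }

$autostarts | Format-Table -AutoSize -Wrap
$handlers   | Format-Table -AutoSize -Wrap
$files      | Format-Table -AutoSize -Wrap
$ini        | Format-Table Path, LineNumber, Line -AutoSize -Wrap
$services   | Export-Csv -Path "services-$env:COMPUTERNAME.csv" -NoTypeInformation
```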

75
Hacking
  • Autoruns
  • Download Sysinternals Autoruns.
  • Shows all applications that run automatically.
  • http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

76
Hacking
  • Autoruns