Sunday, July 15, 2012

BSOD - Reading and Using Windows Dump Files

Let's face it, there is nothing more frustrating than being in the middle of a great game and suddenly getting the dreaded Blue Screen of Death (BSOD), unless it's being in the gunner's seat of a helicopter in BFBC2 when your pilot suddenly loses his internet connection.

We've all been there, some more than others. Anyone who owns a Windows computer will see a BSOD at least once in their lifetime. If it happens once and recovers, then it was probably just a system hiccup, but if it KEEPS happening, then something is wrong.

For many of us, the blue screen will appear for 15 - 30 seconds, giving us time to read (and write down) the generated error code, but if the blue screen flashes by too fast to read the error code, how do you know what is going on?

Dump Files (dunna nunna nunna nunna)


If you have your system set to record dump files (and it should), when Windows crashes it will write all the necessary error information to the dump file.  This is wonderful if your blue screen flashes before your eyes like someone has just snapped your picture, but unfortunately, this is not a simple .txt file and extracting information from it is going to require jumping through a couple of hoops.

First off, let's verify that your system is set to record dump files.

For now this page will focus on Windows Vista / 7, but I will come back later and update for XP.

If you have Vista or Windows 7:

  • Go to Start > Control Panel > System and Security > System
  • From the right-hand menu options select Advanced System Settings
  • A box will pop up with the Advanced tab selected. Under "Startup and Recovery" select "Settings"
  • Make sure there is a check mark in the box labeled "Write an event to system log" and in the drop-down box below it ensure that it reads "Kernel Memory Dump"
  • Click OK and back out of your control panel.


Now you're ready for your next BSOD. Unfortunately, if your system was not set up to record memory dumps, you'll have to wait until it crashes again to get a dump file, but if it was already set to record memory dumps, then we're still in business.
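If you would rather check those same settings from a prompt (handy when you are looking after more than one machine), the following is an added example, not part of the original post. It reads the CrashControl registry key that the Startup and Recovery dialog writes to and warns when dumps are off or the event-log check box is cleared.

```powershell
# Added example, not from the original post: read the crash-dump settings that the
# Startup and Recovery dialog stores under CrashControl, and flag the two settings the
# post asks you to verify. Reading the key works as a normal user; changing it needs admin.
$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# CrashDumpEnabled values as they appear in the Startup and Recovery drop-down.
$dumpTypes = @{
    0 = '(none)'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (minidump)'
    7 = 'Automatic memory dump'   # Windows 8 and later only
}

function Expand-Path([string]$Path) {
    if ($Path) { [Environment]::ExpandEnvironmentVariables($Path) }
}

function Get-CrashDumpConfig {
    $cc   = Get-ItemProperty -Path $crashKey
    $code = [int]$cc.CrashDumpEnabled
    # Overwrite defaults to on when the value is absent from the key.
    $overwrite = if ($null -eq $cc.Overwrite) { $true } else { [bool]$cc.Overwrite }
    [pscustomobject]@{
        DumpTypeCode = $code
        DumpType     = $dumpTypes[$code]
        LogEvent     = [bool]$cc.LogEvent          # "Write an event to system log" check box
        Overwrite    = $overwrite
        DumpFile     = Expand-Path $cc.DumpFile     # kernel/complete dumps, usually MEMORY.DMP
        MinidumpDir  = Expand-Path $cc.MinidumpDir  # where small dumps land
    }
}

$cfg = Get-CrashDumpConfig
$cfg | Format-List

if ($cfg.DumpTypeCode -eq 0) {
    Write-Warning 'Crash dumps are disabled; the next BSOD will leave nothing to analyze.'
}
if (-not $cfg.LogEvent) {
    Write-Warning 'Bugcheck events will not be written to the System event log.'
}
```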

Windows Debugger (WinDbg)

Your dump files should be located by default (Windows 7) in C:\Windows\Minidump\, but reading the files is another matter entirely. For this you will need something capable of actually parsing the dump file. There are several options, but we are only going to explore WinDbg at this time.

There are two things you will need here: the Windows debugger and its associated symbol files.

Start by downloading the Windows debugger. I prefer the stand-alone SDK, but that's up to you.
When installing, you will get a checklist of items to install. They are all checked by default. This is unnecessary since all you will really need for this is the debugger, so just uncheck everything else.

Once installed, you will need to install the symbol file. You can download the latest symbol file for your operating system, but instead I prefer to simply give the debugger the address of the Microsoft Symbol Server and let it download the most up-to-date symbols.

To install the symbol file:
  • Go to File > Symbol File Path (or just press Ctrl + S)
  • If you downloaded a symbol file, enter the path to the symbol file directory here
  • If you want WinDbg to download it for you, type in http://msdl.microsoft.com/download/symbols

Now you are ready to open your dump file and find out what is going on with your computer!


Let's read those dump files!


To open the dump file you may either choose File > Open Dump File or simply use Ctrl + D.
Navigate to your dump file directory (C:\Windows\Minidump\) and choose the latest dump file (if you chose not to overwrite old dump files).
Once open, WinDbg will chew on it a bit and then spit out something that looks completely useless. As you scroll down you will see a blue hyperlink that reads !analyze -v. Click on this link and it will analyze your dump file and rather frankly tell you why your system crashed.

My last dump file reads:

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
MODULE_NAME: Pool_Corruption

So there we have it. We got STOP 0x0019 BAD_POOL_HEADER because a driver malfunctioned. Granted, this could also have been caused by a hardware issue such as a bad hard drive or a bad sector on the HDD, or bad memory, or (since it's a laptop) the memory could have needed to be re-seated, but in this case it was an old program that I didn't use anymore that was causing the problem. A bit of digital housekeeping, cleaning up the disk and tossing out old unused programs, did the trick.
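If you have a folder full of minidumps to get through, the same !analyze -v can be run without clicking anything. The script below is an added example, not from the original post: it drives cdb.exe (the console debugger that installs alongside WinDbg) over every .dmp file and pulls out the summary lines like the DEFAULT_BUCKET_ID and MODULE_NAME shown above. The cdb path and the C:\Symbols cache folder are assumptions; adjust them to your install.

```powershell
# Added example, not from the original post: run !analyze -v non-interactively with cdb.exe
# and collect the "NAME: value" summary lines for each minidump. Run from an elevated
# prompt so the Minidump folder is readable. Paths below are assumptions for this example.
$cdb     = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\cdb.exe'
$symPath = 'srv*C:\Symbols*https://msdl.microsoft.com/download/symbols'
$dumpDir = "$env:SystemRoot\Minidump"

# The !analyze -v fields that say what crashed and which module is blamed.
$fields = 'BUGCHECK_STR', 'DEFAULT_BUCKET_ID', 'MODULE_NAME',
          'IMAGE_NAME', 'PROCESS_NAME', 'FAILURE_BUCKET_ID'

function Get-BugcheckSummary {
    param([string]$DumpFile)
    # -z opens a dump, -y sets the symbol path, -c runs the commands and q quits.
    $out = & $cdb -y $symPath -z $DumpFile -c '!analyze -v; q' 2>&1
    $summary = [ordered]@{ Dump = Split-Path -Leaf $DumpFile }
    foreach ($line in $out) {
        if ($line -match '^\s*([A-Z_]+):\s+(.+?)\s*$' -and $fields -contains $Matches[1]) {
            $summary[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]$summary
}

Get-ChildItem -Path $dumpDir -Filter *.dmp |
    Sort-Object LastWriteTime -Descending |
    ForEach-Object { Get-BugcheckSummary -DumpFile $_.FullName } |
    Format-List
```

The first run is slow while the symbols download into the cache; later runs reuse them.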

Hope this helps :)





Friday, April 13, 2012

How to react to scare tactic posts and chain letters.

photo courtesy of www.freepixels.com
Today I received an email from a friend of mine that read something like this:
URGENT - PLEASE READ - NOT A JOKE
PASS THIS ON!
IF A PERSON CALLED SIMON ASHTON (SIMON25@HOTMAIL.CO.UK) CONTACTS YOU THROUGH EMAIL DON'T OPEN THE MESSAGE. DELETE IT BECAUSE HE IS A HACKER!!

TELL EVERYONE ON YOUR LIST BECAUSE IF SOMEBODY ON YOUR LIST ADDS HIM THEN YOU WILL GET HIM ON YOUR LIST. HE WILL FIGURE OUT YOUR ID COMPUTER ADDRESS, SO COPY AND PASTE THIS MESSAGE TO EVERYONE EVEN IF YOU DON'T CARE FOR THEM AND FAST BECAUSE IF HE HACKS THEIR EMAIL HE HACKS YOUR MAIL TOO!!!!!.....
Anyone using Internet mail such as Yahoo, Hotmail, AOL and so on.. This information arrived this morning, direct from both Microsoft and Norton. Please send it to everybody you know who has access to the Internet. You may receive an apparently harmless e-mail titled 'Mail Server Report'
If you open either file, a message will appear on your screen saying: 'It is too late now, your life is no longer beautiful.'
Subsequently you will LOSE EVERYTHING IN YOUR PC, and the person who sent it to you will gain access to your name, e-mail and password.
This is a new virus which started to circulate on Saturday afternoon.. AOL has already confirmed the severity, and the antivirus software's are not capable of destroying it.
The virus has been created by a hacker who calls himself 'life owner'..
PLEASE SEND A COPY OF THIS E-MAIL TO ALL YOUR FRIENDS, and ask them to PASS IT ON IMMEDIATELY!


According to Snopes ( http://www.snopes.com/computer/internet/hackermail.asp ) this is just another installment in a long-running hoax, and in fact is made from a simple template (rather like that old game Mad Libs).


Unless the person includes a malicious file along with their email (NEVER open attachments from people you don't know), such as a worm or virus, the person really has no way of accessing your computer via this method unless you have not activated your firewall.  Though if you have not activated your firewall or other intrusion detection software, e-mail hackers are the least of your worries.

The only thing a person can really do via server-side email clients, such as Hotmail, Yahoo or AOL, is tell whether the email has been opened or not. This is done by embedding a simple image file, often a 1x1 pixel blank image stored on a server that logs every access, and then watching those access logs to see who actually loaded the image. This simply tells the hacker which email addresses are active, and they can then sell your email address to spammers and advertisers as "valid".

This is the reason most server-side email clients (and even client-side email clients such as Outlook) block image downloads by default, allowing you to view images only from trusted sources. It isn't to protect your computer, it's to protect your e-mail address from unwanted spam.
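To see what that image blocking is actually protecting you from, here is an added example (not from the original post) that scans the HTML of a message for images that would be fetched from a remote server when the mail is rendered, and flags the 1x1 ones that exist only to report the open. The sample message is constructed for the example.

```powershell
# Added example, not from the original post: list remote images in an HTML email body and
# flag likely tracking pixels. $sampleHtml is a constructed message, not a real one.
$sampleHtml = @"
<html><body>
<p>Hello from your friend!</p>
<img src="https://tracker.example.invalid/open?id=abc123" width="1" height="1" alt="">
<img src="cid:logo@local" width="120" height="40">
<img src="https://example.invalid/photo.jpg" width="400" height="300">
</body></html>
"@

function Get-RemoteImages {
    param([string]$Html)
    # Walk every <img ...> tag and read its src/width/height attributes.
    foreach ($tag in [regex]::Matches($Html, '<img\b[^>]*>', 'IgnoreCase')) {
        $t = $tag.Value
        if ($t -match 'src\s*=\s*["'']([^"'']+)["'']') { $src = $Matches[1] } else { continue }
        # Inline (cid:) and data: images never contact a server, so they cannot report opens.
        if ($src -notmatch '^https?://') { continue }
        $w = if ($t -match 'width\s*=\s*["'']?(\d+)')  { [int]$Matches[1] } else { $null }
        $h = if ($t -match 'height\s*=\s*["'']?(\d+)') { [int]$Matches[1] } else { $null }
        [pscustomobject]@{
            Source       = $src
            Host         = ([uri]$src).Host
            # A remote image of 1x1 or smaller has no visible purpose other than tracking.
            LikelyBeacon = ($null -ne $w -and $null -ne $h -and $w -le 1 -and $h -le 1)
        }
    }
}

Get-RemoteImages -Html $sampleHtml | Format-Table -AutoSize
```

Every host listed is one that learns your address is live the moment the images are allowed to load, which is the behaviour the default blocking prevents.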

Even though this email is a hoax, it does serve a very useful purpose.  It brings attention to the real threats out there and makes the public at large more aware of the real vulnerabilities that may be lurking in their computer system.  

A simple list of good computing practices can virtually eliminate any worries you may have about your online life.



  1. Make sure the firewall built into your operating system is active at all times (never turn it off).
  2. Make sure your operating system is up-to-date.
  3. Invest in a good "active scan" virus protection system such as McAfee, Kaspersky, Norton or AVG and keep it updated.
  4. Invest in a good "active scan" malware program such as Malwarebytes, and keep it updated.
  5. Back up your hard drive at least once a month, or use an active backup service to either an external hard drive or the cloud. If you should ever have to reformat or even replace your hard drive, you won't lose your data.
  6. Clean and defrag your hard drive at least once a month. You can also invest in a free program from IOBit called "Smart Defrag" which will defragment your computer whenever it is idle.
  7. Never EVER open attachments or click on links in email from people you don't know. Even if it is from someone you do know, if it looks suspicious, don't click it!!



These are just a few simple steps to a happier, healthier computer, and in most cases, a worry-free online experience for you.  


Tuesday, August 16, 2011

Should I turn my computer off when I'm not using it?

photo courtesy of www.freepixels.com
Q: Should I turn my computer off when I'm not using it?
A: Yes, but probably not for the first reason to spring to mind.


     Most people these days are more conscious of the energy their household is consuming, for both environmental and economic reasons. But turning your computer off (and indeed unplugging those nasty little "wall warts") has not only energy benefits, but network and security benefits as well.

     In this day and age of "Always On" broadband connections, the concept of "always on" seems to have carried over to the power switch in the mind of most computer users. Most of us think nothing of leaving a room with the computer running, even when we turn the overhead light off and intend to be gone for long periods of time. The problem with this is that the digital underworld has noticed this trend too.

     Who is using your computer when you're not home?

     Have you ever heard the acronym "DDOS"? This stands for Distributed Denial Of Service attack, and it has become the most common form of denial of service attack on the web today.

     We won't go into the long and boring details of exactly what a denial of service attack is; suffice it to say that it is simply a method in which an attacker floods the communications ports of a chosen server with junk traffic, causing the real traffic to get lost in the flood. This means that during a DOS attack, legitimate users are essentially blocked from getting in. Imagine a flash-mob outside the door to your favorite restaurant. They have no intention of actually ordering anything, but their presence clogs the entrance so you can't get in to buy either.

     So what is the difference between a denial of service attack and a distributed denial of service attack?  Well, a simple DOS is usually someone flooding one system from another system, but a distributed attack comes from many computers at the same time.  The client is embedded on numerous systems on the internet and triggered to activate simultaneously. 

     DDOS clients are often embedded into trojans and other malware. Often the unsuspecting computer user will download these without ever knowing it, either by downloading a program that they think is something else, connecting to an infected webpage, clicking on a popup that says "YOUR COMPUTER HAS VIRUSES" (it didn't, but if you click on something like that it will), or by simply failing to turn on your Windows firewall or by turning off your virus detection program (an unprotected open port is a hacker's dream).

     Even if you have done everything right though, firewall on, virus program running, many of these malware programs can infect your computer without you ever knowing it, and many can go undetected by virus scanners. You won't know you're infected until your computer slows to a crawl and you start digging around in your hard drive to find out why. There are literally millions of infected computers on the internet today whose owners have no idea they have malware on their systems, and a likely majority of those systems are infected with a DDOS client just waiting to be activated by the hacker that put them there.

     So now a hacker has distributed his DDOS client to a whole host of computers.  If your computer is infected, and you don't know it, and you leave your computer turned on and on the internet 24/7, you have just provided someone with a method of attack.  As someone said on Twitter recently "There are plenty of kids out there that leave daddy's laptop turned on all the time".

    So why should you turn your computers off when not in use?
  1. Save Electricity
  2. Save Money
  3. Save the planet
  4. Prevent hackers from getting into your computer while you're away
  5. Prevent hackers from USING your computer while you're away
     You also don't necessarily have to "flip the switch" every time you walk away either. Most operating systems have built-in "Power Settings" which will automatically turn your computer off if not used for a specified period of time. For example, I use Windows 7 on one computer and Windows XP on another. Both of these will turn themselves completely off if not used for 1 hour.

In Windows 7, this can be found in the Control Panel under System and Security > Power Options.

     DDOS attacks are only ONE example of the myriad of methods hackers use.  Some hackers attempt to break into your system to garner your personal information, others to send spam and other malicious emails. Ironically enough, the most effective methods of securing your computer consist of just plain common sense.  Good "Cyber-hygiene" as it were.

  1. Invest in a good active virus scanner such as McAfee Virus Scanner
  2. Keep your operating system up-to-date. When your OS asks to update files, let it!
  3. Invest in a good Malware scanner such as SAS Super Anti Spyware, Malwarebytes and/or Microsoft Security Essentials
  4. Turn your computer off when not in use.
  5. Scan your computer at least once a week.
  6. Never store credit card information online or in "auto complete" fields.
  7. Never store important personal documents (such as scans of your drivers license, social security card, etc.) online or on your hard drive. Use a USB flash-drive instead.
      Simple steps to protect yourself, your family, and the internet from those who have other ideas for your stuff.