February 19, 2009

Batch scripting of Windows host file changes

  • Date: November 12th, 2008
  • Author: Rick Vanover

DNS is the manageable way to resolve computer names to IP addresses, yet Windows admins usually use host files because they always work. But when you need to make a change to a bunch of host entries, where do you start?

—————————————————————————————————————-

Relying on the Windows hosts file (C:\windows\system32\drivers\etc\hosts on a default installation) carries a hidden cost: when a local entry needs to change, it has to change on every system that carries a copy of it. Fortunately, there are a few ways to change these entries in bulk.

For example, look at a simple host file entry:

127.0.0.1                    localhost
192.168.1.10                 dhcp-122
192.168.1.14                 server94

Imagine that the DHCP-122 host is frequently used and many systems have a host entry with that IP address. As the system becomes more important, it is moved to another network and given a static IP address. Assuming another resolution mechanism now handles the name, the task is to replace the entry with a hashed-out entry carrying the new address, as shown below:

#192.168.3.133              dhcp-122

Let’s also assume that we don’t want to remove the other entries in the file. This change comments out the entry and records the new IP address in its place. In the event that DNS or another mechanism cannot resolve the name, we can easily uncomment this entry to restore access.

To accomplish this task for a large number of systems, there are a few ways of going about it. One tool that I came across recently is Advanced Find and Replace, where a text file of paths can be loaded for a large find and replace task. The text file would contain entries like this:

\\Server393\c$\windows\system32\drivers\etc\hosts
\\Workstation2\c$\windows\system32\drivers\etc\hosts

Advanced Find and Replace can then go through all of those paths and make the requested change wherever the text string exists in the file. The same task can be accomplished with a stream editing tool such as Sed for Windows.
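The same bulk change can be scripted directly. The PowerShell below is an added example, not code from the original post or from either tool mentioned above: it comments out the active entry for a named host in one hosts file and records the new address in its place, leaving every other line alone, and then runs that over a list of machines through their administrative shares. The machine names, the dhcp-122 and 192.168.3.133 values, and the temporary demonstration file are assumptions taken from the scenario above.

```powershell
# Added example (not from the original post or from either tool it mentions).
# Names, addresses and the demonstration file are assumptions from the scenario in the text.

function Update-HostsEntry {
    param(
        [Parameter(Mandatory)] [string] $Path,        # a hosts file, local or \\machine\c$\...
        [Parameter(Mandatory)] [string] $HostName,    # short name whose entry is being retired
        [Parameter(Mandatory)] [string] $NewAddress   # address to record in the hashed-out entry
    )
    # Match an active (uncommented) line "a.b.c.d   name"; -match is case-insensitive.
    $pattern = '^\s*\d{1,3}(\.\d{1,3}){3}\s+' + [regex]::Escape($HostName) + '\s*$'
    $changed = $false
    $out = foreach ($line in (Get-Content -Path $Path -Encoding Ascii)) {
        if ($line -match $pattern) {
            $changed = $true
            "#$NewAddress`t$HostName"    # comment out and put the new address in place
        } else {
            $line                        # every other entry is left exactly as it was
        }
    }
    if ($changed) {
        Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a copy to flip back to
        Set-Content -Path $Path -Value $out -Encoding Ascii     # exact path: no .txt appended
    }
    return $changed
}

# Offline demonstration on a constructed copy of the sample file from the post.
$demo = Join-Path $env:TEMP 'hosts'
@('127.0.0.1     localhost', '192.168.1.10  dhcp-122', '192.168.1.14  server94') |
    Set-Content -Path $demo -Encoding Ascii
Update-HostsEntry -Path $demo -HostName 'dhcp-122' -NewAddress '192.168.3.133'
Get-Content -Path $demo

# Bulk run over the administrative shares (requires admin rights on each machine).
$machines = 'Server393', 'Workstation2'        # assumed machine names, as in the post
foreach ($m in $machines) {
    $p = "\\$m\c$\windows\system32\drivers\etc\hosts"
    if (-not (Test-Path -Path $p)) { "{0}: hosts file not reachable" -f $m; continue }
    if (Update-HostsEntry -Path $p -HostName 'dhcp-122' -NewAddress '192.168.3.133') {
        "{0}: entry updated" -f $m
    } else {
        "{0}: no active entry for dhcp-122" -f $m
    }
}
```

After the write, run ipconfig /flushdns on the target so the resolver cache picks up the change. Keep in mind that a script which rewrites hosts files over c$ is exactly what malware does to redirect sites, so restrict who can reach those shares, and keep the .bak copies so an unexpected difference is easy to spot.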

Another way to get easy short-name resolution without the nightmarish management of host files is to migrate to the Windows Server 2008 DNS engine and use the GlobalNames zone. Because the hosts file is consulted before DNS, any local entries for those names would still have to be removed before the DNS results take effect.

Whatever tool you use to modify the entry, make sure you do not add a file extension to the hosts file (Notepad’s Save As dialog will append .txt unless you tell it otherwise); a file named hosts.txt is simply ignored by the resolver. In general, you should stay away from host files; certain situations warrant their use, but the manageability issues will soon follow.

Key features in the upcoming Windows Server 2008 R2

  • Date: November 18th, 2008
  • Author: Rick Vanover

Microsoft plans to release an R2 edition of Windows Server 2008 in 2009 or 2010. Here are the key features of the R2 release that you need to know.

—————————————————————————————————————

Windows Server 2008 R2 is currently projected for release in 2009 or 2010, and there are some important features to know about. The most prominent is that with R2, Windows Server 2008 will be available only as an x64 platform. The move to x64 is not really a surprise, since all current server-class hardware is capable of 64-bit computing. There is one last window of time to get a 2008 release of Windows on a 32-bit platform before R2 ships, so do it now for those difficult applications that don’t seem to play well on x64 platforms.

Beyond the processor changes, here are the other important features of the R2 release of Windows Server 2008:

Hyper-V improvements: Hyper-V is planned to offer Live Migration as an improvement on the initial release’s Quick Migration, with migration downtime measured in milliseconds. This will be a solid point in the case for Hyper-V compared to VMware’s ESX or other hypervisor platforms. Hyper-V will also include support for additional processors and for Second Level Address Translation (SLAT).

PowerShell 2.0: PowerShell 2.0 has been available as a beta and as a Community Technology Preview, but it will be fully baked into Windows Server 2008 R2 upon its release. PowerShell 2.0 includes over 240 new cmdlets, as well as a graphical scripting environment. Further, PowerShell will be installable on Windows Server Core.

Core Parking: This feature continuously assesses the processing load across the cores of a multi-core system and, under certain configurations, stops sending new work to some of them. With a core idle, it can be put into a sleep state, reducing the overall power consumption of the system.

All of these new features will be welcome and add great functionality for the Windows Server admin. The removal of x86 support is not entirely a surprise, but the process for addressing any legacy applications needs to be set in motion now.

Take back control of Vista’s default programs and the Open With list

  • Date: November 19th, 2008
  • Author: Greg Shultz

The other evening my wife was working on her Windows Vista laptop and encountered an unexpected result. She double-clicked on a .PNG image file and up popped the QuickTime PictureViewer. It displayed the .PNG image perfectly, but she had been expecting the image to be displayed by Windows Photo Gallery, like it always has in the past. Claiming that she didn’t have any idea how such a thing could happen, she asked me to fix it.

I knew right away what had happened. She had recently installed Apple QuickTime to view a movie that a friend had sent to her and must have clicked Yes when the installation procedure prompted her to alter the default programs. As such, QuickTime had taken over all the default graphic file associations. Fortunately, my assumption that it would be an easy fix was indeed true; however, I decided to take the procedure one step further and remove QuickTime from the Open With list by using a quick Registry edit.

In this edition of the Windows Vista Report, I’ll show you how to clear out Vista’s Open With list.

Using default programs

As I began my investigation, the first place I looked was in the Default Programs tool. To launch it, just type Default in the Start Search box on the Start menu and press [Enter]. When you launch the Default Programs tool, shown in Figure A, you’ll see that there are four links that allow you to configure how Windows Vista works with programs:

  • Your default programs
  • File type associations
  • AutoPlay settings
  • Computer default programs

Figure A

The Default Programs tool provides you with four different ways to configure your default program options.

For this type of investigation, I selected the file type association option — Associate a File Type or Protocol with a Program. I then scrolled through the list of file types until I located .PNG, as shown in Figure B. As you can see, the .PNG file type is associated with QuickTime PictureViewer.

Figure B

You can see that the .PNG file type is associated with QuickTime PictureViewer.

To reset the file type association back to Windows Photo Gallery, I selected the Change Program button. When I did, the Open With dialog box displayed. At this point, all I had to do was choose the Always Use the Selected Program to Open This Kind of File check box and select Windows Photo Gallery from the list, as shown in Figure C. To complete the operation, I just clicked the OK button.

Figure C

Using the Open With dialog box, you can easily reset the default program that you want to open a particular file type.

Testing the result

I then returned to Windows Explorer, double-clicked a .PNG file, and watched Windows Photo Gallery pop up. However, when I right-clicked on a .PNG file and accessed the Open With submenu, I discovered that PictureViewer was still linked to the .PNG file type even though it wasn’t set as the default program, as shown in Figure D.

Figure D

The QuickTime PictureViewer was still linked to the .PNG file type even though it wasn’t set as the default program any longer.

Now, I am not totally against Apple (even though I’m a PC guy), but I was annoyed that the program had taken over the .PNG file type and so I really wanted to remove all traces of it.

Investigating the Registry

Doing a bit of research on Vista’s Registry structure, I discovered that there are five registry keys that have the potential to control the list of programs that display on the Open With submenu:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xxx\OpenWithList
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xxx\OpenWithProgIDs
  • HKEY_CLASSES_ROOT\.xxx\OpenWithList
  • HKEY_CLASSES_ROOT\.xxx\OpenWithProgIDs
  • HKEY_CLASSES_ROOT\SystemFileAssociations\PType\OpenWithList

Here .xxx is the file extension you are concerned with, and PType is the perceived type of that extension: audio, image, system, text, or video.

In my case, I found that the link between the QuickTime PictureViewer and the Open With submenu was located in the HKEY_CLASSES_ROOT\.png\OpenWithProgIDs registry key, as shown in Figure E.

Figure E

The link between the QuickTime PictureViewer and the Open With submenu was located in the HKEY_CLASSES_ROOT\.png\OpenWithProgIDs registry key.

After deleting the QuickTime.png Binary Value from the Registry, the QuickTime PictureViewer disappeared from the Open With submenu. (Keep in mind that whenever you delve into the Registry, you are potentially playing with fire. So make sure that you have a recent backup.)

In most cases, you’ll find the item that you want to remove from the Open With submenu in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xxx\OpenWithList registry key as a String Value.

For example, I later went to that registry key to remove Windows Movie Maker from the Open With submenu. In that case, I had to delete both the moviemk.exe String Value and the MRUList String Value, shown in Figure F. The reason is that while the moviemk.exe String Value represents the actual application link, the MRUList String Value holds the list that orders those entries.

Figure F

In some cases you may have to delete more than one registry value.
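Rather than hunting through the five keys by hand in the Registry Editor, the check can be scripted. The PowerShell below is an added example and not part of the original post: it lists every application registered under those five locations for a given extension, and removes a named one after exporting the key to a .reg file, also trimming the matching letter from MRUList when the entry came from the per-user OpenWithList. The extension, the application names and the -WhatIf dry run in the usage lines are assumptions for illustration.

```powershell
# Added example (not from the original post). Extension, application names and the
# -WhatIf dry run at the bottom are assumptions for illustration.

function Get-OpenWithEntry {
    param(
        [Parameter(Mandatory)] [string] $Extension,   # e.g. '.png'
        [string] $PerceivedType = 'image'             # audio, image, system, text or video
    )
    # HKEY_CLASSES_ROOT is not mapped as a PowerShell drive by default.
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -Scope Global | Out-Null
    }
    $fileExts = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension"
    $keys = @(
        "$fileExts\OpenWithList",
        "$fileExts\OpenWithProgids",
        "HKCR:\$Extension\OpenWithList",
        "HKCR:\$Extension\OpenWithProgids",
        "HKCR:\SystemFileAssociations\$PerceivedType\OpenWithList"
    )
    foreach ($k in $keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $key = Get-Item -Path $k
        # Entries are stored either as values (per-user list: a='moviemk.exe'; ProgId lists:
        # the value NAME is the ProgId) or as subkeys named after the executable.
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq 'MRUList') { continue }     # only orders the lettered values
            $app = if ($k -like '*OpenWithProgids') { $name } else { [string]$key.GetValue($name) }
            [pscustomobject]@{ Key = $k; Name = $name; Kind = 'Value'; Application = $app }
        }
        foreach ($sub in $key.GetSubKeyNames()) {
            [pscustomobject]@{ Key = $k; Name = $sub; Kind = 'Subkey'; Application = $sub }
        }
    }
}

function Remove-OpenWithEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Extension,
        [Parameter(Mandatory)] [string] $Application,   # 'QuickTime.png', 'moviemk.exe', ...
        [string] $PerceivedType = 'image'
    )
    $hits = @(Get-OpenWithEntry -Extension $Extension -PerceivedType $PerceivedType |
              Where-Object { $_.Application -eq $Application })
    foreach ($h in $hits) {
        $target = "$($h.Key) [$($h.Kind)] $($h.Name)"
        if (-not $PSCmdlet.ShouldProcess($target, 'Remove')) { continue }
        # Export the key first; undo later with: reg import <file>
        $backup = Join-Path $env:TEMP ('openwith-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
        & reg.exe export ($h.Key -replace ':\\', '\') $backup /y | Out-Null
        if ($h.Kind -eq 'Subkey') {
            Remove-Item -Path (Join-Path $h.Key $h.Name) -Recurse
        } else {
            Remove-ItemProperty -Path $h.Key -Name $h.Name
            # The per-user OpenWithList orders its lettered values through MRUList ('abc'):
            # drop the letter too, as the post did for moviemk.exe.
            if ($h.Key -like '*\FileExts\*\OpenWithList' -and $h.Name -match '^[a-z]$') {
                $mru = (Get-ItemProperty -Path $h.Key -Name MRUList -ErrorAction SilentlyContinue).MRUList
                if ($mru) { Set-ItemProperty -Path $h.Key -Name MRUList -Value ($mru -replace $h.Name, '') }
            }
        }
        "Removed $target (backup: $backup)"
    }
}

# Inspect what is registered for .png, then dry-run a removal; drop -WhatIf to delete for real.
Get-OpenWithEntry -Extension '.png' | Format-Table -AutoSize
Remove-OpenWithEntry -Extension '.png' -Application 'QuickTime.png' -WhatIf
```

HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so a deletion made through it may land in the machine-wide hive and needs an elevated session; run with -WhatIf first and keep the exported .reg file, which is the backup the post asks for.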

10+ ways to find out someone’s e-mail address

  • Date: November 21st, 2008
  • Author: Susan Harkins

It would be nice if you could just pull out a directory and look up the e-mail address of anyone you wanted to contact. Unfortunately, a bit more resourcefulness is required. Here’s an assortment of strategies to try when you can’t seem to run down an e-mail address you need.


Technology is great… when it works. It seems, though, that the more advanced our technology grows, the more complex the simple tasks become. Finding someone’s e-mail address is a perfect example: there’s no huge yellow book full of e-mail addresses. The system at large is huge, and individual addresses are elusive. Hunting down a current e-mail address is a challenge, but it isn’t impossible.

#1: Look in your own e-mail folders

This tip seems obvious, but if you haven’t corresponded with someone in a long time, you might not remember that his or her e-mail address is sitting in one of your folders. To find an e-mail address in one of your own mail client folders:

  • Use your client’s search feature. You might start with your Inbox and personal folders that have some relationship to that person, such as a project or customer folder. Don’t forget your Deleted, Sent, and Trash folders. (Outlook 2007 makes it easy to perform a comprehensive search.)
  • If a name search doesn’t turn up anything, run a search on the person’s domain, if you know it.
  • Make sure you tell the search feature to check header fields and the full text of all messages.
  • Search for only the first name, the last name, or even a nickname.
  • Search for a subject or keyword that this person (or you) might have used.

#2: Be an anarchist — call them

At the risk of sounding flip, a quick call can solve your problem, as long as the person wants you to have the e-mail address. You don’t even have to talk to the person directly. The receptionist who answers the phone will probably have a list of e-mail addresses for employees. If, on the other hand, you’re trying to find a long-lost lover or friend, that’s probably not going to work (unless, of course, you know where they work… and if you know where they work, chances are they’re not lost).

#3: Check a business card

Most people include an e-mail address on their business cards, so make a quick pass through the ones you have. You don’t have to look for the specific person; pull out a card from anyone at the same company or organization. Just knowing the domain can help you (see #1 and #7).

#4: Search user groups and newsgroups

Just about everyone who’s online takes advantage of a newsgroup or user group. Sometimes, you can find a message, including a person’s e-mail address, using a newsgroup search engine such as groups.google.com. If the person has posted to any Usenet group, Google will return a link to the post, which might lead to a full e-mail address. (Usenet is a worldwide network of Internet discussion groups and forums.)

#5: Use an Internet search engine

Google is now a verb! Simply Google the person and see what turns up. The problem with this approach is that you might get nothing, or you might get dozens of hits, especially if the name is common or shared with a public personality. Use this method early in your search, but check only the first few links; reviewing dozens of links takes too much time. If the other methods fail, you can always return to a search engine.

A general search will generate more hits than a filtered search, such as searching newsgroups (see #4). Google is just one search engine among many, so don’t limit yourself; try others. A meta search engine is often a better choice because it relies on many search technologies, not just one.

#6: Search for an address

An Internet search engine, such as Google, can find more than names. If a name doesn’t turn up anything, search on something else, like the person’s street address or employer. The more unique the search, the more likely you are to find something useful.

#7: Guess!

If you know the person’s domain, you can guess at the name component. This is especially easy if the domain belongs to a business or organization, because most companies and organizations use consistent rules for creating e-mail addresses. Find the right rule and you might get lucky. When there’s no discernible pattern, just keep guessing. There are a number of common patterns:

  • firstname.lastname@domain.com
  • firstname_lastname@domain.com
  • firstnamelastname@domain.com
  • firstinitiallastname@domain.com
  • firstinitial_lastname@domain.com
  • lastname@domain.com
  • firstnamelastnameinitial@domain.com

If you don’t know the domain, use an Internet search engine to search for the company or organization’s name. Doing so might turn up a domain name. If there’s a Web page but no contact information, try the Web site’s domain name. If there’s a contact name, but not the one you’re looking for, check existing e-mail contacts for a consistent pattern. If you find a pattern and you know the contact’s full name, apply the pattern, send a message, and hope for the best. Or simply send a message to the listed contact and ask for the person’s correct e-mail address.
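The last step in #7, inferring the pattern from contacts you already have and applying it to a new name, is easy to get wrong by hand when several patterns look alike. The PowerShell below is an added example, not code from the original article: it encodes the seven patterns listed above, scores each one against a set of known contacts, keeps only a pattern that every known contact agrees with, and then generates the candidate address for the person you are looking for. The contact names and addresses in it are constructed sample data, not real people.

```powershell
# Added example (not from the original article). The contacts below are constructed sample data.

# The seven patterns from the list above, as functions of lower-cased first and last name.
$Patterns = @{
    'firstname.lastname'        = { param($f, $l) "$f.$l" }
    'firstname_lastname'        = { param($f, $l) "${f}_$l" }
    'firstnamelastname'         = { param($f, $l) "$f$l" }
    'firstinitiallastname'      = { param($f, $l) "$($f[0])$l" }
    'firstinitial_lastname'     = { param($f, $l) "$($f[0])_$l" }
    'lastname'                  = { param($f, $l) $l }
    'firstnamelastnameinitial'  = { param($f, $l) "$f$($l[0])" }
}

function Get-CandidateAddress {
    param(
        [Parameter(Mandatory)] [string] $FirstName,
        [Parameter(Mandatory)] [string] $LastName,
        [Parameter(Mandatory)] [string] $Domain
    )
    $f = $FirstName.ToLower(); $l = $LastName.ToLower()
    foreach ($name in $Patterns.Keys) {
        $user = & $Patterns[$name] $f $l
        [pscustomobject]@{ Pattern = $name; Address = "$user@$Domain" }
    }
}

function Find-AddressPattern {
    # $Known: objects with FirstName, LastName and Email for contacts you already have
    param([Parameter(Mandatory)] [object[]] $Known)
    $votes = @{}
    foreach ($k in $Known) {
        $domain = ($k.Email -split '@')[1]
        Get-CandidateAddress -FirstName $k.FirstName -LastName $k.LastName -Domain $domain |
            Where-Object { $_.Address -eq $k.Email.ToLower() } |
            ForEach-Object { $votes[$_.Pattern] = 1 + [int]$votes[$_.Pattern] }
    }
    # A pattern counts as consistent only if every known contact follows it.
    foreach ($p in $votes.Keys) { if ($votes[$p] -eq $Known.Count) { $p } }
}

# Constructed sample contacts at the target's organisation (not real people).
$known = @(
    [pscustomobject]@{ FirstName = 'Ann';  LastName = 'Berg';   Email = 'a_berg@example.com' }
    [pscustomobject]@{ FirstName = 'Luis'; LastName = 'Ortega'; Email = 'l_ortega@example.com' }
)
$consistent = @(Find-AddressPattern -Known $known)
if ($consistent.Count -eq 1) {
    # One rule fits all known contacts: apply it to the person you are looking for.
    Get-CandidateAddress -FirstName 'Maria' -LastName 'Kowalski' -Domain 'example.com' |
        Where-Object { $_.Pattern -eq $consistent[0] }
} else {
    # No discernible pattern (or several): fall back to trying the whole candidate list.
    Get-CandidateAddress -FirstName 'Maria' -LastName 'Kowalski' -Domain 'example.com'
}
```

For the sample contacts the only consistent pattern is firstinitial_lastname, so the script proposes m_kowalski@example.com. The same inference is what phishers and penetration testers use to enumerate staff addresses from a handful of published ones, which is worth remembering when deciding how much of an address book to put on a public Web site.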

#8: Find a new e-mail address

E-mail addresses change all the time. A person can go through several in just a few years. A few online services can help if the e-mail address you have no longer works:

But don’t get the wrong idea about these services. There’s no huge network running spiders to glean addresses. People must register their old and new addresses with these services. When it works, it works great. But mostly, this type of service is a long shot.

#9: Try an online directory

It would be nice if the Internet had a phone book or even a 411 service. Unfortunately, e-mail addresses are, by nature, elusive at best. There are a number of online directory services to try:

These directories aren’t generally very reliable. A quick search on them returned only one business-related e-mail address for me. Many online directories charge for their services, so be careful.

#10: Search online networking sites

A number of people enjoy social networks, both for business and pleasure. Most will make you register to search their membership, but generally, registering is free. If the person you’re looking for belongs to one of these networks, you can contact them via the service’s online contact feature:

#11: Take a long shot

When all else fails, try soc.net-people. This newsgroup allows you to ask for help locating someone you believe has an e-mail address. To use this service, post a message asking for help. Describe the person to the best of your ability, including as much relevant information for positively identifying them as possible. Be sure to include your e-mail address so members with information can contact you. It’s a long shot, for sure, but it can’t hurt to try.

10 answers to your questions about botnets

  • Date: November 21st, 2008
  • Author: Michael Kassner

Michael Kassner recently asked TechRepublic members to submit questions about botnets, promising to forward them to the experts at Arbor Networks. Dr. Jose Nazario volunteered to provide the following informative answers.


#1: Could you define what a bot or zombie is and how they become part of a botnet?

A botnet is a collection of machines that have been compromised by software installed by the attacker so that they now respond to commands sent by the attacker. This malcode can be installed by exploits on the base OS (e.g., as in the Sasser worm), through browser exploits, or through Trojan horse activities such as fake games or pornography codecs.

#2: What are botnets used for — are they profitable?

Botnets are used by the attackers for a wide variety of tactics: spamming, hosting phishing sites, harvesting information from the infected PCs for use or resale (such as credit card or banking information), denial of service for pay or extortion, adware installations, etc. The botnet is a platform for the criminal underground, providing unfettered access to the compromised PC and its resources — disk, bandwidth, IP reputation, personal information, etc. — for the attacker. It’s a way to load arbitrary software onto the machine, as well as to pull arbitrary information off of the machine.

We see botnets used all over the world: the United States, Europe, Russia and the Ukraine, China, Korea, Japan, South America — all over. The main motivations in the past few years have become monetary, as opposed to curiosity or joy riding.

#3: If I understand correctly, there are different command and control philosophies used by botnets. Could you explain how they work and their effectiveness?

The two main types of command and control structures used by botnets are a centralized mechanism and a decentralized, peer-to-peer mechanism. There is also a third, hybrid approach. Command and control refers to the server(s) that the infected hosts, the bots, contact to receive new commands from the attacker.

IRC botnets are the classic centralized structure, with one or more single IRC servers acting as the main hub. This is still the most popular way to run a botnet, using IRC, HTTP, or other protocols with a single hub. The Storm worm used a hybrid approach, where it would pass messages to other bots using P2P, but it would use a central set of servers for files and updates. Finally, the Nugache botnet is the biggest and most well known true P2P botnet.

Obviously, if you can take one server out and disrupt a botnet, that is the most desirable way to approach it. If we take out the hubs of the botnet, the bots are still infected but not acting on commands. P2P botnets are far harder to disrupt and shut down.

#4: Are all operating systems equally vulnerable to rootkits? Is there any advantage to using one operating system versus another?

Almost all commonly available operating systems — Linux, BSD, Mac OS X, Windows — are vulnerable to rootkits, either kernel-mode or user-land rootkits. These can be used to hide processes or files from the user. In the end, given that all systems have flaws and can be attacked, the only advantage one OS has over another is the research time devoted to it by an attacker.

#5: My computer’s CPU usage is more than 50%, and outgoing network activity is far from normal, so I suspect my computer may be part of a botnet. How can I confirm this?

AV scans can be of some help, through a number of means, assuming it’s up to date. First, if you can scan with multiple scanners, this can make a significant difference in the detection rates. This can be easily done with free online AV scanners, as every major AV vendor has them.

Second, scan with something like a rootkit detector to see if a rootkit has been installed; this is usually not a major source of traffic and CPU usage, but would indicate malware infections that may be hidden from AV or manual inspection.

Third, look at your external IP using a check my IP service and then query a tool to see if the IP address is blacklisted for spamming. This is another sign that your system is infected and is a spam bot. The tools at Robtex can be very helpful at this.

Finally, a tool like Trend Micro’s RUBotted can help spot some signs of botnet participation. All of these tools can be used freely. But always be wary of software that claims to be free until it charges you a sum to clean up your system; that’s usually a scam product.
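The blacklist lookup in answer #5 is a plain DNS query, which makes it easy to script. The PowerShell below is an added example, not code from Dr. Nazario, Arbor Networks or Robtex: it builds the reversed-octet query name for a DNS-based blacklist, resolves it, and interprets an answer in 127.0.0.0/8 as a listing. The zone zen.spamhaus.org, the 127.255.255.x error-code handling and the constructed resolver used in the offline demonstration are assumptions for illustration; the two 192.168.x inputs are samples, and a real check must use the machine’s external address, as the answer says.

```powershell
# Added example (not from the original Q&A, Arbor Networks or Robtex). The zone, the error-code
# handling and the constructed resolver are assumptions; the 192.168.x inputs are samples.

function ConvertTo-DnsblQueryName {
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [string] $Zone = 'zen.spamhaus.org'
    )
    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Only IPv4 addresses are handled here: $IPAddress"
    }
    $octets = $ip.GetAddressBytes()
    [array]::Reverse($octets)                      # 192.168.1.10 -> 10.1.168.192
    return (($octets -join '.') + '.' + $Zone)
}

function Test-DnsblListing {
    param(
        [Parameter(Mandatory)] [string] $IPAddress,
        [string] $Zone = 'zen.spamhaus.org',
        # Resolver: takes a name, returns address strings, throws when the name does not exist.
        [scriptblock] $Resolver = {
            param($name)
            [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        }
    )
    $query = ConvertTo-DnsblQueryName -IPAddress $IPAddress -Zone $Zone
    try {
        $answers = @(& $Resolver $query)
    } catch {
        # NXDOMAIN (the usual outcome): the address is not listed in this zone.
        return [pscustomobject]@{ IPAddress = $IPAddress; Zone = $Zone; Listed = $false; Codes = @(); Error = $null }
    }
    # A listing is signalled by an answer in 127.0.0.0/8. Spamhaus uses 127.255.255.x for query
    # errors (for example lookups sent through an open public resolver), so report those
    # separately; anything outside 127/8 (a captive portal's wildcard, say) is not a listing.
    $errCodes = @($answers | Where-Object { $_ -like '127.255.255.*' })
    $codes    = @($answers | Where-Object { $_ -like '127.*' -and $_ -notlike '127.255.255.*' })
    $err = if ($errCodes.Count -gt 0) { "zone returned error code $($errCodes -join ',')" } else { $null }
    [pscustomobject]@{
        IPAddress = $IPAddress
        Zone      = $Zone
        Listed    = ($codes.Count -gt 0)
        Codes     = $codes
        Error     = $err
    }
}

# Offline demonstration with a constructed resolver standing in for real DNS.
$fakeDns = {
    param($name)
    switch ($name) {
        '10.1.168.192.zen.spamhaus.org' { '127.0.0.4' }      # pretend this address is listed
        default { throw "NXDOMAIN: $name" }                  # everything else: not listed
    }
}
Test-DnsblListing -IPAddress '192.168.1.10' -Resolver $fakeDns
Test-DnsblListing -IPAddress '192.168.1.14' -Resolver $fakeDns
# Live use: pass the external address a "what is my IP" service shows you, never a private one,
# e.g. Test-DnsblListing -IPAddress '203.0.113.7'   (documentation range, placeholder only)
```

Private 192.168.x addresses can never appear on a public blacklist, which is why the answer says to look up the external IP first. A listing on a shared NAT address also says only that something behind that address is sending spam, so treat it as a prompt for the scans above rather than as proof that this particular machine is the bot.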

#6: I’ve heard that rootkit scanners aren’t effective. Is that true? If scanners are effective only for certain types of rootkits, how do I know which ones to use? Which scanners would you recommend?

They’re somewhat effective, but they’re being defeated by newer rootkits. GMer is one of the better rootkit scanners. It is kept up to date with new techniques and appears to address almost all common rootkits.

#7: I thought my computer was protected by a firewall and antivirus program, yet the computer became infected with Rustock.B and ultimately a member of some botnet. I was told my only option was to completely rebuild the computer. I did, but what if anything can I do to prevent my computer from getting rooted again?

Keep up to date with AV software, keep updated on patches, don’t run as Administrator (or with equivalent permissions), and run a personal firewall. If possible, if you’re running Windows, run Vista, which does much of this for you. If not, use XP SP2. Make sure that your AV is enabled for e-mail and Web browsing.

#8: I’m a systems administrator for a typical company network. I assume that there’s more risk, just from the sheer number of computers. Is there any information I can pass on to the users (especially mobile workers) that will minimize the risk?

Mobile workers are probably the most susceptible, as they enter hostile networks (e.g., the broadband networks they may use at home). They should be told to not ignore software updates, keep their AV updated, and not to cancel such updates or to disable such software. The benefits of these simple hygienic approaches can’t be understated.

#9: Could you suggest any good sources of information related to rootkits and botnets (Web sites, forums, RSS feeds) that would allow me to stay current?

I maintain a website, InfosecDaily that covers some of the better blogs and news sites. It’s freely available. I also recommend a handful of major sites:

I use an RSS reader to fetch and maintain my news; RSS is vital to simplifying your daily news digestion in this business!

#10: From all that I’ve read, it appears as though there’s very little I can do to prevent my computer from becoming a member of some botnet. Is that really the case?

I don’t think so; I feel this is a winnable battle. The best things you can do are to keep your software updated; the base OS, your browser (most important), and any add-ons. Most bots and malcode get in by using well known vulnerabilities.

The next best thing to do is to keep your AV software updated; most people don’t update their AV software — hourly or even daily, in some cases — and have no real benefit from it as a result. Finally, a good anti-spam filter can do wonders to prevent threats via e-mail.

Final thoughts

I’d like to thank Dr. Nazario of Arbor Networks for answering these questions and Jessica Sutera, also of Arbor Networks, for helping to make the question and answer session possible. I found the links to be especially illuminating. Oh, almost forgot GMer, which already has a special spot in my rootkit scanner toolbox.
