Access more memory, even on a 32-bit system

Did you miss the best stories of 2008?

By Brian Livingston

I’m proud of all the writers for Windows Secrets, but I’m especially proud when subscribers give our writers top ratings for articles they’ve written.

I’d like to say that all of our articles are above average, but the truth is that some stories really stand out with especially high ratings from our readers.

At the end of the major articles in our e-mail newsletter, we include polling buttons so our subscribers can vote on a scale of 1 to 5 to tell us how useful they found each article. Believe me, our writers pay close attention to this brutal but important feedback. (Note: the polling buttons don’t appear in the Web version of our articles.)

The three highest-rated articles of 2008 are:

• Fred’s retirement announcement. Our editor-at-large, Fred Langa, decided to retire from computer writing in May 2008. In a huge sympathy vote, his fond farewell garnered the highest rating of any article we’ve ever published (4.59 out of a possible 5.0). Fortunately for his fans, however, retirement didn’t suit Fred. He came back with a bang on Oct. 9 with an all-new weekly column in our paid content.
• Flash can be a privacy threat. Contributing editor Woody Leonhard scores right below Fred on Oct. 23 with an exposé of the way “Flash cookies” can be a bigger privacy concern than ordinary Web cookies.
• Breaking news on Internet Explorer. A news update we published on Oct. 24 featured advice from contributing editor Susan Bradley on an emergency IE patch that was released that week by Microsoft. Our readers clicked the links to Microsoft.com in Susan’s column more than 190,000 times to obtain information on various versions of the patch.

All of the 10 top-rated stories from 2008 are shown below. If you missed any, I hope you’ll take a minute to review the ones that might be the most helpful to you.

The 10 highest-rated Windows Secrets stories of 2008:

• = paid content

Six of the 10 articles appeared in our paid content rather than our free sections. If you’re a free subscriber, there’s no fixed fee to get access to our premium content. Any financial contribution — whatever it’s worth to you — qualifies you to receive a full 12 months of our paid version and access to all past paid content. How to get the paid content

To see other highly rated articles we’ve published in this and previous years, visit our polls page.

Send your friends a holiday gift of secrets

I announced in a special news update on Dec. 17 that I’d temporarily lost my mind and was letting subscribers give their friends a full three months of the paid version of Windows Secrets, absolutely free.

If you missed that e-mail, you can still take advantage of this opportunity. Our holiday giveaway works this way:

• Step 1. Send the following URL in the text of an e-mail message to everyone you’d like to give, as a free gift, the paid version of the newsletter:

  http://WindowsSecrets.com/holidaygift

  You can include any text you like that will explain to your friends that they can get the paid version of this newsletter absolutely free as a gift. Please don’t spam a bunch of strangers — just send your message to your friends, people who regularly receive e-mail from you.

• Step 2. The holiday gift is only for people who’ve never had a subscription before.
• Step 3. People who visit the link and enter a valid e-mail address by Dec. 31, 2008, will receive a confirmation message. They must click a link in that message to verify their address and begin their subscription.

What’s in this holiday giveaway for you? Just the satisfaction of knowing you gave something of value to people you care about. That’s the true spirit of the holiday season.

This freebie is a one-time thing in response to today’s global economic slowdown and may never be repeated. Please alert your friends to take advantage of it today.

No newsletters Dec. 25 or Jan. 1; see you Jan. 8

Our next regularly scheduled newsletter will be published on Jan. 8, 2009. We skip publication during the last two weeks of December, so there won’t be any new content on Dec. 25 or Jan. 1. If something important occurs, we’ll send you a short news update despite our year-end break.

Please have a happy and safe holiday season!

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.

Access more memory, even on a 32-bit system

By Scott Dunn No matter how much memory you have in your PC, you may not be getting the most out of your installed RAM. A few little-known system tweaks can improve the way Windows manages memory, freeing up more RAM for your applications.

As described in an entry on the Microsoft Developer Network, all non-server 32-bit versions of Windows XP and Vista impose a memory limit of 4GB. Your system may allow you to install more than this amount of RAM, but with few exceptions, the extra memory won’t do Windows or your applications any good.

Moreover, even if you have 4GB of memory installed in your PC, you may not be able to use it all. For example, if your video card comes with 1GB of memory and you have 4GB of RAM, your system actually has 5GB of memory physically installed. But Windows will use only 4GB of that total, regardless.

It gets worse: according to a comment posted to the MSDN article, Windows itself is getting only 3GB because the video card gets 1GB. This happens because the memory aperture — a portion of system memory — is used to work with the video system.

Ways to break through Windows’ RAM ceiling

Fortunately, there are techniques you can use to get around Windows’ system-memory limitations. One method is to use Physical Address Extension (PAE), a feature of x86 processors that lets 32-bit operating systems overcome the 4GB memory limit.

Another MSDN article explains that 32-bit Windows operating systems support PAE. Even though XP and Vista still cling to the 4GB limit with PAE enabled, the feature may help you get back some of your unused RAM.

In one or two rare cases, a developer may take advantage of PAE technology to get around the usual Windows limits. For example, reader Alan Gorski reports that when he increased a computer to 8GB, the program AutoCAD was able to open large drawing files without generating the “out of memory” errors he previously had seen. As Gorski notes, “AutoCAD has long used special memory management techniques since the DOS days to maximize use of available RAM.”

There’s a good chance your system is already using PAE. That’s because Windows relies on the technology to support the security feature known as Data Execution Prevention (DEP). For more information about Windows and DEP, see my Top Story in the May 3, 2007, issue.

If a computer supports hardware-enforced DEP, then PAE is enabled as well. Here’s how to check for it in Windows XP:

• Step 1. Choose Start, Run.
• Step 2. Type sysdm.cpl and press Enter.
• Step 3. Click the Advanced tab. In the Performance box, click Settings and choose the Data Execution Prevention tab.
• Step 4. Look for a status message at the bottom of the dialog box. If it indicates that your hardware does not support DEP, chances are PAE is not enabled.

To check your system’s PAE status in Vista, do the following:

• Step 1. Press Win+R to open the Run dialog box.
• Step 2. Type SystemPropertiesDataExecutionPrevention and press Enter.
• Step 3. If prompted by User Account Control, click Continue.
• Step 4. If the status message at the bottom of the dialog box says your system supports DEP and the “Turn on” button is selected, then PAE is enabled as well.

If PAE is not already enabled on your system, here’s how to activate it in Windows XP:

• Step 1. Choose Start, Run.
• Step 2. Type notepad c:boot.ini and press Enter.
• Step 3. Under the [operating systems] heading, look for a line that contains the /noexecute switch, which turns software DEP. For example, it may be /noexecute=optin, /noexecute=optout, or /noexecute=always on. Place the cursor directly after that switch and type a space followed by /pae. Save the file and reboot.

If you don’t have DEP enabled on Vista (or you don’t want it enabled), you can still activate PAE by following these steps:

• Step 1. Click Start, type cmd.exe and press Ctrl+Shift+Enter.
• Step 2. If prompted by User Account Control, click Continue. This opens a command prompt window with administrator privileges.
• Step 3. At the prompt, type BCDEdit /set PAE ForceEnable and press Enter.

You can read more about PAE in this post on Microsoft’s TechNet site.

Microsoft warns in another TechNet article that some drivers will not load if PAE is enabled. After you make this change, keep an eye on your system. If you have problems with drivers or your system starts acting up, remove the /pae switch from boot.ini in XP, or enter the following command line in an administrator command prompt in Vista:

BCDEdit /set PAE ForceDisable

For more information on the switches and settings related to PAE, consult this MSDN paper, “Boot Parameters to Configure DEP and PAE.”

Scott Dunn is a contributing editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.

Microsoft's out-of-cycle patch plugs hole in IE

By Susan Bradley

Please stop your holiday preparations long enough to apply this week’s important security update for Internet Explorer.

While most of the sites that currently host the so-called XML exploit are located in Asia, this attack on IE is likely to spread quickly to other sites, so make sure to update your PCs with this patch before using Microsoft’s browser for anything else.

Microsoft security bulletin MS08-078 (Knowledge Base article 960714) was released on Dec. 18 to correct a serious hole that affects every flavor of IE from version 5 to the beta of version 8. Install this patch immediately, if not sooner. The easiest way to install it is to click Start, Microsoft Update (or Start, Windows Update) and download the patch from there.

Unlike many other Internet Explorer patches, this one is not a cumulative update. It’s only patching the issue discussed in Windows Secrets contributing editor Mark Edwards’ Dec. 17 special alert.

As a Dec. 17 post on the Microsoft Security Response Center blug discusses, patches are now available for more than 300 versions of Internet Explorer in 50 different languanges. So far, although most of the Web sites that are known to be infected have been found in Asia, the Microsoft Malware Protection Center Threat Research and Response blog indicates that the exploit has been discovered at porn sites as well.

I haven’t encountered any problems while testing this patch, but as with any Internet Explorer update, be prepared for conflicts with third-party firewall and security software. The vendors of those programs may need to update their applications to work with the IE patch.

Give this fix the highest priority — even if you use Firefox — because core components of Windows itself may be vulnerable to this exploit even if you’re not using IE as your default browser.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

More on troubleshooting Windows network glitches

By Dennis O’Reilly The connectivity woes Scott Spanbauer reported in his Dec. 11 Top Story represent only a portion of the network problems Windows users are encountering. Finding the source of a failed or intermittent Internet link can be a mystery worthy of a fictional sleuth.

Whether for work, play, or otherwise, our day-to-day lives rely more and more on our connection to the Internet. Unfortunately, as network links become more important, network failures become more difficult to diagnose.

Scott’s story described a change Microsoft made to Vista’s DHCP settings that caused problems with some routers, among other Windows network glitches. Several readers contacted us to share their tales of Windows-connectivity disaster. Richard Chase also reminds us of some other useful network-troubleshooting tips:

• “More than a few times I’ve seen broken antivirus programs causing the Internet to simply not work at all. Sometimes your antivirus may appear to be working correctly, but if you’ve tried everything and it still doesn’t work, remove it. I have seen McAfee, Norton, and AVG products do this on occasion and I’ve seen Telus’s antivirus program do it almost all the time.

  “A simple uninstall .. and … reinstall usually solves the problem. If, after the reinstall, your Internet [link] is broken again, seek out the antivirus company’s full removal tool. Your Internet-connection woes could be caused by corrupt configuration settings that are left behind after a standard install.

  “You guys failed to mention that it could also be as simple as a bad Ethernet cable or network card. Power surges, dust, and a million other things can fry a network card. Cables get bent, chewed, and stepped on all the time. A network cable tester costs no more than $20 … and a network card is [priced] the same. For convenience, USB-to-LAN adapters also exist for those who want to try solutions outside the computer before going internal.”

Secunia’s software scanner IDs some patched apps

Several Windows Secrets columnists have recommended Secunia’s free Online Software Inspector and downloadable Personal Software Inspector for ensuring that your applications receive all the security and other fixes they need. In fact, Ryan Russell describes the service in this week’s Perimeter Scan (paid column). Also, Susan Bradley pointed to the company’s software-update services in the Dec. 11 Known Issues 2 column.

However, in recent weeks we’ve been hearing from readers whose experience with Secunia’s update service is less than perfect. Here’s what Mel Slane wrote in to tell us:

• “Regarding using Secunia PSI to check whether your computer is patched and secure, be aware that they aren’t perfect either. I just concluded a two-day nightmare, thinking that my Microsoft Office 2003 — specifically Word 2003 — wasn’t secure (not updated).

  “Secunia PSI said that [Word] wasn’t being patched because it was located in the wrong folder (in C:Program FilesMicrosoftOfficeOFFICE11). Got a lengthy explanation from Microsoft on how I could fix my ‘problem,’ with the fourth possible step being to uninstall Office 2003 and reinstall it. Fortunately, I resisted taking that step because I knew how much of a hassle it would be, including backing up Outlook 2003 with my e-mails and addresses.

  “Then I followed one of Microsoft’s recommendations, which was to check the Secunia user forum. When I did, I discovered that many, many other people had the same problem, and it wasn’t with Microsoft but Secunia. Secunia wasn’t responding to the problem (they apparently don’t pay much attention to the user forum), even though the PSI program was apparently giving us all a false positive.

  “Fortunately, [the company] finally did respond and updated their definitions, or whatever the proper word is. When I did a rescan of my software using PSI, I was suddenly not ‘insecure’ anymore. The moral to the story is not to trust the software people who check the software too much, because Microsoft is not the only [company that] has problems.”

Plenty of free network-usage meters available

In his Dec. 4 LangaList Plus column (paid content), Fred Langa fielded a question from a reader who was looking for a way to track the amount of bandwidth his network connection used to avoid extra charges from his ISP. Several readers told us about their favorite network-usage meters; one of them is Rory Gordon:

• “…You mentioned various usage monitors in response to Peter Sutherland’s enquiry. Like Peter, I am in Australia, and I find usage monitors essential.

  “There are a number of tools that are ISP-specific. For example, I am with iiNet and use iiUsage, which grabs the usage data from the ISP on user-configurable intervals and presents the data simply and quickly. It works only for iiNet, however.

  “If Peter is using Firefox, then there is an add-on called Net Usage [download page] which functions across a variety of ISPs, both Australian and [in] other countries. Again, this [program] grabs the data from the ISP. Both of these tools have (un)official support through Whirlpool forums.

  “Finally, a utility that isn’t ISP-specific — NetMeter [download page] — is purely a bandwidth monitor that graphically shows your PC’s traffic. It also keeps a log of your daily usage and can maintain the history for years.

  “All three of these tools are free. Need I say that I recommend all of them?”

Reader Ken Heppel recommends yet another free network-use monitor:

• “I’ve been using a free utility name BitMeter2 [download page]. It does just what is needed here by tracking bandwidth usage and keeping a history of it. You can look at the results by month, day, or hour in graph or table format.”

The Known Issues column brings you readers’ comments on our recent articles. Dennis O’Reilly is technical editor of WindowsSecrets.com.

Even Santa can go a little holiday crazy

By Katy Abby The pressures of the holiday season are enough to drive anyone nuts. Just think what it can do to a man who already spends his days amongst tiny toymakers and flying reindeer. It’s not such a stretch to imagine that Santa might snap — and take some of the denizens of the North Pole with him! Take a look at this classic Christmas lampoon by legendary satirist Weird Al Yankovic. Happy holidays, everyone! Play the video

Slipstreaming simplifies Windows reinstalls

By Fred Langa It’s not difficult to update your Windows Setup CDs to make your next OS reinstallation a breeze. Creating a custom setup CD that’s fully prepatched with Windows updates and service packs is easier than you may think.

Refresh your Windows setup with a single click

Reader Bill Beadenkopf makes a good point in his response to the item in my Dec. 4 column on using the XP Setup CD to reformat your hard drive:

• “If you have patched and updated your OS, and those patches are not included on your Setup CD, then you will have to reapply all of those patches. Reinstalling the operating system from the original CD will restore the PC to its original, unpatched condition. It may be possible to obtain an updated CD from the manufacturer. For a small fee, Microsoft will supply service packs on CD.”

You’re right, Bill. But there’s a way around the out-of-date Setup CD. Good thing, too, especially with an older OS such as XP. If you do a reinstall with the original XP Setup CD, you then must reinstall not only the original OS but also as many as three separate service packs, along with a lengthy list of “optional” patches and updates. This can easily add hours to the already-lengthy setup process. What a pain!

You can avoid this reinstallation hassle by using a process called “slipstreaming.” And to top it off, doing so is free.

In slipstreaming, you create a new custom setup CD that combines the files on your original retail Setup CD with the files comprising the most recent service pack. This hybrid CD is 100% legitimate and will work exactly as your original one did, even to the point of using your original 25-character product key.

Unlike the Setup CD that shipped with your system, the slipstreamed disc will be up-to-date, prepatched, and current to the latest service pack. When you use a slipstreamed CD to set up a PC, the new installation will be up-to-date — or very nearly so — from the moment the refreshed copy of Windows first boots.

Creating a slipstreamed setup CD used to be a deep-geek exercise done only by OEMs and IT departments. The tools and techniques have improved in recent years, however, and many sites now offer complete point-and-click instructions that make slipstreaming relatively simple.

There still can be many steps to the process, but no single step is very difficult; almost anyone with intermediate PC experience can slipstream a setup CD with minimum difficulty. (As with so many things, the first time is the hardest.)

Paul Thurrott’s Windows Supersite has great info on many tech topics, including slipstreaming for XP. Paul’s XP SP3 slipstream instructions appear on this page, which also has links to instructions for slipstreaming earlier versions of XP, if you need them.

Microsoft was supposed to simplify the slipstreaming process for Vista, but that didn’t work out quite as the company had planned. Right now, the officially sanctioned Vista slipstream method involves using Microsoft’s Automated Installation Kit (AIK) for Windows Vista SP1 and Windows Server 2008 (download page). The program is free but is a huge 1.4GB in size. Also, it’s not particularly easy to use because it was designed for mass deployments of Windows on a huge, corporate scale.

Fortunately, a clever programmer named Dino Nuhagic has produced a kind of front end for AIK called vLite (more info), which stands for “Vista Lite.” Dino’s original idea was to let you preconfigure a personal Vista setup by preventing unneeded components and services from being installed in the first place, giving you a stripped-down “lite” (or at least “lite-r”) version of Vista than the standard model. The tool also lets you place patches and updates on the new setup CD. In effect, this creates a slipstreamed version.

If the vLite option interests you, there’s a handy step-by-step overview on an Obelisk blog post that describes how to use the program to slipstream Vista. Read the cautions on that blog before you start; the instructions it provides won’t work for every possible Vista setup variant, but they’ll work in most normal cases.

BTW, in case you’re wondering why it’s called “slipstreaming,” it’s because vendors once used this technique as a way of stealthily delivering unannounced patches and updates. They’d quietly change the master files at their CD duplicating plant and, without fanfare or other announcement, would simply begin producing a slightly different version of their product. This let the vendor correct problems without attracting publicity.

So why call it “slipstreaming?” In your mind’s eye, picture dropping new code into the imaginary wake of a rapidly “moving” software product — into its slipstream, as it were.

Building your own updated setup CD isn’t really slipstreaming in that sense of the word. Still, everyone refers to the process as “slipstreaming,” and now you know why.

Keep tabs on how much use a computer is getting

Reader Rick Ferch maintains two PCs used by about a dozen people in his workplace, a small private library, and wonders whether there’s a way to log the machines’ use:

• “I would like to know how I can determine how much each computer is being used. Does Windows maintain a log of users who log on to the computer?”

There’s no automatic log in Windows, but we wouldn’t let that stop us, would we now? Of course not!

One approach requires a little geek aptitude. I’ll give you the gist, and you can see whether it’s something you want to tackle. If not, I’ll tell you about some relatively inexpensive commercial software that may do the trick for you.

You didn’t mention what OS you’re running, but let’s assume it’s the most common one among Windows Secrets readers, Windows XP Pro. In this version, you can use the Group Policy Editor, gpedit.msc, to run a small script automatically at each user’s logon and logoff. This will create a timestamp in a file you specify. That’s all it takes to start your usage logging.

For more detailed information, including examples of scripts you can use, check out these Microsoft resources:

• Knowledge Base article 556015, “How to track users logon/logoff”
• TechNet article, “Startup, shutdown, logon, and logoff scripts”
• KB article 198642, “Overview of Logon, Logoff, Startup, and Shutdown Scripts in Windows 2000” (slightly outdated but still generally relevant).

If these articles are too arcane — and I wouldn’t blame you at all if you said they were — some commercial software may do the trick for you. For example, the $20 PC Time Limit program (more info) lets you designate the periods when each user account is available and records when each account is actually used. The $13 PC-Time Manager utility (more info) works similarly.

Note that these commercial products are “nannyware”; however well-intentioned, they’re a form of spyware. You might be OK using them in a private library, but installing any form of monitoring software on a computer opens up a huge can of worms with regard to user privacy. Be careful.

Why won’t these .csv files open in IE?

Robert Harmon is stymied by an odd problem he’s encountered in Internet Explorer:

• “When I download a .csv (comma separated values) file from a Web address, Internet Explorer 6 opens it in a viewer which does not have the full capabilities of MS Excel 2003. But if the file ending is .xls, it opens correctly in Excel.

  “The workaround is to save the .csv file to disk, and then access it through [Windows] Explorer so it will open in Excel as required. All relevant file associations are set to use MS Excel, but IE just ignores them.”

I hadn’t heard of this exact problem, Robert, but in researching it, I found a number of references to this issue, which is specific to IE 6. The simple solution would be to upgrade to IE 7 (download page), despite its recently discovered, gaping security hole. (See Mark Edwards’ Dec. 17 special alert for more on this matter.)

Mozilla’s Firefox browser (download page) is a safer alternative right now.

If upgrading IE or switching browsers isn’t an option, tell IE 6 to open files based on their content rather than their file extension. I don’t have a copy of IE 6 running, so bear with me if this clickstream isn’t exactly correct, but here’s the gist:

Click Tools, Internet Options, Security, Custom level. Scroll in the Settings window to the Miscellaneous section and click Enable under Open files based on content, not file extension.

Figure 1. Enable this option in Internet Explorer’s Security Settings dialog to ensure that .csv files open in Excel.

Restart the browser and see whether your .csv files open in Excel as expected. In theory, they should!

How to delete ‘undeletable’ Registry entries

Roy Whitethread needs a file-cleanup tool that goes beyond mere deletion:

• “I found the article about deleting “undeletable” files [in my Dec. 4 column] very helpful. What I would like to know in addition is whether there is any way to delete “undeletable” Registry entries. My operating system is Vista with SP1.”

Yes, Roy, you usually can delete “undeletable” Registry entries, but the method you need to use depends on why they’re undeletable in the first place.

But first, the obligatory disclaimer: the Windows Registry is a pretty complex thing, so before you venture forth, use Windows’ System Restore feature to create a restore point, which will serve as your Registry backup.

Let’s start with the simplest potential solution: the entry’s undeletability could be due to a permissions problem. To find out, click Start, type regedit in Vista’s Start Search box, and press Enter to open the Registry Editor; in XP, click Start, Run, type regedit, and press Enter.

In the left tree pane, navigate to and select the key that’s giving you trouble. Right-click the troublesome entry and select Permissions. Check the Allow box for Full Control for all classes of user. Exit Regedit and reboot your system. If it was a simple permissions problem, you’ll now be able to delete the recalcitrant key.

The Registry entry in question could simply be invalid — an orphaned item, or one mangled by an errant software installation or uninstallation. Another possibility is that the key is malformed and indigestible by standard removal tools.

You may be able to delete the bogus key in Regedit by navigating to the lowest item in the key’s tree structure and deleting that furthest-indented entry. Next, move up to the next item and delete that. Climb the tree of Registry entries until you reach the topmost item of the key you’re working on. With everything beneath it now empty, you may be able to delete the key itself.

If the bogus key refers to some software on your system, try uninstalling that software, deleting the bad key (if the uninstall doesn’t remove it), and then reinstalling the program.

Some bogus keys exist because they point to nonexistent software or file locations. In this case, a third-party Registry cleanup tool may help. My personal favorite is Macecraft’s U.S. $30 jv15 Power Toys (more info). The utility sniffs your entire Registry for obsolete software references — and many other problems — and automatically corrects all or most of the invalid entries it finds.

Of course, this assumes that the item you want to delete really is superfluous, in the way, and/or causing trouble. Don’t whack items by hand unless you’re pretty certain of what you’re doing. And don’t make any changes unless you’re sure they’re really necessary. In any case, keep your Registry backup handy and be ready to roll back your system if things go south on you.

Fred Langa is editor-at-large of the Windows Secrets Newsletter. He was formerly editor of Byte Magazine (1987–91), editorial director of CMP Media (1991–97), and editor of the LangaList e-mail newsletter from its origin in 1997 until its merger with Windows Secrets in November 2006.

Keep your Net activities away from prying eyes

By Ian “Gizmo” Richards If you share a PC with someone at home or work, you have pretty good reasons for wanting to keep your Internet activities private. Yes, it’s easy to cloak your surfing history from casual eavesdroppers, but hiding your browser tracks from determined, technically skilled users is actually quite challenging.

Simple solutions for maintaining your privacy

The fact is, if the FBI or some other powerful entity wants to see what you’ve been doing on the Internet, there are probably no precautions you can take to prevent them from tracking you. Privacy — like security in general — is never absolute, only relative.

Fortunately, few of us need to worry about hiding our activities from the FBI or other law-enforcement agencies. To ensure the level of privacy protection Joe and Jane Citizen require, there’s is a lot that can be done.

The most common privacy requirement is to erase your Internet-usage history. In recognition of this need, most browsers let you clear your history with just a few clicks.

In Internet Explorer 7, click Tools, Delete Browsing History to bring up a panel for deleting temporary Internet files, cookies, history, form data, passwords, or the lot.

Figure 1. Internet Explorer 7’s Delete Browsing History settings provide only a handful of privacy options.

To view the privacy options in Firefox 3, click Tools, Options, Privacy. Firefox’s privacy settings provide somewhat finer control than those in IE 7, including the option to delete your browsing history and other private data automatically each time you close your browser.

Figure 2. Firefox 3’s privacy settings let you clear your history and other sensitive data each time the browser closes.

These seem like attractive options, but they’re not necessarily as convenient as you might wish. They’re also not as safe as you might hope. Here’s why:

I can’t ever imagine wanting to erase my entire browsing history or all my cookies. I regard these as assets that make my browsing more efficient. Sure, there are times I might want to erase all traces of a particular browsing session, but I certainly don’t want to remove all my sessions.

Selectively erasing Web history is not an option in the current versions of Internet Explorer and Firefox, though you can do so in Apple’s Safari browser. Future versions of IE and Firefox are likely to include this capability, but as of today, you need to look elsewhere for a solution.

Firefox users have at least two free extensions that allow you to selectively turn off browser history, cookies, and the collection of other private data during a particular surfing session.

The Distrust extension for Firefox disables the use of a disk cache and sets all cookies to expire at the end of the session. When Distrust is turned off, you’re given the option to delete the Internet history accumulated while the extension was enabled.

You can also use Distrust to erase any record of items downloaded during the session, as well as forms search data and Flash cookies. Distrust is available for download on this page.

The second selective-erase extension for Firefox, Stealther, works a little differently. This add-on temporarily disables browsing history, address bar auto-complete, cookies, file download history, disk caching, and the list of recently closed tabs.

Stealther’s technique seems superior to Distrust’s strategy of deleting files at the end of the session. However, I have read reports of reliability problems with Stealther. You can download Stealther from this page.

I’m not aware of any free add-ons for Internet Explorer 7 that provide session-based deletion of private data. However, the beta of Internet Explorer 8 includes some of this functionality via an option that “lets you keep cookies and temporary Internet files from Web sites saved in your Favorites list,” according to Microsoft.

While useful, that’s not quite so convenient as the level of privacy control you get with the Distrust and Stealther extensions for Firefox.

Erased browser histories may be recoverable

Along with the lack of selective session-based privacy, my other main concern about using your browser to clear your private data is the possibility the erased data may be recoverable.

As most Windows users are aware, it’s often quite possible to restore a file that’s been “erased.” Indeed, there are many utilities available just for this task, one of which is the excellent freeware program Recuva (more info).

This means that, even if you delete your browsing history and other personal data, any reasonably skilled PC user may be able to recover it.

That’s bad enough, but the situation actually gets worse: it’s quite possible Windows has secretly stored a copy of your Web history before it was erased.

This can happen in many different ways. For example, the Web pages you visited may have been indexed by your desktop-search program. Also, your surfing history could have been saved by an automatic Windows System Restore. Additionally, a record of your Web activities may have been saved by a background-backup or drive-imaging program. The list goes on and on.

And that’s just the risk on the PC workstation itself. It’s almost certain that there are additional traces of your Internet activity residing on your ISP’s server or, worse still, on your company’s server. Then there are the records held by the Web sites you visited, many of which may have logged your Internet connection’s unique IP address.

So, how big are these risks? They’re not huge, but they’re large enough to be of real concern to anyone who places a high value on the confidentiality of their browsing activities. If that’s you, then read on.

A more-robust solution for browsing privacy

You’ll gather that it’s really difficult to surf without leaving some trace of your activities on the PC. It’s equally hard to browse without leaving some trace of your activities on your ISP’s servers or the sites you visit.

There’s a solution to this mess. It’s not perfect, but it comes close.

Rather than surf from a browser running on a PC, use a browser that launches from a USB flash drive that you connect to the PC. Virtually all record of your activities will then be held on the USB drive. When you remove the drive, you remove all record of your Web activities.

It’s a neat solution and one made easier by the fact there are free portable versions of Firefox, Opera, and other browsers available. Just download the portable version, copy it to your flash drive, and run the browser directly from the removable drive. When you finish surfing, unplug the drive and put your history in your pocket.

Portable USB drives let you stop worrying about leaving traces of your surfing from your PC, but the problem of ISP and Web-site records remains.

There is a solution for that as well: use a portable version of Firefox or Opera that comes preconfigured with the Tor anonymizing service.

Tor is a free service that channels your Internet connection through a chain of servers in such a way that your identity is cloaked. Furthermore, the link between you and the first Tor server is encrypted, so even if somebody eavesdrops on your Internet connection, they couldn’t decipher your activities.

The net effect of the Tor-portable browser combination is that your ISP no longer holds any decipherable records of your activities. Nor do any of the sites you visit. And because you’re surfing from a USB stick, there will be no record of your activities on the host PC into which you plugged your USB drive.

I can recommend two different free programs for this purpose, the first of which is Arche Twist’s OperaTor. As the name implies, the program is a portable version of the Opera browser preconfigured with the Tor anonymizing service. You’ll find more information about OperaTor and a download link for the program on this page.

The second Tor-portable browser combo is the XeroBank browser. This is a special portable version of Firefox that — like OperaTor — is preconfigured with Tor (download page).

Even though Firefox is my browser of choice, I prefer OperaTor because it’s faster and easier to use than XeroBank. Also, the strong up-sell from XeroBank’s developer to purchase the commercial version of the company’s product puts me off.

Note that XeroBank triggers a security warning from some antivirus programs. These are false alarms, as the product is 100% clean. Still, the alerts are truly an annoyance.

Limitations of browsing via an anonymizer

What are the downsides of using a portable Tor browser?

First, browsing using the Tor service can be slow — sometimes agonizingly slow.

Second, you need to worry about the physical security of your USB flash drive, which contains sensitive records of your browsing activities.

Finally, neither Tor nor the two portable browsers I mentioned support all Internet activities. For example, OperaTor supports only HTTP and HTTPS, so if you use OperaTor’s integrated e-mail or IRC client — or if you visit sites that use Java, JavaScript, or BitTorrent — your anonymity cannot be guaranteed. The record of your surfing history will be securely held on your USB drive, but you may lose your browsing anonymity.

There are other private-browsing solutions that offer fewer downsides in exchange for a little more complexity. These include using a sandbox for surfing, Linux Live CDs, virtualization solutions such as VMWare, and system-restore products such as Norton GoBack. I’ll look at these alternatives in detail in future columns, but in the interim, do try OperaTor; I think you’ll be impressed.

Ian “Gizmo” Richards is senior editor of the Windows Secrets Newsletter. He was formerly editor of the Support Alert Newsletter, which merged with Windows Secrets in July 2008. Gizmo alternates the Best Software column each week with contributing editor Scott Spanbauer.

Free software-update service spots risky apps

By Ryan Russell Secunia’s much-lauded patch scanner is now out of beta. The service gives you many more options than the updaters built into Windows and other Microsoft products.

Stay safe by keeping your PC’s software patched

I reviewed the beta of Secunia’s Personal Software Inspector (PSI) program in my May 8 column. Well, the free software-update tool recently “shipped” and is now version 1.0.0.1 (download page).

I’m not the only Windows Secrets editor who likes Secunia’s stuff, though. Susan Bradley has mentioned PSI and Secunia’s Web-based Online Software Inspector (OSI) on numerous occasions, most recently in her Dec. 4 column.

OSI is perfect for when you have to maintain someone else’s machine and just want to do a quick scan. But the Web-based scanner doesn’t cover nearly so many programs as PSI. Also, the desktop version lets you monitor your apps in real time.

Secunia also offers a corporate version of its product, Network Software Inspector, which I have not reviewed. (Secunia’s NSI competes with products from my employer.)

Advantages of a non-Microsoft patch scanner

Microsoft Update (MU) isn’t bad for what it is: a utility that scans only for Microsoft programs that are out of date. (The exception is the rare third-party program or control that Microsoft makes special arrangements to support.) But why not check the currency of more programs? This is the basic advantage of a third-party patch scanner. PSI fits the bill nicely.

Both MU and PSI will periodically check for updates and notify you via pop-up when some program needs attention. MU’s only advantage is that you can configure it to install the patches automatically. I don’t recommend that, though. For one thing, some updates cause problems, so it’s best to wait a day or two before installing a patch while you watch for reports of glitches. Also, Microsoft has been known to slip DRM, Windows Genuine Advantage, and other not-so-welcome components into its automatic updates.

Along with supporting more applications, PSI gives system tweakers more knobs for monitoring and customizing their scans. With MU you just click OK and do whatever Microsoft recommends. Great for your mom, maybe, but not for you.

View update history, uninstall at-risk relics

PSI’s Overview screen shows a graph representing your updates over time. Me, I like to see all green on this chart. I want to have all my installed software patched, and if I can’t patch it, I uninstall it.

I appreciate PSI’s ability to track both unpatched and end-of-life software. Rather than a patch-based approach, the program is vulnerability-centric: if there’s no patch available, you’ll be advised to remove the risky program from your machine.

I’m a packrat, so most of my old machines exist on my new one in the form of a directory I created named c:old. Yes, PSI is going to find many out-of-date programs in that directory. They pose no risk to me, so it’s easy to tell the program to exclude c:old from its scan. Done!

Under the Patched tab, PSI shows me all the programs it has identified. This gives me a nice warm fuzzy about how many things Secunia is checking for. On my PC, OSI reported 10 up-to-date programs, while PSI shows 134 apps installed on the machine. PSI’s list won’t be completely comprehensive, but the program can account for more apps and utilities than any other similar product I’ve seen.

The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.