Avoid holiday media headaches

Avoid holiday media headaches

By Brian Livingston

As the holiday season rises to a fever pitch, you may be thinking about buying someone – or buying for yourself – some cool new digital media geegaw. If so, you need to know about Bruce Kratofil’s BugBlog and its December Entertainment Special.

Kratofil (a co-author with me of Windows 2000 Secrets) has put together a jolly Web page chock-full of the problems and incompatibilities you’ll run into when using the latest video and audio goodies. Some of these glitches are hilarious, if you happen to be reading about them before you’ve bought the product.

Let’s take a peek at a few examples:

• XP SP1 chokes on USB devices.
If you stream media from a high-speed, USB 2.0 device – such as a video camera – to a PC with XP Service Pack 1 installed, the PC may slow to a crawl. For example, USB speakers may stop playing, or a USB mouse may become useless.

This is because XP SP1 is devoting 80% or so of your CPU time to the streaming device. Not very friendly behavior, eh?

SP1 also has several other nasty habits if your system includes USB devices. It may crash or restart the system instead of coming gracefully out of hibernation. It also may fail to recognize USB devices after coming out of suspend modes.

Fortunately, as of Nov. 24, Microsoft has a new patch. See Knowledge Base article 822603.

Unfortunately, even this patch has generated its own patch. (How did you know I was going to say that?) Installing 822603 on XP SP1 can cause your PC to hang when you try to bring it out of suspend modes by moving a USB mouse or pressing a USB keyboard key. If so, you may be able to avoid this by coming out of standby or hibernation by pressing the power button, if your system supports this. Or you can install the extra patch – 826959 – on top of 822603.

• iPod doesn’t update if Windows is not on drive C.
You’d think that Apple would know by now that we can install Windows onto any partition we like. But no-o-o-o. If you use Apple’s iPod Software Updater for Windows, you get a “Can’t Mount iPod” error message if Windows is not installed on drive C. Kratofil says there’s no workaround at this time. (I guess you could re-install Windows to use your iPod.)

• Media Center Edition video black-out.
Windows XP Media Center Edition 2004, a digital-media version of XP that’s available only on some new desktops and laptops, has a few quirks when it’s playing videos. Say you’d been playing a video, and you then put the machine into a suspend mode. After you resume the computer, restart the video, and double-click it to maximize the window, you may see nothing but a completely black screen.

Microsoft says there’s no fix, but you can work around the situation by clicking the Play button on the remote control that’s included with MCE.

Kratofil has collected dozens more of these kinds of alerts for every kind of digital media maker. The lists includes Creative Labs, Dell, Linux, Musicmatch, Nvidia, Real Networks, and Winamp. Visit BugBlog’s December Entertainment Special at www.bjkresearch.com/bugblog/entertain.cfm.

To send me more information about these kinds of media gotchas, or to send me a tip on any other subject, visit WindowsSecrets.com/contact/.

Recover those missing Outlook and Outlook Express messages

In the Nov. 20 issue of Brians’ Buzz, reader Joe Lazzara described a disaster that he needed help to recover from. His original plea went like this:

• “Right after installing the update (KB 824145) from security bulletin MS03-048 on Windows XP Professional, I lost all of my e-mails in Outlook Express. The address book was intact, but all the e-mail files were completely empty. I have found no help on the Microsoft knowledge base on this issue. Any help or ideas?”

My loyal readers came to the rescue with even more feedback than usual. Anyone who deals with Microsoft Outlook (an e-mail program that ships with Microsoft Office) or Outlook Express (a distinct program that comes with Internet Explorer) will learn something new by reading the following strategies.

Edit the Registry to recover OE files
What had happened to Lazzara’s messages is that installing MS03-048 (a cumulative update for IE) made Outlook Express set up a new default “identity.” That identity, being new, had no e-mail messages in its fresh, startlingly empty folders.

One of the best explanations for this, plus a detailed fix, comes from Kent England, a winner of the Microsoft MVP (Most Valuable Professional) award:

• “My conclusion is that the update is erroneously restoring default values for some or all user shell folder variables.

  “I would suggest that if Joe moved his Outlook Express message store prior to the update in question, then the cumulative update may have changed the message store location back to the default value.

  “Joe can look in the Maintenance tab of OE Tools, Options to see where his message store is currently located. If this is incorrect, he can change it back to where it should be. But he MUST NOT use that OE screen to change his message store, because OE will erase all his messages by overwriting with his current (empty) message store.

  “He will have to edit the Registry key

  HKEY_CURRENT_USERIdentities{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx}SoftwareMicrosoftOutlook Express5.0

  where the hex values within the curly braces correspond to his OE Identity.

  “Change the value to the correct full local path to the message store (e.g., C:Documents and SettingsuserMail). Be sure that Outlook Express is NOT running when you change the key. Then start OE and the messages should magically re-appear.

Copy the missing files using any file manager
The above strategy is an excellent prescription. But perhaps you’re not comfortable using Regedit.exe or RegEdt32.exe to edit the values in the Registry. In that case, Brian’s Buzz reader Michael Kennedy has written a step-by-step document that explains how to recover a missing storehouse of Outlook Express messages, using nothing more complicated than Windows Explorer (or any other file manager you like). Some excerpts:

• “If (big if) the OE files are not destroyed internally, then it’s normally quite easy to recover the contents. …

  “Locate the directory in which all the OE e-mail files are held:

  • In W95, it might be C:WindowsApplication Data Microsoft Outlook Express
  • In W98, it might be C:Windows Application Data Identities ???? Microsoft Outlook Express
  • In XP, it might be something like C:Documents & Settings Administrator Local Settings Application Data Identities {????} Microsoft Outlook Express (allowing for user names, etc.)
  • Or maybe just ‘search’ for directories named ‘Outlook Express’

  “In there, you’ll see a file named Folders.dbx, and probably many other e-mail (.dbx) files, including Inbox.dbx, etc. Hopefully, you’ll recognize the names of the ‘missing’ files and, hopefully, those files still have ‘proper’ sizes – indicating that the old contents are still intact.”

If you get that far, and your messages are still safely stored, Kennedy shows you how to back up the files for safety’s sake, then copy your old messages into a location where OE will find them the next time it starts up. Success!

Kennedy’s document is an online .rtf (Rich Text Format) file. To download it, visit the following Web address in your Web browser and save the file to disk when prompted. You can then open the document in Microsoft Word or almost any modern word processor: www.kennedysoftware.ie/download/oe-rebld.rtf

Use a free or low-cost recovery utility
Those who want the convenience of using an automated tool should know about DBXtract and DBXpress.

• DBXtract is a freeware program that extracts all the individual mail and news messages from an Outlook Express 5 or 6 message store. Once this has been accomplished, you can move them around with a file manager, archive just the ones you wish to save, and so forth. DBXtract is designed for recovering corrupted OE files, and (in its Recover Mode) it can even extract messages that have been deleted.
• DBXpress is a more advanced program that currently costs $29.95. It has its own search capabilities, enabling you to find even hidden files that OE has written. It runs on Windows 2000, XP, or 2003, but not Windows 9x or Me. (You can temporarily install a hard disk from the older operating systems as a second drive into a system that can run DBXpress.) The program is powerful enough to recover messages from hard drives that won’t boot, from damaged partitions, and even from drives that have been formatted.

My thanks to reader Bart Smith for his recommendation of the above software programs.

Recover deleted Outlook messages
Most corporations, of course, use Microsoft Outlook, not Outlook Express, for e-mail. Reader Bob Clifton turned me on to a way that corporate IT pros can get back any messages that anyone has recently deleted from his or her Outlook folders.

I’ll paraphrase, below, an outline of the procedure. Don’t try this without reading the complete list of steps at techrepublic.com.com/5100-6270-5054599.html.

1. Back up the Outlook .pst file, which contains the message store.
2. Use a hex editor to insert blanks into 13 specific character positions near the beginning of the file.
3. Run Microsoft’s Inbox Repair Tool on the .pst file. This utility is included with Windows 9x, NT, 2000, and XP, as well as Outlook 98 and Office 2000. More information on the tool is available in Knowledge Base article 287497.
4. Run Outlook, and the repaired .pst file will be opened, with the Deleted Items folder containing all of the recently deleted messages.

My thanks to everyone who submitted suggestions. Those whose comments I printed will receive a gift certificate for a free book, CD, or DVD of their choice. To send me more information on e-mail fixes such as these, or to send me a tip on any other subject, visit WindowsSecrets.com/contact.

Any Web page can plant code on IE 6 systems

By laying out a linked series of six simple hacker techniques, a volunteer researcher has shown that a Trojan horse program can be deposited and run on a PC if a user merely views a Web page in Internet Explorer 6 – even with all of Microsoft’s latest service packs and security patches installed.

The researcher, Liu Die Yu, said that some of the steps used in his technique were security weaknesses that have been known to Microsoft and uncorrected for almost two years.

In his posting to SecurityFocus.com’s BugTraq list about the problem, Yu provided a simple way for IE users to close the hole. The hacker exploit doesn’t work if you simply move the location where IE stores its Temporary Internet Files. The fact that these cache files are usually in a predictable location is an element in the attack.

To move the cache in IE 6:

1. Close any other documents you have open, because this procedure will log you out of your account temporarily.
2. Click Tools, Internet Options.
3. On the General tab, click the Settings button. Then click the View Files button.
4. You should see a dialog box with the location of Temporary Internet Files in the title bar. It might look similar to:

   c:Documents and SettingsusernameLocal SettingsTemporary Internet Files

5. Close this dialog box, but leave IE’s other dialog box open.
6. Using a file manager, such as Windows Explorer, create a new directory with any other name, such as Foo, in a similar location in the directory tree.
7. In the remaining IE 6 dialog box, click the Move Folder button. Select the Foo directory you just made. Click OK in this dialog box and the next.
8. Click “Yes” to allow Windows to log you off and move the cache. IE will create a new Temporary Internet Files cache underneath the directory you created.

After Yu’s revelation of the ease of planting rogue code on millions of IE 6 users’ machines, a discussion broke out on BugTraq about whether the announcement of the weakness was wise. Thor Larholm wrote:

• “There are no new vulnerabilities or techniques highlighted in this attack (which is what it is), just a combination of several already known vulnerabilities. This is not a proof-of-concept designed to highlight how a particular vulnerability works, but an exploit designed specifically to compromise your machine. All a malicious viruswriter has to do is exchange the EXE file.”

In response, Benjamin Franz wrote:

• “I have mixed emotions about this. On one side – why put millions of systems at risk to script kiddies? On the other side, as noted by the poster, one of these vulnerabilities has been known for more than _TWO YEARS_. Surely far more than enough time for MS to have actually _fixed_ the problem if they intended to. MS seems (at least in some cases) to ignore security problems unless someone publically ‘holds their feet to the fire’ over them.”

Yu’s original post that describes the six-step attack (and the workaround) is at www.securityfocus.com/archive/1/343464/2003-11-04/2003-11-10/0.

Important reactions to the subject by Larholm, Franz, and Drew Copley are at www.securityfocus.com/archive/1/343606/2003-11-04/2003-11-10/0.

Many readers have said to me that the severe security problems with IE have led them to abandon it for Netscape, Opera, or Mozilla. Those are all fine browsers, and you should seriously consider them, if you’re not already using them. I’ve provided this story and the steps shown above for those who, for whatever reason, choose not to end their reliance on IE.

I’d like to thank reader Terry Erickson for his help with this topic.

Exchange Server 5.5 and 2000 can be taken over

Think Computer, a provider of database software and services, has announced a serious security hole that allows spammers to take over Exchange Server 5.5 and 2000 and to quietly send huge quantities of spam from the compromised machines.

According to the company, the Code Red virus – which swept the world in 2001 – deposited “back door” code and enabled wide-open Guest accounts on hundreds of thousands of computer systems. Microsoft’s patch for Code Red, the firm says, closed the back door but left the status of the Guest accounts unchanged. Spammers are exploiting this and other weaknesses.

Think Computer recommends two immediate steps all Exchange Servers administrators should take:

• “Unless your server needs the Guest account to be enabled to perform a certain task, it should be disabled immediately. Leaving the Guest account enabled on Windows NT Server 4.0 also potentially allows other problems to occur.”
• “Organizations that are using the Guest account to relay messages internally should set up a dedicated user for this purpose with a secure password.”

A related issue is that Exchange Server 5.5 and 2000 do not perform directory lookups to ensure that mail is delivered only for valid users. (By contrast, Linux-based servers running sendmail do perform such lookups.) Think Computer charges that Microsoft has decided to “not provide Exchange Server version 5.5 or 2000 customers with the option of directory lookup unless they upgrade to Exchange Server 2003, which supports the option.” Industry surveys show that approximately 40% of Exchange Server customers are using version 5.5, primarily so they don’t have to upgrade to Microsoft’s Active Directory scheme. Almost all of the other customers use Exchange Server 2000.

Microsoft has posted two notices about disabling Guest accounts and why it chooses not to perform directory lookups. See Knowledge Base articles 251149 and 304897.

Aaron Greenspan, the author of Think Computer’s report on the subject, scoffs at the Redmond company’s position, calling Exchange Server “Microsoft Spam Server.”

In my opinion, every IT administrator who oversees Exchange Server installations (or receives mail from them) should immediately read the Think summary and PDF white paper, which is a quick, 4-page read accompanied by a 3-page appendix.

Other significant recent bulletins:

• SharePoint Services won’t install after Nov. 24, 2003
  SharePoint Services is a pre-built intranet site that’s included with Microsoft Small Business Server 2003. SBS, in turn, is a bundle that includes Windows Server 2003, Exchange Server 2003, and several other programs for as many as 75 users (upgradable to the full versions of these programs to support a larger number of users). I plan a full review of SBS 2003 for the Jan. 29, 2004, issue of Brian’s Buzz.

  Because of a coding error, SharePoint Services suddenly began refusing to install or re-install after Nov. 24, 2003. Microsoft acknowledged this on Dec. 1 and promises to have a fix available within a few days. In the meantime, the recommended workaround is to kick all users off the network, set the server’s system clock to a date between May 24, 2002, and Nov. 23, 2003, then uninstall and re-install the intranet component and Microsoft SQL Server Desktop Engine. You should reset the clock to the actual time after that, of course. More info

• MS03-045 makes some apps see double (characters)
  I reported in the paid version of the Oct. 16 Brian’s Buzz that security patch MS03-045 (824141) was considered merely an “important” patch by Microsoft, not a “critical” one. Additionaly, it is considered important only for systems running non-English versions of Windows 2000 SP4, not for any versions of Windows NT, XP, or Server 2003.

  Microsoft recently acknowledged in Knowledge Base article 831739 that installing MS03-045 can cause some programs to enter two characters for every one that’s typed. That KB article proposes a workaround of copying and pasting text into affected text boxes. Another workaround, uninstalling the patch and then disabling W2K’s buggy Utility Manager (as explained in a note in MS03-045), is suggested by the makers of one app that’s affected by the problem, Hyperion (more info).

• Outlook 2003 soaks up memory, then crashes
  According to Microsoft, when Outlook 2003 has been “open for a long time” and “the amount of random access memory (RAM) is large on your computer,” the program consumes huge amounts of RAM and eventually stops responding. The company didn’t define “a long time” or “large.”

  There is no apparent fix yet, but MS says the problem is lessened by minimizing Outlook 2003 occasionally. All this was described in KB article 827310 in September and October, but the article seems to have disappeared from the Microsoft site since then for some reason.

  The KB article, if you’d like to read it, has been posted at a mail archive by someone named Stefan Kiryakov, who apparently posted it as a joke (more info). And there are various opinions about the seriousness of the memory problem on an independent forum called the MS Exchange Blog.

• Important: No security bulletin critique this issue or next
  Due to Microsoft’s new policy of trying to release new security bulletins and patches only once a month instead of weekly, no major new fixes have been announced since Nov. 11. I analyzed the security bulletins Microsoft released on Nov. 11 in the paid version of the Nov. 20 Brian’s Buzz.

  Because of holiday vacation scheduling, if Microsoft releases important bulletins on Dec. 9, it won’t be possible to get an analysis of them into the Dec. 18 Brian’s Buzz. There will also be no issue of Brian’s Buzz on Jan. 1, 2004. Therefore, my analysis of Microsoft bulletins that are issued on Dec. 9 and Jan. 13 (if any) will appear in the Jan. 15, 2004, issue of Brian’s Buzz.

  In the meantime, you should sign up for Microsoft’s Security Notification Service, if you haven’t done so already. You provide the Redmond company with your e-mail address, and you receive e-mails from Microsoft when a new bulletin or virus alert is released. This may not be as much fun as reading the Buzz, but you’ll at least get some idea that something is up until my next issue. MS signup page

More on Win XP and disk errors

I printed an article by Dan Michalski and Gordy Tobutt of Tangent Systems Inc. in the paid version of the Nov. 20 Brian’s Buzz. Their article described testing that found that Windows XP suffers from disk-write errors when communicating with a Windows 2000 Server and both have “SMB signing” enabled. Server Message Block signing is a desirable security feature, but it seems to intermittently interfere with the delayed-write disk-access behavior that’s implemented in XP.

I’ll have more on this subject in my regular Known Issues column, which is scheduled to appear in the printed version of eWeek on Dec. 15. It should also appear online at eWeek.com on or soon after that date, although I don’t yet know the exact Web address where the column will be posted.

In the meantime, readers’ comments about this problem have started coming in. Let’s start off with an important point by Michael Kraftman about when SMB signing is on by default and when it’s off. (I’d written that it was off by default, except when programs like Norton Internet Security silently turn it on or when administrators enable it to get encryption of network traffic.)

• “The statement regarding SMB signing that ‘This feature is disabled by default’ in your 21st Nov. newsletter is incorrect in one important case for both Windows 2000 Server and Windows Server 2003. If the file server concerned is also a domain controller, SMB signing is enabled by default.

  “That is my configuration and I have found that the performance penalty is terrible – much worse than the 10% to 15% that you mention.

  “The best way to disable it is through Group Policy. That way, any changes made to the Registry by programs such as Norton get automatically reversed. Microsoft Knowledge Base articles 331519 [now 810907], 321169, and 321098 refer to this.”

Reader Jon Wells says he found another way in which delayed-write failures can be caused:

• “Another source of delayed-write failures is installation of ATI display-board software – IF a rather hidden setting in WinXP happens to be set a certain way.

  “If Memory Usage is set to System Cache instead of to Programs, delayed-write failures will result.”

  [EDITOR’S NOTE: To see this in Windows XP, go to the Desktop, then right-click the My Computer icon. On the context menu that appears, click Properties, then click the Advanced tab. In the Performance area, click the Settings button, then click another Advanced tab. In the Memory Usage area, you’ll see radio buttons to give priority to Programs or System Cache.]

  “ATI is aware of this problem [see ATI Infobase 4217] but hasn’t seen fit to warn the buyers of their boards: really aggravating.

  “I fell victim to this when I bought a Radeon 9200 board and installed the ATI software that came with it. After experiencing the delayed-write failures, it took me a full day of work to undo all the damage. It took out my RAID array and rendered one of the drives unrecoverable: it wouldn’t even format! So I had to buy another one.

  “When I researched the problem on the Internet (fortunately, another computer was available), I found out about the Memory Usage setting and changed it.

  “ATI could have saved me 8 hours of work and a new $150 drive just by putting a note in the box to check that obscure setting before installing their software!”

There’s more to this XP stuff than meets the eye. If you have any further information, please let me know at WindowsSecrets.com/contact/.

A workaround for MS03-048’s double-scrolling bug

I reported in the paid version of the Nov. 20 Brian’s Buzz that MS03-048 (824145) – a patch Microsoft released on Nov. 11 – has several bugs that aren’t yet corrected. One of the most noticeable is that, after installing MS03-048, clicking the vertical scrollbar in Internet Explorer (and any app that gets functionality from IE, such as an e-mail rendering window) causes the contents of the window to scroll two screens up or down instead of one.

Until this is fixed, you can avoid double-scrolling by clicking very close to the “thumb” slider in the scrollbar. This scrolls up or down only one screen. But reader Michael Schein reminded me of a technique that I’d forgotten. It’s a perfect workaround for the problem – if you can change your habits!

• “Overuse of the mouse (vs. keyboard) is a pet peeve of mine. To avoid the double-page scrolling problem, users should do what they should have been doing from the beginning – hit the Spacebar!!! And to go up a page, hit Shift+Spacebar.

  “I’ve been doing this for YEARS along with all the other Windows shortcuts that avoid carpal tunnel and save me tons of time and aggravation.”

Let it snow, let it snow, let it snow

It may not be freezing in your part of the world this month – but, if not, you can create some big flakes with a terrific Flash movie called The Little Snow Globe.

After a few seconds while the animation loads, you see a group of children playing as the white stuff falls gently around them. Simply hold down your mouse button as you “shake” the globe. The snow flies, as well as the children, who perhaps should have put on their seat belts before you rocked their little world.

I don’t know which is more sickly: the whole concept, or the Christmas tune that plays in the background while you do this. If you watch for a minute or so, the kids build a snowman, which then gobbles one of them up. It’s funny as heck, if you’re in the mood for offbeat humor. It’s a production of E-tractions, a group of more than a dozen online technology specialists in Bedford, Mass. See the movie