Pop-up ads can land you in jail
In this issue
- TOP STORY: Pop-up ads can land you in jail
- LANGALIST PLUS: Make more space by deleting log files
- WACKY WEB WEEK: Gollum and Smeagol get their groove on
- LANGALIST PLUS: Avoid firewall confusion with insider secrets
- WOODY'S WINDOWS: Vista Timesaver #4 — the Windows Experience Index
Pop-up ads can land you in jail
By Ryan Russell
If you find yourself the victim of pop-up ads on a computer, with children in the vicinity, you could face decades in prison. I wish that I was exaggerating or being sensationalistic, but for Julie Amero this is far too real.
Meet Julie Amero, substitute teacher
There’s a good chance that you’ve already heard something about Julie. She’s perhaps better known as the Connecticut substitute schoolteacher who’s been convicted of "child endangerment." She now faces a sentence of up to 40 years in prison because porn pop-ups appeared on a school computer.
For background on the case, you can read articles from the New York Times, MSNBC, or SecurityFocus. (Full disclosure: WSN editorial director Brian Livingston is quoted in the New York Times piece supporting Julie. The article at the MSNBC site is also a good read, but I don’t recommend the accompanying video, which starts out with a falsehood and goes downhill from there.)
Let me begin by saying that I’m biased when it comes to Julie’s innocence. I’m doing my best to spread the word about her case, and have offered my technical skills to support her defense. I have access to some technical experts who are reviewing the trial transcripts and computer forensic evidence. I can’t point to a public reference to support all of my positions yet, so you’ll just have to take my word, for the time being.
There are many points I could make about what’s wrong with her case. But I’ll stick with my core competency and just point out some of the technical flaws.
Flawed technology condemns an educator
The key issues were set in motion before Julie ever arrived to substitute-teach on the day in October 2004 that the pop-ups occurred. The school district had allowed its Web-filtering software support contract to expire, preventing the software from receiving updates. The computer in question was running Windows 98, and the browser in use was IE 6.
According to evidence analysis performed by Alex Shipp, an independent malware researcher, the antivirus software was a trial version of Cheyenne Antivirus (CA). That product had been discontinued by Computer Associates on Mar. 17, 2004. It appears that CA issued a last courtesy update on June 30. Julie taught the class on Oct. 19. The computer had no antispyware software.
In other words, this computer had almost no protection and an unsecurable operating system. This is the machine Julie was given to use.
On the day in question, the regular teacher was there before class to log Julie into the computer. Substitutes didn’t have their own accounts, and were ordered not to log out or shut down the computer. Julie left briefly and, when she returned, the regular teacher was gone. She found students, some of whom didn’t even belong in the upcoming class, Web surfing on the teacher’s computer.
Experts now analyzing the hard-drive image have confirmed that the computer had been infected with adware days before Julie’s arrival. Unfortunately, in this case, that means that when a student tried to visit a hairstyle Web site, he or she was instead redirected to a different site that had adult products advertised. When Julie tried to close the site down, this started a pop-up cascade.
One thing I should mention about Julie: She’s a total "computerphobe." She can perform basic computing functions, but that’s about it.
So what did she do when she couldn’t get rid of the pop-ups? She turned the screen away from the students. It was at the front of the room, where the students would have had to be essentially at the teacher’s desk in order to see. She did her best to get rid of the images without making it obvious to the students that something was wrong. If a student approached, she reportedly chased them away.
During a break, Julie went for technical help to get rid of the pop-ups, which reappeared as fast as she tried to close them, but she received no help. No one would return to the classroom with her. She was told not to worry about it. However, she was worried about it, and it turns out she had reason to worry — she was later arrested for "child endangerment."
Legal system fails pop-up victim
When law enforcement became involved, sanity should have prevailed. Instead, the technical flubs continued, and the case sped downhill. A detective was assigned to take a forensic image of the computer and perform a technical analysis.
Let me briefly tell you what I know about taking a proper forensic image of a computer that will be involved in a criminal case. Keep in mind that I’m not a forensics expert; these standards are just common knowledge in the computer security field.
If you’re going to image a drive for evidence, you have to use special write-blocking hardware that helps take a sector-by-sector image of the entire hard drive, including the "empty" space. The image is then hashed so that any tampering will be evident, and you always work from copies.
Typically, only software tools with support from existing case law are used. Otherwise, questions can arise over the soundness of the tools and techniques. The imaging tools that have case law behind them are EnCase and the Unix dd utility.
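The imaging discipline described above (sector-by-sector copy, hash the result, work only from verified copies), as an added Python illustration that is not part of this column. The "drive" is a constructed temporary file standing in for a write-blocked device; a real acquisition would run dd or EnCase against the block device itself, but the hash-and-verify steps are the same.

```python
import hashlib
import os
import tempfile

SECTOR = 512            # copy whole sectors, so unallocated ("empty") space is included
CHUNK = SECTOR * 2048   # 1 MiB per read keeps memory flat on multi-GB images


def sha256_of(path):
    """Hash a file by streaming it; the digest is the evidence's fingerprint."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(source, image_path):
    """Sector-by-sector copy of `source` into `image_path`, hashing the bytes as they
    stream so the acquisition hash covers exactly what was read. In a real case
    `source` is the block device behind a hardware write blocker; here it is a file."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify_image(path, expected_hash):
    """True only if the file still hashes to the acquisition value."""
    return sha256_of(path) == expected_hash


def make_working_copy(image_path, copy_path, expected_hash):
    """Analysis runs on a copy, never on the master; the copy is verified before use."""
    with open(image_path, "rb") as src, open(copy_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    if not verify_image(copy_path, expected_hash):
        raise ValueError("working copy does not match the acquisition hash")
    return copy_path


def demo():
    """Constructed 'drive': one live sector, three blank sectors, and a stale sector
    holding the remains of a deleted file, which a file-level backup tool would skip.
    Returns (acquisition hash, sectors imaged, master verifies, modified copy verifies)."""
    workdir = tempfile.mkdtemp()
    drive = os.path.join(workdir, "evidence.bin")
    with open(drive, "wb") as f:
        f.write(b"live file contents".ljust(SECTOR, b"\x00"))
        f.write(b"\x00" * (SECTOR * 3))
        f.write(b"deleted but still on disk".ljust(SECTOR, b"\x00"))
    master = os.path.join(workdir, "evidence.dd")
    working = os.path.join(workdir, "evidence-working.dd")
    digest = image_device(drive, master)
    make_working_copy(master, working, digest)
    master_ok = verify_image(master, digest)
    # Any later change to a copy (one byte in unallocated space here) breaks verification.
    with open(working, "r+b") as f:
        f.seek(SECTOR * 2)
        f.write(b"X")
    return digest, os.path.getsize(master) // SECTOR, master_ok, verify_image(working, digest)


if __name__ == "__main__":
    print(demo())
```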
The detective in this case took an “image” of the hard drive with Norton Ghost. Norton Ghost is a tool used to back up a computer’s hard drive in order to restore it to a known state after people have modified the configuration. It is often used on training or lab machines. There is nothing wrong with Ghost for what it does, but it is not a forensic tool.
So what did the detective use to examine the “image”? He used a program called ComputerCOP Pro. It appears that the program displays a version of the Internet Explorer history, which shows the URLs that were visited. At trial, this ended up translating to the prosecutor telling the jury that this means that Julie “physically clicked” those links. In fact, pop-ups show up in the history the same way as a link you click on.
In truth, the software also cannot tell you who was in front of the computer, who typed in a URL, or who saw the pictures displayed. It’s clear that someone who lacks the technical background to properly interpret the results, and is not willing to put in the time to figure it out, can jump to some very wrong conclusions. The detective never even looked for spyware on the computer.
This is the kind of technical evidence on which Julie was convicted.
An innocent teacher awaits sentencing
Julie is now awaiting sentencing, which is scheduled for Mar. 2. I could discuss jail-time possibilities, but many of us are still refusing to accept any possibility other than someone coming to their senses and throwing the verdict out.
To that end, the experts I mentioned are frantically preparing their report on the technical information. The hope is that the prosecution or court will recognize that there has been a basic mistake in the facts presented at trial before a sentence is handed down.
Despite my bias that I told you about, do you have reasonable doubt about Julie’s guilt? For more information, see the julieamer blog at Blogspot, which is largely maintained by Julie’s husband. There’s a PayPal button at the top of that blog so people can contribute to help pay Julie’s defense costs, which are reported to be over $20,000 so far.
Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series. His Perimeter Scan column appears twice a month in the paid version of the newsletter.
Make more space by deleting log files
By Fred Langa
Log files can be useful, but they mainly just take up space. Trim away your useless log files to gain space and make your backups and restores smaller and faster!
Hidden log files eat your disk space
Log files can be useful: They’re usually plain-text records of actions taken by software as it runs — changes made, files added or deleted, and so on. When something goes wrong, it may be possible to examine the appropriate log file to see what the software was trying to do when it encountered trouble. That, in turn, can be a valuable troubleshooting clue.
But over the years, log files have moved from front-line troubleshooting to a rarely used and obscure tool tucked away on your PC. Log files can be like weeds, growing in the quiet corners of your hard drive.
Try this experiment in order to see just how many log files are taking up space on your hard drive:
Click Start, Search, then search All files and folders on your hard drive for any files named *.log. Odds are, you’ll find hundreds of log files you probably never knew existed. (The Windows folder tree alone is a rich repository of log files.) My system currently has almost 900 of the suckers!
With today’s large disks, a passel of small log files isn’t worth worrying about. But sometimes log files can become huge, or a single active program may create a large quantity of log files. Karen Cleveland found one such instance in the ZoneAlarm Security Suite, which practically logs every heartbeat. Let’s take a look at her example, but keep in mind that the log-file proliferation caused by other programs can often be cured in similar ways:
- "I’ve installed ZoneAlarm (ZA) Internet Security Suite 6.5, which I purchased in the box off-the-shelf at a major computer store. I’m having a problem with ZA writing multiple files to the c:\WINNT\Internet Logs directory. These files are continually modified by ZA and quickly become very large (i.e., many MBs).
"I stumbled upon this phenomenon because I noticed the free space on my hard disk kept decreasing day after day. Another problem is that the storage space used by System Restore is also consumed, because these files are backed up when a restore point is created. The restore directory in c:\System Volume Information was also growing by leaps and bounds. My hard disk is/was being cannibalized.
"Do you know how to fix these problems? I don’t want to get rid of ZA, but I can’t continue using it the way it is now."
First and foremost, log files are usually simple plain-text files. You can open them in Notepad and see what they contain. You can delete them if you’re sure that neither you nor the application that created them will need the information inside. (Tip: Copy the log files to a CD or other safe place before you delete them from your hard drive. Then, if it turns out you need the information, it’s still recoverable.)
You also can use various disk-cleaning utilities to delete log files automatically, if you’re sure you no longer need them. For example, the free do-it-yourself CleanAll tool can easily be modified to delete any or all of the log files on your system each time it runs.
But sometimes, software will lock a log file while it’s in use, making it difficult to remove by normal means. A tool like the free and excellent MoveOnBoot (a more powerful paid version is also available) can delete files that are normally locked, in-use, or otherwise unable to be deleted from inside Windows.
The above steps can take care of log files after they’re created. But, of course, it’s best to keep unneeded log files from being generated in the first place. Most log-creating software, including the ZoneAlarm Security Suite, lets you turn off the log file function, if you’re sure you don’t need it.
Figure 1. This example shows how the ZoneAlarm Pro firewall lets you control its log keeping. The "Advanced" button allows even finer control.
For example, to enable, disable, or alter event logging and program logging in the ZoneAlarm Security Suite and in the stand-alone Zone Alarm Pro firewall, follow these steps:
Step 1. Select Alerts & Logs.
Step 2. In the Event Logging area, select the desired setting. On creates a log entry for all events. Off means no events are logged.
Step 3. In the Program Logging area, specify the log level. High creates a log entry for all program alerts. Med. creates a log entry for high-rated program alerts only. Off means no program events are logged.
So, if you’re drowning in log files — even hidden log files you never knew existed — you can easily get your head above water. Back up and delete the log files you don’t want or need, and then adjust your software so that it doesn’t create new unnecessary log files in the first place.
Running floppy-based tools with no floppy drive
Some software still legitimately needs to boot from a floppy drive. Reader Chris Henshaw asks what to do when your PC no longer has a floppy to boot from:
- "I was about to purchase Symantec Ghost for use as ghosting [imaging] software. In the Feb. 8, 2007, issue, you wrote that BootItNG was your favorite. So, after reading the Terabyte Web site, I purchased a copy. When I tried to install it, I found that it required a floppy disk drive. Nowhere was this mentioned — either in your article or on the Terabyte Web site. I have not had a floppy disk drive for some years. Buyer beware!"
Your immediate problem is easily solved, Chris. BootItNG will run happily from any bootable medium, including bootable CDs, and even some Flash drives (depending on your hardware). You can use Terabyte’s free MakeDisk utility, or any number of third-party tools and techniques to convert bootable floppy disk images into CDs or other bootable media. There’s a good tutorial at Ultimate Boot CD.
The reason why BootItNG requires a floppy is also the main reason why I personally like and recommend it: BootItNG is 100% self-contained. When it’s running from its boot medium, Windows is entirely inert. No files are open or in use. Nothing is "live" on the hard drive.
This means that BootItNG’s partition work and imaging work has no competition from other programs while it’s running. Instead, the self-booting utility completely "owns" the PC and so is not likely to run into any problems with locked or in-use files, or files that change during the imaging process.
Most other disk-imaging tools that run from inside Windows (including Terabyte’s own Image for Windows) rely on software sleight-of-hand, such as shadowing, to create reliable backups and images of in-use and locked files.
This usually works, but it is not as certain as booting from an external medium. In fact, that is also why some tools that use shadowing and similar techniques still recommend that you close all other programs before making an image or backup. That’s the only way to get reliability on par with that of externally bootable tools.
Admittedly, it’s less convenient to use a tool that requires a separate boot. To me, it’s worth it for the extra certainty of the imaging/backup process. But, it may not be for you. Indeed, BootItNG has a free trial period in which you can experiment to see if it fits your needs. If it doesn’t, you haven’t lost a dime.
CD-Rs don’t survive freezing temperatures
It’s midwinter here in the northern hemisphere, while our friends on the bottom half of the Earth swelter through summer. Either extreme can be deadly for CDs you create yourself, as reader Dalton Seymour found out:
- "Just had a look at your Feb. 8, 2007, newsletter comments on how long CDs will last, which referenced McFadden’s FAQ on the subject of CDs. This struck a chord with me because this year, I had the occasion to transport my computer system and collection of CDs from Michigan to Missouri in the dead of winter. Everything was packed up in the back of a pickup truck and covered with a tarp to make the trip. CDs were all in jewel cases packed in cardboard boxes.
"When they finally arrived, many of the home-grown CDs containing music transferred from vinyl to CD had died. Most were of the gold variety. My guess is that subfreezing temperatures may actually crystallize the dyes embedded in the plastic. These were all CD-R, not CD-RW. I had this happen to me once a long, long time ago with floppy media, but the phenomenon there was related to the lack of hysteresis [persistence of magnetism] at freezing temps."
Right you are, Dalton. CD-Rs last longest in dark and cool (but not cold) environments. If you burn CDs to carry data between work to home, or to rip your own music mixes, or for any other reason, don’t leave them exposed to extreme hot or cold. If you leave a CD-R sitting in your car in subfreezing temperatures or baking in the summer sun, you’ll run the risk of losing the data on that CD in a remarkably short period of time.
Another look at HijackThis
Reader Chris DeWitt’s note focuses on an old favorite antimalware tool:
- "I’ve done some PC housecleaning for various people and found that some of the common tools I’ve used (Ad Aware, Spybot, NAV) don’t always do the job. After I’ve used them, I turn to HijackThis.exe. It does a scan of your system and gives you a listing and log file of lots of potential malware files. It takes pains to tell you that these are not guaranteed to be malware, but could be. It’s up to you to then go through each line, research the item, and determine for yourself if it is a culprit.
"If you then redo the scan, you can check the appropriate lines in the list and click the Fix Checked button. It will then remove most of these. Some of the remaining items may need more sophisticated removal techniques. If you send the log file to one of the many online forms, you can get help both in determining which of these is malware and in removing the more stubborn ones. It’s a lot of work, but it can be done. Here is a link to one of the places you can get HijackThis.”
HijackThis is indeed an excellent and powerful tool. It produces so much information that it can actually be intimidating the first time you run it! Windows Secrets has discussed and recommended HijackThis on several occasions, including in the March 10, 2005, issue. The advice given then still stands today:
- “Several online forums provide free help to interpret the technical output from HijackThis. These forums are described in the HijackThis log recommendations provided by anti-adware guru Eric Howes. You’ll also want to read the HijackThis Quick Start and the HijackThis tutorial.”
Thanks, Chris!
Fred Langa edited the LangaList e-mail newsletter from 1997 to 2006, when it merged with Windows Secrets. Prior to that, he was editor of Byte Magazine and editorial director of CMP Media, overseeing Windows Magazine and others.
Gollum and Smeagol get their groove on
A hilarious new video that appeared on the Web recently is a creative, creepy, and delightful duet version of a Barry White classic. It’s performed by none other than those loveable Lord of the Rings creatures, Gollum and Smeagol.
The characters do a great job of lip-syncing the song, at least as edited by a director who goes by the handle of amds. This definitely puts a new twist on the old soul classic. Watch the video
Avoid firewall confusion with insider secrets
Firewalls are great tools, but some people find them a bit frustrating.
This week I explain a bit about firewall technologies, firewall performance, how to extract and use information from firewall logs, and how to remove a certain firewall if the need should arise.
How to uninstall the Comodo firewall
Several weeks ago in the Jan. 11 edition of this newsletter I mentioned Comodo firewall, which was recommended by one of our readers. Many of you tried it and found it to be problematic. Lloyd Lamouria wrote to share his experience:
- “After seeing the recommendation about Comodo, I decided to try it. After half a day of unsuccessfully trying to get it to play nice with my system, I finally decided to uninstall it. After the uninstall, nothing worked. No Internet connection, nothing in the Control Panel would work, Firefox would not start, Spy Sweeper hung, etc. Had to resort to a system restore. After doing some research, a lot of others have had problems as well. Just a word of caution.”
Thanks for the warning, Lloyd. If any of you readers need help uninstalling Comodo, a thread in the Comodo Support forums mentions a standalone tool that can remove the firewall completely. You can download the tool from the forum, but be aware that you must be signed up for an account and be logged in to see the download link. If you don’t want to use your real e-mail address when signing up for an account, try using Mailinator for a temporary inbox.
What ‘stateful inspection’ means for you
There are two basic types of firewalls; one is a "stateless" filtering system, while the other is a "stateful" inspection system. Bill Norrie wrote to ask about this:
- “I installed Comodo on my wireless laptop after reading the article in the Jan. 11 edition. However, I came across this information below on a forum and wonder if you would like to comment on it:
- “Comodo is not a stateful firewall. It makes little difference how good Comodo does in the leaktests; it omits the one thing the firewall was originally invented for, and that’s keeping ALL intruders out at ALL times, not just when ports are closed and hidden. The only technology with this capability is SPI, which is why it’s the one you’ll find in a hardware firewall.”
Bill, whoever wrote the post you quoted is misinformed. Comodo is, in fact, a stateful inspection firewall.
A stateless filtering system is basically a system that filters data packets without any regard to why the packet is arriving at your computer. It performs its filtering based on a simple set of rules that govern whether packets are allowed in or not, and it bases its decisions on parameters such as destination port numbers, protocol types, etc.
Stateful packet inspection (SPI) also filters packets, similarly to a stateless system. But it does its work based on a table of "connection states," thereby offering an added layer of protection.
For example, when your browser opens a connection to a Web site, the firewall makes a record of that connection and keeps track of the state of the connection — whether it’s open or closed, etc. Then, when a packet arrives at your computer, the firewall compares data in the packet to the firewall state table to determine if the packet was intended for any of the connections the firewall knows about. A stateful inspection system can also base its decisions on the actual data content of the packets it receives. Overall, stateful inspection makes for a stronger type of firewall.
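To make the difference concrete, here is an added Python model (not code from Comodo or from this column) of both filter types. The stateless filter must leave the ephemeral port range open so replies to the browser can get back in; the stateful filter instead records the browser's outbound connection and admits only packets that match it. The traffic is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving this host, "in" = arriving at it
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN set: a connection is being opened (or SYN-ACK answered)
    fin: bool = False   # TCP FIN set: the connection is closing


class StatelessFilter:
    """Judges every packet on its own, from fixed rules about ports and direction.
    To let replies to our own connections back in, it must leave the whole ephemeral
    port range open, so it cannot tell a reply from an unsolicited packet."""

    def __init__(self, open_ports=()):
        self.open_ports = set(open_ports)

    def allow(self, pkt):
        if pkt.direction == "out":
            return True
        return pkt.dst_port in self.open_ports or pkt.dst_port >= 1024


class StatefulFilter:
    """Keeps a table of connections this host opened; an inbound packet is admitted
    only when it matches a table entry (or a port we deliberately listen on)."""

    def __init__(self, open_ports=()):
        self.open_ports = set(open_ports)
        self.table = {}   # (proto, our_ip, our_port, peer_ip, peer_port) -> state

    @staticmethod
    def _key(pkt):
        if pkt.direction == "out":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        # Flip an inbound packet so a reply lands on the entry its request created.
        return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

    def allow(self, pkt):
        key = self._key(pkt)
        state = self.table.get(key)
        if pkt.direction == "out":
            if state is None:
                if pkt.proto == "tcp" and not pkt.syn:
                    return False          # data for a TCP connection we never opened
                self.table[key] = "SYN_SENT" if pkt.proto == "tcp" else "ESTABLISHED"
            elif pkt.fin:
                del self.table[key]
            return True
        if state is None:
            # Nothing we sent explains this packet: only a listening port lets it in.
            return pkt.dst_port in self.open_ports
        if pkt.proto == "tcp" and state == "SYN_SENT" and pkt.syn:
            self.table[key] = "ESTABLISHED"   # the SYN-ACK completed the handshake
        if pkt.fin:
            del self.table[key]
        return True


def compare_filters():
    """Constructed traffic: a browser's request, the real reply, then a forged 'reply'
    from a host we never contacted. Returns (stateless verdicts, stateful verdicts)."""
    me, web, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    traffic = [
        Packet("out", "tcp", me, 49152, web, 80, syn=True),      # browser opens connection
        Packet("in", "tcp", web, 80, me, 49152, syn=True),       # SYN-ACK from the server
        Packet("in", "tcp", web, 80, me, 49152),                 # page data
        Packet("in", "tcp", stranger, 80, me, 49152),            # unsolicited, looks like a reply
        Packet("in", "tcp", stranger, 4444, me, 135, syn=True),  # probe of a closed port
    ]
    stateless, stateful = StatelessFilter(), StatefulFilter()
    return ([stateless.allow(p) for p in traffic], [stateful.allow(p) for p in traffic])


if __name__ == "__main__":
    print(compare_filters())
```

The fourth packet is the one that matters: the stateless filter passes it because port 49152 looks like a reply port, while the stateful filter drops it because no entry in its table explains it.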
Stateful inspection can slow down your system
In the previous item, I briefly explained stateful inspection, but what I didn’t discuss was how stateful inspection affects system performance. Adib Behi noticed a performance lag on his system and wrote to ask about it:
- “Whenever there is a noticeable slowdown in response time on my system, I check Comodo and it reports a flurry of ‘Inbound Policy Violation.’ Most of the time, those violations come from the same few IP source addresses, mostly based in Australia or China.
“I’m happy that Comodo catches them and prevents access. Now, since this attack happens a few times every second, sometimes with short delays of five seconds in between, I presume this may be causing the slowdown. I’m no techie or Internet wiz, but that’s the only odd activity that I see.
"Is there any way that this kind of activity can be stopped? What else can be done?"
Good observation! A stateful inspection system must create and update a state table, and it must compare every packet against that table, so it naturally introduces a certain amount of processing overhead. That overhead will slow your system down to some degree. Under normal operating circumstances, it should be barely noticeable. In Adib’s case, it seems that his system is being bombarded with packets for no apparent reason, and in such a case the firewall overhead will increase considerably.
There’s not much you can do to stop the barrage of packets except to try and determine which Internet Service Provider (ISP) they originate from and then submit a report to the ISP in question. See the next item in this column for details on how to accomplish that.
How to track down and report the bad guys
If you use a firewall (and you certainly should!), then you might be among those who like to examine the logs, and possibly take action to stop attacks when you notice patterns. Huey Johnston writes to ask how to go about doing this:
- “Sometimes I find that my system is being attacked, or hammered by a bunch of network traffic from a handful of various IP addresses. This aggravates me and I want to make it stop. How do I track down the bozos that are responsible?”
Your frustration is understandable. As I mentioned above to Adib, if you want to report the activity, then you need to track down the right ISP and let them know what’s happening.
First, you need to gather the IP addresses from your firewall log. Then you can look up each IP address to find the network’s owner at the American Registry for Internet Numbers (ARIN), or you can do a reverse DNS lookup to find the actual domain tied to an IP — if that information is available — and then contact the domain operator in question.
Try a reverse DNS lookup first to see if it reveals the domain name. If not, then resort to using ARIN to find the network owner. A typical reverse DNS lookup result will look something like this:
1-2-3-4.dynamic.dsl.domainname.com
In the example above, 1-2-3-4 represents the IP address 1.2.3.4, and domainname.com is the domain name that uses the IP address. That’s the domain name where you need to go to contact someone about potential abuse. Try visiting the domain’s Web site first and look for a support link or an abuse link. If you can’t find a support or abuse contact, then try looking up the domain using WhoIs, and send your message to the e-mail address listed in the WhoIs record.
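The log-to-contact procedure above, as an added Python example (not code from this column or from any firewall vendor): count blocked inbound events per source address, reverse-resolve the frequent ones, and peel the address and pool labels off the PTR name to get the operator's domain. The log lines, their layout, and the offline resolver are all constructed; adjust `LINE_RE` to your firewall's real format and drop the fake resolver to use live DNS.

```python
import re
import socket
from collections import Counter

# Constructed log lines in a made-up "date time event src:port -> dst_port" layout;
# a real firewall's log format differs, so point LINE_RE at yours.
SAMPLE_LOG = """\
2007-02-20 09:14:01 Inbound Policy Violation 203.0.113.45:3456 -> 135
2007-02-20 09:14:01 Inbound Policy Violation 203.0.113.45:3457 -> 139
2007-02-20 09:14:03 Inbound Policy Violation 198.51.100.7:60123 -> 1433
2007-02-20 09:14:05 Inbound Policy Violation 203.0.113.45:3458 -> 445
2007-02-20 09:14:09 Outbound Allowed 10.0.0.5:49152 -> 80
"""

LINE_RE = re.compile(r"Inbound Policy Violation (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+)")

# Labels that describe a customer pool rather than the operator; extend for your ISP.
POOL_LABELS = {"dynamic", "static", "dsl", "adsl", "cable", "pool", "dhcp", "ppp",
               "dyn", "ip", "host", "cust", "customer", "res"}


def top_sources(log_text, n=3):
    """Count blocked inbound events per source IP; repeat offenders are what you report."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts.most_common(n)


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """PTR lookup; None when the address has no reverse record."""
    try:
        return resolver(ip)[0]
    except OSError:            # socket.herror and socket.gaierror are OSError subclasses
        return None


def abuse_domain(ptr_name):
    """Peel off leading labels that only encode the address (1-2-3-4, host42) or a
    pool name (dynamic, dsl) and keep what names the operator. Always leaves at least
    two labels, so example.co.uk survives as well as domainname.com."""
    labels = ptr_name.rstrip(".").lower().split(".")
    while len(labels) > 2 and (any(c.isdigit() for c in labels[0]) or labels[0] in POOL_LABELS):
        labels.pop(0)
    return ".".join(labels)


def report_targets(log_text, resolver=socket.gethostbyaddr, n=3):
    """For each frequent source: event count, PTR name, and where to send the report
    (the operator's domain, or ARIN/whois when reverse DNS gives nothing)."""
    rows = []
    for ip, count in top_sources(log_text, n):
        ptr = reverse_lookup(ip, resolver)
        contact = abuse_domain(ptr) if ptr else "no PTR: look up the netblock owner at ARIN/whois"
        rows.append((ip, count, ptr, contact))
    return rows


def fake_resolver(ip):
    """Constructed stand-in for socket.gethostbyaddr so the example runs offline."""
    table = {"203.0.113.45": "45-113-0-203.dynamic.dsl.examplenet.com"}
    if ip not in table:
        raise socket.herror(1, "Unknown host")
    return (table[ip], [], [ip])


if __name__ == "__main__":
    for row in report_targets(SAMPLE_LOG, resolver=fake_resolver):
        print(row)
```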
Make Registry key files run when clicked
Editing the Registry can be a real pain, not to mention that it can be dangerous if you make a mistake. Using a .reg file is often a simpler way to modify the Registry, assuming, of course, that such a file is available. But how can you make the .reg file load to change the Registry? Ed Tobin has this problem:
- “A company sent me a regkey.reg file that, when clicked on, creates a Registry item that tells the program that it’s a registered application.
"The problem I have is that when I click on the regkey.reg file, it doesn’t run; instead the file opens in Notepad.
"Not many software companies use this method to tell a program that it is a registered version. So I have no idea when the .reg extension stopped being an executable file.”
Ed, there are two ways to get the file to run. The first way is to open a command prompt and enter
regedit c:\temp\regkey.reg
where c:\temp\regkey.reg is the actual path to, and the name of, the Registry key file.
The second way is to configure Windows so that it automatically runs a .reg key file when you click on it. To do that, follow these steps:
Step 1. Open Windows Explorer and navigate to the .reg file location.
Step 2. Right-click the filename and select Open With.
Step 3. Select the Browse button.
Step 4. Navigate to your Windows installation directory.
Step 5. Locate regedit.exe and select it, then click Open.
Step 6. Find and select Registry Editor in the list of programs.
Step 7. Check the box Always use the selected program to open this kind of file.
Step 8. Click OK.
That’s it!
Running Vista in a virtual machine
Have you ever read Microsoft software licenses when installing the company’s programs and operating systems? If you haven’t, and you installed Vista Home, then you missed at least one important provision that Microsoft included. Joe Datres writes to ask about running Vista in a virtual machine (VM):
- “I was reading that Vista Home cannot be installed on a virtual PC, which is what I would want to do initially to test it out, play with it, see what it can do (safely). Is this true? And is there any workaround? Or is it just an end-user paper restriction?”
Joe, Microsoft’s license for Vista Home does state, “You may not use the software installed on the licensed device within a virtual (or otherwise emulated) hardware system.” So legalistically, as I understand, you can’t use Vista Home in a VM.
I’ve read that Microsoft made this restriction for “support reasons,” whatever that means. According to ZDNet Asia, “Microsoft says that consumers don’t understand the risks of running virtual machines, and they only want enterprises that understand the risks to run Vista on a VM.”
On the other hand, technically there is no limitation I am aware of that prevents anyone from loading Vista Home into a VM. Furthermore, running an operating system (OS) in a VM can be a very safe way to use that OS. When properly configured, any changes made to the OS can be effectively rolled back out by simply stopping and restarting the OS’s VM image.
I truly fail to understand what risks Microsoft perceives in using a VM. Anybody have a clue? If so, drop us a note with your comments, using the information on the Windows Secrets contact page.
Launching programs with and without DropMyRights
In the Feb. 15 edition of this newsletter, I mentioned how to remove DropMyRights if it becomes a problem when using an application. Alan Wormser writes in with his tip on how he uses DropMyRights:
- “I have been using DropMyRights for a long time now, since you first introduced me to it. To avoid the problem your reader wrote about, I simply have two icons for those programs where I use DropMyRights as a safety net. One icon opens the program with DropMyRights, and the second icon will open that same program without DropMyRights. This approach has been working fine for me.”
Thanks for the tip, Alan!
Adding icons to the IE 7 toolbar
If you’re familiar with previous versions of Internet Explorer, you’ve probably noticed that some familiar aspects seem to have vanished with IE 7. Jeff Nolan writes:
- “Used to be, when using Internet Explorer 6, mailing a page link was so easy — just click on the little envelope in the toolbar. Now that I’ve downloaded IE 7, the little envelope is no longer there. Can I get it back?”
If you click the Page button, you’ll see the option Page by Email, which lets you e-mail a Web page.
Actually, you can easily customize the entire IE 7 toolbar to add other shortcut icons. To do that, right-click anywhere on the toolbar and select Customize Command Bar, then Add or Remove Commands. Or, if you want the “classic” look that you had in IE 6, right-click anywhere on the toolbar and select Classic Menu.
Mark Joseph Edwards is a senior contributing editor of Windows IT Pro Magazine and writes the weekly email newsletter Security UPDATE. He’s a network engineer, freelance writer, and the author of Internet Security with Windows NT.
Vista Timesaver #4 — the Windows Experience Index
Windows Vista incorporates many firsts for Microsoft — some good, some dubious.
Microsoft’s first officially sanctioned hardware performance benchmark, the Windows Experience Index (WEI), displays some useful information — if you understand its limitations. Save yourself time and money by looking behind the numbers.
The trouble with Vista’s benchmarks
Hardware benchmarks have suffered a long, checkered history. Once the talk of the computer magazine industry, hardware manufacturers since the dawn of the Bronze Age have tweaked, mangled, and goosed their designs to boost meaningless performance numbers. Scandals erupted when manufacturers cooked their products to increase ratings in the big-name computer magazines, frequently sacrificing overall performance to gain a slight advantage with this test or that index.
Now it’s happening again.
But this time, Microsoft is putting its seal of approval on a collection of benchmark tests, which are baked right into Vista itself. Microsoft tries to gussy things up by calling its hardware benchmark numbers an "Experience Index." That’s like calling the Internal Revenue Service’s Form 1040 a "Wealth Assistant." But whatever you call it, you can bet that every hardware manufacturer from Biloxi to Bangalore has its cooks stewing overtime to boost their products’ Windows Experience Index (WEI).
When you look at your computer’s WEI, and when you comparison shop for products based on their WEI, remember that benchmarks always lie, but the best ones don’t lie as much. A 20% difference in any single WEI score won’t be perceptible to the average human. More than that, the WEI scores are calculated in a way that, in some cases, defies any sort of logic I can discern.
Before you waste time and money chasing an elusive performance boost, make sure you understand the numbers.
How to understand your computer’s WEI
You probably hunted down your computer’s WEI the minute you first booted Vista. If you haven’t seen yours yet, it’s worth a gander. There are many ways to get to the WEI, but one of the easiest is to click Start, Control Panel, then click the System and Maintenance link. Under the System icon, click the link marked Check your computer’s Windows Experience Index base score. Vista shows you the WEI that it calculated the last time it ran its set of benchmarks. The WEI for one of my Vista machines appears here as Figure 1.
Figure 1: The Windows Experience Index consists of five component scores.
There’s a program — actually a big bunch of programs — called the Windows System Assessment Tool that runs all the benchmarks and boils the results down to the WEI numbers you see on the screen. The raw scores are stored in XML files in the folder named:
C:\Windows\Performance\WinSAT\DataStore
WinSAT produces seven component scores. You see five of them in the WEI screen. (Internally generated scores called CPUSubAggScore and VideoEncodeScore don’t appear on the WEI screen, and don’t affect the overall performance rating, er, "Experience Index.") WEI takes the lowest of the five displayed scores and uses that as your overall system rating — your Windows Experience Index Base Score, in Microsoft parlance.
In the system shown in Figure 1, my CPU — a laid-back 3.2 GHz Pentium 4 — pulls down my overall rating from a 5.0 (the score on my next-slowest component, memory) to a 4.3. In other words, if my processor were infinitely fast, my system would rate 5.0. See how that works?
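You can check the "lowest displayed score wins" rule against the raw numbers yourself. The PowerShell below is an added example, not part of the column or of WinSAT; it assumes the assessment files are named `* Formal.Assessment *.WinSAT.xml` and that each carries a `WinSPR` element with child elements named SystemScore, MemoryScore, CpuScore, CPUSubAggScore, VideoEncodeScore, GraphicsScore, GamingScore and DiskScore. If no DataStore folder is present it falls back to a constructed sample modelled on the Figure 1 machine, so it runs anywhere.

```powershell
# Added example: read the newest WinSAT formal assessment, list all seven
# component scores, and recompute the base score as the lowest of the five
# that the WEI screen displays. Element names are assumed (see lead-in).
$dataStore = Join-Path $env:SystemRoot 'Performance\WinSAT\DataStore'

$all       = 'SystemScore','MemoryScore','CpuScore','CPUSubAggScore',
             'VideoEncodeScore','GraphicsScore','GamingScore','DiskScore'
# The five scores the WEI screen shows; CPUSubAggScore and VideoEncodeScore are internal.
$displayed = 'CpuScore','MemoryScore','GraphicsScore','GamingScore','DiskScore'

function Get-LatestWinSatXml {
    if (-not (Test-Path $dataStore)) { return $null }
    Get-ChildItem -Path $dataStore -Filter '*Formal.Assessment*.WinSAT.xml' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
}

$file = Get-LatestWinSatXml
if ($file) {
    "Reading $($file.FullName)"
    $doc = [xml](Get-Content -Path $file.FullName)
} else {
    'No DataStore found; using a constructed sample (not real WinSAT output).'
    $doc = [xml]@"
<WinSAT>
  <WinSPR>
    <SystemScore>4.3</SystemScore>
    <MemoryScore>5.0</MemoryScore>
    <CpuScore>4.3</CpuScore>
    <CPUSubAggScore>4.1</CPUSubAggScore>
    <VideoEncodeScore>3.8</VideoEncodeScore>
    <GraphicsScore>5.9</GraphicsScore>
    <GamingScore>5.2</GamingScore>
    <DiskScore>5.3</DiskScore>
  </WinSPR>
</WinSAT>
"@
}

# Pull every score into a hashtable; a missing element reads as 0.0.
$spr    = $doc.WinSAT.WinSPR
$scores = @{}
foreach ($name in $all) { $scores[$name] = [double]$spr.$name }
foreach ($name in $all) { '{0,-18} {1:N1}' -f $name, $scores[$name] }

# The component with the lowest displayed score is the one holding the base score down.
$bottleneck = $displayed | Sort-Object { $scores[$_] } | Select-Object -First 1
$lowest     = $scores[$bottleneck]
'Base score in file: {0:N1}; lowest displayed score: {1:N1} ({2})' -f `
    $scores['SystemScore'], $lowest, $bottleneck
if ([math]::Abs($lowest - $scores['SystemScore']) -gt 0.05) {
    'Base score is not the lowest displayed score; check the file by hand.'
}
```

Run it from an elevated prompt if you want to regenerate the assessment first with `winsat formal`; the script only reads what is already in the DataStore. The constructed sample gives "lowest displayed score: 4.3 (CpuScore)", which is the Figure 1 situation in numbers.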
The index maxes out at 5.9
At this moment, every component on every computer gets a rating between 1.0 and 5.9, except for hard drives, which run from 2.0 to 5.9. You could install the fastest overclocked gigacore pipelined processor on the planet with ten terabytes of L2 cache and your CPU score wouldn’t hit 6.0. You could have two chipmunks spinning hard drive platters for peanuts and your disk wouldn’t fall below 2.0.
Microsoft has scaled the scores. Over time, the maximum values will increase, but for now 5.9 is as good as it gets. Think of the open-ended Richter scale, where we haven’t seen a big enough quake yet to reach 10.
That part’s easy. Understanding the rest of the numbers isn’t nearly so straightforward.
A critical look at WEI’s scoring components
Each of the five component scores that you see on the screen has its own foibles. I go into detail in Windows Vista Timesaving Techniques For Dummies, but here’s the high-level take.
The processor score measures how quickly your processor runs a battery of CPU-intensive tests, such as compressing and decompressing data, encryption and decryption, and encoding video. It does not attempt to measure many compute-intensive activities that you’ll see in other processor benchmarks, such as recalculating huge spreadsheets or repaginating War and Peace or morphing Bill Clinton’s old publicity stills. Depending on the kind of work you do, the Vista benchmarks may or may not reflect your kind of work.
Perhaps the oddest of the bunch, the memory component score, incorporates a penalty that caps your performance score if you have less than 1.5 GB of memory. WinSAT calculates how fast your memory runs, but then cuts off the score at 2.9 if you have 512 MB of memory, 3.9 if you have 768 MB, and 4.5 if you have less than 1.5 GB. I have no idea how Microsoft came up with those numbers, but if you see a suspiciously low memory speed score, your memory may not be failing you!
The graphics component score emphasizes two-dimensional video performance, with specific tests geared to the Desktop Window Manager (the program that controls the Aero interface), video memory bandwidth, and video decoder capability. If your graphics card doesn’t support the Windows Display Driver Model (WDDM), your score gets capped at 1.9.
The gaming graphics component, confusingly, deals with 3D graphics. Internally, it’s called the "D3D" score. This is shorthand for Direct3D, Microsoft’s proprietary set of commands for high-performance 3D picture rendering. The benchmark measures blending and shading performance. If your graphics card doesn’t support the Pixel Shader 3.0 spec, the score gets clipped at 4.9, no matter how fast your card.
Your primary hard disk component score doesn’t measure rotational latency or seek times or caching or any of the things that disk geeks argue about endlessly. Vista’s benchmark simply measures how quickly your computer can read sequential sectors on the disk. That’s it. WinSAT doesn’t even try to write any data to the disk. It’s a dud of a benchmark.
Don’t overestimate Microsoft’s performance ratings
If you have a great Windows Experience Index base score, flaunt it! Show it off to your friends and neighbors. Brag about it at work. Print it and frame it. Save copies for the kids.
But don’t fool yourself, for even one minute, that Microsoft’s consecrated ratings mean much. Learn about the numbers, and what goes into them. They’re not holy writ. And for heaven’s sake, don’t waste your time or money trying to bring a 2.8 up to a 3.2, or a 4.1 up to a 4.7. You’ll never notice the difference.
Woody Leonhard’s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2025 AskWoody LLC, All rights reserved.