Dealing with Hosts File Poisoning

A common spyware and pop-up tactic these days is hosts file poisoning.  Hosts file poisoning involves injecting new entries for Internet sites into a computer’s hosts file, so that web site requests are either rerouted to another site or simply return a “Page Not Found” error.

I first encountered this little trick when getting rid of some spyware and adware on a friend’s computer.  I tried to go to a popular anti-virus site to download the latest anti-virus definitions, and was constantly routed to another site filled with the typical pop-up ads for a variety of products.  I then did the typical things you’d do to help fix the problem, like dumping the Internet cache, cookies, and history, making sure my DNS was properly configured and working, and checking the browser’s settings.  When that didn’t work, I started looking a little bit deeper.  After a couple of minutes, I realized the problem was a bit simpler than some new form of malware.  It was an issue with the computer’s own hosts file.  For those of you who may not have messed around with the hosts file before, here’s a little background:

In the good old days before DNS was commonly used for host name resolution, computers used hosts files, which are simple text files, to resolve host names to IP addresses when accessing other computers or Internet sites.  These static text files contained mappings of Internet IP addresses to the destination computer’s host name or web site. When users requested access to those computers by host name, the hosts file was checked, and if an entry for that computer or site was found, it was resolved to an IP address, just as DNS does today.

As a holdover from those days, Windows computers still have and check the hosts file during the name resolution process. By default, the computer checks the hosts file first, before attempting to resolve the name through DNS.  If it finds an entry for the name, it uses that entry and does not try DNS.  On most computers there are no entries in the hosts file, except for the local loopback address, so name resolution proceeds normally through DNS.

A favorite tactic of those folks who send you tons of pop-ups and other annoying forms of malware is to put entries into the file, so that your computer resolves certain names from it instead of going on to DNS.  On the computer I mentioned above, I found about 100 entries in this file.  In addition to entries rerouting just about every common page you could think of, like web-based email and news sites, to other sites, the entries also rerouted popular anti-virus sites back to the computer’s own loopback address.  This resulted in any attempt to get to those sites being redirected back to the computer itself and returning a “Page Not Found” error, which meant that my friend would never be able to get updates to his anti-virus software.

The quick solution is to simply get rid of those entries and reboot, so the computer will re-read the file, but that doesn’t permanently fix the problem, of course.  It could get poisoned over and over.  So there are a few other steps you can take to make sure that this tactic can’t be used against you again.

If you don’t really have a need for the file, you could rename it to something else so it wouldn’t be read as the hosts file.  I experimented with this on a Windows XP SP2 box, and it didn’t seem to affect my name resolution.

On computers running Windows NT, 2000, XP, and 2003, this file is located in the %systemroot%\system32\drivers\etc folder. Just rename it; I wouldn’t recommend deleting it entirely, since one day you may actually have a need for it.  Then set the folder containing it to “read only” for the folder and all subfolders and files.

On the other hand, if you think you do have a need for it, at least mark the file as “read only” and change the permissions on it.  This at least may keep it from being altered by anyone except you, if you so desire.

In any case, when trying to get rid of spyware, adware, and those pesky pop-ups, I’d add checking the hosts file to my troubleshooting list, and you’ll have one more way of fighting malware!
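A quick way to put that check on the troubleshooting list is to script it. The following Python is an added example, not code from the article: it parses hosts-file text and reports names that are blackholed to the loopback address or rerouted to another host. The keyword list and the sample hosts file are constructed; the file location is the one given above.

```python
"""Added example: flag poisoned entries in a Windows hosts file.

Not code from the original article. The keyword list and sample file are
constructed for illustration; the file location is the one the text gives.
"""
import ipaddress
import os

# Names that a poisoned hosts file typically blackholes so that updates and
# removal tools can never be fetched. Constructed list: extend it with the
# vendors you actually rely on (an assumption, not taken from the article).
PROTECTED_KEYWORDS = ("antivirus", "update", "windowsupdate", "symantec",
                      "mcafee", "avast", "kaspersky")

HOSTS_PATH = os.path.expandvars(r"%SystemRoot%\system32\drivers\etc\hosts")

# Constructed sample of a poisoned hosts file (not a real capture).
SAMPLE_HOSTS = """\
# Constructed sample: two AV sites blackholed, two sites rerouted
127.0.0.1       localhost
127.0.0.1       update.antivirus-vendor.test
127.0.0.1       www.antivirus-vendor.test
10.0.0.99       mail.example.test     # webmail rerouted to an ad host
10.0.0.99       news.example.test
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active mapping line.

    Handles tabs, CRLF line endings and trailing '# comments'; lines whose
    first field is not an IP address are ignored rather than reported.
    """
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield n, ip, fields[1:]


def is_default_entry(ip, hosts):
    """The stock '127.0.0.1 localhost' (and '::1 localhost') line is benign."""
    return ip.is_loopback and all(h.lower() == "localhost" for h in hosts)


def find_poisoned(text, max_expected=5):
    """Return human-readable findings for suspicious entries in hosts text.

    Two patterns from the article are covered: names blackholed to loopback
    (the browser gets 'Page Not Found') and names rerouted to another host.
    """
    findings = []
    entries = list(parse_hosts(text))
    if len(entries) > max_expected:
        findings.append(f"{len(entries)} mapping lines; a stock XP hosts file "
                        f"has only the loopback entry")
    for n, ip, hosts in entries:
        if is_default_entry(ip, hosts):
            continue
        for host in hosts:
            if ip.is_loopback:
                kind = "blackholed to loopback"
                if any(k in host.lower() for k in PROTECTED_KEYWORDS):
                    kind += " (security/update site)"
            else:
                kind = f"rerouted to {ip}"
            findings.append(f"line {n}: {host} {kind}")
    return findings


def check_hosts_file(path=HOSTS_PATH):
    """Read the live hosts file (Windows writes it as ANSI text) and check it."""
    with open(path, encoding="cp1252", errors="replace") as fh:
        return find_poisoned(fh.read())


if __name__ == "__main__":
    for line in find_poisoned(SAMPLE_HOSTS):
        print(line)
```

Run check_hosts_file() on the machine itself to audit the real file; any finding other than the localhost line deserves a look before you rename or lock the file down.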

Change IP Addresses with a NETSH Script

If you need to move your Windows XP laptop between networks regularly, then you’re no doubt familiar with the hassles of switching your network settings back and forth. If you’re lucky, all of the networks that you connect to use DHCP and it isn’t an issue. However, manual changes are necessary when this isn’t the case.

While changing your TCP/IP settings manually is not exactly a big deal, the NETSH command can easily put you just a double-click away from automating the switch. All you need to do is add the appropriate NETSH commands for each network to its own VBS script, and you can change anything from your IP address and default gateway settings to your DNS server addresses.

To set a static address of 192.168.1.105 and a subnet mask of 255.255.255.0 with NETSH, you would issue the following command:

netsh int ip set address name="Local Area Connection" source=static addr=192.168.1.105 mask=255.255.255.0

Of course, you’ll need to add the name of your connection in the name field (ipconfig /all provides the details). Quotes are necessary when the name includes spaces. If the command completes successfully, you’ll be presented with one very simple message – OK.

To change your default gateway address to 192.168.1.1, issue the following command:

netsh int ip set address name="Local Area Connection" source=static gateway=192.168.1.1 gwmetric=1

To switch your DNS server address to 192.168.1.100, the command would be:

netsh int ip set dns name="Local Area Connection" source=static addr=192.168.1.100

To switch these same elements back to using DHCP instead, the commands would be:

netsh int ip set address name="Local Area Connection" source=dhcp

netsh int ip set dns name="Local Area Connection" source=dhcp

To automate the process of changing your addresses, fire up Notepad, create a Netsh command script for each network, and then save the resulting files to your desktop with .VBS extensions.

Create one for home, another for work, or as many as you need for the various networks you connect to. If you need to change your TCP/IP settings manually, this is a huge time saver. For more details on the NETSH command and its options, type netsh int ip set address and press Enter.
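Generating those per-network scripts from one place also lets you sanity-check the addresses before they are applied, since a gateway off the subnet or a mistyped DNS address only shows up later as a dead connection. The following Python is an added example, not from the article: it builds the NETSH lines in the syntax shown above from constructed profiles and writes one plain .cmd batch file per network (the text saves them with a .VBS extension; batch files are my own choice here).

```python
"""Added example: build and sanity-check NETSH profile scripts.

Not code from the original article. Profiles below are constructed; the
connection name must match what 'ipconfig /all' shows on your machine.
"""
import ipaddress
import os

# Constructed profiles: one static network (the addresses used in the text)
# and one DHCP network.
PROFILES = {
    "home": {"source": "static", "addr": "192.168.1.105",
             "mask": "255.255.255.0", "gateway": "192.168.1.1",
             "dns": "192.168.1.100"},
    "work": {"source": "dhcp"},
}


def static_problems(p):
    """Return the problems that would make a static profile unusable."""
    problems = []
    try:
        host = ipaddress.ip_address(p["addr"])
        net = ipaddress.ip_network(f"{p['addr']}/{p['mask']}", strict=False)
        gw = ipaddress.ip_address(p["gateway"])
    except ValueError as exc:
        return [f"bad address field: {exc}"]
    if gw not in net:
        problems.append(f"gateway {gw} is not on subnet {net}")
    elif gw == host:
        problems.append("gateway is the same as the host address")
    try:
        ipaddress.ip_address(p["dns"])
    except ValueError:
        problems.append(f"dns {p['dns']!r} is not an IP address")
    return problems


def netsh_commands(conn, p):
    """Return the netsh lines for one profile, in the syntax the text uses."""
    name = f'name="{conn}"'
    if p["source"] == "dhcp":
        return [f"netsh int ip set address {name} source=dhcp",
                f"netsh int ip set dns {name} source=dhcp"]
    problems = static_problems(p)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"netsh int ip set address {name} source=static "
        f"addr={p['addr']} mask={p['mask']}",
        f"netsh int ip set address {name} source=static "
        f"gateway={p['gateway']} gwmetric=1",
        f"netsh int ip set dns {name} source=static addr={p['dns']}",
    ]


def write_scripts(profiles, conn="Local Area Connection", outdir="."):
    """Write one <profile>.cmd file per network; return the paths written.

    Plain batch files are an assumption of this example. Each script echoes
    the profile it applies and ends with ipconfig so a wrong double-click
    is obvious at once.
    """
    paths = []
    for label, profile in profiles.items():
        path = os.path.join(outdir, f"{label}.cmd")
        lines = ["@echo off", f"echo Applying network profile: {label}"]
        lines += netsh_commands(conn, profile)
        lines.append("ipconfig /all")
        with open(path, "w", newline="\r\n") as fh:   # CRLF for cmd.exe
            fh.write("\n".join(lines) + "\n")
        paths.append(path)
    return paths


if __name__ == "__main__":
    for label, profile in PROFILES.items():
        print(f"--- {label} ---")
        print("\n".join(netsh_commands("Local Area Connection", profile)))
```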

Group Policy Settings Reference for SP2

Anyone who has ever used Group Policy knows that it’s a powerful ally in the battle to standardize configuration settings and lock down user desktops. However, with literally hundreds of different configurable options, finding the settings you’re looking for can often be a frustrating experience.

Thankfully, help is out there, even if it is a little tough to find. With the release of Windows XP Service Pack 2, Microsoft makes an Excel spreadsheet available that not only lists all of the individual Group Policy settings (including all SP2 updates), but also lists their related Registry locations. This is a great tool for any administrator looking to dig deeper into the details of deploying policy settings to Windows XP Professional systems. All settings are organized on different tabs according to their corresponding ADM files, helping to keep things a little more orderly than they would otherwise be.

As a side benefit, the information provided in this file may also be useful to any administrator looking for a way to lock down Windows XP Home systems in small office environments. While XP Home doesn’t include the Group Policy tool, you could use the information found in this file to take advantage of certain policy settings using the Registry Editor.

So where can you find this great little reference? Just follow this link to the Group Policy Settings Reference for Windows XP Professional Service Pack 2.

Windows XP Deployment Tools

Back in the olden days (about 4 operating systems ago!) installation alternatives were more or less limited to those of the manual kind – an endless series of clicks on a “Next” button along with many wasted hours fighting with IRQs, device drivers, and the like. The advent of more intelligent Windows versions has helped to cut down on the number of configuration issues associated with an installation. However, most users still reach for the CD and prepare for at least another boring hour of answering simple questions when an operating system installation is required. Thankfully, Windows XP includes a number of “hidden” utilities that can help you to avoid this monotonous undertaking both at home and in corporate environments.

Installation Options

While a traditional question-and-answer CD-based installation may be the simplest option for new users, Windows XP provides a set of deployment tools that allow more seasoned Windows users to automate the installation process. For example, Windows XP includes a wizard-based tool called Setup Manager that allows you to pre-create a simple text file that answers all of the questions asked during the installation process. This makes Setup Manager an invaluable tool for both home users and those who want to install Windows XP Home or Professional on a large number of machines with the least administrative effort possible. Another valuable deployment utility comes in the form of the Sysprep tool. This application is aimed mainly at administrators in domain environments who want to deploy Windows XP Professional using imaging tools like Symantec Ghost. Sysprep automatically removes all of the “unique” configuration information about a machine such as its computer name and security identifiers prior to imaging. This eliminates the need to use utilities such as Ghost Walker after deploying an image to erase and reconfigure unique computer settings.

Deployment Tools

The Windows XP deployment tools can be found buried away on the Windows XP Home or Professional CD in a directory called \Support\Tools. A single file called DEPLOY.CAB includes both the Setup Manager and Sysprep utilities, as well as a variety of other tools aimed at OEM computer resellers. Most importantly, this file also includes extensive documentation on the use of these utilities in the form of Help files. In order to get started, extract the contents of the DEPLOY.CAB file to a unique directory on your hard drive. It’s not worth picking and choosing between the files to extract since multiple files are needed in some cases, such as with Sysprep.

Setup Manager

We’ll start with a look at Setup Manager since the benefits that it provides are applicable to any Windows XP user. Given that the purpose of the program is to help automate the installation of Windows XP, you obviously don’t need to be running Windows XP to use it. Simply click on the file Setupmgr.exe to start the wizard and begin the process. A summary of the steps involved in running Setup Manager is covered at the end of this article.

The Setup Manager tool prompts you to provide answers to all of the questions normally asked during the installation process, including information such as the computer name, administrator password, networking settings, and more. Ultimately, all of these settings are stored in a text file called unattend.txt, as shown below. Setup Manager also creates a helpful batch file called unattend.bat. This file should be used to launch the installation process, as it will use the unattend.txt answer file that was created by the wizard. Once launched, the installation process proceeds onscreen as normal, although when the Fully automated option is chosen, the user is not prompted for input.

Beyond simply creating new answer files, Setup Manager also provides a few additional capabilities. The first is the ability to load and edit existing answer files using the wizard interface. Although these text files can be modified manually in a text editor like Notepad, their somewhat tricky syntax makes this best avoided. Secondly, Setup Manager can also be used to create a file called sysprep.inf that is capable of automating the mini-setup wizard that appears after using the Sysprep utility.
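Because the answer file carries the administrator password, it deserves a look before it is copied to a floppy, share or CD. The following Python is an added example, not code from the article: it audits a constructed unattend.txt in the standard INI-style layout. [GuiUnattended] AdminPassword, EncryptedAdminPassword and AutoLogon, and [Unattended] UnattendMode, are the usual answer-file keys; the sample values are made up.

```python
"""Added example: audit a Setup Manager answer file before you deploy it.

Not code from the original article. The sample below is constructed in the
unattend.txt layout; the key names are the standard answer-file keys and
the values (password, product key, names) are placeholders.
"""
import configparser

# Constructed sample in the shape Setup Manager writes (no real key or password).
SAMPLE_UNATTEND = """\
[Data]
AutoPartition=1
MsDosInitiated="0"
UnattendedInstall="Yes"

[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
TargetPath=\\WINDOWS

[GuiUnattended]
AdminPassword="Constructed-Passw0rd"
EncryptedAdminPassword=NO
AutoLogon=Yes
AutoLogonCount=1

[UserData]
ProductKey=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
FullName="Home User"
ComputerName=HOMEPC
"""


def load_answer_file(text):
    """Parse the INI-style answer file without touching key case or '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                     # keep AdminPassword as written
    cp.read_string(text)
    return cp


def value(cp, section, key, default=""):
    """Fetch a key and strip the optional double quotes Setup Manager adds."""
    if not cp.has_section(section):
        return default
    return cp[section].get(key, default).strip().strip('"')


def audit_answer_file(text):
    """Return findings a practitioner wants before the file leaves the desk."""
    cp = load_answer_file(text)
    findings = []
    pwd = value(cp, "GuiUnattended", "AdminPassword")
    enc = value(cp, "GuiUnattended", "EncryptedAdminPassword", "NO").upper()
    if pwd and enc != "YES":
        # Setup Manager only hashes the password when asked to; otherwise
        # anyone who can read the file learns the local Administrator password.
        findings.append("Administrator password stored in plaintext "
                        "(EncryptedAdminPassword is not YES)")
    if value(cp, "GuiUnattended", "AutoLogon").upper() == "YES":
        findings.append("AutoLogon=Yes: first boot logs on as Administrator "
                        "without anyone at the keyboard")
    if value(cp, "UserData", "ProductKey"):
        findings.append("ProductKey present: treat the file as confidential")
    mode = value(cp, "Unattended", "UnattendMode") or "(not set)"
    findings.append(f"UnattendMode={mode}")
    return findings


if __name__ == "__main__":
    for finding in audit_answer_file(SAMPLE_UNATTEND):
        print(finding)
```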

Disk Imaging

In recent years, disk imaging utilities like Symantec Ghost and Powerquest DriveImage have become the defacto standard tools for deploying operating systems in corporate environments. Although tools like Ghost are also popular amongst home users, businesses have the most to gain from these applications, based on the large number of PCs they typically deploy.

While disk imaging certainly has advantages in terms of speed and efficiency, this method of deployment is also prone to certain shortcomings. First and foremost, since imaging utilities create a binary copy of all data stored on the hard disk of the system on which the image was created, identical hardware is generally required on the systems to which the image will be deployed. Secondly, since the deployed image is going to be an exact copy of the source machine, settings that cannot be the same, such as computer names and TCP/IP settings, must be changed on each individual system that the image is installed on. While this is a rather simple affair on Windows 9X operating systems, the challenge is greater on systems running Windows 2000 or XP. These OSes suffer from a third issue, namely the fact that all Windows 2000 or XP systems use a security identifier (SID) that uniquely identifies them to other network machines and to the domain, if one exists. As such, the SID of all Windows 2000 or XP systems has to be changed either after the image is deployed using a utility like Ghost Walker, or in advance using a utility like Sysprep.

Sysprep

The Sysprep deployment tool is likely to be of most use to network administrators in corporate environments deploying Windows XP Professional. While the utility is easy to use, a number of caveats exist in terms of using it properly. Firstly, Sysprep is meant to be used after you have installed and configured Windows XP and associated applications, but before an image is created using your favorite disk imaging utility. Sysprep’s job is to erase all of the unique identifiers on a computer, such as its computer name, serial number, and SID information. Once the utility has completed these steps, the system is ready for imaging. After the image is created and deployed as usual, you will be presented with what Microsoft calls a mini-setup wizard during the initial boot process. Essentially, this allows you to input the system’s unique information, such as a new computer name, administrator information, and serial number. For those looking for a shortcut here, the Setup Manager tool can be used to create a mini answer file (Sysprep.inf) that automates this process as well, allowing the information it contains to be read from a floppy disk.

To properly run Sysprep, copy both the sysprep.exe and setupcl.exe files extracted from DEPLOY.CAB to a new directory called Sysprep on your C drive. Once your operating system is ready to be imaged, run the Sysprep.exe file and check the PnP, MiniSetup and Pre-activated checkboxes, as shown.

Another fringe benefit to using Sysprep prior to imaging is that it is capable of automatically detecting minor hardware differences between machines when the PnP box is checked. This is especially useful when using hardware that is not quite identical, such as when a vendor uses different network or video cards in otherwise identical systems. To complete the Sysprep process, just click the Reseal button. This will shut down the PC, allowing you to image it using a utility such as Ghost. Once the image is deployed to another PC, just complete the mini-setup wizard when it appears onscreen (or automate it using a Sysprep.inf file), and you’re ready to go!

Automating Installations Using Setup Manager

Step 1: Browse to the \Support\Tools directory on the Windows XP CD. Right-click on the DEPLOY.CAB to extract it to a new directory called Deployment Tools using a utility like WinZip.

Step 2: From the Deployment Tools directory, double-click on Setupmgr.exe to start the Setup Manager Wizard, and then click Next. Choose to Create a new answer file. Click Next.

Step 3: Select the Windows Unattended Installation radio button and click Next. When prompted for the operating system version, select either Windows XP Home or Professional. Click Next.

Step 4: Select the Fully automated radio button as shown above and click Next. Select whether the installation will occur from the CD or another source, and again click Next. Accept the Licensing Agreement, and then click Next.

Step 5: The Windows Setup Manager screen shown above allows you to configure settings specific to your installation. Provide all necessary information, and ultimately click Finish. This will create both the unattend.txt and unattend.bat files in the directory you specify.

Step 6: Browse to the directory specified in Step 5 and then run the unattend.bat file to begin the installation, ensuring that the Windows XP source files are in the directory you specified during the Setup Manager wizard.

Remote Desktop Alternatives and Dynamic DNS

While Windows XP Professional users can take advantage of the fact that Remote Desktop is a built-in and easily configured feature, the fact that it isn’t included with other Microsoft operating systems may leave you feeling a little out in the cold. Not to worry, as alternatives do exist. If you’re looking for a free solution, take the time to investigate RealVNC, available at www.realvnc.org. If you’re looking for something with support attached, you may want to take a closer look at GoToMyPC (http://www.gotomypc.com/), a subscription service that allows you to get to your PC from any web browser over a secure connection.

Get home with DynDNS

One of the biggest challenges involved with trying to access your home PC from the office or while on the road is remembering your IP address. Depending upon your ISP, you may have been allocated a fixed IP address that never changes, or one that changes regularly. Obviously changing IP addresses present an issue, since you’ll need to provide the correct address in order to connect to your XP system running Remote Desktop.

Thankfully there’s an easy solution at hand – dynamic DNS. Dynamic DNS is a service that allows you to map your current IP address to a free domain name like dan1999.dyndns.org. Then, you only need to remember that name rather than the address in use. Updates can be performed manually via the dyndns.org website, but a better bet is to download and install one of the many automatic updating tools listed on the site. Once installed, these utilities will automatically update your IP address with the dyndns.org servers whenever your IP address changes, and you’ll always be able to connect. Best of all, this service is free, and you have 45 potential domain names to choose from – good fun!

Adding Remote Desktop Users and Configuring Firewall Settings

In order for users to be able to connect to an XP Professional system using Remote Desktop, they must either be a member of the Administrators group on that system, or be explicitly granted access. To grant non-administrative users access to Remote Desktop, open the System applet to the Remote tab and click the Select Remote Users button. From the window that opens, use the Add button to select the user accounts that should have access. It’s worth noting that a user account must have already been created for the user from the Local Users and Groups node in Computer Management, so you may need to stop there first. Also keep in mind that users without a password configured for their account are never allowed to connect to Remote Desktop.

Remote Desktop Firewall Settings

If you need to connect to a Remote Desktop system behind a firewall, the firewall will need to be configured to forward traffic destined for TCP port 3389. This is simple if you’re using Windows Firewall – just check the Remote Desktop checkbox on the Exceptions tab. You’ll also need to supply the name or IP address of the system you’ll need to connect to through the firewall. For all other firewalls (including hardware models), check your documentation as to how to forward traffic received for port 3389 to the XP Professional system with Remote Desktop enabled.

Configuring Remote Desktop Client

At first glance, the Remote Desktop Connection window looks exceptionally simple, only requiring you to specify a computer to connect to. In this case, the “name” that you need to provide depends upon where you’re sitting. For example, if the client and XP Professional system with Remote Desktop enabled are located on the same network, the computer name (or local IP address) of the XP system will suffice. If you’re connecting over the Internet, then you’ll need to specify your public IP address. If your XP system is directly connected to the Internet, you can find this address with the IPCONFIG command. The tough part is that depending upon your Internet connection type, your IP address may change frequently. This obviously presents an issue (not knowing the address) when you need to connect. In these situations, your best bet is to use a free dynamic DNS solution, as outlined in the boxout at the end of this article. If implemented, you’ll be able to get at your home PC using a name like myhomepc.dyndns.org rather than have to remember or deal with changing IP addresses.

To get the most out of Remote Desktop Connection, you’ll want to customize its settings according to your preferences and needs. Clicking the Options button makes a number of additional configurable settings available to you, giving you control of everything from what username and password should be used for the connection through to optimization settings for speed and display.

When the Options button is pressed you’ll be presented with 5 tabs – General, Display, Local Resources, Programs, and Experience. The General tab allows you to configure a username and password to connect to the remote system, as well as a domain name if necessary. This user account must exist on the remote Windows XP Professional system, and the account must have permissions for Remote Desktop (more on that shortly). If you want to make future reconnections easier, use the Save As button on this tab to save your customized connection settings as a .RDP file that can be used as a shortcut later.

The Display tab looks somewhat similar to the Settings tab in the Control Panel display applet. However, its purpose in this case is to control how the remote desktop environment will be displayed on your local PC. Most users will prefer to use the right-most setting in the Remote Desktop Size section, allowing them to view things “full screen”. Smaller windows are also possible, and often preferable over slower connections. If you are dealing with a slower connection (such as dialup), then make a point of choosing the lowest possible color setting, namely 256 colors. If you choose 16- or 24-bit color more information will need to be transmitted over the connection, and performance will definitely be sluggish. Higher color settings are generally responsive enough over broadband connections, however.

The Local Resources tab allows you to control how different remote elements are presented to your local computer. For example, in the Sound section you can control whether remote sounds (like error beeps) are sent to your system running Remote Desktop Connection, and what will happen when you press a Windows key combination like Alt+Tab. As a general rule, avoid having sounds sent over the connection as this may chew limited bandwidth. As for the Keyboard section, the default setting (In full screen mode only), ensures that the remote system responds to Windows keys in full screen mode, and that the local system responds at any other window size.

The most important settings on this tab are those in the Local devices section. By checking the checkboxes for Disk drives, Printers, and Serial ports you can make these devices on your local system available to the system running Remote Desktop. That may sound confusing, but it’s actually quite simple. If you were to select Printers, for example, after connecting you would be able to open a file on your remote system and print to the printer sitting next to you. Similarly, making your system’s local disk drives available to the remote system would allow you to open a file on the remote system and save it to the disk of the system you’re working from – a very simple and effective way to transfer that forgotten file.

The Programs tab allows you to specify a program that should be started on the remote system once a connection to that system is established. This would be useful in cases where you need a certain application running on the remote PC and want to have it started automatically without any additional interaction.

Finally, the Experience tab allows you to specify your connection type and speed to optimize the performance of Remote Desktop – make sure the setting here matches your connection type for best performance. In the Allow the following section, you can control which “fancy” Windows elements will be enabled over the connection. We generally suggest unchecking all boxes here with the exception of Bitmap caching, since elements like Themes and animations will slow down performance. Bitmap caching helps to reduce the amount of information that needs to be transferred between the Remote Desktop system and the connecting client, and can noticeably improve performance.

Remote Desktop Client Software

The client software used to connect to an XP Professional system with Remote Desktop enabled is called Remote Desktop Connection, and is installed by default on both Windows XP Home and Professional systems. The software can be started from the Run command by specifying its executable name (mstsc.exe), or from the shortcut found under Start > All Programs > Accessories > Communications. The Remote Desktop Connection window that will open is shown here.

If you’re running a client operating system other than XP Home or Professional and need to connect to an XP system running Remote Desktop, all is not lost. Remote Desktop Connection software can be downloaded from Microsoft for free, and runs on everything from Windows 95 through to Windows 2000. Obtain the latest version online at http://www.microsoft.com/windowsxp/pro/downloads/rdclientdl.asp.

Allowing Remote Desktop Connections

The best thing about the Remote Desktop feature is how easy it is to enable. Disabled by default, simply open the System applet in Control Panel to the Remote tab. In the lower portion of this tab you’ll see a checkbox marked Allow users to remotely connect to this computer. Simply check that box, click OK, and Remote Desktop is enabled. If you’re running Windows XP Home, you won’t find this checkbox because Remote Desktop isn’t included with this OS version. If you’re looking for a Remote Desktop-type solution for XP Home (or 95/98/Me/2000 systems), alternative software is discussed later in the article.

Once Remote Desktop has been enabled, only members of the system’s local Administrators group will have the ability to connect to the system remotely by default. All other users will be denied access if they attempt to connect, and users without passwords are always denied access for security reasons. To add users to the Administrators local group, use the Local Users and Groups section of the Computer Management MMC, accessed by right-clicking on My Computer and selecting the Manage option.

Using Remote Desktop with Windows XP Professional

Users today commonly complete work on both a home and office PC, shuttling files back and forth using email, disks, and online storage services. Unfortunately, gaining access to your home PC from work (or vice versa) has typically not been an easy proposition. While some users have VPN software set up to simplify connections between a home and office network, most users who’ve forgotten important files take the road more traveled – a trip back to wherever those critical files currently reside. However, if you’re running Windows XP Professional, another potential solution exists in the form of Remote Desktop, a feature that allows you to connect to your desktop remotely as if sitting in front of it. A few simple clicks sure beats turning the car around – read on and learn how to get this useful setup sorted!

Why Remote Desktop?

First and foremost, it’s important to understand what Remote Desktop is all about, since it’s easy to get confused with the various remote access technologies out there today. In simple terms, Remote Desktop does exactly what its name suggests, providing access to your XP desktop from another system via a local network or Internet connection. Once you connect to an XP system with Remote Desktop enabled, you can interact with that desktop precisely as if you were sitting in front of it. That means you could open your home email client and send yourself a file at work, run programs on your home PC, and so on. Some people use Remote Desktop as a way to administer or “play around” with their home system from any location, while others keep it running just in case they happen to forget a critical file. Many office environments enable Remote Desktop on all XP Professional systems to allow workers to gain access to their desktops after hours from home in case it’s necessary.

What actually happens over a Remote Desktop connection is that local commands and actions (like typing or mouse clicks) are sent to the remote system as instructions. The remote system “responds” to these instructions by sending back images of its screen. So, clicking on the remote system’s Start menu using your local mouse ends up being interpreted as clicking the Start button from a mouse connected to the remote system. The remote system opens the Start menu, and sends back regularly refreshed images of the remote screen.