Folks,
OK, I've had enough of things I can't see. How, for example, can I find and view all files
named "index.dat"? If you enter this into the search bar, you won't find any, but I assure you, there are dozens on the typical system. And that's just the tip of the iceberg.
There are many thousands of files that can't be viewed or found. I've selected show
hidden files and protected operating system files, and show common file extensions
in folder options.
The problem is these two keys typically found in desktop.ini files (which themselves are
hidden):
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
The first says to hide this folder from the UI; the second to exempt this folder from being searched.
I want to see all such folders. Deleting these keys from the registry does not unhide the folders. The registry keys are kind of placeholders - they don't enable or create
any capabilities. These keys are recognized implicitly by the kernel and their function
exercised with (usually) some default value. Can a value be set somewhere to turn
them off? Or maybe replace or equate their function to doing something innocuous,
or a no-op.
Mounting the disk on another Windows installation won't unhide the folders because
that Windows copy will also recognize the keys.
Mounting the disk on a system booted from a Linux live distro like Knoppix will find
all hidden folders and files. But manipulating (writing) to NTFS from Unix sometimes
has unexpected consequences.
Another similar problem seems to be Windows not displaying file/folder names completely.
Some files seem to have invisible non-displayable characters in their names. I.e., if I
navigate to the file through the UI, then copy and paste its name into a command
window as an argument to a delete or other command, it will say "No Such File" or
a similar message. So how do I see the real name? (I've already enabled show common file extensions folder option).
A different problem I encountered while trying to purge a virus, was registry keys that
contain nulls. Apparently, some legitimate keys also do. Maybe file/folder names
do too? If a name contains a null or other non-ascii character, the character should
be displayed in the UI as a meta-character: ^0 for null for example.
There may be other ways of hiding files, too, that I'm not aware of. I once had
a program rootkitrevealer, which displayed any files that are found in the file
table that don't show in the Windows UI. It was eye-opening. The Windows 7
version of that program runs as a service that I'm unable to start. There was also
another program, findallfiles or similar name on XP, that I seem to have lost. It
also found invisible files. I want Windows search to find everything... I do mean everything. I've seen forensic tools that can read the FAT or NTFS file table
completely and correctly, why can't Windows just "do it"? There are serious security
implications to not being able to "see" in the ordinary way. In Windows, seeing is
exclusively through the Windows Explorer UI. As an Administrator, if I see a file that
has a weird name, an owner different than other files in the directory, permissions inconsistent with its function, or an inappropriate extension for the directory it's in,
I know immediately that I need to investigate.
Some files remain invisible to administrator for permissions reasons. Administrator
is owner of "System Volume Information", but the UI shows 0 items there. Nonetheless,
through reductio-ad-absurdum methods, I know something really big is hiding there.
That's system recovery information... why hide that?? I'm not going to go mucking
with permissions on "System Volume Information", in case I invalidate shadow copy
recovery.
Stuart
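A scanner for the two problems raised in the post, added here as an example (it is not from the post or any Windows tool): it flags folders whose desktop.ini carries the UICLSID/CLSID values quoted above and reports names containing control or non-ASCII characters in escaped form so they can be seen and typed. The sample tree it builds is constructed for the demo; on a real system, point scan() at a drive root (or at an NTFS volume mounted read-only from a Linux live system, which sidesteps the write-to-NTFS risk mentioned).

```python
import configparser, os, tempfile

# GUIDs quoted in the post: UICLSID hides the folder from the Explorer UI,
# CLSID marks it to be skipped by Windows Search.
HIDE_FROM_UI = "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"
EXEMPT_FROM_SEARCH = "{FF393560-C2A7-11CF-BFF4-444553540000}"

def parse_shellclassinfo(path):
    """Return the [.ShellClassInfo] keys of a desktop.ini, upper-cased, as a dict."""
    raw = open(path, "rb").read()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str.upper  # INI keys are case-insensitive
    cp.read_string(raw.decode(enc, "replace"))
    for section in cp.sections():
        if section.lower() == ".shellclassinfo":
            return dict(cp[section])
    return {}

def escape_name(name):
    """Render control and non-ASCII characters visibly as \\xNN or \\uNNNN."""
    return "".join(c if 0x20 <= ord(c) < 0x7F else
                   ("\\x%02X" if ord(c) < 0x100 else "\\u%04X") % ord(c) for c in name)

def scan(root):
    """Walk root; report UI-hidden / search-exempt folders and names that would not round-trip."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            # invisible characters, or trailing spaces/dots the shell silently strips
            if escape_name(n) != n or n != n.rstrip(" ."):
                findings.append(("odd-name", os.path.join(dirpath, escape_name(n))))
        for f in (f for f in filenames if f.lower() == "desktop.ini"):
            keys = parse_shellclassinfo(os.path.join(dirpath, f))
            if (keys.get("UICLSID") or "").upper() == HIDE_FROM_UI:
                findings.append(("hidden-from-ui", dirpath))
            if (keys.get("CLSID") or "").upper() == EXEMPT_FROM_SEARCH:
                findings.append(("exempt-from-search", dirpath))
    return findings

def build_sample_tree():
    """Constructed sample (not a real system): one hidden folder, one name with an invisible character."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "Secret"))
    with open(os.path.join(root, "Secret", "desktop.ini"), "w") as f:
        f.write("[.ShellClassInfo]\nUICLSID=%s\nCLSID=%s\n" % (HIDE_FROM_UI, EXEMPT_FROM_SEARCH))
    open(os.path.join(root, "report\u202Efdp.exe"), "w").close()  # U+202E right-to-left override
    return root
```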