Trigger UAC Elevation from Command Line with Elevate Utility

Post Category: Computer

A few days ago I was playing around with a piece of rogueware and investigating what I can do when the EXE association has been modified or broken. As we all know, the EXE association plays a very important part in the Windows operating system because most programs run under an EXE file. For example, a .reg file requires regedit.exe, an .msi file requires msiexec.exe, a .vbs file requires wscript.exe, a .txt file requires notepad.exe, and many more. So now you can imagine how bad the situation can get if the EXE extension is broken, which prevents you from using a lot of the solutions that would fix the problem. Fortunately, running any program from Windows Task Manager, which is launched via the Ctrl+Shift+Esc hotkey, uses the default Windows EXE extension rather than the associated EXE extension in the registry.

One limitation which I’ve discovered is that a program run from Windows Task Manager is not necessarily elevated. Running regedit.exe is fine because every time you run regedit it will prompt the UAC elevation window, and clicking Yes will give you full control over it. However, try running the command prompt (cmd.exe) from there and it runs without administrator privileges, limiting you from making any system changes.

Automated Fix for WordPress base64_decode Injection in PHP Files

Post Category: Computer

A few months ago one of my clients informed me that when they access their website through Google, they are automatically redirected to an attack site reported by Firefox. However, they have no problems accessing the website directly. When a trusted website is redirected to an attack website, that is a sign that the website has been hacked and some scripts were modified to create the automated redirection. When I viewed some of the PHP files, there was a lot of eval(base64_decode code added after <?php in most of the PHP files. Removing the injected code manually is not really that hard when I can compress the whole website, download it to my computer, use TextCrawler to search and replace, compress the files to a ZIP file again, upload it to the website and extract.

After a few weeks, I noticed that all of the WordPress websites got infected by the malicious code again! What I previously did was only cleaning up the redirection, but I did not look further into the cause of the malicious code injection. After investigating, it seems that one of my clients has activated a theme that uses an old and vulnerable TimThumb.php script when the latest version today is at 2.8.10. Replacing the old timthumb.php with the latest one should prevent the website from being injected with malicious code. To clean up the website, I found a PHP script that can automatically crawl all the PHP files on the website and remove any known malicious eval base64_decode code.

UserAssistView Finds Out Last Run Program without Using a Keylogger

Post Category: Computer

A keylogger is a very powerful invisible piece of software that is able to monitor every activity on the computer and automatically send the logs to the installer without the user realizing it. Have you ever encountered a situation where a friend or a family member wants to borrow your personal laptop just because they are bored? If you’ve protected your personal and sensitive files with encryption software such as TrueCrypt, it doesn’t necessarily mean that you’re safe, because you may never know if they’ve decided to secretly install a keylogger on your computer to monitor what you do. There are some solutions to keep your PC safe while allowing other people to use your computer, such as enabling the Guest account or installing software such as Returnil that is able to roll back the computer to the way it was with a reboot. However, if you didn’t manage to take the precautionary measures, you can still find out a list of programs last run or opened on your computer with UserAssistView.

Hidden Start Runs Batch Files Silently without Flickering Console

Post Category: Computer

Batch files, sometimes called batch programs or scripts, are useful for advanced users to simplify routine work and repeat certain tasks. You can group a bunch of commands into a single batch file, and running it will automatically process all the commands in that batch file. Writing a batch file requires a bit of knowledge of the command prompt, parameters, filters, redirection and also some conditional processing commands such as for, goto, and if. As long as you are able to work at the command prompt, you can definitely write a simple batch file. As useful as batch files are in Windows, they have one inconvenience, which is that each application opens a console window that flickers on the screen. If you want your batch file to look professional without all those black windows opening and closing by themselves, you can use Hidden Start to run console applications and batch files without any window in the background.

Warn when Closing Multiple Opened Tabs in Google Chrome

Post Category: Computer

There were a couple of times when I got so annoyed with the automatic closing of the Chrome web browser when I accidentally clicked on the X button. Actually, it is quite unusual to accidentally click on the X button when it is located at the very top right of the window, but it happened to me when I was trying to close a program that was on top of Chrome. The program did not get terminated after pressing Alt+F4 or clicking on the X button, so I ended up doing it a few more times, and when it did happen, it ended up closing the program that was just behind the program that I was trying to close.

Firefox, Internet Explorer, Safari and Opera natively support the feature to warn the user when trying to close the browser with multiple tabs opened, but oddly Chrome doesn’t come with this feature. Although we can configure Chrome to “Reopen the pages that were opened last” or click on the “Recently Closed” link located at the bottom right of a new tab, it is still troublesome because some webpages cannot be restored and require logging in again. A simple warning prompt would be much more efficient instead.

Test Sleep and Hibernation Feature in Windows 7

Post Category: Computer

Windows 7 supports both the Sleep and Hibernate features, which are very useful for getting back into Windows as fast as possible so that you can start working again without waiting for Windows to boot up and reload all the software that is set to autostart. The Sleep feature is also very convenient for laptop users because closing the lid will instantly put the computer to sleep without having to wait for it to shut down. Basically, Sleep/Standby wakes the computer up faster but still requires a bit of power to maintain the data saved in RAM. As for Hibernation, everything is saved on the hard drive instead of in RAM, so it doesn’t require any power at all. The only drawback is that it’s slower to start up, but it is still faster than the normal Windows startup. There’s also a hybrid sleep, which puts any open documents and programs both in memory and on your hard disk. If for some reason you are unable to get Sleep or Hibernation working in Windows, one of the best ways to test is by using PassMark Sleeper.

Workaround to Fix EXE Association in Windows 7

Post Category: Computer

Windows by default has an association for EXE files to allow you to run executable programs. We normally don’t need to mess around with it, because wrongly associating the EXE extension with another program can be a disaster whereby running any EXE file will run under the program that you’ve associated. If you double-click on any EXE program but it doesn’t do anything, then it is possible that the EXE association has been deleted from the registry. There are third-party tools that can fix the EXE association, but that doesn’t make sense at all because you won’t be able to run the tool in the first place when it is an executable file… The solution is to either download an EXE .reg fix or the Microsoft Fix it tool, which has an .msi extension.

The bigger challenge that I’ve faced was a piece of rogueware that associates itself with the EXE extension. Whenever Windows is booted up, the rogueware is automatically started because Windows loads a bunch of EXE files during startup.


Copyright © 2005-2012 - Raymond.CC Blog