

N E W: Ported to Eccentrica domain 11.16




windows 95 registry


Indispensable Tools: Install-Watch is a fantastic utility for uncovering just what is happening to your hard drive under the veil of an "Install Wizard". Install-Watch allows you to monitor all of the system files and directories for additions, changes, and deletions (all of which are recorded in a log), as well as specific registry keys and directories of your choosing. In addition, this program comes with an Uninstall feature that is quite frankly the only one that WORKS. The 95 Registry Monitor is a must-have tool for those who want to delve deep into the "mystery" of the 95 registry; it monitors Registry calls in the background while other applications are running (like Filemon for the registry....).

What is the Registry? The 95 Registry has been made out to be a phenomenal mystery--probably due to the CLSID keys alone--and as such has inspired a number of books (by Que, O'Reilly, even Microsoft at last...), FAQs, Web-Sites...you name it. Quite simply, the Registry is one huge (and I mean huge; after installing Visual C++ and MS Outlook, my system.dat is 2.2 MB) configuration database, storing information such as where certain dll's are found, what programs are associated with which extensions, what are the most recent network connections made/URL's visited, what position was an application window in when the user last exited the program, what color is the desktop, what driver is used for the modem, what shows up on the right-click menu....all sorts of things. In fact, it is often more surprising to find what isn't recorded in the Registry than to find what is. The Registry is contained in two files in the Windows directory (in NT they are called "hives"): system.dat and user.dat, with backup copies system.da0 and user.da0. The Registry database is accessed with regedit.exe (in the Windows directory), or with shareware utilities such as grep_reg or RegSearch&Replace, and consists of six keys: HKEY_LOCAL_MACHINE (all of the settings for the machine, such as software location and drivers), HKEY_CURRENT_CONFIG (a subset of HKEY_LM that details the current configuration), HKEY_USERS (all of the settings for the users of the machine, such as favorite application settings and URL history), HKEY_CURRENT_USER (a subset of HKEY_USERS that details out the profile of the current user), HKEY_CLASSES_ROOT (a subset of HKEY_LM\SOFTWARE that lists all of the software "classes" and extensions), and HKEY_DYN_DATA (dynamic information regarding the PC that is built at startup and is good only until shutdown).
Registry keys can be exported to .REG files which may then be modified in Notepad and double-clicked to have their contents be appended to the Registry--note that this provides a fantastic way to implement Registry patches on a large number of computers (LAN), or to keep your customizations on floppy so that they follow wherever you go. The Microsoft documentation warns you to NOT mess with the Registry as it may render your machine unusable...that is, unless you know DOS and can go in via the command line, then replace the Registry files either with backups or with someone else's Registry files (yes, this works, though you have to do a hardware-detect and a lot of your software settings will be toast...). Fortunately most of us ignore Microsoft's documentation as it never really tells you anything anyway.....

HKEY_CLASSES_ROOT
  • \.???
  • \objecttype
  • \CLSID

    In the Windows GUI, everything--every file, every directory, every applet, every link, every drive--is treated as an object; every object has certain properties associated with it. The HKCR key contains the list of object types and their properties. The main functions configured by HKCR are: 1) Associating a file extension with an object type, 2) Associating an icon with an object type, 3) Associating a series of command-line actions with an object type, 4) Defining Context Menu options for an object type, and 5) Defining Property Sheet options for each object type. In Windows 95, the Context Menu is the menu that pops up when you right-click an object; the Property Sheet is the dialogue box that opens when you select the Properties... option for an object.

    What does this mean? It means that by changing the settings in HKCR you can change the default association for a given file extension, change the default icon for a file type, and add or remove items from the Context Menu of a given object type (or all object types). HKCR contains three basic types of subkeys: the \??? or file extension subkey, the \object type subkey, and the \CLSID subkey. The file extension subkey links file extensions to object types and provides control over the Context Menu, Property Sheet, and Action association. The object type subkey defines an object type in terms of its default icon, its Context Menu and Property Sheet, its action associations and its CLSID links. The CLSID subkey provides OLE and DDE information for object types and may have icon, Context Menu, or Property Sheet information contained in its subkeys.

    A note on subkeys: Apparently documentation on the Registry was so scarce in the early days of '95 that most programmers were making up Registry fixes as they went along. As a result, there is some overlap within the HKCR subkeys, such that a subkey such as \shell can be found under a \.??? key, an object type key, or a CLSID key. The typical "code" keys (being keys that do not identify an object type or name but that actually describe the properties of an object), if you will, are usually 1) shell, 2) shellex, 3) ShellNew, and 4) DefaultIcon. Shell keys have an "action" subkey, such as "open", which in turn has a command subkey; the command subkey has a Default string value that contains the command line for the program to be run. Placing an "open" subkey in an object type's shell subkey will put an "open" option on the Context Menu for that object type, and giving the open subkey a command key with the default string value "C:\Windows\Notepad.exe %1" will cause Notepad to be the default application used to open that object type. Other action options include View, Print, Copy, Virus Scan, etc. Shellex keys have a subkey for ContextMenuHandlers and/or PropertySheetHandlers. Each of these contains subkeys that point to CLSID entries to perform OLE and DDE functions for that object type (an example being Quickview, a ContextMenuHandler subkey under * that points to a CLSID key with a string value that lists the .dll file containing the file-viewing function). ShellNew contains a "command" string value that contains the command line for opening a "new" instance of that object type (for example, new .txt file would have a "command" value of "C:\Windows\Notepad.exe"). DefaultIcon subkeys contain a "Default" string value that contains a command line pointing to the icon (for example, "C:\Windows\System\shell32.dll,2" where 2 is the third icon--count starts at 0, remember--in the shell32.dll).

    HKCR\file extension The following subkeys will demonstrate the modifications that can be made in HKCR: *, .386, .dll, .exe, .zip

    HKCR\object type The use of this key can be illustrated by the following selection of subkeys: Allfile, drive, exefile, file, fndfile, folder, mailto, regfile, unknown

    HKCR\CLSID This is probably the most disconcerting key to look at. Each CLSID number must be unique--in fact, Microsoft has produced a CLSID-generation program just for this purpose--and as a result you tend to get strings of 32-digit hex numbers. For the most part these keys are of no interest unless you are programming or reverse engineering; they contain memory management models, client-server configurations, and links to .dll's for OLE handling.


    Here are some sample .REG files for Context-Menu actions:

  • Dos Prompt Here: Opens selected folder in a DOS box.
  • Run In Dos: Runs selected .COM or .EXE file in a DOS box and leaves the box open afterwards.
  • FileFind: The built-in Windows FileFind function.
  • Explore From Here: The built-in Windows Explore function.
  • Sharing: Network FileSharing enabled on drive: Properties tag.
  • Print Directory: Same as DIR>LPT1 or DIR/S>LPT1 in DOS.
  • HexEdit: Open in Hex Editor of your choice. Example uses HIEW.EXE.


    HKEY_CURRENT_USER
  • \AppEvents
  • \Control Panel
  • \Install LocationsMRU
  • \keyboard layout
  • \Network
  • \RemoteAccess
  • \Software

    This key contains the settings for the current user drawn from that user's profile in the HKU key at startup. For the most part, HKCU contains all of the information about the system that HKLM does not; for example, software settings and user preferences. Probably the most interesting subkey is \Software; most everything else can be set through the Control Panel.

    \AppEvents This key contains the sounds that are linked to application or OS events, as set in "Sounds" in the Control Panel. EventLabels contains subkeys that provide the names of the events, Schemes\Apps provides the paths to the .wav files, and Schemes\Names provides the names for the sound schemes.

    \Control Panel This contains more options that are configured via the Control panel, notably Accessibility (wheelchair options as set in the Accessibility Property Sheet with the following subkeys: HighContrast, KeyboardResponse, MouseKeys, SerialKeys, ShowSounds, SoundSentry, Stickykeys, TimeOut, ToggleKeys), Appearance (color scheme set in the Appearance tab of the Display Properties Sheet along with definitions for all schemes), Colors (current color scheme as set in Appearance, given in hex RGB values for each window, border, button, etc), Cursors (scheme definitions), Desktop (Misc settings such as wallpaper, drag option, icon size, and background pattern), International (string value: Locale), and Sound (string value: Beep).

    \Install LocationsMRU M.R.U. is Microspeak for Most-Recently-Used; in this case it refers to the M-R-U install locations....here you find a list of directories where software was installed via the InstallWizard (bigbrotherbigbrother). Very useful to scan if you are a software vendor and want to delete the competition's software from your users' hard drives.

    \keyboard layout This key defines your....wait for it....keyboard layout. Yes, the Registry isn't always as mysterious as Microsoft makes out. The preload subkey defines your key configuration according to some obscure numbering system.

    \Network The Network subkey lists your past network connections in two subkeys: Persistent (the drives and devices you have mapped to with the "reconnect at logon" option checked, organized by subkeys labelled with the drive letter or device name, each containing your network client--i.e. Client For Microsoft Networks--your user ID, and the full network path to the driver or device) and Recent (the last 20 or so network connections you have made without the "reconnect at logon" option checked, organized in subkeys named with the full network path of the connection, and contain the same info as the Persistent subkeys). The Persistent connections are all connected and given "My Computer" icons at startup; the Recent connections appear in the drop-down list box for "Path" when you map a network drive.

    \RemoteAccess This key contains the scripts for Dialup Networking. It consists of two subkeys: Addresses, which contains a binary key for each connection, and Profile, which contains a subkey for each connection with values for IP addresses, vendor-supplied scripts, domain names and user ids.

    \Software All of the sub-keys under this key represent software installed on your computer, listed by vendor name (note that some of the same vendors will have keys under HKLM, but the contents of the key will differ). The software settings contained in these keys will be user-specific (hence the HKCU placement), such as user preferences, location of log files, default directories for saving files, etc. A fine example can be had in the one key everyone will have, \Microsoft\Windows\CurrentVersion, which has just about all of your windows settings not covered elsewhere. The following subkeys branch off: Applets, explorer (look at all the MRU's here as well as the "recent docs" key, lots of keys to "clean"....), GrpConv (convert 3.1 progman groups to 95 explorer), Multimedia, Policies (what you are/are not allowed to do according to your sysadmin--if you do not have access rights, tailor this key at home and export it to a .REG file that you run after login to restore your lost user rights), Profile Reconciliation (where to look for profile info upon login), Secondary Profiles, and Taskman.



    HKEY_LOCAL_MACHINE
  • \Config
  • \Enum
  • \hardware
  • \Network
  • \Security
  • \SOFTWARE
  • \System

    The HKLM key stores the system information for the computer. This covers everything from software settings (such as file locations, registered/unregistered status, version number) to network and hardware configurations.

    \Config This key stores all of the different hardware configurations for your computer (the ones you create in the System Properties Sheet of the Control Panel). The configuration that is currently in use is copied to HKCC at startup.

    \Enum This is where the majority of your hardware settings are located, including the information for PNP (Plug N' Play) cards. Subkeys include ESDI, FLOP, HTREE, ISAPNP, Monitor, Network, Root, SCSI, and VIRTUAL.

    \hardware The hardware subkey has two further subkeys: the DESCRIPTION key, which leads to a Floating Point Processor key (poss present: 0/1), and a devicemap key, which leads to a serialcomm key that lists all of your com ports.

    \Network This key has one subkey, Logon, that contains the values LMLogon (local machine logon? 0=False 1=True), logonvalidated (logon must be validated 0/1), Policy Handler, Primary Provider (primary logon, i.e., client for MS networks), username, and UserProfiles.

    \Security There are two subkeys to the Security key, the first being Access (which leads ultimately to a Remote key that lists the source for network security,i.e., access rights), and Provider (containing keys that list the network "address book" and "address server").

    \SOFTWARE Most of the subkeys exist simply to provide a version number for the installed software. Once again, however, we can find some interesting settings under \Microsoft\Windows\CurrentVersion, which has the following subkeys: App Paths (program locations for just about all of the 32-bit software that you have ever installed on your machine), Applets, Compression, Controls Folder (contains Property Sheet add-ons for Control Panels like Display), Detect, explorer (the most interesting subkeys here are the Namespace keys of Desktop and My Computer--they point to CLSID strings for the Recycle Bin and Dialup Networking--and the Tips subkey that lets you create your own tips), Extensions (a list of extension associations, this time associating extensions with specific executable files rather than with object types), Fonts, fontsize, FS Templates (File System templates, i.e. Server, Desktop or Mobile, from the System Property Sheet), MS-DOS Emulation (contains an App Compatibility subkey which has binary values for a ton of outdated programs), MS-DOS Options (settings for Himem.sys, CD-ROMs, etc, in DOS mode), Network (configurations for your network drivers), Nls, Policies (more things that your sysadmin thinks you should not be allowed to do), ProfileList (list of all of the usernames that have ever been used to log on to your machine, very handy), Run (programs that are run on startup: VERY IMPORTANT), RunOnce (programs that are run at startup only one time ala WinInit.exe, this will usually be blank except after an install that requires a reboot), RunServices (like Run but contains "services" which are unlike normal programs in that they are elite or "system" programs...however they are not VXDs, just stuff like McAfee or RegServ), RunServicesOnce (just like RunOnce, but for "services"), Setup (tons of windows setup parameters: mostly string values containing system directory locations, with subkeys for '95 Updates, Optional Installed Components, and Windows Boot Directory), SharedDLLs (a list of the shared DLLs, each given a number rating on an unknown system of measurement), Shell Extensions (lists "approved" OLE registry patches, with links to the relevant CLSIDs), ShellScrap (contains a subkey called PriorityCacheFormats which contains a blank numbered value...most likely derivative of the old SmartDrive command-line switches), Time Zones (the main string value is your current time zone; the subkeys define all of the possible time zones. Snore.), Uninstall (this stores the programs that show up in the Add/Remove programs dialogue box; the subkeys contain paths that point to the vendors' uninstall programs. So much for InstallWizard.....), WinLogon (contains the text strings used for logon legal notices).

    \System The system subkey contains a CurrentControlSet subkey that branches off into the ComputerName, FileSystem, IDConfigDB, InstalledFiles (being dlls, vxds, and exes), keyboard layouts (pointers to the files that define various keyboard layouts), MediaProperties, MediaResources (string names and dll links for various multimedia resources), NetworkProvider, Nls, PerfStats (Performance Stats, with the following subkeys: Kernel, SMBRedir, VFAT, VMM--does not provide actual statistics but instead defines labels for use by a performance monitor program), Print (provides the configuration information for the printers defined in HKCC\System\CurrentControlSet), PwdProvider (lists the password manipulation files--usually .cpl or .dll--for the various network clients that 95 is running), ServiceProvider, SessionManager (contains many interesting-sounding subkeys such as AppPatches, CheckBadApps, CheckVerDLLs, HackINIFiles, Known16DLLs, KnownDLLs, and WarnVerDLLS; most of these are of no practical interest unless you have software that you are trying to fool 95 into running), Shutdown, TimeZoneInformation, Update, and VMM32Files (a listing of the VXDs installed on your system; if you write your own VXD, you may want to register it here) subkeys.



    HKEY_USERS
  • \.Default
  • \username

    HKU contains the profiles for all of the users on the system; at startup, the login profile is copied to HKCU.

    \.Default Structure is the same as HKCU.

    \username Structure is the same as HKCU.



    HKEY_CURRENT_CONFIG
  • \Display
  • \System

    The contents of the HKCC key are taken from the appropriate configuration profile in the HKLM\Config key at startup.

    \Display Has the subkey Fonts which provides string values listing the fonts available for the main screen font, and the subkey Settings which has string value settings for BitsPerPixel, Resolution, MouseTrails, DPI, and VGA Fonts.

    \System Has a single subkey, CurrentControlSet\control\Print\Printers, which defines the printers that are placed in the Printers object (in My Computer) at startup.



    HKEY_DYN_DATA
  • \Config Manager
  • \PerfStats
  • \Security

    The HKDD key contains information about your system that is detected at startup. The information in this key is, as the name explains, dynamic, and is subject to change while the OS is running. Changes made to this key do not appear to be saved to disk.

    \Config Manager This key has a single subkey, Enum, that branches into further subkeys that describe the PNP devices detected at startup.

    \PerfStats The actual performance statistics are recorded in binary values in subkeys of this key (StartSrv, StartStat, StatData, StopServ, StopData). It seems each of the primary string types (VMM, SMBRedir, VFAT, and KERNEL) corresponds to a section of the '95 System Monitor applet (Memory Manager, Microsoft Network, File System, and Kernel).

    \Security This key has a single subkey, Provider, that mirrors the Security\Provider key in HKLM. It is likely that this key is constantly updated to keep up with changes in the network, while the HKLM key remains static.


    Serious enthusiasts are directed to John Woram's The Windows 95 Registry from MIS Press.





    command line 95


    Windows 95 can be converted to a command-line operating system with multiple virtual terminals, reminiscent of a crippled version of Linux. To start off, do not set GUI=0 in MSDOS.SYS; this merely disables 95 from entering Protected Mode at all. Instead, set shell=command.com in SYSTEM.INI (instead of shell=explorer.exe)--though you can use NDOS or 4DOS if you prefer. What will happen is that Windows will run (yes, it is still slow-loading) and produce a DOS box; after you hit ALT-ENTER you will get a full-screen DOS terminal, and this will stay in effect through subsequent reboots. Additional DOS terminals can be created by typing start command.com at the DOS prompt; ALT-TAB will switch you between DOS terminals (and open windows applications). Windows applications can be run using the same start command (i.e., start explorer.exe); the DOS terminal will minimize, and the Windows application will run over your background bitmap (it is a good idea to create batch files for running your most-used apps, and put them in a directory in your path). One final note: to shut down this "version" of Windows, you must hit CTRL-ESC to bring up the Task List, then choose File->Shutdown Windows from the menu.

    Explorer Command Line Options

    The following command-line options may be used with explorer in a DOS box or the Run dialogue box:

  • explorer path :opens folder specified in path.
  • explorer /e path:opens folder specified in path in dual-pane (explorer) view.
  • explorer /root,path :opens explorer window rooted at the folder specified in path.
  • explorer /s :opens single-pane (MAC-like) explorer window in current dir.
  • explorer /n path :opens folder specified in path in a new window.
  • explorer /select path :opens an explorer window with the file specified in path selected.

    Notes: IDlist: The Registry uses an idlist parameter but it seems to have no effect. NameSpace: Explorer.exe uses "namespaces" instead of directories. A namespace is more or less a "virtual directory"; specifically, it includes everything in the client area of a window. The root window is the desktop window; therefore the "root" namespace for explorer.exe is the Desktop. The child windows of Desktop include My Computer (with its sub-windows of all of your drives), Network Neighborhood, the Trash Can ('scuse me, Recycle Bin, how PC....), the Inbox, etc. Note that a namespace contains more than just real files; it can contain applets such as the Network Neighborhood and the Control Panel. You can move these "special folders" around by including them in a namespace (for example, the namespace of My Computer) in the registry or by turning them into actual folders with TweakUI.

    Command-Line Networking Utilities:

  • arp.exe (Address Resolution Protocol): Displays and/or changes entries in the ARP IP address-to-hardware address tables. Sample uses: Type "arp -a ###.#.##.##" with an IP address filling in the #'s and you get the physical address of the network card--useful for intercepting TCP/IP packets with Net X-Ray. Switches: -a ipaddr=display entry, -d ipaddr=delete entry, -s ipaddr hdaddr=add entry.
  • finger.exe: Disabled on most hosts; shows information on a user. Sample uses: Type finger user@host.com to start stalking a person. Switches: -L =verbose display.
  • ipconfig.exe: Displays the current TCP/IP network settings on your PC. Switches: /all =full display, /renew adaptername =renew DHCP info, /release adaptername =release DHCP configuration.
  • nbtstat.exe: Displays protocol stats and NetBios/TCP/IP connections. Sample uses: Type "nbtstat -s" to see your current connections, along with the amount of data sent and received along each connection. Switches: -a remotename =displays remotename's name table, -A ipaddr =display ipaddr's name table via IP, -c =shows NetBios names cache, -n =lists local NetBios names, -R =reloads LMHOSTS file, -r =displays Name Resolution statistics (WINS), -S =display workstation and server sessions by IP address, -s =display workstation and server sessions by hostname.
  • net.exe: Network services. Sample uses: Type "net use" to view your current network connections, and "net use x: aaaaaaa" to map drive x: to server aaaaaaa. Type "net view aaaaa.com" to see all the shared resources on a server. Type "net view" on a lan to find out the machine names in your workgroup. Type "net diag" on two computers to start network diagnostics on the second of the two computers. Switches: config, diag, help, init, logoff, logon, password, print, start, stop, time, use, ver, view.
  • netstat.exe: Display protocol stats and TCP/IP connections. Sample uses: Type "netstat" to see what protocols you are using to attach to which servers. Switches: -a =display all, -e =display ethernet stats, -n =display IP numbers and port numbers, -s =list by protocol, -p protocol =show all connections for the specified protocol, -r =display routing table.
  • nslookup: Display information from DNS servers. Syntax: nslookup hostname dnsserver
  • ping.exe: Verify connection with a remote computer. Syntax: ping hostname. Switches: -t =ping until interrupted, -a =resolve IP address to host name, -n count =send count number of echos, -l length =send packet of length number of bytes, -r count =trace route of outgoing packet for count number of hosts.
  • route.exe: Manipulate network routing tables. Suggested uses: Type "route print" to get your gateway addresses. Switches: -f =clear routing tables, print =print a route, add =add a route, delete= delete a route, change = modify a route.
  • telnet.exe: Interact with a telnet server. Syntax: telnet hostname, or telnet hostname port.
  • tracert.exe: Record the route used to connect with a remote computer. Suggested uses: Type "tracert ###.#.##.##" to see which servers you use to connect to ###.#.##.## and how many ms you waste by going through them. Switches: -d =do not resolve IP addresses to host names, -h hops=specify maximum number of hops in which to find target computer.

    Other command-line programs:

  • "command.com" starts a new DOS box; ALT-Tab switches between the DOS virtual terminals much like in Unix.
  • "start path" runs a windows program from a DOS box.

    Useful Keyboard Commands for '95/NT4:

  • Alt-Enter: Makes a full-screen DOS box "not so full-screen".
  • Alt-M: Minimize all windows.
  • Alt-Tab: Switches between active applications.
  • Alt-Windowskey: "Run" dialogue box.
  • F3: "Find" dialogue box.
  • Ctrl-Esc: Start Menu or Task List.
  • Ctrl-Z: Global Undo (try it!).
  • Shift-F10: Right-click.





    autorun


    Normally this is of no real consequence as it only works with CD-ROMS--but somehow I got it to kick in on my hard drive as well. Basically you create an AUTORUN.INF text file, in the root directory of the disk, that contains the following:

    [AutoRun]

    OPEN=autorun.exe

    with Autorun.exe being the name of the file you want to run automatically (perhaps virus.com? claymore.exe?) It still seems pretty limited...anybody know how to get this to work with a floppy?





    getting in

  • Password Bypass : Ctrl-Esc is not gone, nor is the 3.1 task list. Next time you are stuck at a password prompt--say, for example, at a less-than-friendly network--Ctrl-Esc will bring up said task list, and Alt-File-Run Application allows you to run Explorer. You're in! If the desktop doesn't respond (happens on some NT networks) choose Start>Run>C:\ [ENTER] and start maneuvering....
  • Floppy booting : sys.com a floppy, then copy the msdos.sys from c:\ to a:\ (overwrite the useless a:\ one). Make sure all of the msdos.sys options are to your liking (WinDir=C:\Windows, WinBootDir=C:\Windows, BootMenu=1, Network=0, GUI=0, etc), then add set path=c:\windows;c:\windows\command;c:\windows\system;%path% to your autoexec.bat.
  • Variation on the floppy-boot trick : call Soft-Ice from the floppy autoexec.bat (set GUI=0 and all that...), with SVGA--or your favorite video display--as the default. I recommend doing this with Soft-Ice 2.0 as it is more portable (read: small enough to fit on a floppy) than 3.0. But then again, since you can use DriveSpace to compress floppies (and zip disks!), why hold back? Warning: The Soft-Ice trick is s---l---o---w. But the Ctrl-D is worth it. Variation: You set the video card by copying one of the driver files to the softice directory and naming it siwvid.386. With some creative .bat-ing, you can create a startup file that a) prompts you for a video card, b) creates c:\siw95, c) copies all of the soft-ice files with the correct driver to c:\siw95, d) runs Soft-Ice and thereby loads windows, and e) deletes c:\siw95. Here is my attempt.





    full control


    How to get the most out of your machine with the least amount of effort:

  • Unable to access the Registry? Use PolEdit!
  • Get Kernel Toys Now: Use Keyboard Remap for mimicking that Microsoft 95 keyboard (for example, RtAlt + R= Run dialogue box); WinTop is a more or less adequate system monitor; Doswzcfg for full control of your ms-dos mode environment.
  • Get Power Toys Also: HTMLDriver, QuickRes, and ShellFix are okay, but for real system control you need TweakUI (with its Paranoia! option...) and CabView (treats .CAB files as directories, double-click a file to extract it).
  • The Start Menu (as well as SM>Programs>Startup), Desktop, and SendTo folders are all good places to have "shortcutted" on your Desktop or in your Start Menu (in NT, be sure to link to the "All Users" subdirectories (\winnt\profiles\All Users\StartMenu) except for SendTo, which must be under your specific profile). Another fun trick is to shortcut SendTo and put that in your "SendTo" directory, so that you can easily send shortcuts to your right-mouse-button>SendTo menu.
  • Keep an eye on WinInit.ini. This file contains the changes that will be made to your system the next time you boot up; it is called by WinInit.exe (which runs at bootup) and is deleted when the .exe has finished running (it is like the RunOnce key in the Registry except that the RunOnce key actually runs a specific executable file at startup, while WinInit implements environmental changes such as renaming files, changing strings, etc).
  • If you are on a LAN, watch out for Regserv; this device loads at startup (Run Service in the Registry) and remotely updates your registry. Use Ctrl-Alt-Delete to monitor the services running at startup (this is kind of like fishing) and if you find regserv, either disable it (to hell with the sysop!) or keep a backup of your registry in your harddrive. For more network chaos, run KOH on your system (or similar non-viral utilities such as Cerebrus or Lock-And-Key) to make your hard drive inaccessible to others; also, combining arp.exe with Net X-Ray (available on the web...) gives you TCP/IP packet generating/intercepting capabilities without requiring admin rights.
  • The following are all of the places where a program or driver can be specified to load at startup: c:\config.sys, c:\autoexec.bat, c:\windows\win.ini (load= and run= lines), c:\windows\system.ini (drivers only), c:\windows\Start Menu\Programs\Startup (anything in this folder...), and the \Software\Microsoft\Windows\CurrentVersion\Run and RunServices keys (also the RunOnce and RunServicesOnce keys, for installs or patches) located in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER in the Registry.
  • On occasion you will need to manually register a .dll file. The executable used for this is Regsvr32.exe; the syntax is simply REGSVR32 filename, from the DOS prompt. If one of your applications is failing to load a .DLL due to a flaw in the app (as opposed to a flaw in the DLL), this may help you out.
  • Setting up a new machine with your 95 settings: this happens a lot where I work; you wouldn't believe how much of a pain it can be to get all of your 95 settings and your third-party software working on another machine if you've never done it before (the problem is that software vendors put shared files--.dll's--in the Windows\System directory instead of another common directory like, say, Program Files, because the system path can be returned with the GetSystemDirectory API call...which is much easier than creating a \Program Files\Shared directory and then loading your files into it; this makes files easier to install but much, much harder to uninstall or move, for you have to be able to distinguish between the Windows .dll files and the vendor .dll files....). The first rule is: never do this in DOS--you'd be amazed how much of a problem it can be not having those long filenames like ShellIconCache. The hardcore tech way to do this is to install 95 on the new hard drive, slave the new HDD to the old HDD and boot off the old, then a) copy everything but the Windows directory to the new HDD, b) create a Windows directory on the new HDD, and c) go into the Windows directory on the old HDD and copy everything except win386.swp (it will crash your copy process) to the Windows directory on the new HDD. "What about laptops?", comes the obvious cry. There is another method: a) export the HKEY_CURRENT_USER key to a file such as USER.REG, b) back up your entire (old) hard drive, and c) selectively restore files, namely: the USER.REG file (which you must double-click to import into the Registry), all of your program directories, the C:\Windows\Desktop, C:\Windows\Sendto and C:\Windows\Start Menu directories (be sure not to have two copies of the contained shortcuts), and all of the files from C:\Windows\System, C:\Windows\Fonts, and C:\Windows that are not the same (use WinDiff.exe to determine which files to copy). 
The Registry Key and the SendTo, Start Menu, and Desktop folders will contain all of your 95 settings; the remaining steps copy files needed for vendor applications onto your new hard drive. Almost as easy as DOS, huh?
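The startup locations listed above can be audited offline from a copy of win.ini and a regedit export of the Registry. The following is an added example, not code from the original page: it lists what the load=/run= lines and the Run-family keys would launch. The sample inputs are constructed, and the key names RunServices and RunServicesOnce are the spellings Windows 95 uses.

```python
import re

# Registry autostart keys under ...\CurrentVersion (Windows 95 spellings).
RUN_PREFIX = "\\software\\microsoft\\windows\\currentversion\\"
RUN_KEYS = {"run", "runonce", "runservices", "runservicesonce"}
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample inputs, not taken from a real machine.
SAMPLE_WIN_INI = r"""[windows]
load=c:\tools\clock.exe
run=c:\apps\sched.exe c:\apps\tray.exe
; run=commented.exe
"""
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\upd.exe /quiet"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"regserv"="regserv.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"Ignored"="x.exe"
'''

def winini_autostart(text):
    """Programs on the load= and run= lines of win.ini's [windows] section."""
    section, found = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            name, value = (part.strip() for part in line.split("=", 1))
            if name.lower() in ("load", "run"):
                found += [(name.lower(), p) for p in re.split(r"[ ,]+", value) if p]
    return found

def reg_autostart(text):
    """(hive, key, value name, command) rows from a REGEDIT4 export file."""
    current, found = None, []
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)  # \\ -> \ and \" -> "
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            hive, _, path = line.strip("[]").partition("\\")
            parent, _, leaf = ("\\" + path.lower()).rpartition("\\")
            current = (hive, leaf) if parent + "\\" == RUN_PREFIX and leaf in RUN_KEYS else None
        elif current and (m := STRING_VALUE.match(line)):
            found.append((*current, unescape(m.group(1)), unescape(m.group(2))))
    return found

if __name__ == "__main__":
    print(*winini_autostart(SAMPLE_WIN_INI), *reg_autostart(SAMPLE_REG), sep="\n")
```

Comparing the output against a listing saved when the machine was known to be clean shows which startup entries have been added since.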





    nt tricks


    Windows NT: the wave of the future. Just when Windows got to Plug-and-Pray, now we take a few steps back to the 3.1 days of "how do I get my SCSI card to work?"; if NT stays like this and becomes an industry standard, expect the Macintosh to make a comeback. But yes, OK, the system is more stable than 95 (remarkably so), is much more efficient than 95 on high-RAM (48+ MB) systems, and is reasonably secure (unless you have a floppy drive, see below...), so I guess some improvements have been made after all. N.B.: most of the tips about 95 (especially where the UI is concerned; for some reason both of these OSs use EXPLORER.EXE) listed above apply to NT as well.

  • Worried about losing your files when you convert a partition to NTFS? Cue the entrance of NTFS-DOS: A handy utility that allows you to view NTFS volumes as if they were FAT volumes. This is a TSR that you run from DOS: it detects NTFS volumes on the local machine and mounts them as FAT logical drives. If you run this before Windows (3.1/95) loads, the NTFS drives will be available globally through the My Computer applet. If you run it after Windows has loaded, you will be able to access the NTFS volumes only in the DOS box where you ran the TSR. One quirk: on my system it does not load the \WINNT directory on the NTFS drive. Endless Fun Trick: Make a DOS 5.0 or higher bootable diskette with ntfsdos.exe and an NT password cracker (avail on the web, everywhere...even here or here), maybe a copy of getadmin.exe (see below)...
  • Recover your lost admin rights! Are you trapped with the choice of using the "guest" account or not using a computer at all? Despair no longer--now available is GETADMIN, a utility that will temporarily assign the current user admin rights--regardless of the user's assigned rights. Just like SU in UNIX, but no password needed; I'm sure you can see the possibilities... One caveat is that it only recovers admin rights from the local user table: if you run it while logged into a remote NT server, for example while logged in to the network at work, you will get a GPF right after the rights are assigned. The program comes with source, though, so I am on my way to developing a networkable version...
  • NT Boot repair: Running Windows NT and Windows 95 on the same system can be a bit tricky--especially with NT's special boot sequence. If your 95 crashes, for example, and you have to SYS.COM the drive to get it working again, you can assume your NT boot track is toast. At this point you have two options: Install NT all over again, or trick the computer into thinking you did so. For the second option, run the install program from the NT CD-ROM from DOS or '95 up to the point where it asks you to reboot after it has copied the NT files into a temporary directory. At this point the NT bootsector has been restored; you can delete the temporary directory and delete the "Install Windows NT" option from BOOT.INI. Preventative measures include running DISKSAVE from the DOS command prompt (note: must be DOS 5.0 to 6.11; Microsoft blew it when coding this routine so that it will not run in DOS 7.0, regardless of how clean you boot up) in order to back up your boot partition, or making a bootable floppy diskette in NT (format a 1.44 MB floppy with system files) and copying the following files from the root directory of your boot drive onto the floppy: BOOT.INI, BOOTSECT.DOS, NTDETECT.COM, and NTLDR. Note: if you have a SCSI drive controller, be sure to add the drivers to your floppy. Either of these methods will allow you--with some work, of course--to recover the boot sector on your hard drive. Nothing like SYS.COM available, unfortunately.
  • NT Workstation to Server in 2 Registry Keys: this one is untested, but as it comes from Schulman and O'Reilly & Associates you can more or less count on it as fact. The NT kernel is built at bootup, not (as with other versions of Windows) during Setup--and it takes its configuration parameters from the NT Registry. Apparently there are two special keys (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions\ProductType, which has a string value that must be changed from "WinNT" to "ServerNT", and HKEY_LOCAL_MACHINE\System\Setup\SystemPrefix, which is a binary value that must be changed so that the bit masked by 0x04000000 is set to 1 instead of 0; using a base calculator, that is the bit that is in the 27th position from the end of the high-order DWORD value) that, when modified, cause anywhere from 75 to 700 (your guess) changes in the NT kernel and enable it as either a Workstation ($139) or Server ($759). NT has a thread running that prevents these keys from being changed; however from DOS you can always regedit a patch or, as Russinovich decided, write a utility that kills these two threads and patches the registry itself. As for myself, I already have server...no need to try making it a workstation.





    nt boot sequence


    The following information is culled from Micro$oft's Technet technician's reference and not from my own personal experience/experimentation, therefore I cannot attest to its accuracy or reliability. I trust the inclusion of such third-party information will not compromise the integrity of my page....

    Services: Order of Loading

  • SCSI miniport
  • Port
  • Primary disk
  • SCSI class
  • SCSI cd-rom class
  • Filter
  • Boot file system
  • Base
  • Pointer port
  • Keyboard port
  • Pointer class
  • Keyboard class
  • Video init
  • Video
  • Video save
  • File system
  • Event log
  • Streams drivers
  • NDIS
  • TDI
  • NetBIOS group
  • Spooler group
  • NetDDE group
  • Parallel arbitrator
  • Extended base
  • Remote validation
  • PCI configuration

    Services Automatically Started

    NT loads these services automatically, unless you configure it not to:

  • Alerter
  • Computer browser
  • Event log
  • License logging service (ugh)
  • Messenger
  • Net logon
  • NT LM security support provider
  • Server
  • Spooler
  • TCP/IP NetBIOS helper
  • Workstation

    "Kernel-Mode" Drivers Automatically Started

    The drivers listed below are loaded automatically by NT, even when no network is running. This is a bare-bones boot:

  • ntoskrnl.exe
  • hal.dll
  • atdisk.sys
  • ntfs.sys
  • floppy.sys
  • scsiflop.sys
  • scsiscan.sys
  • scsicdrm.sys
  • cdaudio.sys
  • fs_rec.sys
  • null.sys
  • beep.sys
  • i8042prt.sys
  • mouclass.sys
  • kbdclass.sys
  • videoport.sys
  • vga.sys
  • qv.sys
  • vga.sys
  • msfs.sys
  • npfs.sys
  • fastfat.sys
  • parport.sys
  • parallel.sys
  • serial.sys

    Typical NT Driver Initialization

    The following is a sequence of drivers initialized during a typical NT bootup, as captured at M$oft by a kernel debugger:

  • atdisk.sys (non-SCSI HDD driver)
  • ntfs.sys (booting from NTFS partition)
  • floppy.sys (FDD driver)
  • scsiflop.sys (SCSI FDD driver)
  • scsiscan.sys (SCSI device scanner)
  • scsicdrm.sys (SCSI CD-ROM driver)
  • cdaudio.sys (sound card driver)
  • fs_rec.sys (file system recognizer)
  • null.sys (NULL device driver)
  • beep.sys (computer speaker driver)
  • i8042prt.sys (mouse/keyboard port driver)
  • mouclass.sys (mouse driver)
  • kbdclass.sys (keyboard driver)
  • videoport.sys (std display driver)
  • vga.sys (std display driver)
  • qv.sys (video driver)
  • vga.sys (vga driver re-loaded)
  • msfs.sys (mailslot file system)
  • npfs.sys (named-pipe file system)
  • fastfat.sys (FAT file system driver)
  • ndis.sys (ndis layer driver)
  • elnkii.sys (ethernet card driver--3com, in this instance)
  • tdi.sys (tdi layer driver)
  • tcpip.sys (tcp/ip protocol driver)
  • netbt.sys (netbios over tcp/ip driver)
  • netbios.sys (netbios interface)
  • parport.sys (parallel port driver)
  • parallel.sys (parallel port driver)
  • serial.sys (serial port driver)
  • mup.sys (multiple UNC provider)
  • rdr.sys (workstation service file system driver)
  • srv.sys (server service file system driver)
  • afd.sys (windows sockets driver)




