PC Review
Best way to create clean Windows XP boot cd for running rootkit detection

pamelafiischer@yahoo.com
 
      20th Nov 2005
What is the best way for mere mortals to create a CLEAN Windows XP boot
CD?

From a related thread on available rootkit detection utilities, it was
suggested we attempt the Microsoft Strider GhostBuster Rootkit
Detection method recommended by the Microsoft Windows Defender Strider
GhostBuster Project ( http://research.microsoft.com/rootkit ).

Following those Microsoft instructions, we performed the following on
Windows XP:
NOTE WE ARE STUCK AT STEP 4!

1. Go to the Windows XP command line:
Start -> Run -> cmd

2. Go to your rootkit detection program folder:
C:\> cd c:\proggies\RKD\

3. Create an ordered list with bare headings of all hidden & not-hidden
files:
RKD:\> dir /s/ah/l/on/b c:\ > all_hidden_files_before.txt
RKD:\> dir /s/a-h/l/on/b c:\ > not_hidden_files_before.txt

4. Boot to a Windows XP CDROM.
- My question is:
Q: HOW TO BOOT TO A WINDOWS XP CDROM WHEN YOU DON'T HAVE ONE!

5. Re-run step 3's lower-case ordered list from the Windows XP cdrom
boot:
RKD:\> dir /s/ah/l/on/b c:\ > all_hidden_files_after.txt
RKD:\> dir /s/a-h/l/on/b c:\ > not_hidden_files_after.txt

6. Run WinDiff from the clean WinXP boot to compare before/after files:
http://www.grigsoft.com/download-windiff.htm

We are stuck at step 4 for lack of the simplest way to obtain a Windows
XP boot cdrom. Our system came configured so we don't have that clean
Windows XP boot CDROM.

Googling we get MANY confusing ways to create a Windows XP bootable
CDROM, some of which seem to be promising, e.g.,
a. Bart's Preinstalled Environment (BartPE) bootable live windows
CD/DVD
http://www.nu2.nu/pebuilder

b. Bart's way to create bootable CD-Roms (for Windows/Dos)
http://www.nu2.nu/bootcd

c. Creating bootable Windows 2000/XP/2003 Disc (Nero 6)
http://www.tacktech.com/display.cfm?ttid=297

d. The Ultimate Boot CD for Windows XP
http://www.ultimatebootcd.com

e. UBCD for Windows® Project
http://www.ubcd4win.com

f. Windows XP Fresh Install Bootdisk And Bootable CD
http://www.bootdisk.com

Since there are so many methods, and since the whole point is to boot to
a KNOWN GOOD Windows XP, it behooves newbies like us to ask for a
recommended path so that we don't stray too far along the wrong
(perhaps dangerous) method.

Which leaves me with the question at hand:
Q: Where is the safest & easiest method to obtain & burn a WinXP
bootable CDROM?

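Step 6 of the procedure above, the before/after comparison, written out as a small script. This is an added example for the thread, not the Microsoft GhostBuster tool and not WinDiff: it takes the concatenated `dir /s/ah/l/on/b` and `dir /s/a-h/l/on/b` output from inside the suspect OS and the same output taken from the clean boot, and reports which paths appear only in one view. The two listings, the path names in them (including the planted `exampl3.*` files) and the volatile-path allowlist are constructed sample data.

```python
"""Cross-view comparison of two ``dir /s /a /l /on /b`` listings.

Added example for this thread; not the Microsoft GhostBuster tool and not
WinDiff. What it keeps from the GhostBuster steps is the input format (one
lower-case full path per line) and the comparison rule: a file that the
clean boot CD lists but the running OS does not is being hidden from that
OS. Everything in LIVE_VIEW, CLEAN_VIEW and VOLATILE_PATTERNS is constructed.
"""
import fnmatch
import re

# Paths that legitimately differ between the live and the offline view:
# pagefile/hiberfil exist only for the running OS, prefetch and temp churn.
# Constructed allowlist; keep it short and review it, because anything
# matched here is filtered out even if it is the rootkit's own file.
VOLATILE_PATTERNS = (
    r"c:\pagefile.sys",
    r"c:\hiberfil.sys",
    r"c:\windows\prefetch\*",
    r"c:\windows\temp\*",
    r"c:\documents and settings\*\local settings\temp\*",
)

# Constructed listing "taken inside the suspect OS" (step 3 of the thread).
LIVE_VIEW = r"""
c:\boot.ini
c:\pagefile.sys
c:\documents and settings\user\local settings\temp\~df1234.tmp
c:\windows\explorer.exe
c:\windows\prefetch\notepad.exe-abc12345.pf
c:\windows\system32\drivers\ntfs.sys
c:\windows\system32\ntoskrnl.exe
"""

# Constructed listing "taken from the clean boot CD" (step 5). The two
# exampl3.* entries are the planted discrepancy: on disk, absent live.
CLEAN_VIEW = r"""
c:\boot.ini
c:\windows\explorer.exe
c:\windows\system32\drivers\exampl3.sys
c:\windows\system32\drivers\ntfs.sys
c:\windows\system32\exampl3.dll
c:\windows\system32\ntoskrnl.exe
"""

PATH_RE = re.compile(r"^[a-z]:\\")


def parse_listing(text):
    """Turn ``dir /s /a /l /on /b`` output into a set of normalised paths.

    ``/l`` already lower-cases, but two listings made in different sessions
    can still differ in case or trailing whitespace, so normalise again and
    keep only lines that look like full paths (drops any status text).
    """
    paths = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if PATH_RE.match(line):
            paths.add(line)
    return paths


def is_volatile(path, patterns=VOLATILE_PATTERNS):
    """True if the path matches one of the expected-to-differ patterns."""
    return any(fnmatch.fnmatchcase(path, p.lower()) for p in patterns)


def cross_view_diff(live_listing, clean_listing):
    """Return (hidden_from_live, missing_offline), both sorted lists.

    hidden_from_live: listed from the clean boot but absent from the listing
    taken inside the suspect OS. These are the interesting ones: something in
    the running system is filtering them out of the directory enumeration.
    missing_offline: listed live but not from the CD. Usually volatile files;
    worth a glance, rarely a rootkit indicator.
    """
    live = parse_listing(live_listing)
    clean = parse_listing(clean_listing)
    hidden = sorted(p for p in clean - live if not is_volatile(p))
    missing = sorted(p for p in live - clean if not is_volatile(p))
    return hidden, missing


if __name__ == "__main__":
    hidden, missing = cross_view_diff(LIVE_VIEW, CLEAN_VIEW)
    print("Listed from the clean boot but not by the running OS:")
    for p in hidden:
        print("  ", p)
    print("Listed by the running OS but not from the clean boot (after filtering):")
    for p in missing:
        print("  ", p)
```

On a real machine the two listings are the files step 3 and step 5 write; feed `all_hidden_files_before.txt` plus `not_hidden_files_before.txt` as the live view and the two `_after` files as the clean view. The allowlist is where judgement lives: a WinDiff of raw listings is dominated by temp and prefetch noise, and the point of filtering it is to leave a list short enough that every remaining entry gets looked at.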
Malke
 
      20th Nov 2005
(E-Mail Removed) wrote:

> What is the best way for mere mortals to create a CLEAN Windows XP
> boot CD?
>
> From a related thread on available rootkit detection utilities, it was
> suggested we attempt the Microsoft Strider GhostBuster Rootkit
> Detection method recommended by the Microsoft Windows Defender Strider
> GhostBuster Project ( http://research.microsoft.com/rootkit ).
>
> Following those Microsoft instructions, we performed the following on
> Windows XP:
> NOTE WE ARE STUCK AT STEP 4!
>
> 1. Go to the Windows XP command line:
> Start -> Run -> cmd
>
> 2. Go to your rootkit detection program folder:
> C:\> cd c:\proggies\RKD\
>
> 3. Create an ordered list with bare headings of all hidden &
> not-hidden files:
> RKD:\> dir /s/ah/l/on/b c:\ > all_hidden_files_before.txt
> RKD:\> dir /s/a-h/l/on/b c:\ > not_hidden_files_before.txt
>
> 4. Boot to a Windows XP CDROM.
> - My question is:
> Q: HOW TO BOOT TO A WINDOWS XP CDROM WHEN YOU DON'T HAVE ONE!
>

(snippage)

> Since there are so many method, and since the whole point is to boot
> to a KNOWN GOOD Windows XP, it behooves newbies like us to ask for a
> recommended path so that we don't stray too far along the wrong
> (perhaps dangerous) method
>
> Which leaves me with the question at hand:
> Q: Where is the safest & easiest method to obtain & burn a WinXP
> bootable CDROM.


The short answer for your case is "you can't unless you can create a
Bart's PE". You need a real XP operating system disk (which is bootable
all by itself), not a "Recovery Disk". You can sometimes create a
Bart's if your OEM installed the i386 directory with the complete
operating system. If you don't even have that, short of buying yourself
a copy of XP, you can't do what you want. This has nothing to do with
being mortal, BTW. ;-)

Understand that when you buy a computer with an MS operating system
preinstalled, the computer mftr. legally has to give you a way to
return the computer to factory condition. This can be done in three
ways:

1. By giving you a cd with the full operating system on it. This will
probably be OEM (as opposed to retail), but that's OK for
repair/reinstallation purposes.

2. By putting a restore image on a partition (which may be hidden) on
the hard drive and not giving you any physical cd's.

3. By giving you a physical cd(s) with the restore image on it. An image
is not the same as the real operating system.

You apparently purchased a computer that fits into #3 above.

Malke
--
MS-MVP Windows User/Shell
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"
Dixonian69
 
      20th Nov 2005
A bootable cd isn't going to get you anywhere unless it is a retail full
version Win XP install CD.

Why not use "Recovery CD" from Computer manufacturer?
You boot from this cd and use a recovery partition on your hard drive to
restore computer to original factory settings.

Some computers you create your own recovery set. Sometimes they can still be
created even if computer won't Boot. OR they can be ordered from MFG. If it
costs a significant amount you may just want to buy retail copy of XP instead.

What make and model do you have?

What is your reason for "Clean Install"?

--
Dennis S.
I'm from Illinois. I hope I helped you. Good Luck.


"(E-Mail Removed)" wrote:

> What is the best way for mere mortals to create a CLEAN Windows XP boot
> CD?
>
> From a related thread on available rootkit detection utilities, it was
> suggested we attempt the Microsoft Strider GhostBuster Rootkit
> Detection method recommended by the Microsoft Windows Defender Strider
> GhostBuster Project ( http://research.microsoft.com/rootkit ).
>
> Following those Microsoft instructions, we performed the following on
> Windows XP:
> NOTE WE ARE STUCK AT STEP 4!
>
> 1. Go to the Windows XP command line:
> Start -> Run -> cmd
>
> 2. Go to your rootkit detection program folder:
> C:\> cd c:\proggies\RKD\
>
> 3. Create an ordered list with bare headings of all hidden & not-hidden
> files:
> RKD:\> dir /s/ah/l/on/b c:\ > all_hidden_files_before.txt
> RKD:\> dir /s/a-h/l/on/b c:\ > not_hidden_files_before.txt
>
> 4. Boot to a Windows XP CDROM.
> - My question is:
> Q: HOW TO BOOT TO A WINDOWS XP CDROM WHEN YOU DON'T HAVE ONE!
>
> 5. Re-run step 3's lower-case ordered list from the Windows XP cdrom
> boot:
> RKD:\> dir /s/ah/l/on/b c:\ > all_hidden_files_after.txt
> RKD:\> dir /s/a-h/l/on/b c:\ > not_hidden_files_after.txt
>
> 6. Run WinDiff from the clean WinXP boot to compare before/after files:
> http://www.grigsoft.com/download-windiff.htm
>
> We are stuck at step 4 for lack of the simplest way to obtain a Windows
> XP boot cdrom. Our system came configured so we don't have that clean
> Windows XP boot CDROM.
>
> Googling we get MANY confusing ways to create a Windows XP bootable
> CDROM, some of which seem to be promising, e.g.,
> a. Bart's Preinstalled Environment (BartPE) bootable live windows
> CD/DVD
> http://www.nu2.nu/pebuilder
>
> b. Bart's way to create bootable CD-Roms (for Windows/Dos)
> http://www.nu2.nu/bootcd
>
> c. Creating bootable Windows 2000/XP/2003 Disc (Nero 6)
> http://www.tacktech.com/display.cfm?ttid=297
>
> d. The Ultimate Boot CD for Windows XP
> http://www.ultimatebootcd.com
>
> e. UBCD for Windows® Project
> http://www.ubcd4win.com
>
> f. Windows XP Fresh Install Bootdisk And Bootable CD
> http://www.bootdisk.com
>
> Since there are so many methods, and since the whole point is to boot to
> a KNOWN GOOD Windows XP, it behooves newbies like us to ask for a
> recommended path so that we don't stray too far along the wrong
> (perhaps dangerous) method
>
> Which leaves me with the question at hand:
> Q: Where is the safest & easiest method to obtain & burn a WinXP
> bootable CDROM.
>
>

pamelafiischer@yahoo.com
 
      20th Nov 2005
Malke wrote:
> You need a real XP operating system disk (which is bootable
> all by itself), not a "Recovery Disk". You can sometimes create a
> Bart's if your OEM installed the i386 directory with the complete
> operating system.


Yes indeed. I have only a common restore CD (which I used once and it
put all the original programs on the PC even the advertising garbage
from the manufacturer I had long deleted that I had to delete again). I
do not have the requisite Windows XP installation CDROM.

Are you saying that unless I have an "i386" directory, I can't create
the Windows Boot CD that I need in order to run the Microsoft suggested
rootkit detection method?

Q1: Is THIS 2,451 file folder the one I need to create the boot cdrom?
C:\WINDOWS\ServicePackFiles\i386

The folder properties, weirdly, on this i386 folder say it is a Size of
500 MB (525,142,242 bytes) yet its properties also say it has a Size on
disk of 318 MB (334,063,651 bytes).

Is C:\Windows\ServicePackFiles\i386 good enough to create a WinXP boot
disk sufficient to run WinDiff to compare before & after files for
rootkit detection?

Your answer will help not only me, but others too,
Pamela

Malke
 
      20th Nov 2005
(E-Mail Removed) wrote:

> Malke wrote:
>> You need a real XP operating system disk (which is bootable
>> all by itself), not a "Recovery Disk". You can sometimes create a
>> Bart's if your OEM installed the i386 directory with the complete
>> operating system.


Comments inline:

> Are you saying that unless I have an "i386" directory, I can't create
> the Windows Boot CD that I need in order to run the Microsoft
> suggested rootkit detection method?


Yes. You certainly can run RootKit Detector (I assume you're referring
to Sysinternals' free utility) without going through all the rest of
that. If you didn't play/install one of the Sony CD's in your computer,
I wouldn't get all worked up about this issue.

>
> Q1: Is THIS 2,451 file folder the one I need to create the boot cdrom?
> C:\WINDOWS\ServicePackFiles\i386


Yes.

> The folder properties, weirdly, on this i386 folder say it is a Size
> of 500 MB (525,142,242 bytes) yet its properties also say it has a
> Size on disk of 318 MB (334,063,651 bytes).


The files are compressed.
>
> Is C:\Windows\ServicePackFiles\i386 good enough to create a WinXP boot
> disk sufficient to run WinDiff to compare before & after files for
> rootkit detection?


You can but try. It won't hurt. Again, if you didn't play/install one of
Sony's DRM-protected (hah!) CD's, you probably don't need to put
yourself through all this. If you just want to play around for learning
purposes, then definitely build yourself a Bart's. They are very useful
to have.

Malke
--
MS-MVP Windows User/Shell
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic"
Karl Levinson, mvp
 
      21st Nov 2005

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> Are you saying that unless I have an "i386" directory, I can't create
> the Windows Boot CD that I need in order to run the Microsoft suggested
> rootkit detection method?


I'm not sure I would describe that as Microsoft's recommended root kit
detection. I work in this area and I have never had to resort to this quite
painful measure, nor should most users have to. Most root kits are detected
because they forget to hide something. Booting to Bart PE might arguably be
the most reliable detection method, but it is also the most costly,
especially when supporting a large enterprise.

Before ever resorting to Bart PE, you should always first use much easier
tools like www.sysinternals.com rootkit revealer and also rkdetect which can
be found by searching www.google.com.

Root kits often send out network traffic, and that traffic cannot be hidden,
especially once it leaves the system. Running a free sniffer like
www.ethereal.com and/or any Windows firewall such as www.kerio.com,
www.sygate.com or www.zonealarm.com may help detect this traffic. Better
yet, for an enterprise, use good egress firewall filters with logging,
inspect the firewall logs for blocked traffic, use network IDS such as
Snort, use a proxy server configured to only allow out browsers using the
pre-approved http user-agent string. Malware like root kits can evade
personal firewalls to get out, but I believe the firewalls should still
display and log the outbound traffic for you.

I believe there are other alternatives to Bart PE, such as the
www.Bitdefender.com Linux boot CD.

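The network-side checks in the post above (an approved User-Agent allowlist at the proxy, and looking for the outbound traffic a rootkit cannot hide once it leaves the box) as a small log review script. This is an added example, not code from the thread or from any of the products it names; the log format and every line in `PROXY_LOG`, the client addresses, the `203.0.113.7` host and the `APPROVED_AGENTS` allowlist are constructed for the example, so `LINE_RE` has to be adapted to whatever the real proxy writes.

```python
"""Reviewing outbound HTTP proxy records for traffic a rootkit cannot hide.

Added example for this thread, not code from any product named in it. The
log format and all lines in PROXY_LOG are constructed; real proxies log
differently, so adapt LINE_RE before using this on real data. The two
checks are the ones the post describes: a User-Agent allowlist for
outbound browsing, and repeated connections from one client to one host,
which is what a beaconing implant produces no matter how well it hides
on the host.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed allowlist: the browsers this (imaginary) site has approved.
APPROVED_AGENTS = frozenset({
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) "
    "Gecko/20050915 Firefox/1.0.7",
})

# Constructed log: timestamp, client IP, method, URL, quoted User-Agent.
PROXY_LOG = """\
2005-11-21T09:14:02 10.0.0.5 GET http://www.microsoft.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2005-11-21T09:14:09 10.0.0.5 GET http://www.sysinternals.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2005-11-21T09:15:00 10.0.0.5 POST http://203.0.113.7/up.php "Mozilla/4.0"
2005-11-21T09:16:31 10.0.0.9 GET http://www.example.org/ "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
2005-11-21T09:20:00 10.0.0.5 POST http://203.0.113.7/up.php "Mozilla/4.0"
2005-11-21T09:25:00 10.0.0.5 POST http://203.0.113.7/up.php "Mozilla/4.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_proxy_log(text):
    """Return (records, bad_line_numbers).

    Malformed lines are reported rather than silently dropped: a gap in
    an egress log is itself worth knowing about.
    """
    records, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            bad.append(n)
            continue
        ts, client, method, url, agent = m.groups()
        records.append({"ts": ts, "client": client, "method": method,
                        "url": url, "host": urlsplit(url).hostname,
                        "agent": agent})
    return records, bad


def unapproved_agents(records, approved=APPROVED_AGENTS):
    """Records whose User-Agent is not on the allowlist.

    A proxy configured as the post suggests would refuse these; keeping
    the log of the refusals is what turns the refusal into a detection.
    """
    return [r for r in records if r["agent"] not in approved]


def repeat_callers(records, min_hits=3):
    """(client, host) pairs seen at least min_hits times.

    A crude beacon check. On real data look at the spacing of the
    timestamps too: evenly spaced calls to one host are the tell.
    """
    counts = Counter((r["client"], r["host"]) for r in records)
    return {pair: n for pair, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    recs, bad = parse_proxy_log(PROXY_LOG)
    print(f"{len(recs)} records, {len(bad)} unparseable lines")
    for r in unapproved_agents(recs):
        print("unapproved agent:", r["client"], r["method"], r["url"], repr(r["agent"]))
    for (client, host), n in repeat_callers(recs).items():
        print(f"repeat caller: {client} -> {host} x{n}")
```

The allowlist check is only as good as the list: a browser update changes the string, so the list needs an owner. The repeat-caller check is the complementary one, because an implant that copies a legitimate browser's User-Agent still has to keep calling home.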
pamelafiischer@yahoo.com
 
      21st Nov 2005
Malke wrote:
> (I assume you're referring to Sysinternals' free utility) without
> needing a Windows XP bootable cdrom


Actually, I tried (and failed) to complete the SysInternals
RootKitRevealer:
http://www.sysinternals.com/utilitie...trevealer.html

Even though I ran the SysInternals RootKit Revealer logged in as the
administrator, this preferred rootkit detection method totally failed
to run saying "An error occurred. Check machine availability and your
access level (must be an administrator)." But, I am the administrator,
I loudly protest to the PC, all to no avail.

Then I tried the Microsoft Strider GhostBuster Rootkit Detection kit
method:
http://research.microsoft.com/rootkit
Unfortunately, this second-best method requires us to boot to a
separate Windows XP bootable disk (which I don't have) or to the "Bart
PE" (which I may end up making from my i386 directory on my hard
drive). But, as noted, this is a lot of work. I wish I knew why the
SysInternals tool thinks I'm not the administrator. I didn't set up
this PC so maybe there is something tricky going on.

Since, at the moment, both the SysInternals & Microsoft methods are
failing miserably, I'll try the RKdetect Rootkit Detector method
documented at:
http://www.security.nnov.ru/files/rkdetect.zip

But, I wonder ...
Q: Is it just me or does everyone have this problem that SysInternals'
Root Kit Revealer fails due to a permission problem (even though I run
it as administrator)?

Does anyone have any idea what to check to see why the SysInternals
site thinks I'm not the administrator even though I am logged in as the
administrator?

Pamela

pamelafiischer@yahoo.com
 
      21st Nov 2005
Dixonian69 wrote:
> What is your reason for "Clean Install"?


Root kits.

We all need a bootable Windows XP CDROM so that we can check for root
kits installed without our knowledge on our systems. My kids, for
example, use the computer but I have no idea what they've used it for.
All I want to do is check for the presence of a root kit, if any exist.

Once I found out that "most users stumble across cloaked files with an
RKR scan", I immediately ran SysInternals' RootKitRevealer.exe from
http://www.sysinternals.com/utilitie...trevealer.html which duly
reported the presence of many cloaked registry entries of the format:
- "Key name contains embedded nulls (*)",
- "Hidden from Windows API",
- "Visible in directory index, but not Windows API or MFT"

The problem is that these keys use cryptic 8-4-4-4-12 CLSID class id
registry entries which mean nothing to me, a mere mortal. For example,
what am I supposed to do with the information that this cloaked
registry key exists:

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 3/21/2005 2:41 PM 0 bytes Key name contains embedded nulls (*)

A. Should I just delete that cryptically named cloaked key?
B. How can I look up what that 8-4-4-4-12 hex digit class ID refers to?

The SysInternals root-kit revealer also reported cloaked entries of the
form:
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s0 12/3/2005 4:28 AM 4 bytes Hidden from Windows API.

Again, what are we supposed to do with this information?
A. Should we delete this cloaked registry key (or is this a cloaked
file)?
B. How do we find out more about what this "Cfg s0" really is?

My point is that the SysInternals RootKit detection utility download
worked except it reported information that wasn't meant for mere
mortals. Mere mortals, like I am, don't know what to do with this
cryptic data.

So, I tried the second-best method of revealing root kits on my system.
This method was suggested by the Microsoft Windows Defender web page
http://research.microsoft.com/rootkit

This Microsoft Project Strider GhostBuster Rootkit Detection web page
suggests we locate rootkits by the three-step method:
A. Run a command listing all hidden and non-hidden files on your system
B. Boot to a Windows XP CDROM & re-run those commands
C. Compare the results with WinDiff
(http://www.grigsoft.com/download-windiff.htm)

In summary, we don't need the clean Windows XP bootable CDROM for
system recovery; we need it in order to detect rootkits on our system
which have cloaked files or registry keys.

My main question at the moment still remains - how to find why I have
so many cloaked keys and files reported by SysInternals so cryptically
(that I just don't understand well enough to know what to do to resolve
them).
Pamela

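A triage helper for the RootkitRevealer lines shown in the post above, added here as an example; it is not part of Sysinternals' RootkitRevealer and it does not decide whether a finding is malicious. It parses each line into path, timestamp, size and discrepancy description, sorts the description into the three discrepancy kinds the post quotes, and pulls out the one thing that can actually be looked up: the CLSID for a hidden `HKLM\SOFTWARE\Classes\CLSID\{...}` key, or the service name for a hidden `Services\...` key. The first two sample lines are the entries quoted in the post; the third line, the `exampl3.sys` file and its timestamp are constructed. The field layout follows how the lines appear in this thread; a saved RKR log may use tabs, so `LINE_RE` may need adjusting.

```python
"""Triage helper for RootkitRevealer output lines.

Added example for this thread; not part of Sysinternals' RootkitRevealer.
It classifies the discrepancy descriptions quoted in the thread and pulls
out the identifiers (CLSID, service name) that a reader can go and look
up. The first two SAMPLE lines are the thread's own; the third is
constructed. The field layout follows the thread; a saved RKR log may
separate fields with tabs, so adjust LINE_RE if it rejects your file.
"""
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>[\d.,]+ (?:bytes|KB|MB))\s+"
    r"(?P<desc>.+)$"
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SERVICE_RE = re.compile(
    r"\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)", re.I)

SAMPLE = r"""
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 3/21/2005 2:41 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s0 12/3/2005 4:28 AM 4 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\exampl3.sys 11/20/2005 3:02 PM 24.00 KB Visible in directory index, but not Windows API or MFT.
"""


@dataclass
class Finding:
    path: str
    date: str
    time: str
    size: str
    desc: str
    kind: str
    clsid: Optional[str]
    service: Optional[str]


def classify(desc):
    """Map RKR's description text to a short discrepancy kind."""
    d = desc.lower()
    if "embedded nulls" in d:
        # Key name contains NUL characters. The Win32 registry API stops
        # at the NUL, so regedit cannot open or show the key; the native
        # API (which RKR uses) sees it. Used by rootkits, and also by some
        # licensing/copy-protection software, so a lead, not a verdict.
        return "embedded-nulls"
    if "hidden from windows api" in d:
        # Raw hive (or raw disk) has it; the Win32 view of the same
        # location does not. Something in the running system filters it.
        return "hidden-from-api"
    if "visible in directory index" in d:
        # File-system view disagrees: the directory index lists it, the
        # Win32 API and the MFT scan do not.
        return "dir-index-only"
    return "other"


def extract_service(path):
    m = SERVICE_RE.search(path)
    return m.group(1) if m else None


def extract_clsid(path):
    m = CLSID_RE.search(path)
    return m.group(0) if m else None


def parse_rkr(text):
    """Parse RKR lines into Finding objects; lines that do not match are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        findings.append(Finding(
            path=g["path"], date=g["date"], time=g["time"], size=g["size"],
            desc=g["desc"], kind=classify(g["desc"]),
            clsid=extract_clsid(g["path"]), service=extract_service(g["path"]),
        ))
    return findings


def lead(f):
    """What to go and look up for this finding, from a clean boot where possible."""
    if f.clsid:
        return f"look up {f.clsid} under HKCR\\CLSID and see which DLL its InprocServer32 names"
    if f.service:
        return f"inspect service '{f.service}' and the driver file its ImagePath points at"
    if f.kind == "dir-index-only":
        return "hash the file from the clean boot and identify what installed it"
    return "compare the raw and API views by hand"


if __name__ == "__main__":
    for f in parse_rkr(SAMPLE):
        print(f"[{f.kind}] {f.path}\n    -> {lead(f)}")
```

Used on a full RKR export the output answers the "what do I do with this" question one row at a time: for a CLSID key the next step is to see which file the `InprocServer32` value names, for a `Services\...` key it is to see which driver the service loads, and for a file it is to identify the file from the clean boot. Deleting a hidden key on sight is the wrong move in both directions, since some legitimate copy-protection software hides keys the same way and a real rootkit will have more than one foothold.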
pamelafiischer@yahoo.com
 
      21st Nov 2005
David H. Lipman wrote:
> One should copy the i386 folder off the CDROM and slip-stream the
> i386 folder with SP2 and then use that slip-streamed folder to create a
> CDROM to build a fresh OS (this is true for all the NT based OS')


Hi David,

Thank you for your advice noting that the
C:\WINDOWS\ServicePackFiles\i386 directory is not the required i386
directory to create the official "Preinstalled Environment (BartPE)
bootable live windows CD/DVD" as per instructions at
http://www.nu2.nu/pebuilder

This so-called "Bart PE" cdrom is apparently what is required to boot
to in order to run Microsoft's Windows Defender Project rootkit
identification steps documented at
http://research.microsoft.com/rootkit

Since I have access to my sister's computer (which is the same make and
model as mine), do you think I can use her i386 directory (if we can
find it) to create the Bart PE Windows XP bootable CDROM for this task?

That is, my question is:
Q: Does the BART PE bootable CDROM have to be machine specific (or can
we use any Bart PE bootable CDROM we can get our hands on in order to
run the specified Microsoft dir commands to locate cloaked files on our
systems)?

Wishing finding cloaked rootkits was more step-by-step for mere mortals
such as I,
Pamela

pamelafiischer@yahoo.com
 
      21st Nov 2005
(E-Mail Removed) wrote:
> Even though I ran the SysInternals RootKit Revealer logged in as the
> administrator, this preferred rootkit detection method totally failed
> to run saying "An error occurred. Check machine availability and your
> access level (must be an administrator)." But, I am the administrator,
> I loudly protest to the PC, all to no avail.


Ouch. I confused myself by accidentally mixing up tool errors here. It
was RKDetect (from http://www.security.nnov.ru/files/rkdetect.zip) which
is reporting "An error occurred. Check machine availability and your
access level (must be an administrator)." This is occurring even though
I am the administrator, logged in as administrator.

The SysInternals RootKit Revealer actually worked fine; but it reported
finding cloaked things like:
HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 6/16/2004 9:19 PM 0 bytes Key name contains embedded nulls (*)

This hex 8-4-4-4-12 digit "unique?" class id is totally meaningless to
mere mortals such as I.

Even after attempting to look up the unique name for the class id at
http://www.microsoft.com/technet/pro...efclassid.mspx
I still don't know what that 8-4-4-4-12 CLSID actually refers to (do
you?).

Is there a class id to real product name lookup table somewhere on the
Internet?

Pamela
