Broch -
I don't do winblowz, but because you asked, here's a reply, I'll have to post it in two parts because of the post restrictions, so here's part one:
Microsoft's Really Hidden Files
Version 2.6b
by The Riddler
November 3, 2001
When I say these files are hidden well, I really mean it. If you don't have any knowledge of DOS then don't plan on finding these files on your own. I say this because these files/folders won't be displayed in Windows Explorer at all -- only DOS. (Even after you have enabled Windows Explorer to "show all files.") And to top it off, the only way to find them in DOS is if you knew the exact location of them. Basically, what I'm saying is if you didn't know the files existed then the chances of you running across them are slim to slimmer.
It's interesting to note that Microsoft does not explain this behavior adequately at all. Just try searching on microsoft.com.
FORWARD:
I know there are some people out there that are already aware of some of the things I mention. I also know that most people are not. The purpose of this tutorial is to teach people what is really going on with Microsoft's products and how to take control of their privacy again. This tutorial was written by me, so if you see a mistake somewhere then it is my mistake, and I apologize.
Thanks for reading.
INDEX
1. DEFINITIONS
1.1) Acronyms
2. SEEING IS BELIEVING
3. HOW TO ERASE THE FILES ASAP
3.1) If You Have Ever Used Microsoft Internet Explorer
3.2) Clearing Your Registry
3.3) Slack files
3.4) Keeping Microsoft's Products
4. STEP-BY-STEP GUIDE THROUGH YOUR HIDDEN FILES (For the savvy.)
5. HOW MICROSOFT DOES IT
6. +S MEANS [S]ECRET NOT [S]YSTEM
7. A LOOK AT OUTLOOK
8. THE TRUTH ABOUT FIND FAST
8.1) Removing Find Fast
9. CONTACT INFORMATION AND PGP BLOCKS
9.1) Recommended reading
10. SPECIAL THANKS
11. REFERENCES
# Coming in Version 3.0: pstores.exe
# Related Windows Tricks.
# Looking back on the NSA-Key.
# What's with those Outlook Express .dbx files?
# Windows 2000 support.
1. DEFINITIONS
Well, the best definition I have been able to come up with is the following:
I) A "really hidden" file/folder is one that cannot be seen in Windows Explorer after enabling it to "show all files," and cannot be seen in MS-DOS after receiving a proper directory listing from root.
a) There is at least one workaround to enable Windows Explorer to see them.
b) There is at least one workaround to enable MS-DOS to see them.
II) Distinguishes "really hidden" file/folders from just plain +h[idden] ones, such as your "MSDOS.SYS" or "Sysbckup" folder.
III) Distinguishes from certain "other" intended hidden files, such as a file with a name of "°ƒë‹x¥."
(Interesting to note that Microsoft has disabled the "Find: Files or Folders" from searching through one of these folders.)
1.1. ACRONYMS
DOS = Disk Operating System, or MS-DOS
MSIE = Microsoft Internet Explorer
TIF = Temporary Internet Files (folder)
HD = Hard Drive
OS = Operating System
FYI = For Your Information
2. SEEING IS BELIEVING
No. Enabling Windows Explorer to "show all files" does not show the files in mention. No. DOS does not list the files after receiving a proper directory listing from root. And yes. Microsoft intentionally disabled the "Find" utility from searching through one of the folders.
One more thing. They contain your browsing history at ALL times. Even after you have instructed Microsoft Internet Explorer to clear your history/cache. And so the saying goes, "seeing is believing."
Skipping to the chase here. These are the names and locations of the "really hidden files":
c:\windows\history\history.ie5\index.dat
c:\windows\tempor~1\content.ie5\index.dat
If you have upgraded MSIE several times, they might have alternative names of mm256.dat and mm2048.dat, and may also be located here:
c:\windows\tempor~1\
c:\windows\history\
Not to mention the other alternative locations under:
c:\windows\profiles\%user%\...
c:\windows\application data\...
c:\windows\local settings\...
c:\windows\temp\...
c:\temp\...
(or as defined in your autoexec.bat.)
FYI, there are a couple other index.dat files that get hidden as well, but they are seemingly not very important. See if you can find them.
3.0. HOW TO ERASE THE FILES ASAP
Step by step information on how to erase these files as soon as possible. This section is recommended for the non-savvy. Further explanation can be found in Section 4.0. Please note that following these next steps will erase all your cache files and all your cookie files. If you use the offline content feature with MSIE, following these next steps will remove this as well. It will not erase your bookmarks.
3.1. IF YOU HAVE EVER USED MICROSOFT INTERNET EXPLORER
1) Shut your computer down, and turn it back on.
2) While your computer is booting keep pressing the [F8] key until you are given an option screen.
3) Choose "Command Prompt Only" (This will take you to true DOS mode.) Windows ME users must use a boot disk to get into real DOS mode.
4) When your computer is done booting, you will have a C:\> followed by a blinking cursor. Type this in, hitting enter after each line. (Obviously, don't type the comments in parentheses.)
C:\WINDOWS\SMARTDRV (Loads smartdrive to speed things up.)
CD\
DELTREE/Y TEMP (This line removes temporary files.)
CD WINDOWS
DELTREE/Y COOKIES (This line removes cookies.)
DELTREE/Y TEMP (This removes temporary files.)
DELTREE/Y HISTORY (This line removes your browsing history.)
DELTREE/Y TEMPOR~1 (This line removes your internet cache.)
(If that last line doesn't work, then type this
CD\WINDOWS\APPLIC~1
DELTREE/Y TEMPOR~1
(If that didn't work, then type this
CD\WINDOWS\LOCALS~1
DELTREE/Y TEMPOR~1
(If this still does not work, and you are sure you are using MSIE 5.x, then please e-mail me. If you have profiles turned on, then it is likely located under \windows\profiles\%user%\, while older versions of MSIE keep them under \windows\content\.)
This last one will take a ridiculous amount of time to process. The reason it takes so incredibly long is because there is a ton of (semi-) useless cache stored on your HD.
5) Immediately stop using Microsoft Internet Explorer and go with any of the alternative browsers out there (e.g., Netscape 4.7x from netscape.com, Mozilla from mozilla.org, or Opera from opera.com).
FYI, Windows re-creates the index.dat files automatically when you reboot your machine, so don't be surprised when you see them again. They should at least be cleared of your browsing history.
3.2. CLEARING YOUR REGISTRY
It was once believed that the registry is the central database of Windows that stores and maintains the OS configuration information. Well, this is wrong. Apparently, it also maintains a bunch of other information that has absolutely nothing to do with the configuration. I won't get into the other stuff, but for one, your typed URLs are stored in the registry.
HKEY_USERS\Default\Software\Microsoft\Internet Explorer\TypedURLs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
These "Typed URLs" come from MSIE's autocomplete feature. It records all URLs that you've typed in manually in order to save you some time filling out the address field. By typing "ama" the autocomplete feature might bring up "amazon.com" for you. Although I find it annoying, some people prefer this feature. One thing is for sure, however -- it's an obvious privacy risk. You wouldn't want a guest to type "ama" and have it autocomplete to "amateurmudwrestlers.com," would you?
3.3. SLACK FILES
As you may already know, deleting files only deletes the references to them. They are in fact still sitting there on your HD and can still be recovered by a very motivated person.
* BCWipe is a nice program that will clear these files.
* For you DOS buffs, there's a freeware file wiper on simtel.net that I use.
* If you are using PGP, there is a "Freespace Wipe" option under PGPtools.
* The newer versions of Norton Utilities have a nice file wiping utility.
* You might want to check out Evidence Eliminator's 30 day trial. This is probably the best program as far as your privacy goes.
3.4. KEEPING MICROSOFT'S PRODUCTS
If your work environment forces you to use Microsoft Internet Explorer, then I strongly recommend that you talk your boss into checking out one of these programs:
* PurgeIE
* Cache and Cookie Cleaner for IE
* Anonymizer Window Washer
These programs automate the process for you, and are a better alternative to adding 'deltree/y' lines to your autoexec.
And if your work environment forces you to use Outlook or Outlook Express, then you should get in the habit of compacting your mailboxes.
You can do this by going to File > Folder > Compact All if you have Outlook Express, or Tools > Options > Other tab > [Auto Archive] if you have Outlook. Make sure to set things up here.
4.0. STEP-BY-STEP GUIDE THROUGH YOUR HIDDEN FILES
This next section is intended for the savvy user.
The most important files to be paying attention to are your "index.dat" files. These are database files that reference your history, cache and cookies. The first thing you should know about the index.dat files is that they don't exist unless you know they do. The second thing you should know about them is that some will *not* get cleared after deleting your history and cache.
The result: A log of your browsing history hidden away on your computer after you thought you cleared it.
To view these files, follow these steps:
In MSIE 5.x, you can skip this first step by opening MSIE and going to Tools > Internet Options > [Settings] > [View Files]. Now write down the names of your alphanumeric folders on a piece of paper. If you can't see any alphanumeric folders then start with step 1 here:
1) First, drop to a DOS box and type this at prompt (in all lower-case). It will bring up Windows Explorer under the correct directory.
c:\windows\explorer /e,c:\windows\tempor~1\content.ie5\
You see all those alphanumeric names listed under "content.ie5?" (left-hand side.) That's Microsoft's idea of making this project as hard as possible. Actually, these are your alphanumeric folders that were created to keep your cache. Write these names down on a piece of paper. (They should look something like this: 6YQ2GSWF, QRM7KL3F, U7YHQKI4, 7YMZ516U, etc.) If you click on any of the alphanumeric folders then nothing will be displayed. Not because there aren't any files here, but because Windows Explorer has lied to you. If you want to view the contents of these alphanumeric folders you will have to do so in DOS. (Actually, this is not always true. Sometimes Windows Explorer will display the contents of these folders -- but mostly it won't. I can't explain this.)
2) Then you must restart in MS-DOS mode. (Start > Shutdown > Restart in MS-DOS mode. ME users use a bootdisk.)
Note that you must restart to DOS because windows has locked down some of the files and they can only be accessed in real DOS mode.
3) Type this in at prompt:
CD\WINDOWS\TEMPOR~1\CONTENT.IE5
CD %alphanumeric%
(replace the "%alphanumeric%" with the first name that you just wrote down.)
DIR/P
The cache files you are now looking at are directly responsible for the mysterious erosion of HD space you may have been noticing. One thing particularly interesting is the ability to view some of your old e-mail if you happen to have a Hotmail account. (Oddly, I've only been able to retrieve Hotmail e-mail, and not e-mail from my other web-based e-mail accounts. Send me your experiences with this.) To see them for yourself you must first copy them into another directory and THEN open them with your browser. Don't ask me why this works.
A note about these files: These are your cache files that help speed up your internet browsing. It is quite normal to use this cache system, as every major browser does. On the other hand, it isn't normal for some cache files to be left behind after you have instructed your browser to erase it.
5) Type this in:
CD\WINDOWS\TEMPOR~1\CONTENT.IE5
EDIT /75 INDEX.DAT
You will be brought to a blue screen with a bunch of binary.
6) Press and hold the [Page Down] button until you start seeing lists of URLs. These are all the sites that you've ever visited as well as a brief description of each. You'll notice it records everything you've searched for in a search engine in plain text, in addition to the URL.
7) When you get done searching around you can go to File > Exit. If you don't have mouse support in DOS then use the [ALT] and arrow keys.
8) Next you'll probably want to erase these files by typing this:
C:\WINDOWS\SMARTDRV
CD\WINDOWS
DELTREE/Y TEMPOR~1
(replace "cd\windows" with the location of your TIF folder if different.)
This will take a seriously long time to process. Even with Smartdrive loaded.
9) Then check out the contents of your History folder by typing this:
CD\WINDOWS\HISTORY\HISTORY.IE5
EDIT /75 INDEX.DAT
You will be brought to a blue screen with more binary.
10) Press and hold the [Page Down] button until you start seeing lists of URLS again.
This is another database of the sites you've visited.
11) And if you're still with me, type this:
CD\WINDOWS\HISTORY
12) If you see any mmXXXX.dat files here then check them out (and delete them.) Then:
CD\WINDOWS\HISTORY\HISTORY.IE5
CD MSHIST~1
EDIT /75 INDEX.DAT
More URLs from your internet history. Note, there are probably other mshist~x folders here so you can repeat these steps for every occurrence if you please.
13) By now, you'll probably want to type in this:
CD\WINDOWS
DELTREE/Y HISTORY
5.0. HOW MICROSOFT DOES IT
How does Microsoft make these folders/files invisible to DOS?
The only thing Microsoft had to do to make the folders/files invisible to a directory listing is to set them +s[ystem]. That's it. As soon as the dir/s command hits a system folder, it renders the command useless (unlike normal folders.) A more detailed explanation is given in Section 6.
So how does Microsoft make these folders/files invisible to Windows Explorer?
The "desktop.ini" is a standard text file that can be added to any folder to customize certain aspects of the folder's behavior. In these cases, Microsoft utilized the desktop.ini file to make these files invisible. Invisible to Windows Explorer and even to the "Find: Files or Folders" utility (so you wouldn't be able to perform searches in these folders!) All that Microsoft had to do was create a desktop.ini file with certain CLSID tags and the folders would disappear like magic.
To show you exactly what's going on:
Found in the c:\windows\temporary internet files\desktop.ini and the c:\windows\temporary internet files\content.ie5\desktop.ini is this text:
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
Found in the c:\windows\history\desktop.ini and the c:\windows\history\history.ie5\desktop.ini is this text:
[.ShellClassInfo]
UICLSID={7BD29E00-76C1-11CF-9DD0-00A0C9034933}
CLSID={FF393560-C2A7-11CF-BFF4-444553540000}
The UICLSID line cloaks the folder in Windows Explorer. The CLSID line disables the "Find" utility from searching through the folder. (Additionally, it gives a folder the appearance of the "History" folder.)
To see for yourself, you can simply erase the desktop.ini files. You'll see that it will instantly give Windows Explorer proper viewing functionality again, and the "Find" utility proper searching capabilities again. Problem solved right? Actually, no. As it turns out, the desktop.ini files get reconstructed every single time you restart your computer. Nice one, Slick.
Luckily there is a loophole which will keep Windows from hiding these folders. You can manually edit the desktop.ini's and remove everything except for the "[.ShellClassInfo]" line. This will trick windows into thinking they have still covered their tracks, and wininet won't think to reconstruct them.
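Added example (not part of The Riddler's tutorial or of the post above): a small Python carver that walks an index.dat image block by block and pulls out the "URL " and "LEAK" records that the EDIT /75 walkthrough in Section 4 has you page through by hand, printing each URL with its last-modified and last-accessed FILETIMEs. It assumes the record layout commented in the code (the commonly documented IE5 "Client UrlCache MMF" layout; LEAK records share the URL record layout). The input it runs on by default is constructed in sample_index_dat() for demonstration, not copied from a real machine, and the example.* hostnames in it are placeholders.

```python
"""Carve IE5 index.dat records and list the URLs (and timestamps) they reference."""
import struct
import sys
from datetime import datetime, timedelta, timezone

BLOCK = 128                          # index.dat allocates records in 128-byte blocks
HEADER_SIG = b"Client UrlCache MMF Ver "
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means 'not set'."""
    if ft == 0:
        return None
    return _EPOCH_1601 + timedelta(microseconds=ft // 10)


def _cstring(buf, start):
    """Read a NUL-terminated byte string starting at `start` (latin-1 never fails)."""
    end = buf.find(b"\x00", start)
    if end == -1:
        end = len(buf)
    return buf[start:end].decode("latin-1")


def carve_index_dat(data):
    """Scan every 128-byte block for URL/LEAK records and return what they reference.

    Assumed record layout (IE5 'Client UrlCache MMF'; LEAK uses the URL layout):
      +0x00  4-byte signature ('URL ' or 'LEAK')
      +0x04  uint32 number of 128-byte blocks the record occupies
      +0x08  FILETIME last modified (server time)
      +0x10  FILETIME last accessed (local access time)
      +0x34  uint32 offset of the NUL-terminated URL, relative to the record start
    """
    hits = []
    off = 0
    while off + BLOCK <= len(data):
        sig = data[off:off + 4]
        if sig in (b"URL ", b"LEAK"):
            nblocks, = struct.unpack_from("<I", data, off + 4)
            nblocks = max(nblocks, 1)                 # a corrupt zero count must still advance
            modified, accessed = struct.unpack_from("<QQ", data, off + 8)
            url_off, = struct.unpack_from("<I", data, off + 0x34)
            # Refuse to follow a URL pointer that escapes the record (damaged or carved data).
            url = _cstring(data, off + url_off) if 0 < url_off < nblocks * BLOCK else ""
            hits.append({
                "offset": off,
                "type": sig.decode("ascii").strip(),
                "url": url,
                "modified": filetime_to_datetime(modified),
                "accessed": filetime_to_datetime(accessed),
            })
            off += nblocks * BLOCK                    # skip the whole record, not just its header
        else:
            off += BLOCK                              # unused, HASH or REDR block: keep stepping
    return hits


def _url_record(sig, url, modified, accessed, nblocks=2):
    """Build one constructed record in the layout above (a fixture, not a real file)."""
    body = bytearray(nblocks * BLOCK)
    body[0:4] = sig
    struct.pack_into("<I", body, 4, nblocks)
    struct.pack_into("<QQ", body, 8, modified, accessed)
    url_off = 0x68                                    # first byte past the fixed part of the record
    struct.pack_into("<I", body, 0x34, url_off)
    body[url_off:url_off + len(url) + 1] = url + b"\x00"
    return bytes(body)


def sample_index_dat():
    """A constructed index.dat image: a header block, three records and one free block."""
    header = (HEADER_SIG + b"5.2\x00").ljust(BLOCK, b"\x00")
    ft = 131_000_000_000_000_000                      # an arbitrary FILETIME in early 2016
    return (header
            + _url_record(b"URL ", b"Visited: user@http://www.example.com/search?q=secret", ft, ft + 10_000_000)
            + b"\x00" * BLOCK                         # free block between records
            + _url_record(b"LEAK", b"http://www.example.org/img/logo.gif", 0, ft)
            + _url_record(b"URL ", b"Cookie:user@www.example.net/", 0, ft + 20_000_000))


if __name__ == "__main__":
    # Usage: python carve.py [path\to\index.dat]; with no path the constructed sample is used.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_index_dat()
    for h in carve_index_dat(image):
        print(f"{h['offset']:#010x} {h['type']:<4} {h['accessed']}  {h['url']}")
```

The carver only steps through blocks, so it also sees records the file's own hash table no longer points to (entries the browser has "cleared"), which is the same reason the raw EDIT view above still shows URLs after the history has been emptied.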