Wednesday, May 30, 2012

Sysnative - What is it?


Sysnative is a term that has two meanings.  For those interested in the technical explanation, refer to the section on Sysnative in 64-Bit Windows operating systems below.

The other use of Sysnative, and the usage of interest to readers of Security Garden, is that it is the domain name for

What is special about  Let's find out.


At one time or another, most people who use the Windows operating system have experienced the dreaded "Blue Screen of Death" (BSOD) -- until Windows 8, a strange blue screen filled with numbers and codes, completely incomprehensible to most everyone.

Granted, there are occasions where a shutdown/restart or evoking "Last Known Good Configuration" appear to have resolved whatever issue caused the BSOD.  More times than not, however, help is needed to trace the source of the problem.  This is where comes in to play. is the result of a vision of Microsoft MVP, John Griffith. John, known in forum communities as jcgriff2, specializes in Blue Screen of Death (BSOD) Kernel dump analysis.  John also enjoys a reputation as an expert Windows forensic troubleshooter, typically sought by Windows Vista and Windows 7 owners after all else has failed.

John developed an application for use by BSOD OPs known as the "jcgriff2 BSOD File Collection app". The output, including mini kernel memory dumps, is used by BSOD Analysts who assist computer users in tracking down the source of the BSODs plaguing their computers.

John also developed BSOD kernel dump file scripts that automate many of the mundane tasks performed by the Windbg GUI. The scripts allow the running of multiple BSOD kernel dump files vs. running dumps one-by-one with Windbg.  In addition, the scripts also incorporate a direct interface to the Driver Reference Table, known as DRT, created by former Microsoft MVP John Carrona for driver look-ups.

The contributions by many talented people who are involved in analyzing the data compiled by John's application have made the "jcgriff2 BSOD File Collection app" and the "jcgriff2/niemiro BSOD Dump Processing Scripts" the tools of choice for BSOD Kernel Dump Analysis.

Should you be faced with the dreaded Blue Screen of Death, expert assistance is available from the many talented analysts at  Registration at the site is free, as is the help.  Follow the BSOD Posting Instructions and rest assured, help is on the way!

Wait, there is more!

That is correct.  Help isn't limited to BSOD crash analysis, debugging and error reports.  Getting Help with Windows Update/SFC is also very popular at Sysnative with people who have Windows Update issues.  Help and information are available from Microsoft MVPs, Windows Insider MVPs,, Microsoft MCCA's as well others knowledgeable in Microsoft Windows Operating Systems, Security, Programming, Networking, Graphics, and Games.

*Sysnative Logo

The logo for, displayed above, was created by a very talented graphic designer.  I have long been acquainted with the designs he has made for ASAP members and member sites and was very excited when he volunteered to create a logo for

Aside from the fantastic Sysnative logo, one of my favorite examples of this talented designer, known on various help forums as NJustice or N_J, is the artwork and website design for Amelia Eisenhauer, a talented young singer.

If you or someone you know are in the market for a custom design, I heartily recommend contacting Amazing Dezigns.

Sysnative in 64-Bit Windows 

The Sysnative alias was first seen with Windows Vista.  The Sysnative folder is used by a 32-bit application to access the native system folder instead of the %WinDir%\System32 folder.  In addition, WOW64 recognizes the Sysnative folder as a special alias.  As a result, the file system does not redirect access away from the Sysnative folder. This mechanism is flexible and easy to use and the Sysnative folder can be used to bypass file system redirection.

Additional information is available at MSDN in "File System Redirector". 

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Monday, May 28, 2012

Flame, aka Flamer or sKyWIper

Flame, aka Flamer or sKyWIper, has been dubbed more complex than Duqu and Stuxnet.  In fact, it has been described as "the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found." 

As described in The Flame: Questions and Answers - Securelist:
"What exactly is Flame? A worm? A backdoor? What does it do?

Flame is a sophisticated attack toolkit, which is a lot more complex than Duqu. It is a backdoor, a Trojan, and it has worm-like features, allowing it to replicate in a local network and on removable media if it is commanded so by its master.

The initial point of entry of Flame is unknown - we suspect it is deployed through targeted attacks; however, we haven’t seen the original vector of how it spreads. We have some suspicions about possible use of the MS10-033 vulnerability, but we cannot confirm this now.

Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on. All this data is available to the operators through the link to Flame’s command-and-control servers.

Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated."
The map below, compiled by Kaspersky, shows the top seven countries affected by Flame:

The following quote by Professor Alan Woodward Department of Computing, University of Surrey, was included in the BBC article, Flame: Massive cyber-attack discovered, researchers say:
"This is an extremely advanced attack. It is more like a toolkit for compiling different code based weapons than a single tool. It can steal everything from the keys you are pressing to what is on your screen to what is being said near the machine.

It also has some very unusual data stealing features including reaching out to any Bluetooth enabled device nearby to see what it can steal.

Just like Stuxnet, this malware can spread by USB stick, i.e. it doesn't need to be connected to a network, although it has that capability as well.

This wasn't written by some spotty teenager in his/her bedroom. It is large, complicated and dedicated to stealing data whilst remaining hidden for a long time."
In other words, it appears that this is just the tip of the iceberg.

Update:  A search of the Malware Protection Center Portal for Win32/Flame shows the addition to detection by Microsoft Security products, Published: May 29, 2012 , Alert level: Severe:

Additional References

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Sunday, May 27, 2012

JavaCool Software Now BrightFort

SpywareBlaster has long been recommended  to prevent the installation of spyware and other potentially unwanted software.  It is probably the most well known program from the JavaCool Software label. 

SpywareBlaster and the other JavaCool Software programs are now under a new label -- Brightfort.  From the BrightFort About page:
"Our Company BrightFort (formerly: Javacool Software) is a privately-owned, US-based software company. Since 2002 we've been dedicated to providing innovative and useful security and privacy solutions.

We provide feature-packed yet lean programs. Our team works closely together to design and build the fast, and compatible programs that effectively solve critical problems and help improve your computing experience."

BrightFort Programs

"Multi-Angle Protection
  • Prevent the installation of ActiveX-based spyware and other potentially unwanted programs.
  • Block spying / tracking via cookies.
  • Restrict the actions of potentially unwanted or dangerous web sites.
No-Nonsense Security SpywareBlaster can help keep your system secure, without interfering with the "good side" of the web. And unlike other programs, SpywareBlaster does not have to remain running in the background. It works alongside the programs you have to help secure your system."
 (Note:  An enterprise version of SpywareBlaster is also available.  Information at SpywareBlaster Network Version.)

"Making EULAs Easy

Discover if the software you're about to install displays pop-up ads, transmits personally identifiable information, uses unique identifiers to track you, or much much more. EULAlyzer can analyze license agreements in seconds, and provide a detailed listing of potentially interesting words and phrases."
 Doc Scrubber
"Share Only What You Want

Microsoft Word (.DOC) files can contain more than just text you see while editing them. Depending on the settings or features you use, they may contain all kinds of additional information that you may not want shared outside your home or company. Doc Scrubber lets you see that information, and scrub it from files before sending them to others."

"Protect Your Privacy

MRU-Blaster is a program made to do one large task - detect and clean MRU (most recently used) lists on your computer.

These MRU lists contain information such as the names and/or locations of the last files you have accessed. They are located ALL OVER your registry, and for almost ANY file type."


The code for FileChecker and ID-Blaster was written for older versions of Windows and has not been tested on newer version.  Since the code is very old, both programs have been retired.

(H/T:  Siljaline)

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, May 08, 2012

Microsoft May 2012 Security Bulletin Release

Microsoft released seven (7) bulletins, of which three (3) bulletins ares identified as Critical and four (4) as Important.

The bulletins address twenty-three (23) vulnerabilities in  Microsoft Windows, Office, Silverlight, and .NET Framework.  At least two of the updates will require a restart. 

If you have had difficulties with .NET Framework in the past, it is strongly advised that updates MS12-034 and MS12-035 be installed separately, including a shutdown/restart. 

Security Bulletins


The following additional information is provided in the Security Bulletin:
  • The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
  • Customers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit International Help and Support.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Saturday, May 05, 2012

Critical Adobe Flash Player Update

Adobe Flash Player was updated to address critical security vulnerabilities.  According to the Adobe PSIRT blog posting,
"There are reports that the object confusion vulnerability (CVE-2012-0779) addressed in this update is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only."

Update Information

The newest version for Windows, Macintosh, Linux and Solaris is 

Release date: May 4, 2012
Vulnerability identifier: APSB12-09
Priority: See table below
CVE number: CVE-2012-0779
Platform: All Platforms

Priority and Severity ratings

Adobe categorizes these updates with the following priority ratings and recommends users update their installations to the newest versions:
Updated Version
Priority Rating
Adobe Flash Player Windows
1 Macintosh and Linux
2 Android 4.x
2 Android 3.x and 2.x

Flash Player Update Instructions

Adobe Flash Player for Android

The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

Flash Player for Windows, Macintosh, Linux and Solaris

Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.

  • If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box.  It is not needed for the Flash Player update.
  • Uncheck any toolbar offered with Adobe products if not wanted.
  • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
Flash Player For Internet Explorer

Non-IE (Opera, Firefox, Etc.)

Flash Player Uninstallers:

32-Bit Uninstaller:
64-Bit Unisntaller:

*HatTip: ky331 for FTP download links.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 
Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

When Adobe Flash Player is updated, it is recommended that Adobe AIR version be checked as well.  Go to Adobe AIR Help to determine the version of Adobe AIR runtime installed.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Thursday, May 03, 2012

Security Bulletin Advance Notification for May

On Tuesday, May 8, 2012, Microsoft is planning to release seven (7) bulletins, of which three bulletins are identified as Critical and the remaining four as Important.

The bulletins address twenty-three (23) vulnerabilities in  Microsoft Windows, Office, Silverlight, and .NET Framework.  At least two of the updates will require a restart.  If you have had difficulties with .NET Framework in the past, it is strongly advised that update be installed separately. 

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Wednesday, May 02, 2012

Good-bye Windows Live, Hello Microsoft Apps

When Windows Live was introduced in 2005, it took me a while to get accustomed to adding "Windows Live" to Hotmail, Windows Messenger, Windows Movie Maker, Windows Photo Gallery, and the other programs that eventually became Windows Live Essentials*.

With the changes announced today at the Building Windows 8, it is time to start getting adjusted to new terms.  After all, when logging on to Windows 8 with your Microsoft account (formerly Windows Live ID, the apps will be immediately available with the information provided by cloud services. 

The chart below was provided at the Building Windows 8 blog showing the new breakdown of software and services.

Windows 8
Windows Phone
Web/HTML 5
API (dev.

Earlier Versions
Microsoft account
Microsoft account
Windows Live ID, Passport
SkyDrive app, SkyDrive Desktop
SkyDrive app, Office app
FolderShare, Live Mesh, Windows Live Mesh
Mail app
Mail app
Windows Live Mail, Outlook Express
Calendar app
Calendar app
Windows Live Mail, Windows Calendar
People app
People app
Windows Contacts
Messaging app
Messaging app
Integrated in Hotmail and SkyDrive
MSN Messenger
Photos/ Videos
Photos app, Photo Gallery, Movie Maker
Photos app, Camera Roll
REST, JSON (via SkyDrive)
Windows Live Photo Gallery, Windows Live Movie Maker

Even if you aren't testing Windows 8 Consumer Preview, the links all work.  Go ahead, give it a try.  Check your calendar at or look up a contact at

See the Building Windows 8 blog for additional information about the rebranding of Windows Live as Microsoft Apps.  Detailed information has been promised in upcoming articles about Microsoft account, cloud services, SkyDrive, Hotmail, Messenger, as well the work Microsoft is doing with Skype.  

*Windows Live Essentials Applications

  • Windows Live Family Safety 
  • Windows Live Mail 
  • Windows Live Mesh 
  • Windows Live Messenger 
  • Windows Live Messenger Companion 
  • Windows Live Movie Maker 
  • Windows Live Photo Gallery 
  • Windows Live Sign-in Assistant 
  • Windows Live Writer 
  • Bing Bar 
  • Microsoft Outlook Hotmail Connector 
  • Microsoft Silverlight 



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...