To all forum members re file verification

Discussion in 'Legacy Windows' started by gammaepsilon, 2003/12/27.

Thread Status:
Not open for further replies.
  1. 2003/12/27
    gammaepsilon

    gammaepsilon Inactive Thread Starter

    Joined:
    2003/04/27
    Messages:
    267
    Likes Received:
    0
    I am just finishing some code which calculates the MD5 signature of files to be held in a list in the registry and used for checking purposes either during Startup or manually. This will spot changes, including corruption or replacement, much faster than file comparison and is binary based so all files are candidates not just ascii files such as system.ini.

    There could be as many lists as there are PCs but some files will be very common, for example Normal.dot used by MS Word. According to many forums this file does get corrupted and it is not obviously the problem. Failing a regular MD5 check will save a lot of time and grief.

    What I would like is a list of such files that I can include with the code as a 'starter' list. I have already included system.ini and win.ini; the former included after reading one forum member, not WinBBS, who found that the current system.ini and all copies in the rb0nn.cab files were corrupted. An MD5 check at StartUp would have spotted corruption long before all copies fell foul.

    When the project is completed I will make it available here for unrestricted use and possible comment for improvement.

    Thanks all in anticipation of your suggestions for inclusion in the 'starter' list.
     
  2. 2003/12/27
    merlin

    merlin Inactive

    Joined:
    2003/01/07
    Messages:
    1,111
    Likes Received:
    0
    Hi ge, I do not know what an MD5 signature is or what the basis for using it is! Please explain more for us.
    regards
     

  4. 2003/12/27
    gammaepsilon

    Apologies, Merlin

    It is analogous to Cyclic Redundancy Checksums, 16 and 32 bit. If two files have differing CRCs then they are likely to be different.

    MD, Message Digest, was introduced in '92 for checking the integrity of messages. A message is sent with its MD signature. If the recipient's message has a different signature then the message is probably corrupted. MD covers both text and binary files but its power is that it is 128 bit based so we have astronomic odds against two different files having the same MD signature - 2^64 against, in fact. The odds against winning the UK Lotto are about 2^24.

    ge
     
  5. 2003/12/27
    merlin

    Hi ge. Sounds great - let us know how you get on.
    regards
     
  6. 2003/12/27
    gammaepsilon

    I will, Merlin. Do you have any suggestions re what to include for checking?

    What we will have is a mini System File Checker but instead of checking system files it will check those files which can cause us grief when corrupted such as Normal.dot for example.

    Early tests indicate that including the checking app in the StartUp folder with a workload of a handful of smallish files has a negligible effect on boot time.

    The 'starter' list I want to include in the documentation is to indicate the type of file we want to 'keep an eye on'. Folks will then think of such files in their own setup which would be irrelevant to someone else's setup.
     
  7. 2003/12/28
    merlin

    Ge, is your application limited in any way by the file suffix?
    My immediate thoughts would start with files needed to boot a PC, such as protocol.ini, msdos.sys, dosstart.bat - but there are many more relevant to my PC that I would judge worth checking, e.g. all the stuff that starts at boot, AVG, Keytext, and so on.
    regards
     
  8. 2003/12/28
    gammaepsilon

    Hi Merlin

    No limitations whatsoever.

    I don't use the Startup bitmap but I have heard of folks coming to grief when it has been corrupted so it may be worthwhile including that in the check list.

    I use OpenDialog for selecting the inclusions and the mask is set at *.*.

    The project is coming on and the provision for more than one list has now been included with an optional argument to the shortcut Target for a user defined registry key name. At the moment I have keys called StartUp and Manual; the former being used as a check list during bootup and the latter to be employed as and when.

    I've also experimented with dumping small sections of the registry into reg files and computing a signature for them. A redump with a different signature would indicate at least one entry difference. We can then compare the 'base' reg file with the current dump to find what has altered. We can always do this anyway but with the above approach we can check any number of reg files in a list very quickly without going anywhere near a 'file compare' routine unless we are alerted of one or more signature failures.

    "protocol.ini, msdos.sys, dosstart.bat" would be typical inclusions and files of this size would be checked at lightning speed.

    It has occurred to me that checking such files before a restart or shutdown may be the way to go. I'd rather be told that a potential headache is on the horizon as opposed to being told why I had one even though the latter is better than a blank piece of paper!

    Thanks for your interest.
     
    Last edited: 2003/12/28
  9. 2003/12/30
    benhenry

    benhenry Inactive

    Joined:
    2003/12/09
    Messages:
    1
    Likes Received:
    0
    Maybe msconfig.exe? I've heard that some trojans disable msconfig to prevent users from easily disabling hklm run keys.

    Maybe VMM32.VXD? to prevent tampering that would keep windows from loading...

    I think your mini-system file checker idea is great!
     
  10. 2003/12/30
    gammaepsilon

    benhenry

    Thanks for your input.

    Yep, I'll buy both of your suggestions.

    I did have 7 items being checked - I now have 9.

    However, the vmm32.vxd is taking a long time to give up a signature. The 9 items now take 240ms to check. I think I can live with ¼ second.

    The signature is calculated by an ActiveX in-process server dll written in Visual C++ 5.0 and called by my vbscript app. My beast poodles along at 600MHz.

    I should add that I did not write the dll and full credit will be given when I publish the project.

    I'm also using a dll which enhances vbscript considerably and, here too, only an acknowledgement is required.

    I've given some thought to checking prior to restart/shutdown resulting in a small script which emulates Logoff and Shutdown at the same time and if a restart/shutdown is chosen the MD5Exit key list is checked. If anything suspicious is found we can abort and investigate. Imagine finding a corrupt system.ini before we shutdown? I could stand a lot more delay on a shutdown than a boot and it's the best time to check!
     
  11. 2003/12/30
    gammaepsilon

    Hit the wrong button and thought I'd stopped it. Wanted to see how a small font looked and I'm not allowed to delete this post - so it seems - but I can replace the text?:rolleyes:
     
    Last edited: 2003/12/30
  12. 2003/12/30
    gammaepsilon

    For the record this is how my Exit key looks.

    [HKEY_LOCAL_MACHINE\Security\MD5Exit]
    "C:\\WINDOWS\\SYSTEM.INI"="5d8e5d71ce1843180cbf166e98701c10"
    "C:\\WINDOWS\\WIN.INI"="96eee678748c7c2b14a2db6830a44b6e"
    "C:\\AUTOEXEC.BAT"="8d35c627364a5584a5d8483f8b045427"
    "C:\\CONFIG.SYS"="7ddcffd5ce8a73c148f32ad3d724f61b"
    "C:\\MSDOS.SYS"="e9c416536ff0d4c0cfaa835a488d6d69"
    "C:\\WINDOWS\\PROTOCOL.INI"="3c7e4027dd7c8f64228b493d4f7e082d"
    "C:\\WINDOWS\\APPLIC~1\\MICROS~1\\TEMPLA~1\\NORMAL.DOT"="abb1ad4a6419ef36f2bd16d66f7952a1"
    "C:\\WINDOWS\\SYSTEM\\MSCONFIG.EXE"="c5e1a2005709410fd33ebcc0a054d360"
    "C:\\WINDOWS\\SYSTEM\\VMM32.VXD"="905a5ee4f465d5fce86f7f7447f78518"
    "C:\\WINDOWS\\FONTS\\DESKTOP.INI"="80c0482092be4ddebbfae67a3651785a"
    "C:\\WINDOWS\\SYSTEM\\FONTEXT.DLL"="b406a9c5dfddc47b7d7d73db75f37747"


    The hex in the value data is the 128 bit signature.

    Keep the suggestions rolling in.

    I should be in a position to release the apps at the end of the week - there's a small matter of celebrating looming on the horizon.
     
  13. 2003/12/30
    gammaepsilon

    Update:

    I've been giving the apps a thorough workout and the checking app periodically misbehaved. It appeared to be either interfering with string segments and/or messing up garbage collection. The app was rewritten several times but the misbehaving took various forms. It also appeared to baulk at long names unless this was coincidental but forcing 8.3 did reduce failures. It got its marching orders and I've written to the author.

    Bit of a niche market this subject but I tracked down a library which has both a Pro version [shareware] and a Lite version [free]. The Pro version has more hash routines than you can shake a stick at and the Lite version only has MD4 and MD5 :D

    Rewrote the code as wanted and it's working a treat. It may have been written in machine code because it is twice as fast as the first dll tried.

    MD4 appears to be about 10% faster still but I'll stay with MD5.

    The System File Checker uses CRC [32 I assume].

    The latest dll will get a hammering before I release the apps but it is looking very promising.

    My m.o. is now a restart/shutdown check. I was messing with autoexec.bat and forgot it was in the check list - MD5Exit interrupted the restart. That'll do me.
     
  14. 2004/01/09
    gammaepsilon

    Finished, if ever any project is really finished.

    We can have several sets of files, held in the registry with their MD5 signature, to check and they may be checked at startup, at any time or at a Restart/Shutdown. Separate apps to the checking routine have been written to create these sets allowing us to keep the registry at arm's length. Right clicking a file(s) can send them to a chosen set or the files can be selected via the standard Open Dialog box.

    I no longer use Start>Shut Down...

    This has been replaced with an option to Log Off, Restart/Shutdown or Cancel.

    With both Log Off and Restart/Shutdown a particular set of files is checked and if any suspect files are found we may either continue with the chosen action or abort to investigate.

    With Restart/Shutdown, after checking, we may have apps run along the lines of the Local Machine Run key providing then a Restart/Shutdown Run key. An app has been written to create this set as well.

    How fast? [on my 600MHz]

    “In one key I have 16 files totalling 1438Kb and they are checked in 145ms; varies slightly with each check. The files are quite varied in size so a rule of thumb would be 0.1s/Mb plus the apps loading times. So, it would seem, we have not got a costly exercise on our hands.”

    Level of experience required: Intermediate and above should have no problems. Beginners should also be OK provided they have been around the block at least once. Early beginners may struggle but Intermediate members could help here and will probably be better at explaining things than me. Some members are very good at this.

    Have fun ;)

    File Verification
     
  15. 2004/01/09
    merlin

    Will get back to you ge when I have tried out the DL
    regards
     
  16. 2004/01/13
    gammaepsilon

    A new script has been added to the set:

    “MD5SD.vbs

    The SD stands for SharedDLLs.

    MD5SD will read the SharedDLLs key in the registry and create an MD5 key with the same name consisting of the filespecs and MD5 signatures. It works on a flushing basis so that when run subsequently it only adds new files found. On my system I have 1143 entries totalling 235.7Mb. MD5Check took only 43 seconds to compare the signature of the files on disk with those in the list. Obviously, not a job to be done on a Restart/Shutdown but a little task to be included with the regular maintenance regime.

    If any dlls get corrupted any application which uses it will probably not say "Sorry, I cannot complete this task because whatever.dll is corrupted" but would probably just fall over. If an app does fall over then a quick check on the SharedDLLs key may just save a lot of time.”

    merlin

    How are you doing with the testing?
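
A sketch of the scheme described in this thread (a stored set of file signatures, a check that reports suspect files, and MD5SD's add-only-new update), as an added example that is not gammaepsilon's code. It assumes a JSON file in place of the registry key and defaults to SHA-256 rather than MD5; the function names, sample files and `exit_set.json` are hypothetical.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file's raw bytes in chunks, so any file type and size can be checked."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def add_to_set(manifest, paths, algorithm="sha256"):
    """Add baseline digests for new paths only; existing entries are never overwritten."""
    added = []
    for p in map(str, paths):
        if p not in manifest:
            manifest[p] = file_digest(p, algorithm)
            added.append(p)
    return added

def check_set(manifest, algorithm="sha256"):
    """Return {path: "missing" | "changed"} for entries that fail their baseline."""
    suspect = {}
    for p, expected in manifest.items():
        if not Path(p).is_file():
            suspect[p] = "missing"
        elif file_digest(p, algorithm) != expected:
            suspect[p] = "changed"
    return suspect

def demo(workdir):
    """Constructed sample files: baseline three, then corrupt one and delete one."""
    work = Path(workdir)
    files = [work / n for n in ("system.ini", "win.ini", "normal.dot")]
    for f in files:
        f.write_bytes(b"constructed sample content for " + f.name.encode())
    manifest = {}
    add_to_set(manifest, files)
    store = work / "exit_set.json"      # hypothetical stand-in for the registry key
    store.write_text(json.dumps(manifest, indent=2))
    files[0].write_bytes(b"corrupted")  # simulate corruption of system.ini
    files[2].unlink()                   # simulate a deleted normal.dot
    return check_set(json.loads(store.read_text()))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for path, status in demo(d).items():
            print(f"{status:8} {path}")
```

MD5 still catches accidental corruption, but because MD5 collisions can be constructed deliberately, a SHA-2 digest is the safer default where the concern is tampering, as with the msconfig.exe suggestion; pass `algorithm="md5"` to reproduce the thread's 128-bit signatures. A baseline kept where the checked files' owner can also write it can be altered along with the file, so keep a read-only or offline copy of the set.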
     
  17. 2004/01/13
    merlin

    ge - testing soon - got waylaid by the bootable CD needs.
    regards
     