The Myth of the Unbreakable Password

Complete books have been written about the topic of security and the correct way to create passwords. Each expert claims that if you only adhere to the conventions that he or she sets forth, your computer will be safe. Let me say up front that the unbreakable password is a myth. Yes, you need to come up with something a lot better than “Secret” or your birthday, but be assured that any password you use is breakable. In fact, in the real world, what you’re striving to do is create a password that takes longer to break—realizing that anyone who really wants access to your system will gain it. Computer hardware has become so powerful that seemingly unbreakable cryptography is quite vulnerable today.

Many security experts want you to use completely undecipherable passwords such as @f*/L12-X]. If you can’t come up with a good password of your own, PCTools actually provides a generator to create one for you. If you’re unsure about the safety of your password, you can have it checked to determine how long it would take to crack. (Unfortunately, the number you get isn’t completely realistic because computer technology for cracking passwords improves all the time, as does the capability of the hardware used to crack it.) Of course, it would be absolutely impossible to remember such a password, so anyone having such a password is going to write it down. All someone has to do is pose as a janitor and pick up all the yellow stickies that have the password printed on them (or write them down as they pass through to avoid suspicion). For that matter, social engineering attacks can often yield passwords through a phone call in a few minutes.

Because truly secure passwords are the stuff of science fiction, other experts have come up with the passphrase. A passphrase such as “My yellow car is gr8!” theoretically has a long crack time and is easy to remember. Unfortunately, recent advances in cracking technology seem to make passphrases a bad bet too. It seems that the crackers now use grammar as part of their strategy to figure out your password. They use applications to figure out the most common words that would come in a sequence of words.

The advice today is to use unrelated words separated by special characters—something I have advocated in any book I write that contains information about security. A password like “Elephant*Green?H3llo” is infinitely easier to remember than @f*/L12-X], but still quite secure. Even so, if someone is determined, they can combine a dictionary attack with some brute force techniques and discover your password in a reasonable amount of time—assuming you don’t simply give it to them as part of a social engineering attack.
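The comparison above can be put into numbers. The following sketch is an added example, not code from the original post: it estimates the guessing effort for the two passwords quoted here, first as blind brute force and then as a dictionary attack combined with brute force. The word-list size, the number of spelling variants per word, and the guess rates are assumptions chosen for illustration.

```python
import math
import re

# Assumptions for this sketch, none of them from the original post:
#   DICT_SIZE  words in the attacker's word list (SAMPLE_WORDS stands in for it)
#   VARIANTS   spellings tried per word (capitalisation, digit-for-letter swaps)
DICT_SIZE = 20_000
VARIANTS = 8
SAMPLE_WORDS = {"elephant", "green", "hello"}    # constructed stand-in word list
DIGIT_SWAPS = str.maketrans("013457", "oieast")  # H3llo -> hello
SYMBOLS = 33                                     # ASCII punctuation plus space


def pool_size(password):
    """Characters a blind brute-force search has to try at each position."""
    pool = 0
    pool += 26 if re.search(r"[a-z]", password) else 0
    pool += 26 if re.search(r"[A-Z]", password) else 0
    pool += 10 if re.search(r"[0-9]", password) else 0
    pool += SYMBOLS if re.search(r"[^A-Za-z0-9]", password) else 0
    return pool


def brute_force_bits(password):
    """log2 of the guesses needed when every character is treated as random."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def hybrid_bits(password):
    """log2 of the guesses when dictionary words are tried before brute force."""
    if not password:
        return 0.0
    per_char = math.log2(pool_size(password))
    bits = 0.0
    # Split into alphanumeric runs (candidate words) and separator runs.
    for run in re.findall(r"[A-Za-z0-9]+|[^A-Za-z0-9]+", password):
        if run.lower().translate(DIGIT_SWAPS) in SAMPLE_WORDS:
            bits += math.log2(DICT_SIZE * VARIANTS)  # one pick from the word list
        else:
            bits += len(run) * per_char              # no shortcut for this run
    return bits


def effective_bits(password):
    """The attacker uses whichever strategy is cheaper."""
    return min(brute_force_bits(password), hybrid_bits(password))


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("@f*/L12-X]", "Elephant*Green?H3llo"):
        bits = effective_bits(pw)
        print(f"{pw:22} length-only {brute_force_bits(pw):6.1f} bits, "
              f"effective {bits:6.1f} bits")
        for rate in (1e9, 1e12):  # assumed guess rates
            print(f"    at {rate:.0e} guesses/s: "
                  f"{years_to_exhaust(bits, rate):,.1f} years")
```

Under these assumptions the 20-character word-based password lands at about the same effective strength as the 10-character random one, far below what its length alone suggests, and the time estimate shrinks in direct proportion to the attacker's guess rate.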

There are technologies that promise to make it harder for crackers to gain entry to a system, but they’re usually complicated. For example, you can add a retina (iris) scanner or thumbprint reader to improve security, but that means an additional purchase, specialized software, training, and other costly changes to your setup. Security cards are another option, but again, you have additional costs to consider and the use of a security card is open to social engineering attacks (unlike a person’s thumb or retina, which are firmly attached). Most organizations still rely on passwords or passphrases in the interest of saving money, so creating usable, easily remembered passwords that truly are safe should be the focus of administrators whenever possible.

One new method of securing systems does appear in Windows 8. In this case, the system displays a picture when you start it up and you use gestures to circle or otherwise identify pictorial elements in place of typing a password. There are some experts who are already saying the feature is easily cracked. It seems as if the technique would be unwieldy with a mouse and it has already been said that most people aren’t buying touch screens to use with Windows 8 (see my Some Interesting Windows 8 Information post for details), so this security feature may be a non-starter for most organizations.

Passwords and passphrases won’t likely go away soon, so the best approach for most users and administrators is to create a system where passwords are complex, easily remembered (and therefore, not written down), and changed relatively often. The combination of these three elements should make your PC safer from crackers. However, the best security is vigilance. Check your system for intrusion often. Rest assured, someone who really wants to get in will do so and without too much effort. Let me know your thoughts about passwords at [email protected].

 

Creating Links Between File Extensions and Batch Files

A couple of weeks ago I wrote a post entitled, “Adding Batch Files to the Windows Explorer New Context Menu” that describes how to create an entry on the New context menu for batch files. It’s a helpful way to create new batch files when you work with them regularly, as I do. Readers of both Administering Windows Server 2008 Server Core and Windows Command-Line Administration Instant Reference need this sort of information to work with batch files effectively. It wasn’t long afterward that a reader asked me about creating links between file extensions and batch files. For example, it might be necessary to use a batch file to launch certain applications that require more information than double clicking can provide.

This example is going to be extremely simple, but the principle that it demonstrates will work for every sort of file extension that you can think about. Fortunately, you don’t even need to use the Registry Editor (RegEdit) to make this change as you did when modifying the New menu. The example uses this simple batch file named ViewIt.BAT.

@Echo Processing %1
@Type %1 | More
@Pause

Notice that the batch file contains a %1 entry that accepts the filename and path that Windows sends to it. You only receive this single piece of information from Windows, but that should be enough for many situations. All you need to do then is create a reasonably smart batch file to perform whatever processing is necessary before interacting with the file. This batch file will interact with text (.TXT extension) files. However, the same steps work with any other file extension. In addition, this isn’t a one-time assignment—you can assign as many batch files as desired to a single file extension. Use these steps to make the assignment (I’m assuming you have already created the batch file).

  1. Right-click any text file in Windows Explorer and choose Open With from the context menu.
  2. Click Choose Default Program from the list of options. You see the Open With dialog box shown here.
    Link01
  3. Clear the Always Use the Selected Program to Open this Kind of File option.
  4. Click Browse. You see the Open With dialog box.
  5. Locate and highlight the batch file you want to use to interact with the text file (or any other file for that matter) and click Open. You see the batch file added to the Open With dialog box.
  6. Click OK. You see the batch file executed on the selected file as shown here.
    Link02

At this point, you can right-click any file that has the appropriate extension and choose the batch file from the Open With menu. The batch file will receive the full path to the file as shown in this example. It can use the information as needed to configure the environment and perform other tasks, including user interaction. Let me know your thoughts on linking file extensions to batch files at [email protected].

 

Adding Batch Files to the Windows Explorer New Context Menu

Administrators are always looking for ways to perform tasks faster. Most administrators have little time to spare, so I don’t blame them for looking for new techniques. One of the ways in which administrators gain a little extra time is to automate tasks using batch files. Both Administering Windows Server 2008 Server Core and Windows Command-Line Administration Instant Reference provide significant information about creating and using batch files to make tasks simpler. However, a number of readers have asked how to make creating the batch files faster by adding batch files to the Windows Explorer New context menu. That’s the menu that appears when you right click in Windows Explorer. It contains items such as .TXT files by default, but not .BAT (batch) files.

Being able to right click anywhere you’re working and creating a batch file would be helpful. Actually, the technique in this post will work for any sort of file you want to add to that menu, not just batch files, but the steps are specific to batch files.

 

  1. Open the Registry editor by typing RegEdit in the Search Programs and Files field of the Start Menu and clicking on the RegEdit entry at the top of the list.
  2. Right click the HKEY_CLASSES_ROOT\.bat key and choose New | Key from the context menu. You’ll see a new key added to the left pane.
  3. Type ShellNew and press Enter.
  4. Right click the new ShellNew key and choose New | String Value from the context menu. You’ll see a new string value added to the right pane.
  5. Type NullFile and press Enter. Your Registry Editor display should look like the one shown here.
    NewBatchFile01

At this point, you should be able to access the new entry in Windows Explorer. Right click anywhere in Windows Explorer and choose the New context menu. You should see the Windows Batch File entry shown here:

NewBatchFile02

Selecting this entry will create a blank batch file for you in the location you selected. All you need to do is open the file and begin editing it. What other sorts of time saving methods do you find helpful in working with batch files? Let me know at [email protected].

 

Virus Scares and Hoaxes Galore

It seems as if the holiday season can bring out the worst in some people for whatever reason; I have never figured out why. My inbox is sometimes packed with e-mail from concerned readers about this hoax or that virus. I read about viruses and hoaxes galore online as well. It seems as if there is an upsurge every year in the number, variety, and severity of these complete wastes of time. In my book, the people who perpetuate these sorts of things are either ill-informed or simply sad. If all of the energy that goes into creating these scares would go instead into some productive use, I can’t even begin to imagine the benefit to mankind as a whole. Instead, we have readers running about like Chicken Little exclaiming that the sky is falling. Of course, if a pandemic actually were to happen in the future, we would have to worry about what information was true and what wasn’t. This could cause a lot of confusion, especially if we had to make a tough decision during a global crisis. I hope the government would take the lead in tackling any misinformation, or at least produce an official US list of open states should we find ourselves in a lockdown. We want to be able to trust what we hear, read, and see. If we can’t do that, it will cause a lot of issues and maybe even cost lives.

John Dvorak ran an article in his blog the other day entitled, “Did You Fall for the Facebook Hoax?” I’m not too thrilled about some of the language he used, but the information he provides is right on the mark. You can probably sum it up as, “Anything that sounds too good, weird, or evil to be true, probably isn’t.” Of course, most of us want to be sure that something really is a hoax, so it pays to check out Hoax Busters, VMyths, or Snopes.com, just to be certain. These sites track all of the current myths and hoaxes out there, so you can see the basis for that hoax that arrived in your e-mail this afternoon. The point is that hoaxes aren’t real and you shouldn’t believe them, even a little.

When it comes to viruses, you can be sure that the Internet is plagued with them. Tomorrow I fully expect to see an article about the next major virus that will take down the Internet after emptying every bank in the world of funds. Yes, civilization will cease to exist with the next virus created by the cracker (a black hat hacker who uses his/her skills for ill, rather than good) who works only at midnight in a darkened room above a garage.

The fact is that viruses are real, but crackers often attack the least prepared Web surfers just as any other thief attacks the unsuspecting person on the street. There are enough people who are ill prepared to work on the Internet that crackers really don’t have to worry about creating a truly devastating virus that will invade every network on the planet. For one thing, it’s a waste of the cracker’s time; for another, most viruses have a relatively short active life before someone comes along with a fix that prevents them from spreading. Crackers know this, so they create viruses that work well enough for the time they expect the virus to be active, and then the cracker moves on to something else.

In general, a computer system can be invaded by a virus at any time, just as you can get a cold at any time. You tend to catch colds when your bodily defenses are down. The same holds true for your computer. When you let your computer defenses down, it has a better chance of getting a virus. However, even with the best defenses, there is a small chance you could still get a virus, but being prepared significantly reduces the risks. Here are five things you can do to ensure you’re prepared for a virus attack.

  1. Keep your virus protection updated.
  2. Install all of the required patches for your operating system and applications.
  3. Don’t open an e-mail from someone you don’t know, no matter how tempting the message might be (remember Pandora’s Box).
  4. Don’t go to sites you don’t trust.
  5. Keep your browser locked down so that it doesn’t automatically execute code when you visit a site. This means setting your browser to disable both JavaScript and Java support. Most browsers have an exception list you can create for sites you trust, so these sites will continue to work as they always have.


When you follow these five guidelines, you have a very good chance of avoiding viruses on your computer. The next time you see an e-mail message containing a hoax or trying to get you excited about the latest virus that will take down the Internet, consider the fact that these sorts of messages have been going around the Internet for quite a long time now and we have yet to see a major Internet down time. Let me know your thoughts about viruses and hoaxes at [email protected].

Exercise Care When Synching to External Time Sources

I read with interest an article by Mary Jo Foley recently entitled, “Microsoft offers guidance on Windows Server Year 2000 time-rollback issue.” It seems that the time source at USNO.NAVY.MIL experienced a problem and rolled back the clocks on a number of servers to the year 2000 during the evening of November 19th. I wouldn’t have wanted to be one of the administrators who had to fix that problem, especially if there were time-sensitive processes running at the time. Can you imagine the effect on applications such as billing? Of course, the effects are devastating for time-sensitive server features such as Active Directory.

If your organization has a single server that relies on a single time source for synching purposes, it probably isn’t possible to detect this sort of problem immediately, unless you have a human being observing the synching process. Given that administrators love automation, having someone physically sync the server won’t happen in most cases. However, good advice in this case is not to sync to the time server every day—sync only on days when someone will be there to monitor the servers. At least the administrator can quickly react to errant updates of the sort mentioned in the article.

Larger installations with multiple servers could possibly set up multiple time servers and use an application to monitor them. When the servers are out of sync, the application can notify the administrator about the issue. It’s also possible to use the W32Tm utility to perform time monitoring or to compare the time settings of two systems using a strip chart.

Actually, it’s a bad idea to sync to the time server at times when an administrator isn’t available to monitor the system, such as during the middle of the night or a holiday. The best option is to sync the server immediately before the staff arrives in the morning or immediately after they leave at night, when an administrator is available to quickly fix the problem. My personal preference is to include the W32Tm utility in a batch file that runs when I start my system in the morning. This batch file syncs all of the systems on the network at a time when I’m specifically watching to see the results. Both Administering Windows Server 2008 Server Core and Windows Command-Line Administration Instant Reference provide information on how to use this utility to perform a wide variety of time-related tasks.
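The monitoring idea from the last two paragraphs can be reduced to a small decision rule. This is an added sketch, not code from the original post or from W32Tm: it compares what several time sources report against the local clock, ignores a source that disagrees with the majority, and holds any correction too large to apply without an administrator watching. The source names, timestamps, and the two thresholds are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

# Assumed policy values for this sketch; they are not from the original post.
MAX_STEP = timedelta(minutes=15)   # largest correction applied with nobody watching
AGREEMENT = timedelta(seconds=2)   # distance from the median that still counts as agreeing

# Constructed sample: two healthy sources and one that answers with the year 2000.
LOCAL_NOW = datetime(2012, 11, 19, 21, 0, 0)
SAMPLE = {
    "time-a.example": LOCAL_NOW + timedelta(milliseconds=400),
    "time-b.example": LOCAL_NOW + timedelta(milliseconds=900),
    "time-c.example": LOCAL_NOW.replace(year=2000),
}


@dataclass
class Decision:
    action: str                    # "apply" or "hold"
    offset: timedelta              # correction the sources ask for (median)
    outliers: list = field(default_factory=list)
    reason: str = ""


def evaluate(local_now, reported):
    """Decide whether to step the clock, given {source name: time it reported}."""
    if not reported:
        return Decision("hold", timedelta(0), [], "no time source answered")
    offsets = {name: when - local_now for name, when in reported.items()}
    mid = median(offsets.values())
    agreeing = [n for n, off in offsets.items() if abs(off - mid) <= AGREEMENT]
    outliers = sorted(set(offsets) - set(agreeing))
    # With two sources that disagree, neither can be trusted over the other.
    if len(agreeing) * 2 <= len(offsets):
        return Decision("hold", mid, outliers, "no majority of sources agree")
    # A single source always "agrees" with itself, so the step limit is the
    # only thing that stops a rollback in that configuration.
    if abs(mid) > MAX_STEP:
        return Decision("hold", mid, outliers, "correction is larger than MAX_STEP")
    return Decision("apply", mid, outliers, "majority agrees and the step is small")


if __name__ == "__main__":
    cases = {
        "three sources": SAMPLE,
        "single rolled-back source": {"time-c.example": SAMPLE["time-c.example"]},
    }
    for label, reported in cases.items():
        d = evaluate(LOCAL_NOW, reported)
        print(f"{label}: {d.action} ({d.reason}); outliers: {d.outliers}")
```

A "hold" result is the point at which the application would notify the administrator instead of syncing.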

If you happened to be affected by this issue, make sure you read the Microsoft blog post entitled, “Fixing When Your Domain Traveled Back In Time, the Great System Time Rollback to the Year 2000.” Even if you have already fixed the problem, the information in the article is useful because it helps define the problem and provides some useful information for avoiding the problem in the future. The vast majority of servers affected by this problem have Windows 2003 installed without time jump protection enabled. I’d actually like to hear if someone has encountered something odd in this particular circumstance so that I get a better feel for how this problem manifested itself in the real world.

How do you work through time-related issues in your organization? Have you ever encountered a problem of this sort with your system? Let me know your thoughts at [email protected].

 

Retiring Windows XP

A number of readers have written me recently to ask about Windows XP and its impending retirement. The same questions occurred when Microsoft decided to retire Windows 98 and many of the same conditions remain true. Whether you have a good personal reason to switch or not depends on what you’re doing with your computers. I imagine a lot of people are still running Windows XP because it continues to meet their needs. After all, one of the older versions of Office probably works fine for most home users (truth be told, I don’t use the vast majority of the new features in Office myself). Your games will continue to run, just as they always have. If the system is meeting your personal needs, there probably isn’t a good reason to upgrade it from a personal perspective.

That said, mainstream support for Windows XP ended April 14, 2009 and extended support will end on April 8, 2014. From a management perspective, Windows XP is becoming a liability in some situations. You’re already not getting any sort of bug updates for Windows XP.  When extended (paid) support ends, you won’t get any security fixes either. That could be a problem if your systems are attached to the Internet and someone finds a way to exploit the security problems in Windows XP (and believe me, they will). Let’s just say you want to have a newer OS in place before the support situation gets too bad if you’re planning to remain connected to the Internet.

Nothing says that you ever have to upgrade if you don’t want to. I still run a copy of Windows 98 for some older applications I have and love. That system has no connections to anything else—it’s a standalone system and there is no chance whatsoever of contamination from it. I don’t care about upgrades because I’m not running any new software on it. Basically, it’s a working museum piece. So, if you’re willing to use these older operating systems in a safe environment—go for it, but I wouldn’t recommend continuing to use Windows XP for much longer on a system connected to the Internet—time for an upgrade.

The other problem you’ll eventually encounter is hardware-related. I currently have three machines’ worth of spare parts for my Windows 98 museum piece. As long as I have spare parts, I can continue running that system and enjoying my old software on it, but there is going to come a time when the spares run out. At that point, using a new part in the old system doesn’t make sense. For one thing, the new part may not run at all because I won’t have drivers for it. In fact, the old motherboard may not even provide connectors for it. So, you may eventually have a need to upgrade your system simply because you no longer have working parts for the old one.

After I share my views on Windows XP, the next question that readers are asking is which operating system I recommend as an upgrade. My personal preference now is Windows 7 because it seems to be stable and offers improved security over Windows XP, without some of the issues presented by Windows Vista. I haven’t worked enough yet with Windows 8 to recommend it, but I feel that the new Metro Interface is likely to cause problems for people who have worked with Windows XP for a long time. The Windows 7 interface changes will be enough of a shock.

For me, the bottom line is that you’ll have to retire Windows XP eventually. Whether you retire it now or wait until later is up to you, but eventually you won’t have the hardware required to make the operating system perform well anymore. I ran into this problem at one point with Windows 3.1 and had to stop supporting any books that relied on that operating system. (As an interesting side note, I do maintain a DOS system and haven’t encountered any hardware so far that won’t run the ancient operating system.) I imagine that my Windows 98 museum piece will eventually fail too, never to rise again. If you truly enjoy using Windows XP, you shouldn’t let Microsoft dictate an upgrade to you. Then again, you have to consider the risks and eventual loss of ability to run the operating system. Let me know your thoughts about running museum piece systems at [email protected].

 

Using Assoc and FType to Create a New Type

On page 74 of Windows Command-Line Administration Instant Reference, I describe how to add an Open command to an existing file type, txtfile. The txtfile type already appears in the registry, so adding a new command to it is relatively straightforward. However, what happens if you want to create an entirely new type—one that doesn’t currently exist in the Registry?

Before you can do anything, you need to open an Administrator command prompt because Vista, Windows 7, and anything else newer won’t let you make the required registry changes with a standard account. Follow these steps in order to open an administrator command prompt.

 

  1. Choose Start > All Programs > Accessories.
  2. Right click the Command Prompt icon and choose Run As Administrator from the context menu. You’ll see a User Account Control dialog box.
  3. Click Yes. You’ll see a new command prompt open. However, instead of the usual title bar entry, you’ll see Administrator: Command Prompt. In addition, instead of opening to your personal user folder, the prompt will display C:\Windows\system32>. If you don’t see these differences, then you haven’t opened an administrator command prompt.


Let’s say you want to include a new file extension and its associated type. For example, you might want to create a .RIN file extension and associate it with a type of RINFile. Once you create this association, you may want to use Notepad to open the file. In order to perform this task, you need to use two different utilities as shown in the following steps.

 

  1. Type Assoc .RIN=RINFile and press Enter. You’ll see, “.RIN=RINFile” appear at the command line. This command creates a .RIN file extension entry in the Registry as shown here.
    AssocFType01
  2. Type FType RINFile=%SystemRoot%\Notepad.exe %1 and press Enter. Notice that you don’t enclose the command in double quotes; it will fail if you do. You’ll see, “RINFile=C:\Windows\Notepad.exe %1” (or something similar) appear at the command line. This command creates the RINFile association in the Registry as shown here.
    AssocFType02
  3. Create a new .RIN file on your hard drive. You don’t have to do anything with it, just create the file.
  4. Double click the new .RIN file. Windows will open the file using Notepad.


This technique works with any file extension and association you want to create. In fact, you could easily create a batch file to patch user configurations where the file associations have become damaged in some way. The big thing to remember is that this is always a two-step process when the file extension doesn’t already exist or the association is new. Use the Assoc utility to create a link between any file extension and its association and the FType utility to create the association itself. Let me know if you have any questions about this technique at [email protected].
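To decide what such a repair batch file should contain, you can compare the current Assoc and FType listings against a known-good copy. The following is an added example, not code from the original post: it reads text in the name=value layout shown in the steps above, reports every entry that is missing or changed, and produces the Assoc and FType commands that restore it. The .RN2 extension and the changed RINFile handler in the sample data are constructed.

```python
# Known-good listings, saved while the system was healthy (constructed sample).
BASELINE_ASSOC = ".RIN=RINFile\n.RN2=RINFile"
BASELINE_FTYPE = r"RINFile=C:\Windows\Notepad.exe %1"

# Current listings (constructed): .RN2 is gone and RINFile opens something else.
CURRENT_ASSOC = ".rin=RINFile"
CURRENT_FTYPE = r"RINFile=C:\Temp\ViewIt.BAT %1"


def parse_pairs(text):
    """Parse name=value lines into {lowercased name: (name, value)}."""
    pairs = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name:
            # Extensions and type names are case-insensitive on Windows.
            pairs[name.lower()] = (name, value.strip())
    return pairs


def find_drift(baseline, current):
    """Return (name, expected, actual) for every missing or changed entry."""
    have = parse_pairs(current)
    drift = []
    for key, (name, expected) in parse_pairs(baseline).items():
        actual = have.get(key, (name, None))[1]
        if actual is None or actual.lower() != expected.lower():
            drift.append((name, expected, actual))
    return drift


def repair_commands(baseline_assoc, baseline_ftype, current_assoc, current_ftype):
    """Build the Assoc and FType commands that restore the baseline."""
    commands = []
    for ext, file_type, _ in find_drift(baseline_assoc, current_assoc):
        commands.append(f"Assoc {ext}={file_type}")
    for file_type, command, _ in find_drift(baseline_ftype, current_ftype):
        commands.append(f"FType {file_type}={command}")
    return commands


if __name__ == "__main__":
    for name, expected, actual in find_drift(BASELINE_FTYPE, CURRENT_FTYPE):
        print(f"{name}: expected {expected!r}, found {actual!r}")
    for line in repair_commands(BASELINE_ASSOC, BASELINE_FTYPE,
                                CURRENT_ASSOC, CURRENT_FTYPE):
        print(line)
```

The generated commands are in the form you type at the Administrator command prompt; inside a batch file, write %%1 in place of %1 so the batch processor doesn’t substitute its own first argument. A changed open command is worth reviewing before you repair it, because it decides which program runs when a user double clicks the file.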

 

New RecImg Utility in Windows 8

Microsoft is constantly changing the command line, which is why books such as Windows Command-Line Administration Instant Reference get outdated. Every new version of Windows comes with new command line utilities. In most cases, these new utilities support new Windows features or allow some new level of maintenance or administration. The RecImg utility creates an image of the Windows 8 installation, including installed applications, to the location you specify. The purpose of this image is to allow a refresh of the Windows installation should something happen to it. A refresh installs a new copy of Windows, but preserves the data and application setup. In many respects, this feature sounds like a simplified version of products such as Norton Ghost. You can read about this new refresh functionality in the Refresh and reset your PC post on the Building Windows 8 site.

I find this new feature exciting because it provides the means for someone like me to recover a hard drive even if I have to support several configurations for a book. It should be possible to create as many images as needed and know that Windows will support them because the feature is built into the operating system. The basic command line for working with this utility is:

RecImg -CreateImage Location

where Location is the directory you want to use for the Windows image. As with any Windows 8 feature, the current version of the utility has problems that you can read about on the Computer Performance site. I’m assuming at this point that the utility will include additional command line switches. Otherwise, Microsoft wouldn’t have included a specific -CreateImage command line switch. Of course, the presence of this new utility means that administrators can perform image updates from a batch file or as part of automated maintenance.

I’ll keep you posted on this, and other, Windows 8 utilities as I have time to review and study them. In the meantime, let me know if you hear anything about interesting new Windows 8 utilities and utility changes. Also let me know if you hear about any utilities that Microsoft decides not to support. Often, you find out about these changes only after you’ve tried to use one in a batch file.

What is your take on this new Windows 8 feature? Let me know at [email protected].

 

Windows 7 and the PowerCfg Utility

On page 327 of Administering Windows Server 2008 Server Core, you find the PowerCfg utility and may not even find it all that interesting. Yes, this utility makes it possible to configure the power settings for a system from a remote location. An administrator can use it to ensure that everyone has a power saving setup by adding the command to the user’s login script. However, as utilities go, it isn’t all that interesting. For that reason, the command doesn’t even appear in Windows Command-Line Administration Instant Reference. A number of beta readers said they didn’t even use it.

Microsoft is showing an increasing interest in power management with each version of Windows. In fact, from what I’ve been reading about Windows 8, power management is going to take a relatively large leap forward (read about the changes in, “Building a power-smart general-purpose Windows”). With this in mind, the Windows 7 version of the PowerCfg utility has added four new command line switches:

 

  • /Requests: Enumerates the application and driver power requests. Applications and drivers make power requests to ensure that resources are available when needed. However, sometimes these requests can also become a problem when they’re abused. Power requests can also prevent the computer from automatically turning the display off or going into hibernate mode, which wastes power.
  • /RequestOverride: Forces the system to disregard an application or driver power request. The positive aspect of this command line switch is that you can enforce a power management strategy when you have applications and drivers that abuse power requests. However, by denying applications and drivers access to resources, you could also cause system instability or data loss when the application or driver crashes.
  • /Energy: Performs an energy survey of the system. This is probably the most important addition that Microsoft has made. Using this particular feature, you can detect system elements that are consuming a lot of power and reduce its energy footprint. Generally, you use this feature with just the system running to determine what the system uses. However, you can also use it with single applications open to detect the energy cost of using that application, which I think is actually the more revealing way to use this command line switch. Most people don’t associate an energy cost with using an application. This feature makes the energy cost significantly more apparent. Yes, every application you use has a cost, so keeping needless applications open is costing you money.
  • /WakeTimers: Displays a list of timers that are set to wake the system from sleep or hibernate states. Waking a system too often also costs you money. For example, it costs more to perform individual maintenance tasks at separate times than to perform them during a single time. An organization could use this command line switch to ensure that every system wakes at the same time, performs required maintenance, and then goes back into either the sleep or hibernate states.


As mentioned in the list, I consider the /Energy command line switch the most important PowerCfg addition to date. If you’re interested in self-sufficiency, as I am, then you begin to count even the pennies of energy usage. For example, in my CFLs for Free I discuss how I bought just one CFL and turned it into a complete setup for my entire home. This particular feature has allowed me to perform an energy survey of the applications I use. I found out, for example, that streaming audio using Firefox does indeed cost less than using a separate device for the purpose (such as a radio) and also delivers clearer audio. However, streaming impacts system performance and tacks a network bandwidth penalty onto other applications that rely on Internet connectivity, so there are times where using the separate device is actually better.

Let’s look at the /Energy command line switch in a little more detail. The easiest way to use this command is to open an Administrator command prompt, change directories to a directory you can write in (I’m using C:\Temp), and then type PowerCfg /Energy and press Enter. I purposely ran the command with a number of applications running and some misconfiguration in place to generate some errors, warnings, and informational messages as shown here.

PowerCfg01

The report required a little over a minute to generate. You can see the results in the Energy-Report.HTML file. Here are the results I generated from this run.

PowerCfg02

The PowerCfg utility makes it possible to diagnose energy problems with a system and significantly reduce the cost of running it. The language of the report does require a little interpretation at times, but normally the language is plain enough for an administrator to figure out with little effort. By correcting every error and 12 out of the 13 warnings, I was able to reduce the power requirements of this system by about 15 percent (as measured by a watt meter). So, how does that equate in dollars? You use the equation: Cost = ((Watts / 1000) * Hours Used) * kWh rate, where the kWh rate is the kilowatt-hour rate provided by your power company on your electrical bill. This system was averaging a little over 520 watts before tuning it. For the sake of argument, let’s say you’re using it 60 hours per week and the electrical rate is $0.12. The weekly cost of running this system is:

((520 / 1000) * 60) * 0.12 or $3.74

After tuning this one system, the power usage was only 442 watts on average. That means the weekly cost went down to:

((442 / 1000) * 60) * 0.12 or $3.18

a savings of $0.56 for this one system each week, or a total of $29.12 for the year. I have three systems that I tuned this way, so I’m hoping for an $87.36 savings from performing this tuning. Each system required about 30 minutes to tune, so I’ve made $58.24/hour from this activity. If you’ve read other posts, you know I do like to put a dollar figure on my time, and you should too. Not many people can afford to throw away money like this, and the PowerCfg utility, along with a watt meter, can help you better understand how your system uses (and abuses) power.

There are two additional command line switches you should know about when using the /Energy command line switch. The /Duration:Time command line switch changes the duration from 60 seconds to some other value. For example, if you want to change the duration to 120 minutes, you’d type /Duration:120. Longer testing times are often required when you’re trying to determine how an application is using energy. Take my advice and don’t set the duration lower than the default 60 seconds, because you’ll be disappointed with the results.

The /XML command line switch outputs the data in XML format so that you can incorporate the information into a database. If you have a large setup, the XML format is absolutely essential. No one has time to look at individual HTML pages. Using XML output and a centralized database also makes it possible for you to look for organization-wide trends, which could produce even bigger savings.

The /Energy command line switch can also be used with the /Trace command line switch to trace energy usage without performing any analysis. This output isn’t as helpful or as accessible as using the /Energy command line switch alone. The output is an Event Trace Log (.ETL) file. To view this file, open the Event Viewer console found in the Administrative Tools folder of the Control Panel. Right-click the Event Viewer folder and choose Open Saved Log from the context menu. You’ll see a dialog box asking whether you want to convert the .ETL file into the new format used by Windows 7. Click Yes. You’ll see a list of energy events like the ones shown here.

PowerCfg03

By carefully reviewing the events, you can discern energy usage patterns, filter data about specific events, and perform other analysis. However, this raw data is a little hard to use, and you’d be better off generating the report unless your organization has an application designed to analyze the raw data in some way.

So, how do you save energy in your organization? Do you rely on specialized tools such as a watt meter and PowerCfg? If not, how do you tune your equipment to deliver optimum service and minimum cost? Let me know at [email protected].

Security Implications of the AT Command

I read the security post provided by Roger Grimes with interest this morning because I’ve always felt that the Task Scheduler is just another entry point for viruses and the like on any system. As he mentions, it’s an avenue that many administrators fail to check because they don’t really think about it. As Roger points out, there are three ways to add new entries, but this post focuses on the oldest of the three, the AT command.

Before you can interact with the Task Scheduler, you must have its service started. This is a given on Vista and Windows 7, where Windows relies heavily on the Task Scheduler. However, you’ll want to read my Interacting with the Task Scheduler Service for details about this service. It’s important to have the service set up correctly in order to work with it error free.

The AT command is the oldest way of working with the Task Scheduler. At one time you could access it from the command prompt even if you weren’t an administrator. This meant that any virus or other piece of nasty software could cause woe without notice on your part. However, if you try to use the AT command at a normal command prompt in Windows 7, you’ll receive an Access Denied error message, which is at least a start in the right direction.

To use the AT command to create a new entry, you must provide a time and command as a minimum. For example, if you type AT 15:00 "Dir C:\" and press Enter, you’ll create a new task that starts at 3:00 pm on the current day. You’ll receive a numeric identifier for the task. The entry also shows up in the Task Scheduler console (found in the Administrative Tools folder of the Control Panel) as At plus the identifier, such as At1 as shown here.

TaskSchedulerEntries01

If you want to list the jobs created by the AT command, you type AT and press Enter. The AT command only lists those jobs that it creates—you won’t see any jobs created using other Task Scheduler techniques.

Likewise, to delete jobs using the AT command, you provide the identifier you received when you created the job along with the /Delete command line switch. For example, if the identifier for the task you created earlier in this post is 1, then you’d type AT 1 /Delete and press Enter. In this case, the AT command doesn’t provide any output. In order to verify that the job is actually gone, you must type AT and press Enter. Here’s what the command output from this session looks like.

TaskSchedulerEntries02

The true power of AT lies in remote access. For example, if you have an Administrator command line open, have a server named WinServer on your network, and possess administrator privileges on that server, you can type AT \\WinServer 15:00 "Dir C:\" and press Enter to create a command that starts at 3:00 p.m. (local time) on WinServer. It’s important to realize that the command will execute when it’s 3:00 p.m. on the server, not 3:00 p.m. on your system. You can likewise list and delete remote entries using the same commands you’d use for local entries. Again, the Task Scheduler console will display these entries, but only on the host machine (so you’d need to access that system remotely to see it from your local computer).

Windows 7 does make it harder to use the AT command, but not impossible. If an outsider should gain access to an account with administrator privileges, it wouldn’t take long for a virus to add all sorts of nasty commands to every machine on the network. As Roger comments in his post, administrators need to exercise vigilance in order to catch potential security issues such as this one. Let me know if you have any questions at [email protected].
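One way to make that vigilance routine is to sweep each machine for tasks that carry the At-plus-identifier name the AT command assigns. The following script is an added example, not part of the original post or of Roger's article. It assumes an English-language Windows installation (schtasks localizes its column names) and uses a host list containing only the local machine and the WinServer name from the example above.

```powershell
# Audit sketch: list scheduled tasks that were created with the legacy AT command.
# AT-created jobs appear in Task Scheduler as "At" plus a numeric identifier (At1, At2, ...).
# Run from an Administrator prompt with an account that has administrator rights on each host.

# Assumption: placeholder host list; replace it with your own inventory.
$Computers = @('localhost', 'WinServer')

function Get-AtJob {
    param([string]$ComputerName = 'localhost')

    # /V (verbose) adds the "Task To Run" and "Run As User" columns to the CSV output.
    $arguments = @('/Query', '/FO', 'CSV', '/V')
    if ($ComputerName -ne 'localhost') { $arguments += @('/S', $ComputerName) }

    $raw = & schtasks.exe $arguments 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $raw) {
        Write-Warning "Could not query $ComputerName"
        return
    }

    # schtasks can repeat its header row for each task folder; keep one copy before parsing.
    $header = $raw | Select-Object -First 1
    $rows = @($header) + @($raw | Where-Object { $_ -and $_ -ne $header })

    # Column names below are the English ones (assumption noted in the lead-in).
    $rows | ConvertFrom-Csv |
        Where-Object { $_.TaskName -match '^\\At\d+$' } |
        Select-Object @{n = 'Computer'; e = { $ComputerName }},
                      TaskName, 'Task To Run', 'Run As User', 'Next Run Time' -Unique
}

# Any row in this table is a job that somebody (or something) scheduled with AT.
$Computers | ForEach-Object { Get-AtJob -ComputerName $_ } | Format-Table -AutoSize
```

An empty table means no AT-created jobs were found on the hosts that answered; a host that produced a warning was not checked and needs a follow-up.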