User.dat - security flaw 2

I have gone to extensive lengths to ensure that my computer is locked tight from hackers and internal prying eyes (BestCrypt, PGP, ZoneAlarm...). Most of my private files (employee records) are kept in an encrypted container. Imagine my surprise when I opened my user.dat file in a text editor to find most of those encrypted file names readable as plain text (i.e. johnsmith-emplreview0202200.doc). While this does not give access to the files, it lets someone know that they exist somewhere. How do I get these names out of the user.dat file? If you have an alternative suggestion for this type of security, please comment.
 
Instead of using easily read file names, eg. "johnsmith-emplreview0202200.doc", you might try using file names that "blend" into the registry, i.e. {0ADFC009-0D-2400B87C-0202200}.doc

Just a thought. You lose the convenience of instantly recognizing the nature of the file... but so does the occasional snoop.

Alt255@Vorpalcom.Intranets.com
 
Thanks for the renaming idea; in my case it may be somewhat impractical. I have been trying to discover how the files get into the user.dat file, how long they stay there and when they leave. To date all I have discovered is that some but not all files get listed, and none ever seem to leave. I have a set of files that I have been tracking in user.dat that I have not accessed for over a month, yet the names persist. Anyone know of a Windows-specific site that would cover this? My search to this point has been fruitless and this board has provided the best clues. All ideas are welcome.
 
Under what registry key do the file names appear? If the key is controlled by your encryption software you may be better off finding a different encryption solution. If the key is under the control of a Windows component, such as Explorer, you might prevent the file names from appearing in the registry by tweaking a reg setting or two. Try one of these (the usual warnings about editing the registry go without saying):
[tt]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecentDocsHistory = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ClearRecentDocsOnExit = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRecentDocsMenu = 1
[/tt]

All values are of type REG_DWORD.

Even if the file names are saved by your encryption software (probably under a "RecentDocs" or "Recent File List" sub-key) you might be able to remove them with a registry script. Use this approach with considerable caution and only after making a good backup.

It would be helpful to have more information regarding the location of the file names in the registry.
Alt255@Vorpalcom.Intranets.com
 
Ah... I just noticed from your first post that you had used a text editor to view User.dat. I hope you won't try to edit the registry using such an editor.

If I have spoken out of turn, disregard the preceding.
Alt255@Vorpalcom.Intranets.com
 
Thanks again for the help. I am not trying to edit user.dat with the text editor. In scanning the registry using regedit I do not find the file names that I see in user.dat. I discovered that the file names were in user.dat by doing a search for files that contain text... I could not remember the name of the exact file I was looking for. But user.dat turned up in the list, so I opened it up in WordPad. Surprise! Found lots of stuff in there that could be useful in corporate snooping. I guess I am being paranoid. But I can't see why some file names persist in the user.dat file.
 
Try a tool like WindowWasher. It's usually used to clean out your internet explorer cache, but it also removes files from your MRU lists (Most Recently Used), which are stored in the registry.

Chip H.
 
Could the extraneous, floating, non-going-away file names be from a random chunk of memory (disk or RAM) that just happened to be in USER.DAT?

In other words, could their appearance in USER.DAT be an artifact of a poorly written program (or operating system).

I don't know, but I'm not sure that this is an obstacle that can be overcome . . .

Steve
 
I don't think it odd you could find the file names by opening user.dat with a text editor but not by scanning the registry with regedit. They may be orphaned entries in a fragmented registry.

If you have any doubts that such a thing could happen, try an experiment: create a new string value in the registry, give it a unique name and enter a unique value so you can find it later. Close regedit and search user.dat for the value (just to verify that you can find it). Reopen regedit, delete the value and search user.dat again. You should find it without a doubt, even though regedit won't be able to find it.

The registry is a bit like the file system. Simply deleting a file (or registry entry) doesn't remove it from the FAT (or the registry).

I would opt for a solution similar to chiph's. I'm not familiar with WindowWasher... don't know if it can defrag the registry... but there are plenty of tools out there that do a good job.

I recently tried Fix-It Utilities from Ontrack and was very happy.
Alt255@Vorpalcom.Intranets.com
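The experiment Alt255 describes (delete a value in regedit, then find its bytes still sitting in user.dat) and the text-editor search the original poster did are both just string carving over a binary hive image. The script below is an added example, not code from this thread or from any of the tools mentioned in it; it carves printable ASCII and UTF-16LE runs out of a raw file, keeps the ones that look like document names, and reports which of those are not among the names the live registry still references. The hive image it runs on is constructed inline and is only a stand-in for a real user.dat layout (real Win9x and NT hives have cell structures this script ignores, and the list of extensions it looks for is an assumption). For a real NTUSER.DAT you would carve the same way to find slack, or use a proper hive parser such as python-registry or regipy to walk deleted cells.

```python
"""Carve filename-like strings out of a raw registry hive image.

Why this works: a hive is a binary file, and deleting a key or value only marks
its cell free. The bytes stay on disk until the hive is compacted (scanreg /opt
on Win9x), so a plain string search over user.dat sees names regedit no longer
lists. This is added example code, not part of the original thread.
"""
from __future__ import annotations

import re
from typing import Iterator

MIN_LEN = 6  # shortest printable run worth reporting

# Extensions of interest: an assumption for this example, extend as needed.
_FILENAME_RE = re.compile(r"[\w\-. ]+\.(?:doc|xls|txt|pst|rtf|pdf)\b", re.IGNORECASE)


def carve_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[tuple[int, str, str]]:
    """Yield (byte offset, encoding, text) for every printable run in `data`.

    Both encodings are scanned: Win9x hives store ANSI strings, NT-era hives
    store UTF-16LE, and a carved file may contain either.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in wide_re.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_filenames(data: bytes) -> list[tuple[int, str]]:
    """Return sorted, de-duplicated (offset, filename) pairs found in `data`."""
    hits: set[tuple[int, str]] = set()
    for run_offset, enc, text in carve_strings(data):
        width = 1 if enc == "ascii" else 2  # bytes per character in this run
        for m in _FILENAME_RE.finditer(text):
            hits.add((run_offset + width * m.start(), m.group()))
    return sorted(hits)


def orphaned_filenames(data: bytes, live_names: set[str]) -> set[str]:
    """Names present in the hive bytes but absent from what the registry API
    still reports (`live_names`): the 'deleted but never overwritten' case."""
    return {name for _, name in find_filenames(data)} - live_names


def build_sample_hive() -> bytes:
    """Constructed stand-in for a hive image; NOT a real user.dat layout.

    Non-printable filler separates one value still referenced by a key from two
    whose keys were deleted in regedit but whose bytes were never reclaimed.
    """
    filler = b"\x00\xff\x01\xfe" * 16
    live = b"MRU0\x00" + b"johnsmith-emplreview0202200.doc\x00"
    orphan_ansi = b"janedoe-salary2001.xls\x00"
    orphan_wide = "quarterly-review.pst".encode("utf-16-le") + b"\x00\x00"
    return filler + live + filler + orphan_ansi + filler + orphan_wide + filler


if __name__ == "__main__":
    # Constructed input; on a real system you would read user.dat / NTUSER.DAT.
    image = build_sample_hive()
    still_in_registry = {"johnsmith-emplreview0202200.doc"}  # constructed
    for offset, name in find_filenames(image):
        print(f"0x{offset:06x}  {name}")
    print("orphaned:", sorted(orphaned_filenames(image, still_in_registry)))
```

On a real hive, replace `build_sample_hive()` with the file contents and `still_in_registry` with the names enumerated through the registry API; anything the carver finds that the API does not is slack that only compaction (or a rewrite of the hive) will remove.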
 
Excellent answer Alt255. The registry will not be compacted until it reaches 500KB+ of unused space.

Try hitting F8 on startup, choose command prompt only. At the c: prompt, type:
cd\windows\command
then type:
scanreg /fix /opt

Now see if the entries are still there.

reghakr
 
Nice work Gang!
My user.dat file no longer has the filenames that were vexing me. It must have been an errant memory chunk.
This has been an interesting exercise in understanding the file. Not everything is explainable by registry entries but I am beginning to grok the internal file structure.
Thanks, Danke, Merci,
 
THE SOLUTION DESCRIBED (APPROXIMATELY) AS...

1. Use F8 on startup.
2. Select "Command prompt only".
3. At the C prompt, type "cd\windows\command"...
4. Then, type "scanreg /fix /opt"

...was EXCELLENT! CONGRATS, REGHAKR!

You have resolved a security problem that had been worrying me for many weeks. I did it! It works, perfectly! Your advice is now an indispensable piece of mental "kit" for me to keep. RECOMMENDED, YOU GUYS! GOOD LUCK TO ALL!
 
Scanreg /fix /opt only fixes my system.dat, leaving useless file names in user.dat with no reg keys linked. Please help!
 
Alt255 - You said you are not familiar with Window Washer? Well, it's story time. I was given a P-133 copy with a 255MB hard drive. I installed Windows 95, and IE 4. It was a small system and I didn't expect too much. So I'm surfing regularly and I notice that my hard drive is filling up with something and the comp starts to give errors and so on. Win95 and IE4 initially had taken up about half of the drive. I started looking it up after deleting my own data that I had saved to make the comp usable. I found Internet Eraser ($) and Window Washer (free trial). Window Washer removes all of the cached files (there are lots if you surf, trust me), cookies, and so on that are left in your system. I do not understand Microsoft's logic here. Why create an operating system that, if used properly, will eventually fill your entire hard drive to the point that your machine is unusable? Window Washer is a solution. If you are really a programmer, you could script these things away in a startup file or something (seen it done), but why should you have to after paying the big bucks for the machines people use these days? I am not a representative of the company, but I constantly recommend this software to everyone interested in system performance. And as far as the registry thing goes, no, it does not defrag your registry (my initial message that got me typing). My user.dat file still has all of that crap in it too. Ok, there's the plug for the day. Now I'm going to try reghakr's little DOS thing there. I'll post whether or not it works for me.
 
My hat is off to you reghakr!!!!

I have been perplexed by the leftover crap in my user.dat files, which has been in my user.dat files for about 12 months.

Your scanreg /fix /opt solution got rid of all the crap..... thanks heaps!!!!!
 
Those remedies did work with user.dat, but I also noticed file name fragments in user.nav and user.rsc. Can I just erase those files? They're not registry linked, are they?

Also, I would like to wipe the mailbox.pst. Is this possible? I have tried some of the commercial products, like Evidence Eliminator, but it doesn't seem to touch these files, especially .nav and .rsc.

I also do electronic banking. Is it possible my PIN numbers are being recorded somewhere on my Windows system even though I use the bank's web page to log on?

I travel overseas and worry about names, file names, etc.

 
stevndal,

User.nav and system.nav are created by Norton AntiVirus on install. They are backups of the system.dat and user.dat files. Those can be safely deleted if you're sure that programs or other major changes have taken place. Look at the date of the file to be sure.

I don't know what the .rsc extension refers to.

reghakr
 
Thanks for the information. The .rsc comes from yet another file I found on my HD called user.rsc.

And just in the short time between filing the original message and now, I have a new file called user.new, but it appears to only have a small portion of what's in the user.dat.

And since I've been playing, I've found even more file name fragments in the unallocated clusters. Can these be cleaned?
Or am I just going to have to reformat and start new and be extra careful (although I don't know how that will help, since if I receive a sensitive file and open it on the machine, I will be faced with the same problem I have now)?

I think I need to go and have a glass of vino...

All your comments are appreciated.
 