WinME RESTORE bug

Discussion in 'Computer Science & Culture' started by Stryder, Nov 23, 2002.

Thread Status:
Not open for further replies.
Stryder (Keeper of "good" ideas, Valued Senior Member)
    For those of you that run WinME, you might like to find out that the system is flawed by its use of a RESTORE server that runs in the background taking snapshots of your every move.

    You might think this a brilliant idea: if you make a critical mistake and want to roll back your system, say to replace a critical file you just deleted, you can. But this in itself is actually a flaw.

    Let's say you're running RESTORE and you check your e-mail, and you're a silly person because you haven't updated your antivirus program recently. Suddenly you find on your next long-awaited update that your system has been infected with something like "BugBear", so you delete the file, remove various registry keys that it generates and any other files that were created on the date and around the time the infected file was accessed.

    This should mean your system is clean, but you would be wrong, purely because your accessing your e-mail was "captured" by RESTORE, which means the infection stays in your system.

    Now this wouldn't be a problem if you could just delete the offending files, which would be in C:\_RESTORE\TEMP as *.CPY files. But Microsoft didn't want you deleting those files, because it would allow people to get around your being able to roll back.

    How was this achieved? Well, it's just through one registry key entry:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\PerUser_PCHealth]
    "IsInstalled"= 01 00 00 00
    (change 01 to 00, and voila, you can delete the Restore folder or files in the folder)
    You would have to change this registry key with regedit to allow an antivirus program to remove the infected files.

    You'll also notice that those CPY files can take up loads of space (one I came across was 255 MB, but some people have over 500 MB tied up in RESTORE files).

    It is possible to turn off the RESTORE server (follow the link at the end):

    http://www.arstechnica.com/ask-ars/

    BTW, this bug hasn't been reported to M$, but really the anti-virus firms are going to have to patch their programs to deal with it.
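As an added illustration of the two things the post describes (restore snapshots that outlive a manual clean-up, and the PerUser_PCHealth flag that protects them), here is a small defender-side audit script. It is not from the thread; the directory listing and the .reg export are constructed sample data, and the hex: form of the IsInstalled value is assumed to carry the same four bytes the post writes as "01 00 00 00".

```python
import re
from datetime import datetime, timedelta

# Constructed sample listing of C:\_RESTORE\TEMP (path, mtime, bytes); not real data.
SAMPLE_LISTING = [
    ("C:\\_RESTORE\\TEMP\\A0001234.CPY", "2002-11-20 09:58:00", 45056),
    ("C:\\_RESTORE\\TEMP\\A0001235.CPY", "2002-11-20 10:03:12", 1048576),
    ("C:\\_RESTORE\\TEMP\\A0000900.CPY", "2002-11-01 12:00:00", 524288),
    ("C:\\_RESTORE\\TEMP\\README.TXT", "2002-11-20 10:05:00", 512),
]

# Constructed .reg export of the key named in the post, in regedit's hex:
# notation (assumed to hold the same bytes the post writes as "01 00 00 00").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\PerUser_PCHealth]
"IsInstalled"=hex:01,00,00,00
"""
PCHEALTH_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\PerUser_PCHealth]"
FMT = "%Y-%m-%d %H:%M:%S"

def restore_copies_in_window(listing, infection_time, minutes=15):
    """*.CPY snapshots written within +/- minutes of the infection time:
    the copies that would bring the cleaned-up file back on a rollback."""
    centre = datetime.strptime(infection_time, FMT)
    window = timedelta(minutes=minutes)
    return [(path, size) for path, stamp, size in listing
            if path.upper().endswith(".CPY")
            and abs(datetime.strptime(stamp, FMT) - centre) <= window]

def restore_space_bytes(listing):
    """Total bytes tied up in *.CPY files (the space the post complains about)."""
    return sum(size for path, _, size in listing if path.upper().endswith(".CPY"))

def pchealth_is_installed(reg_text):
    """True if IsInstalled under PerUser_PCHealth is non-zero (restore files
    protected from deletion), False if zero, None if the key or value is absent."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line == PCHEALTH_KEY
        elif in_key:
            m = re.match(r'"IsInstalled"=hex:([0-9a-fA-F]{2})', line)
            if m:
                return int(m.group(1), 16) != 0
    return None
```

On a real machine you would feed the functions a directory walk of C:\_RESTORE\TEMP and a regedit export instead of the constructed samples; the window size is a judgement call, since the post only says "around the time".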