We recently had a chance to pick the brain of Dr. Mark Russinovich on Sysinternals, his book, Windows Vista, and DRM. Mark is the chief software architect of Winternals and co-author of the Windows Internals book. Mark is also the individual who gave Sony a black eye for its DRM scheme.
Windows Connected - Why have you continued to give away such valuable tools via Sysinternals?
Mark - We didn’t realize that we could make money on the tools at first. Regmon and Filemon were created in ’96 as freeware and we like to keep them that way. Keeping them freeware means we can keep it a hobby and update them at our leisure. The publicity from these early tools helped us launch Winternals.
What prompted the change in the license for Sysinternals?
We found that some large organizations and service providers were using them as troubleshooting tools. This new license makes it possible to license the source and code.
Anything new coming from Winternals or Sysinternals that we should know about?
Winternals recently released Protection Manager. Protection Manager will allow administrators to succeed at running as a limited user on Windows XP.
I am currently working on a new product for Sysinternals called Process Monitor which has features of Filemon and Regmon to show you what component is responsible for I/O operations. This will be another core utility to add to your malware hunting.
Will you be updating Windows Internals to reflect changes in Windows Vista?
Yes, my co-author, Dave Solomon, and I are hoping for a release early next year.
Do you have any more books in the works?
No, Windows Internals is plenty to keep me busy!
Windows Vista
Do you think Windows Vista represents a major step forward in security for Windows operating systems?
Yes, I think it is a major step, but it isn’t the last step. There are still weaknesses. As one example, the new elevation has the same problems as ActiveX. Users will become complacent with the dialogs and it also offers relative ease for social engineering of elevation.
Do you think Microsoft will succeed in its goal of having people run as a limited user?
If by limited user you mean Administrator with the token removed, then yes. True limited user won’t be the default account, so it won’t be used as much.
Rootkits
Why the interest in rootkits?
I became aware of them back at Carnegie Mellon where I was working on UNIX and realized that system calls, upon which part of my PhD research project was based, allowed a convenient vector for subverting a system. When I moved to Windows I was using system-call hooking in one of our first Sysinternals apps, Regmon; some of that same technique is used in rootkits.
Will Windows Vista provide us any more protection from rootkits?
The fact that users aren’t admin will protect against kernel-mode rootkits, but it doesn’t provide any protection for user-mode ones.
64-bit Windows goes a step further in protecting users by requiring digital signatures on all kernel-mode code.
Rootkits seem to be a never-ending game of hide and seek; will we see an end to this game, and how?
Not with the current Windows architecture, which was built for flexibility and compatibility.
DRM
In your opinion, is there some common ground we could get to between labels and consumers?
Content providers have a right to protect their property. iTunes has sold over a billion songs, so it seems a minority are complaining about the usage model it’s adopted. The fundamental things that DRM providers need to abide by are full disclosure of use, clear inventory, and not hiding from the user.
Thanks, Mark, for taking the time out of your busy schedule to do this for us; we really appreciate it! Those of you attending Tech-Ed this year can catch Mark at any number of his presentations. I am sure these will be standing room only, just like last year! Also, if you haven’t already, check out Mark’s blog.
Posted Jun 01 2006, 07:02 AM by Josh Phillips