By John Woram
Is someone looking over your shoulder? Or worse: Is the office nosy-body sneaking peeks at your PC - and the latest files you've used - when you're down the hall getting a caffeine fix? Even honest, diligent Windows 95 users occasionally want to cover up their digital document trail so snoopers can't trace their recent PC activities.
At first glance, hiding your document trail on Win95 appears to be challenging. That's because the last 15 documents you've opened - perhaps even your résumé - are listed on the Start menu's Documents option. Similarly, the Start menu's Run option contains - you guessed it - a list of recently run applications.
To kill these lists, some Microsoft documentation suggests erasing the contents of certain Registry keys. Unfortunately, after only a few hours of work or play, there's a new record of your recent activity. But don't lose hope. There are several foolproof ways to more effectively flush these lists.
The first trick is understanding INF files, which can be trained to do all sorts of general housekeeping, including killing your Document and Run lists during boot-up or via a simple desktop shortcut. The C:\WINDOWS\INF folder is full of these files, and just about every new Windows 95 hardware device comes with one INF file of its own. Usually, the setup procedure reads the file and then configures Windows 95 to accommodate the new hardware. In addition, there's an Install option on every INF file's Context menu - click on it and the appropriate software will be installed, which means that the INF file hacked the Registry to add the necessary support.
Peek inside almost any INF file and you'll see that it resembles an INI file. With a closer look you may discover a DelReg= line near the top of the file, which was my clue that the INF file can delete Registry entries. (Use Explorer's Find option on the Tools menu to find only those INF files that contain the DelReg= entry.)
That being the case, I decided to write an INF file that can "install" some nonexistent software and delete the Registry section that maintains my list of recently opened documents. To do so I copied an existing INF file. I then pruned the copy, cutting away everything that wasn't needed, and edited a few lines until it looked like this:
[version]
signature=$Chicago$
[DefaultInstall]
AddReg=AddRegKey
DelReg=DelRegKey
[AddRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
[DelRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs,
Some programmers delight in giving obscure names to the sections above, but I haven't found any advantage to this. Consequently, I've given each section a simple name that describes what it does. Of course, real programmers may change these names to help assure minimum comprehension.
The [version] section above must specify the old beta name for Windows 95. (Forgot it was Chicago, didn't you?) Perhaps revising this to read $Windows95$ wasn't worth the effort because there were too many third-party INF files circulating. If you have the print edition of the Windows 95 Resource Kit, make the necessary correction on page 1,159 (the CD-ROM version is correct).
The two lines in my [DefaultInstall] section set the stage for where detailed setup instructions are to be found. As the names suggest, AddReg= points to where Registry additions are specified, and DelReg= is the equivalent for Registry deletions. Note the required comma immediately after RecentDocs in the [DelRegKey] section. Leave it out, and the code won't work.
Although the Resource Kit cites an [Install] section only, the section head must be [DefaultInstall]. This lets an INF file correctly edit the Registry when you select its Context menu's Install option. The INF file processes the section specified by the DelReg= line first, then proceeds to the AddReg= line. As a result, the existing RecentDocs key and its contents are deleted, then a new (and empty) key is added. Strictly speaking, the AddReg= line isn't really needed here, since Windows 95 will automatically supply it.
Save the edited file as DumpDocs.INF (or a similar name). You can "install" it every time you feel the urge to cover your trail. And don't forget to restart Windows 95 to flush the list from the Start menu's Documents list. Better yet, add a few extra steps and Win95 will clean out the Registry and flush the Documents list without requiring the shutdown step.
There are other options for covering your tracks in Windows 95. For instance, you could create a little batch file to install the INF file and erase all the link files in the C:\WINDOWS\PROFILES folder. (This folder tracks individual user settings when multiple people share a PC.) These link files represent the very files in your cascading Documents menu.
The first step is understanding what really happens when you select any INF file's Install option. To do so, get out your Registry shovel and dig down to the HKEY_CLASSES_ROOT\inffile\shell\install\command key. The Data column shows a rather long (and somewhat confusing) command line that ends with a replaceable %1 parameter. Double-click on the small "ab" icon next to the name column, then press Ctrl+C to copy the highlighted line to Clipboard (that's much easier than typing it). Click on the Cancel button, then open Notepad and paste the line into it. Next, swap the %1 replaceable parameter format with the actual path and name for the specific INF file (that is, DumpDocs.INF). Finally, add a line to erase the contents of the C:\WINDOWS\RECENT folder. Your completed batch file should look like this:
C:\Windows\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\Windows\Inf\DumpDocs.INF
erase C:\Windows\Recent\*.LNK
The string that begins with C:\ and ends with ".INF" is, of course, one long line. Since all the files in the C:\WINDOWS\RECENT folder are shortcut links, the erase... *.LNK line nukes your dreaded recently used document list. Save the file as DumpDocs.BAT on the Desktop. Except for a bit of mopping up, you're done.
Highlight the file icon, open the Context menu, select the Properties option and then the Program tab. Change the Run line to Minimized, put a check mark in the Close on exit box, then click on the Apply and OK buttons.
[Artwork: Big Brother's Watching]
When you double-click on the DumpDocs icon, the Registry key and the contents of the C:\WINDOWS\RECENT folder will be deleted. Also, the Start menu's cascading Documents menu will immediately come up empty.
Use the same general technique to bury other evidence by adding one or more of the following lines to the [DelRegKey] section described above.
[DelRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU,
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\"Doc Find Spec MRU",
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\FindComputerMRU,
Add each line to the [AddRegKey] section too, but without the final comma. The first line kills the Run history, although in this case you'll need to restart Windows 95 to lose it. The next two lines wipe out the cascading Find menu's Files or Folders, and the last line rids your system of Computer histories. Both slates are wiped clean immediately. (I suspect the Doc Find Spec MRU key was written by one of those real programmers: I would have called it FindFilesMRU.)
Now, whenever there's a snooper alert, you can immediately wipe out the evidence by double-clicking on the DumpDocs.BAT icon. To make this a permanent feature, just put the batch file into the C:\WINDOWS\START MENU\PROGRAMS\STARTUP folder. This will erase the document histories each time Windows 95 starts. Of course, you can drag a shortcut onto the Desktop to do periodic purges without exiting. And you can change the shortcut icon and name to something uninformative, so others won't think to clean up for you.
If you'd rather not hack the Registry, download Windows 95 PowerToys from Microsoft (http://www.microsoft.com/windows/software/powertoy.htm). The included TweakUI applet icon appears in your Control Panel. Its window has a tab aptly labeled Paranoia, with four check boxes in the Covering Your Tracks section to handle the tasks described earlier.
Using this applet is certainly easier than hacking the Registry, but you'll need to go through a four-step process (open Control Panel, open TweakUI, click Paranoia tab, click Clear button) to flush on the fly. The Desktop shortcut described above is faster. Depending on your paranoia level, you might consider it.
My experiments with the INF file also include using it as a general Registry-editing tool. For example, the Registry Editor's own Import option can write new data into the Registry and can also revise existing entries by overwriting the data contained in them. However, the Import option will not delete an existing Registry entry in the absence of a replacement line, and, therefore, is not always a reliable medium for executing a complete Registry key replacement.
By contrast, the INF file structure supports two methods of deleting all or part of any subkey. In addition to the DelReg=DelRegKey and the [DelRegKey] section described earlier, you can use an undocumented flag in the AddReg= section to delete a single Name and Data entry, as shown here:
[DefaultInstall]
AddReg=AddRegKey
[AddRegKey]
HKCR, .abc, TestEntry1, 4,
Assuming there is an entry in the HKCR\.abc key whose name is TestEntry1, the 4 flag shown above (the 4, immediately after TestEntry1) will remove that entry from the Contents pane, regardless of its Data format and despite its apparently contradictory appearance within a section that is supposed to add data to the Registry.
Other flags in the same section actually do add data to the Registry, as shown in these examples:
[AddRegKey]
HKCR, .abc, TestLineA, 0,"Line Enclosed In Quotes"
HKCR, .abc, TestLineB, , Line Not Enclosed In Quotes
HKCR, .abc, TestLineC, 1, FF, 38, 95, D3, 5F
In the first two HKCR lines, if the flag is 0 or null (that is, nothing between the commas), whatever follows will be entered as an ASCII text string. To preserve spaces in the string, enclose it in quotes. A "1" flag signifies binary data, which must be entered with a comma between each byte.
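Added example, not from the original article: a short Python audit script that parses an INF file in the format described above and lists, in the order the article gives (DelReg first, then AddReg), which Registry keys and values it would delete or add, marking the history keys the article names. The function names, the sample INF text, the ';' comment handling and the reading of a third DelReg field as a value name are assumptions of this example.

```python
# Constructed sample in the article's INF format (not a file from the article).
SAMPLE_INF = r"""
[DefaultInstall]
AddReg=AddRegKey
DelReg=DelRegKey
[AddRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCR, .abc, TestEntry1, 4,
HKCR, .abc, TestLineC, 1, FF, 38, 95, D3, 5F
[DelRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs,
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\"Doc Find Spec MRU",
"""

# History keys named in the article.
HISTORY_KEYS = ("recentdocs", "runmru", "doc find spec mru", "findcomputermru")

def parse_sections(text):
    """Return {lowercased section name: [lines]} with comments and blanks dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts an INF comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif line and current is not None:
            current.append(line)
    return sections

def audit_inf(text, install="DefaultInstall"):
    """Return (action, root, subkey, value_name, is_history_key) tuples in the
    order the article describes. Assumes no commas inside quoted data strings."""
    sections = parse_sections(text)
    pairs = (l.split("=", 1) for l in sections.get(install.lower(), []) if "=" in l)
    directives = {k.strip().lower(): v for k, v in pairs}
    findings = []
    for directive in ("delreg", "addreg"):       # DelReg runs first, per the article
        for name in directives.get(directive, "").split(","):
            for line in sections.get(name.strip().lower(), []):
                f = [p.strip().replace('"', "") for p in line.split(",")] + [""] * 4
                root, subkey, value, flag = f[:4]
                if directive == "delreg":
                    action = "delete-value" if value else "delete-key"
                else:                            # AddReg: flag 4 deletes, per the article
                    action = ("delete-value" if flag == "4" else
                              "add-value" if any(f[2:]) else "add-key")
                is_history = subkey.lower().endswith(HISTORY_KEYS)
                findings.append((action, root, subkey, value, is_history))
    return findings
```

Entries reported as delete actions with the history marker set are the ones that clear the Documents, Run and Find lists discussed earlier.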
For more information, Appendix C of the Resource Kit explains general INF file structure in a charming style that is almost as clear as the Registry itself. I'll try to explain some of its features in a future column. That is, if I can get my computer to reboot.
Senior Contributing Editor John Woram is the author of Windows Configuration Handbook (Random House, 1993). Contact John in the "Optimizing Windows" topic of the WINDOWS Magazine areas on America Online and CompuServe. John Woram's e-mail ID is: jworam@msn.com