?_&Ml&77Spider%Copyright Ward Van Wanrooij - 1999ZmainmainOmO:mOz0  Om##O,l\/&;)z4|CONTEXTD|CTXOMAP<|FONT;|SYSTEM|TOPIC|TTLBTREE<%66 9E1Ewb@Contents2 w& ContentsHEE Z NG  Spider by Ward van Wanrooij - ward@ward.nuDisclaimer wF Z h! Subject: Hidden files which record user-activity.Software concerned: Microsoft Internet Explorer 3.0X for Windows 95 and Windows NT, Microsoft Internet Explorer 4.0X for Windows 9X and possibly Windows NT, as a result hereof also Microsoft Windows 95 OSR 2.0 and greater, Microsoft Windows 98 and Microsoft Windows NT 4.0 (all SP). It is also reported to work with Microsoft Internet Explorer 5.0.Author: Ward van Wanrooij - ward@ward.nu+ $ URL: http://www.fsm.nl/ward/ I have started my research after reading a webpage, which read that Internet Explorer records user-activity. I will present my findings here. I have conducted my research on Windows 95 OSR 2.1 using Internet Explorer 4.01. Internet Explorer 3 has similar behaviour, but its filenames and some details are a little bit different.When one of the above mentioned programs is installed, there will be several hidden files in several directories, these files are called index.dat in IE4. The directory-names depend on the language version of the program. In the English version they are: \Cookies, \History, \Temporary Internet Files and underlying directories; if userprofiles are installed, then the following directories are also used: \Profiles\\Cookies, \Profiles\\History and \Profiles\\Temporary Internet Files.bv R r!    K[ K[ These files (and directories) are hidden well. If, for example, the following DOS-command is issued:C:\WINDOWS> DIR /A /S INDEX.DATthen no files will be found. In most cicrumstances it also is not possible to rename or delete these files. When the user tries to do so, DOS confronts the user with the following error messages (I use a Dutch version, so they might be different): Divide by Zero or Double filename or the file is already in use. Microsoft Support explains this in Appendix A. and in Appendix B.  E X u  u Al these files (screendump 1) start with the text Client UrlCache MMF. The same text can be found in the file \System\Wininet.dll (screendump 2). These files (index.dat) are maintained from Wininet.dll. However, this DLL is not necessary for Internet access, depsite its suggesting name: only Internet Explorer 4 needs it; Netscape Navigator 4.X not!These files (index.dat) contain URLs and Cookies of websites previously visited by the user.lv jh             If the user tries to erase all traces of earlier visited web pages, by going through the following procedure: Start Inter Explorer, View, Internet Options, Clear History, Yes, Delete Files, Yes, Settings, View Files, Ctrl-A, Del, Yes, then the historic information remains in (at least) one of the (index.dat) files. This does not correspond to the explanation of Microsoft Support (Appendix), because earlier visited URLs do not have to be stored if the user clears the cache and history! Try the procedure mentioned here and then try the program which you can find at http://www.fsm.nl/ward/ . b@* " Now the question remains: why is this and what can be the consequences?The link between the files and Wininet.dll could make us believe, that these files can be transferred when certain command are issued by the server. I do not want to speculate about the why is this-question, but I can think about some reasons. Fact is that a situation is created, whether jb@ created by accident or on purpose, where the privacy of the user is at stake...= j@1 @lGscreendump 26b@@&  screendump 22@C@ NA?Screendump 2,Binary,C:\WINDOWS\SYSTEM\WININET.DLL,Alphanumeric Characters14380 Visited: :\ D$ S UVWC C,3 P{ { { { { { {${({D `143C0 pt$ V g ; 8 3 -8 p IL$ Qj@ C L14400 $ A D$ P s D D$ C Pj@ 3 C ; L$14440 s U h |$ (O!p { j f 5H $pj h s14480 p54 pC K A j = _ UQ+kH ` p C 144C0 = @ f ? ; u*9{H ( C$@:@AEF ZA?14500 $ # CD 3 _9CH^][ index.dat SUVW|$ W h14540 p , j W X p3 _^][ D$ T$ y \14580 j X U j h P!phtq$pd Pd% QQ $SVWe ] e e145C0 S$j Y P!p 3 B 3 ; t ;C s 9r B$K 14600 @ M f ? ; uq;B(rl} } } } j Y / E e } s E C$14640 U u t E E E E } s M } [$C$9E w 9E w E14680 ;C(u M M E M d _^[ Client UrlCache MMF Ver 4.7+ClG@ NA?146C0 2 "p6 "p L$ H P!pI H H $p ; p) $pC $pH $p ; p14700 L $p $pU QV F @$@ E t1WSj [ } t"F M j Q p P ] 14740 t t [_^ t$ \ $pj = $p V 14780 ^ D$ $p V h@ $pN * 3 F,F4F0 = F F 147C0 ^ 3 9L$ H H H H L$ U $SVW3 14800 R!p hR!pWM N 9] u !] E PVM x } t14840 u ph,S!pWM 3 9} u E M PV} ; 9} t u = AEG1GJscreendump 16lGG&  screendump 1CG"JG \A?Screendump 1,Binary,C:\WINDOWS\HISTORY\INDEX.DAT,Alphanumeric Characters 0 Client UrlCache MMF Ver 4.7 @ @ &127 40 T 80 &127 &127 C0 &127 Tw 100 w 140 | tv 180 P E GJG \A? 1C0 q 200 240 280 2C0 300 340 380 3C0 400 440 480 4C0: "J%K1%KYKAppendixB4JYK& Appendix B&%KK# YKM/ , Title: Description of the Mm256.dat and Mm2048.dat FilesURL: http://support.microsoft.com/support/kb/articles/q178/7/02.asp Last reviewed: December 31, 1997Article ID: Q178702 The information in this article applies to: Microsoft Internet Explorer version 3.02 for Windows 95, Microsoft Internet Explorer version 3.02 for Windows NT 4.0 SUMMARYThis article describes the Mm256.dat and Mm2048.dat files located in the Windows\Cookies and Windows\History folders. Kd0 .E MORE INFORMATIONThe Mm256.dat and Mm2048.dat files are cache files used by Internet Explorer. When you visit a Web page, Internet Explorer assigns the Web address a unique identification number and searches the Mm256.dat and Mm2048.dat files for that identification number. If the Web page's identification number is found, the contents of the Web page are stored locally on your computer's hard disk and Internet Explorer uses the locally stored content instead of downloading the information from the Internet. If the Web page's identification number is not found, the contents of MdJthe Web page must be downloaded from the Internet. This occurs if you have not visited the Web page before, the Web page has changed, or the Web page's identification number has expired. When the Web page's content has been downloaded to the hard disk, the Mm256.dat or Mm2048.dat file is updated with the Web page's identification number. M0 . The Mm256.dat file is used to store the identification numbers of Web pages whose Web addresses are equal to or less than 256 characters. The Mm2048.dat is used to store the identification numbers of Web pages whose Web addresses are between 257 and 2048 characters. Note that in Internet Explorer 4.0, the Index.dat file in the Temporary Internet Files folder performs this function.: dU1UAppendixA4& Appendix A&U# @/ ,# Title: Errors Reported When Using Microsoft BackupURL: http://support.microsoft.com/support/kb/articles/q185/7/13.asp Last reviewed: June 30, 1998Article ID: Q185713 The information in this article applies to: Microsoft Windows, versions 95, 98SYMPTOMSWhen you use Microsoft Backup to create a full system backup or a backup that includes the Windows folder, the status box may indicate that errors occurred during the back up. When you click Report to view the backup report, you may see the following error messages: < F Error: C:\WINDOWS\Cookies\index.dat - busyError: C:\WINDOWS\History\index.dat - busyError: C:\WINDOWS\Temporary Internet Files\index.dat - busyWarning: C:\WINDOWS\Cookies\index.dat was busy during backup. It cannotbe restored or compared.Warning: C:\WINDOWS\History\index.dat was busy during backup. It cannotbe restored or compared.Warning: C:\WINDOWS\Temporary Internet Files\index.dat was busy duringbackup. It cannot be restored or compared.CAUSEThis behavior can occur because the index.dat files that are in each of these locations are open if Internet Explorer is running. Since Internet Explorer is part of the Windows 98 graphical user interface (GUI), these files are always open and therefore cannot be backed up. This behavior occurs in Windows 95 if you are running Internet Explorer when you run Microsoft Backup, or if Internet Explorer 4.0 or 4.01 is installed on your computer and you have enabled the Windows Desktop Update component. - ( MORE INFORMATIONThe Index.dat files are re-created each time Internet Explorer starts. Therefore, it is not necessary to back up these files. All other files that you selected to back up are successfully backed up.; 9159mqWorkAround4m& WorkAround9q> J  The inevitable had been encountered: IE5 still contains this bug! Microsoft did *NOT* provide the workaround, they said "they were looking into". In the mean-time, I have found a partial work-around:1) Go to you registry2) Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache3) Change persistent from 1 to 0.4) Clean your history and temporary internet-files using Internet Explorer/View/Options etc. ; m1 DisclaimerDq 6 :== D I S C L A I M E R ==LICENCE CONDITIONS USE OF THE ENCLOSED SOFTWARE INDICATES YOUR ASSENT TO THE FOLLOWING LICENCE CONDITIONS. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented, you must not claim that you wrote the original software. Software using this code must contain a visible line of credit, q 2 2 to Ward van Wanrooij and Daniel Kinnaer. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution.Legal issues: Copyright (C) 1999 by - Ward van Wanrooij - Daniel Kinnaer DISCLAIMER: $. * THIS SOFTWARE IS PROVIDED BY THE AUTHORS 'AS IS'. ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESSrE- ( INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. BY USING THIS SOFTWARE, YOU AGREE TO THIS NO-NONSENSE LICENSE.1$1U$" 11yHelvCourierMS Sans SerifArialCourier NewTimes New RomanWingdingsSymbol$H$3*Oo/&;)Lz  Contentsscreendump 2screendump 1oAppendixBAppendixAOWorkAround# Disclaimer/&;)L4NG# h!OU%K[K[ouu