
Why PCs Are Fragile and What We Can Do About It: A Study of Windows Registry Problems Archana Ganapathi (UC Berkeley) Yi-Min Wang (Microsoft Research)


1 Why PCs Are Fragile and What We Can Do About It: A Study of Windows Registry Problems Archana Ganapathi (UC Berkeley) Yi-Min Wang (Microsoft Research) Ni Lao (MSR Asia) Ji-Rong Wen (MSR Asia)

2 Outline
- Motivation
- Strider Project Overview
- Background: Windows Registry
- Data Sets
- Why are PCs Fragile?
- What Can We Do About Fragility?
- Conclusions

3 Motivation
- Understand why users consider PCs fragile
- Gain first-hand experience with
  - fragility problems
  - their manifestations
- Suggest techniques to
  - avoid problems
  - detect problems
  - simplify troubleshooting

4 Strider Project Overview
[Diagram labels, in slide order:] PC Genomics Database; DSN 2003, LISA 2003, IPTPS 2004, LISA 2004, ICAC 2004, DSN 2004, Self-* 2004; Flight Data Recorder; Configuration Troubleshooting; Patch Management; LISA 2004, ICAC 2004; Spyware Management; LISA 2004
http://research.microsoft.com/sm/strider
MSR Systems Management Research Group

5 Background: Windows Registry
- Repository for configuration data
- Hierarchical structure
- Shared by OS and App software
- Data is named and typed
  - Binary, string, dword, …
- Single most vulnerable component
- Too complex for average user

6 Registry Structure
HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\5.0\AdobeViewer
See my comments in next page.
[Diagram labels:] HIVES, KEYS, ITEMS

7 Data Sets
- Text-mined PSS case logs
  - Extract registry-related problems from e-mails
  - Manually eliminate problems lacking info
  - Chose top 100 problems (5379 occurrences)
- Strider-verified
  - ~100 problems from peers, helpdesk and Web forums
  - Inject mis-configuration and verify symptoms/solutions using Strider Troubleshooter

8 Text-mined Data Distribution Only 100 most common problems graphed

9 Why Are PCs Fragile?
- Problem Manifestation
  - Understand how users are affected
  - Multiple symptoms result from single modification
- Impact Scope
  - System-wide vs. user-specific
  - Single-app vs. Multiple-apps vs. System Level

10 Case Studies
- “double-clicking a folder on the right pane of Explore opens a Search Window when HKCR\Directory\shell\(Default) is changed from ‘none’ to ”
- “deleting HKCR\.htc\Content Type prevents System Restore from showing the calendar of restore points”

11 Category 1: Problem Manifestation

| Manifestation | TMDS | SVDS |
|---|---|---|
| Unstable/unusable system | 2 (143) | 6 |
| Cannot perform function/action | 62 (4212) | 32 |
| Unanticipated response | 18 (676) | 23 |
| Unanticipated side-effect | 9 (196) | 14 |
| Cannot locate UI | 1 (16) | 9 |
| UI disappears, functionality ok | 3 (65) | 12 |
| Unexpected program adaptation | 5 (71) | 4 |

12 Category 2: Impact Scope

| Impact Scope I | TMDS | SVDS |
|---|---|---|
| System-wide | 71 (4312) | 59 |
| User-specific | 29 (1067) | 41 |

| Impact Scope II | TMDS | SVDS |
|---|---|---|
| Single Application | 28 (994) | 48 |
| Multiple Applications | 31 (3081) | 16 |
| System Level | 41 (1304) | 36 |

13 What Can We Do About Fragility?
- Monitoring
  - Post-deployment health checking
- Fault Injection
  - Test robustness of app/system during development
  - Test monitoring tool robustness
- Access Protection
  - At each new OS version release

14 Monitoring

| Monitoring outcome | TMDS | SVDS |
|---|---|---|
| Known bad entry | 22 (2746) | 35 |
| Potential bad + symptom match | 71 (2390) | 60 |
| Can’t help | 7 (243) | 5 |

- Plethora of monitoring tools already exist!
  - E.g. Registry Mechanic, Registry Healer, …
- Key features:
  - Active and passive monitoring
  - Distinguish known bad and potential bad entries
  - Dynamic rule update mechanism

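15 Fault Injection

| Fault class | TMDS | SVDS |
|---|---|---|
| Bad data | 22 (832) | 24 |
| Data legal but considered bad | 39 (933) | 41 |
| Item exists | 3 (278) | 9 |
| Item missing | 5 (136) | 10 |
| Key exists | 12 (2454) | 7 |
| Key missing | 5 (146) | 9 |
| Bad key | 8 (263) | 0 |
| Bad sub-key | 5 (325) | 0 |
| Type corrupt | 1 (12) | 0 |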

16 Fault Injection
- Key features
  - Predicate-based injection
  - Case-specific bad config vs. global bad config
- When does the change become user-visible?
  - App/explorer restart, re-login, system reboot.
- Simple fault injection:
  - ‘reg’ operation in Windows command line.
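
The rule-based monitoring from slide 14, labelled with the fault classes from slide 15, as an added example that is not part of the original presentation or the Strider tools. It checks a constructed `.reg` export (the text format `reg export` writes) against rules taken from the two case studies on slide 10; the rule layout, function names and sample data are assumptions made for illustration.

```python
import re

# Constructed sample in .reg export syntax; not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\Directory\shell]
@="find"

[HKEY_CLASSES_ROOT\.htc]
"ExampleItem"="x"
'''

# Hypothetical rule base built from the two case studies in this deck:
# (key, item, predicate on the value, fault class, symptom to match).
RULES = [
    (r"HKEY_CLASSES_ROOT\Directory\shell", "(Default)",
     lambda v: v == "none", "Bad data",
     "double-clicking a folder opens a Search window"),
    (r"HKEY_CLASSES_ROOT\.htc", "Content Type",
     lambda v: v is not None, "Item missing",
     "System Restore does not show the restore-point calendar"),
]

ITEM = re.compile(r'(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse .reg text into {key: {item: value}}; names are lowercased."""
    snapshot, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            snapshot[key] = {}
            continue
        m = ITEM.match(line) if key else None
        if not m:
            continue
        name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1].lower()
        data = m.group(2)
        if data.startswith("dword:"):
            data = int(data[6:], 16)
        elif data.startswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])
        snapshot[key][name] = data  # other types stay as raw text
    return snapshot

def check(snapshot):
    """Return (fault class, key, item, symptom) for each rule that fails."""
    return [(fault, key, item, symptom)
            for key, item, ok, fault, symptom in RULES
            if not ok(snapshot.get(key.lower(), {}).get(item.lower()))]
```

Because the rules are plain data, new known-bad entries can be appended to `RULES` without touching the parser, which is one way to read the "dynamic rule update mechanism" bullet.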

17 Access Protection

| Protection approach | TMDS | SVDS |
|---|---|---|
| OS lockdown | 9 (296) | 20 |
| Check rules upon modification | 18 (659) | 14 |
| Copy on Write | 3 (118) | 1 |
| Log changes | 56 (1757) | 58 |
| Can’t help | 14 (2549) | 2 |
| Ignore | 0 (0) | 5 |

18 Access Protection
- OS lockdown – few but most critical entries!
- Rule checks feasible only for some entries
  - Not good for user-modifiable configurations
  - Can check at creation/deletion
- Logging changes does not always help
  - Problems untraceable to Registry entry modification
  - E.g. Leftover entries from software uninstallation
- Ignore if too expensive to protect

19 Conclusions
- Important to develop effective Registry troubleshooters
  - Simple interface for the average PC user
  - Reduce likeliness of accidentally introducing errors
- Build and maintain a comprehensive knowledge base of problems
  - Users query for matching problem symptoms
  - Users & support gurus contribute solutions
- Reduce impact of PC fragility on total cost of ownership and user satisfaction.

20 Related Work
- Frank Apap, Andrew Honig, Shlomo Hershkop, Eleazar Eskin, Sal Stolfo, “Detecting Malicious Software by Monitoring Anomalous Windows Registry Accesses,” RAID 2002.
- Ram Chillarege, Nicholas S. Bowen, “Understanding Large System Failures – A Fault Injection Experiment,” Digest 19th Int. Symp. Fault-tolerant Computing, 1989.
- M. Kalyanakrishnam, “Analysis of Failures in Windows NT Systems,” Masters Thesis, Technical report CRHC 98-08, University of Illinois at Urbana-Champaign, 1998.
- I. Lee and R.K. Iyer, “Software Dependability in the Tandem GUARDIAN Operating System,” IEEE Trans. On Software Engineering, Vol. 21, No. 5, pp. 455-467, May 1995.
- A. Thakur, R.K. Iyer, L. Young, I. Lee, “Analysis of Failures in the Tandem NonStop-UX Operating System,” Proc. Int. Symp. Software Reliability Engineering, pp. 40-49, 1995.
- Don Wilson, Brendan Murphy, Lisa Spainhower, “Progress on Defining Standardized Classes for Comparing the Dependability of Computer Systems,” DSN Workshop on Dependability Benchmarking, June 25, 2002.

