# Windows 98 key logger



## h3z (Jun 25, 2013)

This is way off topic. The only reason it might even be relevant, is to support the greater trust involved in using open source software.

It was at least ten years ago. But, I recall reading a handful of websites that exposed a compressed hidden file on Windows 98. It contained every single keystroke that ever occurred on the host PC. You could only view the file using an alternative operating system like Linux or some third party program. I tested it and found it to be true. It is not all that surprising that I can't find any of those websites now. Since, Windows 98 is likely to only receive Google hits involving virtual machine configurations and what not.

Does anyone else remember this?

Does anyone remember the name of the file? It might yield as a more useful search engine keyword.

I would like to get my hands on more information about this topic.

It is noted that I should probably be asking this on a Windows forum. But, I thought it unrealistic to hope for any useful information there.

Many BSD gurus are versed in the history of many operating systems. And, I thought that this would be a not soon forgotten memory. Since, it would've been a great inspiration to investigate a BSD platform, having learned about this hidden Windows key logger.


----------



## fonz (Jun 25, 2013)

h3z said:

> Does anyone else remember this?


I do remember the rather embarrassing out-of-band bug that led to the hilarious WinNuke saga (and all the pranks that could be pulled with it). Your story rings a bell, but no more than that.


----------



## ShelLuser (Jun 26, 2013)

h3z said:

> This is way off topic. The only reason it might even be relevant, is to support the greater trust involved in using open source software.


Or just to bring up some good memories. It's been ages since I messed with Windows 95 and later 98. If I recall correctly I had just purchased an IBM Aptiva during that time for the sole purpose of running OS/2. Naive as I was back then I figured that if I would get myself a real IBM computer then surely it should be no problem to get OS/2 running as optimal as possible?

Well, think again. It had no problem with Windows 98 but OS/2 just didn't work. I eventually ended up with a Compaq Presario... something with a nice 486DX4 processor. Not only did it run OS/2 very smoothly; they even provided native OS/2 drivers for it (I purchased an extra "administrator" set of drivers; that got me approximately 3 or 4 boxes of 3.5" floppy disks with all the hardware drivers I could need).

ALAS...

You're extremely off topic and now I might be saying something extremely silly; but I think you couldn't have picked a better technical forum. First we're a bunch of adults here, second; I think most of us like to tinker. And third; most of us know what we're talking about. On several Microsoft fora you'll often come across people who merely recite facts, but more than often without understanding the theory behind it themselves.



			
h3z said:

> But, I recall reading a handful of websites that exposed a compressed hidden file on Windows 98. It contained every single keystroke that ever occurred on the host PC. You could only view the file using an alternative operating system like Linux or some third party program.


My company has a TechNet subscription, which isn't only very easy to gain access to an almost complete library of Microsoft software, it also provides full access to several technical documents.

I just took a quick peek and only now do I notice that both Windows 95 and 98 aren't available in the library. Which is pretty weird considering that I can still grab Windows 3.1 or 3.11. I can even get MS-DOS 6.0 or 6.22 if I want to.

Even Windows 3.2, that's new to me. Windows 3.2.144, only in simplified Chinese.

But I did come across this TechNet article regarding the Windows 98 registry. And that made me wonder if these files couldn't be user.dat or system.dat?

I know that Windows used to store a lot of sensitive information back then. Even the system swap file always contained a lot of information about recent system usage, which might also be a relevant target.

But right now I'm wondering if this couldn't be related to user.dat, even though this is a rough guess on my part.



			
h3z said:

> It is noted that I should probably be asking this on a Windows forum. But, I thought it unrealistic to hope for any useful information there.


I fully agree. And well, this is a forum for off topic items.

Hope this can help. And I'll be sure to keep this in the back of my head as well. If something pops up I'll be sure to get back to you.


----------



## throAU (Jun 26, 2013)

h3z said:

> This is way off topic. The only reason it might even be relevant, is to support the greater trust involved in using open source software.
> 
> It was at least ten years ago. But, I recall reading a handful of websites that exposed a compressed hidden file on Windows 98. It contained every single keystroke that ever occurred on the host PC. You could only view the file using an alternative operating system like Linux or some third party program. I tested it and found it to be true.




Any more details? I have a Windows 98 VM that I'm curious to have a poke around on.


----------



## SirDice (Jun 26, 2013)

h3z said:

> It was at least ten years ago. But, I recall reading a handful of websites that exposed a compressed hidden file on Windows 98. It contained every single keystroke that ever occurred on the host PC. You could only view the file using an alternative operating system like Linux or some third party program.


Not without any malware.


----------



## Crivens (Jun 26, 2013)

SirDice said:

> Not without any malware.


<trollmode=ON> The OP is asking about something in Windows 98. So yes, with malware. </trollmode>

But yes, even when Windows 98 does not tick all the boxes for malware, it will have a complete zoo once you connect it to the Internet and let it sit there for about ten seconds.

Ok ok, going back to work


----------



## h3z (Jun 26, 2013)

throAU said:

> Any more details?  I have a Windows 98 VM that I'm curious to have a poke around on



I can't remember the location. One site supplied two tools for finding the file. One a Linux floppy disk image. The other a free tool the site author had written. The site did contain information about Windows XP. Mainly regarding the NTFS file system. Wish I could remember more. I am still hunting around, but have only turned up easter egg information. There can't be that many files, only seen externally of the operating system itself. And, it can't be that the file is unseen from the operating system whilst it is running. Or, the site(s) would have mentioned using a DOS boot disk. This was also exposed as an intended function of the Windows system. Not something resulting from a commonly contracted toy.



			
ShelLuser said:

> nice 486DX4 processor


Good times 




			
ShelLuser said:

> You're extremely off topic and now I might be saying something extremely silly; but I think you couldn't have picked a better technical forum. First we're a bunch of adults here, second; I think most of us like to tinker. And third; most of us know what we're talking about. On several Microsoft fora you'll often come across people who merely recite facts, but more than often without understanding the theory behind it themselves.



In my search I did stumble upon a Microsoft tech. declaring to someone else looking for the same thing, that Gates would have been sued if anything like that existed. And, that's actually the closest I have gotten to finding any resemblance of what I am seeking.




			
ShelLuser said:

> I think you couldn't have picked a better technical forum



It seems to me, that the users here are a rare catch. I don't know of a perfect description for the atmosphere here. Love of knowledge does come to mind.


----------



## _martin (Jun 26, 2013)

Hm, that's interesting. Frankly I don't remember this. But I'm curious: how would Windows 98 hide those files on a FAT filesystem? NTFS has a neat way of doing that (ooh those times when pr0n movies were hidden under a few bytes on notes.txt), but FAT? Hm... you caught my attention.

But thinking that out loud - if you consider disk size at that time, that would be a pretty big log. Even if you zip it small.


----------



## kpa (Jun 26, 2013)

It would be humongous if it contained anything else but the keystrokes, like timestamps.


----------



## throAU (Jun 27, 2013)

Crivens said:

> <trollmode=ON> The OP is asking about something in Windows 98. So yes, with malware. </trollmode>
> 
> But yes, even when Windows 98 does not tick all the boxes for malware, it will have a complete zoo once you connect it to the Internet and let it sit there for about ten seconds.
> 
> Ok ok, going back to work



Have you tested that lately?  I'm somewhat keen to give that a shot myself - Windows 98 is so old now that it may well not support many of the APIs that are currently being exploited in the wild.

It doesn't listen on any ports by default, from memory (other than ICMP?).  I could be wrong on that, it's been a while.


----------



## ShelLuser (Jun 27, 2013)

matoatlantis said:

> Hm, that's interesting. Frankly I don't remember this. But I'm curious: how would Windows 98 hide those files on a FAT filesystem?


About the same way DOS used to hide files which had the h attribute set I think. The underlying file system doesn't really matter in these cases; it depends on how the operating system provides the information to the end user.


----------
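Added example (not part of any post in this thread): ShelLuser's point about the DOS hidden attribute, shown on a constructed FAT directory region. The hidden flag is one bit in each 32-byte directory entry, so a listing that honours it omits the file while a tool reading the raw entries sees it; the file names and sizes below are constructed sample data.

```python
import struct

# Attribute bits in byte 11 of each 32-byte FAT directory entry.
ATTR_HIDDEN, ATTR_SYSTEM, ATTR_VOLUME_ID = 0x02, 0x04, 0x08
ATTR_LFN = 0x0F                      # long-file-name slot, not a file
ENTRY = struct.Struct("<8s3sB16xI")  # name, ext, attr, (skipped), size

def make_entry(name, ext, attr, size):
    """Build one constructed short-name entry for the sample directory."""
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(), attr, size)

def parse_directory(raw):
    """Return (filename, attr, size) for every live entry in a raw directory."""
    entries = []
    for off in range(0, len(raw) - ENTRY.size + 1, ENTRY.size):
        name, ext, attr, size = ENTRY.unpack_from(raw, off)
        if name[0] == 0x00:                       # end-of-directory marker
            break
        if name[0] == 0xE5:                       # deleted entry
            continue
        if (attr & 0x3F) == ATTR_LFN or attr & ATTR_VOLUME_ID:
            continue
        base, suffix = name.decode("ascii").rstrip(), ext.decode("ascii").rstrip()
        entries.append((f"{base}.{suffix}" if suffix else base, attr, size))
    return entries

def default_listing(entries):
    """Names a listing shows when it honours the hidden/system bits."""
    return [n for n, attr, _ in entries if not attr & (ATTR_HIDDEN | ATTR_SYSTEM)]

def raw_listing(entries):
    """Names a tool sees when it reads the entries and ignores those bits."""
    return [n for n, _, _ in entries]

# Constructed sample: two hidden+system files, one ordinary file, one deleted
# entry, another ordinary file, then the all-zero end marker.
SAMPLE_DIR = b"".join([
    make_entry("IO", "SYS", 0x07, 222390),
    make_entry("MSDOS", "SYS", 0x07, 1676),
    make_entry("COMMAND", "COM", 0x20, 93890),
    b"\xE5" + make_entry("OLDFILE", "TMP", 0x20, 10)[1:],
    make_entry("AUTOEXEC", "BAT", 0x20, 128),
    bytes(ENTRY.size),
])

if __name__ == "__main__":
    parsed = parse_directory(SAMPLE_DIR)
    print("default listing:", default_listing(parsed))
    print("raw entries:    ", raw_listing(parsed))
```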



## Crivens (Jun 27, 2013)

throAU said:

> Have you tested that lately?  I'm somewhat keen to give that a shot myself - Windows 98 is so old now that it may well not support many of the APIs that are currently being exploited in the wild.
> 
> It doesn't listen on any ports by default, from memory (other than ICMP?).  I could be wrong on that, it's been a while.



No, I did not test it. I can only extrapolate from the time it took a flatmate from connecting his computer to the LAN and then asking me why it suddenly was throwing up demands to plug in the modem so it could dial some expensive numbers. But you may well be right in assuming that most of the current malware will simply not work. Maybe it demands C# runtime support or something like that.

This reminds me of an admin I know who had the outbound firewall running on NetBSD/VAX, grinning every time when some script kiddie tried something.


----------



## h3z (Jun 27, 2013)

I found my old Windows 98 SE disk. It was like finding something molding in the fridge. Only I was out looking for it. Somewhat dismayed by the thought of actually using it.


----------



## gkontos (Jun 27, 2013)

http://bit.ly/15JEgIv


----------



## MorgothV8 (Jun 27, 2013)

I installed Windows 95 to give it a try. It survived - no viruses harm. But even google.com refused to go. Funny. Also I've installed (after a really long time) NT 3.51 - but WOW it has no Internet client at all. Anyway - big fun - I'll try Windows (8, my favorite Windows: NT4.0, FreeBSD 3.X (my first Unix-like) and so on. Host = Mac Mountain Lion and Vbox newest. Guest = old systems I remember.


----------



## gkontos (Jun 27, 2013)

MorgothV8 said:

> It survived - no viruses harm.



That's because you are behind NAT. Try hooking one directly to the Internet.


----------



## throAU (Jun 28, 2013)

gkontos said:

> That's because you are behind NAT. Try hooking one directly to the Internet.



There's not a lot of people firing off WinNuke any more, Windows 95 doesn't expose any network ports by default (hell, TCP/IP and file sharing isn't even installed by default).

It doesn't support Java or Javascript by default. Doesn't support Flash by default. I'm pretty sure Internet Explorer 1 doesn't support iframes, ActiveX or any of the other nasties.

I'd take the Pepsi Challenge and put money on Windows 95 RTM being much safer on today's Internet than Windows XP.

Sure, if someone was to actively target you, it would be a walk in the park.  But the market share is so small now that it isn't targeted.


----------



## MorgothV8 (Jun 28, 2013)

It cannot even go to google.com. The browser hangs etc and I think it is impossible to update to IE 9.X, 10.X. I have no antivirus at all - it is just plain Windows 95 installed inside VirtualBox. NT 4.0 also works OK, and also cannot handle google.com properly. I have no browser in NT 3.51, and I don't know if there is any supported, but PuTTY/SSH to the host works OK.


----------

