Original URL: http://www.theregister.co.uk/2007/05/10/tattletale_convenience/

Don't let Windows Indexing Service know too much

Keeping index files under control

By Thomas C Greene

Posted in Security, 10th May 2007 10:33 GMT

Privacy workshop: The Windows Indexing Service catalogues the contents of your hard disk, and even the contents of files, to make local searching faster.

This service creates and later consults a number of small databases containing data about your disk's contents, including the actual contents of files, which can undermine the practice of good data hygiene. Indexing creates what amounts to a scattered secondary volume of your data, and your wipe utility might fail to erase all these related traces when it erases a file.

However, the Indexing Service is also a significant convenience. It's not essential for searching, but it speeds up searches and enables you to search for strings within files. So it's not something to do away with unless you are primarily concerned about privacy and data hygiene.

There are two levels of response here, and you can choose your poison. First, indexing can be shut off altogether, and you can then wipe the index files and that will be the end of it. Second, you can shut it off temporarily, wipe the index files, and then re-enable the service, only this time selecting the particular directories to be indexed. This way, you can use the service, but prevent the indexing of directories containing sensitive information.

For those interested in the nuclear option, consider that, for an added bonus, disabling the Indexing Service will free up some processor resources and RAM. If you are unlikely to search very often, it's foolish to devote system resources to speeding up a service that you don't really depend on, or even want.

Of course, if you normally spend a great deal of time searching for files, or for strings of text within your files, you'll be grateful for the Indexing Service, although it does make data hygiene pretty much impossible if you index directories and files indiscriminately.

Regardless of which option you choose, begin by disabling the service and wiping the old index files. Log in as an Administrator and shut it off:

1. Go to the Start menu and choose Run.

2. Type in services.msc and click OK. The Services dialogue will launch.

3. Right-click on the Indexing Service to bring up the Properties dialogue, and click Stop if the service is running. Then select Disabled. Click Apply and close the dialogue.

4. Go to My Computer. Next, select Local Disk (C:) under "Hard Disk Drives".

5. Right-click on the Local Disk (C:) icon and choose Properties from the right-click menu. The Local Disk Properties dialogue will pop up. Near the bottom you will see a tick box beside the option: "Allow Indexing Service to index this disk for fast file searching" (the option will not be available on all systems, so don't worry if you don't see it).

6. Clear the tick box, click Apply, and in the next dialogue, select the option "Apply changes to C:\, subfolders and files." Click OK, and reboot.

Once the service is disabled, it should not be difficult to wipe any remaining index files (*.idx, *.idq, *.ida, and *.htx), if they exist. You will have to set Windows Explorer to display hidden files and system files, as described in a previous column, in order to find the files. You can then locate them with the Search Companion (aka Search Assistant) using ".ida," ".idx," ".idq," and ".htx" as terms, and wipe them.

Of course, first you'll have to configure the Search Companion because, by default, it will not search everywhere. To configure it:

1. Go to My Computer ==> Hard Disk Drives ==> Local Disk (C:).

2. The Search companion should be visible in the left-hand pane. If it is not, click the Search icon near the top of the window.

3. Select the Companion's "More advanced options", then choose "Search all files and folders" from the drop-down menu, and tick the boxes beside the options, "Search system folders", "Search hidden files and folders", and "Search subfolders", as shown.

[Screenshot: Search Settings]

Now search on the following terms: .idx, .idq, .ida, and .htx, and wipe those files that do not obviously belong to any of your applications. It's unlikely that you will find many of these files, especially on a home system, but it's important to look for them. Wiping them may be tedious, but you will only have to do it once so long as you keep the Indexing Service turned off, or later configure it to catalogue only specific "safe" directories. The catalogue files, if any should exist, will appear in the right-hand pane of the Search Companion window. You can right-click and use your wipe utility to destroy them.
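The two procedures above (stop and disable the service, then hunt down the leftover catalogue files with hidden and system files included) can be scripted. The following is an added example, not code from the article or from Microsoft; it assumes the XP-era Indexing Service, whose service name is cisvc, Windows PowerShell (Get-WmiObject), and an Administrator session. It only lists what it finds unless -Remove is given, and Remove-Item is an ordinary delete rather than a secure wipe, so the article's advice to use a wipe utility, or to wipe free space afterwards, still applies.

```powershell
# Added example (not from the article): stop and disable the Indexing Service,
# then list the leftover catalogue files the article names for review.
# Assumes the XP-era service name 'cisvc' (display name "Indexing Service")
# and Windows PowerShell; run as Administrator.
param(
    [switch]$Remove   # list only by default; -Remove performs a plain delete
)

$IndexServiceName = 'cisvc'
# The four extensions the article associates with Indexing Service catalogue files.
$IndexExtensions  = @('*.idx', '*.idq', '*.ida', '*.htx')

function Disable-IndexingService {
    $svc = Get-Service -Name $IndexServiceName -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Host "Service '$IndexServiceName' is not present on this system."
        return
    }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $IndexServiceName -Force
    }
    # Same effect as Properties -> Startup type: Disabled in services.msc
    Set-Service -Name $IndexServiceName -StartupType Disabled
    Write-Host "Service '$IndexServiceName' stopped and set to Disabled."
}

function Find-IndexFiles {
    # Fixed local disks only: DriveType 3 in Win32_LogicalDisk
    $roots = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |
             ForEach-Object { $_.DeviceID + '\' }
    foreach ($root in $roots) {
        # -Force includes hidden and system files, the equivalent of ticking
        # "Search hidden files and folders" and "Search system folders".
        Get-ChildItem -Path $root -Recurse -Force -Include $IndexExtensions `
                      -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
    }
}

Disable-IndexingService
$found = @(Find-IndexFiles)
Write-Host ("{0} candidate index file(s) found." -f $found.Count)
$found | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $found) {
        # Plain delete: the data is still recoverable until free space is wiped.
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Continue
        Write-Host "Deleted $($f.FullName)"
    }
}
```

Review the listing before passing -Remove: .ida, .idq and .htx files can also belong to web-server applications, which is exactly the "do not obviously belong to any of your applications" judgement the article asks you to make.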

Now you are rid of all your old index files. Those who wish to use the Indexing Service should re-enable it, and select the particular directories to be indexed.

1. Go to the Start menu and choose Run.

2. Type in services.msc and click OK. The Services dialogue will launch.

3. Right-click on the Indexing Service to bring up the Properties dialogue box, select "Automatic", and click Apply. Then click "Start" and exit the dialogue.

4. Go to My Computer ==> Hard Disk Drives ==> Local Disk (C:), and left-click.

5. Browse your filesystem and right-click on any directory you wish to index. Choose Properties, then click "Advanced" toward the bottom of the Properties dialogue box.

6. In the Advanced Attributes dialogue box, select the tick-box beside the option "For fast searching, allow Indexing Service to index this folder". Click OK, and you will be given the option to include that directory's subfolders and their files if you like. Repeat as needed.

This way, you can use the Indexing Service while preventing it from making duplicate data traces of directories that contain sensitive files.
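The tick box in step 6 toggles a file-system attribute, FILE_ATTRIBUTE_NOT_CONTENT_INDEXED (NotContentIndexed in .NET), on the folder and, if you accept the prompt, on everything beneath it. The script below is an added example, not the article's or Microsoft's code: it takes the opposite approach to the GUI steps by setting that attribute on directories you name (clearing the box for them) and then auditing which directories under your profile are still open to indexing. The paths in $SensitiveDirs are constructed placeholders.

```powershell
# Added example (not from the article): exclude chosen directories from the
# Indexing Service by setting the NotContentIndexed attribute, which is what
# clearing "For fast searching, allow Indexing Service to index this folder"
# does, then report what is still indexable.
$MyDocs = [Environment]::GetFolderPath('MyDocuments')
$SensitiveDirs = @(
    (Join-Path $MyDocs 'Private'),     # placeholder path
    (Join-Path $MyDocs 'Tax Returns')  # placeholder path
)

$NotIndexed = [IO.FileAttributes]::NotContentIndexed

function Set-NoContentIndex {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping missing path: $Path"
        return
    }
    # The directory itself plus every file and subfolder under it (-Force
    # includes hidden items), matching "apply to subfolders and files".
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        if (($item.Attributes -band $NotIndexed) -eq 0) {
            $item.Attributes = $item.Attributes -bor $NotIndexed
        }
    }
    Write-Host "Marked $($items.Count) item(s) under '$Path' as not content-indexed."
}

function Get-IndexableDirectories {
    # Audit helper: directories under $Root the service is still allowed to index.
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and (($_.Attributes -band $NotIndexed) -eq 0) } |
        Select-Object -ExpandProperty FullName
}

foreach ($dir in $SensitiveDirs) { Set-NoContentIndex -Path $dir }
Write-Host "Directories still open to indexing under $env:USERPROFILE:"
Get-IndexableDirectories
```

Run the audit function again after any directory reorganisation: a file moved out of a marked folder keeps its attribute, but new files created in an unmarked folder do not get it.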

One little irritant here is that if you use the Search Companion, with or without the Indexing Service, your search queries will be stored in the Windows Registry, under HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru. You can delete the contents within that key whenever you please, but you will find that there is no option to write-protect it, so your search terms will be stashed there, regardless of how you feel about it.

You can delete the entries manually from time to time using the Windows Registry Editor, or you can make a backup Registry just after purging data traces, and then restore that "clean" version whenever you like. But this is a real inconvenience, since every time you alter your system configuration or install software, you will have to make a new, clean Registry backup. The best option is simply to remain aware of this fact and take care when searching your computer for files with, let's say, "controversial" names.
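For those who would rather not open the Registry Editor each time, here is an added example, not from the article, that lists the stored search terms under the ACMru key the article names and clears them on request. Nothing beyond that key path is assumed; the numbered subkeys and value names are simply whatever Windows has written there.

```powershell
# Added example (not from the article): list, and on request clear, the
# Search Companion history under HKCU\Software\Microsoft\Search Assistant\ACMru.
param([switch]$Clear)

$AcmruKey = 'HKCU:\Software\Microsoft\Search Assistant\ACMru'

function Get-SearchAssistantHistory {
    if (-not (Test-Path -Path $AcmruKey)) { return }
    foreach ($sub in Get-ChildItem -Path $AcmruKey) {
        $values = Get-ItemProperty -Path $sub.PSPath
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties; skip those.
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{
                Category = $sub.PSChildName   # numbered subkey as written by Windows
                Slot     = $p.Name
                Term     = $p.Value
            }
        }
    }
}

function Clear-SearchAssistantHistory {
    if (-not (Test-Path -Path $AcmruKey)) { return }
    # Remove the numbered subkeys only; the ACMru key itself is left in place
    # and Windows refills it with subsequent searches.
    Get-ChildItem -Path $AcmruKey | Remove-Item -Recurse -Force
}

$history = @(Get-SearchAssistantHistory)
Write-Host ("{0} stored search term(s)." -f $history.Count)
$history | Format-Table Category, Slot, Term -AutoSize

if ($Clear) {
    Clear-SearchAssistantHistory
    Write-Host "ACMru subkeys removed; they reappear with the next search."
}
```

Running the listing first is worthwhile in its own right: it shows exactly what an examiner with access to your user hive would see.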

Just what you've been searching for

Related to this are several important files, all named "index.dat", that you'll find in numerous locations. These are, essentially, mini-databases cataloguing the contents of directories related to your internet behaviour. Your search queries, cookies, web history, and several other peculiar items are recorded for posterity. Did you ever wonder how forensic examiners can tell that a person searched the web for "undetectable poisons", "dismembering a dead body at home", and "how to explain a spouse's sudden disappearance" a week before, well, a spouse's sudden disappearance? Index.dat.

You can delete the contents of the Internet Explorer directories, but you can't easily delete the index.dat files that record their contents. Oddly, Microsoft does not want you to play with these index files, so if you attempt to delete them, access will be denied, even to an Administrator. This is because they are "open", or in use, even when IE is not running.

To remove these tattletale files, you must restart in Safe Mode:

1. Reboot.

2. As the computer boots, but before Windows starts, press F8.

3. Use the arrow keys to highlight the Safe Mode option, then press Enter.

4. You will be able to search for the files in Safe Mode. Whether or not your wipe utility will work is another matter. If it does not, you can delete the files, restart Windows normally, then use your utility to wipe free space and file slack.

Now for the bad news: even if you wipe these files, Windows will re-create them as soon as you reboot, and continue storing data in them. I recommend that you wipe each one, reboot, and then write-protect all of them. It's also important to search for them occasionally because Windows may create additional index.dat files as you use your machine. There are numerous utilities available that claim to remove these files while Windows is running normally. If you wish to check them out, perform a web search using "index.dat" as a term, and you'll find links to several such tools.

If you use a good browser like Firefox or Mozilla, you will not have to worry about index.dat files. You'll only have to wipe them once. They'll be re-created after you destroy them, but if you use a browser other than IE they will no longer record details of your internet behaviour. All of the directories that Firefox and Mozilla use can be wiped easily and securely, or emptied and write-protected (about which there'll be more in a future column).

On Windows versions earlier than Vista, you will need to keep Internet Explorer to use Windows Update manually (because of its support of ActiveX Controls), but you needn't, and shouldn't, use IE for any other purpose. Once Firefox or Mozilla is installed and configured, you can destroy all of your index.dat files once, write-protect them when they are re-created after a reboot, and not worry about them in the future.
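The "search for them occasionally, then write-protect them" routine can be scripted. Below is an added example, not the article's or Microsoft's code: it locates every index.dat on the local fixed drives, hidden and system files included, reports them, and with -WriteProtect sets the read-only attribute on each. It assumes Windows PowerShell and an Administrator session, and that the files have already been wiped in Safe Mode and re-created by a reboot. Read-only is a file attribute, not a permission, so a program running under your account can clear it; it is an obstacle, not a guarantee.

```powershell
# Added example (not from the article): find every index.dat on local disks,
# report it, and optionally set the read-only attribute as the article
# recommends after the wipe-and-reboot cycle.
param([switch]$WriteProtect)

function Find-IndexDat {
    # Fixed local disks only: DriveType 3 in Win32_LogicalDisk
    $roots = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |
             ForEach-Object { $_.DeviceID + '\' }
    foreach ($root in $roots) {
        # -Force includes hidden and system files; index.dat is both.
        Get-ChildItem -Path $root -Recurse -Force -Filter 'index.dat' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
    }
}

$files = @(Find-IndexDat)
$files | Select-Object FullName, Length, IsReadOnly, LastWriteTime | Format-Table -AutoSize
Write-Host ("{0} index.dat file(s) found." -f $files.Count)

if ($WriteProtect) {
    foreach ($f in $files) {
        if (-not $f.IsReadOnly) {
            # Setting the attribute does not need an exclusive handle, so this
            # works even though Windows keeps the files open.
            $f.IsReadOnly = $true
            Write-Host "Set read-only: $($f.FullName)"
        }
    }
}
```

A non-zero Length on a file you write-protected earlier is the signal that something has been writing to it again, or that the file was re-created elsewhere; that is what the occasional re-run is for.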

System Restore

System Restore is another useful Windows feature with privacy implications. It creates snapshots of the system at periodic intervals called restore points. If the system is damaged by malware or a bad software installation, users can roll back their systems to a previous restore point when it was known to be working properly. Obviously, this is bad for data hygiene, though it is a real convenience. Ideally, the system contents backed up to the C:\Restore directory would not include any personal data, but that assumes that users will not unknowingly store sensitive files in directories that will be backed up.

It's also possible for viruses to remain in the C:\Restore directory when infected files are inadvertently backed up. The backed-up malware will defy removal by some anti-virus products, and when you restore the system you'll restore your viruses and malware as well.

So, System Restore is another item that's very handy, and bad for privacy and security. You will have to decide if the convenience is worth the risk, and choose your poison.

If you wish to disable System Restore, follow these steps:

1. Go to the Start menu and choose Settings ==> Control Panel ==> System to launch the System Properties dialogue (or right-click on the My Computer icon and choose Properties).

2. Choose the System Restore tab at the top of the System Properties dialogue box and choose the tick box on the line reading, "Turn off System Restore." Click OK.

3. Next, go to the Start menu, choose Run, and type services.msc to launch the Services dialogue. Find the System Restore service, stop it if it's running, set it to Disabled, and click Apply.
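The three steps above have a scripted equivalent. The following is an added example, not from the article or Microsoft: it first lists the existing restore points, so you can see which snapshots might hold copies of personal files, and with -Disable turns System Restore off for the system drive and stops and disables its service. It assumes Windows PowerShell on a Windows client edition (Get-ComputerRestorePoint and Disable-ComputerRestore are client-only) and that the service name srservice, the XP-era System Restore Service, may be absent on later versions; that case is handled.

```powershell
# Added example (not from the article): show what System Restore holds, then
# on request disable it for the system drive and stop its service.
param([switch]$Disable)

$SystemDrive = $env:SystemDrive + '\'

function Get-RestorePointSummary {
    # Each restore point is a snapshot that may contain copies of personal files.
    try {
        Get-ComputerRestorePoint -ErrorAction Stop |
            Select-Object SequenceNumber, Description, RestorePointType,
                          @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
    } catch {
        Write-Warning "Could not enumerate restore points: $($_.Exception.Message)"
    }
}

function Disable-SystemRestoreFully {
    # GUI step 2: "Turn off System Restore" for the drive.
    Disable-ComputerRestore -Drive $SystemDrive
    # GUI step 3: stop and disable the service, where this version of Windows has one.
    $svc = Get-Service -Name 'srservice' -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'srservice' -Force }
        Set-Service -Name 'srservice' -StartupType Disabled
        Write-Host "System Restore Service stopped and disabled."
    } else {
        Write-Host "No 'srservice' on this version of Windows; drive-level disable applied."
    }
}

Get-RestorePointSummary | Format-Table -AutoSize
if ($Disable) { Disable-SystemRestoreFully }
```

Turning System Restore off discards the existing restore points, so take any backup you actually want before passing -Disable.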

Temporary Files

There might be hundreds, even thousands, of temporary files on your computer. Most are deleted automatically when you shut down Windows, but whenever a power interruption or a system crash occurs, they will be left behind. They're created for scores of different reasons. Most are harmless, but it's impossible to predict what a temporary file might contain. For example, a word processor will periodically create temporary versions of documents you're working on so that if your system goes down, you'll be able to recover a recent version and very little work will be lost.

But suppose you had been composing a document that you intended to encrypt: a temporary version of the original clear-text file might be created and stored in your documents directory. If the system goes down, the temporary file will remain. We've already seen how memory swapping can cause data to be preserved in the swap file, and how the Indexing Service can record file contents. Temporary files are a third source of potentially revealing data traces. On Windows, most such files are located in directories named ~\Temp or ~\temp, and most temporary files have the extension .tmp.

From time to time, you should destroy the contents of all your temporary directories and wipe all of the files on your computer with the .tmp extension. This is quite easy using the Search Companion and a wipe utility. First you would use "temp" as a search term and find all the temporary directories (make sure your search is not case-sensitive). Most of the directories should be empty, but check each one and wipe anything you find in it. There will also be several directories called "Temporary Internet Files". Wipe the contents of those while you're at it. Next, use ".tmp" as a search term and wipe every file that the Search Companion lists. Do this as often as you please. If you do it often, fewer files will have accumulated in the meantime, so destroying them will go a lot faster. ®
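The routine just described can be made a habit with a script. What follows is an added example, not the article's or Microsoft's code: it gathers the temporary locations the article describes (the per-user and system Temp directories, Temporary Internet Files, and any stray .tmp file under the user profile), summarises what is there, and deletes only when -Remove is given. It assumes the standard TEMP and TMP environment variables and the InternetCache special folder. As with the index files, Remove-Item is a plain delete, so a free-space wipe afterwards is what actually destroys the contents.

```powershell
# Added example (not from the article): enumerate temporary files, summarise
# them, and delete them only on request.
param(
    [switch]$Remove,
    [int]$OlderThanDays = 0   # 0 = everything; e.g. 7 leaves this week's files alone
)

$TempDirs = @(
    $env:TEMP,
    $env:TMP,
    "$env:windir\Temp",
    [Environment]::GetFolderPath('InternetCache')   # "Temporary Internet Files"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

$Cutoff = (Get-Date).AddDays(-$OlderThanDays)

function Find-TempFiles {
    $seen = @{}   # keyed by full path so a file found twice is reported once
    # 1. Everything inside the temporary directories
    foreach ($dir in $TempDirs) {
        Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $Cutoff } |
            ForEach-Object { $seen[$_.FullName] = $_ }
    }
    # 2. Stray *.tmp files anywhere in the profile (crash leftovers, editor autosaves)
    Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -Include '*.tmp' -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $Cutoff } |
        ForEach-Object { $seen[$_.FullName] = $_ }
    $seen.Values
}

$files = @(Find-TempFiles)
$bytes = ($files | Measure-Object -Property Length -Sum).Sum
Write-Host ("{0} temporary file(s), {1:N1} MB" -f $files.Count, ($bytes / 1MB))
$files | Sort-Object Length -Descending |
    Select-Object -First 20 -Property FullName, Length | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $files) {
        # A file still open by a running program fails to delete; it is reported, not forced.
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction SilentlyContinue
        if (Test-Path -LiteralPath $f.FullName) { Write-Warning "In use, skipped: $($f.FullName)" }
    }
}
```

The top-20-by-size listing is the useful part of the dry run: a large .tmp next to a document you meant to encrypt is exactly the clear-text autosave the article warns about.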

Previous Workshop

Clearing swap and hibernation files properly