Note: this content originally from http://mygreenpaste.blogspot.com. If you are reading it from some other site, please take the time to visit My Green Paste, Inc. Thank you.

Previously, I wrote about the FLAGS switch for REG.EXE in Vista and covered a technique that would set the virtualization-related flags of a registry key programmatically. This post intends to cover the other side - querying for the virtualization-related flags of a registry key. Again, we're dealing with an "undocumented" function in NTDLL.DLL - NtQueryKey:

To retrieve the flags for a key, call NtQueryKey with KeyInformationClass set to 5, which WDM.h tells us is KeyFlagsInformation.


REG.EXE supplies 12 for the value of the Length param, and the last 4 bytes of the buffer (KeyInformation) are modified when NtQueryKey returns. This would seem to suggest that the struct to receive the information containing the virtualization flags looks something like:


Putting it all together, then, we have something like:


The flags (_CONTROL_FLAGS, from Part 1) are stored as a bitmask in kfi.ControlFlags.


The code above provides the same information as invoking REG.EXE FLAGS HKLM\Software\Whatever QUERY.

Again - note that this exploration was done on Windows Vista SP1. I would expect the content here to also apply to Windows Vista (no SP) as well as Windows Server 2008, but...

Do you know what VirusRemover2008 is?

DESCRIPTION

VirusRemover2008 is phony anti-spyware software designed to extort money from computer users who make the mistake of purchasing the full VirusRemover2008 program. It is a very big mistake if you even download and install VirusRemover2008 because you run the risk of damaging your computer.

VirusRemover2008 or Virus Remover 2008, has nothing to do with removing parasites from your computer. VirusRemover2008 is all about taking your money in return for a useless program that may cause havoc on your system. VirusRemover2008 may be installed without your permission through a Trojan infection.

In non-techie terms: Ultimately, VirusRemover2008 tries its best to convince you that you need the full version of VirusRemover2008 to remove parasites that it found on your computer. Do not believe that BS. VirusRemover2008 is worthless and a complete waste of your time. VirusRemover2008 should be called VirusCREATOR2008 because it is on the verge of being a bothersome virus. VirusRemover2008 is also known to come directly from VirusRemover2008.com which is a malicious website that should always be avoided.

Have you experienced any programs such as VirusRemover2008 being installed on your computer without your permission? Tell us your story and how you got rid of it.

Aliases: VirusRemover2008, Virus Remover 2008, VirusRemover 2008, VirusRemover2008.com.

VirusRemover2008 screen shot image:

VirusRemover2008.com website image:

VirusRemover2008 Automatic Removal Instructions

This automatic removal method is for non-techie computer users. If you’re too lazy to learn about spyware removal or how to access sensitive files in your computer, then this is the method for you.
Before you start: Print or bookmark these instructions because you’ll have to reboot into Safe Mode. Also back up your computer in case you make a mistake.

1. Download and save SmitFraudFix to your desktop.
2. Restart your computer in Safe Mode (how to do safe mode). Once the
   desktop appears, double click on the SmitfraudFix.exe on your desktop.
3. After the credits screen, you’ll see a menu. Select the option number 2, which is ‘Clean (safe mode recommended)’, and then
   press Enter to delete infect files.
4. SmitFraudFix will begin cleaning your computer and take a series of cleanup processes. When the process is over, it will automatically begin the Disk Cleanup program.
5. Once the Disk Cleanup program is complete, you will be prompted with the message ‘Registry cleaning - Do you want to clean the registry’. Answer Y (Yes) and hit Enter. Reboot your computer.
6. SmitFraudFix will now check if wininet.dll is infected. SmitFraudFix will ask you whether to replace the infected file (if there’s any) ‘Replace infected
   file?’ Answer by typing Y (Yes) and hit Enter.
7. Reboot your computer to complete the cleaning process.
8. After reboot, a Notepad screen may appear containing a log of all the files
   removed from your computer. If it doesn’t appear, a file will be created called
   rapport.txt in the root of your drive, (Local Disk C:).
9. Restart your computer in Safe Mode (how to do safe mode).
10. Go to C:\Windows\Temp, click Edit, click Select All, press DELETE, and then
    click Yes to confirm that you want all the items to go to the Recycle Bin.
11. Go to C:\Documents and Settings\[LISTED USER]\Local Settings\Temp, click Edit, click Select All, press DELETE, and then click Yes to confirm that
    you want all the items to go to the Recycle Bin.
12. Reboot your computer back to normal mode. Go to Windows Update and download all critical updates.

VirusRemover2008 Manual Removal Instructions

This manual removal method is for techie computer users. VirusRemover2008 manual removal may be difficult and time consuming to remove. There’s no guarantee that VirusRemover2008 will be removed completely. So read the VirusRemover2008 removal steps carefully and good luck.
Before you start: Close all programs and Internet browsers. Also back up your computer in case you make a mistake and your computer stops working.

1. Uninstall VirusRemover2008 Program
   Click on Start > Settings > Control Panel > Double-click on Add/Remove Programs. Search for and uninstall VirusRemover2008 if found.
2. To stop VirusRemover2008 processes (view process removal steps)
   Go to Start > Run > type taskmgr. The click the Processes tab and you’ll see a list of running processes.
   Search and stop these VirusRemover2008 processes:
   VirusRemover2008.exe
   VRM2008.exe
   For each unwanted process, right-click on it and then select “End task”.
3. To Unregister VirusRemover2008 DLLs (view DLL removal steps)
   Search and unregister these VirusRemover2008 DLLs:
   VirusRemover2008.dll
   VRM2008.dll

   To locate the VirusRemover2008 DLL path, go to Start > Search > All Files or Folders. Type VirusRemover2008 and in the Look in: select either My Computer or Local Hard Drives. Click the Search button.
   Once you have the VirusRemover2008 DLL path, go to Start and then click on Run. In the Run command box, type cmd, and then click on OK.
   To locate the exact DLL path, type cd in order to change the current directory. To display the contents of the directory, use the dir command. To remove the DLL file type regsvr32 /u FILENAME.dll (FILENAME is the name of the file that you want to unregister).

4. To unregister VirusRemover2008 registry keys (view registry keys removal steps)
   Go to Start > Run > type regedit > press OK.
   Edit the value (on the right pane) by right-clicking on it and selecting the Modify option. Select the Delete option.
   Search and delete these VirusRemover2008 registry keys:

   5222008A-DD62-49c7-A735-7BD18ECC7350
   HKEY_CURRENT_USERSoftwareVirusRemover2008
   

5. If your homepage has been changed, go to Start > Control Panel > Internet Options > click on the General > click Use Default under Home Page. Add the your desired default homepage, then click Apply > click OK. Open a new web browser to check that you have your desired default homepage.
6. Remove VirusRemover2008 Directories.
   To find VirusRemover2008 directories, go to Start > My Computer > Local Disk (C:) > Program Files > Show the contents of this folder.
   Search and delete the following VirusRemover2008 directories:
   C:\Documents and Settings\All Users\Start Menu\Programs\VirusRemover2008
   C:\Program Files\VirusRemover2008\

   Right-click on the VirusRemover2008 folder and select Delete.
   A message will appear saying ‘Are you sure you want to remove the folder VirusRemover2008 and move all its contents to the Recycle Bin?’, click Yes.
   Another message will appear saying ‘Renaming, moving or deleting VirusRemover2008 could make some programs not work. Are you sure you want to do this?’, click Yes.

7. To remove VirusRemover2008 icons on your Desktop, drag and drop them to the Recycle Bin.

You’ve completed the VirusRemover2008 manual removal instructions!
I hope this article has helped you solve your VirusRemover2008 problems. If you want to contribute to this article, post your comment below.

Disclaimer: This article is for educational purposes. By using this information you agree to be bound by the disclaimer. There’s no guarantee that VirusRemover2008 will be completely removed from your computer. Seek professional help if your computer continues to experience problems.

Windows Live OneCare 2.5 is now available and I've got some information for both new and existing Windows Live OneCare subscribers regarding the Windows Live OneCare 2.5 release I'd like to share.

Beginning last week (July 1st to be exact) - existing Windows Live OneCare users (paid subscribers) began automatically receiving Windows Live OneCare 2.5. The Windows Live OneCare website also began offering Windows Live OneCare 2.5 for new users as well. If you are a Windows Live OneCare subscriber and have not yet been automatically updated, you can either wait until the update occurs or download the new version from the Windows Live OneCare website.

NOTE:  If you choose not to wait for the automatic update to occur and want to go ahead and "manually" update yourself via downloading the new version off the Windows Live OneCare website - you will need to uninstall the previous version first before Windows Live OneCare 2.5 will install. I had not been automatically upgraded so I chose to install manually on 1 of my PCs but the others were automatically updated soon after.

So what's new with Windows Live OneCare 2.5? As I stated previously, the Windows Live OneCare 2.5 release is mainly an "under-the-hood" release. That means all the improvements take place behind-the-scenes so you will not notice any major new features or changes to the overall UI. Windows Live OneCare 2.5 is an incremental release that highlights Microsoft's ongoing commitment to improving Windows Live OneCare for paying subscribers.

However, Windows Live OneCare 2.5 does bring some changes worth taking note of. Windows Live OneCare is now available in 3 new markets: Brazil, India and Hong Kong. Also, if you are using the Online Photo Backup feature in Windows Live OneCare, you will be pleased to see that online storage capacity has been increased from 10GB to 50GB! Online Photo Backup is an added benefit to Windows Live OneCare users where they can pay $50 a year (on top of their existing Windows Live OneCare subscription) to have their digital photos automatically backed up to the "cloud".

As a Windows Live OneCare user myself, I enjoy seeing updates to Windows Live OneCare even if they aren't major updates. The priority for me is simply keeping my PC protected.

Internet Explorer is one of the most difficult parts of Windows to clean because it stores data all over your drive, which makes clearing the data more difficult than just deleting one folder. Every time you want to clean all your Internet Explorer history, you need to clear recent addresses, remove history files, erase temporary Web files, and remove cookies. The below are some suggestion:

Removing address bar suggestions
Windows Vista, like other versions of Windows, includes a feature called AutoComplete that is always activated for the address box. This can be a convenient feature because it can help you when typing in an address by presenting you with various suggestions you already used. The suggestions are based on your address box history. Although this feature offers a great convenience, it also will risk your privacy. When I start typing http://www.Twea in my address bar, it automatically suggests http://www.tweakvista.com because I have visited that site. Anyone who uses my computer and starts typing addresses in manually can see sites that I have visited. If they just type in www.s or www.t, they will be presented with a small list of all the sites that I have visited that have URLs that start with s or t.

How do you stop the suggestions? You have to go after the source. Unfortunately, this effort can be a little tricky. The file that stores this information is called the URL cache and is named index.dat. This file resides in your Cookies directory within the root user folder. To remove the information that Windows records, you just have to delete the file. However, deleting this file is not as easy as deleting normal files. The URL cache file is always in use when the operating system is running. And because it is impossible to delete files that are in use, the only way to delete this file is to delete the file in Safe mode or when the system is loading. One solution to this dilemma is to boot into Safe mode with Command Prompt and delete the file. That works because when you boot into Safe mode with Command Prompt, the file is no longer in use.

Follow these steps to delete the index.dat file by booting into Safe mode:
1. Reboot your computer and press F8 repeatedly right after the BIOS power-on test finishes to get the Safe mode boot menu.

2. When the Advanced boot menu loads, select Safe Mode with Command Prompt and press Enter. Windows will now load into a repair environment called Safe mode that has only the core Windows components running.

3. When the logon screen appears, log on with your username and password.

4. When Command Prompt loads after you sign in, you are ready to get started deleting the file in DOS. You are going to want to navigate through C:\Users\ Your Username \AppData\Roaming\Microsoft\Windows\Cookies. In Command Prompt, you will start out in the C:\Users\ Your Username \ folder. Type cd AppData\Roaming\Microsoft\Windows\Cookies and press Enter to navigate the rest of the way.

5. When you are at the right folder, you are ready to delete the file. Type del index.dat, and press Enter.

You are now finished and can reboot your computer. The index.dat file has been deleted and cleared out.

After you reboot the computer, the file will have been erased. Do not be surprised if you see a new index.dat file generated after you reboot. A new empty file will be generated again to replace the existing file.


Clearing temporary Internet files, history, and cookies
Every time that you visit a Web site, the files for the Web page (such as the HTML and the images) are downloaded and stored in a temporary directory known as Temporary Internet Files. Over time, this directory can become full of images and HTML from various Web sites that you have visited. This directory can end up taking up a lot of space on your hard drive. Additionally, a user can browse your Temporary Internet Files directory and find out exactly what sites you have been visiting just as if they were looking at your browser history. If you are concerned about your privacy, or just concerned about disk space, then clearing the temporary Internet files is a must.

The web browsing history is another area that users often like to clear. Internet Explorer, by default, is configured to record all the Web sites that you visit for a 30-day period. If you are concerned about your privacy, your browsing history should be cleaned frequently and history settings configured best for your privacy. Doing so will ensure that any user of your computer will not be able to easily see exactly what you have been doing.

Cookies are also created on your computer when you visit Web sites. Contrary to popular belief, cookies are really not that bad. Most Web sites use them to save user data to a browser. An example of this is site preferences or automatic logon when you visit a Web site. A Web site you visit can detect if the Web site has given you a cookie already that has your user ID stored in it. If it finds one, then it knows exactly who you are and logs you on automatically. Advertisers also use cookies to store personal data. Instead of showing you the same advertisement 50 times, they use cookies to keep track of how many times an advertisement is displayed on your screen.

A common myth about cookies is that they allow Web sites to track what other sites you visit. That is just not true. The only cost of having cookies on your computer is a privacy concern for local users. Any user that has physical access to you computer can browse to the directory that the cookies are stored in and view what Web sites you visit because the cookies are named after the Web site that instructed your browser to put them on your computer.

Clearing the temporary Internet files, history, and cookies is a very simple task. Just follow these steps to clear these files:
1. Open Internet Explorer 7.

2. Click Tools and select Delete Browsing History.

3. When the Delete Browser History Window loads, click Delete All on the bottom of the window to clear all temporary files, history, and cookies from your computer.

3. On the confirmation screen, select Also delete files and settings stored by add-ons, and click Yes. All your browser data will now be cleaned.

Now users will no longer be able to see what Web sites you visit from the cookies and temporary Internet files that are stored on your computer. Additionally, you will have freed up some disk space by deleting these files.


Adjusting your cookie security policy
As mentioned, cookies are not as bad as some people in the computing world would like you to believe. Instead, the only real risk they present is a loss of some privacy, as I mentioned previously. If you allow your browser to be instructed to create cookies on your computer, over time your PC would have quite a collection of them. Anyone who used your computer would then know what sites you visited, if they knew where the cookie files were located.

The latest version of Internet Explorer includes many new enhancements. One of the enhancements includes a new way of accepting cookies. Now you have the capability to specify if you would like your browser to block all cookies or just certain types of cookies. To be able to use this new feature, you need to understand the two different types of cookies:

First-party cookies: Placed on your computer by the current site that you are visiting.
Third-party cookies: Placed on your computer by remote sites, such as advertisement servers.

If you do not want your computer to accept third-party cookies that are often used for online marketing or if you just want to adjust your cookie acceptance settings, follow these steps:
1. Open Internet Explorer.

2. Click Tools and select Internet Options.

3. When Internet Options loads, click the Privacy tab.

4. You will see the up-and-down slider that allows you to select different levels of cookie security. I recommend that you bypass this and just click the Advanced button instead.

5. After you have clicked the Advanced button and see the Advanced Privacy Settings window, select the box that says Override Automatic Cookie Handling.

6. Your settings for first-and third-party cookies will now be available for adjustment,. I recommend that you always accept first-party cookies. You can decide if you want to block all third-party cookies or be prompted to accept them. If you select the Prompt option, a dialog box notifies you that a cookies request has been received.

7. When you are finished with your settings, click OK to save your changes and return to Internet Options.

8. Click OK once more to close Internet Options.

Now that you have set the cookie privacy setting manually, you can eliminate cookies from being stored on your hard drive in the first place. Doing so will allow you to protect your privacy and still be able to use Web sites that need cookies.


Saying no to encrypted Web pages
If you manage your finances or shop online, then you probably have had experience with using secure Web connections, otherwise known as SSL. These secure connections encrypt the data that is transferred from a Web server to your computer. When the data gets to your computer, your browser has a special key that decrypts the information and displays it on your computer. During this process, when the file is decrypted, it is saved in the Temporary Internet Files directory so that the browser can display it.

This default appears to be harmless because the Web page is saved on your computer only. If no one has remote access to your computer, the data would be safe, right? Not necessarily, because your data is now vulnerable to anyone who has physical local access to your computer. If that person is clever and lucky enough, he or she can sort through your Temporary Internet Files directory and just might find some confidential information such as your online banking information. All this information is saved by default on your hard drive for anyone to look at who knows how to get to it. They do not even need to know your password or even log onto your account on the bank's Web site because a snapshot of the Web page is stored locally on your computer.

What can you do to protect your computer from this vulnerability besides setting up better computer security such as complex passwords? There is a cool feature of Internet Explorer that you just have to turn on that will eliminate the problem completely. Simply called Do Not Save Encrypted Pages to Disk, this feature, when enabled, solves your problems. To enable it, follow these steps:

1. Open Internet Explorer.

2. Click Tools and select Internet Options.

3. Click the Advanced tab.

4. Scroll down though the list toward the bottom of the window until you see the Security section.

5. Locate Do Not Save Encrypted Pages to Disk, and check the box to the left of it.

6. Click OK to save and activate your changes.

Now you will no longer have to worry about pages that were encrypted being saved to your drive for anyone who has access to your computer to see.


Disabling AutoComplete
AutoComplete also tries to give a helping hand when you are filling in text boxes on Web pages. In this situation, AutoComplete works exactly the same as it does with the address bar. As you begin to fill in the text box, several suggestions will appear based on information that you have already typed in.

To get an idea of how this works in action, visit a search site such as Google (http://www.google.com) and start to type in words for which you want to search. When you do so, words similar to the ones you have typed in the box on other visits to the site will appear. This capability allows anyone that uses your computer to be able to see what other users of the computer have searched for on the site, even if the browser history was cleared.

Clearly, having this feature enabled would be a big concern if you were concerned about your privacy. Disabling the AutoComplete feature is not very difficult and will completely take care of this privacy concern. Follow these steps to put an end to AutoComplete:

1. Open Internet Explorer.

2. Click Tools and select Internet Options.

3. Click the Content tab and then Settings button under the AutoComplete section.

4. After the AutoComplete Settings window loads, clear all the boxes.

5. When you are finished, just click OK to save your changes.

6. Click OK once more to close Internet Options and activate your changes.

AutoComplete is now a thing of the past. You no longer have to worry that people who use your computer will be shown all the things that you type into your address and text boxes.


Clearing temporary Internet files automatically
Earlier I showed you how to clear your temporary Internet files so that they will not be a privacy concern. Over time, your Temporary Internet Files folder will fill up again and will once again become a privacy concern. One easy way to fix this is to use a cool hidden feature of Internet Explorer that automatically deletes these files every time you close Internet Explorer. This way, you will not have to worry about clearing all the files every time that you use Internet Explorer. Follow these steps to activate this cool feature:

1. Open Internet Explorer.

2. Click the Tools menu bar item and then select Internet Options.

3. Click the Advanced tab and scroll down to the bottom of the screen.

4. Locate and select Empty Temporary Internet Files Folder when browser is closed.

5. Click OK to close Internet Options and activate your changes.

Enabling the automatic empty feature is a great way to easily maintain a clean PC. Keep in mind that this will delete only your temporary Internet files, not your cookies.

The Reliability and Performance Monitor snap-in enables you to monitor server performance in real time. You can monitor hardware and application performance and create threshold alerts and performance reports. In terms of defining performance and reliability, performance describes how quickly the server completes the tasks it must accomplish. Reliability, on the other hand, is more a measure of how often the server performs exactly as you would expect in relation to its configuration.

The Reliability and Performance Monitor snap-in also provides access to the Performance Monitor, which was available in Windows Server 2003, and the new Reliability Monitor. The Performance Monitor enables you to add counters to quickly view real-time hardware information such as the percent processor time and also view information related to system services such as HTTP (on a web server).

The Reliability Monitor provides a System Stability chart that can be used to quickly view specific information about hardware, application, and Windows failures. You can click on a chart date, which runs along the x-axis of the chart and then view various system stability reports related to alerts and failures. The Reliability Monitor, which, in effect, provides some of the same type of information that you could glean from the Event Viewer, is discussed later in the hour.

Obviously, the Reliability and Performance Monitor provides a lot of potential information related to how a server is performing in terms of both hardware and software (including the operating system). What you are really trying to do when you monitor server performance is identify potential performance bottlenecks (say the CPU or the hard drive). When you measure reliability, you are looking for such things as device drivers that failed to initialize or services that had to stop and restart. Reliability often relates to the server configuration rather than hardware configuration, as performance does.

You can open the Reliability and Performance Monitor in the Server Manager (Start, Administrative Tools, Reliability and Performance Monitor). Expand the Diagnostic node and then select the Reliability and Performance node.

You can also run the Reliability and Performance Monitor snap-in in the MMC (Start, Administrative Tools, Reliability and Performance Monitor

The Resource View pane of the Reliability and Performance Monitor provides you with a quick look at CPU, Disk, Network, and Memory usage on the server. Real-time counters at the top of the window show you how each of these resources is currently affected by demand on the server from such things as user access, resources served to users, and other processes running on the server that are related to the various roles you have assigned the server.

Below the Resource View graphs is the Resource View details area. By default, all the Resource details are closed and show a counter that provides the running data points that are shown in the associated graph.

You can expand each of the Resource views to view the details related to a particular resource such as the CPU resource, which measures the total percentage of CPU capacity currently in use. When you expand the CPU resource, you are in the Resource Overview details (for CPU capacity), which provides a detail table.

Let's look at each of the resources measured in the Reliability and Performance Monitor and what kind of details are provided when you look at the expanded view details for a particular resource. The Resource view provides the following information:

• CPU— The total percentage of CPU use is displayed in green. The CPU Maximum Frequency is displayed in blue. The details table contains the following:
Image— Application using the CPU
PID— The application instance's process ID
Description— The application name
Threads— Active threads from the application instance
CPU— CPU cycles active from the application instance
Average CPU— Average CPU load (over the last 60 seconds) from the application instance

The PID or process identifier is the unique number the operating system assigns to a process. A thread is part of an application that can execute independently.

• Disk— The total input/output (current) is displayed in green. The percentage for the highest active time is displayed in blue. The details table contains the following:
Image— Application using the disk
PID— The application instance's process ID
File— The file read/written by an application
Read— The current read speed (in bytes/minute) for the data by an application
Write— The speed (bytes/minute) at which the application is writing data
IO Priority— The I/O task priority for the application
Response Time— Disk response time in milliseconds

• Network— Displays the total network traffic (Kbps) in green and the network capacity percentage currently in use in blue. The details table contains the following:
Image— Application using the network resources
PID— The application instance's process ID
Description— The application name
Address— The network address (IP address, FQDN name, or computer name) with which the local computer is exchanging information
Send— The data currently being sent from the local computer (as sent by the application named in the Image line)
Receive— The amount of data currently being received (bytes/minute)
Total— Total bandwidth used (that is, sent and received) in bytes/minute by the application

• Memory— Displays the hard faults per second in green and the physical memory currently in use percentage in blue. The details table contains the following:

A hard fault or page fault is basically when data requested by the application instance is not in real memory and so must be retrieved from the paging file and loaded into memory.

Image— Application using the network resources
PID— The application instance's process ID
Description— The application name
Hard Faults/Min— Hard faults (per minute) resulting from the application instance; a lot of hard faults would indicate that your server's memory is becoming a performance bottleneck
Working Set (KB)— The amount of memory (in kilobytes) currently being used by the application instance
Shareable (KB)— The amount of memory in the working set that may be available to other applications.
Private (KB)— The amount of memory in the working set reserved for the application instance

Obviously, the Resource view details provide a lot of information. But the key to using this information really lies in the fact that server performance can be affected in a negative way by two things: hardware problems and software problems.

The typical hardware bottlenecks for a server are the CPU, disks, network adapter (or adapters), and memory. The Reliability and Performance Monitor provides graphs for these hardware components because they can often be the reason the server is underperforming.

If the problem isn't directly related to a hardware malfunction, the problem can be a software issue that is monopolizing one of the key server hardware components, such as the CPU or the network adapter. Having quick access to the information related to the application instance enables you to potentially identify a malfunctioning software entity. So, although you can gain more specific real-time data using the various counters available in the Performance Monitor and more details related to server hardware and software events that are logged in the Event Viewer, the Reliability and Performance Monitor is definitely a quick way to survey a server's health.

The Reliability Monitor, a new tool provided by the Reliability and Performance Monitor snap-in, provides a system stability chart that enables you to view events related to software, application, and hardware failures. It provides quick access to "bad" events in a timeline, making it a useful addition to server troubleshooting, particularly when used with Event Viewer data.