In recent discussions surrounding Windows 95, we have delved into various aspects of this iconic operating system, from its innovative bundling of entertainment software to its mechanisms for safeguarding critical system components. Today, we uncover another intriguing facet of its development.
Innovative Detection Mechanisms
Raymond Chen, a veteran at Microsoft, shared insights into the challenges faced by the team behind Windows 95, particularly in their efforts to prevent problematic external installers from downgrading essential system components. A significant hurdle was the detection of running installers or setup files.
To address this issue, Microsoft implemented a straightforward heuristics-based approach. The strategy involved “guessing” the nature of a file based on its name. If the executing program contained terms like “setup,” “installer,” or “inst,” it was likely identified as an installer file. This method was not limited to English; variations for other languages were also considered, incorporating terms such as “imposta,” “ayarla,” and “felrak.”
In instances where these keywords were absent from the program name, Windows 95 employed a fallback mechanism. It would check the file path for the presence of “setup,” operating under the same premise that a setup file would typically include an explicit identifier.
Chen elaborated on the operational nuances of this system:
In the above two cases, the file check is delayed until the next start, because some setup programs will realize that the file is in use and cannot be replaced, so they use ExitWindowsExec to exit Windows back to MS-DOS, run a batch file, and then start Windows back up. We have to wait until the restart of Windows to catch any files that were improperly modified by the batch file.
Interestingly, Windows 95 did conduct live file checks specifically for multimedia driver installations via INF files, as this team was granted a special exception.
This glimpse into the operational tactics of Windows 95 reveals a reliance on relatively simple mechanisms to identify setup files. In contrast, it is fascinating to consider how modern operating systems, such as Windows 11, have evolved to incorporate far more sophisticated methodologies to navigate the complexities of today’s advanced threat landscape.