hidden software

Fravia's Nofrill
Web design

September 1998
Back to project 9
Back to Anonymity

What's behind the mm256.dat and mm2048.dat files?

(Don't trust your software - 1)
Concealed and hidden files inside your own computer.
D'you really know what your software is doing when you are asleep?

First essay: What's behind the mm256.dat and mm2048.dat files?
A small contribution in order to damage Micro$oft
by fravia+, 15 June 1998

Quite some time ago I started my studies of the two 'mysterious' files mm256.dat and mm2048.dat. Apart from the funny names (and we should never underestimate the importance of names on the web... a name like mm256.dat sounds MUCH more neutral and uninteresting than, say, "peeping.tom") there seems to be very little serious material about these two files on the net. Both files contain, among other things (for instance all the URLs you have visited in your lifetime), the complete directory structure of your bootdrive (!!)
Recently a German friend (Chiphead) wrote to me asking why these two files were not mentioned on my pages, since they represent classical examples of Micro$oft's 'concealed' activities. The simple answer is that I have NOT yet finished my studies on these files. But he is right, and the question deserves to be cracked (in the BEST sense of this great word). Since I have "a lot of other cats to whip", I have decided to publish this essay right now, even if it is NOT ready.
Besides, I publish this now also in the hope of damaging a little more Micro$oft's current 'delicate' legal situation.
Look at this unfinished essay as a 'base of discussion' for your own work on this area, I just hope to start a "rolling avalanche" of nice reversing sessions: therefore, PLEASE, by all means, do contribute and help, because I must confess that the more I examine these files (and their "regenerating" behaviour), the more I'm puzzled. This is either the definitive proof that Billgato is cheating or the definitive proof that Billgato (and his minions) are absolute software lamers.
The fact is, as you will read here, that Micro$oft's Windows 95 (in conjunction with Internet Explorer) slips unwanted files (Mm2048.dat & Mm256.dat) onto your hard disk without your knowledge or permission (5 to 7 copies of each, for a total of 5 to 20 megabytes. No wonder your harddisk space is vanishing!)
MS tech support claims that you are not even supposed to know that they exist, and anyway you cannot delete them: here are the only explanations given -grudgingly- by Micro$oft itself:

The Mm256.dat and Mm2048.dat files are cache files used by Internet Explorer. When you visit a Web page, Internet Explorer assigns the Web address a unique identification number and searches the Mm256.dat and Mm2048.dat files for that identification number. If the Web page's identification number is found, the contents of the Web page are stored locally on your computer's hard disk and Internet Explorer uses the locally stored content instead of downloading the information from the Internet. If the Web page's identification number is not found, the contents of the Web page must be downloaded from the Internet. This occurs if you have not visited the Web page before, the Web page has changed, or the Web page's identification number has expired. When the Web page's content has been downloaded to the hard disk, the Mm256.dat or Mm2048.dat file is updated with the Web page's identification number.

The Mm256.dat file is used to store the identification numbers of Web pages whose Web addresses are equal to or less than 256 characters. The Mm2048.dat is used to store the identification numbers of Web pages whose Web addresses are between 257 and 2048 characters.

The above words, if you apply the simplest "semantical reversing" techniques, do not mean much... (ok, I'll concede that you now know that mm256.dat is basically meant for cookies and mm2048.dat, instead, for web-pages) and the same words for sure don't explain either why these heavy monsters hide the complete directory structure of your bootdrive as well inside their mysterious guts.
Come to think of it, the words do not explain much either why these files pop up inside the harddisks of people who are NOT USING M$IE at all. In my opinion the really interesting question therefore is: if these are the concealed activities of Windows 95 (and NT)... what will Windows 98, with its built-in Internet Explorer, be able to do to your hard drive and to your privacy?

Let's start with the facts

Let's have a look at mm256.dat and mm2048.dat, and see that they are NOT THE SAME THING in their various copies: in fact they come in three "flavours" (each): "small", "median" and "big" (in the case of mm2048.dat I would say "huge": more than a million bytes for each copy on my computer, but if you really browse a lot you may have some overbloated "3 million bytes" beasts inside yours!). And this even if you have set the "number of days to keep history" to "1"... Have a look for yourselves :-)
In fact you (yes, each one of you, my dear readers) have numerous copies of these two files inside your harddisk.
There is a copy of both inside c:\windows\history ("big" mm256.dat around 200.000 bytes and "middle" mm2048.dat, same size)
There is a copy of both inside c:\windows\cookies ("small" versions of both, respectively 16.000 and 8.000 bytes)
There is a copy of mm256.dat inside c:\windows\temp ("big" version, same as the one in c:\windows\history)
There is a copy of both inside each of the four cache subdirectories c:\windows\tempor~1\cache1~2~3~4 ("middle" mm256.dat at 65.536 bytes, "huge" mm2048.dat at more than a million bytes each... incidentally this takes 5 megabytes of your hard disk space without either asking or even showing the culprits)
BTW, you will not see the huge files in the caches with Explorer (in fact, you won't see the subdirectories of c:\windows\temporary internet files: cache1, cache2, cache3 and cache4 at all).
Good old DOS, being MORE user friendly, even if it will still show you an empty c:\windows\tempor~1 directory, will allow you to enter the command cd c:\windows\tempor~1\cache1 (or cache2, or cache3 or cache4) and will therefore allow you to have a look at the hidden cache goodies. Of course there are a thousand good utilities to sniff them nevertheless (provided you know their names).
As I said, a couple of our targets dwell inside the 'history' folder as well. In fact the History folder does not contain what you see with Micro$oft's Explorer. If you use FindFirstFile... or if you go to a command line and use DIR, you will find there 3 files: desktop.ini, mm256.dat ('big') and mm2048.dat ('median'), which contain the information displayed by Explorer. History is in fact the junction point of a namespace extension (a shell extension).
At first glance all this saga could look just like a sort of semi-automated database storage and retrieval system for cookies and cached pages and images (in fact inside these targets there are, in extenso, ALL the URLs you have visited from your childhood until a second ago): bizarre, yet somehow understandable...


My worklist, not yet finished... :-)
How come the mm2048.dat and mm256.dat files are all updated regularly WITHOUT any connection to the web whatsoever?
How come you have these files well updated even if you are NOT using M$IE at all?
Are those files created and maintained by the wininet.dll subsystem? (Does M$IE use wininet to access them?)
Is it enough to check Internet Properties in Control Panel and, if necessary, change the cache location, or will these folders be re-created even if you deleted them? Funny, isn't it? Let's go on...
So what do we have until now?
The ones in the History Folder contain all the data corresponding to the links you see when it's opened in Windows (they effectively are the History Folder).

The ones in the Temporary Internet Files Folder contain the mapping that associates files to actual web-page elements in the cache.

A cursory look at the contents of those in the Cookies folder shows that they contain references to at least some (if not all) of the cookies set in the browser.
If all files except these two are deleted from the Cookies Folder after M$IE has been shut down, no persistent cookies will be reloaded into Internet Explorer the next time it is launched.
It may be that these files act as a database to store and retrieve cookies while the browser is running... but they do not seem to be used to reload cookies. Any other guesses?

They are most persistent files, difficult but not impossible to get rid of, even though they often regenerate. Usually you have 13 of them, at times some more. They can usually be found in c:\windows\cookies, c:\windows\history and c:\windows\tempor~1\cache1 & cache2 & cache3 & cache4, but they may appear also in your c:\windows\java\hist# folders.

OK, let's start sniffing inside them; here are the ones I have RIGHT NOW (Fri 12 June 98, 13:31) on the computer I'm working on:
FF-File Find, ZauberEdition 0.50

C:\WINDOWS\TEMPOR~1\CACHE1  mm256.dat     32.768 bytes  13:16  Fri12Jun98 -median
C:\WINDOWS\TEMPOR~1\CACHE2  mm256.dat     40.960 bytes  13:16  Fri12Jun98 -median
C:\WINDOWS\TEMPOR~1\CACHE3  mm256.dat     32.768 bytes  13:16  Fri12Jun98 -median
C:\WINDOWS\TEMPOR~1\CACHE4  mm256.dat     32.768 bytes  13:16  Fri12Jun98 -median
C:\WINDOWS\HISTORY          mm256.dat    180.224 bytes  13:16  Fri12Jun98 -big
C:\WINDOWS\COOKIES          mm256.dat      8.192 bytes  13:16  Fri12Jun98 -small
6 files found oh great master!

FF-File Find, ZauberEdition 0.50
C:\WINDOWS\TEMPOR~1\CACHE1  mm2048.dat 1.310.720 bytes  13:16  Fri12Jun98 -huge
C:\WINDOWS\TEMPOR~1\CACHE2  mm2048.dat 1.253.376 bytes  13:16  Fri12Jun98 -huge
C:\WINDOWS\TEMPOR~1\CACHE3  mm2048.dat 1.269.760 bytes  13:16  Fri12Jun98 -huge
C:\WINDOWS\TEMPOR~1\CACHE4  mm2048.dat 1.187.840 bytes  13:16  Fri12Jun98 -huge
C:\WINDOWS\HISTORY          mm2048.dat   532.480 bytes  13:16  Fri12Jun98 -median
C:\WINDOWS\COOKIES          mm2048.dat     8.192 bytes  13:16  Fri12Jun98 -small
6 files found oh great master!

Let's start with the "small" mm256.dat, since the "small" mm2048.dat seems to refer only to "Remote server was not contacted, document may be out-of-date." messages.
You'll read inside both:
Client UrlCache MMF Ver 3.2
And then in the "small" mm256.dat, follows the whole collection of your planted cookies.
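As an added example (not part of Fravia's essay), here is a small Python inventory script that walks a directory tree, picks out every mm256.dat, mm2048.dat and index.dat copy (os.walk also lists the directories Explorer hides), checks for the "Client UrlCache MMF Ver" header quoted above, and lists the URL strings each file carries, so you can see for yourself what these files hold. The size buckets and the sample files it builds are my own constructed assumptions, not values from the essay.

```python
import os
import re
import tempfile

# Header the essay reports at the start of both files (version 3.2 on the author's PC).
SIGNATURE = b"Client UrlCache MMF Ver "
TARGET_NAMES = {"mm256.dat", "mm2048.dat", "index.dat"}  # index.dat is the file ~JaY~ reports below
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # printable ASCII up to the NUL terminator

def size_bucket(size):
    # Assumption: rough absolute thresholds; the author labels each file relative to its own copies.
    for limit, name in ((20_000, "small"), (100_000, "median"), (1_000_000, "big")):
        if size < limit:
            return name
    return "huge"

def inspect_file(path):
    """Report one file's header, version, size bucket and the distinct URL strings it carries."""
    with open(path, "rb") as f:
        data = f.read()
    has_sig = data.startswith(SIGNATURE)
    version = data[len(SIGNATURE):len(SIGNATURE) + 3].decode("ascii", "replace") if has_sig else None
    urls = sorted({m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(data)})
    return {"path": path, "size": len(data), "bucket": size_bucket(len(data)),
            "urlcache": has_sig, "version": version, "urls": urls}

def scan(root):
    """os.walk lists entries whatever their hidden attribute, so the hidden cache dirs are covered."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in TARGET_NAMES:
                found.append(inspect_file(os.path.join(dirpath, name)))
    return sorted(found, key=lambda r: r["path"])

def make_sample(root):
    """Constructed sample tree: a cookie-sized mm256.dat and a padded, 'huge' mm2048.dat."""
    cookies = os.path.join(root, "cookies")
    cache = os.path.join(root, "tempor~1", "cache1")
    for d in (cookies, cache):
        os.makedirs(d)
    url = b"http://www.example.test/page.htm\x00"
    with open(os.path.join(cookies, "mm256.dat"), "wb") as f:
        f.write(SIGNATURE + b"3.2\x00" + b"\x00" * 64 + url + b"\x00" * 32 + url)
    with open(os.path.join(cache, "mm2048.dat"), "wb") as f:
        f.write(SIGNATURE + b"3.2\x00" + b"\x00" * 1_100_000 + b"https://mail.example.test/inbox\x00")
    return root

def demo():
    return scan(make_sample(tempfile.mkdtemp()))  # build the constructed sample and scan it
```

Point scan() at a real c:\windows tree instead of the constructed sample to inventory the copies on your own machine; the report only reads the files, it never deletes or rewrites them.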
Well, what's going on with this 'Microsoft Mail F' couple?
Inside c:\windows\system dwells a mmfmlg32.dll (the one on this PC is 295760 bytes long, from 20 Mar 1997). Let's have a look at it and see a strange alien world:
PAB entries and PAB files... (with a whole "PABImporter"... that's Personal Address Book, btw)
AutoRebuildFolders (MMF=Micro$oftMailFolders? or rather Micro$oftMailFiles?)
MMFMIG... (this is probably a migrate MMF processor)
and a whole bunch of 'relics' from the debugging/testing time of this application, which tell us the names of some of the source files used by Micro$oft's lazy minions:

Well, quite a mess, let's go deeper...

To conclude:
Microsoft's Windows95 (and NT) maintains a minimum of 12 "user activity" databases. These files are known as "MM256.DAT" and "MM2048.DAT" and one of each is kept in your history folder (hidden completely), your cookies folders and in each of your four cache folders (also hidden).
The cookies and cache folders are not the only records MSIE keeps on your internet activities. If you use MSIE's mail and news, everything you read and see is also recorded intact in other databases within MSIE. A good deal of information is also stored in the registry, where your file system cannot get at it. Why all this 'secrecy' surrounding these files is anybody's guess.
Possible solutions
Solution number 1

Make a new directory; I named mine fravache. Do not make any of the 4 hidden sub-directories, though. Open the browser and use the 'Move Folder' button to point M$IE to this new directory. Delete the default TIF directory that came with M$IE and restart your computer. When you open M$IE after restarting Windows it will create 4 hidden directories, 8 mm2*.dat files and 1 hidden *.ini file. Each sub-directory will contain the 2 mm2*.dat files. M$IE's cache will still work the same and you can still see and recall the stored data it contains UNTIL you poke the 'Empty Folder' button.

For the Cookies simply change the label in the Registry, which will keep M$IE from writing into these 2 directories. If you don't clear M$IE's cache after these Registry changes you can still see all 'History' data in the history folder when using M$IE, but if you check that directory, it should contain 3 files of more or less 17000 bytes. The History data will be shelled into this directory from M$IE's disk cache. I DO NOT know -honestly- if this will always work :-(

...and then they wonder why everybody with a brain hates the windows OS and Micro$oft...

awaiting YOUR OWN contributions!
A small contribution by ~JaY~
(23 September 1998)

Fravia, I have noticed that on the network where I work another mysterious invisible file can be found along with those two. It is called index.dat and it contains MANY URLs (but not all of them) that just about everyone who has used that computer has been to. It seems that if you use Opera (still yet another endearing quality) this file is not updated.
I just thought that you would like to know this FACT, because I didn't see it mentioned in your essay on the mm256.dat and mm2048.dat files.

What if micro$oft secretly uploaded the contents of these files to an invisible incoming folder when you access sites like hotmail or anything on M$N and arranged them in database like form??
AN ERGONOMIC STUDY OF THE COMPUTING WORLD. That's what you would have. That has to be part of the reasoning behind Micro$oft's secrecy behind them. It makes sense to me. They can give people what they want by spying on what they do and making that content readily accessible and conveniently commercialized. That would be so sweet if that theory became public, don't you think? Keep on Cracking....


(c) Fravia, 1995, 1996, 1997, 1998. All rights reserved