Security Home > Windows 95, 98 & ME

Passwords for Compressed Folders are Recoverable

A security vulnerability exists in the folder compression feature of Windows Me and Plus 98! which could allow a user to retrieve the passwords by simple inspection of a log file.


Plus! 98, an optional package that extends Windows 98 and Windows 98 Second Edition, introduced a data compression feature called Compressed Folders that was also included in Windows Me. For interoperability with leading third-party compression tools, it provides a password protection option for folders that have been compressed. However, due to a flaw in the package’s implementation, the passwords used to protect the folders are recorded in a file on the user’s system. If an attacker gained access to an affected machine on which password-protected folders were stored, she could learn the passwords and access the files.

It is important to understand that, although this flaw does constitute a security vulnerability, the password protection feature is not intended to provide strong security. It was included in the products to enable interoperability with password-protection features in other third-party data compression products, and is only intended to provide protection against casual inspection. Customers who need strong protection for files should use Windows® 2000.

The patch will prevent passwords from being written to the user’s system in the future. However, after applying the patch, it is important to also delete c:\windows\dynazip.log, in order to ensure that all previously-recorded passwords are deleted.

Affected Products

  • Microsoft Windows Me


A software patch for Plus 98! can be downloaded from and the patch for Windows Me can be retrieved from

Further Details

Source: Microsoft Corporation

Reference: Microsoft Corporation

Updated: April 4, 2001

>> Recommended Download - secure your PC from spyware, adware and malware now with Spyware Doctor <<