Detecting recently executed programs
Results 1 to 6 of 6

Thread: Detecting recently executed programs

  1. #1
    Junior Member
    Join Date
    Mar 2006

    Question Detecting recently executed programs

    Hello all.

    Name some ways one can detect a recently executed program in Windows XP SP2. (Rootkits, Trojans, or any other malware excluded, for now..)

    I will start with some easy ones..

    %Userprofile%\Local Settings\Temporary Internet Files\
    %Userprofile%\Local Settings\History\
    %Userprofile%\Local Settings\Temp\

    And perhaps even Windows prefetch or pagefile.sys

    Say all this stuff has been shredded on logon/logoff. Where will he/she look next?

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    Hi soulstace and welcome to AO,

    Please don't forget the activity viewer and event logs. Particularly the application log.

    Also remember that quite a few applications have their own logs, as do firewalls.

  3. #3
    Computer Forensics
    Join Date
    Jul 2001
    Alas for the registry.

    MRU is a goldmine, MUICache is another good spot.
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  4. #4
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    the search feature in windows also allows to look for a file by the time it was last accessed.
    \"America is the only country that went from barbarism to decadence without civilization in between.\"
    \"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
    Oscar Wilde(1854-1900)

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    Configure File and Object Auditing. It's there for a reason
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Junior Member
    Join Date
    Mar 2006
    Hi guys thanks for your responses. nihil thank you for the warm welcome as well

    I'm now working on a batch file that will remove all temporary files and traces of executed programs. Here is what I have so far;

    rem - Batch file to erase any traces of recently executed programs
    :: %userprofile%
    ERASE /F /S /Q "%userprofile%\Cookies\*.*"
    ERASE /F /S /Q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
    ERASE /F /S /Q "%userprofile%\Local Settings\History\*.*"
    ERASE /F /S /Q "%userprofile%\Local Settings\Temp\*.*"
    ERASE /F /S /Q "%userprofile%\Recent\*.*"
    :: %windir%
    ERASE /F /S /Q "%windir%\Temp\*.*"
    ERASE /F /S /Q "%windir%\Prefetch\*.pf"
    :: reg
    reg delete "HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache" /va /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU" /va /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
    subinacl.exe /keyreg "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" /deny=Administrators=f

    Any ideas what I could add this script for maximum security?

    BTW I already enabled things like clear pagefile at shutdown and no recent docs history via another reg script.

    Once I get the script finished I will probably end up using sdelete command by Sysinternals. This should actually shred the sensitive files with 3 or more passes instead of just deleting them.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts