June 8th, 2006, 01:37 PM
Detecting recently executed programs
Name some ways one can detect a recently executed program in Windows XP SP2. (Rootkits, Trojans, or any other malware excluded, for now.)
I will start with some easy ones:
%Userprofile%\Local Settings\Temporary Internet Files\
And perhaps even Windows prefetch or pagefile.sys
Say all this stuff has been shredded on logon/logoff. Where will he/she look next?
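The Prefetch folder named above is one of the artifacts an examiner would read rather than just list. As an added example (not code from the original post), here is a Python parser for the Windows XP Prefetch (version 17) header: it pulls the executable name, the embedded path hash, the last-run FILETIME and the run counter, and lists the files the loader touched. The byte offsets follow the documented v17 layout; the sample .pf image, its hash value and its timestamp are constructed in the script so it runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone

PF_VERSION_XP = 0x11      # format version used by Windows XP / Server 2003
PF_SIGNATURE = b"SCCA"    # magic that follows the version field
FILEINFO_END = 0x98       # end of the v17 header + file-information block
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch_xp(data):
    """Parse the header and file-information block of a v17 (XP) .pf file."""
    if len(data) < FILEINFO_END:
        raise ValueError("too short for a v17 Prefetch header")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if version != PF_VERSION_XP or sig != PF_SIGNATURE:
        raise ValueError("not a Windows XP Prefetch file")
    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    # 60-byte UTF-16 executable name, NUL terminated
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    str_off, str_len = struct.unpack_from("<II", data, 0x64)   # section C
    last_run = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    # Section C: NUL-separated UTF-16 paths of every file mapped at startup
    blob = data[str_off:str_off + str_len].decode("utf-16-le", errors="replace")
    loaded = [s for s in blob.split("\x00") if s]
    return {
        "executable": exe_name,
        "hash": f"{pf_hash:08X}",
        "file_size": file_size,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "loaded_files": loaded,
    }


def expected_filename(info):
    """The on-disk name Windows gives this entry: NAME-HASH.pf.
    A mismatch with the real filename means the file was renamed or moved."""
    return f"{info['executable']}-{info['hash']}.pf"


def build_sample_prefetch():
    """Construct a minimal v17 image (sample data, not a real capture)."""
    paths = ("\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL\x00"
             "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE\x00")
    strings = paths.encode("utf-16-le")
    str_off = FILEINFO_END
    buf = bytearray(str_off + len(strings))
    struct.pack_into("<I4sII", buf, 0, PF_VERSION_XP, PF_SIGNATURE, 0x0F, len(buf))
    name = "NOTEPAD.EXE".encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, 0x2F3A2EF1)          # made-up hash
    struct.pack_into("<II", buf, 0x64, str_off, len(strings))
    ran_at = datetime(2006, 6, 8, 13, 37, tzinfo=timezone.utc)
    ft = int((ran_at - EPOCH_1601).total_seconds()) * 10_000_000
    struct.pack_into("<Q", buf, 0x78, ft)                  # last run time
    struct.pack_into("<I", buf, 0x90, 7)                   # run count
    buf[str_off:] = strings
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch_xp(build_sample_prefetch())
    print(expected_filename(info), info["last_run"], info["run_count"])
    for p in info["loaded_files"]:
        print("  ", p)
```

Two things the header gives an examiner beyond "this ran": the run counter survives as a history even when the last-run time is old, and the path hash ties the .pf to a specific executable path, so a binary launched from a different folder produces a different Prefetch entry.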
June 8th, 2006, 02:06 PM
Hi soulstace and welcome to AO,
Please don't forget the activity viewer and event logs. Particularly the application log.
Also remember that quite a few applications have their own logs, as do firewalls.
June 8th, 2006, 02:27 PM
Alas for the registry.
MRU is a goldmine, MUICache is another good spot.
Antionline in a nutshell
\"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"
Trust your Technolust
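The MRU keys named in this post are ordered, not just listed: the MRUList value holds the value-name letters from most to least recent, and RunMRU stores each command with a trailing "\1". As an added example (not from the original post), here is a Python script that reads those values from a .reg export of the RunMRU key (as produced by "reg export" or regedit) and returns the commands in recency order. The export text is constructed for the example.

```python
import re

RUNMRU_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed .reg export; a real one is UTF-16 text with the same syntax.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"b"="cmd\\1"
"c"="regedit\\1"
"MRUList"="cab"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_values(text, key_path):
    """Return the REG_SZ values stored directly under key_path in a .reg export."""
    values, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key_path.lower()
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def runmru_in_order(values):
    """Commands from the Run dialog, most recent first, per MRUList."""
    order = values.get("MRUList", "")
    out = []
    for letter in order:
        if letter in values:
            cmd = values[letter]
            if cmd.endswith("\\1"):          # RunMRU suffixes each entry with \1
                cmd = cmd[:-2]
            out.append(cmd)
    return out


if __name__ == "__main__":
    for cmd in runmru_in_order(parse_reg_values(SAMPLE_REG_EXPORT, RUNMRU_KEY)):
        print(cmd)
```

Reading an export rather than the live hive keeps the procedure the same whether the key comes from the running machine or from an offline NTUSER.DAT, and keying on MRUList is what turns a bag of values into a timeline.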
June 8th, 2006, 02:51 PM
The search feature in Windows also allows you to look for a file by the time it was last accessed.
"America is the only country that went from barbarism to decadence without civilization in between."
"The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
June 8th, 2006, 03:29 PM
Configure File and Object Auditing. It's there for a reason.
Experience is something you don't get until just after you need it.
June 17th, 2006, 02:57 AM
Hi guys, thanks for your responses. nihil, thank you for the warm welcome as well.
I'm now working on a batch file that will remove all temporary files and traces of executed programs. Here is what I have so far:
rem - Batch file to erase any traces of recently executed programs
ERASE /F /S /Q "%userprofile%\Cookies\*.*"
ERASE /F /S /Q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
ERASE /F /S /Q "%userprofile%\Local Settings\History\*.*"
ERASE /F /S /Q "%userprofile%\Local Settings\Temp\*.*"
ERASE /F /S /Q "%userprofile%\Recent\*.*"
ERASE /F /S /Q "%windir%\Temp\*.*"
ERASE /F /S /Q "%windir%\Prefetch\*.pf"
reg delete "HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
subinacl.exe /keyreg "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" /deny=Administrators=f
Any ideas what I could add to this script for maximum security?
BTW I already enabled things like clear pagefile at shutdown and no recent docs history via another reg script.
Once I get the script finished I will probably end up using sdelete command by Sysinternals. This should actually shred the sensitive files with 3 or more passes instead of just deleting them.