Detecting recently executed programs

Printable View

June 8th, 2006, 01:37 PM
soulstace

Detecting recently executed programs

Hello all.

Name some ways one can detect a recently executed program in Windows XP SP2. (Rootkits, Trojans, or any other malware excluded, for now..)

I will start with some easy ones..

%Userprofile%\Cookies\
%Userprofile%\Local Settings\Temporary Internet Files\
%Userprofile%\Local Settings\History\
%Userprofile%\Local Settings\Temp\
%Userprofile%\Recent\
%windir%\Temp\

And perhaps even Windows prefetch or pagefile.sys

Say all this stuff has been shredded on logon/logoff. Where will he/she look next?
June 8th, 2006, 02:06 PM
nihil

Hi soulstace and welcome to AO,

Please don't forget the activity viewer and event logs. Particularly the application log.

;)

Also remember that quite a few applications have their own logs, as do firewalls.
June 8th, 2006, 02:27 PM
hogfly

Alas for the registry.

MRU is a goldmine, MUICache is another good spot.
June 8th, 2006, 02:51 PM
MURACU

the search feature in windows also allows to look for a file by the time it was last accessed.
June 8th, 2006, 03:29 PM
SirDice

Configure File and Object Auditing. It's there for a reason ;)
June 17th, 2006, 02:57 AM
soulstace

Hi guys thanks for your responses. nihil thank you for the warm welcome as well ;)

I'm now working on a batch file that will remove all temporary files and traces of executed programs. Here is what I have so far;

Code:

@ECHO OFF rem - Batch file to erase any traces of recently executed programs :: %userprofile% ERASE /F /S /Q "%userprofile%\Cookies\*.*" ERASE /F /S /Q "%userprofile%\Local Settings\Temporary Internet Files\*.*" ERASE /F /S /Q "%userprofile%\Local Settings\History\*.*" ERASE /F /S /Q "%userprofile%\Local Settings\Temp\*.*" ERASE /F /S /Q "%userprofile%\Recent\*.*" :: %windir% ERASE /F /S /Q "%windir%\Temp\*.*" ERASE /F /S /Q "%windir%\Prefetch\*.pf" :: reg reg delete "HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache" /va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU" /va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f subinacl.exe /keyreg "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" /deny=Administrators=f :END

Any ideas what I could add this script for maximum security?

BTW I already enabled things like clear pagefile at shutdown and no recent docs history via another reg script.

Once I get the script finished I will probably end up using sdelete command by Sysinternals. This should actually shred the sensitive files with 3 or more passes instead of just deleting them.