-
June 8th, 2006, 01:37 PM
#1
Junior Member
Detecting recently executed programs
Hello all.
Name some ways one can detect a recently executed program in Windows XP SP2. (Rootkits, Trojans, or any other malware excluded, for now..)
I will start with some easy ones..
%Userprofile%\Cookies\
%Userprofile%\Local Settings\Temporary Internet Files\
%Userprofile%\Local Settings\History\
%Userprofile%\Local Settings\Temp\
%Userprofile%\Recent\
%windir%\Temp\
And perhaps even Windows prefetch or pagefile.sys
Say all this stuff has been shredded on logon/logoff. Where will he/she look next?
-
June 8th, 2006, 02:06 PM
#2
Hi soulstace and welcome to AO,
Please don't forget the activity viewer and event logs. Particularly the application log.
Also remember that quite a few applications have their own logs, as do firewalls.
-
June 8th, 2006, 02:27 PM
#3
Alas for the registry.
MRU is a goldmine, MUICache is another good spot.
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
-
June 8th, 2006, 02:51 PM
#4
The search feature in Windows also allows you to look for a file by the time it was last accessed.
"America is the only country that went from barbarism to decadence without civilization in between."
"The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
Oscar Wilde(1854-1900)
-
June 8th, 2006, 03:29 PM
#5
Configure File and Object Auditing. It's there for a reason.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 17th, 2006, 02:57 AM
#6
Junior Member
Hi guys, thanks for your responses. nihil, thank you for the warm welcome as well.
I'm now working on a batch file that will remove all temporary files and traces of executed programs. Here is what I have so far:
Code:
@ECHO OFF
rem - Batch file to erase any traces of recently executed programs
:: %userprofile%
ERASE /F /S /Q "%userprofile%\Cookies\*.*"
ERASE /F /S /Q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
ERASE /F /S /Q "%userprofile%\Local Settings\History\*.*"
ERASE /F /S /Q "%userprofile%\Local Settings\Temp\*.*"
ERASE /F /S /Q "%userprofile%\Recent\*.*"
:: %windir%
ERASE /F /S /Q "%windir%\Temp\*.*"
ERASE /F /S /Q "%windir%\Prefetch\*.pf"
:: reg
reg delete "HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
subinacl.exe /keyreg "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" /deny=Administrators=f
:END
Any ideas what I could add to this script for maximum security?
BTW I already enabled things like clear pagefile at shutdown and no recent docs history via another reg script.
Once I get the script finished I will probably end up using the sdelete command by Sysinternals. This should actually shred the sensitive files with 3 or more passes instead of just deleting them.
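As an added example (not code from any poster in this thread), the parser below shows what an investigator recovers from a single Windows XP Prefetch (.pf) file, the artifact mentioned in post #1 and wiped by the script in post #6: the executable name, how many times it ran and when it last ran. It assumes the version-17 layout used by XP (last-run FILETIME at offset 0x78, run count at 0x90) and runs against a constructed sample image, not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed-size header shared by all prefetch versions: version, "SCCA" signature,
# unknown, file size, executable name (60 bytes UTF-16LE), prefetch hash, unknown.
PF_HEADER = struct.Struct("<I4sII60sII")
# Version-17 (Windows XP) file-information block that follows the header:
# section A/B/C/D offsets and counts, last-run FILETIME, 16 unknown bytes, run count, unknown.
PF_INFO_V17 = struct.Struct("<IIIIIIIIIQ16sII")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_prefetch_v17(data: bytes) -> dict:
    """Return executable name, hash, last run time, run count and referenced files."""
    version, sig, _, _, name_raw, pf_hash, _ = PF_HEADER.unpack_from(data, 0)
    if sig != b"SCCA" or version != 17:
        raise ValueError("not a Windows XP (version 17) prefetch file")
    (_, _, _, _, c_off, c_len, _, _, _,
     last_run, _, run_count, _) = PF_INFO_V17.unpack_from(data, PF_HEADER.size)
    name = name_raw.decode("utf-16-le").split("\x00", 1)[0]
    strings = data[c_off:c_off + c_len].decode("utf-16-le").split("\x00")
    return {"executable": name, "hash": f"{pf_hash:08X}",
            "last_run": filetime_to_datetime(last_run),
            "run_count": run_count, "files": [s for s in strings if s]}

def build_sample_prefetch() -> bytes:
    """Constructed v17 prefetch image for demonstration; not a real capture."""
    files = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\PROGRAM FILES\\TOOL\\TOOL.EXE"]
    strings = ("\x00".join(files) + "\x00").encode("utf-16-le")
    c_off = PF_HEADER.size + PF_INFO_V17.size  # section C placed right after the info block
    name = "TOOL.EXE".encode("utf-16-le")  # struct zero-pads to 60 bytes
    header = PF_HEADER.pack(17, b"SCCA", 0x0F, c_off + len(strings), name, 0x12345678, 0)
    last_run = datetime_to_filetime(datetime(2006, 6, 8, 13, 37, tzinfo=timezone.utc))
    info = PF_INFO_V17.pack(c_off, 0, c_off, 0, c_off, len(strings), c_off + len(strings), 0, 0,
                            last_run, b"\x00" * 16, 3, 0)
    return header + info + strings

if __name__ == "__main__":
    for key, value in parse_prefetch_v17(build_sample_prefetch()).items():
        print(f"{key}: {value}")
```

Against a real XP system the same parser runs over every file in %windir%\Prefetch, which is why that folder (and the run count and last-run timestamp inside each .pf) matters to both sides of this thread.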