Thread: Detecting recently executed programs

  1. #1
    Junior Member
    Join Date
    Mar 2006
    Posts
    2

    Question Detecting recently executed programs

    Hello all.

    Name some ways one can detect a recently executed program in Windows XP SP2. (Rootkits, Trojans, or any other malware excluded, for now..)

    I will start with some easy ones..

    %Userprofile%\Cookies\
    %Userprofile%\Local Settings\Temporary Internet Files\
    %Userprofile%\Local Settings\History\
    %Userprofile%\Local Settings\Temp\
    %Userprofile%\Recent\
    %windir%\Temp\

    And perhaps even Windows prefetch or pagefile.sys

    Say all this stuff has been shredded on logon/logoff. Where will he/she look next?
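    As an added example (not part of the original thread) of reading one of those artifacts from the defender's side: the script below parses the header of a Windows XP prefetch file (format version 17, field offsets as documented by the libscca project) and pulls out the executable name, run count, last-run time and the list of files it touched. The `.pf` blob it parses is constructed inline so it runs without a real prefetch file; the `SAMPLE.EXE` name and 2006 timestamp are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_xp_prefetch(data):
    """Parse a Windows XP (version 17) prefetch header.

    Offsets assumed (libscca format notes): 0 version (0x11), 4 'SCCA',
    12 file size, 16 executable name (UTF-16LE, 60 bytes), 100 filename
    strings offset, 104 filename strings size, 120 last run FILETIME,
    144 run count.
    """
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version != 17:
        raise ValueError("not a Windows XP prefetch file")
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    names_off, names_len = struct.unpack_from("<II", data, 100)
    last_run, = struct.unpack_from("<Q", data, 120)
    run_count, = struct.unpack_from("<I", data, 144)
    raw = data[names_off:names_off + names_len].decode("utf-16-le")
    loaded = [s for s in raw.split("\x00") if s]
    return {"executable": exe, "run_count": run_count,
            "last_run": filetime_to_datetime(last_run), "loaded_files": loaded}

def build_sample_prefetch():
    """Build a constructed, minimal v17 prefetch blob for offline testing."""
    names = "\x00".join(["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
                         "\\DEVICE\\HARDDISKVOLUME1\\TOOLS\\SAMPLE.EXE"]) + "\x00"
    names_bytes = names.encode("utf-16-le")
    header = bytearray(152)
    struct.pack_into("<I4s", header, 0, 17, b"SCCA")
    struct.pack_into("<I", header, 12, 152 + len(names_bytes))
    header[16:76] = "SAMPLE.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<II", header, 100, 152, len(names_bytes))
    # Constructed last-run time: 2006-03-15 12:00:00 UTC, as a FILETIME
    delta = datetime(2006, 3, 15, 12, tzinfo=timezone.utc) - EPOCH_1601
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000
    struct.pack_into("<Q", header, 120, ft)
    struct.pack_into("<I", header, 144, 7)  # run count
    return bytes(header) + names_bytes

if __name__ == "__main__":
    print(parse_xp_prefetch(build_sample_prefetch()))
```

    On a real XP box the same function can be pointed at each file in %windir%\Prefetch to build a list of what ran and when, which is exactly the record a wiper like the one discussed later in this thread tries to destroy.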

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi soulstace and welcome to AO,

    Please don't forget the activity viewer and event logs. Particularly the application log.

    Also remember that quite a few applications have their own logs, as do firewalls.

  3. #3
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Alas for the registry.

    MRU is a goldmine, MUICache is another good spot.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  4. #4
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    The search feature in Windows also allows you to look for a file by the time it was last accessed.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde (1854-1900)

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Configure File and Object Auditing. It's there for a reason.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Junior Member
    Join Date
    Mar 2006
    Posts
    2
    Hi guys, thanks for your responses. nihil, thank you for the warm welcome as well.

    I'm now working on a batch file that will remove all temporary files and traces of executed programs. Here is what I have so far:

    Code:
    @ECHO OFF
    rem - Batch file to erase any traces of recently executed programs
    
    :: %userprofile%
    ERASE /F /S /Q "%userprofile%\Cookies\*.*"
    ERASE /F /S /Q "%userprofile%\Local Settings\Temporary Internet Files\*.*"
    ERASE /F /S /Q "%userprofile%\Local Settings\History\*.*"
    ERASE /F /S /Q "%userprofile%\Local Settings\Temp\*.*"
    ERASE /F /S /Q "%userprofile%\Recent\*.*"
    
    :: %windir%
    ERASE /F /S /Q "%windir%\Temp\*.*"
    ERASE /F /S /Q "%windir%\Prefetch\*.pf"
    
    :: reg
    reg delete "HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache" /va /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU" /va /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /va /f
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /va /f
    
    subinacl.exe /keyreg "HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache" /deny=Administrators=f
    
    
    :END

    Any ideas what I could add to this script for maximum security?

    BTW I already enabled things like clear pagefile at shutdown and no recent docs history via another reg script.

    Once I get the script finished I will probably end up using sdelete command by Sysinternals. This should actually shred the sensitive files with 3 or more passes instead of just deleting them.
