Winternals Defragmentation, Recovery, and Administration Field Guide (Syngress, September 2006, ISBN 1597490792)

Visit us at www.syngress.com
Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE EBOOKS
For readers who can't wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our ebooks onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.
Winternals® Defragmentation, Recovery, and Administration Field Guide

Dave Kleiman, Technical Editor

Lawrence Abrams
Nancy Altholz
Kimon Andreou
Brian Barber
Tony Bradley
Daniel Covell
Laura E. Hunter
Mahesh Satyanarayana
Craig A. Schiller
Darren Windham
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  HJIRTCV764
002  PO9873D5FG
003  829KM8NJH2
004  JL922134FC
005  CVPLQ6WQ23
006  VBP965T5T5
007  HJJJ863WD3E
008  2987GVTWMK
009  629MP5SDJT
010  IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Winternals Defragmentation, Recovery, and Administration Field Guide
Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0

ISBN: 1-59749-079-2

Publisher: Andrew Williams
Acquisitions Editor: Gary Byrne
Technical Editor: Dave Kleiman
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editor: Audrey Doyle
Indexer: Nara Wood

Distributed by O'Reilly Media, Inc. in the United States and Canada.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O'Reilly Media, Inc. The enthusiasm and work ethic at O'Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O'Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Technical Editor

Dave Kleiman (CAS, CCE, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE) has worked in the information technology security sector since 1990. Currently, he is the owner of SecurityBreachResponse.com and is the Chief Information Security Officer for Securit-e-Doc, Inc. Before starting this position, he was Vice President of Technical Operations at Intelliswitch, Inc., where he supervised an international telecommunications and Internet service provider network. Dave is a recognized security expert. A former Florida Certified Law Enforcement Officer, he specializes in computer forensic investigations, incident response, intrusion analysis, security audits, and secure network infrastructures. He has written several secure installation and configuration guides about Microsoft technologies that are used by network professionals. He has developed a Windows operating system lockdown tool, S-Lok (www.s-doc.com/products/slok.asp), which surpasses NSA, NIST, and Microsoft Common Criteria Guidelines.

Dave was a contributing author to Microsoft Log Parser Toolkit (Syngress Publishing, ISBN: 1-932266-52-6). He is frequently a speaker at many national security conferences and is a regular contributor to many security-related newsletters, Web sites, and Internet forums. Dave is a member of several organizations, including the International Association of Counter Terrorism and Security Professionals (IACSP), International Society of Forensic Computer Examiners® (ISFCE), Information Systems Audit and Control Association® (ISACA), High Technology Crime Investigation Association (HTCIA), Network and Systems Professionals Association (NaSPA), Association of Certified Fraud Examiners (ACFE), Anti Terrorism Accreditation Board (ATAB), and ASIS International®. He is also a Secure Member and Sector Chief for Information Technology at The FBI's InfraGard® and a Member and Director of Education at the International Information Systems Forensics Association (IISFA).

Contributing Authors

Lawrence Abrams is the CTO for Thorn Communications, an Internet service provider based in New York City that focuses on managed services for colocation customers at its three data centers. Lawrence manages the technical and security operations as well as being involved in the day-to-day operations of the business. He is involved with the deployment and monitoring of intrusion prevention systems, intrusion detection systems, and firewall systems throughout Thorn's network to protect Thorn's customers. Lawrence is also the creator of BleepingComputer.com, a Web site designed to provide computer help and security information to people with all levels of technical skills. With more than a million different visitors each month, it has become a leading resource to find the latest spyware removal guides.

Lawrence's areas of expertise include malware removal and computer forensics. He is active in the various online antimalware communities where he researches new malware programs as they are released and disseminates this information to the public in the form of removal guides. He was awarded a Microsoft Most Valuable Professional (MVP) in Windows security for this activity.

Lawrence currently resides in New York City with his wife, Jill, and his twin boys, Alec and Isaac.
Nancy Altholz (MSCS, MVP) is a Microsoft MVP in Windows Security. She is a security expert and Wiki Malware Removal Sysop at the CastleCops Security Forum. As Wiki Malware Removal Sysop, she oversees and authors many of the procedures that assist site visitors and staff in system disinfection and malware prevention. As a security expert, she helps computer users with various Windows computer security issues. Nancy is currently coauthoring Rootkits for Dummies (John Wiley Publishing), which is due for release in August 2006. She was formerly employed by Medelec's Vickers Medical Division as a Software Engineer in New Product Development. Nancy holds a master's degree in Computer Science. She lives with her family in Briarcliff Manor, NY.

Kimon Andreou is the Chief Technology Officer at Secure Data Solutions (SDS) in West Palm Beach, FL. SDS develops software solutions for electronic discovery in the legal and accounting industries. SDS is also a provider of computer forensic services. His expertise is in software development, software quality assurance, data warehousing, and data security. Kimon's experience includes positions as Manager of Support & QA at S-doc, a software security company, and as Chief Solution Architect for SPSS in the Enabling Technology Division. He also has led projects in Asia, Europe, North America, and South America. Kimon holds a Bachelor of Science in Business Administration from the American College of Greece and a Master of Science in Management Information Systems from Florida International University.
Brian Barber (MCSE, MCP+I, MCNE, CNE-5, CNE-4, CNA-3, CNA-GW) is coauthor of Syngress Publishing's Configuring Exchange 2000 Server (ISBN: 1-928994-25-3), Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), and two study guides for the MCSE on Windows Server 2003 track (exams 70-296 [ISBN: 1-932266-57-7] and 70-297 [ISBN: 1-932266-54-2]). He is a Senior Technology Consultant with Sierra Systems Consultants Inc. in Ottawa, Canada. He specializes in IT service management and technical and infrastructure architecture, focusing on systems management, multiplatform integration, directory services, and messaging. In the past he has held the positions of Senior Technical Analyst at MetLife Canada and Senior Technical Coordinator at the LGS Group Inc. (now a part of IBM Global Services).

Tony Bradley (CISSP-ISSAP, MCSE, MCSA, A+) is a Fortune 100 security architect and consultant with more than eight years of computer networking and administration experience, focusing the last four years on security. Tony provides design, implementation, and management of security solutions for many Fortune 500 enterprise networks. Tony is also the writer and editor of the About.com site for Internet/network security. He writes frequently for many technical publications and Web sites.

I want to thank my wife, Nicki, for her support and dedication as I worked on this project. She is my "Sunshine" and my inspiration. I also want to thank Gary Byrne and Dave Kleiman for inviting me to participate on this project and for their unending patience as we worked to put it all together.
Daniel Covell (CCNA, MCP) is a Senior Systems Analyst at Sharp HealthCare in San Diego. Sharp HealthCare is an integrated regional health-care delivery system that includes four acute-care hospitals, three specialty hospitals, and three medical groups. Sharp has more than 14,000 employees and represents $1 billion in assets and $1.4 billion in revenue. Daniel is a key team member in supporting more than 10,000 desktops and thousands of PDAs, laptops, and tablets.

Daniel has more than 13 years of experience in desktop support, network support, and system design. He has worked for government agencies, large outsourcing projects, and several consulting firms. His experience gives him a very broad understanding of technology and its management.

Daniel also owns a small computer consultancy business and currently resides in El Cajon, CA, with his wife, Dana.

Daniel wrote the section of Chapter 5 titled "Advanced Disk Fragmentation Management (Defrag Manager)."

Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is an IT Project Leader and Systems Manager at the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Windows 2000 and 2003 Active Directory design and implementation, troubleshooting, and security topics. Laura has more than a decade of experience with Windows computers; her previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She is a contributor to the TechTarget family of Web sites and to Redmond Magazine (formerly Microsoft Certified Professional Magazine).

Laura has previously contributed to the Syngress Windows Server 2003 MCSE/MCSA DVD Guide & Training System series as a DVD presenter, author, and technical reviewer, and is the author of the Active Directory Consultant's Field Guide (ISBN: 1-59059-492-4) from APress. Laura is a three-time recipient of the prestigious Microsoft MVP award in the area of Windows Server - Networking. Laura graduated with honors from the University of Pennsylvania and also works as a freelance writer, trainer, speaker and consultant.

Laura wrote Chapter 3 and was the technical editor for Chapters 5 and 6.
Mahesh Satyanarayana is a final-semester electronics and communications engineering student at the Visveswaraiah Technological University in Shimoga, India. He expects to graduate this summer and has currently accepted an offer to work for Caritor Inc., an SEI-CMM Level 5 global consulting and systems integration company headquartered in San Ramon, CA. Caritor provides IT infrastructure and business solutions to clients in several sectors worldwide. Mahesh will be joining the Architecture and Design domain at Caritor's development center in Bangalore, India, where he will develop software systems for mobile devices. His areas of expertise include Windows security and related Microsoft programming technologies. He is also currently working toward administrator-level certification on the Red Hat Linux platform.

Craig A. Schiller (CISSP-ISSMP, ISSAP) is the President of Hawkeye Security Training, LLC. He is the primary author of the first Generally Accepted System Security Principles. He was a coauthor of several editions of the Handbook of Information Security Management and a contributing author to Data Security Management. Craig has cofounded two ISSA U.S. regional chapters: the Central Plains Chapter and the Texas Gulf Coast Chapter. He is a member of the Police Reserve Specialists unit of the Hillsboro Police Department in Oregon. He leads the unit's Police-to-Business-High-Tech speakers' initiative and assists with Internet forensics.

Darren Windham (CISSP) is the Information Security lead at ViewPoint Bank, where he is responsible for ensuring compliance with GLB, FFIEC, OTS, FDIC, and SOX regulations, as well as managing technology risks within the organization.

Darren's previous experience in technology includes network design, system configuration, security audits, internal investigations, and regulatory compliance. He has also worked as a security consultant for local companies, including other financial institutions. His background also includes system administration for manufacturing firms and one of the .coms of the late 1990s. Darren was a reviewer for the book Hacking Exposed: Computer Forensics (McGraw-Hill Osborne Media, ISBN: 0-07225-675-3).

Darren is a member of Information Systems Audit and Control Association® (ISACA), North Texas Electronic Crimes Task Force (N-TEC), and the North Texas Snort User Group.
Companion Web Site

Some of the code presented throughout this book is available for download from www.syngress.com/solutions. Look for the Syngress icon in the margins indicating which examples are available from the companion Web site.

Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Chapter 1 Recovering Your Computer with ERD Commander. . . . . . . . . . . . . . . . . . . . . . . 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Utilizing ERD Commander . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Creating the ERD Commander Boot CD . . . . . . . . . . . . . . . .2 Using ERD Commander Recovery Utilities . . . . . . . . . . . . .14 Booting a Dead System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 Being the Locksmith . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17 Accessing Restore Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20 Removing Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Chapter 2 Examining Your Computer . . . . . . . . . . . . . . . . . . 35
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36 Exploring Process Activity with Process Explorer . . . . . . . . . . . . .36 Default Display Explanation . . . . . . . . . . . . . . . . . . . . . . . . .36 The Upper Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37 The Lower Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37 The Toolbar Buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38 The Mini-CPU Graph . . . . . . . . . . . . . . . . . . . . . . . . . . .38 Examining Process Resource Consumption . . . . . . . . . . . . . .39 Viewing and Controlling Process Activity Using Process Explorer . . . . . . . . . . . . . . . . . . . . . . . . . .45 Process Explorer’s Control Features . . . . . . . . . . . . . . . . . . . .45 File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46 View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47 Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48 Find . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48 DLL/Handle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49 Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49 Viewing Process Informationand Controlling Process Activity . . . . . . . . . . . . . . . . . . . . . .49 The Process Context Menu . . . . . . . . . . . . . . . . . . . . . . .49
xiv Contents
The Process Properties Dialog . . . . . . . . . . . . . . . . . . . . . .50 The Shortcut Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Significant Toolbar Shortcut Functions . . . . . . . . . . . . . . .52 General Malware Symptoms Recognizable by Process Explorer . . . . . . . . . . . . . . . . . . . . .52
Packed Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 Exploring Program Autostart Locations Using Autoruns . . . . .57 Describing the Main Window View . . . . . . . . . . . . . . . . . . . .59
What the Column Headers Mean . . . . . . . . . . . . . . . . . . .60 Understanding the Display Feature Groupings . . . . . . . . . . . .61
Everything . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61 Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61 Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62 Shell Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Scheduled Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Image Hijacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64 AppInit DLLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64 Boot Execute Native Images . . . . . . . . . . . . . . . . . . . . . . .64 Known DLLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 WinLogon Notifications . . . . . . . . . . . . . . . . . . . . . . . . . .65 Winsock Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 LSA Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 Printer Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Using the Autoruns Menu Functions . . . . . . . . . . . . . . . . . . .66 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66 File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
What’s in the Autoruns Log . . . . . . . . . . . . . . . . . . . . . . . . . .68 Registry and Folder Autostart Locations Monitored by Autoruns . . . . . . . . . . . . . . . . . . .69 Newly Reported Startup Entry Slated for Next Version of Autoruns . . . . . . . . . . . . . . . . .72 Researching an Autostart Item . . . . . . . . . . . . . . . . . . . . .73
The Dynamic Duo: Using Autoruns and Process Explorer Together to Troubleshoot Startups and Combat Malware . . . . . . . .74
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74 Investigating Autoruns Startups . . . . . . . . . . . . . . . . . . . . . . .75 Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75 Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Contents xv
Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82 Example 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Step 1: Download and Install AntiHookExec.exe . . . . . . . .86 Step 2: Change the PATH Environment Variable . . . . . . . .86 Step 3: Launch Autoruns and Process Explorer . . . . . . . . .86 Step 4: View Autoruns for Relevant Entries . . . . . . . . . . . .87 Step 5: View Process Explorer for Relevant Entries . . . . .90 Step 6: Stop and Delete the hxdef Service, and Then Reboot . . . . . . . . . . . . . . . . . . . .92 Step 7: Delete the hxdef Files and Registry Autostarts . . . .94 Step 8: Remove the Malware Payload . . . . . . . . . . . . . . . .95
Example 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96 Other Examples of Malware That Uses Nontraditional Hidden Startups Locatable in Autoruns . . . . .102
The SmitFraud Trojan . . . . . . . . . . . . . . . . . . . . . . . . . . .102 The Vundo Trojan . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Using File Compare in Autoruns to Diagnose Changes in Startups . . . . . . . . . . . . . . . . . . . . .104 Most Common Malware Starting Locations . . . . . . . . . .105 Other Common Malware Startup Locations . . . . . . . . . .106
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Chapter 3 Checking the Security of Your Computer . . . . . . 113 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114 Viewing the Security Settings
of Your Resources (AccessEnum) . . . . . . . . . . . . . . . . . . . . . . . .114 Understanding File and Directory Access Rights . . . . . . . . . .114
Configuring Access Control Lists . . . . . . . . . . . . . . . . . .115 Configuring Permissions Inheritance . . . . . . . . . . . . . . . .118
Understanding Registry Access Rights . . . . . . . . . . . . . . . . .120 Using AccessEnum and Interpreting Its Results . . . . . . . . . . .122
Comparing Permissions over Time . . . . . . . . . . . . . . . . .125 Listing the Users with Access to Encrypted Files (EFSDump) . . .126
Running EFSDump and Interpreting Its Results . . . . . . . . . .127 Moving/Deleting Files in Use on Reboot (PendMoves, MoveFile) . . . . . . . . . . . . . . . . . . .128
Running PendMoves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129 Running MoveFile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Viewing Shared Resources and Their Access Permissions (ShareEnum) . . . . . . . . . . . . . . . . . . . .131
xvi Contents
Running ShareEnum and Interpreting Its Results . . . . . . . . .132 Investigating Suspicious Local Files (Sigcheck) . . . . . . . . . . . . . .135
Running Sigcheck and Interpreting Its Results . . . . . . . . . . .135 Searching for Installed Rootkits (RootkitRevealer) . . . . . . . . . . .138
Scanning a Computer for Rootkits . . . . . . . . . . . . . . . . . . .140 Removing a Rootkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Chapter 4 Computer Monitoring . . . . . . . . . . . . . . . . . . . . . 151 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152 Viewing Users Who Are Logged On and What They’re Doing . . . . . . . . . . . . . . . . . . . . . . . . . .152 Using PsLoggedOn to See Logged-On Users . . . . . . . . . . . .152 Real-World Examples . . . . . . . . . . . . . . . . . . . . . . . . . . .154 Using LogonSessions to Find Information about a Logged-On User . . . . . . . . . . . . . . . . .155 Understanding Logon Sessions . . . . . . . . . . . . . . . . . . . .156 Using LogonSessions.exe to View Current Windows Sessions . . . . . . . . . . . . . . . . . . .156 Understanding the Output
of LogonSessions.exe . . . . . . . . . . . . . . . . . . . . . . . . . . .157 Using Tokenmon to Monitor a User’s Security Tokens . . . . .161
What Is a Token? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161 Impersonation and Its Importance . . . . . . . . . . . . . . . . . .162 Configuring and Running Tokenmon . . . . . . . . . . . . . . .163 Understanding Tokenmon’s Output . . . . . . . . . . . . . . . . .165 Setting Up Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167 Practical Uses of Tokenmon . . . . . . . . . . . . . . . . . . . . . .168
Finding Open Resources and the Processes That Are Accessing Them . . . . . . . . . . . . . . . . . . .168 Using PsTools to Examine Running Processes and Files . . . .168
Remotely Monitoring Open Files with PsFile.exe . . . . . .169 Monitoring Processes with PsList.exe . . . . . . . . . . . . . . .172 Real-World Examples . . . . . . . . . . . . . . . . . . . . . . . . . .176
Using Handle to Determine What Local Files a User Has Open . . . . . . . . . . . . . . . . . . .178
Downloading and Using Handle . . . . . . . . . . . . . . . . . . .179 Searching for Handles . . . . . . . . . . . . . . . . . . . . . . . . . . .181 Closing Handles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181 Real-World Example . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Viewing All File Activity with Filemon . . . . . . . . . . . . . . . . . . .182
Contents xvii
Using Filemon to Monitor Real-Time File System Activity . . . . . . . . . . . . . . . . . . . . . .182
Configuring Filemon . . . . 184
Selecting the Volumes to Monitor . . . . 185
Understanding Filemon’s Output . . . . 186
Setting Up Filters . . . . 190
Real-World Examples . . . . 192
Viewing All Registry Activity with Regmon . . . . 196
A Brief Introduction to the Windows Registry . . . . 197
Using Regmon to Monitor Real-Time Activity in the Registry . . . . 199
Configuring Regmon . . . . 201
Understanding Regmon’s Output . . . . 201
Setting Up Filters . . . . 205
Examining the Registry during the Windows Boot Sequence in an NT-Based Operating System . . . . 208
Real-World Examples . . . . 209
Summary . . . . 212
Solutions Fast Track . . . . 212
Frequently Asked Questions . . . . 214

Chapter 5 Disk Management . . . . 217
Introduction . . . . 218
Managing Disk Fragmentation (Defrag Manager, PageDefrag, Contig, DiskView) . . . . 218
Managing Pagefile Fragmentation . . . . 220
Removing PageDefrag Manually . . . . 222
Optimizing Frequently Accessed Files . . . . 223
Defragmenting Multiple Files Using Contig . . . . 226
Creating Optimized Files Using Contig . . . . 228
Using DiskView to Locate Fragmented Files . . . . 229
Making Contig an Environment Variable . . . . 231
Advanced Disk Fragmentation Management (Defrag Manager) . . . . 232
Installing Defrag Manager . . . . 232
Running the Defrag Manager Schedule Console . . . . 234
Adding Workstations and Servers to Schedules . . . . 242
Working with Schedules . . . . 243
The Client . . . . 243
Command-Line Defragmentation . . . . 244
Reporting . . . . 245
Getting Extended File/Disk Information (DiskExt, DiskView, NTFSInfo, LDMDump) . . . . 247
xviii Contents
DiskExt . . . . 247
Understanding Basic Disks . . . . 248
Understanding Dynamic Disks . . . . 248
Using DiskExt to Determine Extensions . . . . 249
DiskView . . . . 250
Finding a File’s Cluster Properties . . . . 250
Finding the MFT Zone . . . . 251
NTFSInfo . . . . 252
LDMDump . . . . 254
Analyzing the Partition Layout Using LDMDump . . . . 254
Finding Volume Information Using LDMDump . . . . 255
Disk Volume Management (NTFSInfo, VolumeID, LDMDump) . . . . 257
Getting Extended NTFS Information . . . . 257
Using NTFSInfo to Get MFT Details . . . . 260
Metadata Files and NTFSInfo . . . . 261
Investigating the Internals of the Logical Disk Manager . . . . 261
Looking inside the LDM Database . . . . 263
Managing Volume IDs . . . . 268
Managing Disk Utilization (Du, DiskView) . . . . 270
An Easier Way to Find Large Directories . . . . 271
Finding Space Utilized by User Documents and Applications . . . . 272
Viewing Where Files Are Located on a Disk . . . . 272
Viewing NTFS Metadata Files from DiskView . . . . 273
Summary . . . . 276
Solutions Fast Track . . . . 277
Frequently Asked Questions . . . . 278

Chapter 6 Recovering Lost Data . . . . 281
Introduction . . . . 282
Recovering Data Across a Network (Remote Recover) . . . . 282
Remote Data Recovery . . . . 282
Remote Disk Recovery . . . . 283
Recovering Files (FileRestore) . . . . 284
The File Restoration Process . . . . 284
Recovering the Files . . . . 285
Recovering Data with NTRecover . . . . 287
Local File Restoration . . . . 287
Caveats and Pitfalls . . . . 287
Advanced Data Recovery and Centralized Recovery (Recovery Manager) . . . . 288
Setup and Management . . . . 288
Recovery Points . . . . 288
Precision Repair . . . . 292
System Rollback . . . . 292
Restoring Lost Active Directory Data (AdRestore) . . . . 293
Restoration Methodologies . . . . 293
How AdRestore Works . . . . 294
Summary . . . . 295
Solutions Fast Track . . . . 295
Frequently Asked Questions . . . . 296

Chapter 7 System Troubleshooting . . . . 299
Introduction . . . . 300
Making Sense of a Windows Crash (Crash Analyzer Wizard) . . . . 300
Running the Crash Analyzer Wizard . . . . 300
Crash Analyzer Wizard Prerequisites . . . . 301
Using the Crash Analyzer Wizard . . . . 301
Taking Corrective Action . . . . 306
Install Updated Driver . . . . 307
Find a Workaround . . . . 307
Disable the Driver . . . . 307
Real-World Example . . . . 308
Identifying Errant Drivers (LoadOrder) . . . . 308
Running the Utility and Interpreting the Data . . . . 308
Execute LoadOrder . . . . 309
Interpret LoadOrder Results . . . . 310
Real-World Example . . . . 310
Detecting Problematic File and Registry Accesses (FileMon, Regmon) . . . . 311
Problematic File Accesses . . . . 311
Installing FileMon . . . . 311
Configuring FileMon . . . . 312
Real-World Example . . . . 315
Problematic Registry Accesses . . . . 316
Installing Regmon . . . . 316
Using Regmon . . . . 316
Real-World Example . . . . 318
Analyzing Running Processes (PsTools) . . . . 319
Methodologies . . . . 319
Listing Process Information . . . . 319
Stopping a Process . . . . 321
Putting It All Together (FileMon, RegMon, PsTools) . . . . 322
Finding Suspicious Files . . . . 323
Digging Deeper with RegMon . . . . 323
Wrapping It Up with PsTools . . . . 324
Summary . . . . 325
Solutions Fast Track . . . . 325
Frequently Asked Questions . . . . 328

Chapter 8 Network Troubleshooting . . . . 331
Introduction . . . . 332
Monitoring Active Network Connections (TCPView, Tcpvcon, TCPView Pro) . . . . 332
TCPView . . . . 332
Tcpvcon . . . . 335
TCPView Pro . . . . 343
Performing DNS and Reverse DNS Lookups (Hostname) . . . . 344
Domain Name Addressing . . . . 344
How Hostname Works . . . . 345
Getting Public Domain Information (Whois) . . . . 346
Internet Domain Registration . . . . 346
Running Whois and Interpreting the Results . . . . 346
Identifying Problematic Network Applications (TDIMon, TCPView Pro) . . . . 351
Using the Tools to Find and Correct Issues . . . . 353
IRP Life Cycle . . . . 355
TDI Commands . . . . 356
Summary . . . . 360
Solutions Fast Track . . . . 360
Frequently Asked Questions . . . . 362

Chapter 9 Tools for Programmers . . . . 363
Introduction . . . . 364
Implementing a Trace Feature (DebugView) . . . . 364
Using a Trace Feature During Application Development/Debugging . . . . 365
Using a Trace Feature While in Deployment . . . . 365
Sample Trace Feature Implementations . . . . 366
Identifying I/O Bottlenecks (Filemon, Regmon, Tokenmon, Process Explorer) . . . . 368
CPU Utilization . . . . 369
Viewing Loaded Objects . . . . 370
Benchmarking File, Registry, and Token Accesses . . . . 372
Isolating Areas for Optimization . . . . 373
Analyzing Applications (Process Explorer, Strings) . . . . 374
Examining a Running Application . . . . 374
Running Threads . . . . 374
Open Sockets . . . . 376
Open Handles . . . . 376
Finding Embedded Text . . . . 376
I Wonder How It’s Doing That . . . . 378
Debugging Windows (LiveKd) . . . . 379
Debugging a Live Windows System . . . . 380
A Programmer’s View of a System Crash . . . . 381
Tracking Application Configuration Problems (Process Explorer, Tokenmon) . . . . 382
Listing Active Security Credentials . . . . 382
Verifying That the Correct Files and Modules Are Loaded . . . . 384
Summary . . . . 386
Solutions Fast Track . . . . 386
Frequently Asked Questions . . . . 388