Winternals Defragmentation, Recovery, and Administration Field Guide (Syngress, September 2006, ISBN 1597490792)

Visit us at www.syngress.com

  

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

  SOLUTIONS WEB SITE

To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

  ULTIMATE CDs

Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

  DOWNLOADABLE EBOOKS

For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably.

  SYNGRESS OUTLET

Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

  SITE LICENSING

Syngress has a well-established program for site licensing our ebooks onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

  CUSTOM PUBLISHING

Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.

Lawrence Abrams
Nancy Altholz
Kimon Andreou
Brian Barber
Tony Bradley
Daniel Covell
Laura E. Hunter
Mahesh Satyanarayana
Craig A. Schiller
Darren Windham

Winternals® Defragmentation, Recovery, and Administration Field Guide

Dave Kleiman, Technical Editor

  

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Winternals Defragmentation, Recovery, and Administration Field Guide

Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 1-59749-079-2

Publisher: Andrew Williams
Acquisitions Editor: Gary Byrne
Technical Editor: Dave Kleiman
Page Layout and Art: Patricia Lupien
Copy Editor: Audrey Doyle
Indexer: Nara Wood
Cover Designer: Michael Kavish

Distributed by O’Reilly Media, Inc. in the United States and Canada.

For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.

The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Technical Editor

Dave Kleiman (CAS, CCE, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE) has worked in the information technology security sector since 1990. Currently, he is the owner of SecurityBreachResponse.com and is the Chief Information Security Officer for Securit-e-Doc, Inc. Before starting this position, he was Vice President of Technical Operations at Intelliswitch, Inc., where he supervised an international telecommunications and Internet service provider network. Dave is a recognized security expert. A former Florida Certified Law Enforcement Officer, he specializes in computer forensic investigations, incident response, intrusion analysis, security audits, and secure network infrastructures. He has written several secure installation and configuration guides about Microsoft technologies that are used by network professionals. He has developed a Windows operating system lockdown tool, S-Lok (www.s-doc.com/products/slok.asp), which surpasses NSA, NIST, and Microsoft Common Criteria Guidelines.

Dave was a contributing author to Microsoft Log Parser Toolkit (Syngress Publishing, ISBN: 1-932266-52-6). He is frequently a speaker at many national security conferences and is a regular contributor to many security-related newsletters, Web sites, and Internet forums. Dave is a member of several organizations, including the International Association of Counter Terrorism and Security Professionals (IACSP), International Society of Forensic Computer Examiners® (ISFCE), Information Systems Audit and Control Association® (ISACA), High Technology Crime Investigation Association (HTCIA), Network and Systems Professionals Association (NaSPA), Association of Certified Fraud Examiners (ACFE), Anti Terrorism Accreditation Board (ATAB), and ASIS International®. He is also a Secure Member and Sector Chief for Information Technology at The FBI’s InfraGard® and a Member and Director of Education at the International Information Systems Forensics Association (IISFA).

Contributing Authors

Lawrence Abrams is the CTO for Thorn Communications, an Internet service provider based in New York City that focuses on managed services for colocation customers at its three data centers. Lawrence manages the technical and security operations as well as being involved in the day-to-day operations of the business. He is involved with the deployment and monitoring of intrusion prevention systems, intrusion detection systems, and firewall systems throughout Thorn’s network to protect Thorn’s customers. Lawrence is also the creator of BleepingComputer.com, a Web site designed to provide computer help and security information to people with all levels of technical skills. With more than a million different visitors each month, it has become a leading resource to find the latest spyware removal guides.

Lawrence’s areas of expertise include malware removal and computer forensics. He is active in the various online antimalware communities where he researches new malware programs as they are released and disseminates this information to the public in the form of removal guides. He was awarded a Microsoft Most Valuable Professional (MVP) in Windows security for this activity.

Lawrence currently resides in New York City with his wife, Jill, and his twin boys, Alec and Isaac.

Nancy Altholz (MSCS, MVP) is a Microsoft MVP in Windows Security. She is a security expert and Wiki Malware Removal Sysop at the CastleCops Security Forum. As Wiki Malware Removal Sysop, she oversees and authors many of the procedures that assist site visitors and staff in system disinfection and malware prevention.

As a security expert, she helps computer users with various Windows computer security issues. Nancy is currently coauthoring Rootkits for Dummies (John Wiley Publishing), which is due for release in August 2006. She was formerly employed by Medelec’s Vickers Medical Division as a Software Engineer in New Product Development. Nancy holds a master’s degree in Computer Science. She lives with her family in Briarcliff Manor, NY.

Kimon Andreou is the Chief Technology Officer at Secure Data Solutions (SDS) in West Palm Beach, FL. SDS develops software solutions for electronic discovery in the legal and accounting industries. SDS is also a provider of computer forensic services. His expertise is in software development, software quality assurance, data warehousing, and data security. Kimon’s experience includes positions as Manager of Support & QA at S-doc, a software security company, and as Chief Solution Architect for SPSS in the Enabling Technology Division. He also has led projects in Asia, Europe, North America, and South America. Kimon holds a Bachelor of Science in Business Administration from the American College of Greece and a Master of Science in Management Information Systems from Florida International University.

  

Brian Barber (MCSE, MCP+I, MCNE, CNE-5, CNE-4, CNA-3, CNA-GW) is coauthor of Syngress Publishing’s Configuring Exchange 2000 Server (ISBN: 1-928994-25-3), Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), and two study guides for the MCSE on Windows Server 2003 track (exams 70-296 [ISBN: 1-932266-57-7] and 70-297 [ISBN: 1-932266-54-2]). He is a Senior Technology Consultant with Sierra Systems Consultants Inc. in Ottawa, Canada. He specializes in IT service management and technical and infrastructure architecture, focusing on systems management, multiplatform integration, directory services, and messaging. In the past he has held the positions of Senior Technical Analyst at MetLife Canada and Senior Technical Coordinator at the LGS Group Inc. (now a part of IBM Global Services).

Tony Bradley (CISSP-ISSAP, MCSE, MCSA, A+) is a Fortune 100 security architect and consultant with more than eight years of computer networking and administration experience, focusing the last four years on security. Tony provides design, implementation, and management of security solutions for many Fortune 500 enterprise networks. Tony is also the writer and editor of the About.com site for Internet/network security. He writes frequently for many technical publications and Web sites.

I want to thank my wife, Nicki, for her support and dedication as I worked on this project. She is my “Sunshine” and my inspiration. I also want to thank Gary Byrne and Dave Kleiman for inviting me to participate on this project and for their unending patience as we worked to put it all together.

  

Daniel Covell (CCNA, MCP) is a Senior Systems Analyst at Sharp HealthCare in San Diego. Sharp HealthCare is an integrated regional health-care delivery system that includes four acute-care hospitals, three specialty hospitals, and three medical groups. Sharp has more than 14,000 employees and represents $1 billion in assets and $1.4 billion in revenue. Daniel is a key team member in supporting more than 10,000 desktops and thousands of PDAs, laptops, and tablets.

Daniel has more than 13 years of experience in desktop support, network support, and system design. He has worked for government agencies, large outsourcing projects, and several consulting firms. His experience gives him a very broad understanding of technology and its management.

Daniel also owns a small computer consultancy business and currently resides in El Cajon, CA, with his wife, Dana.

Daniel wrote the section of Chapter 5 titled “Advanced Disk Fragmentation Management (Defrag Manager).”

Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is an IT Project Leader and Systems Manager at the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Windows 2000 and 2003 Active Directory design and implementation, troubleshooting, and security topics. Laura has more than a decade of experience with Windows computers; her previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She is a contributor to the TechTarget family of Web sites and to Redmond Magazine (formerly Microsoft Certified Professional Magazine).

Laura has previously contributed to the Syngress Windows Server 2003 MCSE/MCSA DVD Guide & Training System series as a DVD presenter, author, and technical reviewer, and is the author of the Active Directory Consultant’s Field Guide (ISBN: 1-59059-492-4) from APress. Laura is a three-time recipient of the prestigious Microsoft MVP award in the area of Windows Server: Networking. Laura graduated with honors from the University of Pennsylvania and also works as a freelance writer, trainer, speaker and consultant.

Laura wrote Chapter 3 and was the technical editor for Chapters 5 and 6.

  

Mahesh Satyanarayana is a final-semester electronics and communications engineering student at the Visveswaraiah Technological University in Shimoga, India. He expects to graduate this summer and has currently accepted an offer to work for Caritor Inc., an SEI-CMM Level 5 global consulting and systems integration company headquartered in San Ramon, CA. Caritor provides IT infrastructure and business solutions to clients in several sectors worldwide. Mahesh will be joining the Architecture and Design domain at Caritor’s development center in Bangalore, India, where he will develop software systems for mobile devices. His areas of expertise include Windows security and related Microsoft programming technologies. He is also currently working toward administrator-level certification on the Red Hat Linux platform.

Craig A. Schiller (CISSP-ISSMP, ISSAP) is the President of Hawkeye Security Training, LLC. He is the primary author of the first Generally Accepted System Security Principles. He was a coauthor of several editions of the Handbook of Information Security Management and a contributing author to Data Security Management.

Craig has cofounded two ISSA U.S. regional chapters: the Central Plains Chapter and the Texas Gulf Coast Chapter. He is a member of the Police Reserve Specialists unit of the Hillsboro Police Department in Oregon. He leads the unit’s Police-to-Business-High-Tech speakers’ initiative and assists with Internet forensics.

Darren Windham (CISSP) is the Information Security lead at ViewPoint Bank, where he is responsible for ensuring compliance with GLB, FFIEC, OTS, FDIC, and SOX regulations, as well as managing technology risks within the organization.

Darren’s previous experience in technology includes network design, system configuration, security audits, internal investigations, and regulatory compliance. He has also worked as a security consultant for local companies, including other financial institutions. His background also includes system administration for manufacturing firms and one of the .coms of the late 1990s. Darren was a reviewer for the book Hacking Exposed: Computer Forensics (McGraw-Hill Osborne Media, ISBN: 0-07225-675-3).

Darren is a member of Information Systems Audit and Control Association® (ISACA), North Texas Electronic Crimes Task Force (N-TEC), and the North Texas Snort User Group.

Companion Web Site

Some of the code presented throughout this book is available for download from www.syngress.com/solutions. Look for the Syngress icon in the margins indicating which examples are available from the companion Web site.

Contents

  

Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

  Chapter 1 Recovering Your Computer with ERD Commander. . . . . . . . . . . . . . . . . . . . . . . 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Utilizing ERD Commander . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Creating the ERD Commander Boot CD . . . . . . . . . . . . . . . .2 Using ERD Commander Recovery Utilities . . . . . . . . . . . . .14 Booting a Dead System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 Being the Locksmith . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17 Accessing Restore Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20 Removing Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33

Chapter 2 Examining Your Computer . . . . . . . . . . . . . . . . . . 35

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36 Exploring Process Activity with Process Explorer . . . . . . . . . . . . .36 Default Display Explanation . . . . . . . . . . . . . . . . . . . . . . . . .36 The Upper Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37 The Lower Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37 The Toolbar Buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38 The Mini-CPU Graph . . . . . . . . . . . . . . . . . . . . . . . . . . .38 Examining Process Resource Consumption . . . . . . . . . . . . . .39 Viewing and Controlling Process Activity Using Process Explorer . . . . . . . . . . . . . . . . . . . . . . . . . .45 Process Explorer’s Control Features . . . . . . . . . . . . . . . . . . . .45 File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46 View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47 Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48 Find . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48 DLL/Handle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48 Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49 Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49 Viewing Process Information

  and Controlling Process Activity . . . . . . . . . . . . . . . . . . . . . .49 The Process Context Menu . . . . . . . . . . . . . . . . . . . . . . .49

  xiv Contents

  The Process Properties Dialog . . . . . . . . . . . . . . . . . . . . . .50 The Shortcut Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51

  Significant Toolbar Shortcut Functions . . . . . . . . . . . . . . .52 General Malware Symptoms Recognizable by Process Explorer . . . . . . . . . . . . . . . . . . . . .52

  Packed Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 Exploring Program Autostart Locations Using Autoruns . . . . .57 Describing the Main Window View . . . . . . . . . . . . . . . . . . . .59

  What the Column Headers Mean . . . . . . . . . . . . . . . . . . .60 Understanding the Display Feature Groupings . . . . . . . . . . . .61

  Everything . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61 Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61 Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62 Shell Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Scheduled Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63 Image Hijacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64 AppInit DLLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64 Boot Execute Native Images . . . . . . . . . . . . . . . . . . . . . . .64 Known DLLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 WinLogon Notifications . . . . . . . . . . . . . . . . . . . . . . . . . .65 Winsock Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 LSA Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65 Printer Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66

  Using the Autoruns Menu Functions . . . . . . . . . . . . . . . . . . .66 Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66 File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67

  What’s in the Autoruns Log . . . . . . . . . . . . . . . . . . . . . . . . . .68 Registry and Folder Autostart Locations Monitored by Autoruns . . . . . . . . . . . . . . . . . . .69 Newly Reported Startup Entry Slated for Next Version of Autoruns . . . . . . . . . . . . . . . . .72 Researching an Autostart Item . . . . . . . . . . . . . . . . . . . . .73

  The Dynamic Duo: Using Autoruns and Process Explorer Together to Troubleshoot Startups and Combat Malware . . . . . . . .74

  Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74 Investigating Autoruns Startups . . . . . . . . . . . . . . . . . . . . . . .75 Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75 Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

  Contents xv

  Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82 Example 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84

  Step 1: Download and Install AntiHookExec.exe . . . . . . . .86 Step 2: Change the PATH Environment Variable . . . . . . . .86 Step 3: Launch Autoruns and Process Explorer . . . . . . . . .86 Step 4: View Autoruns for Relevant Entries . . . . . . . . . . . .87 Step 5: View Process Explorer for Relevant Entries . . . . .90 Step 6: Stop and Delete the hxdef Service, and Then Reboot . . . . . . . . . . . . . . . . . . . .92 Step 7: Delete the hxdef Files and Registry Autostarts . . . .94 Step 8: Remove the Malware Payload . . . . . . . . . . . . . . . .95

  Example 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96 Other Examples of Malware That Uses Nontraditional Hidden Startups Locatable in Autoruns . . . . .102

  The SmitFraud Trojan . . . . . . . . . . . . . . . . . . . . . . . . . . .102 The Vundo Trojan . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

  Using File Compare in Autoruns to Diagnose Changes in Startups . . . . . . . . . . . . . . . . . . . . .104 Most Common Malware Starting Locations . . . . . . . . . .105 Other Common Malware Startup Locations . . . . . . . . . .106

  Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .111

Chapter 3 Checking the Security of Your Computer . . . . . . 113 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114 Viewing the Security Settings

  of Your Resources (AccessEnum) . . . . . . . . . . . . . . . . . . . . . . . .114 Understanding File and Directory Access Rights . . . . . . . . . .114

  Configuring Access Control Lists . . . . . . . . . . . . . . . . . .115 Configuring Permissions Inheritance . . . . . . . . . . . . . . . .118

  Understanding Registry Access Rights . . . . . . . . . . . . . . . . .120 Using AccessEnum and Interpreting Its Results . . . . . . . . . . .122

  Comparing Permissions over Time . . . . . . . . . . . . . . . . .125 Listing the Users with Access to Encrypted Files (EFSDump) . . .126

  Running EFSDump and Interpreting Its Results . . . . . . . . . .127 Moving/Deleting Files in Use on Reboot (PendMoves, MoveFile) . . . . . . . . . . . . . . . . . . .128

  Running PendMoves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129 Running MoveFile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130

  Viewing Shared Resources and Their Access Permissions (ShareEnum) . . . . . . . . . . . . . . . . . . . .131

  xvi Contents

  Running ShareEnum and Interpreting Its Results . . . . . . . . .132 Investigating Suspicious Local Files (Sigcheck) . . . . . . . . . . . . . .135

  Running Sigcheck and Interpreting Its Results . . . . . . . . . . .135 Searching for Installed Rootkits (RootkitRevealer) . . . . . . . . . . .138

  Scanning a Computer for Rootkits . . . . . . . . . . . . . . . . . . .140 Removing a Rootkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143

  Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .149

Chapter 4 Computer Monitoring . . . . . . . . . . . . . . . . . . . . . 151 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152 Viewing Users Who Are Logged On and What They’re Doing . . . . . . . . . . . . . . . . . . . . . . . . . .152 Using PsLoggedOn to See Logged-On Users . . . . . . . . . . . .152 Real-World Examples . . . . . . . . . . . . . . . . . . . . . . . . . . .154 Using LogonSessions to Find Information about a Logged-On User . . . . . . . . . . . . . . . . .155 Understanding Logon Sessions . . . . . . . . . . . . . . . . . . . .156 Using LogonSessions.exe to View Current Windows Sessions . . . . . . . . . . . . . . . . . . .156 Understanding the Output

  of LogonSessions.exe . . . . . . . . . . . . . . . . . . . . . . . . . . .157 Using Tokenmon to Monitor a User’s Security Tokens . . . . .161

  What Is a Token? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161 Impersonation and Its Importance . . . . . . . . . . . . . . . . . .162 Configuring and Running Tokenmon . . . . . . . . . . . . . . .163 Understanding Tokenmon’s Output . . . . . . . . . . . . . . . . .165 Setting Up Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167 Practical Uses of Tokenmon . . . . . . . . . . . . . . . . . . . . . .168

  Finding Open Resources and the Processes That Are Accessing Them . . . . . . . . . . . . . . . . . . .168 Using PsTools to Examine Running Processes and Files . . . .168

  Remotely Monitoring Open Files with PsFile.exe . . . . . .169 Monitoring Processes with PsList.exe . . . . . . . . . . . . . . .172 Real-World Examples . . . . . . . . . . . . . . . . . . . . . . . . . .176

  Using Handle to Determine What Local Files a User Has Open . . . . . . . . . . . . . . . . . . .178

  Downloading and Using Handle . . . . . . . . . . . . . . . . . . .179 Searching for Handles . . . . . . . . . . . . . . . . . . . . . . . . . . .181 Closing Handles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181 Real-World Example . . . . . . . . . . . . . . . . . . . . . . . . . . .182

  Viewing All File Activity with Filemon . . . . . . . . . . . . . . . . . . .182

  Contents xvii

  Using Filemon to Monitor Real-Time File System Activity . . . . . . . . . . . . . . . . . . . . . .182

  Configuring Filemon . . . . . . . . . . . . . . . . . . . . . . . . . . .184 Selecting the Volumes to Monitor . . . . . . . . . . . . . . . . . .185 Understanding Filemon’s Output . . . . . . . . . . . . . . . . . .186 Setting Up Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190 Real-World Examples . . . . . . . . . . . . . . . . . . . . . . . . . . .192

  Viewing All Registry Activity with Regmon . . . . . . . . . . . . . . .196 A Brief Introduction to the Windows Registry . . . . . . . . . . .197 Using Regmon to Monitor Real-Time Activity in the Registry . . . . . . . . . . . . . . . . . . .199

  Configuring Regmon . . . . . . . . . . . . . . . . . . . . . . . . . . .201 Understanding Regmon’s Output . . . . . . . . . . . . . . . . . .201 Setting Up Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205 Examining the Registry during the Windows Boot Sequence in an NT-Based Operating System . . . . . .208 Real-World Examples . . . . . . . . . . . . . . . . . . . . . . . . . . .209

  Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .214

Chapter 5 Disk Management  217
  Introduction  218
  Managing Disk Fragmentation (Defrag Manager, PageDefrag, Contig, DiskView)  218
    Managing Pagefile Fragmentation  220
      Removing PageDefrag Manually  222
    Optimizing Frequently Accessed Files  223
      Defragmenting Multiple Files Using Contig  226
      Creating Optimized Files Using Contig  228
      Using DiskView to Locate Fragmented Files  229
      Making Contig an Environment Variable  231
    Advanced Disk Fragmentation Management (Defrag Manager)  232
      Installing Defrag Manager  232
      Running the Defrag Manager Schedule Console  234
      Adding Workstations and Servers to Schedules  242
      Working with Schedules  243
      The Client  243
      Command-Line Defragmentation  244
      Reporting  245
  Getting Extended File/Disk Information (DiskExt, DiskView, NTFSInfo, LDMDump)  247


    DiskExt  247
      Understanding Basic Disks  248
      Understanding Dynamic Disks  248
      Using DiskExt to Determine Extensions  249
    DiskView  250
      Finding a File's Cluster Properties  250
      Finding the MFT Zone  251
    NTFSInfo  252
    LDMDump  254
      Analyzing the Partition Layout Using LDMDump  254
      Finding Volume Information Using LDMDump  255
  Disk Volume Management (NTFSInfo, VolumeID, LDMDump)  257
    Getting Extended NTFS Information  257
      Using NTFSInfo to Get MFT Details  260
      Metadata Files and NTFSInfo  261
    Investigating the Internals of the Logical Disk Manager  261
      Looking inside the LDM Database  263
    Managing Volume IDs  268
  Managing Disk Utilization (Du, DiskView)  270
    An Easier Way to Find Large Directories  271
    Finding Space Utilized by User Documents and Applications  272
    Viewing Where Files Are Located on a Disk  272
      Viewing NTFS Metadata Files from DiskView  273
  Summary  276
  Solutions Fast Track  277
  Frequently Asked Questions  278

Chapter 6 Recovering Lost Data  281
  Introduction  282
  Recovering Data Across a Network (Remote Recover)  282
    Remote Data Recovery  282
    Remote Disk Recovery  283
  Recovering Files (FileRestore)  284
    The File Restoration Process  284
      Recovering the Files  285
    Recovering Data with NTRecover  287
    Local File Restoration  287
    Caveats and Pitfalls  287
  Advanced Data Recovery and Centralized Recovery (Recovery Manager)  288
    Setup and Management  288


      Recovery Points  288
      Precision Repair  292
    System Rollback  292
  Restoring Lost Active Directory Data (AdRestore)  293
    Restoration Methodologies  293
    How AdRestore Works  294
  Summary  295
  Solutions Fast Track  295
  Frequently Asked Questions  296

Chapter 7 System Troubleshooting  299
  Introduction  300
  Making Sense of a Windows Crash (Crash Analyzer Wizard)  300
    Running the Crash Analyzer Wizard  300
      Crash Analyzer Wizard Prerequisites  301
      Using the Crash Analyzer Wizard  301
    Taking Corrective Action  306
      Install Updated Driver  307
      Find a Workaround  307
      Disable the Driver  307
      Real-World Example  308
  Identifying Errant Drivers (LoadOrder)  308
    Running the Utility and Interpreting the Data  308
      Execute LoadOrder  309
      Interpret LoadOrder Results  310
      Real-World Example  310
  Detecting Problematic File and Registry Accesses (FileMon, Regmon)  311
    Problematic File Accesses  311
      Installing FileMon  311
      Configuring FileMon  312
      Real-World Example  315
    Problematic Registry Accesses  316
      Installing Regmon  316
      Using Regmon  316
      Real-World Example  318
  Analyzing Running Processes (PsTools)  319
    Methodologies  319
      Listing Process Information  319
      Stopping a Process  321
  Putting It All Together (FileMon, RegMon, PsTools)  322
    Finding Suspicious Files  323


    Digging Deeper with RegMon  323
    Wrapping It Up with PsTools  324
  Summary  325
  Solutions Fast Track  325
  Frequently Asked Questions  328

Chapter 8 Network Troubleshooting  331
  Introduction  332
  Monitoring Active Network Connections (TCPView, Tcpvcon, TCPView Pro)  332
    TCPView  332
    Tcpvcon  335
    TCPView Pro  343
  Performing DNS and Reverse DNS Lookups (Hostname)  344
    Domain Name Addressing  344
    How Hostname Works  345
  Getting Public Domain Information (Whois)  346
    Internet Domain Registration  346
    Running Whois and Interpreting the Results  346
  Identifying Problematic Network Applications (TDIMon, TCPView Pro)  351
    Using the Tools to Find and Correct Issues  353
      IRP Life Cycle  355
      TDI Commands  356
  Summary  360
  Solutions Fast Track  360
  Frequently Asked Questions  362

Chapter 9 Tools for Programmers  363
  Introduction  364
  Implementing a Trace Feature (DebugView)  364
    Using a Trace Feature During Application Development/Debugging  365
    Using a Trace Feature While in Deployment  365
    Sample Trace Feature Implementations  366
  Identifying I/O Bottlenecks (Filemon, Regmon, Tokenmon, Process Explorer)  368
    CPU Utilization  369
    Viewing Loaded Objects  370
    Benchmarking File, Registry, and Token Accesses  372
    Isolating Areas for Optimization  373
  Analyzing Applications (Process Explorer, Strings)  374
    Examining a Running Application  374


      Running Threads  374
      Open Sockets  376
      Open Handles  376
    Finding Embedded Text  376
    I Wonder How It's Doing That  378
  Debugging Windows (LiveKd)  379
    Debugging a Live Windows System  380
    A Programmer's View of a System Crash  381
  Tracking Application Configuration Problems (Process Explorer, Tokenmon)  382
    Listing Active Security Credentials  382
    Verifying That the Correct Files and Modules Are Loaded  384
  Summary  386
  Solutions Fast Track  386
  Frequently Asked Questions  388