
DAMIRA’S “KNOW YOUR OWN COMPUTER” LAB

Exercise 1: Detection of Malicious Code in Registry and Task Manager

• In this exercise, you will learn how to manually search the Windows Registry and Task Manager to
detect any spyware / adware processes running on your computer. In addition, you will use the
Windows Sysinternals “Autoruns” software to find malicious programs on your Windows machine.

• The Windows registry is a database which stores all the options and settings for the Microsoft
Windows operating system. This includes hardware, user settings, system policies and is separated
into the following files/folders:

1. HKEY_CLASSES_ROOT: The information stored here makes sure that the correct program
opens when you open a file by using Windows Explorer.
2. HKEY_CURRENT_USER: Contains the root of the configuration information for the user who is
currently logged on. The user's folders, screen colors, and Control Panel settings are stored here.
This information is associated with the user's profile.
3. HKEY_LOCAL_MACHINE: Contains configuration information particular to the computer (for any
user).
4. HKEY_USERS: Contains all the actively loaded user profiles on the computer.
5. HKEY_CURRENT_CONFIG: Contains information about the hardware profile that is used by the
local computer at system startup.

• Malicious code can often hide in the following folders:


1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
3. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
6. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

• When clicking through each folder, specific information is divided into three columns: 1) Name, 2)
Type, and 3) Data. We will be considering Name (given name of a program) and Data (the path for
the actual file).

• The Windows Task Manager shows the current processes and programs that are running on your
computer in RAM.

What you need:

1. Windows server/workstation (NT or higher, e.g. 2000, XP, Vista)


2. Internet access

Steps for Manually Viewing Windows Registry/Tasks for Spyware & Adware:

1. Log on to Windows machine using an account with administrator privileges.


2. Open up the “Start Menu” and click on the “Run…” option.
3. At the “Open...” prompt type “regedit” and click on “OK” to open the Windows Registry.
4. In the left-hand pane, select the following folders in succession: “HKEY_LOCAL_MACHINE” →
“SOFTWARE” → “Microsoft” → “Windows” → “CurrentVersion” → “Run”
5. List two of the names and associated filenames that seem unfamiliar (the filename is at the end of the
path in the Data column). An example would be vptray (VPTray.exe)
_____________________________________________________________________________
_____________________________________________________________________________

Damira Pon, University at Albany, SUNY Created 3/7/07, Edited 3/5/08


6. Do NOT close the Windows Registry window, but click CTRL-ALT-DEL to get to the Windows Task
Manager. This is often used to attempt to end a process when a program is not responding.
7. Click the “Task Manager” button and select the “Processes” tab.
8. Make sure that the “Show processes from all users” option is checked.
9. Like earlier, write down two “Image Names” from the process list that seem unfamiliar. If you don’t
recognize any of them, just choose two. Try to make sure they are different from those selected in the
registry.
_____________________________________________________________________________
_____________________________________________________________________________

10. Close the “Task Manager” window.


11. Go to: http://www.processlibrary.com/ and input each filename into the “Find Process or DLL (ex:
explorer.exe):” and click on FIND. List what the purpose of the file is and whether it is critical, a threat,
and/or should be removed.

Purpose Critical/Threat Remove?


_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

12. If you wish to remove some registry items based on what you find in processlibrary.com (it’s ok to
remove the registry item), right-click on the name in the registry and select “Delete”.
13. Click on “Yes” to confirm the deletion.
14. Close the Windows Registry.

• By going through all of your registry/process items and searching online it is possible to see many
malicious (non-essential) programs that start up with your machine. However, tools have also been
created to make this process simpler.

Steps for using Windows Sysinternals “Autoruns” to detect Spyware & Adware:

1. Go to: http://download.sysinternals.com/Files/Autoruns.zip and save the file to the desktop.


2. Unzip the Autoruns.zip file using either WinZip, WinRAR or some other compression utility.
3. Click on the “autoruns.exe” file to start the program.
4. Select “Options” → “Hide Microsoft Entries” to not view Microsoft processes and so it is easier to
identify third-party processes.
5. Click the “F5” key to refresh the screen after changing this option.
6. By default, the tab selected is “Everything”. However, it may be easier to sort through each
individual section.
7. For each of the following tabs, see if you find any entries that look suspicious based on the “Autorun
Entry”, “Description”, and “Publisher”. If there are too many, select 2-3 each.
Logon
Services
Drivers
WinLogon
Internet Explorer
8. Right-click on the suspicious entries and select “Verify”. If it is verified to a known company it will list
(Verified) before the Publisher name. This probably means that the program is OK.
9. Cross out the entries above that have been verified.
10. For the rest of the entries, right-click and select “Search Online”. This will quickly input the process
name into the default search engine. By clicking on any of the first three results, you should come up
with relevant process information.
11. Circle any entries which are determined to be a virus or Trojan. If something may or may not be a
system process, you will have to look carefully at the system path.
12. You can either double click on the process and manually delete the registry key (will be highlighted)
or right-click and select “Delete”.
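The following PowerShell script is an added example; it is not part of the original lab handout and is not Sysinternals code. It automates the manual checks from both procedures above on the live machine: it lists Name/Data for the six autostart locations the lab names, notes whether each program is currently running (the Task Manager step), and checks the file's Authenticode signature (roughly what Autoruns' “Verify” does, though Autoruns applies its own checks). It assumes PowerShell 3.0 or later run from an elevated prompt, and it is read-only: nothing is deleted.

```powershell
# Added example (not from the lab or Sysinternals). Read-only autostart review.
# Assumes PowerShell 3.0+ in an elevated prompt.

# Keys whose values are each one autostart entry (Name = value name, Data = command line).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Locations where one named value holds the command line.
$singleValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'load' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' }
)
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Extract the executable from a command line such as
#   "C:\Program Files\Vendor\VPTray.exe" /silent     or     C:\Tools\app.exe -x
# Userinit normally holds one program followed by a comma; anything appended after that
# comma is an extra program started at logon and deserves a close look.
function Get-ExecutablePath([string]$CommandLine) {
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '[\s,]+')[0]
}

# Collect the Name/Data pairs the lab asks you to write down.
$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        [pscustomobject]@{ Location = $key; Name = $p.Name; Data = [string]$p.Value }
    }
})
$entries += @(foreach ($sv in $singleValues) {
    if (-not (Test-Path $sv['Key'])) { continue }
    $val = (Get-ItemProperty -Path $sv['Key']).($sv['Name'])
    if ($val) { [pscustomobject]@{ Location = $sv['Key']; Name = $sv['Name']; Data = [string]$val } }
})

# Running processes keyed by full image path (the Task Manager "Image Name" view, with paths).
$running = @{}
foreach ($proc in (Get-Process)) {
    try { $imagePath = $proc.Path } catch { $imagePath = $null }
    if ($imagePath) { $running[$imagePath.ToLowerInvariant()] = $proc.Id }
}

$report = foreach ($e in $entries) {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $e.Data))
    # Bare names such as rundll32.exe are resolved through PATH, as the loader would.
    if ($exe -and -not (Test-Path -LiteralPath $exe)) {
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found -and $found.Path) { $exe = $found.Path }
    }
    $status = 'FileMissing'; $signer = ''
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    $procId = $running[$exe.ToLowerInvariant()]
    [pscustomobject]@{
        Name       = $e.Name
        Running    = $(if ($procId) { "yes (PID $procId)" } else { 'no' })
        Signature  = $status
        Signer     = $signer
        Executable = $exe
        Location   = $e.Location
    }
}

# Sorting by status puts FileMissing, HashMismatch and NotSigned first; "Valid" entries
# (the ones Autoruns would show as Verified) sort last.
$report | Sort-Object Signature | Format-Table Name, Running, Signature, Signer, Executable -AutoSize -Wrap
```

An entry whose file is missing, unsigned, or has a hash mismatch is the one to take to processlibrary.com or the “Search Online” step; a valid signature from a recognisable publisher is the same signal the lab treats as “probably OK”. HKCU: only covers the account you are logged on as, so repeat the check, or look under HKEY_USERS, for other profiles on the machine.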



Exercise 2: Checking for Rootkits

• In this exercise, you will be using a software tool to reveal rootkits.


• Rootkits are software designed to conceal processes (so that you would not be able to see them
normally using Task Manager). This involves hiding files, connections, registry entries, etc. that
would otherwise identify a process. They often modify parts of the Operating System or disguise
themselves as drivers or kernel modules.
• A rootkit may be evidence of a botnet infection (where someone is able to take control of your
machine remotely)
• The best way to find a rootkit is to use a live CD to view the system (preventing the rootkit from running).
• However, there are several programs available to find rootkits and increasingly anti-virus vendors are
incorporating this functionality into their programs.

What you need:

1. Windows servers/workstations (2000 or higher, e.g. XP, Vista)


2. Internet access

Steps for Checking for Rootkits:

1. Go to: http://download.sysinternals.com/Files/RootkitRevealer.zip and save the file to the
Desktop.
2. Unzip RootkitRevealer and click on “RootkitRevealer.exe”
3. Click on the defaults to access the program.
4. Click on “Scan”. The program should go through the Registry as well as NTFS metadata files and
discover anything that might indicate a rootkit. DO NOT USE THE COMPUTER WHILE
SCANNING.
5. This may take several minutes. If it is taking too long, press the “Abort” key. Review the
discrepancies and make note of them.
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________
________________________________________________________________________________

6. Look for a distinctive part of the registry or path name and search the RootkitRevealer (RKR)
forums at: RootkitRevealer Logs http://forum.sysinternals.com/forum_topics.asp?FID=17 and
RootkitRevealer Usage http://forum.sysinternals.com/forum_topics.asp?FID=15
7. If you find nothing there, use Google!
8. The following null keys are fine and a result of the newest version now scanning the HKLM
security hive files:
HKLM\Security\Policy\Secrets\SAC*
HKLM\Security\Policy\Secrets\SAI*
9. There should be suggestions for determining whether the discrepancy is a result of a rootkit or it
is innocuous. If it IS a rootkit, it is wise to look at the forums or Google for specific instructions for
removal.
10. Exit RootkitRevealer.
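The PowerShell script below is an added example; it is not part of the original lab handout and is not Sysinternals code. It triages a saved RootkitRevealer report in the way steps 6 and 8 describe: the HKLM\Security\Policy\Secrets\SAC* and SAI* null-name keys are marked as known benign, and for every other discrepancy the leaf of the path is pulled out as the “distinctive part” to search the forums for. It assumes the saved report is tab-separated with the four columns RootkitRevealer displays (Path, Timestamp, Size, Description); the rows embedded in the script are constructed sample data, not real scan output.

```powershell
# Added example (not from the lab or Sysinternals). Triage of a saved RootkitRevealer report.
# Assumption: tab-separated rows with columns Path, Timestamp, Size, Description.

# Step 8: null-name keys under the Security hive that the lab says are fine. The '*' is
# treated as a wildcard by -like.
$knownBenign = @(
    'HKLM\Security\Policy\Secrets\SAC*',
    'HKLM\Security\Policy\Secrets\SAI*'
)

function Get-RkrTriage([string[]]$Lines) {
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split "`t"
        if ($f.Count -lt 4) { continue }        # header or malformed row, skip it
        $path = $f[0].Trim()
        $benign = $false
        foreach ($pat in $knownBenign) {
            if ($path -like $pat) { $benign = $true; break }
        }
        [pscustomobject]@{
            Verdict     = $(if ($benign) { 'known benign (step 8)' } else { 'needs lookup' })
            # Step 6: the last path component is the distinctive term to search for.
            SearchTerm  = $(if ($benign) { '' } else { ($path -split '\\')[-1] })
            Description = $f[3].Trim()
            Size        = $f[2].Trim()
            Path        = $path
        }
    }
}

# Constructed sample rows standing in for a saved report (placeholder names, not real IoCs).
$sampleReport = @(
    @('HKLM\SECURITY\Policy\Secrets\SAC*', '3/5/2008 10:12 AM', '0 bytes', 'Key name contains embedded nulls (*)'),
    @('HKLM\SECURITY\Policy\Secrets\SAI*', '3/5/2008 10:12 AM', '0 bytes', 'Key name contains embedded nulls (*)'),
    @('HKLM\SOFTWARE\Classes\CLSID\{EXAMPLE-CLSID}', '3/5/2008 9:40 AM', '0 bytes', 'Hidden from Windows API.'),
    @('C:\WINDOWS\system32\drivers\example.sys', '3/4/2008 8:02 PM', '24.50 KB', 'Hidden from Windows API.')
) | ForEach-Object { $_ -join "`t" }

$triage = Get-RkrTriage -Lines $sampleReport
$triage | Format-Table Verdict, SearchTerm, Description, Path -AutoSize -Wrap
# With a report you saved from RootkitRevealer:  Get-RkrTriage -Lines (Get-Content .\report.txt)
```

Only the rows marked “needs lookup” go on to the forum and search steps; a hidden driver file or a registry key hidden from the Windows API is exactly the kind of discrepancy the lab asks you to note down, while the two Secrets keys are dropped from the list before you start searching.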

Steps for Clean Up:

11. Remove all files created from Desktop.


12. Shutdown the computer.
