
The sysadmin's first-aid kit. A minimal set of utilities for the most effective problem solving


Every sysadmin sometimes has to maintain the computers of acquaintances or make house calls. In such cases a proven set of utilities comes to the rescue. Our review covers only free ones that do not require installation and that have become the de facto standard.

Autoruns


This program has become the calling card of Mark Russinovich and Winternals Software (better known by the name of its site, Sysinternals.com), long since acquired by Microsoft. It is still developed by its author, but is now legally owned by Microsoft's technical department. The current version is 13.3, released in April 2015. Since v13.0 the program has become not just more convenient; it has gained a number of new functions, in particular advanced filtering tools and integration with other system utilities and online services.

Autoruns displays the most complete and detailed list of startup components, regardless of their type. The utility shows how all drivers, programs (including system ones) and their modules are loaded via registry keys. It even lists all Windows Explorer extensions, toolbars, automatically started services and many other objects that usually escape similar programs.

Color coding helps you quickly pick out, in a list of hundreds of records, standard components carrying a Microsoft digital signature, suspicious files, and erroneous entries that refer to non-existent files. To disable autorun for any component, simply uncheck the box to its left.


Ghost autorun entries are highlighted in yellow in Autoruns.

Some components are loaded automatically only when logging into the system under a particular account. In Autoruns you can select the records belonging to each account and view them separately.

The command-line mode also deserves attention. It is extremely convenient for exporting the list of startup items to a text file, building advanced reports and selectively scanning all suspicious objects with anti-virus engines. Full help is available on the site; here is an example of a typical command:

autorunsc -a blt -vrs -vt > C:\Autor.log 

Here `autorunsc` is the program's module that runs in command-line mode. The `-a` option indicates that the objects to be checked are listed after it. In the example there are three: b, boot execute (everything that loads after the system starts and before the user logs in); l, logon, the autoload components of a specific user; and t, scheduled tasks. If instead of blt you specify an asterisk (*), all startup objects are checked.

The `-vrs` and `-vt` switches control interaction with the VirusTotal online service. The first submits only those files that lack a Microsoft digital signature and have not been checked before. If at least one of the fifty-odd anti-virus engines considers a file malicious, a detailed report opens in a separate browser tab. The second switch is needed so that the tab with the VirusTotal terms of service does not open every time and you do not have to confirm acceptance of it.

An autorunsc report usually runs to tens or hundreds of kilobytes. Reading it on the screen is inconvenient, so in the example the output is redirected to a log file. This is plain text encoded in UCS-2 Little Endian. Here is a sample record from it with one false positive:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run Adobe ARM "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" Adobe Reader and Acrobat Manager Adobe Systems Incorporated 1.801.10.4720 c:\program files (x86)\common files\adobe\arm\1.0\adobearm.exe 20.11.2014 21:03 VT detection: 1/56 VT permalink: (VirusTotal link)
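A report of this size is easier to triage with a script than by eye. The following example is added here and is not part of the article or of the Sysinternals tools: it decodes the UCS-2 LE log and pulls out the records that deserve attention, namely any entry with a VirusTotal hit and the "ghost" entries whose image file no longer exists. The one-record-per-line layout mirrors the article's excerpt and is an assumption; the sample records and permalinks are constructed.

```python
import codecs
import re
from typing import List, NamedTuple

# Constructed sample modelled on the article's excerpt (one autorunsc record per line is an
# assumption about the layout), encoded as UCS-2 LE like the real log file.
SAMPLE_REPORT = "\n".join([
    'HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run Adobe ARM "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe" Adobe Systems Incorporated 1.801.10.4720 VT detection: 1/56 VT permalink: https://vt.invalid/1',
    'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Updater "C:\\Users\\Public\\updater.exe" (Not verified) VT detection: 7/56 VT permalink: https://vt.invalid/2',
    'HKLM\\SYSTEM\\CurrentControlSet\\Services\\gooddrv "C:\\Windows\\System32\\drivers\\gooddrv.sys" (Verified) Microsoft Windows VT detection: 0/56',
    'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run Ghost "C:\\Temp\\gone.exe" File not found: C:\\Temp\\gone.exe',
]).encode("utf-16-le")

VT_RE = re.compile(r"VT detection:\s*(\d+)/(\d+)")
IMAGE_RE = re.compile(r'"([^"]+)"')                  # first quoted string is the image path
MISSING_RE = re.compile(r"file not found", re.IGNORECASE)


class Finding(NamedTuple):
    location: str    # autostart location (registry key), first token of the record
    image: str       # image path, "" if none was quoted
    positives: int   # VirusTotal engines that flagged the file
    total: int       # engines that scanned it
    reason: str      # "virustotal" or "missing file"


def decode_report(raw: bytes) -> str:
    """Decode the UCS-2 LE log; tolerate an optional byte-order mark."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        raw = raw[len(codecs.BOM_UTF16_LE):]
    return raw.decode("utf-16-le")


def triage_report(raw: bytes, min_positives: int = 1) -> List[Finding]:
    """Return records worth a second look: VT hits >= min_positives, plus 'ghost'
    entries whose image file no longer exists (the yellow rows in the Autoruns GUI)."""
    findings = []
    for line in decode_report(raw).splitlines():
        if not line.strip():
            continue
        location = line.split()[0]
        quoted = IMAGE_RE.search(line)
        image = quoted.group(1) if quoted else ""
        vt = VT_RE.search(line)
        if vt and int(vt.group(1)) >= min_positives:
            findings.append(Finding(location, image, int(vt.group(1)), int(vt.group(2)), "virustotal"))
        elif MISSING_RE.search(line):
            findings.append(Finding(location, image, 0, 0, "missing file"))
    return findings
```

Raising `min_positives` to 2 or 3 filters out single-engine false positives like the Adobe ARM record above while keeping the ghost entries.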


Two unsigned drivers turned out to be clean, while one signed driver has a VirusTotal hit.

Download Autoruns on this page.

Process Explorer


The graphical version of Autoruns can work together with another utility by the same author, Process Explorer (PE). If you start PE first and then Autoruns, the latter's menu gains additional items for viewing the properties of each active process straight from the autorun list.

In the PE settings you can choose how all active processes are displayed: a simple list sorted by name or CPU usage, or a tree with dependencies. There is also an option to check unknown files (identified by hash) against VirusTotal. If you enable it, the result of the check appears on the right after a short while. All objects flagged by at least one anti-virus engine are highlighted in red.

Pressing <Ctrl + L> splits the window horizontally, and the lower part shows full information about the selected process and its actions in the system. Pressing <Ctrl + I> opens an additional window with indicators of CPU, GPU, RAM, I/O, disk and network utilization. For each component the total load and the most demanding process are shown. For the GPU, even the percentage of occupied video memory and the load on each chip are shown, if there are several. This is especially important now, since many (malicious) programs actively use video cards for non-graphical computation; this behavior is especially typical of cryptocurrency-mining Trojans.


The test Trojan does not yet look suspicious, while four antiviruses are already flagging µTorrent.

Right-clicking any process in the PE list opens a context menu. It duplicates all the functions of the built-in Task Manager and adds several new ones. In particular, with one click you can send the file of a suspicious process to VirusTotal for analysis, search the Internet for its description, make a dump, or suspend execution. A suspended process stops responding to any commands (including internal ones) and becomes easier to analyze. Once you have finished with it, you can send the resume command through Process Explorer. Of course, without urgent need you should not do this to system processes or to utilities performing low-level operations. BIOS/UEFI flashing, changing the disk layout, partition alignment and similar operations must not be interrupted.

Usually the title of each window shows the name of the application that created it, but some windows remain nameless. This is especially true of Trojans that mimic well-known programs or small dialog boxes with error codes. Process Explorer has a handy "find process by window" function. Click the button on the top toolbar and, holding the left mouse button, drag the cursor over the strange window. The corresponding process is automatically highlighted in the PE table.


The test Trojan suspended via Process Explorer

To use all the features of Process Explorer, run it with administrator rights and (in some cases) install Debugging Tools for Windows. They can be downloaded separately or as part of the Windows Driver Kit. The latest version of Process Explorer can be downloaded from the Microsoft website.

Unlocker


Without a doubt, Mark Russinovich is a real guru among authors of system utilities for Windows, but his programs were created as universal tools. Sometimes a more specialized tool is worth using, such as the creation of the French programmer Cedrick Collomb. His tiny utility Unlocker does only one thing: it unlocks a file system object held by a process in order to regain control of it. Although the latest version was released in 2013, the program still does its job best of all. For example, it can unload dynamic libraries from memory, delete the index.dat file, work with file names that are forbidden in Windows, and perform most actions without rebooting.


Some process is blocking the removal of Safari

Unlocker identifies the handles of running processes that are currently locking the desired file or directory. Such locking is needed to keep applications from interfering with each other in a multitasking environment. During normal operation of the OS and programs it prevents accidental deletion of files in use, but sometimes errors occur. As a result, an application may hang or remain in memory after its window is closed, and the file system object can then stay locked even when that is no longer necessary.

Today the list of active processes on an ordinary user's machine starts at fifty, so searching for zombies among them by hand can take a long time. Unlocker immediately determines which process is blocking the change or deletion of the selected file or directory. Even if it cannot find out because of limitations of the Win32 API, it will offer to force the desired action: rename, move or delete the object.


Unlocker did not find the cause of the lock, but it can still delete the stubborn file

Sometimes several programs access one directory at once, so several handles are found among the processes locking it. Unlocker can release all of them with one button.

Starting from version 1.9.0, 64-bit versions of Windows are supported. The utility can be integrated into the Explorer context menu or run in graphical mode as a portable application. You can also install Unlocker Assistant. It sits in the tray and automatically invokes Unlocker whenever the user tries to manipulate a locked file. Running with the `-h` switch displays help for command-line mode. The utility is available in forty languages, although there is little to translate in it; everything is intuitively clear.

AVZ


Looking at the list of AVZ's features, one would rather call it an analytical utility than an anti-virus. Oleg Zaitsev's tiny program has many irreplaceable functions that ease the daily tasks of an administrator and the life of an advanced user. It helps you investigate a system, restore broken settings of built-in OS components to their defaults, detect any changes since the last audit, find potential security problems, remove Trojan components from Winsock SPI and restore Internet connectivity, detect strange program behavior and detect kernel-mode rootkits.


AVZ contains many system analysis tools.

Known malware is better removed with other virus scanners. AVZ is useful for dealing with unknown evil, finding the holes it can leak through, and eliminating the consequences of an infection. In most cases AVZ lets you avoid reinstalling the OS even after a severe virus attack.

You can use AVZ as a portable application, but the full set of its functions is revealed only if you install AVZPM, its own kernel-mode driver. It monitors all modules, drivers and active applications, making it easy to identify processes that disguise themselves and any technique of substituting their identifiers.

AVZGuard is another kernel-mode driver that can be activated from the AVZ menu. It restricts the access rights of active processes, suppressing anti-anti-virus activity on an infected computer. This approach lets you run any application (including another antivirus) from the AVZ window in protected mode.

One of the cunning techniques malware uses to resist removal is locking its files and recreating the elements deleted by the anti-virus the next time the OS boots. This can partly be handled manually with Unlocker, but AVZ has its own technology, Boot Cleaner. It is another kernel-mode driver that extends the delayed-deletion capability Windows offers on restart. It loads earlier, logs the results of its work and can delete registry entries as well as files.

AVZ itself also has plenty of know-how. It can check alternate NTFS data streams and speed up a scan by excluding files identified as safe by the Microsoft catalog or by its own database. Threats can be searched for by type; for example, the HackTool category can be excluded outright. There are separate modules for finding keyloggers, open ports with Trojans listening on them, and behavioral analysis. AVZ can copy suspicious and deleted files into separate folders for further detailed examination.


Creating a detailed investigation protocol in AVZ

Sending AVZ reports and those of its System Investigation module has become standard practice on many anti-virus forums where people seek help with non-trivial problems.

Of course, an experienced admin's first-aid kit may hold more than a dozen programs, but these four utilities will suffice for most tasks. The rest are easy to find in the collections linked in this article.

WWW


The complete archive of Sysinternals system utilities (73 programs): live.sysinternals.com/Files/SysinternalsSuite.zip
The complete archive of NirSoft system utilities (56 programs): www.nirsoft.net/system_tools.html
AVZ developer site: z-oleg.com

WARNING!


Using system utilities requires an understanding of how they work and of the OS itself. Read the help before making changes to the registry or interfering with active processes.



First published in Hacker Magazine #197.
Posted by: 84ckf1r3


Source: https://habr.com/ru/post/260881/
