How I use Sysinternals
Hey,
In my previous post I demonstrated how to add the Sysinternals tools to your computer from https://live.sysinternals.com/. "Neat, now what?" This is not a comprehensive guide to Sysinternals, merely how I use these tools to increase my cyber safety.
If you browse to https://live.sysinternals.com you'll notice there are numerous tools. I just want to quickly show a few of the tools I have found most useful and how I use them.
1.) Sigcheck - "Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains."
You can run it via:
PS C:\Users\Matt> \\live.sysinternals.com\tools\sigcheck.exe -h -v "C:\Users\Matt\Downloads\processhacker-3.0.1424-setup.exe" >> sigchecktest.txt
This command is run against a "file", usually something you just downloaded/received and are unsure about. You can run "Sigcheck" to view information that helps you assess the file. I added the "-h" and "-v" flags, which activate the "Hashing" and "Virus Total" checks. The "Hash" is that file's fingerprint (MD5, SHA1, SHA256); you can also copy and "Google" the hash to see if it relates to anything shady. I also added an output redirect ">>", which appends the results (output) to the file I specify, "sigchecktest.txt". The terminal window is great and all, but I would rather view this info in a word processor, to ease my eyes. Opening "sigchecktest.txt" in a word processor will show the same exact output as the command window.
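As an added example (not code from the original post), the same sigcheck step wrapped in a PowerShell function: it runs sigcheck with -h and -v against one file, appends the raw output to a text file as the post does, pulls out the hashes and the VirusTotal verdict, and cross-checks sigcheck's SHA256 against Windows' built-in Get-FileHash so the hash you go on to search for is the hash of the file actually on disk. It assumes the live.sysinternals.com share is reachable and that sigcheck prints fields as "label:<whitespace>value" lines (e.g. "SHA256:" and "VT detection:"); the function name Invoke-SigcheckReport is hypothetical.

```powershell
# Added example, not part of the original post. Assumes sigcheck's -h/-v output uses
# "<label>:<whitespace><value>" lines such as "SHA256: ..." and "VT detection: N/M".
function Invoke-SigcheckReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ReportFile = 'sigchecktest.txt',
        [string] $Sigcheck   = '\\live.sysinternals.com\tools\sigcheck.exe'
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # -nobanner keeps the report clean; -accepteula avoids the EULA dialog on first run.
    $raw = & $Sigcheck -nobanner -accepteula -h -v $Path 2>&1

    # ">>" in the post appends; Add-Content does the same, so repeated runs accumulate.
    Add-Content -LiteralPath $ReportFile -Value $raw

    # Pick out the fields worth reading first (label, colon, whitespace, value).
    $fields = @{}
    foreach ($line in $raw) {
        if ("$line" -match '^\s*(MD5|SHA1|SHA256|Verified|Publisher|VT detection|VT link):\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # Cross-check sigcheck's SHA256 with the built-in hasher; a mismatch means the
    # report does not describe the file you think it does.
    $local = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $fields['LocalSHA256'] = $local
    $fields['HashesAgree'] = [bool]($fields['SHA256'] -and $fields['SHA256'].ToUpper() -eq $local)

    # Anything other than 0 detections, or no VirusTotal result at all, deserves a closer look.
    $fields['NeedsReview'] = (-not $fields['VT detection']) -or ($fields['VT detection'] -notmatch '^0/')

    [pscustomobject]$fields
}

# Usage (same download as in the post):
Invoke-SigcheckReport -Path "$env:USERPROFILE\Downloads\processhacker-3.0.1424-setup.exe" | Format-List
```

If HashesAgree is false or NeedsReview is true, read the full report in sigchecktest.txt before running the file.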
2.) AutoRuns - "This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players."
PS C:\Users\Matt> \\live.sysinternals.com\tools\autoruns.exe
Autoruns is useful in that it shows you everything that "starts/runs" upon boot up. If it takes forever for your desktop to load, or your PC is acting sluggish in general, it's a good idea to check these autoruns. The tool has a nice GUI to make it easy to use. The other useful feature is "Save" and "Compare".
3.) Process Explorer - "Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded."
PS C:\Users\Matt> \\live.sysinternals.com\tools\procexp.exe
You can view "Process Explorer" as a "Super Task Manager". As the name suggests, "Process Explorer" shows you all the currently running processes on your computer. The GUI is simple and easy to understand. "Autoruns" shows you all your "Auto-starting items" and "Process Explorer" shows you all your "Currently running items". Between these two views you should have a good grasp on what's running on your computer. You can even "right-click" a process and have it checked against Virus Total.
These tools provide significant insight into your computer and can be used to spot malware. Malware infections can be treated; you just have to know where to look. You should also keep in mind the "Tools" that already come "Built-in" to your operating system (Windows): "Netstat", "Ping", "Net", "Tasklist".
I've got more posts incoming.