Windows 7 Forums


Windows 7: Quick Tip: Locate Malicious Handles Quickly

25 Aug 2010   #1
dranfu

 
Quick Tip: Locate Malicious Handles Quickly

Locate Malicious Handles Quickly

A lot of us, I'm sure, use Process Explorer or Process Hacker (some might just use Task Manager) to view, verify and analyze the processes running on our computers. If a strange process shows up (bykxlvd.exe, for instance) we'll quickly start to investigate and take whatever actions we think necessary.

Some malicious files (the Zeus Trojan, for instance) may not show up as a running process, but instead may simply "hook" into a program by creating a handle to it. Because of this, we won't see it in task manager, and unless we are being very detailed, we might miss it in Process Explorer or Process Hacker.

The following command line command will enumerate all the handles registered in your system, then search for names that contain .exe, and then write the results to a text file and place it on your desktop.

In this way, you can look at a (hopefully) short list of executables and quickly determine if any look out of the ordinary--and then further investigate if necessary.

What you'll need: Handle, by Sysinternals (197kb). Please either install the tool into your System32 folder, or create an entry in your PATH system variable (My Computer > Properties > Advanced > Environment Variables). If you don't do this, then you will need to include the full path name of the tool when using this command.

How to do it: Run this command in a command prompt. (Note that you can also save this command to a text file with a .bat extension, to run it as a clickable batch file. If running in a batch file, you will need to replace each % with two %%.)

For /F "tokens=1,2,3,4*" %G in (' handle ^| find /I ".exe" ') do ( echo [%G] [%H] [%I] [%J] [%K] >> "%USERPROFILE%\Desktop\CurrentHandles.txt" )

Happy Hunting


Update: Edited the command so that it accurately identifies all executable handles and running executables.


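The batch one-liner above dumps every handle line that mentions .exe into a text file, leaving the reader to eyeball it. The following Python script is an added example (not part of the original post and not a Sysinternals tool) that goes one step further: it parses saved output from handle.exe, collects every File handle whose target is an executable, groups them by the process that holds them, and lists the cases the post is really after, where a process holds a handle to an executable other than its own image. The embedded SAMPLE_OUTPUT is constructed to resemble handle.exe's text format (a "name pid: N owner" header per process, then one indented "hex: Type name" line per handle, optionally with an access column in newer versions); that format assumption, the sample paths and the process names are all hypothetical.

```python
"""Parse Sysinternals handle.exe output and list executables that processes hold handles to.

Added example for the thread above; it is not Sysinternals code. It reads text
that was already captured (for instance via `handle > handles.txt`), so it runs
offline. The output format is assumed from handle.exe's usual layout.
"""
import re
import sys
from collections import defaultdict

# Process header line, e.g. "explorer.exe pid: 1492 DESKTOP\user" (assumed format).
PROCESS_RE = re.compile(r"^(?P<image>\S.*?) pid: (?P<pid>\d+)\s*(?P<owner>.*)$")
# Handle line, e.g. "   3C: File          C:\Windows\explorer.exe". Newer handle.exe
# versions insert an access column such as "(RW-)", which is matched optionally.
HANDLE_RE = re.compile(
    r"^\s*(?P<id>[0-9A-Fa-f]+):\s+(?P<type>\S+)\s+(?:\([RWD-]{3}\)\s+)?(?P<name>.+?)\s*$"
)

# Constructed sample resembling handle.exe output; not captured from a real machine.
SAMPLE_OUTPUT = """\
Nthandle v3.42 - Handle viewer
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
explorer.exe pid: 1492 DESKTOP-EXAMPLE\\user
   3C: File          C:\\Windows\\explorer.exe
   5A: File          C:\\Windows\\System32\\SHELL32.DLL
------------------------------------------------------------------------------
svchost.exe pid: 912 NT AUTHORITY\\SYSTEM
   84: File          C:\\Windows\\System32\\svchost.exe
   A0: Section       \\BaseNamedObjects\\windows_shell_global_counters
------------------------------------------------------------------------------
winlogon.exe pid: 588 NT AUTHORITY\\SYSTEM
   B8: File          C:\\Users\\user\\AppData\\Local\\Temp\\bykxlvd.EXE
   C4: File          C:\\Windows\\System32\\winlogon.exe
"""


def parse_handle_output(text):
    """Yield (image, pid, handle_type, name) for every handle line in the dump."""
    image, pid = None, None
    for line in text.splitlines():
        header = PROCESS_RE.match(line)
        if header:
            image, pid = header.group("image"), int(header.group("pid"))
            continue
        handle = HANDLE_RE.match(line)
        if handle and image is not None:
            yield image, pid, handle.group("type"), handle.group("name")


def executable_handles(text):
    """Map each .exe path to the set of (image, pid) holding a File handle to it.

    The comparison is case-insensitive, matching how Windows treats file names
    (the batch one-liner's `find ".exe"` would miss an upper-case .EXE).
    """
    holders = defaultdict(set)
    for image, pid, handle_type, name in parse_handle_output(text):
        if handle_type == "File" and name.lower().endswith(".exe"):
            holders[name].add((image, pid))
    return holders


def foreign_executable_handles(text):
    """Return (image, pid, path) where a process holds a handle to an .exe that is not its own image.

    A process normally holds a handle to the executable it was started from; a
    handle to some other .exe is the short list the post suggests looking at.
    """
    suspicious = []
    for path, owners in executable_handles(text).items():
        basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        for image, pid in sorted(owners):
            if image.lower() != basename:
                suspicious.append((image, pid, path))
    return sorted(suspicious)


def format_report(text):
    """Render the findings in the same [image] [pid] [path] style as the batch file."""
    return "\n".join(f"[{image}] [{pid}] [{path}]" for image, pid, path in foreign_executable_handles(text))


if __name__ == "__main__":
    # Usage: python handles.py handles.txt   (where handles.txt was saved via `handle > handles.txt`)
    # With no argument the constructed sample is used.
    dump = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(format_report(dump) or "No handles to foreign executables found.")
```

Saving the real tool's output to a file first and feeding that to the script keeps the parsing separate from running the tool, and the same file can be kept as a baseline to diff against later dumps.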

25 Aug 2010   #2
richc46

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium SP1, clean install, upgrade disc
 
 

Excellent advice, thanks.