Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Quick Tip: Locate Malicious Handles Quickly


25 Aug 2010   #1

 
Quick Tip: Locate Malicious Handles Quickly

Locate Malicious Handles Quickly

A lot of us, I'm sure, use process explorer or process hacker (some might just use task manager) to view, verify and analyze the processes running on our computers. If a strange process shows up (bykxlvd.exe, for instance) we'll quickly start to investigate and take whatever actions we think necessary.

Some malicious files (the Zeus Trojan, for instance) may not show up as a running process, but instead may simply "hook" into a program by creating a handle to it. Because of this, we won't see it in task manager, and unless we are being very detailed, we might miss it in Process Explorer or Process Hacker.

The following command line command will enumerate all the handles registered in your system, then search for names that contain .exe, and then write the results to a text file and place it on your desktop.

In this way, you can look at a (hopefully) short list of executables and quickly determine if any look out of the ordinary--and then further investigate if necessary.

What you'll Need: Handles, by Sys Internals (197kb). Please either install the tool into your System32 folder, or create an entry in your PATH system variable (My Computer>Properties>Advanced>Environment Variables). If you don't do this, then you will need to include the full path name of the tool when using this command.

How to do it: Run this command in a command prompt (Note that you can also save this command to a text file and save it with a .bat extension, to run it as a clickable batch file. If running in a batch file, you will need to replace the % with two %%:

For /F "tokens=1,2,3,4*" %G in (' handle ^| find ".exe" ') do ( echo [%G] [%H] [%I] [%J] [%K] >> "%USERPROFILE%\Desktop\CurrentHandles.txt" )

Happy Hunting


Update: Edited the command so that it accurately identifies all executable handles and running executables.


My System SpecsSystem Spec
.

25 Aug 2010   #2

Microsoft Community Contributor Award Recipient

Windows 7 Home Premium SP1, clean install, upgrade disc
 
 

Excellent advice, thanks.
My System SpecsSystem Spec
Reply

 Quick Tip: Locate Malicious Handles Quickly




Thread Tools




Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 12:02 AM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33