OPENFILES COMMAND
1. Many Windows administrators are unfamiliar with the powerful openfiles command built into Windows. As its name implies, this command shows all files that are open on the box, indicating the process name interacting with each file. It's built into modern versions of Windows, from XP Pro to Vista. Like the popular lsof command for Linux and Unix, it shows administrators all open files on the machine, giving the process name and full path for each file. Unlike lsof, however, it doesn't provide many further details, such as the process ID number, user number and other information.
2. Considering the volume of information it gathers, it's no surprise that the openfiles command is a performance hog. Thus, the accounting associated with openfiles is off by default, meaning users can't pull any data from this command until it is turned on. This function can be activated by running:
C:\> openfiles /local on
3. Users will need to reboot, and when the system comes back, they will be able to run the openfiles command as follows:
C:\> openfiles /query /v
4. This command will show verbose output, which includes the user account that each process with an open file is running under. To get an idea of what malware has been installed, or what an attacker may be doing on a machine, users should look for unusual or unexpected files, especially those associated with unexpected local users on the machine.
5. When finished with the openfiles command, its accounting functionality can be shut off and the system returned to normal performance by running the following command and rebooting:
C:\> openfiles /local off
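The five steps above can be driven from PowerShell so that the query output is parsed into objects and filtered rather than read by eye. The following script is an added example and is not from the original post; it assumes an elevated prompt, that "openfiles /local" with no argument reports the current accounting state, that "/fo csv" produces a quoted header row whose path column starts with "Open File" (column names are taken from the tool's own output rather than hard-coded), and that the trusted-root list is a constructed allow-list to be tuned per host.

```powershell
# Added example (not part of the original post): wrap the openfiles workflow
# and flag open executables/scripts that sit outside trusted directories.
# Assumptions (not from the page): elevated prompt; "openfiles /local" with no
# argument reports the accounting state; "/fo csv" output has a quoted header
# row whose path column begins with "Open File". $trustedRoots is constructed.

$trustedRoots = @('C:\Windows\', 'C:\Program Files\', 'C:\Program Files (x86)\')

function Get-OpenFilesAccountingState {
    # Returns the tool's own status line about the 'maintain objects list' flag.
    (& openfiles.exe /local) -join ' '
}

function Enable-OpenFilesAccounting {
    # Step 2 of the post: turn accounting on (takes effect after a reboot).
    & openfiles.exe /local on | Out-Null
    Write-Warning 'Accounting is enabled only after a reboot.'
}

function Disable-OpenFilesAccounting {
    # Step 5 of the post: turn accounting back off (takes effect after a reboot).
    & openfiles.exe /local off | Out-Null
    Write-Warning 'Accounting is disabled only after a reboot.'
}

function Get-LocalOpenFile {
    # Step 3 of the post, in CSV form so each row becomes an object whose
    # property names come from the header row the tool prints.
    $raw = & openfiles.exe /query /v /fo csv 2>&1
    $csv = $raw | Where-Object { $_ -match '^"' }   # drop INFO/ERROR banner lines
    if (-not $csv) { return @() }
    $csv | ConvertFrom-Csv
}

function Find-SuspiciousOpenFile {
    # Step 4 of the post: surface entries worth a closer look. The full row is
    # kept in Detail so the owning process and account columns stay visible.
    param(
        [Parameter(ValueFromPipeline)] $Entry,
        [string[]] $TrustedRoots = $trustedRoots
    )
    process {
        $pathProp = ($Entry.PSObject.Properties |
            Where-Object { $_.Name -like 'Open File*' } |
            Select-Object -First 1).Name
        if (-not $pathProp) { return }
        $path = [string]$Entry.$pathProp
        $underTrusted = $TrustedRoots | Where-Object {
            $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
        }
        # Executables and scripts open from user-writable or unusual locations
        # are the "unusual or unexpected files" the post tells you to look for.
        if (-not $underTrusted -and $path -match '\.(exe|dll|ps1|bat|vbs|js)$') {
            [pscustomobject]@{ Path = $path; Detail = $Entry }
        }
    }
}

# Usage (after accounting has been enabled and the box rebooted):
#   Get-OpenFilesAccountingState
#   Get-LocalOpenFile | Find-SuspiciousOpenFile | Format-List
```

Review the Detail column of each flagged row for the process name and account; an executable open under a profile or temp directory by an account that should not be logged on is exactly the pattern the post describes. Run Disable-OpenFilesAccounting and reboot once the review is done to recover the performance cost.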