James,
you should do this through the at command in a command prompt. Through the GUI
you're required to submit a user. this is no requirement for the at command.
syntax :
C:\>at 21:31 cmd.exe
This is not a 'real hack' since you already need sysadmin rights to perform
this action.
-----------------OFF TOPIC
All other forensics@securityfocus.com subscribers, please tweak your
OOO-settings, because getting the "I'm not here", "I left the company and will
not return before 2099", "I won the lottery so I'm outta here" message
50+ times in under 10 seconds is no fun at all !
--------------------------
Regards,
Wim
-----Original Message-----
From: James Zaros [mailto:hawespipe@hotmail.com]
Sent: donderdag 11 mei 2006 18:31
To: forensics@securityfocus.com; Wim Remes
Subject: cmd.exe hack
This question relates to the post immediately below. When the cmd.exe task
is running it shows to be running as the administrator in the task manager.
Is that incorrect, it is actually running as SYSTEM?
--------------------------------------------------------------------------------
From: Wim Remes [mailto:Wim_Remes@msp.be]
Sent: Mon 5/8/2006 4:11 AM
To: Admin.mmm; MikeMackrill@BC.com; filbanks@gmail.com;
forensics@securityfocus.com
Subject: RE: Tracking moved files?
you can gain SYSTEM privileges by scheduling cmd.exe as administrator. When
the app starts it runs under SYSTEM. This was shown to me by MS support when
I had some GPO stuff where one of my admins took to many righs away. When
running cmd.exe scheduled, from there you can start mmc or any other app,
that app will run under the same privileges. It allowed me to reset
privileges on the GPO stuff and see them again on a normal MMC.
just my â.02
Wim
-----Original Message-----
From: Admin.mmm [mailto:admin.mmm@iinet.net.au]
Sent: maandag 8 mei 2006 13:11
To: MikeMackrill@BC.com; filbanks@gmail.com; forensics@securityfocus.com
Subject: RE: Tracking moved files?
I vaguely remember something about a DLT system in w2k.
It tracks the files for indexing purposes and creates a hidden log file.
I dragged this off the MS site:
"The DLT Client service monitors activity on NTFS volumes and stores
maintenance information in a file called Tracking.log, which is located in a
hidden folder called System Volume Information at the root of each volume.
This folder is protected by permissions that allow only the system to have
access to it. The folder is also used by other Windows services, such as
Indexing Service."
If you could log in as system you may glean something from there.
J
-----Original Message-----
From: MikeMackrill@BC.com [mailto:MikeMackrill@BC.com]
Sent: Monday, May 08, 2006 3:51 AM
To: filbanks@gmail.com; forensics@securityfocus.com
Subject: Re: Tracking moved files?
Did you check the recent items to look for a reference to the file on the
thumb drive?
All I could think of on a Sunday morning.
Mike Mackrill
-----Original Message-----
From: Serge Jorgensen <filbanks@gmail.com>
To: forensics@securityfocus.com <forensics@securityfocus.com>
Sent: Thu May 04 10:16:08 2006
Subject: Tracking moved files?
Hello!
I'm try to show that files were copied and/or moved off a W2K drive
onto a USB stick. Obviously the registry and setupapi files show the
USB installation info - but I can't find the log file (or other
method?) that Windows must use to track files being moved and copied.
I don't have the USB device - which would make this a whole lot easier.
Any ideas would be great.
Thanks.
George
Blessed is the man who, having nothing to say, abstains from
giving wordy evidence of the fact.
George Eliot
(1819-1880, British Novelist)
