
| Subject: | RE: [Full-disclosure] Window's O/S |
|---|---|
| Date: | Thu, 24 Nov 2005 12:27:01 -0000 |
-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Brian Dessent
Sent: 24 November 2005 12:19
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Window's O/S

Greg wrote:

> In C:\windows\ the file "nnotepad.exe" remained as I had changed it and a brand new (from the same date as the renamed exe) "notepad.exe" appeared, and the same under c:\windows\system32 and c:\windows\dllcache as well.

http://www.microsoft.com/whdc/winlogo/drvsign/wfp.mspx

> So my question next is "If I have renamed the whole lot that I could find, where did this replacement notepad.exe come from?" and I can't really answer

The WFP thread watches for file changes and replaces files deemed "system" files whenever they are modified or replaced. This is not unique to notepad. I don't know how this daemon works, but I'd assume it keeps a private cached copy of all files so that it can replace them when changed. I think this is what "dllcache" is. This means there are always two copies of the file at any given time, and since it's impossible to atomically delete two files simultaneously, the WFP thread can always use one copy of the file to replace the other. If not, it could probably grab it from the .cab file that's usually tucked away in %WINDIR% somewhere.

> that one, excepting to say that because notepad is the default html editor in IE6, perhaps IE6 has notepad somehow protected? BTW, my changed default

No, it has nothing to do with IE or the original subject of this thread. Notepad.exe just happens to be one of a large number of files that WFP has on its list.

Brian

Hi

If you want to test, this feature can be disabled by turning off system restore:
- right click My Computer
- Properties
- System Restore tab

This feature can be a pain in the arse if you are trying to get rid of infected files that it thinks are system files.

Agree with the previous posts, I think this is just down to a path issue when Windows is trying to work out what to do when you open something.

K

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
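Brian's point that notepad.exe "happens to be one of a large number of files that WFP has on its list" can be checked directly instead of by renaming files and waiting for them to come back. The script below is an added example, not from the thread or from Microsoft; it P/Invokes the documented sfc.dll export SfcIsFileProtected (which on Vista and later reports the successor mechanism, Windows Resource Protection) and asks about the paths Greg renamed. The helper name Test-WfpProtected and the path list are the example's own choices; WFP matches on the full path, so the renamed copy nnotepad.exe is expected to come back unprotected while the original locations are reported as protected.

```powershell
# Added example (not from the original thread): query the WFP/WRP protected-file
# list through the documented sfc.dll export SfcIsFileProtected.
Add-Type -Namespace Wfp -Name Native -MemberDefinition @'
[DllImport("sfc.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool SfcIsFileProtected(IntPtr rpcHandle, string protFileName);
'@

function Test-WfpProtected {
    # Hypothetical helper: returns whether the given path is on the protected list.
    param([Parameter(Mandatory)][string]$Path)
    $full = [System.IO.Path]::GetFullPath($Path)
    [pscustomobject]@{
        Path      = $full
        Exists    = Test-Path -LiteralPath $full
        # First argument is the optional RPC handle; IntPtr.Zero lets sfc.dll connect itself.
        Protected = [Wfp.Native]::SfcIsFileProtected([IntPtr]::Zero, $full)
    }
}

# The three locations Greg renamed, plus his renamed copy. dllcache no longer
# exists on current Windows, which the Exists column will show.
$windir = $env:windir
@(
    "$windir\notepad.exe",
    "$windir\system32\notepad.exe",
    "$windir\system32\dllcache\notepad.exe",
    "$windir\nnotepad.exe"
) | ForEach-Object { Test-WfpProtected $_ } | Format-Table -AutoSize
```

The call answers from the protection list, not from the file system, so a path that does not exist can still report Protected = True; that is exactly the behaviour Greg saw, where a missing protected file is restored from the cache.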