Hunt Down and Kill Malware with Sysinternals Tools (Part 3)

by Deb Shinder. Published on 5 Oct. 2011 / Last updated on 5 Oct. 2011

This third and last installment in the series will cover how to use Process Monitor for detecting changes to the registry and file system that may be made by malware.

Introduction

In parts 1 and 2 of this three-part series, we looked at how you can use Process Explorer and Autoruns to identify malicious software on a Windows system. Since the publication of the first article, a new version of Process Explorer (v15.01) was released this month, so be sure to get the latest version here.

The new version uses less memory, and it now displays GPU usage and gives you the ability to restart services. Performance graphs look nicer, too.

Installing and Using Process Monitor

Process Monitor replaces the old FileMon and RegMon tools and combines and updates the functionality of both. The current version of Process Monitor is v2.95 and you can download it from the Microsoft TechNet web site.

So what can you do with it? A lot. This tool is used to capture all sorts of real-time data about the processes on a machine, including image path, command line, user and session ID, and the relationships of processes. Its filtering is non-destructive so you don’t have to worry about losing information when you set filters. With the information that you collect, you can analyze the malware you find and determine what it does and how to get rid of it.

You can download and install Process Monitor on your machine (it’s a 1.26 MB download) or you can run it from Live.Sysinternals.com. Process Monitor installs a device driver to capture information, then presents it in the user-friendly graphical interface. As you can see in Figure 1, Process Monitor displays a line of information for every operation that takes place on the system. By default, the columns displayed include the time, the process name and its PID, the operation it conducted, the path, the result of the operation and details about the operation (in the figure, I have hidden the path information because it contains identifying information about the user account, computer name and domain name).


Figure 1

You can add many other columns for additional information about the application, the event and process management, as shown in Figure 2.


Figure 2

The amount of information that Process Monitor provides can be overwhelming, since there are so many processes that typically run in the background on a Windows system. That means filtering is essential if you want to be able to capture the information that’s relevant to your mission of tracking malware. The nice thing is that the Process Monitor filters restrict what is displayed, not what is actually captured. So all the data is still captured, but you only see what you need to see. So you can display entries that match a particular process name, a particular user, a particular time of the day, etc. You can see the selections in Figure 3.


Figure 3

You can create multiple filters, so that you could look just at entries generated by a particular process on a particular date and time, for example. For each filter you choose a condition (is, is not, is less than, is more than, begins with, ends with, contains or excludes a particular value) and then specify whether entries meeting that condition are to be included or excluded from the display. This flexibility greatly enhances your ability to spot out-of-the-ordinary events without being distracted by extraneous information.

There are handy buttons on the toolbar that you can use to show or hide registry activity, network activity, file system activity, process and thread activity and profiling events. You can enable boot logging and set the history depth to limit the total number of events that will be kept during a run.

When a malware program installs itself on your system, it may extract files to various locations on your hard drive, copy driver files to the Windows system folder, add keys to the Windows registry, etc. With Process Monitor, you can identify what is creating particular files that “rise from the dead” and reappear after you’ve deleted them, or what is creating suspicious registry entries.

To find out what a suspicious process is actually doing, you would first set filters to show only the entries for that process name. You may be able to further filter the results, or you may need to review the results line by line to figure out what the process is doing. For example, you might choose to show only registry access events, so you can determine what registry keys the process is accessing, changing or adding. You can then examine these registry values to find out the effects of any changes that are being made. You can examine the file system access entries to find out what files a process is pulling information from, or files that it might be deleting from or adding to your system.

It might be easier for you to review the information in another program, such as Excel or another Office application. Or you might want to save a copy of the information in one of those formats. In that case, you can export the data to a .CSV file or an .XML file, using the “save to file” option (you can also save the file in native Process Monitor format, .PML, if you want to open it back up in Process Monitor).

Process Monitor can be used along with Process Explorer and AutoRuns to give you a powerful set of tools for manually tracking down malware so that you can remove it from your system.

What if the Sysinternals tools won’t run?

As we’ve demonstrated in this three-part article, the Sysinternals tools are great aids in manually hunting down and killing malware, and are especially useful when dealing with the “zero day” variety for which signatures haven’t yet been created by the anti-malware vendors. But sometimes, you might find that the Sysinternals tools won’t run because malware authors have started targeting these popular tools (as well as commercial anti-virus and anti-malware products) in order to stay ahead of you and keep you from cleaning the malicious code off your system. You might try to start Process Explorer, Process Monitor or Autoruns only to find that the process is immediately terminated.

Depending on how sophisticated the malware is, you may be able to thwart its attempts to prevent you from using the tools by renaming them or by running them on an alternate virtual desktop, using the Desktops utility. Mark describes a case where a Sysinternals user ran into exactly that problem in his blog post titled The Case of the Sysinternals-Blocking Malware.

Summary

This three-part series covered the basics of how to use tools such as Process Explorer, Autoruns and Process Monitor to hunt down and kill malware. The free Sysinternals tools are invaluable aids for anyone who wants to delve deeply into the hunt for malicious code and eliminate it from their systems. You can download them free from the Microsoft TechNet web site, and if you really want to ramp up on how to use them most effectively, check out Mark’s book (with Aaron Margosis), Windows Sysinternals Administrator’s Reference, which is published by O’Reilly and came out in June 2011.

The Author — Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP (Security) is a technology consultant, trainer and writer who has authored a number of books on computer operating systems, networking, and security.