Advanced Troubleshooting for Windows: Spyware, Malware, Vulnerability-Exploit, Configuration, and App-Compatibility Problems

  • If you see a new process on your Windows XP machine and you wonder where the executable file came from, you can use the System Restore data as history audit information to get some clues:

    • Log in with admin privilege;
    • cd C:\WINDOWS\system32\Restore;
• Type srdiag /CabLoc:"c:\"
    • Open C:\;
    • Extract the SR-ChgLog.LOG file;
    • Open SR-ChgLog.LOG and search for the filename;
    • Look around that file-change log entry to see what other files were created/modified around the same time.

• If the file-change log entry starts with “RPDir=RP1429” and you want to find out approximately when the file was created or modified:

    • From Windows Explorer, right-click on “C:\System Volume Information”->Properties->Security ->Add your login name;
    • Navigate into “C:\System Volume Information\_restore{[some GUID]}” to see the list of RP folders, each corresponding to a System Restore checkpoint (as listed in the calendar at Start->All programs->Accessories->System Tools->System Restore->Next >);
    • The timestamp of the “RP1429\snapshot” folder is usually the timestamp of the RP1429 checkpoint;
    • The file must have been created/modified between the timestamps of RP1429 and RP1430;
    • When you're done, from Windows Explorer, right-click on “C:\System Volume Information”->Properties->Security-> Remove your login name (so that anti-spyware programs skip System Restore folders).
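The two procedures above (search the extracted change log for the file, then bound the change between the timestamps of the RPnnnn\snapshot folders) can be scripted. The following is an added example, not part of the original page: the change-log layout it parses (one entry per line carrying an RPDir=RPnnnn field and a path) is an assumption rather than the real SR-ChgLog.LOG format, and the sample log and the throw-away _restore{...} look-alike directory are constructed so that it runs offline. Point checkpoint_window at the real C:\System Volume Information\_restore{GUID} folder (after granting yourself access as described above) to get the actual window.

```python
"""Correlate a suspicious file with its System Restore checkpoint (added example)."""
import os
import re
import tempfile

# Constructed sample in an ASSUMED one-line-per-entry layout; the real
# SR-ChgLog.LOG layout produced by srdiag is not reproduced from the page.
SAMPLE_CHGLOG = r"""
RPDir=RP1428 Op=Create Path=C:\WINDOWS\Prefetch\NOTEPAD.EXE-D8414F97.pf
RPDir=RP1429 Op=Create Path=C:\WINDOWS\system32\unknown1.exe
RPDir=RP1429 Op=Create Path=C:\WINDOWS\system32\unknown1.dll
RPDir=RP1429 Op=Modify Path=C:\WINDOWS\system32\config\SOFTWARE
RPDir=RP1430 Op=Modify Path=C:\Documents and Settings\user\NTUSER.DAT
""".strip("\n")

RPDIR_RE = re.compile(r"RPDir=(RP\d+)")
RPFOLDER_RE = re.compile(r"^RP(\d+)$")

# Epoch seconds used for the constructed snapshot folders (checkpoints an hour apart).
T1428, T1429, T1430 = 1_117_620_000.0, 1_117_623_600.0, 1_117_627_200.0


def find_entries(log_text, filename, context=2):
    """Return (rp_name, surrounding_lines) for the first entry that names filename.
    The neighbouring lines are what you read to see what else changed at that time."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if filename.lower() in line.lower():
            m = RPDIR_RE.search(line)
            lo, hi = max(0, i - context), min(len(lines), i + context + 1)
            return (m.group(1) if m else None), lines[lo:hi]
    return None, []


def checkpoint_window(restore_root, rp_name):
    """Bound the change in time: (mtime of <rp>\\snapshot, mtime of the next RP's
    snapshot). The upper bound is None when rp_name is the newest checkpoint."""
    snaps = {}
    for name in os.listdir(restore_root):
        m = RPFOLDER_RE.match(name)
        snap = os.path.join(restore_root, name, "snapshot")
        if m and os.path.isdir(snap):
            snaps[int(m.group(1))] = os.path.getmtime(snap)
    n = int(rp_name[2:])
    if n not in snaps:
        raise KeyError(f"{rp_name} has no snapshot folder under {restore_root}")
    later = [k for k in snaps if k > n]
    return snaps[n], (snaps[min(later)] if later else None)


def build_sample_tree():
    """Create a throw-away _restore{...} look-alike (constructed) so the example runs offline."""
    root = tempfile.mkdtemp(prefix="_restore_sample_")
    for rp, ts in (("RP1428", T1428), ("RP1429", T1429), ("RP1430", T1430)):
        snap = os.path.join(root, rp, "snapshot")
        os.makedirs(snap)
        os.utime(snap, (ts, ts))  # pretend the checkpoint was taken at ts
    return root


if __name__ == "__main__":
    from datetime import datetime
    rp, ctx = find_entries(SAMPLE_CHGLOG, "unknown1.exe")
    print(f"found under {rp}:")
    print("\n".join("  " + l for l in ctx))
    start, end = checkpoint_window(build_sample_tree(), rp)
    print("created/modified between", datetime.fromtimestamp(start),
          "and", datetime.fromtimestamp(end) if end else "now")
```

The window is deliberately open-ended on the right when the entry belongs to the newest checkpoint, since there is no later snapshot to bound it; treat such a file as changed any time after that checkpoint.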

  • If you want to examine the Windows Registry snapshot taken as part of System Restore checkpoint “RP1429”:

    • Launch Regedit;
    • Click on HKEY_USERS;
    • File->Load Hive...;
    • Browse to the C:\System Volume Information\_restore{[some GUID]}\RP1429\snapshot folder, select _REGISTRY_MACHINE_SOFTWARE, and give it a key name such as "foo";
    • After "foo" is loaded under HKEY_USERS, you can navigate inside it and extract/export information you want;
    • After you're done, click on "foo", and File->Unload Hive... Yes.

    • Note: you can use the same steps to examine:
      1. the “known-good”, “factory-default” SYSTEM and SOFTWARE hives under C:\WINDOWS\repair;
      2. from a CD boot (such as WinPE), the normal boot-drive SOFTWARE and SYSTEM hive files under C:\WINDOWS\system32\config. This is particularly useful for removing spyware programs that self-heal deleted Registry entries and for checking malware Registry entries hidden by rootkits.
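The Regedit steps above (Load Hive, browse, Unload Hive) have a command-line equivalent in reg.exe, which makes it practical to diff an autostart key in a known-good snapshot against the live hive, which is exactly what you want when hunting entries that self-heal. The following is an added example, not code from the page: the loaded key name HKU\foo and the _REGISTRY_MACHINE_SOFTWARE hive file are taken from the steps above, the Run key is chosen as the comparison target, and the `reg query` output layout that parse_reg_query understands (indented lines of name, REG_ type, data) is assumed from typical output; the two sample outputs are constructed. compare_run_keys needs an elevated console on Windows and is not exercised offline.

```python
"""Diff an autostart key between a System Restore snapshot hive and the live hive (added example)."""
import re
import subprocess

LOADED = r"HKU\foo"                                 # key name from the Load Hive steps
RUN_SUBKEY = r"Microsoft\Windows\CurrentVersion\Run"  # chosen comparison target (assumption)


def reg_commands(hive_file, loaded=LOADED, subkey=RUN_SUBKEY):
    """reg.exe invocations equivalent to Regedit's Load Hive / browse / Unload Hive."""
    return {
        "load":   ["reg", "load", loaded, hive_file],
        "query":  ["reg", "query", loaded + "\\" + subkey],
        "live":   ["reg", "query", "HKLM\\SOFTWARE\\" + subkey],
        "unload": ["reg", "unload", loaded],
    }


# Assumed layout of one value line: <indent><name><ws><REG_type><ws><data>
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)(?:\s+(.*))?$")


def parse_reg_query(output):
    """Turn `reg query` text into {value_name: (type, data)}; key-path lines are skipped."""
    values = {}
    for line in output.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3) or "")
    return values


def diff_values(snapshot, live):
    """Values that are new or changed in the live hive relative to the snapshot."""
    return {name: live[name] for name in live if snapshot.get(name) != live[name]}


def compare_run_keys(hive_file):
    """Load the snapshot hive, query both Run keys, always unload, return the diff.
    Windows only, needs admin; `reg load` fails if the hive is already in use."""
    cmds = reg_commands(hive_file)
    subprocess.run(cmds["load"], check=True)
    try:
        snap = parse_reg_query(subprocess.run(cmds["query"], capture_output=True, text=True).stdout)
        live = parse_reg_query(subprocess.run(cmds["live"], capture_output=True, text=True).stdout)
    finally:
        subprocess.run(cmds["unload"], check=False)
    return diff_values(snap, live)


# Constructed sample outputs standing in for the two `reg query` runs.
SNAPSHOT_QUERY = r"""
HKEY_USERS\foo\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
"""
LIVE_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMAX    REG_SZ    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    Unknown Loader    REG_SZ    C:\WINDOWS\system32\unknown1.exe
"""

if __name__ == "__main__":
    for name, (kind, data) in diff_values(parse_reg_query(SNAPSHOT_QUERY),
                                          parse_reg_query(LIVE_QUERY)).items():
        print(f"new/changed since snapshot: {name} ({kind}) = {data}")
```

The same functions work for the C:\WINDOWS\repair hives and, from a WinPE boot, for the hives under C:\WINDOWS\system32\config; only the hive_file argument changes. Unloading in a finally block matters because a hive left loaded under HKU stays locked until reboot.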

  • Other useful tools and Web sites:
