Pamela Fischer
How do mere mortals find the actual "product owner" of scores of cloaked
CLSID registry keys which the SysInternals rootkit revealer revealed?
The background on this simple question is lengthy (and in the public record
already) - essentially, I ran Mark Russinovich's SysInternals rootkit
decloaker ( http://www.sysinternals.com/utilities/rootkitrevealer.html )
which found scores of cloaked Windows XP registry keys & files containing a
universally unique identifier (UUID) in the form of an 8-4-4-4-20 hex class
id which I still don't know what to do with.
Here is just one example cloaked CLSID key I am trying to figure out what
product line it belongs to.
- HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32* 6/16/2004 9:19 PM 0 bytes Key name contains embedded nulls (*)
To find the product associated with that unique class id, I searched the
Microsoft CLASSID web site
http://www.microsoft.com/technet/prodtechnol/host/proddocs/appint/asdefclassid.mspx
but I didn't find any lookup table cross referencing these unique 40 hex
characters to a unique product line.
What am I missing?
Does such a cross-reference table actually exist?
How are we supposed to figure out the product owner of these 40 character
hex class ids?
Thank you in advance for your assistance to me and all with this question,
Pamela Fischer