Can I trace who wrote a file?

Thread starter: Todd
Todd said:
Delete it and it comes right back. Overwrite it with something
else and it comes right back. VirusTotal says it is legit.

And it harasses Kaspersky's installer. Says it does not have
permission to delete it.

I want to find who is writing it back after I delete it.


Windows is. Stuff in the system32 folder is protected. By Windows.



--

dadiOH
____________________________

Winters getting colder? Tired of the rat race?
Maybe just ready for a change? Check it out...
http://www.floridaloghouse.net
 
Only if you prepared in advance.

Maybe Sysinternals Procmon could record certain file system calls?
Then you'd have to go back through the log, after the fact, for
evidence.

This would be an example of a filter in Procmon.

"Operation" "Is" "CreateFile" "Include"

I think ProcMon, by default, stores things in system RAM. But there's
a preference where you can store results in a file. Perhaps you'd need
that option if you're going to leave it running all the time.

http://technet.microsoft.com/en-us/sysinternals/bb896645 (Process Monitor)

If you wanted something lower level or more inclusive than that,
you'd likely need to run a "real debugger".

And, as you'd expect, you can't catch everything that way.
A rootkit, for example, could hide from such an effort.
A rootkit hooks some of the same things that ProcMon might
be using.

HTH,
Paul
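
Going back through the Procmon log, as Paul describes, means finding the process whose write to the file came after your delete. As an added example (not from this thread), here is a Python script that does that search over a Procmon CSV export (File > Save, CSV format); the log lines are constructed, and the column layout is assumed to match Procmon's default export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Procmon CSV export (File > Save, CSV format).
# Column order is Procmon's default; the events themselves are made up.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,explorer.exe,1234,SetDispositionInformationFile,C:\\Windows\\System32\\grpconv.exe,SUCCESS,Delete: True
10:01:02.4,svchost.exe,880,CreateFile,C:\\Windows\\System32\\grpconv.exe,SUCCESS,Desired Access: Generic Write
10:01:02.5,svchost.exe,880,WriteFile,C:\\Windows\\System32\\grpconv.exe,SUCCESS,"Offset: 0, Length: 36,864"
10:01:05.0,setup.exe,4321,CreateFile,C:\\Windows\\System32\\grpconv.exe,ACCESS DENIED,Desired Access: Delete
10:01:09.3,notepad.exe,777,CreateFile,C:\\Users\\todd\\notes.txt,SUCCESS,Desired Access: Generic Write
"""

# Operations that change a file, as opposed to reads and attribute queries.
WRITE_OPS = {"CreateFile", "WriteFile", "SetDispositionInformationFile"}

def writers_of(csv_text, target_path):
    """Map (process, pid) -> [(time, operation)] for every successful
    write-type operation on target_path (Windows paths, case-insensitive)."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Path"].lower() != target_path.lower():
            continue
        if row["Operation"] not in WRITE_OPS or row["Result"] != "SUCCESS":
            continue
        # Keep a CreateFile only if it opened for write or delete; read-only
        # opens show "Generic Read" in the Detail column.
        if row["Operation"] == "CreateFile" and not any(
                w in row["Detail"] for w in ("Write", "Delete")):
            continue
        hits[(row["Process Name"], int(row["PID"]))].append(
            (row["Time of Day"], row["Operation"]))
    return dict(hits)

def recreators(csv_text, target_path):
    """Processes that wrote target_path after a delete of it was logged: the
    ones that put the file back. Same-day HH:MM:SS.f times sort as strings."""
    events = sorted((t, op, who) for who, ops in
                    writers_of(csv_text, target_path).items() for t, op in ops)
    deleted, found = False, set()
    for _, op, who in events:
        if op == "SetDispositionInformationFile":   # Delete: True
            deleted = True
        elif deleted:                               # CreateFile / WriteFile
            found.add(who)
    return found

if __name__ == "__main__":
    for who in recreators(SAMPLE_CSV, r"C:\Windows\System32\grpconv.exe"):
        print("recreated by %s (PID %d)" % who)
```

The ACCESS DENIED row is the kind of entry you would expect from an installer that is refused permission to delete a protected file; it is deliberately excluded because it changed nothing.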

You know, I saw winlogon light up some CPUs every time I tried
to erase grpconv. I uploaded winlogon to VirusTotal, but it
was clean.

winlogon? grpcnv.exe? Seems like you need a beginner course in Windows
system files. What's next, kernel.exe?

I stand on the shoulders of giants. Kernel? That is a type of corn,
is it not? :-)

-T

I think at this point, you need more than virustotal :-)

If you're installing a package, and something is trying to
"erase" a protected system file, there's got to be a reason.

Paul

Gives you the feel of a trojan. Turned out to be a bug
in the Kaspersky installer.

Kernel, isn't that a military rank for those that
sell chicken? Kernel Sanders? :-)

-T

Well, he did a stint in the military, so he earned it.

http://en.wikipedia.org/wiki/Colonel_sanders

"Sanders falsified his date of birth and enlisted in the
United States Army at the age of fifteen, completing his
service commitment as a mule handler in Cuba. He was
honorably discharged after four months and made his way
to Sheffield, Alabama where an uncle lived."

Paul

Being named a "Kentucky Colonel" is actually a pretty high
honor (and obligation).