Re: New Version (Major Update) of SysInternals Process Explorer



"Rabbit" <Rabbit_is@xxxxxxxxxxx> wrote in message
news:45bkdqF5tr8fU1@xxxxxxxxxxxxxxxxx
"pmj" <post@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:Ie0If.19420$wl.2902@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I'd be interested to know whether or not your (Medion) PC
shows up the same (or similar) results to mine, when Running
a "RootKitRevealer" Scan...

Actually I was just running it, looking at it and wondering what
I was going to do with it if it found anything :-)

Well, the first thing to do, would be to check out (look up) & find
out about anything that it showed up...

... TBH I'd have chickened out if I hadn't trusted the person who
told me about it, you in this case. All that *dumping* at the
start and the *cleaning up* at the end. Eh what's it dumping and
what's it cleaning up ?

It's looking for stuff that's *hidden* (& concealed)...
That's the whole point of it.
Have a read of the Info about it on the SysInternals Website.

http://sysinternals.com/Utilities/RootkitRevealer.html

(& also look in the Help File (.CHM) that comes with it.)

They explain what it does & how to interpret the results.

Basically, it "Dumps" [*1] the Contents of the Registry Hive(s)
to temporary Files on the Disk, so it can Read them directly.
It then Reads the Registry using the standard windoze API
(Application Programming Interface) calls - which is what
ordinary Programs use.
It then compares the results of using the API calls with what
it sees when it reads the Hive Files directly & reports any
discrepancies.

[*1]
"Dump" (in Computer terms) is a word which (basically) means
"Saves a load of the Information out from Memory, to a File
(or Display on Screen)" - Have you heard things like "Hex Dump"
& "Core Dump" & "Kernel Dump"?

That's a similar sort of thing.

It does the same for the Disk Filing System.
It uses standard API calls, then Reads the Filing System directly
& compares them & reports any discrepancies.

When it's done all that, it then has to clean up (Delete) the
Temporary Files that it created in the process.

What you see in the "StatusBar" is it telling you what's going on.

I've looked at the Scan results
<snip>
...& am happy that there aren't any that shouldn't be there
(other than the ones I have Created myself, for "testing").

But the RootKitRevealer *does* show a discrepancy in a Registry
Entry, on my Machine.

I'm happy that it's not Malicious, but I'm intrigued as to why
there is a discrepancy...

It's in:

HKLM\SOFTWARE\Classes\webcal\URL Protocol

"Data mismatch between Windows API & Raw Hive Data"

That "URL Protocol" Entry (in my Registry) is a String Value
& it contains just the (obviously? erroneous?) Text: "URL Pr"

I've looked in the Help File (which explains about how to interpret
the Results) & I can see that it's not Malicious.
I suspect it's just a Corrupted Entry & has been there right from
the beginning.

Looks like I've got the same on my C drive but not on the two
new installs.

Ah right!!!

So that *is* what I suspected....

HKLM\SOFTWARE\Classes\webcal\URL Protocol 05/08/2005 12:29
13 bytes Data mismatch between Windows API and raw hive data.
Which IIRC is dated before I got the machine.


It's in there as part of the Medion Factory Installation Image -
I think that's something to do with the Version of M$ Works that
comes Pre-Installed with them - it's just a slight Bug in the
Installation Routine or something.

So when you do a "Plain Vanilla" Installation of WinXP,
then that Registry Entry isn't there.

Thanks.

--
pmj
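As an added example (not the post's or Sysinternals' code), here is the cross-view comparison described in the thread, run over constructed data: one dict stands in for what the Windows API returns, the other for what a direct parse of the dumped hive file shows, and every difference is reported. The 13-byte sample for the webcal "URL Protocol" value (six UTF-16 code units plus one stray byte) is an assumption about that entry, not something the thread establishes.

```python
# Added example: cross-view registry diff in the style RootkitRevealer is
# described as using. Not the tool's own code; all data below is constructed.

HIDDEN = "Hidden from Windows API."
API_ONLY = "Visible in Windows API but not in raw hive data."
MISMATCH = "Data mismatch between Windows API and raw hive data."


def reg_sz(text: str) -> bytes:
    """Encode a string the way REG_SZ data is stored: UTF-16LE plus a NUL."""
    return text.encode("utf-16-le") + b"\x00\x00"


def decode_reg_sz(data: bytes) -> str:
    """Decode REG_SZ data as a tolerant, API-style reader would: whole UTF-16
    code units only, stopping at the first NUL and dropping a dangling byte."""
    usable = data[: len(data) - (len(data) % 2)]
    return usable.decode("utf-16-le").split("\x00", 1)[0]


def compare_views(api_view: dict, raw_view: dict) -> list:
    """Return (path, raw_size_in_bytes, message) for every discrepancy
    between the API view and the raw hive view."""
    findings = []
    for path in sorted(set(api_view) | set(raw_view)):
        api_data, raw_data = api_view.get(path), raw_view.get(path)
        if api_data is None:                 # present on disk, invisible via API
            findings.append((path, len(raw_data), HIDDEN))
        elif raw_data is None:               # API shows it, hive does not have it
            findings.append((path, len(api_data), API_ONLY))
        elif api_data != raw_data:           # both see it, but the bytes differ
            findings.append((path, len(raw_data), MISMATCH))
    return findings


# Constructed raw-hive view. The odd-length webcal value is an assumption:
# "URL Pr" as six UTF-16 code units plus one stray byte, 13 bytes in total.
RAW_VIEW = {
    r"HKLM\SOFTWARE\Classes\webcal\URL Protocol": "URL Pr".encode("utf-16-le") + b"\x00",
    r"HKLM\SOFTWARE\Classes\webcal\(Default)": reg_sz("URL:webcal Protocol"),
    r"HKLM\SYSTEM\CurrentControlSet\Services\constructed_hidden\Start": reg_sz("2"),
}
# Constructed API view: the API re-encodes what it can decode, and the
# constructed hidden key never reaches it at all.
API_VIEW = {
    path: reg_sz(decode_reg_sz(data))
    for path, data in RAW_VIEW.items()
    if "constructed_hidden" not in path
}

if __name__ == "__main__":
    for path, size, msg in compare_views(API_VIEW, RAW_VIEW):
        print(f"{path}\t{size} bytes\t{msg}")
```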

