Wednesday, June 26, 2013

Rescue Kit: Trinity Home

What is the Trinity Rescue Kit (TRK)?

www.trinityhome.org

Trinity Rescue Kit or TRK is a free live Linux distribution that aims specifically at recovery and repair operations on Windows machines, but is equally usable for Linux recovery issues.

- Easily reset Windows passwords with the improved winpass tool
- Simple and easy menu interface
- 5 different virus scan products integrated in a single uniform command line with online update capability
- Full NTFS write support thanks to ntfs-3g
- Winclean, a utility that cleans up all sorts of unnecessary temporary files on your computer
- Clone computers over the network via multicast
- Wide range of hardware support (kernel 2.6.35)
- Contributed backup utility called "pi", to automate local machine backups
- Easy script to find and mount all local filesystems
- Self update capability to include and update all virus scanners + local changes you made to TRK
- Full proxy server support
- Run a Samba file server (Windows-like file sharing)
- Run an SSH server
- Recovery and undeletion of files with utilities and procedures
- Recovery of lost partitions
- Evacuation of dying disks
- Full read/write and rpm support
- UTF-8 international character support (select keyboard language from the scrollable text menu at startup)
- 2 rootkit detection utilities
- Most software updated to recent versions
- Literally thousands of changes and bugfixes since version 3.3
- Elaborate documentation, including manpages for all commands (also TRK's own)


Today we will look at Winpass and Winclean. 


Monday, June 24, 2013

Boot Logging

Today we discuss the difference in the ntbtlog.txt (boot log) file between a normal start and a safe mode start. We began by enabling boot logging using msconfig.exe. Once enabled, we restarted for the change to take effect and to generate our first "normal start" log. Once that was complete, we did a manual crash and restarted into safe mode, and again saved the boot log. Once we were up and running in normal mode we used WinMerge to compare the two files.

The comparison tool showed a very long list of drivers that did not load when using safe mode. The list can be found here. It appears that only the core boot drivers are loaded when booting into safe mode.

The following drivers were loaded in both instances:


Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\halmacpi.dll
Loaded driver \SystemRoot\system32\kdcom.dll
Loaded driver \SystemRoot\system32\mcupdate_GenuineIntel.dll
Loaded driver \SystemRoot\system32\PSHED.dll
Loaded driver \SystemRoot\system32\BOOTVID.dll
Loaded driver \SystemRoot\system32\CLFS.SYS
Loaded driver \SystemRoot\system32\CI.dll
Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys
Loaded driver \SystemRoot\system32\drivers\WDFLDR.SYS
Loaded driver \SystemRoot\system32\drivers\ACPI.sys
Loaded driver \SystemRoot\system32\drivers\WMILIB.SYS
Loaded driver \SystemRoot\system32\drivers\msisadrv.sys
Loaded driver \SystemRoot\system32\drivers\pci.sys
Loaded driver \SystemRoot\system32\drivers\vdrvroot.sys
Loaded driver \SystemRoot\system32\DRIVERS\prl_tg.sys
Loaded driver \SystemRoot\System32\drivers\partmgr.sys
Loaded driver \SystemRoot\system32\drivers\volmgr.sys
Loaded driver \SystemRoot\System32\drivers\volmgrx.sys
Loaded driver \SystemRoot\system32\drivers\intelide.sys
Loaded driver \SystemRoot\system32\drivers\PCIIDEX.SYS
Loaded driver \SystemRoot\System32\drivers\mountmgr.sys
Loaded driver \SystemRoot\system32\drivers\atapi.sys
Loaded driver \SystemRoot\system32\drivers\ataport.SYS
Loaded driver \SystemRoot\system32\drivers\msahci.sys
Loaded driver \SystemRoot\system32\drivers\amdxata.sys
Loaded driver \SystemRoot\system32\drivers\fltmgr.sys
Loaded driver \SystemRoot\system32\drivers\fileinfo.sys
Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys
Loaded driver \SystemRoot\System32\Drivers\msrpc.sys
Loaded driver \SystemRoot\System32\Drivers\ksecdd.sys
Loaded driver \SystemRoot\System32\Drivers\cng.sys
Loaded driver \SystemRoot\System32\drivers\pcw.sys
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.sys
Loaded driver \SystemRoot\system32\drivers\ndis.sys
Loaded driver \SystemRoot\system32\drivers\NETIO.SYS
Loaded driver \SystemRoot\System32\Drivers\ksecpkg.sys
Loaded driver \SystemRoot\System32\drivers\tcpip.sys
Loaded driver \SystemRoot\System32\drivers\fwpkclnt.sys
Loaded driver \SystemRoot\system32\drivers\vmstorfl.sys
Loaded driver \SystemRoot\system32\drivers\volsnap.sys
Loaded driver \SystemRoot\System32\drivers\rdyboost.sys
Loaded driver \SystemRoot\system32\DRIVERS\prl_strg.sys
Loaded driver \SystemRoot\system32\DRIVERS\prl_pv32.sys
Loaded driver \SystemRoot\System32\Drivers\mup.sys
Loaded driver \SystemRoot\System32\drivers\hwpolicy.sys
Loaded driver \SystemRoot\System32\DRIVERS\fvevol.sys
Loaded driver \SystemRoot\system32\drivers\disk.sys
Loaded driver \SystemRoot\system32\drivers\CLASSPNP.SYS
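The WinMerge comparison above can be done programmatically. The following is an added example, not code from the post: it parses two ntbtlog.txt logs and reports which drivers loaded in only one of them. The two logs are constructed to mimic ntbtlog.txt and are not the post's real output.

```python
"""Compare two Windows boot logs (ntbtlog.txt), a normal boot against a
safe-mode boot, and report which drivers loaded in only one of them: the
comparison the post did by eye in WinMerge. Example code added here, not
from the post; the two logs below are constructed to mimic ntbtlog.txt."""
import re
from typing import Dict, Set

NORMAL_LOG = r"""Microsoft (R) Windows (R) Version 6.1 (Build 7601)
 6 24 2013 10:12:03.125
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\drivers\ACPI.sys
Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\DRIVERS\nvlddmkm.sys
Did not load driver \SystemRoot\system32\DRIVERS\oldprinter.sys
"""
SAFE_LOG = r"""Microsoft (R) Windows (R) Version 6.1 (Build 7601)
 6 24 2013 10:20:41.500
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\drivers\ACPI.sys
Loaded driver \SystemRoot\System32\Drivers\Ntfs.sys
Did not load driver \SystemRoot\system32\DRIVERS\nvlddmkm.sys
Did not load driver \SystemRoot\system32\DRIVERS\usbhub.sys
"""

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S+)$")

def parse_bootlog(text: str) -> Dict[str, Set[str]]:
    """Split a boot log into drivers that loaded and drivers the kernel reported
    it did not load. Paths are lower-cased: ntbtlog.txt mixes 'system32',
    'System32' and 'DRIVERS' spellings for the same directory."""
    result: Dict[str, Set[str]] = {"loaded": set(), "not_loaded": set()}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header and timestamp lines carry no driver information
        bucket = "loaded" if m.group(1) == "Loaded driver" else "not_loaded"
        result[bucket].add(m.group(2).lower())
    return result

def compare_bootlogs(normal: str, safe: str) -> Dict[str, Set[str]]:
    """'only_normal' is the list the post got from WinMerge: drivers skipped in safe mode."""
    n, s = parse_bootlog(normal), parse_bootlog(safe)
    return {
        "both": n["loaded"] & s["loaded"],
        "only_normal": n["loaded"] - s["loaded"],
        "only_safe": s["loaded"] - n["loaded"],
        "failed_in_normal": n["not_loaded"],  # refused even on a normal boot: worth a look
    }
```

On a real machine, read each ntbtlog.txt with the encoding it was written in (check for a byte-order mark) before passing its text to compare_bootlogs.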

Sunday, June 23, 2013

Blue Screen of Death Analysis

In this lab we initiate a manual BSOD and create a dump file. We also discuss ways to resolve BSOD issues in the real world environment.

To manually force a BSOD we created a new DWORD Value in regedit. The value was named "CrashOnCtrlScroll" and was placed in "HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > services > i8042prt > Parameters". Right-click the newly created DWORD Value and select Modify. Set the Value Data to "1". Now when you hold the right CTRL key and press SCROLL LOCK twice, it will cause a manual blue screen of death.

Tuesday, June 18, 2013

Deleting Internet Explorer and Comparing Registries

For this lab we examine the difference in registries after deleting Internet Explorer.

First we saved the entire registry before deleting Internet Explorer, and then again after. I searched both exports for "Internet Explore" and found no differences, so it appeared that no changes to the registry were made. The screenshot below, however, shows that the two files differ in size, proving that some changes were in fact made.



Renaming the "Recycle Bin" Using Regedit.exe

In this lab we utilize the regedit.exe utility to change the name of the Recycle Bin to "My Junk".

First I found a tutorial on changing the name of the Recycling Bin here: http://www.sevenforums.com/tutorials/104976-recycle-bin-rename-windows-7-a.html

I used the tutorial to locate the correct key. After finding the key, I then utilized Microsoft's instructions on how to back up the registry key found here: http://support.microsoft.com/kb/136393

"Back up by Exporting a Portion of the Registry

  1. Click the Start button, click Run, and type REGEDIT. Click OK.
  2. In the Registry Editor, select the key you want to back up.
  3. From the Registry menu, choose Export Registry File.
  4. In the Save In list, select the folder where you want to save the backup.
  5. In the File Name box, type a name for your backup file, such as "Options" or "Backup."
  6. In the Export Range box, be sure that "Selected branch" is selected.
  7. Click Save. The file is saved with a .reg extension."


After following all the steps of the tutorial, I was able to successfully change the name of the Recycle Bin to "My Junk." This did require logging off and back on to show on the desktop.


I tested the Recycle Bin to ensure that it was still operating as expected. Once it was verified, I used the backup registry key to restore the Recycle Bin to its original name.
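Both this lab and the Internet Explorer lab above compare registry exports. The following is an added example, not code from the post or from Microsoft: it parses two .reg exports of the kind the backup procedure produces and lists the values that differ, which is more precise than comparing file sizes. The exports are constructed (the key path uses the Recycle Bin's CLSID from general Windows knowledge, not from the post).

```python
"""Parse two Registry Editor exports (.reg) and list the values that changed,
comparing before/after key by key rather than by file size. Added example, not
from the post; exports constructed (key: Recycle Bin CLSID from general Windows
knowledge; hex(2) values are 'Recycle Bin'/'My Junk' in UTF-16LE). Regedit
writes .reg as UTF-16 with a BOM: open real files with encoding='utf-16'."""
from typing import Dict, Iterator, Tuple
RegTree = Dict[str, Dict[str, str]]   # {key path: {value name: raw value text}}
BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]
@="Recycle Bin"
"LocalizedString"=hex(2):52,00,65,00,63,00,79,00,63,00,6c,00,65,00,20,00,\
  42,00,69,00,6e,00,00,00
"""
AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}]
@="My Junk"
"LocalizedString"=hex(2):4d,00,79,00,20,00,4a,00,75,00,6e,00,6b,00,00,00
"""

def logical_lines(text: str) -> Iterator[str]:
    """Re-join hex values that Regedit wraps across lines with a trailing '\\'."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def parse_reg(text: str) -> RegTree:
    tree, current = {}, None
    for line in logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)   # '@' is the key's (Default) value
            tree[current][name if name == "@" else name.strip('"')] = value
    return tree

def diff_reg(before: RegTree, after: RegTree) -> Dict[str, Tuple[str, str]]:
    """Return {'KEY\\name': (old, new)}; '' marks a value absent on one side."""
    changes = {}
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                changes[f"{key}\\{name}"] = (b.get(name, ""), a.get(name, ""))
    return changes
```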

Tuesday, June 11, 2013

Analysis of CMD Commands: "FC" and "FIND"

Analysis of "FC"

The FC command compares two files or sets of files and displays the differences between them. Once completed, FC will return the lines that differ between the two files. If no lines differ, you will receive a message indicating that no differences were encountered.


Analysis of "FIND"

The "FIND" command searches for a text string in a file or files. It is used to find text within a file, not to find the file itself. It is helpful to use the /N switch so that the output includes the line number of each match.


Thursday, June 6, 2013

Analysis of dwm.exe

This post encompasses an analysis of the dwm.exe process.

The dwm.exe process is the window manager that gives opened windows their translucent and other visual effects such as live taskbar thumbnails. The OS actually writes a picture of the window to memory and creates a composite view of all the windows on the screen before sending them to be viewed on the monitor. This allows the OS to use video card hardware acceleration to create very smooth animations for actions such as minimizing and restoring windows, and even transparency effects.

I was able to kill the process via the Task Manager. I had to kill it twice to actually get it to stop. After killing the process, the windows I had open simply defaulted to the "Basic Windows Theme" option, as if I had made that selection in the Control Panel. You can also permanently disable the process by double-clicking its entry and, on the General tab, setting the startup type to "Disabled."

Analysis of CSRSS.EXE

This post encompasses a lab wherein I research and examine the functions of the CSRSS.exe process in Windows.

"This is the user-mode portion of the Win32 subsystem; Win32.sys is the kernel-mode portion. Csrss stands for Client/Server Run-Time Subsystem, and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and implementing some portions of the 16-bit virtual MS-DOS environment." CSRSS is mainly responsible for Win32 console handling and GUI shutdown.

It is critical to system operation and terminating this process will result in system failure. CSRSS cannot be terminated with the taskkill command or with Windows Task Manager, although it is possible in Vista if the Task Manager is run in Administrator mode. On Windows 7 and Windows 8 Developer Preview, Task Manager will inform the user that terminating the process will result in system failure, and prompt if they want to continue. I was not able to kill the process in Windows XP, 7, or 8.

Some virus hoax emails claim that csrss.exe is a virus that has been confirmed by Microsoft, and that the user should terminate it immediately. Doing so would actually lead to system failure and a blue screen of death. CSRSS is called along with winlogon.exe at Windows start-up. If either of the files is corrupted or otherwise inaccessible, the NT kernel will shut down the start-up process with a Blue Screen of Death. This is caused by a failure to move out of kernel mode and into user mode, the "normal" operation of Windows. The error code for this fault is 0xc000021a.

Some viruses, spyware, and trojans are known to disguise themselves as the CSRSS.exe process. These types of threats may include, but are not limited to:

Nimda.E
W32/Netsky.ab
W32/VBMania

Sources:
http://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem
http://technet.microsoft.com/en-us/security/bulletin/ms13-033
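Since malware borrows the csrss.exe name, a useful check is whether every process called csrss.exe actually runs from the System32 directory. The following is an added example, not code from the post: it applies that check to a constructed process snapshot. The rule that the genuine csrss.exe is started by smss.exe is general Windows knowledge, not something the post states.

```python
"""Flag processes that borrow the csrss.exe name. The genuine Client/Server
Run-Time Subsystem runs from %SystemRoot%\\System32 and is started by smss.exe;
a 'csrss.exe' anywhere else is the kind of impostor the post describes.
Example code added here (not from the post); the process table below is
constructed, and the smss.exe-parent rule is general Windows knowledge."""
import ntpath
from typing import Dict, List

# Constructed snapshot of a process list: pid, image name, full image path, parent name.
SAMPLE_PROCESSES: List[Dict[str, str]] = [
    {"pid": "404", "name": "csrss.exe", "path": r"C:\Windows\System32\csrss.exe", "parent": "smss.exe"},
    {"pid": "480", "name": "csrss.exe", "path": r"C:\Windows\System32\csrss.exe", "parent": "smss.exe"},
    {"pid": "3120", "name": "csrss.exe", "path": r"C:\Users\lab\AppData\Roaming\csrss.exe", "parent": "explorer.exe"},
    {"pid": "2210", "name": "CSRSS.EXE", "path": r"C:\Windows\csrss.exe", "parent": "svchost.exe"},
    {"pid": "1500", "name": "dwm.exe", "path": r"C:\Windows\System32\dwm.exe", "parent": "winlogon.exe"},
]

def suspicious_csrss(processes: List[Dict[str, str]], system_root: str = r"C:\Windows") -> List[Dict[str, object]]:
    """Return the entries named csrss.exe whose image path or parent does not
    match the genuine subsystem process. Two legitimate csrss.exe instances
    (one per session) are normal, so the count alone proves nothing; the
    comparison is case-insensitive because NTFS paths and process names are."""
    legit = ntpath.join(system_root, "System32", "csrss.exe").lower()
    flagged: List[Dict[str, object]] = []
    for p in processes:
        if p["name"].lower() != "csrss.exe":
            continue
        reasons = []
        if ntpath.normpath(p["path"]).lower() != legit:
            reasons.append(f"image path {p['path']} is not {legit}")
        if p["parent"].lower() != "smss.exe":
            reasons.append(f"parent is {p['parent']}, expected smss.exe")
        if reasons:
            flagged.append({"pid": p["pid"], "reasons": reasons})
    return flagged
```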

Sunday, June 2, 2013

Windows 7 Unattended Installation

This tutorial will cover the basic steps to create an unattended installation for Windows 7 using the Windows System Image Manager.

What is an unattended installation?
A hands-free installation.
An installation that requires no interaction while it's happening.
An installation where all the answers have been provided ahead of time.
A time saving feature!

Resources of an Unattended Installation:
Windows Automated Installation Kit, a free download from Microsoft:
http://www.microsoft.com/en-us/download/details.aspx?id=5753

Windows System Image Manager (A part of Windows AIK)

A source copy of Windows 7 OS

Simplified Steps:

  1. After installing the Windows AIK, open Windows System Image Manager.

  2. In the Windows Image box in the bottom left corner, right-click "Select a Windows Image", browse to your Windows 7 installation ISO (or DVD) and select the Sources\Install.wim file.

  3. For this tutorial we will use the sample autounattend file provided with Windows System Image Manager and make adjustments as needed. In the Answer File box, right-click "Untitled" and select "Open Answer File." The file is located at C:\Program Files\Windows AIK\Samples\autounattended_sample.

  4. In the Answer File box, we will be primarily working with the "1 windowsPE" pass and the "4 specialize" pass.
    • In the "1 windowsPE" pass we can set up our disk configuration and partitions. These settings will remain unchanged for this tutorial.
    • Under "UserData" we will input our product key.
    • In the "4 specialize" pass we can set up our computer name and OEM information.

  5. Use the Tools drop-down box at the top of Windows System Image Manager and select "Validate Answer File." This will check for errors and, if any are found, report them in the Messages box.

  6. Save the answer file by going to File > Save Answer File As > "autounattend.xml" (the file must be named exactly that).

  7. Use the Windows 7 USB/DVD tool to create a bootable USB or DVD.

  8. Copy the autounattend.xml file you just created to the root of the USB drive. Alternatively, you could use a third-party program to create a new ISO file that combines the Windows 7 installation with the autounattend.xml file.

  9. Use the bootable USB drive to install Windows 7 as you normally would; except this time you can enjoy a glass of iced tea and a sandwich while Windows installs without needing attention from you!
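Before the answer file goes onto the USB stick it is worth checking what it contains. The following is an added example, not code from the tutorial or from Windows SIM: it reads an autounattend.xml, reports the passes and the values edited in step 4 (product key, computer name, OEM information), and flags any password stored in clear text, since the file sits readable on the install media. The XML is a constructed minimal answer file with placeholder key and password values.

```python
"""Inspect a Windows 7 answer file before it goes onto the install media: list
its configuration passes and the values the tutorial edits, and flag any
password left in clear text. Example code added here, not from the tutorial
or Windows SIM; the XML is constructed, with placeholder key and password."""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"u": "urn:schemas-microsoft-com:unattend"}
SAMPLE_ANSWER_FILE = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup">
      <UserData><ProductKey><Key>XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</Key></ProductKey></UserData>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <ComputerName>LAB-PC-01</ComputerName>
      <OEMInformation><Manufacturer>Lab</Manufacturer></OEMInformation>
      <AutoLogon>
        <Password><Value>placeholder-password</Value><PlainText>true</PlainText></Password>
        <Enabled>true</Enabled><Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>"""

def summarize_answer_file(xml_text: str) -> Dict[str, object]:
    """Pull out the passes and the settings step 4 of the tutorial edits."""
    root = ET.fromstring(xml_text)
    def text_of(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""
    return {
        "passes": [s.get("pass") for s in root.findall("u:settings", NS)],
        "product_key": text_of(".//u:UserData/u:ProductKey/u:Key"),
        "computer_name": text_of(".//u:ComputerName"),
        "oem_manufacturer": text_of(".//u:OEMInformation/u:Manufacturer"),
    }

def plaintext_passwords(xml_text: str) -> List[str]:
    """Names of elements (e.g. Password, AdministratorPassword) whose <PlainText> is true."""
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter():
        pt = el.find("u:PlainText", NS)
        if pt is not None and (pt.text or "").strip().lower() == "true":
            hits.append(el.tag.split("}")[-1])
    return hits
```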