Figure 1
You can add more columns to get more information about applications, events, and processes, as shown in Figure 2.
Figure 2
Process Monitor produces a very large amount of information because so many processes run in the background on a Windows system. That means we need to filter if we want to capture only the information relevant to the task of finding malware. Notably, Process Monitor filters restrict what is displayed, not what is captured: all data is still recorded, but you only see what you need. You can display entries that match a process name, a user, a specific time of day, and so on. Many of the options are shown in Figure 3.
Figure 3
It is possible to combine multiple filters, for example to show only entries created by a particular process at a specific time of day, or to choose other conditions. This versatility greatly improves your ability to spot the events that matter without being distracted by large amounts of irrelevant information.
There are many useful buttons on the toolbar that let you show or hide registry activity, network activity, file system activity, process and thread events, and so on. You can also take notes, set timelines, and choose which events need to be recorded in order to limit the total number of stored events.
When a malware program installs itself on your system, it extracts files to different locations on the hard drive, copies a driver file to the Windows system directory, adds keys to the Windows registry, and so on. With Process Monitor, you can identify what is creating those files, what recreates them after you have deleted them, and what is creating suspicious registry entries.
To find out what a suspect process is doing, you first set up a filter to display only entries for the process with that name. You can then filter the results further, or review each result line to see what the process is doing. For example, you can choose to display only registry events to determine which registry keys the process is accessing, changing or adding, then inspect those registry values to find out the effect of the changes. Likewise, you can review the file system events to find out which files a process is reading, and which files are being deleted from or added to the system.
It may be easier to review the information in another program, such as Excel, and you may also want to save a copy of it. In that case, you can export the data to a .CSV or .XML file using the 'Save to file' option (you can also save the capture in Process Monitor's native .PML format if you want to reopen it in Process Monitor later).
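The two preceding paragraphs describe narrowing a capture down to one process, looking separately at its registry and file system activity, and exporting the result as .CSV. The following script, an added example that is not part of the original article, does that triage on an exported CSV offline. It assumes the default column layout Process Monitor writes when saving as CSV (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the sample rows, the process name "updater.exe" and its paths are constructed for illustration only.

```python
"""Triage of a Process Monitor CSV export (added example, not the article's own code).

Assumed layout of a Process Monitor CSV export:
    "Time of Day","Process Name","PID","Operation","Path","Result","Detail"
The rows in SAMPLE_CSV are constructed; "updater.exe" is a hypothetical process.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export: a hypothetical "updater.exe" drops a driver into
# the system directory and adds a Run key, mixed with ordinary background noise.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0010000","explorer.exe","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:02:11.0020000","updater.exe","4321","CreateFile","C:\Windows\System32\drivers\updsvc.sys","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:02:11.0030000","updater.exe","4321","WriteFile","C:\Windows\System32\drivers\updsvc.sys","SUCCESS","Offset: 0, Length: 24,576"
"10:02:11.0040000","updater.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 62, Data: C:\Users\Public\updater.exe"
"10:02:11.0050000","svchost.exe","880","RegOpenKey","HKLM\SYSTEM\CurrentControlSet\Services\W32Time","SUCCESS","Desired Access: Read"
"10:02:11.0060000","updater.exe","4321","CreateFile","C:\Users\Public\updater.exe","NAME NOT FOUND","Desired Access: Read Attributes"
'''

# Operations that modify the system; reads are noise for this particular question.
WRITE_OPERATIONS = {
    "CreateFile", "WriteFile", "SetDispositionInformationFile",
    "RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey",
}
# Well-known registry locations used for autostart (compared case-insensitively).
REGISTRY_PERSISTENCE = (
    "\\currentversion\\run", "\\currentversion\\runonce", "\\currentcontrolset\\services\\",
)
# Directories where the article notes malware likes to copy driver files.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_export(text):
    """Read a Process Monitor CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(events, process=None, operations=None, start=None, end=None):
    """Mimic a Process Monitor display filter: keep rows matching a process name,
    a set of operations and a time-of-day window (times compare as fixed-width strings)."""
    kept = []
    for e in events:
        if process and e["Process Name"].lower() != process.lower():
            continue
        if operations and e["Operation"] not in operations:
            continue
        t = e["Time of Day"]
        if start and t < start:
            continue
        if end and t > end:
            continue
        kept.append(e)
    return kept


def summarize(events):
    """Count operations per process: the first overview to take before drilling in."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["Process Name"]][e["Operation"]] += 1
    return {proc: dict(c) for proc, c in counts.items()}


def flag_suspicious(events):
    """Return (reason, event) pairs for successful writes into autostart registry
    locations or into the Windows system directory. Failed operations are skipped."""
    findings = []
    for e in events:
        if e["Result"] != "SUCCESS" or e["Operation"] not in WRITE_OPERATIONS:
            continue
        path = e["Path"].lower()
        is_registry = e["Operation"].startswith("Reg")
        if is_registry and any(key in path for key in REGISTRY_PERSISTENCE):
            findings.append(("persistence registry write", e))
        elif not is_registry and path.startswith(SYSTEM_DIRS):
            findings.append(("write into Windows system directory", e))
    return findings


if __name__ == "__main__":
    events = parse_export(SAMPLE_CSV)
    for proc, ops in summarize(events).items():
        print(proc, ops)
    for reason, e in flag_suspicious(filter_events(events, process="updater.exe")):
        print(f"{e['Time of Day']} {e['Process Name']} ({e['PID']}) {e['Operation']} {e['Path']}: {reason}")
```

On a real export, replace SAMPLE_CSV with the file contents; the same three steps apply: summarize everything, filter down to the process of interest, then look at its registry and file writes separately, which is exactly the workflow the article describes for the GUI.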
Used together with Process Explorer and Autoruns, Process Monitor forms a powerful set of tools for monitoring and removing malware from a system.
As I have demonstrated in this three-part series, the Sysinternals tools are a great help in finding and killing malware, and they are especially useful during 'zero-day' periods, when anti-malware vendors have not yet provided new signatures. However, the Sysinternals tools sometimes fail, because the malware author has studied these popular tools thoroughly and knows how to evade them (as well as commercial anti-virus and anti-malware products) in order to infiltrate your system. In most cases, though, you can use Process Explorer, Process Monitor or Autoruns to find the malicious process.
In this three-part series, I showed you how to use tools like Process Explorer, Autoruns and Process Monitor to find and kill malware. Besides being free, the Sysinternals tools are also a good aid for anyone who wants to learn more about malicious code and wants to remove it from their system. All of them can be downloaded for free from the Microsoft website.