'reg'
An antivirus vendor's write-up of a malware sample often lists the registry keys that the malware modifies. To query those keys from the command line, use the reg command. Even when no such write-up is available, you can check the registry keys most commonly modified by malware: the keys that control what starts with the system and what starts when a user logs in. These are known as the "Run" registry keys, and the reg command displays their values at the command line. Note, however, that much legitimate software also starts itself through these keys. After running the commands below, you will see the entries stored under these keys; a few Google searches on each entry will help you separate the valid settings from malware.
C:\> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C:\> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
We recommend that you run the commands a second time, replacing HKLM with HKCU. That variant lists the auto-start registry keys of the current user rather than only the system-wide settings held in HKLM.
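As an added example, not part of the original article, the following Python script parses the output of the reg query commands above and compares it with a snapshot of the same key recorded on a known-clean machine, reporting Run-key entries that are new or changed. The sample output and the baseline are constructed for illustration; on a real system you would capture both with the same reg query command.

```python
import re

# Constructed sample of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` output
# (not from a real host); the last entry is a made-up value that should stand out.
CURRENT_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    Windows Update Helper    REG_SZ    C:\Users\Public\updater.exe
"""

# Constructed baseline {key: {name: (type, data)}}: record it by running the same
# command on a known-clean machine and feeding the output to parse_reg_query().
BASELINE = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": ("REG_EXPAND_SZ", r"%windir%\system32\SecurityHealthSystray.exe"),
        "VMware User Process": ("REG_SZ", r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr'),
    }
}

def parse_reg_query(text):
    """Parse `reg query` output into {key: {name: (type, data)}}."""
    result, key = {}, None
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        if not line[0].isspace():  # an unindented line is a registry key path
            key = line.strip()
            result.setdefault(key, {})
            continue
        # Value names may contain single spaces, so split only on runs of 2+ spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if key is None or len(parts) < 2:
            continue
        data = parts[2] if len(parts) == 3 else ""  # empty REG_SZ data is legal
        result[key][parts[0]] = (parts[1], data)
    return result

def diff_against_baseline(baseline, current):
    # Returns (key, name, status, data) for values that are new or changed vs. the baseline.
    findings = []
    for key, values in current.items():
        known = baseline.get(key, {})
        for name, (vtype, data) in values.items():
            if name not in known:
                findings.append((key, name, "new", data))
            elif known[name] != (vtype, data):
                findings.append((key, name, "changed", data))
    return findings

if __name__ == "__main__":
    for key, name, status, data in diff_against_baseline(BASELINE, parse_reg_query(CURRENT_OUTPUT)):
        print(f"{status:8} {key}\\{name} -> {data}")
```

Anything reported as new or changed is the starting point for the web searches the article recommends, not a verdict on its own: legitimate software installed after the baseline was taken will show up the same way.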
'dir'
You should also check the Startup folder for unwanted programs launched from there. Run the dir command with the /A switch, which lists files regardless of their attributes, so hidden files are shown alongside the non-hidden ones.
C:\> dir /A "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
'net users' and 'net localgroup administrators'
Some malware creates accounts on the local computer. To check for this, run 'net users', which lists the accounts defined on the system. In addition, because some bot software adds an account to the local Administrators group, you should also run 'net localgroup administrators', which lists the members of that group. Do you recognise every account in the Administrators group? The following figure shows an example of this case.
'tasklist /svc'
Another vital area to analyse is the list of running processes. On Windows XP Professional, the tasklist command provides a lot of useful information. On its own it displays the running processes, their process ID numbers and their memory usage. If you run 'tasklist /svc', however, you will also see the services hosted inside each process, as shown below. This gives you a great deal to work with when investigating whether the system has been infected. In particular, the svchost.exe processes are usually quite busy, each hosting many services, and spyware sometimes inserts its own service into these processes in order to monitor or control your computer.
The commands shown in this article will give you a deeper understanding of how a Windows computer is configured, but practice makes perfect. It takes time to analyse 'clean' systems and learn what normally appears on a healthy Windows computer; only then can you reliably tell when a computer is infected. With some preparation and practice, command line skills will significantly improve your understanding of Windows computers and prepare you for the daily battle against malware.