Path: news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail
From: candycanearter07 <candycanearter07@candycanearter07.nomail.afraid>
Newsgroups: comp.os.linux.advocacy,alt.comp.os.windows-11
Subject: Re: About That “inetpub” Folder ...
Date: Mon, 16 Jun 2025 19:20:06 -0000 (UTC)
Organization: the-candyden-of-code
Lines: 83
Message-ID: <slrn1050rdo.47r1.candycanearter07@candydeb.host.invalid>
References: <1027sfb$qu5d$1@dont-email.me> <1029lgc$1c3ad$1@dont-email.me>
<102aff5$1icjg$2@dont-email.me>
<slrn104lqt8.1qmpe.candycanearter07@candydeb.host.invalid>
<102fr9c$30kmr$1@dont-email.me>
<slrn104p3fl.19jrh.candycanearter07@candydeb.host.invalid>
<102i9vg$3nopv$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 16 Jun 2025 21:20:06 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="83cc0c09db1cc70fa03d59d628c893f3";
logging-data="1934551"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/TUuVeIglw1YLzLoCyh8tl7kshqDHs/tR5iTwWdbBKfg=="
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:X0wQ0qsC+O6eFkpKl0k7yLiFWaE=
Paul <nospam@needed.invalid> wrote at 22:50 this Friday (GMT):
> On Fri, 6/13/2025 4:50 PM, candycanearter07 wrote:
>> Paul <nospam@needed.invalid> wrote at 00:27 this Friday (GMT):
>>> On Thu, 6/12/2025 11:10 AM, candycanearter07 wrote:
>>>> Lawrence D'Oliveiro <ldo@nz.invalid> wrote at 23:35 this Tuesday (GMT):
>>>>> On Tue, 10 Jun 2025 12:11:56 -0400, Oscar wrote:
>>>>>
>>>>>> Can someone just give me the best way to get rid of it safely?
>>>>>
>>>>> You can’t. It’s needed for the Windows security mechanism to work.
>>>>
>>>>
>>>> That seems like a really dumb and insecure bandaid fix.
>>>>
>>>
>>> I'm surprised they didn't set the Hidden attribute on it.
>>>
>>> Paul
>>
>>
>> They DIDN'T?? That seems like a disaster waiting to happen.
>>
>
> The purpose of hiding it is so the ordinary users do not remove it.
>
> It has nothing to do with protecting a thing from an exploit.
>
> This is why I like the protections on WinRE.wim file (emergency
> boot OS container). It's got all sorts of Hidden and System
> attributes set on it. All this does is annoy the fuck out
> of people like me, working on fixing it. And it does nothing
> at all to stop a Black Hat.
>
> But still, the Hidden is to hide cosmetic issues, such
> as if you are using this trick (temporarily) as a fix.
>
> As an example, the Process Monitor you can download from
> Microsoft has a boot trace option, where you can trace
> execution (ETW events) from T=0. What people don't know
> (because they can't see it) is that a "procmon23.sys" or similar
> is added to System32, and that module is loaded at boot time.
> Since the Hidden bit is set on it, people can't see it, and
> the program does not clean up after itself and remove the
> file again. When the API changes, the version is bumped
> to "procmon24.sys".
>
> How can I spot those? Using nfi.exe, for NTFS listing.
> That parses the $MFT (Master File Table) and avoids a lot of issues.
>
> Let's see if I have a procmon passenger on board.
>
> .\nfi.exe C: > D:\nfi-c-out.txt
>
> File 8170
> \Windows\System32\drivers\PROCMON24.SYS <=== passenger!
> $STANDARD_INFORMATION (resident)
> $FILE_NAME (resident)
> $FILE_NAME (resident)
> $DATA (nonresident)
> logical sectors 287064-287223 (0x46158-0x461f7)
> logical sectors 292472-292479 (0x47678-0x4767f)
>
> *******
> Command Prompt:
>
>> cd /d C:\Windows\System32\drivers\
>
>> dir /ah PROCMON2*
> Volume in drive C is W11HOME
> Volume Serial Number is FA6E-E123
>
> Directory of C:\Windows\System32\drivers
>
> Sat, 05/31/2025 1:23 PM 82,344 PROCMON24.SYS
>
> Paul
Yeah, so if it was hidden, then people wouldn't have been freaking out.
Maybe they could also provide a script to unhide it for the people who
actually use it.
--
user <candycane> is generated from /dev/urandom
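The same check Paul does with `dir /ah`, done from PowerShell as an added example that is not Paul's code or a Sysinternals tool: it lists every Hidden/System file in the drivers directory that a plain listing omits and reports each one's Authenticode signature, since the Hidden bit itself says nothing about whether the file belongs there. It assumes the `System32\drivers` path from the thread and the built-in `Get-AuthenticodeSignature` cmdlet.

```powershell
# Added example (not from the thread): enumerate Hidden/System files in the
# drivers directory, which a plain listing skips, and show who signed them.
# The Hidden attribute is cosmetic; signature status and write time are the
# facts a defender actually judges a driver by.
param(
    # Directory to inspect; the default is the path used in the thread.
    [string]$Path = "$env:SystemRoot\System32\drivers"
)

# -Force makes Get-ChildItem include Hidden and System entries it would
# otherwise omit, exactly as 'dir' needs '/ah' to show them.
$all     = Get-ChildItem -LiteralPath $Path -File -Force
$visible = Get-ChildItem -LiteralPath $Path -File

# Keep only entries carrying the Hidden and/or System attribute bits.
$concealed = $all | Where-Object {
    ($_.Attributes -band [System.IO.FileAttributes]::Hidden) -or
    ($_.Attributes -band [System.IO.FileAttributes]::System)
}

$report = foreach ($f in $concealed) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Name       = $f.Name
        SizeBytes  = $f.Length
        LastWrite  = $f.LastWriteTime
        Attributes = $f.Attributes
        SigStatus  = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

"{0} files total, {1} shown by a plain listing, {2} hidden/system" -f `
    $all.Count, $visible.Count, $concealed.Count
# Unsigned or mismatched entries sort first, newest writes on top.
$report | Sort-Object SigStatus, LastWrite -Descending | Format-Table -AutoSize
```

A file that shows up here unsigned, or signed by someone other than Microsoft or a vendor you installed, is the one to investigate; a valid Sysinternals signature on a leftover PROCMON*.SYS is the benign case Paul describes.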