Path: news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail
From: candycanearter07
Newsgroups: comp.os.linux.advocacy,alt.comp.os.windows-11
Subject: Re: About That “inetpub” Folder ...
Date: Mon, 16 Jun 2025 19:20:06 -0000 (UTC)
Organization: the-candyden-of-code
Lines: 83
Message-ID:
References: <1027sfb$qu5d$1@dont-email.me> <1029lgc$1c3ad$1@dont-email.me> <102aff5$1icjg$2@dont-email.me> <102fr9c$30kmr$1@dont-email.me> <102i9vg$3nopv$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 16 Jun 2025 21:20:06 +0200 (CEST)
User-Agent: slrn/1.0.3 (Linux)

Paul wrote at 22:50 this Friday (GMT):
> On Fri, 6/13/2025 4:50 PM, candycanearter07 wrote:
>> Paul wrote at 00:27 this Friday (GMT):
>>> On Thu, 6/12/2025 11:10 AM, candycanearter07 wrote:
>>>> Lawrence D'Oliveiro wrote at 23:35 this Tuesday (GMT):
>>>>> On Tue, 10 Jun 2025 12:11:56 -0400, Oscar wrote:
>>>>>
>>>>>> Can someone just give me the best way to get rid of it safely?
>>>>>
>>>>> You can’t. It’s needed for the Windows security mechanism to work.
>>>>
>>>> That seems like a really dumb and insecure band-aid fix.
>>>
>>> I'm surprised they didn't set the Hidden attribute on it.
>>>
>>> Paul
>>
>> They DIDN'T?? That seems like a disaster waiting to happen.
>
> The purpose of hiding it is so the ordinary users do not remove it.
> It has nothing to do with protecting a thing from an exploit.
>
> This is why I like the protections on the WinRE.wim file (emergency
> boot OS container). It's got all sorts of Hidden and System
> attributes set on it. All this does is annoy the fuck out
> of people like me, working on fixing it. And it does nothing
> at all to stop a Black Hat.
>
> But still, the Hidden is to hide cosmetic issues, such
> as if you are using this trick (temporarily) as a fix.
>
> As an example, the Process Monitor you can download from
> Microsoft has a boot trace option, where you can trace
> execution (ETW events) from T=0. What people don't know
> (because they can't see it) is that a "procmon23.sys" or similar
> is added to System32, and that module is loaded at boot time.
> Since the Hidden bit is set on it, people can't see it, and
> the program does not clean up after itself and remove the
> file again. When the API changes, the version is bumped
> to "procmon24.sys".
>
> How can I spot those? Using nfi.exe, for NTFS listing.
> That parses the $MFT (Master File Table) and avoids a lot of issues.
>
> Let's see if I have a procmon passenger on board.
>
> .\nfi.exe C: > D:\nfi-c-out.txt
>
> File 8170
> \Windows\System32\drivers\PROCMON24.SYS <=== passenger!
> $STANDARD_INFORMATION (resident)
> $FILE_NAME (resident)
> $FILE_NAME (resident)
> $DATA (nonresident)
> logical sectors 287064-287223 (0x46158-0x461f7)
> logical sectors 292472-292479 (0x47678-0x4767f)
>
> *******
> Command Prompt:
>
>> cd /d C:\Windows\System32\drivers\
>
>> dir /ah PROCMON2*
> Volume in drive C is W11HOME
> Volume Serial Number is FA6E-E123
>
> Directory of C:\Windows\System32\drivers
>
> Sat, 05/31/2025 1:23 PM 82,344 PROCMON24.SYS
>
> Paul

Yeah, so if it was hidden, then people wouldn't have been freaking out.
Maybe they could also provide a script to unhide it for the people who
actually use it.

-- 
user is generated from /dev/urandom
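Paul's `dir /ah` / nfi.exe hunt for the leftover PROCMONnn.SYS driver, plus the "script to unhide it" the reply asks for, as an added PowerShell example that is not part of the original thread. It assumes the PROCMONnn.SYS naming Paul describes, the default `%SystemRoot%\System32\drivers` location, and an elevated prompt for the unhide step; the function names `Get-HiddenDriverFile`, `Get-ProcmonPassenger` and `Clear-HiddenAttribute` are chosen here for illustration.

```powershell
# Added example (not from the original post). Lists Hidden/System files in
# System32\drivers the way 'dir /ah' does, flags Process Monitor's boot-trace
# driver and asks the kernel's driver list whether it is loaded, and shows how
# to clear the Hidden bit. Assumption: PROCMONnn.SYS naming and an elevated shell.

$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

function Get-HiddenDriverFile {
    param([string]$Path = $driversDir)
    # -Force returns entries carrying Hidden or System, which a plain
    # Get-ChildItem (like a plain 'dir') silently omits.
    Get-ChildItem -Path $Path -Force -File |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object {
            # The Hidden bit is cosmetic; the Authenticode signature is what
            # tells you whose code this is.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name       = $_.Name
                Bytes      = $_.Length
                Modified   = $_.LastWriteTime
                Attributes = $_.Attributes
                SigStatus  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            }
        }
}

function Get-ProcmonPassenger {
    param([string]$Path = $driversDir)
    # Match any PROCMONnn.SYS version and correlate it with Win32_SystemDriver,
    # whose PathName is the on-disk image of each registered kernel driver.
    $registered = Get-CimInstance -ClassName Win32_SystemDriver
    Get-ChildItem -Path $Path -Force -File -Filter 'procmon*.sys' | ForEach-Object {
        $file = $_
        $svc  = $registered | Where-Object { $_.PathName -and ($_.PathName -ilike "*\$($file.Name)") }
        [pscustomobject]@{
            File    = $file.FullName
            Hidden  = (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
            Service = if ($svc) { $svc.Name } else { '(not registered as a driver service)' }
            State   = if ($svc) { $svc.State } else { 'n/a' }
        }
    }
}

function Clear-HiddenAttribute {
    # Removes Hidden and System from one file and leaves every other attribute
    # alone. Needs write access to the file, hence the elevated-shell assumption.
    param([Parameter(Mandatory)][string]$FilePath)
    $item = Get-Item -LiteralPath $FilePath -Force
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band -bnot $mask)
    Get-Item -LiteralPath $FilePath -Force | Select-Object FullName, Attributes
}

Get-HiddenDriverFile | Format-Table -AutoSize
Get-ProcmonPassenger | Format-List

# Uncomment to make the leftover visible to a plain 'dir' again:
# Get-ProcmonPassenger | ForEach-Object { Clear-HiddenAttribute -FilePath $_.File }
```

The signature column is the part that matters from a security standpoint: as Paul says, Hidden and System stop nobody who is looking, so when you find an unexpected hidden driver the questions are who signed it and whether it is registered and running, not whether Explorer shows it.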