More suggestions


Leolo
2007-12-18, 21:04
Hi,

Thanks a lot for the improvements in the new 0.7.3 version.

I'd like to make a few more suggestions:

- Add support for x64 operating systems.

These two links may be useful for that:
http://msdn2.microsoft.com/en-us/library/aa384129.aspx

http://support.microsoft.com/kb/896459

- Check the svchost.exe file to make sure it's from Microsoft and mark green all the services that are loaded from it. With the current version I have a lot of entries that aren't marked green because they are services loaded from svchost.exe

Thanks a million.
Best regards.

PepiMK
2007-12-18, 22:53
Support for 64 bit systems is in there ;)
You can recognize it for example on the Autorun tab - the Run "tree groups" exist in two variants, labeled Global (64 bit) and Global (32 bit). Same for some stuff on the Advanced Startups tab, most groups on the Explorer Plugins tab and on the Installed Software tab.

Or are you referring to usage on PE again? I'm afraid that when loading registry hives from inactive installations, those flags from your first link won't work. There, we would probably need some kind of dirty workaround?
(I'm working on updating RegAlyzer to handle the registry in both 32 and 64 bit currently though, the only real 64 bit construction lot right now.)

svchost.exe is also able to load bad services, isn't it?

Leolo
2007-12-24, 05:46
Hi,

Yes, sorry, I didn't specify that I was referring to WinPE.

I put the links because I thought they could be of use there. But it seems that under WinPE everything is much more complicated for the developer! I really appreciate the extra work you are doing to add support for WinPE.

Regarding the svchost.exe, you're right, it would be absurd to mark a service green just because svchost.exe launched it.

I suppose that the solution would be to check the service's dll, no?

For example: the "ServiceDll" value for the DHCP Client Service is "%SystemRoot%\System32\dhcpcsvc.dll", so you would check the signature of dhcpcsvc.dll and mark it green if it's correctly signed by Microsoft.

Could that be feasible?

My goal would be to have marked green as many services from Microsoft as possible. That would help a lot to pinpoint strange or malicious ones.

Best regards.
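The check sketched in the last two posts (verify svchost.exe itself, then resolve each hosted service's ServiceDll and verify that DLL's signature instead of trusting the host process), as an added example that is not part of the original thread or of the tool being discussed. It runs on the live system only (the WinPE / offline-hive case PepiMK mentions is not handled); the "is this Microsoft" test is a deliberately simple subject-name match, and the pattern, the function name and the Green/Review labels are assumptions of this example, not anything the tool does:

```powershell
# Added example, not code from the original thread or the tool under discussion.
# Run in an elevated PowerShell on the system being inspected.

function Get-SvchostServiceSignature {
    [CmdletBinding()]
    param(
        # Assumption: a valid signature whose signer subject matches this pattern
        # counts as "Microsoft". A production check would pin the chain to the
        # Microsoft root instead of matching a subject string.
        [string]$TrustedSubjectPattern = 'O=Microsoft Corporation'
    )

    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $props     = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $imagePath = [string]$props.ImagePath
        if ($imagePath -notmatch '(?i)svchost\.exe') { continue }   # only svchost-hosted services

        # First half of the suggestion: the host itself. Pull the svchost.exe path out of
        # ImagePath (e.g. %SystemRoot%\system32\svchost.exe -k netsvcs) and verify it.
        $hostPath = $null
        if ($imagePath -match '^\s*"?(?<host>[^"]*?svchost\.exe)"?') {
            $hostPath = [Environment]::ExpandEnvironmentVariables($Matches['host'])
        }
        $hostStatus = 'HostPathUnparsed'
        if ($hostPath -and (Test-Path -LiteralPath $hostPath)) {
            $hostSig    = Get-AuthenticodeSignature -FilePath $hostPath
            $hostStatus = $hostSig.Status
        }

        # Second half: the ServiceDll. It normally lives under <service>\Parameters,
        # occasionally directly on the service key.
        $serviceDll = $null
        $paramsPath = "$($svc.PSPath)\Parameters"
        if (Test-Path -LiteralPath $paramsPath) {
            $serviceDll = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServiceDll
        }
        if (-not $serviceDll) { $serviceDll = $props.ServiceDll }

        $result = [ordered]@{
            Service    = $svc.PSChildName
            HostSig    = $hostStatus
            ServiceDll = $null
            DllSig     = 'NoServiceDll'
            Signer     = $null
            Verdict    = 'Review'   # anything not proven green is worth a human look
        }

        if ($serviceDll) {
            # REG_EXPAND_SZ values can still carry %SystemRoot% etc. when read this way.
            $dllPath = [Environment]::ExpandEnvironmentVariables([string]$serviceDll)
            $result.ServiceDll = $dllPath

            if (-not (Test-Path -LiteralPath $dllPath)) {
                $result.DllSig = 'FileMissing'
            }
            else {
                # On Windows 8 / PowerShell 4 and later this also consults the security
                # catalogs, which is how most inbox DLLs are signed; on older systems
                # catalog-signed files report NotSigned and need a catalog-aware check.
                $sig = Get-AuthenticodeSignature -FilePath $dllPath
                $result.DllSig = $sig.Status
                if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }

                if ($hostStatus -eq 'Valid' -and
                    $sig.Status -eq 'Valid' -and
                    $result.Signer -match $TrustedSubjectPattern) {
                    $result.Verdict = 'Green'
                }
            }
        }

        [pscustomobject]$result
    }
}

# Usage: the short list that did not come out green is the one to inspect by hand.
Get-SvchostServiceSignature | Where-Object { $_.Verdict -ne 'Green' } | Format-Table -AutoSize
```

Two caveats a practitioner would keep in mind: a service that reaches "Green" here has a validly signed host and a validly signed DLL, but a signed Microsoft DLL can still be loaded by a service whose registration was tampered with (wrong group, extra parameters), so the registry values themselves remain worth eyeballing; and a `FileMissing` or `NotSigned` result on an old system is often just a catalog-signed file rather than anything hostile, which is exactly why the script reports rather than deletes.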