
Thread: More suggestions

  1. #1
    Junior Member
    Join Date: Jul 2006
    Posts: 15

    More suggestions

    Hi,

    Thanks a lot for the improvements in the new 0.7.3 version.

    I'd like to make a few more suggestions:

    - Add support for x64 operating systems.

    These two links may be useful for that:
    http://msdn2.microsoft.com/en-us/library/aa384129.aspx
    http://support.microsoft.com/kb/896459

    - Check the svchost.exe file to make sure it's from Microsoft and mark green all the services that are loaded from it. With the current version I have a lot of entries that aren't marked green because they are services loaded from svchost.exe.

    Thanks a million.
    Best regards.

  2. #2
    PepiMK, Member of Team Spybot
    Join Date: Oct 2005
    Location: Planet Earth
    Posts: 3,601

    Support for 64 bit systems is in there.
    You can recognize it for example on the Autorun tab: the Run "tree groups" exist in two variants, labeled Global (64 bit) and Global (32 bit). Same for some stuff on the Advanced Startups tab, most groups on the Explorer Plugins tab and on the Installed Software tab.

    Or are you referring to usage on PE again? I'm afraid when loading registry hives from inactive installations, those flags from your first link won't work. There, we probably would need some kind of dirty workarounds?
    (I'm working on updating RegAlyzer to handle the registry in both 32 and 64 bit currently though, the only real 64 bit construction lot right now.)

    svchost.exe is also able to load bad services, isn't it?
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  3. #3
    Junior Member
    Join Date: Jul 2006
    Posts: 15

    Hi,

    Yes, sorry, I didn't specify that I was referring to WinPE.

    I put the links because I thought they could be of use there. But it seems that under WinPE everything is much more complicated for the developer! I really appreciate the extra work you are doing to add support for WinPE.

    Regarding the svchost.exe, you're right, it would be absurd to mark a service green just because svchost.exe launched it.

    I suppose that the solution would be to check the service's dll, no?

    For example: the "ServiceDll" value for the DHCP Client Service is "%SystemRoot%\System32\dhcpcsvc.dll", so you would check the signature of dhcpcsvc.dll and mark it green if it's correctly signed by Microsoft.

    Could that be feasible?

    My goal would be to have marked green as many services from Microsoft as possible. That would help a lot to pinpoint strange or malicious ones.

    Best regards.
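The check proposed above (resolve each svchost-hosted service's ServiceDll, then verify it is Authenticode-signed by Microsoft), as an added example that is not part of the thread or of Spybot's own code. It assumes an elevated PowerShell session on a live Windows system; the key paths, the `Get-SvchostServiceDllStatus` name and the "Green" label are the example's own choices, and it does not handle offline WinPE hives, which the thread notes are a separate problem.

```powershell
# Added example: for every service whose ImagePath is svchost.exe, find the
# ServiceDll, expand %SystemRoot% etc., and verify its Authenticode signature.
# On Windows 8+ Get-AuthenticodeSignature also honours catalog signatures,
# which most in-box Microsoft DLLs rely on instead of an embedded signature.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-SvchostServiceDllStatus {
    Get-ChildItem $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = $_
        $imagePath = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath -or $imagePath -notmatch 'svchost\.exe') { return }

        # ServiceDll normally lives under the Parameters subkey, but a few
        # services store it directly on the service key; check both.
        $dll = $null
        foreach ($sub in @("$($svc.PSPath)\Parameters", $svc.PSPath)) {
            $dll = (Get-ItemProperty -Path $sub -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { break }
        }
        if (-not $dll) {
            [pscustomobject]@{ Service = $svc.PSChildName; Dll = $null; Status = 'NoServiceDll'; Signer = $null }
            return
        }

        # Expand environment variables (e.g. %SystemRoot%) and strip any quotes.
        $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Service = $svc.PSChildName; Dll = $path; Status = 'Missing'; Signer = $null }
            return
        }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # "Green" only when the chain validates AND the signer is Microsoft;
        # a valid signature from anyone else is reported separately for review.
        $status = if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') { 'Green' }
                  elseif ($sig.Status -eq 'Valid') { 'ValidNonMicrosoft' }
                  else { $sig.Status.ToString() }
        [pscustomobject]@{ Service = $svc.PSChildName; Dll = $path; Status = $status; Signer = $signer }
    }
}

# Show only the entries that would NOT be marked green, i.e. the ones worth a look.
Get-SvchostServiceDllStatus | Where-Object { $_.Status -ne 'Green' } | Format-Table -AutoSize
```

Anything reported as Missing, NotSigned, or ValidNonMicrosoft is exactly the kind of svchost-hosted entry the poster wants to stand out from the rest.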
