newest version here
Purpose: detecting rootkits.
Quick overview: when you start RootAlyzer it runs a quick scan of a few important locations, which takes about a second on a modern machine. To check the whole system, switch to the Deep Scan tab.
Background: rootkits hide by hooking into system functions and filtering their own files, registry entries and processes out of the results those functions return. Windows is a complex system, though: files and registry entries can be enumerated in several different ways, processes are referenced in several different places, and many rootkits hide only from the standard interfaces the regular user sees, not from all of them. RootAlyzer walks the file system, the registry and the process-related lists using several different methods and compares the results; anything that shows up in one listing but not in another is a candidate for something hidden. (A file deleted or a process that exits between two enumerations produces the same kind of difference, so a hit is a lead to inspect, not proof by itself.)
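To make the comparison concrete, here is an added example of the cross-view idea in Python. It is not RootAlyzer's code: the view names (`toolhelp`, `ntquery`, `findfirstfile`, `mft`, `regenum` and so on) only label which enumeration method a list came from, and the lists themselves are constructed sample data rather than a real system snapshot. The engine normalises names the way different Windows APIs report them (case, trailing separators, long and short hive names), then reports every object that is missing from at least one view, and separately the ones hidden from the user-facing view, which are the interesting hits.

```python
"""Cross-view comparison of the kind a rootkit scanner's deep scan performs.

Added example, not RootAlyzer's own code. Each "view" is one way of
enumerating an object class (files, registry keys, processes). A rootkit
that filters only the user-facing API leaves a discrepancy between views.
The sample views below are constructed data, not a real system snapshot.
"""
from dataclasses import dataclass, field


def normalize(kind: str, name: str) -> str:
    """Canonicalise a name so the same object compares equal across views.

    Windows paths and registry keys are case-insensitive; one API may return
    trailing separators or a full HKEY_LOCAL_MACHINE prefix where another
    abbreviates it to HKLM.
    """
    key = name.strip().rstrip("\\")
    if kind == "registry":
        for long, short in (("HKEY_LOCAL_MACHINE", "HKLM"),
                            ("HKEY_CURRENT_USER", "HKCU"),
                            ("HKEY_USERS", "HKU")):
            if key.upper().startswith(long):
                key = short + key[len(long):]
    if kind in ("file", "registry"):
        key = key.lower()
    return key


@dataclass
class Finding:
    kind: str
    name: str
    seen_in: list = field(default_factory=list)
    hidden_from: list = field(default_factory=list)


def cross_view(kind: str, views: dict) -> list:
    """Compare several enumerations of one object class.

    views maps a view name (hypothetical labels such as "toolhelp" or "mft")
    to the list of names that view returned. Returns a Finding for every
    object that is not present in every view: the candidates a rootkit may
    be hiding, plus any race artefacts from objects that came or went
    between two enumerations.
    """
    normalized = {v: {normalize(kind, n) for n in names} for v, names in views.items()}
    everything = set().union(*normalized.values())
    findings = []
    for name in sorted(everything):
        seen = [v for v in views if name in normalized[v]]
        hidden = [v for v in views if name not in normalized[v]]
        if hidden:
            findings.append(Finding(kind, name, seen, hidden))
    return findings


def hidden_from_user_view(findings: list, user_view: str) -> list:
    """Keep only objects the regular user would never see: missing from the
    standard view but returned by at least one lower-level view. Objects
    missing only from a raw view are more likely a race (file deleted or
    process exited between enumerations) than a rootkit."""
    return [f for f in findings if user_view in f.hidden_from]


# Constructed sample views standing in for different enumeration methods.
SAMPLE_PROCESSES = {
    "toolhelp": ["explorer.exe:1234", "svchost.exe:800"],
    "ntquery": ["explorer.exe:1234", "svchost.exe:800", "dropper.exe:4120"],
    "handles": ["explorer.exe:1234", "svchost.exe:800", "dropper.exe:4120"],
}
SAMPLE_FILES = {
    "findfirstfile": ["C:\\Windows\\System32\\kernel32.dll"],
    "ntquerydirectory": ["C:\\Windows\\System32\\kernel32.dll",
                         "C:\\Windows\\System32\\drivers\\hidden.sys"],
    "mft": ["C:\\WINDOWS\\System32\\KERNEL32.DLL",
            "c:\\windows\\system32\\drivers\\hidden.sys\\"],
}
SAMPLE_REGISTRY = {
    "regenum": ["HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip"],
    "ntenumeratekey": ["HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip",
                       "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\hidden"],
}

if __name__ == "__main__":
    for kind, views, user in (("process", SAMPLE_PROCESSES, "toolhelp"),
                              ("file", SAMPLE_FILES, "findfirstfile"),
                              ("registry", SAMPLE_REGISTRY, "regenum")):
        for f in hidden_from_user_view(cross_view(kind, views), user):
            print(f"{f.kind}: {f.name} seen by {f.seen_in}, hidden from {f.hidden_from}")
```

Run as a script it lists one hidden process, one hidden driver file and one hidden service key from the sample data. The normalisation step matters more than it looks: without it, `KERNEL32.DLL` from one view and `kernel32.dll` from another would be reported as two different files, and the real hits would drown in noise.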
Some screenshots, to show what this looks like in practice:
The property sheets in the release version are a bit newer than shown here and offer Delete/Terminate buttons.
- The Quick Scan screen shown when starting the application:
- The drive selection when switching to the Deep Scan:
- The Deep scan itself:
- Properties shown for a hidden file:
- Properties shown for a hidden registry key:
- Properties for a hidden process:
- More properties for a hidden process:
It's a work in progress (a new project tools category is available here to track bugs and feature requests), but it already makes it easy to locate some of the current malware rootkits.