Episode: 40
Title: HPR0040: Sysinternals Part 1
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0040/hpr0040.mp3
Transcribed: 2025-10-07 10:39:24

---

I'm Zoke on IRC and I'm going to talk to you about the Sysinternals suite. It used to be done by an independent company and now it's been bought out by Microsoft, so you may want to read the EULAs very carefully. First, the programs in the Sysinternals suite. I'm just going to go through some of them; you can go and Google for them. These are some of the main programs that I used to use at work and I think you'll find quite useful.

Autoruns: this basically gives you a list of every program that automatically runs. It's quite good in the fact that it does search the startup folders, the registry keys, both the local machine and local user, and a bunch of other places I'd never heard of. It gives you an option to remove all of them, so you can go through and rip any of the crap that's on a machine out. This also includes a lot of the spyware that likes to hide itself in odd places; you can remove all that and clear up machines pretty well.

Next up we have BGInfo. This puts text on the desktop. Yeah, exciting, isn't it? You can put the IP address, version info, specific build numbers and stuff. We used it on the test machines so you could see what they were running.

BlueScreen, a screensaver that emulates the blue screen of death. You're going to want that just for putting on a friend's computer and watching them freak out as it blue screens on them.

Filemon, short for file monitor. This will monitor your files and show you what's accessing them. It's pretty much real time; it's going to take a fraction of a second from touch to showing on screen. Basically you run Filemon and then all you have to do is remove or filter all the hard drive access that Windows does, which is a lot. Your antivirus is going to be in there; if you've got a firewall, that's going to be in there. Windows itself opens a ton of files all the time. So you can just right-click on them and filter and remove them. But then you run the program that you're going to install, watch it install, and it will show you exactly what it's installing where, which is very cool and useful.

Handle shows the open files, any file handles that you have open on your system. So all the open files, basically; that can be used to see what's got what open, where.

ListDLLs lists DLLs, funnily enough. This can be cool if you've got DLL issues. A rather annoying problem we had at work was we had most of Visual Studio and then we had Crystal Reports separately. The version that came with Visual Basic was a very cut down, crappy version of the full-blown version of Crystal Reports, but it had a higher number on the DLL. So when we installed it, the program we used for rolling out all the software looked at it and thought "higher number", installed that one, and ended up breaking half the stuff. ListDLLs will show you what open DLLs are on your system and you can check the version numbers from there.

LogonSessions shows any logged on users on your machine. It's very useful to see if someone's logged into your machine remotely, for example trying to do something like opening your CD-ROM drive. Don't ask; there is a story behind that, though.

PageDefrag will defrag a page file. That's what it says on the can, basically: set it to defrag on next reboot and reboot. Pretty much simple.

Process Explorer, it's a very cool utility. It shows you what DLLs and any other things are being called by a program, so you select the program and then you can see exactly what it's calling. So if you're looking for missing DLLs, you can see what the program is looking for and specifically which calls are in there.

Now we come to the PsTools suite, which is one of the most useful bits, in my mind anyway, if for nothing else then just for annoying your co-workers. You can download the entire suite, but there are various bits inside there and I'll go through some of the main programs.

PsExec: this executes files remotely on another machine, assuming you have permission. At work we had local admin access on every single machine because we were the IT guys. You can use it to remotely install and register the DLLs, for example, on another machine, which we were looking at to fix problems if they had DLL issues. Alternatively you could just take over a co-worker's machine and make Internet Explorer load up Two Girls One Cup or another website that Dan's told you about.

PsFile will show you any open files on a local or remote machine. This could be quite useful if you're trying to upgrade one of the files and you can't because someone's using it; you can see why.

PsInfo shows you information about the local or remote machine.

PsKill will kill a running process on a local or remote machine. Found this quite useful: a friend had a VMware session up and it crashed. He was running it full screen, couldn't do anything else on the machine. He phoned me up, I ran PsKill, killed the process off, and he got his machine back and managed to save the Word document he had open in another window that hadn't been saved.

PsList lists the running processes on a local or remote machine. This can be very useful in debugging.

PsLoggedOn shows who's logged on, funnily enough.

PsService: you can list, start or stop services. Very useful for debugging, or even hacking a machine if you so desired. And PsShutdown will make the machine shut down, funnily enough. So you can go and copy some stuff over, set services up to be started, whatever, force it to reboot, and pretty much run anything you want on the machine remotely.

Regmon, very similar to Filemon; instead of monitoring files, Regmon monitors the registry. If you were so inclined you could find some shareware 30-day-only program, run Regmon, run the 30-day program installer, watch what registry files it changed where, delete the registry files, and oh look, you've got your 30 days back again. Of course there's no real point nowadays; you just have a virtual machine to do it, and then you don't get any extra crap floating around on your machine. Hey, it's there anyway.

RootkitRevealer, which I'll probably be talking about in a later episode. It reveals rootkits. The Sony DRM stuff came up and was found by this, by Mark Russinovich, or however you pronounce the surname. Run it, see what differences it thinks there are between what the operating system reports and what's actually on the disk. Again, I'll talk more about that later.

Just realised I can pretty much guarantee that I'm going to be doing at least one more episode. That'll be it for this episode. In my next episodes I'll actually have to boot into Windows and we'll go through some of the tools and some of the actual options you can do. Thank you very much for listening, and if anyone wants to catch up with me, I'm normally on IRC on the 3.0.net in the #linuxreality and "a lot of Linux links" rooms. Thanks for listening.

Thanks, Hacker Public Radio. HPR is sponsored by caro.net, so head on over to caro.net for all
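The Autoruns and Regmon passages above both describe the same defensive workflow: look at what starts automatically, run an installer, and see what it added. The PowerShell script below is an added example written for this page; it is not code from the episode or from the Sysinternals suite. It snapshots the common autorun locations (the standard HKLM/HKCU Run and RunOnce keys plus the per-user and all-users Startup folders; Autoruns checks many more places than this), pauses while you run the installer, snapshots again, and prints the entries that appeared or disappeared. Function names and the snapshot object layout are this example's own choices.

```powershell
# Added example (not part of the episode or of Sysinternals): a snapshot/diff
# of autorun locations before and after installing something, as a way to see
# what persistence an installer left behind. Requires PowerShell 3.0 or later.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Per-user and all-users Startup folders, resolved from the environment.
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-AutorunSnapshot {
    # Returns one object per autorun entry: where it lives, its name, and
    # the command (or file) it runs.
    $entries = @()

    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata PowerShell attaches to every key.
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $entries += [pscustomobject]@{
                Location = $key
                Name     = $p.Name
                Command  = [string]$p.Value
            }
        }
    }

    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($file in (Get-ChildItem -Path $folder -File)) {
            $entries += [pscustomobject]@{
                Location = $folder
                Name     = $file.Name
                Command  = $file.FullName
            }
        }
    }

    return $entries
}

function Compare-AutorunSnapshot {
    param([object[]]$Before, [object[]]$After)
    # Key each entry on location, name and command, so an entry whose command
    # was rewritten shows up as one removal plus one addition.
    $toKey = { param($e) "$($e.Location)|$($e.Name)|$($e.Command)" }
    $beforeKeys = @($Before | ForEach-Object { & $toKey $_ })
    $afterKeys  = @($After  | ForEach-Object { & $toKey $_ })

    $added   = @($After  | Where-Object { (& $toKey $_) -notin $beforeKeys })
    $removed = @($Before | Where-Object { (& $toKey $_) -notin $afterKeys })

    return [pscustomobject]@{ Added = $added; Removed = $removed }
}

# Workflow: snapshot, install, snapshot, diff.
$before = Get-AutorunSnapshot
Read-Host 'Run the installer now, then press Enter to take the second snapshot' | Out-Null
$after  = Get-AutorunSnapshot
$diff   = Compare-AutorunSnapshot -Before $before -After $after

"New autorun entries ($($diff.Added.Count)):"
$diff.Added   | Format-Table Location, Name, Command -AutoSize
"Removed autorun entries ($($diff.Removed.Count)):"
$diff.Removed | Format-Table Location, Name, Command -AutoSize
```

Run it from an elevated prompt if you want the HKLM keys to be readable on a locked-down machine; HKCU and the per-user Startup folder work without elevation. Anything listed under "New autorun entries" after a supposedly clean install is exactly the kind of entry the episode suggests reviewing in Autoruns.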