List of Files to check

Discussion in 'FileChecker & ID-Blaster Forum' started by dannyboy 950, Jun 27, 2006.

Thread Status:
Not open for further replies.
  1. dannyboy 950

    dannyboy 950 Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    50
    Does anyone have a list of the best files that one should check and monitor?
     
  2. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi dannyboy

    Here's part of my list I monitor. You should also monitor the important files of your security software as well.

    My list probably isn't complete by any means, but it'll give a good start.

    I have Win XP SP2 Home Ed. I'm using RegWatcher as my file monitor (without it monitoring the registry, I have RegDefend for that) as it's really customisable and it allows you to keep an eye on files/folders that don't exist. It also uses minimal resources: scanning the list below plus all my security program files (which I haven't included in the list) it uses 1% CPU. I haven't found a dedicated file monitor with the same features and same resource usage yet, that's why I use RegWatcher.

    %bootdrv% = C:\ Folder
    %windir% = C:\WINDOWS Folder
    %system% = C:\WINDOWS\SYSTEM32\ Folder
    * = Wild Card - for use with files
    o_O = Wild Card - for use with folders
    & = Means it additionally checks for hidden/new files every 30 sweeps (customizable).
    # = I've started adding comments for the files, what they're used for, good and bad, as it's quite hard remembering why you added all these files/folders.


    %bootdrv%autoexec.bat
    %bootdrv%boot.ini
    %bootdrv%config.sys
    %bootdrv%desktop.ini
    %bootdrv%explorer.exe
    %bootdrv%io.sys
    %bootdrv%msdos.sys
    %bootdrv%ntdetect.com
    %bootdrv%ntldr
    %bootdrv%documents and settings\o_O\start menu\programs\startup
    &%bootdrv%*.com
    #Below is the "Global" Startup folder.
    %windir%all users\start menu\startup
    %windir%bootstat.dat
    %windir%dosstart.bat
    %windir%explorer.exe
    %windir%hosts
    %windir%regedit.exe
    %windir%snoopfreedll.dll
    %windir%snoopfreeui.exe
    %windir%system.ini
    %windir%taskman.exe
    %windir%win.ini
    %windir%wininit.ini
    %windir%winstart.bat
    &%windir%*.com
    # The folder below contains all .inf/.PNF files.
    &%windir%inf
    # The file below contains all the default settings for Internet Explorer.
    %windir%inf\iereset.inf
    #Below is a known Autostart folder.
    %windir%start menu\programs\startup
    &%windir%tasks\ashSimp2.job
    &%windir%tasks\desktop.ini
    # The file below stores the User Account information.
    %system%activeds.tlb
    %system%adsldpc.dll
    %system%advapi32.dll
    %system%alg.exe
    %system%autoexec.nt
    # The 2 files below are part of the AutoExNT Service, which allows you to start a custom batch file 'Autoexnt.bat' when you start a computer - without having to log in.
    %system%Autoexnt.bat
    %system%Autoexnt.exe
    %system%bootok.exe
    %system%bootvrfy.exe
    %system%chcp.com
    # The next 8 files are part of CHI-X 3.0 beta.
    %system%chxcnsrv.exe
    %system%chxlogsv.exe
    %system%chxlssnp.dll
    %system%chxmain.dll
    %system%chxpfsnp.dll
    %system%chxpldsnp.dll
    %system%chxrmtsv.exe
    %system%chxservices.dll
    %system%cmd.exe
    %system%comctl32.dll
    %system%command.com
    %system%config.nt
    %system%csh.exe
    %system%ctl3d32.dll
    # The file below is used by DiamondCS's PortExplorer
    %system%dcsws2.dll
    %system%drwatson.exe
    %system%drwtsn32.exe
    %system%files.ic
    %system%ftp.exe
    # The next 6 files are part of CHI-X 3.0 beta.
    %system%fsadapters.dll
    %system%fsfileops.dll
    %system%fsobjlists.dll
    %system%fspfrules.dll
    %system%fspldrules.dll
    %system%fsservices.dll
    %system%gdi.exe
    %system%gdi32.dll
    %system%gui32.dll
    %system%hal.dll
    %system%icmp.dll
    # A modification to the following file can disable 'Active Desktop'.
    %system%ieuinit.inf
    %system%integritychecker.exe
    # The folder below is a known startup location.
    %system%iosubsys
    %system%ipconfig.exe
    %system%iphlpapi.dll
    %system%java.exe
    %system%javaw.exe
    %system%javaws.exe
    %system%jpicpl32.cpl
    %system%kernel32.dll
    %system%lsadump2.exe
    %system%lsass.exe
    %system%mfc42.dll
    %system%msgina.dll
    %system%mshta.exe
    %system%msiexec.exe
    %system%msv1_0.dll
    %system%mswsock.dll
    %system%nc.exe
    %system%net.exe
    %system%net1.exe
    %system%netapi.dll
    %system%netmsg.dll
    %system%netstat.exe
    %system%ntdll.dll
    %system%ntoskrnl.exe
    %system%oleaut32.dll
    %system%perl.exe
    %system%plnt.exe
    %system%procguard.dll
    %system%pwdump.exe
    %system%rcmd.exe
    %system%regedt32.exe
    %system%regsvr32.exe
    %system%riched20.dll
    %system%rundll32.exe
    %system%secur32.dll
    %system%services.exe
    # The file below is part of the AutoExNT Service, which allows you to start a custom batch file 'Autoexnt.bat' when you start a computer - without having to log in.
    %system%Servmess.dll
    %system%setupapi.dll
    # The next 4 files are part of Windows System File Protection.
    %system%sfc.dll
    %system%sfc.exe
    %system%sfc_os.dll
    %system%sfcfiles.dll
    %system%shdocvw.dll
    %system%shell.dll
    %system%shell32.dll
    %system%smss.exe
    %system%snoopfreesvc.exe
    %system%svchost.exe
    %system%sysedit.exe
    %system%systray.exe
    %system%taskman.exe
    %system%taskmgr.exe
    # The next file is part of CHI-X 3.0 beta.
    %system%tcpudptables.dll
    %system%telnet.exe
    %system%tftp.exe
    %system%userinit.exe
    %system%user32.dll
    # The folder below is a known startup location.
    %system%vmm32
    %system%wgalogon.dll
    # There is a worm that goes by the same name as the file below.
    %system%wgatray.exe
    %system%win32k.sys
    %system%winlogon.exe
    %system%wininet.dll
    %system%winsock.dll
    %system%winsrv.dll
    %system%ws2_32.dll
    %system%wscript.exe
    %system%wsh.exe
    %system%wsock32.dll
    &%system%*.com
    &%system%drivers
    %system%drivers\etc
    # The folder below contains files belonging to Zone Alarm.
    %system%zonelabs
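
An added example, not part of the thread and not RegWatcher's own code: a small Python baseline-and-compare checker that reads a watch list written in the notation of the post above, including entries for files that do not exist yet. The function names, the regex, the folder-listing fingerprint and the temporary directory layout are assumptions made for illustration.

```python
import glob, hashlib, os, re, tempfile
from pathlib import Path

SAMPLE = r"""# constructed excerpt in the post's notation
%bootdrv%boot.ini
&%bootdrv%*.com
%bootdrv%documents and settings\o_O\start menu\programs\startup
%system%nc.exe"""

def parse_watchlist(text):
    """Return (root token, relative glob, '&' flag) per entry; '#' lines are skipped."""
    hits = re.findall(r"^[ \t]*(&?)(%\w+%)(.+)$", text, re.M)
    return [(tok.lower(), rel.strip().replace("o_O", "*").replace("\\", "/"), bool(amp))
            for amp, tok, rel in hits]  # o_O (any folder) becomes a glob '*'

def fingerprint(path):
    """SHA-256 of a file's bytes or of a folder's sorted listing; None if absent."""
    if os.path.isdir(path):
        return hashlib.sha256("\n".join(sorted(os.listdir(path))).encode()).hexdigest()
    return hashlib.sha256(Path(path).read_bytes()).hexdigest() if os.path.isfile(path) else None

def snapshot(text, roots):
    """Hash every match; a path with no match is stored as None so its arrival shows."""
    state = {}
    for token, rel, _rescan in parse_watchlist(text):  # '&' sweep schedule not modelled
        pattern = os.path.join(roots[token], *rel.split("/"))
        state.update((p, fingerprint(p)) for p in glob.glob(pattern) or [pattern])
    return state

def diff(old, new):
    """Label each path whose fingerprint differs between two snapshots."""
    pairs = ((p, old.get(p), new.get(p)) for p in set(old) | set(new))
    return {p: "appeared" if b is None else "removed" if a is None else "modified"
            for p, b, a in pairs if b != a}

def demo():
    """Baseline a throwaway tree (assumed layout), change it, return what was flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp, "WINDOWS", "SYSTEM32")
        startup = Path(tmp, "documents and settings/alice/start menu/programs/startup")
        roots = {"%bootdrv%": tmp, "%system%": str(system)}
        for folder in (system, startup):
            folder.mkdir(parents=True)
        Path(tmp, "boot.ini").write_bytes(b"[boot loader]\n")
        base = snapshot(SAMPLE, roots)
        Path(tmp, "boot.ini").write_bytes(b"[boot loader]\ntimeout=0\n")
        for new in (Path(tmp, "new.com"), startup / "run.lnk", system / "nc.exe"):
            new.write_bytes(b"constructed")
        found = diff(base, snapshot(SAMPLE, roots))
        return {Path(p).relative_to(tmp).as_posix(): c for p, c in found.items()}
```

On a real system the `roots` mapping would point at the drive, Windows and System32 folders listed in the post's legend, and the baseline would be stored between runs rather than held in memory.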
     
  3. brack1969

    brack1969 Registered Member

    Joined:
    Feb 17, 2007
    Posts:
    1
    Thanks Tony!

    That's quite the list, many files in there I hadn't thought of... Do you like using two programs to monitor your registry and files?
     
  4. AintGeo

    AintGeo Registered Member

    Joined:
    Feb 22, 2007
    Posts:
    8
    Location:
    Home
    Please tell me: eabservr.exe - can it be watched? It is "power off"ing all by itself!

    I liked your list - I'll remember that - you type well. Good concentration skills.
     
  5. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
  6. AintGeo

    AintGeo Registered Member

    Joined:
    Feb 22, 2007
    Posts:
    8
    Location:
    Home
    I might need that. My computer won't install MS updates. It refused to log off and restart. I tried to set to MediaPlayer 10 and got MediaPlayer 9. I found a difference in my Kerio firewall. "capture.bin" "install.log". posting elsewhere...
     
  7. simonguoxm

    simonguoxm Registered Member

    Joined:
    May 2, 2007
    Posts:
    2
    so many files
     