List of Files to check

Discussion in 'FileChecker & ID-Blaster Forum' started by dannyboy 950, Jun 27, 2006.

Thread Status:
Not open for further replies.
  1. dannyboy 950

    dannyboy 950 Registered Member

    Does anyone have a list of the best files that one should check and monitor?
  2. tonyjl

    tonyjl Registered Member

    Hi dannyboy

    Here's part of my list I monitor; you should also monitor the important files of your security software as well.

    My list probably isn't complete by any means, but it'll give a good start.

    I have Win XP SP2 Home Ed. I'm using RegWatcher as my file monitor (without it monitoring the registry, I have RegDefend for that) as it's really customisable and it allows you to keep an eye on files/folders that don't exist. It also uses minimal resources: scanning the list below plus all my security program files (which I haven't included in the list) it uses 1% CPU. I haven't found a dedicated file monitor with the same features and same resource usage yet, that's why I use RegWatcher.

    %bootdrv% = C:\ Folder
    %windir% = C:\WINDOWS Folder
    %system% = C:\WINDOWS\SYSTEM32\ Folder
    * = Wild Card - for use with files
    o_O = Wild Card - for use with folders
    & = Means it additionally checks for hidden/new files every 30 sweeps (customizable).
    # = I've started adding comments for the files, what they're used for, good and bad, as it's quite hard remembering why you added all these files/folders.


    %bootdrv%autoexec.bat
    %bootdrv%boot.ini
    %bootdrv%config.sys
    %bootdrv%desktop.ini
    %bootdrv%explorer.exe
    %bootdrv%io.sys
    %bootdrv%msdos.sys
    %bootdrv%ntdetect.com
    %bootdrv%ntldr
    %bootdrv%documents and settings\o_O\start menu\programs\startup
    &%bootdrv%*.com
    #Below is the "Global" Startup folder.
    %windir%all users\start menu\startup
    %windir%bootstat.dat
    %windir%dosstart.bat
    %windir%explorer.exe
    %windir%hosts
    %windir%regedit.exe
    %windir%snoopfreedll.dll
    %windir%snoopfreeui.exe
    %windir%system.ini
    %windir%taskman.exe
    %windir%win.ini
    %windir%wininit.ini
    %windir%winstart.bat
    &%windir%*.com
    # The folder below contains all .inf/.PNF files.
    &%windir%inf
    # The file below contains all the default settings for Internet Explorer.
    %windir%inf\iereset.inf
    #Below is a known Autostart folder.
    %windir%start menu\programs\startup
    &%windir%tasks\ashSimp2.job
    &%windir%tasks\desktop.ini
    # The file below stores the User Account information.
    %system%activeds.tlb
    %system%adsldpc.dll
    %system%advapi32.dll
    %system%alg.exe
    %system%autoexec.nt
    # The 2 files below are part of the AutoExNT Service, which allows you to start a custom batch file 'Autoexnt.bat' when you start a computer - without having to log in.
    %system%Autoexnt.bat
    %system%Autoexnt.exe
    %system%bootok.exe
    %system%bootvrfy.exe
    %system%chcp.com
    # The next 8 files are part of CHI-X 3.0 beta.
    %system%chxcnsrv.exe
    %system%chxlogsv.exe
    %system%chxlssnp.dll
    %system%chxmain.dll
    %system%chxpfsnp.dll
    %system%chxpldsnp.dll
    %system%chxrmtsv.exe
    %system%chxservices.dll
    %system%cmd.exe
    %system%comctl32.dll
    %system%command.com
    %system%config.nt
    %system%csh.exe
    %system%ctl3d32.dll
    # The file below is used by DiamondCS's PortExplorer
    %system%dcsws2.dll
    %system%drwatson.exe
    %system%drwtsn32.exe
    %system%files.ic
    %system%ftp.exe
    # The next 6 files are part of CHI-X 3.0 beta.
    %system%fsadapters.dll
    %system%fsfileops.dll
    %system%fsobjlists.dll
    %system%fspfrules.dll
    %system%fspldrules.dll
    %system%fsservices.dll
    %system%gdi.exe
    %system%gdi32.dll
    %system%gui32.dll
    %system%hal.dll
    %system%icmp.dll
    # A modification to the following file can disable 'Active Desktop'.
    %system%ieuinit.inf
    %system%integritychecker.exe
    # The folder below is a known startup location.
    %system%iosubsys
    %system%ipconfig.exe
    %system%iphlpapi.dll
    %system%java.exe
    %system%javaw.exe
    %system%javaws.exe
    %system%jpicpl32.cpl
    %system%kernel32.dll
    %system%lsadump2.exe
    %system%lsass.exe
    %system%mfc42.dll
    %system%msgina.dll
    %system%mshta.exe
    %system%msiexec.exe
    %system%msv1_0.dll
    %system%mswsock.dll
    %system%nc.exe
    %system%net.exe
    %system%net1.exe
    %system%netapi.dll
    %system%netmsg.dll
    %system%netstat.exe
    %system%ntdll.dll
    %system%ntoskrnl.exe
    %system%oleaut32.dll
    %system%perl.exe
    %system%plnt.exe
    %system%procguard.dll
    %system%pwdump.exe
    %system%rcmd.exe
    %system%regedt32.exe
    %system%regsvr32.exe
    %system%riched20.dll
    %system%rundll32.exe
    %system%secur32.dll
    %system%services.exe
    # The file below is part of the AutoExNT Service, which allows you to start a custom batch file 'Autoexnt.bat' when you start a computer - without having to log in.
    %system%Servmess.dll
    %system%setupapi.dll
    # The next 4 files are part of Windows System File Protection.
    %system%sfc.dll
    %system%sfc.exe
    %system%sfc_os.dll
    %system%sfcfiles.dll
    %system%shdocvw.dll
    %system%shell.dll
    %system%shell32.dll
    %system%smss.exe
    %system%snoopfreesvc.exe
    %system%svchost.exe
    %system%sysedit.exe
    %system%systray.exe
    %system%taskman.exe
    %system%taskmgr.exe
    # The next file is part of CHI-X 3.0 beta.
    %system%tcpudptables.dll
    %system%telnet.exe
    %system%tftp.exe
    %system%userinit.exe
    %system%user32.dll
    # The folder below is a known startup location.
    %system%vmm32
    %system%wgalogon.dll
    # There is a worm that goes by the same name as the file below.
    %system%wgatray.exe
    %system%win32k.sys
    %system%winlogon.exe
    %system%wininet.dll
    %system%winsock.dll
    %system%winsrv.dll
    %system%ws2_32.dll
    %system%wscript.exe
    %system%wsh.exe
    %system%wsock32.dll
    &%system%*.com
    &%system%drivers
    %system%drivers\etc
    # The folder below contains files belonging to Zone Alarm.
    %system%zonelabs
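
An added example (not from the thread and not RegWatcher's own code): a Python baseline-and-compare monitor that reads the list notation used in the post above, including entries for files that do not exist yet, and reports what appeared, changed or went missing. The macro roots, the constructed sample list and temp tree, and treating `&` as a parsed flag while every sweep rescans are assumptions.

```python
import glob, os, tempfile
from hashlib import sha256
from pathlib import Path
SAMPLE = r"""# constructed excerpt in the post's notation
%windir%hosts
%system%nc.exe
&%system%*.com
%bootdrv%documents and settings\o_O\start menu\programs\startup"""

def parse_watchlist(text, macros):
    # -> [(glob pattern, '&' flag)]; macros maps "%windir%" etc. to roots ending in a separator
    entries = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):          # '#' = comment line
            continue
        rescan = line.startswith("&")                 # '&' = also check for new/hidden files
        line = line.lstrip("&").replace("o_O", "*")   # folder wildcard -> glob wildcard
        for name, root in macros.items():
            line = line.replace(name, root)
        entries.append((line.replace("\\", os.sep), rescan))
    return entries

def snapshot(entries):
    # path -> SHA-256, or None when absent, so a file that appears later is reported
    state = {}
    for pattern, _rescan in entries:   # assumption: every sweep re-expands wildcards
        for path in glob.glob(pattern) or [pattern]:
            files = [path]
            if os.path.isdir(path):                   # folder entry: files directly inside
                files = [os.path.join(path, n) for n in os.listdir(path)]
            for f in files:
                state[f] = sha256(Path(f).read_bytes()).hexdigest() if os.path.isfile(f) else None
    return state

def diff(baseline, current):
    kind = lambda old, new: "appeared" if old is None else "missing" if new is None else "modified"
    return [(kind(baseline.get(p), current.get(p)), p)
            for p in sorted(set(baseline) | set(current)) if baseline.get(p) != current.get(p)]

def demo():
    root = tempfile.mkdtemp()                         # constructed stand-in for the C: drive
    win, sys32 = os.path.join(root, "WINDOWS", ""), os.path.join(root, "WINDOWS", "SYSTEM32", "")
    os.makedirs(sys32)
    entries = parse_watchlist(SAMPLE, {"%bootdrv%": root + os.sep, "%windir%": win, "%system%": sys32})
    Path(win, "hosts").write_text("127.0.0.1 localhost\n")
    baseline = snapshot(entries)
    Path(win, "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 update.example\n")  # constructed edit
    Path(sys32, "nc.exe").write_bytes(b"constructed")                               # watched file appears
    return [(k, os.path.relpath(p, root).replace(os.sep, "/")) for k, p in diff(baseline, snapshot(entries))]
```

Calling `demo()` returns the alerts for the constructed tree; store the baseline somewhere the monitored account cannot write, or a change to the files can be hidden by a change to the baseline.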
  3. brack1969

    brack1969 Registered Member

    Thanks Tony!

    That's quite the list, many files in there I hadn't thought of... Do you like using two programs to monitor your registry and files?
  4. AintGeo

    AintGeo Registered Member

    Please tell me: eabservr.exe - can it be watched? It is "power off"ing all by itself!

    I liked your list - I'll remember that - you type well. Good concentration skills.
  5. tonyjl

    tonyjl Registered Member

  6. AintGeo

    AintGeo Registered Member

    I might need that. My computer won't install MS updates. It refused to log off and restart. I tried to set to MediaPlayer 10 and got MediaPlayer 9. I found a difference in my Kerio firewall. "capture.bin" "install.log". posting elsewhere...
  7. simonguoxm

    simonguoxm Registered Member

    So many files