detecting a rootkit using _root_regedit.exe

iceni60 · Nov 25, 2004

i was reading this , half way down the page to the task manager picture, and it says...

A rootkit, however, cannot affect processes that have _root_ in their names. In other words, when a system administrator, is analyzing the system log using Regedit.exe, he cannot see hidden entries, but just by changing its name to _root_regedit.exe, it will be enough for him to see all of them as well as hidden keys and registry entries. This is true for all programs.

is it really that easy to find a rootkit?

nick s · Nov 25, 2004

iceni60 said:

i was reading this , half way down the page to the task manager picture, and it says...

A rootkit, however, cannot affect processes that have _root_ in their names. In other words, when a system administrator, is analyzing the system log using Regedit.exe, he cannot see hidden entries, but just by changing its name to _root_regedit.exe, it will be enough for him to see all of them as well as hidden keys and registry entries. This is true for all programs.

is it really that easy to find a rootkit?
Click to expand...

Hi iceni60,

I believe that the "_root_" wildcard only works with the "NT Rootkit", which has not been updated in a few years.

Nick

iceni60 · Nov 25, 2004

nick s said:

Hi iceni60,

I believe that the "_root_" wildcard only works with the "NT Rootkit", which has not been updated in a few years.

Nick
Click to expand...

thanks, Nick. that makes alot of sense. i should have know from what had been said before, that it was an early rootkit. thanks

Log in or Sign up

detecting a rootkit using _root_regedit.exe

iceni60 ( ^o^)

nick s Registered Member

iceni60 ( ^o^)

Log in or Sign up

detecting a rootkit using _root_regedit.exe

iceni60 ( ^o^)

nick s Registered Member

iceni60 ( ^o^)

Useful Searches