Penetration Testing mailing list archives
Re: Hiding scheduled tasks in 2K/XP
From: H Carvey <keydet89 () yahoo com>
Date: 3 Jun 2003 19:15:05 -0000
In-Reply-To: <000301c328d6$15c4d780$1202020a@hey>

Winter,

I've verified this on Win2K SP2. Interesting.

I use Perl for system programming on Windows platforms, particularly for IR and forensics. The Win32::TaskScheduler module will completely enumerate even the hidden (attrib +h) tasks...

I mention this, as I'm putting together a full-blown IR application that is made up of my scripts, and can be run from a CD. This will be included in my upcoming book.

Harlan

I've found that you can use attrib.exe on files in %windir%\tasks, particularly with the +h attribute. "Attrib.exe +h *" will hide all scheduled tasks from AT, Scheduled Tasks (both Control Panel + explorer) and "dir %windir%\tasks" (unless you use dir /a or have it set as such in %dircmd%). Browsing %windir%\tasks on the cmd line with "dir /a" is the only way I've been able to detect jobs that have been hidden this way. They run as scheduled. Tested on 2000 SP3 & XP SP1.
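
A detection check for the behaviour discussed in this thread, added here as an example and not code from either poster: it lists every job file in %windir%\Tasks regardless of attributes and flags the ones marked Hidden. The function name Get-TaskJobFile, the -TaskDir parameter and the *.job filter (the extension Task Scheduler uses for files in that folder) are assumptions of this example.

```powershell
# Added example: enumerate job files in the legacy task folder and flag
# any that carry the Hidden attribute (what "attrib +h" sets).
param(
    # Folder named in the post. Override to point at a mounted image
    # or a copied folder (assumption of this example).
    [string]$TaskDir = (Join-Path $env:windir 'Tasks')
)

function Get-TaskJobFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    # -Force returns hidden and system entries, like "dir /a" in the post.
    Get-ChildItem -LiteralPath $Path -Filter '*.job' -Force -ErrorAction Stop |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                Hidden      = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
                System      = ($_.Attributes -band [IO.FileAttributes]::System) -ne 0
                CreatedUtc  = $_.CreationTimeUtc
                ModifiedUtc = $_.LastWriteTimeUtc
            }
        }
}

$jobs   = @(Get-TaskJobFile -Path $TaskDir)
$hidden = @($jobs | Where-Object { $_.Hidden })

# Show everything, so hidden jobs can be compared with the visible ones.
$jobs | Sort-Object Name | Format-Table -AutoSize

if ($hidden.Count -gt 0) {
    Write-Warning ("{0} of {1} job file(s) in {2} carry the Hidden attribute" -f `
        $hidden.Count, $jobs.Count, $TaskDir)
    exit 1   # non-zero exit lets a collection script record the finding
}
exit 0
```
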
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Hiding scheduled tasks in 2K/XP winter (Jun 02)
- RE: Hiding scheduled tasks in 2K/XP Dan Perez (Jun 04)
- <Possible follow-ups>
- Re: Hiding scheduled tasks in 2K/XP H Carvey (Jun 03)
- RE: Hiding scheduled tasks in 2K/XP David Vincent (Jun 04)