Penetration Testing mailing list archives
RE: Hiding scheduled tasks in 2K/XP
From: "Dan Perez" <danperez () san rr com>
Date: Tue, 3 Jun 2003 14:25:45 -0700
The folks at DiamondCS had released a while back a tool called AutoStart Viewer that can detect/document tasks hidden in this way (it is still ostensibly in beta but I have found no problems with it). The tool can be obtained from http://www.diamondcs.com.au/index.php?page=asguard This is one of the third-party freeware tools that I use in my own free Intrusion Audit system that I recently posted for public review at http://sourceforge.net/projects.ntida/ (although this too is in beta :( any comments on the latter would be most welcome! -----Original Message----- From: winter [mailto:shonky_sec () hotpop com] Sent: Monday, June 02, 2003 12:11 AM To: pen-test () securityfocus com Subject: Hiding scheduled tasks in 2K/XP Hey all, Ive found that you can use attrib.exe on files in %windir%\tasks, particularly with the +h attribute. "Attrib.exe +h *" will hide all scheduled tasks from AT, Scheduled Tasks (both Control Panel + explorer) and "dir %windir%\tasks" (unless you use dir /a or have it set as such in %dircmd%). Browsing %windir%\tasks on the cmd line with "dir /a" is the only way ive been able to detect jobs that have been hidden this way. They run as scheduled. Tested on 2000 SP3 & XP SP1. winter --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Hiding scheduled tasks in 2K/XP winter (Jun 02)
- RE: Hiding scheduled tasks in 2K/XP Dan Perez (Jun 04)
- <Possible follow-ups>
- Re: Hiding scheduled tasks in 2K/XP H Carvey (Jun 03)
- RE: Hiding scheduled tasks in 2K/XP David Vincent (Jun 04)