Penetration Testing mailing list archives

RE: Hiding scheduled tasks in 2K/XP

From: "Dan Perez" <danperez () san rr com>
Date: Tue, 3 Jun 2003 14:25:45 -0700

The folks at DiamondCS had released a while back a tool called AutoStart
Viewer that can detect/document tasks hidden in this way (it is still
ostensibly in beta but I have found no problems with it).

The tool can be obtained from
http://www.diamondcs.com.au/index.php?page=asguard

This is one of the third-party freeware tools that I use in my own free
Intrusion Audit system that I recently posted for public review at

http://sourceforge.net/projects.ntida/ (although this too is in beta :(

any comments on the latter would be most welcome!

-----Original Message-----
From: winter [mailto:shonky_sec () hotpop com]
Sent: Monday, June 02, 2003 12:11 AM
To: pen-test () securityfocus com
Subject: Hiding scheduled tasks in 2K/XP


Hey all,

Ive found that you can use attrib.exe on files in %windir%\tasks,
particularly with the +h attribute. "Attrib.exe +h *" will hide all
scheduled tasks from AT, Scheduled Tasks (both Control Panel + explorer) and
"dir %windir%\tasks" (unless you use dir /a or have it set as such in
%dircmd%).  Browsing %windir%\tasks on the cmd line with "dir /a" is the
only way ive been able to detect jobs that have been hidden this way. They
run as scheduled. Tested on 2000 SP3 & XP SP1.

winter



---------------------------------------------------------------------------
----------------------------------------------------------------------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

Hiding scheduled tasks in 2K/XP winter (Jun 02)
- RE: Hiding scheduled tasks in 2K/XP Dan Perez (Jun 04)
- <Possible follow-ups>
- Re: Hiding scheduled tasks in 2K/XP H Carvey (Jun 03)
- RE: Hiding scheduled tasks in 2K/XP David Vincent (Jun 04)