RootkitRevealer

Sysinternals RootkitRevealer
Developer(s): Bryce Cogswell and Mark Russinovich
Final release: 1.7 / November 1, 2006
Written in: Microsoft C++ [1]:07:08
Operating system: Windows XP and Windows Server 2003
Platform: IA-32
Size: 231 KB
Available in: English
Type: Security software
License: Closed-source freeware
Website: technet.microsoft.com/en-us/sysinternals/bb897445

RootkitRevealer is a proprietary freeware tool for rootkit detection on Microsoft Windows by Bryce Cogswell and Mark Russinovich. It runs on Windows XP and Windows Server 2003 (32-bit versions only). Its output lists Windows Registry and file system API discrepancies that may indicate the presence of a rootkit. It is the same tool that triggered the Sony BMG copy protection rootkit scandal. [2]
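The detection idea behind the "API discrepancies" mentioned above is a cross-view comparison: the same file system and registry namespace is enumerated once through the Windows API (which a rootkit can hook and filter) and once from a lower-level view of the raw data, and any object present in one view but not the other is reported. The following Python program is an added illustration of that comparison logic, not code from RootkitRevealer or from Sysinternals. It assumes that both enumerations have already been collected into lists of entries; the two listings, the path names in them and the finding labels are constructed for the example and do not refer to any real scan or real malware.

```python
"""Cross-view discrepancy detection, in the spirit of RootkitRevealer.

A rootkit that hooks the Windows API can hide files or registry keys from
any program that enumerates through that API, but the objects still exist
in the raw on-disk structures. Comparing the two views exposes what the
hook removed. All data below is constructed sample input (assumption).
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class Entry:
    """One file, directory or registry key as seen by one enumeration method."""
    path: str   # file path or registry key path (constructed examples below)
    size: int   # byte size for files; 0 for directories and registry keys
    mtime: str  # last-write time as an ISO-8601 string

# Finding labels are this example's own wording, not the tool's output format.
HIDDEN = "Hidden from Windows API"
PHANTOM = "Visible in Windows API but not in raw scan"
MISMATCH = "Metadata mismatch between API view and raw view"

def normalize(path: str) -> str:
    """Canonical key: Windows file paths and registry keys are case-insensitive."""
    return path.replace("/", "\\").rstrip("\\").lower()

def compare_views(api_view: Iterable[Entry],
                  raw_view: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs for every discrepancy between the two views."""
    api = {normalize(e.path): e for e in api_view}
    raw = {normalize(e.path): e for e in raw_view}
    findings: List[Tuple[str, str]] = []
    # Present on disk / in the hive, but filtered out of the API enumeration.
    for key, e in raw.items():
        if key not in api:
            findings.append((e.path, HIDDEN))
    # Reported by the API but absent from the raw view (often a transient
    # object deleted between the two enumerations; rescan before concluding).
    for key, e in api.items():
        if key not in raw:
            findings.append((e.path, PHANTOM))
    # Same object in both views, but the API reports different attributes.
    for key in api.keys() & raw.keys():
        a, r = api[key], raw[key]
        if (a.size, a.mtime) != (r.size, r.mtime):
            findings.append((r.path, MISMATCH))
    return sorted(findings)

# Constructed sample views (assumption): names are invented for the example.
API_VIEW = [
    Entry(r"C:\Windows\System32\drivers\disk.sys", 40960, "2006-11-01T10:00:00"),
    Entry(r"C:\Windows\System32\drivers\shim.sys", 4096, "2006-11-01T10:00:00"),
    Entry(r"C:\Temp\in-flight.tmp", 12, "2006-11-02T09:59:58"),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\Disk", 0, "2006-11-01T10:00:00"),
]
RAW_VIEW = [
    Entry(r"C:\Windows\System32\drivers\disk.sys", 40960, "2006-11-01T10:00:00"),
    Entry(r"C:\Windows\System32\drivers\shim.sys", 16384, "2006-11-02T09:00:00"),
    Entry(r"C:\Windows\System32\drivers\example_hidden.sys", 8192, "2006-11-02T09:00:00"),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\Disk", 0, "2006-11-01T10:00:00"),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\example_hidden", 0, "2006-11-02T09:00:00"),
]

def run_sample() -> List[Tuple[str, str]]:
    """Compare the constructed views; returns four findings for this sample."""
    return compare_views(API_VIEW, RAW_VIEW)

if __name__ == "__main__":
    for path, finding in run_sample():
        print(f"{finding}: {path}")
```

The raw view has to come from something the hook cannot filter (a direct read of the NTFS structures or registry hive files rather than the documented API), otherwise both enumerations are subject to the same filtering and the diff is empty. A discrepancy is evidence, not proof: an object created or deleted between the two enumerations also shows up, which is why the sample includes a transient temp file and why a practitioner repeats the scan before treating a finding as a hidden object.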

RootkitRevealer is no longer being developed. [1]:08:16

Related Research Articles

Rootkit: Software designed to enable access to unauthorized locations in a computer

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

Windows NT 3.5: Second major release of Windows NT, released in 1994

Windows NT 3.5 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was released on September 21, 1994, as the successor to Windows NT 3.1 and the predecessor to Windows NT 3.51.

PageDefrag is a program, developed by Sysinternals, for Microsoft Windows that runs at start-up to defragment the virtual memory page file, the registry files and the Event Viewer's logs.

Sysprep: Microsoft tool for Windows deployment

Sysprep is Microsoft's System Preparation Tool for Microsoft Windows operating system deployment.

Svchost.exe is a system process that can host one or more Windows services in the Windows NT family of operating systems. Svchost is essential in the implementation of shared service processes, where a number of services can share a process in order to reduce resource consumption. Grouping multiple services into a single process conserves computing resources, and this consideration was of particular concern to NT designers because creating Windows processes takes more time and consumes more memory than in other operating systems, e.g. in the Unix family. However, if one of the services causes an unhandled exception, the entire process may crash. In addition, identifying component services can be more difficult for end users. Problems with various hosted services, particularly with Windows Update, get reported by users as involving svchost.

A registry cleaner is a class of third-party utility software designed for the Microsoft Windows operating system, whose purpose is to remove redundant items from the Windows Registry.

Extended Copy Protection

Extended Copy Protection (XCP) is a software package developed by the British company First 4 Internet and sold as a copy protection or digital rights management (DRM) scheme for Compact Discs. It was used on some CDs distributed by Sony BMG and sparked the 2005 Sony BMG CD copy protection scandal; in that context it is also known as the Sony rootkit.

Mark Russinovich: Spanish-born American software engineer

Mark Eugene Russinovich is a Spanish-born American software engineer and author who serves as CTO of Microsoft Azure. He was a cofounder of software producers Winternals before it was acquired by Microsoft in 2006.

Sony BMG copy protection rootkit scandal: Sony BMG's implementation of copy protection measures

The Sony BMG CD copy protection scandal concerns the copy protection measures included by Sony BMG on compact discs in 2005. When inserted into a computer, the CDs installed one of two pieces of software that provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. One of the programs would install and "phone home" with reports on the user's private listening habits, even if the user refused its end-user license agreement (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits.

Windows Sysinternals is a website that offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment. Originally, the Sysinternals website was created in 1996 and was operated by the company Winternals Software LP, which was located in Austin, Texas. It was started by software developers Bryce Cogswell and Mark Russinovich. Microsoft acquired Winternals and its assets on July 18, 2006.

In the context of the Microsoft Windows NT line of operating systems, a Security Identifier (SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life, and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed without affecting the security attributes of objects that refer to the principal.

Windows Boot Manager: Boot process used in modern Windows NT-based products

The Windows Boot Manager (BOOTMGR) is the bootloader provided by Microsoft for Windows NT versions starting with Windows Vista. It is the first program launched by the BIOS or UEFI of the computer and is responsible for loading the rest of Windows. It replaced the NTLDR present in older versions of Windows.

Process Explorer: Freeware system monitor for Windows

Process Explorer is a freeware task manager and system monitor for Microsoft Windows created by SysInternals, which has been acquired by Microsoft and re-branded as Windows Sysinternals. It provides the functionality of Windows Task Manager along with a rich set of features for collecting information about processes running on the user's system. It can be used as the first step in debugging software or system problems.

Process Monitor is a tool from Windows Sysinternals, part of the Microsoft TechNet website. The tool monitors and displays in real-time all file system activity on a Microsoft Windows or Unix-like operating system. It combines two older tools, FileMon and RegMon and is used in system administration, computer forensics, and application debugging.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

The following is a comparison of notable file system defragmentation software:

EMCO MoveOnBoot is a freeware utility for managing locked file system resources on the Windows platform. The utility allows moving, renaming or deleting selected locked files or folders during the next Windows reboot.

Memory forensics is forensic analysis of a computer's memory dump. Its primary application is investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive. Consequently, the memory (RAM) must be analyzed for forensic information.

Server Core: Windows Server installation option

Server Core is a minimalistic Microsoft Windows Server installation option, debuted in Windows Server 2008. Server Core provides a server environment with functionality scaled back to core server features, and because of limited features, it has reduced servicing and management requirements, attack surface, disk and memory usage. Andrew Mason, a program manager on the Windows Server team, noted that a primary motivation for producing a Server Core variant of Windows Server 2008 was to reduce the attack surface of the operating system, and that about 70% of the security vulnerabilities in Microsoft Windows from the prior five years would not have affected Server Core. Most notably, no Windows Explorer shell is installed. All configuration and maintenance is done entirely through command-line interface windows, or by connecting to the machine remotely using Microsoft Management Console (MMC), remote server administration tools, and PowerShell.

ProcDump

ProcDump is a command-line application used for monitoring an application for CPU spikes and creating crash dumps during a spike. The crash dumps can then be used by an administrator or software developer to determine the cause of the spike. ProcDump supports monitoring of hung windows and unhandled exceptions. It can also create dumps based on the values of system performance counters.

References

  1. Russinovich, Mark; Margosis, Aaron (28 July 2011). "Mark Russinovich and Aaron Margosis: Introducing Windows Sysinternals Administrator's Reference". Channel 9. Microsoft Corporation. Retrieved 10 November 2011.
  2. Russinovich, Mark (31 October 2005). "Sony, Rootkits and Digital Rights Management Gone Too Far". Mark's Blog. Retrieved 10 November 2011.