RE: Hiding scheduled tasks in 2K/XP

From: Dan Perez (danperezat_private)
Date: Tue Jun 03 2003 - 14:25:45 PDT


    The folks at DiamondCS had released a while back a tool called AutoStart
    Viewer that can detect/document tasks hidden in this way (it is still
    ostensibly in beta but I have found no problems with it).
    
    The tool can be obtained from
    http://www.diamondcs.com.au/index.php?page=asguard
    
    This is one of the third-party freeware tools that I use in my own free
    Intrusion Audit system that I recently posted for public review at
    
    http://sourceforge.net/projects.ntida/ (although this too is in beta :(
    
    any comments on the latter would be most welcome!
    
    -----Original Message-----
    From: winter [mailto:shonky_secat_private]
    Sent: Monday, June 02, 2003 12:11 AM
    To: pen-testat_private
    Subject: Hiding scheduled tasks in 2K/XP
    
    
    Hey all,
    
    I've found that you can use attrib.exe on files in %windir%\tasks,
    particularly with the +h attribute. "Attrib.exe +h *" will hide all
    scheduled tasks from AT, Scheduled Tasks (both Control Panel + explorer) and
    "dir %windir%\tasks" (unless you use dir /a or have it set as such in
    %dircmd%).  Browsing %windir%\tasks on the cmd line with "dir /a" is the
    only way I've been able to detect jobs that have been hidden this way. They
    run as scheduled. Tested on 2000 SP3 & XP SP1.
    
    winter
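
The "dir /a" check from the original message, written as an audit script. This is an added example, not part of either message or of the tools they mention. The function name `Get-HiddenJob` and the `$TaskDir` parameter are hypothetical, and the syntax is kept to what PowerShell 2.0 accepts.

```powershell
# Added example: list .job files in the legacy Tasks folder that carry the
# Hidden or System attribute. $TaskDir and Get-HiddenJob are hypothetical names.
param(
    # Defaults to the live folder; can point at a copy of the folder instead.
    [string]$TaskDir = (Join-Path $env:windir 'Tasks')
)

function Get-HiddenJob {
    param([Parameter(Mandatory = $true)][string]$Path)

    $mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

    # -Force is the equivalent of "dir /a": hidden and system entries are
    # returned as well. Without it the result matches what plain "dir" shows.
    Get-ChildItem -LiteralPath $Path -Force -Filter '*.job' |
        Where-Object {
            -not $_.PSIsContainer -and
            ([int]($_.Attributes -band $mask) -ne 0)
        } |
        Select-Object Name, Attributes, Length, CreationTimeUtc, LastWriteTimeUtc
}

if (-not (Test-Path -LiteralPath $TaskDir)) {
    Write-Error "Task folder not found: $TaskDir"
    exit 2
}

# Count what a default listing shows versus what is really there, so the
# report makes the discrepancy visible.
$visible = @(Get-ChildItem -LiteralPath $TaskDir -Filter '*.job' |
             Where-Object { -not $_.PSIsContainer })
$all     = @(Get-ChildItem -LiteralPath $TaskDir -Force -Filter '*.job' |
             Where-Object { -not $_.PSIsContainer })
$hidden  = @(Get-HiddenJob -Path $TaskDir)

"{0}: {1} job file(s) visible, {2} present in total" -f $TaskDir, $visible.Count, $all.Count

if ($hidden.Count -gt 0) {
    "Job files with Hidden/System attribute set:"
    $hidden | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled audit can alert on it
}

"No hidden job files found."
exit 0
```

The filter is limited to `*.job` so that other hidden files in the same folder are not reported as findings.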
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Jun 04 2003 - 13:34:04 PDT