Subject: Re: About That “inetpub” Folder ...
From: nospam (at) *nospam* needed.invalid (Paul)
Groups: comp.os.linux.advocacy alt.comp.os.windows-11
Date: 13. Jun 2025, 23:50:22
Organization: A noiseless patient Spider
Message-ID: <102i9vg$3nopv$1@dont-email.me>
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
On Fri, 6/13/2025 4:50 PM, candycanearter07 wrote:
> Paul <nospam@needed.invalid> wrote at 00:27 this Friday (GMT):
>> On Thu, 6/12/2025 11:10 AM, candycanearter07 wrote:
>>> Lawrence D'Oliveiro <ldo@nz.invalid> wrote at 23:35 this Tuesday (GMT):
>>>> On Tue, 10 Jun 2025 12:11:56 -0400, Oscar wrote:
>>>>
>>>>> Can someone just give me the best way to get rid of it safely?
>>>>
>>>> You can’t. It’s needed for the Windows security mechanism to work.
>>>
>>> That seems like a really dumb and insecure bandaid fix.
>>
>> I'm surprised they didn't set the Hidden attribute on it.
>>
>> Paul
>
> They DIDN'T?? That seems like a disaster waiting to happen.
The purpose of hiding it is so the ordinary users do not remove it.
It has nothing to do with protecting a thing from an exploit.
This is why I like the protections on the WinRE.wim file (emergency
boot OS container). It's got all sorts of Hidden and System
attributes set on it. All this does is annoy the fuck out
of people like me, working on fixing it. And it does nothing
at all to stop a Black Hat.
But still, the Hidden is to hide cosmetic issues, such
as if you are using this trick (temporarily) as a fix.
As an example, the Process Monitor you can download from
Microsoft has a boot trace option, where you can trace
execution (ETW events) from T=0. What people don't know
(because they can't see it) is that a "procmon23.sys" or similar
is added to System32, and that module is loaded at boot time.
Since the Hidden bit is set on it, people can't see it, and
the program does not clean up after itself and remove the
file again. When the API changes, the version is bumped
to "procmon24.sys".
How can I spot those? Using nfi.exe, for NTFS listing.
That parses the $MFT (Master File Table) and avoids a lot of issues.
Let's see if I have a procmon passenger on board.
.\nfi.exe C: > D:\nfi-c-out.txt
File 8170
\Windows\System32\drivers\PROCMON24.SYS <=== passenger!
$STANDARD_INFORMATION (resident)
$FILE_NAME (resident)
$FILE_NAME (resident)
$DATA (nonresident)
logical sectors 287064-287223 (0x46158-0x461f7)
logical sectors 292472-292479 (0x47678-0x4767f)
*******
Command Prompt:
cd /d C:\Windows\System32\drivers\
dir /ah PROCMON2*
Volume in drive C is W11HOME
Volume Serial Number is FA6E-E123
Directory of C:\Windows\System32\drivers
Sat, 05/31/2025 1:23 PM 82,344 PROCMON24.SYS
Paul
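An added example, not from Paul's post or from Sysinternals, that turns the `dir /ah` check above into a PowerShell report: it lists every Hidden-attributed .sys file under System32\drivers (which a plain dir omits), shows its Authenticode signature status, and notes whether any registered driver service (Win32_SystemDriver) still references that file name, so a leftover like PROCMON24.SYS stands out. It assumes only a Windows host and an elevated PowerShell session; the directory and class names are standard Windows ones, not values from the thread.

```powershell
# Added example: report Hidden .sys files in System32\drivers, with
# signature status and whether a driver service still points at them.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

# Map driver image file name (lowercase) -> service name(s).
# Win32_SystemDriver.PathName formats vary (C:\..., \SystemRoot\..., \??\C:\...),
# so match on the leaf file name rather than the full path.
$serviceByLeaf = @{}
Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    if ($_.PathName) {
        $leaf = (Split-Path -Leaf ($_.PathName.Trim('"'))).ToLowerInvariant()
        if ($serviceByLeaf.ContainsKey($leaf)) {
            $serviceByLeaf[$leaf] += ",$($_.Name)"
        } else {
            $serviceByLeaf[$leaf] = $_.Name
        }
    }
}

# -Force makes Get-ChildItem include Hidden and System files.
$report = Get-ChildItem -Path $driversDir -Filter '*.sys' -Force -File |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Hidden } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $leaf = $_.Name.ToLowerInvariant()
        [PSCustomObject]@{
            Name       = $_.Name
            Size       = $_.Length
            Modified   = $_.LastWriteTime
            Attributes = $_.Attributes
            Signature  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # A hidden driver file with no registered service is the
            # "passenger" pattern described in the post: present on disk,
            # loadable, but not tracked by any service entry.
            Service    = if ($serviceByLeaf.ContainsKey($leaf)) { $serviceByLeaf[$leaf] } else { '(none registered)' }
        }
    }

$report | Sort-Object Service, Name | Format-Table -AutoSize
```

Run it elevated; Get-AuthenticodeSignature on a file under System32\drivers is read-only, and the Service column is what distinguishes a driver Windows knows about from one that was merely left behind.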