Re: About That “inetpub” Folder ...

Subject : Re: About That “inetpub” Folder ...
From : candycanearter07 (at) *nospam* candycanearter07.nomail.afraid (candycanearter07)
Groups : comp.os.linux.advocacy alt.comp.os.windows-11
Date : 16. Jun 2025, 20:20:06
Organization : the-candyden-of-code
Message-ID : <slrn1050rdo.47r1.candycanearter07@candydeb.host.invalid>
User-Agent : slrn/1.0.3 (Linux)
Paul <nospam@needed.invalid> wrote at 22:50 this Friday (GMT):
> On Fri, 6/13/2025 4:50 PM, candycanearter07 wrote:
>> Paul <nospam@needed.invalid> wrote at 00:27 this Friday (GMT):
>>> On Thu, 6/12/2025 11:10 AM, candycanearter07 wrote:
>>>> Lawrence D'Oliveiro <ldo@nz.invalid> wrote at 23:35 this Tuesday (GMT):
>>>>> On Tue, 10 Jun 2025 12:11:56 -0400, Oscar wrote:
>>>>>
>>>>>> Can someone just give me the best way to get rid of it safely?
>>>>>
>>>>> You can’t. It’s needed for the Windows security mechanism to work.
>>>>
>>>> That seems like a really dumb and insecure bandaid fix.
>>>
>>> I'm surprised they didn't set the Hidden attribute on it.
>>>
>>>    Paul
>>
>> They DIDN'T?? That seems like a disaster waiting to happen.
>
> The purpose of hiding it is so the ordinary users do not remove it.
>
> It has nothing to do with protecting a thing from an exploit.
>
> This is why I like the protections on the WinRE.wim file (emergency
> boot OS container). It's got all sorts of Hidden and System
> attributes set on it. All this does is annoy the fuck out
> of people like me, working on fixing it. And it does nothing
> at all to stop a Black Hat.
>
> But still, the Hidden is to hide cosmetic issues, such
> as if you are using this trick (temporarily) as a fix.
>
> As an example, the Process Monitor you can download from
> Microsoft has a boot trace option, where you can trace
> execution (ETW events) from T=0. What people don't know
> (because they can't see it) is that a "procmon23.sys" or similar
> is added to System32, and that module is loaded at boot time.
> Since the Hidden bit is set on it, people can't see it, and
> the program does not clean up after itself and remove the
> file again. When the API changes, the version is bumped
> to "procmon24.sys".
>
> How can I spot those? Using nfi.exe, for NTFS listing.
> That parses the $MFT (Master File Table) and avoids a lot of issues.
>
> Let's see if I have a procmon passenger on board.
>
>    .\nfi.exe   C:   > D:\nfi-c-out.txt
>
> File 8170
> \Windows\System32\drivers\PROCMON24.SYS   <=== passenger!
>     $STANDARD_INFORMATION (resident)
>     $FILE_NAME (resident)
>     $FILE_NAME (resident)
>     $DATA (nonresident)
>         logical sectors 287064-287223 (0x46158-0x461f7)
>         logical sectors 292472-292479 (0x47678-0x4767f)
>
> *******
> Command Prompt:
>
> cd /d C:\Windows\System32\drivers\
>
> dir /ah PROCMON2*
>  Volume in drive C is W11HOME
>  Volume Serial Number is FA6E-E123
>
>  Directory of C:\Windows\System32\drivers
>
> Sat, 05/31/2025  1:23 PM            82,344 PROCMON24.SYS
>
>    Paul


Yeah, so if it were hidden, people wouldn't have been freaking out.
Maybe they could also provide a script to unhide it for the people who
actually use it.
--
user <candycane> is generated from /dev/urandom
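Added example, not code from the thread, from Sysinternals or from Microsoft: a PowerShell script covering both sides of the exchange above, the `dir /ah` style check Paul runs against System32\drivers for a leftover PROCMON*.SYS, and the hide/unhide helper candycanearter07 asks for. The paths and the PROCMON*.SYS name pattern are the ones named in the thread; the Win32_SystemDriver query goes beyond the post and is my addition, as is the assumption that you run this from an elevated PowerShell (changing attributes on a folder under the drive root needs admin rights).

```powershell
# Added example; not code from the thread or from Sysinternals.
# Two points the thread makes:
#   1. Hidden/System attributes only keep a file out of a default "dir"
#      listing; "dir /ah" (here: Get-ChildItem -Force) shows it anyway.
#   2. The attribute is trivially toggled, so a hide/unhide helper is a few
#      lines, and it is no obstacle to an attacker, only to ordinary users.
# Paths and the PROCMON*.SYS pattern are the ones Paul's post names.

function Get-HiddenPassengers {
    param(
        [string]$Path   = "$env:SystemRoot\System32\drivers",
        [string]$Filter = 'PROCMON*.SYS'
    )
    # -Force is the Get-ChildItem equivalent of "dir /ah": without it,
    # entries carrying the Hidden or System attribute are silently skipped.
    Get-ChildItem -LiteralPath $Path -Filter $Filter -File -Force |
        Select-Object Name, Length, LastWriteTime,
            @{ n = 'Attributes'; e = { $_.Attributes.ToString() } }
}

function Get-PassengerDrivers {
    # Goes beyond the post (my addition): a leftover .sys on disk only matters
    # if something still loads it. Win32_SystemDriver lists registered
    # kernel-mode driver services, so a hit here means the driver is still
    # registered with the service control manager, not merely present on disk.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like 'PROCMON*' } |
        Select-Object Name, State, StartMode, PathName
}

function Set-FolderHidden {
    # The "script to unhide it" candycanearter07 asks for, plus the reverse
    # direction. Assumes an elevated session for folders under the drive root.
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Unhide
    )
    $item = Get-Item -LiteralPath $Path -Force   # -Force: find it even while hidden
    if ($Unhide) {
        $item.Attributes = $item.Attributes -band (-bnot [int][IO.FileAttributes]::Hidden)
    } else {
        $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::Hidden
    }
    (Get-Item -LiteralPath $Path -Force).Attributes   # report the resulting state
}

# Usage (elevated PowerShell):
Get-HiddenPassengers
Get-PassengerDrivers
Set-FolderHidden -Path "$env:SystemDrive\inetpub"          # hide it, as Paul suggests
Set-FolderHidden -Path "$env:SystemDrive\inetpub" -Unhide  # bring it back for people who use IIS
```

One caveat a practitioner will want: Get-ChildItem goes through the normal directory-enumeration API, which is exactly the layer anything trying to stay out of sight would interpose on, so Paul's nfi.exe route, which reads the $MFT directly, is the more robust check of the two. Run both; they should agree, and a file that shows up in the $MFT listing but not in Get-ChildItem -Force is worth a much closer look than a stale ProcMon driver.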

Date       Tree            Subject                                #   Author
10 Jun 25  *               About That “inetpub” Folder ...       30  Lawrence D'Oliveiro
10 Jun 25  +*              Re: About That “inetpub” Folder ...    3  Paul
10 Jun 25  |`*             Re: About That “inetpub” Folder ...    2  vallor
10 Jun 25  | `-            Re: About That “inetpub” Folder ...    1  Paul
10 Jun 25  +*              Re: About That “inetpub” Folder ...   25  Oscar
10 Jun 25  |+-             Re: About That “inetpub” Folder ...    1  Paul
11 Jun 25  |+*             Re: About That “inetpub” Folder ...   18  Lawrence D'Oliveiro
12 Jun 25  ||`*            Re: About That “inetpub” Folder ...   17  candycanearter07
13 Jun 25  || `*           Re: About That “inetpub” Folder ...   16  Paul
13 Jun 25  ||  +-          Re: About That “inetpub” Folder ...    1  %
13 Jun 25  ||  `*          Re: About That “inetpub” Folder ...   14  candycanearter07
13 Jun 25  ||   `*         Re: About That “inetpub” Folder ...   13  Paul
14 Jun 25  ||    +*        Re: About That “inetpub” Folder ...   11  Lawrence D'Oliveiro
14 Jun 25  ||    |`*       Re: About That “inetpub” Folder ...   10  Paul
14 Jun 25  ||    | `*      Re: About That “inetpub” Folder ...    9  Lawrence D'Oliveiro
14 Jun 25  ||    |  `*     Re: About That “inetpub” Folder ...    8  Paul
14 Jun 25  ||    |   +*    Re: About That “inetpub” Folder ...    2  Daniel70
14 Jun 25  ||    |   |`-   Re: About That “inetpub” Folder ...    1  Paul
15 Jun 25  ||    |   `*    Re: About That “inetpub” Folder ...    5  Lawrence D'Oliveiro
15 Jun 25  ||    |    `*   Re: About That “inetpub” Folder ...    4  Paul
15 Jun 25  ||    |     +-  Re: About That “inetpub” Folder ...    1  Lawrence D'Oliveiro
16 Jun 25  ||    |     `*  Re: About That “inetpub” Folder ...    2  vallor
16 Jun 25  ||    |      `- Re: About That “inetpub” Folder ...    1  Paul
16 Jun 25  ||    `-        Re: About That “inetpub” Folder ...    1  candycanearter07
11 Jun 25  |`*             Re: About That “inetpub” Folder ...    5  Farley Flud
13 Jun 25  | `*            Re: About That “inetpub” Folder ...    4  Paul
13 Jun 25  |  +-           Re: About That “inetpub” Folder ...    1  Paul
13 Jun 25  |  `*           Re: About That “inetpub” Folder ...    2  Daniel70
13 Jun 25  |   `-          Re: About That “inetpub” Folder ...    1  Paul
10 Jun 25  `-              Re: About That “inetpub” Folder ...    1  rsutton


The messages shown come from Usenet.

NewsPortal