• In this exercise, you will learn how to manually search the Windows Registry and Task Manager to
detect any spyware / adware processes running on your computer. In addition, you will use the
Windows Sysinternals “Autoruns” software to find malicious programs on your Windows machine.
• The Windows registry is a database that stores the options and settings for the Microsoft
Windows operating system, including hardware configuration, user settings and system policies. It is
separated into the following top-level folders (keys):
1. HKEY_CLASSES_ROOT: The information stored here makes sure that the correct program
opens when you open a file by using Windows Explorer.
2. HKEY_CURRENT_USER: Contains the root of the configuration information for the user who is
currently logged on. The user's folders, screen colors, and Control Panel settings are stored here.
This information is associated with the user's profile.
3. HKEY_LOCAL_MACHINE: Contains configuration information particular to the computer (for any
user).
4. HKEY_USERS: Contains all the actively loaded user profiles on the computer.
5. HKEY_CURRENT_CONFIG: Contains information about the hardware profile that is used by the
local computer at system startup.
• When clicking through each folder, specific information is divided into three columns: 1) Name, 2)
Type, and 3) Data. We will be considering Name (given name of a program) and Data (the path for
the actual file).
• The Windows Task Manager shows the current processes and programs that are running on your
computer in RAM.
Steps for Manually Viewing Windows Registry/Tasks for Spyware & Adware:
12. If you wish to remove some registry items based on what you find on processlibrary.com (it’s ok to
remove the registry item), right-click on the name in the registry and select “Delete”.
13. Click on “Yes” to confirm the deletion.
14. Close the Windows Registry.
• By going through all of your registry/process items and searching for each one online, it is possible
to find many malicious (non-essential) programs that start up with your machine. However, tools have
also been created to make this process simpler.
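The manual registry and Task Manager check described above, as an added PowerShell example that is not part of the handout. It assumes the Run/RunOnce keys under HKLM and HKCU are the startup locations the exercise has you inspect; it prints the same Name and Data columns, marks whether the program is currently running, and flags the entries worth looking up first.

```powershell
# Added example, not part of the handout: list the Name and Data columns of the common
# Run/RunOnce autostart keys (assumed to be the startup locations the exercise inspects),
# check each entry against the process list Task Manager shows, and flag entries that are
# worth researching (file missing, or not under Program Files / Windows).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties PowerShell adds to every registry object; these are not real registry values.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# The Data column is a command line: the image path is the quoted part or the first token.
# (An unquoted path containing spaces is cut at the first space; check such rows by hand.)
function Get-ImagePath([string]$Data) {
    if ($Data -match '^\s*"([^"]+)"') { $path = $Matches[1] } else { $path = ($Data -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-AutostartReport {
    # Snapshot of running processes (what Task Manager shows), keyed by lower-cased image path.
    $running = @{}
    foreach ($proc in Get-Process) {
        try { if ($proc.Path) { $running[$proc.Path.ToLower()] = $proc.Id } } catch { }
    }
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
        Where-Object { $_ } | ForEach-Object { $_.ToLower() }

    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($MetaProps -contains $prop.Name) { continue }
            $image      = Get-ImagePath ([string]$prop.Value)
            $exists     = Test-Path -LiteralPath $image
            $trustedDir = [bool]($trusted | Where-Object { $image.ToLower().StartsWith($_) })
            $procId     = $running[$image.ToLower()]
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name           # the registry "Name" column
                Data    = $prop.Value          # the registry "Data" column (path + arguments)
                Running = $(if ($procId) { "PID $procId" } else { 'no' })
                Review  = (-not $exists) -or (-not $trustedDir)   # look these up first
            }
        }
    }
}

Get-AutostartReport | Sort-Object Review -Descending | Format-Table -AutoSize
```

Rows with Review set to True are the ones to search for by Name on processlibrary.com or the forums before deciding whether to delete the registry value.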
Steps for using Windows Sysinternals “Autoruns” to detect Spyware & Adware:
6. Look for a distinctive part of the registry key or path name and search the RootkitRevealer (RKR)
forums at:
RootkitRevealer Logs: http://forum.sysinternals.com/forum_topics.asp?FID=17
RootkitRevealer Usage: http://forum.sysinternals.com/forum_topics.asp?FID=15
7. If you find nothing there, use Google!
8. The following null keys are fine; they are a result of the newest version now scanning the HKLM
security hive files:
HKLM\Security\Policy\Secrets\SAC*
HKLM\Security\Policy\Secrets\SAI*
9. There should be suggestions for determining whether the discrepancy is the result of a rootkit or is
innocuous. If it IS a rootkit, it is wise to check the forums or Google for specific removal
instructions.
10. Exit RootkitRevealer.