Hack #25. List Open Files and Their Owning Processes

Look for suspicious activity by monitoring file accesses.

Suppose you’re looking at the list of processes in the task manager one day after noticing some odd behavior on your workstation, and you notice a process you haven’t seen before. Well, what do you do now? If you were running something other than Windows, you might try to determine what the process is doing by looking at the files it has open. But Windows doesn’t provide a tool to do this.

Fortunately, a third-party solution exists. Sysinternals makes an excellent tool called Handle, which is available for free at http://www.sysinternals.com/Utilities/Handle.html. Handle is a lot like lsof [Hack #8], but it can list many other types of operating system resources, including threads, events, and semaphores. It can also display open Registry keys and IOCompletion structures.

Running handle without any command-line arguments lists all open file handles on the system. You can also specify a filename to list the processes that currently have it open, by typing this:

C:> handle filename

Or you can list only files that are opened by a particular process—in this case, Internet Explorer:

C:> handle -p iexplore
Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

----------------------------------------------------------------------------
IEXPLORE.EXE pid: 688 PLUNDER\andrew
   98: Section       \BaseNamedObjects\MTXCOMM_MEMORY_MAPPED_FILE
   9c: Section       \BaseNamedObjects\MtxWndList
  12c: Section       \BaseNamedObjects\__R_0000000000d4_SMem_  _
  18c: File          C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  198: Section       \BaseNamedObjects\C:_Documents and Settings_andrew_Local Settings_Temporary Internet Files_Content.IE5_index.dat_3194880
  1a0: File          C:\Documents and Settings\andrew\Cookies\index.dat
  1a8: File          C:\Documents and Settings\andrew\Local Settings\History\History.IE5\index.dat
  1ac: Section       \BaseNamedObjects\C:_Documents and Settings_andrew_Local Settings_History_History.IE5_index.dat_245760
  1b8: Section       \BaseNamedObjects\C:_Documents and Settings_andrew_Cookies_index.dat_81920
  228: Section       \BaseNamedObjects\UrlZonesSM_andrew
  2a4: Section       \BaseNamedObjects\SENS Information Cache
  540: File          C:\Documents and Settings\andrew\Application Data\Microsoft\SystemCertificates\My
  574: File          C:\Documents and Settings\All Users\Desktop
  5b4: Section       \BaseNamedObjects\mmGlobalPnpInfo
  5cc: File          C:\WINNT\system32\mshtml.tlb
  614: Section       \BaseNamedObjects\WDMAUD_Callbacks
  640: File          C:\WINNT\system32\Macromed\Flash\Flash.ocx
  648: File          C:\WINNT\system32\STDOLE2.TLB
  6a4: File          \Dfs
  6b4: File          C:\Documents and Settings\andrew\Desktop
  6c8: File          C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\Q5USFST0\softwareDownloadIndex[1].htm
  70c: Section       \BaseNamedObjects\MSIMGSIZECacheMap
  758: File          C:\WINNT\system32\iepeers.dll
  75c: File          C:\Documents and Settings\andrew\Desktop
  770: Section       \BaseNamedObjects\RotHintTable

If you want to find the Internet Explorer process that holds a resource whose name contains the string handle, you can type this:

C:> handle -p iexplore handle
Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

IEXPLORE.EXE       pid: 1396   C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\H1EZGFSH\handle[1].htm

Additionally, if you want to list all types of resources, you can use the -a option. Handle is quite a powerful tool, and you can mix together any of its command-line options to quickly narrow your search and find just what you want.
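Handle's per-process listing (the format shown above) is easy to capture to a file and post-process, which is what you want when checking an unfamiliar process on a workstation: which files it has open, which other processes share a file with it, and how the picture changes between two snapshots. The following parser is an added example and is not part of the Sysinternals tool or of this hack; it reads the `handle -p <name>` listing format, answers the two questions the hack poses (files open by a process, processes that have a file open), and summarizes handle types. The embedded sample is constructed from the IEXPLORE.EXE lines above plus a hypothetical explorer.exe entry so that a shared file shows two owners.

```python
"""Parse Sysinternals Handle output (the `handle -p <name>` listing format) into
records and query it.  Added example; not part of the Handle tool itself."""
import re
import sys
from collections import Counter, defaultdict
from dataclasses import dataclass

# Process header line, e.g. "IEXPLORE.EXE pid: 688 PLUNDER\andrew"
_PROC_RE = re.compile(r"^(?P<image>\S+)\s+pid:\s+(?P<pid>\d+)\s+(?P<owner>\S.*)$")
# Handle line, e.g. "  18c: File          C:\WINNT\system32\mshtml.tlb"
_HANDLE_RE = re.compile(r"^\s*(?P<hid>[0-9A-Fa-f]+):\s+(?P<type>\S+)\s+(?P<name>.*)$")

# Constructed sample: abbreviated IEXPLORE.EXE lines from the hack plus a
# hypothetical explorer.exe entry (not real captured output).
SAMPLE_OUTPUT = r"""Handle v2.10
Copyright (C) 1997-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

----------------------------------------------------------------------------
IEXPLORE.EXE pid: 688 PLUNDER\andrew
   98: Section       \BaseNamedObjects\MTXCOMM_MEMORY_MAPPED_FILE
  18c: File          C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\index.dat
  1a0: File          C:\Documents and Settings\andrew\Cookies\index.dat
  5cc: File          C:\WINNT\system32\mshtml.tlb
  6b4: File          C:\Documents and Settings\andrew\Desktop
----------------------------------------------------------------------------
explorer.exe pid: 1044 PLUNDER\andrew
   44: Key           HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
   c8: File          C:\Documents and Settings\andrew\Desktop
  110: File          C:\WINNT\system32\shell32.dll
"""


@dataclass(frozen=True)
class HandleRecord:
    image: str      # process image name as Handle prints it
    pid: int
    owner: str      # account the process runs as, e.g. PLUNDER\andrew
    handle_id: int  # handle value (Handle prints it in hex)
    type: str       # File, Section, Key, ...
    name: str       # object name or path


def parse_handle_output(text):
    """Turn Handle's listing into HandleRecord objects, skipping the banner and separators."""
    records = []
    image = pid = owner = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) == {"-"}:
            continue  # blank line or the dashed separator between processes
        m = _PROC_RE.match(line)
        if m:
            image, pid, owner = m["image"], int(m["pid"]), m["owner"]
            continue
        m = _HANDLE_RE.match(line)
        if m and image is not None:
            records.append(HandleRecord(image, pid, owner, int(m["hid"], 16),
                                        m["type"], m["name"].strip()))
        # banner lines (version, copyright, URL) match neither pattern and are dropped
    return records


def files_open_by(records, image):
    """Sorted file paths held by every process whose image name matches (case-insensitive)."""
    return sorted({r.name for r in records
                   if r.type == "File" and r.image.lower() == image.lower()})


def processes_with_open(records, fragment):
    """(image, pid) pairs holding a File handle whose path contains `fragment`,
    the same question `handle <filename>` answers."""
    frag = fragment.lower()
    return sorted({(r.image, r.pid) for r in records
                   if r.type == "File" and frag in r.name.lower()})


def handle_type_counts(records):
    """How many handles of each type were listed."""
    return Counter(r.type for r in records)


def open_file_owners(records):
    """Map each open file path to the set of (image, pid) holding it; saving this
    for a known-good state lets you diff a later snapshot against it."""
    owners = defaultdict(set)
    for r in records:
        if r.type == "File":
            owners[r.name].add((r.image, r.pid))
    return dict(owners)


if __name__ == "__main__":
    # Pass a file containing saved `handle -p <name>` output, or run with no
    # argument to use the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    recs = parse_handle_output(text)
    print("handle types:", dict(handle_type_counts(recs)))
    for path, who in sorted(open_file_owners(recs).items()):
        print(f"{path}\n    held by: {sorted(who)}")
```

Save the output of `handle -p <process>` (or `handle -a`) to a file and pass its name to the script; when a process you do not recognize appears in Task Manager, the `open_file_owners` map shows at a glance which files it shares with known processes and which it holds alone, and keeping a copy from a quiet day gives you something concrete to diff against.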