[Tfug] OT: Windows "Tracking Software"

Jeffry Johnston tfug at kidsquid.com
Thu Mar 5 20:06:22 MST 2009


Hi,

My guess is that the employer doesn't want you hacking their computer.
If as a potential employer I had intentionally locked down a computer
and then caught an employee poking around trying to defeat it, they'd
be fired.  After all, how is them hacking the computer helping the
bottom line?  And not only that, why are they hacking it?  Are they
trying to do something illegal on my system, or are they just trying
to hide the fact that they are goofing off?  My advice would be for
this person to either quit being so paranoid or to use the work
computer only for doing actual WORK.  If they want to surf the web on
a break, they can use the wifi at a coffee shop, etc.

However, if the person decides they absolutely must.. then the
important thing to remember is that this monitoring program has to be
run from somewhere.  I think we can assume that it's not burned into
the BIOS (god, I hope not).

So, where can programs get loaded?
MBR, boot sector, then from there once an OS is available, you have a
lot of options.

1) Change boot order to boot from a CD first.  If you can't, due to a
password, open the case and reset the CMOS.  If you can't even open
the case, you're SOL.  Give up.

2) Boot from a linux live cd.. or possibly floppy or usb?  Bypassing
any possible code in the HD MBR or boot sector.

3) Running from linux, use an emulator like qemu to execute fdisk
/mbr.  Replace the boot sector with a known good one from a different
windows drive.

4) Replace the windows system files with known good copies.  Includes
all .com, .exe, .dll, etc.

5) Now, check into all the normal locations for Windows to be loading
stuff.. autoexec.bat, config.sys, win.ini, system.ini, the registry
(Run, RunOnce, RunOnceEx, etc.. I know the ones from 95/98, there
are probably more in XP), the "Run" folder in each user's start menu.
Remove anything that isn't a system executable you replaced in step
4.

And that still might not work.  Best advice: make any potential
logging program useless by using the machine only for working.

Jeff
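As an added example (not part of Jeff's post or the thread), this read-only PowerShell inventory covers the autostart locations step 5 names on an XP-or-later box: the Run/RunOnce/RunOnceEx registry keys and the per-user and all-users Startup folders. It lists each entry and flags commands whose executable does not live under the Windows or Program Files directories, so the list can be compared against a known-good build; the flag heuristic and output layout are this example's own, and nothing is modified or removed.

```powershell
# Added example: inventory of Windows autostart entries. Read-only; it changes nothing.
# Key paths are the standard Run locations; RunOnceEx normally stores its commands in
# numbered subkeys, so only values placed directly on the key are listed here.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # PowerShell adds PS* metadata properties; every other property is a value-name -> command pair
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Startup folders: the current user's and the all-users one
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f -File | ForEach-Object {
            [pscustomobject]@{ Location = $f; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Heuristic (this example's own): flag any entry whose executable sits outside the
# Windows and Program Files trees, so those entries get checked against the known-good image.
$systemRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

Get-AutostartEntries | ForEach-Object {
    # Extract the executable: a quoted path keeps its spaces, otherwise take the first token
    $exe = if ($_.Command -match '^"([^"]+)"') { $Matches[1] } else { ($_.Command -split '\s+')[0] }
    $inSystemPath = $false
    foreach ($root in $systemRoots) {
        if ($exe -like "$root*") { $inSystemPath = $true }   # -like is case-insensitive
    }
    $_ | Add-Member -NotePropertyName OutsideSystemDirs -NotePropertyValue (-not $inSystemPath) -PassThru
} | Format-Table Location, Name, Command, OutsideSystemDirs -AutoSize
```

Reading HKLM keys and the all-users Startup folder works for a standard user; only changing them needs administrator rights, which is the constraint the original poster raised.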



On Wed, Mar 4, 2009 at 9:21 AM, Andrew Ayre <andy at britishideas.com> wrote:
> Bexley Hall wrote:
>>
>> Hi, Andy,
>>
>>> If I suspected my PC had something like that then I would
>>> get the free Process Explorer and examine all the processes.
>>> Kill any I didn't want running.
>>
>> And what do you do if you aren't running as Administrator
>> (i.e., because the machine is maintained/provided by your
>> *employer*)?
>>
>>> Also I would investigate safe mode to see if that stopped
>>> the tracking behaviour.
>>
>> But, you don't even know (yet) that "tracking" is taking
>> place!  <grin>  I.e., that is the first part of my
>> question:  "detect and defeat"
>>
>>> I would run msconfig and stop any services and processes
>>> from running at startup that I didn't recognize.
>>
>> Again, that only works if you have root privileges.
>>
>>> Worst case I would reinstall windows.
>>
>> Your boss would undoubtedly have something to say if you
>> had done this.  Also, many newer machines can be configured
>> so that booting off a CD/DVD is disallowed.
>>
>> You're assuming this is *your* machine and that someone has
>> slipped something onto it surreptitiously.  What if it is
>> *my* machine that *you* use 8 hours a day (on my behalf)?
>
> Why didn't you tell us in the first place that no administrator access is
> available? It's a waste of everyone's time to try and help you if you don't
> give us all the requirements. I'm guessing you knew that no administrator
> access was a requirement for your problem when you first posted. Sigh... :(
>
> Andy
>
> --
> Andy
> PGP Key ID: 0xDC1B5864
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>
