Have you ever heard of the expression “still waters run deep”? It really applies to computers as it were. While the computer may seem to be idling there is a lot of activity happening in the background.
A computer is never really quiet in the true sense of the word. There is always something going on with it. To us it may seem that it is dormant but it is normally busy doing something or other. Through the use of tools such as RegmonNt, FilemonNt, and TdiMonNT we can view what it is that our computer is doing. These fine freeware tools were programmed by the fine folks at Sysinternals. On a side note Sysinternals was just acquired by Microsoft. I would daresay this is one of Microsoft’s best buys in recent history. Having people like Mark Russinovich and Dave Solomon on staff will be very helpful to them.
Why is it important to know what is going on in the background of your computer? Well the first thing that comes readily to mind is that it is important for you as a system administrator to become familiar with processes that run on whatever version of Microsoft that you are running. Should an end-user report a problem with their computer it is often one of these tools, dependent on the problem, that you will run in order to diagnose the problem. For myself on the other hand, and those of you who practice computer security, we have another area of interest. We also need to know what processes are running, but more in the interest of discovering rogue processes that may not be what they seem.
Dealing with malware on the enterprise network is an ever growing cottage industry it seems. Every day sys admins and the networks they monitor are targeted by malware and other forms of malicious code. Problem is that these very specimens of malware are often quite complicated in how they work. All too often malware is now compressed through the use of custom packers such as PEX to name but one. What this means is that you will have a tough time reverse engineering the piece of malware if you cannot unpack it. That only leaves the option of actually executing the malware in order to find out what it does. That is where the above noted tools from Sysinternals comes in handy. You will need to monitor changes to the registry, file system, and other parts after you have let run some piece of malware. So with that in mind let’s take a look at these three tools.
Well as the name of this program pretty much implies, it is a registry monitoring application. What it monitors is any programs accessing the registry, and what keys within it. Lastly, this program will also tell you just what part of the registry that is being read or written to, and best of all, this program will show you all of this activity in real time. If you are thinking this is a must have tool then you would indeed be correct! Let’s take a look at the screenshot below, which displays RegmonNt in action.
We can see in the screenshot above that the changes Apache is making are being noted in quick order by Regmon. From the left hand side onwards I will comment on what we are seeing. First off are the number of instances as seen by the # and a number following it. This is followed by the time stamp right down to the millisecond, and this is taken from your system clock. After that we have the application which is making changes to the registry. In this case it is the Apache Monitor service, and that in turn is followed by the process number of 948. Next up is the “Request” field which will tell what is being done to the registry, and following that is the “Path” within your registry where the changes are being made. “Result” is the next column which will tell you if the change has been successful or not. Lastly, is the “Other” column which will supply you with more information on what has been done. The toughest part about using this tool is the sheer output of it. You will need to filter out the stuff you don’t need by clicking on the “Options” menu and then in turn the “Filter/Highlight” one. This tool is best learnt by simply playing around with it. We can see that it would be a great way to monitor what changes to the registry a piece of malware may make.
Filemon works much in the same way that Regmon does but the difference is that Filemon will monitor the file system itself, and do so in real time much like Regmon. Well a picture is worth a thousand words so let’s take a look at Filemon in action.
I shall break down the columns seen above going from left to right once again. First off we have the number of instances, followed by the timestamp, without the millisecond this time. You would need to enable that option if you wanted it via the menus. After that we have the application in use under the “Process” tab followed by its process number. The “Request” column is next and this will tell you what action is being taken ie: OPEN, CLOSE and so on. “Path” is next and this will tell you what the relative path is on your computer that the application in question resides at. Now, we have the “Result” column that will simply tell you the status of the operation, and as seen above they are all “SUCCESS”. Lastly, we have the “Other” column, and there you will find more information related to the file action. Much as I mentioned above for Regmon is the fact that you would want this to monitor any changes that a piece of malware may make whilst performing dynamic analysis, or for that matter as a sys admin tracking down a problem.
This tool will let you monitor what is going on with both the TCP and UDP protocols which are used to convey information seeing as they are transport protocols. As such, this can be used by sys admins to troubleshoot network problems. On that note let’s take a look at TdiMon in action.
You are now used to the way that the Sysinternals tools such as Regmon and Filemon display information, and TdiMon does it in the same fashion. What is of interest to us is the “Process” field. This will tell you exactly what program it is that has created a socket, and also list its transport protocol under the “Local” column. The remaining fields are self evident and have been explained by me above. Why would you use this tool? Well as mentioned, if you are a sys admin it will help you track down network problems. As a computer security person it will allow you to study malware and find out if it will open up a socket and try to communicate with a distant server somewhere on the Internet.
All of the tools shown in this article are absolute must haves in your quest to further your knowledge of computers. They can be used for system administration purposes or equally for computer security issues. They are quite easy to use, and after five or ten minutes playing around with them, you will realize their worth. I for one would definitely encourage you to become familiar with them. As always, I welcome your feedback, and hope this article was of some use to you. Till next time!