SYS140 Week 7 Lab - eitan-j/tech-journal GitHub Wiki

Instructions: (Follow instructions carefully!)

Your submission will be in GitHub. If you copy and paste the questions below with asterisks, it will automatically bold those questions for you.

Suggestion: put the questions and answers in a separate document and then post to a GitHub page when you are done.

Reminder that the use of GitHub is so you can create a portfolio of your work and always have access to the information. You’ll be using GitHub in other classes in this program for the remainder of your academic career.

Preparation

Log in to your Windows 10 VM and use the AVG Secure Web Browser to download the tools for this lab. Download and run the tools and answer the questions for each tool. The download site for Sysinternals is https://docs.microsoft.com/en-us/sysinternals/. You will have to navigate through the site to find each of the tools below.

Objective

In this lab you run some of the Windows Sysinternals tools dealing with processes, files and disks. Before running the tools you should read the pertinent sections in the Windows Sysinternals Administrator's Reference book (you will be prompted to enter your Champlain credentials to access the e-book).

Processes

Process Explorer

DISCUSSION: Sometimes it is necessary to look at what is happening with the processes that are running on Windows. Viewing the running processes and determining which ones are using the most CPU or memory is a very common task. Some rogue malware may use a lot of CPU, but that is mostly the aggressive fake AV and ransomware. Malware written by professionals may not be so easily detected and may use hardly any CPU at all. Spambots can send dozens of emails in a few seconds without any noticeable performance problems.

There have been times when an svchost.exe process was using 99% of the CPU at startup, but there were about 30 svchost processes running. How do you tell what is really going on? Process Explorer is a great tool to use.

Run Process Explorer with administrative rights in your Windows 10 VM. Answer the following questions. Be sure you have the text in bold below in your GitHub submission AND the answer underneath.

Process Explorer

1. Which process (other than System Idle) is using the most CPU? (Click on the CPU tab to sort by the most used) How much is it using? NOTE: This will change in real-time so use whatever is showing up the most often. NOTE: System Idle Process is not a real process. It is how idle your Processor is on the system.

chrome.exe is using the most CPU, and is using 2.47%.

2. Which Process is using the most memory (Private Bytes and Working Set combined)? How much of each?

MsMpEng.exe is using the most memory. It is using 817,652 K of Private Bytes and 711,328 K of Working Set.

3. What are “Private Bytes” and “Working Set?” How are those relevant to the question in this assignment?

Private Bytes is memory that is exclusive to that application. Working Set is the set of pages that are in physical memory.

CITE the source(s) where you found the response to the question above.

Private Bytes VS Working Set in Process Explorer - Super User

4. What options does Process Explorer offer that Task Manager does not?

Process Explorer allows configuration, setting process priority, creating dumps, suspending processes, and other things.

Autoruns

DISCUSSION: There are a lot of programs that autostart when you load Windows. Some are required, but others are loaded by the manufacturer that you didn’t even know existed.

Malware, the garden variety kind, will put itself into the startup folder so it can be reactivated on a reboot, so this tool is useful for capturing that information.

Preparation

Download Autoruns on your Windows 10 VM.

Extract and run the Autoruns file (Autoruns64) and select the Everything Tab.

Be sure you have the text in bold below in your GitHub submission AND the answer underneath.

Autoruns

1. Look through the entries.

2. Click the Logon Tab. How many “Auto Entry” results do you see?

I see 16 entries.

3. Look through all of the entries that startup at Logon. Find three to do some research on. What information can you find out about those processes after performing an online search?

NOTE: This is to help you start the process of learning to find out how to analyze your computer system.

I have AMD Dual-Core Optimizer, despite having no AMD processor. It seems to have been installed with some game. It likely isn’t doing anything. I removed it.

Java Update Scheduler checks for Java updates every week.

Windows Command Processor is needed for Windows and has to do with the command prompt. I learned that malicious actors can disguise malware as Windows Command Processor.

CITE the source(s) where you found the response to the question above.

why do i have AMD Dual-Core Optimizer? - Linus Tech Tips

What Is jusched.exe and Why Is It Running? - How-To Geek

Fix: Windows Command Processor on Startup in Windows 10 - Appuals.com

4. Right-click on a startup entry. What options are available to you? What do they mean? In the screenshot below, I right-clicked on the entry “Java”. The question “What do they mean?” is asking what the options in the context menu mean (“Delete”, “Copy”, etc.).

The delete option deletes an autostart. Jump to Image shows the location on disk. Jump to Entry shows the autostart entry in the registry. Copy copies the information about the entry. Verify Image verifies the code signature. Check VirusTotal uploads the files to VirusTotal to be scanned. Process Explorer shows the details of the process if it is running. Search Online Googles the program. Find searches the entries for specific text. Properties shows properties of the program.

5. Export the results of autoruns into a CSV file. Upload the CSV file as a separate file when you submit your link for this assignment

NOTE: Why is it important to save the data to a CSV file? Comma-separated Values (CSV) provides a format that makes it easy to view the data in a spreadsheet so it can be sorted and searched. CSV also provides a unified format to make it easy to parse using scripting and programming languages. NOTE: Even though it is called “Comma-separated Values,” you can have the data separated by other values besides a comma.

Take a moment to look inside the file to see the formatting.
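As an added illustration of the scripted parsing the NOTE above describes (this is not part of the lab or of Autoruns itself), the Python below reads an Autoruns CSV export and flags enabled logon entries whose signer is not verified, plus any entry that calls itself Windows Command Processor but does not run from the Windows System32 cmd.exe, the disguise mentioned in the answer to question 3. The column names and the sample rows are assumed and constructed; compare the header with the first line of your own export before relying on it.

```python
import csv
import io

# Constructed sample rows in the column layout of an Autoruns CSV export.
# The column names are assumed; check them against the header of a real export.
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SunJavaUpdateSched,enabled,Logon,Java Update Scheduler,(Verified) Oracle America Inc.,c:\program files (x86)\common files\java\java update\jusched.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,AMD Dual-Core Optimizer,enabled,Logon,AMD Dual-Core Optimizer,(Not verified) AMD,c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Windows Command Processor,enabled,Logon,Windows Command Processor,(Not verified) Microsoft Corporation,c:\users\student\appdata\roaming\wcp\cmd.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldTool,disabled,Logon,Old Tool,(Not verified) Example Corp,c:\program files\oldtool\oldtool.exe
"""

# Trailing part of the path where the genuine Windows Command Processor lives.
GENUINE_CMD_SUFFIXES = (r"\windows\system32\cmd.exe", r"\windows\syswow64\cmd.exe")


def triage_autoruns(csv_text):
    """Return [(entry name, reason), ...] for entries worth a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].strip().lower() != "enabled":
            continue  # disabled entries do not run at logon
        entry, signer = row["Entry"], row["Signer"]
        image = row["Image Path"].strip().lower()
        # Autoruns writes "(Verified) <publisher>" only when the signature checks out.
        if not signer.startswith("(Verified)"):
            findings.append((entry, f"signer not verified: {signer}"))
        # A real "Windows Command Processor" entry should launch System32\cmd.exe.
        if (row["Description"] == "Windows Command Processor"
                and not image.endswith(GENUINE_CMD_SUFFIXES)):
            findings.append((entry, f"claims to be cmd.exe but runs from {image}"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage_autoruns(SAMPLE_AUTORUNS_CSV):
        print(f"{entry}: {reason}")
```

To run it on your own export, read the file into a string (an Autoruns CSV may carry a byte-order mark, so open it with encoding="utf-8-sig") and pass that string to triage_autoruns.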

Disk Utilities

DISCUSSION: Have you ever found that your hard drive is running out of space and you can’t figure out which directory is using the most data? Du can come to your rescue, but you need to run it from the command prompt.

Be sure you have the text in bold below in your GitHub submission AND the answer underneath.

DU Preparation:

1. Download DU from the sysinternals website

2. Open the folder where you extracted the du program. In the address bar of File Explorer, type:

cmd

and that will open the command prompt in the current directory to complete this lab.

Paste the following line into the command prompt:

du -c "c:\Program Files\*"

3. What information does this give you? How useful is this? Only handwritten submissions are required here. (1 point)

It shows info about how much data is in the directory. It’s somewhat useful, but doesn’t tell me what is taking up the most data.

4. Add a 2 level search by adding "-L 2" to the command line after the command you typed in #2

5. Is this more useful? How would you use this tool to track down where your disk is filling up?

Yes. I could export it as a CSV, and order and analyse the data in a program such as Excel.
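The answer above mentions sorting the CSV in Excel; as an added example that is not part of the lab or of du itself, the Python below does the same drill-down on du's -c output directly: it lists the largest directories and shows what share of a parent each direct child takes, which is how you chase the space down one level at a time. The sample rows are constructed and the header names are assumed from du's CSV mode; compare them with the first line of a real run.

```python
import csv
import io
import ntpath

# Constructed sample in the column layout of du's CSV (-c) output with -L 2.
# Header names are assumed; check them against the first line of a real run.
SAMPLE_DU_CSV = r"""Path,CurrentFileCount,CurrentFileSize,FileCount,DirectoryCount,DirectorySize,DirectorySizeOnDisk
c:\Program Files\Common Files\microsoft shared,12,1048576,400,30,52428800,52690944
c:\Program Files\Common Files\System,8,524288,40,3,2097152,2162688
c:\Program Files\Common Files,0,0,440,35,54525952,54853632
c:\Program Files\Windows Defender\en-US,5,102400,5,0,102400,122880
c:\Program Files\Windows Defender,30,40960000,35,1,41062400,41185280
c:\Program Files,0,0,475,38,95588352,96038912
"""


def load_du_sizes(csv_text):
    """Map each directory path to its total size in bytes (the DirectorySize column)."""
    return {row["Path"]: int(row["DirectorySize"])
            for row in csv.DictReader(io.StringIO(csv_text))}


def largest_directories(csv_text, top=3):
    """The top-N directories by total size, largest first, as (path, bytes)."""
    sizes = load_du_sizes(csv_text)
    return sorted(sizes.items(), key=lambda item: item[1], reverse=True)[:top]


def children_share(csv_text, parent):
    """Direct children of `parent` as (path, bytes, percent of parent), largest first."""
    sizes = load_du_sizes(csv_text)
    total = sizes[parent]
    # ntpath handles the Windows-style paths even when this runs on another OS.
    kids = [(path, size, round(100.0 * size / total, 1))
            for path, size in sizes.items()
            if ntpath.dirname(path).lower() == parent.lower()]
    return sorted(kids, key=lambda k: k[1], reverse=True)


if __name__ == "__main__":
    root = r"c:\Program Files"
    for path, size, pct in children_share(SAMPLE_DU_CSV, root):
        print(f"{pct:5.1f}%  {size / 2**20:8.1f} MiB  {path}")
```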

SUBMISSION SUMMARY:

• Answers to questions #1 through #4 in ‘Processes’
• Answer to questions #3 and #6 in ‘Autoruns’
• CSV file from question #5 in ‘Autoruns.’ Upload it along with the link to your GitHub submission for this week.
• Answers to questions #3 and #5 in ‘Disk Utilities’