Week 7 Lab : SysInternals - jwells24/Tech-Journal GitHub Wiki
Preparation
Login to your Windows 10 VM and use the AVG Secure Web Browser to download the tools for this lab. Download and run the tools and answer the questions for each tool. The download site for SysInternals is https://docs.microsoft.com/en-us/sysinternals/. You will have to navigate through the site to find each of the tools below.

Objective
In this lab you run some of the Windows Sysinternals tools dealing with processes, files and disks. Before running the tools you should read the pertinent sections in the Windows Sysinternals Administrator's Reference book (you will be prompted to enter your Champlain credentials to access the e-book).

Processes

Process Explorer
DISCUSSION:
Sometimes it is necessary to look at what is happening with the processes running on Windows. Viewing the running processes and determining which ones are using the most CPU or memory is a very common task. Some malware does use a lot of CPU, but that is mostly the noisy kind: aggressive fake antivirus and ransomware. Malware written by professionals is rarely that obvious and may use hardly any CPU; a spambot can send dozens of emails in a few seconds without any noticeable performance problem.
There have been times when an svchost.exe process was using 99% of the CPU at startup, while about 30 svchost processes were running. How do you tell what is really going on? Process Explorer is a great tool for that.
Run Process Explorer with administrative rights in your Windows 10 VM. Answer the following questions. Be sure you have the text in bold below in your GitHub submission AND the answer underneath.
Process Explorer
1. Which process (other than System Idle) is using the most CPU? (Click on the CPU column header to sort by the most used.) How much is it using? NOTE: This changes in real time, so use whichever process shows up at the top most often. NOTE: System Idle Process is not a real process; it shows how idle your processor is.
Procexp64.exe
2. Which Process is using the most memory (Private Bytes and Working Set combined)? How much of each?
ASCService.exe (22,328 K Private Bytes, 11,268 K Working Set)
3. What are “Private Bytes” and “Working Set?” How are those relevant to the question in this assignment?
Working Set: the size, in bytes, of the process's memory pages currently resident in physical RAM, including pages shared with other processes (for example DLL code). Private Bytes: the amount of memory the process has committed for its own use (heap, stack, private data) that cannot be shared with other processes. They are relevant to question 2 because neither number alone tells the whole story: a process can have a large Working Set mostly because of shared DLLs, and a Private Bytes figure that keeps growing while the Working Set stays flat is the classic sign of a memory leak, so the question ranks processes on both.
CITE the source(s) where you found the response to the question above. https://stackoverflow.com/questions/1984186/what-is-private-bytes-virtual-bytes-working-set
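As an added example (not part of the lab handout or of Process Explorer itself), the same three columns read from PowerShell with Get-Process. Process Explorer's CPU column is a percentage over its refresh interval, while Get-Process only exposes cumulative processor time, so the function below takes two snapshots and divides the difference by the window length and the core count. Run it from an elevated prompt, as the lab says for Process Explorer; otherwise processor time for other users' and protected processes comes back empty and those rows are skipped.

```powershell
# Added example: rank processes the way Process Explorer's CPU, Private Bytes and
# Working Set columns do, using only Get-Process. Not part of the lab handout.
function Get-ProcessSample {
    param([int]$IntervalSeconds = 2)   # sampling window for the CPU percentage
    $cores = [Environment]::ProcessorCount

    # First snapshot: cumulative processor time per PID. PID 0 (System Idle
    # Process, which is not a real process) and protected processes return $null.
    $before = @{}
    foreach ($p in Get-Process) {
        if ($null -ne $p.TotalProcessorTime) { $before[$p.Id] = $p.TotalProcessorTime }
    }
    Start-Sleep -Seconds $IntervalSeconds

    # Second snapshot: CPU% = processor time used in the window / (window x cores).
    Get-Process | ForEach-Object {
        if ($before.ContainsKey($_.Id) -and $null -ne $_.TotalProcessorTime) {
            $busy = ($_.TotalProcessorTime - $before[$_.Id]).TotalSeconds
            [pscustomobject]@{
                Name              = $_.Name
                PID               = $_.Id
                Company           = $_.Company
                'CPU%'            = [math]::Round(100 * $busy / ($IntervalSeconds * $cores), 1)
                'PrivateBytes(K)' = [int]($_.PrivateMemorySize64 / 1KB)   # committed, process-private memory
                'WorkingSet(K)'   = [int]($_.WorkingSet64 / 1KB)          # pages currently resident in RAM
            }
        }
    }
}

$sample = Get-ProcessSample -IntervalSeconds 2

# Question 1: top CPU consumers over the two-second window
$sample | Sort-Object 'CPU%' -Descending | Select-Object -First 5 | Format-Table -AutoSize

# Question 2: same rows ranked by Private Bytes + Working Set
$sample | Sort-Object { $_.'PrivateBytes(K)' + $_.'WorkingSet(K)' } -Descending |
    Select-Object -First 5 | Format-Table -AutoSize
```

The Company column comes from the image's version resource, which is the same place Process Explorer gets it; it is blank for images you cannot open, which is itself worth noticing when triaging an unfamiliar process.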
4. What options does Process Explorer offer that Task Manager does not?
Process Explorer shows things Task Manager does not: the company name and verified signer of each image, the parent/child process tree with the command line each process was started with, the DLLs and handles a process has open, and an option to check an image's hash on VirusTotal. Task Manager's Details tab can show the Process ID, but none of the rest.

Autoruns
DISCUSSION:
There are a lot of programs that autostart when you load Windows. Some are required, but others are loaded by the manufacturer that you didn’t even know existed.
Malware of the garden-variety kind will put itself into the Startup folder or a Run registry key so it is relaunched after a reboot, so this tool is useful for capturing that information.

Preparation

Download Autoruns on your Windows 10 VM.
Extract and run the Autoruns file (Autoruns64) and select the Everything Tab.
Be sure you have the text in bold below in your GitHub submission AND the answer underneath.
Autoruns

1. Look through the entries.

2. Click the Logon Tab. How many “Auto Entry” results do you see?

Eleven Auto Entry Results

3. Look through all of the entries that start up at Logon. Find three to do some research on. What information can you find out about those processes after performing an online search? NOTE: This is to help you start the process of learning how to analyze your computer system.
CUE: Corsair Utility Engine is software for Corsair devices on your computer. It allows you to configure things such as RGB lighting, watch temperatures, and change fan speeds. https://www.techspot.com/downloads/7070-corsair-utility-engine.html
DSATray: DSATray is the system-tray component of Intel's Driver & Support Assistant, which checks for driver updates on your computer. https://www.file.net/process/dsatray.exe.html
SunJavaUpdateSched: An automatic update checker for Java. It checks for and installs Java updates. https://smartpctools.com/startupprogramlist/sunjavaupdatesched/
CITE the source(s) where you found the response to the question above.
4. Right-click on a startup entry. What options are available to you? What do they mean? In the screenshot below, I right-clicked on the entry “Java”. The question “What do they mean?” is asking what the options in the context menu (“Delete”, “Copy”, etc.) mean.
Delete removes the process from startup; Copy copies it to the clipboard; Jump to Entry brings you to the entry in the Everything tab; Jump to Image brings you to the file location; Verify Image presumably checks if it is a real process, but it is greyed out for me; Check VirusTotal allows you to submit the process to VirusTotal to check if it is legit; Process Explorer brings you to the entry in Process Explorer; Search Online does a search for the entry online; Find lets you search for a keyword; and Properties shows more information on the process.
5. Export the results of autoruns into a CSV file. Upload the CSV file as a separate file when you submit your link for this assignment
NOTE: Why is it important to save the data to a CSV file? Comma-separated Values (CSV) provides a format that makes it easy to view the data in a spreadsheet so it can be sorted and searched. CSV also provides a uniform format that is easy to parse with scripting and programming languages. NOTE: Even though it is called “Comma-separated Values,” the fields can be separated by other delimiters besides a comma, such as tabs.
Take a moment to look inside the file to see the formatting.
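As an added example (not part of the lab handout or of Autoruns itself), here is the kind of parsing the note above has in mind: reading the exported CSV with PowerShell and pulling out the entries a first triage should look at, namely enabled entries whose image is not signed by a verified publisher or that launch from a directory any user can write to. The rows are constructed sample data in the column layout written by autorunsc -c and the Autoruns CSV export; the column names are an assumption, so check them against the header line of your own file. The Signer column is only filled in when Options > Verify Code Signatures is on in the GUI (or -s is passed to autorunsc).

```powershell
# Added example: triage an Autoruns CSV export with PowerShell. Not part of the
# lab handout. The rows below are constructed sample data in the column layout
# written by autorunsc -c / Autoruns' CSV export; column names are an assumption
# to verify against the header of a real export.
$sampleCsv = @'
Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.19041.1,%windir%\system32\SecurityHealthSystray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SunJavaUpdateSched,enabled,Logon,System-wide,Java Update Scheduler,(Verified) Oracle America Inc.,Oracle Corporation,c:\program files\common files\java\java update\jusched.exe,2.8.281.9,c:\program files\common files\java\java update\jusched.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,WIN10-VM\student,,(Not verified),,c:\users\student\appdata\local\temp\updater.exe,,c:\users\student\appdata\local\temp\updater.exe /silent
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldTool,disabled,Logon,WIN10-VM\student,Legacy helper,(Not verified) Example Co,Example Co,c:\users\student\downloads\oldtool.exe,1.0,c:\users\student\downloads\oldtool.exe
'@

function Find-SuspiciousAutoruns {
    param([Parameter(Mandatory)][object[]]$Entries)
    # Directories any user can write to; a persistence entry launching from one
    # of these deserves a look even when the file name looks ordinary.
    $userWritable = '\\appdata\\|\\temp\\|\\downloads\\|\\users\\public\\|\\programdata\\'
    $Entries | Where-Object {
        $_.Enabled -eq 'enabled' -and (
            $_.Signer -notlike '(Verified)*' -or      # unsigned, or the signature did not verify
            $_.'Image Path' -match $userWritable       # -match is case-insensitive
        )
    } | Select-Object Entry, 'Entry Location', Signer, 'Image Path'
}

$entries = $sampleCsv | ConvertFrom-Csv
# Only the "Updater" row is reported: SecurityHealth and SunJavaUpdateSched are
# verified and live under Windows/Program Files, and OldTool is disabled.
Find-SuspiciousAutoruns -Entries $entries | Format-Table -AutoSize

# For a real export, replace the sample with:  $entries = Import-Csv .\autoruns.csv
# (add -Encoding Unicode if the file is UTF-16, which autorunsc writes by default)
```

Disabled entries are skipped deliberately: they are not persistence until something re-enables them, but the same function with the Enabled check removed is a quick way to see what has been turned off on a machine you are investigating.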
Disk Utilities
DISCUSSION:
Have you ever found that your hard drive is running out of space and you can’t figure out which directory is using the most data? Du can come to your rescue, but you need to run it from the command prompt.
Be sure you have the text in bold below in your GitHub submission AND the answer underneath.
DU
Preparation:
1. Download DU from the sysinternals website
2. Open the folder where you extracted the du program. In the File Explorer address bar, type: cmd
and press Enter; that opens a command prompt in the current directory, which you will use to complete this lab.
Paste the following line into the command prompt:
**du -c "c:\Program Files\*"**
3. What information does this give you? How useful is this? Only handwritten submissions are required here. (1 point)
With -c, du prints its results as CSV: one row for each directory matched by the wildcard, giving its path, its file and directory counts, and its total size and size on disk. It is useful for a quick overview of which top-level Program Files folders are large, but it only reports the folders matched by the wildcard, not what is inside them.
4. Add a 2-level search by adding "-L 2" to the command line after the command you typed in #2.
5. Is this more useful? How would you use this tool to track down where your disk is filling up?
I think this is more useful and you can use this tool to identify the largest files taking up disk space and then decide whether to delete them or move them.
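As an added example (not part of the lab handout or of du itself), the steps above turned into one PowerShell function: it runs du with CSV output and the depth limit from step 4, then sorts the reported directories by size, which is the "where is the disk filling up" question answered directly. It assumes du.exe has been extracted to the current directory (change -DuExe otherwise), that du's CSV header names the columns Path, FileCount and DirectorySize, and that DirectorySize is in bytes; check those against the header line of du's own output, since they are the one thing here not taken from the lab.

```powershell
# Added example: run du with CSV output and rank the directories it reports.
# Not part of the lab handout. Column names and byte units are assumptions to
# confirm against the header line of your own du output.
function Get-LargestSubdirectories {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Levels = 2,            # same depth as the lab's -L 2
        [int]$Top = 10,
        [string]$DuExe = '.\du.exe'  # assumption: du.exe extracted to the current directory
    )
    # -c gives CSV; -l limits the depth; -accepteula/-nobanner keep the EULA
    # prompt and banner out of the output so ConvertFrom-Csv sees only the table.
    $rows = & $DuExe -accepteula -nobanner -c -l $Levels $Path |
        Where-Object { $_ -match '\S' } |      # drop blank lines before the header
        ConvertFrom-Csv

    $rows |
        Select-Object Path,
            @{ n = 'SizeMB'; e = { [math]::Round([double]$_.DirectorySize / 1MB, 1) } },
            @{ n = 'Files';  e = { [int]$_.FileCount } } |
        Sort-Object SizeMB -Descending |
        Select-Object -First $Top
}

# Same target as the lab, two levels deep, largest directories first
Get-LargestSubdirectories -Path 'C:\Program Files' -Levels 2 | Format-Table -AutoSize
```

Raising -Levels narrows the search once the biggest top-level directory is known; running the function again with that directory as -Path and a depth of 1 or 2 is usually enough to land on the folder that is actually growing.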