Category: System32

System32 Discovery #5 - Malicious software removal tool

Application title: Microsoft Windows Malicious Software Removal Tool
File name: MRT.exe
File name stands for: Malicious Software Removal Tool
Syntax: MRT.exe [/Q|/quiet] [/?|/help] [/F] [/F:Y]
Type: Application/Console Application
File description: Microsoft Windows Malicious Software Removal Tool
WinSxS package: N/A

⚠️ Warning!

Messing around with system32 files without knowing what you’re doing can damage your system! The author doesn’t take any responsibility for damaged systems and installations.

Introduction


The Microsoft Windows Malicious Software Removal Tool helps you identify and remove malicious software. It is updated through Windows Update to keep up with new threats.

This tool is no replacement

Type of scans

You can start 3 types of scan:


Quick scan

Scans only the areas where malicious software is most commonly found, such as System32 or Program Files.

Full scan

Scans all files on the computer.

Customized scan

This scan runs a quick scan and additionally scans a custom folder you choose.

Commandline arguments

/Q and /quiet

Suppresses the GUI.

/? and /help

Shows a help dialog explaining the command line arguments.


/N

Only detects and logs malicious software.

/F

Forces a full scan.

/F:Y

Forces a full scan and removes the infected files.

System32 Discovery #4 - The secret behind the System32 folder

⚠️ Warning!

Messing around with system32 files without knowing what you’re doing can damage your system! The author doesn’t take any responsibility for damaged systems and installations.

Introduction

You may know the System32 folder as the folder where all the system files are located. But that’s not necessarily true: all these applications, DLL files and other items are so-called hard links.

You surely know shortcuts in Windows. These can also be called soft links. If you remove or rename a soft link, it has no effect on the file it points to; the soft link is just a pointer to where the file is located.

Figure: soft link

A hard link, for comparison, is the same file present twice, just at different locations. If you rename the file on one end, it also gets renamed on the other end.

Figure: hard link

Why?

So, why are these files all hardlinks?

Because you can execute all the commands directly from this folder. You don’t first have to go into the folder where they are really located and then run explorer, logonui, etc.

With all these files in one folder it’s easier to index them all.

Where are they really?

They are mostly in package folders in the %windir%\WinSxS folder.

The package name has the following pattern:

[target platform]_([platform])_[name]_[id]_[version]_[language]_[hash]

[target platform]

The targeted platform: x86, wow64, msil or amd64

[platform]

Optional indicator of the platform. For example:

  • system
  • Microsoft-Windows
  • bth

[name]

The package name. If the name is too long, “...” replaces a part of the name.

e.g.:

  • basicrender.inf.resources
  • s..store-adm.resources
  • syncres.resources

[id]

Unknown

[version]

The version of the system

[language]

The language of a package

[hash]

Unknown
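To make the pattern concrete, here is an added example (not code from the original post) that splits a WinSxS package folder name into the fields listed above and flags truncated names. It assumes the trailing four fields never contain underscores, that the optional [platform] is a hyphen-separated prefix of the name segment (the indicators the post lists), and, based on the two real folder names on this page, that id and hash are 16 hex characters each.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators the post lists for the optional [platform] part. Treating them as a
# hyphen-separated prefix of the name segment is an assumption about the post's
# pattern, not documented WinSxS behaviour.
PLATFORM_INDICATORS = ("microsoft-windows", "system", "bth")

@dataclass
class WinSxSPackage:
    target_platform: str     # x86, wow64, msil or amd64
    platform: Optional[str]  # optional indicator, None if absent
    name: str                # package name without the platform prefix
    truncated: bool          # True when the name was shortened with ".."
    id: str                  # left "Unknown" in the post; 16 hex chars in both examples
    version: str             # dotted version, e.g. 10.0.22526.1000
    language: str            # "none" or a culture such as en-us
    hash: str                # left "Unknown" in the post; 16 hex chars in both examples

def parse_package_name(folder: str) -> WinSxSPackage:
    """Split a WinSxS package folder name into the fields described in the post.

    The trailing four fields never contain underscores, so splitting from the
    right keeps any underscores inside the name segment intact.
    """
    target, rest = folder.split("_", 1)
    full_name, pkg_id, version, language, pkg_hash = rest.rsplit("_", 4)
    # Sanity checks derived from the two real folder names on this page.
    if not re.fullmatch(r"\d+(\.\d+){3}", version):
        raise ValueError(f"unexpected version format: {version!r}")
    for label, value in (("id", pkg_id), ("hash", pkg_hash)):
        if not re.fullmatch(r"[0-9a-f]{16}", value):
            raise ValueError(f"unexpected {label} format: {value!r}")
    platform, name = None, full_name
    for indicator in PLATFORM_INDICATORS:
        if full_name.lower().startswith(indicator + "-"):
            platform = full_name[: len(indicator)]
            name = full_name[len(indicator) + 1 :]
            break
    return WinSxSPackage(target, platform, name, ".." in name,
                         pkg_id, version, language, pkg_hash)

if __name__ == "__main__":
    # Real folder name taken from the dialer.exe post on this page.
    pkg = parse_package_name(
        "amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.22526.1000_none_c511b7f7427de12a")
    print(pkg)
```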

System32 Discovery #3 - System information

Application title: System Information
File name: msinfo32.exe
File name stands for: MicroSoft Information
Syntax: Msinfo32.exe [/?] [/nfo Path] [/report Path] [/computer ComputerName]
Type: Application/Console Application
File description: System Information
WinSxS package: md64_microsoft-windows-msinfo32-exe

System32 Discovery #2 - Phone dialler

Application title: Phone Dialler
File name: dialer.exe
File name stands for: Dialer
Syntax: dialer.exe
Type: Application
File description: Microsoft Windows Phone Dialler
Real path: %windir%\WinSxS\amd64_microsoft-windows-tapicore_31bf3856ad364e35_10.0.22526.1000_none_c511b7f7427de12a\dialer.exe

System32 Discovery #1 - Bluetooth file transfer dialog

Application title: Bluetooth file transfer
File name: fsquirt.exe
File name stands for: File Squirt
Syntax: fsquirt.exe [-send|-receive]
Type: Application
File description:
Real path: %windir%\WinSxS\amd64_microsoft-windows-bth-user_31bf3856ad364e35_10.0.22526.1000_none_45f11f58d1155a4d\fsquirt.exe

System32 Discovery #0 - Introduction
