Will it be useful if Farbar adds a password to a Zip file that is created from the zip: directive?
#166
Posted 24 July 2017 - 10:42 AM

#167
Posted 24 July 2017 - 10:56 AM

Useful or not, I think this is a luxury I can't afford to attend to.
I would like to request everyone not to put a feature request here. This topic is just for discussing the tutorial.
#168
Posted 24 July 2017 - 12:03 PM

Sorry.. My bad..
Is there any place for an average user to discuss features?
#169
Posted 24 July 2017 - 12:34 PM

No Worries.
The helpers have their own channels. I don't mind a feature request through PM with the following requirements:
1. Clear description of the feature request.
2. Clear description of the reason or necessity of the feature request.
#170
Posted 15 May 2018 - 02:01 AM

Hi,
This topic is not meant for feature requests. From this and this post:
I would like to request everyone not to put a feature request here. This topic is just for discussing the tutorial.
The helpers have their own channels. I don't mind a feature request through PM with the following requirements:
1. Clear description of the feature request.
2. Clear description of the reason or necessity of the feature request.
#171
Posted 15 May 2018 - 04:01 PM

As quoted above, there is no such topic available for average users and the only option is to send a PM to Farbar.
#172
Posted 16 May 2018 - 11:53 AM

A similar question was already in this topic here. Adding to emeraldnzl's answer: the line has an informational purpose only (it can't be processed in the Fix) and it means that there was no access to the task and FRST reset the permissions. The task could be legit or bad - you need to take a new Addition log.
Note also this part:
This is not the place to post logs for analysis.
You might like to open topic in the Malware forum here and post a FRST log so that an expert can have a look.
#173
Posted 16 May 2018 - 12:07 PM

While picasso is right about not posting the log here, this one is a bug and will be fixed soon.
#174
Posted 16 May 2018 - 12:43 PM

Not sure what it was. I thought it was a bug. It could be a temporary permissions issue.
However, FRST is updated to unlock locked task keys only if the logged-in user is an administrator.
#175
Posted 24 September 2018 - 01:45 AM

#176
Posted 24 September 2018 - 05:54 AM

Do you consider the console version of the program, or the ability to run the program in stealth mode to collect data? For example, with startup keys.
This topic is not meant for feature requests, as pointed out in post #171.
If you run the program on behalf of the SYSTEM account, will the program show all information from all users?
No. To list data from more users, accounts have to be loaded within running Windows. From FRST Tutorial:
Fourth line: tells you what account (profile) the user is logged in under i.e. the loaded user hive. Next, in parenthesis, the "Available profiles" records all profiles on the machine including those that are not currently loaded.
Note: When you log into Windows, only the user hive of the logged on user is loaded. If the user logs into another account without restarting (by using "Switch user" or "Log off"), the second user hive gets loaded but the first one doesn't get unloaded. In that situation FRST will list the registry entries of both the users but doesn't list the registry entries specific to any other users because those hives are not loaded.
Note also that in the RE environment FRST always runs from the SYSTEM context as indicated in all headers:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.01.2018
Ran by SYSTEM on MININT-CJBLIKS (16-01-2018 10:05:09)
Running from E:\
#177
Posted 08 November 2018 - 07:43 PM

==================== Shortcuts & WMI ======================== (The entries could be listed to be restored or removed.) WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\": WMI:subscription\__EventFilter->BVTFilter: WMI:subscription\CommandLineEventConsumer->BVTConsumer:
What do these lines mean?
Thank you..
#178
Posted 10 November 2018 - 02:48 AM

==================== Shortcuts & WMI ======================== (The entries could be listed to be restored or removed.) WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\": WMI:subscription\__EventFilter->BVTFilter: WMI:subscription\CommandLineEventConsumer->BVTConsumer:
What do these lines mean?
Those are legit entries. More about BVTConsumer / BVTFilter here and here.
#179
Posted 28 December 2018 - 05:47 PM

The scan log file FRST.TXT sometimes shows a line like this example:
==================== Registry (Whitelisted) =========================== (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.) "Path" (%INTEL_DEV_REDIST%redist\intel64\compiler;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\VulkanSDK\1.0.65.0\Bin;c:\programdata\oracle\java\javapath;c:\program files\common files\microsoft shared\windows live;c:\program files (x86)\common files\microsoft shared\windows live;c:\windows\system32;c:\windows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\program files\microsoft network monitor 3\;c:\program files (x86)\windows live\shared;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common -> %SystemRoot%\System32;%SystemRoot%;%SystemRoot%\System32\Wbem;%INTEL_DEV_REDIST%redist\intel64\compiler;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\VulkanSDK\1.0.65.0\Bin;c:\programdata\oracle\java\javapath;c:\program files\common files\microsoft shared\windows live;c:\program files (x86)\common files\microsoft shared\windows live;c:\windows\system32;c:\windows;c:\windows\system32\wbem;c:\windows\system32\windowspowershell\v1.0\;c:\program files\microsoft network monitor 3\;c:\program files (x86)\windows live\shared;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common) <==== Repaired successfully
It repaired the environment variable "Path", but what was wrong with it?
I couldn't find it in the manual.
Edited by PeterJ, 28 December 2018 - 05:48 PM.
#180
Posted 29 December 2018 - 04:33 AM

The reason is the order of the paths in the string. Those paths should be placed at the start of the string:
%SystemRoot%\System32;%SystemRoot%;%SystemRoot%\System32\Wbem;
Instead, they are placed after some other custom paths:
%INTEL_DEV_REDIST%redist\intel64\compiler;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\VulkanSDK\1.0.65.0\Bin;c:\programdata\oracle\java\javapath;c:\program files\common files\microsoft shared\windows live;c:\program files (x86)\common files\microsoft shared\windows live;c:\windows\system32;c:\windows;c:\windows\system32\wbem;
In this case, when Windows starts the autorun entries and encounters a file name instead of a full path, Windows starts looking in those paths for the file in the order given. So if malware adds its own path to the start of the string and creates its own file with a legitimate system file name, the fake file will run instead of the legitimate one.
However, the automatic repairing will be changed shortly and FRST will only report the deviation from default value instead of repairing it.
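The check post #180 describes, as an added example that is not FRST's own code: it splits a "Path" value, verifies that the three system directories open the string, and reports which entries would be searched before them. It assumes %SystemRoot% expands to C:\Windows for comparison, and uses the "before" value quoted in post #179 as a constructed sample.

```python
# Added example (not FRST code). Reports deviation of a Windows "Path" value
# from the default ordering described in post #180.

SYSTEM_ROOT = r"C:\Windows"  # assumption used only to normalise %SystemRoot%

# The directories that must open the string, as quoted in post #180.
DEFAULT_PATH_PREFIX = [
    r"%SystemRoot%\System32",
    r"%SystemRoot%",
    r"%SystemRoot%\System32\Wbem",
]

# Constructed sample: the "before" half of the FRST line quoted in post #179.
SAMPLE_PATH = (
    r"%INTEL_DEV_REDIST%redist\intel64\compiler;"
    r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath;"
    r"C:\VulkanSDK\1.0.65.0\Bin;"
    r"c:\programdata\oracle\java\javapath;"
    r"c:\windows\system32;c:\windows;c:\windows\system32\wbem;"
    r"C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common"
)

def _normalise(entry):
    """Expand %SystemRoot%, drop a trailing backslash and case for comparison."""
    e = entry.strip().replace("%SystemRoot%", SYSTEM_ROOT)
    return e.rstrip("\\").lower()

def split_path(value):
    """Split a ;-separated Path value, dropping empty fields."""
    return [p.strip() for p in value.split(";") if p.strip()]

def check_path_order(value, expected=DEFAULT_PATH_PREFIX):
    """Return (ok, preceding, missing).

    ok        -- True when the expected directories open the string in order
    preceding -- entries searched before the first system directory found
    missing   -- expected directories absent from the value altogether
    """
    entries = split_path(value)
    norm = [_normalise(e) for e in entries]
    want = [_normalise(e) for e in expected]
    missing = [expected[i] for i, w in enumerate(want) if w not in norm]
    if norm[:len(want)] == want:
        return True, [], missing
    positions = [norm.index(w) for w in want if w in norm]
    first_system = min(positions) if positions else len(entries)
    return False, entries[:first_system], missing

if __name__ == "__main__":
    ok, preceding, missing = check_path_order(SAMPLE_PATH)
    print("ok:", ok, "| searched before system dirs:", preceding, "| missing:", missing)
```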