FRST Tutorial Comment

180 replies to this topic

#121
Herman_Salim (Member, 36 posts)

Quote

    The difference is already stated in the tutorial description. The second command requires an external third-party tool and an MBR dump made earlier by the tool.

I mean, if we can reset the MBR with CMD: bootrec /FixMbr, why must we be bothered with RestoreMbr:? RestoreMbr: also needs a third-party tool and MBR.bin.

Thank you.


#122
picasso (Trusted Helper, Malware Removal MVP, 113 posts)

RestoreMbr: can be used to restore a copy made before altering the MBR (e.g. with the Microsoft tool) in case of a failure with the fix, or to load a manually edited MBR dump (prepared by an expert). There are no such possibilities with the Microsoft tool: no backup is made, and the operation cannot be undone by the tool itself.

#123
Herman_Salim (Member, 36 posts)

Quote

    RestoreMbr: can be used to restore a copy made before altering the MBR (e.g. with the Microsoft tool) in case of a failure with the fix, or to load a manually edited MBR dump (prepared by an expert). There are no such possibilities with the Microsoft tool: no backup is made, and the operation cannot be undone by the tool itself.

Thank you for your patience in explaining.

Quote

    in case of a failure with the fix, or to load a manually edited MBR dump (prepared by an expert)

Do you mean that CMD: bootrec /fixmbr can't fix/reset/undo this failure?

#124
picasso (Trusted Helper, Malware Removal MVP, 113 posts)

I mean that the bootrec command overwrites the MBR but doesn't create any backup that would allow the action to be reversed in case of side effects. Also, keep in mind that the command writes standard MBR code; special customizations done by an OEM manufacturer (e.g. a pointer to a recovery program) could be lost. So it is always a good option to create an MBR backup before trying to fix the MBR.
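The point made in the reply above, as an added example that is not part of the thread and is not FRST's or Microsoft's code: parse a 512-byte MBR, model what a boot-code-only rewrite such as bootrec /FixMbr changes (bytes 0..439, where an OEM recovery hook would sit) and what it keeps (Microsoft documents that /FixMbr does not overwrite the partition table; this model also treats the disk signature as preserved), and check whether a saved dump is still safe to write back. The sample sector bytes, the "OEM" and "generic" boot-code strings and the partition layout are constructed for the example; nothing here touches a real disk.

```python
"""Added example (not FRST's or Microsoft's code): parse a 512-byte MBR,
model a boot-code-only rewrite such as bootrec /FixMbr, and decide when
a saved MBR dump is safe to restore. All sample bytes are constructed."""
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439: boot code, where OEM hooks live
DISK_SIG_OFF = 440             # bytes 440..443: NT disk signature
PTABLE_OFF = 446               # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

REGIONS = [
    ("boot_code", 0, BOOT_CODE_END),
    ("disk_signature", DISK_SIG_OFF, DISK_SIG_OFF + 4),
    ("partition_table", PTABLE_OFF, PTABLE_OFF + 64),
    ("boot_signature", 510, 512),
]


def parse_mbr(mbr: bytes) -> dict:
    """Return the disk signature and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = mbr[PTABLE_OFF + 16 * i: PTABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {"disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
            "partitions": partitions}


def rewrite_boot_code(mbr: bytes, standard_code: bytes) -> bytes:
    """Model of bootrec /FixMbr: replace bytes 0..439 with generic boot
    code and leave the disk signature and partition table untouched."""
    code = standard_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    return code + mbr[BOOT_CODE_END:]


def changed_regions(before: bytes, after: bytes) -> list:
    """Names of the MBR regions that differ between two sectors."""
    return [name for name, s, e in REGIONS if before[s:e] != after[s:e]]


def safe_to_restore(backup: bytes, live: bytes) -> bool:
    """A saved dump should only go back onto the disk if its partition
    table and disk signature still match the live sector; otherwise the
    restored MBR would point at partitions that no longer exist."""
    parse_mbr(backup)  # raises on a truncated or unsigned dump
    return changed_regions(backup, live) in ([], ["boot_code"])


def _partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    status = 0x80 if bootable else 0x00
    # CHS fields are left zero; modern loaders use the LBA fields
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, sectors)


# Constructed sample: an "OEM" MBR whose boot code carries a recovery hook
OEM_CODE = b"OEM-RECOVERY-HOOK: jump to recovery partition on F11".ljust(BOOT_CODE_END, b"\x00")
GENERIC_CODE = b"GENERIC-WINDOWS-BOOT-CODE".ljust(BOOT_CODE_END, b"\x00")
SAMPLE_MBR = (OEM_CODE
              + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
              + _partition_entry(True, 0x07, 2048, 1_000_000)
              + _partition_entry(False, 0x27, 1_002_048, 200_000)  # recovery partition
              + b"\x00" * 32
              + BOOT_SIGNATURE)


def demo() -> dict:
    """Apply the modelled /FixMbr to the sample and report what happened."""
    fixed = rewrite_boot_code(SAMPLE_MBR, GENERIC_CODE)
    return {
        "changed_by_fixmbr": changed_regions(SAMPLE_MBR, fixed),
        "partitions_after": parse_mbr(fixed)["partitions"],
        "oem_hook_survives": OEM_CODE == fixed[:BOOT_CODE_END],
        "backup_restorable": safe_to_restore(SAMPLE_MBR, fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the partitions intact after the rewrite while the OEM hook is gone, which is exactly the case where only a dump taken beforehand gets the hook back; the `safe_to_restore` check is the guard a practitioner wants before writing any old dump over a disk whose layout may have changed since.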

#125
Herman_Salim (Member, 36 posts)

Quote

    I mean that the bootrec command overwrites the MBR but doesn't create any backup that would allow the action to be reversed in case of side effects. Also, keep in mind that the command writes standard MBR code; special customizations done by an OEM manufacturer (e.g. a pointer to a recovery program) could be lost. So it is always a good option to create an MBR backup before trying to fix the MBR.

Very clear. I understand now. Thank you.

#126
Herman_Salim (Member, 36 posts)

Hello, Malware Fighter and Instructor. :D

What is the difference between deleting a folder the usual way and RemoveDirectory:?

#127
picasso (Trusted Helper, Malware Removal MVP, 113 posts)

In the first case a folder is moved to the Quarantine and can be restored. RemoveDirectory: permanently removes a folder (no copy in the Quarantine).
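The distinction in the reply above, as an added example that is not part of the thread and not FRST's own code: a folder moved to a Quarantine (mirroring its original path and recording it in a manifest, both choices of this example) can be put back, while a RemoveDirectory:-style deletion leaves nothing to recover. The folders and file contents are constructed inside a temporary directory.

```python
"""Added example (not FRST's own code): model the two ways a folder can
leave the system during a fix. Moving it to a Quarantine keeps a copy
that can be put back; a permanent removal cannot be reversed."""
import json
import shutil
import tempfile
from pathlib import Path


def quarantine_folder(target: Path, quarantine_root: Path) -> Path:
    """Move target under quarantine_root, mirroring its original path, and
    record the original location in a manifest so it can be restored."""
    target = Path(target).resolve()
    quarantine_root = Path(quarantine_root)
    dest = quarantine_root / target.relative_to(target.anchor)
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(target), str(dest))
    manifest = quarantine_root / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else {}
    entries[str(dest)] = str(target)
    manifest.write_text(json.dumps(entries, indent=2))
    return dest


def restore_folder(dest: Path, quarantine_root: Path) -> Path:
    """Reverse quarantine_folder using the manifest entry."""
    manifest = Path(quarantine_root) / "manifest.json"
    entries = json.loads(manifest.read_text())
    original = Path(entries.pop(str(dest)))
    original.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(dest), str(original))
    manifest.write_text(json.dumps(entries, indent=2))
    return original


def remove_directory(target: Path) -> None:
    """Model of RemoveDirectory:: delete the tree outright, no copy kept."""
    shutil.rmtree(target)


def demo() -> dict:
    """Run both paths on constructed folders inside a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        quarantine = root / "Quarantine"
        suspect_a = root / "ProgramData" / "suspect_a"
        suspect_b = root / "ProgramData" / "suspect_b"
        for folder in (suspect_a, suspect_b):
            folder.mkdir(parents=True)
            (folder / "payload.dll").write_bytes(b"constructed sample")

        # default behaviour: move to Quarantine, then restore
        moved = quarantine_folder(suspect_a, quarantine)
        gone_after_move = not suspect_a.exists()
        kept_in_quarantine = (moved / "payload.dll").exists()
        restored = restore_folder(moved, quarantine)
        back_in_place = (restored / "payload.dll").read_bytes() == b"constructed sample"

        # RemoveDirectory: behaviour: nothing left anywhere under root
        remove_directory(suspect_b)
        copy_anywhere = any(p.name == "suspect_b" for p in root.rglob("*"))
        return {"quarantine_removed_original": gone_after_move,
                "quarantine_kept_copy": kept_in_quarantine,
                "quarantine_restored": back_in_place,
                "removedirectory_recoverable": copy_anywhere}


if __name__ == "__main__":
    print(demo())
```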

#128
Herman_Salim (Member, 36 posts)

Quote

    In the first case a folder is moved to the Quarantine and can be restored. RemoveDirectory: permanently removes a folder (no copy in the Quarantine).

Thank you for your fast response. :)

#129
mrfixiter (New Member, 9 posts)

Hi :)

There is a typo here:

Quote

    Association

    Note: The "Association" will appear on the FRST.txt log when FRST is run from the Recovery Environment. When FRST is run outside Recovery Environment the section will appear on the Addition.txt. The scan in the Recovery Environment is limited to .exe file association.

    Lists machine-wide .exe file association like this:

    HKLM\...\exefile\open\command: C:\Windows\svchost.com "%1" %* <===== ATTENTION

    As with other registry entries you can just copy and past the entries with the issue in the fixlist.txt and they will be restored. No need to do registry fixes.

Thanks for your help.

mrfixiter
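The Association entry quoted above, as an added example that is not part of the thread and not FRST's own code: the Windows default for the exefile open command (the full key is HKLM\SOFTWARE\Classes\exefile\shell\open\command; FRST abbreviates the path with "...") is `"%1" %*`, meaning run the file itself with its arguments, so any program placed in front of `"%1"` gets control of every .exe the user launches. The checker below classifies the value and, following the tutorial's advice, returns the log line as printed for pasting into fixlist.txt. The log lines are constructed for the example (the first reuses the tutorial's sample entry); the section header line is a placeholder, not FRST's exact format.

```python
"""Added example (not FRST's own code): classify the machine-wide .exe
handler value FRST reports under "Association" and pick out the log
lines that belong in fixlist.txt. Sample log lines are constructed."""
import re

DEFAULT_EXEFILE_COMMAND = '"%1" %*'

# FRST-style line: abbreviated key, value, optional ATTENTION flag.
_LINE = re.compile(r'^(?P<key>HK\w+\\.*?exefile\\open\\command):\s*'
                   r'(?P<value>.*?)\s*(?P<flag><=====\s*ATTENTION)?\s*$')

# A program in front of "%1" %* runs instead of, or around, the target.
_INTERPOSED = re.compile(r'^(?P<prefix>.+?)\s+"%1"\s*%\*$')


def check_exefile_command(value: str) -> dict:
    """Return a verdict for one exefile open command value."""
    v = value.strip()
    if v == DEFAULT_EXEFILE_COMMAND:
        return {"verdict": "ok", "interposed": None}
    m = _INTERPOSED.match(v)
    if m:
        return {"verdict": "hijacked", "interposed": m.group("prefix").strip('"')}
    # Neither the default nor a recognisable wrapper: still needs a look.
    return {"verdict": "unexpected", "interposed": v}


def triage_log(lines) -> list:
    """Walk FRST log lines; for each Association entry return the verdict
    and, when it needs fixing, the exact line to copy into fixlist.txt."""
    results = []
    for raw in lines:
        line = raw.strip()
        m = _LINE.match(line)
        if not m:
            continue
        result = check_exefile_command(m.group("value"))
        result["key"] = m.group("key")
        result["fixlist_line"] = None if result["verdict"] == "ok" else line
        results.append(result)
    return results


# Constructed sample log: the tutorial's hijacked entry, then a clean one.
SAMPLE_LOG = [
    "==================== Association ===============",
    'HKLM\\...\\exefile\\open\\command: C:\\Windows\\svchost.com "%1" %* <===== ATTENTION',
    'HKLM\\...\\exefile\\open\\command: "%1" %*',
]


if __name__ == "__main__":
    for entry in triage_log(SAMPLE_LOG):
        print(entry["verdict"], entry["interposed"], "->", entry["fixlist_line"])
```

Note that a quoted wrapper such as `"C:\Program Files\sandbox.exe" "%1" %*` is also reported as interposed; legitimate sandboxing or debugging tools do register themselves this way, so the verdict says "this runs before every program", not "this is malware".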

#130
PeterJ (Visiting Consultant, 22 posts)

Hi,

What is meant by "task is ontgrendeld." in an Addition log like the one below:

(Logfile created on a Windows 10 x64 machine)

==================== Geplande Taken (gefilterd) ============= [Scheduled Tasks (filtered)]
...
"{01C7C80F-DA6A-4698-BA70-4DA27991C5A9}" task is ontgrendeld. <===== AANDACHT
"{08629A58-75ED-46AA-8646-8C7015698215}" task is ontgrendeld. <===== AANDACHT
"{094CD275-5C71-4753-B57E-5566CA859498}" task is ontgrendeld. <===== AANDACHT


#131
emeraldnzl (GeekU Instructor / Moderator, 20,023 posts)

When I translate that it appears to say "task is unlocked". Without looking at the whole path I don't know what it refers to, but it is being signaled by FRST to be checked.

This is not the place to post logs for analysis.

You might like to open a topic in the Malware forum here and post a FRST log so that an expert can have a look.

#132
emeraldnzl (GeekU Instructor / Moderator, 20,023 posts)

@ mrfixiter

Thank you for the heads up. It has been noted for correcting at the next update. :)

#133
mrfixiter (New Member, 9 posts)

Hi :)

Regarding this entry in the tutorial:

Quote

    FRST adds notations to certain log entries:

    C - Compressed
    D - Directory
    H - Hidden
    L - Symbolic Link
    N - Normal (does not have other attributes set)
    O - Offline
    R - Readonly
    S - System
    T - Temporary
    X - No scrub (Windows 8+)

There seems to be an overlap between the standard file attributes and other categories not documented in the Wikipedia article. One notable omission in the above list is the Archive bit. Was that just an oversight?

Thanks for your assistance.

mrfixiter

#134
Dragokas (Malware Expert, 52 posts)

Hi, mrfixiter!

You can read the official documentation:

File Attribute Constants

#135
picasso (Trusted Helper, Malware Removal MVP, 113 posts)

Quote

    Hi :)

    Regarding this entry in the tutorial:

    FRST adds notations to certain log entries:

    C - Compressed
    D - Directory
    H - Hidden
    L - Symbolic Link
    N - Normal (does not have other attributes set)
    O - Offline
    R - Readonly
    S - System
    T - Temporary
    X - No scrub (Windows 8+)

    There seems to be an overlap between the standard file attributes and other categories not documented in the Wikipedia article. One notable omission in the above list is the Archive bit. Was that just an oversight?

    Thanks for your assistance.

    mrfixiter

Hi,

The information in the tutorial is correct. The "A" attribute is not shown in the FRST log. It is filtered on purpose to prevent cluttering the FRST log (most items would have this attribute). "A" was shown in the FRST log in the past, but at my request it was removed from the output.

EDIT: To be clear, FRST has the capability to list so-called extended attributes, so the list in the tutorial is wider than on Wikipedia, except for those filtered on purpose.
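The attribute letters discussed in the last three posts, as an added example that is not part of the thread and not FRST's own code: map the Win32 FILE_ATTRIBUTE_* bits (the constants Dragokas links to) onto the letters the tutorial lists, dropping the Archive bit by default as picasso describes. Mapping FILE_ATTRIBUTE_REPARSE_POINT to "L", emitting letters in the tutorial's listed order, and showing "N" only when no other letter applies are this example's choices, not statements about how FRST itself does it. The sample paths and their bitmasks are constructed; on Windows the last function reads the real bitmask from os.stat.

```python
"""Added example (not FRST's own code): render Windows file-attribute
bits as FRST-style letters, with the Archive bit filtered out by default.
Sample paths and bitmasks are constructed."""
import os
from typing import Optional

# Win32 FILE_ATTRIBUTE_* constants (values from the Windows SDK)
FILE_ATTRIBUTE_READONLY      = 0x00000001
FILE_ATTRIBUTE_HIDDEN        = 0x00000002
FILE_ATTRIBUTE_SYSTEM        = 0x00000004
FILE_ATTRIBUTE_DIRECTORY     = 0x00000010
FILE_ATTRIBUTE_ARCHIVE       = 0x00000020
FILE_ATTRIBUTE_NORMAL        = 0x00000080
FILE_ATTRIBUTE_TEMPORARY     = 0x00000100
FILE_ATTRIBUTE_REPARSE_POINT = 0x00000400   # symbolic links, junctions, etc.
FILE_ATTRIBUTE_COMPRESSED    = 0x00000800
FILE_ATTRIBUTE_OFFLINE       = 0x00001000
FILE_ATTRIBUTE_NO_SCRUB_DATA = 0x00020000   # Windows 8+

# Letters in the order the tutorial lists them; "A" handled separately.
LETTERS = [
    (FILE_ATTRIBUTE_COMPRESSED, "C"),
    (FILE_ATTRIBUTE_DIRECTORY, "D"),
    (FILE_ATTRIBUTE_HIDDEN, "H"),
    (FILE_ATTRIBUTE_REPARSE_POINT, "L"),   # example's choice for "Symbolic Link"
    (FILE_ATTRIBUTE_NORMAL, "N"),
    (FILE_ATTRIBUTE_OFFLINE, "O"),
    (FILE_ATTRIBUTE_READONLY, "R"),
    (FILE_ATTRIBUTE_SYSTEM, "S"),
    (FILE_ATTRIBUTE_TEMPORARY, "T"),
    (FILE_ATTRIBUTE_NO_SCRUB_DATA, "X"),
]


def frst_letters(attrs: int, show_archive: bool = False) -> str:
    """Letters for a raw attribute bitmask. Archive is filtered unless asked
    for; NORMAL is only meaningful when no other attribute is set."""
    letters = [letter for bit, letter in LETTERS if attrs & bit]
    if "N" in letters and len(letters) > 1:
        letters.remove("N")
    if show_archive and attrs & FILE_ATTRIBUTE_ARCHIVE:
        letters.insert(0, "A")
    return "".join(letters)


def letters_for_path(path: str, show_archive: bool = False) -> Optional[str]:
    """On Windows os.stat exposes the bitmask as st_file_attributes
    (Python 3.5+); on other platforms it is absent and None is returned."""
    st = os.stat(path, follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", None)
    return None if attrs is None else frst_letters(attrs, show_archive)


# Constructed sample: paths paired with the bitmask Windows would report.
SAMPLE = {
    "C:\\Windows\\System32\\drivers\\etc\\hosts": FILE_ATTRIBUTE_ARCHIVE,
    "C:\\pagefile.sys": FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_ARCHIVE,
    "C:\\Documents and Settings": (FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN
                                  | FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_REPARSE_POINT),
    "C:\\Temp\\plain.txt": FILE_ATTRIBUTE_NORMAL,
}


def render(sample: dict) -> dict:
    """Path -> letters, the way a log line would show them."""
    return {path: frst_letters(attrs) for path, attrs in sample.items()}


if __name__ == "__main__":
    for path, letters in render(SAMPLE).items():
        print(f"[{letters or '-'}] {path}")
```

With Archive filtered, an ordinary file that has only the A bit set renders as no letters at all, which is why most log entries carry none and why "HS" or "DHLS" on a path stands out.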
