How to hide a file from the Windows GUI and regedit?

redbeard1

Diamond Member
Dec 12, 2001
This link is to a post describing a fight I had with a tricky spyware. The file that was running and its registry entry could not be seen in Windows or using Windows regedit. They could be seen using other methods however. The post has a better explanation.

So how can a file that is hidden from view in Windows, even with "view all files" turned on, be seen from a command prompt?

Forums Thread
 

dclive

Elite Member
Oct 23, 2003
Originally posted by: redbeard1
up

It isn't that difficult ... imagine a device driver (kind of like the driver that lets your graphics card work) that hides all files that match svga.sys. Bingo - we can easily put a file called svga.sys into your system, and you'd never be the wiser. That's easy.

Now, let's imagine a device driver that can hide *itself* too, so not only can it put that svga.sys file on your hard drive (which can do whatever it wants to your computer), but it *also* is invisible from within both RegEdit and any other editing or viewing tools you might have, like, say, MPS Reports.

Sometimes you can see svga.sys if you look at the directory where it is located from *another* computer, but it's possible even that can be hidden if it could hit your network layers.

Pretty tricky, but not uncommon.

Lots of times you can pick that up by looking at an NTBACKUP backup of the system files - it will be visible in that registry. Or you can boot with WinPE or Recovery Console, make a backup of the registry, and then mail the registry off to someone so they can look at it and see the bad service/driver that's installed. Sometimes you can see the malware in safe mode, but that's beatable too, so even safe mode isn't a perfectly reliable indication, either.

:)
 

redbeard1

Diamond Member
Dec 12, 2001
How can you enable viewing of these without using a remote connection or non-Microsoft tools?
 

dclive

Elite Member
Oct 23, 2003
Originally posted by: redbeard1
How can you enable viewing of these without using a remote connection or non-Microsoft tools?

Use NTBACKUP's ERD (2000) or System State backup (XP and later) or XP's automatic registry backup feature to back up the registry, and then look at your backed up registry for malware.

In other words, there's no easy way if the hack is sophisticated enough. The malware removal tools can get the simple ones, but there are some that are more difficult to catch.

Safe mode usually makes these visible, but it's possible that sometimes it won't allow fixing the issue.
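A worked version of the check dclive describes (compare the registry as captured in an offline backup against what the live, possibly rootkitted system reports), added here as an example and not code posted by anyone in this thread. The .reg export text and the live service listing are constructed samples; the service name svga is borrowed from the svga.sys example above, and `parse_reg_services` / `cross_view_diff` are hypothetical helper names.

```python
# Cross-view detection: a hidden driver's service key is absent from the live
# view (what regedit shows) but present in an offline registry backup.

# Constructed sample: a .reg-style export of the Services key, taken from an
# offline copy of the SYSTEM hive (e.g. a System State backup loaded elsewhere).
OFFLINE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"ImagePath"="System32\\drivers\\beep.sys"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svga]
"ImagePath"="System32\\drivers\\svga.sys"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
"Start"=dword:00000002
"""

# Constructed sample: the same key as enumerated on the live system.
# The hidden entry does not appear here.
LIVE_SERVICES = {
    "Beep": r"System32\drivers\beep.sys",
    "Dhcp": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
}

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

def parse_reg_services(text):
    """Return {service_name: image_path} from a .reg export of the Services key."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(SERVICES_PREFIX):] if key.startswith(SERVICES_PREFIX) else None
            if current is not None:
                services.setdefault(current, "")
        elif current and line.startswith('"ImagePath"='):
            # .reg files escape backslashes and double quotes inside string values
            raw = line.split("=", 1)[1].strip().strip('"')
            services[current] = raw.replace("\\\\", "\\").replace('\\"', '"')
    return services

def cross_view_diff(offline, live):
    """Services in the offline hive that are missing or altered in the live view."""
    return {name: (path, live.get(name))
            for name, path in offline.items() if live.get(name) != path}

if __name__ == "__main__":
    for name, (offline_path, live_path) in cross_view_diff(
            parse_reg_services(OFFLINE_EXPORT), LIVE_SERVICES).items():
        print(f"discrepancy: {name}: offline={offline_path!r} live={live_path!r}")
```

Running the same comparison against a real System State backup is a matter of feeding it a `reg export` of the Services key from the offline hive and a live enumeration of that key.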