Obviously, you need to find a hack before you can take measures to stop the attack and recover from it. Where do you begin? Every hack is unique, but you should always check certain places first. Here are the key locations in which to start your search.

Registry subkeys. If you suspect that a particular machine has been hacked, check the Run subkeys in that machine’s registry first. Look for any unfamiliar programs that load from these subkeys. Not only do attackers favor the Run subkeys as a launching point for rogue programs, but intruders can launch viruses from those subkeys as well. The subkeys apply to Windows Server 2003, Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x. The specific subkeys to check are:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

If you’re running Windows 2003, XP, Win2K, or NT systems, you also need to check the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\Explorer\Run subkey.

Any program that you don’t recognize is a potential hacking program. Use Google or a similar search engine to search the Internet for the program name and determine whether the program is legitimate. You should be especially suspicious of programs that load from C:, C:\windows, and C:\windows\system32. I strongly suggest that you make a habit of regularly reviewing these registry keys so you become familiar with all the programs that are set to automatically load on your computers.

The following subkeys are less commonly used to launch hacking programs, but you need to check them also. These subkeys apply to all Windows OSs. If the default registry key contains a value other than “%1” %*, the program is most likely a hacker program.

  • HKEY_CLASSES_ROOT\batfile\shell\open\command
  • HKEY_CLASSES_ROOT\comfile\shell\open\command
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
  • HKEY_CLASSES_ROOT\htafile\shell\open\command
  • HKEY_CLASSES_ROOT\piffile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafila\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command

Services. Review the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry subkey on all Windows OSs. The entries under this subkey specify the services that are defined on your computer. I suggest that you look directly in the registry instead of using Windows’ Services GUI because some services (e.g., Type 1 services) don’t show up in the Services GUI. Again, check for programs you don’t recognize. If possible, compare the Services subkey entries and values to a machine that you know is hack-free and investigate any differences you find.

Startup Folder. Check the C:\Documents and Settings\All Users\Start Menu\Programs\Startup and C:\Documents and Settings\user_name>\Start Menu\Programs\Startup folders for unfamiliar programs and hidden files. To display a list of hidden files in the current folder and any subfolders, at a command prompt, enter

dir /a h /s

Task Scheduler. Check the C:\windows\tasks folder for unauthorized tasks. Investigate any scheduled task that you don’t recognize.

Win.ini. Malicious users can load hacking programs automatically from C:\windows\win.ini. Look in the following section of the win.ini file:

\[windows\]                              Run=                              Load=

Any program listed after Run= or Load= will load automatically when Windows starts.

System.ini. Intruders can use shell commands to load programs in C:\windows\system.ini. Search system.ini for:

\[boot\]                              shell=explorer.exe

Any program listed after explorer.exe will load automatically when Windows starts.

Other locations exist from which a hacker can automatically load programs to launch when Windows starts. Sysinternals’ Autoruns freeware utility shows you which programs are configured to load during startup on NT and later systems. You can download the tool from http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml.

Open Ports and Unauthorized Users
After you’ve run your initial key-locations check for hacking activity, look for unexpected or suspicious open ports.