How to Hard Reboot a system?

OSR_Community_User Member Posts: 110,217
Hi All,

I want to hard reboot the system when a particular
condition is hit. Please tell me how it can be achieved
in kernel mode.

Thanks & Regards,
Rajendra.

Comments

  • Doron_Holan Member - All Emails Posts: 10,444
    Why do you want to do this? Anti debug measure?

    d

    Sent from my phone with no t9, all spilling mistakes are not intentional.

    ---
    NTDEV is sponsored by OSR

    For our schedule of WDF, WDM, debugging and other seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
  • OSR_Community_User Member Posts: 110,217
    >>Why do you want to do this? Anti debug measure?

    Actually not an anti-debug measure, but anti-malware.
    We are disabling a malware by doing some modifications to its settings.
    But it restores its settings after some time. So if we hard boot it will
    not get a chance to restore its settings.

    We have tested it by manually hard rebooting the system.
    Now we want to do it programmatically.
  • Doron_Holan Member - All Emails Posts: 10,444
    I am speechless that you think that a hard reboot is the right answer.

    d

    Sent from my phone with no t9, all spilling mistakes are not intentional.

  • zhitao_zhou-1 Member Posts: 1
    KeBugCheck(POWER_FAILURE_SIMULATE);   // bug check; the box restarts only if "automatically restart" on system failure is enabled

    or

    mov dx, 64h      ; 8042 keyboard controller command port
    mov al, 0FEh     ; "pulse output port" command: asserts the CPU reset line
    out dx, al
  • Doron_Holan Member - All Emails Posts: 10,444
    You can of course hard hang the machine if the i8042prt driver is touching the hardware at the same time. And of course this does not work on a machine where the ps2 resources are not pure io ports (memory mapped io etc)

    d

  • Maxim_S._Shatskih Member Posts: 10,396
    > KeBugCheck(POWER_FAILURE_SIMULATE);

    HalReturnToFirmware is better.

    > mov dx, 64h
    > mov al, 0FEh
    > out dx, al

    Not obliged to work on modern ACPI/APIC machines.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com
  • Maxim_S._Shatskih Member Posts: 10,396
    > But it restores it's settings after some time. So if we hard boot it will
    > not get chance to restores it's settings.

    The software which hard reboots the machine with the user working on it is _malware_, yes, really so, even if its goal is to protect against another (possible worse) malware.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com
  • James_Harper Member Posts: 1,615
    > > But it restores it's settings after some time. So if we hard boot it will
    > > not get chance to restores it's settings.
    >
    > The software which hard reboots the machine with the user working on it is
    > _malware_, yes, really so, even if its goal is to protect against another
    > (possible worse) malware.

    If the user installs the software that works exactly as described, and
    is installed by the user with a full understanding of what it is going
    to do, then why do you say it is malware? Software with bugs (eg Windows
    7 - http://isc.sans.org/diary.html?storyid=7093) can make worse things
    happen to your system, and you don't call that malware (or maybe you do
    :)

    That said, I think that there are better ways to solve the problem.

    James
  • Based on my experience with one latest variant of a rootkit, I will say the OP is in the correct direction.

    One can treat it as malware; but then the other options are to format the system or live with the rootkit. Based on the feedback I received from our support guys, customers are ready to try anything to avoid a format, *even* when the support guys told them that xyz tool is in beta and may crash your machine to an unrecoverable state.

    Regarding the malware,

    What I observed is that the latest version of one type of rootkit does not drop any files on the machine; instead it changes sectors and hooks into the storage stack. The rootkit driver has registered a shutdown notification, so even if you change the infected part on disk the rootkit will overwrite that during shutdown IRP processing. So the only possible workaround is to restart the machine without generating a shutdown notification, and we have tested this working with success up to the latest version of the rootkit.

    Aditya
  • James_Harper Member Posts: 1,615
    I have found that they are also 'safe mode proof' so the old trick of
    booting into safe mode and cleaning out the registry just doesn't work
    anymore.

    I know I'm taking this further offtopic, but do you (or anyone else)
    have an opinion on the protections offered by the 64 bit kernels and how
    useful they are in preventing this sort of exploit? My opinion based on
    general observations of such protections is that they only need to be
    broken once and it's all over until the next windows patch (and between
    the time when the patch is released and when it starts to get rolled
    out, the malware has already been updated too).

    James
  • >>I have found that they are also 'safe mode proof' so the old trick of booting into safe mode and cleaning out the registry just doesn't work anymore.

    Correct, the recent ones are too advanced. The writers of the rootkit (to which I referred in my last post) are actually improving it by reverse engineering the detection tools. They start with one security researcher's sample, then improve it based on one anti-rootkit tool, and so on. So it seems that very soon they will become almost (:-), I'll not say completely) invisible.

    If you are referring to PatchGuard, then that was reverse-engineered long back (which probably you already know). For expert comments I guess Skywing should be *informed*.

    Regarding the usefulness of 64-bit protection in such malware cases, I don't think they actually check for hooking of drivers in the storage stack currently. And as this malware is not touching any SSDT, IDT etc., PatchGuard will *probably* not take any action against it. Also, as a filter can be placed above the port driver, I do not think there is any possibility of even detecting that using current techniques.

    Not allowing unsigned binaries to be loaded may help (as already in place in Vista and above) but I never went into the details of this aspect, so maybe there is an alternative to this also.

    Aditya
  • Crispin_Wright Member Posts: 88
    Yes they undeniably offer "more protection", but you're still in the same
    old cat and mouse malware game that you've always been in, Russinovich
    mentions this in his blog I think, it just depends how hard the other party
    is trying...

    I also don't believe there has been a "pressure" on the rootkit community to
    *really* put effort into either x86 or x64 Vista/Win7 based rootkits simply
    because the corporate take up of Vista has been so poor. Having said that,
    as Win7 rolls out and large corporates "actually" start to move away from XP
    (will they?), we may see a surge of development in this area.

    As far as corporates adopting x64 technology though over x86 in the current
    economy, they would have to have good reason I imagine, and also good
    understanding of the benefits to be excited about it.....

    But I'd dare to say that if someone had explained to the Dalai Lama how
    Vista x64 would have stopped the Chinese Govt hacking him simply through
    driver signing protection, that he might have been receptive to an
    upgrade.....ahh the joy of hindsight.

    Alex Ionescu has done some interesting work regarding PatchGuard and
    session 0 exploits though James, and the usual rootkit site links also have
    some "interesting" code.

    My 2 english pence.

    crispin.

  • Tim_Roberts Member - All Emails Posts: 13,106
    Doron Holan wrote:
    > I am speechless that you think that a hard reboot is the right answer.
    >

    Although I would be aghast if a shipping product tried to do this, I
    know that I have had to use exactly this scheme to kill certain kinds of
    malware in some of our clients' machines. As a one-time clean-up
    tactic, it's not completely loony.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

  • David_R._Cattley Member - All Emails Posts: 2,112
    Offline cleanup seems to be a potentially safer alternative. The
    file-system and registry can be 'cleaned' of the malware in the static state
    of not having the malware (presumably assisted by a rootkit of some type)
    running and thus able to hide/re-attach itself.

    Better than "Safe Mode", I refer to it as "Dead Mode". It has been very
    helpful in rescuing some non-technical friends systems when they have shown
    up with a bad case of drive-by-malware hangover.

    Cheers,
    Dave Cattley

  • Ken_Johnson Member - All Emails Posts: 1,559
    PatchGuard is not a security mitigation (something that makes it more difficult to reliably gain code execution by exploiting a vulnerability).

    That being said, mitigations have been added to the platform over time (e.g. ASLR on Vista, NX, ...), and I think that it's a safe bet to say that more will come in time. Mitigations are based on attacking the conditions needed to gain meaningful code execution vs. trying to clean up afterwards.

    - S

  • David_J._Craig Member Posts: 1,885
    I think Windows PE booting from optical media or USB stick is a much better
    solution. Less chance of leaving the disk in a partially updated state.
    With the free WAIK, you can run the same version of Windows and do pretty
    much anything to the hard drive. Mounting the registry for cleanup can be
    done easily using Resplendence Registrar Registry Manager. Symantec Ghost
    can create a bootable Windows PE USB stick and copy Ghost32.exe onto it for
    drive and/or volume backup and restoration. They can also do the same using
    PC-DOS but accessing NTFS partitions is not native to the command line, but
    internal to the Ghost program.

    There are registers that will permit a hard reboot, either cold or warm. It
    is not that difficult to find out how to do it, but I don't want any
    software that does it on my system unless I specifically authorize it to do
    it each time.

  • Maxim_S._Shatskih Member Posts: 10,396
    > One can treat is as a malware; but than other options are format the system or live with the rootkit.

    The best option is to boot off antivirus product CD and scan.

    Another option is to detach the hard disk, attach to another computer with AutoRun off, and do AV scan there.

    >processing. So the only possible workaround is

    ...is to boot off antivirus CD.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com
  • >>The best option is to boot off antivirus product CD and scan.

    Well, not for this case,

    as AV scanners scan for files and not for disk sectors, and I found that the said rootkit just puts its data at some sectors, so I do not think an AV product CD will have any chance of cleaning it.

    Another must-have thing to clean that using this method is signatures for that rootkit file, which the AV may not have any information about, because if it had a signature of the rootkit file then it could have cleaned that in the first place without even giving it a chance to execute.

    I am not saying that this will not help, but as mentioned it will not be helpful in all scenarios like this one. And then if a certain tool is saving a customer from a format at the price of a hard reboot, I think it should be acceptable. So I agree that a hard reboot is not good, but at times it could be the only possible solution.

    Thanks,
    Aditya
  • OSR_Community_User Member Posts: 110,217
    But what if it spreads to other systems? The cost of reinstalling one system won't look so bad at that point, but it will be too late, and the cost of reinstalling a single system has to be less than the cost of extensive analysis to arrive at the conclusion that it's 'clean.'

    mm
  • Maxim_S._Shatskih Member Posts: 10,396
    > Well, Not for this case,

    For absolutely any case (if the AV has the databases fresh enough).

    No need in rootkit revealers in any kind, absolutely any kind. Just boot from a clean CD/DVD/another hard drive and run the usual AV with fresh databases.

    > that AV scanners scans for files and not for disk sectors and I found that the said rootkit just put its
    >data at some sectors

    Not important. It will still need to patch some usual location (boot sector or a file) for this hidden file to gain control.

    > Another must have thing to clean that using this method is signatures for that rootkit file, which may not
    >have any information pertaining to the said malware

    If the AV software is obsolete, then the game is lost :-) so is the obsolete rootkit revealer :-)

    >And than if certain tool is saving a customer from a format on the price of a hard reboot

    Sooner or later, the customer's machine will experience random crashes and hangs with such software, and format (at least Windows reinstall) is the _fastest_ and _most cost-effective_ way of curing this.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com
  • James_Harper Member Posts: 1,615
    > > Well, Not for this case,
    >
    > For absolutely any case (if the AV has the databases fresh enough).

    Always assume that your AV database is not fresh enough.

    > No need in rootkit revealers in any kind, absolutely any kind. Just boot from
    > a clean CD/DVD/another hard drive and run the usual AV with fresh databases.

    If your AV database knows about version n, then the rootkit only has to
    be version n+1 and you will either find nothing, or will fail to clean a
    hook or two and the virus will be right back on the next boot.

    >
    > > that AV scanners scans for files and not for disk sectors and I found that
    > > the said rootkit just put its data at some sectors
    >
    > Not important. It will still need to patch some usual location (boot sector or
    > a file) for this hidden file to gain control.

    They are finding more and more places to patch unfortunately.

    > > Another must have thing to clean that using this method is signatures for
    > > that rootkit file, which may not have any information pertaining to the said malware
    >
    > If the AV software is obsolete, then the game is lost :-) so is the obsolete
    > rootkit revealer :-)

    Always assume your AV software is obsolete. I'm getting to the point
    where I think the only good AV software is software that either
    completely disconnects the computer from the network (some do, but I'm
    sure a virus that was motivated enough could disable that) on detected
    infection ('something is not right' detection), or wipes the bootsector
    and turns it off hard, like the OP wants to do, forcing a reinstall (or
    a bootfix)

    > > And than if certain tool is saving a customer from a format on the price of a
    > > hard reboot
    >
    > Sooner or later, the customer's machine will experience random crashes and
    > hungs with such software, and format (at least Windows reinstall) is the
    > _fastest_ and _most cost-effective_ way of curing this.
    >

    And if the computer is on a network, probably all the other machines on
    the network too (port 445 exploits anyone?)

    James (feeling paranoid this morning :)
  • Maxim_S._Shatskih Member Posts: 10,396
    >They are finding more and more places to patch unfortunately.

    Proper AV should just check the boot sector and then check the _MS's digital signatures_ on all Windows files. :-)

    The most "killer" way of doing things. Then the usual registry cleanup and so on.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com
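Aditya's description of a rootkit that keeps its data in raw sectors and hooks the storage stack, and Maxim's point that a proper cleanup tool should start by checking the boot sector from a clean boot, both come down to an offline integrity check of the first sectors of the disk. The Python below is an added example, written for this page and not code from any participant or product in the thread. It assumes a raw disk image (or the first sectors read from the raw device) taken from a clean boot environment, a known-good SHA-256 of the machine's MBR boot code recorded earlier, and, as a heuristic, that the unpartitioned sectors between the MBR and the first partition should be all zero; the sample images, partition layout and baseline hash are constructed for the demonstration.

```python
"""Offline MBR integrity check (added example, not from the thread).

Run from a clean boot environment against a raw disk image. It validates the
MBR layout, compares the 446-byte boot code against a known-good SHA-256
baseline, and flags non-zero sectors in the gap between the MBR and the
first partition (heuristic assumption: a legitimate boot manager can also
use that space, so treat a hit as something to inspect, not proof).
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # MBR boot code occupies bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511
PART_ENTRY_FMT = "<B3xB3xII"   # status, (CHS), type, (CHS), LBA start, count


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four MBR partition entries into dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def check_boot_sector(image: bytes, baseline_sha256: str) -> dict:
    """Return {'ok', 'findings', 'partitions', 'code_sha256'} for a raw image."""
    findings = []
    if len(image) < SECTOR:
        return {"ok": False, "findings": ["image shorter than one sector"],
                "partitions": [], "code_sha256": None}
    mbr = image[:SECTOR]
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    code_sha256 = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if code_sha256 != baseline_sha256:
        findings.append("boot code differs from baseline (sha256 %s...)" % code_sha256[:16])
    partitions = [p for p in parse_partition_table(mbr) if p["type"] != 0]
    for p in partitions:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x"
                            % (p["index"], p["status"]))
    # Heuristic: sectors between the MBR and the first partition should be zero.
    first_lba = min((p["lba_start"] for p in partitions), default=0)
    if first_lba > 1:
        gap = image[SECTOR:first_lba * SECTOR]
        dirty = [n for n in range(len(gap) // SECTOR)
                 if any(gap[n * SECTOR:(n + 1) * SECTOR])]
        if dirty:
            findings.append("%d non-zero sector(s) in MBR gap, first at LBA %d"
                            % (len(dirty), dirty[0] + 1))
    return {"ok": not findings, "findings": findings,
            "partitions": partitions, "code_sha256": code_sha256}


# ---- constructed sample data (not captured from any real machine) ----
def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY_FMT, *p) for p in partitions)
    return code + table.ljust(64, b"\x00") + MBR_SIGNATURE


def build_image(boot_code: bytes, partitions: list, gap_payload: bytes = b"") -> bytes:
    """MBR followed by the gap sectors up to the first partition's LBA."""
    first_lba = min(p[2] for p in partitions)
    gap_len = (first_lba - 1) * SECTOR
    return build_mbr(boot_code, partitions) + gap_payload.ljust(gap_len, b"\x00")[:gap_len]


CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # stand-in for real boot code
CLEAN_PARTS = [(0x80, 0x07, 63, 2_000_000)]             # one bootable NTFS partition at LBA 63
BASELINE_SHA256 = hashlib.sha256(
    build_mbr(CLEAN_BOOT_CODE, CLEAN_PARTS)[:BOOT_CODE_LEN]).hexdigest()


def clean_image() -> bytes:
    return build_image(CLEAN_BOOT_CODE, CLEAN_PARTS)


def tampered_image() -> bytes:
    """Constructed infection: boot code altered and two sectors of data in the gap."""
    patched = b"\xe9\x00\x02" + CLEAN_BOOT_CODE[3:]
    return build_image(patched, CLEAN_PARTS, gap_payload=b"\xa5" * (2 * SECTOR))


if __name__ == "__main__":
    for name, img in (("clean", clean_image()), ("tampered", tampered_image())):
        result = check_boot_sector(img, BASELINE_SHA256)
        print(name, "OK" if result["ok"] else "SUSPECT", result["findings"])
```

The baseline hash has to be recorded while the machine is known clean (or taken from the boot manager's published code), which is exactly the "fresh enough database" problem James raises: a check like this only tells you the first sectors changed, not what changed them, so a hit is a reason to image the disk and inspect it offline rather than a cleanup in itself.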
  • OSR_Community_User Member Posts: 110,217
    Hi All,

    I am very thankful of all of you for providing different solutions.

    Thanks & Regards,
    Rajendra.