Using Filemon and Regmon

Discussion in 'Malware Removal FAQ' started by chaslang, May 25, 2007.

Thread Status:
Not open for further replies.
chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member):

    Download the below two tools and extract them to a folder of their own.
    You can put both into the same folder.
    Setting up FileMon to monitor file access
    • Run Filemon by double clicking on filemon.exe
    • When it comes up, change the *.* in the Include box to filename, where filename is the actual filename that you wish to monitor, like hpbahpb.dll, ungjjhjm.sys, or kpwn1.exe, etc.
    • Then click Apply and OK.
    • The Filemon window now comes up and will monitor for anything accessing filename.
    • Now just leave this running and continue.
    Setting up RegMon to monitor registry access
    • Run Regmon by double clicking on regmon.exe
    • When it comes up, click the icon that sort of looks like a diamond with some blue color on top. This is the Regmon filter.
    • In this filter, enter the filename (where filename is the actual filename that you wish to monitor for activity within the registry. In some cases this will be the same filename entered above for Filemon).
      • Note: Regmon can also monitor access to registry keys themselves. This is useful when you know a particular registry key by name that keeps getting recreated.
    • Then click Apply and then OK. It will ask if you want to apply the filter to the current output. Say yes.
    The Filemon &amp; Regmon utilities can be set up and used to help you determine what may be recreating a particular file or registry key after you delete them. If you enable Filemon and Regmon just before deleting the files or registry keys, the two programs will log the requested activities and may reveal the root process/file that is the cause of the malware files being recreated.

    Once you have deleted the files or registry keys and you notice they have returned, you can go back to the Filemon screen and click File and then uncheck the Capture Events selection to stop the capture process. Then use File, Save As to save the log to a file like filemon.log and post it back here as an attachment.

    Also, after a registry key has returned, Regmon will show the activity. It should also show if anything else is putting the entry back into the registry. So go back to the Regmon screen and click File and then uncheck the Capture Events selection to stop the capture process. Then use File, Save As to save the log to a file like regmon.log and post it back here as an attachment.


    If you don't understand any of the above procedure or have a problem getting them to work as desired, ask questions in your thread.
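As an added illustration (not part of chaslang's post or of the Sysinternals tools), here is a small Python script that reads a saved filemon.log or regmon.log and lists which process created or wrote the monitored file or key, which is the "root process" the post says the logs may reveal. It assumes the saved log is tab-separated in the column order seq, time, process:pid, request, path, result, other, and the sample lines and process/file names in it are constructed.

```python
"""Triage a saved Filemon/Regmon log: which process recreates the monitored object?"""
from collections import defaultdict

# Requests that create or change a file (Filemon) or key/value (Regmon).
# Assumption: request names as printed in saved logs; extend if yours differ.
WRITE_REQUESTS = {"CREATE", "WRITE", "SET INFORMATION", "CREATEKEY", "SETVALUE"}

# Constructed sample of a saved filemon.log (columns: seq, time, process:pid,
# request, path, result, other). Process and file names are made up.
SAMPLE_LOG = "\n".join([
    "1\t10:12:01 AM\tsvchost.exe:1032\tOPEN\tC:\\WINDOWS\\system32\\hpbahpb.dll\tSUCCESS\tOptions: Open  Access: Read",
    "2\t10:12:01 AM\texplorer.exe:1560\tDELETE\tC:\\WINDOWS\\system32\\hpbahpb.dll\tSUCCESS\t",
    "3\t10:12:05 AM\tkpwn1.exe:2204\tCREATE\tC:\\WINDOWS\\system32\\hpbahpb.dll\tSUCCESS\tOptions: OverwriteIf  Access: All",
    "4\t10:12:05 AM\tkpwn1.exe:2204\tWRITE\tC:\\WINDOWS\\system32\\hpbahpb.dll\tSUCCESS\tOffset: 0 Length: 28672",
    "5\t10:12:06 AM\texplorer.exe:1560\tQUERY INFORMATION\tC:\\WINDOWS\\system32\\notepad.exe\tSUCCESS\tAttributes: A",
])

def parse_log(text):
    """Yield (process, request, path, result) from tab-separated log lines."""
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6 or not cols[0].strip().isdigit():
            continue  # header, blank or truncated line
        yield cols[2].strip(), cols[3].strip(), cols[4].strip(), cols[5].strip()

def find_writers(text, monitored):
    """Map process -> [(request, path)] for successful create/write events on the
    monitored name. Windows paths are case-insensitive, so match lowercased."""
    hits = defaultdict(list)
    target = monitored.lower()
    for process, request, path, result in parse_log(text):
        if (target in path.lower() and request.upper() in WRITE_REQUESTS
                and result.upper() == "SUCCESS"):
            hits[process].append((request, path))
    return dict(hits)

def rank_suspects(text, monitored):
    """Processes ordered by number of create/write events, most first."""
    hits = find_writers(text, monitored)
    return sorted(((p, len(ev)) for p, ev in hits.items()), key=lambda x: (-x[1], x[0]))

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: triage.py filemon.log hpbahpb.dll
        text, name = open(sys.argv[1], errors="replace").read(), sys.argv[2]
    else:
        text, name = SAMPLE_LOG, "hpbahpb.dll"
    for process, n in rank_suspects(text, name):
        print(f"{process}: {n} create/write event(s) on {name}")
```

Reads and deletes are deliberately ignored so that your own deletion in Explorer and ordinary scanners opening the file do not show up as suspects; only the process that writes the object back is reported.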