How to isolate a service in its own svchost.exe

This is a very good public link to read about Service Control Manager internals and how to manage services: download.microsoft.com/download/f/3/9/f3900e1e-a45c-45a4-b716-740e553e1f62/SPTCF_SYS.doc
Description of svchost.exe: http://support.microsoft.com/kb/314056

C:\Documents and Settings\ganand>tasklist /svc

As you see, right now my bits service is running under svchost along with other services…

Image Name                     PID Services
========================= ======== ============================================
System Idle…

How the transition from user mode to kernel mode takes place

NTDLL is used to call into the operating system, which is (generally) in the address range 0x80000000-0xFFFFFFFF. The operating system addresses are not accessible in user mode; therefore a special protected mechanism (using a CPU instruction, which is sysenter; earlier it used to be int 2e) is used to control the transition from user mode to kernel mode. NTDLL…

Dumping out notepad.exe and ntdll.dll

I tried to dump out the headers and data sections of notepad.exe and ntdll.dll to figure out what their dependencies are and what functions and services are provided by ntdll.dll, along with the service numbers which are used in kernel mode.

Microsoft (R) COFF/PE Dumper Version 7.10.2179
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of…

Configuring BitLocker

I thought of giving everyone a feel for how easy it is to configure BitLocker on your machine. I picked a test Lenovo T60p machine and opened the BitLocker Drive Encryption applet from Control Panel. You will get the option to turn on BitLocker, but before you do that you first need to prepare your machine for BitLocker…

Group Policies regarding BitLocker and TPM

Last time we talked about what TPM is and how it works, and also about clean boot of PCRs. This time I would like to throw some light on the group policies involved with BitLocker. I will only talk about a few and not all. There is a group policy which, if enabled, makes…

Starter for someone who is not familiar with BitLocker, part III

Last time we talked about TPM and what exactly it is. This time I will continue from where I left off last time. As mentioned, TPM is nothing but a device to store the secret (or blob) and release it when it has measured and verified the integrity of the boot components. As I…

Behavior of BitLocker when a Windows Vista based computer resumes from sleep mode

Neither the BitLocker Drive Encryption feature nor the TPM chip provides protection against online attacks against the operating system when resuming from sleep mode (sleep = suspend to memory). The standard Windows protections take care of this if they are enabled. If the machine was set to require a password upon resume, then the thief will have…

Starter for someone who is not familiar with BitLocker, part II

Last time I gave a layman's overview of BitLocker, and I stopped at the point of why we need a TPM device and what it does. Basically a TPM device measures the integrity of the boot components… it's like I trust A completely, and I asked A to measure B, and then B measures…

Starter for someone who is not familiar with BitLocker

This is my first entry for this blog of mine, Digging in. I thought of giving a brief description of BitLocker as a starter for someone who is not familiar with it. I will lay down the principle of its working in as simple language as I can. BitLocker provides protection against offline data capture…