# Why Does Windows Allow Hidden Processes and Files?



## Marlin Guy (Apr 8, 2009)

I posed this question in the thread about rootkit infections, but received no answers.
We seem to get a steady stream of propaganda here from the Microsoft machine, so it would only stand to reason to conclude that some here are well-connected enough to provide an answer to this simple question.

Rootkit infections effectively hide themselves in the file system, registry, and so on to the point that they are nearly impossible to, pardon the pun, root out.

So, why is it that MS operating systems allow processes and files to be hidden from view in this manner?
Is it something they have embedded in the OS to hide some of their own work, or is it simply a matter of them putting together a shoddy OS?


----------



## Fontano (Feb 7, 2008)

My guess, based on Microsoft's usage of that feature, is that it is there to hide areas that general users don't need to be messing around with.
Such as the Application Data sub-folders in their user directories.
There is typically nothing in there that a user can read or manipulate, but they are files important to the system/programs.

Basically a decent idea that was identified, and then exploited, by those that want to cause headaches.

This is not part of a "shoddy" OS, but simply part of the overall complexities involved in trying to support old, add new, keep it simple, and try to limit the damage that people just poking around can do to their system.

I remember Windows 3.0, on my first PC about 20 years ago. I really didn't know what I was doing, nuked autoexec.bat and config.sys, and broke the new computer.

My dad had to take it back, and they replaced it because they didn't even know how to fix it. (And yes, obviously 20 years later, we all know how to fix it, but it was just a case of someone doing something without knowing what they were doing.)

Really no different than someone going into their Linux or even a Mac system with system privileges and just messing around. Linux and Mac have their own methods for hiding things at the GUI level, and making it very difficult at the terminal level.


----------



## harsh (Jun 15, 2003)

The hidden processes are typically about things that simply cannot be adjusted or stopped. "Wedging" has always been an important tool to provide patches and upgraded functionality without losing existing functionality.

See more at "ring 0".


----------



## Stewart Vernon (Jan 7, 2005)

In the beginning... the hidden and "system" files were a combination of files that you couldn't change and files that you generally shouldn't change.

I always choose the "show hidden/system files" option so they are never hidden to me... and I actually understand the attempt to try and protect some users from themselves.


----------



## Marlin Guy (Apr 8, 2009)

Stewart Vernon said:


> In the beginning... the hidden and "system" files were a combination of files that you couldn't change and files that you generally shouldn't change.
> 
> I always choose the "show hidden/system files" option so they are never hidden to me... and I actually understand the attempt to try and protect some users from themselves.


I do the same, but even with all of the options turned off, rootkit files and processes remain hidden.
Yeah, it makes sense to hide some things from certain people, but to allow third parties to drop unsigned files in and hide them makes no sense.
Furthermore, a user with Administrative rights should be able to see and stop anything from the processes list in task manager.

It's irresponsible of MS to not address this and clean up behind themselves.
It is absurd that one can't stop a malicious process from task manager and deal with it.
It is beyond absurd that we have to employ third party utilities to get at these things and stop them.


----------



## Tom Robertson (Nov 15, 2005)

The whole purpose of rootkits is to hide themselves. And every operating system where things can be hidden--at least from normal tools and inspection. Some viruses have been known to hide in the spare space at the end of files without changing the filesize. 

So are there things Microsoft might consider doing to prevent some of this? Yes--but what functionality do they give up along the way?

To your points: Stopping some things in the taskmanager is dangerous. So even admins can be denied stopping those things via that route. But a good admin knows how to use tasklist and kill (and where to find those tools) so they can stop even more things. 

Again a balance between protecting the system and the system from the user.

As for dropping unsigned things into an OS... with a reboot anything can be dropped into any OS. There are many ways to bypass security on a reboot. 

There are BIOS (and some firmware) features that can be enabled but like any security system, all they do is slow people down. Even they do not stop anyone who is determined to hack into a secure area. 

Cheers,
Tom


----------



## Shades228 (Mar 18, 2008)

Marlin Guy said:


> I do the same, but even with all of the options turned off, rootkit files and processes remain hidden.
> Yeah, it makes sense to hide some things from certain people, but to allow third parties to drop unsigned files in and hide them makes no sense.
> Furthermore, a user with Administrative rights should be able to see and stop anything from the processes list in task manager.
> 
> ...


You also have to define hidden. There is nothing truly hidden if you know where to look. There are some programs that intentionally hide themselves from the common areas, Task Manager and the service manager, but they can still be seen in other ways. Many of these are security programs and processes that are referenced by programs but not used.

Any operating system will always have exploits as long as they allow people to have the access that they want. The key is what is tolerable and what isn't. My kids' computers, running Win 7, actually load the XP VM up before they can do anything. Then they do everything in the VM and it shuts down when they turn it off. So far none of their machines have needed to be fixed since I went to this solution. For school work and reports I make them use the online Office now; before it was Google Docs.

It doesn't take a lot to not get infected with something and most of it is common sense nowadays. The problem with this is the same as everything else. Common sense is not so common.
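A defender's version of "they can still be seen in other ways" (Shades228) and of Tom's point about tasklist: compare several independent process enumerations and flag any PID that one of them does not show. This is an added example, not code from the thread; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run from an elevated prompt.

```powershell
# Cross-view process check (added example, not from the thread). Task Manager uses
# the same user-mode APIs as Get-Process, so a process hidden from it by API
# hooking frequently still shows up through the WMI provider or tasklist.exe.
# Assumption: Windows PowerShell 5.1 or PowerShell 7 on Windows, elevated prompt.

function Get-ProcessViews {
    # View 1: Win32 / .NET enumeration, the same path Task Manager relies on
    $api = @{}
    Get-Process | ForEach-Object { $api[[int]$_.Id] = $_.ProcessName }

    # View 2: WMI/CIM Win32_Process, answered by the WMI provider host process
    $wmi = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $wmi[[int]$_.ProcessId] = $_.Name
    }

    # View 3: tasklist.exe in CSV mode without a header row, parsed into objects
    $tl = @{}
    tasklist.exe /FO CSV /NH |
        Where-Object { $_ -match '^"' } |
        ConvertFrom-Csv -Header 'Name','PID','Session','SessionNum','Mem' |
        ForEach-Object { $tl[[int]$_.PID] = $_.Name }

    return @{ Api = $api; Wmi = $wmi; Tasklist = $tl }
}

function Compare-ProcessViews {
    param([hashtable]$Views)
    $ids = @($Views.Api.Keys) + @($Views.Wmi.Keys) + @($Views.Tasklist.Keys) |
        Sort-Object -Unique
    foreach ($id in $ids) {
        $inApi = $Views.Api.ContainsKey($id)
        $inWmi = $Views.Wmi.ContainsKey($id)
        $inTl  = $Views.Tasklist.ContainsKey($id)
        if ($inApi -and $inWmi -and $inTl) { continue }
        # Take the name from whichever view did see the process
        $name = ($Views.Api[$id], $Views.Wmi[$id], $Views.Tasklist[$id]) |
            Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            PID = $id; Name = $name; InApi = $inApi; InWmi = $inWmi; InTasklist = $inTl
        }
    }
}

# Processes start and exit between the three enumerations, so one pass produces
# transient mismatches. Take two passes a few seconds apart and report only PIDs
# that are inconsistent in the same way both times.
$first  = Compare-ProcessViews (Get-ProcessViews)
Start-Sleep -Seconds 3
$second = Compare-ProcessViews (Get-ProcessViews)

$persistent = foreach ($f in $first) {
    $s = $second | Where-Object {
        $_.PID -eq $f.PID -and $_.InApi -eq $f.InApi -and
        $_.InWmi -eq $f.InWmi -and $_.InTasklist -eq $f.InTasklist
    }
    if ($s) { $f }
}

if ($persistent) {
    Write-Host "Processes visible in some views but not others:"
    $persistent | Format-Table -AutoSize
} else {
    Write-Host "All three views agree; this check found no user-mode hiding."
}
```

A kernel-mode rootkit that unlinks its process from the kernel's own lists hides from all three views equally, so agreement here rules out only API-level hiding; that case needs offline or memory-level inspection.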


----------



## puckwithahalo (Sep 3, 2007)

Fontano said:


> I remember windows 3.0, on my first PC about 20 years ago. Really didn't know what I was doing, and nuked autoexec.bat and config.sys. and broke the new computer.


I did something similar about that time and almost cost my mom part of her PhD work. Thankfully someone at the university knew how to fix it or I'm not sure I'd have survived the incident.


----------



## Tom Robertson (Nov 15, 2005)

puckwithahalo said:


> I did something similar about that time and almost cost my mom part of her PhD work. Thankfully someone at the university knew how to fix it or I'm not sure I'd have survived the incident.


Whew!


----------



## Fontano (Feb 7, 2008)

Stewart Vernon said:


> In the beginning... the hidden and "system" files were a combination of files that you couldn't change and files that you generally shouldn't change.
> 
> I always choose the "show hidden/system files" option so they are never hidden to me... and I actually understand the attempt to try and protect some users from themselves.


I believe the OP is referring to the other methods of hiding directories in Windows, not just a simple attribute flag.

I believe he is referring to some of the naming structures and other tricks that the OS identifies and doesn't display in Explorer, or even in command line mode.


----------



## Marlin Guy (Apr 8, 2009)

Shades228 said:


> It doesn't take a lot to not get infected with something and most of it is common sense nowadays.


I can't agree with that at all.
When these ransomware exploits run from flash ads on legitimate websites like CNN and Netflix, you can't really blame that on a lack of common sense.
The computer can be completely up to date and running the latest antivirus from the big makers. All they have to do is load the page and Boom!, they've got it.
The antivirus may pick up a part of it, but more than likely it won't be stopped.
The good ones even shut down the antivirus and prevent the user from accessing information and resources to get themselves straightened back out.

Sure, one could employ common sense and simply leave the PC turned off, but common sense and practicality are two very different things.


----------



## Fontano (Feb 7, 2008)

Marlin Guy said:


> I do the same, but even with all of the options turned off, rootkit files and processes remain hidden.
> Yeah, it makes sense to hide some things from certain people, but to allow third parties to drop unsigned files in and hide them makes no sense.
> Furthermore, a user with Administrative rights should be able to see and stop anything from the processes list in task manager.
> 
> ...


Killing any process at any time is dangerous if you don't know what you are doing. And that goes for any OS, not just Microsoft ones.

Irresponsible of MS? How?
Because people found a way to exploit a function of the system?
As I noted earlier, it was a well-intentioned idea that was used for something else.

And Microsoft has in their later versions, attempted to make it more difficult for some of these methods to be used for negative things. But unless you go the route of having to certify and approve (and thus digitally sign) each and every application... a bad program, looks the same as a valid program.

Windows' strength (it is a relatively open and easily coded-for platform) is also one of its weaknesses. It's give and take.

What is absurd is the notion that MS products are the only one impacted by these things. Macs are NOT immune to this, it just isn't as common. Linux systems can EASILY be tanked, if someone not knowing what they are doing runs something they shouldn't.

You have people out there that make a business out of destroying your computer. They are just as smart as the people building the OS. 
What was one of the #1 complaints about Vista when it first came out?

The nag screens, that made you enter your login password every time you wanted to run something, or do an action that could cause an issue. There were thousands of blogs and posts, asking how to shut that off.

And yes, Microsoft and other third parties are actively trying to stop these attacks, but it is a cat and mouse game. The cat builds a better trap and fills the holes. The mouse always finds another way, and a way that is stronger/sneakier and even harder to stop.


----------



## Fontano (Feb 7, 2008)

Marlin Guy said:


> I can't agree with that at all.
> When these ransomware exploits run from flash ads on legitimate websites like CNN and Netflix, you can't really blame that on a lack of common sense.
> The computer can be completely up to date and running the latest antivirus from the big makers. All they have to do is load the page and Boom!, they've got it.
> The antivirus may pick up a part of it, but more than likely it won't be stopped.
> ...


Which part didn't you agree with? The part that he said, it isn't that hard to get infected? Or that it is common sense?

Common sense stops the VAST majority of these attacks and infections.

And what is amazing about the attacks nowadays is that they utilize social skills to make these things look so legit that even the most experienced people get caught.

And guess what, the moment that state of the art anti-virus program comes out, those people making the infections study it, and find out how to beat it.

Then the anti-virus guys study the new changes, and beat that. And the cycle repeats.

Where common sense comes into play nowadays is simply to know to keep your stuff backed up. And don't assume that a pop-up window, or a Flash ad saying it can fix your computer for $30, is a good thing.

So please excuse me now, as I need to go find some wood to knock on, as my computers have been infection free for many years now, and I would like that to continue.


----------



## Marlin Guy (Apr 8, 2009)

Fontano said:


> Which part didn't you agree with? The part that he said, it isn't that hard to get infected?


You misread his statement.



Shades228 said:


> It doesn't take a lot to *not* get infected with something


----------



## SayWhat? (Jun 7, 2009)

Marlin Guy said:


> When these ransomware exploits run from flash ads on legitimate websites like CNN and Netflix, you can't really blame that on a lack of common sense.
> The computer can be completely up to date and running the latest antivirus from the big makers. All they have to do is load the page and Boom!, they've got it.


Which is one of the reasons I have Flash disabled and blocked every way I can find.


----------



## Tom Robertson (Nov 15, 2005)

Indeed, I've watched McAfee update their signature files while I was cleaning someone's computer. So new, McAfee didn't stop it, though it almost caught it. (Social aspects might have come into play.)

What has Microsoft done? They've recently taken these people to court. I hope they win. 

Cheers,
Tom


----------



## Marlin Guy (Apr 8, 2009)

I am not speaking on my own behalf. I have no problems with Flash ads and the like.
I am speaking in terms of the average user who buys a PC, connects to the net, and begins using it.

They get an infection of some unknown type and then call me to fix it.

When I get it, I have to figure what they have and how to get rid of it.
I'm just saying, that at this particular point in time, it would be nice if I could see all of the processes and be able to manage them in order to gain some control over the machine.


----------



## HIPAR (May 15, 2005)

Some rootkits patch the op system files and do not spawn additional processes.

--- CHAS


----------



## Marlin Guy (Apr 8, 2009)

HIPAR said:


> Some rootkits patch the op system files and do not spawn additional processes.


Which raises a revised question: 
Why would they allow unsigned third party patches to their OS?


----------



## Tom Robertson (Nov 15, 2005)

Marlin Guy said:


> Which raises a revised question:
> Why would they allow unsigned third party patches to their OS?


You seem to think these are permitted activities when they are really bypasses of the security system. Once security is bypassed, all bets are off.

Even with updated anti-virus and malware security, new viruses find new ways to hack the system. As soon as the virus writers find a new avenue, anti-virus programmers find it or plug it. Then a new attack vector is abused. Round and round it goes.

Cheers,
Tom


----------



## Shades228 (Mar 18, 2008)

The more security we put on things the less user friendly they are. So there will always be these issues as Tom has pointed out until someone decides that security is more important than the initial user experience.


----------



## HIPAR (May 15, 2005)

Marlin Guy said:


> Which raises a revised question:
> Why would they allow unsigned third party patches to their OS?


I seem to remember that 'secret' interface hooks into VISTA were not being disclosed to trusted developers. The ability to modify the kernel is evidently indispensable for design of applications that integrate with the op system rather than running on it. Microsoft relented providing developers like Symantec with the information.

--- CHAS


----------



## kevinwmsn (Aug 19, 2006)

Another thing not mentioned so far is don't run your box as admin unless you need to be. If you are running as a limited user you don't have access to the entire file system, and neither would the malicious software you would acquire, because it would have the same credentials and rights that the signed-on user has.


----------



## Ron Barry (Dec 10, 2002)

Might want to check out Windows Sysinternals. They have some cool tools for getting more process-related info.

As for Security vs. Experience: MS has led the way in terms of adding Experience at the cost of security. ActiveX is a great example of doing just that and at the same time causing apps built on that technology to be single platform, when the key benefit of such technologies is being cross platform.

If my company is any indication, security is definitely starting to make it into large enterprises as companies that we work with and our company push for more secure deployment. The tricky thing is as someone indicated that you juggle security, features, user experience, and cost. Security is a tough sell until you get bit. 

Security should never be an afterthought and too often it is the last thing teams discuss.


----------



## Marlin Guy (Apr 8, 2009)

kevinwmsn said:


> Another thing not mentioned so far is don't run your box as admin unless you need to be. If you are running as a limited user you don't have access to entire filesystem and neither would the malicious (sp) software you would acquire being it would have the same credentials (sp) and rights that the signed on user has.


One of the machines I fixed last weekend was infected while a Limited User was logged on.
It came from a corporate environment.
The user said she wanted to pay me to fix it, rather than deal with the IT Admin., because he was such an arrogant prick.

In order to gain the proper access to fix the machine, I had to crack the Admin's password, which took all of five minutes.

I wrote it down for her, in case she needed it in the future. :lol:


----------



## dpeters11 (May 30, 2007)

kevinwmsn said:


> Another thing not mentioned so far is don't run your box as admin unless you need to be. If you are running as a limited user you don't have access to the entire file system, and neither would the malicious software you would acquire, because it would have the same credentials and rights that the signed-on user has.


This is good practice but still things can happen. If, for example, something gets in that uses a privilege escalation vulnerability, then all bets are off. There's actually an unpatched one for Vista right now. Now in this case, a good firewall would mitigate the issue, but running as a limited user isn't a cure-all. It's part of safe computing, but you still need to be careful.


----------



## itguy05 (Oct 24, 2007)

Fontano said:


> Killing any process at any time, is dangerous if you don't know what you are doing. And that goes for any OS, not just Microsoft ones.


But UNIXes let you do that. I should be able to control how my computer operates. If that includes killing a necessary process, so be it. Many viruses hook into these "necessary processes" (BHOs come to mind) and that's how they avoid removal.



> Windows strength (it relatively open and easily coded for) platform, is also one of it's weakness. It's give and take.


By that token, Open Source would be the least secure, as anyone can see the source code. Yet most are not (Linux for example).



> What is absurd is the notion that MS products are the only one impacted by these things. Macs are NOT immune to this, it just isn't as common. Linux systems can EASILY be tanked, if someone not knowing what they are doing runs something they shouldn't.


DoS attacks, while nuisances, are not the same as infestations. Apache and Linux run most of the Web servers and are some of the most reliable web hosts out there (www.netcraft.com). Yet Windows gets hacked the most.

Marketshare helps the Mac and Linux avoid some of the infestations. The better fundamental architecture of UNIX is the other thing. It's just plain harder to write code that infests a decently configured UNIX box. Most of the Mac exploits start from the user running something. Most Windows exploits are automatic.... That right there should tell you something.



> You have people out there that make a business out of destroying your computer.


It will be interesting to see what the new "bounty" on Macs does to the infestation rates. My guess is it won't change a thing.


----------



## Tom Robertson (Nov 15, 2005)

itguy05 said:


> But UNIXes let you do that. I should be able to control how my computer operates. If that includes killing a necessary process, so be it. Many viruses hook into these "necessary processes" (BHOs come to mind) and that's how they avoid removal.


And Windows does too. Taskkill lets you kill any process.


itguy05 said:


> By that token, Open Source would be the least secure, as anyone can see the source code. Yet most are not (Linux for example).


I've watched the security alerts for years; there are just as many security warnings/alerts for Unix/Linux systems as there are for Windows.


itguy05 said:


> DoS attacks, while nuisances, are not the same as infestations. Apache and Linux run most of the Web servers and are some of the most reliable web hosts out there (www.netcraft.com). Yet Windows gets hacked the most.


Might have something to do with the relative number of Windows computers and newbie users... Think many, many millions. And poorly administered...


itguy05 said:


> Marketshare helps the Mac and Linux avoid some of the infestations. The better fundamental architecture of UNIX is the other thing. It's just plain harder to write code that infests a decently configured UNIX box. Most of the Mac exploits start from the user running something. Most Windows exploits are automatic.... That right there should tell you something.


Automatic--if the user runs something or accepts something.

Oh, and the Unix TCP/IP stack (and libraries) have also been known for their weaknesses over the years. Including hacks without a user doing a thing...


itguy05 said:


> It will be interesting to see what the new "bounty" on Macs does to the infestation rates. My guess is it won't change a thing.


Over the years, no OS has proven itself immune. Some are more attractive; Windows has definitely had its fair share of attack vectors. It would have been nice had Microsoft realized that with millions and millions served, they should have done more to protect their brand if nothing else.

Cheers,
Tom


----------



## itguy05 (Oct 24, 2007)

Tom Robertson said:


> And Windows does too. Taskkill lets you kill any process. I've watched the security alerts for years; there are just as many security warnings/alerts for Unix/Linux systems as there are for Windows.


A serious question - Will Taskkill kill ANYTHING, including those nasty viruses that start processes that just won't be killed?

Warnings are nice but I'm talking about actual exploits. Many of the security warnings never lead to actual exploits.



> Over the years, no OS has proven itself immune.


Nothing is 100% immune. It's like computing with Swiss Cheese (Windows) or something a little more robust. Neither is 100% secure, but you should choose the one with fewer holes.


----------



## Tom Robertson (Nov 15, 2005)

itguy05 said:


> A serious question - Will Taskkill kill ANYTHING, including those nasty viruses that start processes that just won't be killed?
> 
> Warnings are nice but I'm talking about actual exploits. Many of the security warnings never lead to actual exploits.
> 
> Nothing is 100% immune. It's like computing with Swiss Cheese (Windows) or something a little more robust. Neither is 100% secure, but you should choose the one with fewer holes.


The only reason the warnings don't turn into actual exploits is lack of interest. If everyone took your suggestion and switched to Mac or Linux, Windows would suddenly be safe. 

And I hope you know, killing viruses doesn't stop them. In any OS. Especially when they infect the various shared libraries or OS components themselves.

But yes, I haven't found anything taskkill can't kill, though I haven't been so stupid as to kill some of the core processes.

Cheers,
Tom


----------



## itguy05 (Oct 24, 2007)

Tom Robertson said:


> The only reason the warnings don't turn into actual exploits is lack of interest. If everyone took your suggestion and switched to Mac or Linux, Windows would suddenly be safe.


I've been hearing that for years, and always say it's BS. Why? Again, the most widely used Web server is Apache. The most hacked is IIS. Corporate e-mail is about 40% Exchange, 40% IBM Lotus Notes, and 20% other. Yet the bulk of the exploits are on Exchange.

It's all about how easy it is to exploit. Windows is pretty much a point and click infect. UNIX takes brains and time, something the virus writers don't necessarily want to do....

Anyway, it's an interesting topic and debate!


----------



## phat78boy (Sep 12, 2007)

itguy05 said:


> I've been hearing that for years, and always say it's BS. Why? Again, the most widely used Web server is Apache. The most hacked is IIS. Corporate e-mail is about 40% Exchange, 40% IBM Lotus Notes, and 20% other. Yet the bulk of the exploits are on Exchange.
> 
> It's all about how easy it is to exploit. Windows is pretty much a point and click infect. UNIX takes brains and time, something the virus writers don't necessarily want to do....
> 
> Anyway, it's an interesting topic and debate!


What you're missing is that since workstations and servers started using pretty much the same core with Windows 2000, a hack on a workstation OS can sometimes be easily ported to the server OS. So if you take that into consideration, more than 80% of machines can be targeted. Whereas Apache, for example, would only net you a ~2% target area. Probably smaller, actually.


----------

