RE: running process

From: Mark L. Jackson (codewizard@hotpop.com)
Date: 09/27/02


From: "Mark L. Jackson" <codewizard@hotpop.com>
To: "'baba ali'" <cavallycom@hotmail.com>, <security-basics@securityfocus.com>
Date: Fri, 27 Sep 2002 00:42:35 -0700

My first suggestion is to get off of Win95/98/ME.

Second - do what the webpage for handle suggests
http://www.sysinternals.com/ntw2k/freeware/handle.shtml
Read about object managers in Inside Windows 2000, and/or use winobj.

As you don't say where you picked up 'handle', I can only assume this is
the one you are referring to in your email.

// I am new to security and I am apologizing if my question has been posted
// and answered already on this forum.
// I have installed "Handle" on my computer and how would I interpret the
// output so I can find which process is good and which one is not... Anyone
// can help with a beginning of explanation.
//
// Eg: MSGSRV32.EXE PID :ffc07435
// 4:Process MSGSRV32.EXE (FFC07435)

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q138708&

// 8:Mutex MPRMutex

http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci214353,00.html

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmeother/hh/wmeother/kernel_994i.asp - might wrap.

More than likely this is the program setting up the 'share' (aka mutex)
of the object MSGSRV.DLL or MPREXE.DLL. Off the top of my head.

// 10:Process <Non-existant Process> (FFC03E75)
// 14:Process MPREXE.EXE(FFC062A5)
// 18:Thread MPREXE.EXE(FFC062A5 ):FFC06495

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q155857&

// 1C:Thread <Non-existant Process>(FFC03E75):FFC0205D
//

Just a guess at this point as I have never used 'handle'. My guess is
that the 'non-existant process' is a thread that opened and closed
faster than the program could get the owner info, and then rescanned to
find the thread or process that spawned the thread gone.
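As an added example (not part of this thread and not code from Sysinternals), a small Python parser for rows in the layout quoted above: it splits each row into handle value, object type, owner image, PID and thread id, and flags the rows whose owner shows as <Non-existant Process> so they can be counted separately. The sample listing is constructed to match the quoted rows, including their inconsistent spacing.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional
# Constructed sample modelled on the Handle rows quoted in the thread
# (not output captured from a real machine).
SAMPLE = """\
MSGSRV32.EXE PID :ffc07435
    4:Process MSGSRV32.EXE (FFC07435)
    8:Mutex MPRMutex
   10:Process <Non-existant Process> (FFC03E75)
   14:Process MPREXE.EXE(FFC062A5)
   18:Thread MPREXE.EXE(FFC062A5 ):FFC06495
   1C:Thread <Non-existant Process>(FFC03E75):FFC0205D
"""

@dataclass
class Entry:
    handle: int          # handle value (hex in the listing)
    kind: str            # Process, Thread, Mutex, ...
    name: str            # image name, or object name for Mutex etc.
    pid: Optional[int]   # owning process id (Process/Thread rows)
    tid: Optional[int]   # thread id (Thread rows only)
    stale: bool          # owner shown as <Non-existant Process>
HEADER_RE = re.compile(r"^(\S+)\s+PID\s*:\s*([0-9A-Fa-f]+)")
ROW_RE = re.compile(r"^\s*([0-9A-Fa-f]+):(\w+)\s+(.*?)\s*$")
# "NAME (PID)" or "NAME(PID ):TID"; spacing in the listing is inconsistent
OWNER_RE = re.compile(r"^(.*?)\s*\(\s*([0-9A-Fa-f]+)\s*\)(?::([0-9A-Fa-f]+))?$")

def parse_listing(text):
    """Parse one process's Handle listing into (image, pid, [Entry])."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    hdr = HEADER_RE.match(lines[0])
    if not hdr:
        raise ValueError("expected an 'IMAGE PID: xxxx' header line")
    entries = []
    for row in filter(None, map(ROW_RE.match, lines[1:])):
        handle, kind, rest = int(row[1], 16), row[2], row[3]
        name, pid, tid = rest, None, None
        owner = OWNER_RE.match(rest) if kind in ("Process", "Thread") else None
        if owner:
            name, pid = owner[1], int(owner[2], 16)
            tid = int(owner[3], 16) if owner[3] else None
        entries.append(Entry(handle, kind, name, pid, tid, "Non-existant" in name))
    return hdr[1], int(hdr[2], 16), entries

def summarize(entries):
    """Per-type handle counts plus the handles whose owner could not be resolved."""
    return {"by_type": dict(Counter(e.kind for e in entries)),
            "stale": [e.handle for e in entries if e.stale]}
```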