pudelein

SAS detecting a Process Explorer key as Security.Hijack

I use Sysinternals Process Explorer (actually now a Microsoft product!) as a replacement for the normal Windows Task Manager. In my most recent scan, this morning, using database 5152, trace 2964, SAS detects "Security.Hijack [imageFileExecutionOptions]" as a malicious Registry key (actually two such). The key reported is HKLM\Software\Microsoft\Windows NT\Current Version\ImageFileExtensionOptions\TaskMgr.exe. This key contains the data "Debugger" which contains "C:\Program Files\Sysinternals Tools\ProcessExplorer\procexp.exe". The path is local to my system; I keep a group of Sysinternals tools executables there. It is NOT a hijack and should not be detected as such. It was not detected last week with what is apparently the same database, but with a different Trace (which I did not record, unfortunately).

Further data: I use Windows XP SP3 Home Edition; SAS 4.40.1002; Process Explorer 12.1.0.0 (used since November 2007).

I would simply trust that detection as many threats do the exact same thing.

not if what sas is looking at is wrong...

maybe it needs to check and see exactly what is in those keys as opposed to what is assumed.

any scanner worth its salt should verify the contents or its pointers and not just by the reg key placement.

one of the aspects of process explorer that i value is its ability to verify running components.

Please do more than just suspect the key value. :rolleyes:

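The post above asks that a scanner verify where the Image File Execution Options "Debugger" value actually points rather than flag the key by location alone. The following PowerShell is an added example written for this thread (not SAS code and not from the original posts) that does that triage: it enumerates IFEO subkeys in both the native and WOW6432Node views, extracts the debugger executable, checks that it exists and reports its Authenticode signature status and signer. The function name Get-IfeoDebugger is an assumed name.

```powershell
# Added example: list every IFEO "Debugger" redirection and verify its target.
# Get-IfeoDebugger is a hypothetical helper name chosen for this example.
function Get-IfeoDebugger {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        # 32-bit view on 64-bit Windows (the "(x86)" entries in the scan log above)
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }   # subkey has no Debugger value; nothing is redirected

            # Recover the executable path. Process Explorer writes a bare, unquoted path
            # that may contain spaces, so try the whole string before splitting on spaces.
            $exe = $dbg
            if ($dbg -match '^"([^"]+)"') {
                $exe = $Matches[1]
            } elseif (-not (Test-Path -LiteralPath $dbg)) {
                $exe = ($dbg -split ' ')[0]
            }

            $exists = Test-Path -LiteralPath $exe
            $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $exe } else { $null }

            [pscustomobject]@{
                Target    = $key.PSChildName          # e.g. TASKMGR.EXE
                Debugger  = $dbg                      # raw registry value
                Exists    = $exists                   # does the pointed-to file exist?
                SigStatus = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            }
        }
    }
}

# Run from an elevated prompt so both registry views are readable.
Get-IfeoDebugger | Format-Table -AutoSize
```

A target that exists and carries a valid Microsoft signature (as a Sysinternals procexp.exe would) is strong evidence of the benign "Replace Task Manager" setup described in this thread, while a missing file, an unsigned binary or an unexpected signer is what deserves a closer look; the signature alone does not prove the redirection was set by the user.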

Administrator,

I also have this same message with the same SysInternals, now a part of Microsoft, "procexp.exe" with the option to replace the Task Manager of Windows which I have done. This should NOT be labeled as a threat, much less a CRITICAL one. It is valid Microsoft software created by Mark Russinovich when he had the company SysInternals, now added to Microsoft.

TIA, CU L8R,

LxCi

Administrator,

These are my versions copied from your website as I have just done an update this morning:

Core Definitions 9083 08/18/2012 01:10AM PDT 11584KB Download

Installer Trace Definitions 6895

TIA, CU L8R,

LxCi

P.S. The entry "#Debugger" was entered by Process Explorer and added the path to my copy of SysInternals' program as quoted in previous message.

Here is the log created by SuperAntiSpyware FREE Edition below the asterisk (*) line:

*************************************************************************************************************

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 08/19/2012 at 07:39 AM

Application Version : 5.5.1012

Core Rules Database Version : 9083

Trace Rules Database Version: 6895

Scan type : Quick Scan

Total Scan Time : 00:04:40

Operating System Information

Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)

UAC Off - Limited User

Memory items scanned : 508

Memory threats detected : 0

Registry items scanned : 57490

Registry threats detected : 2

File items scanned : 10313

File threats detected : 0

Security.HiJack[imageFileExecutionOptions]

(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE

(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TASKMGR.EXE#Debugger

Edited by LxCi
