Tracing Windows Boot and Service Init with Sysinternals
After the third “slow login” ticket in a week from one of our managed customers, I went back to Sysinternals boot logging because nothing else was going to give me…
Using Autoruns to Audit Every Windows Autostart Location
A Backdoor Hiding in Plain Sight During a quarterly security review for a client running a 200-seat Windows environment, we found a DLL registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls that had been…
AdExplorer: Browsing and Snapshotting Active Directory Offline
The Change Nobody Documented Three service accounts disabled in production. No change ticket. No record of who did it or when. The helpdesk was fielding calls for forty minutes before…