�� (PR-��)

�� (PR-Parser). �� PR:

�� 
Microsoft Windows �� 
�� 
��

�� (PR-Parser). PR �� . �� PR �� . �� PR �� , �� . �� PR �� .

�� PR, �� Microsoft �� Web:

http://Download.Microsoft.com/Download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe (http://download.microsoft.com/download/2/8/8/28810043-0e21-4004-89a3-2f477a74186f/PRParser.exe)

��

�� Windows Microsoft ��, �� Windows �� inflict �� . �� TCP �� UDP � �� . �� Windows, � �� , �� . ��, �� .

�� Microsoft Windows Server 2003, Microsoft Windows XP � �� Windows 2000. � �� TCP �� UDP. �� Windows Server 2003 �� Windows XP, � �� :

��
��
��
�� (.dll, .drv, ��.) � ��
��

�� . �� , �� .

PR �� .�� , �� Microsoft:

837243� (http://support.microsoft.com/kb/837243/ ) ��

�� PR �� :

�� PR �� Windows �� User Interface (GUI) �� . �� GUI, �� .
�� PR �� . �� :
- ��
- ��
- Identifies the modules, such as .dll and .drv, that are loaded on a computer
- Helps determine the time when the Internet Protocol (IP) addresses, fully qualified domain names (FQDNs), or computer names that you are interested in are communicating with a computer
- Identifies the ports that are used on a computer
- Helps determine when the user accounts are active on a computer
The PR-Parser tool provides some log analysis data also. This data can help you understand the usage of a computer. This data includes the following:
- A ranked list of local Transmission Control Protocol (TCP) port usage
- A ranked list of local process usage
- A ranked list of remote IP address usage
- A ranked list of user context usage
- Svchost.exe service enumeration
- Port usage by hour of the day
- Microsoft Internet Explorer usage by user

��

Windows GUI to review the logs

The Port Reporter tool creates the following three log files when the tool runs:

PR-PORTS-�� .log
PR-PIDS-�� .log
PR-INITIAL-�� .log

The name of each log file uses the date and the time in 24-hour format that is based on the time when the file was created. The format of the date and time stamp is year-month-day-hour-minute-second. For example, the following three files were created on January 24, 2004, at 8:49:30 A.M.:

PR-PORTS-04-01-24-8-49-30.log
PR-PIDS-04-01-24-8-49-30.log
PR-INITIAL-04-01-24-8-49-30.log

When you open a log file with the PR-Parser tool, the Windows GUI of the PR-Parser tool provides the following information:

The title bar of the main form mentions the file name of the log file that is currently open.
The timestamps of the first and last records in the log file are displayed.
The number of records that are currently displayed is listed.
The log entries are displayed in a grid on the main form.

��In the grid on the main form, you may not see the columns that are related to process details if the PR-Parser tool is running from a computer that does not support port-to-process mapping. �� PID,ModuleAND��are the columns that are related to process details. Windows 2000 does not support port-to-process mapping. Therefore, on a Windows 2000-based computer, you cannot see those columns.

The Windows GUI of the PR-Parser tool provides the following features:

Details of a log entry appear in a grid. If you double-click a row in the grid on the main form or right-click a row, and then click�� (Properties), the details of the log entry are displayed. This feature is only available when you examine log files on a computer whose operating system supports port-to-process mapping. As of September 2004, only Windows Server 2003 and Windows XP support this feature.
You can sort the data in the grid on the main form in ascending or descending order by any column. If you click a column header, the tool sorts the data in the grid on the main form in ascending order by that column. If you click the column header again, the tool sorts the data in descending order. An arrow appears in a column header when data is sorted by that column. The arrow also indicates the sort order. If you want to restore the grid to its original sort order, clickReset grid to default sort�� �� �� (Menu).
You can use either of the following methods to filter the data in the grid on the main form:
- �� �� ��, ����, �� Filter data. �� Filter Grid Data�� . You can select a column as the filter data and provide a filter criterion. After you select and apply the criteria, the filtered data appears in the data grid.
- Right-click a cell whose value is the criteria for the filter in the grid on the main form, point to��: (IKE security association ended. Mode: Key Exchange (Main mode) Filter: %1), and then click the appropriate filter, based on whether you want to filter all the rows without this value or all the rows with this value.
You can copy the contents of a cell or copy the contents of all the cells in a row. To copy the contents of a cell, right-click a cell, and then click��. To copy the contents of all the cells in a row, right-click the row-header, and then click��.
You can resolve remote IP addresses that appear in theRemote IPcolumn to their corresponding names. A list of all IP addresses and their associated names is displayed in the grid after the PR-Parser tool finishes the operation. This list does not contain duplicates. You can use either of the following methods to resolve remote IP addresses:
- �� ����, �� Resolve all remote IPsto resolve all the remote IP addresses.
- Right-click a cell, and then clickResolve Remote IP Addressto resolve the IP address that is selected.
Depending on the number of IP addresses that you resolve, this operation can take several minutes to complete. The DNS cache on the client is used to avoid sending queries to the network that have already been answered.

��� �� . � �� IP.
�� Portqry.exe. �� Portqry.exe �� TCP �� UDP.

�� PR �� Portqry.exe. �� . �� , �� �� IP PortQry.�� Portqry.exe, �� Microsoft:
310099� (http://support.microsoft.com/kb/310099/ ) �� Portqry.exe
���� PR, �� Portqry.exe �� Prparser.exe.

��

�� PR �� , �� , �� IP, ��, �� . �� PR, �� PR �� . �� GUI �� PR �� .

�� , ��, � �� , �� �� �� �� �� (Menu).

The following are the six criteria that can be set in the PR-Parser tool to identify suspicious data or data that you are interested in.

Tracking known modules

Tracking known modules lets you identify executable files that use the names of legitimate binary files and that run or are loaded from a wrong folder. For example, a popular name for malicious software is Svchost.exe. The legitimate Svchost.exe runs from the %windir%\System32 folder. When malicious software is named Svchost.exe and is copied to the %windir% folder, it can be difficult to see that this binary file is running from the wrong folder. If Svchost.exe is running from a folder other than the System32 folder, the computer may be vulnerable to attack. The PR-Parser tool identifies this kind of problem.

Note that, generally, some modules run from more than one location. You must review any PR-Parser warnings to determine whether the warning is a false positive or whether something irregular has been found. When you want to examine Port Reporter log files from different computers, you may have to override the local computer's folder settings because the computers may have different folder structures. For example, %systemroot% and %windir% point to different locations on different computers. In this case the PR-Parser tool may identify many files running in the wrong folder because the PR-Parser tool resolves these variables using the folder structure in the local computer where the PR-Parser tool is running. To compensate for this kind of difference between computers, you can override this behavior and set the PR-Parser tool to resolve these environmental variables. �� , �� : (Use the tools in the Windows Recovery Environment to repair Windows Vista. To do this, follow these steps:):

�� �� ��, �� Criteria Settings.
�� Known Modules��, �� �� .
�� Override local system's directory settings.

This lets you override the way that the PR-Parser tool resolves the environmental variables.

��

The PR-Parser tool can quickly determine whether the modules that you are interested in are found in the Port Reporter log files. To add modules to the list of modules that you are interested in, follow these steps:

�� �� ��, �� Criteria Settings.
�� �� TAB.
�� ADD.
Type the name of the module that you are interested in, and then clickOkto add the module to theModules to Look For�� (List).

Similarly, you can delete the modules that are added to theModules to Look For�� (List).

When the PR-Parser tool finds a module in a log file that you are interested in, it displays the entry in red in the grid on the main form. For example, the Netcat.exe tool is a tool that administrators may or may not want users to use on their network. It can be identified in Port Reporter logs if the Netcat.exe tool is run by using its original name.

Double-click a line that is selected to see the details. �Port Reporter Parser - Log Entry Detailsdialog box opens and provides the details about the process, about the ports that are used, and about the modules that are loaded. The PR-Parser also provides a warning. �� Port Reporter Parser - Log Entry Detailsdialog box, if you right-click the process name, the PR-Parser tool provides options for researching the "interesting" or suspicious process.

��You cannot see the details of a log entry on a Windows 2000-based computer.

IP addresses

The PR-Parser tool can identify IP addresses that you are interested in in Port Reporter log files. To specify the IP addresses, follow these steps:

�� �� ��, �� Criteria Settings.
�� IP AddressesTAB.
�� ADD.
Type the IP address that you are interested in, and then clickOkto add the IP address to theIP Addresses to Look For�� (List).

Similarly, you can also delete the IP addresses that are added to theIP Addresses to Look For�� (List).

After you add an IP address in the IP Addresses criteria and then apply the criteria, the specified IP address is displayed in the grid on the main form.

��

Network administrators use firewall logs to determine which programs are running on their networks and which endpoints are used when the programs communicate. The PR-Parser tool can help you determine which ports are being used by a program and can quickly identify the ports that you are interested in. Many viruses, worms, malicious programs, and tools that are used by malicious users use the same ports every time they run. The PR-Parser tool can identify any ports that are listed in the ports criteria list.

To modify this list, follow these steps:

�� �� ��, �� Criteria Settings.
�� ��TAB.
�� ADD.
Type the name of the port and the protocol that you are interested in, and then clickOkto add the port information to thePorts to Look For�� (List).

Similarly, you can delete the ports that are added to thePorts to Look For�� (List).

Note that legitimate programs may use the same ports that malicious programs use. You must investigate each warning that the PR-Parser tool generates to determine whether the warning is generated because of an operation that is not regular.

User accounts

The PR-Parser tool lets you identify user accounts that you are interested in in Port Reporter log files. To specify the user accounts, follow these steps:

�� �� ��, �� Criteria Settings.
�� �� (User Accounts)TAB.
�� ADD.
Type the user account that you are interested in, and then clickOkto add the user account to theUser Accounts to Look For�� (List).

Similarly, you can delete the user accounts that are added to theUser Accounts to Look For�� (List).

After you add a user in the user accounts criteria, the specified user account is displayed in the grid on the main form.

Host names

The PR-Parser tool tries to resolve remote IP addresses that are found in the logs to host names. The success of the resolution depends on factors such as correctly configured TCP/IP settings, DNS settings, an operational name resolution infrastructure, and IP addresses to name mappings. To reduce the number of queries that are sent to the network, the PR-Parser tool has a name cache and also uses the name caches of the client. To specify these names, follow these steps:

�� �� ��, �� Criteria Settings.
�� Host NamesTAB.
�� ADD.
Type the host name that you are interested in, and then clickOk�� �� �� (List).

�� PR �� IP �� , �� .

��

�� , �� �� �� ���� (Menu). �� PR �� . �� , �� PR �� . ��, �� , �� . �� .

�� PR �� , �� . �� PR �� . �� , �� , �� . �� , ������ �� �� �� "��". �� . � �� , �� , �� . �� �� "��"� �� . �� �� �� ����, ���� "��"� �� .

��

�� PR �� . �� Windows Server 2003 � �� Windows XP. �� Windows 2000, �� . �� , �� �� �� ���� (Menu).

�� PR:

�� TCP

�� TCP �� . �� Internet. �� . �� �� � �� . � �� .

� ��

�� . �� , �� , �� . �� �� � �� . � �� , �� . This data is not available for Windows 2000-based computers.

Svchost.exe enumeration

The PR-Parser tool can identify all services that are hosted by the Svchost.exe process. This information is required to determine the programs that are running on a computer.

Remote IP address usage

This data set shows the IP addresses and may show the host names that the computer has been communicating with. The list is ranked so that you can see which computers communicate frequently.

You can right-click the grid and then select an option to resolve the IP addresses to their corresponding host names. The PR-Parser tool tries to resolve the names by using the network and DNS settings on the computer where the PR-Parser tool is running.

User context usage

This data set shows a ranked list of user accounts that were used in the Port Reporter log file. You can use this to determine which user accounts have been used on a computer. This data is not available for Windows 2000-based computers.

Port usage by hour

This data set provides a breakdown of port usage per hour over the time that the Port Reporter log file data was collected. You can use this data to understand the peak times for a computer and to understand whether ports are used at unexpected times.

��By default, the Port Reporter collects data for 24 hours.

Iexplore.exe usage

This data set enumerates the endpoints that Microsoft Internet Explorer visited. This data is broken down on a user-by-user basis so that the usage of Internet Explorer for each user can be profiled. You can use this data to determine which sites users visited or which firewalls the computer used to access the Internet.

You can right-click the form to see related information. Each IP address that is listed can be resolved to a host name. Therefore, the corresponding name of each site or firewall can be identified.

You can also use the Portqry.exe utility to query the ports on the computers that are identified in this list. To save the log analysis data to a text file, click�� (Save)��Log Analysis Data for log�� .

��

This site in other countries/regions:

�� (PR-��)

��

��

��

��

��

Windows GUI to review the logs

��

Tracking known modules

��

IP addresses

��

User accounts

Host names

��

��

�� TCP

� ��

Svchost.exe enumeration

Remote IP address usage

User context usage

Port usage by hour

Iexplore.exe usage

�� :

��-��:�

T��

��

��

��

��

This site in other countries/regions:

��������� ��� ��������� �������� �������� ����� (PR-��������)

�� ����� �� ������

��������

��������

������������ �����������

������� �����������

Windows GUI to review the logs

���������� ������� �������� � �������� ��� ��� �����������

Tracking known modules

������������ �������

IP addresses

�����

User accounts

Host names

������������ �� ��������

������� ��� ������� ���������� ��� �� ���������� ���������

������ ����� ��� ����� TCP

� ���������� ������

Svchost.exe enumeration

Remote IP address usage

User context usage

Port usage by hour

Iexplore.exe usage

�� ����������� �� ���� �� ����� ������� ���:

������-�������:�

T��������� �����������

���������

����� ���� ��������

����������� ������

������� ������ �����������

�� (PR-��)

��

��

��

��

��

��

��

��

��

��

�� TCP

� ��

�� :

��-��:�

T��

��

��

��

��