TipRadar.com - Forums and community

Full Version: unlocking your system volume to expose viruses and logs.
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2
on the root of your Windows drive normally C: you will see a folder
called System Volume Information,
This folder on the root of your Windows drive is normally locked, even
if you are the main Administrator! Upon trying to open this "System
Volume Information folder, you will get a message saying:
C:\System Volume Information is not accessible.
Access is denied.

This folder is the perfect place for virus makers to store a virus on
your system! All they would have to do is use an unlock command, put a
file in the folder and lock the folder again, even your anti-virus
scanner cannot scan inside this folder if it is locked.

most of you are still unaware of it, and i would be willing to bet there is a surprise in there of some sort. with mine i found a serious tracking log file. it had every computer name i used for the computer i was useing. and why would it lock that?? hummmm?

What is the System Volume Information used for?
It is used for storing System Restore points but it also has
stuff in there related to Task Scheduler and Indexing Service.

The whole point of unlocking this folder is to be able to at least scan
it for viruses. below is the needed bat file for you to unlock the folder and peek inside. also the lock bat file is included for you to re-lock after looking.

simply copy these seperately into notepad and save it with a .bat extension. meaning at the very end. example below.

this is your unlock.bat file.

cacls "%SYSTEMDRIVE%\System Volume Information" /E /G "%USERNAME%":F

save this special entry above into notepad and name it as follows
unlock-system volume.bat

this is your lock bat file below. to restore it back to default after peeking inside for viruses and log files.

cacls "%SYSTEMDRIVE%\System Volume Information" /E /R "%USERNAME%"

save this also special entry above and name it as follows
lock-system volume.bat

i really hope you dont find anything, but alot of people do find nastys in there. kaspersky, malwarebytes all are useless againest this folder unless you do as i describe here.. good luck, the skittles

P.S make sure you have gone to control panel and under folder options you selected and unchecked hide protected operateing system files. this way you can at least view the locked folder itself.

¸.•´¸.•*´¨) ¸.•*¨)
(¸.•´ (¸.•` SKITTLES
the above trick helps in discovering hideing places, but it does not help with the actual command shell the hacker is useing..for newbies i highly suggest this program.

link below

Guests cannot see links. Registration or Login is required.

if you need some help on it, just shoot me a p.m..

¸.•´¸.•*´¨) ¸.•*¨)
(¸.•´ (¸.•` SKITTLES
Thanks Skittles. Will try it out soon.
Thanks Skittles Good info Thumb
Thanks for the information. I created the batch files. Even though I have administrator privileges, I had to use the "run as administrator" command to unlock the System Volume Directory in a Windows 7 64 bit OS.

I see a tracking.log file that looks to have been last modified several years ago. There's also a Syscache.hve. and two associated logs. When I try to open the logs with Notepad, I get an "access denied" message.

Has anyone else created the bat file and if so, what are your results?
windows 7 is tricky sometimes. the purpose of this is to be able to scan it. that has been achieved i notice since your actually reading the content headers of each file inside. you might need to disable system restore, reboot. then go back and look.. then you can set restore back if you wish after looking. also check uac settings and see what you got it adjusted too.. then try right clicking the log file itself and run as administrator. lastly you can do this below.

1) Go to "System Volume Information" folder
2) Right-click "_restore{xxx-xxx-xxx-xxx-xxx}"
3) Select "Properties" then select "Sharing" tab
4) Click "Share" button, then select a user
(You will notice at first there is no "Administrators")
Then select "Share" button again then "Done"
5) After Done, the folder now shows a padlock icon

you should be able to view now. after trying all the above im sure your reading the logs. please dont mess with anything in win 7 unless your antivirus flags it. its not as user friendly and tweakable as xp.. good luck.
Worked on Win8 however tracking.log is locked, took ownership able to open in notepad but its encrypted. Other folders are locked also.
This is really good information for every home and professional user thanks for this information
Pages: 1 2