Microsoft KB Archive/884289

From BetaArchive Wiki

Article ID: 884289

Article Last Modified on 11/1/2006



APPLIES TO

  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server



SUMMARY

This article describes the usage of the Port Reporter Parser (PR-Parser) tool. This article describes the following topics that are related to the PR-Parser tool:


  • Background information
  • Microsoft Windows GUI to review the logs
  • Identifying suspicious data or data that you are interested in
  • Analyzing the logs and generating data


INTRODUCTION

This article describes the usage of the Port Reporter Parser (PR-Parser) tool. PR-Parser is a tool that parses the logs that the Port Reporter service generates. The PR-Parser tool has many advanced features that can help you analyze the Port Reporter service log files. You can use the PR-Parser with the Port Reporter tool in a number of scenarios, including troubleshooting and security-related scenarios. This article focuses on how to use the PR-Parser tool in security-related scenarios.

To obtain the PR-Parser tool, visit the following Microsoft Web site:

MORE INFORMATION

Background information

When a Microsoft Windows-based computer is compromised, an attacker typically uses the resources of that computer to inflict more damage or to attack other computers. This kind of attack typically involves starting one or more processes, using TCP and UDP ports, or both. Unless the attacker hides this activity from the operating system itself, you can capture and identify it. Therefore, looking for indications of this kind of activity can help you determine whether a system has been compromised.

The Port Reporter tool is a program that can run as a service on a computer that is running Microsoft Windows Server 2003, Microsoft Windows XP, or Microsoft Windows 2000. The Port Reporter service logs TCP and UDP port activity. On Windows Server 2003-based and Windows XP-based computers, the Port Reporter service can log the following information:

  • The ports that are used
  • The processes that use the port
  • Whether a process is a service
  • The modules (.dll, .drv, and so on) that a process loads
  • The user accounts that start a process

The data that is captured by the Port Reporter service may help you determine whether a computer has been compromised. The same data is also useful for troubleshooting, for gaining an understanding of a computer's port usage, and for auditing the behavior of a computer.

PR-Parser is a tool that parses the logs that the Port Reporter service generates. For additional information about the Port Reporter service, click the following article number to view the article in the Microsoft Knowledge Base:

837243 Availability and description of the Port Reporter tool


The PR-Parser tool provides the following three basic functions:

  • The PR-Parser tool has a Windows Graphical User Interface (GUI) that makes it easier to review the logs. By using the GUI, you can sort and filter the data in a number of ways.
  • The PR-Parser tool helps you identify and filter the data that you are interested in. The tool provides the following functionalities:
    • Identifies processes that you are interested in that are running on a computer
    • Tries to identify when a process that uses the name of a legitimate process is run from the wrong folder on a computer
    • Identifies the modules, such as .dll and .drv, that are loaded on a computer
    • Helps determine the time when the Internet Protocol (IP) addresses, fully qualified domain names (FQDNs), or computer names that you are interested in are communicating with a computer
    • Identifies the ports that are used on a computer
    • Helps determine when the user accounts are active on a computer
  • The PR-Parser tool provides some log analysis data also. This data can help you understand the usage of a computer. This data includes the following:
    • A ranked list of local Transmission Control Protocol (TCP) port usage
    • A ranked list of local process usage
    • A ranked list of remote IP address usage
    • A ranked list of user context usage
    • Svchost.exe service enumeration
    • Port usage by hour of the day
    • Microsoft Internet Explorer usage by user

Windows GUI to review the logs

The Port Reporter tool creates the following three log files when the tool runs:

  • PR-PORTS-timestamp.log
  • PR-PIDS-timestamp.log
  • PR-INITIAL-timestamp.log

The name of each log file contains the date and the time (24-hour format) when the file was created, in the order year-month-day-hour-minute-second. The year is two digits, and the hour is not zero-padded, as the following example shows. These three files were created on January 24, 2004, at 8:49:30 A.M.:

  • PR-PORTS-04-01-24-8-49-30.log
  • PR-PIDS-04-01-24-8-49-30.log
  • PR-INITIAL-04-01-24-8-49-30.log

When you open a log file with the PR-Parser tool, the Windows GUI of the PR-Parser tool provides the following information:

  • The title bar of the main form mentions the file name of the log file that is currently open.
  • The timestamps of the first and last records in the log file are displayed.
  • The number of records that are currently displayed is listed.
  • The log entries are displayed in a grid on the main form.

Note In the grid on the main form, the columns that are related to process details (for example, PID, Module, and Account) are absent when the log file was generated on a computer whose operating system does not support port-to-process mapping. Windows 2000 does not support port-to-process mapping. Therefore, logs from a Windows 2000-based computer do not contain those columns.

The Windows GUI of the PR-Parser tool provides the following features:

  • Details of a log entry appear in a grid. If you double-click a row in the grid on the main form, or right-click a row and then click Properties, the details of the log entry are displayed. This feature is only available for log files that were generated on a computer whose operating system supports port-to-process mapping. As of September 2004, only Windows Server 2003 and Windows XP support this feature.
  • You can sort the data in the grid on the main form in ascending or descending order by any column. If you click a column header, the tool sorts the data in the grid on the main form in ascending order by that column. If you click the column header again, the tool sorts the data in descending order. An arrow appears in a column header when data is sorted by that column. The arrow also indicates the sort order. If you want to restore the grid to its original sort order, click Reset grid to default sort on the Edit menu.
  • You can use either of the following methods to filter the data in the grid on the main form:
    • On the Edit menu, point to Filters, and then click Filter data. The Filter Grid Data dialog box appears. You can select a column as the filter data and provide a filter criterion. After you select and apply the criteria, the filtered data appears in the data grid.
    • Right-click a cell whose value is the criteria for the filter in the grid on the main form, point to Filter, and then click the appropriate filter, based on whether you want to filter all the rows without this value or all the rows with this value.
  • You can copy the contents of a cell or copy the contents of all the cells in a row. To copy the contents of a cell, right-click a cell, and then click Copy. To copy the contents of all the cells in a row, right-click the row-header, and then click Copy.
  • You can resolve remote IP addresses that appear in the Remote IP column to their corresponding names. A list of all IP addresses and their associated names is displayed in the grid after the PR-Parser tool finishes the operation. This list does not contain duplicates. You can use either of the following methods to resolve remote IP addresses:
    • On the Tools menu, click Resolve all remote IPs to resolve all the remote IP addresses.
    • Right-click a cell, and then click Resolve Remote IP Address to resolve the IP address that is selected.

    Depending on the number of IP addresses that you resolve, this operation can take several minutes to complete. The DNS cache on the client is used to avoid sending queries to the network that have already been answered.

    Note The speed and success of this operation depends on the name resolution infrastructure on the network. The speed and success of this operation also depends on whether reverse lookup records are available for each IP address.
  • You can port scan a remote computer by using the Portqry.exe command-line utility. Portqry.exe is a powerful command-line connectivity testing tool that can generate useful information about TCP and UDP ports.

    The PR-Parser tool provides a user interface to use the Portqry.exe utility. This feature can help you determine the type of remote computer and which services that the remote computer provides. To port scan a remote computer, right-click a cell and then click PortQry Remote IP Address. For additional information about the Portqry.exe command-line utility, click the following article number to view the article in the Microsoft Knowledge Base:

    310099 Description of the Portqry.exe command-line utility

    Note When the PR-Parser tool is installed, the Portqry.exe file is copied to the same folder where the Prparser.exe file is stored.
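The cache-and-dedupe behavior described above, as an added Python example; this is not code from the article or from the PR-Parser tool. The lookup callable and the two name mappings in fake_lookup are constructed so that the example runs offline; with the default socket.gethostbyaddr the same class queries the real reverse zones, and an address without a PTR record is remembered as unresolved instead of being queried again for every row it appears in.

```python
import ipaddress
import socket


class ReverseResolver:
    """Reverse-resolve remote IP addresses with a per-run cache, so that an
    address that appears in hundreds of log rows is queried once. `lookup`
    defaults to the OS resolver; any callable with gethostbyaddr's signature
    (returns (name, aliases, addresses), raises OSError on failure) can be
    injected, which is how the example below runs offline."""

    def __init__(self, lookup=socket.gethostbyaddr):
        self._lookup = lookup
        self.cache = {}      # ip -> name, or None when no PTR record exists
        self.queries = 0     # number of lookups that actually left the cache

    def resolve_one(self, ip):
        if ip in self.cache:
            return self.cache[ip]
        # 0.0.0.0 (unbound listeners) never has a PTR record; do not query it.
        if ipaddress.ip_address(ip).is_unspecified:
            self.cache[ip] = None
            return None
        self.queries += 1
        try:
            self.cache[ip] = self._lookup(ip)[0]
        except OSError:      # socket.herror/gaierror: no PTR, timeout, no DNS
            self.cache[ip] = None
        return self.cache[ip]

    def resolve_all(self, ips):
        """Resolve a sequence of IPs (duplicates allowed) into an ip -> name map
        without duplicates, like 'Resolve all remote IPs' on the Tools menu."""
        return {ip: self.resolve_one(ip) for ip in dict.fromkeys(ips)}


def fake_lookup(ip):
    """Constructed stand-in for DNS so that the example runs offline."""
    table = {"10.0.0.7": "ws07.corp.example", "198.51.100.4": "proxy.example.net"}
    if ip in table:
        return (table[ip], [], [ip])
    raise OSError("host not found")


if __name__ == "__main__":
    # Constructed Remote IP column: 10.0.0.7 occurs twice, 203.0.113.9 has no PTR.
    column = ["10.0.0.7", "203.0.113.9", "10.0.0.7", "0.0.0.0", "198.51.100.4"]
    resolver = ReverseResolver(fake_lookup)
    print(resolver.resolve_all(column))
    print("lookups sent:", resolver.queries)
```

Five rows produce three lookups: the duplicate is served from the cache and 0.0.0.0 is skipped. Because the cache is per run, a PTR record added during the review is not picked up until the parser is restarted, which mirrors the client-cache behavior the article describes.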

Identifying suspicious data or data that you are interested in

You can use the PR-Parser tool to track several data points, including modules, IP addresses, ports, users, and host names. By using the PR-Parser tool, you can quickly determine whether any log entries in a Port Reporter log file match the criteria that the tool is configured to search for. You configure these criteria in the GUI of the PR-Parser tool and can update them later to include the characteristics of new conditions that you want to find.

To view, add, or delete criteria, click Criteria settings on the Edit menu.

The following are the six criteria that can be set in the PR-Parser tool to identify suspicious data or data that you are interested in.

Tracking known modules

Tracking known modules lets you identify executable files that use the names of legitimate binary files but run from, or are loaded from, the wrong folder. For example, malicious software is frequently named Svchost.exe. The legitimate Svchost.exe runs from the %windir%\System32 folder. When malicious software that is named Svchost.exe is copied to the %windir% folder, it can be difficult to notice that the binary file is running from the wrong folder. If Svchost.exe is running from a folder other than the System32 folder, the computer may have been compromised. The PR-Parser tool identifies this kind of problem.

Note that some modules legitimately run from more than one location. You must review each PR-Parser warning to determine whether it is a false positive or whether something irregular has been found. When you examine Port Reporter log files from different computers, you may have to override the local computer's folder settings, because the computers may have different folder structures. For example, %systemroot% and %windir% may point to different locations on different computers. The PR-Parser tool resolves these variables by using the folder structure of the local computer on which it runs, so it may report many files as running from the wrong folder. To compensate for this difference, you can override how the PR-Parser tool resolves these environment variables. To do this, follow these steps:

  1. On the Edit menu, click Criteria Settings.
  2. On the Known Modules tab, click Configuration.
  3. Click Override local system's directory settings.

This lets you override the way that the PR-Parser tool resolves the environment variables.
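The known-modules check, as an added Python example; this is not code from the article or from the PR-Parser tool. The expected-folder table and the C:\WINDOWS defaults are constructed for the example, and the check runs on module paths as they would be read from a log. Passing an override map reproduces the effect of Override local system's directory settings for a log from a computer with a different folder layout. Paths are normalized before they are compared, so that a ".." segment cannot disguise the folder.

```python
import ntpath
import re

# Expected folder for each tracked file name, written with Windows environment
# variables. This table is constructed for the example; the article does not
# publish PR-Parser's built-in list.
KNOWN_MODULES = {
    "svchost.exe": r"%windir%\System32",
    "lsass.exe": r"%windir%\System32",
    "explorer.exe": r"%windir%",
}

# Stand-in for the folder settings of the computer that runs the parser
# (assumption: a default C:\WINDOWS installation).
LOCAL_SYSTEM_DIRS = {"windir": r"C:\WINDOWS", "systemroot": r"C:\WINDOWS"}


def expand_windows_vars(path, overrides=None):
    r"""Expand %VAR% tokens. By default the local folder settings are used;
    pass `overrides` (for example {"windir": r"D:\WINNT"}) when the log came
    from a computer with a different folder layout, which is what the
    'Override local system's directory settings' option does in PR-Parser."""
    env = dict(LOCAL_SYSTEM_DIRS)
    if overrides:
        env.update({k.lower(): v for k, v in overrides.items()})
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def check_module_location(module_path, overrides=None):
    r"""Return None when the module's name is not tracked or it runs from its
    expected folder, otherwise a warning string. Folders are normalized so
    that C:\WINDOWS\System32\..\svchost.exe is not taken for the real one,
    and compared case-insensitively, as NTFS does."""
    name = ntpath.basename(module_path).lower()
    expected = KNOWN_MODULES.get(name)
    if expected is None:
        return None
    actual_dir = ntpath.normpath(ntpath.dirname(module_path)).lower()
    expected_dir = ntpath.normpath(expand_windows_vars(expected, overrides)).lower()
    if actual_dir == expected_dir:
        return None
    return f"{name} runs from {actual_dir}, expected {expected_dir}"


if __name__ == "__main__":
    for p in (r"C:\WINDOWS\System32\svchost.exe", r"C:\WINDOWS\svchost.exe",
              r"C:\WINDOWS\System32\..\svchost.exe"):
        print(p, "->", check_module_location(p) or "ok")
    # A log from a computer installed under D:\WINNT looks wrong until the
    # folder settings are overridden.
    remote = r"D:\WINNT\System32\svchost.exe"
    print(remote, "->", check_module_location(remote) or "ok")
    print(remote, "->", check_module_location(remote, {"windir": r"D:\WINNT"}) or "ok")
```

The last two lines of the usage show the false positive the article warns about: the same path is flagged with the local settings and accepted once %windir% is overridden for that log.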

Modules

The PR-Parser tool can quickly determine whether the modules that you are interested in are found in the Port Reporter log files. To add modules to the list of modules that you are interested in, follow these steps:

  1. On the Edit menu, click Criteria Settings.
  2. Click the Modules tab.
  3. Click Add.
  4. Type the name of the module that you are interested in, and then click OK to add the module to the Modules to Look For list.

Similarly, you can delete the modules that are added to the Modules to Look For list.

When the PR-Parser tool finds a module that you are interested in in a log file, it displays the entry in red in the grid on the main form. For example, Netcat.exe is a tool that administrators may not want users to run on their network. It can be identified in Port Reporter logs if it is run under its original file name; a renamed copy does not match this criterion, which is one reason to combine it with the ports criteria described later.

Double-click a selected row to see its details. The Port Reporter Parser - Log Entry Details dialog box opens and provides details about the process, the ports that it uses, and the modules that it has loaded, together with any warning from the PR-Parser tool. In that dialog box, if you right-click the process name, the PR-Parser tool provides options for researching the "interesting" or suspicious process.

Note You cannot see the details of a log entry for a log file that was generated on a Windows 2000-based computer.

IP addresses

The PR-Parser tool can identify, in Port Reporter log files, the IP addresses that you are interested in. To specify the IP addresses, follow these steps:

  1. On the Edit menu, click Criteria Settings.
  2. Click the IP Addresses tab.
  3. Click Add.
  4. Type the IP address that you are interested in, and then click OK to add the IP address to the IP Addresses to Look For list.

Similarly, you can also delete the IP addresses that are added to the IP Addresses to Look For list.

After you add an IP address to the IP Addresses criteria and then apply the criteria, entries that contain the specified IP address are identified in the grid on the main form.

Ports

Network administrators use firewall logs to determine which programs are running on their networks and which endpoints those programs communicate with. The PR-Parser tool can help you determine which ports a program uses and can quickly identify the ports that you are interested in. Many viruses, worms, malicious programs, and attacker tools use the same ports every time they run. The PR-Parser tool identifies any port that is listed in the Ports criteria list.

To modify this list, follow these steps:

  1. On the Edit menu, click Criteria Settings.
  2. Click the Ports tab.
  3. Click Add.
  4. Type the port number and the protocol that you are interested in, and then click OK to add the port information to the Ports to Look For list.

Similarly, you can delete the ports that are added to the Ports to Look For list.

Note that legitimate programs may use the same ports that malicious programs use. You must investigate each warning that the PR-Parser tool generates to determine whether it reflects irregular activity.

User accounts

The PR-Parser tool lets you identify, in Port Reporter log files, the user accounts that you are interested in. To specify the user accounts, follow these steps:

  1. On the Edit menu, click Criteria Settings.
  2. Click the User Accounts tab.
  3. Click Add.
  4. Type the user account that you are interested in, and then click OK to add the user account to the User Accounts to Look For list.

Similarly, you can delete the user accounts that are added to the User Accounts to Look For list.

After you add a user in the user accounts criteria, the specified user account is displayed in the grid on the main form.

Host names

The PR-Parser tool tries to resolve remote IP addresses that are found in the logs to host names. Whether the resolution succeeds depends on factors such as correctly configured TCP/IP and DNS settings, an operational name resolution infrastructure, and the existence of reverse (IP address to name) mappings. To reduce the number of queries that are sent to the network, the PR-Parser tool has its own name cache and also uses the client's name cache. To specify the host names that you are interested in, follow these steps:

  1. On the Edit menu, click Criteria Settings.
  2. Click the Host Names tab.
  3. Click Add.
  4. Type the host name that you are interested in, and then click OK to add the host name to the Host Names to Look For list.

If the PR-Parser tool successfully resolves an IP address to a host name, it compares that name with the Host Names to Look For list and identifies matching entries. An IP address that does not resolve cannot match a host name criterion, so add important addresses to the IP Addresses list as well.

Applying the criteria

To apply the criteria to the log file that is open, click Apply Criteria on the Tools menu. The PR-Parser tool parses the log file and searches for entries that match the criteria. If a match is found, the PR-Parser tool marks the field that matched. Details such as loaded modules are not listed in the grid on the main form; they are only available when you view the record details.

Because loaded modules are not shown as columns in the grid, a match on a module that you are interested in, or on a module that uses a legitimate name but was loaded from the wrong folder, is not visible in the main form grid by itself. To list every row that contains data that matches the criteria, including matches in the details of an entry, filter the data: point to Filters on the Edit menu, and then click Show only rows with "interesting" data. The resulting list, which may be empty, contains all the rows where data matches the criteria, including details such as modules. The Show only rows with "interesting" data option is unavailable until criteria have been applied; after you click Apply Criteria on the Tools menu, the option becomes available.
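The criteria pass and the "interesting" row filter, as an added Python example; this is not code from the article or from the PR-Parser tool. It applies the module, IP address, port, user account and host name criteria to a few constructed log rows and keeps only the rows with at least one match, including a row whose only match is a loaded module, and it also decodes the log file name format described earlier. The column layout of the sample rows, the "|"-separated module list and the reading of the two-digit year as 20yy are assumptions, because the article does not reproduce the Port Reporter record format.

```python
import ntpath
import re
from dataclasses import dataclass, field
from datetime import datetime

# Column layout assumed for this example; the article does not reproduce the
# real Port Reporter column order, so adjust FIELDS to the logs you have.
FIELDS = ("date", "time", "proto", "local_ip", "local_port", "remote_ip",
          "remote_port", "state", "pid", "process", "account", "modules")

# Constructed sample rows. Loaded modules are '|'-separated in the last field.
SAMPLE_LOG = r"""
04-01-24,08:49:31,TCP,192.168.1.10,135,0.0.0.0,0,LISTENING,1060,C:\WINDOWS\System32\svchost.exe,NT AUTHORITY\SYSTEM,rpcss.dll
04-01-24,09:12:05,TCP,192.168.1.10,3389,10.0.0.7,49152,ESTABLISHED,1788,C:\WINDOWS\System32\svchost.exe,NT AUTHORITY\NETWORK SERVICE,termsrv.dll
04-01-24,09:15:40,TCP,192.168.1.10,4444,0.0.0.0,0,LISTENING,2310,C:\Temp\nc.exe,CORP\jdoe,
04-01-24,09:16:02,TCP,192.168.1.10,1045,203.0.113.9,80,ESTABLISHED,2412,C:\Program Files\Internet Explorer\iexplore.exe,CORP\jdoe,wininet.dll|shdocvw.dll
04-01-24,09:20:11,UDP,192.168.1.10,137,0.0.0.0,0,,4,System,NT AUTHORITY\SYSTEM,
"""

# PR-<type>-yy-mm-dd-h-mm-ss.log; the hour is not zero-padded in the article's
# example, so every numeric field after the year allows one or two digits.
LOG_NAME = re.compile(r"PR-(PORTS|PIDS|INITIAL)-(\d{2})-(\d{1,2})-(\d{1,2})"
                      r"-(\d{1,2})-(\d{1,2})-(\d{1,2})\.log$", re.IGNORECASE)


def log_file_created(filename):
    """Creation time encoded in a log file name (two-digit year read as 20yy)."""
    m = LOG_NAME.match(ntpath.basename(filename))
    if not m:
        raise ValueError(f"not a Port Reporter log name: {filename}")
    yy, mo, d, h, mi, s = (int(x) for x in m.groups()[1:])
    return datetime(2000 + yy, mo, d, h, mi, s)


def parse_line(line):
    """Split one log line into a record with integer ports and a module list."""
    parts = line.split(",", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count in: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["local_port"] = int(rec["local_port"])
    rec["remote_port"] = int(rec["remote_port"])
    rec["modules"] = [m for m in rec["modules"].split("|") if m]
    return rec


@dataclass
class Criteria:
    """The list-based criteria from the Criteria Settings dialog. Names are
    matched case-insensitively; ports are (protocol, number) pairs."""
    modules: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    accounts: set = field(default_factory=set)
    hostnames: set = field(default_factory=set)

    def __post_init__(self):
        self.modules = {m.lower() for m in self.modules}
        self.accounts = {a.lower() for a in self.accounts}
        self.hostnames = {h.lower() for h in self.hostnames}
        self.ports = {(p.upper(), int(n)) for p, n in self.ports}


def match_criteria(rec, crit, resolved=None):
    """(field, value) pairs of `rec` that hit a criterion. Module hits come
    from the detail data that the main grid does not show as a column."""
    hits = []
    if ntpath.basename(rec["process"]).lower() in crit.modules:
        hits.append(("process", rec["process"]))
    for m in rec["modules"]:
        if ntpath.basename(m).lower() in crit.modules:
            hits.append(("module", m))
    if rec["remote_ip"] in crit.ips:
        hits.append(("remote_ip", rec["remote_ip"]))
    for side in ("local_port", "remote_port"):
        if (rec["proto"].upper(), rec[side]) in crit.ports:
            hits.append((side, rec[side]))
    if rec["account"].lower() in crit.accounts:
        hits.append(("account", rec["account"]))
    name = (resolved or {}).get(rec["remote_ip"])  # result of a prior reverse lookup
    if name and name.lower() in crit.hostnames:
        hits.append(("hostname", name))
    return hits


def interesting_rows(lines, crit, resolved=None):
    """Parse `lines` and keep only rows with at least one criteria hit, which is
    what 'Show only rows with "interesting" data' does for the whole log."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line.rstrip("\r\n"))
        hits = match_criteria(rec, crit, resolved)
        if hits:
            rows.append((rec, hits))
    return rows


if __name__ == "__main__":
    crit = Criteria(modules={"nc.exe", "netcat.exe"}, ips={"203.0.113.9"},
                    ports={("TCP", 4444), ("TCP", 3389)}, accounts={r"CORP\jdoe"})
    print(log_file_created("PR-PORTS-04-01-24-8-49-30.log"))
    for rec, hits in interesting_rows(SAMPLE_LOG.splitlines(), crit):
        print(rec["time"], rec["pid"], rec["process"], hits)
```

Three of the five constructed rows survive the filter: the RDP listener (port criterion), the nc.exe listener (module, port and account criteria) and the browser connection (IP address and account criteria). The host name criterion only fires when a resolved name is passed in, which is the same dependency on reverse lookup that the article notes for the Host Names tab.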

Analyzing the logs and generating data

The PR-Parser tool can also generate log analysis data that can be useful for computer administrators and network administrators. Seven sets of data are generated from the Port Reporter logs of Windows Server 2003-based or Windows XP-based computers. Because the Port Reporter tool does not perform port-to-process mapping on Windows 2000-based computers, some of these statistics cannot be generated from the logs from those computers. To analyze the logs and generate output, click Log analysis data on the Tools menu.

The following are the seven sets of data that are generated by the PR-Parser tool:

Local TCP port usage

This data set lists the number of times each local TCP port was logged by the Port Reporter tool. This data can be helpful when you decide which ports to open between subnets or out to the Internet, because it shows how frequently each port is used by each computer. The data contains a Percentage of Total value for each entry. This value is calculated by dividing the number of times the port was logged by the total number of times all ports were logged.

Process usage

You can use this data to analyze process usage on a computer: which programs the computer runs, how frequently the Port Reporter tool logs each of them, and which programs are used most. The data contains a Percentage of Total value for each entry. This value is calculated by dividing the number of times the process was logged by the total number of times all processes were logged. This data is not available for Windows 2000-based computers.

Svchost.exe enumeration

The PR-Parser tool can identify all services that are hosted by Svchost.exe processes. Because a single Svchost.exe instance hosts several services, the process name alone does not tell you which service opened a port. This enumeration is therefore required to determine which programs are actually running on a computer.

Remote IP address usage

This data set shows the IP addresses, and where they could be resolved the host names, of the computers that this computer has communicated with. The list is ranked so that you can see which remote computers it communicates with most frequently.

You can right-click the grid and then select an option to resolve the IP addresses to their corresponding host names. The PR-Parser tool tries to resolve the names by using the network and DNS settings on the computer where the PR-Parser tool is running.

User context usage

This data set shows a ranked list of user accounts that were used in the Port Reporter log file. You can use this to determine which user accounts have been used on a computer. This data is not available for Windows 2000-based computers.

Port usage by hour

This data set provides a breakdown of port usage per hour over the time that the Port Reporter log file data was collected. You can use this data to understand the peak times for a computer and to understand whether ports are used at unexpected times.

Note By default, the Port Reporter collects data for 24 hours.

Iexplore.exe usage

This data set enumerates the endpoints that Microsoft Internet Explorer connected to, broken down by user, so that Internet Explorer usage can be profiled for each user. You can use this data to determine which sites users visited or which firewalls the computer used to access the Internet. Note that when a proxy or firewall is in the path, the logged endpoint is the proxy or firewall, not the site that was visited.

You can right-click the form to see related information. Each IP address that is listed can be resolved to a host name. Therefore, the corresponding name of each site or firewall can be identified.
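Four of the data sets above computed from constructed records, as an added Python example; this is not code from the article or from the PR-Parser tool. It produces a ranked list with the Percentage of Total value, remote IP address usage, port usage by hour together with an off-hours check, and Iexplore.exe endpoints per user. The record shape is assumed, and the Svchost.exe service enumeration is left out because it needs service-to-process data that the constructed records do not carry.

```python
from collections import Counter, defaultdict

# Constructed records in the shape a Port Reporter log parser would hand over
# (time, protocol, local port, remote endpoint, process, account). The process
# column holds the file name only; in a real review keep the full path so that
# a second svchost.exe in the wrong folder is not merged with the real one.
COLS = ("time", "proto", "local_port", "remote_ip", "remote_port", "process", "account")
RAW = [
    ("08:49:31", "TCP", 135,  "0.0.0.0",       0,     "svchost.exe",  r"NT AUTHORITY\SYSTEM"),
    ("09:12:05", "TCP", 3389, "10.0.0.7",      49152, "svchost.exe",  r"NT AUTHORITY\NETWORK SERVICE"),
    ("09:16:02", "TCP", 1045, "203.0.113.9",   80,    "iexplore.exe", r"CORP\jdoe"),
    ("09:16:03", "TCP", 1046, "203.0.113.9",   80,    "iexplore.exe", r"CORP\jdoe"),
    ("10:02:17", "TCP", 1050, "198.51.100.4",  443,   "iexplore.exe", r"CORP\asmith"),
    ("13:40:00", "TCP", 445,  "0.0.0.0",       0,     "System",       r"NT AUTHORITY\SYSTEM"),
    ("23:58:12", "TCP", 4444, "0.0.0.0",       0,     "nc.exe",       r"CORP\jdoe"),
    ("02:15:30", "TCP", 1101, "198.51.100.77", 6667,  "nc.exe",       r"CORP\jdoe"),
]
RECORDS = [dict(zip(COLS, row)) for row in RAW]


def ranked(records, key):
    """Ranked list of (value, count, percentage of total), highest count first.
    Percentage = count / number of entries * 100, PR-Parser's 'Percentage of
    Total' value; ties keep first-seen order."""
    counts = Counter(key(r) for r in records)
    total = sum(counts.values())
    return [(v, n, round(100.0 * n / total, 1)) for v, n in counts.most_common()]


def remote_ip_usage(records):
    """Ranked remote addresses. Listening sockets log 0.0.0.0 as the remote
    side; they are not peers, so they are left out of the ranking."""
    return ranked([r for r in records if r["remote_ip"] != "0.0.0.0"],
                  lambda r: r["remote_ip"])


def port_usage_by_hour(records):
    """Entries per hour of day, 0..23, with zeros so that quiet hours show."""
    hours = Counter(int(r["time"].split(":", 1)[0]) for r in records)
    return {h: hours.get(h, 0) for h in range(24)}


def off_hours(records, start=7, end=19):
    """Entries logged outside the working window [start, end): the 'unexpected
    times' that the hourly breakdown is meant to surface."""
    return [r for r in records if not start <= int(r["time"][:2]) < end]


def iexplore_endpoints_by_user(records):
    """Remote (ip, port) endpoints that Iexplore.exe connected to, per user.
    Behind a proxy every endpoint is the proxy, not the site that was visited."""
    per_user = defaultdict(Counter)
    for r in records:
        if r["process"].lower() == "iexplore.exe" and r["remote_ip"] != "0.0.0.0":
            per_user[r["account"]][(r["remote_ip"], r["remote_port"])] += 1
    return {user: dict(c) for user, c in per_user.items()}


if __name__ == "__main__":
    print("Process usage:", ranked(RECORDS, lambda r: r["process"]))
    print("Local TCP ports:", ranked([r for r in RECORDS if r["proto"] == "TCP"],
                                     lambda r: r["local_port"]))
    print("Remote IPs:", remote_ip_usage(RECORDS))
    print("By hour:", {h: n for h, n in port_usage_by_hour(RECORDS).items() if n})
    print("Off hours:", [(r["time"], r["process"], r["local_port"]) for r in off_hours(RECORDS)])
    print("IE by user:", iexplore_endpoints_by_user(RECORDS))
```

In the constructed data the two off-hours entries are both nc.exe, a listener on 4444 just before midnight and an outbound connection to port 6667 at 02:15, which is the pattern the hourly breakdown exists to make visible; the same records ranked by process would rank nc.exe alongside svchost.exe, so the ranking alone is not a detection.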

You can also use the Portqry.exe utility to query the ports on the computers that are identified in this list. To save the log analysis data to a text file, click Save in the Log Analysis Data for log dialog box.


Additional query words: PRParser Port reporter tool security WinXP W2k3 malware

Keywords: kbreadme kbsectools kbmisctools kbipsec kbhowto kbinfo KB884289