SS Guide made by 15q1

                         First Phase

                                   Prefetch

                       
 General Information About Prefetch

Prefetch is a Windows component that speeds up application start-up: when an executable runs, Windows records which files it touches during its first seconds and stores that in a .pf file under C:\Windows\Prefetch so the next launch can be pre-loaded. Every application that gets executed leaves such an entry, and the entry's timestamps reflect its execution times (Date Created is the first run, Date Modified the most recent run). Prefetch can be switched off through the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (and is off by default on Windows Server), so an empty or stale Prefetch folder on a gaming PC is itself worth noting.

- Prefetch is only generated for executables (.exe) that run as their own process. A Java based cheat therefore leaves a java.exe or javaw.exe entry, and a cheat loaded as a DLL leaves a dllhost.exe, rundll32.exe or regsvr32.exe entry, with the loaded file listed inside that entry. Why is this important to know? Because this is how we'll know if the player has executed a cheat with a renamed extension, for example Cheat.exe renamed to Cheat.dll: the cheat never gets a .pf of its own, but the host process that loaded it does, and the cheat's path is in that host's loaded-file list.

- Prefetch is evidence of execution; in other words, it records the actual run times of files. Executing FILE.exe at 04:32 will not update the timestamps on FILE.exe's own properties, but that run is logged in FILE.EXE-<hash>.pf, whose Date Modified shows the execution time (the .pf is written roughly ten seconds after launch, so expect a small offset). On Windows 8 and later each .pf also stores the last eight run times and a run counter, which WinPrefetchView displays. The hash in the file name is derived from the executable's full path, so two entries with the same name but different hashes mean the same executable was run from two different locations.

To access Prefetch, press Win+R, type Prefetch in the Run box and confirm the administrator prompt if one appears. Sort by Date Modified.

(The two-pane view described here is WinPrefetchView, covered further down.) The top pane lists the prefetch entries; that is where you look for CONHOST.EXE and CONSENT.EXE. The bottom pane shows which DLLs the selected entry loaded and which executables it launched. Note that in the conhost and consent entries we are only looking for executables and the directories they sit in: both are host processes (the console host and the UAC prompt) that Windows starts on behalf of whatever program needed them, so their loaded-file lists reveal programs the player ran, not anything about conhost or consent themselves.

\VOLUME{...} in a path is the NT volume identifier that the prefetch file stores instead of a drive letter; each one corresponds to a disk (C:\, D:\, E:\ and so on). Run mountvol in a command prompt to see which volume GUID maps to which drive letter, which also tells you whether a path was on a removable drive.

Regsvr32 and RunDLL32 are legitimately launched by Windows and by installers, but those launches load DLLs from \Windows or \Program Files. On their own they never load anything from a user's directories, so a REGSVR32.EXE or RUNDLL32.EXE prefetch entry whose loaded-file list points into C:\Users\... means the player ran a DLL through them.
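To see what is actually inside a .pf entry rather than only its timestamps, here is an added example (written for this guide, not code from WinPrefetchView or any other tool mentioned here) that reads the header of a prefetch file: the executable name, the path hash that ends up in the file name, the run counter and the last run times. The layout offsets follow the libscca documentation of the .pf format; the sample file is constructed inside the script (the JAVAW.EXE name, the hash B4F1A7E6 and the run times are made up), and the MAM decompression that Windows 10 and later files need only works on Windows because it calls ntdll.

```python
"""Read the header of a Windows Prefetch (.pf) file: executable name, path hash,
run count and last run times. Added example for this guide (not from any tool it names).
Offsets follow the libscca documentation of the format."""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 84                       # fixed header before the "file information" block
SCCA = b"SCCA"
MAM = b"MAM\x04"                       # Windows 10+ .pf files are Xpress-Huffman compressed
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# file-information size -> (offset of last-run FILETIMEs, how many, offset of run counter)
# 68 = XP (v17), 156 = Win7 (v23), 224 = Win8.1 (v26) / Win10 variant 1, 216 = Win10 variant 2
LAYOUT = {68: (36, 1, 60), 156: (44, 1, 68), 224: (44, 8, 124), 216: (44, 8, 116)}


def filetime_to_dt(ft: int) -> datetime:
    return EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def mam_decompress(data: bytes) -> bytes:
    """Windows only: let ntdll undo the MAM (Xpress Huffman, format 4) compression."""
    import ctypes
    size = struct.unpack_from("<I", data, 4)[0]            # uncompressed size in the MAM header
    ntdll = ctypes.WinDLL("ntdll")
    ws, frag = ctypes.c_ulong(), ctypes.c_ulong()
    ntdll.RtlGetCompressionWorkSpaceSize(ctypes.c_ushort(4), ctypes.byref(ws), ctypes.byref(frag))
    out, final = ctypes.create_string_buffer(size), ctypes.c_ulong()
    status = ntdll.RtlDecompressBufferEx(ctypes.c_ushort(4), out, size, data[8:], len(data) - 8,
                                         ctypes.byref(final), ctypes.create_string_buffer(ws.value))
    if status != 0:
        raise OSError(f"RtlDecompressBufferEx failed: 0x{status & 0xffffffff:08x}")
    return out.raw[:final.value]


def parse_prefetch(data: bytes) -> dict:
    if data[:4] == MAM:
        data = mam_decompress(data)
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != SCCA:
        raise ValueError("not a prefetch file")
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]
    # the file-metrics array starts right after the file-information block,
    # so its offset tells us which layout variant this file uses
    metrics_offset = struct.unpack_from("<I", data, HEADER_SIZE)[0]
    info_size = metrics_offset - HEADER_SIZE
    if info_size not in LAYOUT:
        raise ValueError(f"unknown file-information size {info_size} (version {version})")
    runs_off, n_runs, count_off = LAYOUT[info_size]
    last_runs = []
    for i in range(n_runs):
        ft = struct.unpack_from("<Q", data, HEADER_SIZE + runs_off + 8 * i)[0]
        if ft:                                          # unused slots are zero
            last_runs.append(filetime_to_dt(ft))
    run_count = struct.unpack_from("<I", data, HEADER_SIZE + count_off)[0]
    return {"version": version, "executable": exe, "path_hash": path_hash,
            "run_count": run_count, "last_runs": last_runs}


def expected_filename(info: dict) -> str:
    """A .pf on disk is named NAME-HASH.pf; a mismatch means the file was renamed or swapped."""
    return f"{info['executable']}-{info['path_hash']:08X}.pf"


def build_sample_pf() -> bytes:
    """Constructed, uncompressed Windows 10 style sample (v30, 216-byte file information)."""
    info = bytearray(216)
    struct.pack_into("<I", info, 0, HEADER_SIZE + 216)           # file-metrics array offset
    runs = [datetime(2024, 3, 9, 4, 32, tzinfo=timezone.utc),
            datetime(2024, 3, 8, 21, 5, tzinfo=timezone.utc)]
    for i, when in enumerate(runs):
        struct.pack_into("<Q", info, 44 + 8 * i, dt_to_filetime(when))
    struct.pack_into("<I", info, 116, 3)                         # run counter
    name = "JAVAW.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header = struct.pack("<I4sII", 30, SCCA, 0x11, HEADER_SIZE + 216) + name
    header += struct.pack("<II", 0xB4F1A7E6, 0)                  # path hash (made up), flags
    return bytes(header) + bytes(info)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pf()
    info = parse_prefetch(blob)
    print(expected_filename(info), "run count:", info["run_count"])
    for when in info["last_runs"]:
        print("  ran at", when.isoformat())
```

Run it as python pf.py "C:\Windows\Prefetch\JAVAW.EXE-XXXXXXXX.pf" on the machine being checked (from an elevated prompt); without an argument it parses the constructed sample. Comparing expected_filename() with the real file name is a cheap tamper check, and the last_runs list is what lets you say "this ran at 04:32" even when the .pf's Date Modified has since been touched.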

That's it for prefetch.

shell:recent

Recent Items is one of the most useful targets on Windows: not only does it show virtual disk launches, .bat cheats and so on, it also shows recently visited directories. It is located in C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent and consists of .lnk shortcut files that the shell creates whenever a file or folder is opened.

You may access the folder with Win+R then typing shell:recent

From here you can view last accessed folders, zip files and so on. Each .lnk keeps the target's full path, size, timestamps and the serial number of the volume it was on, so it still tells you what was opened even after the target itself has been deleted. The same activity is tracked in parallel in the RecentDocs registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs) and in the jump lists under Recent\AutomaticDestinations; all of them can be cleared from the Start settings (turning off "Show recently opened items" wipes them), and if that happens, rest assured that the whole directory will be blank. An empty Recent folder on a PC in daily use is suspicious by itself; you can then check for the deletion of the .lnk files in the USN journal (explained later).
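Because the shortcut outlives its target, it is worth reading the .lnk files themselves rather than only looking at their names. The following is an added example for this guide (not code from the page or from any tool it mentions) that parses the parts of the Shell Link format that matter here: target path, volume serial and drive type, and the target's size and timestamps as they were when the link was written. The sample link is constructed in the script (the path E:\stuff\Cheat.exe, the KINGSTON label and the serial are made up); recent_items() reads the real shell:recent folder of the current user.

```python
"""Parse the forensically useful parts of a Windows .lnk (Shell Link) file, such as
the ones in shell:recent. Added example for this guide, not code from the page."""
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02              # LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01                             # LinkInfoFlags bit
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "network", 5: "cdrom"}
SAMPLE_MODIFIED = datetime(2024, 3, 9, 4, 30, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    return EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_lnk(data: bytes) -> dict:
    hdr_size, clsid, flags, attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                  # skip the item ID list if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    out = {"target_path": None, "volume_serial": None, "drive_type": None,
           "target_attributes": attrs, "target_size": size,
           "target_created": filetime_to_dt(ctime), "target_accessed": filetime_to_dt(atime),
           "target_modified": filetime_to_dt(wtime)}
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _, drive_type, serial = struct.unpack_from("<III", data, pos + vol_off)
            end = data.index(b"\x00", pos + base_off)
            # LocalBasePath is an ANSI string; cp1252 is an assumption for the code page
            out["target_path"] = data[pos + base_off:end].decode("cp1252")
            out["volume_serial"] = serial
            out["drive_type"] = DRIVE_TYPES.get(drive_type, drive_type)
    return out


def build_sample_lnk(target="E:\\stuff\\Cheat.exe", size=4318208, modified=SAMPLE_MODIFIED,
                     label=b"KINGSTON", serial=0x1A2B3C4D, drive_type=2) -> bytes:
    """Constructed .lnk with only a LinkInfo block (no ID list, no string data)."""
    ft = dt_to_filetime(modified)
    header = struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         ft, ft, ft, size, 0, 1, 0) + bytes(10)     # Reserved1..3
    volume = struct.pack("<IIII", 16 + len(label) + 1, drive_type, serial, 16) + label + b"\x00"
    path = target.encode("cp1252") + b"\x00"
    vol_off, base_off = 28, 28 + len(volume)
    suffix_off = base_off + len(path)                     # CommonPathSuffix: empty string
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume + path + b"\x00"
    return header + link_info + bytes(4)                  # terminal extra-data block


def recent_items(folder=Path.home() / "AppData/Roaming/Microsoft/Windows/Recent"):
    """Parse every .lnk in shell:recent; returns [] when the folder does not exist."""
    folder = Path(folder)
    if not folder.is_dir():
        return []
    return [(p.name, parse_lnk(p.read_bytes())) for p in sorted(folder.glob("*.lnk"))]
```

The drive type and volume serial are what tie a shortcut to a specific USB stick: if a .lnk says "removable, serial 1A2B3C4D" and the stick in the player's PC has that serial (vol E: prints it), the file was opened from that stick even if it is no longer there.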

                                 Powershell Commands

You can see a person's executed PowerShell commands simply by opening the PowerShell console host history; every command typed into an interactive PowerShell console is appended there. For example, if it contains something like java -jar (with a jar cheat), you can be pretty sure they executed a jar cheat recently. Location of the console host history:
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Keep in mind that this file is written by the PSReadLine module, so it only captures interactive sessions (not scripts or powershell -Command ...), it can be switched off with Set-PSReadLineOption -HistorySaveStyle SaveNothing, and a player can simply delete it; (Get-PSReadLineOption).HistorySavePath prints the path actually in use, and a missing or empty file on a PC where PowerShell has clearly been used deserves a USN journal check.

Deleted Items

This is very important in screenshares: it lets you prove file deletion, truncation or renaming. All of that is based on the USN Journal ($J). The USN Journal is a feature of the NTFS file system (Windows); it logs every change to a file as one record with the file name, the reason flags (create, delete, rename, truncate, ...) and a timestamp, but not the file's content and not its full path, which has to be resolved through the MFT. It is also a ring buffer of limited size, so on a busy disk records older than a few days may already be gone, and a player can delete the journal outright (fsutil usn deletejournal), which is a red flag in itself. We have two useful USN Journal parsers: JournalTrace (https://github.com/ponei/JournalTrace/releases/tag/1.0) and Journal Tool (https://dl.echo.ac/tool/journal), made by Echo. We'll start with Journal Tool by Echo to cover deleted macros, prefetch files and executables. Open the tool, tick "Deleted" and type .exe or .pf to filter for executables and prefetch files.


List of stuff a cheater would delete before an SS:
.exe
.pf
.lnk
.jar
.dll
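The tools above do this for you, but the record format is simple enough to parse yourself, which helps when you want to check what a tool is showing or filter on something it cannot. Below is an added example for this guide (not JournalTrace's or Journal Tool's code) that walks raw USN_RECORD_V2 records, decodes the reason flags, lists deletions matching the extensions above and pairs rename records so you can see what a file was called before it became "notes.txt". The journal bytes are constructed in the script (the names, file reference numbers and times are made up); on a real machine feed it the raw $J exported with FTK Imager from [root]\$Extend\$UsnJrnl, or compare its output with fsutil usn readjournal C: on the live system.

```python
"""Parse raw USN journal ($UsnJrnl:$J) records and pull out deletions and renames.
Added example for this guide; it is not JournalTrace's or Echo's Journal Tool's code."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# USN_RECORD_V2: RecordLength, MajorVersion, MinorVersion, FileReferenceNumber,
# ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo, SecurityId,
# FileAttributes, FileNameLength, FileNameOffset; the UTF-16LE name follows.
RECORD_V2 = struct.Struct("<IHHQQqQIIIIHH")           # 60 bytes
FILE_DELETE, RENAME_OLD_NAME, RENAME_NEW_NAME, CLOSE = 0x200, 0x1000, 0x2000, 0x80000000
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", FILE_DELETE: "FILE_DELETE", RENAME_OLD_NAME: "RENAME_OLD_NAME",
           RENAME_NEW_NAME: "RENAME_NEW_NAME", 0x8000: "BASIC_INFO_CHANGE", CLOSE: "CLOSE"}


def to_filetime(dt: datetime) -> int:
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def iter_records(journal: bytes):
    """Yield one dict per record. $J is sparse, so zero-filled gaps are skipped.
    parent_frn is an MFT reference; turning it into a folder path needs the $MFT."""
    pos = 0
    while pos + RECORD_V2.size <= len(journal):
        fields = RECORD_V2.unpack_from(journal, pos)
        length, major = fields[0], fields[1]
        if length == 0:
            pos += 8                                  # records are 8-byte aligned
            continue
        if major != 2:
            raise ValueError(f"unsupported USN record version {major} at offset {pos}")
        frn, parent, usn, ts, reason = fields[3], fields[4], fields[5], fields[6], fields[7]
        attrs, name_len, name_off = fields[10], fields[11], fields[12]
        name = journal[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "frn": frn, "parent_frn": parent, "name": name, "attrs": attrs,
               "time": EPOCH + timedelta(microseconds=ts // 10), "reason": reason,
               "flags": [label for bit, label in REASONS.items() if reason & bit]}
        pos += length


def deleted_files(records, extensions=(".exe", ".pf", ".lnk", ".jar", ".dll")):
    """Deletions of the file types a cheater removes before an SS (the guide's list)."""
    return [r for r in records
            if r["reason"] & FILE_DELETE and r["name"].lower().endswith(extensions)]


def renames(records):
    """Pair each RENAME_OLD_NAME with the next RENAME_NEW_NAME for the same file record."""
    pending, pairs = {}, []
    for r in records:
        if r["reason"] & RENAME_OLD_NAME:
            pending[r["frn"]] = r["name"]
        elif r["reason"] & RENAME_NEW_NAME and r["frn"] in pending:
            pairs.append((pending.pop(r["frn"]), r["name"], r["time"]))
    return pairs


def make_record(frn, parent, usn, when, reason, name, attrs=0x20) -> bytes:
    name_b = name.encode("utf-16-le")
    length = (RECORD_V2.size + len(name_b) + 7) & ~7
    rec = bytearray(length)
    RECORD_V2.pack_into(rec, 0, length, 2, 0, frn, parent, usn, to_filetime(when),
                        reason, 0, 0, attrs, len(name_b), RECORD_V2.size)
    rec[RECORD_V2.size:RECORD_V2.size + len(name_b)] = name_b
    return bytes(rec)


def build_sample_journal() -> bytes:
    """Constructed $J: Cheat.exe renamed to notes.txt, then a jar and its prefetch deleted."""
    def at(minute):
        return datetime(2024, 3, 9, 4, minute, tzinfo=timezone.utc)
    downloads, prefetch = 0x20000000000A1, 0x20000000000B2        # parent FRNs (made up)
    records = [
        make_record(0x1A2, downloads, 0x1000, at(40), RENAME_OLD_NAME, "Cheat.exe"),
        make_record(0x1A2, downloads, 0x1080, at(40), RENAME_NEW_NAME, "notes.txt"),
        make_record(0x1A2, downloads, 0x1100, at(40), RENAME_NEW_NAME | CLOSE, "notes.txt"),
        make_record(0x1B3, downloads, 0x1180, at(41), FILE_DELETE | CLOSE, "ou75pg48i.jar"),
        make_record(0x1C4, prefetch, 0x1200, at(42), FILE_DELETE | CLOSE, "JAVAW.EXE-B4F1A7E6.pf"),
        make_record(0x1D5, downloads, 0x1280, at(43), 0x2 | CLOSE, "report.docx"),
    ]
    return bytes(16) + b"".join(records)                            # leading sparse gap
```

A rename produces several records for the same file reference number (old name, new name, new name with CLOSE); matching on the FRN rather than on the name is what makes the pairing reliable when many files are renamed in one go.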

                                                 FAT32

Before we proceed, you must first know what FAT32 deletions mean.

- FAT32 is a file system, i.e. the way data is organized on a disk. NTFS is the Windows file system and it includes the USN Journal traces (see above). FAT32, which most USB sticks and SD cards still use, has no journal at all, which makes it one of the most complicated file systems to prove anything on: deleting a file on FAT32 only overwrites the first byte of its directory entry with 0xE5 and frees its clusters; the rest of the name, the size, the timestamps and the data itself stay on the disk until something reuses the space.

As an example, someone has a FAT32 USB drive plugged in. They can put their cheat onto the USB drive and later replace it with a legitimate file, and that won't leave traces in the USN journal because a FAT32 drive doesn't have one. That's why we use FTK Imager. (The execution itself still leaves traces on C:, though: the prefetch entry and any .lnk in Recent will point at the stick's \VOLUME, so check those too.)

                   You can download FTK Imager here:
https://d1kpmuwb7gvu1i.cloudfront.net/AccessData_FTK_Imager_4.7.1.exe

Open FTK Imager as Administrator and add all attached devices (File > Add Evidence Item > Physical Drive, one per disk):

Navigate to the root of the attached FAT32 USB drive and check the results. Deleted entries are listed with a red X over their icon, together with the name, size and timestamps FAT32 left behind:


Here, as an example, I deleted/replaced test1.bat, testing22.bat and some other stuff, and you can clearly see that I deleted them.

Note that this does NOT show the date of deletion: FAT32 keeps only the file's own created/modified/accessed stamps, so you'll need other evidence that the file was executed after the last system boot/restart (its prefetch entry or a .lnk in Recent pointing at the stick's volume, for instance). Sometimes you can also recover deleted files from FTK Imager by right-clicking them and choosing Export Files; if you do this right away in the SS, before the stick gets written to again, there's a better chance the executable comes back intact. That is never a guarantee, because the freed clusters may already have been reused.
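To see why FTK Imager can still show test1.bat after deletion while having no deletion time to offer, here is an added example for this guide (not FTK Imager's code) that walks raw FAT32 directory entries, as you would read them from a dd image of the stick or a directory exported from FTK Imager. It reassembles long file names from the LFN entries that precede each 8.3 entry and reports deleted entries with the one character that 0xE5 destroyed. The directory is constructed in the script (the two .bat names come from the example above; Cheat.exe, README.TXT, the sizes and the write time are made up).

```python
"""Walk raw FAT32 directory entries (from a USB image or a directory exported with FTK
Imager) and list live and deleted files. Added example for this guide, not FTK Imager's code."""
import struct
from datetime import datetime

ATTR_VOLUME_ID, ATTR_DIRECTORY, ATTR_LFN = 0x08, 0x10, 0x0F
DELETED, END_OF_DIRECTORY = 0xE5, 0x00


def fat_date(dt: datetime) -> int:
    return ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day


def fat_time(dt: datetime) -> int:
    return (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)     # 2-second resolution


def fat_datetime(date: int, time: int) -> datetime:
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def lfn_checksum(name11: bytes) -> int:
    s = 0
    for c in name11:
        s = ((((s & 1) << 7) | (s >> 1)) + c) & 0xFF
    return s


def iter_entries(directory: bytes):
    """Yield one dict per file; deleted entries are still there, minus the first name byte."""
    lfn_parts = []                                   # long-name pieces precede their 8.3 entry
    for off in range(0, len(directory) - 31, 32):
        e = directory[off:off + 32]
        if e[0] == END_OF_DIRECTORY:
            break
        if e[11] == ATTR_LFN:
            lfn_parts.append(e[1:11] + e[14:26] + e[28:32])   # 13 UTF-16 chars per entry
            continue
        if e[11] & ATTR_VOLUME_ID:
            lfn_parts = []
            continue
        deleted = e[0] == DELETED
        base = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]                    # 0xE5 overwrote the first character only
        short = f"{base}.{ext}" if ext else base
        long_name = b"".join(reversed(lfn_parts)).decode("utf-16-le", "replace").split("\x00")[0]
        lfn_parts = []
        wtime, wdate = struct.unpack_from("<HH", e, 22)
        hi, lo = struct.unpack_from("<H", e, 20)[0], struct.unpack_from("<H", e, 26)[0]
        yield {"name": long_name or short, "short": short, "deleted": deleted,
               "directory": bool(e[11] & ATTR_DIRECTORY), "first_cluster": (hi << 16) | lo,
               "size": struct.unpack_from("<I", e, 28)[0],
               "modified": fat_datetime(wdate, wtime) if wdate else None}


def short_entry(name11: str, attr: int, size: int, modified: datetime, deleted=False) -> bytes:
    e = bytearray(name11.encode("ascii").ljust(11)) + bytes(21)
    e[11] = attr
    struct.pack_into("<HH", e, 22, fat_time(modified), fat_date(modified))
    struct.pack_into("<I", e, 28, size)
    if deleted:
        e[0] = DELETED
    return bytes(e)


def lfn_entries(long_name: str, name11: str, deleted=False) -> bytes:
    chars = long_name.encode("utf-16-le") + b"\x00\x00"
    chars += b"\xff" * (-len(chars) % 26)             # pad the last entry with 0xFFFF
    n = len(chars) // 26
    entries = []
    for i in range(n):
        chunk = chars[i * 26:(i + 1) * 26]
        e = bytearray(32)
        e[0] = DELETED if deleted else (i + 1) | (0x40 if i == n - 1 else 0)
        e[1:11], e[14:26], e[28:32] = chunk[:10], chunk[10:22], chunk[22:26]
        e[11], e[13] = ATTR_LFN, lfn_checksum(name11.encode("ascii").ljust(11))
        entries.append(bytes(e))
    return b"".join(reversed(entries))                # highest ordinal is stored first


def build_sample_directory() -> bytes:
    """Constructed root directory of a stick: label, two deleted .bat files, a deleted
    cheat and one live file, followed by the end-of-directory marker."""
    w = datetime(2024, 3, 9, 4, 5, 10)
    return b"".join([
        short_entry("USB_STICK", ATTR_VOLUME_ID, 0, w),
        lfn_entries("test1.bat", "TEST1   BAT", deleted=True),
        short_entry("TEST1   BAT", 0x20, 312, w, deleted=True),
        lfn_entries("testing22.bat", "TESTIN~1BAT", deleted=True),
        short_entry("TESTIN~1BAT", 0x20, 845, w, deleted=True),
        lfn_entries("Cheat.exe", "CHEAT   EXE", deleted=True),
        short_entry("CHEAT   EXE", 0x20, 4318208, w, deleted=True),
        short_entry("README  TXT", 0x20, 57, w),
    ]) + bytes(32)
```

Nothing in the 32-byte entry records when the deletion happened, which is exactly the gap the note above describes; what you do get is the first cluster and the size, which is what an "Export Files" recovery reads, and which is why recovery only works while those clusters have not been handed to another file.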

WinPrefetchView

Analyzing prefetch traces is easiest with the help of WinPrefetchView. It can be downloaded from nirsoft.net (page title: View the content of Windows Prefetch (.pf) files).

LastActivityView can be used as a side tool with WinPrefetchView, since it also collects data from registry entries and the event log. LAV can be downloaded from nirsoft.net (page title: LastActivityView - View the latest computer activity in Windows operating system).


- WinPrefetchView is split into two panes. The top pane shows each prefetch trace with its executable name, run count, last run times and path hash; the bottom pane shows the files the selected trace loaded. It can show, for example, whether a recorder is currently in use.

- It can also prove executions: simply analyze host-process traces like DLLHOST, CONHOST and CONSENT; even FiveM's prefetch trace can show what files were loaded into the game, in case they're placed in FiveM's directory. Keep the limits in mind: a trace only lists files touched during the first seconds of a run, and a .pf the player deleted is gone from here but shows up in the USN journal.

Suspended services & threads

PC optimizers, FPS boosters and custom operating systems stop services that are important for screensharing (the SysMain service is a typical victim; stopping it means no new prefetch entries get written). Here's a list of services that are actually bannable when disabled:

Search Everything

Everything (by voidtools) will be the most useful tool you can utilize for screensharing; it is basically a hundred times better than the default Windows search, because it indexes the NTFS master file table directly instead of crawling folders, so results are instant and complete.

Can be downloaded here:
https://www.voidtools.com/Everything-1.4.1.1026.x86-Setup.exe

You can find any file on the user's PC even if it's hidden, including hidden/read-only files like mods or prefetch files. Note that out of the box Everything only indexes NTFS volumes, so a FAT32 USB stick has to be added under Tools > Options > Folders, and it only lists what exists right now; deleted files are a job for the USN journal or FTK Imager.

System Informer/ProcessHacker 2

These are tools that help you monitor system resources, debug software and detect malware (System Informer is the current name of Process Hacker 2). You can also use them to search and dump process memory, which is very useful for screensharing.





Under the Services tab you can see all running services, for example DcomLaunch (DCOM Server Process Launcher). Its process memory tends to retain the paths of programs launched through it, including .jar executions such as a Doomsday Client jar, which is what we search for below. Find the process hosting it (an svchost.exe; Process Hacker lists the hosted services in the process tooltip) and open its properties.


In that process's properties, open the Memory tab, click Strings, set the minimum length to 4 and tick Image and Mapped. Then filter the results for .jar and analyze what comes up.


You can see here that I executed the file ou75pg48i.jar with javaw.exe.

We would normally then look up that file via Everything and check whether it was deleted or renamed via the USN journal (see above).

As already mentioned above, there are many services/processes whose memory is useful for SSing. For example:

DcomLaunch (filter for .jar; retains paths of launched .jar files)
MsMpEng (Windows Defender; you can find the player's cmd commands in it)
PcaSvc (Program Compatibility Assistant; retains paths of executed programs of any extension)
csrss (filter for .exe/.dll)
DPS (Diagnostic Policy Service; filter for .exe)

Dnscache (DNS Client cache; used to check websites they visited, like doomsdayclient.com)

All of this lives in process memory only: it is gone after a reboot or after the service was restarted, so note the boot time (systeminfo shows "System Boot Time") before relying on it. A strings hit proves that the path passed through that process; whether the file still exists is what Everything and the USN journal are for.
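The Strings search in System Informer is a scan for runs of printable characters, in both plain ASCII and UTF-16LE (how Windows stores paths internally), with a minimum length. Here is an added example for this guide (not System Informer's or Process Hacker's code) that does the same over a saved memory dump and keeps only the hits that look like paths of interesting files, so the "filter for .jar" step and the service list above can be applied offline to a dump taken during the SS. The dump bytes are constructed in the script (the javaw.exe command line, the Doomsday temp path and the junk are made up; ou75pg48i.jar is the name from the example above); on a real system run it over a region saved from the Memory tab or a full dump from procdump -ma <pid>.

```python
"""Pull printable ASCII and UTF-16LE strings out of a process memory dump and keep the
ones that look like paths of interesting files. Added example for this guide; it mimics
the Strings search in System Informer/Process Hacker and is not that tool's code."""
import re

# Windows path: drive letter, then anything but characters illegal in paths, then an
# extension we care about; non-greedy so a command line yields each path separately
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\x00\r\n]+?\.(?:jar|exe|dll|bat|pf|lnk)\b', re.IGNORECASE)


def extract_strings(blob: bytes, min_len: int = 4):
    """Return (offset, encoding, text) tuples like a 'minimum length 4' strings search."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf-16", m.group().decode("utf-16-le")) for m in utf16_re.finditer(blob)]
    return sorted(found)


def interesting_paths(strings, extensions=(".jar",)):
    """Unique paths ending in one of the extensions, in order of appearance in memory."""
    seen, hits = set(), []
    for offset, enc, text in strings:
        for path in PATH_RE.findall(text):
            if path.lower().endswith(extensions) and path.lower() not in seen:
                seen.add(path.lower())
                hits.append((offset, enc, path))
    return hits


# Constructed stand-in for a region of svchost.exe memory: a launch command line (ANSI),
# two NT-style paths (UTF-16LE, the form the kernel and Win32 APIs keep them in), a string
# shorter than the minimum length, and junk bytes.
SAMPLE_DUMP = (
    b"\x00\x17\xff\x8a" * 8
    + b'"C:\\Program Files\\Java\\jre\\bin\\javaw.exe" -jar C:\\Users\\bob\\Downloads\\ou75pg48i.jar\x00'
    + b"\x90" * 13 + b"jar\x00"
    + "\\??\\C:\\Users\\bob\\AppData\\Local\\Temp\\Doomsday\\ou75pg48i.jar".encode("utf-16-le") + b"\x00\x00"
    + "\\??\\C:\\Windows\\System32\\ntdll.dll".encode("utf-16-le") + b"\x00\x00"
    + bytes(range(256))
)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    exts = tuple(sys.argv[2:]) or (".jar",)
    for offset, enc, path in interesting_paths(extract_strings(blob), exts):
        print(f"0x{offset:08x} {enc:6} {path}")
```

Usage: python memstrings.py svchost.dmp .jar .exe. Searching both encodings matters: the command line that launched the jar sits in memory as ANSI, while the same file's path as seen by the file system sits there as UTF-16, and a search that only looks for one of them misses half the evidence.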

                     

                     
Mod Analyzer

Initially meant for 1.9+ tier-list communities, this free mod analysis tool is apparently pretty useful for almost every other mod client as well.

https://github.com/SherlockHolmesv/RedLotus_ModAnalyzerFREE/releases/tag/Minecraft

Alternate Data Streams

Although it was popular in 2019, the Alternate Data Stream method is probably still the most undetected bypass today.

The whole purpose of this method is to hide the file itself inside another file's stream on NTFS. Combined with directory junctions (view the article above) and a Unicode character that is invisible to System Informer, a smart bypass can be created that makes cheats practically impossible to detect if an SSer is unaware of such possibilities or doesn't understand them. NTFS does not hide streams from the right commands, though: dir /R lists every stream of every file in a folder, and in PowerShell Get-Item <file> -Stream * does the same for one file.


In my opinion alternate data streams are too advanced for you currently and it makes no sense to know how to detect them since you wouldn't understand. I just wanted to let you know they exist.

Mod Clients & .Jars

To find mod clients generally, and to analyze .jar files further, use Bytecode Viewer: https://github.com/Konloch/bytecode-viewer/releases/tag/v2.12

Drag any mod you want to analyze into the window and search the decompiled code for strings like "Hitboxes", "Aim assist" or "Reach", then check the results. Obfuscated jars won't contain readable strings like these, so for a mod that claims to be an official client also compare its size and hash against the official download.

That's all the stuff you need to know to start SSing; if you want to learn more and really want to know everything there is to know, you would need to buy lessons from me or something, because I'm not writing all of that.

With this guide you should be able to catch 90% of cheaters, probably 100% though.

15q1 ss guide