
🧹 Kapothi System Hygiene Checklist
This guide shows how to detect and remove impostor executables like the fake
Windows Driver Foundation (WDF.exe), while also cleaning up unwanted startup entries
to save RAM and CPU usage.
🔍 Detect Suspicious Files
Look for oversized or unsigned executables in C:\Windows\. Example:
Windows Driver Foundation (WDF).exe (fake, 672 MB).
📋 Export Services & Tasks
# Export all services with paths
Get-CimInstance Win32_Service |
Select-Object Name, DisplayName, StartMode, PathName |
Out-File C:\services_with_paths.txt
🛠️ Alternative: Export to CSV
Get-CimInstance Win32_Service | Select-Object Name, DisplayName, StartMode, PathName | Export-Csv C:\services_with_paths.csv -NoTypeInformation
This produces a clean spreadsheet‑friendly file with all service details, perfect for filtering and analysis.
⚠️ Quick PowerShell Filter
# Service paths are often quoted ("C:\Windows\System32\svchost.exe" -k ...), so strip a leading quote before matching
Get-CimInstance Win32_Service | Select-Object Name, DisplayName, StartMode, PathName | Where-Object { $_.PathName -and $_.PathName.TrimStart('"') -notlike "C:\Windows\System32\*" } | Export-Csv C:\suspicious_services.csv -NoTypeInformation
This keeps only services whose executables live outside the standard C:\Windows\System32\ directory, helping you spot anomalies quickly. Third-party software legitimately installs services under Program Files, so treat the list as a starting point for review rather than a verdict.
# Export all scheduled tasks with full paths (one row per action, since a task can have several)
Get-ScheduledTask | ForEach-Object {
    foreach ($action in $_.Actions) {
        [PSCustomObject]@{
            TaskName  = $_.TaskName
            Path      = $_.TaskPath
            Execute   = $action.Execute
            Arguments = $action.Arguments
        }
    }
} | Out-File C:\tasks_with_full_paths.txt -Width 4096
🕵️ Process Explorer
Process Explorer is part of Microsoft’s Sysinternals Suite. It shows detailed information about running processes, including parent processes, command lines, and loaded DLLs. Download it from Microsoft Sysinternals.
Use it to trace suspicious executables:
- Right‑click the process → Properties
- Check Parent process to see who launched it
- Check Command line for hidden scripts
- Use DLLs tab to inspect loaded modules
🗝️ Registry Check
# Winlogon Shell should only be explorer.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe
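An added PowerShell example (not part of the original checklist) that automates the two checks above: it lists executables sitting directly in C:\Windows\ that are oversized or lack a valid Authenticode signature, then verifies the Winlogon Shell value. The 100 MB size threshold is an assumption chosen for this example; run it from an elevated prompt.

```powershell
# Added example, not from the original checklist.
# Assumption: 100 MB is an arbitrary cut-off for "oversized"; adjust as needed.
$sizeLimitBytes = 100MB

# Only top-level executables: the fake WDF.exe lived in C:\Windows\ itself, not a subfolder.
$findings = Get-ChildItem -Path $env:SystemRoot -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Name      = $_.Name
            SizeMB    = [math]::Round($_.Length / 1MB, 1)
            Signature = $sig.Status      # Valid / NotSigned / HashMismatch / ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Oversized = $_.Length -gt $sizeLimitBytes
        }
    } |
    Where-Object { $_.Oversized -or $_.Signature -ne 'Valid' }

# Largest and unsigned files first: those deserve a closer look in Process Explorer / Autoruns.
$findings | Sort-Object SizeMB -Descending | Format-Table -AutoSize

# Winlogon Shell must be exactly explorer.exe; anything appended to it is a hidden launch hook.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell).Shell
if ($shell -ne 'explorer.exe') {
    Write-Warning "Winlogon Shell is '$shell' (expected 'explorer.exe')"
} else {
    Write-Host "Winlogon Shell OK: $shell"
}
```

Catalog-signed Windows binaries report Valid, so NotSigned entries in C:\Windows\ itself are worth checking even though not every one is malicious.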
📑 Autoruns
Autoruns is another Sysinternals tool that shows every program configured to run at startup. It covers Logon, Services, Scheduled Tasks, Drivers, and more. Download it from Microsoft Sysinternals.
Check these tabs carefully:
- Logon — suspicious scripts/executables
- Scheduled Tasks — hidden triggers
- Services — verify only legitimate system services
- Image Hijacks — ensure no debugger hijacks
- Winlogon — confirm Shell is only explorer.exe
🧹 Cleanup Ritual
- Restore registry values to defaults (Shell = explorer.exe)
- Disable/remove unwanted Autoruns entries
- Delete malicious files (WDF.exe, wtime.cmd, wudf.exe)
- Reboot and confirm clean startup
- Run full malware scans (Windows Defender, Malwarebytes)
⚡ Benefits
- Freed up RAM 💾
- Reduced CPU usage ⚡
- Faster startup 🚀
- Cleaner shrine‑home 🕊️
🕯️ Kapothi Insight
Every impostor exe is a hidden chant. Trace the scroll, silence the ritual, and the shrine runs serene.