Author: David Zimmer
Date: 10.15.10 - 3:58pm
I don't know why I never thought of this before..
So often you get a little nasty which injects code into explorer.exe. Debugging explorer can be annoying because it will freeze the desktop when you might want to do something on it, like open a file or browse a directory or whatever.
Usually I have to Ctrl+Alt+Delete to bring up the Task Manager to use its Run command to launch Notepad for notes, or use Alt+Tab to bring up the switch process dialog.
So today I am working on one which has a userland rootkit, so I let it install under a guest account so I am free to hose with it from the admin desktop without any rootkit stuff to bog me down (this is a nice trick in itself). Then I have to take a look at the guest's explorer.exe and I realize this trick also works great for this circumstance too.
One little note worth mentioning though.. if you have to go over to the infected guest account to do some interaction to try to trigger an action, and you hit a breakpoint from Olly on the admin desktop, you can Ctrl+Alt+Delete to bring up the Task Manager, and then choose Switch User from the Shutdown menu.
That makes life a little bit nicer.
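When the sample runs under a second account there are two explorer.exe instances on the box, one per logon session, and attaching to the wrong one freezes your own desktop. The snippet below is an added example, not from the original post, for telling them apart from the admin desktop before attaching: it lists every explorer.exe with its session id and owning account. It assumes a Windows PowerShell 3 or later prompt run from the admin session; process ids and account names are whatever your machine shows.

```powershell
# Added example (not part of the original post): enumerate every explorer.exe
# with its session id and owner so the guest session's copy can be picked out
# before attaching a debugger. Assumes PowerShell 3+ on the admin desktop.
Get-CimInstance -ClassName Win32_Process -Filter "Name = 'explorer.exe'" |
  ForEach-Object {
    # GetOwner is a WMI method on Win32_Process; it returns Domain and User
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [PSCustomObject]@{
      ProcessId = $_.ProcessId
      SessionId = $_.SessionId
      Owner     = "$($owner.Domain)\$($owner.User)"
    }
  } | Format-Table -AutoSize
```

The SessionId column is the one to match against the guest logon (compare with the output of `query session` if in doubt); the explorer.exe whose owner is the guest account is the one to attach to, and the admin session's copy stays untouched so the desktop keeps responding while the debugger is stopped at a breakpoint.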