Connect to remote SystemInformer server #2112

Open
smallmodel opened this issue Jun 25, 2024 · 0 comments

Comments

smallmodel commented Jun 25, 2024

Description of the feature, modification, idea or suggestion

Hello,

How about a feature that allows SystemInformer to connect to a remote computer and view processes/system information remotely, like one would do with WinDbg? It could be a daemon hosted by the kernel-mode driver or by the user-mode process. Having it in kernel mode would even allow checking for processes, modules and drivers that are being loaded while the system is booting (Process Monitor does it with its boot logging feature).

For example, a remote computer used for malware analysis could have the SystemInformer service. Computers would then connect to it remotely. It would have some potential uses, like investigating a locked-up system, seeing ransomware/malware in action, or checking for drivers or services that start during system boot.

Of course, as a current alternative, one could use mstsc in another session and start SystemInformer. However, on client computers only 1 terminal service session is allowed at a time (unless the terminal server is patched).
WinDbg is another one, but it requires some tough configuration for kernel-mode debugging and it requires disabling Secure Boot to debug.

This is my two cents; I'm aware of the redesign, time and work it would need for such a feature to be introduced.

Proposed implementation details (optional)

A user-mode server could use gRPC or MIDL.
A kernel-mode server could use gRPC, even though it's risky and prone to kernel crashes.

All of this may need a redesign. Maybe Kph functions could check if a remote connection is established, if so, forward all calls to the target system.

To connect to a remote computer, the user would click on: System -> Connect to... (the button would be above Computer), it would be password protected, or it could use Kerberos/NTLM authentication.
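The issue asks for the remote connection to be "password protected" or to use Kerberos/NTLM. The sketch below is an added example, not SystemInformer code and not anything from the issue author: a toy, in-memory model of such a server that authenticates a client with a single-use nonce challenge/response (so a password is never sent and a captured proof cannot be replayed) before it forwards any query to its "local system" backend. The class and function names, the message layout, the `auth|` prefix and the process list are all assumptions made up for illustration; a real Windows implementation would hand authentication to SSPI (Kerberos/NTLM) rather than roll its own.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data standing in for what a real server would gather
# from the local system (or from a kernel-mode component). Not real output.
FAKE_PROCESSES = [
    {"pid": 4, "name": "System", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 724, "name": "lsass.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 5120, "name": "notepad.exe", "user": "LAB\\analyst"},
]


class RemoteInfoServer:
    """Hypothetical server: challenge/response auth, then query forwarding."""

    def __init__(self, shared_secret: bytes):
        # Keep only a derived MAC key, never the raw password.
        self._key = hashlib.sha256(shared_secret).digest()
        self._pending = set()   # outstanding nonces, each accepted once
        self._sessions = set()  # session tokens issued after a good proof

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def authenticate(self, nonce: bytes, proof: bytes) -> Optional[bytes]:
        # Unknown or already-used nonce: reject (this is what stops replay).
        if nonce not in self._pending:
            return None
        self._pending.discard(nonce)
        expected = hmac.new(self._key, b"auth|" + nonce, hashlib.sha256).digest()
        # Constant-time comparison so timing does not leak the expected MAC.
        if not hmac.compare_digest(expected, proof):
            return None
        token = secrets.token_bytes(16)
        self._sessions.add(token)
        return token

    def query(self, token: Optional[bytes], request: dict) -> dict:
        # The authorization check sits in front of every call to the backend,
        # so nothing reaches the local system (or a driver) unauthenticated.
        if token is None or token not in self._sessions:
            return {"error": "not authenticated"}
        if request.get("op") == "list_processes":
            return {"processes": FAKE_PROCESSES}
        return {"error": "unknown op"}


def client_proof(shared_secret: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the secret without transmitting it."""
    key = hashlib.sha256(shared_secret).digest()
    return hmac.new(key, b"auth|" + nonce, hashlib.sha256).digest()


def run_demo() -> dict:
    """Walk through the legitimate exchange and three failure cases."""
    password = b"correct horse battery staple"  # constructed, illustration only
    server = RemoteInfoServer(password)

    # 1. Legitimate client: challenge -> proof -> session token -> query.
    nonce = server.challenge()
    proof = client_proof(password, nonce)
    token = server.authenticate(nonce, proof)
    listing = server.query(token, {"op": "list_processes"})

    # 2. Wrong password against a fresh challenge.
    nonce2 = server.challenge()
    bad = server.authenticate(nonce2, client_proof(b"wrong password", nonce2))

    # 3. Replay of the captured (nonce, proof) pair from step 1.
    replay = server.authenticate(nonce, proof)

    # 4. Query with a token the server never issued.
    unauth = server.query(b"\x00" * 16, {"op": "list_processes"})

    return {
        "authenticated": token is not None,
        "process_count": len(listing.get("processes", [])),
        "wrong_secret_rejected": bad is None,
        "replay_rejected": replay is None,
        "unauth_rejected": "error" in unauth,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point for a design like the one proposed is where the check lives: the server authorizes the session before any request is forwarded to the local Kph/system backend, rather than trusting the client to have logged in. Everything here runs offline against the constructed process list; a real deployment would also wrap the transport in TLS and use Windows authentication instead of a shared password.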
