How to Trace the Origin of Randomly Generated Virus Files on Windows Server C Drive



When mysterious files appear on your server's C: drive root directory, it's crucial to identify their origin quickly. These could be malware payloads, temporary files from legitimate processes, or artifacts from scheduled tasks gone wrong.

Start with native Windows tools before resorting to third-party solutions:

# PowerShell command to check recently modified files in the root of C:\
# (-Force includes hidden and system files, which droppers often set)
Get-ChildItem C:\ -File -Force | Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 Name, CreationTime, LastWriteTime, Length

# Enable the file-system audit policy. On its own this produces no events:
# 4663 is only logged for folders that also carry an auditing entry (SACL),
# set via Properties > Security > Advanced > Auditing or with Set-Acl.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

Sysinternals Process Monitor is invaluable for tracking file operations:

  1. Download Process Monitor from Microsoft
  2. Set filter to "Path contains C:\filename.ext"
  3. Capture operations in real-time

Configure and query security logs for file creation events:

# PowerShell to query the Security log for file-system audit events (4663) under C:\
# (-FilterHashtable filters inside the event log service, which is far faster than
# piping every Security event through Where-Object; note the single backslash in the
# wildcard, a doubled backslash would only match a literal "C:\\")
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Object Name:*C:\*' } |
    Select-Object -First 10 TimeCreated, Message | Format-List
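The two halves of that procedure (audit policy plus a SACL on the folder, then reading the events back) are what actually answer the question "which process wrote this file", because 4663 carries the Process Name and PID of the writer. Here they are together as an added example, not code from the original page; it assumes an elevated shell, the default root path C:\, and function names of my own choosing:

```powershell
# Added example: audit file creation in the root of C:\ and read back the 4663
# events, which name the process that wrote each file. Run from an elevated shell.
# The audit policy alone produces nothing; the folder also needs a SACL entry.

function Enable-RootCreateAudit {
    param([string]$Path = 'C:\')
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    $acl = Get-Acl -Path $Path -Audit
    # Audit successful CreateFiles (AddFile on the folder / WriteData on files) for
    # everyone, on this folder and the files directly in it, but not on subfolders.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]::CreateFiles,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-RootFileCreations {
    param([string]$Path = 'C:\', [int]$Hours = 24)
    $root   = $Path.TrimEnd('\')
    $direct = '^' + [regex]::Escape($root) + '\\[^\\]+$'   # C:\name.ext, nothing deeper
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the named EventData fields from the XML rather than scraping Message text.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time       = $_.TimeCreated
            User       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Process    = $data.ProcessName
            ProcessId  = $data.ProcessId      # hex string as logged, e.g. 0x1a2c
            Object     = $data.ObjectName
            AccessMask = $data.AccessMask
        }
    } | Where-Object {
        # 0x2 is WriteData/AddFile. Keep events on the folder itself or on a file
        # directly under it; deeper paths belong to other SACLs.
        (([int]$_.AccessMask -band 2) -ne 0) -and
        ($_.Object -in $root, $Path -or $_.Object -match $direct)
    }
}

Enable-RootCreateAudit
Get-RootFileCreations -Hours 24 | Format-Table Time, User, Process, Object -AutoSize
```

Auditing has to be in place before the next drop happens; it tells you nothing about files already there. Depending on the Windows build, the creating event may show the new file's path or the folder path as the Object Name, which is why the filter accepts both.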

When built-in tools aren't sufficient:

  • Microsoft Defender for Endpoint advanced hunting (formerly Windows Defender ATP, for enterprise environments)
  • Carbon Black or CrowdStrike for endpoint detection
  • OSSEC for open-source host-based intrusion detection

Here's how you might investigate a mystery DLL:

# Find handles to the suspicious file
handle64.exe C:\malicious.dll

# Cross-reference with process information
tasklist /m malicious.dll

# Check for unsigned or invalidly signed binaries in the root of C:\
# (a missing FileVersion only shows the file lacks version metadata; the
# Authenticode status is what tells you whether it is signed and by whom)
Get-ChildItem C:\ -File -Force | Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status
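Handle, tasklist and the signature check each answer one question about one file. The added example below (my code, not from the original page) combines them into a single triage pass over every .exe and .dll in the root: signature state and signer, a SHA256 for later lookup, the creation versus last-write timestamps, and which running processes currently have the file loaded. The root path and function name are my assumptions:

```powershell
# Added example: triage every .exe and .dll in the root of C:\ in one pass.
# Columns: signature state and signer, SHA256 for offline lookup, creation vs.
# last-write times (a last-write older than creation means the file was copied in
# or timestomped, not written in place), and any running process that has it loaded.

function Get-RootBinaryTriage {
    param([string]$Root = 'C:\')

    # Map loaded-module path -> "name(pid)" list once, instead of once per file.
    # Module lists of protected or cross-bitness processes are not readable; skip them.
    $loaded = @{}
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }
        foreach ($m in $mods) {
            if (-not $m.FileName) { continue }
            $key = $m.FileName.ToLowerInvariant()
            if (-not $loaded.ContainsKey($key)) {
                $loaded[$key] = New-Object System.Collections.Generic.List[string]
            }
            $loaded[$key].Add("$($p.ProcessName)($($p.Id))")
        }
    }

    Get-ChildItem -Path $Root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $key = $_.FullName.ToLowerInvariant()
            [PSCustomObject]@{
                Name              = $_.Name
                SizeKB            = [math]::Round($_.Length / 1KB, 1)
                Created           = $_.CreationTime
                Modified          = $_.LastWriteTime
                WriteBeforeCreate = $_.LastWriteTime -lt $_.CreationTime
                Signature         = $sig.Status
                Signer            = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256            = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                LoadedBy          = if ($loaded.ContainsKey($key)) { $loaded[$key] -join ', ' } else { '' }
            }
        }
}

Get-RootBinaryTriage | Sort-Object Created -Descending | Format-List
```

The SHA256 column is what you look up on VirusTotal or in your EDR; hashing is safe to do on the box, uploading the file itself may not be. A file with a valid signature from an unexpected signer is still worth a second look, so the Signer column is shown alongside the status rather than hidden behind it.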

Implement these controls to detect issues earlier:

  • Enable Windows Defender Controlled Folder Access and add the directories you care about to its protected folders (by default it only covers user profile folders, not the drive root)
  • Configure SACLs on critical directories so that 4663 events are actually generated
  • Implement FSRM (File Server Resource Manager) file screens to block unwanted file types as they are written

For persistent monitoring, consider this PowerShell example:

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "C:\"
$watcher.Filter = "*.*"
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'
$watcher.EnableRaisingEvents = $true

# FileSystemWatcher only reports the path and the kind of change; the event args
# carry no process information, so the writing process cannot be recovered here.
# Pair this log with 4663 audit events or Process Monitor for that.
# The log must live outside the watched folder so it does not log itself.
New-Item -ItemType Directory -Path "C:\Logs" -Force | Out-Null
Register-ObjectEvent $watcher "Created" -Action {
    [PSCustomObject]@{
        File       = $event.SourceEventArgs.FullPath
        ChangeType = $event.SourceEventArgs.ChangeType
        Time       = $event.TimeGenerated
    } | Export-Csv -Path "C:\Logs\FileCreationLog.csv" -Append -NoTypeInformation
}


Recently I encountered a puzzling case where random executable files kept appearing in the root of my C: drive on a Windows Server 2019 machine. The files had names like update_helper.exe, service_loader.dll, and system_tasks.exe - all classic signs of potential malware.

Before reaching for third-party solutions, let's explore native Windows capabilities:

# PowerShell command to check files in C:\ modified in the last hour
# (-Force includes hidden and system files)
Get-ChildItem -Path C:\ -File -Force | 
    Where-Object {$_.LastWriteTime -gt (Get-Date).AddHours(-1)} | 
    Sort-Object LastWriteTime -Descending |
    Format-Table FullName, CreationTime, LastWriteTime, Length -AutoSize

Microsoft's Process Monitor is invaluable for this type of investigation:

  1. Download and run Process Monitor (no installation needed)
  2. Set up filters: Path contains "C:\" AND Operation is "CreateFile" (a new file shows "Disposition: Create" or "OverwriteIf" in the Detail column) or "WriteFile"
  3. Capture events; the Process Name and PID columns identify the writer. Process Monitor must be running when the file is dropped, so if the drops happen across reboots enable Options > Enable Boot Logging

For persistent monitoring, I wrote this PowerShell script that logs file creation events:

# File Creation Monitor Script
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "C:\"
$watcher.Filter = "*.*"
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'
$watcher.EnableRaisingEvents = $true   # no events are raised until this is set

# The log must live outside the watched folder: writing a log inside C:\ would
# raise a Changed event for the log file, which writes to the log, and so on.
New-Item -ItemType Directory -Path "C:\Logs" -Force | Out-Null
$action = {
    $details = $event.SourceEventArgs
    $name = $details.Name
    $changeType = $details.ChangeType
    $timeStamp = $event.TimeGenerated
    $logline = "$timeStamp - $changeType - $name"
    Add-Content "C:\Logs\file_monitor_log.txt" -Value $logline
}

Register-ObjectEvent $watcher "Created" -Action $action
Register-ObjectEvent $watcher "Changed" -Action $action

When you identify the suspicious process, examine its parent process chain. wmic still ships on Windows Server 2019 but is deprecated and removed from recent Windows builds, so treat it as a fallback:

wmic process where (name='suspicious.exe') get processid,parentprocessid
wmic process where (processid=PARENT_PID) get processid,parentprocessid,name
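The same walk with the CIM cmdlets, which work where wmic is gone, as an added example rather than the original page's commands. It also handles the caveat that bites this kind of investigation: a parent PID is just a number, and once the real parent exits the number can be reused by an unrelated process, so a "parent" that started after its child is reported instead of trusted. 'suspicious.exe' is a placeholder name and the function name is my own:

```powershell
# Added example: walk a process's parent chain with CIM instead of the deprecated wmic.
# 'suspicious.exe' is a placeholder. Parent PIDs can be reused after the parent exits,
# so a parent that started after its child is flagged and the walk stops there.

function Get-ProcessAncestry {
    param([Parameter(Mandatory)][int]$ProcessId, [int]$MaxDepth = 16)
    # Snapshot the process table once so every lookup sees the same moment in time.
    $all = @{}
    foreach ($p in Get-CimInstance Win32_Process) { $all[[int]$p.ProcessId] = $p }

    $cur = $ProcessId
    for ($depth = 0; $depth -lt $MaxDepth -and $all.ContainsKey($cur); $depth++) {
        $p      = $all[$cur]
        $parent = $all[[int]$p.ParentProcessId]
        # CreationDate is a DateTime here (CIM converts it); a parent younger than
        # its child means the original parent is gone and the PID was recycled.
        $reused = $parent -and $parent.CreationDate -and $p.CreationDate -and
                  ($parent.CreationDate -gt $p.CreationDate)
        [PSCustomObject]@{
            Depth       = $depth
            ProcessId   = $p.ProcessId
            Name        = $p.Name
            Started     = $p.CreationDate
            ParentId    = $p.ParentProcessId
            ParentNote  = if (-not $parent) { 'parent exited (PID not running)' }
                          elseif ($reused) { 'PID reuse: parent is younger than child' }
                          else { '' }
            CommandLine = $p.CommandLine
        }
        # Stop at a missing or recycled parent, and at a process that is its own parent.
        if (-not $parent -or $reused -or $cur -eq [int]$p.ParentProcessId) { break }
        $cur = [int]$p.ParentProcessId
    }
}

# Usage: walk every running instance of the placeholder name up to its root
Get-CimInstance Win32_Process -Filter "Name = 'suspicious.exe'" |
    ForEach-Object { Get-ProcessAncestry -ProcessId $_.ProcessId } |
    Format-Table Depth, ProcessId, Name, Started, ParentId, ParentNote -AutoSize
```

When the chain ends in "parent exited", the dropper has already gone; that is the case where the 4663 audit trail or a Sysmon process-creation log is the only way to recover the origin, since the live process table no longer holds it.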

When built-in tools aren't sufficient:

  • Sysinternals Suite: especially Process Explorer and Autoruns
  • Microsoft Defender for Endpoint (formerly Windows Defender ATP): for enterprise environments
  • Carbon Black: advanced endpoint detection
  • OSSEC: open-source host-based intrusion detection

Once you identify the culprit, consider these steps:

  1. Isolate the affected system
  2. Capture a memory dump of the suspicious process (Process Explorer's "Create Full Dump", or procdump -ma <pid>) before terminating it
  3. Hash the file and check the hash against VirusTotal or similar services; upload the file itself only if that is acceptable for your environment
  4. Implement Group Policy changes to prevent recurrence, for example an AppLocker or Software Restriction Policy path rule that denies execution from the root of C:\, together with NTFS permissions that keep unprivileged accounts from creating files there
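The NTFS side of step 4 deserves a concrete check, because the default root ACL already gives you a clue about the origin: on a stock install, Authenticated Users can create folders in C:\ but not files, so a file that lands there was written by an administrator, by SYSTEM, or through an ACL someone has loosened. The added example below (my code, not from the original page; root path and function name are my assumptions) lists every ACE that actually grants file creation on the root folder itself:

```powershell
# Added example: list who may create files directly in the root of C:\.
# Default install: Administrators and SYSTEM only. Authenticated Users hold
# AppendData/CreateDirectories there (folders, not files), and their Modify
# entry is inherit-only, so it applies to children rather than the root itself.

function Get-RootFileCreators {
    param([string]$Path = 'C:\')
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $rights = $ace.FileSystemRights
        # CreateFiles (0x2) is the bit that permits adding a file to a directory;
        # Write, Modify and FullControl all include it.
        $grantsCreate  = ($rights -band [System.Security.AccessControl.FileSystemRights]::CreateFiles) -ne 0
        # InheritOnly entries apply to children only, never to the folder they sit on.
        $appliesToRoot = ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -eq 0
        if ($ace.AccessControlType -eq 'Allow' -and $grantsCreate -and $appliesToRoot) {
            [PSCustomObject]@{
                Identity = $ace.IdentityReference.Value
                Rights   = $rights
                Scope    = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
            }
        }
    }
}

Get-RootFileCreators | Format-Table -AutoSize
```

Any identity in that output other than the built-in Administrators group and SYSTEM (or an equivalent you deliberately granted) is either the path the dropper used or a weakness to close. If only the expected principals appear, the writer was running with administrative or SYSTEM rights, which narrows the search to services, scheduled tasks and elevated sessions.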

Implement these security best practices:

  • Enable Windows Defender Controlled Folder Access
  • Configure proper NTFS permissions on root directory
  • Implement software restriction policies
  • Regularly audit scheduled tasks and services
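For the last item, auditing scheduled tasks and services, the useful question on this page is narrower than "list everything": which persistence mechanism launches something from the root of C:\? A file that keeps reappearing is usually re-dropped or re-run by one of these. The added example below (my code, not the original page's; root path, extension list and function name are my assumptions) searches scheduled task actions, service binary paths and the Run/RunOnce keys for commands that point at a file directly under the root:

```powershell
# Added example: find persistence that launches a file sitting directly in C:\.
# Covers scheduled task actions, service image paths and HKLM/HKCU Run keys.

function Get-RootPathPersistence {
    param([string]$Root = 'C:\')
    # "C:\name.ext" with no further backslash, for executable-looking extensions.
    # "C:\Windows\x.exe" does not match because the character class excludes '\'.
    $rx = '(?i)' + [regex]::Escape($Root) + '[^\\\s"]+\.(exe|dll|bat|cmd|ps1|vbs|js)\b'
    $hits = @()

    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in @($t.Actions)) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match $rx) {
                $hits += [PSCustomObject]@{ Source = 'ScheduledTask'; Name = "$($t.TaskPath)$($t.TaskName)"; Command = $cmd; State = $t.State }
            }
        }
    }

    foreach ($s in Get-CimInstance Win32_Service) {
        if ($s.PathName -match $rx) {
            $hits += [PSCustomObject]@{ Source = 'Service'; Name = $s.Name; Command = $s.PathName; State = $s.State }
        }
    }

    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSProvider etc. are not values
            if ("$($p.Value)" -match $rx) {
                $hits += [PSCustomObject]@{ Source = 'RunKey'; Name = "$k\$($p.Name)"; Command = "$($p.Value)"; State = '' }
            }
        }
    }
    $hits
}

Get-RootPathPersistence | Format-Table -AutoSize -Wrap
```

This is a deliberately narrow cut of what Autoruns shows; its value is that a hit here ties the file on disk to the thing that recreates it, so removal of both happens together. WMI event subscriptions, Winlogon and shell extension entries are outside its scope, so run Autoruns as well if this returns nothing.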

For comprehensive monitoring, consider implementing Windows Event Forwarding and monitoring Event ID 4663 (object access audit); remember that 4663 is only emitted for directories that carry a SACL, so the audit policy and the per-folder auditing entry both need to be in place.