![]() ![]() In the 'MaintenanceSettings' section you can see two fields. The field named 'UseUnifiedSchedulingEngine' has a value of 'true' and indicates that, according to Microsoft's site, the unified programming engine will be used to perform the task. The field named 'ExecutionTimeLimit' has a value of 'PT1H' and indicates that, according to the Microsoft site, the task will be executed for a maximum time of one hour. ![]() The field named 'RunLevel', has a value of 'HighestAvailable' and indicates that, according to the Microsoft site, the task will be executed with the highest user permissions available, ( System user). The version of this task corresponds to 1.0. %SystemRoot%\system32\pnpclean.dll According to the Microsoft site, there are two versions of tasks: 1.0 and 2.0. The first thing you can see is that it refers to a file called 'pnpclean.dll', ( which I will tell you a little later), which is in: How? A new anti-forensics feature in Windows? That's against my curiosity. I thought it appropriate to give you this brief chronology so that you can see that, at times, there are great works, projects and ideas, which arise from a mere observation, from a small comment.Īpparently, this is a scheduled task that will remove all devices that haven't been connected for 30 days. there is no evil that for good does not come, because Adam Harrison did an excellent job publishing a resolution to the challenge, in his Blog, ( on July 30, 2018), with the article " Windows Plug and Play Cleanup". I didn't consider the hard disk space needed for upgrades and fell short of assigning an appropriate disk size. For this challenge, document which versions of Windows 10 have the task enabled and whether it survives the upgrade." In the most recent versions of Windows 10 this seems to be disabled. In Windows 8.1 and the first versions of Windows 10 there was the task of removing plug and play devices that had not been connected for 30 days. Shortly after, ( July 29, 2018), David posted a new challenge in his Blog, with a very clear question: " Windows 10 keeps changing and with it its behavior. Once these tests were finished, I let David know by means of another message, ( on June 7, 2018), because this 'new' feature of Windows had me completely confused. I lifted some virtual machines, installed several versions of Windows and made the relevant tests. So I set to work and announced it in another tweet, ( May 4, 2018). David also refers to the source of the news but, unfortunately, is no longer available, ( ). In that article, David says that: " Windows, by itself and without the user's request, is systematically removing some unused device entries from the Registry, driven by the task scheduler". Accompanying this tweet is a link to an article by David Cowen, ( published on April 19, 2018), under the title " Windows, Now with built in anti forensics!". In that tweet, Alexis mentions that it seems that Windows likes to remove entries from USB devices if they are not connected in 30 days. ![]() After my presentation at the CONPilar Cybersecurity Congress, ( April 28, 2018), under the title " Think twice before you insert it", and after the corresponding publication of a very brief article in ' Follow the White Rabbit', ( May 1, 2018), Alexis Brignoni was kind enough to make an observation that same day, by means of a tweet, which perplexed me. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |