User guide

5.6.4.1 Generating Service script
To generate a script, right-click any item from the menu tree (in the left pane) in the ESET SysInspector main
window. From the context menu, select either Export All Sections To Service Script or Export Selected Sections To
Service Script.
NOTE: It is not possible to export the service script when two logs are being compared.
5.6.4.2 Structure of the Service script
In the first line of the script’s header, you can find information about the Engine version (ev), GUI version (gv) and
the Log version (lv). You can use this data to track possible changes in the .xml file that generates the script and
prevent any inconsistencies during execution. This part of the script should not be altered.
The remainder of the file is divided into sections whose items can be edited to denote which ones will be processed
by the script. You mark an item for processing by replacing the “-” character in front of it with a “+” character.
Sections in the script are separated from each other by an empty line. Each section has a number and title.
01) Running processes
This section contains a list of all processes running in the system. Each process is identified by its UNC path and,
subsequently, its CRC16 hash code in asterisks (*).
Example:
01) Running processes:
- \SystemRoot\System32\smss.exe *4725*
- C:\Windows\system32\svchost.exe *FD08*
+ C:\Windows\system32\module32.exe *CF8A*
[...]
In this example a process, module32.exe, was selected (marked by a “+” character); the process will be terminated upon
execution of the script.
02) Loaded modules
This section lists currently used system modules.
Example:
02) Loaded modules:
- c:\windows\system32\svchost.exe
- c:\windows\system32\kernel32.dll
+ c:\windows\system32\khbekhb.dll
- c:\windows\system32\advapi32.dll
[...]
In this example the module khbekhb.dll was marked by a “+”. When the script runs, it will recognize the processes
using that specific module and end them.
03) TCP connections
This section contains information about existing TCP connections.
Example:
03) TCP connections:
- Active connection: 127.0.0.1:30606 -> 127.0.0.1:55320, owner: ekrn.exe
- Active connection: 127.0.0.1:50007 -> 127.0.0.1:50006,
- Active connection: 127.0.0.1:55320 -> 127.0.0.1:30606, owner: OUTLOOK.EXE
- Listening on *, port 135 (epmap), owner: svchost.exe
+ Listening on *, port 2401, owner: fservice.exe
- Listening on *, port 445 (microsoft-ds), owner: System
[...]
When the script runs, it will locate the owner of the socket in the marked TCP connections and stop the socket,
freeing system resources.
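The section layout described above (a header line, then numbered sections separated by an empty line, each item prefixed with “-” or “+” and, for processes, a CRC16 value in asterisks) can be parsed before the script is run, so a reviewer can see exactly which items it will act on. This is an added example, not ESET code; the sample script and its header line are constructed here, since the guide does not show the exact header syntax.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in the layout this section describes; the header line is a
# placeholder, because the guide does not show the exact ev/gv/lv syntax.
SAMPLE_SCRIPT = r"""
# header placeholder: ev=<engine>, gv=<gui>, lv=<log>  (never edit this line)

01) Running processes:
- \SystemRoot\System32\smss.exe *4725*
- C:\Windows\system32\svchost.exe *FD08*
+ C:\Windows\system32\module32.exe *CF8A*

03) TCP connections:
- Active connection: 127.0.0.1:30606 -> 127.0.0.1:55320, owner: ekrn.exe
+ Listening on *, port 2401, owner: fservice.exe
- Listening on *, port 445 (microsoft-ds), owner: System
"""

SECTION_RE = re.compile(r"^(\d{2})\) (.+?):?$")       # "01) Running processes:"
ITEM_RE = re.compile(r"^([-+]) (.*)$")                 # "-"/"+" marker, then the item
CRC_RE = re.compile(r" \*([0-9A-Fa-f]{1,4})\*$")       # trailing CRC16 in asterisks

@dataclass
class Section:
    number: str
    title: str
    items: list = field(default_factory=list)   # (marked, text, crc16 or None)

def parse_service_script(text):
    """Split a script into its header and sections; a section ends at an empty line."""
    lines = text.strip("\n").splitlines()
    header, sections, current = lines[0], [], None
    for line in lines[1:]:
        if not line.strip():
            current = None
            continue
        if (m := SECTION_RE.match(line)):
            current = Section(m.group(1), m.group(2))
            sections.append(current)
        elif current is not None and (m := ITEM_RE.match(line)):
            body, crc = m.group(2), None
            if (h := CRC_RE.search(body)):
                body, crc = body[:h.start()], h.group(1)
            current.items.append((m.group(1) == "+", body, crc))
    return header, sections

def marked_items(text):
    """Everything the script would act on (end process, unload module, close socket)."""
    _, sections = parse_service_script(text)
    return {s.title: [t for marked, t, _ in s.items if marked] for s in sections}
```

Running `marked_items(SAMPLE_SCRIPT)` lists only the “+” entries per section, which is the set of actions to confirm before executing the script.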