Windows 7 Guest Account: Stop Screen Capture Software

TL;DR

An attacker installed screen capture software in a Windows 7 guest account. This guide shows how to remove the software, harden the account against future attacks, and monitor for suspicious activity.

Solution Guide

1. Identify the Software

• Check Task Manager (Ctrl+Shift+Esc) for running processes with unusual names or high resource usage.
• Look in Control Panel > Programs and Features for recently installed software you don’t recognise.
• Use a tool like Autoruns (from Sysinternals Suite – https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns) to find programs that start automatically with Windows. Pay attention to entries with unknown publishers or locations.
• Scan the system with a reputable antivirus and anti-malware program (e.g., Malwarebytes).

Remove the Software

• Uninstall via Control Panel > Programs and Features if possible.
• If uninstallation fails, use Autoruns to disable any startup entries related to the software.
• Delete any associated files from the following locations (after backing up important data):
  • C:Program Files
  • C:ProgramData (hidden folder – enable ‘Show hidden files and folders’ in File Explorer options)
  • %TEMP% (type this into the Run dialog box – Win+R)

Harden the Guest Account

1. Limit User Privileges: Ensure the guest account has minimal privileges. It should *not* be an administrator account.
   • Right-click ‘Computer’ on the desktop or in File Explorer, select ‘Properties’.
   • Click ‘Advanced system settings’.
   • In the ‘User Profiles’ section, click ‘Properties’.
   • Select the guest account and review its profile type. It should be a standard user.
2. Disable Scripting: Guest accounts are often targeted via malicious scripts.
   • Open Group Policy Editor (gpedit.msc). Note: This is not available on Windows 7 Home edition. If you have Home edition, skip to step 3.
   • Navigate to User Configuration > Administrative Templates > System.
   • Double-click ‘Prevent execution of batch files’. Enable this policy.
   • Double-click ‘Prevent the execution of installation applications’. Enable this policy.
3. Firewall Rules: Configure Windows Firewall to restrict network access for the guest account.
   • Open Windows Firewall with Advanced Security (wf.msc).
   • Create an outbound rule blocking all connections from the guest account’s user profile. This is complex and may break functionality; test carefully. A simpler approach is to block specific ports commonly used by remote access tools.
4. Disable Remote Desktop: If not needed, disable Remote Desktop for the guest account.
   • System Properties > Remote tab. Uncheck ‘Allow connections from computers running any version of Remote Desktop’.
5. Strong Password (if applicable): If a password is used, ensure it’s strong and unique. Consider disabling the account entirely if it’s not actively needed.

Monitor for Suspicious Activity

• Regularly review Event Viewer (eventvwr.msc) for unusual events, especially in the Security and Application logs.
  • Look for failed login attempts, new process creations, or unexpected system modifications.
• Monitor network traffic using a tool like Wireshark to identify any suspicious connections originating from the guest account.
• Schedule regular antivirus/anti-malware scans.