I posted this in the Windows forum, but now I'm thinking it should have been in here....
I have a piece of malicious software on my computer... each time it runs I suspect it's running a batch file to do malicious things. Is there any way to have my system monitor what the batch file does? Or to capture it? I've looked everywhere for a tool that would facilitate this and have come up empty.
It's running on Windows XP.

What do you mean you THINK?? Do you see a CMD screen pop up and then CLOSE fast? If you do (or you don't), open Task Manager and watch to see if a little command prompt screen comes up when you run the program. Also, what is this malicious program? You might have been googling the wrong thing. Instead of googling something to monitor your computer, google the program and its rating and comments. It might just give you your solution.

A) I say I SUSPECT it's running a batch file because in the memory strings for this malware (it starts as an executable) it lists a batch file. That said, I never see a command prompt pop up.
B) I didn't accidentally get this malware. You might say it's part of my job to find out how these little buggers work.
C) I've watched the processes and never see cmd.exe come up. Does that automatically mean that the batch file didn't run? Forgive me for being ignorant about batch files....
Even with this specific piece of malware aside, I'd still like an answer to the question at hand. In the past my technique for CAPTURING a batch file has been much more "basic". To make a long story short, in the past I've found the temp file it pops up in and copied it quickly before it deletes. But my assumption is that it's sometimes more difficult than that.
So... in summary.... I just need to know if there is a way, or a program, to monitor or capture batch files that are automatically (in this case maliciously) executed.

No. Just because you didn't see a batch file come up in the Task Manager doesn't mean it didn't happen. But I don't see why anyone would go to all that trouble to make a batch file run invisibly, unless they were using it to place a trojan (even still, why would they use a batch file for that?). Oh, and yes it is possible, even using anti-virus will work. In some anti-virus settings you can have them catch batch files and other types of files, e.g. .exe, .com (I use AVG Anti-Spyware and it can search for them). And I'm just curious, but what is this for, a job, school?

It's part of my job.
The problem with anti-virus is that it stops the whole works. If I'm going to test malware and see what it does, I can't have anti-virus running.
Right now I have a cache of tools that I use to analyze these things. By analyze I mean observe, not stop.
So, I need a tool to observe and capture batch files in action.... I'm sure it's possible.

It's like soap said: if the batch file is used with a .vbs file to make it run invisibly, in Windows XP it will pop up for a second before it becomes invisible, but in Windows Vista it won't. One way to tell, though, is there will be a new instance of rundll32.exe in Task Manager after it does. But if it's an executable file running a batch file, it's likely a converted batch file. Bat-to-exe converters just add a header to the top of a batch file that can interpret the commands. To see what's in the suspected converted batch file, wait till you think it's running, open your %temp% folder (it will be easier if you clear it before it runs) and look for an out-of-the-ordinary .tmp file or any file, and open them up in Notepad. The one you are looking for will contain a header and then underneath it the original batch file. Oh, and if they did use a converter and it's really a batch file, it won't use rundll32.exe or a script to make it invisible, so you probably won't be able to tell that way. Hope this helps.

Well... I APPRECIATE the advice. Unfortunately this is the method I've been using. I was hoping for something a little more automated. Surely someone makes a tool that can monitor just for command line activity or batch files... maybe I'm naive though.
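An added example, not posted by anyone in this thread, of the more automated capture the original poster asks for: a polling watcher that copies every file that newly appears in %temp% before the sample can delete it, and flags copies whose body reads like a batch script (which also catches the script text sitting below a bat-to-exe stub's header). The marker regex, the output folder name and the sample files in the test are constructed for this example.

```python
import os
import re
import time

# Constructed heuristic: lines that typically open a batch-script body.
# A bat-to-exe stub keeps the original script as plain text below its
# header, so the same check flags converted batch files.
BATCH_MARKERS = re.compile(
    r"^\s*(@?echo\b|@?set\b|rem\b|cd\b|del\b|copy\b|start\b|reg\b|:\w)",
    re.IGNORECASE | re.MULTILINE)


def looks_like_batch(data):
    """True when the bytes contain at least two batch-style command lines."""
    return len(BATCH_MARKERS.findall(data.decode("latin-1"))) >= 2


def capture_new_files(watch_dir, seen, out_dir):
    """Copy every file that appeared in watch_dir since the caller's last poll.
    `seen` is the set of paths already known and is updated in place.
    Returns a list of (original_path, captured_copy, is_batch_like)."""
    captured = []
    for name in sorted(os.listdir(watch_dir)):
        path = os.path.join(watch_dir, name)
        if path in seen or not os.path.isfile(path):
            continue
        seen.add(path)
        try:
            with open(path, "rb") as src:
                data = src.read()
        except (IOError, OSError):
            continue  # deleted or locked between the listing and the read
        dest = os.path.join(out_dir, "%04d_%s" % (len(seen), name))
        with open(dest, "wb") as dst:
            dst.write(data)  # our copy survives when the original is deleted
        captured.append((path, dest, looks_like_batch(data)))
    return captured


def watch(watch_dir, out_dir, interval=0.2, duration=None):
    """Poll watch_dir until `duration` seconds pass (forever if None)."""
    if not os.path.isdir(out_dir):
        os.makedirs(out_dir)
    seen = set(os.path.join(watch_dir, n) for n in os.listdir(watch_dir))
    deadline = None if duration is None else time.time() + duration
    while deadline is None or time.time() < deadline:
        for orig, copy, is_bat in capture_new_files(watch_dir, seen, out_dir):
            print("captured %s -> %s%s" % (orig, copy, " [batch-like]" if is_bat else ""))
        time.sleep(interval)


if __name__ == "__main__":
    # %TEMP% on Windows, /tmp elsewhere; clear the folder first, as advised above.
    watch(os.environ.get("TEMP", "/tmp"), "captured_temp")
```

Run it before launching the sample; every new temp file is preserved under captured_temp and the batch-like ones are called out, so there is no race to copy by hand.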