Kixtart – a newbie perspective
May 25, 2006
Recently I discovered that where I'm working, the administrators run a software and hardware asset management script every time I log in to my system. Upon logon, I could see a folder being created under C:\sam containing a few files:
- SAMHW.exe
- Kixtart.exe
- samv3.kix
- and other dll files
After some investigation I managed to find out that
- SAMHW.exe is a hardware asset management tool. It will scan your PC for new or suspicious hardware.
- Kixtart is an executable that is run upon logon but before the desktop is launched. This means that it is the first thing that runs on your PC whenever you log on to your domain. You cannot stop it from running, otherwise you will be logged out of your system due to the BREAK command.
- samv3.kix is a software auditing script that is run by Kixtart.exe.
What the script usually does is scan your registry for new / suspicious / pirated software, and log the findings in a file stored in a shared / networked directory named after your machine id / user name / computer name.
How to stop it from running? You can't. By design Kixtart cannot be stopped from running the moment you log on to your domain.
So what can you do?
- Delete the folder c:\sam
- Before bootup, remove all network connections from your laptop
- Boot up and log in as per normal
- If you need to access domain folders etc, you should still be able to access since your IP address will reflect that you are eligible to access
- Remove network connections before you log off.
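Seen from the administrator's side, the steps above leave a visible trace: a machine that keeps showing up on the network while its report on the audit share goes stale or never appears. The Python check below is an added example, not part of the original post or of samv3.kix; the share layout (one report file per computer name), the `last_seen` inventory (for example from DHCP or directory data) and all host names are assumptions.

```python
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

def report_times(share: Path) -> dict:
    """Map upper-cased computer name -> mtime of its newest report file."""
    newest = {}
    for entry in share.iterdir():
        if entry.is_file():
            host = entry.stem.upper()  # assumption: files are <COMPUTERNAME>.<ext>
            mtime = datetime.fromtimestamp(entry.stat().st_mtime)
            if host not in newest or mtime > newest[host]:
                newest[host] = mtime
    return newest

def audit_gaps(last_seen: dict, reports: dict, max_lag: timedelta) -> dict:
    """Return host -> reason for hosts active on the network without a fresh report."""
    gaps = {}
    for host, seen in last_seen.items():
        report = reports.get(host.upper())
        if report is None:
            gaps[host] = "no report on share"
        elif seen - report > max_lag:
            lag = (seen - report).days
            gaps[host] = f"report is {lag} days older than last network activity"
    return gaps

def demo() -> dict:
    """Run the check over constructed sample data (not real hosts or reports)."""
    now = datetime(2006, 5, 25, 9, 0)
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        # Constructed reports: PC-001 audited today, PC-002 audited 30 days ago.
        for name, age_days in (("PC-001.log", 0), ("pc-002.log", 30)):
            f = share / name
            f.write_text("constructed sample report\n")
            ts = (now - timedelta(days=age_days)).timestamp()
            os.utime(f, (ts, ts))
        # Constructed inventory: all three hosts were seen on the network today.
        last_seen = {"PC-001": now, "PC-002": now, "PC-003": now}
        return audit_gaps(last_seen, report_times(share), timedelta(days=7))

if __name__ == "__main__":
    for host, reason in demo().items():
        print(host, "-", reason)
```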
Reference: www.kixtart.org, Ars Technica forum