How To Tell If Your PC Is Hacked (Windows 11)
- Biohazard

- 17 hours ago
- 6 min read

How To See If Your Windows 11 PC Is Compromised
Here's a structured approach to checking for compromise on a Windows 11 system, organized from the most reliable forensic artifacts down to subtle behavioral indicators. Run through these in order. This is a guide on how to tell if your PC is hacked (Windows 11).
Tier 1: High Confidence - These Prove Compromise
1. Check for Autoruns (Persistence Mechanisms)
This is where most attackers live. Use Autoruns from Sysinternals (run as Administrator) — it shows every persistence point on the system. The built-in msconfig or Task Manager only show a fraction.
powershell
# Download and run Autoruns
curl -L -o autoruns.zip https://live.sysinternals.com/autoruns.zip
expand-archive autoruns.zip .
.\Autorunsc64.exe -a -h -s -v -o autoruns.csv
# Or check persistence points manually via PowerShell:
Get-CimInstance Win32_StartupCommand | Select Name, Command, Location
# Check scheduled tasks — very common persistence
schtasks /query /fo LIST /v | findstr /i "payload beacon update maintenance"
# Check WMI event subscriptions (fileless persistence)
Get-WmiObject -Namespace root\subscription -Class __EventFilter
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding
What to look for: Entries in unusual locations — HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce, Startup folders, scheduled tasks named to look like Windows services (WindowsUpdateTask, SecurityHealth, AdobeUpdater), WMI event subscriptions (almost never legitimate on a workstation).
2. Network Connections to C2
powershell
# Active connections with process mapping (run as admin)
netstat -ano -p TCP | findstr ESTABLISHED
# Resolve remote IPs to check against known bad ranges
Get-NetTCPConnection | Where State -eq Established | Select-Object -Property `
@{Name="LocalAddress";Expression={$_.LocalAddress}},
@{Name="LocalPort";Expression={$_.LocalPort}},
@{Name="RemoteAddress";Expression={$_.RemoteAddress}},
@{Name="RemotePort";Expression={$_.RemotePort}},
@{Name="OwningProcess";Expression={Get-Process -Id $_.OwningProcess | Select -ExpandProperty ProcessName}}
Cross-reference remote IPs against:
Known C2 infrastructure ranges: DigitalOcean, Hetzner, OVH, BuyVM, Contabo
Common malware ports: 4444, 5555, 8080, 8443, 9001, 31337
Connections to IPs on non-standard ports that persist after browser closes
Beaconing check — if you can observe over time (e.g., check netstat every 30 seconds for 10 minutes), look for connections that appear periodically every 30-60 seconds to the same IP.
powershell
# Quick beacon check — run this every 30s in a loop
while(1) {
Get-NetTCPConnection -State Established | Where RemotePort -notin @(80,443,22) | Format-Table RemoteAddress,RemotePort
Start-Sleep 30
}
3. Check for Unusual Drivers (Kernel-Level Compromise)
powershell
# List loaded kernel drivers
Get-WmiObject Win32_SystemDriver | Where State -eq Running | Select DisplayName,PathName,Started,StartMode
# Check for Microsoft names + third-party publishers
driverquery /si | findstr /v "Microsoft"
Watch for: Drivers loaded from %TEMP%, drivers signed by unknown publishers, unsigned drivers (Windows 11 blocks these by default, but an attacker with admin access can install them), drivers named to look like real drivers but are actually malicious (ntfs.sys is legitimate; ntfs64.sys is suspicious).
4. Check Security Event Logs for Tampering
powershell
# Check if security log was cleared — this is a massive red flag
Get-WinEvent -LogName "Security" -MaxEvents 1 | Select TimeCreated,Id
# If no events or only recent events, log was likely cleared
# Compare with:
(Get-WinEvent -ListLog "Security").RecordCount
# Check event 1102 (Security log cleared)
Get-WinEvent -FilterHashtable @{LogName="Security";Id=1102} -MaxEvents 5
An attacker who clears the security log is running with admin privileges and expects to be caught. If the security log has been wiped, you're dealing with someone who knows what they're doing.
5. Check Account Anomalies
powershell
# List all local users, including hidden ones
Get-LocalUser | Select Name,Enabled,PasswordLastSet,LastLogon,Description
# Check for accounts with last logon but user doesn't recognize
# Check the Administrators group
net localgroup Administrators
# Look for accounts added recently
Get-LocalUser | Where PasswordLastSet -gt (Get-Date).AddDays(-30)
# Check for RDP access being enabled unexpectedly
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections
Watch for: Unknown user accounts (especially with generic names like Support, Admin, Backup, Temp), familiar user accounts with a recent password change the user didn't make, guest accounts enabled.
Tier 2: Moderate Confidence - Suspicious Behavior
6. Process Anomalies
powershell
# Processes with no parent (orphan processes)
Get-WmiObject Win32_Process | Where {$_.ParentProcessId -eq 0} | Select Name,ProcessId
# Processes running from temp directories
Get-Process | Where {$_.Path -match "\\Temp\\"} | Select ProcessName,Id,Path
# Processes with suspicious names (typosquatting)
Get-Process | Where { $_.ProcessName -match "^(svch0st|expl0rer|scvhost|lsasss|winlog0n)$" }
# Check for hidden processes (visible to kernel not userspace) — requires driver
The most common trick: malware named svchost.exe running from C:\Users\<user>\AppData\ or C:\Windows\Temp\. Real svchost.exe lives in C:\Windows\System32\ and is started by services.exe (parent PID is the services control manager).
7. File System Anomalies
powershell
# Check common malware drop locations for recently created executables
Get-ChildItem -Path "$env:TEMP" -Recurse -Include *.exe,*.dll,*.ps1,*.vbs,*.js | Where LastWriteTime -gt (Get-Date).AddDays(-14)
# Check AppData for unusual executables
Get-ChildItem -Path "$env:LOCALAPPDATA" -Recurse -Include *.exe,*.dll -Depth 2 | Where LastWriteTime -gt (Get-Date).AddDays(-14)
# Check for ADS (Alternate Data Streams) — NTFS hiding technique
Get-ChildItem C:\ -Recurse -ea 0 | ForEach { Get-Item $_.FullName -Stream * } | Where Stream -ne ':$DATA'
# Hidden files in unusual locations
Get-ChildItem -Path C:\ -Hidden -Filter *.exe -ErrorAction SilentlyContinue
Common hiding spots: C:\Users\<user>\AppData\Local\Temp, C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Templates, C:\Windows\Temp, C:\PerfLogs, recycle bin artifacts, C:\ProgramData\ subdirectories.
8. DNS Query Anomalies
powershell
# View DNS cache for suspicious domains
Get-DnsClientCache | Where Name -notmatch "(microsoft|google|apple|facebook|amazon|cloudflare|windows|office|akamai|azure)\.com$" | Sort-Object Name -Unique
What to look for: Domains using DGA patterns (random-looking strings), subdomains that look like encoded data (a1b2c3d4.malware-c2.com), connections to registered-soon domains (if you check WHOIS and the domain was created 2 months ago, that's suspicious).
Tier 3: Behavioral Indicators
9. Strange System Behavior
High CPU/Disk/Network when idle — open Task Manager, sort by CPU and Disk, see what's active when you're doing nothing. C2 beaconing, crypto mining, or data exfiltration.
Unexplained data usage — check Data Usage in Windows Settings or via PowerShell:
powershell
Get-NetAdapterStatistics | Select Name,ReceivedBytes,SentBytes
Webcam/mic LED turning on unexpectedly — check Device Manager → Cameras or run:
powershell
# Check camera and mic access logs
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Camera/Camera";Id=1010} -MaxEvents 10
Mouse moving on its own / random clicks / windows closing without input
Firewall rules being disabled or new allow rules appearing:
powershell
netsh advfirewall firewall show rule name=all dir=in | findstr /i "allow"
netsh advfirewall firewall show rule name=all dir=out | findstr /i "allow"
Windows Defender being disabled — this is a massive red flag:
powershell
Get-MpComputerStatus | Select RealTimeProtectionEnabled,AntispywareEnabled,NISEnabled
Tier 4: Deep Forensic Collection (If You Suspect A Breach)
If any of the above flags came up, escalate to full forensic acquisition:
powershell
# 1. Memory dump (the most valuable artifact)
# Requires procdump from Sysinternals
.\procdump64.exe -accepteula -ma lsass.exe lsass.dmp # Credential theft investigation
.\procdump64.exe -accepteula -r -ma -n 3 -s 5 -c 50 svchost.exe # Dump process hitting 50% CPU
# Or full memory capture (use winpmem or Magnet RAM Capture)
.\winpmem_mini_x64_rc2.exe memory.raw
# 2. Collect prefetch files (execution history)
Copy-Item C:\Windows\Prefetch\* $env:TEMP\forensic\prefetch\
# 3. Collect recent file execution (MRU)
# RecentDocs
reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" $env:TEMP\forensic\recentdocs.reg
# RunMRU
reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" $env:TEMP\forensic\runmru.reg
# 4. Collect USN journal (file change journal)
fsutil usn readjournal C: > $env:TEMP\forensic\usn_journal.txt
# 5. Collect event logs
wevtutil epl Security $env:TEMP\forensic\security.evtx
wevtutil epl System $env:TEMP\forensic\system.evtx
wevtutil epl Application $env:TEMP\forensic\application.evtx
wevtutil epl "Windows PowerShell" $env:TEMP\forensic\powershell.evtx
wevtutil epl "Microsoft-Windows-TaskScheduler/Operational" $env:TEMP\forensic\taskscheduler.evtx
Automated Triage Script
powershell
# Save as triage.ps1, run as Administrator
$out = "$env:TEMP\forensic_$(Get-Date -Format yyyyMMdd_HHmmss)"
New-Item -ItemType Directory -Path $out -Force
# System info
systeminfo | Out-File "$out\systeminfo.txt"
Get-Service | Format-Table -AutoSize | Out-File "$out\services.txt"
# Network
Get-NetTCPConnection | Format-Table -AutoSize | Out-File "$out\netstat.txt"
Get-DnsClientCache | Format-Table -AutoSize | Out-File "$out\dns_cache.txt"
netsh advfirewall firewall show rule name=all dir=in | Out-File "$out\firewall_in.txt"
# Processes
Get-Process | Format-Table Id,ProcessName,Path,CPU,PM -AutoSize | Out-File "$out\processes.txt"
Get-WmiObject Win32_StartupCommand | Format-Table -AutoSize | Out-File "$out\startup.txt"
# Accounts
Get-LocalUser | Format-Table -AutoSize | Out-File "$out\local_users.txt"
net localgroup Administrators | Out-File "$out\admin_group.txt"
# Persistence
Get-ScheduledTask | Where State -eq Ready | Format-Table TaskName,TaskPath,State | Out-File "$out\tasks.txt"
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" | Out-File "$out\run_local_machine.txt"
Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" | Out-File "$out\run_current_user.txt"
# Security
Get-MpComputerStatus | Format-List | Out-File "$out\defender_status.txt"
# Browser extensions (Chrome-based)
if (Test-Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions") {
Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions" -Directory |
ForEach { (Get-Item "$_\*manifest.json" | Get-Content | ConvertFrom-Json).name } |
Out-File "$out\chrome_extensions.txt"
}
# Suspicious file locations
Get-ChildItem -Path "$env:TEMP" -Recurse -Include *.exe,*.dll,*.ps1,*.vbs,*.js -File -ErrorAction SilentlyContinue |
Select FullName,LastWriteTime,CreationTime,Length | Out-File "$out\temp_executables.txt"
Write-Host "[+] Forensic data saved to $out"Quick Triage Decision Guide
You Found This | Likelihood |
Established C2 connection to known malicious IP | Compromised, active |
Unknown admin account | Compromised |
Security log cleared | Compromised, skilled attacker |
Device admin EDR/Defender disabled | Compromised |
WMI event subscription | Compromised, fileless persistence |
Scheduled task with base64-encoded payload | Compromised |
Unusual driver from Temp directory | Rootkit / kernel compromise |
Process from %TEMP% named svchost.exe | Compromised |
High outbound traffic when idle | Exfiltration or C2 beaconing |
Just a weird popup or browser redirect | Adware / potentially unwanted |
Only one strange registry entry | Investigate further |


Comments