Hello everyone! This is a guide for people that want to improve at screensharing!
I will show some advanced things that may help you!
This is a method for Windows 10 only (some of the methods work for Win7 as well).
Firstly, this is an ADVANCED method.
If you don’t know the basics I recommend checking Unalert SS guide first! Here
Let's say someone is using an external client: all you need to know is what the file name is. If they're using something like Vape, just check pcaclient or go to their antivirus process in Process Hacker: msmpeng.exe (Windows Defender).
Strings, minimum length 4, then type 'manthe'. If something pops up, they're using Vape Lite / Vape.
If MC has been open for 12 minutes and explorer for 7, it means they restarted explorer before the screenshare.
New clients come with string cleaners in their self-destruct. It's kind of useless to check javaw.exe now if someone is on a non-forge client, because they leave no strings. If they're using autoclickers, just check pcaclient, prefetch and %TEMP%. Now, for the new clients, I recommend typing in their explorer.exe: ms-shellactivity, then .exe
That will show the external clients they ran.
This method worked for me finding clients like whiteout, yukio, cucklord and itami etc. Almost all clients show up in that. (This method is good because it will show any weird .exe file someone ran. If something like 4t7khfd.exe is in it, just go to either csrss.exe or explorer and type that file name in. If a file location shows up, copy it and paste it in Win + R. If it's a client, it means they're cheating; if it doesn't show up and it shows an error, they deleted it.)
Type ’downloads’ in explorer to show everything they downloaded.
Don't forget to run processhacker in ADMIN mode
Now for an even more advanced method; some people may know this.
Go to csrss.exe, strings 4, then type C:, users, .exe
Most clients show up in that; check for weird file names. Clients can't really hide from csrss. If someone terminates that process, they get a bluescreen.
dps: This is my favorite process to check for clients. Whenever I find out the name of the file their client is disguised in, I always type it in dps: (filename)
If something pops up, I go to either explorer or csrss to find that file by typing it in.
dps is a good process to get strings for clients. Keep in mind that even a client for 100$ can leave strings in dps, but it gets a new string every time you restart the computer.
Dps is good to check for things like 2 "Anydesk" entries.
Notice how there are 2 Anydesks and they do not have the same numbers.
If someone ran 2 Anydesks, you can check that in dps and check the last numbers like this: !2020/05/29:06:27:30!0!. The real Anydesk starts with 2021, so that means they're most likely cheating. (That's the koid string.)
That was an example if someone ran 2 anydesks before the screenshare.
Smartscreen:
You can type something like .exe and check for weird file names. I'm going to give 2 strings. The 1st one is itami: if someone ran itami, it will show up in smartscreen unless they terminated it. String: itami. If .exe pops up, it means they're cheating. The second one is 'Vape'.
dnscache: This is basically what people have searched (browser). I usually use this to type in things like .gg, .xyz, .net
I don't need to explain why; you can figure that out for yourself.
I will be giving old strings that still work for clients:
Koid (pcasvc)
0x268fc8403ce
dps:
!2020/07/22:23:28:56!0! (last version)
!2020/05/29:06:27:30!0! (old version)
Itami:
!2020/09/28:01:13:10!0! (Itami 2.0)
!2016/01/20:08:28:11!27826f2! (Itami 1.4)
!2020/08/24:15:03:39!0! (Itami 1.4.1)
!2020/07/21:00:58:02!0! (Itami 1.3 --> might close dps)
!2017/03/11:13:23:50!151ae54! (older version)
VapeV4: !2020/05/12:04:02:56!67b775!
Vape V4 CRACKED (kangaroo) !2020/11/05:01:42:25!795e78!
MantheClicker Cracked:
DPS: 2020/08/24:18:50:06
Diagtrack: DE0B445F
Explorer: Manthe MANTHE~1
Vape Lite dps:!2019/05/19:20:48:16!751b9d52! (CRACKED VAPE LITE)
I do have a lot more strings but I'd rather keep them private.
Regedit.exe
○ Press Windows Key + R, type in regedit, and press enter.
○ Whenever regedit opens, in the top navigation bar, copy and paste this in:
Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
○ Whenever it finishes opening the directory, you will be given a list of programs.
○ Look through all programs and make sure there's nothing suspicious.
Example: C:\Users\Stefan\Downloads\RJVjMswM.exe
○ Type 'dwm.exe', double click it, and click memory.
○ Uncheck the box that says 'hide free regions' and click the 'strings' button.
○ In 'Minimum Length', type 4. - Make sure Image & Mapped are ticked, then press OK.
○ Click filter in the bottom left corner of the window that popped up (Click "contains (case-insensitive)").
○ Type the following strings: auto click, autoclick, clicker, veneclicker, 7clicker, nacl (look for nacl 32), silent clicker, agent.jar
Recyclebin modified?
Do this:
Click on VIEW^
Copy these settings ^
If you're going to get strings for clients, I recommend checking pcasvc, csrss, searchindexer and dps.
Good luck!
This is my guide on finding EXTERNAL clients.
If I didn’t explain something very well / you have any questions about this, feel free to DM me on discord: alfred#3598
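
The duplicate-name check described for dps above, as an added example that is not part of the original post: it scans a saved strings dump, flags file names that appear with different timestamp/number pairs, and matches entries against signatures you supply. The leading "!!<file name>" part of each entry and the sample dump are assumptions (the post shows only the "!timestamp!number!" tail).

```python
import re
from collections import defaultdict

# Assumed entry layout: !!<file name>!<YYYY/MM/DD:HH:MM:SS>!<hex value>!
# The guide shows only the "!<timestamp>!<hex>!" tail; the file-name prefix is an assumption.
ENTRY = re.compile(
    r"!!(?P<name>[^!\r\n]+?\.exe)"
    r"!(?P<stamp>\d{4}/\d{2}/\d{2}:\d{2}:\d{2}:\d{2})"
    r"!(?P<value>[0-9a-fA-F]+)!",
    re.IGNORECASE,
)

def parse_entries(dump):
    """Return (name, timestamp, hex value) for every entry found in the dump text."""
    return [(m["name"], m["stamp"], m["value"].lower()) for m in ENTRY.finditer(dump)]

def conflicting_names(dump):
    """Map each file name seen with 2+ different (timestamp, value) pairs to those pairs."""
    seen = defaultdict(set)
    for name, stamp, value in parse_entries(dump):
        seen[name.lower()].add((stamp, value))  # names compared case-insensitively
    return {n: sorted(v) for n, v in seen.items() if len(v) > 1}

def match_known(dump, known):
    """Return (name, label) for entries whose tail equals a caller-supplied signature."""
    hits = []
    for name, stamp, value in parse_entries(dump):
        label = known.get(f"!{stamp}!{value}!")
        if label:
            hits.append((name, label))
    return hits

# Constructed sample dump (not real output); one line per extracted string.
SAMPLE = """\
!!AnyDesk.exe!2021/03/02:10:11:12!3a1f20!
garbage line without an entry
!!anydesk.exe!2020/05/29:06:27:30!0!
!!chrome.exe!2021/01/15:08:00:00!1b2c3d!
!!chrome.exe!2021/01/15:08:00:00!1B2C3D!
"""
# Signature taken from the list in the post; the label text is ours.
KNOWN = {"!2020/05/29:06:27:30!0!": "Koid dps (old version)"}

if __name__ == "__main__":
    for name, pairs in conflicting_names(SAMPLE).items():
        print("same name, different entries:", name, pairs)
    print("signature hits:", match_known(SAMPLE, KNOWN))
```
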