🌐 Let's Innovate Together: Building a Digital World That is Safe and Secure for People and Enterprises! 🛡️
DeepSAFE® System Inspector is a public companion to the DeepSAFE commercial security platform, which uses kernel-mode drivers and virtualization-based security (VBS) technology to protect enterprise and government systems. We built this free tool to bring the same security expertise to every Windows user.
A single scan examines twelve security domains: running processes, loaded DLL modules, network connections and listeners, startup persistence, user accounts, firewall rules, recently modified system files, the DNS resolver cache, process hollowing, WMI and registry persistence, and credential access indicators.
The result is a timestamped plain-text report on your Desktop, written in clear language, with actionable findings and an overall risk level of LOW, MEDIUM, HIGH, or CRITICAL.
Process Scanner: Detects processes running from suspicious locations, unsigned executables masquerading as Windows system components, and processes with unusual memory footprints.
DLL Module Analysis: Inspects every loaded DLL for unsigned code outside trusted system directories, AppInit injection, and anonymous executable memory regions that signal code injection.
Network Threat Analysis: Maps every active connection and listener to its owning process with signature status. Flags known backdoor ports, rogue DNS servers, and processes using plaintext HTTP for outbound data.
Process Hollowing Detection: Compares executable code sections in memory against the on-disk image for every running process. A mismatch on an unsigned process is a strong indicator of process-replacement malware.
Persistence Analysis: Checks BootExecute, Winlogon, LSA packages, auto-start services, WMI subscriptions, and scheduled tasks for unauthorized entries that survive reboot.
Credential Access Detection: Identifies processes holding read access to LSASS memory (the Mimikatz pattern), non-service accounts with SeDebugPrivilege, and suspicious access to browser credential databases.
DNS Cache Inspection: Reads the Windows DNS resolver cache and flags high-entropy domain names used by malware command-and-control, IDN homoglyph phishing domains, and DNS tunneling patterns.
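As an added illustration of the DNS cache heuristics described above (example code written for this page, not DeepSAFE's own implementation): it parses constructed `ipconfig /displaydns`-style output, scores each label's Shannon entropy, and tags punycode (`xn--`) labels and unusually long labels. The entropy threshold, minimum label length and tunneling length are assumed values, not the tool's.

```python
import math
import re

# Constructed sample in the layout of `ipconfig /displaydns` output; not a real cache dump.
SAMPLE_DNS_CACHE = """\
    Record Name . . . . . : www.microsoft.com
    Record Type . . . . . : 5
    Record Name . . . . . : login.live.com
    Record Type . . . . . : 1
    Record Name . . . . . : k3j9x2qv7zp8wm4ht6yb.example-cdn.net
    Record Type . . . . . : 1
    Record Name . . . . . : xn--80ak6aa92e.com
    Record Type . . . . . : 1
    Record Name . . . . . : 6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f.t.example.org
    Record Type . . . . . : 16
"""

# Assumed heuristic thresholds for this example, not DeepSAFE's own values.
ENTROPY_THRESHOLD = 3.8   # bits per character; random-looking DGA labels score well above this
MIN_LABEL_LEN = 12        # short labels give noisy entropy scores, so they are not scored
TUNNEL_LABEL_LEN = 40     # a single very long label suggests data encoded into queries

def parse_record_names(text):
    """Return the unique hostnames from 'Record Name' lines, in order of first appearance."""
    names = re.findall(r"Record Name[ .]*: *(\S+)", text)
    return list(dict.fromkeys(n.lower().rstrip(".") for n in names))

def shannon_entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def classify_domain(name):
    """Return sorted indicator tags for one cached name; an empty list means nothing notable."""
    tags = set()
    for label in name.split(".")[:-1]:          # the TLD itself is never scored
        if label.startswith("xn--"):            # punycode: candidate IDN homoglyph domain
            tags.add("idn-punycode")
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            tags.add("high-entropy")
        if len(label) > TUNNEL_LABEL_LEN:
            tags.add("tunneling-pattern")
    return sorted(tags)

def scan_dns_cache(text):
    """Map each cached name that has at least one indicator to its tags."""
    return {n: t for n in parse_record_names(text) if (t := classify_domain(n))}
```

Entropy alone produces false positives on long legitimate CDN or hashed hostnames, so a real scanner combines it with allow-lists and the other two signals rather than alerting on one label.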
Firewall Rule Auditing: Checks for rules that block Windows Defender or Windows Update, orphaned rules for applications that no longer exist, and overly permissive inbound rules.
System File Integrity: Reports files in System32 modified within the last seven days, with intelligent classification of benign Windows Update markers, MRT completion files, and performance counter updates.
Startup Item Review: Enumerates all four standard Run key locations and flags entries that point to suspicious directories such as Temp or Downloads.
User Account Audit: Lists all local accounts with administrator status and flags unexpected additional administrator accounts.
Plain-English Report: Every finding is written in plain language with the file path, process name, or registry key involved. An executive summary and overall risk level appear at the top of the Risk Assessment section.
Step 1: Download. Click the download button. One .exe file, approximately 300 KB. No installer, no dependencies, no .NET or Java required.
Step 2: Run as Administrator. Right-click the file and select Run as administrator. The scan runs automatically and takes 60–90 seconds, depending on how many programs are running.
Step 3: Read Your Report. A plain-text report appears on your Desktop. The Risk Assessment Summary at the bottom gives the overall verdict. Every finding includes the file path or process name involved.
================================================================
SECTION 6b: FIREWALL RULE ANOMALIES
================================================================
No firewall rule anomalies detected.
================================================================
SECTION 9: PROCESS HOLLOWING DETECTION
================================================================
No process hollowing detected.
================================================================
SECTION 10: PERSISTENCE MECHANISMS
================================================================
--- Extended Registry Persistence ---
BootExecute: default (clean).
--- WMI Persistent Event Subscriptions ---
No WMI persistent event subscriptions found.
--- Loaded Kernel Drivers ---
No suspicious kernel drivers detected.
--- Scheduled Tasks (Security Relevant) ---
No suspicious scheduled tasks detected.
No persistence anomalies detected.
================================================================
SECTION 11: CREDENTIAL ACCESS INDICATORS
================================================================
--- LSASS Handle Monitoring ---
No unexpected LSASS handle access detected.
--- Unexpected SYSTEM Processes ---
--- SeDebugPrivilege Monitoring ---
--- Browser Credential Store Access ---
No credential access indicators detected.
Q: Is the tool really free?
A: Yes. DeepSAFE System Inspector is provided free of charge with no registration, no subscription, and no time limit. It is a public companion to the DeepSAFE commercial security platform.
Q: Does it require installation?
A: No. It is a single .exe file. Download it, right-click, Run as administrator, and it runs. Nothing is written to the registry or Program Files.
Q: Will my antivirus block it?
A: Some antivirus products flag security diagnostic tools because they use the same process-memory APIs used by security research software. If yours does, add DeepSAFE_Inspector_v1_2.exe to the exclusion list, or contact us at info@deepsafe.tech. The tool is Authenticode-signed by DeepSAFE Technology LLC and does not modify any files or processes.
Q: Does it send my data anywhere?
A: No. The tool does not connect to the internet. It writes only to a plain-text report on your Desktop. No telemetry, no cloud upload, no registration.
Q: Why does it need to run as Administrator?
A: Several checks require elevated privileges: reading the LSASS process token (credential theft detection), enumerating all system handles (credential access monitoring), inspecting kernel drivers, and reading scheduled task configurations. Running without administrator rights produces a partial result. The tool will still run but will silently skip the privileged checks.
Q: Why does my scan show MEDIUM even though my machine looks clean?
A: MEDIUM is the normal result on a clean machine. It is almost always driven by two common findings: LLMNR (Link-Local Multicast Name Resolution), which is enabled by default on all Windows machines and is exploitable on shared networks, and the presence of a second administrator account. These are configuration notes, not indicators of compromise.
Q: How long does the scan take?
A: Typically 60–90 seconds. On a heavily loaded machine with many processes, it may take up to two minutes. The process hollowing check reads code sections from every running process and is the primary time consumer.
Q: Can I run it more than once?
A: Yes. Each run produces a new report file with a timestamp in the name, so reports do not overwrite each other. Running weekly, or after installing new software, lets you compare results over time.
Q: What should I do if I get a CRITICAL or HIGH result?
A: Do not panic, but do act promptly. Note which section flagged and what it said. Contact your IT team or email us at info@deepsafe.tech with the report attached. For CRITICAL findings (process hollowing on an unsigned process, WMI persistence consumer, LSASS credential access handle), consider isolating the machine from the network until it can be investigated.
• Questions about the tool or your scan results: info@deepsafe.tech
• Commercial platform inquiries (enterprise VBS security): info@deepsafe.tech
• Report a false positive or a bug: info@deepsafe.tech – attach the report file
• Website: www.deepsafetechnology.com