Quick SS by Ice
This guide is not a rigid set of steps to be followed blindly, but an optimized outline for conducting SS and Log checks quickly and effectively.
Following these procedures will allow you to identify most cheaters in a short amount of time. However, no two checks are identical: varying your approach and adapting to the traces you find is not only normal, but absolutely necessary.
Warning: As you likely already know, an "ULTIMATE UNBYPASSABLE GUIDE" does not exist. What this document provides are the fundamental steps that prove useful in almost every screenshare. While these steps are your primary tools, your intuition is just as important. You must be ready to go beyond this guide and perform any additional checks you deem necessary.
Windows Defender Manager
Temporarily disable Defender so the screenshare tools can run.
This command toggles Windows Defender. Since many tools are unsigned and trigger false positives, disabling it is required for the check. Clearly explain this necessity to the user; if they refuse to cooperate, proceed with a punishment according to your server rules. Two practical caveats: the one-liner downloads and executes a script from Pastebin in an elevated prompt, so read the script contents yourself before running it on someone else's machine, and toggle Defender back on before you disconnect.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://pastebin.com/raw/ChxAuDpF)
Note: For some tools (like BAM Parser and Path Parser) I have included less effective alternative PowerShell versions, which you can use as an extreme last resort if you cannot or do not want to download the original tool.
1.8 ScreenShare
Section dedicated to checks and investigations in ScreenShare on the user's PC for 1.8 clients.
1.8 Checks Info
Check Preparation
- VPN (Recommended): Turn on a VPN to protect your IP address from possible IP-Grabbers.
- Recording (Mandatory): Start recording your screen right before sending the player the AnyDesk connection request.
Hack Checks Steps
📜 Generic Checks Script
🎯 Overview
This script is an automated first-look tool. It quickly scans the system for common red flags and anti-forensic activity, saving you time at the start of a check.
What It Checks
The script provides a rapid analysis of key system areas:
- Critical Services: Verifies that essential logging services are running.
- Registry Integrity: Looks for system policies that have been modified to disable core tools or suppress logging features.
- Evidence Tampering: Scans Event Logs for flags, including USN Journal deletion (ID 3079), audit log clearing (ID 1102), and recent system time changes (ID 4616).
- Prefetch Folder: Inspects .pf files for signs of manipulation, such as read-only attributes or duplicate file hashes, which point to bypass techniques.
- Persistence Mechanisms: Checks common auto-start locations like the Run keys and recent Task Scheduler modifications to find programs set to launch automatically.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://pastebin.com/raw/HGLwy7XA)
Reference link: Ice's Quick SS Script (Source)
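The script itself is fetched from Pastebin, so for reference here is a readable, stand-alone version of the same five checks. This is an added example for Windows PowerShell 5.1, not Ice's script: the event IDs, service names and registry locations are the ones the page names or standard Windows paths, and the provider name used to look up ID 3079 is an assumption. Run it from an elevated prompt; the Security log and some keys need admin.

```powershell
# Added example (not Ice's Quick SS Script): a minimal version of the
# "first-look" checks described above. Windows PowerShell 5.1, elevated.
$ErrorActionPreference = 'SilentlyContinue'
$boot     = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$findings = New-Object System.Collections.Generic.List[string]

# 1. Critical services: logging/telemetry services a bypasser tends to stop.
foreach ($svc in 'EventLog', 'PcaSvc', 'DPS', 'SysMain', 'Schedule', 'DiagTrack') {
    $s = Get-Service -Name $svc
    if (-not $s) { $findings.Add("SERVICE  $svc is missing"); continue }
    if ($s.Status -ne 'Running') { $findings.Add("SERVICE  $svc is $($s.Status)") }
}

# 2. Registry integrity: policies that hide tools or silence artifacts.
$pf  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
if ($pf.EnablePrefetcher -eq 0) { $findings.Add('REGISTRY Prefetcher disabled (EnablePrefetcher=0)') }
$sys = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if ($sys.DisableTaskMgr -eq 1)       { $findings.Add('REGISTRY Task Manager disabled by policy') }
if ($sys.DisableRegistryTools -eq 1) { $findings.Add('REGISTRY Registry editor disabled by policy') }
$exp = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if ($exp.NoRecentDocsHistory -eq 1)  { $findings.Add('REGISTRY Recent documents history suppressed') }

# 3. Evidence tampering: the three event IDs named on the page.
$tamper = @(
    @{ LogName = 'Security'; Id = 1102 },                    # audit log cleared
    @{ LogName = 'Security'; Id = 4616 },                    # system time changed
    @{ ProviderName = 'Microsoft-Windows-Ntfs'; Id = 3079 }  # USN journal deleted (provider name assumed)
)
foreach ($f in $tamper) {
    Get-WinEvent -FilterHashtable $f -MaxEvents 20 | ForEach-Object {
        $when = if ($_.TimeCreated -ge $boot) { 'IN INSTANCE' } else { 'before last boot' }
        $findings.Add("EVENT    ID $($_.Id) at $($_.TimeCreated) ($when)")
    }
}

# 4. Prefetch folder: read-only .pf files (frozen) and identical hashes (copied PFs).
$pfs = Get-ChildItem 'C:\Windows\Prefetch\*.pf' -Force
$pfs | Where-Object { $_.Attributes -band [IO.FileAttributes]::ReadOnly } |
    ForEach-Object { $findings.Add("PREFETCH read-only: $($_.Name)") }
$pfs | Get-FileHash -Algorithm SHA256 | Group-Object Hash | Where-Object Count -gt 1 |
    ForEach-Object { $findings.Add('PREFETCH duplicate hash: ' + (($_.Group.Path | Split-Path -Leaf) -join ', ')) }

# 5. Persistence: Run/RunOnce keys and tasks registered since the last boot.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    $p = Get-ItemProperty $k
    if (-not $p) { continue }
    $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $findings.Add("AUTORUN  $k : $($_.Name) = $($_.Value)") }
}
Get-ScheduledTask | Where-Object { $d = $_.Date -as [datetime]; $d -and $d -ge $boot } |
    ForEach-Object { $findings.Add("TASK     registered $($_.Date): $($_.TaskPath)$($_.TaskName)") }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Sort-Object -Unique }
```

Treat every line as a lead to confirm by hand: a stopped DiagTrack or a Run entry can be legitimate, but a 1102 or 3079 event inside the instance, or a read-only .pf file, needs an explanation from the player.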
🤖 Automatic SS Tool (Recommended)
🎯 Overview
Automatic SS Tools are designed to support and accelerate your manual investigation. They perform a wide range of automated checks in seconds / minutes, providing a quick, broad-spectrum analysis of the system's state.
What It Does
These tools are built to handle the most common checks efficiently:
- Rapid Scanning: Performs dozens of automated checks, scanning for known cheats, analyzing critical system artifacts, and checking for common bypass techniques.
- Known Cheats / Bypass Detections: Excellent at detecting common, well-known cheats and widely used bypass methods.
- Information Aggregation: Gathers and presents key system information in a consolidated, easy-to-read report, saving you time.
🚨 Why It's Important
Its primary benefit is efficiency. By automating the most repetitive and standard checks, an SS tool frees you to focus your attention on the tool's findings, or to perform deeper manual analysis where needed.
To speed up the check and save time for both you and the player, it is highly recommended to use an Automatic SS Tool.
While the tool is scanning, proceed with the check, and analyze the results once the scan is finished.
🧰 RedLotus Tool Downloader
🎯 Overview
The RedLotus Tool Downloader is a centralized utility designed to streamline the setup process of a screenshare. It acts as a "Central Hub," allowing you to quickly and reliably download the entire suite of approved forensic tools in seconds, eliminating the need to manually search for and download each program individually.
What It Does
The tool provides an efficient, one-stop solution for preparing your forensic environment:
- Presets for Efficiency: It offers one-click presets like "Quick SS" and "Full SS" that automatically download a curated collection of essential or comprehensive tools, respectively. This ensures you have everything you need without any wasted time.
- Organized Environment: All downloaded tools are automatically organized into a clean, structured folder system (defaulting to C:\SS1), keeping your workspace tidy and professional.
- Up-to-Date and Secure: The download links are not hard-coded. The tool fetches an up-to-date list of URLs from a secure online repository at runtime. This ensures you always get the latest, official versions of each tool and are protected from broken or outdated links.
🚨 Why It's Important
In a screenshare, every minute counts. Manually downloading 10-15 different tools is slow, prone to errors, and looks unprofessional.
- Speed: This tool reduces your setup time from several minutes to under 30 seconds.
- Consistency: It ensures every staff member on your team is using the exact same approved versions of each tool, standardizing your procedures.
- Reliability: It eliminates the risk of downloading outdated versions or from unofficial sources, which could be compromised or simply not work correctly.
🧊 RedLotus Mod Analyzer
🎯 Overview
The RedLotus Mod Analyzer is a specialized tool designed to detect cheats hidden inside Minecraft mods.
What It Checks
This tool performs a multi-layered analysis to provide a complete picture of the player's mod setup:
- Memory Scanning: Its primary function automatically identifies the running javaw.exe process and scans the mods loaded directly in memory. This is crucial for detecting cheats that have been deleted or "unloaded" from the mods folder after the game has started.
- Bytecode Analysis: Searches for known cheat modules (like KillAura, Velocity, Reach, AutoClicker) and suspicious code structures.
- Integrity Verification: It automatically checks the hash of each mod against trusted databases (Modrinth) to verify if the file is an official, untampered version.
- Anti-Evasion Monitoring: It integrates with the filesystem's USN Journal to detect if mods have been modified.
- Native Code Detection: It identifies if a .jar mod is attempting to load native libraries (.dll or .so files), a technique sometimes used to hide more advanced cheat functions from Java-level analysis.
🚨 Why It's Important
This analyzer is essential for any Minecraft screenshare because it directly counters the most common mod-based bypasses.
This tool automatically performs many checks to verify whether certain mods are legitimate or not. It is always mandatory to manually inspect any suspicious mod.
It is also recommended to use the "Memory Scan" function so that the tool itself retrieves the exact list of mods currently loaded by the process.
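When you do the manual inspection, two of the checks above can be reproduced by hand on the on-disk jars. The block below is an added example in Windows PowerShell 5.1, not the RedLotus Mod Analyzer: it lists native library entries (.dll/.so/.dylib) inside each jar, flags class names that match common cheat module names (a lead only; obfuscated mods will not match), and prints the SHA-1 that Modrinth's version_file lookup accepts so you can compare the file with the official upload. Assumptions: the default .minecraft\mods location, and the Modrinth URL form https://api.modrinth.com/v2/version_file/<hash>?algorithm=sha1; no network request is made here.

```powershell
# Added example (not the RedLotus Mod Analyzer): native-library and name
# checks over the jars in the mods folder, plus the hash for a Modrinth lookup.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$modsDir = Join-Path $env:APPDATA '.minecraft\mods'   # assumed default client path

function Get-JarReport([string]$jar) {
    $natives = @(); $suspects = @(); $classes = 0
    try {
        $zip = [IO.Compression.ZipFile]::OpenRead($jar)
        try {
            foreach ($e in $zip.Entries) {
                $n = $e.FullName
                # Any native library bundled in the jar is worth a manual look.
                if ($n -match '\.(dll|so|dylib|jnilib)$') { $natives += $n }
                if ($n -like '*.class') {
                    $classes++
                    # Module names the page lists; a hit is a lead, not proof.
                    if ($n -match '(?i)killaura|velocity|reach|autoclick|aimbot|esp') { $suspects += $n }
                }
            }
        } finally { $zip.Dispose() }
    } catch {
        return [pscustomobject]@{ File = (Split-Path $jar -Leaf); Error = $_.Exception.Message }
    }
    $sha1 = (Get-FileHash -LiteralPath $jar -Algorithm SHA1).Hash.ToLower()
    [pscustomobject]@{
        File        = Split-Path $jar -Leaf
        Modified    = (Get-Item -LiteralPath $jar).LastWriteTime
        Classes     = $classes
        Natives     = ($natives -join ', ')
        Suspects    = ($suspects -join ', ')
        Sha1        = $sha1
        Sha512      = (Get-FileHash -LiteralPath $jar -Algorithm SHA512).Hash.ToLower()
        ModrinthUrl = "https://api.modrinth.com/v2/version_file/$sha1?algorithm=sha1"
    }
}

Get-ChildItem -LiteralPath $modsDir -Filter *.jar -File |
    ForEach-Object { Get-JarReport $_.FullName } |
    Sort-Object { -not $_.Natives }, { -not $_.Suspects } | Format-List
```

Jars with natives or suspect names sort to the top. A jar that nests another jar (jar-in-jar loaders do this legitimately) is not unpacked here, and a mod that was deleted from the folder after launch only shows up in the memory scan, which is why the page still recommends it.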
🔎 Spok's BAM Parser & Deleted Keys
🎯 Overview
Spok's BAM Parser is an essential tool for analyzing the Background Activity Moderator (BAM), a Windows artifact that logs program executions. This tool doesn't just list the programs; it enriches the data with critical forensic checks, making it one of the most effective ways to find recent execution evidence.
What It Checks (BAM Parser)
This tool provides a multi-layered analysis of every program logged by BAM:
- Execution Time: It shows the timestamp BAM last recorded for that program (opening, interacting with, or closing the program all count as activity that updates the entry).
- Digital Signature Verification: It automatically checks the digital signature of each file. It will flag files as Signed, Not Signed, or with specific warnings like Invalid Signature, Fake Signature, or known Cheat signatures.
- Heuristic Analysis (Generics): The tool runs a set of proprietary rules ("Generics") against each file to detect characteristics commonly found in cheats, such as packers, obfuscation, or specific code patterns.
- File Replacement Detection: It integrates with the USN Journal to check if a file has been replaced. If it detects a replacement, it will flag the entry, exposing a common bypass technique.
🚨 Why It's Important
BAM Parser is a massive time-saver and evidence-gatherer. It automates several key checks at once, allowing you to quickly identify suspicious programs that were recently active.
- It provides high-precision timestamps that can definitively prove "in instance" execution.
- It immediately flags unsigned executables, which are the primary target of any investigation.
- Its integrated Journal check can catch a "replace" bypass without you having to manually parse the Journal yourself.
An unrecommended alternative meant only for specific cases where the main tool cannot be used.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/PureIntent/ScreenShare/main/RedLotusBam.ps1)
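To see what the parser is actually reading, here is an added example in Windows PowerShell 5.1 (not Spok's BAM Parser and not the RedLotusBam.ps1 alternative) that walks the BAM state keys directly and adds the execution time, the "in instance" flag (since last boot), file existence and Authenticode status to each entry. Assumptions: each BAM value is a binary blob whose first 8 bytes are a UTC FILETIME (the documented layout), and drive letters are resolved from the \Device\HarddiskVolumeN paths with QueryDosDevice. Known-cheat signatures and the "Generics" heuristics are not attempted. Run elevated.

```powershell
# Added example (not Spok's BAM Parser): raw BAM read with enrichment.
$boot     = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$bamRoots = 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',
            'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings'   # pre-1809 builds

# BAM stores NT device paths (\Device\HarddiskVolumeN\...); map every drive
# letter to its device name so Test-Path and signature checks can run.
Add-Type -Namespace Native -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@
$volMap = @{}
foreach ($d in (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' })) {
    $sb = New-Object System.Text.StringBuilder 1024
    if ([Native.Kernel32]::QueryDosDevice("$($d.Name):", $sb, $sb.Capacity) -gt 0) {
        $volMap[$sb.ToString().Split([char]0)[0]] = "$($d.Name):"
    }
}

function Convert-BamPath([string]$raw) {
    foreach ($dev in $volMap.Keys) {
        if ($raw.StartsWith($dev + '\', 'OrdinalIgnoreCase')) { return $volMap[$dev] + $raw.Substring($dev.Length) }
    }
    return $raw   # app IDs (Microsoft.Windows.*) or a volume that is no longer mounted
}

$rows = foreach ($root in $bamRoots) {
    foreach ($sidKey in (Get-ChildItem $root -ErrorAction SilentlyContinue)) {
        $props = Get-ItemProperty $sidKey.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*' -or $p.Name -in 'Version', 'SequenceNumber') { continue }
            $bytes = [byte[]]$p.Value
            if ($bytes.Length -lt 8) { continue }
            $ts     = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($bytes, 0)).ToLocalTime()
            $path   = Convert-BamPath $p.Name
            $exists = Test-Path -LiteralPath $path -PathType Leaf
            $status = if (-not $exists) { 'MISSING' } else { (Get-AuthenticodeSignature -LiteralPath $path).Status }
            [pscustomobject]@{ Time = $ts; InInstance = ($ts -ge $boot); Status = $status; User = $sidKey.PSChildName; Path = $path }
        }
    }
}

# What matters first: ran since boot and not cleanly signed, or already gone.
$rows | Where-Object { $_.InInstance -and $_.Status -ne 'Valid' } |
    Sort-Object Time -Descending | Format-Table Time, Status, Path -AutoSize
```

A MISSING entry with an in-instance timestamp is the "ran it, then deleted it" pattern; a NotSigned or HashMismatch entry is what the parser would label Not Signed or Invalid Signature. Drop the Where-Object filter to see the full list when the player's story needs checking against everything that ran.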
🧠 Spok's Prefetch Parser
🎯 Overview
Spok's Prefetch Parser is a tool designed to analyze Windows Prefetch (.pf) files. This tool integrates digital signature verification, YARA scanning, and Journal checks into a single, streamlined interface to instantly highlight suspicious activity.
What It Checks
This tool extracts and enriches the metadata left behind every time an application is launched:
- Execution History: Retrieves the timestamp of the last execution together with the seven previous run times (Windows 8 and later keep the last eight in the .pf file) and the total run count.
- Referenced Files (Indexes): Extracts the complete list of files the application loaded.
- Signature Verification: Automatically checks if the executed file has a valid, fake, or missing digital signature.
- Smart Filtering: Features quick-toggles like "Show Unsigned Only" and "Only In Instance" (since the last boot) to eliminate system noise and isolate recently run, untrusted files.
🚨 Why It's Important
Prefetch is the gold standard for proving when a program was run. This specific tool drastically cuts down analysis time. By applying the Unsigned and In Instance filters, you avoid analyzing hundreds of legitimate Windows PFs and are immediately presented with a short list of custom, recently executed files.
🖥️ NVIDIA Control Panel
🎯 Overview
The NVIDIA Control Panel is a frequently underestimated yet exceptional forensic resource. While most bypassers focus heavily on clearing or bypassing standard artifacts like Prefetch and BAM, very few realize that NVIDIA graphics drivers maintain an independent, resilient history of executed applications.
What It Checks
This method doesn't use an external script; it leverages the native NVIDIA driver interface to reveal:
- Independent Execution History: A chronological list of recently launched applications that interacted with the GPU.
- Original File Icons: Crucial for identifying cheats that use spoofed names.
- Original File Paths: Hovering over an entry reveals the exact location from which the file was launched, even if the file itself has since been deleted.
- Spoofed Extensions/Extensionless Files: Because the driver registers processes based on their graphical activity and resource requests rather than their file extension, it successfully logs .exe files disguised with fake extensions or no extension at all.
🚨 Why It's Important
The true power of this method lies in its persistence and isolation from standard cleanup tools.
Every time an executable initializes a graphical context (even a simple UI for an autoclicker), the NVIDIA driver "hooks" the process to determine if specific settings (like anti-aliasing) should be applied. To do this, it maintains a "Recently Used Applications" list.
Even if a cheater completely wipes their Prefetch, clears their BAM registry keys, and deletes the cheat file, this NVIDIA driver cache remains intact. It provides a reliable "second opinion" that often catches bypassers off-guard.
- Step 1: Right-Click on Desktop -> NVIDIA Control Panel.
- Step 2: Go to "3D Settings" -> "Manage 3D settings" -> "Program Settings".
- Step 3: Click "Add" and sort the list by "Recently used".
- Step 4: Analyze the results.
Limitations: if a cheat is purely terminal-based and has no GUI of its own, it will not be logged.
🕵️♂️ System Informer & Path Parser Analysis
🎯 Overview
First, we use System Informer to find file paths that are currently loaded into the memory of critical system processes. Second, we feed this raw list of paths into Path Parser to automatically analyze each one.
What It Checks
Part 1: We target specific processes that act as rich sources for execution history.
Part 2: After extracting the paths from System Informer into a paths.txt file, Path Parser analyzes each one for:
- Digital Signature: Flags files that are Not Signed, have an Invalid Signature, or are known Cheats.
- File Existence: Instantly confirms if a file found in memory has since been deleted / renamed from the disk.
- Heuristic Analysis (Generics): Scans the file for suspicious patterns, flagging it with "Generics" if it behaves like an autoclicker, injector, or is heavily obfuscated.
- Replacement Detection: Cross-references the USN Journal to detect if the file was replaced to hide the original version.
- Execution Check (.exe): the csrss.exe instance with the lower Private Bytes, regex: ^(?:\\\\\?\\)?[A-Za-z]:\\.+\.exe$
- DLL Check (.dll): the csrss.exe instance with the higher Private Bytes, regex: ^(?:\\\\\?\\)?[A-Za-z]:\\.+$
- Spoofed Extensions Control: the csrss.exe instance with the higher Private Bytes, regex: ^(?:\\\\\?\\)?[A-Za-z]:\\.+$
- Jar Check (Filters): PlugPlay: jar; PcaSvc: jar
An unrecommended alternative to run alongside Path Parser if the main tool is unavailable.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusSignatures.ps1)
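If neither Path Parser nor the script above is available, the same pass can be done over the exported list with a few lines of PowerShell. This is an added example (not Path Parser, not the RedLotusSignatures.ps1 script): it applies the two regexes quoted above to each line of paths.txt, then does the existence, signature and spoofed-extension checks the page lists; the "Generics" heuristics and known-cheat signatures are out of scope. The spoofed-extension check reads the first two bytes of the file and treats an MZ header under a non-executable extension as a disguised PE. Assumptions: paths.txt holds one path per line as copied from System Informer, and the built-in sample lines are constructed, not a real export.

```powershell
# Added example (not Path Parser): verdicts for each path in paths.txt.
$ListFile = 'paths.txt'
$exeRegex = '^(?:\\\\\?\\)?[A-Za-z]:\\.+\.exe$'   # from the page: executables
$anyRegex = '^(?:\\\\\?\\)?[A-Za-z]:\\.+$'        # from the page: DLLs / any file
$peExts   = '.exe', '.dll', '.sys', '.ocx', '.scr', '.cpl', '.drv', '.mui'

function Test-PeHeader([string]$path) {
    # A real executable starts with the 'MZ' DOS stub whatever its extension.
    try {
        $fs = [IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
        try {
            $b = New-Object byte[] 2
            [void]$fs.Read($b, 0, 2)
            return ($b[0] -eq 0x4D -and $b[1] -eq 0x5A)
        } finally { $fs.Dispose() }
    } catch { return $false }
}

function Get-PathVerdict([string]$raw) {
    $path = $raw.Trim() -replace '^\\\\\?\\', ''   # strip the \\?\ prefix for file APIs
    if ($path -match $exeRegex)     { $kind = 'exe' }
    elseif ($path -match $anyRegex) { $kind = 'file' }
    else { return $null }                          # not a path; ignore the line
    $flags = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        $flags.Add('DELETED/RENAMED')
    } elseif (Test-PeHeader $path) {
        $ext = [IO.Path]::GetExtension($path).ToLower()
        if ($ext -notin $peExts) { $flags.Add("SPOOFED EXT ($ext)") }
        $st = (Get-AuthenticodeSignature -LiteralPath $path).Status
        if ($st -ne 'Valid') { $flags.Add("SIG: $st") }
    }
    [pscustomobject]@{ Kind = $kind; Flags = ($flags -join '; '); Path = $path }
}

# Constructed sample (not a real System Informer export) used when paths.txt is absent.
$lines = if (Test-Path $ListFile) { Get-Content $ListFile } else {
    'C:\Windows\System32\notepad.exe',
    '\\?\C:\Users\Public\Downloads\game.exe',
    'C:\Users\Public\Music\track01.mp3',
    'C:\Windows\System32\kernel32.dll',
    'not a path at all'
}

$lines | ForEach-Object { Get-PathVerdict $_ } | Where-Object { $_ } |
    Sort-Object { $_.Flags -eq '' }, Path | Format-Table -AutoSize
```

Flagged rows sort first. An .mp3 or extensionless file that carries an MZ header is the spoofed-extension case the csrss.exe check is meant to surface; a path that no longer exists goes to the Journal check to see when and how it disappeared.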
🖱️ Macro Check (Software & On-Board)
🎯 Overview
This procedure is designed to identify whether a player is using macros to inflate their click speed (CPS). It investigates both software-based macros (saved on the PC) and hardware-level macros (saved directly onto the mouse's internal memory).
What It Checks
This is a two-step investigation focusing on the mouse's configuration and its actual physical output:
Part 1: Software Macro Analysis
- Configuration Files: Before opening any official mouse software, you must navigate to the specific hidden directories where the mouse brand (Logitech, Razer, Glorious, etc.) saves its profiles and macro files (.xml, .json, .db, .dat).
- Modification Dates: The primary check here is the "Date Modified" timestamp of these files. A very recent modification time (just before the screenshare) is a major red flag indicating potential tampering or deletion of a macro.
- Official Software Inspection: If the files appear untouched, you then open the official mouse software GUI to visually inspect the assigned bindings and macro lists.
Part 2: The "Double Test" (On-Board Macros)
This is the physical testing phase using a reliable online mouse tester (like xbitlabs.com/test-mouse/).
- Test A (Software Open): The player physically presses every single button on their mouse while their official software is running. You observe if all the physical button presses match the input registered on the screen, and if the player is able to press them all.
- Test B (Software Closed): The player repeats the exact same physical test, but only after the official mouse software has been completely terminated (killed via Task Manager or exited from the system tray).
- Step 1: Identify the mouse brand and model (Logitech, Razer, Glorious, etc.).
- Step 2: Navigate to the directories where the mouse saves configurations and check the files. Do this before opening the mouse software.
- Step 3: If the files have not been recently modified, open the official mouse software and check for macros.
- Step 4: Have the player open the site https://www.xbitlabs.com/test-mouse/. Ask them to physically press all mouse buttons.
- Step 5 (Double Test): Repeat Step 4 with the mouse software completely closed (terminate the process from Task Manager and close it from the Tray Icon).
📋 Hayabusa Analysis (EventLog)
🎯 Overview
Hayabusa is a high-speed, command-line forensic tool for analyzing Windows Event Logs. It is designed for threat hunting, using a powerful rule engine to automatically detect suspicious activity across thousands of log entries in seconds.
What It Checks
Hayabusa scans the entire directory of Windows Event Log files (.evtx). Instead of just listing events, it applies a large set of detection rules (known as Sigma rules) to identify patterns of malicious behavior.
The tool generates a clear report (CSV for Timeline Explorer or a summary HTML) that highlights only the high-risk events, saving you from manually reviewing system noise.
🚨 Why It's Important
The main advantage is speed and depth. Manually filtering Event Viewer for dozens of different suspicious IDs is slow and impractical during a live screenshare. Hayabusa automates this process, correlating events and applying complex detection logic that goes beyond simple keyword searches. It doesn't just show you an event; it flags why that event is suspicious in a specific context, providing you with high-quality leads for your manual investigation.
- Step 1: Extract Hayabusa. Open CMD as Administrator and use the cd command to enter the Hayabusa folder.
- Step 2: Run this command (replace [executable name] with the exact name of the .exe file):
[executable name] csv-timeline --output CSVOutput.csv -d C:\Windows\System32\winevt\Logs --HTML-report HTMLOutput.html --ISO-8601
- Step 3: Open the generated CSVOutput.csv file using Timeline Explorer.
- Step 4: Analyze the results.
🧠 Kernel Live Dump Analyzer
🎯 Overview
The Kernel Live Dump Analyzer is a forensic tool for scanning a snapshot of the Windows kernel memory (.dmp file). Its purpose is to find volatile evidence, such as recently executed commands or script fragments, that exists only in memory.
What It Checks
This tool automates the search for high-value traces within the raw memory dump:
- Command-Line History: It is effective at finding commands executed via cmd.exe or powershell.exe, including those used for fileless execution or to run cleanup scripts.
- Anti-Forensic Commands: It specifically hunts for traces of commands used to delete / modify evidence, such as reg delete, type, echo.
- Fileless Execution Indicators: It looks for traces of bypass techniques, including commands that use wmic process call create, powershell -e (encoded commands), or download strings (IEX, IWR).
- Suspicious File Paths & Keywords: It can be used to perform targeted searches for any string, such as the name of a known cheat or a suspicious file path.
🚨 Why It's Important
This is one of the most powerful tools for catching sophisticated cheaters who attempt to "live off the land" by using built-in Windows tools to hide their tracks.
- It Finds Deleted History: A cheater can close a Command Prompt window or clear the PowerShell / event log history, but traces of their commands often linger in the kernel's memory buffers for a short time. This tool aims to find that evidence.
- Step 1: Open System Informer as Administrator (make sure to have the Kernel-Mode Driver enabled in the options).
- Step 2: In the top bar click Tools -> Create kernel memory dump -> Live kernel dump Full.
- Step 3: Place the RedLotus Kernel Live Dump Analyzer tool in the exact same folder as the .dmp file and run it.
- Step 4: Analyze the results.
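If the analyzer is not at hand, the core of what it does is a string search over the dump file. The block below is an added example in Windows PowerShell 5.1, not the RedLotus Kernel Live Dump Analyzer: it scans a .dmp in overlapping chunks for the command fragments listed above and looks for each one in both ASCII and UTF-16LE, because cmd.exe buffers are usually single-byte while PowerShell and console history are wide-char, so a search in one encoding alone misses half the hits. Assumptions: the dump path C:\SS1\kernel.dmp, and a constructed byte buffer that stands in for dump data when that file is absent.

```powershell
# Added example (not the RedLotus Kernel Live Dump Analyzer): dual-encoding
# keyword search over a memory dump, reporting file offset and context.
$patterns = 'reg delete', 'wmic process call create', 'powershell -e', 'IEX', 'IWR',
            'Invoke-Expression', 'Invoke-WebRequest', 'type nul', 'echo'

function Find-DumpStrings {
    param([byte[]]$Bytes, [string[]]$Patterns, [int]$Context = 48)
    # Decode as Latin-1 so 1 byte = 1 char: an ASCII pattern matches directly,
    # and its UTF-16LE form is the same characters each followed by a NUL.
    $text = [Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    foreach ($p in $Patterns) {
        $forms = @{
            ASCII = [regex]::Escape($p)
            UTF16 = (($p.ToCharArray() | ForEach-Object { [regex]::Escape([string]$_) + '\x00' }) -join '')
        }
        foreach ($enc in $forms.GetEnumerator()) {
            foreach ($m in [regex]::Matches($text, $enc.Value, 'IgnoreCase')) {
                $start = [Math]::Max(0, $m.Index - $Context)
                $len   = [Math]::Min($text.Length - $start, $m.Length + 2 * $Context)
                $snip  = $text.Substring($start, $len)
                if ($enc.Key -eq 'UTF16') { $snip = $snip -replace "`0", '' }
                [pscustomobject]@{
                    Offset   = [long]$m.Index
                    Encoding = $enc.Key
                    Pattern  = $p
                    Context  = ($snip -replace '[^\x20-\x7E]', '.')
                }
            }
        }
    }
}

function Search-DumpFile {
    param([string]$Path, [string[]]$Patterns, [int]$ChunkSize = 64MB, [int]$Overlap = 4KB)
    # Chunks overlap so a string straddling a boundary is still found; hits that
    # fall inside the overlap are reported from the next chunk only (no duplicates).
    $fs = [IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] ($ChunkSize + $Overlap)
        $pos = 0L
        while ($pos -lt $fs.Length) {
            $fs.Position = $pos
            $n = $fs.Read($buf, 0, $buf.Length)
            $chunk = New-Object byte[] $n
            [Array]::Copy($buf, $chunk, $n)
            $last = ($pos + $ChunkSize) -ge $fs.Length
            Find-DumpStrings -Bytes $chunk -Patterns $Patterns |
                Where-Object { $last -or $_.Offset -lt $ChunkSize } |
                ForEach-Object { $_.Offset += $pos; $_ }
            $pos += $ChunkSize
        }
    } finally { $fs.Dispose() }
}

# Constructed sample (not real dump data): one ASCII and one UTF-16LE command.
$sample = [byte[]]([Text.Encoding]::ASCII.GetBytes('....cmd.exe /c reg delete HKCU\Software\Example /f....') +
                   [Text.Encoding]::Unicode.GetBytes('powershell -e JABhAC4ALgAu') +
                   [Text.Encoding]::ASCII.GetBytes('....'))

$DumpPath = 'C:\SS1\kernel.dmp'   # assumed location, next to the analyzer
$hits = if (Test-Path $DumpPath) { Search-DumpFile -Path $DumpPath -Patterns $patterns }
        else { Find-DumpStrings -Bytes $sample -Patterns $patterns }
$hits | Format-Table @{ n = 'Offset'; e = { '0x{0:X}' -f $_.Offset } }, Encoding, Pattern, Context -AutoSize
```

Short patterns such as IEX and echo will match noise in a multi-gigabyte dump; read them as leads and narrow with the file path or cheat name you already suspect. Each chunk is held twice in memory (bytes plus decoded string), so lower ChunkSize on a machine with little RAM.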
📓 Journal Trace
🎯 Overview
Journal Trace is a powerful graphical tool for analyzing the NTFS USN Journal, which acts as a near-immutable diary of all file system activity. It provides a detailed, time-stamped log of every file creation, deletion, rename, and modification, making it the perfect tool for detecting evidence tampering.
What It Checks
This tool turns the raw data of the USN Journal into a readable timeline, allowing you to filter for specific, high-value events:
- File Deletions (FILE_DELETE): The most common use. It shows you exactly what files were deleted and when.
- File Renames (RENAME_OLD_NAME, RENAME_NEW_NAME): This explicitly shows a file being renamed from X to Y or being moved from PATH A to PATH B.
- Attribute Manipulation (BASIC_INFO_CHANGE): This event is triggered when a file's attributes are changed. It is the proof for two key bypass techniques:
  - Prefetch Freezing: A player sets a file to "Read-Only" to stop its timestamp from updating.
  - Timestomping: A player alters a file's "Date Modified" timestamp to make it look old.
- Content Modification (DATA_OVERWRITE): This can indicate that the contents of a file were directly altered, a potential sign of hex editing.
🚨 Why It's Important
Journal Trace is the ScreenSharer's best defense against a cheater who tries to cover their tracks. It turns the act of hiding evidence into the evidence itself.
- It is Conclusive: The USN Journal is managed at the kernel level and is difficult to manipulate without leaving obvious traces. Its logs are considered ground truth for file system activity.
- It Exposes Intent: Finding a suspicious file is one thing. Using Journal Trace to prove that the player deleted files or renamed their cheat to homework.docx just before the check is what proves clear, undeniable intent to bypass.
This check should have already been done through Spok's tools, but just to be sure, I would recheck any deleted or replaced/modified files.
What to look for: Deleted, Overwritten, Data Truncation, Data Overwrite, Basic Info Change.
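For the recheck without a GUI, the journal can be read with the built-in fsutil and filtered for exactly those reasons. The block below is an added example in Windows PowerShell 5.1, not Journal Trace: it parses the "Key : Value" records that `fsutil usn readjournal C:` prints, keeps only the reasons listed above, and marks which ones happened since the last boot. Assumptions: the record layout mirrored by the constructed sample (one blank line between records, reason text as fsutil prints it), and the system drive C:. Reading the live journal needs an elevated prompt.

```powershell
# Added example (not Journal Trace): filter fsutil's USN output to the
# deletion / rename / attribute / overwrite reasons the page lists.
$boot           = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$reasonFilter   = '(?i)file delete|rename: (old|new) name|basic info change|data overwrite|data truncation'
$UseLiveJournal = $false   # set to $true to read C: instead of the sample

function ConvertFrom-UsnText {
    param([string[]]$Lines)
    # Each record is a run of "Key : Value" lines starting with "Usn".
    $rec = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<k>[A-Za-z ]+?)\s*:\s*(?<v>.*)$') {
            $k = $matches.k.Trim()
            if ($k -eq 'Usn' -and $rec.Count) { [pscustomobject]$rec; $rec = @{} }
            $rec[$k] = $matches.v.Trim()
        }
    }
    if ($rec.Count) { [pscustomobject]$rec }
}

function Get-SuspiciousUsn {
    param([string[]]$Lines, [string]$NameFilter = '.*')
    ConvertFrom-UsnText $Lines |
        Where-Object { $_.Reason -match $reasonFilter -and $_.'File name' -match $NameFilter } |
        ForEach-Object {
            # fsutil prints the time in the machine's locale; parse it the same way.
            $ts = try { [datetime]::Parse($_.'Time stamp', [Globalization.CultureInfo]::CurrentCulture) } catch { $null }
            [pscustomobject]@{
                Time       = $ts
                InInstance = [bool]($ts -and $ts -ge $boot)
                File       = $_.'File name'
                Reason     = ($_.Reason -replace '^0x[0-9A-Fa-f]+:\s*', '')
                Attributes = ($_.'File attributes' -replace '^0x[0-9A-Fa-f]+:\s*', '')
                Usn        = $_.Usn
            }
        }
}

# Constructed sample in fsutil's layout (not real journal data).
$sample = @'
Usn               : 1226434112
File name         : homework.docx
File name length  : 26
Reason            : 0x00002000: Rename: new name
Time stamp        : 3/19/2024 3:51:59 PM
File attributes   : 0x00000020: Archive
Record length     : 96

Usn               : 1226434208
File name         : NOTEPAD.EXE-D8414F97.pf
File name length  : 46
Reason            : 0x00008000: Basic info change
Time stamp        : 3/19/2024 3:52:10 PM
File attributes   : 0x00000021: Read-only | Archive
Record length     : 112

Usn               : 1226434320
File name         : clicker.exe
File name length  : 22
Reason            : 0x80000200: File delete | Close
Time stamp        : 3/19/2024 3:53:02 PM
File attributes   : 0x00000020: Archive
Record length     : 104
'@ -split "`r?`n"

$lines = if ($UseLiveJournal) { fsutil usn readjournal C: } else { $sample }
Get-SuspiciousUsn -Lines $lines | Sort-Object Time | Format-Table -AutoSize
```

Pass -NameFilter '\.pf$' to isolate Prefetch freezing (a Basic info change on a .pf with the Read-only attribute set), or the name of the file BAM or Prefetch reported as missing to see whether it was deleted or merely renamed. The live read is slow on a busy volume; redirecting fsutil's output to a file once and parsing that is faster than re-reading it per filter.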
⭐ Bonus: Spok Utility Tool
This tool allows you to run a few checks in a small amount of time and can be useful during some investigations.
1.9+ ScreenShare
Section dedicated to checks and investigations in ScreenShare on the user's PC for modern versions.
1.9+ Checks Info
Check Preparation
- VPN (Recommended): Turn on a VPN to protect your IP address from possible IP-Grabbers.
- Recording (Mandatory): Start recording your screen right before sending the player the AnyDesk connection request.
Hack Checks Steps
📜 Generic Checks Script
🎯 Overview
This script is an automated first-look tool. It quickly scans the system for common red flags and anti-forensic activity, saving you time at the start of a check.
What It Checks
The script provides a rapid analysis of key system areas:
- Critical Services: Verifies that essential logging services are running.
- Registry Integrity: Looks for system policies that have been modified to disable core tools or suppress logging features.
- Evidence Tampering: Scans Event Logs for flags, including USN Journal deletion (ID 3079), audit log clearing (ID 1102), and recent system time changes (ID 4616).
- Prefetch Folder: Inspects .pf files for signs of manipulation, such as read-only attributes or duplicate file hashes, which point to bypass techniques.
- Persistence Mechanisms: Checks common auto-start locations like the Run keys and recent Task Scheduler modifications to find programs set to launch automatically.
🚨 Why It's Important
This script immediately flags attempts to cover tracks. Cheaters often try to delete or manipulate evidence before a screenshare begins. This script is designed to catch these common actions.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://pastebin.com/raw/HGLwy7XA)
Reference link: Ice's Quick SS Script (Source)
🤖 Automatic SS Tool (Recommended)
🎯 Overview
Automatic SS Tools are designed to support and accelerate your manual investigation. They perform a wide range of automated checks in seconds / minutes, providing a quick, broad-spectrum analysis of the system's state.
What It Does
These tools are built to handle the most common checks efficiently:
- Rapid Scanning: Performs dozens of automated checks, scanning for known cheats, analyzing critical system artifacts, and checking for common bypass techniques.
- Known Cheats / Bypass Detections: Excellent at detecting common, well-known cheats and widely used bypass methods.
- Information Aggregation: Gathers and presents key system information in a consolidated, easy-to-read report, saving you time.
🚨 Why It's Important
Its primary benefit is efficiency. By automating the most repetitive and standard checks, an SS tool frees you to focus your attention on the tool's findings, or to perform deeper manual analysis where needed.
To speed up the check and save time for both you and the player, it is highly recommended to use an Automatic SS Tool.
While the tool is scanning, proceed with the check, and analyze the results once the scan is finished.
💎 Check Xray Texturepack
🎯 Overview
This check involves inspecting the player's resource pack folder for Xray texture packs. On many servers, the mere possession of an Xray pack in the resource pack folder of the client in use is a bannable offense, regardless of whether it was activated during the game session.
🚨 Why It's Important
Xray packs provide a clear, unfair advantage by making valuable resources (like diamonds, gold, and ancient debris) visible through solid blocks.
Even if a server's rules are focused on a specific game mode where mining is not relevant (e.g., competitive PvP), Xray packs are sometimes still considered bannable. Their ability to render other blocks transparent often allows a player to see other players through walls, functioning as a form of "ESP" that provides an unfair tactical advantage in combat.
In these cases, it is usually paired with a mod that makes ResourcePack switching Toggleable.
Check if the player has Xray in their texture pack folder or if they recently removed it.
The ban for possessing Xray applies whether the player is playing Survival or other modes.
🧰 RedLotus Tool Downloader
🎯 Overview
The RedLotus Tool Downloader is a centralized utility designed to streamline the setup process of a screenshare. It acts as a "Central Hub," allowing you to quickly and reliably download the entire suite of approved forensic tools in seconds, eliminating the need to manually search for and download each program individually.
What It Does
The tool provides an efficient, one-stop solution for preparing your forensic environment:
- Presets for Efficiency: It offers one-click presets like "Quick SS" and "Full SS" that automatically download a curated collection of essential or comprehensive tools, respectively. This ensures you have everything you need without any wasted time.
- Organized Environment: All downloaded tools are automatically organized into a clean, structured folder system (defaulting to C:\SS1), keeping your workspace tidy and professional.
- Up-to-Date and Secure: The download links are not hard-coded. The tool fetches an up-to-date list of URLs from a secure online repository at runtime. This ensures you always get the latest, official versions of each tool and are protected from broken or outdated links.
🚨 Why It's Important
In a screenshare, every minute counts. Manually downloading 10-15 different tools is slow, prone to errors, and looks unprofessional.
- Speed: This tool reduces your setup time from several minutes to under 30 seconds.
- Consistency: It ensures every staff member on your team is using the exact same approved versions of each tool, standardizing your procedures.
- Reliability: It eliminates the risk of downloading outdated versions or from unofficial sources, which could be compromised or simply not work correctly.
🧊 RedLotus Mod Analyzer
🎯 Overview
The RedLotus Mod Analyzer is a specialized tool designed to detect cheats hidden inside Minecraft mods.
What It Checks
This tool performs a multi-layered analysis to provide a complete picture of the player's mod setup:
- Memory Scanning: Its primary function automatically identifies the running javaw.exe process and scans the mods loaded directly in memory. This is crucial for detecting cheats that have been deleted or "unloaded" from the mods folder after the game has started.
- Bytecode Analysis: Searches for known cheat modules (like KillAura, Velocity, Reach, AutoClicker) and suspicious code structures.
- Integrity Verification: It automatically checks the hash of each mod against trusted databases (Modrinth) to verify if the file is an official, untampered version.
- Anti-Evasion Monitoring: It integrates with the filesystem's USN Journal to detect if mods have been modified.
- Native Code Detection: It identifies if a .jar mod is attempting to load native libraries (.dll or .so files), a technique sometimes used to hide more advanced cheat functions from Java-level analysis.
🚨 Why It's Important
This analyzer is essential for any Minecraft screenshare because it directly counters the most common mod-based bypasses.
This tool will automatically perform several checks to verify whether certain mods are legitimate or not. It's always mandatory to manually check the suspect mod. I also recommend using the "Memory Scan" function so that the tool itself retrieves the exact list of mods currently in use by the process.
🔎 Spok's BAM Parser & Deleted Keys
🎯 Overview
Spok's BAM Parser is an essential tool for analyzing the Background Activity Moderator (BAM), a Windows artifact that logs program executions. This tool doesn't just list the programs; it enriches the data with critical forensic checks, making it one of the most effective ways to find recent execution evidence.
What It Checks (BAM Parser)
This tool provides a multi-layered analysis of every program logged by BAM:
- Execution Time: It shows the timestamp BAM last recorded for that program (opening, interacting with, or closing the program all count as activity that updates the entry).
- Digital Signature Verification: It automatically checks the digital signature of each file. It will flag files as Signed, Not Signed, or with specific warnings like Invalid Signature, Fake Signature, or known Cheat signatures.
- Heuristic Analysis (Generics): The tool runs a set of proprietary rules ("Generics") against each file to detect characteristics commonly found in cheats, such as packers, obfuscation, or specific code patterns.
- File Replacement Detection: It integrates with the USN Journal to check if a file has been replaced. If it detects a replacement, it will flag the entry, exposing a common bypass technique.
🚨 Why It's Important
BAM Parser is a massive time-saver and evidence-gatherer. It automates several key checks at once, allowing you to quickly identify suspicious programs that were recently active.
- It provides high-precision timestamps that can definitively prove "in instance" execution.
- It immediately flags unsigned executables, which are the primary target of any investigation.
- Its integrated Journal check can catch a "replace" bypass without you having to manually parse the Journal yourself.
An unrecommended alternative meant only for specific cases where the main tool cannot be used.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/PureIntent/ScreenShare/main/RedLotusBam.ps1)
🧠 Spok's Prefetch Parser
🎯 Overview
Spok's Prefetch Parser is a tool designed to analyze Windows Prefetch (.pf) files. This tool integrates digital signature verification, YARA scanning, and Journal checks into a single, streamlined interface to instantly highlight suspicious activity.
What It Checks
This tool extracts and enriches the metadata left behind every time an application is launched:
- Execution History: Retrieves the exact timestamp of the last execution, alongside the previous 8 run times and the total run count.
- Referenced Files (Indexes): Extracts the complete list of files the application loaded.
- Signature Verification: Automatically checks if the executed file has a valid, fake, or missing digital signature.
- Smart Filtering: Features quick-toggles like "Show Unsigned Only" and "Only In Instance" (since the last boot) to eliminate system noise and isolate recently run, untrusted files.
🚨 Why It's Important
Prefetch is the gold standard for proving when a program was run. This specific tool drastically cuts down analysis time. By applying the Unsigned and In Instance filters, you avoid analyzing hundreds of legitimate Windows PFs and are immediately presented with a short list of custom, recently executed files.
🖥️ NVIDIA Control Panel
🎯 Overview
The NVIDIA Control Panel is a frequently underestimated yet exceptional forensic resource. While most bypassers focus heavily on clearing or bypassing standard artifacts like Prefetch and BAM, very few realize that NVIDIA graphics drivers maintain an independent, resilient history of executed applications.
What It Checks
This method doesn't use an external script; it leverages the native NVIDIA driver interface to reveal:
- Independent Execution History: A chronological list of recently launched applications that interacted with the GPU.
- Original File Icons: Crucial for identifying cheats that use spoofed names.
- Original File Paths: Hovering over an entry reveals the exact location from which the file was launched, even if the file itself has since been deleted.
- Spoofed Extensions / Extensionless Files: Because the driver registers processes based on their graphical activity and resource requests rather than their file extension, it successfully logs .exe files disguised with fake extensions or no extension at all.
🚨 Why It's Important
The true power of this method lies in its persistence and isolation from standard cleanup tools.
Every time an executable initializes a graphical context (even a simple UI for an autoclicker), the NVIDIA driver "hooks" the process to determine if specific settings (like anti-aliasing) should be applied. To do this, it maintains a "Recently Used Applications" list.
Even if a cheater completely wipes their Prefetch, clears their BAM registry keys, and deletes the cheat file, this NVIDIA driver cache remains intact. It provides a reliable "second opinion" that often catches bypassers off-guard.
- Step 1: Right-Click on Desktop -> NVIDIA Control Panel.
- Step 2: Go to "3D Settings" -> "Manage 3D settings" -> "Program Settings".
- Step 3: Click "Add" and sort the list by "Recently used".
- Step 4: Analyze the results.
Limitations: If a cheat is purely terminal-based and has no GUI of its own, it will not be logged.
🕵️‍♂️ System Informer & Path Parser Analysis
🎯 Overview
First, we use System Informer to find file paths that are currently loaded into the memory of critical system processes. Second, we feed this raw list of paths into Path Parser to automatically analyze each one.
What It Checks
Part 1: We target specific processes that act as rich sources for execution history.
Part 2: After extracting the paths from System Informer into a paths.txt file, Path Parser analyzes each one for:
- Digital Signature: Flags files that are Not Signed, have an Invalid Signature, or are known Cheats.
- File Existence: Instantly confirms if a file found in memory has since been deleted or renamed on disk.
- Heuristic Analysis (Generics): Scans the file for suspicious patterns, flagging it with "Generics" if it behaves like an autoclicker or injector, or is heavily obfuscated.
- Replacement Detection: Cross-references the USN Journal to detect if the file was replaced to hide the original version.
- Execution Check (.exe): the csrss.exe instance with the lower Private Bytes value, with Regex: ^(?:\\\\\?\\)?[A-Za-z]:\\.+\.exe$
- DLL Check (.dll): the csrss.exe instance with the higher Private Bytes value, with Regex: ^(?:\\\\\?\\)?[A-Za-z]:\\.+$
- Spoofed Extensions Control: the csrss.exe instance with the higher Private Bytes value, with Regex: ^(?:\\\\\?\\)?[A-Za-z]:\\.+$
- Jar Check (Filters): PlugPlay: jar — PcaSvc: jar
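The three regexes above are easier to reason about once you see what each one actually matches. The following is an added example (not Path Parser's or System Informer's code) that applies the guide's regexes, copied verbatim, to a constructed list of strings of the kind a csrss.exe memory dump yields, and sorts them into the Execution, DLL and Spoofed Extensions buckets. The list of "code-carrying" extensions used for the spoofed-extension heuristic is this example's own assumption.

```python
"""Added example: classify csrss.exe memory strings with the guide's regexes.

Note one caveat the example exposes: as written, the Execution Check regex
ends in a case-sensitive "\\.exe$", so a path ending in ".EXE" is not caught by
it (Python's re is case-sensitive by default; confirm whether your string
filter applies the pattern case-insensitively). Such paths are still caught by
the general path regex, which is why the DLL / Spoofed Extensions pass matters.
"""
import re

EXE_RE = re.compile(r"^(?:\\\\\?\\)?[A-Za-z]:\\.+\.exe$")    # Execution Check
ANY_PATH_RE = re.compile(r"^(?:\\\\\?\\)?[A-Za-z]:\\.+$")   # DLL / Spoofed Extensions

# Assumption: extensions that normally carry code and are not suspicious alone.
CODE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".drv", ".mui", ".cpl"}


def extension_of(path: str) -> str:
    """Lower-cased extension of the last path component, or '' if none."""
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def classify_paths(strings):
    """Bucket strings by which guide regex matches them.

    'exe'      -> matched by the Execution Check regex
    'any_path' -> matched by the DLL / Spoofed Extensions regex
    'spoofed'  -> any_path matches whose extension is missing or not a
                  code-carrying one (candidates for a renamed executable)
    'exe_case' -> paths ending in .EXE in other casing, which the
                  case-sensitive Execution Check regex misses
    """
    out = {"exe": [], "any_path": [], "spoofed": [], "exe_case": []}
    for s in strings:
        s = s.strip()
        if EXE_RE.match(s):
            out["exe"].append(s)
        if ANY_PATH_RE.match(s):
            out["any_path"].append(s)
            ext = extension_of(s)
            if ext == ".exe" and not EXE_RE.match(s):
                out["exe_case"].append(s)
            elif ext not in CODE_EXTENSIONS:
                out["spoofed"].append(s)
    return out


# Constructed strings, as they might appear in a csrss.exe strings listing.
SAMPLE_STRINGS = [
    r"C:\Windows\System32\kernel32.dll",
    r"\\?\C:\Users\Player\Desktop\client.exe",
    r"C:\Users\Player\Downloads\READ.EXE",
    r"C:\Users\Player\AppData\Roaming\photo.jpg",
    r"C:\Users\Player\Desktop\game",
    r"Local\SessionImmersiveColorPreference",
]

if __name__ == "__main__":
    for bucket, items in classify_paths(SAMPLE_STRINGS).items():
        print(f"{bucket:9}", items)
```

The "spoofed" bucket is only a shortlist: a .jpg or extensionless path in csrss.exe memory is a reason to open the file and check its header and signature, not proof by itself.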
A less reliable alternative to run in place of Path Parser if the main tool is unavailable.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusSignatures.ps1)
📋 Hayabusa Analysis (EventLog)
🎯 Overview
Hayabusa is a high-speed, command-line forensic tool for analyzing Windows Event Logs. It is designed for threat hunting, using a powerful rule engine to automatically detect suspicious activity across thousands of log entries in seconds.
What It Checks
Hayabusa scans the entire directory of Windows Event Log files (.evtx). Instead of just listing events, it applies a large set of detection rules (known as Sigma rules) to identify patterns of malicious behavior.
The tool generates a clear report (CSV for Timeline Explorer or a summary HTML) that highlights only the high-risk events, saving you from manually reviewing system noise.
🚨 Why It's Important
The main advantage is speed and depth. Manually filtering Event Viewer for dozens of different suspicious IDs is slow and impractical during a live screenshare. Hayabusa automates this process, correlating events and applying complex detection logic that goes beyond simple keyword searches.
- Step 1: Extract Hayabusa. Open CMD as Administrator and use the cd command to enter the Hayabusa folder.
- Step 2: Run this command (replace [executable name] with the exact name of the .exe file):
[executable name] csv-timeline --output CSVOutput.csv -d C:\Windows\System32\winevt\Logs --HTML-report HTMLOutput.html --ISO-8601
- Step 3: Open the generated CSVOutput.csv file using Timeline Explorer.
- Step 4: Analyze the results.
🧠 Kernel Live Dump Analyzer
🎯 Overview
The Kernel Live Dump Analyzer is a forensic tool for scanning a snapshot of the Windows kernel memory (.dmp file). Its purpose is to find volatile evidence, such as recently executed commands or script fragments, that exists only in memory.
What It Checks
This tool automates the search for high-value traces within the raw memory dump:
- Command-Line History: It is effective at finding commands executed via cmd.exe or powershell.exe, including those used for fileless execution or to run cleanup scripts.
- Anti-Forensic Commands: It specifically hunts for traces of commands used to delete or modify evidence, such as reg delete, type, echo.
- Fileless Execution Indicators: It looks for traces of bypass techniques, including commands that use wmic process call create, powershell -e (encoded commands), or download strings (IEX, IWR).
- Suspicious File Paths & Keywords: It can be used to perform targeted searches for any string, such as the name of a known cheat or a suspicious file path.
🚨 Why It's Important
This is one of the most powerful tools for catching sophisticated cheaters who attempt to "live off the land" by using built-in Windows tools to hide their tracks.
- It Finds Deleted History: A cheater can close a Command Prompt window or clear the PowerShell / Eventlog history, but traces of their commands often linger in the kernel's memory buffers for a short time. This tool aims to find that evidence.
- Step 1: Open System Informer as Administrator (make sure to have the Kernel-Mode Driver enabled in the options).
- Step 2: In the top bar click Tools -> Create kernel memory dump -> Live kernel dump Full.
- Step 3: Place the RedLotus Kernel Live Dump Analyzer tool in the exact same folder as the .dmp file and run it.
- Step 4: Analyze the results.
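To show what the analyzer is doing under the hood when it hunts for the indicators listed above, here is an added example (not the RedLotus tool's code) that extracts printable strings from a raw memory buffer and matches them against the guide's command indicators. Two details matter on a real dump: the data is binary, so strings must be carved out first, and PowerShell and cmd command lines frequently sit in memory as UTF-16LE, so both ASCII and UTF-16LE runs are carved. The buffer, the minimum string length, and the regexes wrapped around the guide's keywords are this example's own constructions; the noisy "type" and "echo" indicators are left out of the pattern set.

```python
"""Added example: carve strings from a memory buffer and flag the anti-forensic
and fileless-execution command indicators this guide lists."""
import re

# Indicators named in the guide; the regexes around them are this example's own.
PATTERNS = {
    "reg delete":            re.compile(r"\breg(?:\.exe)?\s+delete\s", re.IGNORECASE),
    "wmic process create":   re.compile(r"\bwmic\s+process\s+call\s+create\b", re.IGNORECASE),
    "powershell -e(ncoded)": re.compile(r"\bpowershell(?:\.exe)?\s+(?:-e|-enc|-encodedcommand)\s", re.IGNORECASE),
    "IEX / IWR download":    re.compile(r"\b(?:iex|iwr|invoke-expression|invoke-webrequest)\b", re.IGNORECASE),
}

# Printable runs of at least 6 characters, like `strings` and `strings -el`.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(buf: bytes):
    """Yield (offset, encoding, text) for every ASCII and UTF-16LE run."""
    for m in ASCII_RUN.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def scan_dump(buf: bytes) -> list:
    """Return indicator hits as dicts sorted by offset in the buffer."""
    hits = []
    for off, enc, text in extract_strings(buf):
        for label, rx in PATTERNS.items():
            if rx.search(text):
                hits.append({"offset": off, "encoding": enc,
                             "indicator": label, "text": text})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed buffer standing in for a slice of a live kernel dump. The encoded
# argument "QQBCAEMA" is just "ABC" in UTF-16LE base64, a harmless placeholder.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"C:\\Windows\\System32\\cmd.exe /c reg delete HKCU\\Software\\Example /f"
    + b"\x00" * 8
    + "powershell.exe -enc QQBCAEMA".encode("utf-16-le")
    + b"\x00" * 6
    + "Invoke-WebRequest http://example.invalid/x.txt | IEX".encode("utf-16-le")
    + b"\x00" * 8
    + b"wmic process call create notepad.exe"
    + b"\x00" * 8
    + b"harmless log line about nothing"
)

if __name__ == "__main__":
    for h in scan_dump(SAMPLE_DUMP):
        print(f"0x{h['offset']:08x} {h['encoding']:8} {h['indicator']:22} {h['text']}")
```

Every hit should be read in context: the offset lets you go back to the dump and look at the bytes around the string, which is how you tell a command the player typed from, say, a help text or a script that merely mentions the same keyword.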
📓 Journal Trace
🎯 Overview
Journal Trace is a powerful graphical tool for analyzing the NTFS USN Journal, which acts as a near-immutable diary of all file system activity. It provides a detailed, time-stamped log of every file creation, deletion, rename, and modification, making it the perfect tool for detecting evidence tampering.
What It Checks
This tool turns the raw data of the USN Journal into a readable timeline, allowing you to filter for specific, high-value events:
- File Deletions (FILE_DELETE): The most common use. It shows you exactly which files were deleted and when.
- File Renames (RENAME_OLD_NAME, RENAME_NEW_NAME): This explicitly shows a file being renamed from X to Y or being moved from PATH A to PATH B.
- Attribute Manipulation (BASIC_INFO_CHANGE): This event is triggered when a file's attributes are changed. It is the proof for two key bypass techniques:
  - Prefetch Freezing: A player sets a file to "Read-Only" to stop its timestamp from updating.
  - Timestomping: A player alters a file's "Date Modified" timestamp to make it look old.
- Content Modification (DATA_OVERWRITE): This can indicate that the contents of a file were directly altered, a potential sign of hex editing.
🚨 Why It's Important
Journal Trace is the ScreenSharer's best defense against a cheater who tries to cover their tracks. It turns the act of hiding evidence into the evidence itself.
- It is Conclusive: The USN Journal is managed at the kernel level and is difficult to manipulate without leaving obvious traces. Its logs are considered ground truth for file system activity.
- It Exposes Intent: Finding a suspicious file is one thing. Using Journal Trace to prove that the player deleted files or renamed their cheat to homework.docx just before the check is what proves clear, undeniable intent to bypass.
This check should have already been done through Spok's tools, but just to be sure, I would recheck any deleted or replaced/modified files.
What to look for: Deleted, Overwritten, Data Truncation, Data Overwrite, Basic Info Change.
⭐ Bonus: Spok Utility Tool
This tool allows you to run a few checks in a small amount of time and can be useful during some investigations.
Log Checks
Section dedicated to Log checks and related tools.
Log Checks Info
Check Preparation
- Preliminary Checks: Before asking for AnyDesk, trace the DupeIP, the StaffNotes, and/or similar.
- Environment Setup: Turn on a VPN to protect yourself, start Recording, request elevated privileges on AnyDesk, and create an SS folder on their desktop for the tools.
Log Checks Steps
🌐 VPN Check
🎯 Overview
This check is designed to determine if the player is using a Virtual Private Network (VPN).
What It Checks
The script analyzes the system's current network configuration for common indicators of a VPN connection:
- Network Adapters: It scans for virtual network adapters commonly installed by VPN clients.
- DNS Servers: It checks if the system's DNS servers are pointing to known public or VPN-specific DNS providers instead of the user's internet service provider (ISP).
- Running Processes: It looks for active processes associated with well-known VPN client software.
Run this script immediately to check if the user's VPN is currently on.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://pastebin.com/raw/pa5dMLAM)
👥 RedLotus Alt Checker
🎯 Overview
The RedLotus Alt Checker is a powerful, privacy-first tool designed to automate the detection of ban evasion. It scans the entire system to identify alternate accounts ("alts") across multiple platforms and exposes recent cleanup attempts by analyzing USN Journal.
What It Checks
The tool performs a comprehensive, multi-layered scan:
- Multi-Platform Account Scanning: It automatically extracts public usernames and account identifiers from:
- Minecraft: All major launchers (Vanilla, Lunar, Feather, CurseForge, etc.) and their log/configuration files.
- Steam, Discord, and Hytale: Launcher data and logs.
- Windows: Local system user accounts.
- Intelligent Username Search: When using the "Target Scan," it employs a "fuzzy search" algorithm to find variations and typos of a username, catching players who try to hide by using slightly different names.
- Forensic USN Journal Analysis: It analyzes the NTFS Journal status of all connected drives to immediately flag if logs have been wiped recently. It also specifically targets deleted or modified Minecraft-related files from the last 14 days, directly exposing any attempt to delete account history or client files before the check.
An automated tool that enables you to do log checks in just a few seconds.
Open the tool, run a scan with your preferred function and obtain information about the player's alternate accounts.
📂 Manual Results Check
🎯 Overview
This step involves the critical human element of the investigation. After the RedLotus Alt Checker provides its automated findings, your role is to manually review the source files to verify the evidence and, most importantly, understand its context.
What It Checks
Your goal is to confirm the tool's findings by:
- Using the "Open" Button: The Alt Checker provides a direct "Open" button for each trace it finds. Use this to immediately navigate to the exact file and line where an account was identified.
- Keyword Searching (Ctrl+F): Within the opened log or configuration files, manually search for the suspect's nickname, UUID, and common data labels to understand how the account information is stored. Key labels to search for include: "username", --uuid, Token, Setting user:, Logged in as.
- Verifying File Type: Confirm the nature of the file where the trace was found.
🚨 Why It's Important
An automated tool provides leads; a human investigator provides context and confirmation. This step is crucial to avoid false positives and build an undeniable case.
Always use the native "Open" button in RedLotus Alt Checker to directly open the suspicious trace and explore it.
Alternative: Use the Search Everything tool to track down any moved or hidden folders (use only if the Open button fails or the tool doesn't locate custom directories).
Press Ctrl+F and search for specific terms inside Config and Log files. Ignore harmless public chat logs unless they indicate blatant confessions.
- Key Terms: Exact Nicknames, UUID (36 or 32 char)
- Common Labels (Config / Log): "username", --uuid, Token, Setting user:, Setting account, Logged in as, Connection established as
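The manual Ctrl+F pass above, and the "fuzzy search" the RedLotus Alt Checker is described as using in its Target Scan, can both be expressed as a small script. The following is an added example (not the Alt Checker's code) that pulls usernames out of launcher log and config lines using the labels listed in this guide, normalises 36- and 32-character UUIDs to one form so they compare equal, and then rates every found name against the suspect's nickname with a similarity ratio. The log lines, the 0.8 similarity threshold and the exact regex around each label are this example's assumptions.

```python
"""Added example: extract account identifiers from log/config lines and
fuzzy-match them against a target nickname."""
import difflib
import re

# Labels from the guide; the capture regex after each label is ours.
NAME_LABELS = [
    re.compile(r'"username"\s*:\s*"([^"]+)"'),
    re.compile(r"Setting user:\s*(\S+)"),
    re.compile(r"Logged in as\s+(\S+)"),
    re.compile(r"Connection established as\s+(\S+)"),
]
# 36-char hyphenated or 32-char bare hex UUID.
UUID_RE = re.compile(r"\b[0-9a-fA-F]{8}-?(?:[0-9a-fA-F]{4}-?){3}[0-9a-fA-F]{12}\b")


def extract_identifiers(lines):
    """Return (usernames, uuids) as (line_no, value) tuples.

    UUIDs are normalised to 32 lowercase hex characters so the two forms the
    guide mentions are recognised as the same account.
    """
    names, uuids = [], []
    for n, line in enumerate(lines, 1):
        for rx in NAME_LABELS:
            for m in rx.finditer(line):
                names.append((n, m.group(1).strip(",;\"'")))
        for m in UUID_RE.finditer(line):
            uuids.append((n, m.group(0).replace("-", "").lower()))
    return names, uuids


def fuzzy_matches(found_names, target, threshold=0.8):
    """Names whose case-insensitive similarity to the target nickname is at
    least threshold, so near-duplicates such as a 0 swapped for an o are
    surfaced instead of missed by an exact search."""
    hits = []
    for line_no, name in found_names:
        ratio = difflib.SequenceMatcher(None, name.lower(), target.lower()).ratio()
        if ratio >= threshold:
            hits.append((line_no, name, round(ratio, 3)))
    return hits


# Constructed lines in the style of launcher logs and a launcher config file.
SAMPLE_LINES = [
    "[12:01:03] [main/INFO]: Setting user: PlayerOne",
    "[12:01:04] [main/INFO]: (Session ID is token:<redacted>)",
    "... --uuid 123e4567e89b12d3a456426614174000 --accessToken <redacted> ...",
    '{"username": "Steve", "uuid": "123e4567-e89b-12d3-a456-426614174000"}',
    "[12:05:44] [Client thread/INFO]: Connection established as Player0ne",
    "[12:06:00] [Client thread/INFO]: Logged in as AltAccount_77",
]

if __name__ == "__main__":
    names, uuids = extract_identifiers(SAMPLE_LINES)
    print("names:", names)
    print("uuids:", uuids)
    print("near 'PlayerOne':", fuzzy_matches(names, "PlayerOne"))
```

A name that scores high but is not an exact match is exactly the kind of lead the guide says needs human verification: open the file at that line and confirm which account the label belongs to before treating it as an alt.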
📓 JournalTrace Check (if necessary)
🎯 Overview
This is a deeper, secondary check performed only when you have a strong suspicion of evidence tampering that needs further investigation.
What It Checks
JournalTrace analyzes the raw data of the NTFS USN Journal. In this specific context, you will filter it to find evidence of recent tampering with log files. You will look for:
- Targeted File Extensions: Filter the Name column for extensions like .log, .json, or .gz (for compressed logs).
- Suspicious Operations: Filter the Reason column for key indicators of manipulation:
  - FILE_DELETE: Proves a log file was deleted.
  - DATA_OVERWRITE / DATA_TRUNCATION: Proves a log file's contents were altered or wiped.
  - BASIC_INFO_CHANGE: Can indicate that a log file's timestamps were manipulated (timestomping).
In case of suspected Anti-Forensics manipulations, open JournalTrace and filter by extensions like .log, .json or .gz.
Look for any Deleted, Overwritten, Data Truncation, Data Overwrite or Basic Info Change operations that could indicate a voluntary attempt to hide or destroy evidence.
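Both the Journal Trace section above and this JournalTrace log check come down to the same two operations: decoding the USN "Reason" bitmask into flag names, and filtering records by flag and extension. The following added example (not JournalTrace's code) does exactly that over a constructed record set, using the USN_REASON_* values from the Windows SDK, and also pairs RENAME_OLD_NAME / RENAME_NEW_NAME records that share a file reference number so the "renamed from X to Y" story the guide describes falls out directly. The records, timestamps and file reference numbers are constructed.

```python
"""Added example: decode USN reason masks and filter for tamper indicators."""

# USN_REASON_* constants as defined in winioctl.h.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00004000: "INDEXABLE_CHANGE",
    0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE",
    0x00020000: "COMPRESSION_CHANGE",
    0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE",
    0x00100000: "REPARSE_POINT_CHANGE",
    0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}

# The indicators this guide tells you to look for.
TAMPER_FLAGS = {"FILE_DELETE", "DATA_OVERWRITE", "DATA_TRUNCATION", "BASIC_INFO_CHANGE"}
LOG_EXTENSIONS = {".log", ".json", ".gz"}


def decode_reason(reason: int) -> list:
    """Flag names set in a USN reason mask, lowest bit first."""
    return [name for bit, name in sorted(USN_REASONS.items()) if reason & bit]


def find_tampering(records, extensions=None) -> list:
    """records: iterable of (timestamp, file_name, reason_mask, frn).
    Returns records carrying a tamper flag, with the decoded flags; when an
    extension set is given, only files with those extensions are kept."""
    hits = []
    for ts, name, reason, frn in records:
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if extensions is not None and ext not in extensions:
            continue
        flags = decode_reason(reason)
        if TAMPER_FLAGS.intersection(flags):
            hits.append({"time": ts, "name": name, "frn": frn, "flags": flags})
    return hits


def pair_renames(records) -> list:
    """Join RENAME_OLD_NAME / RENAME_NEW_NAME records that share a file
    reference number into (old_name, new_name) pairs."""
    old_by_frn, pairs = {}, []
    for _, name, reason, frn in records:
        if reason & 0x1000:
            old_by_frn[frn] = name
        elif reason & 0x2000 and frn in old_by_frn:
            pairs.append((old_by_frn.pop(frn), name))
    return pairs


# Constructed sample records: (ISO timestamp, name, reason mask, file ref number)
SAMPLE_RECORDS = [
    ("2024-03-10T19:40:01", "client.exe",     0x00001000, 101),  # RENAME_OLD_NAME
    ("2024-03-10T19:40:01", "homework.docx",  0x00002000, 101),  # RENAME_NEW_NAME
    ("2024-03-10T19:41:15", "latest.log",     0x80000200, 102),  # FILE_DELETE | CLOSE
    ("2024-03-10T19:41:20", "accounts.json",  0x80000005, 103),  # DATA_OVERWRITE | DATA_TRUNCATION | CLOSE
    ("2024-03-10T19:42:00", "loader.pf",      0x80008000, 104),  # BASIC_INFO_CHANGE | CLOSE
    ("2024-03-10T19:42:30", "screenshot.png", 0x80000102, 105),  # FILE_CREATE | DATA_EXTEND | CLOSE
]

if __name__ == "__main__":
    for h in find_tampering(SAMPLE_RECORDS, LOG_EXTENSIONS):
        print(h["time"], h["name"], "|".join(h["flags"]))
    print("renames:", pair_renames(SAMPLE_RECORDS))
```

BASIC_INFO_CHANGE on its own is common in normal Windows activity, so treat it as a lead to correlate with the timing of the check and with the file's other journal entries, whereas a FILE_DELETE on a launcher log minutes before the screenshare speaks for itself.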
After the check
Section dedicated to trace cleanup, and punishment logging.
Cleanup and Report
Delete the different tools you downloaded and any files you created, so that the PC is left in exactly the same state it was in prior to your connection. Once this is done, fill out the report in accordance with your server rules.