Updated - 02/03/19

Screenshare Guide open to everyone, not everything is in this as I like to keep some stuff private.

AnyDesk
○ Whenever you open AnyDesk and connect to their session, click on the lightning bolt at the top right and select "request elevation".
○ Doing this gives you Administrator permissions and allows you to use Task Manager and other applications launched in Administrator Mode.

Minecraft
○ Once you're in the AnyDesk session, open their Minecraft game. Go onto your account and temporarily unfreeze the player so you can use the Main Menu. (Only do this if the server you're staff on has a Freeze GUI which prevents them from pressing ESC/Chatting).
○ Once they're unfrozen, press ESCAPE - Options - Snooper Settings. Scroll all the way near the bottom until you see 'launched_version'. If anything suspicious appears, ban them.

Recording
○ Click the UP Arrow at the bottom right of their taskbar.
○ Hover over every application & look at their names. Open Nvidia GeForce Experience (check if they have it, not only by hovering over everything, just go through their pc and search for it). Open it, click on the InGame Overlay at the top (or press Alt + Z for ShadowPlay) and make sure the recording is off.
○ If they have RADEON (which is for AMD), open it and click on the "RELIVE" button and make sure it's off.

Task Manager
○ When you've opened their task manager, check for anything suspicious.
○ Look for recording software that could still be open.
○ Look for 'ClickyGone', 'WinHide', 'HocusPocus' too.
○ If you find anything sketchy, contact me if you're curious as to what it is.

Recycle Bin
○ Press Win + R on your keyboard to open RUN.
○ Type in: C:\$Recycle.Bin
○ If nothing shows up, click on View at the top, click on Options at the right, go to the View tab, click on 'Show hidden files, folders and drives' and also uncheck 'Hide protected operating system files (Recommended)'.
○ If they have modified their Recycle Bin before the screenshare or near the same time, you may ban them under any circumstances.

.minecraft folder
○ Go to their .minecraft folder and open their mods folder (this is only if they're on Forge).
○ Check the file size of all mods, and make sure they are correct.
    Batty's Coordinates PLUS Mod for Forge-1.7.10_1.6.0 (18kb)
    ReiMinimap without Entity/Player Radar (179kb)
    VoxelMap-No-Radar-Mod-1.7.10 (455kb)
    OptiFine_1.7.10_HD_U_D6 (1,194kb)
    Batty's Coordinates (13kb)
    ArmorStatusHUD (25-26kb)
    StatusEffectHUD (23-24kb)
    ShinyPots-1.1 (5kb)
    MotionBlurMod (7kb)
    Keystrokes Mod (11kb)
    DirectionHUD (23-24kb)
    bspkrsCore (193-194kb)
    TcpNoDelayMod (5-6kb)
    ToggleSneak (20-24kb)
    PlayerAPI (276kb)
    CPS Mod (9kb)
  All of the mods have to be around this size.
○ If any mod is a very different size, decompile it with 'Luyten' and go through all packages to look for suspicious code; if you're already 100% sure, you can ban them.
○ If bspkrsCore is corrupted when you try to open it, you may ban them too.
○ After checking the mods folder, go back to the .minecraft folder.
○ IMPORTANT: Open launcher_profiles.json - CTRL + F - Search for displayName. People who cheat on alts with a VPN, and people who have a banned account or a Dynamic IP, will be caught this way (those people bypass /alts), which is why you ALWAYS want to do this.
○ Go in-game and /history all of the account names you found with the previous step and check if any of them are banned; if so, ban them for Ban Evasion.
○ If they have a gc.txt file in their .minecraft, check the date modified. If it was recent, you may ban them for Cringed Client.
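
The launcher_profiles.json check above, as an added example that is not part of the original guide: it collects every displayName at any depth, so an account is listed whichever way the file nests it, and it reads each profile's javaArgs for -noverify, the flag the Minecraft Launcher step looks for. The sample file and its account names are constructed, and the javaArgs key and the two account layouts are assumptions about the launcher's file format.

```python
import json

# Constructed sample, not a real player's file: one account in the older flat
# layout, one in the newer nested layout, one profile with -noverify set.
SAMPLE = """{
 "profiles": {
  "a1": {"name": "Forge 1.7.10", "javaArgs": "-Xmx2G -noverify"},
  "b2": {"name": "Vanilla", "javaArgs": null}},
 "authenticationDatabase": {
  "u1": {"displayName": "MainAccount", "username": "main@example.invalid"},
  "u2": {"username": "alt@example.invalid",
         "profiles": {"p9": {"displayName": "AltAccount"}}}}
}"""

def display_names(node):
    """Yield every string stored under a displayName key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "displayName" and isinstance(value, str):
                yield value
            else:
                yield from display_names(value)
    elif isinstance(node, list):
        for item in node:
            yield from display_names(item)

def noverify_profiles(data):
    """Names of launcher profiles whose JVM arguments disable bytecode verification."""
    flagged = []
    for key, prof in (data.get("profiles") or {}).items():
        if not isinstance(prof, dict):
            continue
        args = (prof.get("javaArgs") or "").lower().split()
        # -Xverify:none is the long spelling of -noverify (added here, not in the guide)
        if "-noverify" in args or "-xverify:none" in args:
            flagged.append(prof.get("name", key))
    return flagged

def audit(text):
    """Return the account names to look up and the profiles that need a closer look."""
    data = json.loads(text)
    accounts = sorted(set(display_names(data)), key=str.lower)
    return {"accounts": accounts, "noverify": noverify_profiles(data)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To use it on a real machine, pass the text of launcher_profiles.json to audit() and run /history on each name it returns.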

Minecraft Launcher
○ Open a new Minecraft launcher (like you would do when you want to play Minecraft) and navigate to 'Launch Options'. Click on the version they are currently running (the one you looked at in Snooper Settings), and if they have '-noverify' in the JVM Arguments, you may ban them.

Recent Files
○ Press Windows Key + R, type in %appdata% and press enter.
○ Scroll down to Microsoft, then click Windows and then click Recent Items.
○ Look through their recently opened items and search for anything suspicious.
○ If you find something used recently, ban them.

Razer Synapse
○ Press Windows Key + R, type in C:\ProgramData and press enter.
○ Go to 'Razer', then 'Synapse', then 'Accounts', then click on their account folder.
○ Once in the accounts folder, check the date modified on the Macros folder.
○ If it was edited before or near the screenshare, you may ban them.

Last Activity Viewer
○ Download LastActivityViewer on their computer.
○ Open the program and look through their recently opened files; ban for anything suspicious found.

UserAssistViewer
○ Download UserAssistViewer on their computer.
○ Open the program and look through their recently opened files; ban for anything suspicious found.

WinRar Recent Files
○ Go to their desktop, Right-Click and press 'New', click on WinRar Archive.
○ Once open, right click on the program on their taskbar.
○ If they have opened anything suspicious on that list, you may ban them.

Downloads and Desktop
○ Go to their downloads folder first, scroll through all of their downloads and search for any suspicious programs (example: hG402.exe etc). Check the date modified, and if it was recent you may ban them.
○ Go to their desktop, look at the files on it and look for any suspicious programs or items on their desktop.

Search Everything
○ Download Search Everything on their computer.
○ Let everything load and then search this suggested list. If anything appears, check the date modified, and if it was recent you can ban them.
Search for the following:
○ Clicker, AutoClicker, XRay, Vape, Incognito, Vea, Kurium, OneTap, Nero, Demon, Fusk, Merge, Misplace, Drek.
○ If anything is found and used recently, ban them.

Process Hacker

1. Smartscreen.exe
○ Download Process Hacker 2 on their computer.
○ Type 'smartscreen.exe', double click it, and click memory.
○ Uncheck the box that says 'hide free regions' and click the 'strings' button.
○ In 'Minimum Length', type 4. Make sure Image & Mapped are ticked, then press OK.
○ Click filter in the bottom left corner of the window that popped up (Click "contains (case-insensitive)").
○ Type Vape in the text box and click ok. (If something pops up, ban them).

2. MsMpEng
○ Type 'msmpeng', double click it, and click memory.
○ Uncheck the box that says 'hide free regions' and click the 'strings' button.
○ In 'Minimum Length', type 4. Make sure Image & Mapped are ticked, then press OK.
○ Click filter in the bottom left corner of the window that popped up (Click "contains (case-insensitive)").
○ Type Manthe Industries, LLC in the text box and click ok. (If something pops up, ban them).
○ Also copy and paste the following string: 1AC14E77-02E7-4E5D-B7442EB1AE5198B7)RUNDLL32.EXEd3dx9.dll,EntryPointlaunch

3. Explorer.exe
○ Type 'explorer.exe', double click it, and click memory.
○ Uncheck the box that says 'hide free regions' and click the 'strings' button.
○ In 'Minimum Length', type 4. Make sure Image & Mapped are ticked, then press OK.
○ Click filter in the bottom left corner of the window that popped up (Click "contains (case-insensitive)").
○ Type the following string: Oshi-core-1.1.jar (if it pops up, ban them).
○ Type the following string: C:\users\(account name on their pc).
○ After typing the string above, create a new filter and type .exe, then .jar, then .zip.
○ If you find anything suspicious in these 3 searches that was used recently or can no longer be found, ban them.
○ Now enter the following string: PcaClient
○ Double Click on the one that starts with "TRACE, ...."
○ A whole list will appear highlighted in BLUE; search through all the programs listed in blue for anything suspicious. Example: C:\users\Stefan\Desktop\hgKGE.exe - if you find anything like this, ban them.

4. Javaw.exe
○ Type 'javaw.exe', double click it, and click memory.
○ Uncheck the box that says 'hide free regions' and click the 'strings' button.
○ In 'Minimum Length', type 4. Make sure Image & Mapped are ticked, then press OK.
○ Click filter in the bottom left corner of the window that popped up (Click "contains (case-insensitive)").
○ Type in whatever string you may have - I'm not going to give you strings.
○ Go back to Process Hacker 2, type in javaw.exe again, then click on 'Find Handles or DLLs' and copy and paste the following: reflective_dll.x64.dll

5. chrome.exe
○ Type 'msmpeng', double click it, and click memory.
○ Uncheck the box that says 'hide free regions' and click the 'strings' button.
○ In 'Minimum Length', type 4. Make sure Image & Mapped are ticked, then press OK.
○ Click filter in the bottom left corner of the window that popped up (Click "contains (case-insensitive)").
○ Type the following strings: vape.gg, clicker, autoclicker, demon.gg, drek.io, tap.wtf, apolloclicker.pw, cdn.apolloclicker.pw

6. dwm.exe
○ Type 'dwm.exe', double click it, and click memory.
○ Uncheck the box that says 'hide free regions' and click the 'strings' button.
○ In 'Minimum Length', type 4. Make sure Image & Mapped are ticked, then press OK.
○ Click filter in the bottom left corner of the window that popped up (Click "contains (case-insensitive)").
○ Type the following strings: auto click, autoclick, clicker, veneclicker, 7clicker, nacl (look for nacl 32), silent clicker, agent.jar
○ IMPORTANT: When you finish the last step with Process Hacker, make sure to clear your strings!
  - On the top bar, click Options, then press the 'Reset' button.

Regedit.exe
○ Press Windows Key + R, type in regedit, and press enter.
○ When regedit opens, copy and paste this into the top navigation bar: Computer\HKEY_CURRENT_USER\Software\Microsoft\WindowsNT\CurrentVersion\AppCompatFlags\Compatibility\Store
○ Once it finishes opening the directory, you will be given a list of programs.
○ Look through all programs and make sure there's nothing suspicious. Example: C:\Users\Stefan\Downloads\RJVjMswM.exe