by Lewis
Explorer is the process that manages the Start menu, Taskbar, desktop, and file manager. This means a lot of the strings in explorer.exe will be from this PC instance (not 100% of the time, but I’ll get onto that).
The methods you can use in Explorer.exe are “PCACLIENT” and the Executed File Method (there are a few ways to do this).
Firstly: you can search for any string you like in the regular Explorer.exe Properties window (through Strings, Minimum Length 4, Image and Mapped). This will show whether that string has ever been on their PC; it does not necessarily mean it was from this PC instance.
“PCACLIENT”, which a lot of people in the screen-sharing world are familiar with, is a method that shows you all executed files in their game instance.
The Executed File Method is a method that shows any and ALL files that have been executed on their PC since bootup.
PCACLIENT
- Firstly you want to find the “explorer.exe” process in Process Hacker 2 (run as administrator). Type “Explorer.exe” in the search bar and it should look like this:
Next:
Then paste “PCACLIENT” into the search bar.
Select the result that says “Trace,0000” at the start and hit save.
Save it to their desktop
Open the file and go to the suspicious directories.
This list is in chronological order.
The Executed File Method
With this method you will be able to see all executed/accessed files from their PC instance. This guide will show you methods to find these.
First Method:
Return to the Properties window:
Next:
Uncheck “Hide free regions” then click on “Strings…”
Set the Minimum String Length to 4
Check “Image” and “Mapped”
Click “OK”
Click “Filter”
Select “Contains (Case-Insensitive)”
From here you can either:
Type “File:”
Then Select “Contains (Case-Insensitive)” Again
Enter whichever file type you want to find (.jar, .exe, .dll, .txt)
This will return something that looks like this:
OR
Type “\users\%userspcname%\” (This was “\users\lewis\” for me)
Then Type “.exe”
This will return a lot of files (not all of which will be from this PC instance, but it gives you an indication of any real file they might be using to hide their cheats).
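Added example, not part of Lewis’s guide: once the PCACLIENT result or the strings list has been saved to a text file, a short script can pull out the “Trace,0000” and “File:” entries in order and filter them by extension and by user folder, the same filtering the guide does by hand. The export layout and the sample lines are constructed assumptions; the parser only needs each string on its own line.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of a saved strings export (layout assumed: one extracted
# string per line, here prefixed with an address and a length).
SAMPLE_EXPORT = """\
0x1a2b3c, 38, Trace,0000,C:\\Windows\\System32\\notepad.exe
0x1a2b80, 52, Trace,0000,C:\\Users\\lewis\\Downloads\\setup_tool.exe
0x1a2c10, 48, File:C:\\Users\\lewis\\AppData\\Roaming\\.minecraft\\mods\\OptiFine.jar
0x1a2c60, 44, File:C:\\Program Files\\Java\\jre\\bin\\javaw.exe
0x1a2cb0, 40, File:C:\\Users\\lewis\\Desktop\\readme.txt
0x1a2d00, 12, SomeOtherString
"""

# The two markers the guide searches for, each followed by a drive-letter path.
ENTRY_RE = re.compile(r"(Trace,\d{4},|File:)\s*([A-Za-z]:\\[^\r\n]+)", re.IGNORECASE)


def extract_entries(export_text: str) -> List[Tuple[str, str]]:
    """Return (kind, path) pairs in file order: 'trace' for a PCACLIENT record,
    'file' for a File: string. Order is kept because the PCA list is chronological."""
    entries = []
    for line in export_text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        kind = "trace" if m.group(1).lower().startswith("trace") else "file"
        entries.append((kind, m.group(2).strip()))
    return entries


def filter_paths(entries, extensions=(".exe", ".jar", ".dll"),
                 user_dir: Optional[str] = None) -> List[str]:
    """Keep paths ending in one of the extensions; optionally only those containing
    a profile fragment such as '\\users\\lewis\\' (both checks case-insensitive)."""
    exts = tuple(e.lower() for e in extensions)
    wanted = user_dir.lower() if user_dir else None
    out = []
    for _, path in entries:
        low = path.lower()
        if not low.endswith(exts):
            continue
        if wanted and wanted not in low:
            continue
        out.append(path)
    return out


if __name__ == "__main__":
    for p in filter_paths(extract_entries(SAMPLE_EXPORT), user_dir="\\users\\lewis\\"):
        print(p)
```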