jorbays.dev

Manual Screenshare

A guide to every tool used during a manual SS, what each one does, and what to look for.

Each tool page covers its purpose, the specific fields or outputs to check, and red flags that indicate something suspicious.
Tools
01
WinLiveInfo
system info
02
Meow Doomsday Fucker
memory scanner
03
TasksParser
scheduled tasks
04
RedLotus Mod Analyzer
mod scanner
05
RedLotus Alt Checker
account scanner
06
BAM Parser
execution history
07
BAMReveal
execution history
08
Espouken
multi-purpose
09
Fileless
memory / powershell
10
InjGen
injection detector

10 tools documented

system info tool

WinLiveInfo

Collects a full hardware and software snapshot of the target PC to verify the machine is real, consistent, and not a VM or spoofed setup.

What to check
[ok]HyperVisorPresent must be False - confirms no VM is running
[ok]HyperVRequirementVirtualizationFirmwareEnabled must be False
[ok]OS install date - note if Windows was installed suspiciously recently
[ok]Network adapters - check CsNetworkAdapters for VPN or virtual adapters
[ok]Last boot time via OsLastBootUpTime - fresh reboots right before a check are suspicious
[ok]Motherboard and BIOS serials to verify machine consistency across checks
Red flags
[!]HyperVisorPresent: True - person is likely running a VM to hide cheats
[!]VPN or virtual adapter present, e.g. x-ovpn-tap in the adapter list
[!]Windows installed the same day as the screenshare
[!]Machine rebooted within minutes before the check started
memory scanner

Meow Doomsday Fucker

Scans the memory of running Java processes to detect the Doomsday cheat client. Has two tabs: Memory Scanner and JAR Parser.

What to check
[ok]Run the Memory Scanner tab while Minecraft is open - it will list all detected Java processes
[ok]Output should say All processes clean. if nothing is found
[ok]Each process will show as javaw [PID] -> clean or -> DETECTED
Red flags
[!]Any process showing DETECTED in the output means Doomsday was found in memory
[!]Output says Doomsday Detected in red next to the Stop button
[!]Output line reads Doomsday sucks. - this is the tool confirming a positive detection
scheduled tasks

TasksParser

Parses all Windows scheduled tasks and flags suspicious ones based on signature status, static analysis, registry mismatches, IFEO hijacks, and heuristics.

What to check
[ok]Signed column - most legitimate tasks will show Signed in green
[ok]Use the filter buttons at the top to isolate: On logon only, Static analysis only, Heur checker only, Registry mismatch only, IFEO only
[ok]Check the Task Path column - legitimate tasks run from %windir% or known program folders
[ok]On Logon column shows tasks that auto-run at login - pay extra attention to these
Red flags
[!]Any task showing Not signed in orange, especially ones set to run On Logon
[!]Tasks running from unusual paths like AppData, Temp, or a custom folder
[!]IFEO Hijack column populated - Image File Execution Options hijacks can redirect or intercept program launches
[!]Registry Mismatch flagged - the task on disk does not match what is registered
mod scanner

RedLotus Mod Analyzer

Scans the player's Minecraft mods folder (via memory scan or disk scan) and checks each mod against Modrinth to verify it is a known, legitimate mod.

What to check
[ok]Use Memory Scan to automatically detect the running Minecraft process and its mod folder
[ok]Each mod should show Verified in green under the Modrinth column
[ok]Status column should say Found - the mod file exists where it should
[ok]Check the mod folder path shown under Generic Information - verify it matches what the player says they use
Red flags
[!]Any mod showing Unverified - not found on Modrinth, could be a private or cheat mod
[!]Mod status showing Not Found - the mod was in memory but not on disk, suspicious
[!]Mod path pointing to an unexpected location outside the normal profile folder
[!]Mod folder modified after Minecraft launch - shown in red next to the path
account scanner

RedLotus Alt Checker

Scans the system for logged-in Minecraft, Discord, Steam, and other accounts to identify alts or secondary accounts the player may not have disclosed.

What to check
[ok]Use Target Scan with the player's username to search across all platforms at once
[ok]Minecraft Scan will show all Java and Bedrock accounts cached on the machine
[ok]Review the Accounts Found tab - cross-reference every account shown with the player's known alts
[ok]Check the Forensics tab for deeper evidence of account activity
Red flags
[!]Accounts found that the player has not disclosed or claims not to own
[!]Multiple Minecraft accounts on the same machine - could indicate ban evasion alts
[!]Discord or Steam accounts with different usernames that do not match the player's known identity
execution history

BAM Parser

Reads the Windows Background Activity Monitor (BAM) registry to show every executable that has been run on the machine, with timestamps, signatures, and flagged rules.

What to check
[ok]Review the Last Execution timestamps - focus on anything run around the time of the SS or recently before it
[ok]Signature column - most legitimate programs will show Signed
[ok]Rules column shows flagged rule codes (e.g. A, F, G4) - these indicate suspicious patterns
[ok]Use the Not Signed Only and Flagged Only filters to narrow down suspicious entries quickly
[ok]Check for any entries from C:\SS1\ or other SS tool folders to confirm the player ran the tools correctly
Red flags
[!]Unsigned executables run from AppData, Temp, Desktop, or non-standard paths
[!]Entries marked Deleted in the Signature column - the file was run then removed, classic cleanup behavior
[!]Rule codes like E, F, G4 next to unfamiliar executables
[!]Known cheat-related filenames in the path (e.g. injector, loader, client names)
execution history

BAMReveal

Similar to BAM Parser but with additional detection capabilities - shows generics tags, fake signatures, and cheat labels alongside execution history.

What to check
[ok]Signature column - look for Signed, Unsigned, Fake Signature, or Cheat labels
[ok]Generics column shows tags like HE1, HE4, OB1, AC2 indicating heuristic matches
[ok]Use Post-Logon, Show Untrusted, and Show Not Found filters to narrow results
[ok]Check Registry BAM and Deleted BAM tabs for historical and removed entries
Red flags
[!]Any entry labelled Cheat in the Signature column - direct detection
[!]Entries with Fake Signature - the executable was signed with an invalid or spoofed cert
[!]Generics tags on unfamiliar executables, especially HE (heuristic) or OB (obfuscation) tags
[!]Unsigned executables run from Downloads, Desktop, or temp locations shortly before the SS
multi-purpose

Espouken

A multi-function tool with several scan modes including time change detection, unicode string scanning, MC alt checking, HWID display, and service start time analysis.

What to check
[ok]Show services start times - compare service start times against the system boot time to detect anything that started unexpectedly late
[ok]Scan for time changes - detects if the system clock was manipulated
[ok]Scan for unicode strings - can surface obfuscated or hidden text in memory
[ok]Show HWID - use to verify hardware ID consistency across multiple checks
Red flags
[!]Services that started significantly later than boot time with no clear reason
[!]DPS service stopped or disabled - this logs diagnostic activity and is commonly disabled by cheaters
[!]Evidence of clock manipulation from the time change scan
memory / powershell

Fileless

Scans for fileless execution techniques - PowerShell commands that were run entirely in memory and never saved to disk, which cheats sometimes use to avoid leaving traces.

What to check
[ok]The tool outputs any suspicious PowerShell commands it finds in memory after the logon time
[ok]Review each flagged command - check what URL or script it was trying to run
[ok]Logon time is shown at the top - only events after this are relevant
Red flags
[!]PowerShell commands using -ExecutionPolicy Bypass and iex (irm 'url') to download and run scripts from the internet
[!]Commands referencing known cheat or screenshare-bypass GitHub repos
[!]Multiple suspicious commands found - indicates the player ran several in-memory scripts
injection detector

InjGen

Scans the running Minecraft process for injected DLLs, suspicious native modules, and known cheat client strings loaded into memory.

What to check
[ok]Tool automatically finds the javaw.exe PID and scans it
[ok]Suspicious Modules section lists any DLLs loaded into the process that are not standard
[ok]Client strings section shows any known cheat client identifiers found in memory
Red flags
[!]Output says Injection detected in untested game client - a DLL was injected into the process
[!]Known cheat client strings found, e.g. Doomsday-specific identifiers in the client strings section
[!]Unexpected DLLs with JNI flags loaded from non-standard paths inside the Minecraft process
made by jorbay