Difference between revisions of "AutoRunByFilename"
Latest revision as of 11:46, 5 December 2008
AutoRunByFilename
Group               | Registry
Main Application    | Version 1.3 or later
Required Update     | n/a
File Parameters     | yes (third)
Registry Parameters | no
Build Parameters    | yes (third)
Special Parameters  | no
Searches for a registry run entry by the filename.
Usage
AutoRunByFilename:<filename(string)>,<directory(string)>[,advanced file parameters]
Examples
AutoRunByFilename:"spyware.exe","","filesize=10,md5=7303F017FE369F9CE5AF630DA93BA867"
Description
This command is only to be used in rare cases where the autorun entry might be the only lead to a totally random directory name. It detects a Run value, much like AutoRun, and also an associated directory, but, contrary to AutoRunByValue, it matches on the value data, which contains the target filename.
- The first parameter describes the filename to find. Algo-Prefixes are supported in this parameter only.
- The second parameter names an additional folder that may be flagged if the run entry points to a file inside a folder of that name. You may leave this directory parameter empty, but you may not omit it. Use * (with care) if you want to flag any folder that is associated with files identified by the first parameter.
- You may specify advanced file parameters to limit detection in case of ambiguous value names (which nearly all are, so make use of this)!
Scan Results
- Any entries in the supported locations that are identified by filename and optional parameters.
- The files associated with the entries, if they were found.
- The directory specified in the second parameter.
Locations
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\
Where HKEY_CURRENT_USER actually scans the registry of every available user account.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\
Where HKEY_LOCAL_MACHINE actually scans the global registry hive of every detected and loaded Windows installation (see /allhives and /nouserhives).
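The parameter rules in the Description and the key list under Locations can be exercised on a small model. The following Python script is an added example and is not Spybot S&D's own code: it parses the command syntax shown on this page, walks the four Run keys of every hive in a constructed in-memory registry (the hives, value data and file contents are made up), matches the filename against the value data, flags the directory named by the second parameter (or any directory for *), and applies advanced file parameters. Only filesize= and md5= are implemented, a key=value syntax assumed from the page's example; treating a file that is missing from disk as no match when file parameters are given, and extracting the target path as the path token around the filename, are also assumptions of this example.

```python
"""Reference model of the AutoRunByFilename detection logic described on the
page. Added example, not Spybot S&D code: registry and file system are
constructed in-memory stand-ins, and the advanced-file-parameter syntax
(filesize=, md5=) is assumed from the page's own example."""
import csv
import hashlib
import ntpath
import re

# Run-key paths listed under "Locations"; HKEY_CURRENT_USER is expanded to
# every user hive and HKEY_LOCAL_MACHINE to every loaded machine hive.
RUN_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce",
]

# Constructed stand-in for the registry: hive -> key path -> {value name: data}.
SAMPLE_REGISTRY = {
    "HKEY_USERS\\S-1-5-21-0-0-0-1001 (alice)": {
        RUN_KEYS[0]: {
            "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
            "Updater": r'"C:\Users\alice\AppData\Roaming\kq83jd\spyware.exe" /silent',
        },
    },
    "HKEY_USERS\\S-1-5-21-0-0-0-1002 (bob)": {
        RUN_KEYS[0]: {"Updater": r"C:\Users\bob\AppData\Local\zz91\spyware.exe"},
    },
    "HKEY_LOCAL_MACHINE (C:\\Windows)": {
        RUN_KEYS[0]: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
        RUN_KEYS[2]: {"Cleanup": r'"C:\Temp\spyware.exe"'},  # file no longer on disk
    },
}

# Constructed stand-in for the file system: path -> file content.
SAMPLE_FILES = {
    r"C:\Users\alice\AppData\Roaming\kq83jd\spyware.exe": b"MZ-dummy!!",  # 10 bytes
    r"C:\Users\bob\AppData\Local\zz91\spyware.exe": b"MZ-other-build",    # different build
}
# Hash of the constructed sample, used in place of a real signature value.
SAMPLE_MD5 = hashlib.md5(SAMPLE_FILES[r"C:\Users\alice\AppData\Roaming\kq83jd\spyware.exe"]).hexdigest().upper()


def parse_command(command):
    """Split 'AutoRunByFilename:"file","dir"[,"k=v,..."]' into its parameters.
    The third (quoted) parameter contains commas itself, so csv does the split."""
    name, _, args = command.partition(":")
    if name != "AutoRunByFilename":
        raise ValueError("not an AutoRunByFilename command")
    fields = next(csv.reader([args]))
    if len(fields) < 2:
        raise ValueError("directory parameter may be empty but not omitted")
    filename, directory = fields[0], fields[1]
    file_params = {}
    if len(fields) > 2 and fields[2]:
        for item in fields[2].split(","):
            key, _, value = item.partition("=")
            file_params[key.strip().lower()] = value.strip()
    return filename, directory, file_params


def extract_target_path(data, filename):
    """Return the path token in the value data that ends in filename, or None.
    The filename must be a whole path component ("notspyware.exe" does not
    match "spyware.exe"); an unquoted path containing spaces is not resolved."""
    pattern = r'(?<![^\\/\s"])((?:[^\s"]*[\\/])?' + re.escape(filename) + r')(?=["\s]|$)'
    m = re.search(pattern, data, re.IGNORECASE)
    return m.group(1) if m else None


def file_matches(path, file_params, files):
    """Apply advanced file parameters; with parameters present a missing file is no match."""
    if not file_params:
        return True
    content = files.get(path)
    if content is None:
        return False
    if "filesize" in file_params and len(content) != int(file_params["filesize"]):
        return False
    if "md5" in file_params and hashlib.md5(content).hexdigest().lower() != file_params["md5"].lower():
        return False
    return True


def autorun_by_filename(command, registry=SAMPLE_REGISTRY, files=SAMPLE_FILES):
    """Return scan results as (kind, detail) tuples: entry, file (if found), directory."""
    filename, directory, file_params = parse_command(command)
    results = []
    for hive, keys in registry.items():
        for key in RUN_KEYS:
            for value_name, data in keys.get(key, {}).items():
                path = extract_target_path(data, filename)
                if path is None or not file_matches(path, file_params, files):
                    continue
                results.append(("entry", f"{hive}\\{key}\\{value_name}"))
                if path in files:
                    results.append(("file", path))
                parent = ntpath.dirname(path)
                if directory == "*" or (directory and ntpath.basename(parent).lower() == directory.lower()):
                    results.append(("directory", parent))
    return results


if __name__ == "__main__":
    cmd = f'AutoRunByFilename:"spyware.exe","kq83jd","filesize=10,md5={SAMPLE_MD5}"'
    for kind, detail in autorun_by_filename(cmd):
        print(f"{kind:9} {detail}")
```

With the file parameters present only the entry whose target matches both size and hash is reported, together with its file and the kq83jd directory; the same filename under a different user with a different build, and a RunOnce entry whose file is gone, are left alone. Dropping the file parameters and using * as the directory shows why the page warns about it: every entry referencing that filename, and every folder it lives in, is flagged.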