Difference between revisions of "AppID"
Revision as of 09:01, 18 February 2008
Searches for an application ID inside the registry.
Usage
Format: AppID:<key name>,<value name>
Examples
AppID:"CNForm.EXE","CNForm"
This example detects the entries of the CommonName malware in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\.
Description
This is an outdated command used to detect application IDs.
- The first parameter is the name of the AppID key to detect. Algo-Prefixes are available in versions later than 1.5.2.
- The second parameter covers the case where the key name is random: every AppID key is additionally checked for a default value of type REG_SZ or REG_EXPAND_SZ whose data matches this parameter. Algo-Prefixes are available in versions later than 1.5.2.
Scan Results
Only registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ are flagged:
- any AppID key whose name matches key name;
- any AppID key whose default value (REG_SZ or REG_EXPAND_SZ) matches value name.
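The two checks described above (match on the AppID key name, or on the key's default value when the key name is random), as an added example that is not the scanner's own code. It parses the AppID:"<key name>","<value name>" line, assuming both parameters are double-quoted, runs the checks over a constructed in-memory snapshot of HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID, and on Windows can build the same snapshot from the live hive with the standard winreg module. Matching is exact and case-insensitive (registry names are case-insensitive); Algo-Prefixes are not modelled. The snapshot layout and the sample entries are assumptions made for the example.

```python
import re
import sys

# Registry value type codes (same numeric values as winreg.REG_*).
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_BINARY = 3

APPID_PATH = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID"

# Assumed quoting: AppID:"<key name>","<value name>", no quotes inside a parameter.
_SIG_RE = re.compile(r'^AppID:"([^"]*)","([^"]*)"$')


def parse_appid_signature(line):
    """Return (key_name, value_name) from an AppID: signature line."""
    m = _SIG_RE.match(line.strip())
    if not m:
        raise ValueError("not an AppID signature: %r" % line)
    return m.group(1), m.group(2)


def scan_appid_snapshot(snapshot, key_name, value_name):
    """Return [(full key path, [reasons])] for every flagged AppID subkey.

    snapshot maps subkey name -> (default value type, data) or None when the
    key has no default value. A subkey is flagged when its name matches
    key_name, or when its default value is REG_SZ / REG_EXPAND_SZ string
    data matching value_name (the random-key case). Other value types such
    as REG_BINARY never match.
    """
    hits = []
    for subkey, default in snapshot.items():
        reasons = []
        if subkey.lower() == key_name.lower():
            reasons.append("key name")
        if default is not None:
            vtype, data = default
            if (vtype in (REG_SZ, REG_EXPAND_SZ) and isinstance(data, str)
                    and data.lower() == value_name.lower()):
                reasons.append("default value")
        if reasons:
            hits.append((APPID_PATH + "\\" + subkey, reasons))
    return hits


def read_live_appid_snapshot():
    """Build the snapshot from the real hive on Windows (winreg is stdlib).

    Returns None on other platforms so the module stays importable there.
    """
    if sys.platform != "win32":
        return None
    import winreg
    snapshot = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Classes\AppID") as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:          # no more subkeys
                break
            i += 1
            try:
                with winreg.OpenKey(root, name) as sub:
                    data, vtype = winreg.QueryValueEx(sub, "")   # "" = default value
                    snapshot[name] = (vtype, data)
            except OSError:          # default value not set
                snapshot[name] = None
    return snapshot


# Constructed sample of the AppID hive; the GUID-style names are placeholders.
SAMPLE_APPID_HIVE = {
    "CNForm.EXE": (REG_SZ, "CNForm"),                                  # key name hit
    "{00000000-0000-0000-0000-000000000001}": (REG_SZ, "cnform"),      # random key, default value hit
    "{00000000-0000-0000-0000-000000000002}": (REG_EXPAND_SZ, "CNForm"),
    "{00000000-0000-0000-0000-000000000003}": (REG_BINARY, b"CNForm"), # wrong type, not flagged
    "Unrelated.EXE": (REG_SZ, "Unrelated"),
    "NoDefault": None,
}

if __name__ == "__main__":
    key, value = parse_appid_signature('AppID:"CNForm.EXE","CNForm"')
    hive = read_live_appid_snapshot() or SAMPLE_APPID_HIVE
    for path, reasons in scan_appid_snapshot(hive, key, value):
        print("%s  (matched by %s)" % (path, ", ".join(reasons)))
```

Run on a non-Windows host it scans the constructed sample; on Windows it reads the real AppID hive, which requires no elevation for reading.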