AutoRunByValue
Latest revision as of 15:03, 26 June 2008
| Command | AutoRunByValue |
| Group | Registry |
| Main Application | Version 1.3 or later |
| Required Update | n/a |
| File Parameters | yes (third) |
| Registry Parameters | no |
| Build Parameters | yes (third) |
| Special Parameters | no |
Searches for a registry run entry by the registry value name.
Usage
AutoRunByValue:<value(string)>,<directory(string)>[,advanced file parameters]
Examples
AutoRunByValue:"Spyware","Spyware"
This would detect the following registry entry and add both the registry value and the directory C:\Program files\Spyware (whose name matches the second parameter) to the results list:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware"="C:\\Program files\\Spyware\\spyware.exe"
Description
This command is only to be used in the rare cases where the autorun entry is the only lead to a randomly named directory. It detects a Run value, much like AutoRun, and additionally an associated directory.
- The first parameter is the name of the registry value to find. Algo-Prefixes are supported for this parameter only.
- The second parameter names an additional folder that gets flagged if the run entry points to a file inside a folder of that name. This directory parameter may be left empty, but it may not be omitted. Use the wildcard * (with care) to flag the folder of every identified entry, whatever its name.
- You may specify advanced file parameters to narrow detection in the case of ambiguous value names (which nearly all are, so make use of this)!
Scan Results
- Any entries in the supported locations that are identified by value and optional parameters.
- The files associated with the entries, if they were found.
- The directory specified in the second parameter.
Locations
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\
Where HKEY_CURRENT_USER actually scans the registry hive of every available user account.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\
Where HKEY_LOCAL_MACHINE actually scans the global registry hive of every detected and loaded Windows installation (see /allhives and /nouserhives).
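To make the matching rules above concrete, here is an added Python model of AutoRunByValue (written for this page; it is not Spybot code and not the SBI engine) run over a constructed .reg-style snapshot of the Run keys. It applies the documented behaviour: case-insensitive match on the value name, file path taken from the value data, the parent folder flagged only when its name equals the second parameter, "*" flagging every matched entry's folder, and an empty second parameter flagging no folder. The .reg parser, the heuristic that extracts the executable from value data with arguments, and the sample entries are assumptions of this example; Algo-Prefixes and advanced file parameters are not modelled.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample export in .reg text layout (not from a real machine).
# Two entries share the value name "Spyware"; one of them points into a
# randomly named folder, which is the situation this command exists for.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware"="C:\\Program files\\Spyware\\spyware.exe"
"Updater"="C:\\Program files\\Vendor\\updater.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Spyware"="C:\\Users\\alice\\AppData\\Local\\xk3j9q\\loader.exe"
'''

# The four key names listed under Locations, under Microsoft\Windows\CurrentVersion
# of HKLM and of each user hive.  A snapshot has no notion of "every user hive",
# so this model simply accepts any hive prefix.
RUN_KEYS = {"run", "runservices", "runonce", "runserviceonce"}

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def parse_reg(text: str):
    """Yield (key, value_name, data) for every string value in a .reg dump (assumed format)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            # .reg files escape backslashes as "\\"; undo that to get the real data.
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def is_run_key(key: str) -> bool:
    """True for ...\\Microsoft\\Windows\\CurrentVersion\\{Run,RunServices,RunOnce,RunServiceOnce}."""
    parts = [p.lower() for p in key.split("\\")]
    return (len(parts) >= 4
            and parts[-1] in RUN_KEYS
            and parts[-4:-1] == ["microsoft", "windows", "currentversion"])


def executable_from_data(data: str) -> str:
    """Pull the program path out of Run data such as '"C:\\a b\\x.exe" /q'
    or 'C:\\a\\x.exe /q'.  Heuristic assumed for this example."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r'(.*?\.exe)', data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]


def auto_run_by_value(value: str, directory: str, reg_text: str = SAMPLE_REG):
    """Model AutoRunByValue:<value>,<directory> over a registry snapshot.

    directory == ""   -> report only the value and its file
    directory == "*"  -> also report the parent folder of every matched file
    otherwise         -> report the parent folder only if its name matches
    """
    hits = []
    for key, name, data in parse_reg(reg_text):
        # Registry value names are case-insensitive on Windows.
        if not is_run_key(key) or name.lower() != value.lower():
            continue
        exe = PureWindowsPath(executable_from_data(data))
        parent = exe.parent
        flagged = None
        if directory == "*":
            flagged = str(parent)
        elif directory and parent.name.lower() == directory.lower():
            flagged = str(parent)
        hits.append({"key": key, "value": name, "file": str(exe), "directory": flagged})
    return hits


if __name__ == "__main__":
    for hit in auto_run_by_value("Spyware", "Spyware"):
        print(hit)
```

Running AutoRunByValue:"Spyware","Spyware" against the sample flags the HKLM entry together with C:\Program files\Spyware, but the HKCU entry only by value and file, because its folder xk3j9q does not match. Only the "*" form flags that random folder, which is the case the page warns about: a bare value name like "Spyware" can match unrelated entries, so narrow the rule with advanced file parameters before shipping it.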