AutoRunByValue: Difference between revisions
Old revision: no edit summary. New revision: no edit summary.

Line 1 (both revisions):
  Searches for a registry run entry by the registry value name. If the directory parameter is set, a directory of the given name will be detected too, if the file resided inside it.
  ==Usage==
  Old (as extracted): AutoRunByValue:
  New: AutoRunByValue:<value name>,<directory>[,advanced file parameters]
  ===Examples===

Old line 16 / new line 15:
  # The first parameter describes the value to find. [[AlgoPrefix|Algo-Prefixes]] are supported only here. {{AlgoPrefix}}
  Old: # The second parameter means an additional folder that might get flagged if the run entry points to a file inside a folder of that name. You may also keep this directory parameter empty, but you may not obmit it.
  New: # The second parameter means an additional folder that might get flagged if the run entry points to a file inside a folder of that name. You may also keep this directory parameter empty, but you may not obmit it. Use the wildcard ''*'' (with care) to flag any folder that belongs to identified entries.
  # You may specify [[Advanced file parameters|advanced file parameters]] to limit detection in case of ambigious value names (which nearly all are, so make use of this)!
  Added in the new revision:
  ===Scan Results===
  * Any entries in ''Run'', ''RunServices'', ''RunOnce'' or ''RunServicesOnce'' (from ''\SOFTWARE\Microsoft\Windows\CurrentVersion\'' for both HKEY_LOCAL_MACHINE and all users) that are identified by ''value''.
  * The files associated with the entries, if they were found.
  * The directory specified in the second parameter.
  ==See also==
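Review bot: the sentence added to the second-parameter item says to use the wildcard ''*'' "with care" without saying what the risk is. Since the new Scan Results section states that the directory from the second parameter is itself a scan result, and the next item notes that nearly all value names are ambiguous, a wildcard flags the whole containing folder of any Run entry that merely shares the value name; suggest spelling that out and pointing the reader to the advanced file parameters as the way to narrow the match. Also "obmit" and "ambigious" remain misspelled in the carried-over text.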
Revision as of 09:26, 18 February 2008
Searches for a registry run entry by the registry value name. If the directory parameter is set, a directory of the given name will be detected too, if the file resides inside it.
Usage
AutoRunByValue:<value name>,<directory>[,advanced file parameters]
Examples
AutoRunByValue:"Spyware","Spyware"
This would detect the following registry entry and add both the registry value and the directory Spyware to the results list.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Spyware"="C:\\Program files\\Spyware\\spyware.exe"
Description
This command is only to be used in rare cases where the autorun entry is the only lead to an otherwise random directory name. It detects a Run value, much like AutoRun, and also an associated directory.
- The first parameter describes the value to find. Algo-Prefixes are supported only here.
- The second parameter names an additional folder that gets flagged if the run entry points to a file inside a folder of that name. You may keep this directory parameter empty, but you may not omit it. Use the wildcard * (with care) to flag any folder that belongs to identified entries.
- You may specify advanced file parameters to limit detection in case of ambiguous value names (which nearly all are, so make use of this)!
Scan Results
- Any entries in Run, RunServices, RunOnce or RunServicesOnce (from \SOFTWARE\Microsoft\Windows\CurrentVersion\ for both HKEY_LOCAL_MACHINE and all users) that are identified by value.
- The files associated with the entries, if they were found.
- The directory specified in the second parameter.
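As an added worked example (not part of this wiki and not the scanner's own code), the Python below models how an AutoRunByValue signature is matched against Run entries: the value-name match across the four autorun keys, the file hit when the file exists, and the empty, named and wildcard forms of the directory parameter. The registry snapshot, the file list and the user SID are constructed; advanced file parameters are accepted but not interpreted.

```python
import re
from pathlib import PureWindowsPath

# Keys AutoRunByValue inspects under HKEY_LOCAL_MACHINE and every user hive.
RUN_KEYS = ("Run", "RunServices", "RunOnce", "RunServicesOnce")
CV = r"\Software\Microsoft\Windows\CurrentVersion"

# Constructed registry snapshot: {key path: {value name: value data}}. The SID is made up.
SAMPLE_REGISTRY = {
    "HKEY_LOCAL_MACHINE" + CV + "\\Run": {
        "Spyware": r"C:\Program files\Spyware\spyware.exe",
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    },
    r"HKEY_USERS\S-1-5-21-0-0-0-1001" + CV + "\\RunOnce": {
        "spyware": r'"C:\Users\alice\AppData\Local\Temp\dropper.exe" /silent',
    },
}
# Constructed file system view (lower-cased) standing in for "if they were found".
SAMPLE_FILES = {r"c:\program files\spyware\spyware.exe",
                r"c:\windows\system32\securityhealthsystray.exe"}

def parse_signature(sig):
    """Split AutoRunByValue:"<value name>","<directory>"[,advanced...] into its parts.
    The directory may be empty but must be present, so a single parameter is an error."""
    m = re.fullmatch(r"AutoRunByValue:(.*)", sig.strip())
    if not m:
        raise ValueError("not an AutoRunByValue signature")
    parts = [p.strip().strip('"') for p in m.group(1).split(",")]
    if len(parts) < 2:
        raise ValueError("directory parameter may be empty but not omitted")
    return parts[0], parts[1], parts[2:]  # advanced file parameters are not interpreted here

def executable_path(data):
    """Executable from a Run value's data; a quoted path may carry arguments (simplified)."""
    return data[1:data.index('"', 1)] if data.startswith('"') else data

def scan(sig, registry=SAMPLE_REGISTRY, files=SAMPLE_FILES):
    """Return (kind, item) hits: the registry value, its file if found, and the directory."""
    value, directory, _advanced = parse_signature(sig)
    hits = []
    for key, values in registry.items():
        if not any(key.lower().endswith((CV + "\\" + k).lower()) for k in RUN_KEYS):
            continue  # not one of the four autorun keys
        for name, data in values.items():
            if name.lower() != value.lower():  # registry value names are case-insensitive
                continue
            hits.append(("value", key + "\\" + name))
            exe = PureWindowsPath(executable_path(data))
            if str(exe).lower() in files:
                hits.append(("file", str(exe)))
            # Named directory: flag the file's parent only if its name matches; '*': always.
            if directory == "*" or (directory and exe.parent.name.lower() == directory.lower()):
                hits.append(("directory", str(exe.parent)))
    return hits
```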