AutoRunByFilename: Difference between revisions

Searches for a registry run entry by the filename.

Usage

AutoRunByFilename:<filename>,<directory>[,advanced parameters]

Examples

AutoRunByFilename:"spyware.exe","","filesize=10,md5=7303F017FE369F9CE5AF630DA93BA867"

Description

This command is only to be used in rare cases where the autorun entry might be the only lead to a totally random directory name. It detects a Run value, much like AutoRun, and also an associated directory, but, contrary to AutoRunByFilename, it checks the data which contains the target filenames.

1. The first parameter describes the filename to find. Algo-Prefixes are supported only here. AP PT
2. The second parameter means an additional folder that might get flagged if the run entry points to a file inside a folder of that name. You may also keep this directory parameter empty, but you may not obmit it. Use * (with care) if you want to flag any folder that is associated with files identified by the first parameter.
3. You may specify advanced file parameters to limit detection in case of ambigious value names (which nearly all are, so make use of this)!

Scan Results

• Any entries in Run, RunServices, RunOnce or RunServicesOnce (from \SOFTWARE\Microsoft\Windows\CurrentVersion\ for both HKEY_LOCAL_MACHINE and all users) that are identified by filename.
• The files associated with the entries, if they were found.
• The directory specified in the second parameter.

See also

• Advanced file parameters
• AlgoPrefix

Similar commands

• AutoRun
• AutoRunByValue
• AutoStart