Difference between revisions of "AutoRun"

From SpybotWiki
m (Examples: more generic)
 
(8 intermediate revisions by the same user not shown)
Line 1: Line 1:
Autorun helps you detect registrx autorun settings.
+
{{SbiCmdInfo
 +
|SYNTAX = AutoRun
 +
|PENAME = SpybotSD.exe
 +
|PEVERSION = 1.4 or later
 +
|GROUP = Registry
 +
|MINUPDATE = n/a
 +
|ADVFILEPARAMS = yes (third)
 +
|ADVREGPARAMS = no
 +
|ADVBUILDPARAMS = no
 +
|ADVSPECIALPARAMS = [[flagifnofile]]
 +
}}Autorun helps you detect registry autorun settings.
  
 
==Usage==
 
==Usage==
  AutoRun:[value],[filename data],<advanced file parameters>
+
  AutoRun:<value(string)>,<filename(string)>[,advanced file parameters]
  
 
===Examples===
 
===Examples===
  AutoRun:"AdRoarUpdate","<$WINDIR>\ARUpdate.exe","filesize=86016,md5=5F45E52554D022A757BA637E4E03B0A5"
+
  AutoRun:"MalwareEntry","<$WINDIR>\MyMalware.exe","filesize=86016,md5=1234567890ABCDEFFEDCBA0987654321"
  
This example searches registry Run keys (global and for all users) for entries named ''AdRoarUpdate'', pointing to a file ''ARUpdate.exe'' inside the Windows folder, that matches the specified [[Advanced file parameters|advanced file parameters]].
+
This example searches registry Run keys (global and for all users) for entries named ''MalwareEntry'', pointing to a file ''MyMalware.exe'' inside the Windows folder, that matches the specified [[Advanced file parameters|advanced file parameters]].
  
 
===Description===
 
===Description===
 
This parameter takes two to three parameters, with the third one highly recommended.
 
This parameter takes two to three parameters, with the third one highly recommended.
# The first parameter specifies the name of the registry value to look for; this parameter can be used with [[AlgoPrefix|Algo-Prefixes]].
+
 
# The second parameters takes a file path and name. It understands both [[AlgoPrefix|Algo-Prefixes]] and [[Path templates|path templates]].
+
# The first parameter specifies the name of the registry value to look for; this parameter can be used with [[AlgoPrefix|Algo-Prefixes]]. {{AlgoPrefix}}
# The third parameter allows you to specify [[Advanced file parameters|advanced file parameters]] to limit the scan to entries that point to files that have specific contents. Since file names can be misleading and ambiguous, it is highly recommend to specify them.
+
# The second parameters takes a file path and name. It understands both [[AlgoPrefix|Algo-Prefixes]] and [[Path templates|path templates]]. {{AlgoPrefix}} {{PathTemplates}}
 +
# The third parameter allows you to specify [[Advanced file parameters|advanced file parameters]] to limit the scan to entries that point to files that have specific contents. Since file names can be misleading and ambiguous, it is highly recommend to specify them. Also, a special advanced parameter [[flagifnofile]] can be used here, in case you specified advanced file parameters, but the associated file does not exist.
 +
 
 +
===Scan Results===
 +
* Any entries in ''Run'', ''RunServices'', ''RunOnce'' or ''RunServicesOnce'' (from ''\SOFTWARE\Microsoft\Windows\CurrentVersion\'' for both HKEY_LOCAL_MACHINE and all users) that are identified by both ''value name'' and ''filename data''.
 +
* The files associated with the entries, if they were found.
  
 
==See also==
 
==See also==
 +
* [[Advanced file parameters]]
 
* [[AlgoPrefix]]
 
* [[AlgoPrefix]]
* [[Advanced file parameters]]
 
 
* [[Path templates]]
 
* [[Path templates]]
 
* [[Description templates]]
 
* [[Description templates]]
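Review bot: In the rewritten parameter list, item 2 still reads "The second parameters takes" and item 3 "it is highly recommend to specify them"; these should be "The second parameter takes" and "it is highly recommended to specify them". The new flagifnofile sentence in item 3 says when the parameter applies (advanced file parameters were given, but the file does not exist) without saying what the scan then reports, and the new "Scan Results" section does not cover that case either; one sentence stating the result would close the gap. The Description lead "This parameter takes two to three parameters" would also read better as "This command takes two to three parameters".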
Line 27: Line 42:
  
 
[[Category:SBI Commands]]
 
[[Category:SBI Commands]]
[[Category:SBI Commands (current)]]
 
 
[[Category:SBI Commands supporting AlgoPrefix]]
 
[[Category:SBI Commands supporting AlgoPrefix]]

Latest revision as of 17:36, 23 February 2008

AutoRun
Group: Registry
Main Application Version: 1.4 or later
Required Update: n/a
File Parameters: yes (third)
Registry Parameters: no
Build Parameters: no
Special Parameters: flagifnofile

Autorun helps you detect registry autorun settings.

Usage

AutoRun:<value(string)>,<filename(string)>[,advanced file parameters]

Examples

AutoRun:"MalwareEntry","<$WINDIR>\MyMalware.exe","filesize=86016,md5=1234567890ABCDEFFEDCBA0987654321"

This example searches registry Run keys (global and for all users) for entries named MalwareEntry, pointing to a file MyMalware.exe inside the Windows folder, that matches the specified advanced file parameters.

Description

This command takes two to three parameters, with the third one highly recommended.

  1. The first parameter specifies the name of the registry value to look for; this parameter can be used with Algo-Prefixes.
  2. The second parameter takes a file path and name. It understands both Algo-Prefixes and path templates.
  3. The third parameter allows you to specify advanced file parameters to limit the scan to entries that point to files that have specific contents. Since file names can be misleading and ambiguous, it is highly recommended to specify them. The special advanced parameter flagifnofile can also be used here, for the case where you specified advanced file parameters but the associated file does not exist.

Scan Results

  • Any entries in Run, RunServices, RunOnce or RunServicesOnce (from \SOFTWARE\Microsoft\Windows\CurrentVersion\ for both HKEY_LOCAL_MACHINE and all users) that are identified by both value name and filename data.
  • The files associated with the entries, if they were found.
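
Added example, not part of the SpybotWiki page and not Spybot's own code: a Python sketch of the matching described under Description and Scan Results, run over constructed registry entries and file bytes. Assumptions: names and paths are compared case-insensitively, <$WINDIR> expands to C:\Windows, only filesize and md5 are evaluated (Algo-Prefixes, other path templates and the flagifnofile syntax are not modelled), and a missing file is reported as its own status.

```python
import hashlib
import re

# Key names from "Scan Results", under \SOFTWARE\Microsoft\Windows\CurrentVersion\
AUTORUN_KEYS = ("Run", "RunServices", "RunOnce", "RunServicesOnce")

def parse_rule(line):
    """Split an AutoRun line into (value name, filename, file checks)."""
    m = re.fullmatch(r'AutoRun:"([^"]*)","([^"]*)"(?:,"([^"]*)")?', line.strip())
    if m is None:
        raise ValueError("not a well-formed AutoRun rule")
    name, filename, adv = m.groups()
    items = [p.partition("=") for p in (adv or "").split(",") if p]
    return name, filename, {k.strip().lower(): v.strip() for k, _, v in items}

def file_matches(content, checks):
    """Apply filesize and md5, the two checks used in the page's example."""
    if "filesize" in checks and len(content) != int(checks["filesize"]):
        return False
    if "md5" in checks and hashlib.md5(content).hexdigest() != checks["md5"].lower():
        return False
    return True

def scan(rule, entries, files, windir=r"C:\Windows"):
    """entries: (hive, key, value name, data) tuples; files: path -> bytes."""
    name, filename, checks = parse_rule(rule)
    target = filename.replace("<$WINDIR>", windir).lower()
    hits = []
    for hive, key, value_name, data in entries:
        if key not in AUTORUN_KEYS or value_name.lower() != name.lower():
            continue  # wrong key or wrong value name
        if data.strip('"').lower() != target:
            continue  # right name, but it points at a different file
        content = files.get(target)
        if content is None:
            hits.append((hive, key, "file missing"))  # this example's own status
        elif file_matches(content, checks):
            hits.append((hive, key, "match"))
    return hits

SAMPLE = b"MZ" + b"\x00" * 62  # constructed file bytes, not a real sample
FILES = {r"c:\windows\mymalware.exe": SAMPLE}
ENTRIES = [  # constructed registry entries
    ("HKLM", "Run", "MalwareEntry", r"C:\Windows\MyMalware.exe"),
    ("HKU\\S-1-5-21-1", "RunOnce", "MalwareEntry", r"C:\Temp\MyMalware.exe"),
    ("HKLM", "Run", "Updater", r"C:\Windows\MyMalware.exe"),
]
RULE = ('AutoRun:"MalwareEntry","<$WINDIR>\\MyMalware.exe",'
        '"filesize=%d,md5=%s"' % (len(SAMPLE), hashlib.md5(SAMPLE).hexdigest().upper()))
```

Only the first constructed entry is identified by both value name and filename data; the second points to a different folder and the third has a different value name, which is why the page recommends pinning the file contents as well.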

See also

Similar commands