Difference between revisions of "AutoRunByFilename"

From SpybotWiki
Jump to: navigation, search
(added info box)
m (Description: fixed reference to AutoRunByValue)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{SbiCmdInfo
 
{{SbiCmdInfo
|SYNTAX =  
+
|SYNTAX = AutoRunByFilename
 
|PENAME = SpybotSD.exe
 
|PENAME = SpybotSD.exe
|PEVERSION = 1.3
+
|PEVERSION = 1.3 or later
 
|GROUP = Registry
 
|GROUP = Registry
 
|MINUPDATE = n/a
 
|MINUPDATE = n/a
Line 12: Line 12:
  
 
==Usage==
 
==Usage==
  AutoRunByFilename:<filename>,<directory>[,advanced parameters]
+
  AutoRunByFilename:<filename(string)>,<directory(string)>[,advanced file parameters]
  
 
===Examples===
 
===Examples===
Line 18: Line 18:
  
 
===Description===
 
===Description===
This command is only to be used in rare cases where the autorun entry might be the only lead to a totally random directory name. It detects a Run value, much like [[AutoRun]], and also an associated directory, but, contrary to [[AutoRunByFilename]], it checks the data which contains the target filenames.
+
This command is only to be used in rare cases where the autorun entry might be the only lead to a totally random directory name. It detects a Run value, much like [[AutoRun]], and also an associated directory, but, contrary to [[AutoRunByValue]], it checks the data which contains the target filenames.
  
 
# The first parameter describes the filename to find. [[AlgoPrefix|Algo-Prefixes]] are supported only here. {{AlgoPrefix}} {{PathTemplates}}
 
# The first parameter describes the filename to find. [[AlgoPrefix|Algo-Prefixes]] are supported only here. {{AlgoPrefix}} {{PathTemplates}}
Line 25: Line 25:
  
 
===Scan Results===
 
===Scan Results===
* Any entries in ''Run'', ''RunServices'', ''RunOnce'' or ''RunServicesOnce'' (from ''\SOFTWARE\Microsoft\Windows\CurrentVersion\'' for both HKEY_LOCAL_MACHINE and all users) that are identified by ''filename''.
+
* Any entries in the supported locations that are identified by ''filename'' and optional parameters.
 
* The files associated with the entries, if they were found.
 
* The files associated with the entries, if they were found.
 
* The directory specified in the second parameter.
 
* The directory specified in the second parameter.
 +
 +
===Locations===
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\
 +
Where HKEY_CURRENT_USER actually scans the registry of every available user account.
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\
 +
Where HKEY_LOCAL_MACHINE actually scans the global registry hive of every detected and loaded Windows installations (see [[/allhives]] and [[/nouserhives]]).
  
 
==See also==
 
==See also==

Latest revision as of 11:46, 5 December 2008

AutoRunByFilename
Group Registry
Main Application Version 1.3 or later
Required Update n/a
File Parameters yes (third)
Registry Parameters no
Build Parameters yes (third)
Special Parameters no

Searches for a registry run entry by the filename.

Usage

AutoRunByFilename:<filename(string)>,<directory(string)>[,advanced file parameters]

Examples

AutoRunByFilename:"spyware.exe","","filesize=10,md5=7303F017FE369F9CE5AF630DA93BA867"

Description

This command is only to be used in rare cases where the autorun entry might be the only lead to a totally random directory name. It detects a Run value, much like AutoRun, and also an associated directory, but, contrary to AutoRunByValue, it checks the data which contains the target filenames.

  1. The first parameter describes the filename to find. Algo-Prefixes are supported only here. AP PT
  2. The second parameter means an additional folder that might get flagged if the run entry points to a file inside a folder of that name. You may also keep this directory parameter empty, but you may not obmit it. Use * (with care) if you want to flag any folder that is associated with files identified by the first parameter.
  3. You may specify advanced file parameters to limit detection in case of ambigious value names (which nearly all are, so make use of this)!

Scan Results

  • Any entries in the supported locations that are identified by filename and optional parameters.
  • The files associated with the entries, if they were found.
  • The directory specified in the second parameter.

Locations

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\

Where HKEY_CURRENT_USER actually scans the registry of every available user account.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\

Where HKEY_LOCAL_MACHINE actually scans the global registry hive of every detected and loaded Windows installations (see /allhives and /nouserhives).

See also

Similar commands