Difference between revisions of "AutoRunByFilename"
(→Description) |
|||
Line 1: | Line 1: | ||
− | |||
Searches for a registry run entry by the filename. If the directory parameter is set, a directory of the given name will be detected too, if the file resided inside it. | Searches for a registry run entry by the filename. If the directory parameter is set, a directory of the given name will be detected too, if the file resided inside it. | ||
Line 12: | Line 11: | ||
# The first parameter describes the filename to find. [[AlgoPrefix|Algo-Prefixes]] are supported only here. {{AlgoPrefix}} {{PathTemplates}} | # The first parameter describes the filename to find. [[AlgoPrefix|Algo-Prefixes]] are supported only here. {{AlgoPrefix}} {{PathTemplates}} | ||
− | # The second parameter means an additional folder that might get flagged if the run entry points to a file inside a folder of that name. You may also keep this directory parameter empty, but you may not obmit it. | + | # The second parameter means an additional folder that might get flagged if the run entry points to a file inside a folder of that name. You may also keep this directory parameter empty, but you may not obmit it. Use ''*'' (with care) if you want to flag any folder that is associated with files identified by the first parameter. |
# You may specify [[Advanced file parameters|advanced file parameters]] to limit detection in case of ambigious value names (which nearly all are, so make use of this)! | # You may specify [[Advanced file parameters|advanced file parameters]] to limit detection in case of ambigious value names (which nearly all are, so make use of this)! | ||
+ | |||
+ | ===Scan Results=== | ||
+ | * Any entries in ''Run'', ''RunServices'', ''RunOnce'' or ''RunServicesOnce'' (from ''\SOFTWARE\Microsoft\Windows\CurrentVersion\'' for both HKEY_LOCAL_MACHINE and all users) that are identified by ''filename''. | ||
+ | * The files associated with the entries, if they were found. | ||
+ | * The directory specified in the second parameter. | ||
==See also== | ==See also== | ||
+ | * [[Advanced file parameters]] | ||
* [[AlgoPrefix]] | * [[AlgoPrefix]] | ||
− | |||
===Similar commands=== | ===Similar commands=== |
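Review bot: the rewritten second-parameter line still carries the misspelling "obmit" (should be "omit"), and its new "Use ''*'' (with care)" sentence never says what the care is for. Suggest stating that ''*'' flags the folder of every file matched by the first parameter, so it should be paired with the advanced file parameters that the next list item recommends. In the added Scan Results list, "The directory specified in the second parameter" does not cover the ''*'' case, where no directory name is specified.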
Revision as of 09:25, 18 February 2008
Searches for a registry run entry by the filename. If the directory parameter is set, a directory of the given name will be detected too, if the file resides inside it.
Usage
AutoRunByFilename:[Filename],[Directory],<advanced parameters>
Examples
AutoRunByFilename:"spyware.exe","","filesize=10,md5=7303F017FE369F9CE5AF630DA93BA867"
Description
This command is only to be used in rare cases where the autorun entry might be the only lead to a totally random directory name. It detects a Run value, much like AutoRun, and also an associated directory, but, contrary to AutoRunByFilename, it checks the data which contains the target filenames.
- The first parameter describes the filename to find. Algo-Prefixes are supported only here. AP PT
- The second parameter specifies an additional folder that may be flagged if the run entry points to a file inside a folder of that name. You may keep this directory parameter empty, but you may not omit it. Use * (with care) if you want to flag any folder that is associated with files identified by the first parameter.
- You may specify advanced file parameters to limit detection in case of ambiguous value names (which nearly all are, so make use of this)!
Scan Results
- Any entries in Run, RunServices, RunOnce or RunServicesOnce (from \SOFTWARE\Microsoft\Windows\CurrentVersion\ for both HKEY_LOCAL_MACHINE and all users) that are identified by filename.
- The files associated with the entries, if they were found.
- The directory specified in the second parameter.
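The matching described above, sketched as an added example (not code from this page or from the scanner it documents). It shows why the advanced parameters and the "with care" note on * matter. The data parsing, the byte unit for filesize, the handling of missing files and all sample entries are assumptions constructed for illustration.

```python
import hashlib
import ntpath

RUN_KEYS = ("Run", "RunServices", "RunOnce", "RunServicesOnce")

def target_path(data):
    # Simplified parsing (assumption): quoted path, else text up to the first space.
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    return data.split(" ", 1)[0]

def file_matches(content, advanced):
    # Assumptions: filesize is in bytes; a missing file passes only an empty filter.
    if content is None:
        return not advanced
    if "filesize" in advanced and len(content) != int(advanced["filesize"]):
        return False
    if "md5" in advanced:
        return hashlib.md5(content).hexdigest().upper() == advanced["md5"].upper()
    return True

def scan(entries, files, filename, directory, advanced):
    # entries: (key, value name, data); files: path -> bytes, standing in for the disk.
    hits = []
    for key, name, data in entries:
        path = target_path(data)
        folder, base = ntpath.split(path)
        if key not in RUN_KEYS or base.lower() != filename.lower():
            continue
        if not file_matches(files.get(path), advanced):
            continue
        parent = ntpath.basename(folder).lower()
        flag_dir = directory == "*" or (directory != "" and parent == directory.lower())
        hits.append({"entry": (key, name), "file": path if path in files else None,
                     "directory": folder if flag_dir else None})
    return hits

# Constructed sample data: two run entries share the filename, one is unrelated.
PAYLOAD = b"0123456789"
ENTRIES = [("Run", "Updater", r'"C:\Program Files\x7qk2\spyware.exe" /s'),
           ("Run", "Helper", r"C:\WINDOWS\system32\spyware.exe"),
           ("RunOnce", "Sync", r"C:\Tools\sync.exe -q")]
FILES = {r"C:\Program Files\x7qk2\spyware.exe": PAYLOAD,
         r"C:\WINDOWS\system32\spyware.exe": b"a different file with the same name"}
ADVANCED = {"filesize": "10", "md5": hashlib.md5(PAYLOAD).hexdigest()}

if __name__ == "__main__":
    for adv in (ADVANCED, {}):
        print(adv, scan(ENTRIES, FILES, "spyware.exe", "*", adv))
```

With the size and hash constraints only the randomly named folder is flagged. With * and no constraints, the system32 folder of the same-named file is flagged as well.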