Difference between revisions of "AutoRunByValue"

From SpybotWiki
Jump to: navigation, search
m (Scan Results: added more details on locations)
 
(4 intermediate revisions by one other user not shown)
Line 1: Line 1:
{{Outdated SBI|AutoRun}}
+
{{SbiCmdInfo
Searches for a registry run entry by the registry value name. If the directory parameter is set, a directory of the given name will be detected too, if the file resided inside it.
+
|SYNTAX = AutoRunByValue
 +
|PENAME = SpybotSD.exe
 +
|PEVERSION = 1.3 or later
 +
|GROUP = Registry
 +
|MINUPDATE = n/a
 +
|ADVFILEPARAMS = yes (third)
 +
|ADVREGPARAMS = no
 +
|ADVBUILDPARAMS = yes (third)
 +
|ADVSPECIALPARAMS = no
 +
}}Searches for a registry run entry by the registry value name.
  
 
==Usage==
 
==Usage==
  AutoRunByValue:[Value name],[Directory],<advanced file parameters>
+
  AutoRunByValue:<value(string)>,<directory(string)>[,advanced file parameters]
  
 
===Examples===
 
===Examples===
Line 16: Line 25:
  
 
# The first parameter describes the value to find. [[AlgoPrefix|Algo-Prefixes]] are supported only here. {{AlgoPrefix}}
 
# The first parameter describes the value to find. [[AlgoPrefix|Algo-Prefixes]] are supported only here. {{AlgoPrefix}}
# The second parameter means an additional folder that might get flagged if the run entry points to a file inside a folder of that name. You may also keep this directory parameter empty, but you may not obmit it.
+
# The second parameter means an additional folder that might get flagged if the run entry points to a file inside a folder of that name. You may also keep this directory parameter empty, but you may not obmit it. Use the wildcard ''*'' (with care) to flag any folder that belongs to identified entries.
 
# You may specify [[Advanced file parameters|advanced file parameters]] to limit detection in case of ambigious value names (which nearly all are, so make use of this)!
 
# You may specify [[Advanced file parameters|advanced file parameters]] to limit detection in case of ambigious value names (which nearly all are, so make use of this)!
 +
 +
===Scan Results===
 +
* Any entries in the supported locations that are identified by ''value'' and optional parameters.
 +
* The files associated with the entries, if they were found.
 +
* The directory specified in the second parameter.
 +
 +
===Locations===
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\
 +
Where HKEY_CURRENT_USER actually scans the registry of every available user account.
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\
 +
Where HKEY_LOCAL_MACHINE actually scans the global registry hive of every detected and loaded Windows installations (see [[/allhives]] and [[/nouserhives]]).
  
 
==See also==
 
==See also==

Latest revision as of 15:03, 26 June 2008

AutoRunByValue
Group Registry
Main Application Version 1.3 or later
Required Update n/a
File Parameters yes (third)
Registry Parameters no
Build Parameters yes (third)
Special Parameters no

Searches for a registry run entry by the registry value name.

Usage

AutoRunByValue:<value(string)>,<directory(string)>[,advanced file parameters]

Examples

AutoRunByValue:"Spyware","Spyware"

This would detect the following entry inside the registry, and will add both the registry value and the directory Spyware to the results list.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware"="C:\\Program files\\Spyware\\spyware.exe"

Description

This command is only to be used in rare cases where the autorun entry might be the only lead to a totally random directory name. It detects a Run value, much like AutoRun, and also an associated directory.

  1. The first parameter describes the value to find. Algo-Prefixes are supported only here. AP
  2. The second parameter means an additional folder that might get flagged if the run entry points to a file inside a folder of that name. You may also keep this directory parameter empty, but you may not obmit it. Use the wildcard * (with care) to flag any folder that belongs to identified entries.
  3. You may specify advanced file parameters to limit detection in case of ambigious value names (which nearly all are, so make use of this)!

Scan Results

  • Any entries in the supported locations that are identified by value and optional parameters.
  • The files associated with the entries, if they were found.
  • The directory specified in the second parameter.

Locations

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\

Where HKEY_CURRENT_USER actually scans the registry of every available user account.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\

Where HKEY_LOCAL_MACHINE actually scans the global registry hive of every detected and loaded Windows installations (see /allhives and /nouserhives).

See also

Similar commands