Difference between revisions of "AutoRunByValue"

From SpybotWiki
m (Scan Results: added more details on locations)
 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Outdated SBI|AutoRun}}
+
{{SbiCmdInfo
 
+
|SYNTAX = AutoRunByValue
Searches for a registry run entry by the registry value name. If the directory parameter is set, a directory of the given name will be detected too, if the file resided inside it.
+
|PENAME = SpybotSD.exe
 +
|PEVERSION = 1.3 or later
 +
|GROUP = Registry
 +
|MINUPDATE = n/a
 +
|ADVFILEPARAMS = yes (third)
 +
|ADVREGPARAMS = no
 +
|ADVBUILDPARAMS = yes (third)
 +
|ADVSPECIALPARAMS = no
 +
}}Searches for a registry run entry by the registry value name.
  
 
==Usage==
 
==Usage==
  AutoRunByValue:[Value name],[Directory],<advanced file parameters>
+
  AutoRunByValue:<value(string)>,<directory(string)>[,advanced file parameters]
  
 
===Examples===
 
===Examples===
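Review bot: in the `}}Searches for a registry run entry by the registry value name.` line the intro sentence is glued to the closing braces of the SbiCmdInfo template; put it on its own line after `}}` so the infobox and the description render as separate blocks. The old intro's second sentence (the directory is also detected when the file resides inside it) is dropped here, which only works if the Description section keeps that statement, so check the two stay in sync.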
Line 14: Line 22:
  
 
===Description===
 
===Description===
This command is only to be used in rare cases where the autorun entry might be the only lead to a totally random directory name. It detects a Run value, much like [[AutoRun]], and also an associated directory. Again, you may specify [[Advanced file parameters|advanced file parameters]] to limit detection in case of ambigious value names (which nearly all are, so make use of this)! You may also keep the directory parameter empty, but you may not obmit it. [[AlgoPrefix|Algo-Prefixes]] are supported only for the value name.
+
This command is only to be used in rare cases where the autorun entry might be the only lead to a totally random directory name. It detects a Run value, much like [[AutoRun]], and also an associated directory.  
 +
 
 +
# The first parameter describes the value to find. [[AlgoPrefix|Algo-Prefixes]] are supported only here. {{AlgoPrefix}}
 +
# The second parameter means an additional folder that might get flagged if the run entry points to a file inside a folder of that name. You may also keep this directory parameter empty, but you may not obmit it. Use the wildcard ''*'' (with care) to flag any folder that belongs to identified entries.
 +
# You may specify [[Advanced file parameters|advanced file parameters]] to limit detection in case of ambigious value names (which nearly all are, so make use of this)!
 +
 
 +
===Scan Results===
 +
* Any entries in the supported locations that are identified by ''value'' and optional parameters.
 +
* The files associated with the entries, if they were found.
 +
* The directory specified in the second parameter.
 +
 
 +
===Locations===
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
 +
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\
 +
Where HKEY_CURRENT_USER actually scans the registry of every available user account.
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
 +
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\
 +
Where HKEY_LOCAL_MACHINE actually scans the global registry hive of every detected and loaded Windows installations (see [[/allhives]] and [[/nouserhives]]).
  
 
==See also==
 
==See also==
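Review bot: spelling in the added Description items: "obmit" should be "omit" (second item) and "ambigious" should be "ambiguous" (third item); in the last Locations line, "every detected and loaded Windows installations" needs the singular "installation".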
Line 26: Line 55:
  
 
[[Category:SBI Commands]]
 
[[Category:SBI Commands]]
 +
[[Category:SBI Commands supporting AlgoPrefix]]

Latest revision as of 15:03, 26 June 2008

AutoRunByValue
  Group:                    Registry
  Main Application Version: 1.3 or later
  Required Update:          n/a
  File Parameters:          yes (third)
  Registry Parameters:      no
  Build Parameters:         yes (third)
  Special Parameters:       no

Searches for a registry run entry by the registry value name.

Usage

AutoRunByValue:<value(string)>,<directory(string)>[,advanced file parameters]

Examples

AutoRunByValue:"Spyware","Spyware"

This would detect the following entry inside the registry and add both the registry value and the directory Spyware to the results list.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware"="C:\\Program files\\Spyware\\spyware.exe"

Description

This command is only to be used in rare cases where the autorun entry might be the only lead to a totally random directory name. It detects a Run value, much like AutoRun, and also an associated directory.

  1. The first parameter describes the value to find. Algo-Prefixes are supported only here.
  2. The second parameter names an additional folder that gets flagged if the run entry points to a file inside a folder of that name. You may leave this directory parameter empty, but you may not omit it. Use the wildcard * (with care) to flag any folder that belongs to identified entries.
  3. You may specify advanced file parameters to limit detection in case of ambiguous value names (which nearly all are, so make use of this)!

Scan Results

  • Any entries in the supported locations that are identified by value and optional parameters.
  • The files associated with the entries, if they were found.
  • The directory specified in the second parameter.

Locations

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\

Where HKEY_CURRENT_USER actually scans the registry of every available user account.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServiceOnce\

Where HKEY_LOCAL_MACHINE actually scans the global registry hive of every detected and loaded Windows installation (see /allhives and /nouserhives).
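As an added illustration (not from the SpybotWiki page or Spybot's own code), the following Python model parses an AutoRunByValue rule and matches it against Run entries in the form the Usage, Examples and Description sections describe: the value name is matched, the file the entry points to is reported, and the folder holding that file is flagged when its name matches the directory parameter (or when the parameter is *). The registry entries are constructed sample data, advanced file parameters are passed through without being evaluated, and bare (unquoted) commands are assumed to carry no arguments.

```python
import ntpath

# Constructed sample Run entries (hive key, value name) -> command string,
# standing in for what a scanner reads from the Locations above. Not real data.
SAMPLE_RUN_ENTRIES = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Spyware"):
        r"C:\Program files\Spyware\spyware.exe",
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "Updater"):
        r'"C:\Users\alice\AppData\Roaming\rnd123\updater.exe" /silent',
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth"):
        r"C:\Windows\System32\SecurityHealthSystray.exe",
}


def parse_rule(line):
    """Split 'AutoRunByValue:<value>,<directory>[,advanced file parameters]'.

    The directory may be empty but must be present; anything after it is
    returned untouched (advanced file parameters are not modelled here).
    """
    prefix = "AutoRunByValue:"
    if not line.startswith(prefix):
        raise ValueError("not an AutoRunByValue rule")
    parts = line[len(prefix):].split(",")
    if len(parts) < 2:
        raise ValueError("directory parameter may be empty but not omitted")
    value, directory = (p.strip().strip('"') for p in parts[:2])
    return value, directory, parts[2:]


def _exe_path(command):
    """Return the executable path from a Run command (quoted or bare)."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command  # assumption: bare commands carry no trailing arguments


def scan(rule, entries=SAMPLE_RUN_ENTRIES):
    """Return the results list: registry value, its file, and the flagged folder."""
    value, directory, _advanced = parse_rule(rule)
    results = []
    for (key, name), command in entries.items():
        if name.lower() != value.lower():  # registry value names are case-insensitive
            continue
        exe = _exe_path(command)
        results.append(("registry", key + "\\" + name))
        results.append(("file", exe))
        parent = ntpath.dirname(exe)
        # '*' flags whichever folder holds the file; otherwise the folder name must match
        if directory and (directory == "*" or ntpath.basename(parent).lower() == directory.lower()):
            results.append(("directory", parent))
    return results
```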

See also

Similar commands