From SpybotWiki
Revision as of 10:23, 18 February 2008 by CCRDude (talk | contribs)
This SBI command is outdated and will probably not be supported in Spybot-S&D 2.0. It is not yet clear whether an automated conversion path exists, and an automated conversion may be less adequate than a manual upgrade. We recommend that you take a look at RegyKey for a possible alternative command.

If the spyware was downloaded using ActiveX, information about it may be saved in the Code Store Database. This command identifies those database entries by the URL that was used.


CodeStoreDB:<part of url>[,advanced build parameters]



This search would identify the following entry in the Code Store Database:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{44332211-00AA-BBCC-DDEE-FF5566778899}\DownloadInformation]


If malware sites use random GUIDs to describe ActiveX components, this command helps you identify those components by the URL they were downloaded from: you specify a substring of that URL.

Using the RegyKey SBI Command along with the proper advanced registry parameters would do the same, but would also allow you to use Algo-Prefixes for more control over how the URL is identified. This approach is recommended to avoid ambiguous detections (most popular example would be that would also identify, a false positive that happened some years ago).

Take special care when the installer includes newer versions of system files, as some badly written DPFs do, since these files would get flagged as well.
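The following added example (not Spybot-S&D code and not SBI syntax) shows why a bare URL substring is ambiguous and which files a match would pull in. It assumes the download URL is stored in the `CODEBASE` value of the `DownloadInformation` key and works on a constructed `.reg`-style export; `match_host` is a hypothetical stricter rule for comparison, not RegyKey's Algo-Prefix behaviour.

```python
import re
from urllib.parse import urlsplit

DU = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units"
# Constructed .reg-style export: hostnames, file names and the second GUID are made up.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{44332211-00AA-BBCC-DDEE-FF5566778899}\DownloadInformation]
"CODEBASE"="http://ads.example.net/inst/bar.cab"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{44332211-00AA-BBCC-DDEE-FF5566778899}\Contains\Files]
"C:\\WINDOWS\\Downloaded Program Files\\bar.dll"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11111111-2222-3333-4444-555555555555}\DownloadInformation]
"CODEBASE"="http://downloads.example.net/viewer.cab"
'''

def parse_units(reg_text):
    """Map each Distribution Unit GUID to its CODEBASE URL and listed files."""
    units, section = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key, section = line[1:-1], None
            if key.lower().startswith(DU.lower() + "\\"):
                guid, _, sub = key[len(DU) + 1:].partition("\\")
                units.setdefault(guid, {"codebase": None, "files": []})
                section = (guid, sub.lower())
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not (m and section):
            continue
        (guid, sub), name = section, m.group(1).replace("\\\\", "\\")
        if sub == "downloadinformation" and name.upper() == "CODEBASE":  # assumed value name
            units[guid]["codebase"] = m.group(2).strip('"')
        elif sub == "contains\\files":  # value names under \Contains\Files\ are file paths
            units[guid]["files"].append(name)
    return units

def match_substring(units, part):
    """Broad match: the URL merely contains `part` (case-insensitivity is an assumption)."""
    return sorted(g for g, u in units.items()
                  if part.lower() in (u["codebase"] or "").lower())

def match_host(units, host):
    """Stricter match: the URL's host is `host` or a subdomain of it."""
    def hostname(u):
        return (urlsplit(u["codebase"] or "").hostname or "").lower()
    return sorted(g for g, u in units.items()
                  if hostname(u) == host.lower() or hostname(u).endswith("." + host.lower()))
```

With the constructed data, the substring `ads.example.net` also hits the unrelated `downloads.example.net` entry, while the host-anchored rule does not; reviewing each matched unit's `files` list before flagging is how the system-file caveat above would be checked.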

Scan Results

  • DPF registry entries that were identified.
  • The associated files mentioned in the registry key (under the \Contains\Files\ subkey).

See also

Similar commands