Batch - what is wrong here?

Discussion in 'Software' started by thisisu, Sep 15, 2012.

  1. thisisu

    thisisu Malware Consultant

    I'd appreciate it if someone could take a look at this code and tell me what is causing this error message.

    Code:
    @echo off
    
    FOR /F "TOKENS=*" %%g IN ( %systemdrive%\CrapRemover\CLSID.dat ) do set "%badCLSID%=%%g"
    
    :: SEARCHSCOPES
     
    :: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes :: KEY CLSID
    :: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes :: KEY CLSID
    :: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes :: KEY CLSID
    :: HKEY_USERS\%SID%\Software\Microsoft\Internet Explorer\SearchScopes :: KEY CLSID
    
    %windir%\system32\reg DELETE "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%badCLSID%" /f >%systemdrive%\CrapRemover\temp\searchscopes.txt
    %windir%\system32\reg DELETE "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\%badCLSID%" /f >>%systemdrive%\CrapRemover\temp\searchscopes.txt
    %windir%\system32\reg DELETE "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\%badCLSID%" /f >>%systemdrive%\CrapRemover\temp\searchscopes.txt
    %windir%\system32\reg DELETE "HKEY_USERS\%SID%\Software\Microsoft\Internet Explorer\SearchScopes\%badCLSID%" /f >>%systemdrive%\CrapRemover\temp\searchscopes.txt
    Searchscopes.txt has this in it:
    Code:
    Permanently delete the registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes" /f (Yes/No)? 
    It's like it is not seeing the %badCLSID% that it appears to be properly setting to me.
     
  2. thisisu

    thisisu Malware Consultant

    I think I caught it, need to double-check it ..

    FOR /F "TOKENS=*" %%g IN ( %systemdrive%\CrapRemover\CLSID.dat ) do set "%badCLSID%=%%g"

    Edit: Nope, still having problems. Now it's simply not deleting offending keys even though they are present.

    Searchscopes.txt is empty.
     
    Last edited: Sep 15, 2012
  3. thisisu

    thisisu Malware Consultant

    Code:
    ERROR: The system was unable to find the specified registry key or value.
    ERROR: The system was unable to find the specified registry key or value.
    ERROR: The system was unable to find the specified registry key or value.
    ERROR: The system was unable to find the specified registry key or value.
    Type "REG DELETE /?" for usage.
     
  4. GermanOne

    GermanOne Guest

    Use only the variable name (without percent signs) when you assign the variable:
    Code:
    for /f "usebackq delims=" %%g IN ("%systemdrive%\CrapRemover\CLSID.dat") do set "badCLSID=%%g"
    
    Be aware that this command line permanently overwrites the variable badCLSID until the last line of the file is reached. Only the last line of CLSID.dat ends up as the content of %badCLSID%.
     
  5. thisisu

    thisisu Malware Consultant

    Hi GermanOne,

    Thanks for your help. The code you provided seems to work, but now unfortunately I think I've come across another problem. The CLSID.dat has 354 lines in it at the moment. Is it possible that batch isn't able to SET all of them as "badCLSID"? Perhaps only the latest 80 are getting set?

    See the attached picture below
     


  6. GermanOne

    GermanOne Guest

    Hi thisisu

    No, the FOR loop gets all the lines (unless they are empty or begin with a semicolon). Probably the screen buffer of the batch window isn't large enough to display them all.
    However, it seems that you're trying to apply each of the bad CLSIDs in your file to the REG DELETE commands. In that case you basically have two possibilities to achieve that: either work directly with the FOR variable in a context where it is still valid, or call a subroutine for each value.
    I would prefer the 1st.
    Code:
    REM Make things more clear when reading the further code.
    set "searchscopes=%systemdrive%\CrapRemover\temp\searchscopes.txt"
    set "regdelete="%windir%\system32\reg.exe" DELETE"
    
    REM create an empty searchscopes.txt
    >"%searchscopes%" type nul
    
    REM iterate over CLSID.dat
    for /f "usebackq delims=" %%g in ("%systemdrive%\CrapRemover\CLSID.dat") do (
      REM output the key to searchscopes.txt
      >>"%searchscopes%" echo * "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%%g"
      REM output the result of REG DELETE to searchscopes.txt
      >>"%searchscopes%" 2>&1 %regdelete% "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%%g" /f
    
      >>"%searchscopes%" echo * "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\%%g"
      >>"%searchscopes%" 2>&1 %regdelete% "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\%%g" /f
    
      >>"%searchscopes%" echo * "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\%%g"
      >>"%searchscopes%" 2>&1 %regdelete% "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\%%g" /f
    
      >>"%searchscopes%" echo * "HKEY_USERS\%SID%\Software\Microsoft\Internet Explorer\SearchScopes\%%g"
      >>"%searchscopes%" 2>&1 %regdelete% "HKEY_USERS\%SID%\Software\Microsoft\Internet Explorer\SearchScopes\%%g" /f
    )
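
    The loop above uses the FOR variable %%g directly, which GermanOne calls the 1st possibility. The following is an added example (not code from the thread) that shows why the original `set "badCLSID=%%g"` approach looked as if the variable was never set: %var% inside a parenthesised block is expanded once, when the block is parsed, so every iteration sees the value from before the loop. It builds a small constructed CLSID.dat in %temp% and runs the three variants side by side.

```batch
@echo off
setlocal disabledelayedexpansion
REM Added example, not code from the thread: why "set" inside a FOR /F loop
REM followed by %var% shows stale data, and the two ways that do work.
REM Constructed sample file standing in for CrapRemover\CLSID.dat.
set "datfile=%temp%\clsid_sample.dat"
> "%datfile%" echo {11111111-0000-0000-0000-000000000001}
>>"%datfile%" echo {22222222-0000-0000-0000-000000000002}
>>"%datfile%" echo {33333333-0000-0000-0000-000000000003}

echo( -1- %%var%% inside a block is expanded once, when the block is parsed:
set "badCLSID=none"
for /f "usebackq delims=" %%g in ("%datfile%") do (
  set "badCLSID=%%g"
  echo   FOR variable: %%g   badCLSID reads: %badCLSID%
)
echo( -2- after the loop only the last line survives in the variable:
echo   %badCLSID%

echo( -3- the FOR variable itself is valid anywhere inside the block:
for /f "usebackq delims=" %%g in ("%datfile%") do (
  echo   HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%%g
)

echo( -4- with delayed expansion, !var! is read when each line executes:
setlocal enabledelayedexpansion
for /f "usebackq delims=" %%g in ("%datfile%") do (
  set "badCLSID=%%g"
  echo   !badCLSID!
)
endlocal

REM Clean up the constructed sample file.
del "%datfile%"
endlocal
```

    Section 1 prints "badCLSID reads: none" three times and section 2 prints only the third GUID, which is exactly the symptom described in the first posts. Sections 3 and 4 are the forms that see every line; GermanOne's loop above is section 3, and a CLSID containing `!` would be mangled by section 4, which is one reason to prefer the FOR variable directly.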
    
     
  7. thisisu

    thisisu Malware Consultant

    GermanOne, that is amazing. Thank you very much! I've given you credit in the batch files too ;)
     
  8. GermanOne

    GermanOne Guest

    Hi thisisu,

    You're welcome and thanks for your credits :)

    You guys do a great job in the malware forum all around the clock. Kudos! Since I guess you will use the batch file in your CrapRemover, we should spend some more effort on it ...
    If you run it on Vista/Win7 you have to right-click and choose "Run As Administrator". Otherwise you wouldn't have access to HKEY_LOCAL_MACHINE. But there is a potential to fail. If the user belongs to the local admin group it will work fine, but if he has to select another (administrator) account it will fail to remove the keys in HKEY_CURRENT_USER because in this case it points to the administrator account. For that reason I recommend doing user stuff with user permissions and elevated stuff with admin permissions.
    I admit it's tricky, and actually there is no way to achieve this with pure batch. We could use a VBScript one-liner though. This provides the ShellExecute method, which allows invoking the verb "runas". I use the FSUTIL command to check whether or not we need an elevation. That command requires admin rights.
    This is a general example of how to use it:
    Code:
    @echo off &setlocal disabledelayedexpansion
    ::~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     REM Don't change that line. It changes the working directory to the location 
     REM  of the batch file and checks whether or not the first parameter
     REM  was "~e~" to branch the code. "~e~" is passed if the VBScript calls the
     REM  code elevated. That line also shifts the parameters one step down. 
    cd /d "%~dp0"&if "%~1"=="~e~" (shift&goto :elevated)
    ::~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
     REM ***** Do user stuff here. *****
    echo This window runs with user rights.
     REM Preparing space-separated parameters to be passed to the elevated cmd process.
    set "param="WITH SPACE" WITHOUTSPACE WITH%%PERCENT WITH!EXCLAM"
    echo Attempting to pass the following parameters to an elevated window:
    echo %param%
    echo(&pause>nul|set /p "=*** Press any key to run as admin ... "
    
    ::~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     REM Don't change these lines. They check whether or not the current user has
     REM  already elevated rights. If not they write and call a temporary VBScript
     REM  to prompt the user for UAC confirmation. Then they run the code elevated
     REM  and delete the temporary script.
    fsutil fsinfo drives|findstr /c:":\\">nul &&(
      cls&setlocal enabledelayedexpansion
      if defined param set "param=!param:%%=%%%%!"
      call :elevated !param!&goto :eof
    )
    set "vbs=%temp%\uac.vbs"&set "me=%~f0"&setlocal enabledelayedexpansion
    if defined param set "param=!param:"=""!"
    >"!vbs!" echo CreateObject("Shell.Application").ShellExecute "!comspec!", "/c """"!me!"" ~e~ !param!""", "", "runas", 1
    cscript //nologo "!vbs!"&del "!vbs!"&goto :eof
    :elevated
    if "!"=="" (endlocal&endlocal&setlocal disabledelayedexpansion)
    ::~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
     REM ***** Do admin stuff here. *****
    echo This window runs elevated.
    echo These parameters have been received:
    echo %1
    echo %2
    echo %3
    echo %4
    echo(&pause>nul|set /p "=*** Press any key to exit ... "
    
    And here is the implementation for your project:
    Code:
    @echo off &setlocal disabledelayedexpansion
    ::~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     REM Don't change that line. It changes the working directory to the location 
     REM  of the batch file and checks whether or not the first parameter
     REM  was "~e~" to branch the code. "~e~" is passed if the VBScript calls the
     REM  code elevated. That line also shifts the parameters one step down. 
    cd /d "%~dp0"&if "%~1"=="~e~" (shift&goto :elevated)
    ::~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
     REM ***** Do user stuff here. *****
    
     REM Get the users SID
    set "RegPath=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList"
    for /f "delims=" %%i in ('reg query "%RegPath%"^|findstr /ibc:"%RegPath%\S-"') do (
      reg query "%%i" /v "ProfileImagePath"|findstr /iec:"%UserProfile%" >nul &&set "SID=%%~nxi"
    )
    
     REM Make things more clear when reading the further code.
    set "searchscopes=%systemdrive%\CrapRemover\temp\searchscopes.txt"
    set "regdelete="%windir%\system32\reg.exe" DELETE"
    
     REM create an empty searchscopes.txt
    >"%searchscopes%" type nul
    
     REM iterate over CLSID.dat
    for /f "usebackq delims=" %%g in ("%systemdrive%\CrapRemover\CLSID.dat") do (
      >>"%searchscopes%" echo * "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%%g"
      >>"%searchscopes%" 2>&1 %regdelete% "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%%g" /f
    )
    
     REM Preparing space-separated parameters to be passed to the elevated cmd process.
    set "param="%searchscopes%" "%regdelete%" %SID%"
    
    ::~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     REM Don't change these lines. They check whether or not the current user has
     REM  already elevated rights. If not they write and call a temporary VBScript
     REM  to prompt the user for UAC confirmation. Then they run the code elevated
     REM  and delete the temporary script.
    fsutil fsinfo drives|findstr /c:":\\">nul &&(
      cls&setlocal enabledelayedexpansion
      if defined param set "param=!param:%%=%%%%!"
      call :elevated !param!&goto :eof
    )
    set "vbs=%temp%\uac.vbs"&set "me=%~f0"&setlocal enabledelayedexpansion
    if defined param set "param=!param:"=""!"
    >"!vbs!" echo CreateObject("Shell.Application").ShellExecute "!comspec!", "/c """"!me!"" ~e~ !param!""", "", "runas", 1
    cscript //nologo "!vbs!"&del "!vbs!"&goto :eof
    :elevated
    if "!"=="" (endlocal&endlocal&setlocal disabledelayedexpansion)
    ::~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
     REM ***** Do admin stuff here. *****
    
     REM Get the variables back.
    set "searchscopes=%~1"
    set "regdelete=%~2"
    set "SID=%3"
    
     REM iterate over CLSID.dat
    for /f "usebackq delims=" %%g in ("%systemdrive%\CrapRemover\CLSID.dat") do (
      >>"%searchscopes%" echo * "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\%%g"
      >>"%searchscopes%" 2>&1 %regdelete% "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\%%g" /f
    
      >>"%searchscopes%" echo * "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\%%g"
      >>"%searchscopes%" 2>&1 %regdelete% "HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\%%g" /f
    
      >>"%searchscopes%" echo * "HKEY_USERS\%SID%\Software\Microsoft\Internet Explorer\SearchScopes\%%g"
      >>"%searchscopes%" 2>&1 %regdelete% "HKEY_USERS\%SID%\Software\Microsoft\Internet Explorer\SearchScopes\%%g" /f
    )
    
    Perhaps it comes in handy ;)

    I added some remarks into the code, but again I offer to explain in more detail if something isn't clear to you.
     
  9. thisisu

    thisisu Malware Consultant

    Code:
    REM Get the users SID
    set "RegPath=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList"
    for /f "delims=" %%i in ('reg query "%RegPath%"^|findstr /ibc:"%RegPath%\S-"') do (
      reg query "%%i" /v "ProfileImagePath"|findstr /iec:"%UserProfile%" >nul &&set "SID=%%~nxi"
    )
    When I execute this on Windows 7 64-bit, it works fine. However, when I execute this on Windows XP x86, I get the following output: ECHO is off

    Any ideas?
     
  10. GermanOne

    GermanOne Guest

    Hi thisisu,

    at home I have a Win7 machine. For that reason I wasn't aware of this bug. My apologies.
    Fortunately I'm currently working on an XP machine at work. The reason why it fails on XP is that the ProfileImagePath has a REG_EXPAND_SZ type and begins with the expression %SystemDrive%, while the value in %UserProfile% begins with C: instead. For that reason FINDSTR doesn't find a match.
    We can fix it easily if we use the variable %UserName%:
    Code:
    set "RegPath=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList"
    for /f "delims=" %%i in ('reg query "%RegPath%"^|findstr /ibc:"%RegPath%\S-"') do (
      reg query "%%i" /v "ProfileImagePath" |findstr /iec:"\\%UserName%" >nul &&set "SID=%%~nxi"
    )
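
    The lookup above feeds the SID straight into `HKEY_USERS\%SID%\...` paths, and an empty SID turns those into `HKEY_USERS\\Software\...`, which is what the pasted list in #17 shows. The following is an added example (not GermanOne's or thisisu's code) that resolves the SID with the same ProfileList method, cross-checks it against `whoami /user` where that tool exists (Vista and later; not on a stock XP), and refuses to build any HKEY_USERS path unless the result looks like a real user SID. The `:checkSID` subroutine and the `whoamiSID` variable are assumptions of this example.

```batch
@echo off
setlocal
REM Added example, not code from the thread: resolve the current user's SID
REM via ProfileList (GermanOne's method) and guard against an empty or
REM malformed result before it is used in an HKEY_USERS\<SID>\... path.
set "RegPath=HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList"
set "SID="
set "whoamiSID="
for /f "delims=" %%i in ('reg query "%RegPath%"^|findstr /ibc:"%RegPath%\S-"') do (
  reg query "%%i" /v "ProfileImagePath"|findstr /iec:"\\%UserName%" >nul &&set "SID=%%~nxi"
)

REM Cross-check with WHOAMI where available. Its CSV output without header
REM is: "DOMAIN\user","S-1-5-21-...". Errors (e.g. no whoami on XP) are hidden.
for /f "tokens=2 delims=," %%s in ('whoami /user /fo csv /nh 2^>nul') do set "whoamiSID=%%~s"
if defined whoamiSID if /i not "%SID%"=="%whoamiSID%" (
  echo ProfileList gave "%SID%" but whoami gave "%whoamiSID%" - using whoami
  set "SID=%whoamiSID%"
)

call :checkSID "%SID%" || (
  echo No usable SID found - skipping all HKEY_USERS work.
  goto :eof
)
echo Per-user hive path: HKEY_USERS\%SID%\Software\Microsoft\Internet Explorer\SearchScopes
goto :eof

:checkSID
REM Returns errorlevel 0 only for a well-formed user SID (S-1-5-21-x-y-z-rid).
setlocal
set "cand=%~1"
if not defined cand (endlocal & exit /b 1)
echo %cand%|findstr /r /b /e /c:"S-1-5-21-[0-9][0-9]*-[0-9][0-9]*-[0-9][0-9]*-[0-9][0-9]*" >nul
endlocal & exit /b %errorlevel%
```

    Both lookups report the account the script is running as, so in the split user/admin design from #8 the SID still has to be resolved in the unelevated part and handed to the elevated part as a parameter, exactly as GermanOne's implementation does. The guard also catches profile folders whose name differs from the user name (for example a `bob.DOMAIN` folder), where the `\\%UserName%` match finds nothing.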
    
     
  11. thisisu

    thisisu Malware Consultant

  12. GermanOne

    GermanOne Guest

    Well, you will find a couple of batch tutorials on the internet. Most of them are more or less nothing but the Windows help messages converted to HTML. I know some German pages which will probably not help you, but have a look at
    http://www.commandline.co.uk/lib/treeview/index.php
    and
    http://www.dostips.com/
    The 2nd link also has a great support forum, especially for batch-related stuff.
     
  13. thisisu

    thisisu Malware Consultant

    Can you provide an example of the sub routine?
     
  14. thisisu

    thisisu Malware Consultant

    Basically I don't mind if they are separated anymore (searchscopes.txt, bhos.txt, toolbars.txt, activex.txt, etc.) I really only want the detected items (of all categories) logged / appended to a \temp\registry.txt file. Then later on I'll just type the \temp\registry.txt as part of the Registry section of the final output log.

    I hope that makes sense. :)
     
  15. GermanOne

    GermanOne Guest

    Hi thisisu

    Of course.
    Code:
    @echo off &setlocal
    
    echo(&echo  -1- Pass the FOR variable as parameter:
    for %%i in (a b c) do (
      call :sub1 %%i
    )
    
    echo(&echo  -2- Assign a variable:
    for %%i in (x y z) do (
      set "var=%%i"
      call :sub2
    )
    
    echo(&pause
    goto :eof
    
    This line was never seen ;-)
    
    :sub1
    echo %1
    goto :eof
    
    :sub2
    echo %var%
    goto :eof
    
    I strongly recommend using the 2nd possibility to avoid failures caused by spaces or percent signs.
    You will notice that calling a subroutine hundreds of times slows down your batch process tremendously.
    The goto :eof jumps to the end of the file. That either quits the main code or lets the subroutine return to the point where it was called.

    Whatever you prefer.
    You could also copy them to the final log file:
    Code:
    copy /b "a.txt"+"b.txt"+"c.txt" "final.txt"
    or you can redirect/append always to the same file.
     
  16. thisisu

    thisisu Malware Consultant

    The subroutine method is something I may try out later.

    Can you review this latest code? I feel like I'm very close to making it work:

    Code:
    @echo off
    
    set "registryjunk=%systemdrive%\CrapRemover\temp\registryjunk.txt"
    set "found_registry=%systemdrive%\CrapRemover\temp\found_registry.txt"
    set "regdelete="%windir%\system32\reg.exe" DELETE"
    set "regquery="%windir%\system32\reg.exe" QUERY"
    
    REM create empty text files first
    >"%registryjunk%" type nul
    >"%found_registry%" type nul
    
    REM iterate over CLSID.dat
    
    for /f "usebackq delims=" %%g in ("%systemdrive%\CrapRemover\CLSID.dat") do (
    >>"%registryjunk%" echo "hkey_current_user\software\microsoft\internet explorer\searchscopes\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\microsoft\internet explorer\searchscopes\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\wow6432node\microsoft\internet explorer\searchscopes\%%g"
    >>"%registryjunk%" echo "hkey_users\%sid%\software\microsoft\internet explorer\searchscopes\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\wow6432node\microsoft\windows\currentversion\explorer\browser helper objects\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\microsoft\internet explorer\toolbar\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\wow6432node\microsoft\internet explorer\toolbar\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\microsoft\code store database\distribution units\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\wow6432node\microsoft\code store database\distribution units\%%g"
    >>"%registryjunk%" echo "hkey_current_user\software\microsoft\internet explorer\urlsearchhooks" /v %%g
    >>"%registryjunk%" echo "hkey_local_machine\software\microsoft\internet explorer\urlsearchhooks" /v %%g
    >>"%registryjunk%" echo "hkey_users\s-1-5-19\software\microsoft\internet explorer\urlsearchhooks" /v %%g
    >>"%registryjunk%" echo "hkey_users\s-1-5-20\software\microsoft\internet explorer\urlsearchhooks" /v %%g
    >>"%registryjunk%" echo "hkey_users\%sid%\software\microsoft\internet explorer\urlsearchhooks" /v %%g
    >>"%registryjunk%" echo "hkey_classes_root\appid\%%g"
    >>"%registryjunk%" echo "hkey_classes_root\interface\%%g"
    >>"%registryjunk%" echo "hkey_classes_root\clsid\%%g"
    >>"%registryjunk%" echo "hkey_classes_root\typelib\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\classes\clsid\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\classes\interface\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\classes\wow6432node\clsid\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\classes\wow6432node\interface\%%g"
    >>"%registryjunk%" echo "hkey_classes_root\wow6432node\appid\%%g"
    >>"%registryjunk%" echo "hkey_classes_root\wow6432node\clsid\%%g"
    >>"%registryjunk%" echo "hkey_classes_root\wow6432node\interface\%%g"
    >>"%registryjunk%" echo "hkey_classes_root\wow6432node\typelib\%%g"
    >>"%registryjunk%" echo "hkey_current_user\software\microsoft\windows\currentversion\ext\settings\%%g"
    >>"%registryjunk%" echo "hkey_current_user\software\microsoft\windows\currentversion\ext\stats\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\classes\appid\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\classes\typelib\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\classes\wow6432node\appid\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\wow6432node\classes\appid\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\wow6432node\classes\clsid\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\wow6432node\classes\typelib\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\wow6432node\microsoft\internet explorer\extensions\%%g"
    >>"%registryjunk%" echo "hkey_local_machine\software\microsoft\internet explorer\low rights\elevationpolicy\%%g"
    )
    
    For %%g in ("%registryjunk%") do (
      >>"%found_registry%" echo Deleted: %%g
      %regdelete% %%g /f
    )
     
  17. thisisu

    thisisu Malware Consultant

    I think I may have found a workaround though, since this batch file basically adds all the bad keys targeted into registry junk

    For example, I could use this:

    Code:
    for %%g in (
    "hkey_current_user\software\microsoft\internet explorer\searchscopes\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\microsoft\internet explorer\searchscopes\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\wow6432node\microsoft\internet explorer\searchscopes\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_users\\software\microsoft\internet explorer\searchscopes\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\wow6432node\microsoft\windows\currentversion\explorer\browser helper objects\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\microsoft\internet explorer\toolbar\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\wow6432node\microsoft\internet explorer\toolbar\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\microsoft\code store database\distribution units\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\wow6432node\microsoft\code store database\distribution units\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_current_user\software\microsoft\internet explorer\urlsearchhooks" /v {000f18f2-09eb-4a59-82b2-5ae4184c39c3}
    "hkey_local_machine\software\microsoft\internet explorer\urlsearchhooks" /v {000f18f2-09eb-4a59-82b2-5ae4184c39c3}
    "hkey_users\s-1-5-19\software\microsoft\internet explorer\urlsearchhooks" /v {000f18f2-09eb-4a59-82b2-5ae4184c39c3}
    "hkey_users\s-1-5-20\software\microsoft\internet explorer\urlsearchhooks" /v {000f18f2-09eb-4a59-82b2-5ae4184c39c3}
    "hkey_users\\software\microsoft\internet explorer\urlsearchhooks" /v {000f18f2-09eb-4a59-82b2-5ae4184c39c3}
    "hkey_classes_root\appid\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_classes_root\interface\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_classes_root\clsid\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_classes_root\typelib\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\classes\clsid\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\classes\interface\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\classes\wow6432node\clsid\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\classes\wow6432node\interface\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_classes_root\wow6432node\appid\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_classes_root\wow6432node\clsid\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_classes_root\wow6432node\interface\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_classes_root\wow6432node\typelib\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_current_user\software\microsoft\windows\currentversion\ext\settings\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_current_user\software\microsoft\windows\currentversion\ext\stats\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\classes\appid\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\classes\typelib\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\classes\wow6432node\appid\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\wow6432node\classes\appid\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\wow6432node\classes\clsid\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\wow6432node\classes\typelib\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\wow6432node\microsoft\internet explorer\extensions\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    "hkey_local_machine\software\microsoft\internet explorer\low rights\elevationpolicy\{000f18f2-09eb-4a59-82b2-5ae4184c39c3}"
    ) do (
      %regquery% %%g >nul 2>&1 &&(
        REM output these detected keys to found_registry.txt
        >>"%found_registry%" echo Deleted: %%g
        REM Now carry out deletion
        %regdelete% %%g /f
      )
    )
     
  18. thisisu

    thisisu Malware Consultant

    Realizing now that I also need to set the SID in this batch file.
     
  19. GermanOne

    GermanOne Guest

    True ;)

    Regarding your first code: you have to use a FOR /F loop to read the content of a file. For that reason your 2nd loop only processes the file name.
    Furthermore, your assumption "echo Deleted: %%g" is not guaranteed since you didn't check
    • if it exists
    • if the user has access

    Your 2nd code will fail with lines like
    Code:
    "hkey_current_user\software\microsoft\internet explorer\urlsearchhooks" /v {000f18f2-09eb-4a59-82b2-5ae4184c39c3}
    
    because the loop splits it into 3 tokens (where spaces are the separators).
     
  20. thisisu

    thisisu Malware Consultant

    You lost me.
    The first file is using for /f

    Can you go into more detail of what I need to do?
     
  21. thisisu

    thisisu Malware Consultant

    Never mind I understand what you were conveying to me now (I think :-D ).
    Now I simply do not know how to achieve what I'm wanting to achieve :-D (That is, having the full path of the key AND/OR value output in the very final log only if it was found and deleted.)
     
  22. thisisu

    thisisu Malware Consultant

    This code works: http://forums.majorgeeks.com/showpost.php?p=1771364&postcount=6
    But in the output log, it will only show stuff like "The operation completed successfully." or something like "<key name> does not exist"

    From here I can count how many lines out of the file have that string in it (successful) and output them to a final log but what I'd really prefer is to have the full key listed instead of the number.

    I hope that makes sense.

    And thanks once again for all your help :)
     
  23. thisisu

    thisisu Malware Consultant

    This is what I'm able to achieve with the log so far but I want it to be more detailed. I'm just not sure how to do that.

    Here is an sample from registryFOUND.txt

    Code:
    ERROR: The system was unable to find the specified registry key or value.
    ERROR: The system was unable to find the specified registry key or value.
    ERROR: The system was unable to find the specified registry key or value.
    The operation completed successfully.
    
    ERROR: The system was unable to find the specified registry key or value.
    ERROR: The system was unable to find the specified registry key or value.
    I'm hoping there is some way to find out which key (full path of it) was deleted successfully.

    Here is the code used:

    Code:
    REM Make things more clear when reading the further code.
    set "registryjunk=%systemdrive%\CrapRemover\temp\registryjunk.txt"
    set "registryFOUND=%systemdrive%\CrapRemover\temp\registryFOUND.txt"
    set "regdelete="%windir%\system32\reg.exe" DELETE"
    set "regquery="%windir%\system32\reg.exe" QUERY"
    
    REM create empty text files first
    >"%registryjunk%" type nul
    >"%registryFOUND%" type nul
    
    REM iterate over CLSID.dat
    
    for /f "usebackq delims=" %%g in ("%systemdrive%\CrapRemover\CLSID.dat") do (
      REM The line below outputs ALL the keys to registryjunk.txt. This makes our tool smaller but creates a ~1MB+ log file on the user's machine. Delete later.
      >>"%registryjunk%" echo "hkey_current_user\software\microsoft\internet explorer\searchscopes\%%g"
      REM Now we want to delete the keys that are actually present on the users machine and then output the full key to a log which we'll read later on.
      >>"%registryFOUND%" 2>&1 %regdelete% "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%%g" /f
    )
    The issue now isn't whether the keys are being deleted or not (they are). My goal now is to provide a more professional looking final log to show the user /helper which key was actually deleted.
     
    Last edited: Sep 19, 2012
  24. GermanOne

    GermanOne Guest

    [OT]
    Sorry for my late response. My PC at home broke (no bootable device found :confused ) immediately after I answered you yesterday. It seems to be a hardware problem. Since I have no idea whether or not I'm able to fix it, I'll try to give you a short answer from my PC at work.
    [/OT]

    In #20 you mentioned that you already used a for /f loop. Only true for the 1st loop but not for the 2nd ;)

    Well, trying to fix your log problem.
    In the code above only the messages of REG DELETE are redirected. These don't contain the path. You need to ECHO them depending on success or fail of the command. Remember what I told you about && in #14 of the other thread. There is also an || to concatenate commands if the first command failed.

    Try:
    Code:
    for /f "usebackq delims=" %%g in ("%systemdrive%\CrapRemover\CLSID.dat") do (
      REM The line below outputs ALL the keys to registryjunk.txt. This makes our tool smaller but creates a ~1MB+ log file on the user's machine. Delete later.
      >>"%registryjunk%" echo "hkey_current_user\software\microsoft\internet explorer\searchscopes\%%g"
      REM Now we want to delete the keys that are actually present on the users machine and then output the full key to a log which we'll read later on.
      %regdelete% "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%%g" /f >nul 2>&1 && (
        >>"%registryFOUND%" echo Deleted: "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%%g"
      ) || (
        >>"%registryFOUND%" echo Failed to delete: "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%%g"
      )
    )
    or without the failing lines
    Code:
    for /f "usebackq delims=" %%g in ("%systemdrive%\CrapRemover\CLSID.dat") do (
      REM The line below outputs ALL the keys to registryjunk.txt. This makes our tool smaller but creates a ~1MB+ log file on the user's machine. Delete later.
      >>"%registryjunk%" echo "hkey_current_user\software\microsoft\internet explorer\searchscopes\%%g"
      REM Now we want to delete the keys that are actually present on the users machine and then output the full key to a log which we'll read later on.
      %regdelete% "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%%g" /f >nul 2>&1 && (
        >>"%registryFOUND%" echo Deleted: "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\%%g"
      )
    )
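
    Two of the points in this thread fit together: the `/v {CLSID}` lines in #16/#17 break because a plain FOR splits them on spaces (#19), and the log only becomes useful once the path is echoed on `&&` / `||` (#24). The following is an added example, not code from the thread, that keeps both the key path and an optional value name in one data file separated by `|`, so nothing is ever split on spaces, and logs each outcome with the full path. To stay harmless it creates its own test keys under HKEY_CURRENT_USER\Software\CrapRemoverExample, works on those, and removes them again; the `regadd` variable, the `|` file format and the `CrapRemoverExample` key are assumptions of this example.

```batch
@echo off
setlocal disabledelayedexpansion
REM Added example, not code from the thread: one data file carrying
REM "KEY|VALUENAME" per line (empty VALUENAME = delete the whole key), parsed
REM with tokens so paths containing spaces survive, and logged via && / ||.
set "log=%temp%\registryFOUND.txt"
set "datfile=%temp%\registryjunk_sample.dat"
set "regdelete="%windir%\system32\reg.exe" DELETE"
set "regadd="%windir%\system32\reg.exe" ADD"

REM Constructed test keys under HKCU so the run touches nothing real.
set "base=HKEY_CURRENT_USER\Software\CrapRemoverExample"
%regadd% "%base%\SearchScopes\{AAAAAAAA-0000-0000-0000-000000000001}" /f >nul
%regadd% "%base%\URLSearchHooks" /v "{BBBBBBBB-0000-0000-0000-000000000002}" /t REG_SZ /d "" /f >nul

REM Constructed data file; the third entry does not exist on purpose.
> "%datfile%" echo %base%\SearchScopes\{AAAAAAAA-0000-0000-0000-000000000001}^|
>>"%datfile%" echo %base%\URLSearchHooks^|{BBBBBBBB-0000-0000-0000-000000000002}
>>"%datfile%" echo %base%\DoesNotExist\{CCCCCCCC-0000-0000-0000-000000000003}^|

>"%log%" type nul
REM %%k = everything before the first "|", %%l = everything after it.
for /f "usebackq tokens=1,* delims=|" %%k in ("%datfile%") do (
  if "%%l"=="" (
    %regdelete% "%%k" /f >nul 2>&1 && (
      >>"%log%" echo Deleted key:   "%%k"
    ) || (
      >>"%log%" echo Not found:     "%%k"
    )
  ) else (
    %regdelete% "%%k" /v "%%l" /f >nul 2>&1 && (
      >>"%log%" echo Deleted value: "%%k" /v "%%l"
    ) || (
      >>"%log%" echo Not found:     "%%k" /v "%%l"
    )
  )
)
type "%log%"

REM Remove the test hive and the constructed files again.
%regdelete% "%base%" /f >nul 2>&1
del "%datfile%" "%log%"
endlocal
```

    The log it prints reads "Deleted key:" for the SearchScopes entry, "Deleted value:" for the URLSearchHooks entry (the key itself stays, only the value goes, which is what those entries need) and "Not found:" for the third line. Dropping the `||` branch gives the "without the failing lines" variant from this post.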
    
     
  25. thisisu

    thisisu Malware Consultant

    Very interesting. Thanks once again for all your help :)
     
  26. thisisu

    thisisu Malware Consultant

    The tool I've been working on (and that you've helped me so much on!) can now be downloaded for free at: Junkware Removal Tool

    I hope that it does some good in the Malware Removal forum ;)
     
  27. GermanOne

    GermanOne Guest

    Hi thisisu

    Thanks for sharing!
    That's a lot of work on the registry. I'm pretty impressed.
    I tried to follow the messages displayed in the batch window. Often I read that access is denied. I guess it's because I didn't run as admin. Do you recommend to run as admin on Win7 / Vista?
     
  28. thisisu

    thisisu Malware Consultant

    Yes. ;)
     
  29. GermanOne

    GermanOne Guest

    :-D Yeah sorry for kidding. I just asked because you didn't mention it.

    Some proposals:

    • Make sure the command line interpreter works with the right settings (once in the beginning of get.bat):
    Code:
    setlocal enableextensions disabledelayedexpansion
    • Change the size of the window (once in the beginning of get.bat):
    Code:
    mode con cols=100 lines=60
    • Let the user know what currently happens:
    Code:
    title JRT by Thisisu - Initializing
    You can change the title several times during the run time.
     
  30. thisisu

    thisisu Malware Consultant

    Thanks, I'm going to try this :)
     
  31. thisisu

    thisisu Malware Consultant

    So I wouldn't need this in the other batch files if it's in get.bat?

    I took you up on your other suggestions, thank you ;)

    __

    Different subject: I'm trying to remove certain lines from a file called prefs.js (it's related to FireFox).

    I've created a .dat file with the strings I want to search for (that are bad), and if those strings match up. Delete the entire line containing them. And I would like to log the lines that were removed.

    Here is what I have so far.. any suggestions on how I can make this work?

    Code:
    @echo off
    
    if exist %systemdrive%\JRT\temp\badprefs.txt del /a/f/q %systemdrive%\JRT\temp\badprefs.txt
    if exist %systemdrive%\JRT\temp\clean.js del /a/f/q %systemdrive%\JRT\temp\clean.js
    
    cd /D "%appdata%\Mozilla\Firefox\Profiles"
    cd *.default
    set ProfilePath=%cd%
    for /f "usebackq delims=" %%g in ("%systemdrive%\JRT\prefs.dat") do (
        type %ProfilePath%\test.js | findstr "%%g" >> %systemdrive%\JRT\temp\badprefs.txt
    )
    for /f "usebackq delims=" %%g in ("%systemdrive%\JRT\prefs.dat") do (
        type %ProfilePath%\test.js | findstr /v "%%g" >> %systemdrive%\JRT\temp\clean.js
    )
    copy /y %systemdrive%\JRT\temp\clean.js %ProfilePath%\test.js >nul
    
    if exist %systemdrive%\JRT\temp\badprefs.txt (
        type %systemdrive%\JRT\temp\badprefs.txt >"%userprofile%\desktop\testlog.txt"
    )
    
    notepad "%userprofile%\desktop\testlog.txt"
    Here are the current contents of prefs.dat:

    Code:
    extensions.Babylon
    CommunityToolbar
    CT2790392
    CT3072253
    extensions.incredibar
    isearch.claro
    Claro Search
     
  32. thisisu

    thisisu Malware Consultant

    Feels good when you figure something out on your own :)

    I got the logging part working now. Now I just need to add the deletion part which was previously working.

    Code used (so far):

    Code:
    cd /D "%appdata%\Mozilla\Firefox\Profiles"
    cd *.default
    set ProfilePath=%cd%
    findstr /g:%systemdrive%\JRT\prefs.dat %ProfilePath%\test.js >%systemdrive%\JRT\temp\badprefs.txt
    pause
    Then I can type these badprefs lines in the final log to let the user know what was deleted :)

    <stoked>
     
    Last edited: Sep 24, 2012
  33. thisisu

    thisisu Malware Consultant

    Success! :D

    Code:
    @echo off
    
    if exist %systemdrive%\JRT\temp\badprefs.txt del /a/f/q %systemdrive%\JRT\temp\badprefs.txt
    if exist %systemdrive%\JRT\temp\prefs.js del /a/f/q %systemdrive%\JRT\temp\prefs.js
    
    cd /D "%appdata%\Mozilla\Firefox\Profiles"
    cd *.default
    set ProfilePath=%cd%
    %windir%\system32\findstr.exe /g:%systemdrive%\JRT\FFprefs.dat %ProfilePath%\test.js >%systemdrive%\JRT\temp\badprefs.txt
    Type %ProfilePath%\test.js | findstr /I /V /g:%systemdrive%\JRT\FFprefs.dat >> %systemdrive%\JRT\temp\prefs.js
    
    copy /y %systemdrive%\JRT\temp\prefs.js %ProfilePath%\test.js >nul
    
    notepad %ProfilePath%\test.js
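    The prefs.js cleanup from the two posts above, written out as an added example; it is not thisisu's or JRT's own code. It assumes the same layout the thread uses (FFprefs.dat with one literal search string per line, %systemdrive%\JRT\temp for scratch files; the thread tests against a copy named test.js, which is why the file name is a variable) and adds the checks a practitioner would want: /L so the dot in "extensions.Babylon" is not a regex wildcard, /I on both the log and the filter so they agree on what was removed, every profile folder instead of whichever *.default folder cd picks first, a backup before the file is rewritten, and the swap only once the filtered copy exists.

```batch
@echo off
setlocal enableextensions disabledelayedexpansion

REM Added example, not JRT code. Assumed layout (constructed for this example):
REM   %JRT%\FFprefs.dat  one literal search string per line (spaces are kept, e.g. "Claro Search")
REM   %JRT%\temp\        scratch folder for the removal log
set "JRT=%systemdrive%\JRT"
set "patterns=%JRT%\FFprefs.dat"
set "log=%JRT%\temp\badprefs.txt"
set "prefsname=prefs.js"
if not exist "%JRT%\temp" md "%JRT%\temp"
if exist "%log%" del /f /q "%log%"

REM Walk every profile folder instead of "cd *.default", which silently takes the
REM first match (or fails) when a user has more than one profile.
for /d %%p in ("%appdata%\Mozilla\Firefox\Profiles\*") do call :clean "%%~fp\%prefsname%"
if exist "%log%" type "%log%"
goto :eof

:clean
set "prefs=%~1"
if not exist "%prefs%" goto :eof
REM /L = literal strings (no regex), /I = case-insensitive,
REM /G: = search strings read one per line, so a line with spaces stays one string.
REM Only touch the file when at least one line matches.
findstr /L /I /G:"%patterns%" "%prefs%" >nul && (
    >>"%log%" echo [%prefs%]
    REM Log the lines that are about to be removed, with the same switches as the filter.
    findstr /L /I /G:"%patterns%" "%prefs%" >>"%log%"
    REM Keep a copy of the original before rewriting it.
    copy /y "%prefs%" "%prefs%.jrt.bak" >nul
    REM Write the filtered file under a temporary name and swap it in only if it was produced.
    findstr /L /I /V /G:"%patterns%" "%prefs%" >"%prefs%.tmp"
    if exist "%prefs%.tmp" move /y "%prefs%.tmp" "%prefs%" >nul
)
goto :eof
```

    Two caveats that the thread's one-profile test did not hit: Firefox writes prefs.js back out when it exits, so it has to be closed before the script runs or the edit is overwritten; and an empty line in FFprefs.dat is a search string that matches every line, which with /V would empty prefs.js, so the .dat file must not contain blank lines.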
     
  34. GermanOne

    GermanOne Guest

    These settings are inherited from the calling batch file. Since you call each of the other batch files from get.bat it's sufficient to write it once there.
    BTW: These are the default settings but the user can change them in the registry ... Eventually you don't know the user defined defaults ;)
     
  35. thisisu

    thisisu Malware Consultant

    Good to know, thanks. I added it to get.bat as suggested.
     
  36. thisisu

    thisisu Malware Consultant

    Hi GermanOne,

    Regarding what you posted here ; Is there a way I can have the program automatically take Administrative rights (if Run as Administrator was not used) without user intervention :confused
     
  37. GermanOne

    GermanOne Guest

    Hi Thisisu,

    actually you should be lucky to hear that the answer is NO! Think about the potential possibilities for malware developers :guns I'm glad that M$ made their best effort to avoid that.
    Though I wrote it in a way that the script will not prompt for UAC confirmation in case the user already has administrative rights ;)
     
  38. thisisu

    thisisu Malware Consultant

    Thanks again :)
     
  39. thisisu

    thisisu Malware Consultant

    Code:
      if defined param set "param=!param:%%=%%%%!"
    What does this do? From this post.

    I need help on elevating privileges with the current state of JRT. Do you mind taking a look and helping me? I'll credit you and it would be VERY much appreciated :)

    Latest version is here.

    I'm still calling everything from get.bat so I would only need this VBS one liner in this file right? Or do I need it in every file?

    Thank you for all your help on this :)
     
  40. thisisu

    thisisu Malware Consultant

    Found this but isn't working for me once I compile.exe (only works with standalone batch files)

    Code:
    @echo off
    
    :: BatchGotAdmin
    :-------------------------------------
    REM  --> Check for permissions
    >nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
    
    REM --> If error flag set, we do not have admin.
    if '%errorlevel%' NEQ '0' (
        echo Requesting administrative privileges...
        goto UACPrompt
    ) else ( goto gotAdmin )
    
    :UACPrompt
        echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
        echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
    
        "%temp%\getadmin.vbs"
        exit /B
    
    :gotAdmin
        if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
        pushd "%CD%"
        CD /D "%~dp0"
    :--------------------------------------
    
    <YOUR BATCH SCRIPT HERE>
    Haven't found a work around yet..
     
  41. thisisu

    thisisu Malware Consultant

    I tried an edited version of the script which you posted earlier (need to have enableextensions included)

    Code:
    @echo off &setlocal enableextensions disabledelayedexpansion
    cd /d "%~dp0"&if "%~1"=="~e~" (shift&goto :elevated)
    fsutil fsinfo drives|findstr /c:":\\">nul &&(
      cls&setlocal enableextensions enabledelayedexpansion
      if defined param set "param=!param:%%=%%%%!"
      call :elevated !param!&goto :eof
    )
    set "vbs=%temp%\uac.vbs"&set "me=%~f0"&setlocal enabledelayedexpansion
    if defined param set "param=!param:"=""!"
    >"!vbs!" echo CreateObject("Shell.Application").ShellExecute "!comspec!", "/c """"!me!"" ~e~ !param!""", "", "runas", 1
    cscript //nologo "!vbs!"&del "!vbs!"&goto :eof
    :elevated
    if "!"=="" (endlocal&endlocal&setlocal enableextensions disabledelayedexpansion)
    ::~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Basically a continuous cycle of batch windows open once compiled as .exe.

    I'll attach it so you can see it first hand. I'm on Windows 7 x64 with UAC turned on. It works fine as standalone batch which probably means what I'm using to compile (ZIP 2 Secure EXE) is at fault.

    Here it is:
     

    Attached Files: JRT.zip (266.5 KB)
  42. thisisu

    thisisu Malware Consultant

    Please disregard the above post as problem has been rectified.. :(
     
  43. thisisu

    thisisu Malware Consultant

    This is what ended up working for me:

    Code:
    @echo off &setlocal enableextensions disabledelayedexpansion
    
    REM ~~~~~~~~~~~~~~~~~~~~~~~~~~~START OF ELEVATION~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    REM ~~~~~~~~~~~~~~~~~~~~~~~~~~Credits to GermanOne~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    cd /d "%~dp0"&if "%~1"=="~e~" (shift&goto :elevated)
    fsutil fsinfo drives|findstr /c:":\\">nul &&(
      cls&setlocal enableextensions enabledelayedexpansion
      if defined param set "param=!param:%%=%%%%!"
      call :elevated !param!
    )
    set "vbs=%temp%\uac.vbs"&set "me=%~f0"&setlocal enableextensions enabledelayedexpansion
    if defined param set "param=!param:"=""!"
    >"!vbs!" echo CreateObject("Shell.Application").ShellExecute "!comspec!", "/c """"!me!"" ~e~ !param!""", "", "runas", 1
    cscript //nologo "!vbs!"&del "!vbs!"&goto :eof
    :elevated
    if "!"=="" (endlocal&endlocal&setlocal enableextensions disabledelayedexpansion)
    
    REM ~~~~~~~~~~~~~~~~~~~~~~~~~~~~END OF ELEVATION~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Newest version is posted here.

    Thanks so much for your help :)
     
  44. GermanOne

    GermanOne Guest

    Hi Thisisu

    Well, in case you would have a variable param and it would contain percent signs this line simply doubles them. Otherwise they would be removed automatically if you try to pass them to the elevated process. Never mind, in your current version you don't use this variable.

    You got it. A called batch file will inherit the elevation.

    Batch files can't be compiled. You packed it into a container/self-extractor/installer (some kind of software using CHILKAT library). A batch file must be unpacked first before you can execute it.
    However, you found the main reason why I NEVER use things like bat2exe. Each of those tools have side effects (even if I understand the reason why you have to use it anyway).

    BTW: Also calling a batch file via VBS can cause similar side effects. You should replace each echo. with echo( to avoid messages like file not found (even if a single left parenthesis looks a bit odd - it always works fine).
    http://www.dostips.com/forum/viewtopic.php?p=4554#p4554

    _____________________________________________________


    Perhaps I should have explained the reason why I told you to do user stuff unelevated more detailed than I actually did (forgive my bad English) ...

    First of all the current version of your tool is NOT EXECUTABLE by a user who neither belongs to the local administrator group nor does know the administrators password. (E.g. the "Guest" account under Win7 or a normal user in a company network.)

    In my opinion it would be always a good idea to run your tool unelevated in case the user has no rights to run as admin. Of course the keys in HKLM etc. are left untouched in that case, though also the malware was probably not able to create those keys if the computer was infected under the same account. ;)

    In case the current user has no permissions to run elevated stuff under his own account the UAC prompt shows a list of accounts where one can select the administrator account. If he knows the administrator password the batch file would be executed under the admin account. But in this case the HKCU points to the administrator account and the keys of the user are left untouched. Also you can imagine what SID would be found :p

    Again I recommend to divide your activities. First do user stuff, after that prompt for UAC confirmation and do elevated stuff. This way you make sure that all things where the user has enough rights are done and the job will be applied to the right keys.

    Regards
    GermanOne
     
  45. thisisu

    thisisu Malware Consultant

    Do you have any recommendations for what would be better to use in my case? Also noticed that the compiled .exe runs significantly slower than when I'm just testing via batch (and calling everything from the one batch file I ran).

    Very interesting! So I could replace every echo with echo( throughout every .bat file and it should be OK?

    If I recall correctly, sUBs, the author of ComboFix, does this too. I never understood why although your explanation puts some sense into it.
    _____________________________________________________

    Thanks for the explanation. :)

    I need to look into this. Currently, as you probably noticed, I combine the HKLM keys and all the other targeted keys (non HKLM) in a file to be cycled through via for loop (e.g. regkey_x64.dat).

    I hope that makes sense.

    Thanks again for your help.
     
  46. GermanOne

    GermanOne Guest

    Hi Thisisu

    You're welcome. I'm always glad to help the malware fighter :)

    Unfortunately I don't. It's the best way in your case since you have to unzip the files into a (probably not existing) particular folder because you always use absolute paths in your code. You could change everything if you use %~dp0 instead which expands to the path of the batch file (including the trailing backslash). Now you could use a simple zip archive and it doesn't matter where the user extracts its contents. It's up to you ... but actually you can leave it as is since it seems to work perfectly.
    I can't imagine why it runs slower this way. Of course the exe file has to create the folder, extract the files and run the get.bat. For that reason it's normal to have a short delay.

    Basically, yes. You don't need it where echo<space> works. Only echo. causes such side effects (and it slows down your process since it always searches for a file named echo. each time you call this command).

    If you want to divide it the way I suggested then you have to distinguish between HKCU and HKU\<User SID> which you can delete unelevated and all the other keys which require to be deleted in elevated mode.

    Hope that helps.
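    The split GermanOne recommends in his last two posts (user-owned hives first, UAC prompt second), written out as an added example; it is not JRT's or GermanOne's code. It assumes a constructed regkeys.dat next to the script with one full key per line and reuses the ShellExecute "runas" relaunch from this thread, with the argument ~e~ marking the elevated instance: the HKCU lines are processed under the logged-on user's own token before any prompt appears, so HKCU really is that user's hive, and only then is the script relaunched elevated for the HKLM lines. Keys are queried before deletion so absent ones are skipped silently, as in the earlier variant that drops the failing lines.

```batch
@echo off
setlocal enableextensions disabledelayedexpansion

REM Added example, not JRT code. Assumed (constructed) input next to the script:
REM   regkeys.dat   one full key per line, e.g.
REM     HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CLSID-PLACEHOLDER}
REM     HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{CLSID-PLACEHOLDER}
REM   Lines starting with ";" are skipped by for /f and can hold comments.
set "keys=%~dp0regkeys.dat"
set "log=%~dp0regkeys.log"

if "%~1"=="~e~" goto :elevated

REM Phase 1: still the logged-on user's own token, before any UAC prompt, so HKCU
REM is *this* user's hive and not the administrator's that a "runas" would give us.
>"%log%" echo == user phase as %username% ==
call :pass HKCU

REM Phase 2 needs HKLM, so relaunch elevated (the ShellExecute "runas" pattern from
REM this thread); "~e~" tells the new instance which phase it is in.
set "vbs=%temp%\uac.vbs"
>"%vbs%" echo CreateObject("Shell.Application").ShellExecute "%comspec%", "/c """"%~f0"" ~e~""", "", "runas", 1
cscript //nologo "%vbs%" & del "%vbs%"
goto :eof

:elevated
>>"%log%" echo == elevated phase ==
call :pass HKLM
notepad "%log%"
goto :eof

:pass
REM %1 is the hive prefix; /B /I /L selects only the lines of regkeys.dat that start with it.
for /f "usebackq delims=" %%k in (`findstr /B /I /L /C:"%~1" "%keys%"`) do (
    reg query "%%k" >nul 2>&1 && (
        reg delete "%%k" /f >nul 2>&1 && (>>"%log%" echo Deleted: %%k) || (>>"%log%" echo Failed: %%k)
    )
)
goto :eof
```

    The HKU\<SID> keys GermanOne mentions belong in the same user phase: the current SID can be read with whoami /user and passed to :pass as a second prefix. If the user cannot elevate at all, the script has still done everything it had rights to do before the prompt was declined, which is the point of the split.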
     
