lionfaggot

is it possible to have autoit not add this registry value?

15 posts in this topic

Turns out all AutoIt exes add the following registry values (I'm not sure why or how), but here they are:

HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder 0 Value Change 1

This is according to an Anubis scan, and this is all that keeps my AutoIt programs on the redlist of antiviruses.

But ALL AutoIt exes apparently edit this key, so, right, is it possible to keep AutoIt from editing these values?

Even for an exe with JUST sleep(100) in it, Anubis said it edited these.

anubis.iseclab.org - if one of the developers could solve that issue it'd mean we wouldn't have as much to deal with from antivirus companies.

I mean, at least not as much. I was just thinking there should be an option for an AutoIt exe to not edit said values.

Thanks in advance.


#2 ·  Posted (edited)

Turns out all AutoIt exes add the following registry values (I'm not sure why or how), but here they are:

HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder 0 Value Change 1

This statement is certainly not true for me. I've just run several AutoIt exes on my PC and monitored all registry access with sysinternals' RegMon.exe. Nothing under HKLM\system\CurrentControlSet\control\NetworkProvider was changed or even accessed.

Edit: Put some words in the order I originally intended.

Edited by Bowmore


#3 ·  Posted (edited)

lionfaggot,

I have been running compiled exes from many versions of AutoIt over several years and I do not have that key (or keys, you are imprecise in your post) set at all on my system. :)

All I have in HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder is the ProviderOrder key which reads: "LanmanWorkstation,RDPNP,webclient".

Are you sure that AutoIt is doing it? According to MS, the NetworkProvider subkey "provides a list of the available network providers that use the Microsoft network-independent APIs". It seems very likely to me that it is something else. :P

M23

Edit: Formatting went all funny. :)

Edited by Melba23


Well, according to runtime antivirus scans, AutoIt exes do change values. I have no idea why. Scan any of your compiled AutoIt exes in an online sandbox such as http://anubis.iseclab.org/

No, seriously, just try it, and that's not the only runtime scan that says AutoIt exes do this; all runtime scans I've tried say it. I don't know, I'm no developer, I just know what I see.


Well, according to runtime antivirus scans, AutoIt exes do change values. I have no idea why. Scan any of your compiled AutoIt exes in an online sandbox such as http://anubis.iseclab.org/

No, seriously, just try it, and that's not the only runtime scan that says AutoIt exes do this; all runtime scans I've tried say it. I don't know, I'm no developer, I just know what I see.

Are you some sort of rep for this Anubis? You keep piping up about them. I've got news for you: no-one cares about a lousy stinking online scan that hardly anyone has heard of, so you might as well give up with your aggressive "no really", "Just do it", "upload" suggestions.

Even if it did write this elusive regkey, so what? I doubt there is going to be a new release of AutoIt3 because you don't like a false positive from a scrotum scan.

Live long and prosper.



Funny, JohnOne...

"hit it where they ain't"

kylomas



It's not just Anubis though; most antiviruses have runtime scans. I was just using Anubis as an example. In fact, the scans that detect AutoIt exes aren't based on the file before it's run. Also, another online sandbox from Sunbelt says AutoIt exes do something called "checks for debugger" - the point here is that runtime scans have pretty common guidelines in what they check for from an exe. Google "online sandbox"; I highly advise you guys give this a try.


I try to get people to play a game I made in AutoIt and people complain it's a virus. Scan it on VirusTotal and it's only detected by K7; none of my friends or no one I know uses K7. They're detected not because of the file but because of RUNTIME.


I just reimaged a computer here at work and ran one of my software install scripts on it (compiled .exe) and then I just checked that registry value you mentioned. There is absolutely no difference between the before and after values in that key. I then checked it as the program is running and there is no change there as well. Looks like your AV scanner sucks and is reading things that just aren't there.

This isn't a false positive as I would categorize one, this is the AV scanner being used telling you things that aren't happening. The exes do not modify, add or remove any entries in that key while running or after being run. Use a different AV program.



lionfaggot,

Can you post the output from one of these scans that pops on AI?

Also post an image of the reg keys and values that you think are affected.

kylomas



#12 ·  Posted (edited)

With the site you linked yourself... it does no such thing.

http://anubis.iseclab.org/?action=result&task_id=10447a47c43d81094e9497d7be5263ea7&format=html

- Monitored Registry Keys:

Key Name: HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder

Watch subtree: 0

Notify Filter: Value Change

Count: 1

This means it checked the value once for a Value Change.

It does not mean it changed the value.

Tbh, sites like that are a load of crap anyways.

There should be a monitor here somewhere that's reliable: http://technet.microsoft.com/en-gb/sysinternals

Edited by Djarlo
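
The reading given in the post above, as an added example that is not part of any post in this thread: it parses the quoted "Monitored Registry Keys" entry and the flattened row from the first post into the same four fields, showing that "0 Value Change 1" is Watch subtree, Notify Filter and Count rather than a written value. The function names and the stripping of the zero-width spaces that the forum page carried inside the key path are choices made here.

```python
import re

# Report entry as quoted in the thread. "\u200b" is the zero-width space the
# forum page carried after each backslash of the key path.
REPORT_BLOCK = (
    "Key Name: HKLM\\\u200bsystem\\\u200bCurrentControlSet\\\u200bcontrol"
    "\\\u200bNetworkProvider\\\u200bHwOrder\n"
    "Watch subtree: 0\n"
    "Notify Filter: Value Change\n"
    "Count: 1\n"
)
# The same entry as the first post flattened it onto one line.
FLAT_ROW = r"HKLM\system\CurrentControlSet\control\NetworkProvider\HwOrder 0 Value Change 1"

ROW_RE = re.compile(r"^(\S+)\s+([01])\s+(.+?)\s+(\d+)$")


def clean(text):
    """Remove zero-width characters so key paths compare and paste cleanly."""
    return re.sub("[\u200b\u200c\u200d\ufeff]", "", text).strip()


def parse_block(text):
    """Parse the 'Name: value' lines of one Monitored Registry Keys entry."""
    fields = {}
    for line in clean(text).splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return {"key": fields["key name"],
            "watch_subtree": fields["watch subtree"] == "1",
            "notify_filter": fields["notify filter"],
            "count": int(fields["count"])}


def parse_flat_row(row):
    """Split a flattened row back into the same four fields."""
    m = ROW_RE.match(clean(row))
    if m is None:
        raise ValueError("not a monitored-key row: %r" % row)
    key, subtree, notify_filter, count = m.groups()
    return {"key": key, "watch_subtree": subtree == "1",
            "notify_filter": notify_filter, "count": int(count)}


def describe(entry):
    """State what the entry records: a notification watch, not a write."""
    scope = "key and subkeys" if entry["watch_subtree"] else "key only"
    return ("%d watch(es) for '%s' on %s (%s); the entry records no write"
            % (entry["count"], entry["notify_filter"], entry["key"], scope))
```
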


Here's one for trancexx...

You are familiar with assonance...

Interpret the OP's nick...

Aren't those "dots" annoying...



I try to get people to play a game I made in AutoIt and people complain it's a virus. Scan it on VirusTotal and it's only detected by K7; none of my friends or no one I know uses K7. They're detected not because of the file but because of RUNTIME.

If your compiled files are flagged as a virus then compile them without the UPX packer, this is the most likely part that is being flagged.


It's not just Anubis though; most antiviruses have runtime scans. I was just using Anubis as an example. In fact, the scans that detect AutoIt exes aren't based on the file before it's run. Also, another online sandbox from Sunbelt says AutoIt exes do something called "checks for debugger" - the point here is that runtime scans have pretty common guidelines in what they check for from an exe. Google "online sandbox"; I highly advise you guys give this a try.

"checks for debugger"

Yes, AutoIt has implemented a test against debugging EXE files. If that's the reason for being flagged as "bad", then replace your scanner with a better one.
