
FileCopy Help


Hi There,

I am trying to write a script that will call all files of a particular file type (.exe, .dll etc) from the following directories:

<User Profile>\Application data\

<User Profile>\Local Settings\Application Data\

I was able to author a script that reads and copies the files if I specify the user's profile, but would like it to cycle through all users on the target machine.

I am new to scripting and came up with something like:

FileCopy("C:\Documents and Settings\Administrator\Application Data\*.exe", $MWFolder & $Machine & "\")
FileCopy("C:\Documents and Settings\Administrator\Local Settings\Application Data\*.exe", $MWFolder & $Machine & "\")

And that works, but I need it to cycle through all users' profiles on the target PC.

I won't know the profile names so I cannot specify them in the script, and the amount will vary from machine to machine, so I will need it to cycle through all.

I tried a "For/If/Then", but that failed.

Thoughts, suggestions?

Thanks in advance,



OK, I think I figured this out... I used the registry key of: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" as a guide.

$MWFolder = "C:\MALWARE\"
$Machine = "Destination Folder Name"
; Expand environment variables such as %SystemDrive% in the paths read from the registry
Opt("ExpandEnvStrings", 1)
DirCreate($MWFolder & $Machine)

; Walk the per-SID subkeys of ProfileList
For $i = 1 To 100
    $Profile = RegEnumKey("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList", $i)
    If @error <> 0 Then ExitLoop ; no more subkeys to enumerate
    $UserFolder = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & $Profile, "ProfileImagePath")
    If @error <> 0 Then ContinueLoop ; this subkey has no ProfileImagePath, skip it
    FileCopy($UserFolder & "\Application Data\*.exe", $MWFolder & $Machine & "\")
    FileCopy($UserFolder & "\Local Settings\Application Data\*.exe", $MWFolder & $Machine & "\")
Next
; The shared All Users profile is copied once, after the loop
FileCopy("C:\Documents and Settings\All Users\Application Data\*.exe", $MWFolder & $Machine & "\")

So what I did was read through the reg key, find the user's profile path under each SID, and use that as a variable in my FileCopy statement.

When this is done, it will copy .exes & .dlls from the above locations on remote PCs (which I have permissions on).

I can analyze these files locally to see if they are malware. I have not found in my experience any legitimate reason for .exes to exist in these locations; 9/10 it's malware.
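
A variant of the ProfileList walk above, as an added example that is not part of the original post: it collects both *.exe and *.dll and files each profile's copies under a folder named for its SID, so same-named files from different profiles do not collide and their origin stays visible during analysis. The destination path, the folder labels and the function name _CollectFiles are assumptions.

```autoit
; Added example (not from the original post). $sDestRoot, $aLabels and _CollectFiles are assumed names.
Opt("ExpandEnvStrings", 1) ; same option the post sets, so %SystemDrive% in ProfileImagePath expands

Local Const $sProfileList = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
Local Const $sDestRoot = "C:\MALWARE\Destination Folder Name" ; collection folder, as in the post
Local Const $aSubDirs[2] = ["\Application Data", "\Local Settings\Application Data"]
Local Const $aLabels[2] = ["AppData", "LocalAppData"] ; destination subfolder per source folder
Local Const $aMasks[2] = ["*.exe", "*.dll"]
Local $sSid, $sProfileDir, $i = 1

While 1
    $sSid = RegEnumKey($sProfileList, $i)
    If @error Then ExitLoop ; no more SID subkeys
    $i += 1
    $sProfileDir = RegRead($sProfileList & "\" & $sSid, "ProfileImagePath")
    If @error Or $sProfileDir = "" Then ContinueLoop ; subkey without a profile path
    For $d = 0 To UBound($aSubDirs) - 1
        For $m = 0 To UBound($aMasks) - 1
            _CollectFiles($sProfileDir & $aSubDirs[$d], $aMasks[$m], $sDestRoot & "\" & $sSid & "\" & $aLabels[$d])
        Next
    Next
WEnd

; Copies every file in $sSrcDir matching $sMask into $sDestDir and returns the number copied.
Func _CollectFiles($sSrcDir, $sMask, $sDestDir)
    Local $iCopied = 0, $sName
    Local $hSearch = FileFindFirstFile($sSrcDir & "\" & $sMask)
    If $hSearch = -1 Then Return 0 ; folder missing or nothing matched
    While 1
        $sName = FileFindNextFile($hSearch)
        If @error Then ExitLoop ; end of matches
        If @extended Then ContinueLoop ; a directory matched the mask, skip it
        ; Flag 8 creates the destination path; existing files are not overwritten
        If FileCopy($sSrcDir & "\" & $sName, $sDestDir & "\", 8) Then
            $iCopied += 1
        Else
            ConsoleWrite("Copy failed: " & $sSrcDir & "\" & $sName & @CRLF)
        EndIf
    WEnd
    FileClose($hSearch)
    Return $iCopied
EndFunc
```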
