ScriptingNoob
Posted July 18, 2011

Hi There,

I am trying to write a script that will call all files of a particular file type (.exe, .dll etc.) from the following directories:

<User Profile>\Application Data\
<User Profile>\Local Settings\Application Data\

I was able to author a script that reads and copies the files if I specify the user's profile, but would like it to cycle through all users on the target machine. I am new to scripting and came up with something like:

FileCopy("C:\Documents and Settings\Administrator\Application Data\*.exe", $MWFolder & $Machine & "\")
FileCopy("C:\Documents and Settings\Administrator\Local Settings\Application Data\*.exe", $MWFolder & $Machine & "\")

And that works, but I need it to cycle through all users' profiles on the target PC. I won't know the profile names, so I cannot specify them in the script, and the amount will vary from machine to machine, so I will need it to cycle through all of them. I tried a "For/If/Then", but that failed.

Thoughts, suggestions?

Thanks in advance,
-Newb
ScriptingNoob (Author)
Posted July 18, 2011

OK, I think I figured this out... I used the registry key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" as a guide.

$MWFolder = "C:\MALWARE\"
$Machine = "Destination Folder Name"
; ProfileImagePath is a REG_EXPAND_SZ value (e.g. %SystemDrive%\Documents and Settings\<user>),
; so environment strings must be expanded before the path is usable.
Opt("ExpandEnvStrings", 1)
DirCreate($MWFolder & $Machine)
For $i = 1 To 100
    ; Each subkey of ProfileList is a SID that owns a profile.
    $Profile = RegEnumKey("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList", $i)
    If @error <> 0 Then ExitLoop ; no more subkeys to enumerate
    $UserFolder = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & $Profile, "ProfileImagePath")
    If @error <> 0 Then ContinueLoop ; subkey without a ProfileImagePath: skip it instead of ending the sweep
    ; Only *.exe is collected here; add matching *.dll lines for DLLs.
    FileCopy($UserFolder & "\Application Data\*.exe", $MWFolder & $Machine & "\")
    FileCopy($UserFolder & "\Local Settings\Application Data\*.exe", $MWFolder & $Machine & "\")
Next
FileCopy("C:\Documents and Settings\All Users\Application Data\*.exe", $MWFolder & $Machine & "\")

So what I did was read through the reg key, find the user's profile path under each SID, and use that as a variable in my FileCopy statement. When this is done, it will copy .exe's & .dll's from the above locations on remote PCs (which I have permissions on). I can analyze these files locally to see if they are malware. I have not found in my experience any legitimate reason for .exe's to exist in these locations; 9/10 it's malware.
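The collection approach the second post describes, as an added example written in Python rather than AutoIt (it is not code from the thread). It generalizes the post's loop in three ways a triage collector usually needs: ProfileList entries are filtered to real user SIDs (S-1-5-21-...) unless service accounts are explicitly wanted, the REG_EXPAND_SZ ProfileImagePath is expanded case-insensitively, and each profile's files land in their own subfolder with a SHA-256 manifest, so two users' same-named updater.exe no longer overwrite each other as they would with a single flat FileCopy target. The Vista+ AppData\Roaming and AppData\Local folders are added as an assumption beyond the post's XP-era paths. Reading the live registry is Windows-only, so the ProfileList contents are passed in as a constructed dictionary and the demo sweeps a constructed profile tree in a temp directory.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# AppData folders to sweep, relative to each profile root. The first two are the
# XP-era paths from the post; the AppData\Roaming and AppData\Local entries are an
# assumption for Vista and later. Stored as path parts so the code runs on any OS.
APPDATA_SUBDIRS = (
    ("Application Data",),
    ("Local Settings", "Application Data"),
    ("AppData", "Roaming"),
    ("AppData", "Local"),
)
EXTENSIONS = {".exe", ".dll"}

_ENV_REF = re.compile(r"%([^%]+)%")


def expand_env(value, env):
    """Expand %NAME% references in a REG_EXPAND_SZ string (names are case-insensitive).
    Unknown names are left untouched rather than silently blanked."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _ENV_REF.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), value)


def profile_roots(profile_list, env, include_service_accounts=False):
    """Turn ProfileList entries (SID -> ProfileImagePath) into profile root paths.
    S-1-5-18/19/20 (LocalSystem, LocalService, NetworkService) are skipped by default,
    and an entry with no ProfileImagePath is skipped instead of ending the sweep."""
    roots = []
    for sid, image_path in profile_list.items():
        if not image_path:
            continue
        if not include_service_accounts and not sid.startswith("S-1-5-21-"):
            continue
        roots.append(expand_env(image_path, env))
    return roots


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_executables(roots, dest, recurse=False):
    """Copy *.exe / *.dll from each profile's AppData folders into dest/<profile>/...
    preserving the relative path, so same-named files from different users coexist.
    Files already collected from the same profile (same hash) are skipped, which
    absorbs the Vista+ junction that makes 'Application Data' and AppData\\Roaming
    the same folder. Returns a manifest of (source, destination, sha256) tuples."""
    manifest = []
    dest = Path(dest)
    for root in roots:
        root = Path(root)
        seen = set()
        for parts in APPDATA_SUBDIRS:
            folder = root.joinpath(*parts)
            if not folder.is_dir():
                continue
            candidates = folder.rglob("*") if recurse else folder.iterdir()
            for src in candidates:
                if not src.is_file() or src.suffix.lower() not in EXTENSIONS:
                    continue
                digest = sha256_file(src)
                if digest in seen:
                    continue
                seen.add(digest)
                target = dest / root.name / src.relative_to(root)
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(src, target)
                manifest.append((str(src), str(target), digest))
    return manifest


def demo():
    """Build a constructed XP-style profile tree in a temp dir and sweep it."""
    base = Path(tempfile.mkdtemp(prefix="appdata_sweep_"))
    files = {  # constructed sample files; contents are placeholders, not real binaries
        "Alice/Application Data/updater.exe": b"MZ-alice",
        "Alice/Application Data/notes.txt": b"not an executable, must be ignored",
        "Bob/Application Data/updater.exe": b"MZ-bob",
        "Bob/Local Settings/Application Data/helper.dll": b"MZ-helper",
    }
    for rel, data in files.items():
        p = base / "Documents and Settings" / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    roots = [str(base / "Documents and Settings" / u) for u in ("Alice", "Bob")]
    return collect_executables(roots, base / "MALWARE" / "HOSTNAME")


if __name__ == "__main__":
    for src, dst, digest in demo():
        print(f"{digest[:12]}  {src} -> {dst}")
```

On a Windows host the dictionary passed to profile_roots would come from enumerating the ProfileList subkeys with winreg; the manifest of hashes is what you would carry back for comparison against known-good or known-bad sets, rather than the bare files alone.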