
Hi There,

I am trying to write a script that will call all files of a particular file type (.exe, .dll, etc.) from the following directories:

<User Profile>\Application data\

<User Profile>\Local Settings\Application Data\

I was able to author a script that reads and copies the files if I specify the user's profile, but would like it to cycle through all users on the target machine.

I am new to scripting and came up with something like:

FileCopy("C:\Documents and Settings\Administrator\Application Data\*.exe", $MWFolder & $Machine & "\")
FileCopy("C:\Documents and Settings\Administrator\Local Settings\Application Data\*.exe", $MWFolder & $Machine & "\")

And that works, but I need it to cycle through all users' profiles on the target PC.

I won't know the profile names, so I cannot specify them in the script, and the number will vary from machine to machine, so I will need it to cycle through all of them.

I tried a "For/If/Then", but that failed.

Thoughts, suggestions?

Thanks in advance,



OK, I think I figured this out... I used the registry key of: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" as a guide.

$MWFolder = "C:\MALWARE\"
$Machine = "Destination Folder Name"
Opt("ExpandEnvStrings", 1)
DirCreate($MWFolder & $Machine)

; Walk the ProfileList subkeys (one per SID); RegEnumKey sets @error once there are no more keys
For $i = 1 To 100
    $Profile = RegEnumKey("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList", $i)
    If @error <> 0 Then ExitLoop
    ; ProfileImagePath holds the profile folder, e.g. %SystemDrive%\Documents and Settings\<user>
    $UserFolder = RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" & $Profile, "ProfileImagePath")
    If @error <> 0 Then ContinueLoop
    FileCopy($UserFolder & "\Application Data\*.exe", $MWFolder & $Machine & "\")
    FileCopy($UserFolder & "\Application Data\*.dll", $MWFolder & $Machine & "\")
    FileCopy($UserFolder & "\Local Settings\Application Data\*.exe", $MWFolder & $Machine & "\")
    FileCopy($UserFolder & "\Local Settings\Application Data\*.dll", $MWFolder & $Machine & "\")
Next
; The All Users profile has no SID entry in ProfileList, so it is handled separately
FileCopy("C:\Documents and Settings\All Users\Application Data\*.exe", $MWFolder & $Machine & "\")
FileCopy("C:\Documents and Settings\All Users\Application Data\*.dll", $MWFolder & $Machine & "\")

So what I did was read through the reg key, find the user's profile path under each SID, and use that as a variable in my FileCopy statement.

When this is done, it will copy .exe's & .dll's from the above locations on remote PCs (which I have permissions on).

I can analyze these files locally to see if they are malware. I have not found in my experience any legitimate reason for .exe's to exist in these locations; 9/10 it's malware.


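The same collection procedure in PowerShell, added here as an example and not part of the original post or the poster's script. It walks ProfileList, reads each ProfileImagePath, copies top-level .exe/.dll files from the two per-profile Application Data folders (plus All Users) into a subfolder per profile so same-named files from different users do not overwrite each other, and records a SHA256 inventory for triage. The destination path is a constructed placeholder; it assumes Windows PowerShell 5.1 or later run with local administrator rights.

```powershell
# Added example, not the original poster's code. Destination is a constructed placeholder.
$Destination    = 'C:\MALWARE\DestinationFolderName'
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$RelativeDirs   = @('Application Data', 'Local Settings\Application Data')
$Extensions     = @('.exe', '.dll')

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# Build (label, profile root) pairs from the registry. ProfileImagePath is REG_EXPAND_SZ and
# Get-ItemProperty returns it with %SystemDrive% already expanded.
$roots = @()
foreach ($key in Get-ChildItem -Path $ProfileListKey) {
    $path = (Get-ItemProperty -Path $key.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
    if ($path -and (Test-Path -LiteralPath $path)) {
        $roots += [pscustomobject]@{ Label = (Split-Path -Path $path -Leaf); Root = $path }
    }
}
# The All Users profile has no SID entry in ProfileList, so add it explicitly.
$roots += [pscustomobject]@{ Label = 'All Users'; Root = $env:ALLUSERSPROFILE }

$inventory = foreach ($r in $roots) {
    foreach ($rel in $RelativeDirs) {
        $source = Join-Path -Path $r.Root -ChildPath $rel
        if (-not (Test-Path -LiteralPath $source)) { continue }
        # Top level only, matching the wildcard FileCopy calls in the original script.
        $files = Get-ChildItem -LiteralPath $source -File -ErrorAction SilentlyContinue |
                 Where-Object { $Extensions -contains $_.Extension.ToLower() }
        foreach ($f in $files) {
            # One subfolder per profile keeps same-named files from different users apart.
            $target = Join-Path -Path $Destination -ChildPath $r.Label
            New-Item -ItemType Directory -Path $target -Force | Out-Null
            Copy-Item -LiteralPath $f.FullName -Destination $target -Force
            [pscustomobject]@{
                Profile = $r.Label
                Source  = $f.FullName
                Size    = $f.Length
                SHA256  = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# The CSV gives you hashes to look up before opening anything from the collected set.
$inventory | Export-Csv -Path (Join-Path -Path $Destination -ChildPath 'inventory.csv') -NoTypeInformation
$inventory | Format-Table -AutoSize
```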