How to get target path of a process

[ur]

How to retrieve the target executable path from a process.

My system is effected with IMG001.exe virus and I remove the folders created by it daily but still it is creating the folders everytime I login to my PC.

My Antivirus is not detecting it.

 

So I thought to create a process in AutoIT to check for the process name IMG001.exe and retrieve the process target exe to a log file, so that I can track where it is putting these files.

With  ProcessExists ( "process" ) , i can get the process ID.

But how to get the target location of the executable of the process.??

[Deye]

In the help file: _WinAPI_GetProcessFileName()

[ur]

1 hour ago, Deye said:

In the help file: _WinAPI_GetProcessFileName()

Thanks Deye..

I need one more help.

WHen I am trying to delete the file, it is not getting deleted once I kill the process.

So I kept 2 seconds wait at present.

But if I launch multiple copies of the file at the same time, then I am getting the same issue again.

Is there any force delete option??

Below is the copy of my script.

IMG001 Deleter.au3

[Deye]

Something like this..

 

#include <WinAPIProc.au3>

Local $iID, $file, $parentID, $parentFile, $a_process = ProcessList("img001.exe")
For $i = 1 To $a_process[0][0]
    $iID = $a_process[$i][1]
    $parentID = _WinAPI_GetParentProcess($iID)
    $file = _WinAPI_GetProcessFileName($iID)
    ProcessClose($iID)
    FileSetAttrib($file, "-RASHNOT")
    FileDelete($file)
    $parentFile = _WinAPI_GetProcessFileName($parentID)
;~  ProcessClose($parentID)
;~  FileSetAttrib($parentFile, "-RASHNOT")
;~  FileDelete($parentFile)
    MsgBox(0, $parentID, $parentFile)
Next

 

Edited May 31, 2017 by Deye

[ur]

The exe I kept running in the background but still it is not able to track the process which created these folders.

 

Is there any way to get details of which process created a folder???

[jchd]

Once infected by malware a machine is compromized, unsafe and must be regarded as an unreliable liar (about acting as expected).

Please delete this file.
Done! (ROTFL, he believes I'll do that!)
Please kill this process.
Done! (Keep on expecting that!)

When the leader of the armies is known to have agreed with the enemy, you shouldn't be surprised if your guys pityfully loose the war under his leadership, despite reports that they made daily amazing progress.

[ur]

@jchd thanks for the inputs.

I have deleted this file already, but it is getting created daily.

Even the antivirus is not able to delete it.

WIndows Defender is just deleting this file but it is getting regenerated daily.

It seems some other process is generating this file which windows defender also not able to detect.

So is there any possiblity to backtrack the folders by seeing which process created that and delete the malicious file??

[jchd]

If you still want to trust the untrustable, you can use process explorer to do that.

[ur]

Process explorer will show the running processes but I need the process or program which created the folder.Is it possible to get that?

[jchd]

NTFS doesn't keep history of which PID created an entry AFAIK. You need a full-featured journaling file system for that.

PE lets you see which files a process accesses.

[MilesAhead]

I agree with jchd about trying to run programs to handle the virus on a diseased machine.  If anything at least make a bootable USB on a clean machine to scan your system after booting the flash drive.  On a clean PC you can download Avast Trial version and make a bootable flash drive with the current av database.  Boot your infected PC from the flash drive and run the scan.

 

I assume source code backups were made when the PC was still clean?