sl23 Posted Thursday at 01:18 PM (Author)

Quote:
    put an _ArrayDisplay to see the results (Common debugging practice)

```autoit
; Initialize previous entries and files
Global $aPreviousEntries = _GetRegistryEntries()
_ArrayDisplay($aPreviousEntries, "$aPreviousEntries")
```

Great suggestion, but I'm a bit confused why you posted that. Argumentum stated earlier that "there is no "_GetRegistryEntries()" to be found", so how come you added it? I'm also clueless where to add it! The Global line is used at the top with the other "Globals", yes? But the other line, where does that go?

sl23 Posted Thursday at 01:20 PM (Author)

Quote:
    and a friendly tip: replace the real deletes with virtual ones, e.g.

```autoit
ConsoleWrite("RegDelete(" & $sRegistryKey & ", " & $sNewEntry & ")" & @CRLF)
; RegDelete($sRegistryKey, $sNewEntry)
...
ConsoleWrite("FileDelete(" & $sFolderPath & "\" & $sNewFile & ")" & @CRLF)
; FileDelete($sFolderPath & "\" & $sNewFile)
```

    until you are sure it will delete the right files. Otherwise, you risk deleting everything except what you don't want.

This makes sense, but... how do I know if it's actually doing anything? Thanks for the tips though.
argumentum Posted Thursday at 01:26 PM

@sl23, do you have a virtual machine? Hyper-V comes with Windows Pro. If you don't, I strongly advise you to try all this in a VM, as otherwise you may find yourself with a PC that doesn't run and without a PC to ask for help with.

Follow the link to my code contribution (and other things too). FAQ - Please Read Before Posting.

argumentum Posted Thursday at 01:28 PM

Quote (argumentum, 1 minute ago):
    you may find yourself with a PC that doesn't run and without a PC to ask for help with.

...just in case, the advice would be: re-install the OS and restore from your last backup.
PS: make backups.
ioa747 Posted Thursday at 01:33 PM

The changes I suggested are marked with ; *** <---

```autoit
#include <File.au3>
#include <MsgBoxConstants.au3>
#include <Array.au3>

Global $sRegistryKey = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
Global $sFolderPath = @StartupDir ; Use the startup directory directly
Global $sLogFile = @ScriptDir & "\startup_monitor_log.txt"

; Delete existing log file if it exists
If FileExists($sLogFile) Then
    FileDelete($sLogFile)
EndIf

; Initialize previous entries and files
Global $aPreviousEntries = _GetRegistryEntries()
_ArrayDisplay($aPreviousEntries, "$aPreviousEntries") ; *** <---
Global $aPreviousFiles = _FileListToArray($sFolderPath)
_ArrayDisplay($aPreviousFiles, "$aPreviousFiles") ; *** <---
_LogChange("Starting Check for changes") ; *** <---

While True
    Sleep(5000) ; Check every 5 seconds

    ; Check for registry changes
    Local $aCurrentEntries = _GetRegistryEntries()
    If Not _ArraysEqual($aPreviousEntries, $aCurrentEntries) Then
        ; Work out the new entry BEFORE replacing the previous snapshot,
        ; otherwise both arrays are identical and nothing is ever "new"
        Local $sNewEntry = _GetNewEntry($aPreviousEntries, $aCurrentEntries)
        $aPreviousEntries = $aCurrentEntries
        _LogChange("A new startup entry has been detected: " & $sNewEntry)
        If MsgBox($MB_YESNO, "Startup Entry Detected", "A new startup entry has been detected: " & $sNewEntry & ". Do you want to allow it?") = $IDNO Then
            ; Remove the unauthorized entry
            ; RegDelete($sRegistryKey, $sNewEntry)
            ConsoleWrite("RegDelete(" & $sRegistryKey & ", " & $sNewEntry & ")" & @CRLF) ; *** <---
            _LogChange("Denied startup entry: " & $sNewEntry)
        EndIf
    EndIf

    ; Check for new files in the startup folder
    Local $aCurrentFiles = _FileListToArray($sFolderPath)
    If Not _ArraysEqual($aPreviousFiles, $aCurrentFiles) Then
        Local $sNewFile = _GetNewFile($aPreviousFiles, $aCurrentFiles)
        $aPreviousFiles = $aCurrentFiles
        _LogChange("A new file has been detected in the startup folder: " & $sNewFile)
        If MsgBox($MB_YESNO, "File Detected", "A new file has been detected in the startup folder: " & $sNewFile & ". Do you want to allow it?") = $IDNO Then
            ; Remove the unauthorized file
            ; FileDelete($sFolderPath & "\" & $sNewFile)
            ConsoleWrite("FileDelete(" & $sFolderPath & "\" & $sNewFile & ")" & @CRLF) ; *** <---
            _LogChange("Denied file: " & $sNewFile)
        EndIf
    EndIf
WEnd

; Function to get registry entries (value names under the Run key, 0-based, no count element)
Func _GetRegistryEntries()
    Local $aEntries[0] ; Start with an empty array
    Local $iIndex = 0
    ; Read all values from the registry key
    While True
        Local $sValue = RegEnumVal($sRegistryKey, $iIndex)
        If @error Then ExitLoop ; Exit loop if no more values
        ReDim $aEntries[$iIndex + 1] ; Resize array to hold new entry
        $aEntries[$iIndex] = $sValue ; Store the entry
        $iIndex += 1
    WEnd
    Return $aEntries ; Return the array of entries
EndFunc

; Function to compare two arrays (same length and same order)
Func _ArraysEqual($aArray1, $aArray2)
    If UBound($aArray1) <> UBound($aArray2) Then Return False
    For $i = 0 To UBound($aArray1) - 1
        If $aArray1[$i] <> $aArray2[$i] Then Return False
    Next
    Return True
EndFunc

; Function to get the new entry
; _ArraySearch() returns the index of the match and -1 when nothing matches,
; so "Not _ArraySearch()" is only true for index 0; test for -1 instead
Func _GetNewEntry($aOldEntries, $aNewEntries)
    For $i = 0 To UBound($aNewEntries) - 1
        If _ArraySearch($aOldEntries, $aNewEntries[$i]) = -1 Then
            Return $aNewEntries[$i]
        EndIf
    Next
    Return ""
EndFunc

; Function to get the new file
; _FileListToArray() puts the file count in element 0, so start comparing at 1
Func _GetNewFile($aOldFiles, $aNewFiles)
    For $i = 1 To UBound($aNewFiles) - 1
        If _ArraySearch($aOldFiles, $aNewFiles[$i]) = -1 Then
            Return $aNewFiles[$i]
        EndIf
    Next
    Return ""
EndFunc

; Function to log changes (one timestamped line per message)
Func _LogChange($sMessage)
    FileWrite($sLogFile, @YEAR & "-" & @MON & "-" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC & " - " & $sMessage & @CRLF) ; *** <---
EndFunc
```

I know that I know nothing
sl23 Posted Thursday at 02:03 PM (Author) (edited)

No VM, but I have Sandboxie-Plus, is that good enough to test this out? i.e., will it work with the registry and creating manual shortcuts in the sandboxed startup folder?

@ioa747: Thanks for the help, you were too quick! I've just changed the code to adapt to use the first suggestion by Argumentum: _WinAPI_ReadDirectoryChanges($hDirectory, $iFilter, $pBuffer, but I don't know how to test for it or to get it to do what I need.

Quote:
    $hDirectory   A handle to the directory to be monitored. This directory must be opened with the $FILE_LIST_DIRECTORY access right.

First off, do I put the drive/path/folder there, or do I use a variable? And what does the last part mean? Sorry for the noob questions! I won't be offended if you leave me to it! lol

New code for file monitoring:

```autoit
#include <File.au3>
#include <MsgBoxConstants.au3>
#include <Array.au3>
#include <WinAPI.au3> ; Include the necessary library for WinAPI functions
#include <WinAPIFiles.au3> ; _WinAPI_CreateFileEx, _WinAPI_ReadDirectoryChanges
#include <FileConstants.au3> ; $OPEN_EXISTING, $FILE_SHARE_*, $FILE_LIST_DIRECTORY, $FILE_FLAG_BACKUP_SEMANTICS
#include <APIFilesConstants.au3> ; $FILE_NOTIFY_CHANGE_*, $FILE_ACTION_*

Global $sRegistryKey = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
Global $sFolderPath = @StartupDir ; Use the startup directory directly
Global $sLogFile = @ScriptDir & "\- startup_monitor_log.txt"

; Delete existing log file if it exists
If FileExists($sLogFile) Then
    FileDelete($sLogFile)
EndIf

; Initialize previous entries and files
Global $aPreviousEntries = _GetRegistryEntries()
_ArrayDisplay($aPreviousEntries, "$aPreviousEntries") ; *** <---
Global $aPreviousFiles = _FileListToArray($sFolderPath)
_ArrayDisplay($aPreviousFiles, "$aPreviousFiles") ; *** <---
_LogChange("Starting Check for changes") ; *** <---

; Open the directory handle with the $FILE_LIST_DIRECTORY access right that
; _WinAPI_ReadDirectoryChanges() requires. FileOpen() returns an AutoIt file
; handle for FileRead()/FileWrite(), not a Win32 directory handle, so it cannot be used here.
Global $hDirectory = _WinAPI_CreateFileEx($sFolderPath, $OPEN_EXISTING, $FILE_LIST_DIRECTORY, _
        BitOR($FILE_SHARE_READ, $FILE_SHARE_WRITE, $FILE_SHARE_DELETE), 0, $FILE_FLAG_BACKUP_SEMANTICS)
If @error Then Exit MsgBox($MB_ICONERROR, "Error", "Cannot open directory: " & $sFolderPath)
Global $tBuffer = DllStructCreate("byte[4096]") ; Buffer that receives the FILE_NOTIFY_INFORMATION records
Global $pBuffer = DllStructGetPtr($tBuffer) ; The UDF expects a pointer to the buffer, not the struct
Global $iFilter = BitOR($FILE_NOTIFY_CHANGE_FILE_NAME, $FILE_NOTIFY_CHANGE_DIR_NAME) ; Set the filter for file and directory name changes

While True
    ; Check for registry changes
    Local $aCurrentEntries = _GetRegistryEntries()
    If Not _ArraysEqual($aPreviousEntries, $aCurrentEntries) Then
        ; Work out the new entry BEFORE replacing the previous snapshot
        Local $sNewEntry = _GetNewEntry($aPreviousEntries, $aCurrentEntries)
        $aPreviousEntries = $aCurrentEntries
        _LogChange("A new startup entry has been detected: " & $sNewEntry)
        If MsgBox($MB_YESNO, "Startup Entry Detected", "A new startup entry has been detected: " & $sNewEntry & ". Do you want to allow it?") = $IDNO Then
            ; Remove the unauthorized entry
            ; RegDelete($sRegistryKey, $sNewEntry)
            ConsoleWrite("RegDelete(" & $sRegistryKey & ", " & $sNewEntry & ")" & @CRLF) ; *** <---
            _LogChange("Denied startup entry: " & $sNewEntry)
        EndIf
    EndIf

    ; Monitor the startup folder for changes.
    ; This call BLOCKS until something in the folder changes, so the registry
    ; check above only runs again after a file change.
    Local $aChanges = _WinAPI_ReadDirectoryChanges($hDirectory, $iFilter, $pBuffer, DllStructGetSize($tBuffer))
    If Not @error Then
        ; Process the changes: [0][0] = count, [i][0] = $FILE_ACTION_* code, [i][1] = file name
        For $i = 1 To $aChanges[0][0]
            If $aChanges[$i][0] <> $FILE_ACTION_ADDED And $aChanges[$i][0] <> $FILE_ACTION_RENAMED_NEW_NAME Then ContinueLoop
            Local $sNewFile = $aChanges[$i][1] ; Get the new file name
            _LogChange("A new file has been detected in the startup folder: " & $sNewFile)
            If MsgBox($MB_YESNO, "File Detected", "A new file has been detected in the startup folder: " & $sNewFile & ". Do you want to allow it?") = $IDNO Then
                ; Remove the unauthorized file
                ; FileDelete($sFolderPath & "\" & $sNewFile)
                ConsoleWrite("FileDelete(" & $sFolderPath & "\" & $sNewFile & ")" & @CRLF) ; *** <---
                _LogChange("Denied file: " & $sNewFile)
            EndIf
        Next
    EndIf
    Sleep(5000) ; Check every 5 seconds
WEnd

; Close the directory handle when done
_WinAPI_CloseHandle($hDirectory)

; Function to get registry entries (value names under the Run key, 0-based, no count element)
Func _GetRegistryEntries()
    Local $aEntries[0] ; Start with an empty array
    Local $iIndex = 0
    ; Read all values from the registry key
    While True
        Local $sValue = RegEnumVal($sRegistryKey, $iIndex)
        If @error Then ExitLoop ; Exit loop if no more values
        ReDim $aEntries[$iIndex + 1] ; Resize array to hold new entry
        $aEntries[$iIndex] = $sValue ; Store the entry
        $iIndex += 1
    WEnd
    Return $aEntries ; Return the array of entries
EndFunc

; Function to compare two arrays (same length and same order)
Func _ArraysEqual($aArray1, $aArray2)
    If UBound($aArray1) <> UBound($aArray2) Then Return False
    For $i = 0 To UBound($aArray1) - 1
        If $aArray1[$i] <> $aArray2[$i] Then Return False
    Next
    Return True
EndFunc

; Function to get the new entry (_ArraySearch() returns -1 when the value is not found)
Func _GetNewEntry($aOldEntries, $aNewEntries)
    For $i = 0 To UBound($aNewEntries) - 1
        If _ArraySearch($aOldEntries, $aNewEntries[$i]) = -1 Then
            Return $aNewEntries[$i]
        EndIf
    Next
    Return ""
EndFunc

; Function to get the new file (element 0 of a _FileListToArray() result is the count)
Func _GetNewFile($aOldFiles, $aNewFiles)
    For $i = 1 To UBound($aNewFiles) - 1
        If _ArraySearch($aOldFiles, $aNewFiles[$i]) = -1 Then
            Return $aNewFiles[$i]
        EndIf
    Next
    Return ""
EndFunc

; Function to log changes (one timestamped line per message)
Func _LogChange($sMessage)
    ; FileWriteLine($sLogFile, @YEAR & "-" & @MON & "-" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC & " - " & $sMessage)
    FileWrite($sLogFile, @YEAR & "-" & @MON & "-" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC & " - " & $sMessage & @CRLF) ; *** <---
EndFunc
```

EDIT: Updated the code with suggestions.

Edited Thursday at 02:15 PM by sl23
Nine Posted Thursday at 02:11 PM

Be careful, as per the help file:

Quote:
    The _WinAPI_ReadDirectoryChanges() function works only in synchronous mode. It means it is a blocking function.

You can use the unblocking feature, but it is a tad more complicated. For an example, search the forum; there are a number of topics about it.

"They did not know it was impossible, so they did it" ― Mark Twain
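As an added example (not Nine's code and not from the thread), the following script shows one way to keep the folder watch from blocking the rest of the loop: instead of _WinAPI_ReadDirectoryChanges() it registers a change notification with _WinAPI_FindFirstChangeNotification() and polls the handle with a zero timeout, so the loop returns immediately when nothing has changed and the registry check from the thread can run on every pass. Because a change notification only says "something changed", the script diffs a before/after listing to name the added file. It assumes AutoIt 3.3.14 includes (WinAPIFiles.au3, WinAPIProc.au3, APIFilesConstants.au3) and watches @StartupDir as in the thread; the two wait-result constants are defined locally to avoid depending on a particular constants file.

```autoit
; Added example: non-blocking startup-folder watch via a polled change notification.
; Not the thread's code; folder and includes are assumptions described in the lead-in.
#include <Array.au3>
#include <File.au3>
#include <FileConstants.au3>
#include <APIFilesConstants.au3>
#include <WinAPIFiles.au3>
#include <WinAPIProc.au3>

Global Const $iWAIT_SIGNALED = 0     ; WAIT_OBJECT_0: the handle was signaled
Global Const $iWAIT_TIMEDOUT = 0x102 ; WAIT_TIMEOUT: nothing happened within the timeout

Global $sWatchDir = @StartupDir ; assumption: the folder the thread monitors
Global $aKnown = _SnapshotFiles($sWatchDir)

; Ask Windows to signal the handle whenever a file name in the folder changes (add/delete/rename)
Global $hChange = _WinAPI_FindFirstChangeNotification($sWatchDir, $FILE_NOTIFY_CHANGE_FILE_NAME)
If @error Then Exit MsgBox(16, "Monitor", "FindFirstChangeNotification failed for " & $sWatchDir)

While True
    ; Timeout 0 means "just look": the call never blocks, unlike _WinAPI_ReadDirectoryChanges()
    Local $iWait = _WinAPI_WaitForSingleObject($hChange, 0)
    If $iWait = $iWAIT_SIGNALED Then
        Local $aNow = _SnapshotFiles($sWatchDir)
        Local $aAdded = _Difference($aNow, $aKnown) ; names present now but not before
        For $i = 0 To UBound($aAdded) - 1
            ConsoleWrite("New file in " & $sWatchDir & ": " & $aAdded[$i] & @CRLF)
        Next
        $aKnown = $aNow
        _WinAPI_FindNextChangeNotification($hChange) ; re-arm the handle for the next change
    ElseIf $iWait <> $iWAIT_TIMEDOUT Then
        ExitLoop ; wait failed or handle abandoned; stop rather than spin
    EndIf
    ; Other periodic work (e.g. the Run-key comparison from the thread) fits here
    Sleep(500)
WEnd
_WinAPI_FindCloseChangeNotification($hChange)

; Return a 0-based array of file names with no count element; empty array if the folder has no files
Func _SnapshotFiles($sDir)
    Local $aList = _FileListToArray($sDir, "*", $FLTA_FILES)
    If @error Then
        Local $aEmpty[0]
        Return $aEmpty
    EndIf
    _ArrayDelete($aList, 0) ; drop the count stored in element 0
    Return $aList
EndFunc

; Elements of $aA that do not occur in $aB. _ArraySearch() is case-insensitive by default,
; which matches Windows file-name semantics, and returns -1 when there is no match.
Func _Difference($aA, $aB)
    Local $aOut[0]
    For $i = 0 To UBound($aA) - 1
        If _ArraySearch($aB, $aA[$i]) = -1 Then _ArrayAdd($aOut, $aA[$i])
    Next
    Return $aOut
EndFunc
```

The diff step matters for a defender: a notification can coalesce several events, so comparing listings rather than trusting a single "one file was added" report avoids missing a second drop that lands between two polls.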
argumentum Posted Thursday at 02:23 PM

Quote (sl23, 6 minutes ago):
    No VM, but I have sandboxie-plus

If you are comfortable with it, I guess. But nothing beats a VM. And don't forget to backup. And to backup your backup. Backups are more important than anything else!

Quote (sl23, 12 minutes ago):
    Argumentum: _WinAPI_ReadDirectoryChanges($hDirectory, $iFilter, $pBuffer, but I don't know how to test for it or to get it to do what I need.

Hmm, ..the example in the ZIP should be enough but, like @Nine said, search the forum. At this point it would be easier/faster to code what you want to have, as a birthday gift, why not. What you want to have is not that hard to put together, but very time consuming (but I am busy with other things 🤷♂️).
sl23 Posted Thursday at 03:56 PM (Author) (edited)

I tried VM but that's another beast I wasn't willing to tame, due to no reason for learning it. Sandboxie is straightforward. I have plenty of backups! I'm also good with reinstalling Windows drivers where necessary. All my apps are portable and on the D drive, so no installation required.

ZIP? I missed that, but can't find it. EDIT: You mean the ForkUDFs? Ok, I'll look into that too.

My birthday just gone, so, about this time next year? That's ok, I appreciate you taking time to help out. I'm going to try and read that PDF again and see if I can start making sense of the code!

Edited Thursday at 03:57 PM by sl23