argumentum Posted July 24
@sl23, do you have a virtual machine? Hyper-V comes with Windows Pro. If you don't, I strongly advise trying all this in a VM, as otherwise you may find yourself with a PC that doesn't run and without a PC to ask for help with.
Follow the link to my code contribution ( and other things too ). FAQ - Please Read Before Posting.

argumentum Posted July 24
1 minute ago, argumentum said: "you may find yourself with a PC that doesn't run and without a PC to ask for help with."
...just in case, the advice would be: re-install the OS and restore from your last backup.
PS: make backups.
ioa747 Posted July 24
The changes I suggested are marked with ; *** <---

```autoit
#include <File.au3>
#include <MsgBoxConstants.au3>
#include <Array.au3>

Global $sRegistryKey = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
Global $sFolderPath = @StartupDir ; Use the startup directory directly
Global $sLogFile = @ScriptDir & "\startup_monitor_log.txt"

; Delete existing log file if it exists
If FileExists($sLogFile) Then
    FileDelete($sLogFile)
EndIf

; Initialize previous entries and files
Global $aPreviousEntries = _GetRegistryEntries()
_ArrayDisplay($aPreviousEntries, "$aPreviousEntries") ; *** <---
Global $aPreviousFiles = _FileListToArray($sFolderPath)
_ArrayDisplay($aPreviousFiles, "$aPreviousFiles") ; *** <---

_LogChange("Starting Check for changes") ; *** <---

While True
    Sleep(5000) ; Check every 5 seconds

    ; Check for registry changes
    Local $aCurrentEntries = _GetRegistryEntries()
    If Not _ArraysEqual($aPreviousEntries, $aCurrentEntries) Then
        ; Find the new entry before overwriting the previous snapshot,
        ; otherwise both arrays are identical and nothing is ever reported
        Local $sNewEntry = _GetNewEntry($aPreviousEntries, $aCurrentEntries)
        $aPreviousEntries = $aCurrentEntries
        _LogChange("A new startup entry has been detected: " & $sNewEntry)
        If MsgBox($MB_YESNO, "Startup Entry Detected", "A new startup entry has been detected: " & $sNewEntry & ". Do you want to allow it?") = $IDNO Then
            ; Remove the unauthorized entry
            ; RegDelete($sRegistryKey, $sNewEntry)
            ConsoleWrite("RegDelete(" & $sRegistryKey & ", " & $sNewEntry & ")" & @CRLF) ; *** <---
            _LogChange("Denied startup entry: " & $sNewEntry)
        EndIf
    EndIf

    ; Check for new files in the startup folder
    Local $aCurrentFiles = _FileListToArray($sFolderPath)
    If Not _ArraysEqual($aPreviousFiles, $aCurrentFiles) Then
        ; Same ordering issue as above: diff first, then update the snapshot
        Local $sNewFile = _GetNewFile($aPreviousFiles, $aCurrentFiles)
        $aPreviousFiles = $aCurrentFiles
        _LogChange("A new file has been detected in the startup folder: " & $sNewFile)
        If MsgBox($MB_YESNO, "File Detected", "A new file has been detected in the startup folder: " & $sNewFile & ". Do you want to allow it?") = $IDNO Then
            ; Remove the unauthorized file
            ; FileDelete($sFolderPath & "\" & $sNewFile)
            ConsoleWrite("FileDelete(" & $sFolderPath & "\" & $sNewFile & ")" & @CRLF) ; *** <---
            _LogChange("Denied file: " & $sNewFile)
        EndIf
    EndIf
WEnd

; Function to get registry value names
Func _GetRegistryEntries()
    Local $aEntries[0] ; Start with an empty array
    Local $iIndex = 0
    ; Read all value names from the registry key (RegEnumVal instances are 1-based)
    While True
        Local $sValue = RegEnumVal($sRegistryKey, $iIndex + 1)
        If @error Then ExitLoop ; Exit loop if no more values
        ReDim $aEntries[$iIndex + 1] ; Resize array to hold the new entry
        $aEntries[$iIndex] = $sValue ; Store the value name
        $iIndex += 1
    WEnd
    Return $aEntries ; Return the array of entries
EndFunc

; Function to compare two arrays element by element
Func _ArraysEqual($aArray1, $aArray2)
    If UBound($aArray1) <> UBound($aArray2) Then Return False
    For $i = 0 To UBound($aArray1) - 1
        If $aArray1[$i] <> $aArray2[$i] Then Return False
    Next
    Return True
EndFunc

; Function to get the new entry
; _ArraySearch returns the index or -1 when not found, so test for -1 rather than using Not
Func _GetNewEntry($aOldEntries, $aNewEntries)
    For $i = 0 To UBound($aNewEntries) - 1
        If _ArraySearch($aOldEntries, $aNewEntries[$i]) = -1 Then
            Return $aNewEntries[$i]
        EndIf
    Next
    Return ""
EndFunc

; Function to get the new file
; _FileListToArray keeps the file count in element 0, so start at 1
Func _GetNewFile($aOldFiles, $aNewFiles)
    For $i = 1 To UBound($aNewFiles) - 1
        If _ArraySearch($aOldFiles, $aNewFiles[$i]) = -1 Then
            Return $aNewFiles[$i]
        EndIf
    Next
    Return ""
EndFunc

; Function to log changes (one timestamped line per message)
Func _LogChange($sMessage)
    FileWrite($sLogFile, @YEAR & "-" & @MON & "-" & @MDAY & " " & @HOUR & ":" & @MIN & ":" & @SEC & " - " & $sMessage & @CRLF) ; *** <---
EndFunc
```

I know that I know nothing
Nine Posted July 24
Be careful, as per the help file:
Quote: "The _WinAPI_ReadDirectoryChanges() function works only in synchronous mode. It means it is a blocking function."
You can use the unblocking feature but it is a tad more complicated. For an example, search the forum, there are a number of topics about it.
“They did not know it was impossible, so they did it” ― Mark Twain
argumentum Posted July 24
6 minutes ago, sl23 said: "No VM, but I have sandboxie-plus"
If you are comfortable with it, I guess. But nothing beats a VM. And don't forget to back up. And to back up your backup. Backups are more important than anything else!
12 minutes ago, sl23 said: "Argumentum: _WinAPI_ReadDirectoryChanges($hDirectory, $iFilter, $pBuffer, but I don't know how to test for it or to get it to do what I need."
hmm, ..the example in the ZIP should be enough but, like @Nine said, search the forum. At this point it would be easier/faster to code what you want to have, as a birthday gift, why not. What you want to have is not that hard to put together, but very time consuming ( but I am busy with other things 🤷♂️ )
sl23 (Author) Posted July 24 (edited)
I tried a VM but that's another beast I wasn't willing to tame due to having no reason for learning it. Sandboxie is straightforward. I have plenty of backups! I'm also good with reinstalling Windows drivers where necessary. All my apps are portable and on the D drive, so no installation is required. ZIP? I missed that, but can't find it.
EDIT: You mean the ForkUDF's? Ok, I'll look into that too. My birthday has just gone, so, about this time next year? That's ok, I appreciate you taking time to help out. I'm going to try and read that PDF again to see if I can start making sense of the code!
Edited Wednesday at 12:55 PM by sl23
sl23 (Author) Posted July 30 (edited)
...
Edited Wednesday at 12:55 PM by sl23 (Revised code)
sl23 (Author) Posted July 30 (edited)
Ok, so this code seems to be working fine. I've compiled it to its latest version and it's detecting and deleting entries in the Windows startup folders for the user and for all users. It is also detecting and deleting registry entries that appear in the user and machine RUN sections. Here is a test version of StartupMonitor64, source code included, should anyone feel brave enough to test it!
EDIT: I added the icon to the above post with the source code!
Edited July 30 by sl23
Jos (Developers) Posted July 30 (edited)
Please do not attach zip files with compiled scripts, as some AV/search companies scan this stuff and sometimes decide to declare this website unsafe! So just publish the source in a code tag. 🙂
Your current attachment is removed.
Edited July 30 by Jos
Live for the present, Dream of the future, Learn from the past.
argumentum Posted July 30
..I remember that there were more registry entries and asked Google "all registry for Run runonce etc" and the AI thing popped up and said:

AI Overview: Configure a RunOnce task on Windows
The Windows Registry contains several keys that execute commands or programs at startup. The most relevant ones are Run, RunOnce, RunServices, and RunServicesOnce, found under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. Run executes a command each time a user logs in, while RunOnce executes it only once, then deletes the entry. The "Services" keys are used for services that start before the user logs in. Here's a breakdown of the key locations:

HKEY_LOCAL_MACHINE (HKLM):
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: Runs commands for all users on the system at each logon.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce: Runs commands for all users once, then deletes them.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices: Starts services before the user logs in, for all users.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce: Starts services once before the user logs in, then deletes them.

HKEY_CURRENT_USER (HKCU):
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: Runs commands for the specific logged-in user at each logon.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce: Runs commands for the specific logged-in user once, then deletes them.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices: Starts services before the specific logged-in user logs in.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce: Starts services once for the specific logged-in user before they log in, then deletes them.

Additional Keys:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute: This key is used to specify commands that run during the very early stages of system boot, before user logon.
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load: This key is used to load specific programs for the currently logged-in user upon logon, according to Super User.

Note: The RunOnce keys are often used for installation programs or actions that should only happen once after a system or user-specific change. The RunServices keys are used for services that need to start very early in the boot process. The presence of these keys, and the commands they execute, can significantly impact system behavior and are often targeted by malware for persistence.

and I see that you only have 2. And yes, what a mod. said: no exe in the text forum area. But the script and the icon are very welcome ( and I am one to share an icon when I make 'em too )
Also, this is a good read ( https://www.socinvestigation.com/monitor-modified-registry-keys-possible-windows-event-id/ ) and this one too ( https://stackoverflow.com/questions/56274139/task-scheduler-run-on-event-for-a-specific-task-only )
I know that I am flooding you with a bunch of info, but I don't want you to get a false sense of security, thinking that it is good enough.
PS: "Just because you're paranoid doesn't mean they aren't out to get you"
sl23 (Author) Posted July 30
Apologies, I didn't know that was a thing. Just thought it was standard practice. Sorry... 😟
sl23 (Author) Posted July 30
Thanks argumentum. I did wonder how many there were, but never got round to asking that. I've used up 80% of my chat time on GitHub for the month so maybe this won't get sorted for a while. But good to know about those extra entries, thank you.
argumentum Posted July 31

```autoit
...
; ----------------------------------------------------------------------
; Get Initial Startup Entries
; ----------------------------------------------------------------------
Global $g_oldEntries = _GetAllStartupEntries_Map()
...
```

It would be good to save those entries to an organized file and load from there because, if you run this sporadically or something changes between your script running and something else, on reboot or whatnot, then you'll be able to see that there was a change. Mostly if you're looking for sneaky things like Edge.
sl23 (Author) Posted August 1
Just to get this right, are you saying that the program should create a second log of all existing items, adding future allowed items, and use that as a basis for its checks? So, for example, the first run checks the current state of startup, logs that to a file, adds any new entries that you allow and uses that as a basis for monitoring? But doesn't that leave it open to possible errors? Or do I have it wrong? Could you explain a little please.
argumentum Posted August 1 (edited)
You are comparing what you have now with what you'll have in X seconds, all in memory. When you load your script again, it'll do the same. If you saved the last known state, next time you load the script you will know for a fact if anything changed since you last ran the script, because you have it in a file with the last known state, and not just what changed while running the script.
That will necessitate comparing each entry and not just a count of how many. Also, as a bad actor, one could replace an entry to keep the count intact, or have other reasons to just edit an entry.
..unless I've got it wrong ( don't remember the code clearly )
Edited August 1 by argumentum
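As an added illustration of the baseline-file approach described above (this is not code from the thread, whose script is in AutoIt): a Python sketch that persists the last known state to a JSON file and compares every entry by name and command, so a swapped command with an unchanged entry count is still reported. The snapshot contents and the "StartupDir" label are constructed; a real collector would fill the dictionary from the Run keys and Startup folders named in the thread.

```python
import json
import tempfile
from pathlib import Path

# Constructed sample snapshot, shaped {location: {entry_name: command}}. A real
# collector would fill it from the Run keys and Startup folder in the thread.
RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
BASELINE = {
    RUN_KEY: {
        "OneDrive": "C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
        "Updater": "C:\\Program Files\\Vendor\\updater.exe",
    },
    "StartupDir": {"notes.lnk": "notes.lnk"},
}
CURRENT = json.loads(json.dumps(BASELINE))  # deep copy of the baseline
# Same entry name and same number of entries, but the command was swapped.
CURRENT[RUN_KEY]["Updater"] = "C:\\Users\\me\\AppData\\Roaming\\x\\updater.exe"

def diff_snapshots(old, new):
    """Compare each entry by name and value, so a swapped command with an
    unchanged entry count is still reported. Returns (change, loc, name, old, new)."""
    changes = []
    for loc in sorted(set(old) | set(new)):
        o, n = old.get(loc, {}), new.get(loc, {})
        for name in sorted(set(o) | set(n)):
            if name not in o:
                changes.append(("added", loc, name, None, n[name]))
            elif name not in n:
                changes.append(("removed", loc, name, o[name], None))
            elif o[name] != n[name]:
                changes.append(("modified", loc, name, o[name], n[name]))
    return changes

def check_against_baseline(state_file, current):
    """Diff the live snapshot against the last saved state, then persist the new
    state for the next run (after a reboot, say). First run returns None."""
    state_file = Path(state_file)
    previous = json.loads(state_file.read_text()) if state_file.exists() else None
    state_file.write_text(json.dumps(current, indent=2, sort_keys=True))
    return None if previous is None else diff_snapshots(previous, current)

def demo():
    """Two monitor runs over the constructed snapshots: the second run reports
    the modified entry although nothing was added or removed."""
    with tempfile.TemporaryDirectory() as tmp:
        state = Path(tmp) / "startup_baseline.json"
        first = check_against_baseline(state, BASELINE)
        second = check_against_baseline(state, CURRENT)
    return first, second
```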
sl23 (Author) Posted August 1 (edited)
...
Edited Wednesday at 12:56 PM by sl23 (Revised code)