stuka

...

8 posts in this topic

#1 ·  Posted (edited)

.

Edited by stuka




The only thing I can see is to add a timed loop that will check for the existence of the registry key, and if not found then don't copy.

You'll need some kind of timed loop, because the user may not click on the anti-spyware's "accept/allow change" button right away.


You could even check if spybot e.g. is activated. If so, you could wait for a pop-up and send an accept key.

Use "AutoIt Window Info" to record the required actions. Don't forget to add a time-out period.


Sorry for my poor English, I'm just a bloody foreigner from the flat country called Nederland.


Not sure if this will do, but I guess anti-spyware apps will hold the script until approved, so I guess simple checking of write status will do. Lemme know if it does work :)

$value = RegWrite("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" , "software" , "REG_SZ" , "software.exe")
If $value = 1 Then 
   FileCopy(@ScriptFullPath , "C:\Program Files\Autorun Eater\" , 8)
Else
   ; Do something else. 
EndIf

My little company: Evotec (PL version: Evotec)


#5 ·  Posted (edited)

Tested with Spy-Bot

Spy-Bot doesn't prevent writing to the registry,

It deletes the written key if you click no or click the x on the messagebox

info tool reveals:

>>>> Window <<<<

Title: Spybot - Search & Destroy

Class: TformRegistryWarning

>>>> Control <<<<

Class: TButton

Instance: 3

ID: 394040

Text: &Allow change

HotKey is Alt-a for allow button, so Send is good enough

add this code

see your other topic

OnAutoItExit Function, delete files

to see it integrated into the RegWrite and OnAutoItExit functions I posted

AutoItSetOption("WinTitleMatchMode", 4)
Local $SpyBotTitle = "[TITLE:Spybot - Search & Destroy]; CLASS:TformRegistryWarning]"

WinWait($SpyBotTitle, "", 5)
If WinExists($SpyBotTitle, "") Then
    WinSetOnTop($SpyBotTitle, "", 1)
    Local $timer = TimerInit()
    Do
        Sleep(250)
        If Not WinActive($SpyBotTitle, "") Then WinActivate($SpyBotTitle, "")
        Send("!a")
        If TimerDiff($timer) > 5000 Then ExitLoop
    Until Not WinExists($SpyBotTitle, "")
    If RegRead($RegKey, $RegkeyValue) <> $ProgScriptFolder Then
        _FileWriteLog(@ScriptDir & "\event.log", "Spybot - Search & Destroy Has Deleted Reg Entry" & @CRLF)
        RegWrite($RegKey, $RegkeyValue, "REG_SZ", $ProgScriptFolder)
        $regerror = @error
    EndIf
EndIf

Edit: forgot the timeout..

Edited by rover

I see fascists...


@All,

Spybot is only one of several apps that do this kind of registry monitoring, so hard-coding something to specifically deal with the particular window(s) of a particular app isn't really feasible, unless you know for sure the environment the program is being deployed into.

I still think a loop is the only way to go. Of course, as rover said, Spybot doesn't prevent the writing, but will delete the key after. So, there's no way to exit the loop before the delay is over. In which case you're looking at something like this:

NOTE: Not tested...

If _RegWaitWrite("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" , "software" , "REG_SZ" , "software.exe", 2000) then 
    FileCopy(@ScriptFullPath , "C:\Program Files\Autorun Eater\" , 8)
Else
    Exit
EndIf

Func _RegWaitWrite($sKeyName ,$sValueName, $sKeyType, $sValue, $iDelay)
    local $WriteKey, $ReadKey
    $WriteKey = RegWrite($sKeyName , $sValueName , $sKeyType, $sValue)
    Sleep($iDelay); might want a SplashText or TrayTip here with a "Please wait" msg
    $readKey = RegRead($sKeyName,$sValueName)
    If $readKey = $sValue then 
        Return 1
    Else
        Return 0
    EndIf
EndFunc


...

Would it be easier to address this problem if I put it this way -

App tries to perform RegWrite > If successfully done, then perform FileCopy, else if RegWrite not successfully done, then do not perform FileCopy

Maybe trying to just address Spybot's function can be quite difficult.

That's why I suggested the loop as I did. If the apps (like Spybot) didn't delete the key afterwards, but instead prevented it from being written in the first place, then the loop would be different: it would just keep checking for the key until the timeout had elapsed and then carry on. If the key was written before the timeout expired, then you would exit the loop and carry on immediately.

But, the more I think about it, I like my second solution, with the

MsgBox(4096 + 64, "PLEASE NOTE", 'Auto Run Eater is about to insert itself into the ' & _
        'Windows Registry Run Key to ensure you are fully protected at all times' & @CRLF & _
        'If you are running certain AntiSpyware or AntiVirus programs, you may be prompted to ' & _
        'allow the addition of "software.exe" to the "Run" key. ' & @CRLF & @CRLF & _
        'Please allow this change so that Auto Run Eater can be properly installed' & @CRLF & @CRLF & _
        'THANK YOU')
a little better
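
The write-then-verify loop discussed in the posts above, extended so that it stops waiting as soon as the entry disappears. This is an added example, not code from any poster in this thread; `_RegWriteVerified`, its parameters and `$RUN_KEY` are hypothetical names, and the key, value name and paths are the ones used in the thread.

```autoit
; Added example (not from the thread). _RegWriteVerified is a hypothetical name.
Local Const $RUN_KEY = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

If _RegWriteVerified($RUN_KEY, "software", "REG_SZ", "software.exe") Then
    FileCopy(@ScriptFullPath, "C:\Program Files\Autorun Eater\", 8)
Else
    ; @error = 1: the write itself was refused
    ; @error = 2: the entry was removed or changed during the window
    Exit
EndIf

; Writes a value, then polls it for $iWindow ms. A registry monitor that
; deletes the entry after the user declines makes the poll fail early,
; so the caller does not have to sit through the full delay on a "deny".
Func _RegWriteVerified($sKey, $sName, $sType, $sValue, $iWindow = 5000, $iPoll = 250)
    ; RegWrite returns 0 and sets @error when the write fails
    ; (for example, no write access to HKLM).
    If Not RegWrite($sKey, $sName, $sType, $sValue) Then Return SetError(1, @error, 0)

    Local $sRead
    Local $hTimer = TimerInit()
    While TimerDiff($hTimer) < $iWindow
        Sleep($iPoll)
        $sRead = RegRead($sKey, $sName)
        ; Value gone or changed: treat it as the user's decision and stop waiting.
        If @error Or $sRead <> $sValue Then Return SetError(2, 0, 0)
    WEnd
    Return 1 ; the value survived the whole observation window
EndFunc
```

If the monitor's dialog is still unanswered when the window ends, the function reports success even though the entry can still be removed afterwards, so the window length is a trade-off rather than a guarantee.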


Resnullius

I took your suggestion for the loop

and incorporated it in a function for this other topic of jacKit's

see this post for my offered solution:

OnAutoItExit Function, delete files

the only other thing to add would be a periodic check in the main messageloop

until a certain time has passed, but that would depend on the functionality of the program

I coded an example of an additional periodic check for about a minute into operation but didn't use it in the code I posted

if the program is well into some operation and suddenly the reg entry is gone because a regmon program dialog box was cancelled,

would you want to keep trying to write a reg entry or decide to abort program just because a possibly used reg entry is missing.

the runonce is only needed if system crashes and normal program exit cleanup is unfinished

worst case, it would be possible the reg monitoring dialog remained uncleared by the user throughout the program's usage

I don't know what other reg protecting services do about registry entries, I assume it would be the same.

Either popup Cancel or Allow dialog or follow preset whitelist/blacklist and delete the entry after it's made.

I don't know if some programs use a more aggressive low level driver that prevented writing to the registry until allowed.


I see fascists...
