stuka, posted September 16, 2007 (edited)

.

Edited August 21, 2009 by stuka

ResNullius, posted September 17, 2007

The only thing I can see is to add a timed loop that will check for the existence of the registry key, and if not found then don't copy. You'll need some kind of timed loop, because the user may not click on the anti-spyware's "accept/allow change" button right away.

2TMax, posted September 17, 2007

You could even check if Spybot, e.g., is activated. If so, you could wait for a pop-up and send an accept key. Use "AutoIt Window Info" to record the required actions. Don't forget to add a time-out period.

Sorry for my poor English, I'm just a bloody foreigner from the flat country called Nederland.

MadBoy, posted September 17, 2007

Not sure if this will do, but I guess anti-spyware apps will hold the script until approved, so I guess simple checking of write status will do. Lemme know if it does work.

```autoit
; RegWrite returns 1 on success and 0 on failure.
$value = RegWrite("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "software", "REG_SZ", "software.exe")
If $value = 1 Then
    ; Flag 8 creates the destination directory structure if it does not exist.
    FileCopy(@ScriptFullPath, "C:\Program Files\Autorun Eater\", 8)
Else
    ; Do something else.
EndIf
```

rover, posted September 17, 2007 (edited)

Tested with Spy-Bot.

Spy-Bot doesn't prevent writing to the registry. It deletes the written key if you click No or click the X on the message box.

The info tool reveals:

```
>>>> Window <<<<
Title: Spybot - Search & Destroy
Class: TformRegistryWarning

>>>> Control <<<<
Class: TButton
Instance: 3
ID: 394040
Text: &Allow change
```

The hotkey is Alt-A for the Allow button, so Send is good enough.

Add this code. See your other topic, "OnAutoItExit Function, delete files", to see it integrated into the RegWrite and OnAutoItExit functions I posted.

```autoit
#include <File.au3> ; needed for _FileWriteLog

; $RegKey, $RegkeyValue and $ProgScriptFolder come from the code in the other topic.
AutoItSetOption("WinTitleMatchMode", 4)
; Advanced window description: one pair of brackets, properties separated by ";".
Local $SpyBotTitle = "[TITLE:Spybot - Search & Destroy; CLASS:TformRegistryWarning]"

; Wait up to 5 seconds for the registry warning dialog to appear.
WinWait($SpyBotTitle, "", 5)
If WinExists($SpyBotTitle, "") Then
    WinSetOnTop($SpyBotTitle, "", 1)
    Local $timer = TimerInit()
    Do
        Sleep(250)
        If Not WinActive($SpyBotTitle, "") Then WinActivate($SpyBotTitle, "")
        Send("!a") ; Alt-A, the hotkey of the "Allow change" button
        If TimerDiff($timer) > 5000 Then ExitLoop ; give up after 5 seconds
    Until Not WinExists($SpyBotTitle, "")

    ; If the entry is gone, log it and write it again.
    If RegRead($RegKey, $RegkeyValue) <> $ProgScriptFolder Then
        _FileWriteLog(@ScriptDir & "\event.log", "Spybot - Search & Destroy Has Deleted Reg Entry" & @CRLF)
        RegWrite($RegKey, $RegkeyValue, "REG_SZ", $ProgScriptFolder)
        $regerror = @error
    EndIf
EndIf
```

Edit: forgot the timeout..

Edited September 18, 2007 by rover

ResNullius, posted September 18, 2007

@All,

Spybot is only one of several apps that do this kind of registry monitoring, so hard-coding something to specifically deal with the particular window(s) of a particular app isn't really feasible, unless you know for sure the environment the program is being deployed into.

I still think a loop is the only way to go. Of course, as rover said, Spybot doesn't prevent the writing, but will delete the key after. So, there's no way to exit the loop before the delay is over. In which case you're looking at something like this:

NOTE: Not tested...

```autoit
If _RegWaitWrite("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "software", "REG_SZ", "software.exe", 2000) Then
    FileCopy(@ScriptFullPath, "C:\Program Files\Autorun Eater\", 8)
Else
    Exit
EndIf

; Writes the value, waits $iDelay milliseconds, then reads it back.
; Returns 1 if the value is still there with the expected data, otherwise 0.
Func _RegWaitWrite($sKeyName, $sValueName, $sKeyType, $sValue, $iDelay)
    Local $WriteKey, $ReadKey
    $WriteKey = RegWrite($sKeyName, $sValueName, $sKeyType, $sValue)
    Sleep($iDelay) ; might want a SplashText or TrayTip here with a "Please wait" msg
    $ReadKey = RegRead($sKeyName, $sValueName)
    If $ReadKey = $sValue Then
        Return 1
    Else
        Return 0
    EndIf
EndFunc
```

ResNullius, posted September 22, 2007

> ...Would it be easier to address this problem if I put it this way - App tries to perform RegWrite > If successfully done, then perform FileCopy, else if RegWrite not successfully done, then do not perform FileCopy
>
> Maybe trying to just address Spybot's function can be quite difficult.

That's why I suggested the loop as I did. If the apps (like Spybot) didn't delete the key afterwards, but instead prevented it from being written in the first place, then the loop would be different: it would just keep checking for the key until the timeout had elapsed and then carry on. If the key was written before the timeout expired, then you would exit the loop and carry on immediately.

But, the more I think about it, I like my second solution, with the

```autoit
MsgBox(4096 + 64, "PLEASE NOTE", 'Auto Run Eater is about to insert itself into the ' & _
        'Windows Registry Run Key to ensure you are fully protected at all times' & @CRLF & _
        'If you are running certain AntiSpyware or AntiVirus programs, you may be prompted to ' & _
        'allow the addition of "software.exe" to the "Run" key. ' & @CRLF & @CRLF & _
        'Please allow this change so that Auto Run Eater can be properly installed' & @CRLF & @CRLF & _
        'THANK YOU')
```

a little better.

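The two loop shapes discussed in the posts above, combined into one function, as an added example that is not code from the thread: it waits for the value to appear (the hypothetical "blocked until allowed" monitor) and then requires it to survive a settle window (the "written, then deleted" behaviour reported for Spybot), returning False so the caller skips the FileCopy when the user declines. The function names and both timeout values are assumptions; the key, value name and data are the thread's sample values.

```autoit
; Added example, not from the thread. Timeouts are assumed values.
If _RegWriteConfirmed("HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "software", "REG_SZ", "software.exe") Then
    FileCopy(@ScriptFullPath, "C:\Program Files\Autorun Eater\", 8)
Else
    Exit ; the user or the monitor refused the change: install nothing
EndIf

; Returns True only if the value appears within $iAppearMs and is still
; present, with the same data, $iSettleMs after it was first seen.
Func _RegWriteConfirmed($sKey, $sName, $sType, $sData, $iAppearMs = 10000, $iSettleMs = 5000)
    ; The result of RegWrite is not treated as final here; the read-back
    ; below decides the outcome.
    RegWrite($sKey, $sName, $sType, $sData)

    ; Phase 1: poll until the value is present. Exits as soon as it is seen.
    Local $hTimer = TimerInit()
    While Not _RegValueIs($sKey, $sName, $sData)
        If TimerDiff($hTimer) > $iAppearMs Then Return False ; never written
        Sleep(250)
    WEnd

    ; Phase 2: a monitor that deletes after the fact can act at any moment,
    ; so success needs the whole settle window; a deletion returns at once.
    $hTimer = TimerInit()
    While TimerDiff($hTimer) < $iSettleMs
        Sleep(250)
        If Not _RegValueIs($sKey, $sName, $sData) Then Return False ; removed
    WEnd
    Return True
EndFunc

; True if the value exists and holds exactly the expected data.
Func _RegValueIs($sKey, $sName, $sData)
    Local $sRead = RegRead($sKey, $sName)
    If @error Then Return False ; key or value missing, or unreadable
    Return ($sRead = $sData) ; "=" compares strings case-insensitively
EndFunc
```

A prompt that stays open longer than the settle window is still treated as success, which is the remaining gap rover describes in the following post.
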
rover, posted September 22, 2007

ResNullius,

I took your suggestion for the loop and incorporated it in a function for this other topic of jacKit's. See this post for my offered solution: OnAutoItExit Function, delete files.

The only other thing to add would be a periodic check in the main message loop until a certain time has passed, but that would depend on the functionality of the program. I coded an example of an additional periodic check for about a minute into operation but didn't use it in the code I posted.

If the program is well into some operation and suddenly the reg entry is gone because a regmon program dialog box was cancelled, would you want to keep trying to write a reg entry or decide to abort the program just because a possibly used reg entry is missing? The RunOnce is only needed if the system crashes and normal program exit cleanup is unfinished.

Worst case, it would be possible the reg monitoring dialog remained uncleared by the user throughout the program's usage.

I don't know what other reg protecting services do about registry entries; I assume it would be the same: either pop up a Cancel or Allow dialog, or follow a preset whitelist/blacklist and delete the entry after it's made. I don't know if some programs use a more aggressive low-level driver that prevented writing to the registry until allowed.