Need help making a script to check strings in a REGISTRY key and execute commands if matches are found

[utaeladil]

I am trying to help develop some kind of script to fight spyware for my company's tech support area. We are seeing a variant that creates a key in the registry that renders CMD.exe and REGEDIT.exe useless until it is removed.

I am fairly new to AutoIT and have only had limited experience with the REGREAD and REGWRITE commands...

Can someone give me an example of what I would need to do the following:

Look at a specific KEY and evaluate all STRINGS within it. If a certain value is found (it is either "\..\filename.ext" or "\\..\\filename.ext") and if the value is there, run a few commands. One command will probably be to re-write that key (or delete it) and the other commands will be performed on the filename.ext, like deleting the file for example.

The FILENAME.EXT part of this variant appears to change every time, but we can find it by the "\\..\\" before the filename, so something that could account for changing filenames would be great.

I am not really sure where to start on the registry portion to look for a string value inside of a key, but once it is found, as long as its clear in the script where the commands are being run on them once they are located, I should be able to work with in getting all programs to run on them that we need.

If the script could capture the matching registry string as a script variable, and possibly the FILENAME.EXT portion of that string as a seperate script variable, I could probably figure out how to manipulate it further from there.

Any help is greatly appreciated. Thanks in advance!

Edited April 3, 2009 by utaeladil

[PsaltyDS]

I am trying to help develop some kind of script to fight spyware for my company's tech support area. We are seeing a variant that creates a key in the registry that renders CMD.exe and REGEDIT.exe useless until it is removed.

I am fairly new to AutoIT and have only had limited experience with the REGREAD and REGWRITE commands...

Can someone give me an example of what I would need to do the following:

Look at a specific KEY and evaluate all STRINGS within it. If a certain value is found (it is either "\..\filename.ext" or "\\..\\filename.ext") and if the value is there, run a few commands. One command will probably be to re-write that key (or delete it) and the other commands will be performed on the filename.ext, like deleting the file for example.

The FILENAME.EXT part of this variant appears to change every time, but we can find it by the "\\..\\" before the filename, so something that could account for changing filenames would be great.

I am not really sure where to start on the registry portion to look for a string value inside of a key, but once it is found, as long as its clear in the script where the commands are being run on them once they are located, I should be able to work with in getting all programs to run on them that we need.

If the script could capture the matching registry string as a script variable, and possibly the FILENAME.EXT portion of that string as a seperate script variable, I could probably figure out how to manipulate it further from there.

Any help is greatly appreciated. Thanks in advance!

Check the Reg* functions in the file. Like RegEnum(), RegRead(), etc.

For a recursive registry search, this is an oldie but a goodie: _RegSearch()