Check for files referenced in registry and return hash

(imported topic written by hmkjr91)

Hello,

I have existing relevance that reads:

q: if exists (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string) whose (it contains "Documents and Settings" and it does not contain "Program Files") then (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string) whose (it contains "Documents and Settings") else "Not Detected"

A: C:\Documents and Settings\username\test.exe /r

A: C:\Documents and Settings\username\test1.exe /r

T: 3.119 ms

I need to change this relevance in multiple ways and it is throwing me for a loop as a novice at this stuff…so I apologize and thanks in advance.

I need to take the results and first check for the existence of the file (maybe, depending what happens if I don't check for it), then return the SHA1 of the file if it exists. In addition, any switches at the end of the string will need to be removed before checking and returning the hash. I'm guessing some language that removes everything after the first "/".

Any help is appreciated.

Thanks!

(imported comment written by BenKus)

See if this works (I added a check for the file itself and also to remove any command line parameters that start with a slash):

q: if exists (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string) whose (it contains "Documents and Settings" and it does not contain "Program Files") then ((name of it, sha1 of it) of ((files (it as trimmed string)) of (preceding texts of firsts "/" of it; it)) of (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string)) whose (it contains "Documents and Settings") else "Not Detected"

(imported comment written by hmkjr91)

Thanks for the response Ben. That relevance returns the same error that I was receiving in my initial attempts.

E: The operator “contains” is not defined.

However, I hadn't attempted the entire requirement in my testing. I was breaking it down in pieces and getting that error at one point. I don't have the relevance handy that was generating that error. I will try to post some examples of what I was testing after lunch and a meeting.

Thanks again!

(imported comment written by hmkjr91)

Hi Ben,

I can get rid of the 'The operator "contains" is not defined' error by removing the whose clause at the end. But even then, I'm left with 'Incompatible Types':

q: if exists (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string) then ((name of it as string, sha1 of it as string) of ((files (it as trimmed string)) of (preceding texts of firsts "/" of it as string)) of (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string)) else "Not Detected" as string

E: Incompatible types.

Any further help is greatly appreciated.

Thanks!

(imported comment written by SystemAdmin)

"if then else" expressions require that the object returned in the "then" part be the same type as in the "else" part. In your expression you have a tuple in the "then" part, so you can fix this by just casting that to a string:

Q: if exists (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string) then (((name of it as string, sha1 of it as string) as string) of ((files (it as trimmed string)) of (preceding texts of firsts "/" of it as string)) of (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string)) else "Not Detected" as string

A: w32maing.exe, 3e09c0da197675063039b085eee53817202e8517

(imported comment written by hmkjr91)

Thanks Zak! That worked…almost perfectly. Is there any way to strip all double quotes out of the string found in the registry BEFORE checking to see if it exists as a file? I did get results returned; however, any of the string values that had quotes around them were not returned. For example:

C:\Documents and Settings\user\test.exe /r - this will produce results

“C:\Documents and Settings\user\test1.exe” /r - does not produce results

I’ve tried and my first issue is how to properly escape the quotation mark I think.

Thanks very much for the help!
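The normalisation and hashing this thread is working toward, written out as a stand-alone Python script. This is an added example, not code from the thread, from BigFix, or from any of the posters, and it is in Python rather than relevance so the parsing rules can be run and checked offline. It follows the thread's own rules: keep Run values that contain "Documents and Settings" but not "Program Files", strip a surrounding pair of double quotes (the case the last post raises), cut an unquoted value at its first "/", and return a SHA-1 only when the file actually exists. `read_run_values` is a hypothetical Windows-only reader built on the standard `winreg` module; the sample values at the bottom are constructed, not real registry data.

```python
"""Normalise autorun command lines from the Run key and hash the file they point at."""
import hashlib
import os
import sys
from typing import List, Optional, Tuple


def normalize_run_value(value: str) -> str:
    """Reduce a Run-key value string to the bare executable path.

    Handles the two shapes seen in the thread:
      C:\\dir\\test.exe /r          -> C:\\dir\\test.exe
      "C:\\dir\\test1.exe" /r       -> C:\\dir\\test1.exe
    """
    value = value.strip()
    if value.startswith('"'):
        # Quoted path: everything up to the closing quote is the path,
        # whatever spaces or slashes it contains; arguments follow the quote.
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    # Unquoted path: the thread's rule, drop everything from the first "/".
    # Caveat: a switch written as "-x" is not stripped, and a path that
    # itself contains "/" would be truncated.
    return value.split("/", 1)[0].strip()


def sha1_of_file(path: str) -> Optional[str]:
    """Return the SHA-1 hex digest of path, or None if it is not an existing file."""
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_run_values(
    values: List[str],
    include_marker: str = "Documents and Settings",
    exclude_marker: str = "Program Files",
) -> List[Tuple[str, str, Optional[str]]]:
    """Apply the thread's filter and return (raw value, path, sha1 or None) tuples."""
    results = []
    for raw in values:
        if include_marker in raw and exclude_marker not in raw:
            path = normalize_run_value(raw)
            results.append((raw, path, sha1_of_file(path)))
    return results


def read_run_values() -> List[str]:
    """Hypothetical helper: enumerate HKLM\\...\\Run value data (Windows only)."""
    import winreg  # standard library, only importable on Windows

    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        index = 0
        while True:
            try:
                _name, data, _kind = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values.append(str(data))
            index += 1
    return values


if __name__ == "__main__":
    # Constructed sample values (not real registry data) so the script runs offline.
    sample = [
        r"C:\Documents and Settings\user\test.exe /r",
        r'"C:\Documents and Settings\user\test1.exe" /r',
        r'"C:\Program Files\Vendor\tool.exe" /silent',
    ]
    source = read_run_values() if sys.platform == "win32" else sample
    for raw, path, digest in check_run_values(source):
        print(f"{raw!r} -> {path} -> {digest or 'Not Detected'}")
```

Run on a non-Windows box it only exercises the constructed sample; on Windows it reads the live Run key. A missing file yields `None` (printed as "Not Detected"), which keeps the result shape uniform in the same way the relevance answer casts both branches of the if-then-else to a string.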