q: if exists (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string) whose (it contains "Documents and Settings" and it does not contain "Program Files") then (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string) whose (it contains "Documents and Settings") else "Not Detected"
A: C:\Documents and Settings\username\test.exe /r
A: C:\Documents and Settings\username\test1.exe /r
T: 3.119 ms
I need to change this relevance in multiple ways and it is throwing me for a loop as a novice at this stuff… so I apologize and thanks in advance.
I need to take the results and first check for the existence of the file (maybe, depending what happens if I don’t check for it), then return the SHA1 of the file if it exists. In addition, any switches at the end of the string will need to be removed before checking and returning the hash. I’m guessing some language that removes everything after the first “/”.
See if this works (I added a check for the file itself and also to remove any command-line parameters that start with a slash):
q: if exists (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string) whose (it contains "Documents and Settings" and it does not contain "Program Files") then ((name of it, sha1 of it) of ((files (it as trimmed string)) of (preceding texts of firsts "/" of it; it)) of (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string)) whose (it contains "Documents and Settings") else "Not Detected"
Thanks for the response Ben. That relevance returns the same error that I was receiving in my initial attempts.
E: The operator “contains” is not defined.
However, I hadn’t attempted the entire requirement in my testing. I was breaking it down in pieces and getting that error at one point. I don’t have the relevance handy that was generating that error. I will try to post some examples of what I was testing after lunch and a meeting.
I can get rid of the ‘The operator “contains” is not defined’ by removing the whose clause at the end. But even then, I’m left with ‘Incompatible Types’:
q: if exists (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string) then ((name of it as string, sha1 of it as string) of ((files (it as trimmed string)) of (preceding texts of firsts "/" of it as string)) of (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string)) else "Not Detected" as string
“if then else” expressions require that the object returned in the “then” must be the same type as in the “else”. In your expression you have a tuple in the “then” part, so you can fix this by just casting that to a string:
Q: if exists (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string) then (((name of it as string, sha1 of it as string) as string) of ((files (it as trimmed string)) of (preceding texts of firsts "/" of it as string)) of (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string)) else "Not Detected" as string
Thanks Zak! That worked… almost perfectly. Is there any way to strip all double quotes out of the string found in the registry BEFORE checking to see if it exists as a file? I did get results returned; however, any of the string values that had quotes around them were not returned. For example:
C:\Documents and Settings\user\test.exe /r - this will produce results
"C:\Documents and Settings\user\test1.exe" /r - does not produce results
I’ve tried and my first issue is how to properly escape the quotation mark I think.
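An added example, not posted by anyone in this thread, that combines Zak's tuple-to-string cast with the quote stripping asked about in the last post. It assumes the standard relevance idiom `(concatenation of substrings separated by "%22" of it)` to delete every double quote from a value (`%22` is how a quote character is written inside a relevance string literal), and it moves the `whose` filter onto the registry values themselves, which is what avoids the "contains is not defined" error seen when `whose` was applied to the (name, sha1) tuples:

```relevance
if exists (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string) whose (it contains "Documents and Settings" and it does not contain "Program Files")
then (
  ((name of it as string, sha1 of it as string) as string)
  of (files (it as trimmed string))
  of (preceding texts of firsts "/" of it; it)
  of (concatenation of substrings separated by "%22" of it)
  of (values of key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" of registry as string) whose (it contains "Documents and Settings" and it does not contain "Program Files")
)
else "Not Detected"
```

For a value such as `"C:\Documents and Settings\user\test1.exe" /r`, the quotes are removed first, then the text before the first `/` (and, as a fallback for values with no switch, the whole string) is trimmed and tested as a file path, so only paths that actually exist contribute a name and SHA1 to the result.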