Key of key

(imported topic written by Don65)

The following relevancy checks for the existence of a key within HKCU.

exists key whose (name of it starts with "##" and (exists key "Shell\AutoRun\command" of it)) of key "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" of key "HKCU" of registry

I'm attempting to check for the existence of the above key across all profiles, e.g. by merging in the following relevancy:

exists key whose (name of it starts with "S-1-5-21" AND name of it does not end with "lasses") of key "HKU" of registry

Any assistance greatly appreciated.

(imported comment written by jessewk)

Please see this post on dealing with the HKCU branch:

http://forum.bigfix.com/viewtopic.php?id=1909

(imported comment written by Don65)

Thanks Jesse, that was very helpful.

One more question for the forum. The property below provides the names of the values within the corresponding keys; however, how do I instead obtain just a list of the values?

if exists key whose (name of it starts with "##" and (exists key "Shell\AutoRun\command" of it)) of keys "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" of keys of key "HKEY_USERS" of registry then names of values of keys "Shell\AutoRun\command" of keys whose (name of it starts with "##" and (exists key "Shell\AutoRun\command" of it)) of keys "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" of keys of key "HKEY_USERS" of registry else "N/A"

Again, any assistance greatly appreciated.

(imported comment written by Don65)

As a side note, we'll be using this property to identify all network shares that have had an autorun.inf file placed on them, in turn causing workstations to autorun a virus / trojan when a user accesses a mapped drive connected to one of these shares. Seems Symantec Endpoint Protection hasn't been detecting / cleaning all of the viruses. I'll post more data as it becomes available in case anyone else has been having this problem.

(imported comment written by BenKus)

Is this what you are looking for (just take out the "names of")?

if exists key whose (name of it starts with "##" and (exists key "Shell\AutoRun\command" of it)) of keys "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" of keys of key "HKEY_USERS" of registry then values of keys "Shell\AutoRun\command" of keys whose (name of it starts with "##" and (exists key "Shell\AutoRun\command" of it)) of keys "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" of keys of key "HKEY_USERS" of registry else "N/A"

Ben
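The same check as the relevancy above, written as a stand-alone PowerShell script so it can be run on a single workstation without the BigFix client (added example, not code from the thread or from BigFix). It walks every loaded user hive under HKEY_USERS (skipping the *_Classes hives, as the "does not end with lasses" clause does), looks in Explorer\MountPoints2 for network-share entries (key names beginning with "##") that carry a Shell\AutoRun\command subkey, and lists the command values found. It assumes it is run with rights to read other users' hives; profiles that are not currently loaded have no HKEY_USERS\S-1-5-21-* subkey and are not visible this way, which is the HKCU limitation the linked forum post deals with.

```powershell
# Added example (not from the forum thread). Requires rights to read other users' hives.
# Only hives that are loaded under HKEY_USERS are visible; logged-off profiles are not.
function Get-AutoRunMountPoints {
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        # Same path the relevancy inspects, relative to each user's hive.
        $mountPoints = "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
        if (-not (Test-Path -LiteralPath $mountPoints)) { continue }

        foreach ($share in Get-ChildItem -LiteralPath $mountPoints -ErrorAction SilentlyContinue) {
            # Network shares are stored as ##server#share; local volumes use a GUID name.
            if (-not $share.PSChildName.StartsWith('##')) { continue }

            $commandKey = "$($share.PSPath)\Shell\AutoRun\command"
            if (-not (Test-Path -LiteralPath $commandKey)) { continue }

            $key = Get-Item -LiteralPath $commandKey
            # GetValueNames() returns '' for the (Default) value, which is where the
            # autorun.inf "open=" command normally lands.
            foreach ($valueName in $key.GetValueNames()) {
                [pscustomobject]@{
                    Sid     = $hive.PSChildName
                    Share   = $share.PSChildName -replace '#', '\'   # ##srv#share -> \\srv\share
                    Value   = if ($valueName) { $valueName } else { '(Default)' }
                    Command = $key.GetValue($valueName)
                }
            }
        }
    }
}

$hits = @(Get-AutoRunMountPoints)
if ($hits.Count -gt 0) { $hits | Format-Table -AutoSize } else { 'N/A' }
```

Any row in the output is a share (and the user who mapped it) whose cached MountPoints2 entry carries an AutoRun command, i.e. a share that has, or had, an autorun.inf on it; the Command column is the value worth comparing against the trojan's known launcher string.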

(imported comment written by Don65)

Thanks Ben,

Circling back on this.

In short, it appears there's a bug of sorts in the MS AutoPlay feature that is allowing viruses to propagate from USB media and network shares to MS workstations and servers. I'm referring to it as a bug as disabling AutoRun via group policy does not disable AutoPlay.

The solution is to deploy the KB971029 patch to the environment. This patch will essentially disable AutoPlay on removable media and network shares. Microsoft has not listed this patch as a critical update, though I suspect it probably should be.

Most people do not appear to use or know about the AutoPlay feature. In addition, the AutoRun feature will continue to work correctly, and most folks do use this feature. Latest virus defs and full virus scans appear to be cleaning up the remainder of the infection.

Here’s some additional information that might be helpful.