(imported topic written by SteveC91)
I want to write an analysis that will look at all our clients and pull from them the values from HKLM\Microsoft\Windows\CurrentVersion\Run, and select only systems that have RUNDLL32.EXE in the RUN area. In playing around I’ve been able to retrieve the Run values with:
values of key "hklm\software\microsoft\windows\currentversion\run" of registry
which returns:
C:\Program Files\Apoint\Apoint.exe
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz.exe /installquiet
.
.
.
But this is where I get stuck. I’m getting stuck trying to extract the “TRUE” from the existence of RUNDLL32.EXE. Any recommendations on where to go next?
Thanks!
Steve