At 14.39 13/01/2003 +0100, Sylvain Petreolle wrote:
We only need to check if the first filename given is a readable EXE/DLL. Then do the appropriate. And you can see that the only executable that seems to be called is rundll32.exe.
No, there are also C:\\WINDOWS\\RegTLib.exe and grpconv.exe...
You misunderstood me. I described this test only for RunOnceEx. RegTLib and grpconv both are in the RunOnce entries.
Unfortunately that's not true: even in RunOnceEx, I can find these entries:

[Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\101] 1039630031
@="Browsing Services"
...
"034"="C:\\WINDOWS\\SYSTEM\\mshta.exe /register"
...
[Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\990] 1038264623
"000"="C:\\WINDOWS\\SYSTEM\\mstinit.exe /setup"
"001"="rundll32 msnsspc.dll,SspcCreateSspiReg"
"002"="rundll32 msapsspc.dll,SspcCreateSspiReg"
"050"="C:\\WINDOWS\\SYSTEM\\odbcconf.exe -E @E:\\odbcconf.tmp"
[Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\991] 1038264598
"000"="C:\\WINDOWS\\SYSTEM\\regsvr32.exe /s C:\\WINDOWS\\SYSTEM\\rsaenh.dll"
[Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\992] 1039630036
"000"="C:\\WINDOWS\\SYSTEM\\mstinit.exe /setup"

In my opinion, the test should be done on the presence of the "|" character; if the character is present, the file name should be considered to be a DLL (regardless of the extension: e.g.

[Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\812] 1038264695
"000"="C:\\WINDOWS\\SYSTEM\\l3codecx.ax|DllRegisterServer"
"001"="C:\\WINDOWS\\SYSTEM\\mpg4ds32.ax|DllRegisterServer"
"002"="C:\\WINDOWS\\SYSTEM\\msadds32.ax|DllRegisterServer"
"003"="C:\\WINDOWS\\SYSTEM\\acelpdec.ax|DllRegisterServer"
"004"="C:\\WINDOWS\\SYSTEM\\voxmsdec.ax|DllRegisterServer"

), otherwise it is a normal command line.

Alberto
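
The test proposed in this message, written out as an added example in C; it is not part of the original thread and not Wine's own code. The names roe_kind, roe_entry and classify_runonceex are hypothetical, and the code assumes exactly one "|" per value, as in the entries quoted above; any other shape is reported as unparsed rather than guessed at, which is also what someone auditing RunOnceEx autostart entries would want flagged.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical names for this example; not Wine's own code. */
enum roe_kind { ROE_COMMAND, ROE_DLL_CALL, ROE_UNPARSED };

struct roe_entry {
    enum roe_kind kind;
    char target[260];  /* DLL path, or the whole command line */
    char function[64]; /* export to call; empty unless ROE_DLL_CALL */
};

/* Classify one RunOnceEx value by the presence of '|', not by extension. */
struct roe_entry classify_runonceex(const char *value)
{
    struct roe_entry e = { ROE_UNPARSED, "", "" };
    const char *bar = value ? strchr(value, '|') : NULL;
    size_t len = bar ? (size_t)(bar - value) : 0; /* file name length before '|' */

    if (!value || !*value) return e;
    if (!bar) { /* no '|': ordinary command line */
        if (strlen(value) < sizeof(e.target)) {
            strcpy(e.target, value);
            e.kind = ROE_COMMAND;
        }
        return e;
    }
    if (len == 0 || len >= sizeof(e.target)) return e;
    /* Assumption: exactly one '|'; empty or over-long names are not guessed at. */
    if (!bar[1] || strchr(bar + 1, '|') || strlen(bar + 1) >= sizeof(e.function))
        return e;
    memcpy(e.target, value, len); /* e.target is zero-filled, so it stays terminated */
    strcpy(e.function, bar + 1);
    e.kind = ROE_DLL_CALL;
    return e;
}

int main(void)
{
    /* Constructed sample: two values quoted in the message plus a malformed one. */
    const char *samples[] = {
        "C:\\WINDOWS\\SYSTEM\\l3codecx.ax|DllRegisterServer",
        "C:\\WINDOWS\\SYSTEM\\regsvr32.exe /s C:\\WINDOWS\\SYSTEM\\rsaenh.dll",
        "|DllRegisterServer",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct roe_entry e = classify_runonceex(samples[i]);
        /* kind: 0 = command line, 1 = DLL export call, 2 = unparsed */
        printf("%d [%s] [%s]\n", (int)e.kind, e.target, e.function);
    }
    return 0;
}
```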