At 14.39 13/01/2003 +0100, Sylvain Petreolle wrote:
>>> We only need to check if the first filename given is a readable EXE/DLL. Then do the appropriate. And you can see that the only executable that seems to be called is rundll32.exe.
>> No, there are also C:\WINDOWS\RegTLib.exe and grpconv.exe...
> You misunderstood me. I described this test only for RunOnceEx. RegTLib and grpconv both are in the RunOnce entries.
Unfortunately that's not true: even in RunOnceEx, I can find these entries:
[Software\Microsoft\Windows\CurrentVersion\RunOnceEx\101] 1039630031
@="Browsing Services"
...
"034"="C:\WINDOWS\SYSTEM\mshta.exe /register"
...

[Software\Microsoft\Windows\CurrentVersion\RunOnceEx\990] 1038264623
"000"="C:\WINDOWS\SYSTEM\mstinit.exe /setup"
"001"="rundll32 msnsspc.dll,SspcCreateSspiReg"
"002"="rundll32 msapsspc.dll,SspcCreateSspiReg"
"050"="C:\WINDOWS\SYSTEM\odbcconf.exe -E @E:\odbcconf.tmp"

[Software\Microsoft\Windows\CurrentVersion\RunOnceEx\991] 1038264598
"000"="C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\rsaenh.dll"

[Software\Microsoft\Windows\CurrentVersion\RunOnceEx\992] 1039630036
"000"="C:\WINDOWS\SYSTEM\mstinit.exe /setup"
In my opinion, the test should be done on the presence of the "|" character; if the character is present, the file name should be considered to be a DLL (regardless of the extension, e.g.

[Software\Microsoft\Windows\CurrentVersion\RunOnceEx\812] 1038264695
"000"="C:\WINDOWS\SYSTEM\l3codecx.ax|DllRegisterServer"
"001"="C:\WINDOWS\SYSTEM\mpg4ds32.ax|DllRegisterServer"
"002"="C:\WINDOWS\SYSTEM\msadds32.ax|DllRegisterServer"
"003"="C:\WINDOWS\SYSTEM\acelpdec.ax|DllRegisterServer"
"004"="C:\WINDOWS\SYSTEM\voxmsdec.ax|DllRegisterServer"

), otherwise it is a normal command line.
Alberto
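The classification rule Alberto proposes above (a "|" in the value means "DLL|entry point", anything else is a command line) is easy to get wrong by looking at extensions, and it is also exactly the rule a defender needs when inventorying RunOnceEx as an autostart location. The following is an added example, not code from the thread or from any project discussed in it: it parses a dump in the layout quoted above (the sample is constructed from the entries in this message), applies the "|" test, and lists every executable the entries would launch. The function names and the dump layout assumed here are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample in the dump layout quoted in the thread: a key header
# with its timestamp, then one name="value" pair per line. "@" is the key's
# default value (the title RunOnceEx shows), not a command.
SAMPLE_DUMP = r'''
[Software\Microsoft\Windows\CurrentVersion\RunOnceEx\101] 1039630031
@="Browsing Services"
"034"="C:\WINDOWS\SYSTEM\mshta.exe /register"
[Software\Microsoft\Windows\CurrentVersion\RunOnceEx\990] 1038264623
"000"="C:\WINDOWS\SYSTEM\mstinit.exe /setup"
"001"="rundll32 msnsspc.dll,SspcCreateSspiReg"
"050"="C:\WINDOWS\SYSTEM\odbcconf.exe -E @E:\odbcconf.tmp"
[Software\Microsoft\Windows\CurrentVersion\RunOnceEx\991] 1038264598
"000"="C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\rsaenh.dll"
[Software\Microsoft\Windows\CurrentVersion\RunOnceEx\812] 1038264695
"000"="C:\WINDOWS\SYSTEM\l3codecx.ax|DllRegisterServer"
"001"="C:\WINDOWS\SYSTEM\mpg4ds32.ax|DllRegisterServer"
'''

HEADER_RE = re.compile(r"^\[(.+)\]\s*(\d+)?\s*$")
VALUE_RE = re.compile(r'^(@|"[^"]*")="(.*)"$')


def classify_value(value: str) -> Dict[str, str]:
    """Apply the '|' test: 'path|entry' is a DLL to load and call,
    anything else is a command line whose first token is the program."""
    if "|" in value:
        path, entry = value.split("|", 1)
        return {"kind": "dll", "path": path, "entry": entry}
    if value.startswith('"'):
        # Quoted program path, possibly containing spaces.
        end = value.find('"', 1)
        exe = value[1:end] if end > 0 else value[1:]
        args = value[end + 1:].strip() if end > 0 else ""
    else:
        # Unquoted: split at the first space. An unquoted path with spaces
        # (e.g. "C:\Program Files\x.exe") is ambiguous here; Windows itself
        # tries progressively longer prefixes, which this toy parser does not.
        exe, _, args = value.partition(" ")
    return {"kind": "command", "exe": exe, "args": args}


def parse_dump(text: str) -> List[Dict[str, str]]:
    """Walk the dump and return one record per value, with its key,
    value name and classification. Values are kept in name order, which is
    the order RunOnceEx processes them in (hence the numeric names)."""
    records: List[Dict[str, str]] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            key = header.group(1)
            continue
        pair = VALUE_RE.match(line)
        if not pair:
            continue  # tolerate unrelated lines in a hand-edited dump
        name, value = pair.group(1).strip('"'), pair.group(2)
        if name == "@":
            records.append({"key": key, "name": name, "kind": "title", "title": value})
            continue
        rec = {"key": key, "name": name, "value": value}
        rec.update(classify_value(value))
        records.append(rec)
    records.sort(key=lambda r: (r["key"], r["name"]))
    return records


def executables_in(records: List[Dict[str, str]]) -> List[str]:
    """Distinct program names (basename, lower-cased) launched as commands."""
    names = set()
    for rec in records:
        if rec["kind"] == "command":
            names.add(rec["exe"].replace("\\", "/").rsplit("/", 1)[-1].lower())
    return sorted(names)


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for r in recs:
        if r["kind"] == "dll":
            print(f"{r['key']} {r['name']}: load {r['path']} and call {r['entry']}")
        elif r["kind"] == "command":
            print(f"{r['key']} {r['name']}: run {r['exe']} {r['args']}".rstrip())
    print("programs launched:", ", ".join(executables_in(recs)))
```

Run on the sample, the inventory shows five distinct programs (mshta.exe, mstinit.exe, odbcconf.exe, regsvr32.exe and rundll32) plus two DLL entries whose files carry an .ax extension, which is the point of deciding on "|" rather than on the extension.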