'Silent Runners.vbs -- find out what starts up with Windows!
'(compatible with Windows 95/98/Millennium/NT 4.0/2000 Pro/XP Home & Pro/Vista RC1)
'
'DO NOT REMOVE THIS HEADER!
'
'Copyright Andrew ARONOFF 14 January 2007, http://www.silentrunners.org/
'This script is provided without any warranty, either express or implied
'It may not be copied or distributed without permission
'
'** YOU RUN THIS SCRIPT AT YOUR OWN RISK! ** (END OF HEADER)

'Purpose: enumerate the auto-start extensibility points (registry keys, INI/INF
'files, folders, tasks, services, IE hooks...) that malware commonly uses for
'persistence, and write a text report listing what is configured in each one.
'The script is a single flat procedure: global state is declared here and in the
'"Dim" blocks below, then each numbered section runs in order.

Option Explicit

Dim strRevNo : strRevNo = "R50" 'revision, written into the report header
Public flagTest : flagTest = False 'True if in testing mode
'flagTest = True 'Uncomment to put in testing mode
Public arSecTest : arSecTest = Array() 'array of section numbers to test
Public intSection : intSection = 0 'section counter, incremented at the top of each section

'This script is divided into 28 sections.
'malware launch points:
'  registry keys (1-12, 15)
'  INI/INF-files (16-18)
'  folders (19)
'  enabled scheduled tasks (20)
'  Winsock2 service provider DLLs (21)
'  IE toolbars, explorer bars, extensions (22)
'  started services (26)
'  keyboard driver filters (27)
'  printer monitors (28)
'hijack points:
'  System/Group Policies (14)
'  prefixes for IE URLs (23)
'  misc IE points (24)
'  HOSTS file (25)

'Output is suppressed if deemed normal unless the -all parameter is used
'Section XVIII is skipped unless the -supp/-all parameters are used or
'the first message box is answered "No" and the next message box "Yes"
'NOTE(review): in the argument handling below only "-supp" sets flagSupp;
'"-all" sets flagShowAll and suppresses the supplementary-search prompt.
'Whether "-all" alone also enables section 18 depends on the section 18
'code, which is not in this part of the file -- confirm before relying on it.

' 1. HKCU/HKLM... Run/RunOnce/RunOnce\Setup/RunOnceEx
'    HKLM... RunServices/RunServicesOnce
'    HKCU/HKLM... Policies\Explorer\Run
' 2. HKLM... Active Setup\Installed Components\
'    HKCU... Active Setup\Installed Components\
'    (StubPath <> "" And HKLM version # > HKCU version #)
' 3. HKLM... Explorer\Browser Helper Objects\
' 4. HKLM... Shell Extensions\Approved\
' 5. HKLM... Explorer\SharedTaskScheduler/ShellExecuteHooks
' 6. HKCU/HKLM... ShellServiceObjectDelayLoad\
' 7. HKCU/HKLM... Command Processor\AutoRun
'    HKCU... Policies\System\Shell (W2K/WXP/WVa only)
'    HKCU... Windows\load & run
'    HKLM... Windows\AppInit_DLLs
'    HKCU/HKLM... Winlogon\Shell
'    HKLM... Winlogon\Userinit, System, Ginadll, Taskman
'    HKLM... Control\SafeBoot\Option\UseAlternateShell
'    HKLM... Control\SecurityProviders\SecurityProviders
'    HKLM... Control\Session Manager\BootExecute
'    HKLM... Control\Session Manager\WOW\cmdline, wowcmdline
' 8. HKLM... Winlogon\Notify\ (subkey names/DLLName values <> O/S-specific dictionary data)
' 9. HKLM... Image File Execution Options ("Debugger" subkeys)
'10. HKCU/HKLM... Policies... Startup/Shutdown, Logon/Logoff scripts (W2K/WXP/WVa)
'11. HKCU/HKLM Protocols\Filter
'12. Context menu shell extensions
'13. HKCU/HKLM executable file type (bat/cmd/com/exe/hta/pif/scr)
'14. System/Group Policies
'15. Enabled Wallpaper & Screen Saver
'16. WIN.INI (load/run <> ""), SYSTEM.INI (shell <> explorer.exe, scrnsave.exe), WINSTART.BAT
'17. AUTORUN.INF in root directory of local fixed disks
'18. DESKTOP.INI in any local fixed disk directory (section skipped by default)
'19. %WINDIR%... Startup & All Users... Startup (W98/WMe) or
'    %USERNAME%... Startup & All Users... Startup folder contents
'20. Enabled Scheduled Tasks
'21. Winsock2 Service Provider DLLs
'22. Internet Explorer Toolbars, Explorer Bars, Extensions
'23. Internet Explorer URL Prefixes
'24. Misc. IE Hijack Points
'25. HOSTS file
'26. Started Services
'27. Keyboard Driver Filters
'28. Print Monitors
'    Print Monitors

'---- Script host objects, testing-mode notice, FileSystemObject check ----
Dim Wshso : Set Wshso = WScript.CreateObject("WScript.Shell")
Dim WshoArgs : Set WshoArgs = WScript.Arguments
Dim intErrNum, intMB, intMB1 'Err.Number, MsgBox return value x 2
Dim strflagTest : strflagTest = "" 'prefix added to the report file name in testing mode
If flagTest Then
  strflagTest = "TEST "
  Wshso.Popup "Silent Runners is in testing mode.",1, _
    "Testing, testing, 1-2-3...", vbOKOnly + vbExclamation
End If

'Configuration Detection Section
'(numbers in parentheses are line numbers in the author's original layout)
' FileSystemObject creation error (112)
' CScript/WScript (147)
' Dim (161)
' GetFileVersion(WinVer.exe) (VBScript 5.1) (182)
' OS version (223)
' WMI (279)
' Dim (364)
' command line arguments (440)
' supplementary search MsgBox (532)
' startup MsgBox (557)
' CreateTextFile error (583)
' output file header (625)
' WXP SP2 (629)

'create the FileSystemObject; the error is captured into intErrNum so that
'error trapping can be switched off again before the result is examined
On Error Resume Next
Dim Fso : Set Fso = CreateObject("Scripting.FileSystemObject")
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'without file services the report cannot be written: explain, optionally open
'the download site, and quit. strURL is declared further down in this file
'(Dim strURL); VBScript resolves script-level Dim statements at parse time.
'The "OK" button hands an external redirect URL to the default browser.
If intErrNum <> 0 Then
  strURL = "http://tinyurl.com/7nn6"
  intMB = MsgBox (Chr(34) & "Silent Runners" & Chr(34) &_
    " cannot access file services critical to" & vbCRLF &_
    "proper script operation." & vbCRLF & vbCRLF &_
    "If you are running Windows XP, make sure that the" &_
    vbCRLF & Chr(34) & "Cryptographic Services" & Chr(34) &_
    " service is started." & vbCRLF & vbCRLF &_
    "You can also try reinstalling the latest version of the MS" &_
    vbCRLF & "Windows Script Host." & vbCRLF & vbCRLF &_
    "Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser to " &_
    "the download site or" & vbCRLF & Space(10) & Chr(34) & "Cancel" &_
    Chr(34) & " to quit.", vbOKCancel + vbCritical, _
    "Can't access the FileSystemObject!")
  'if dl wanted now, send browser to dl site (1 = vbOK)
  If intMB = 1 Then Wshso.Run strURL
  WScript.Quit
End If

Dim oNetwk : Set oNetwk = WScript.CreateObject("WScript.Network") 'used only for ComputerName

'registry hive handles and value-type codes as used by the WMI StdRegProv
'provider (oReg, connected further down)
Const HKLM = &H80000002, HKCU = &H80000001
Const REG_SZ=1, REG_EXPAND_SZ=2, REG_BINARY=3, REG_DWORD=4, REG_MULTI_SZ=7
Const REG_QWORD = 11
Const MS = " [MS]" 'suffix used in the report for recognised Microsoft items
Const DQ = """", LBr = "{" 'double quote, left brace (start of a CLSID)
Const IWarn = "<> ", HWarn = "<> " 'infection / hijack warning markers in the report

'determine whether output is via MsgBox/PopUp or Echo
'flagOut = "W": running under WSCRIPT.EXE (GUI message boxes)
'flagOut = "C": running under CSCRIPT.EXE or an unknown host (WScript.Echo)
Dim flagOut
If InStr(LCase(WScript.FullName),"wscript.exe") > 0 Then
  flagOut = "W" 'WScript
ElseIf InStr(LCase(WScript.FullName),"cscript.exe") > 0 Then
  flagOut = "C" 'CScript
Else 'echo and continue if it works
  flagOut = "C" 'assume CScript-compatible
  WScript.Echo "Neither " & Chr(34) & "WSCRIPT.EXE" & Chr(34) & " nor " &_
    Chr(34) & "CSCRIPT.EXE" & Chr(34) & " was detected as " &_
    "the script host." & vbCRLF & Chr(34) & "Silent Runners" & Chr(34) &_
    " will assume that the script host is CSCRIPT-compatible and will" & vbCRLF &_
    "use WScript.Echo for all messages."
End If 'script host

'---- O/S identification (via WINVER.EXE file version), WSH version check,
'---- and WMI registry-provider connection ----
Const SysFolder = 1 : Const WinFolder = 0 'GetSpecialFolder codes
Dim strOS : strOS = "Unknown" 'short O/S code: W98/WME/NT4/W2K/WXP/WVA
Dim strOSLong : strOSLong = "Unknown" 'O/S name as written to the report
Dim strOSXP : strOSXP = "Windows XP Home" 'XP Home or Pro
Public strFPSF : strFPSF = Fso.GetSpecialFolder(SysFolder).Path 'FullPathSystemFolder
Public strFPWF : strFPWF = Fso.GetSpecialFolder(WinFolder).Path 'FullPathWindowsFolder
Public strExeBareName 'bare file name w/o windows or system folder prefixes
Dim strSysVer 'Winver.exe version number
Dim intErrNum1, intErrNum2, intErrNum3, intErrNum4, intErrNum5, intErrNum6 'error number
Dim intLenValue 'value length
Dim strURL 'download URL
'assume Group Policies cannot be set in the O/S
Dim flagGP : flagGP = False
'HKCU/HKLM CLSID Lower Limit, default is HKLM for O/S <= NT4
Dim intCLL : intCLL = 1

'Winver.exe is in \Windows under W98, but in \System32 for other O/S's
'trap GetFileVersion error for VBScript version < 5.1
On Error Resume Next
If Fso.FileExists (strFPSF & "\Winver.exe") Then
  strSysVer = Fso.GetFileVersion(strFPSF & "\Winver.exe")
Else
  strSysVer = Fso.GetFileVersion(strFPWF & "\Winver.exe")
End If
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'if GetFileVersion returns error due to old WSH version
If intErrNum <> 0 Then
  'store dl URL
  strURL = "http://tinyurl.com/7zh0"
  'if using WScript
  If flagOut = "W" Then
    'explain the problem
    intMB = MsgBox ("This script requires Windows Script Host (WSH) 5.1 " &_
      "or higher to run." & vbCRLF & vbCRLF & "Press " & Chr(34) & "OK" &_
      Chr(34) & " to direct your browser to the WSH download site or " &_
      Chr(34) & "Cancel" & Chr(34) & " to quit." & vbCRLF & vbCRLF &_
      "(WMI is also required. If it's missing, download instructions " &_
      "will appear later.)", vbOKCancel + vbExclamation, _
      "Unsupported Windows Script Host Version!")
    'if dl wanted now, send browser to dl site
    If intMB = 1 Then Wshso.Run strURL
  'if using CScript
  Else 'flagOut = "C"
    'explain the problem
    WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
      "Windows Script Host 5.1 or higher to run." & vbCRLF & vbCRLF &_
      "It can be downloaded at: " & strURL
  End If 'WScript or CScript?
  'quit the script
  WScript.Quit
End If 'VBScript version error encountered?

'use WINVER.EXE file version to determine O/S
'(only the leading characters of the version string are compared; the order
'of the tests matters, e.g. "4.0.1" must be tested before "4.0.0.95")
If Instr(Left(strSysVer,3),"4.1") > 0 Then
  strOS = "W98" : strOSLong = "Windows 98"
ElseIf Instr(Left(strSysVer,5),"4.0.1") > 0 Then
  strOS = "NT4" : strOSLong = "Windows NT 4.0"
ElseIf Instr(Left(strSysVer,8),"4.0.0.95") > 0 Then
  strOS = "W98" : strOSLong = "Windows 95"
ElseIf Instr(Left(strSysVer,8),"4.0.0.11") > 0 Then
  strOS = "W98" : strOSLong = "Windows 95 SR2 (OEM)"
ElseIf Instr(Left(strSysVer,3),"5.0") > 0 Then
  strOS = "W2K" : strOSLong = "Windows 2000" : : intCLL = 0 : flagGP = True
ElseIf Instr(Left(strSysVer,3),"5.1") > 0 Then
  'SP0 & SP1 = 5.1.2600.0, SP2 = 5.1.2600.2180
  strOS = "WXP" : strOSLong = "Windows XP" : intCLL = 0
  If Instr(strSysVer,".2180") > 0 Then strOSLong = "Windows XP SP2"
ElseIf Instr(Left(strSysVer,3),"4.9") > 0 Then
  strOS = "WME" : strOSLong = "Windows Me (Millennium Edition)"
ElseIf Instr(Left(strSysVer,3),"5.2") > 0 Then
  strOS = "WXP" : strOSLong = "Windows Server 2003 (interpreted as Windows XP)"
  flagGP = True : intCLL = 0
ElseIf Instr(Left(strSysVer,3),"6.0") > 0 Then
  strOS = "WVA" : strOSLong = "Windows Vista RC1"
  flagGP = True : intCLL = 0
Else 'unknown strSysVer
  If flagOut = "W" Then
    '49 = vbOKCancel + vbExclamation
    intMB = MsgBox ("The " & Chr(34) & "Silent Runners" & Chr(34) &_
      " script cannot determine the operating system." & vbCRLF & vbCRLF &_
      "Click " & Chr(34) & "OK" & Chr(34) & " to send an e-mail to the " &_
      "author, providing the following information:" & vbCRLF & vbCRLF &_
      "WINVER.EXE file version = " & strSysVer & vbCRLF & vbCRLF &_
      "or click " & Chr(34) & "Cancel" & Chr(34) & " to quit.", _
      49,"O/S Unknown!")
    'the mailto: address is percent-encoded (presumably to keep it out of
    'address harvesters); the user's mail client decodes it
    If intMB = 1 Then Wshso.Run "mailto:Andrew%20Aronoff%20" &_
      "<%6F%73.%76%65%72.%65%72%72%6F%72@%73%69%6C%65%6E%74%72%75%6E%6E%65%72%73.%6F%72%67>?" &_
      "subject=Silent%20Runners%20OS%20Version%20Error&body=WINVER.EXE" &_
      "%20file%20version%20=%20" & strSysVer
  Else 'flagOut = "C"
    WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " cannot " &_
      "determine the operating system." & vbCRLF & vbCRLF & "This script will exit."
  End If 'flagOut?
  WScript.Quit
End If 'OS id'd from strSysVer?

'use WMI to connect to the registry
'(oReg is the StdRegProv instance used by every registry section that follows)
On Error Resume Next
Dim oReg : Set oReg = GetObject("winmgmts:\root\default:StdRegProv")
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'detect WMI connection error
'strLine is declared further down in this file (Dim strLine, ...)
If intErrNum <> 0 Then
  strURL = ""
  'for W98/NT4, assume WMI not installed and direct to d/l URL
  If strOS = "W98" Or strOS = "NT4" Then
    If strOS = "W98" Then strURL = "http://tinyurl.com/jbxe"
    If strOS = "NT4" Then strURL = "http://tinyurl.com/7wd7"
    'invite user to download WMI & quit
    If flagOut = "W" Then
      intMB = MsgBox ("This script requires " & Chr(34) & "WMI" &_
        Chr(34) & ", Windows Management Instrumentation, to run." &_
        vbCRLF & vbCRLF & "It can be downloaded at: " & strURL &_
        vbCRLF & vbCRLF & "Press " & Chr(34) & "OK" & Chr(34) &_
        " to direct your browser to the download site or " &_
        Chr(34) & "Cancel" & Chr(34) & " to quit.",_
        vbOKCancel + vbCritical,"WMI Not Installed!")
      If intMB = 1 Then Wshso.Run strURL
    'at command line, explain & quit
    Else 'flagOut = "C"
      WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
        Chr(34) & "WMI" & Chr(34) & ", Windows Management Instrumentation, " &_
        "to run." & vbCRLF & vbCRLF & "It can be downloaded at: " & strURL
    End If
  'for W2K/WXP/WVa, explain how to start the WMI service
  ElseIf strOS = "W2K" Or strOS = "WXP" or strOS = "WVA" Then
    If strOS = "W2K" Then strLine = "Settings | Control Panel | "
    If strOS = "WXP" Then strLine = "Control Panel | "
    If strOS = "WVA" Then strLine = "Control Panel | Classic View | "
    'explain how to turn on WMI service
    If flagOut = "W" Then
      MsgBox "This script requires Windows Management Instrumentation" &_
        " to run." & vbCRLF & vbCRLF & "Click on Start | " & strLine &_
        "Administrative Tools | Services," & vbCRLF &_
        "and start the " & Chr(34) & "Windows Management Instrumentation" &_
        Chr(34) & " service.",vbOKOnly + vbCritical,"WMI Service not running!"
    'at command line, explain & quit
    Else 'flagOut = "C"
      WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
        "Windows Management Instrumentation to run." & vbCRLF & vbCRLF &_
        "Click on Start | " & strLine & "Administrative " &_
        "Tools | Services" & vbCRLF & "and start the " & Chr(34) &_
        "Windows Management Instrumentation" & Chr(34) & " service."
    End If 'flagOut?
  Else 'WMe
    'say there's a WMI problem
    If flagOut = "W" Then
      MsgBox "This script requires WMI (Windows Management Instrumentation)" &_
        " to run," & vbCRLF & "but WMI is not running correctly.", _
        vbOKOnly + vbCritical,"WMI problem!"
    'at command line, explain & quit
    Else 'flagOut = "C"
      WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " requires " &_
        "WMI (Windows Management Instrumentation) to run," & vbCRLF &_
        "but WMI is not running correctly."
    End If 'flagOut?
  End If 'which O/S?
  WScript.Quit
End If 'WMI execution error

'---- Global working variables shared by the numbered sections ----
'array of Run keys, counter x 5, hive member, startup folder file,
'startup file shortcut, IERESET.INF file
Dim arRunKeys, i, ii, j, k, l, oHiveElmt, oSUFi, oSUSC
'dictionary, keys, items, hard disk collection
Dim arSK, arSKk, arSKi, colDisks
'arrays: Run key names, keys, sub-keys, value type, SecurityProviders,
' Protocol filters, values
Dim arNames(), arKeys(), arSubKeys(), arType, arSP, arFilter(), arValues
'Sub-Directory DeskTop.Ini array, Sub-Directory Error array, Error array
'Recognized GP names, allowed GP names
Public arSDDTI(), arSDErr(), arErr(), arRecNames(), arAllowedNames()
'DeskTop.Ini counter, Error counter x 2, Classes data Hive counter
Public ctrArDTI, ctrArErr, ctrErr, ctrCH
Public ctrFo : ctrFo = 0 'folder counter
'name member, key array member x 4, O/S, drive root directory, work file
Dim oName, oKey, oKey2, strMemKey, strMemSubKey, oOS, oRoot, oFileWk
'values x 7
Dim strValue, strValue1, strValue2, strValue3, strValue4, strValue5, strValue6
Dim strVal, intValue, strCmd
'name, single character, startup folder name, startup folder, array member, temp var
Dim strName, strChr, arSUFN, oSUF, strArMember, strTmp, strTmp2
'output string x 3
Public strOut, strOut1, strOut2
'output file msg x 2, warning string, title line
Dim strLine, strLine1, strLine2, strWarn, strTitleLine
'infection/hijack warning detection flags -- add footer note if True
Public flagIWarn : flagIWarn = False
Public flagHWarn : flagHWarn = False
Dim strKey, strKey1, strKey2, strKey3, strSubKey 'register key x 4, sub-key
'output file name string (incl. path), file name (wo path),
'PIF path string, single binary character
Dim strFN, strFNNP, strPIFTgt, bin1C
Public datLaunch : datLaunch = Now 'script launch time
Public intCnt 'counter
'ref time, time taken by 2 pop-up boxes
'(the pop-up durations are measured so they can be subtracted from the run time)
Public datRef : datRef = 0
Public datPUB1 : datPUB1 = 0 : Public datPUB2 : datPUB2 = 0
'TRUE if show all output (default values not filtered)
Public flagShowAll : flagShowAll = False
Dim strRptOutput : strRptOutput = "Output limited to non-default values, " &_
  "except where indicated by " & Chr(34) & "{++}" & Chr(34)
'output file string
Public strTitle : strTitle = ""
Public strSubTitle : strSubTitle = ""
Public strSubSubTitle : strSubSubTitle = ""
Public flagNVP : flagNVP = False 'existence of name/value pairs in a key
Public flagInfect : flagInfect = False 'flag infected condition
Dim flagMatch 'flag matching keys
Dim flagAllow 'flag key on approved list
Dim flagFound 'flag key that exists in Registry
Dim flagDirArg : flagDirArg = False 'presence of output directory argument
Dim flagIsCLSID : flagIsCLSID = False 'true if argument in CLSID format
Dim flagTitle 'True if title has already been written
Dim flagAllArg : flagAllArg = False 'presence of all output argument (-all or -supp)
Dim flagArray 'flag array containing elements
Public flagSupp : flagSupp = False 'do *not* check for DESKTOP.INI in all
                                   'directories of local fixed disks
Dim intLBSP 'Last BackSlash Position in path string
Dim intSS 'lowest sort subscript
Dim intType 'value type
Dim strDLL, strCN 'DLL name, company name
'string to signal all output by default
Public strAllOutDefault : strAllOutDefault = ""
'folder the script itself lives in, normalised to a trailing backslash
Dim ScrPath : ScrPath = Fso.GetParentFolderName(WScript.ScriptFullName)
If Right(ScrPath,1) <> "\" Then ScrPath = ScrPath & "\"
'initialize Path of Output File Folder to script path
Dim strPathOFFo : strPathOFFo = ScrPath
'hive array: (n,0) = hive name for the report, (n,1) = StdRegProv hive handle
Public arHives(1,1)
arHives(0,0) = "HKCU" : arHives(1,0) = "HKLM"
arHives(0,1) = &H80000001 : arHives(1,1) = &H80000002

'---- Command line arguments ----
'set up argument usage message string
Dim strLSp, strCSp 'Leading Spaces, Centering Spaces
strLSp = Space(4) : strCSp = Space(33) 'WScript spacing
If flagOut = "C" Then 'CScript spacing
  strLsp = Space(3) : strCSp = Space(28)
End If

Dim strMsg : strMsg = "Only two arguments are permitted:" &_
  vbCRLF & vbCRLF &_
  "1. the name of an existing directory for the output report" &_
  vbCRLF & strLSp & "(embed in quotes if it contains spaces)" &_
  vbCRLF & vbCRLF & strCSp & "AND:" & vbCRLF & vbCRLF &_
  "2. " & Chr(34) & "-supp" & Chr(34) & " to search " &_
  "all directories for DESKTOP.INI DLL" & vbCRLF &_
  strLSp & "launch points" &_
  vbCRLF & vbCRLF & strCSp & "-OR-" & vbCRLF & vbCRLF &_
  "3. " & Chr(34) & "-all" & Chr(34) & " to output all non-empty " &_
  "values and all launch" & vbCRLF & strLSp & "points checked"

'check if output directory or "-all" or "-supp" was supplied as argument
'(arguments may appear in any order; an existing directory is taken as the
'report folder, everything else must be -all or -supp)
If WshoArgs.length > 0 And WshoArgs.length <= 2 Then
  For i = 0 To WshoArgs.length-1
    'if directory arg not already passed and arg directory exists
    '(VBScript "And" does not short-circuit: FolderExists is evaluated for
    'every argument, including "-all"/"-supp", and simply returns False)
    If Not flagDirArg And Fso.FolderExists(WshoArgs(i)) Then
      'get the path & toggle the directory arg flag
      Dim oOFFo : Set oOFFo = Fso.GetFolder(WshoArgs(i))
      strPathOFFo = oOFFo.Path : flagDirArg = True
      If Right(strPathOFFo,1) <> "\" Then strPathOFFo = strPathOFFo & "\"
      Set oOFFo=Nothing
    'if -all arg not already passed and is this arg
    ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-all" Then
      'toggle ShowAll flag, toggle the all arg flag, fill report string
      flagShowAll = True : flagAllArg = True
      strRptOutput = "Output of all locations checked and all values found."
    'if -supp arg not already passed and is this arg
    '(-all and -supp share flagAllArg, so only one of them is accepted;
    'a second one falls through to the "can't be interpreted" branch)
    ElseIf Not flagAllArg And LCase(WshoArgs(i)) = "-supp" Then
      flagSupp = True : flagAllArg = True
      strRptOutput = "Search enabled of all directories on local fixed " &_
        "drives for DESKTOP.INI" & vbCRLF & " DLL launch points" &_
        vbCRLF & strRptOutput
    'argument can't be interpreted, so explain & quit
    Else
      If flagOut = "W" Then
        'pop up a message window (auto-closes after 10 seconds)
        Wshso.Popup "The argument:" & vbCRLF &_
          Chr(34) & UCase(WshoArgs(i)) & Chr(34) & vbCRLF &_
          "... can't be interpreted." & vbCRLF & vbCRLF &_
          strMsg,10,"Bad Script Argument", vbOKOnly + vbExclamation
      Else 'flagOut = "C"
        'write the message to the console
        WScript.Echo vbCRLF & "The argument: " &_
          Chr(34) & UCase(WshoArgs(i)) & Chr(34) &_
          " can't be interpreted." & vbCRLF & vbCRLF &_
          strMsg & vbCRLF
      End If 'WScript host?
      WScript.Quit
    End If 'argument can be interpreted?
  Next 'argument
'too many args passed
ElseIf WshoArgs.length > 2 Then
  'explain & quit
  If flagOut = "W" Then
    'pop up a message window
    Wshso.Popup "Too many arguments (" & WshoArgs.length & ") were passed." &_
      vbCRLF & vbCRLF & strMsg,10,"Too Many Arguments",_
      vbOKOnly + vbCritical
  Else 'flagOut = "C"
    'write the message to the console
    WScript.Echo "Too many arguments (" & WshoArgs.length & ") were passed." &_
      vbCRLF & vbCRLF & strMsg & vbCRLF
  End If 'WScript host?
  WScript.Quit
End If 'directory arguments passed?
Set WshoArgs=Nothing

'---- Supplementary-search prompt and "started" notice ----
'datRef is used to time the pop-ups so their duration can be excluded from
'the run time (datPUB1/datPUB2)
datRef = Now
'if no cmd line argument for flagSupp and not testing, show popup
'(the prompt is GUI-only: under CScript, or with -all/-supp given, it is skipped)
If Not flagTest And Not flagShowAll And Not flagSupp And flagOut = "W" Then
  'the popup closes by itself after 15 seconds; a timed-out popup returns -1,
  'which matches neither branch below, so the default is to skip the search
  intMB = Wshso.Popup ("Do you want to skip the supplementary search?" &_
    vbCRLF & "(It typically takes several minutes.)" & vbCRLF & vbCRLF &_
    "Press " & Chr(34) & "Yes" & Chr(34) & Space(5) &_
    " to skip the supplementary search (default)" & vbCRLF & vbCRLF &_
    Space(10) & Chr(34) & "No" & Chr(34) & Space(6) &_
    " to perform it, or" & vbCRLF & vbCRLF &_
    Space(10) & Chr(34) & "Cancel" & Chr(34) &_
    " to get more information at the web site" & vbCRLF &_
    Space(25) & "and exit the script.",_
    15,"Skip supplementary search?",_
    vbYesNoCancel + vbQuestion + vbDefaultButton1 + vbSystemModal)
  If intMB = vbNo Then
    'ask for confirmation; "No" here reverts to running without the search
    flagSupp = True
    intMB1 = MsgBox ("Are you SURE you want to run the supplementary " &_
      "search?" & vbCRLF & vbCRLF & "It's _rarely_ necessary " &_
      "and it takes a *long* time." & vbCRLF & vbCRLF & "Press " & DQ &_
      "Yes" & DQ & " to confirm running the supplementary search, " &_
      "or" & vbCRLF & Space(10) & DQ & "No" & DQ & " to run without it.", _
      vbYesNo + vbQuestion + vbDefaultButton2 + vbSystemModal,"Are you sure?")
    If intMB1 = vbNo Then flagSupp = False
  ElseIf intMB = vbCancel Then
    'open the documentation page in the default browser and exit
    Wshso.Run "http://www.silentrunners.org/sr_thescript.html#supp"
    WScript.Quit
  End If
End If
datPUB1 = DateDiff("s",datRef,Now) : datRef = Now

'inform user that script has started
If Not flagTest Then
  If flagOut = "W" Then
    'NOTE(review): strRevNo already starts with "R" (it is "R50"), so this
    'title reads "Silent Runners RR50"; the report header below uses strRevNo alone
    Wshso.PopUp Chr(34) & "Silent Runners" & Chr(34) & " has started." &_
      vbCRLF & vbCRLF & "A message box like this one will appear " &_
      "when it's done." & vbCRLF & vbCRLF & "Please be patient...",3,_
      "Silent Runners R" & strRevNo & " startup", _
      vbOKOnly + vbInformation + vbSystemModal
  Else
    WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " has started." &_
      " Please be patient..."
  End If 'flagOut?
End If 'flagTest?
datPUB2 = DateDiff("s",datRef,Now)

'---- Report file creation ----
'create output file name with computer name & today's date
'Startup Programs (pc_name_here) yyyy-mm-dd.txt
'FmtDate and FmtHMS are helper functions defined elsewhere in this file (not shown here)
strFNNP = "Startup Programs (" & oNetwk.ComputerName & ") " &_
  FmtDate(datLaunch) & " " & FmtHMS(datLaunch) & ".txt"
'strPathOFFo is the script folder, or the directory passed as an argument;
'in testing mode the file name gets a "TEST " prefix
strFN = strPathOFFo & strflagTest & strFNNP
On Error Resume Next
'a failed DeleteFile is not examined (Err.Clear follows); CreateTextFile with
'overwrite = True is what decides whether the file can be (re)written
If Fso.FileExists(strFN) Then Fso.DeleteFile(strFN)
Err.Clear
Public oFN : Set oFN = Fso.CreateTextFile(strFN,True)
intErrNum = Err.Number : Err.Clear
On Error Goto 0

'if can't create report file
'(the suggested fix is to fetch an alternate .vbs from the author's site over
'plain http; nothing in this script verifies what is downloaded)
If intErrNum > 0 Then
  strURL = "http://www.silentrunners.org/Silent%20Runners%20RED.vbs"
  'invite user to run RED version & quit
  If flagOut = "W" Then
    '49 = vbOKCancel + vbExclamation
    intMB = MsgBox ("The script cannot create its report file. " &_
      "This is a known, intermittent" & vbCRLF & "problem under " &_
      strOSLong & "." & vbCRLF & vbCRLF &_
      "An alternative script version is available for download. " &_
      "After it runs, " & vbCRLF & "the script you're using now will " &_
      "run correctly." & vbCRLF & vbCRLF &_
      "Press " & Chr(34) & "OK" & Chr(34) & " to direct your browser " &_
      "to the alternate script location, or" & vbCRLF & Space(10) &_
      Chr(34) & "Cancel" & Chr(34) & " to quit.",49,"CreateTextFile Error!")
    'if alternative script wanted now, send browser to dl site
    If intMB = 1 Then Wshso.Run strURL
  'explain & quit
  Else 'flagOut = "C"
    WScript.Echo Chr(34) & "Silent Runners" & Chr(34) & " cannot " &_
      "create the report file." & vbCRLF & vbCRLF &_
      "An alternative script is available. Run it, then rerun this version." &_
      vbCRLF & "The alternative script can be downloaded at: " & vbCRLF &_
      vbCRLF & strURL
  End If
  WScript.Quit
End If 'report file creation error?
'---- Report header and WMI sanity check ----
'add report header
Set oNetwk=Nothing
oFN.WriteLine Chr(34) & "Silent Runners.vbs" & Chr(34) &_
  ", revision " & strRevNo & ", http://www.silentrunners.org/" &_
  vbCRLF & "Operating System: " & strOSLong & vbCRLF & strRptOutput

'test for WMI corruption and use WMI to differentiate between
'WXP Home & WXP Pro
'get the O/S collection
'(this GetObject/ExecQuery runs outside the On Error Resume Next below, so a
'failure here raises a script runtime error rather than the FATAL ERROR report;
'only errors raised while iterating the collection are caught)
Dim colOS : Set colOS = GetObject("winmgmts:\root\cimv2").ExecQuery _
  ("Select * from Win32_OperatingSystem")
On Error Resume Next
Err.Clear
For Each oOS in colOS
  If strOS = "WXP" Then
    'modify strOSXP if O/S = Pro
    If InStr(1,LCase(oOS.Name),"professional",1) > 0 Then
      strOSXP = "Windows XP Professional"
      flagGP = True
    End If
    'modify strOSXP if SP2
    If Right(strOSLong,3) = "SP2" Then strOSXP = strOSXP & " SP2"
  End If 'WXP?
Next 'oOS
If Err.Number <> 0 Then
  strURL = "http://go.microsoft.com/fwlink/?LinkId=62562"
  oFN.WriteLine vbCRLF & "FATAL ERROR!" & vbCRLF & String(12,"-") &_
    vbCRLF & vbCRLF & DQ & "Silent Runners" & DQ &_
    " cannot use WMI to identify the operating system." &_
    vbCRLF & "This is caused by corruption of the WMI installation." &_
    vbCRLF & vbCRLF &_
    "WMI is complex and it is recommended that you use a Microsoft" &_
    vbCRLF & "tool, " & DQ & "WMIDiag.vbs," & DQ & " to diagnose WMI " &_
    "on your system." & vbCRLF & vbCRLF & "It can be downloaded here:" &_
    vbCRLF & vbCRLF & strURL
  'unlike the earlier error paths, this MsgBox is shown regardless of flagOut
  intMB = MsgBox (DQ & "Silent Runners" & DQ & " cannot use WMI to " &_
    "identify the operating system." & vbCRLF & "This is caused by " &_
    "corruption of the WMI installation." &_
    vbCRLF & vbCRLF &_
    "WMI is complex and it is recommended that you use a Microsoft" &_
    vbCRLF & "tool, " & DQ & "WMIDiag.vbs," & DQ & " to diagnose WMI " &_
    "on your system." &_
    vbCRLF & vbCRLF &_
    "Press " & DQ & "OK" & DQ & " to direct your browser to the " &_
    "WMIDiag download site or" &_
    vbCRLF & Space(10) & DQ & "Cancel" & DQ & " to quit.",_
    vbOKCancel + vbCritical + + vbSystemModal + vbDefaultButton2,_
    "Can't iterate Win32_OperatingSystem!")
  'if dl wanted now, send browser to dl site
  If intMB = 1 Then Wshso.Run strURL
  WScript.Quit
End If 'Err.Number<>0?
On Error Goto 0
Set colOS=Nothing

'#1. HKCU/HKLM... Run/RunOnce/RunOnce\Setup/RunOnceEx
'    HKLM... RunServices/RunServicesOnce
'    HKCU/HKLM... Policies\Explorer\Run
'These are the classic per-user and per-machine auto-start keys; anything
'listed here is launched at logon (or, for RunServices*, at boot on W9x/Me).
intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
'(SecTest and TitleLineWrite are presumably defined later in this file -- not shown here)
If Not flagTest Or (flagTest And SecTest) Then
  'write registry header lines to file
  strTitle = "Startup items buried in registry:"
  TitleLineWrite
  'put keys in array (Key Index 0 - 6)
  arRunKeys = Array ("Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", _
    "Software\Microsoft\Windows\CurrentVersion\Run", _
    "Software\Microsoft\Windows\CurrentVersion\RunOnce", _
    "Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup", _
    "Software\Microsoft\Windows\CurrentVersion\RunOnceEx", _
    "Software\Microsoft\Windows\CurrentVersion\RunServices", _
    "Software\Microsoft\Windows\CurrentVersion\RunServicesOnce")
  'Key Execution Flag/Subkey Recursion Flag array
  '
  'first number in the ordered pair in the array immediately below
  ' pertains to execution of the key:
  '0: not executed (ignore)
  '1: may be executed so display with EXECUTION UNLIKELY warning
  '2: executable
  '
  'second number in the ordered pair pertains to subkey recursion
  '0: subkeys not used
  '1: subkey recursion necessary
  '0 Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  '1 Software\Microsoft\Windows\CurrentVersion\Run
  '2 Software\Microsoft\Windows\CurrentVersion\RunOnce
  '3 Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
  '4 Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  '5 Software\Microsoft\Windows\CurrentVersion\RunServices
  '6 Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  'Hive          HKCU - 0                        HKLM - 1
  '
  'Key      0   1   2   3   4   5   6       0   1   2   3   4   5   6
  'Index
  'O/S:
  'W95     0,0 2,0 2,0 0,0 2,1 0,0 0,0     0,0 2,0 2,0 0,0 2,1 2,0 2,0
  'W98     0,0 2,0 2,0 0,0 2,1 0,0 0,0     0,0 2,0 2,0 2,0 2,1 2,0 2,0
  'WMe     2,1 2,1 2,0 2,0 2,1 0,0 0,0     2,1 2,1 2,0 2,0 2,1 2,0 2,0
  'NT4     0,0 2,0 2,0 0,0 2,1 0,0 0,0     0,0 2,0 2,0 0,0 2,1 0,0 0,0
  'W2K     2,1 2,1 2,1 0,0 2,1 0,0 0,0     2,1 2,1 2,1 0,0 2,1 0,0 0,0
  'WXP     2,0 2,0 2,0 0,0 2,1 0,0 0,0     2,0 2,0 2,0 0,0 2,1 0,0 0,0
  'WS2K3   ??? <-------------------- ??? --------------------> ???
  'WVa     2,0 2,0 2,0 0,0 2,1 0,0 0,0     2,0 2,0 2,0 0,0 2,1 0,0 0,0
  'arRegFlag(i,j,k): put flags in array by O/S:
  'hive = i (0 or 1), key_# = j (0-6),
  ' flags (key execution/subkey recursion) = k (0 or 1)
  ' k = 0 holds key execution value = 0/1/2
  '     1 holds subkey recursion value = 0/1
  Dim arRegFlag()
  ReDim arRegFlag(1,6,1)
  'initialize entire array to zero (= key ignored, no recursion)
  For i = 0 To 1 : For j = 0 To 6 : For k = 0 To 1
    arRegFlag(i,j,k) = 0
  Next : Next : Next
  'add data to array for O/S that's running
  '(no value of strOS sets flag value 1, so the "EXECUTION UNLIKELY" warning
  'below cannot be triggered from this table as written)
  'W98
  If strOS = "W98" Then
    arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
    arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
    arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
    arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
    arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
    arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
    'don't set HKLM,RunOnce\Setup for W95
    '(Windows 95 and 95 SR2 share strOS = "W98" but have a different strOSLong)
    If strOSLong = "Windows 98" Then _
      arRegFlag(1,3,0) = 2 'HKLM,RunOnce\Setup = no-warn
    arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
    arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
    arRegFlag(1,5,0) = 2 'HKLM,RunServices = no-warn
    arRegFlag(1,6,0) = 2 'HKLM,RunServicesOnce = no-warn
  End If
  'WMe
  If strOS = "WME" Then
    arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
    arRegFlag(0,0,1) = 1 'HKCU,Explorer\Run = sub-keys
    arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
    arRegFlag(0,1,1) = 1 'HKCU,Run = sub-keys
    arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
    arRegFlag(0,3,0) = 2 'HKCU,RunOnce\Setup = no-warn
    arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
    arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
    arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
    arRegFlag(1,0,1) = 1 'HKLM,Explorer\Run = sub-keys
    arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
    arRegFlag(1,1,1) = 1 'HKLM,Run = sub-keys
    arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
    arRegFlag(1,3,0) = 2 'HKLM,RunOnce\Setup = no-warn
    arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
    arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
    arRegFlag(1,5,0) = 2 'HKLM,RunServices = no-warn
    arRegFlag(1,6,0) = 2 'HKLM,RunServicesOnce = no-warn
  End If
  'NT4
  If strOS = "NT4" Then
    arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
    arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
    arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
    arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
    arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
    arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
    arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
    arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
  End If
  'W2K
  If strOs = "W2K" Then
    arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
    arRegFlag(0,0,1) = 1 'HKCU,Explorer\Run = sub-keys
    arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
    arRegFlag(0,1,1) = 1 'HKCU,Run = sub-keys
    arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
    arRegFlag(0,2,1) = 1 'HKCU,RunOnce = sub-keys (incl. Setup)
    arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
    arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
    arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
    arRegFlag(1,0,1) = 1 'HKLM,Explorer\Run = sub-keys
    arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
    arRegFlag(1,1,1) = 1 'HKLM,Run = sub-keys
    arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
    arRegFlag(1,2,1) = 1 'HKLM,RunOnce = sub-keys (incl. Setup)
    arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
    arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
  End If
  'WXP/WVa (Windows Server 2003 is mapped to "WXP" by the O/S detection above)
  If strOs = "WXP" Or strOS = "WVA" Then
    arRegFlag(0,0,0) = 2 'HKCU,Explorer\Run = no-warn
    arRegFlag(0,1,0) = 2 'HKCU,Run = no-warn
    arRegFlag(0,2,0) = 2 'HKCU,RunOnce = no-warn
    arRegFlag(0,4,0) = 2 'HKCU,RunOnceEx = no-warn
    arRegFlag(0,4,1) = 1 'HKCU,RunOnceEx = sub-keys
    arRegFlag(1,0,0) = 2 'HKLM,Explorer\Run = no-warn
    arRegFlag(1,1,0) = 2 'HKLM,Run = no-warn
    arRegFlag(1,2,0) = 2 'HKLM,RunOnce = no-warn
    arRegFlag(1,4,0) = 2 'HKLM,RunOnceEx = no-warn
    arRegFlag(1,4,1) = 1 'HKLM,RunOnceEx = sub-keys
  End If

  'for each hive
  For i = 0 To 1
    'for each key
    For j = 0 To 6
      'if not ShowAll, show all output for Run keys
      '(strAllOutDefault is set at j = 1 and not cleared until after both loops,
      'so as written it also decorates keys 2-6 of this hive and all of the next)
      If j = 1 And Not flagShowAll Then strAllOutDefault = " {++}"
      'if key is not ignored
      If arRegFlag(i,j,0) > 0 Then
        flagNVP = False
        'intialize string with warning if necessary
        strWarn = ""
        If arRegFlag(i,j,0) = 1 Then strWarn = "EXECUTION UNLIKELY: "
        'INFO
        'with no name/value pairs (sub-keys are identical)
        '        IsArray  TypeName     UBound
        'W98     True     "Variant()"  -1
        'WMe     True     "Variant()"  -1
        'NT4     True     "Variant()"  -1
        'W2K     False    "Null"       error (--)
        'WXP     False    "Null"       error (--)
        'WS2K3   True     "Variant()"  error (--)
        'WVa     False    "Null"       error (--)
        'EnumNVP / RtnValue / WriteValueData are helpers defined elsewhere in
        'this file (not shown here); EnumNVP fills arNames/arType and sets flagNVP
        EnumNVP arHives(i,1), arRunKeys(j), arNames, arType
        If flagNVP Then 'name/value pairs exist
          'write the full key name
          oFN.WriteLine vbCRLF & arHives(i,0) & "\" & arRunKeys(j) & "\" & strAllOutDefault
          'for each data type in the names array
          For k = LBound(arNames) To UBound(arNames)
            'use the type to find the value
            strValue = RtnValue (arHives(i,1), arRunKeys(j), arNames(k), arType(k))
            'write the name & value
            WriteValueData arNames(k), strValue, arType(k), strWarn
          Next 'member of names array
        Else 'no name/value pairs
          If flagShowAll Then _
            oFN.WriteLine vbCRLF & arHives(i,0) & "\" & arRunKeys(j) & "\"
        End If 'flagNVP?
'recurse subkeys if necessary If arRegFlag(i,j,1) = 1 Then 'put all subkeys into array oReg.EnumKey arHives(i,1),arRunKeys(j),arKeys 'excludes W2K/WXP/WVa with no sub-keys If IsArray(arKeys) Then 'excludes W98/WMe/NT4/WS2K3 with no sub-keys For Each strMemKey in arKeys flagNVP = False strSubKey = arRunKeys(j) & "\" & strMemKey EnumNVP arHives(i,1), arRunKeys(j) & "\" & strMemKey,arNames,arType If flagNVP Then 'if name/value pairs exist 'write the full key name oFN.WriteLine vbCRLF & arHives(i,0) & "\" & strSubKey &_ "\" & strAllOutDefault 'for each data type in the names array For k = LBound(arNames) To UBound(arNames) 'use the type to find the value strValue = RtnValue (arHives(i,1), strSubKey, arNames(k), arType(k)) 'write the name & value WriteValueData arNames(k), strValue, arType(k), strWarn Next 'member of names array Else 'no name/value pairs If flagShowAll Then _ oFN.WriteLine vbCRLF & arHives(i,0) & "\" & strSubKey & "\" End If 'flagNVP? Next 'sub-key End If 'sub-keys exist? W2K/WXP/WS2K3/WVa End If 'enum sub-keys? End If 'arRegFlag(i,j,0) > 0 Next 'Run key Next 'Hive strAllOutDefault = "" : flagNVP = False 'recover array memory ReDim arRunKeys(0) ReDim arKeys(0) ReDim arRegFlag(0) End If 'flagTest And SecTest? '#2. HKLM... Active Setup\Installed Components\ ' HKCU... 
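' HKCU... Active Setup\Installed Components\
'
'Reports the HKLM Active Setup components whose StubPath will run for this
'user: the HKCU copy of the key is missing, or the HKLM Version is newer than
'the HKCU one. The Windows Media Player stub (key name, exe name and Microsoft
'company name are all checked) is skipped unless -all was given. Output goes
'to oFN; oReg, HKLM/HKCU, flagShowAll, MS, CoName, IDExe, StringFilter,
'TitleLineWrite and the strTitle/strSubTitle globals are defined elsewhere in
'the script.

'Orders two digit-only strings numerically without converting them, so an
'arbitrarily long Version component cannot overflow a numeric type: returns
'-1, 0 or 1 as strX is less than, equal to or greater than strY. Leading zeros
'are ignored and an empty string counts as 0.
Function ActiveSetupCmpDigits(strX, strY)
  Dim strP, strQ
  strP = strX : strQ = strY
  Do While Len(strP) > 1 And Left(strP, 1) = "0"
    strP = Mid(strP, 2)
  Loop
  Do While Len(strQ) > 1 And Left(strQ, 1) = "0"
    strQ = Mid(strQ, 2)
  Loop
  If strP = "" Then strP = "0"
  If strQ = "" Then strQ = "0"
  'equal-length digit strings order the same way numerically and as text
  If Len(strP) <> Len(strQ) Then
    If Len(strP) > Len(strQ) Then
      ActiveSetupCmpDigits = 1
    Else
      ActiveSetupCmpDigits = -1
    End If
  Else
    ActiveSetupCmpDigits = StrComp(strP, strQ, 0)
  End If
End Function

'True if Active Setup Version string strA ("w,x,y,z" form) is at least strB.
'Components are compared as numbers from left to right and a missing or empty
'component counts as 0, so "10,0" ranks above "9,0"; a plain string comparison
'gets that backwards ("9" > "1") and would hide a component Windows is still
'going to run. When either value is Null or empty the result of the ordinary
'string comparison is returned, leaving those cases exactly as they were.
Function ActiveSetupVerAtLeast(strA, strB)
  Dim arA, arB, intMax, idx, strCompA, strCompB, intCmp
  If IsNull(strA) Or IsNull(strB) Then
    ActiveSetupVerAtLeast = (strA >= strB)
    Exit Function
  End If
  If strA = "" Or strB = "" Then
    ActiveSetupVerAtLeast = (strA >= strB)
    Exit Function
  End If
  arA = Split(strA, ",") : arB = Split(strB, ",")
  intMax = UBound(arA)
  If UBound(arB) > intMax Then intMax = UBound(arB)
  ActiveSetupVerAtLeast = True 'equal versions count as "at least"
  For idx = 0 To intMax
    strCompA = "" : strCompB = ""
    If idx <= UBound(arA) Then strCompA = arA(idx)
    If idx <= UBound(arB) Then strCompB = arB(idx)
    intCmp = ActiveSetupCmpDigits(strCompA, strCompB)
    If intCmp > 0 Then Exit Function
    If intCmp < 0 Then
      ActiveSetupVerAtLeast = False
      Exit Function
    End If
  Next
End Function

intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then
  'flags True if only numeric & comma chrs in Version values
  Dim flagHKLMVer, flagHKCUVer
  'StubPath Value string, HKLM Version value, HKCU Version value, HKLM program name
  Dim strSPV, strHKLMVer, strHKCUVer, strPgmName
  Dim arHKLMKeys, arHKCUKeys, strHKLMKey, strHKCUKey
  strKey = "Software\Microsoft\Active Setup\Installed Components"
  strSubTitle = "HKLM" & "\" & strKey & "\"
  'find all the subkeys
  oReg.EnumKey HKLM, strKey, arHKLMKeys 'HKLM
  oReg.EnumKey HKCU, strKey, arHKCUKeys 'HKCU
  'enumerate HKLM keys if present
  If IsArray(arHKLMKeys) Then
    'for each HKLM key
    For Each strHKLMKey In arHKLMKeys
      'INFO -- what oReg.GetStringValue returns per O/S
      'Default Value not set:
      'W98/WMe: returns 0, strValue = ""
      'NT4/W2K/WXP/WVa: returns non-zero, strValue = Null
      'Non-Default name inexistent:
      'W98/WMe/NT4/W2K/WXP/WVa: returns non-zero, strValue = Null
      'Non-Default Value not set:
      'W2K: returns 0, strValue = unwritable string
      'W98/WMe/NT4/WXP/WVa: returns 0, strValue = ""
      'get the StubPath value
      intErrNum = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey,"StubPath",strSPV)
      'if the StubPath name exists And value set (exc for W2K!)
      If intErrNum = 0 And strSPV <> "" Then
        'flagMatch = True means the HKCU side is current and the StubPath will not run
        flagMatch = False
        'if HKCU keys present
        If IsArray(arHKCUKeys) Then
          'for each HKCU key
          For Each strHKCUKey in arHKCUKeys
            'if identical HKLM key exists
            If LCase(strHKLMKey) = LCase(strHKCUKey) Then
              'assume Version fmts are OK
              flagHKLMVer = True : flagHKCUVer = True
              'get HKLM & HKCU Version values
              intErrNum1 = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey, _
                "Version",strHKLMVer) 'HKLM Version #
              intErrNum2 = oReg.GetStringValue (HKCU,strKey & "\" & strHKCUKey, _
                "Version",strHKCUVer) 'HKCU Version #
              'if HKLM Version name exists And value set (exc for W2K!)
              If intErrNum1 = 0 And strHKLMVer <> "" Then
                'the next two loops check for allowed chars (numeric & comma)
                ' in returned Version values
                For i = 1 To Len(strHKLMVer)
                  strChr = Mid(strHKLMVer,i,1)
                  If Not IsNumeric(strChr) And strChr <> "," Then flagHKLMVer = False
                Next
                'if HKCU Version name exists And value set (exc for W2K!)
                If intErrNum2 = 0 And strHKCUVer <> "" Then
                  'check that value consists only of numeric & comma chrs
                  For i = 1 To Len(strHKCUVer)
                    strChr = Mid(strHKCUVer,i,1)
                    If Not IsNumeric(strChr) And strChr <> "," Then flagHKCUVer = False
                  Next
                End If 'HKCU Version null or MT?
                'if HKLM Ver # has illegal fmt (i.e., is not assigned) or doesn't exist (is Null)
                ' or is empty, match = True
                'if HKCU/HKLM Ver # fmts OK And HKCU Ver # >= HKLM Ver # (compared component
                ' by component as numbers, not as text), match = True
                'if HKLM Ver # = "0,0" and HKCU Ver # = "", key will output
                ' but StubPath will not launch
                If Not flagHKLMVer Then flagMatch = True
                'VBScript does not short-circuit, so the helper is also called when a flag is
                ' False; it never raises on non-numeric or Null input
                If flagHKLMVer And flagHKCUVer And ActiveSetupVerAtLeast(strHKCUVer, strHKLMVer) Then flagMatch = True
              Else 'HKLM Version name doesn't exist Or value not set (exc for W2K!)
                flagMatch = True
              End If 'HKLM Version name exists And value set (exc for W2K!)?
            End If 'HKCU key=HKLM key?
          Next 'HKCU Installed Components key
        End If 'HKCU Installed Components subkeys exist?
        'if the StubPath will launch
        If Not flagMatch Then
          flagAllow = False 'assume StubPath DLL not on approved list
          strCN = CoName(IDExe(strSPV))
          'test for approved StubPath DLL: the WMP key, one of its two known exe names and
          ' a Microsoft company name must all agree before the entry is suppressed
          If LCase(strHKLMKey) = ">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}" And _
            (InStr(LCase(strSPV),"wmpocm.exe") > 0 Or _
            InStr(LCase(strSPV),"unregmp2.exe") > 0) And _
            strCN = MS And Not flagShowAll Then flagAllow = True
          'StubPath DLL not approved
          If Not flagAllow Then
            'get the default value (program name)
            intErrNum3 = oReg.GetStringValue (HKLM,strKey & "\" & strHKLMKey,"",strPgmName)
            'enclose pgm name in quotes if name exists and default value isn't empty
            If intErrNum3 = 0 And strPgmName <> "" Then
              strPgmName = Chr(34) & strPgmName & Chr(34)
            Else
              strPgmName = "(no title provided)"
            End If
            TitleLineWrite
            'output the CLSID & pgm name
            oFN.WriteLine strHKLMKey & "\(Default) = " & StringFilter(strPgmName,False)
            On Error Resume Next
            'output the StubPath value
            oFN.WriteLine Space(Len(strHKLMKey)+1) & "\StubPath = " &_
              Chr(34) & strSPV & Chr(34) & strCN
            'error check for W2K if StubPath value not set
            If Err.Number <> 0 Then oFN.WriteLine Space(Len(strHKLMKey)+1) & "\StubPath = " &_
              "(value not set)"
            Err.Clear
            On Error GoTo 0
          End If 'flagAllow false?
        End If 'flagMatch false?
      End If 'StubPath value exists?
    Next 'HKLM Installed Components subkey
  End If 'HKLM Installed Components subkeys exist?
  If flagShowAll Then TitleLineWrite
  'recover array memory
  ReDim arHKLMKeys(0)
  ReDim arHKCUKeys(0)
  strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
End If 'SecTest?
'#3. HKLM...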
' Explorer\Browser Helper Objects
'
'Lists every Browser Helper Object registered under HKLM: for each CLSID
'subkey it prints the key's default value as the title, then the CLSID title
'and InProcServer32 DLL as resolved in each hive arHives(intCLL..1) by
'ResolveCLSID, with the DLL's company name from CoName. Output goes to oFN;
'oReg, HKLM, arHives, intCLL, flagShowAll, CLSIDLocTitle, ResolveCLSID,
'StringFilter, CoName, IDExe, TitleLineWrite and the strTitle/strSubTitle
'globals are defined elsewhere in the script.
intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then
  strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
  strSubTitle = "HKLM" & "\" & strKey & "\"
  'find all the subkeys
  oReg.EnumKey HKLM, strKey, arSubKeys
  'enumerate data if present (EnumKey leaves arSubKeys a non-array when there are none)
  If IsArray(arSubKeys) Then
    'for each key
    For Each strSubKey In arSubKeys
      'flagTitle: the "\(Default) = title" line has been written for this BHO
      flagTitle = False
      CLSIDLocTitle HKLM, strKey & "\" & strSubKey, "", strLocTitle
      'walk the hives from index intCLL up to 1 (intCLL is set elsewhere -- presumably so
      ' the HKCU CLSID branch is included only when it applies; confirm against its Dim)
      For ctrCH = intCLL To 1
        ResolveCLSID strSubKey, arHives(ctrCH,1), strCLSIDTitle, strIPSDLL
        If strIPSDLL <> "" Then
          'output the title line if not already done
          TitleLineWrite
          If Not flagTitle Then
            'error check for W2K if value not set
            On Error Resume Next
            oFN.WriteLine strSubKey & "\(Default) = " & strLocTitle
            intErrNum = Err.Number : Err.Clear
            If intErrNum <> 0 Then oFN.WriteLine strSubKey &_
              "\(Default) = (no title provided)"
            flagTitle = True
            On Error GoTo 0
          End If
          'output CLSID title, InProcServer32 DLL & CoName
          oFN.WriteLine " -> {" & arHives(ctrCH,0) & "...CLSID} = " &_
            strCLSIDTitle & vbCRLF & Space(19) & "\InProcServer32\(Default) = " &_
            StringFilter(strIPSDLL,True) & CoName(IDExe(strIPSDLL))
        End If 'strIPSDLL exists?
      Next 'CLSID hive
    Next 'BHO subkey
  End If 'BHO subkeys exist?
  'if ShowAll, output the key name if not already done
  If flagShowAll Then TitleLineWrite
  strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
  'recover array memory
  ReDim arSubKeys(0)
End If 'SecTest?
'#4. HKLM...
Shell Extensions\Approved\ intSection = intSection + 1 'execute section if not in testing mode or (in testing mode And this section selected for testing) If Not flagTest Or (flagTest And SecTest) Then 'CLSID value, InProcessServer32 DLL name & output file version, 'CLSID Key Title display flag Dim strCLSID, strIPSDLL, strIPSDLLOut, strCLSIDTitle, strLocTitle 'Shell Extension Approved array Dim arSEA() ReDim arSEA(388,1) 'WXP arSEA(0,0) = "{00022613-0000-0000-C000-000000000046}" : arSEA(0,1) = "mmsys.cpl" arSEA(1,0) = "{176d6597-26d3-11d1-b350-080036a75b03}" : arSEA(1,1) = "icmui.dll" arSEA(2,0) = "{1F2E5C40-9550-11CE-99D2-00AA006E086C}" : arSEA(2,1) = "rshx32.dll" arSEA(3,0) = "{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" : arSEA(3,1) = "docprop.dll" arSEA(4,0) = "{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" : arSEA(4,1) = "ntshrui.dll" arSEA(5,0) = "{41E300E0-78B6-11ce-849B-444553540000}" : arSEA(5,1) = "themeui.dll" arSEA(6,0) = "{42071712-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(6,1) = "deskadp.dll" arSEA(7,0) = "{42071713-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(7,1) = "deskmon.dll" arSEA(8,0) = "{42071714-76d4-11d1-8b24-00a0c9068ff3}" : arSEA(8,1) = "deskpan.dll" arSEA(9,0) = "{4E40F770-369C-11d0-8922-00A024AB2DBB}" : arSEA(9,1) = "dssec.dll" arSEA(10,0) = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" : arSEA(10,1) = "SlayerXP.dll" arSEA(11,0) = "{56117100-C0CD-101B-81E2-00AA004AE837}" : arSEA(11,1) = "shscrap.dll" arSEA(12,0) = "{59099400-57FF-11CE-BD94-0020AF85B590}" : arSEA(12,1) = "diskcopy.dll" arSEA(13,0) = "{59be4990-f85c-11ce-aff7-00aa003ca9f6}" : arSEA(13,1) = "ntlanui2.dll" arSEA(14,0) = "{5DB2625A-54DF-11D0-B6C4-0800091AA605}" : arSEA(14,1) = "icmui.dll" arSEA(15,0) = "{675F097E-4C4D-11D0-B6C1-0800091AA605}" : arSEA(15,1) = "icmui.dll" arSEA(16,0) = "{764BF0E1-F219-11ce-972D-00AA00A14F56}" : arSEA(16,1) = "" arSEA(17,0) = "{77597368-7b15-11d0-a0c2-080036af3f03}" : arSEA(17,1) = "printui.dll" arSEA(18,0) = "{7988B573-EC89-11cf-9C00-00AA00A14F56}" : arSEA(18,1) = 
"dskquoui.dll" arSEA(19,0) = "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}" : arSEA(19,1) = "" arSEA(20,0) = "{85BBD920-42A0-1069-A2E4-08002B30309D}" : arSEA(20,1) = "syncui.dll" arSEA(21,0) = "{88895560-9AA2-1069-930E-00AA0030EBC8}" : arSEA(21,1) = "hticons.dll" arSEA(22,0) = "{BD84B380-8CA2-1069-AB1D-08000948F534}" : arSEA(22,1) = "fontext.dll" arSEA(23,0) = "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" : arSEA(23,1) = "icmui.dll" arSEA(24,0) = "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}" : arSEA(24,1) = "rshx32.dll" arSEA(25,0) = "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}" : arSEA(25,1) = "ntshrui.dll" arSEA(26,0) = "{f92e8c40-3d33-11d2-b1aa-080036a75b03}" : arSEA(26,1) = "deskperf.dll" arSEA(27,0) = "{7444C717-39BF-11D1-8CD9-00C04FC29D45}" : arSEA(27,1) = "cryptext.dll" arSEA(28,0) = "{7444C719-39BF-11D1-8CD9-00C04FC29D45}" : arSEA(28,1) = "cryptext.dll" arSEA(29,0) = "{7007ACC7-3202-11D1-AAD2-00805FC1270E}" : arSEA(29,1) = "NETSHELL.dll" arSEA(30,0) = "{992CFFA0-F557-101A-88EC-00DD010CCC48}" : arSEA(30,1) = "NETSHELL.dll" arSEA(31,0) = "{E211B736-43FD-11D1-9EFB-0000F8757FCD}" : arSEA(31,1) = "wiashext.dll" arSEA(32,0) = "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}" : arSEA(32,1) = "wiashext.dll" arSEA(33,0) = "{905667aa-acd6-11d2-8080-00805f6596d2}" : arSEA(33,1) = "wiashext.dll" arSEA(34,0) = "{3F953603-1008-4f6e-A73A-04AAC7A992F1}" : arSEA(34,1) = "wiashext.dll" arSEA(35,0) = "{83bbcbf3-b28a-4919-a5aa-73027445d672}" : arSEA(35,1) = "wiashext.dll" arSEA(36,0) = "{F0152790-D56E-4445-850E-4F3117DB740C}" : arSEA(36,1) = "remotepg.dll" arSEA(37,0) = "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" : arSEA(37,1) = "wuaucpl.cpl" arSEA(38,0) = "{60254CA5-953B-11CF-8C96-00AA00B8708C}" : arSEA(38,1) = "wshext.dll" arSEA(39,0) = "{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" : arSEA(39,1) = "oledb32.dll" arSEA(40,0) = "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" : arSEA(40,1) = "mstask.dll" arSEA(41,0) = "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}" : arSEA(41,1) = "mstask.dll" arSEA(42,0) = 
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}" : arSEA(42,1) = "mstask.dll" arSEA(43,0) = "{0DF44EAA-FF21-4412-828E-260A8728E7F1}" : arSEA(43,1) = "" arSEA(44,0) = "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(44,1) = "shdocvw.dll" arSEA(45,0) = "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(45,1) = "shdocvw.dll" arSEA(46,0) = "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(46,1) = "shdocvw.dll" arSEA(47,0) = "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(47,1) = "shdocvw.dll" arSEA(48,0) = "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(48,1) = "shdocvw.dll" arSEA(49,0) = "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(49,1) = "shdocvw.dll" arSEA(50,0) = "{D20EA4E1-3957-11d2-A40B-0C5020524152}" : arSEA(50,1) = "shdocvw.dll" arSEA(51,0) = "{D20EA4E1-3957-11d2-A40B-0C5020524153}" : arSEA(51,1) = "shdocvw.dll" arSEA(52,0) = "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" : arSEA(52,1) = "shmedia.dll" arSEA(53,0) = "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" : arSEA(53,1) = "shmedia.dll" arSEA(54,0) = "{E4B29F9D-D390-480b-92FD-7DDB47101D71}" : arSEA(54,1) = "shmedia.dll" arSEA(55,0) = "{87D62D94-71B3-4b9a-9489-5FE6850DC73E}" : arSEA(55,1) = "shmedia.dll" arSEA(56,0) = "{A6FD9E45-6E44-43f9-8644-08598F5A74D9}" : arSEA(56,1) = "shmedia.dll" arSEA(57,0) = "{c5a40261-cd64-4ccf-84cb-c394da41d590}" : arSEA(57,1) = "shmedia.dll" arSEA(58,0) = "{5E6AB780-7743-11CF-A12B-00AA004AE837}" : arSEA(58,1) = "browseui.dll" arSEA(59,0) = "{22BF0C20-6DA7-11D0-B373-00A0C9034938}" : arSEA(59,1) = "browseui.dll" arSEA(60,0) = "{91EA3F8B-C99B-11d0-9815-00C04FD91972}" : arSEA(60,1) = "browseui.dll" arSEA(61,0) = "{6413BA2C-B461-11d1-A18A-080036B11A03}" : arSEA(61,1) = "browseui.dll" arSEA(62,0) = "{F61FFEC1-754F-11d0-80CA-00AA005B4383}" : arSEA(62,1) = "browseui.dll" arSEA(63,0) = "{7BA4C742-9E81-11CF-99D3-00AA004AE837}" : arSEA(63,1) = "browseui.dll" arSEA(64,0) = "{30D02401-6A81-11d0-8274-00C04FD5AE38}" : arSEA(64,1) = "browseui.dll" arSEA(65,0) = "{32683183-48a0-441b-a342-7c2a440a9478}" : 
arSEA(65,1) = "browseui.dll" arSEA(66,0) = "{169A0691-8DF9-11d1-A1C4-00C04FD75D13}" : arSEA(66,1) = "browseui.dll" arSEA(67,0) = "{07798131-AF23-11d1-9111-00A0C98BA67D}" : arSEA(67,1) = "browseui.dll" arSEA(68,0) = "{AF4F6510-F982-11d0-8595-00AA004CD6D8}" : arSEA(68,1) = "browseui.dll" arSEA(69,0) = "{01E04581-4EEE-11d0-BFE9-00AA005B4383}" : arSEA(69,1) = "browseui.dll" arSEA(70,0) = "{A08C11D2-A228-11d0-825B-00AA005B4383}" : arSEA(70,1) = "browseui.dll" arSEA(71,0) = "{00BB2763-6A77-11D0-A535-00C04FD7D062}" : arSEA(71,1) = "browseui.dll" arSEA(72,0) = "{7376D660-C583-11d0-A3A5-00C04FD706EC}" : arSEA(72,1) = "browseui.dll" arSEA(73,0) = "{6756A641-DE71-11d0-831B-00AA005B4383}" : arSEA(73,1) = "browseui.dll" arSEA(74,0) = "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}" : arSEA(74,1) = "browseui.dll" arSEA(75,0) = "{7e653215-fa25-46bd-a339-34a2790f3cb7}" : arSEA(75,1) = "browseui.dll" arSEA(76,0) = "{acf35015-526e-4230-9596-becbe19f0ac9}" : arSEA(76,1) = "browseui.dll" arSEA(77,0) = "{E0E11A09-5CB8-4B6C-8332-E00720A168F2}" : arSEA(77,1) = "browseui.dll" arSEA(78,0) = "{00BB2764-6A77-11D0-A535-00C04FD7D062}" : arSEA(78,1) = "browseui.dll" arSEA(79,0) = "{03C036F1-A186-11D0-824A-00AA005B4383}" : arSEA(79,1) = "browseui.dll" arSEA(80,0) = "{00BB2765-6A77-11D0-A535-00C04FD7D062}" : arSEA(80,1) = "browseui.dll" arSEA(81,0) = "{ECD4FC4E-521C-11D0-B792-00A0C90312E1}" : arSEA(81,1) = "browseui.dll" arSEA(82,0) = "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}" : arSEA(82,1) = "browseui.dll" arSEA(83,0) = "{ECD4FC4C-521C-11D0-B792-00A0C90312E1}" : arSEA(83,1) = "browseui.dll" arSEA(84,0) = "{ECD4FC4D-521C-11D0-B792-00A0C90312E1}" : arSEA(84,1) = "browseui.dll" arSEA(85,0) = "{DD313E04-FEFF-11d1-8ECD-0000F87A470C}" : arSEA(85,1) = "browseui.dll" arSEA(86,0) = "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}" : arSEA(86,1) = "browseui.dll" arSEA(87,0) = "{EFA24E61-B078-11d0-89E4-00C04FC9E26E}" : arSEA(87,1) = "shdocvw.dll" arSEA(88,0) = "{0A89A860-D7B1-11CE-8350-444553540000}" : arSEA(88,1) = 
"shdocvw.dll" arSEA(89,0) = "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" : arSEA(89,1) = "shdocvw.dll" arSEA(90,0) = "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}" : arSEA(90,1) = "shdocvw.dll" arSEA(91,0) = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" : arSEA(91,1) = "shdocvw.dll" arSEA(92,0) = "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" : arSEA(92,1) = "shdocvw.dll" arSEA(93,0) = "{FF393560-C2A7-11CF-BFF4-444553540000}" : arSEA(93,1) = "shdocvw.dll" arSEA(94,0) = "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" : arSEA(94,1) = "shdocvw.dll" arSEA(95,0) = "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" : arSEA(95,1) = "shdocvw.dll" arSEA(96,0) = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" : arSEA(96,1) = "shdocvw.dll" arSEA(97,0) = "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}" : arSEA(97,1) = "shdocvw.dll" arSEA(98,0) = "{67EA19A0-CCEF-11d0-8024-00C04FD75D13}" : arSEA(98,1) = "shdocvw.dll" arSEA(99,0) = "{131A6951-7F78-11D0-A979-00C04FD705A2}" : arSEA(99,1) = "shdocvw.dll" arSEA(100,0) = "{9461b922-3c5a-11d2-bf8b-00c04fb93661}" : arSEA(100,1) = "shdocvw.dll" arSEA(101,0) = "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" : arSEA(101,1) = "shdocvw.dll" arSEA(102,0) = "{871C5380-42A0-1069-A2EA-08002B30309D}" : arSEA(102,1) = "shdocvw.dll" arSEA(103,0) = "{EFA24E64-B078-11d0-89E4-00C04FC9E26E}" : arSEA(103,1) = "shdocvw.dll" arSEA(104,0) = "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}" : arSEA(104,1) = "sendmail.dll" arSEA(105,0) = "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}" : arSEA(105,1) = "sendmail.dll" arSEA(106,0) = "{88C6C381-2E85-11D0-94DE-444553540000}" : arSEA(106,1) = "occache.dll" arSEA(107,0) = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" : arSEA(107,1) = "webcheck.dll" arSEA(108,0) = "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}" : arSEA(108,1) = "webcheck.dll" arSEA(109,0) = "{F5175861-2688-11d0-9C5E-00AA00A45957}" : arSEA(109,1) = "webcheck.dll" arSEA(110,0) = "{08165EA0-E946-11CF-9C87-00AA005127ED}" : arSEA(110,1) = "webcheck.dll" arSEA(111,0) = "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}" : arSEA(111,1) = "webcheck.dll" 
arSEA(112,0) = "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}" : arSEA(112,1) = "webcheck.dll" arSEA(113,0) = "{7D559C10-9FE9-11d0-93F7-00AA0059CE02}" : arSEA(113,1) = "webcheck.dll" arSEA(114,0) = "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}" : arSEA(114,1) = "webcheck.dll" arSEA(115,0) = "{D8BD2030-6FC9-11D0-864F-00AA006809D9}" : arSEA(115,1) = "webcheck.dll" arSEA(116,0) = "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}" : arSEA(116,1) = "webcheck.dll" arSEA(117,0) = "{352EC2B7-8B9A-11D1-B8AE-006008059382}" : arSEA(117,1) = "appwiz.cpl" arSEA(118,0) = "{0B124F8F-91F0-11D1-B8B5-006008059382}" : arSEA(118,1) = "appwiz.cpl" arSEA(119,0) = "{CFCCC7A0-A282-11D1-9082-006008059382}" : arSEA(119,1) = "appwiz.cpl" arSEA(120,0) = "{e84fda7c-1d6a-45f6-b725-cb260c236066}" : arSEA(120,1) = "shimgvw.dll" arSEA(121,0) = "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}" : arSEA(121,1) = "shimgvw.dll" arSEA(122,0) = "{3F30C968-480A-4C6C-862D-EFC0897BB84B}" : arSEA(122,1) = "shimgvw.dll" arSEA(123,0) = "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}" : arSEA(123,1) = "shimgvw.dll" arSEA(124,0) = "{EAB841A0-9550-11cf-8C16-00805F1408F3}" : arSEA(124,1) = "shimgvw.dll" arSEA(125,0) = "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}" : arSEA(125,1) = "shimgvw.dll" arSEA(126,0) = "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}" : arSEA(126,1) = "netplwiz.dll" arSEA(127,0) = "{add36aa8-751a-4579-a266-d66f5202ccbb}" : arSEA(127,1) = "netplwiz.dll" arSEA(128,0) = "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}" : arSEA(128,1) = "netplwiz.dll" arSEA(129,0) = "{58f1f272-9240-4f51-b6d4-fd63d1618591}" : arSEA(129,1) = "netplwiz.dll" arSEA(130,0) = "{7A9D77BD-5403-11d2-8785-2E0420524153}" : arSEA(130,1) = "" arSEA(131,0) = "{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}" : arSEA(131,1) = "zipfldr.dll" arSEA(132,0) = "{BD472F60-27FA-11cf-B8B4-444553540000}" : arSEA(132,1) = "zipfldr.dll" arSEA(133,0) = "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}" : arSEA(133,1) = "zipfldr.dll" arSEA(134,0) = "{f39a0dc0-9cc8-11d0-a599-00c04fd64433}" : arSEA(134,1) = "cdfview.dll" 
arSEA(135,0) = "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}" : arSEA(135,1) = "cdfview.dll" arSEA(136,0) = "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}" : arSEA(136,1) = "cdfview.dll" arSEA(137,0) = "{f3da0dc0-9cc8-11d0-a599-00c04fd64437}" : arSEA(137,1) = "cdfview.dll" arSEA(138,0) = "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}" : arSEA(138,1) = "cdfview.dll" arSEA(139,0) = "{63da6ec0-2e98-11cf-8d82-444553540000}" : arSEA(139,1) = "msieftp.dll" arSEA(140,0) = "{883373C3-BF89-11D1-BE35-080036B11A03}" : arSEA(140,1) = "docprop2.dll" arSEA(141,0) = "{A9CF0EAE-901A-4739-A481-E35B73E47F6D}" : arSEA(141,1) = "docprop2.dll" arSEA(142,0) = "{8EE97210-FD1F-4B19-91DA-67914005F020}" : arSEA(142,1) = "docprop2.dll" arSEA(143,0) = "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}" : arSEA(143,1) = "docprop2.dll" arSEA(144,0) = "{6A205B57-2567-4A2C-B881-F787FAB579A3}" : arSEA(144,1) = "docprop2.dll" arSEA(145,0) = "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}" : arSEA(145,1) = "docprop2.dll" arSEA(146,0) = "{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" : arSEA(146,1) = "dsquery.dll" arSEA(147,0) = "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}" : arSEA(147,1) = "dsquery.dll" arSEA(148,0) = "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}" : arSEA(148,1) = "dsquery.dll" arSEA(149,0) = "{F020E586-5264-11d1-A532-0000F8757D7E}" : arSEA(149,1) = "dsquery.dll" arSEA(150,0) = "{0D45D530-764B-11d0-A1CA-00AA00C16E65}" : arSEA(150,1) = "dsuiext.dll" arSEA(151,0) = "{62AE1F9A-126A-11D0-A14B-0800361B1103}" : arSEA(151,1) = "dsuiext.dll" arSEA(152,0) = "{ECF03A33-103D-11d2-854D-006008059367}" : arSEA(152,1) = "mydocs.dll" arSEA(153,0) = "{ECF03A32-103D-11d2-854D-006008059367}" : arSEA(153,1) = "mydocs.dll" arSEA(154,0) = "{4a7ded0a-ad25-11d0-98a8-0800361b1103}" : arSEA(154,1) = "mydocs.dll" arSEA(155,0) = "{750fdf0e-2a26-11d1-a3ea-080036587f03}" : arSEA(155,1) = "cscui.dll" arSEA(156,0) = "{10CFC467-4392-11d2-8DB4-00C04FA31A66}" : arSEA(156,1) = "cscui.dll" arSEA(157,0) = "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}" : arSEA(157,1) = "cscui.dll" 
arSEA(158,0) = "{143A62C8-C33B-11D1-84FE-00C04FA34A14}" : arSEA(158,1) = "agentpsh.dll" arSEA(159,0) = "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}" : arSEA(159,1) = "dfsshlex.dll" arSEA(160,0) = "{60fd46de-f830-4894-a628-6fa81bc0190d}" : arSEA(160,1) = "photowiz.dll" arSEA(161,0) = "{7A80E4A8-8005-11D2-BCF8-00C04F72C717}" : arSEA(161,1) = "mmcshext.dll" arSEA(162,0) = "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}" : arSEA(162,1) = "cabview.dll" arSEA(163,0) = "{32714800-2E5F-11d0-8B85-00AA0044F941}" : arSEA(163,1) = "wabfind.dll" arSEA(164,0) = "{8DD448E6-C188-4aed-AF92-44956194EB1F}" : arSEA(164,1) = "wmpshell.dll" arSEA(165,0) = "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}" : arSEA(165,1) = "wmpshell.dll" arSEA(166,0) = "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}" : arSEA(166,1) = "wmpshell.dll" 'W2K arSEA(167,0) = "{41E300E0-78B6-11ce-849B-444553540000}" : arSEA(167,1) = "plustab.dll" arSEA(168,0) = "{1A9BA3A0-143A-11CF-8350-444553540000}" : arSEA(168,1) = "shell32.dll" arSEA(169,0) = "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" : arSEA(169,1) = "shell32.dll" arSEA(170,0) = "{86747AC0-42A0-1069-A2E6-08002B30309D}" : arSEA(170,1) = "shell32.dll" arSEA(171,0) = "{0AFACED1-E828-11D1-9187-B532F1E9575D}" : arSEA(171,1) = "shell32.dll" arSEA(172,0) = "{12518493-00B2-11d2-9FA5-9E3420524153}" : arSEA(172,1) = "shell32.dll" arSEA(173,0) = "{21B22460-3AEA-1069-A2DC-08002B30309D}" : arSEA(173,1) = "shell32.dll" arSEA(174,0) = "{B091E540-83E3-11CF-A713-0020AFD79762}" : arSEA(174,1) = "shell32.dll" arSEA(175,0) = "{FBF23B41-E3F0-101B-8488-00AA003E56F8}" : arSEA(175,1) = "shell32.dll" arSEA(176,0) = "{C2FBB630-2971-11d1-A18C-00C04FD75D13}" : arSEA(176,1) = "shell32.dll" arSEA(177,0) = "{C2FBB631-2971-11d1-A18C-00C04FD75D13}" : arSEA(177,1) = "shell32.dll" arSEA(178,0) = "{13709620-C279-11CE-A49E-444553540000}" : arSEA(178,1) = "shell32.dll" arSEA(179,0) = "{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}" : arSEA(179,1) = "shell32.dll" arSEA(180,0) = "{4622AD11-FF23-11d0-8D34-00A0C90F2719}" : arSEA(180,1) = 
"shell32.dll" arSEA(181,0) = "{7BA4C740-9E81-11CF-99D3-00AA004AE837}" : arSEA(181,1) = "shell32.dll" arSEA(182,0) = "{D969A300-E7FF-11d0-A93B-00A0C90F2719}" : arSEA(182,1) = "shell32.dll" arSEA(183,0) = "{09799AFB-AD67-11d1-ABCD-00C04FC30936}" : arSEA(183,1) = "shell32.dll" arSEA(184,0) = "{3FC0B520-68A9-11D0-8D77-00C04FD70822}" : arSEA(184,1) = "shell32.dll" arSEA(185,0) = "{75048700-EF1F-11D0-9888-006097DEACF9}" : arSEA(185,1) = "shell32.dll" arSEA(186,0) = "{6D5313C0-8C62-11D1-B2CD-006097DF8C11}" : arSEA(186,1) = "shell32.dll" arSEA(187,0) = "{57651662-CE3E-11D0-8D77-00C04FC99D61}" : arSEA(187,1) = "shell32.dll" arSEA(188,0) = "{4657278A-411B-11d2-839A-00C04FD918D0}" : arSEA(188,1) = "shell32.dll" arSEA(189,0) = "{A470F8CF-A1E8-4f65-8335-227475AA5C46}" : arSEA(189,1) = "shell32.dll" arSEA(190,0) = "{568804CA-CBD7-11d0-9816-00C04FD91972}" : arSEA(190,1) = "browseui.dll" arSEA(191,0) = "{5b4dae26-b807-11d0-9815-00c04fd91972}" : arSEA(191,1) = "browseui.dll" arSEA(192,0) = "{8278F931-2A3E-11d2-838F-00C04FD918D0}" : arSEA(192,1) = "browseui.dll" arSEA(193,0) = "{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" : arSEA(193,1) = "browseui.dll" arSEA(194,0) = "{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" : arSEA(194,1) = "browseui.dll" arSEA(195,0) = "{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" : arSEA(195,1) = "browseui.dll" arSEA(196,0) = "{0E5CBF21-D15F-11d0-8301-00AA005B4383}" : arSEA(196,1) = "browseui.dll" arSEA(197,0) = "{7487cd30-f71a-11d0-9ea7-00805f714772}" : arSEA(197,1) = "browseui.dll" arSEA(198,0) = "{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}" : arSEA(198,1) = "thumbvw.dll" arSEA(199,0) = "{EAB841A0-9550-11CF-8C16-00805F1408F3}" : arSEA(199,1) = "thumbvw.dll" arSEA(200,0) = "{1AEB1360-5AFC-11D0-B806-00C04FD706EC}" : arSEA(200,1) = "thumbvw.dll" arSEA(201,0) = "{9DBD2C50-62AD-11D0-B806-00C04FD706EC}" : arSEA(201,1) = "thumbvw.dll" arSEA(202,0) = "{500202A0-731E-11D0-B829-00C04FD706EC}" : arSEA(202,1) = "thumbvw.dll" arSEA(203,0) = "{0B124F8C-91F0-11D1-B8B5-006008059382}" : 
arSEA(203,1) = "appwiz.cpl" arSEA(204,0) = "{fe1290f0-cfbd-11cf-a330-00aa00c16e65}" : arSEA(204,1) = "dsfolder.dll" arSEA(205,0) = "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}" : arSEA(205,1) = "dsfolder.dll" arSEA(206,0) = "{450D8FBA-AD25-11D0-98A8-0800361B1103}" : arSEA(206,1) = "mydocs.dll" 'WXP SP2 arSEA(207,0) = "{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(207,1) = "shdocvw.dll" arSEA(208,0) = "{596AB062-B4D2-4215-9F74-E9109B0A8153}" : arSEA(208,1) = "twext.dll" arSEA(209,0) = "{9DB7A13C-F208-4981-8353-73CC61AE2783}" : arSEA(209,1) = "twext.dll" arSEA(210,0) = "{692F0339-CBAA-47e6-B5B5-3B84DB604E87}" : arSEA(210,1) = "extmgr.dll" 'NT4 arSEA(211,0) = "{764BF0E1-F219-11ce-972D-00AA00A14F56}" : arSEA(211,1) = "shcompui.dll" arSEA(212,0) = "{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}" : arSEA(212,1) = "thumbvw.dll" arSEA(213,0) = "{13709620-C279-11CE-A49E-444553540000}" : arSEA(213,1) = "SHDOC401.DLL" arSEA(214,0) = "{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}" : arSEA(214,1) = "SHDOC401.DLL" arSEA(215,0) = "{7BA4C740-9E81-11CF-99D3-00AA004AE837}" : arSEA(215,1) = "SHDOC401.DLL" arSEA(216,0) = "{D969A300-E7FF-11d0-A93B-00A0C90F2719}" : arSEA(216,1) = "SHDOC401.DLL" arSEA(217,0) = "{4622AD11-FF23-11d0-8D34-00A0C90F2719}" : arSEA(217,1) = "SHDOC401.DLL" arSEA(218,0) = "{3AD1E410-AAB9-11d0-89D7-00C04FC9E26E}" : arSEA(218,1) = "SHDOCVW.DLL" arSEA(219,0) = "{57651662-CE3E-11D0-8D77-00C04FC99D61}" : arSEA(219,1) = "SHDOC401.DLL" arSEA(220,0) = "{B091E540-83E3-11CF-A713-0020AFD79762}" : arSEA(220,1) = "SHDOC401.DLL" arSEA(221,0) = "{3FC0B520-68A9-11D0-8D77-00C04FD70822}" : arSEA(221,1) = "SHDOC401.DLL" arSEA(222,0) = "{7D688A77-C613-11D0-999B-00C04FD655E1}" : arSEA(222,1) = "SHELL32.dll" arSEA(223,0) = "{BDEADF00-C265-11d0-BCED-00A0C90AB50F}" : arSEA(223,1) = "MSONSEXT.DLL" arSEA(224,0) = "{C2FBB630-2971-11d1-A18C-00C04FD75D13}" : arSEA(224,1) = "SHDOC401.DLL" arSEA(225,0) = "{C2FBB631-2971-11d1-A18C-00C04FD75D13}" : arSEA(225,1) = "SHDOC401.DLL" arSEA(226,0) = 
"{75048700-EF1F-11D0-9888-006097DEACF9}" : arSEA(226,1) = "SHDOC401.DLL" arSEA(227,0) = "{6D5313C0-8C62-11D1-B2CD-006097DF8C11}" : arSEA(227,1) = "SHDOC401.DLL" arSEA(228,0) = "{FBF23B41-E3F0-101B-8488-00AA003E56F8}" : arSEA(228,1) = "SHDOC401.DLL" arSEA(229,0) = "{5a61f7a0-cde1-11cf-9113-00aa00425c62}" : arSEA(229,1) = "w3ext.dll" 'WMe arSEA(230,0) = "{3F30C968-480A-4C6C-862D-EFC0897BB84B}" : arSEA(230,1) = "THUMBVW.DLL" 'see (122) arSEA(231,0) = "{53C74826-AB99-4d33-ACA4-3117F51D3788}" : arSEA(231,1) = "SHELL32.DLL" arSEA(232,0) = "{992CFFA0-F557-101A-88EC-00DD010CCC48}" : arSEA(232,1) = "rnaui.dll" 'see (30) arSEA(233,0) = "{FEF10FA2-355E-4e06-9381-9B24D7F7CC88}" : arSEA(233,1) = "SHELL32.DLL" 'MS PowerToys arSEA(234,0) = "{AA7C7080-860A-11CE-8424-08002B2CFF76}" : arSEA(234,1) = "SENDTOX.DLL" arSEA(235,0) = "{7BB70120-6C78-11CF-BFC7-444553540000}" : arSEA(235,1) = "SENDTOX.DLL" arSEA(236,0) = "{7BB70122-6C78-11CF-BFC7-444553540000}" : arSEA(236,1) = "SENDTOX.DLL" arSEA(237,0) = "{7BB70121-6C78-11CF-BFC7-444553540000}" : arSEA(237,1) = "SENDTOX.DLL" arSEA(238,0) = "{7BB70123-6C78-11CF-BFC7-444553540000}" : arSEA(238,1) = "SENDTOX.DLL" arSEA(239,0) = "{9E56BE62-C50F-11CF-9A2C-00A0C90A90CE}" : arSEA(239,1) = "SENDTOX.DLL" arSEA(240,0) = "{90A756E0-AFCF-11CE-927B-0800095AE340}" : arSEA(240,1) = "target.dll" arSEA(241,0) = "{afc638f0-e8a4-11ce-9ade-00aa00a42d2e}" : arSEA(241,1) = "TTFExtNT.dll" 'etc arSEA(242,0) = "{1D2680C9-0E2A-469d-B787-065558BC7D43}" : arSEA(242,1) = "mscoree.dll" arSEA(243,0) = "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" : arSEA(243,1) = "wuaueng.dll" 'WXP IE 7 arSEA(244,0) = "{07C45BB1-4A8C-4642-A1F5-237E7215FF66}" : arSEA(244,1) = "ieframe.dll" arSEA(245,0) = "{1C1EDB47-CE22-4bbb-B608-77B48F83C823}" : arSEA(245,1) = "ieframe.dll" arSEA(246,0) = "{205D7A97-F16D-4691-86EF-F3075DCCA57D}" : arSEA(246,1) = "ieframe.dll" arSEA(247,0) = "{3028902F-6374-48b2-8DC6-9725E775B926}" : arSEA(247,1) = "ieframe.dll" arSEA(248,0) = 
"{30D02401-6A81-11d0-8274-00C04FD5AE38}" : arSEA(248,1) = "ieframe.dll" arSEA(249,0) = "{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" : arSEA(249,1) = "ieframe.dll" arSEA(250,0) = "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" : arSEA(250,1) = "ieframe.dll" arSEA(251,0) = "{43886CD5-6529-41c4-A707-7B3C92C05E68}" : arSEA(251,1) = "ieframe.dll" arSEA(252,0) = "{44C76ECD-F7FA-411c-9929-1B77BA77F524}" : arSEA(252,1) = "ieframe.dll" arSEA(253,0) = "{4B78D326-D922-44f9-AF2A-07805C2A3560}" : arSEA(253,1) = "ieframe.dll" arSEA(254,0) = "{6038EF75-ABFC-4e59-AB6F-12D397F6568D}" : arSEA(254,1) = "ieframe.dll" arSEA(255,0) = "{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE}" : arSEA(255,1) = "ieframe.dll" arSEA(256,0) = "{6CF48EF8-44CD-45d2-8832-A16EA016311B}" : arSEA(256,1) = "ieframe.dll" arSEA(257,0) = "{73CFD649-CD48-4fd8-A272-2070EA56526B}" : arSEA(257,1) = "ieframe.dll" arSEA(258,0) = "{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" : arSEA(258,1) = "ieframe.dll" arSEA(259,0) = "{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" : arSEA(259,1) = "ieframe.dll" arSEA(260,0) = "{871C5380-42A0-1069-A2EA-08002B30309D}" : arSEA(260,1) = "ieframe.dll" arSEA(261,0) = "{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8}" : arSEA(261,1) = "ieframe.dll" arSEA(262,0) = "{9a096bb5-9dc3-4d1c-8526-c3cbf991ea4e}" : arSEA(262,1) = "ieframe.dll" arSEA(263,0) = "{9D958C62-3954-4b44-8FAB-C4670C1DB4C2}" : arSEA(263,1) = "ieframe.dll" arSEA(264,0) = "{B31C5FAE-961F-415b-BAF0-E697A5178B94}" : arSEA(264,1) = "ieframe.dll" arSEA(265,0) = "{BC476F4C-D9D7-4100-8D4E-E043F6DEC409}" : arSEA(265,1) = "ieframe.dll" arSEA(266,0) = "{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A}" : arSEA(266,1) = "ieframe.dll" arSEA(267,0) = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" : arSEA(267,1) = "ieframe.dll" arSEA(268,0) = "{E6EE9AAC-F76B-4947-8260-A9F136138E11}" : arSEA(268,1) = "ieframe.dll" arSEA(269,0) = "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" : arSEA(269,1) = "ieframe.dll" arSEA(270,0) = "{F0353E1D-FEEC-474e-A984-1E5C6865E380}" : arSEA(270,1) = "ieframe.dll" arSEA(271,0) 
= "{F2CF5485-4E02-4f68-819C-B92DE9277049}" : arSEA(271,1) = "ieframe.dll" arSEA(272,0) = "{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E}" : arSEA(272,1) = "ieframe.dll" arSEA(273,0) = "{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}" : arSEA(273,1) = "ieframe.dll" arSEA(274,0) = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" : arSEA(274,1) = "ieframe.dll" arSEA(275,0) = "{FDE7673D-2E19-4145-8376-BBD58C4BC7BA}" : arSEA(275,1) = "ieframe.dll" arSEA(276,0) = "{FF393560-C2A7-11CF-BFF4-444553540000}" : arSEA(276,1) = "ieframe.dll" 'WVa arSEA(277,0) = "{00021401-0000-0000-C000-000000000046}" : arSEA(277,1) = "shell32.dll" arSEA(278,0) = "{025A5937-A6BE-4686-A844-36FE4BEC8B6D}" : arSEA(278,1) = "shdocvw.dll" arSEA(279,0) = "{056440FD-8568-48e7-A632-72157243B55B}" : arSEA(279,1) = "browseui.dll" arSEA(280,0) = "{0AFCCBA6-BF90-4A4E-8482-0AC960981F5B}" : arSEA(280,1) = "shell32.dll" arSEA(281,0) = "{0BFCF7B7-E7B6-433a-B205-2904FCF040DD}" : arSEA(281,1) = "appwiz.cpl" arSEA(282,0) = "{11dbb47c-a525-400b-9e80-a54615a090c0}" : arSEA(282,1) = "ExplorerFrame.dll" arSEA(283,0) = "{13D3C4B8-B179-4ebb-BF62-F704173E7448}" : arSEA(283,1) = "wab32.dll" arSEA(284,0) = "{1531d583-8375-4d3f-b5fb-d23bbd169f22}" : arSEA(284,1) = "shell32.dll" arSEA(285,0) = "{15eae92e-f17a-4431-9f28-805e482dafd4}" : arSEA(285,1) = "appwiz.cpl" arSEA(286,0) = "{176d6597-26d3-11d1-b350-080036a75b03}" : arSEA(286,1) = "colorui.dll" arSEA(287,0) = "{17cd9488-1228-4b2f-88ce-4298e93e0966}" : arSEA(287,1) = "shdocvw.dll" arSEA(288,0) = "{1FA9085F-25A2-489B-85D4-86326EEDCD87}" : arSEA(288,1) = "wlanpref.dll" arSEA(289,0) = "{21569614-B795-46b1-85F4-E737A8DC09AD}" : arSEA(289,1) = "browseui.dll" arSEA(290,0) = "{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}" : arSEA(290,1) = "shdocvw.dll" arSEA(291,0) = "{2781761E-28E0-4109-99FE-B9D127C57AFE}" : arSEA(291,1) = "MpOav.dll" arSEA(292,0) = "{289978AC-A101-4341-A817-21EBA7FD046D}" : arSEA(292,1) = "SyncCenter.dll" arSEA(293,0) = "{2BC0DA0E-F1BC-43AB-B4B5-738EB6B51E7E}" : arSEA(293,1) = "fontext.dll" 
arSEA(294,0) = "{2E9E59C0-B437-4981-A647-9C34B9B90891}" : arSEA(294,1) = "SyncCenter.dll" arSEA(295,0) = "{3080F90D-D7AD-11D9-BD98-0000947B0257}" : arSEA(295,1) = "shdocvw.dll" arSEA(296,0) = "{3080F90E-D7AD-11D9-BD98-0000947B0257}" : arSEA(296,1) = "shdocvw.dll" arSEA(297,0) = "{328B0346-7EAF-4BBE-A479-7CB88A095F5B}" : arSEA(297,1) = "shell32.dll" arSEA(298,0) = "{335a31dd-f04b-4d76-a925-d6b47cf360df}" : arSEA(298,1) = "shdocvw.dll" arSEA(299,0) = "{35786D3C-B075-49b9-88DD-029876E11C01}" : arSEA(299,1) = "wpdshext.dll" arSEA(300,0) = "{36eef7db-88ad-4e81-ad49-0e313f0c35f8}" : arSEA(300,1) = "shdocvw.dll" arSEA(301,0) = "{3c2654c6-7372-4f6b-b310-55d6128f49d2}" : arSEA(301,1) = "shell32.dll" arSEA(302,0) = "{3F30C968-480A-4C6C-862D-EFC0897BB84B}" : arSEA(302,1) = "PhotoMetadataHandler.dll" arSEA(303,0) = "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}" : arSEA(303,1) = "mediametadatahandler.dll" arSEA(304,0) = "{4336a54d-038b-4685-ab02-99bb52d3fb8b}" : arSEA(304,1) = "shdocvw.dll" arSEA(305,0) = "{437ff9c0-a07f-4fa0-af80-84b6c6440a16}" : arSEA(305,1) = "shell32.dll" arSEA(306,0) = "{44121072-A222-48f2-A58A-6D9AD51EBBE9}" : arSEA(306,1) = "XPSSHHDR.DLL" arSEA(307,0) = "{45670FA8-ED97-4F44-BC93-305082590BFB}" : arSEA(307,1) = "XPSSHHDR.DLL" arSEA(308,0) = "{474C98EE-CF3D-41f5-80E3-4AAB0AB04301}" : arSEA(308,1) = "cscui.dll" arSEA(309,0) = "{4B534112-3AF6-4697-A77C-D62CE9B9E7CF}" : arSEA(309,1) = "SyncCenter.dll" arSEA(310,0) = "{4D1209BD-36E2-4e2f-840D-6C7FB879DD9E}" : arSEA(310,1) = "shdocvw.dll" arSEA(311,0) = "{4E77131D-3629-431c-9818-C5679DC83E81}" : arSEA(311,1) = "cscui.dll" arSEA(312,0) = "{4F58F63F-244B-4c07-B29F-210BE59BE9B4}" : arSEA(312,1) = "wab32.dll" arSEA(313,0) = "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" : arSEA(313,1) = "acppage.dll" arSEA(314,0) = "{53BEDF0B-4E5B-4183-8DC9-B844344FA104}" : arSEA(314,1) = "mssvp.dll" arSEA(315,0) = "{576C9E85-1300-4EF5-BF6B-D00509F4EDCD}" : arSEA(315,1) = "SyncCenter.dll" arSEA(316,0) = "{58E3C745-D971-4081-9034-86E34B30836A}" 
: arSEA(316,1) = "shdocvw.dll" arSEA(317,0) = "{596742A5-1393-4e13-8765-AE1DF71ACAFB}" : arSEA(317,1) = "browseui.dll" arSEA(318,0) = "{5DB2625A-54DF-11D0-B6C4-0800091AA605}" : arSEA(318,1) = "colorui.dll" arSEA(319,0) = "{5FA29220-36A1-40f9-89C6-F4B384B7642E}" : arSEA(319,1) = "inetcomm.dll" arSEA(320,0) = "{60632754-c523-4b62-b45c-4172da012619}" : arSEA(320,1) = "shdocvw.dll" arSEA(321,0) = "{640167b4-59b0-47a6-b335-a6b3c0695aea}" : arSEA(321,1) = "audiodev.dll" arSEA(322,0) = "{66742402-F9B9-11D1-A202-0000F81FEDEE}" : arSEA(322,1) = "shell32.dll" arSEA(323,0) = "{675F097E-4C4D-11D0-B6C1-0800091AA605}" : arSEA(323,1) = "colorui.dll" arSEA(324,0) = "{6b33163c-76a5-4b6c-bf21-45de9cd503a1}" : arSEA(324,1) = "shwebsvc.dll" arSEA(325,0) = "{6D8BB3D3-9D87-4a91-AB56-4F30CFFEFE9F}" : arSEA(325,1) = "browseui.dll" arSEA(326,0) = "{708e1662-b832-42a8-bbe1-0a77121e3908}" : arSEA(326,1) = "shell32.dll" arSEA(327,0) = "{71D99464-3B6B-475C-B241-E15883207529}" : arSEA(327,1) = "SyncCenter.dll" arSEA(328,0) = "{71f96385-ddd6-48d3-a0c1-ae06e8b055fb}" : arSEA(328,1) = "shell32.dll" arSEA(329,0) = "{78F3955E-3B90-4184-BD14-5397C15F1EFC}" : arSEA(329,1) = "shdocvw.dll" arSEA(330,0) = "{7b81be6a-ce2b-4676-a29e-eb907a5126c5}" : arSEA(330,1) = "appwiz.cpl" arSEA(331,0) = "{7EFA68C6-086B-43e1-A2D2-55A113531240}" : arSEA(331,1) = "cscui.dll" arSEA(332,0) = "{8082C5E6-4C27-48ec-A809-B8E1122E8F97}" : arSEA(332,1) = "wab32.dll" arSEA(333,0) = "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" : arSEA(333,1) = "mediametadatahandler.dll" arSEA(334,0) = "{877ca5ac-cb41-4842-9c69-9136e42d47e2}" : arSEA(334,1) = "sdshext.dll" arSEA(335,0) = "{89D83576-6BD1-4c86-9454-BEB04E94C819}" : arSEA(335,1) = "mssvp.dll" arSEA(336,0) = "{8E25992B-373E-486E-80E5-BD23AE417E66}" : arSEA(336,1) = "SyncCenter.dll" arSEA(337,0) = "{8E908FC9-BECC-40f6-915B-F4CA0E70D03D}" : arSEA(337,1) = "shdocvw.dll" arSEA(338,0) = "{90f8c90b-04e0-4e92-a186-e6e9c125d664}" : arSEA(338,1) = "shdocvw.dll" arSEA(339,0) = 
"{92dbad9f-5025-49b0-9078-2d78f935e341}" : arSEA(339,1) = "inetcomm.dll" arSEA(340,0) = "{96AE8D84-A250-4520-95A5-A47A7E3C548B}" : arSEA(340,1) = "shdocvw.dll" arSEA(341,0) = "{97e467b4-98c6-4f19-9588-161b7773d6f6}" : arSEA(341,1) = "propsys.dll" arSEA(342,0) = "{9C60DE1E-E5FC-40f4-A487-460851A8D915}" : arSEA(342,1) = "shdocvw.dll" arSEA(343,0) = "{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}" : arSEA(343,1) = "SyncCenter.dll" arSEA(344,0) = "{9DBD2C50-62AD-11d0-B806-00C04FD706EC}" : arSEA(344,1) = "shell32.dll" arSEA(345,0) = "{a38b883c-1682-497e-97b0-0a3a9e801682}" : arSEA(345,1) = "PhotoMetadataHandler.dll" arSEA(346,0) = "{a42c2ccb-67d3-46fa-abe6-7d2f3488c7a3}" : arSEA(346,1) = "shell32.dll" arSEA(347,0) = "{a542e116-8088-4146-a352-b0d06e7f6af6}" : arSEA(347,1) = "browseui.dll" arSEA(348,0) = "{add36aa8-751a-4579-a266-d66f5202ccbb}" : arSEA(348,1) = "shwebsvc.dll" arSEA(349,0) = "{b155bdf8-02f0-451e-9a26-ae317cfd7779}" : arSEA(349,1) = "shdocvw.dll" arSEA(350,0) = "{b2952b16-0e07-4e5a-b993-58c52cb94cae}" : arSEA(350,1) = "shell32.dll" arSEA(351,0) = "{B32D3949-ED98-4DBB-B347-17A144969BBA}" : arSEA(351,1) = "SyncCenter.dll" arSEA(352,0) = "{b8cdcb65-b1bf-4b42-9428-1dfdb7ee92af}" : arSEA(352,1) = "zipfldr.dll" arSEA(353,0) = "{b9815375-5d7f-4ce2-9245-c9d4da436930}" : arSEA(353,1) = "inetcomm.dll" arSEA(354,0) = "{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}" : arSEA(354,1) = "shdocvw.dll" arSEA(355,0) = "{BC48B32F-5910-47F5-8570-5074A8A5636A}" : arSEA(355,1) = "SyncCenter.dll" arSEA(356,0) = "{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}" : arSEA(356,1) = "mssvp.dll" arSEA(357,0) = "{C0B4E2F3-BA21-4773-8DBA-335EC946EB8B}" : arSEA(357,1) = "comdlg32.dll" arSEA(358,0) = "{C4EC38BD-4E9E-4b5e-935A-D1BFF237D980}" : arSEA(358,1) = "browseui.dll" arSEA(359,0) = "{c5a40261-cd64-4ccf-84cb-c394da41d590}" : arSEA(359,1) = "mediametadatahandler.dll" arSEA(360,0) = "{C73F6F30-97A0-4AD1-A08F-540D4E9BC7B9}" : arSEA(360,1) = "shdocvw.dll" arSEA(361,0) = "{C7657C4A-9F68-40fa-A4DF-96BC08EB3551}" : 
arSEA(361,1) = "PhotoMetadataHandler.dll" arSEA(362,0) = "{CB1B7F8C-C50A-4176-B604-9E24DEE8D4D1}" : arSEA(362,1) = "oobefldr.dll" arSEA(363,0) = "{CC6EEFFB-43F6-46c5-9619-51D571967F7D}" : arSEA(363,1) = "shwebsvc.dll" arSEA(364,0) = "{ceefea1b-3e29-4ef1-b34c-fec79c4f70af}" : arSEA(364,1) = "appwiz.cpl" arSEA(365,0) = "{d450a8a1-9568-45c7-9c0e-b4f9fb4537bd}" : arSEA(365,1) = "appwiz.cpl" arSEA(366,0) = "{D555645E-D4F8-4c29-A827-D93C859C4F2A}" : arSEA(366,1) = "shdocvw.dll" arSEA(367,0) = "{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8}" : arSEA(367,1) = "wpdshext.dll" arSEA(368,0) = "{D9EF8727-CAC2-4e60-809E-86F80A666C91}" : arSEA(368,1) = "shdocvw.dll" arSEA(369,0) = "{DBCE2480-C732-101B-BE72-BA78E9AD5B27}" : arSEA(369,1) = "colorui.dll" arSEA(370,0) = "{DC1C5A9C-E88A-4dde-A5A1-60F82A20AEF7}" : arSEA(370,1) = "comdlg32.dll" arSEA(371,0) = "{DFFACDC5-679F-4156-8947-C5C76BC0B67F}" : arSEA(371,1) = "shdocvw.dll" arSEA(372,0) = "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" : arSEA(372,1) = "dfshim.dll" arSEA(373,0) = "{E413D040-6788-4C22-957E-175D1C513A34}" : arSEA(373,1) = "SyncCenter.dll" arSEA(374,0) = "{E598560B-28D5-46aa-A14A-8A3BEA34B576}" : arSEA(374,1) = "PhotoViewer.dll" arSEA(375,0) = "{e82a2d71-5b2f-43a0-97b8-81be15854de8}" : arSEA(375,1) = "dfshim.dll" arSEA(376,0) = "{E95A4861-D57A-4be1-AD0F-35267E261739}" : arSEA(376,1) = "shdocvw.dll" arSEA(377,0) = "{eb124705-128b-40d4-8dd8-d93ed12589a4}" : arSEA(377,1) = "shdocvw.dll" arSEA(378,0) = "{ECDD6472-2B9B-4b4b-AE36-F316DF3C8D60}" : arSEA(378,1) = "gameux.dll" arSEA(379,0) = "{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}" : arSEA(379,1) = "gameux.dll" arSEA(380,0) = "{ed50fc29-b964-48a9-afb3-15ebb9b97f36}" : arSEA(380,1) = "shdocvw.dll" arSEA(381,0) = "{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921}" : arSEA(381,1) = "shdocvw.dll" arSEA(382,0) = "{ed9d80b9-d157-457b-9192-0e7280313bf0}" : arSEA(382,1) = "zipfldr.dll" arSEA(383,0) = "{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}" : arSEA(383,1) = "NetworkExplorer.dll" arSEA(384,0) = 
"{F04CC277-03A2-4277-96A9-77967471BDFF}" : arSEA(384,1) = "SyncCenter.dll" arSEA(385,0) = "{f8b8412b-dea3-4130-b36c-5e8be73106ac}" : arSEA(385,1) = "inetcomm.dll" arSEA(386,0) = "{F1390A9A-A3F4-4E5D-9C5F-98F3BD8D935C}" : arSEA(386,1) = "SyncCenter.dll" arSEA(387,0) = "{fccf70c8-f4d7-4d8b-8c17-cd6715e37fff}" : arSEA(387,1) = "browseui.dll" arSEA(388,0) = "{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A}" : arSEA(388,1) = "PhotoViewer.dll" 'set up key name to query strKey = "Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" strSubTitle = "HKLM" & "\" & strKey & "\" 'find all the names in the key intErrNum1 = oReg.EnumValues (HKLM, strKey, arNames, arType) 'enumerate data if present If intErrNum1 = 0 And IsArray(arNames) Then 'for each CLSID For Each strCLSID in arNames flagTitle = False 'find CLSID title CLSIDLocTitle HKLM, strKey, strCLSID, strLocTitle For ctrCH = intCLL To 1 'assume CLSID unapproved flagMatch = False ResolveCLSID strCLSID, arHives(ctrCH,1), strCLSIDTitle, strIPSDLL If strIPSDLL <> "" Then strCN = CoName(IDExe(strIPSDLL)) 'for every member of approved shellex array in HKLM hive For i = 0 To UBound(arSEA,1) 'if not ShowAll And CLSID's & DLL's identical And CoName = MS, shellex is known If Not flagShowAll And (LCase(strCLSID) = LCase(arSEA(i,0))) And _ (Fso.GetFileName(LCase(strIPSDLL)) = LCase(arSEA(i,1))) And _ (strCN = MS) And ctrCH = 1 Then 'toggle flag & exit for flagMatch = True : Exit For End If Next 'arSEA member 'for ShowAll Or unknown shellex If flagShowAll Or Not flagMatch Then TitleLineWrite If Not flagTitle Then On Error Resume Next 'output CLSID & title oFN.WriteLine Chr(34) & strCLSID & Chr(34) & " = " & strLocTitle intErrNum = Err.Number : Err.Clear 'error check for W2K if title (Approved CLSID) value not set If intErrNum <> 0 Then _ oFN.WriteLine Chr(34) & strCLSID & Chr(34) & " = (no title provided)" flagTitle = True On Error GoTo 0 End If 'output CLSID title, InProcServer32 DLL & CoName oFN.WriteLine " -> {" & 
arHives(ctrCH,0) & "...CLSID} = " &_
                                  strCLSIDTitle & vbCRLF & Space(19) & "\InProcServer32\(Default) = " &_
                                  StringFilter(strIPSDLL,True) & CoName(IDExe(strIPSDLL))
                        End If 'flagMatch Or flagShowAll?
                    End If 'strIPSDLL <> ""?
                Next 'CLSID Hive
            Next 'strCLSID
        Else 'arNames array not returned
            'if ShowAll, output key name
            If flagShowAll Then TitleLineWrite
        End If 'intErrNum1 = 0 & arNames array exists?
        strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
        'recover array memory
        ReDim arSEA(0,0)
    End If 'SecTest?
'(end of section #4 -- the Shell Extensions\Approved loop starts above)

'#5. HKLM... Explorer\SharedTaskScheduler/ShellExecuteHooks
'Both keys hold CLSIDs that the shell loads; the header lists them among the
'registry launch points.  Every value name under each key is treated as a
'CLSID, resolved in each CLSID hive (ctrCH = intCLL..1), and written to the
'report unless all four of these match a row of the per-key allow-list:
'  - the CLSID itself (case-insensitive),
'  - the InProcServer32 file name (path stripped, case-insensitive),
'  - the company name returned by CoName equals MS,
'  - the CLSID was resolved in hive index 1 (HKLM per the comment below).
'With -all (flagShowAll) every entry is written, allowed or not; only the
'IWarn prefix distinguishes unexpected entries.
'NOTE(review): the company-name test trusts whatever CoName reports for the
'DLL (presumably file version data -- confirm); treat an allow-list match as
'a heuristic for suppressing known-good noise, not as a signature check.
intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then
    Dim arAllowedCLSID()
    ReDim arKeys(1)
    arKeys(0) = "Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
    arKeys(1) = "Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
    'for each Explorer sub-key
    For i = 0 To UBound(arKeys)
        strSubTitle = "HKLM" & "\" & arKeys(i) & "\"
        'set up allowed CLSID's & IPS names for each sub-key
        '(column 0 = CLSID, column 1 = expected InProcServer32 file name)
        If i = 0 Then 'SharedTaskScheduler
            ReDim arAllowedCLSID(2,1)
            arAllowedCLSID(0,0) = "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"
            arAllowedCLSID(0,1) = "browseui.dll"
            arAllowedCLSID(1,0) = "{8C7461EF-2B13-11d2-BE35-3078302C2030}"
            arAllowedCLSID(1,1) = "browseui.dll"
            arAllowedCLSID(2,0) = "{553858A7-4922-4e7e-B1C1-97140C1C16EF}" 'IE 7
            arAllowedCLSID(2,1) = "ieframe.dll"
        ElseIf i = 1 Then 'ShellExecuteHooks
            ReDim arAllowedCLSID(0,1)
            arAllowedCLSID(0,0) = "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"
            arAllowedCLSID(0,1) = "shell32.dll"
        End If 'which Explorer sub-key?
        'find all the names in the Explorer key
        oReg.EnumValues HKLM, arKeys(i), arNames, arType
        'enumerate data if present
        If IsArray(arNames) Then
            'for each name
            For Each strName In arNames
                flagTitle = False
                CLSIDLocTitle HKLM, arKeys(i), strName, strLocTitle
                For ctrCH = intCLL To 1
                    ResolveCLSID strName, arHives(ctrCH,1), strCLSIDTitle, strIPSDLL
                    'a CLSID with no InProcServer32 value in this hive is silently skipped
                    If strIPSDLL <> "" Then
                        flagFound = False
                        strCN = CoName(IDExe(strIPSDLL))
                        'for every CLSID
                        'see if CLSID, IPS filename are allowed & IPS CoName = "MS" & hive = HKLM
                        For j = 0 To UBound(arAllowedCLSID,1)
                            If LCase(strName) = LCase(arAllowedCLSID(j,0)) And _
                               LCase(Fso.GetFileName(strIPSDLL)) = LCase(arAllowedCLSID(j,1)) And _
                               strCN = MS And ctrCH = 1 Then
                                flagFound = True : strWarn = "" : Exit For
                            End If
                        Next 'allowed CLSID & IPS file name
                        'anything not on the allow-list gets the warning prefix
                        If Not flagFound Then
                            strWarn = IWarn : flagIWarn = True
                        End If
                        'if IPS not allowed or ShowAll, output name & value
                        If Not flagFound Or flagShowAll Then
                            'output the title line if not already done
                            TitleLineWrite
                            If Not flagTitle Then
                                On Error Resume Next
                                oFN.WriteLine strWarn & Chr(34) & strName & Chr(34) &_
                                              " = " & strLocTitle
                                'error check for W2K if SharedTaskScheduler value not set
                                intErrNum = Err.Number : Err.Clear
                                If intErrNum <> 0 Then oFN.WriteLine Chr(34) & strName & Chr(34) &_
                                                       " = (no title provided)"
                                flagTitle = True
                                On Error GoTo 0
                            End If
                            'output CLSID title, InProcServer32 DLL & CoName
                            oFN.WriteLine " -> {" & arHives(ctrCH,0) & "...CLSID} = " &_
                                          strCLSIDTitle & vbCRLF & Space(19) & "\InProcServer32\(Default) = " &_
                                          StringFilter(strIPSDLL,True) & strCN
                        End If 'unexpected data or ShowAll?
                    End If 'IPS exists?
                Next 'CLSID Hive
            Next 'arNames array member
        Else 'arNames array not returned
            'if ShowAll, output key name
            If flagShowAll Then TitleLineWrite
        End If 'arNames array exists
    Next 'Explorer sub-key
    'reset flags
    flagFound = False
    strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
    'recover array memory
    ReDim arAllowedCLSID(0)
    ReDim arKeys(0)
    ReDim arNames(0)
End If 'SecTest?
'#6.
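'HKCU/HKLM... ShellServiceObjectDelayLoad
'Every value under this key (in HKCU and HKLM) names a CLSID whose
'InProcServer32 DLL the shell loads; the header lists it among the registry
'launch points.  A value is written to the report unless all of these hold
'for a row of arSSODL: same CLSID, same InProcServer32 file name, company
'name " [ms]" and the CLSID resolved in hive index 1 (HKLM).  With -all the
'allow-list is not consulted at all (flagMatch stays False), so every value
'is listed.
'NOTE(review): this section compares LCase(strCN) with the literal " [ms]"
'whereas the neighbouring sections compare strCN with the MS constant;
'presumably the same string -- confirm MS is defined as " [MS]".
'NOTE(review): the company-name test trusts what CoName reports for the DLL
'(presumably file version data -- confirm); an allow-list match suppresses
'known-good noise and is not a signature check.
intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then
    strKey = "Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
    Dim arSSODL() 'array of allowable SSODL values
    'flagMatch = TRUE if SSODL value is allowable
    'form array of allowable SSODL values
    '(column 0 = CLSID, column 1 = expected InProcServer32 file name)
    ReDim arSSODL(6,1)
    arSSODL(0,0) = "{35cec8a3-2be6-11d2-8773-92e220524153}" : arSSODL(0,1) = "stobject.dll"
    arSSODL(1,0) = "{7007accf-3202-11d1-aad2-00805fc1270e}" : arSSODL(1,1) = "netshell.dll"
    arSSODL(2,0) = "{7849596a-48ea-486e-8937-a2a3009f31a9}" : arSSODL(2,1) = "shell32.dll"
    arSSODL(3,0) = "{e57ce738-33e8-4c51-8354-bb4de9d215d1}" : arSSODL(3,1) = "upnpui.dll"
    arSSODL(4,0) = "{e6fb5e20-de35-11cf-9c87-00aa005127ed}" : arSSODL(4,1) = "webcheck.dll"
    arSSODL(5,0) = "{fbeb8a05-beee-4442-804e-409d6c4515e9}" : arSSODL(5,1) = "shell32.dll"
    arSSODL(6,0) = "{bcbcd383-3e06-11d3-91a9-00c04f68105c}" : arSSODL(6,1) = "auhook.dll"
    For i = 0 To 1 'for each hive
        strSubTitle = arHives(i,0) & "\" & strKey & "\"
        'find all the names in the key
        oReg.EnumValues arHives(i,1), strKey, arNames, arType
        'enumerate data if present
        If IsArray(arNames) Then
            'for each text name
            For Each strName In arNames
                flagMatch = False 'SSODL entry is not allowable
                'get the SSODL value = {CLSID}
                oReg.GetStringValue arHives(i,1),strKey,strName,strCLSID
                flagTitle = False
                For ctrCH = intCLL To 1
                    ResolveCLSID strCLSID, arHives(ctrCH,1), strCLSIDTitle, strIPSDLL
                    'if IPS value exists And is not empty
                    '(a CLSID with no InProcServer32 in this hive produces no output)
                    If strIPSDLL <> "" Then
                        strCN = CoName(IDExe(strIPSDLL))
                        strDLL = Fso.GetFileName(strIPSDLL)
                        'only look for allowable values if output not ShowAll
                        If Not flagShowAll Then
                            'for every arSSODL member for this O/S
                            For j = 0 To UBound(arSSODL,1)
                                'check the CLSID, DLL filename, CoName, CLSID hive
                                If LCase(arSSODL(j,0)) = LCase(strCLSID) And _
                                   LCase(arSSODL(j,1)) = LCase(strDLL) And _
                                   LCase(strCN) = " [ms]" And _
                                   ctrCH = 1 Then
                                    flagMatch = True 'toggle flag if all four criteria satisfied
                                    Exit For
                                End If
                            Next 'arSSODL member
                        End If 'flagShowAll?
                        'write the quote-delimited name and value to the file if unallowable
                        If Not flagMatch Then
                            'output title line if not already done
                            TitleLineWrite
                            If Not flagTitle Then
                                'output SSODL value
                                oFN.WriteLine Chr(34) & strName & Chr(34) & " = " &_
                                              Chr(34) & strCLSID & Chr(34)
                                flagTitle = True
                            End If
                            'one " -> {hive...CLSID}" line per hive the CLSID resolved in
                            oFN.WriteLine " -> {" & arHives(ctrCH,0) & "...CLSID} = " &_
                                          strCLSIDTitle & vbCRLF & Space(19) & "\InProcServer32\(Default) = " &_
                                          StringFilter(strIPSDLL,True) & strCN
                        End If 'flagMatch?
                    End If 'IPS exists?
                Next 'CLSID hive
            Next 'SSODL value (strName) in array
        End If 'arNames array exists
        'if ShowAll, output key name
        If flagShowAll Then TitleLineWrite
    Next 'hive
    'reset flags
    flagMatch = False
    strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
    strLine = ""
    'recover array memory
    ReDim arType(0)
    ReDim arNames(0)
    'fixed: this used to ReDim the misspelled name arSSOLD, which left the
    'real allow-list array (arSSODL) allocated
    ReDim arSSODL(0,0)
End If 'SecTest?
'#7. HKCU/HKLM... Command Processor\AutoRun
'    HKCU... Policies\System\Shell (W2K/WXP/WVa only)
'    HKCU... Windows\load & run
'    HKLM... Windows\AppInit_DLLs
'    HKCU/HKLM... Winlogon\Shell
'    HKLM... Winlogon\Userinit, System, Ginadll, Taskman
'    HKLM... Control\SafeBoot\Option\UseAlternateShell
'    HKLM... Control\SecurityProviders\SecurityProviders
'    HKLM... Control\Session Manager\BootExecute
'    HKLM...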
'Control\Session Manager\WOW\cmdline, wowcmdline
'Section #7: single-valued launch/hijack points read by the command
'processor, the logon process and the session manager (all listed in the
'header).  Most values are checked by RegDataChk against the value expected
'on a clean system (the expected value is the last argument; "" means the
'value should be absent or empty).  Userinit, UseAlternateShell,
'SecurityProviders and BootExecute need their own parsing and are handled
'inline below.  W98/WMe are skipped entirely.
intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then
    'value length, pos'n of space/comma in value, member of SecurityProviders array
    Dim intSpacePosn, intCommaPosn, strSP
    If strOS <> "W98" And strOS <> "WME" Then
        'HKCU\Software\Microsoft\Command Processor\AutoRun
        strSubTitle = "HKCU\Software\Microsoft\Command Processor\"
        RegDataChk HKCU, "Software\Microsoft\Command Processor", "AutoRun", strValue, ""
        If strOS = "W2K" Or strOS = "WXP" Or strOS = "WVA" Then
            'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
            '"Shell" = ""
            strSubTitle = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
            RegDataChk HKCU, "Software\Microsoft\Windows\CurrentVersion\Policies\System", "Shell", strValue, ""
        End If 'W2K/WXP/WVa?
        'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load & run
        strSubTitle = "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\"
        RegDataChk HKCU, "Software\Microsoft\Windows NT\CurrentVersion\Windows", "load", strValue, ""
        RegDataChk HKCU, "Software\Microsoft\Windows NT\CurrentVersion\Windows", "run", strValue, ""
        'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
        '"Shell" = "Explorer.exe"
        strSubTitle = "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
        RegDataChk HKCU, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", strValue, "explorer.exe"
        'HKLM\Software\Microsoft\Command Processor\AutoRun
        strSubTitle = "HKLM\Software\Microsoft\Command Processor\"
        RegDataChk HKLM, "Software\Microsoft\Command Processor", "AutoRun", strValue, ""
        'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
        strSubTitle = "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\"
        RegDataChk HKLM, "Software\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs", strValue, ""
        'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
        '"GinaDLL" = "MSGina.dll"
        strSubTitle = "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
        RegDataChk HKLM, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "GinaDLL", strValue, "msgina.dll"
        'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
        '"Shell" = "Explorer.exe"
        RegDataChk HKLM, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", strValue, "explorer.exe"
        'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
        '"Taskman" = ""
        RegDataChk HKLM, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Taskman", strValue, ""
        'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
        '"Userinit" = "%SystemRoot%\system32\userinit.exe,"
        'find value for "Userinit" name
        flagInfect = False
        strKey = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
        intErrNum = oReg.GetStringValue (HKLM,strKey,"Userinit",strValue)
        'if Userinit name exists And value set (exc for W2K!)
        'NOTE: a missing or empty Userinit value produces no output at all here
        If intErrNum = 0 And strValue <> "" Then
            'save default output line (LRParse appends its own annotation of the value)
            strOut = Chr(34) & "Userinit" & Chr(34) & " = " & Chr(34) &_
                     strValue & Chr(34) & LRParse(strValue)
            'remove trailing space or comma
            strValue = Trim(strValue)
            If InStrRev(strValue,",") = Len(strValue) Then _
                strValue = Left(strValue,Len(strValue)-1)
            'if NT4 And Userinit value <> expected string, toggle infection flag & fill warning string
            If strOS = "NT4" And LCase(strValue) <> "userinit,nddeagnt.exe" And _
               LCase(strValue) <> "userinit nddeagnt.exe" Then
                flagInfect = True
            'if W2K/WXP/WVa
            ElseIf strOS <> "NT4" Then
                'find pos'n of space & comma in value
                intLenValue = Len(strValue)
                intSpacePosn = InStr(strValue," ")
                If intSpacePosn = 0 Then intSpacePosn = intLenValue
                intCommaPosn = InStr(strValue,",")
                If intCommaPosn = 0 Then intCommaPosn = intLenValue
                'if string doesn't contain userinit.exe Or extends beyond space or comma
                'NOTE: this is a substring test -- it confirms "userinit.exe" occurs and
                'that nothing follows the first space/comma; it does not check the
                'directory, so read the quoted value/LRParse text in the report as well
                If InStr(LCase(strValue),"userinit.exe") = 0 Or _
                   intLenValue > intSpacePosn + 1 Or intLenValue > intCommaPosn + 1 Then _
                    flagInfect = True
            End If 'userinit string test
            If flagInfect Then
                strOut = IWarn & strOut : flagIWarn = True
            End If
            'if infected or ShowAll
            If flagInfect Or flagShowAll Then
                'output key name
                TitleLineWrite
                'write name and value to file
                On Error Resume Next
                oFN.WriteLine strOut
                intErrNum = Err.Number : Err.Clear
                On Error GoTo 0
                'error check for W2K if Userinit value not set
                If intErrNum <> 0 Then _
                    oFN.WriteLine Chr(34) & "Userinit" & Chr(34) & " = (value not set)"
            End If 'flagInfect/flagShowAll
        End If 'Userinit value exists?
        flagInfect = False
        'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
        '"System" = ""
        'if NT4, check for expected value
        If strOS = "NT4" Then
            RegDataChk HKLM, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "System", strValue, "lsass.exe"
        'if W2K/WXP/WVa, check for empty string
        Else
            RegDataChk HKLM, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "System", strValue, ""
        End If
        If strOS = "W2K" Or strOS = "WXP" Or strOS = "WVA" Then
            'HKLM\System\CurrentControlSet\Control\SafeBoot\Option\UseAlternateShell
            'the mere presence of a UseAlternateShell value is treated as suspect,
            'whatever its data; when found, the AlternateShell value of the parent
            'key is reported alongside it
            strKey = "System\CurrentControlSet\Control\SafeBoot\Option"
            strSubTitle = "HKLM" & "\" & strKey & "\"
            flagArray = False : flagInfect = False : strValue = ""
            intType = -1 : strWarn = ""
            'enumerate name/value pairs
            EnumNVP HKLM,strKey,arNames,arType
            'check for all OS's (esp WS2K3) if name/value pairs exist
            If IsArray(arNames) Then
                For Each strName In arNames
                    flagArray = True : Exit For
                Next 'arNames member
                'if name/value pairs exist
                If flagArray Then
                    For i = 0 To UBound(arNames)
                        'check for UseAlternateShell name
                        If Trim(LCase(arNames(i))) = "usealternateshell" Then
                            'find its type & value, then exit For
                            flagInfect = True : strWarn = IWarn : flagIWarn = True : intType = arType(i)
                            strValue = RtnValue (HKLM, strKey, "UseAlternateShell", intType)
                            Exit For
                        End If 'UseAlternateShell?
                    Next 'arName member
                End If 'flagArray?
            End If 'IsArray(arNames)?
            'output UseAlternateShell value
            If flagInfect Then
                'write name and value to file
                On Error Resume Next
                TitleLineWrite
                'output final line
                WriteValueData "UseAlternateShell", strValue, intType, strWarn
                intErrNum = Err.Number : Err.Clear
                On Error GoTo 0
                'if write error, output warning
                If intErrNum <> 0 Then _
                    oFN.WriteLine DQ & "UseAlternateShell" & DQ & " = (value not set)"
                strKey = "System\CurrentControlSet\Control\SafeBoot"
                strSubTitle = "HKLM" & "\" & strKey & "\"
                TitleLineWrite
                intErrNum = oReg.GetStringValue (HKLM,strKey,"AlternateShell",strValue)
                If intErrNum = 0 Then
                    On Error Resume Next
                    oFN.WriteLine DQ & "AlternateShell" & DQ & " = " & DQ & strValue & DQ
                    intErrNum1 = Err.Number : Err.Clear
                    On Error Goto 0
                    'if write error, output warning
                    If intErrNum1 <> 0 Then oFN.WriteLine Chr(34) &_
                        "AlternateShell" & Chr(34) & " = ** WARNING -- empty or invalid data! **"
                Else
                    oFN.WriteLine DQ & "AlternateShell" & DQ & " = (value not set)"
                End If 'intErrNum=0?
            ElseIf flagShowAll Then
                TitleLineWrite
                oFN.WriteLine DQ & "UseAlternateShell" & DQ & " = (value not found)"
            End If 'flagInfect Or flagShowAll?
            flagArray = False : flagInfect = False : strWarn = ""
        End If 'W2K/WXP/WVa?
        'HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders
        'the comma-separated list is compared member by member with the
        'O/S-specific arSP list; a member is allowed only if its name matches
        'AND CoName reports MS for it.  Every unallowed member is collected
        'into one IWarn prefix.  A missing/empty value is always reported,
        'even without -all (see the Else branch below).
        strKey = "System\CurrentControlSet\Control\SecurityProviders"
        strSubTitle = "HKLM" & "\" & strKey & "\"
        strWarn = ""
        'set the SecurityProviders array per the OS version
        If strOS = "W2K" Or strOS = "WXP" Or strOS = "NT4" Then
            arSP = Array ("msapsspc.dll","schannel.dll","digest.dll","msnsspc.dll")
        ElseIf strOS = "WVA" Then
            arSP = Array ("credssp.dll")
        Else
            arSP = Array ("msapsspc.dll","digest.dll","msnsspc.dll")
        End IF
        'read the value, split into array
        intErrNum = oReg.GetStringValue (HKLM,strKey,"SecurityProviders",strValue)
        'if value exists (except for W2K!)
        If intErrNum = 0 And strValue <> "" Then
            'split the value into an array using comma delimiters
            arValues = Split(strValue, ",", -1, vbTextCompare) 'vbTextCompare = 1
            flagInfect = False 'assume all DLL's allowed
            'for every member of the value array
            For Each strVal In arValues
                flagFound = False 'assume DLL is not allowed
                'for every member of the allowed SP array
                For Each strSP In arSP
                    'if names match And CoName is MS
                    If LCase(Trim(strSP)) = LCase(Trim(strVal)) And _
                       CoName(IDExe(strVal)) = MS Then
                        flagFound = True : Exit For 'toggle flag to allowed for this DLL
                    End If
                Next 'SP array member
                'if this DLL not allowed
                If Not flagFound Then
                    flagInfect = True 'toggle infected flag for entire value
                    If strWarn = "" Then 'if this is 1st unallowed value
                        strWarn = IWarn & "(" & DQ & Trim(strVal) & DQ & CoName(IDExe(strVal))
                        flagIWarn = True
                    Else 'not the 1st unallowed value
                        strWarn = strWarn & ", " & DQ & Trim(strVal) & DQ & CoName(IDExe(strVal))
                    End If
                End If 'DLL allowed?
            Next 'value array member
            'if infection present, terminate warning message
            If strWarn <> "" Then strWarn = strWarn & ") "
            'output if infected or ShowAll
            If flagInfect Or flagShowAll Then
                On Error Resume Next
                TitleLineWrite
                oFN.WriteLine strWarn & DQ & "SecurityProviders" & DQ & " = " &_
                              DQ & strValue & DQ
                intErrNum = Err.Number : Err.Clear
                On Error Goto 0
                If intErrNum <> 0 Then oFN.WriteLine DQ & "SecurityProviders" & DQ &_
                                       " = (value not set)"
            End If
        Else 'value not found
            TitleLineWrite
            oFN.WriteLine DQ & "SecurityProviders" & DQ & " = (value not set)"
        End If
        'HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
        'each line of the multi-string is accepted when it contains the
        'substring "autocheck" anywhere (no path check); any other line marks
        'the whole value with IWarn and gets its CoName appended.  All lines
        'are joined with "|" into one output line.
        strKey = "System\CurrentControlSet\Control\Session Manager"
        intErrNum = oReg.GetMultiStringValue (HKLM,strKey,"BootExecute",arNames)
        strSubTitle = "HKLM" & "\" & strKey & "\"
        'initialize output strings
        strLine = "" : strCN = "" : flagInfect = False : strWarn = ""
        If intErrNum = 0 Then 'BootExecute value exists
            'alert if autocheck not in every line of multi-string
            For i = 0 To UBound(arNames)
                'if autocheck not in a line, trim, surround in quotes, look for CoName
                If InStr(LCase(arNames(i)),"autocheck") = 0 Then
                    strWarn = IWarn : flagInfect = True : flagIWarn = True
                    strLine = StrOutSep(strLine,StringFilter(Trim(arNames(i)),True) & CoName(IDExe(arNames(i))),"|")
                Else 'otherwise, trim and surround in quotes
                    strLine = StrOutSep(strLine,StringFilter(Trim(arNames(i)),True),"|")
                End If
            Next 'arNames member
        Else 'BootExecute value doesn't exist or not set
            strLine = "(value not set)"
        End If 'BootExecute value exists?
        'output bootexecute value
        If flagInfect Or flagShowAll Then
            'write name and value to file
            On Error Resume Next
            TitleLineWrite
            'output final line
            oFN.WriteLine strWarn & DQ & "BootExecute" & DQ & " = " & strLine
            intErrNum = Err.Number : Err.Clear
            On Error GoTo 0
            'if write error, output warning
            If intErrNum <> 0 Then oFN.WriteLine DQ & "BootExecute" & DQ &_
                                   " = (value not set)"
        End If 'flagInfect Or flagShowAll?
        'HKLM\System\CurrentControlSet\Control\WOW
        'WVa does not contain these values by default
        'the expected strings are built from %SystemRoot% so the comparison
        'is against the installed system directory, not a hard-coded drive
        If strOS <> "WVA" Then
            strKey = "System\CurrentControlSet\Control\WOW"
            strSubTitle = "HKLM" & "\" & strKey & "\"
            strValue1 = Wshso.ExpandEnvironmentStrings("%SystemRoot%\system32\ntvdm.exe")
            RegDataChk HKLM, "System\CurrentControlSet\Control\WOW", "cmdline", strValue, strValue1
            strValue1 = Wshso.ExpandEnvironmentStrings("%SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386")
            RegDataChk HKLM, "System\CurrentControlSet\Control\WOW", "wowcmdline", strValue, strValue1
        End if 'WVa?
    End If 'not W98/WMe
    strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
    strLine = "" : strWarn = ""
End If 'SecTest?
'#8. Examine HKLM...
'Winlogon\Notify\ subkey DLLName values
'Each Notify sub-key carries a DLLName value naming a Winlogon notification
'DLL; the header lists this key among the launch points.  The pair
'(sub-key name, DLLName) is compared case-insensitively with an
'O/S-specific dictionary of expected entries and flagged with IWarn when it
'is not there; the report line also carries CoName for the DLL, but the
'company name is NOT part of the allow-list test in this section.
'The dictionary is only filled for W2K and WXP, so on NT4 (which passes the
'OS test below) every Notify sub-key is reported as unexpected.  A sub-key
'whose DLLName is missing or empty is skipped silently (no Else on the
'value test), even with -all.
intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then
    Set arSK = CreateObject("Scripting.Dictionary") 'key, item
    'keys and items are stored in lower case because the lookup below
    'compares LCase(oKey) / LCase(strValue) against them
    If strOS = "W2K" Then
        arSK.Add "crypt32chain", "crypt32.dll"
        arSK.Add "cryptnet", "cryptnet.dll"
        arSK.Add "cscdll", "cscdll.dll"
        arSK.Add "sclgntfy", "sclgntfy.dll"
        arSK.Add "senslogn", "wlnotify.dll"
        arSK.Add "termsrv", "wlnotify.dll"
        arSK.Add "wzcnotif", "wzcdlg.dll"
    ElseIf strOS = "WXP" Then
        arSK.Add "crypt32chain", "crypt32.dll"
        arSK.Add "cryptnet", "cryptnet.dll"
        arSK.Add "cscdll", "cscdll.dll"
        arSK.Add "sccertprop", "wlnotify.dll"
        arSK.Add "schedule", "wlnotify.dll"
        arSK.Add "sclgntfy", "sclgntfy.dll"
        arSK.Add "senslogn", "wlnotify.dll"
        arSK.Add "termsrv", "wlnotify.dll"
        arSK.Add "wlballoon", "wlnotify.dll"
        arSK.Add "wgalogon", "wgalogon.dll"
    End If
    arSKk = arSK.Keys
    arSKi = arSK.Items
    If strOS <> "W98" And strOS <> "WME" And strOS <> "WVA" Then
        strKey = "Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
        strSubTitle = "HKLM" & "\" & strKey & "\"
        'find all the subkeys
        oReg.EnumKey HKLM, strKey, arKeys
        'enumerate data if present
        If IsArray(arKeys) Then
            'for each key
            For Each oKey In arKeys
                'initialize variables -- assume unexpected until matched
                flagInfect = True : strWarn = IWarn
                'get the DLLName data
                intErrNum = oReg.GetStringValue (HKLM,strKey & "\" & oKey,"DLLName",strValue)
                'if sub-key DLLName name exists And value set (exc for W2K!)
                If intErrNum = 0 And strValue <> "" Then
                    'check dictionary for allowed entry
                    For i = 0 To arSK.Count-1
                        'if key = dictionary key & value = dictionary item
                        '(the full DLLName data must equal the bare file name in the
                        'dictionary, so a path-qualified DLLName never matches)
                        If LCase(oKey) = arSKk(i) And LCase(strValue) = arSKi(i) Then
                            'toggle flag & exit -- no output necessary
                            flagInfect = False : strWarn = "" : Exit For
                        End If
                    Next 'dictionary key
                    'if DLL not allowed, toggle IWarn flag
                    If flagInfect Then flagIWarn = True
                    'if flag not found in O/S-specific dictionary or ShowAll
                    If flagInfect Or flagShowAll Then
                        'output title lines if not already done
                        TitleLineWrite
                        On Error Resume Next
                        'write the key, name and value to a file
                        oFN.WriteLine strWarn & oKey & "\DLLName = " & Chr(34) &_
                                      strValue & Chr(34) & CoName(IDExe(strValue))
                        intErrNum = Err.Number : Err.Clear
                        On Error GoTo 0
                        'error check for W2K if DLLName value not set
                        If intErrNum <> 0 Then oFN.WriteLine oKey & "\DLLName" &_
                                               " = (value not set)"
                    End If 'flag not found in dictionary or ShowAll?
                End If 'value missing?
            Next 'Notify subkey
        Else 'Notify subkeys don't exist
            'output title line
            If flagShowAll Then TitleLineWrite
        End If 'Notify subkeys exist?
    End If 'not W98/WMe/WVa
    strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
    strWarn = "" : strCN = ""
    'recover array memory
    arSK.RemoveAll : Set arSK=Nothing : ReDim arKeys(0)
End If 'SecTest?
'#9. HKLM...
Image File Execution Options ("Debugger" subkeys) intSection = intSection + 1 'execute section if not in testing mode or (in testing mode And this section selected for testing) If Not flagTest Or (flagTest And SecTest) Then 'ignore W98/WMe/WVa If strOS <> "W98" And strOS <> "WME" And strOS <> "WVA" Then strKey = "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" strSubTitle = "HKLM\" & strKey & "\" 'get executable name sub-keys oReg.EnumKey HKLM,strKey,arSubKeys If IsArray(arSubKeys) Then 'for each sub-key For Each strSubKey in arSubKeys strWarn = "" 'skip allowed sub-key unless ShowAll If LCase(strSubKey) <> LCase("Your Image File Name Here without a path") Or _ flagShowAll Then 'look for Debugger value intErrNum = oReg.GetStringValue (HKLM,strKey & "\" & strSubKey,"Debugger",strValue) 'if Debugger value exists If intErrNum = 0 And strValue <> "" Then 'if sub-key is not allowed, set warning If LCase(strSubKey) <> LCase("Your Image File Name Here without a path") Then strWarn = IWarn : flagIWarn = True End If 'output title line if not already done TitleLineWrite 'output sub-key, warning, Debugger value oFN.WriteLine strWarn & strSubKey & "\Debugger = " &_ Chr(34) & strValue & Chr(34) & CoName(IDExe(strValue)) End If 'Debugger value exists? End If 'not allowed sub-key or ShowAll? Next 'IFEO sub-key 'recover array memory ReDim arSubKeys(0) End If 'IFEO sub-key array exists? End If 'not W98/WMe? strTitle = "" : strSubTitle = "" : strSubSubTitle = "" End If 'SecTest? '#10. HKCU/HKLM... Policies... 
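'Startup/Shutdown, Logon/Logoff scripts (W2K/WXP/WVa)
'
'Section 10: Group Policy scripts.  Hive index 0 (HKCU) is scanned for
'Logon/Logoff scripts and hive index 1 (HKLM) for Startup/Shutdown scripts
'(arScrName row = hive index).
'  W2K     -- the Scripts key holds one path value per script type; when
'             <path>\scripts.ini exists it is parsed by ScrIFP (defined
'             elsewhere), otherwise a WARNING line is written.
'  WXP/WVa -- the Scripts key holds numbered master keys (DisplayName,
'             FileSysPath) with numbered script sub-keys (Script, Parameters);
'             each Script is reported as "launches: <command line>" with the
'             company name of its executable (CoName(IDExe(...)), defined
'             elsewhere).
'Output goes through oFN and TitleLineWrite (defined elsewhere).
intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then
  strCmd = "" 'script command line string
  Dim arScrName() : ReDim arScrName(1,1)
  arScrName(0,0) = "Logon" : arScrName(0,1) = "Logoff"
  arScrName(1,0) = "Startup" : arScrName(1,1) = "Shutdown"
  'treat WVa analogously to WXP
  Dim strOSEq : strOSEQ = strOS
  If strOS = "WXP" Or strOS = "WVA" Then strOSEq = "WXP-WVA"
  'NOTE(review): strScrDir is not referenced in this section, and strFSP is
  'first assigned in the WXP-WVA branch below, so on the first pass this
  'presumably evaluates to "\Scripts\" -- confirm whether a sub elsewhere uses it
  Dim strScrDir : strScrDir = strFSP & "\Scripts\"
  If strOS = "WVA" Then strScrDir = strFSP & "\GroupPolicy\"
  Select Case strOSEq
    Case "W2K"
      'collection flag (set here but not referenced in this section)
      Dim flagColl : flagColl = False
      'for HKCU, then HKLM
      For i = 0 To 1
        strKey = "Software\Policies\Microsoft\Windows\System\Scripts"
        strSubTitle = arHives(i,0) & "\" & strKey & "\"
        'for every script type for the hive
        For j = 0 To 1
          intErrNum = oReg.GetStringValue(arHives(i,1), strKey, arScrName(i,j), strValue)
          If intErrNum = 0 And strValue <> "" Then
            'if value points to SCRIPTS.INI, parse the file
            If Fso.FileExists(strValue & "\scripts.ini") Then
              ScrIFP strValue, arScrName(i,j)
            'value is not empty, so output a warning, or value is not set
            ElseIf strValue <> "" Then
              On Error Resume Next
              TitleLineWrite
              oFN.WriteLine "WARNING! Either " & Chr(34) & strValue &_
               "\scripts.ini" & Chr(34) & vbCRLF & Space(9) & "doesn't " &_
               "exist or there " & "is insufficient permission to " &_
               "read it!"
              intErrNum = Err.Number : Err.Clear
              On Error Goto 0
              If intErrNum <> 0 Then
                TitleLineWrite
                'NOTE(review): strName is not assigned in this section, so this
                'line reports whatever an earlier section left in it;
                'arScrName(i,j) looks like the intended name -- confirm
                oFN.WriteLine strName & " = (value not set)"
              End If
            End If 'value points to SCRIPTS.INI or is not empty
          End If 'HKCU logon/logoff Or HKLM startup/shutdown value exists?
        Next 'name in Scripts key
        'if ShowAll, output title line
        If flagShowAll Then TitleLineWrite
      Next 'hive type
    Case "WXP-WVA"
      'Base Key string
      Dim strBK : strBK = "Software\Policies\Microsoft\Windows\System\Scripts\"
      'modify script location for WVa
      If strOS = "WVA" Then strBK = "Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\"
      Dim arNKSE 'Numbered (master) Keys containing Script Executable values
      'values: DisplayName, FileSysPath, Script, Parameter
      'strCmdLine: the command line as reported (executable plus Parameters)
      Dim strSPXP, strDispName, strFSP, strScript, strParam, strCmdLine
      'for every hive
      For i = 0 To 1
        'for every script type
        For j = 0 To 1
          strSubTitle = arHives(i,0) & "\" & strBK & arScrName(i,j) & "\"
          'look for script type subkeys
          oReg.EnumKey arHives(i,1),strBK & arScrName(i,j),arKeys
          'enumerate data if present
          If IsArray(arKeys) Then
            'for each numbered key header (containing numbered script keys)
            For Each strKey in arKeys
              strSubTitle = arHives(i,0) & "\" & strBK & arScrName(i,j) &_
               "\" & strKey & "\"
              'find DisplayName & FileSysPath
              intErrNum1 = oReg.GetStringValue (arHives(i,1),strBK & arScrName(i,j) &_
               "\" & strKey,"DisplayName",strDispName)
              'embed existing, non-empty value in quotes
              If intErrNum1 = 0 And strDispName <> "" Then
                strDispName = Chr(34) & strDispName & Chr(34)
              'for missing or empty value
              Else
                strDispName = "(value not set)"
              End If 'DisplayName exists?
              intErrNum2 = oReg.GetStringValue (arHives(i,1),strBK & arScrName(i,j) &_
               "\" & strKey,"FileSysPath",strFSP)
              'if FileSysPath value exists And not empty
              If intErrNum2 = 0 And strFSP <> "" Then
                'look for numbered script subkeys
                oReg.EnumKey arHives(i,1),strBK & arScrName(i,j) & "\" & strKey,arNKSE
                'enumerate data if present
                If IsArray(arNKSE) Then
                  'for each numbered script key
                  For Each strKey2 in arNKSE
                    strSPXP = "" 'empty the script path
                    'find Parameter value
                    intErrNum3 = oReg.GetStringValue (arHives(i,1),strBK & arScrName(i,j) &_
                     "\" & strKey & "\" & strKey2,"Parameters",strParam)
                    'if Parameters name doesn't exist, set value to empty string
                    If intErrNum3 <> 0 Then strParam = ""
                    'find Script value
                    intErrNum4 = oReg.GetStringValue (arHives(i,1),strBK & arScrName(i,j) &_
                     "\" & strKey & "\" & strKey2,"Script",strScript)
                    'if Script value exists And not empty
                    If intErrNum4 = 0 And strScript <> "" Then
                      'form script executable string
                      'if script string has no backslash, use
                      'FileSysPath\Scripts\[script type]\ to locate executable
                      'if executable not found, it will not launch
                      If InStr(strScript,"\") = 0 Then _
                       strSPXP = strFSP & "\Scripts\" & arScrName(i,j) & "\"
                      strCmd = strSPXP & strScript
                      'if parameter string is not empty, append it to the reported
                      'command line.  The executable is still identified from the
                      'parameter-free strCmd; previously the parameters were appended
                      'to strScript after strCmd had been built and so never reached
                      'the report, hiding what a generic launcher was actually given
                      strCmdLine = strCmd
                      If Trim(strParam) <> "" Then strCmdLine = strCmd & " " & strParam
                      'write title lines if necessary for this master key
                      TitleLineWrite
                      oFN.WriteLine "DisplayName = " & strDispName
                      'write script executable (and parameters, if any)
                      oFN.WriteLine strKey2 & "\" & " -> launches: " & DQ &_
                       strCmdLine & DQ & CoName(IDExe(strCmd))
                    End If 'Script value exists And not empty?
                  Next 'numbered script executable key
                End If 'script executable key array exists?
              End If 'FileSysPath exists?
            Next 'master key
          End If 'master key array exists?
          'if ShowAll and no prior output, output key
          If flagShowAll Then TitleLineWrite
        Next 'script type
      Next 'hive type
      'recover array memory
      ReDim arScrName(0)
  End Select 'W2K or WXP-WVA?
  strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
End If 'SecTest?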
'#11. HKCU/HKLM Protocols\Filter
'
'Section 11: MIME/protocol filter handlers registered under
'Software\Classes\PROTOCOLS\Filter in HKCU (hive index 0) and HKLM (index 1).
'Each filter sub-key's CLSID value is resolved (ResolveCLSID, defined
'elsewhere) to its title and InProcServer32 DLL in every CLSID hive from
'intCLL to 1.  A filter is deemed allowed only when the filter name, the CLSID
'and the DLL's full path (strFPSF & "\" & <dll>) match a row of arFilter, the
'DLL's company name is MS and the CLSID came from HKLM (ctrCH = 1); anything
'else is written to oFN with the IWarn prefix (everything under ShowAll).
intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then
  Dim strSKey 'sub-key
  '10 x 3 arFilter array: filter title, CLSID value, CLSID\InProcServer32 default value
  ReDim arFilter(9,2)
  arFilter(0,0) = "Class Install Handler"
  arFilter(0,1) = "{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
  arFilter(0,2) = "urlmon.dll"
  arFilter(1,0) = "deflate"
  arFilter(1,1) = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
  arFilter(1,2) = "urlmon.dll"
  arFilter(2,0) = "gzip"
  arFilter(2,1) = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
  arFilter(2,2) = "urlmon.dll"
  arFilter(3,0) = "lzdhtml"
  arFilter(3,1) = "{8f6b0360-b80d-11d0-a9b3-006097942311}"
  arFilter(3,2) = "urlmon.dll"
  arFilter(4,0) = "text/webviewhtml"
  arFilter(4,1) = "{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
  arFilter(4,2) = "shell32.dll"
  arFilter(5,0) = "text/webviewhtml"
  arFilter(5,1) = "{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
  arFilter(5,2) = "shdoc401.dll"
  arFilter(6,0) = "text/webviewhtml"
  arFilter(6,1) = "{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
  arFilter(6,2) = "shdocvw.dll"
  arFilter(7,0) = "application/octet-stream"
  arFilter(7,1) = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
  arFilter(7,2) = "mscoree.dll"
  arFilter(8,0) = "application/x-complus"
  arFilter(8,1) = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
  arFilter(8,2) = "mscoree.dll"
  arFilter(9,0) = "application/x-msdownload"
  arFilter(9,1) = "{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
  arFilter(9,2) = "mscoree.dll"
  strKey = "Software\Classes\PROTOCOLS\Filter"
  'for HKCU & HKLM
  For i = 0 To 1
    strSubTitle = arHives(i,0) & "\" & strKey & "\"
    'find all the subkeys
    oReg.EnumKey arHives(i,1), strKey, arKeys
    'enumerate data if present
    If IsArray(arKeys) Then
      'for each sub-key
      For Each strSKey In arKeys
        'set default values:
        'flagMatch = True if filter name, CLSID, InProcServer32 DLL, &
        ' DLL CoName match allowed values
        flagMatch = False
        'get the Filter CLSID value
        intErrNum1 = oReg.GetStringValue (arHives(i,1),strKey & "\" & strSKey, _
         "CLSID",strCLSID)
        'if CLSID name exists And value set (exc for W2K!)
        If intErrNum1 = 0 And strCLSID <> "" Then
          flagTitle = False
          'for each CLSID hive
          For ctrCH = intCLL To 1
            'retrieve CLSID title & IPSDLL
            ResolveCLSID strCLSID, arHives(ctrCH,1), strCLSIDTitle, strIPSDLL
            'if IPSDLL retrieved
            If strIPSDLL <> "" Then
              strCN = CoName(IDExe(strIPSDLL)) 'find CoName for matching
              'check array for allowed entry
              For j = 0 To UBound(arFilter,1)
                'if filter name, CLSID value, DLL match arFilter & CoName = MS & hive = HKLM
                '(an HKCU registration of the same filter is therefore always reported)
                If LCase(strSKey) = LCase(arFilter(j,0)) And _
                 LCase(strCLSID) = LCase(arFilter(j,1)) And _
                 LCase(IDExe(strIPSDLL)) = LCase(strFPSF & "\" & arFilter(j,2)) And _
                 strCN = MS And ctrCH = 1 Then
                  'toggle flag, empty warning string
                  flagMatch = True : strWarn = "" : Exit For
                End If 'filter name & CLSID match arFilter?
              Next 'arFilter member
              If Not flagMatch Then
                strWarn = IWarn : flagIWarn = True
              End If
              'if filter not in allowed array Or ShowAll
              If Not flagMatch Or flagShowAll Then
                TitleLineWrite
                If Not flagTitle Then
                  On Error Resume Next
                  'write the quote-delimited filter name and CLSID value
                  oFN.WriteLine strWarn & strSKey & "\CLSID = " & DQ & strCLSID & DQ
                  intErrNum = Err.Number : Err.Clear : flagTitle = True
                  On Error Goto 0
                End If
                'intErrNum is only set by the first hive's WriteLine above; later
                'hives reuse that result
                If intErrNum = 0 Then
                  oFN.WriteLine " -> {" & arHives(ctrCH,0) & "...CLSID} = " &_
                   strCLSIDTitle & vbCRLF & Space(19) & "\InProcServer32\(Default) = " &_
                   StringFilter(strIPSDLL,True) & strCN
                Else
                  oFN.WriteLine strSKey & "\CLSID = (value not set)"
                End If
              End If 'Not flagMatch Or ShowAll?
            End If 'strIPSDLL exists?
          Next 'CLSID hive
        ElseIf flagShowAll Then 'strCLSID doesn't exist & flagShowAll
          oFN.WriteLine vbCRLF & strSKey & "\CLSID = (value not set)"
        End If 'strCLSID exists?
      Next 'Filter subkey
    End If 'Filter subkeys exist?
  Next 'PROTOCOLS/Filter hive
  If flagShowAll Then TitleLineWrite
  'reset flag
  flagMatch = False
  'reset strings
  strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
  strWarn = ""
  'recover array memory
  ReDim arFilter(0)
End If 'SecTest?
'#12. Context menu shell extensions
'
'Section 12: ColumnHandlers and ContextMenuHandlers registered under
'HKLM\Software\Classes\<class>\shellex for each class in arClasses.  The
'handler's CLSID (the sub-key name for ColumnHandlers, the sub-key's default
'value for ContextMenuHandlers) is resolved to its InProcServer32 DLL in every
'CLSID hive from intCLL to 1.  A handler is allowed when the DLL's file name is
'in arAllowedDlls, its company name is MS and the CLSID came from HKLM
'(ctrCH = 1); the rest (everything under ShowAll) are written to oFN.
'NOTE(review): only the DLL file name is compared here, whereas the
'Protocols\Filter section above compares the full path strFPSF & "\" & <dll>;
'a DLL with an allowed name in some other directory is accepted solely on the
'strength of CoName = MS.  Matching the full path here as well would make the
'two whitelists consistent.
intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then
  Dim arClasses() : ReDim arClasses(3)
  arClasses(0) = "*" : arClasses(1) = "Directory" : arClasses(2) = "Folder"
  arClasses(3) = "AllFilesystemObjects"
  Dim arAllowedDlls ()
  'ColumnHandlers
  ReDim arAllowedDlls(2)
  arAllowedDlls(0) = "docprop2.dll" : arAllowedDlls(1) = "faxshell.dll"
  arAllowedDlls(2) = "shell32.dll"
  For i = 0 To UBound(arClasses)
    strSubTitle = "HKLM\Software\Classes\" & arClasses(i) &_
     "\shellex\ColumnHandlers\"
    strKey = "Software\Classes\" & arClasses(i) & "\shellex\ColumnHandlers"
    intErrNum = oReg.EnumKey(HKLM,strKey,arSubKeys)
    If intErrNum = 0 And IsArray(arSubKeys) Then
      For Each strSubKey In arSubKeys
        flagTitle = False
        For ctrCH = intCLL To 1
          'title of the handler sub-key (CLSIDLocTitle, defined elsewhere)
          CLSIDLocTitle arHives(ctrCH,1), strKey & "\" & strSubKey, "", strLocTitle
          'the sub-key name itself is the CLSID here
          ResolveCLSID strSubKey, arHives(ctrCH,1), strCLSIDTitle, strIPSDLL
          If strIPSDLL <> "" Then 'IPS exists?
            flagAllow = False
            For j = 0 To UBound(arAllowedDlls)
              strCN = CoName(IDExe(strIPSDLL))
              If LCase(Trim(Fso.GetFileName(strIPSDLL))) = LCase(arAllowedDlls(j)) And _
               strCN = MS And ctrCH = 1 Then
                flagAllow = True : Exit For
              End If
            Next 'arAllowedDlls element
            If Not flagAllow Or flagShowAll Then
              TitleLineWrite
              If Not flagTitle Then
                oFN.WriteLine strSubKey & "\(Default) = " & strLocTitle
                flagTitle = True
              End If
              oFN.WriteLine " -> {" & arHives(ctrCH,0) & "...CLSID} = " &_
               strCLSIDTitle & vbCRLF & Space(19) & "\InProcServer32\(Default) = " &_
               StringFilter(strIPSDLL,True) & CoName(IDExe(strIPSDLL))
            End If 'Not flagAllow Or ShowAll?
          End If 'strIPSDLL not empty?
        Next 'CLSID hive
      Next 'sub-key
    End If 'sub-keys exist?
  Next 'class
  'ContextMenuHandlers
  ReDim arAllowedDlls(7)
  arAllowedDlls(0) = "syncui.dll" : arAllowedDlls(1) = "cscui.dll"
  arAllowedDlls(2) = "shell32.dll" : arAllowedDlls(3) = "runext.dll"
  arAllowedDlls(4) = "ntshrui.dll" : arAllowedDlls(5) = "msshrui.dll"
  arAllowedDlls(6) = "shcompui.dll" : arAllowedDlls(7) = "shdoc401.dll"
  'layout.dll, CoName = "Microsoft" (noted, but not in arAllowedDlls)
  For i = 0 To UBound(arClasses)
    strSubTitle = "HKLM\Software\Classes\" & arClasses(i) &_
     "\shellex\ContextMenuHandlers\"
    strKey = "Software\Classes\" & arClasses(i) & "\shellex\ContextMenuHandlers"
    intErrNum = oReg.EnumKey(HKLM,strKey,arSubKeys)
    If intErrNum = 0 And IsArray(arSubKeys) Then
      For Each strSubKey In arSubKeys
        'the sub-key's default value holds the CLSID here
        intErrNum2 = oReg.GetStringValue(HKLM,strKey & "\" & strSubKey,"",strCLSID)
        If intErrNum2 = 0 And strCLSID <> "" Then
          flagTitle = False
          For ctrCH = intCLL To 1
            ResolveCLSID strCLSID, arHives(ctrCH,1), strCLSIDTitle, strIPSDLL
            If strIPSDLL <> "" Then 'IPS exists?
              flagAllow = False
              For j = 0 To UBound(arAllowedDlls)
                strCN = CoName(IDExe(strIPSDLL))
                If LCase(Trim(Fso.GetFileName(strIPSDLL))) = LCase(arAllowedDlls(j)) And _
                 strCN = MS And ctrCH = 1 Then
                  flagAllow = True : Exit For
                End If
              Next 'arAllowedDlls element
              If Not flagAllow Or flagShowAll Then
                TitleLineWrite
                If Not flagTitle Then
                  oFN.WriteLine strSubKey & "\(Default) = " & Chr(34) & strCLSID & Chr(34)
                  flagTitle = True
                End If
                oFN.WriteLine " -> {" & arHives(ctrCH,0) & "...CLSID} = " &_
                 strCLSIDTitle & vbCRLF & Space(19) & "\InProcServer32\(Default) = " &_
                 StringFilter(strIPSDLL,True) & CoName(IDExe(strIPSDLL))
              End If 'Not flagAllow Or ShowAll?
            End If 'strIPSDLL exists?
          Next 'CLSID hive
        End If 'CLSID exists?
      Next 'sub-key
    End If 'sub-keys exist?
  Next 'class
  'recover array memory
  ReDim arClasses(0)
  'reset strings
  strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
End If 'SecTest?
'#13.
'HKCU/HKLM executable file type (bat/cmd/com/exe/hta/pif/scr)
'
'Section 13: default handlers for executable file types.  For each extension
'in arExeExt the "Software\Classes\.<ext>" default value (the file type) is
'read from every hive from intCLL to 1; HKCU entries, unexpected file types
'(<> arExeFT) and, under ShowAll, every entry are collected in strOut.  The
'SOC values (presumably shell\open\command -- confirm in SOCValue, defined
'elsewhere) are checked against arExpVal for the extension key, for the file
'type key of the current hive and, on W2K/WXP (intCLL = 0) when the file type
'is unexpected, for the other hive.  The collected lines are written to oFN
'only when strOut is non-empty or ShowAll is set.
intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then
  'set up executables/executable file type/expected value arrays
  '(W98/WMe have no cmdfile; the expected .hta handler is mshta.exe in the
  'system folder, Fso.GetSpecialFolder(1))
  Dim arExeExt, arExeFT, arExpVal
  If strOS = "W98" Or strOS = "WME" Then
    arExeExt = Array("bat","com","exe","hta","pif","scr")
    arExeFT = Array("batfile","comfile","exefile","htafile","piffile","scrfile")
    arExpVal = Array("""%1"" %*","""%1"" %*","""%1"" %*", _
     LCase(Fso.GetSpecialFolder(1)) & "\mshta.exe ""%1"" %*", _
     """%1"" %*","""%1"" /s")
  Else
    arExeExt = Array("bat","cmd","com","exe","hta","pif","scr")
    arExeFT = Array("batfile","cmdfile","comfile","exefile","htafile","piffile","scrfile")
    arExpVal = Array("""%1"" %*","""%1"" %*","""%1"" %*","""%1"" %*", _
     LCase(Fso.GetSpecialFolder(1)) & "\mshta.exe ""%1"" %*", _
     """%1"" %*","""%1"" /s")
  End If
  'does base key exist?, alternate hive counter
  '(flagKeyExists is declared but not referenced in this section)
  Dim flagKeyExists, ctrCH2
  'HKCU/HKLM file types
  Dim arFT : arFT = Array("","")
  strTitle = "Default executables:"
  'for each ext
  For i = 0 To UBound(arExeExt)
    strOut = ""
    'for each hive
    For ctrCH = intCLL To 1
      'construct ext key
      strKey = "Software\Classes\." & arExeExt(i)
      'look for ext key default value (file type)
      intErrNum = oReg.GetStringValue (arHives(ctrCH,1),strKey,"",strValue)
      'if ext key file type exists
      If intErrNum = 0 And strValue <> "" Then
        'save file type for this hive
        arFT(ctrCH) = strValue
        'output if in HKCU hive or unexpected file type
        If ctrCH = 0 Or LCase(arFT(ctrCH)) <> LCase(arExeFT(i)) Or flagShowAll Then
          strOut = StrOutSep(strOut,arHives(ctrCH,0) & "\" & strKey &_
           "\(Default) = " & StringFilter(strValue,True),vbCRLF)
          'if O/S = W2K/WXP and unexpected file type, check *other* hive
          If intCLL = 0 And LCase(arFT(ctrCH)) <> LCase(arExeFT(i)) Then
            'calculate index of other hive
            ctrCH2 = ABS(ctrCH-1)
            'find file type SOC value in other hive
            SOCValue arFT(ctrCH),ctrCH2,"",False
          End If 'W2K/WXP with unexpected file type?
        End if 'HKCU or unexpected file type?
        'look for ext SOC value/key
        SOCValue "." & arExeExt(i), ctrCH, arExeFT(i), False
        'look for file type SOC value/key (current hive)/file type base key
        SOCValue arFT(ctrCH), ctrCH, arExpVal(i), True
      'ext key default value (file type) not set
      Else
        'look for ext key
        intErrNum = oReg.EnumValues (arHives(ctrCH,1),strKey,arNames,arType)
        'if ext key exists
        If intErrNum = 0 Then
          'output ext key
          strOut = StrOutSep(strOut,arHives(ctrCH,0) & "\" & strKey &_
           "\(Default) = (value not set)",vbCRLF)
          'look for ext key SOC value/key
          SOCValue "." & arExeExt(i), ctrCH, "", False
        Else 'ext key doesn't exist
          'only reported for HKLM; a missing HKCU override is normal
          If ctrCH = 1 Then strOut = StrOutSep(strOut,arHives(ctrCH,0) &_
           "\" & strKey & "\ = (key not found)",vbCRLF)
        End If 'ext key?
        'look for default file type SOC/file type base key
        SOCValue arExeFT(i), ctrCH, arExpVal(i), True
      End If 'ext key file type exists?
    Next 'Class hive
    'write output
    If strOut <> "" Or flagShowAll Then
      TitleLineWrite : oFN.WriteLine vbCRLF & strOut
    End If
  Next 'ext
  strTitle = ""
  'recover array memory
  'NOTE(review): "arExtFT" looks like a typo for arExeFT; ReDim creates a new
  'array of that name, so arExeFT is simply never released (harmless)
  ReDim arExeExt(0) : ReDim arExtFT(0) : ReDim arExpVal(0)
End If 'SecTest?
'#14.
'System/Group Policies
' Checked Keys:
'
' HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
' HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
' HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
' HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
' HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl
' HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
' HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
' HKCU/HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel
' HKCU/HKLM\Software\Policies\Microsoft\Internet Explorer\Download
' HKCU/HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
' HKCU/HKLM\Software\Policies\Microsoft\Internet Explorer\Main
' HKCU/HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS
' HKCU/HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter
' HKCU/HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions
' HKCU/HKLM\Software\Policies\Microsoft\Internet Explorer\Security
' HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}
' HKCU/HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
' HKCU/HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
' HKCU/HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
' HKCU/HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
' HKCU/HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
' HKCU/HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
' HKCU\Software\Policies\Microsoft\Windows\Network Connections
' HKCU\Software\Policies\Microsoft\Windows\System
' HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0
'
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System ' HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore intSection = intSection + 1 'execute section if not in testing mode or (in testing mode And this section selected for testing) If Not flagTest Or (flagTest And SecTest) Then Const ATPL = "Administrative Templates|" Const WSSSLP = "Windows Settings|Security Settings|Local Policies|" Const WC = "Windows Components|" Const IEX = "Internet Explorer|" Const MMC = "Microsoft Management Console|" Const WEX = "Windows Explorer|" Const SMTB = "Start Menu and Taskbar|" Const DT = "Desktop|" Const DAD = "Desktop / Active Desktop|" Const CP = "Control Panel|" Const NWK = "Network|" Const SYS = "System|" 'assign System or Group Policy name Dim strPolName : strPolName = "System " If strOS = "W2K" Or strOS = "WXP" Or strOS = "WVA" Then strPolName = "Group " Dim arDisCplNames, strDisCplName, strDisCplValue 'set title line strTitle = strPolName & "Policies {policy setting}:" 'add GPEdit location to title if GP used (W2K, WXP Pro, WVa) If flagGP Then strTitle = "Group Policies {GPedit.msc branch and setting}:" strSubTitle = "Note: detected settings may not have any effect." 
strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop" ReDim arRecNames(3,2) arRecNames(0,0) = "NoChangingWallPaper" : arRecNames(0,1) = ATPL & CP & "Display|" arRecNames(0,2) = "Disable changing wallpaper}" If strOS = "WXP" Or strOS = "WVA" Then arRecNames(0,2) = "Prevent changing wallpaper}" arRecNames(1,0) = "NoClosingComponents" : arRecNames(1,1) = ATPL & DT & DAD arRecNames(1,2) = "Prohibit closing items}" arRecNames(2,0) = "NoDeletingComponents" : arRecNames(2,1) = ATPL & DT & DAD arRecNames(2,2) = "Prohibit deleting items}" arRecNames(3,0) = "NoEditingComponents" : arRecNames(3,1) = ATPL & DT & DAD arRecNames(3,2) = "Prohibit editing items}" GPRecognizer HKCU, strKey : ReDimGPOArrays strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\Associations" ReDim arRecNames(0,2) arRecNames(0,0) = "DefaultFileTypeRisk" arRecNames(0,1) = ATPL & WC & "Attachment Manager|" arRecNames(0,2) = "Default risk level for file attachments}" GPRecognizer HKCU, strKey : ReDimGPOArrays strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" ReDim arRecNames(0,2) arRecNames(0,0) = "ScanWithAntiVirus" arRecNames(0,1) = ATPL & WC & "Attachment Manager|" arRecNames(0,2) = "Notify antivirus programs when opening attachments}" GPRecognizer HKCU, strKey : ReDimGPOArrays strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" ReDim arRecNames(27,2) arRecNames(0,0) = "ClassicShell" : arRecNames(0,1) = ATPL & WC & WEX arRecNames(0,2) = "Enable Classic Shell / Turn on Classic Shell}" arRecNames(1,0) = "ForceActiveDesktopOn" arRecNames(1,1) = ATPL & DT & DAD : arRecNames(1,2) = "Enable Active Desktop}" If strOS = "W98" Or strOS = "NT4" Then arRecNames(1,1) = "" : arRecNames(1,2) = "unrecognized setting}" End If arRecNames(2,0) = "NoActiveDesktop" : arRecNames(2,1) = ATPL & DT & DAD arRecNames(2,2) = "Disable Active Desktop}" arRecNames(3,0) = "NoActiveDesktopChanges" : arRecNames(3,1) = ATPL & DT & DAD arRecNames(3,2) = "Prohibit 
changes}" 'added by GP, but ignored in practice, presence of DisallowCpl subkey name/value pairs 'sufficient to hide applets, even if this DWORD = 0 or absent arRecNames(4,0) = "DisallowCpl" : arRecNames(4,1) = ATPL & CP arRecNames(4,2) = "Hide specified control panel applets / items}" arRecNames(5,0) = "NoToolbarCustomize" : arRecNames(5,1) = ATPL & WC & IEX & "Toolbars|" arRecNames(5,2) = "Disable customizing browser toolbar buttons}" arRecNames(6,0) = "NoBandCustomize" : arRecNames(6,1) = ATPL & WC & IEX & "Toolbars|" arRecNames(6,2) = "Disable customizing browser toolbars}" arRecNames(7,0) = "NoFolderOptions" : arRecNames(7,1) = ATPL & WC & WEX arRecNames(7,2) = "Removes the Folder Options menu item from the Tools menu}" arRecNames(8,0) = "NoWindowsUpdate" : arRecNames(8,1) = ATPL & SMTB arRecNames(8,2) = "Remove links and access to Windows Update}" arRecNames(9,0) = "NoTrayItemsDisplay" : arRecNames(9,1) = ATPL & SMTB arRecNames(9,2) = "Hide the notification area}" arRecNames(10,0) = "NoSetTaskbar" : arRecNames(10,1) = ATPL & SMTB arRecNames(10,2) = "Prevent changes to Taskbar and Start Menu Settings}" arRecNames(11,0) = "TaskbarLockAll" : arRecNames(11,1) = ATPL & SMTB arRecNames(11,2) = "Lock all taskbar settings}" arRecNames(12,0) = "TaskbarNoAddRemoveToolbar" : arRecNames(12,1) = ATPL & SMTB arRecNames(12,2) = "Prevent users from adding or removing toolbars}" arRecNames(13,0) = "TaskbarNoDragToolbar" : arRecNames(13,1) = ATPL & SMTB arRecNames(13,2) = "Prevent users from rearranging toolbars}" arRecNames(14,0) = "NoStartMenuMorePrograms" : arRecNames(14,1) = ATPL & SMTB arRecNames(14,2) = "Remove All Programs list from the Start menu}" arRecNames(15,0) = "NoSMHelp" : arRecNames(15,1) = ATPL & SMTB arRecNames(15,2) = "Remove Help menu from Start Menu}" arRecNames(16,0) = "NoAutoUpdate" : arRecNames(16,1) = ATPL & SYS arRecNames(16,2) = "Windows Automatic Updates}" arRecNames(17,0) = "NoSecurityTab" : arRecNames(17,1) = ATPL & WC & WEX arRecNames(17,2) = 
"Remove Security tab}" arRecNames(18,0) = "NoSaveSettings" : arRecNames(18,1) = ATPL & DT arRecNames(18,2) = "Don't save settings at exit}" arRecNames(19,0) = "NoStartBanner" : arRecNames(19,1) = "" arRecNames(19,2) = "Remove " & DQ & "Click here to begin" & DQ & " from Start button}" arRecNames(20,0) = "NoFavoritesMenu" : arRecNames(20,1) = ATPL & SMTB arRecNames(20,2) = "Remove Favorites menu from Start Menu}" arRecNames(21,0) = "NoWinKeys" : arRecNames(21,1) = "" arRecNames(21,2) = "Disable Windows+X hotkeys}" arRecNames(22,0) = "NoSMMyDocs" : arRecNames(22,1) = ATPL & SMTB arRecNames(22,2) = "Remove Documents menu from Start Menu}" arRecNames(23,0) = "NoSMMyPictures" : arRecNames(23,1) = ATPL & SMTB arRecNames(23,2) = "Remove My Pictures icon from Start Menu}" arRecNames(24,0) = "NoNetworkConnections" : arRecNames(24,1) = ATPL & SMTB arRecNames(24,2) = "Remove Network & Dial-up Connections from Start Menu}" If strOS = "WXP" Then arRecNames(24,2) = "Remove Network Connections from Start Menu}" arRecNames(25,0) = "NoSharedDocuments" : arRecNames(25,1) = ATPL & WC & WEX arRecNames(25,2) = "Remove Shared Documents from My Computer}" arRecNames(26,0) = "NoLogoff" : arRecNames(26,1) = ATPL & SYS & "Logon/Logoff|" arRecNames(26,2) = "Disable Logoff}" arRecNames(27,0) = "NoInternetIcon" : arRecNames(27,1) = ATPL & DT arRecNames(27,2) = "Hide Internet Explorer icon on desktop}" ReDim arAllowedNames(2,3) arAllowedNames(0,0) = "NoDriveTypeAutoRun" : arAllowedNames(0,1) = ATPL & WC & "AutoPlay Policies|" arAllowedNames(0,2) = "Turn off Autoplay}" arAllowedNames(0,3) = "***" arAllowedNames(1,0) = "NoDriveAutoRun" : arAllowedNames(1,1) = "" arAllowedNames(1,2) = "Turn off autoplay for drive letter}" arAllowedNames(1,3) = "***" arAllowedNames(2,0) = "MaxRecentDocs" : arAllowedNames(2,1) = ATPL & WC & WEX arAllowedNames(2,2) = "Maximum number of recent documents}" arAllowedNames(2,3) = "***" GPRecognizer HKCU, strKey : ReDimGPOArrays ReDim arAllowedNames(1,3) 
arAllowedNames(0,0) = "NoDriveTypeAutoRun" : arAllowedNames(0,1) = ATPL & WC & "AutoPlay Policies|" arAllowedNames(0,2) = "Turn off Autoplay}" arAllowedNames(0,3) = "***" arAllowedNames(1,0) = "NoDriveAutoRun" : arAllowedNames(1,1) = "" arAllowedNames(1,2) = "Turn off autoplay for drive letter}" arAllowedNames(1,3) = "***" GPRecognizer HKLM, strKey : ReDimGPOArrays 'omitted Control Panel applets strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl" GPRecognizer HKCU, strKey : ReDimGPOArrays strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\System" ReDim arRecNames(5,2) arRecNames(0,0) = "DisableRegistryTools" : arRecNames(0,1) = ATPL & SYS arRecNames(0,2) = "Disable registry editing tools}" If strOS = "WXP" Or strOS = "WVA" Then arRecNames(0,2) = "Prevent access to " &_ "registry editing tools}" arRecNames(1,0) = "NoDispBackgroundPage" : arRecNames(1,1) = ATPL & CP & "Display|" arRecNames(1,2) = "Hide Background tab}" If strOS = "WXP" Or strOS = "WVA" Then arRecNames(1,2) = "Hide Desktop tab}" arRecNames(2,0) = "NoDispCpl" arRecNames(2,1) = ATPL & CP & "Display|" arRecNames(2,2) = "Disable Display in Control Panel}" If strOS = "WXP" Or strOS = "WVA" Then arRecNames(2,2) = "Remove Display in Control Panel}" arRecNames(3,0) = "Wallpaper" : arRecNames(3,1) = ATPL & DT & DAD arRecNames(3,2) = "Active Desktop Wallpaper|Wallpaper Name:}" If strOS = "WVA" Then arRecNames(3,2) = "Desktop Wallpaper|Wallpaper Name:}" arRecNames(4,0) = "WallpaperStyle" : arRecNames(4,1) = ATPL & DT & DAD arRecNames(4,2) = "Active Desktop Wallpaper|Wallpaper Style:}" If strOS = "WVA" Then arRecNames(4,2) = "Desktop Wallpaper|Wallpaper Style:}" arRecNames(5,0) = "DisableTaskMgr" arRecNames(5,1) = ATPL & SYS & "Ctrl+Alt+Del Options|" If strOS = "W2K" Then arRecNames(5,1) = ATPL & SYS & "Logon/Logoff|" arRecNames(5,2) = "Remove Task Manager}" GPRecognizer HKCU, strKey : ReDimGPOArrays strKey = 
"Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate" ReDim arRecNames(0,2) arRecNames(0,0) = "DisableWindowsUpdateAccess" arRecNames(0,1) = ATPL & WC & "Windows Update|" arRecNames(0,2) = "Remove access to use all Windows Update features}" GPRecognizer HKCU, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Internet Explorer\Control Panel" ReDim arRecNames(13,2) arRecNames(1,0) = "Advanced" : arRecNames(1,1) = ATPL & WC & IEX arRecNames(1,2) = "Disable changing Advanced page settings}" arRecNames(2,0) = "AdvancedTab" 'HKLM arRecNames(2,1) = ATPL & WC & IEX & "Internet Control Panel|" arRecNames(2,2) = "Disable the Advanced page}" arRecNames(3,0) = "Connection Settings" 'HKLM arRecNames(3,1) = ATPL & WC & IEX arRecNames(3,2) = "Disable changing connection settings}" arRecNames(4,0) = "ConnectionsTab" 'HKLM arRecNames(4,1) = ATPL & WC & IEX & "Internet Control Panel|" arRecNames(4,2) = "Disable the Connections page}" arRecNames(5,0) = "ContentTab" 'HKLM arRecNames(5,1) = ATPL & WC & IEX & "Internet Control Panel|" arRecNames(5,2) = "Disable the Content page}" arRecNames(6,0) = "DisableRIED" 'HKLM arRecNames(6,1) = ATPL & WC & IEX & "Internet Control Panel|Advanced Page|" arRecNames(6,2) = "Do not allow resetting Internet Explorer settings}" arRecNames(7,0) = "GeneralTab" 'HKLM arRecNames(7,1) = ATPL & WC & IEX & "Internet Control Panel|" arRecNames(7,2) = "Disable the General page}" arRecNames(8,0) = "HomePage" : arRecNames(8,1) = ATPL & WC & IEX arRecNames(8,2) = "Disable changing home page settings}" arRecNames(9,0) = "PrivacyTab" 'HKLM arRecNames(9,1) = ATPL & WC & IEX & "Internet Control Panel|" arRecNames(9,2) = "Disable the Privacy page}" arRecNames(10,0) = "Proxy" 'HKLM arRecNames(10,1) = ATPL & WC & IEX arRecNames(10,2) = "Disable changing proxy settings}" arRecNames(11,0) = "ResetWebSettings" : arRecNames(11,1) = ATPL & WC & IEX arRecNames(11,2) = "Disable the Reset Web Settings feature}" arRecNames(12,0) = "SecurityTab" 'HKLM 
arRecNames(12,1) = ATPL & WC & IEX & "Internet Control Panel|" arRecNames(12,2) = "Disable the Security page}" arRecNames(13,0) = "Settings" : arRecNames(13,1) = ATPL & WC & IEX arRecNames(13,2) = "Prevent the deletion of temporary Internet files and cookies}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Internet Explorer\Download" ReDim arRecNames(1,2) arRecNames(0,0) = "RunInvalidSignatures" 'HKLM arRecNames(0,1) = ATPL & WC & IEX & "Internet Control Panel|Advanced Page|" arRecNames(0,2) = "Allow software to run or install even if the signature is invalid}" arRecNames(1,0) = "CheckExeSignatures" 'HKLM arRecNames(1,1) = ATPL & WC & IEX & "Internet Control Panel|Advanced Page|" arRecNames(1,2) = "Check for signatures on downloaded programs}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions" ReDim arRecNames(1,2) arRecNames(0,0) = "NoChangeDefaultSearchProvider" 'HKLM arRecNames(0,1) = ATPL & WC & IEX arRecNames(0,2) = "Restrict changing the default search provider}" arRecNames(1,0) = "NoSearchCustomization" arRecNames(1,1) = ATPL & WC & IEX arRecNames(1,2) = "Search: Disable Search Customization}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Internet Explorer\Main" ReDim arRecNames(1,2) arRecNames(0,0) = "Enable Browser Extensions" 'HKLM arRecNames(0,1) = ATPL & WC & IEX & "Internet Control Panel|Advanced Page|" arRecNames(0,2) = "Allow third-party browser extensions}" arRecNames(1,0) = "Start Page" arRecNames(1,1) = ATPL & WC & IEX arRecNames(1,2) = "Disable changing home page settings -- Home Page imposed by this setting}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS" ReDim arRecNames(0,2) arRecNames(0,0) = 
"*" 'HKLM arRecNames(0,1) = ATPL & WC & IEX & "Security Features|Scripted Window Security Restrictions|" arRecNames(0,2) = "Internet Explorer Processes}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Internet Explorer\PhishingFilter" ReDim arRecNames(0,2) arRecNames(0,0) = "Enabled" 'HKLM arRecNames(0,1) = ATPL & WC & IEX arRecNames(0,2) = "Turn off Managing Phishing filter}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Internet Explorer\Restrictions" ReDim arRecNames(2,2) arRecNames(0,0) = "NoExtensionManagement" 'HKLM arRecNames(0,1) = ATPL & WC & IEX arRecNames(0,2) = "Do not allow users to enable or disable add-ons}" arRecNames(1,0) = "NoPopupManagement" 'HKLM arRecNames(1,1) = ATPL & WC & IEX arRecNames(1,2) = "Turn off pop-up management}" arRecNames(2,0) = "NoBrowserOptions" arRecNames(2,1) = ATPL & WC & IEX & "Browser Menus|" arRecNames(2,2) = "Tools menu: Disable Internet Options... 
menu option}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Internet Explorer\Security" ReDim arRecNames(1,2) arRecNames(0,0) = "DisableFixSecuritySettings" 'HKLM arRecNames(0,1) = ATPL & WC & IEX arRecNames(0,2) = "Do not allow users to enable or disable add-ons}" arRecNames(1,0) = "DisableSecuritySettingsCheck" 'HKLM arRecNames(1,1) = ATPL & WC & IEX arRecNames(1,2) = "Turn off the Security Settings Check feature}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}" ReDim arRecNames(0,2) arRecNames(0,0) = "Restrict_Run" arRecNames(0,1) = ATPL & WC & MMC & "Restricted/Permitted snap-ins|Group Policy|" arRecNames(0,2) = "Group Policy Object Editor}" GPRecognizer HKCU, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2" ReDim arRecNames(1,2) arRecNames(0,0) = "1004" 'HKLM arRecNames(0,1) = ATPL & WC & IEX & "Internet Control Panel|Security Page|Locked-Down Trusted Sites Zone|" arRecNames(0,2) = "Download unsigned ActiveX controls}" arRecNames(1,0) = "1201" 'HKLM arRecNames(1,1) = ATPL & WC & IEX & "Internet Control Panel|Security Page|Locked-Down Trusted Sites Zone|" arRecNames(1,2) = "Initialize and script ActiveX controls not marked as safe}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3" ReDim arRecNames(1,2) arRecNames(0,0) = "1004" 'HKLM arRecNames(0,1) = ATPL & WC & IEX & "Internet Control Panel|Security Page|Locked-Down Internet Zone|" arRecNames(0,2) = "Download unsigned ActiveX controls}" arRecNames(1,0) = "1201" 'HKLM arRecNames(1,1) = ATPL & WC & IEX & "Internet Control Panel|Security Page|Locked-Down Internet Zone|" arRecNames(1,2) = "Initialize and script ActiveX controls not marked as safe}" GPRecognizer 
HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4" ReDim arRecNames(1,2) arRecNames(0,0) = "1004" 'HKLM arRecNames(0,1) = ATPL & WC & IEX & "Internet Control Panel|Security Page|Locked-Down Restricted Sites Zone|" arRecNames(0,2) = "Download unsigned ActiveX controls}" arRecNames(1,0) = "1201" 'HKLM arRecNames(1,1) = ATPL & WC & IEX & "Internet Control Panel|Security Page|Locked-Down Restricted Sites Zone|" arRecNames(1,2) = "Initialize and script ActiveX controls not marked as safe}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2" ReDim arRecNames(1,2) arRecNames(0,0) = "1004" 'HKLM arRecNames(0,1) = ATPL & WC & IEX & "Internet Control Panel|Security Page|Trusted Sites Zone|" arRecNames(0,2) = "Download unsigned ActiveX controls}" arRecNames(1,0) = "1201" 'HKLM arRecNames(1,1) = ATPL & WC & IEX & "Internet Control Panel|Security Page|Trusted Sites Zone|" arRecNames(1,2) = "Initialize and script ActiveX controls not marked as safe}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" ReDim arRecNames(1,2) arRecNames(0,0) = "1004" 'HKLM arRecNames(0,1) = ATPL & WC & IEX & "Internet Control Panel|Security Page|Internet Zone|" arRecNames(0,2) = "Download unsigned ActiveX controls}" arRecNames(1,0) = "1201" 'HKLM arRecNames(1,1) = ATPL & WC & IEX & "Internet Control Panel|Security Page|Internet Zone|" arRecNames(1,2) = "Initialize and script ActiveX controls not marked as safe}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4" ReDim arRecNames(1,2) arRecNames(0,0) = "1004" 'HKLM arRecNames(0,1) = ATPL & WC & IEX & "Internet Control 
Panel|Security Page|Restricted Sites Zone|" arRecNames(0,2) = "Download unsigned ActiveX controls}" arRecNames(1,0) = "1201" 'HKLM arRecNames(1,1) = ATPL & WC & IEX & "Internet Control Panel|Security Page|Restricted Sites Zone|" arRecNames(1,2) = "Initialize and script ActiveX controls not marked as safe}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Windows\Network Connections" ReDim arRecNames(5,2) arRecNames(0,0) = "NC_LanProperties" arRecNames(0,1) = ATPL & NWK & "Network and Dial-up Connections|" If strOS = "WVA" Then arRecNames(0,1) = ATPL & NWK & "Network Connections|" arRecNames(0,2) = "Prohibit access to properties of a LAN connection}" arRecNames(1,0) = "NC_LanChangeProperties" arRecNames(1,1) = ATPL & NWK & "Network and Dial-up Connections|" If strOS = "WVA" Then arRecNames(1,1) = ATPL & NWK & "Network Connections|" arRecNames(1,2) = "Prohibit access to properties of components of a LAN connection}" arRecNames(2,0) = "NC_RasChangeProperties" arRecNames(2,1) = ATPL & NWK & "Network and Dial-up Connections|" If strOS = "WVA" Then arRecNames(2,1) = ATPL & NWK & "Network Connections|" arRecNames(2,2) = "Prohibit access to properties of components of a remote access connection}" arRecNames(3,0) = "NC_AddRemoveComponents" arRecNames(3,1) = ATPL & NWK & "Network and Dial-up Connections|" If strOS = "WVA" Then arRecNames(3,1) = ATPL & NWK & "Network Connections|" arRecNames(3,2) = "Prohibit adding and removing components for a LAN or remote access connection}" arRecNames(4,0) = "NC_DeleteConnection" arRecNames(4,1) = ATPL & NWK & "Network and Dial-up Connections|" If strOS = "WVA" Then arRecNames(4,1) = ATPL & NWK & "Network Connections|" arRecNames(4,2) = "Prohibit deletion of remote access connections}" arRecNames(5,0) = "NC_Statistics" arRecNames(5,1) = ATPL & NWK & "Network and Dial-up Connections|" If strOS = "WVA" Then arRecNames(5,1) = ATPL & NWK & "Network Connections|" arRecNames(5,2) = 
"Prohibit viewing of status for an active connection}" GPRecognizer HKCU, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Windows\System" ReDim arRecNames(0,2) arRecNames(0,0) = "DisableCMD" arRecNames(0,1) = ATPL & SYS arRecNames(0,2) = "Disable the command prompt}" If strOS = "WVA" Then arRecNames(0,2) = "Prevent access to the command prompt}" GPRecognizer HKCU, strKey : ReDimGPOArrays strKey = "Software\Policies\Microsoft\Windows\Task Scheduler5.0" ReDim arRecNames(0,2) arRecNames(0,0) = "Task Deletion" 'HKLM arRecNames(0,1) = ATPL & WC & "Task Scheduler|" arRecNames(0,2) = "Prohibit Task deletion}" GPRecognizer HKCU, strKey : GPRecognizer HKLM, strKey : ReDimGPOArrays strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\System" ReDim arAllowedNames(15,3) arAllowedNames(0,0) = "ConsentPromptBehaviorAdmin" : arAllowedNames(0,1) = WSSSLP & "Security Options|" arAllowedNames(0,2) = "User Account Control: Behavior Of The Elevation " &_ "Prompt For Administrators In Admin Approval Mode}" : arAllowedNames(0,3) = "2" arAllowedNames(1,0) = "ConsentPromptBehaviorUser" : arAllowedNames(1,1) = WSSSLP & "Security Options|" arAllowedNames(1,2) = "User Account Control: Behavior Of The Elevation " &_ "Prompt For Standard Users}" : arAllowedNames(1,3) = "1" arAllowedNames(2,0) = "dontdisplaylastusername" : arAllowedNames(2,1) = WSSSLP & "Security Options|" arAllowedNames(2,2) = "Interactive logon: Do not display last user name}" : arAllowedNames(2,3) = "***" arAllowedNames(3,0) = "EnableInstallerDetection" : arAllowedNames(3,1) = WSSSLP & "Security Options|" arAllowedNames(3,2) = "User Account Control: Detect Application " &_ "Installations And Prompt For Elevation}" : arAllowedNames(3,3) = "1" arAllowedNames(4,0) = "EnableLUA" : arAllowedNames(4,1) = WSSSLP & "Security Options|" arAllowedNames(4,2) = "User Account Control: Run All Administrators " &_ "In Admin Approval Mode}" : arAllowedNames(4,3) = "1" arAllowedNames(5,0) = "EnableSecureUIAPaths" : 
arAllowedNames(5,1) = WSSSLP & "Security Options|" arAllowedNames(5,2) = "User Account Control: Only elevate UIAccess " &_ "applications that are installed in secure locations}" : arAllowedNames(5,3) = "1" arAllowedNames(6,0) = "EnableVirtualization" : arAllowedNames(6,1) = WSSSLP & "Security Options|" arAllowedNames(6,2) = "User Account Control: Virtualize file and registry " &_ "write failures to per-user locations}" : arAllowedNames(6,3) = "1" arAllowedNames(7,0) = "FilterAdministratorToken" : arAllowedNames(7,1) = WSSSLP & "Security Options|" arAllowedNames(7,2) = "User Account Control: Admin Approval Mode for " &_ "the Built-in Administrator Account}" : arAllowedNames(7,3) = "1" arAllowedNames(8,0) = "legalnoticecaption" : arAllowedNames(8,1) = WSSSLP & "Security Options|" arAllowedNames(8,2) = "Interactive logon: Message title for users " &_ "attempting to log on}" : arAllowedNames(8,3) = "***" arAllowedNames(9,0) = "legalnoticetext" : arAllowedNames(9,1) = WSSSLP & "Security Options|" arAllowedNames(9,2) = "Interactive logon: Message text for users " &_ "attempting to log on}" : arAllowedNames(9,3) = "***" arAllowedNames(10,0) = "PromptOnSecureDesktop" : arAllowedNames(10,1) = WSSSLP & "Security Options|" arAllowedNames(10,2) = "User Account Conrol: Switch to the secure " & _ "desktop when prompting for elevation}" : arAllowedNames(10,3) = "1" arAllowedNames(11,0) = "scforceoption" : arAllowedNames(11,1) = WSSSLP & "Security Options|" arAllowedNames(11,2) = "Interactive logon: Require smart card}" : arAllowedNames(11,3) = "***" arAllowedNames(12,0) = "shutdownwithoutlogon" : arAllowedNames(12,1) = WSSSLP & "Security Options|" arAllowedNames(12,2) = "Shutdown: Allow system to be shut down without " &_ "having to log on}" : arAllowedNames(12,3) = "1" arAllowedNames(13,0) = "undockwithoutlogon" : arAllowedNames(13,1) = WSSSLP & "Security Options|" arAllowedNames(13,2) = "Devices: Allow undock without having to log on}" : arAllowedNames(13,3) = "1" 
arAllowedNames(14,0) = "ValidateAdminCodeSignatures" : arAllowedNames(14,1) = WSSSLP & "Security Options|"
arAllowedNames(14,2) = "User Account Control: Only elevate executables " &_
  "that are signed and validated}" : arAllowedNames(14,3) = "***"
'arAllowedNames table is complete; GPRecognizer (defined elsewhere in the file)
'presumably checks the HKLM key's values against it -- confirm in its definition
GPRecognizer HKLM, strKey : ReDimGPOArrays
'has no effect in WMe
'System Restore policies are only looked at on WXP/WVa
If strOS = "WXP" Or strOS = "WVA" Then
  strKey = "Software\Policies\Microsoft\Windows NT\SystemRestore"
  ReDim arRecNames(1,2)
  arRecNames(0,0) = "DisableSR" : arRecNames(0,1) = ATPL & SYS & "System Restore|"
  arRecNames(0,2) = "Turn off System Restore}"
  arRecNames(1,0) = "DisableConfig" : arRecNames(1,1) = ATPL & SYS & "System Restore|"
  arRecNames(1,2) = "Turn off Configuration}"
  GPRecognizer HKLM, strKey : ReDimGPOArrays
End If 'WXP/WVa?
strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
End If 'SecTest?

'#15. Active Desktop, wallpaper & screen saver
'Section 15: reports the Active Desktop flag (ShellState), the two Wallpaper
'values, any Active Desktop web content, and -- except on W98/WMe -- the
'SCRNSAVE.EXE entry. Every registry read in this section is from HKCU.
'Output goes to oFN via TitleLineWrite/oFN.WriteLine; absent values are only
'reported when flagShowAll is set.
intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then
  Dim arBValue()
  'title line string
  strTitle = "Active Desktop and Wallpaper:"

  'Active Desktop
  'Active Desktop flag key
  strKey = "Software\Microsoft\Windows\CurrentVersion\Explorer"
  'get the ShellState binary array
  intErrNum = oReg.GetBinaryValue (HKCU,strKey,"ShellState",arBValue)
  'if array returned
  If intErrNum = 0 And IsArray(arBValue) Then
    'if array contains Active Desktop flag
    If UBound(arBValue) >= 4 Then
      'if 0-based 4th array element contains 64 (AD flag set)
      'NOTE(review): the byte 4 / bit 64 test is taken on trust from the original
      'author; the ShellState layout is not documented here -- confirm before changing
      If (arBValue(4) And 64) = 64 Then
        ReDim arBValue(0) 'recover array memory
        TitleLineWrite
        oFN.WriteLine vbCRLF & "Active Desktop may be enabled at this entry:" &_
          vbCRLF & "HKCU\" & strKey & "\ShellState"
      Else
        'the "disabled" case is written regardless of flagShowAll
        TitleLineWrite
        oFN.WriteLine vbCRLF & "Active Desktop may be disabled at this entry:" &_
          vbCRLF & "HKCU\" & strKey & "\ShellState"
      End If 'AD enabled?
    End If 'UBound>=4?
  Else 'binary value not found
    If flagShowAll Then
      TitleLineWrite : oFN.WriteLine vbCRLF & "Active Desktop is not enabled."
    End If
  End If 'binary value exists?

  'Wallpaper
  'check for AD wallpaper
  strKey = "Software\Microsoft\Internet Explorer\Desktop\General"
  strSubTitle = "Displayed if Active Desktop enabled and wallpaper not set by " &_
    strPolName & "Policy:" & vbCRLF & "HKCU\" & strKey & "\"
  intErrNum = oReg.GetStringValue (HKCU,strKey,"Wallpaper",strValue)
  'if AD wallpaper value set
  If intErrNum = 0 And strValue <> "" Then 'exc for W2K!
    'write value
    'NOTE(review): the On Error guard around the WriteLine presumably covers a
    'strValue that cannot be concatenated on some OS versions ("exc for W2K!");
    'a failure is reported as "(value not set)" rather than aborting the script
    On Error Resume Next
    TitleLineWrite
    oFN.WriteLine Chr(34) & "Wallpaper" & Chr(34) & " = " &_
      Chr(34) & strValue & Chr(34)
    intErrNum1 = Err.Number : Err.Clear
    On Error Goto 0
    If intErrNum1 <> 0 Then oFN.WriteLine Chr(34) & "Wallpaper" &_
      Chr(34) & " = (value not set)"
  End If 'AD wallpaper value set?
  'retrieve Wallpaper value
  strKey = "Control Panel\Desktop"
  strSubTitle = "Displayed if Active Desktop disabled and wallpaper not set by " &_
    strPolName & "Policy:" & vbCRLF & "HKCU\" & strKey & "\"
  intErrNum = oReg.GetStringValue (HKCU,strKey,"Wallpaper",strValue)
  'if value set (exc for W2K!)
  If intErrNum = 0 And strValue <> "" Then 'exc for W2K!
    TitleLineWrite
    'output wallpaper value (same error handling as the AD wallpaper above)
    On Error Resume Next
    oFN.WriteLine Chr(34) & "Wallpaper" & Chr(34) & " = " &_
      Chr(34) & strValue & Chr(34)
    intErrNum2 = Err.Number : Err.Clear
    On Error Goto 0
    If intErrNum2 <> 0 Then oFN.WriteLine Chr(34) & "Wallpaper" &_
      Chr(34) & " = (value not set)"
  Else 'WP value not present
    If flagShowAll Then
      TitleLineWrite
      oFN.WriteLine Chr(34) & "Wallpaper" & Chr(34) & " = (value not set)"
    End If
  End If 'wallpaper value set?

  'web content
  'look for web content
  strKey = "Software\Microsoft\Internet Explorer\Desktop\Components"
  intErrNum = oReg.EnumKey(HKCU,strKey,arKeys)
  'if sub-keys exist
  If IsArray(arKeys) Then
    strSubTitle = "Active Desktop web content (hidden if disabled):"
    'for each subkey
    For Each oKey in arKeys
      strSubSubTitle = "HKCU\" & strKey & "\" & oKey & "\"
      'retrieve DWORD containing web content activation flag
      intErrNum1 = oReg.GetDWORDValue (HKCU,strKey & "\" & oKey,"Flags",intValue)
      'if DWORD value set
      'NOTE(review): the GetDWORDValue result is stored in intErrNum1, but the test
      'below checks intErrNum (still the EnumKey result, which is 0 inside this loop),
      'so the only effective guard is intValue <> 0 -- confirm what intValue holds
      'when the Flags value is missing before relying on this check
      If intErrNum = 0 And intValue <> 0 Then
        'if DWORD contains 8192 (web content activation flag set)
        If (intValue And 8192) = 8192 Then
          'get web content descriptive values (return codes are not checked;
          'a missing value is caught by the On Error guard below)
          oReg.GetStringValue HKCU,strKey & "\" & oKey,"FriendlyName",strValue1
          oReg.GetStringValue HKCU,strKey & "\" & oKey,"Source",strValue2
          oReg.GetStringValue HKCU,strKey & "\" & oKey,"SubscribedURL",strValue3
          TitleLineWrite
          'write web content descriptive values
          On Error Resume Next
          oFN.WriteLine Chr(34) & "FriendlyName" & Chr(34) & " = " &_
            Chr(34) & strValue1 & Chr(34)
          intErrNum2 = Err.Number : Err.Clear
          If intErrNum2 <> 0 Then oFN.WriteLine Chr(34) & "FriendlyName" &_
            Chr(34) & " = (value not set)"
          oFN.WriteLine Chr(34) & "Source" & Chr(34) & " = " &_
            Chr(34) & strValue2 & Chr(34)
          intErrNum2 = Err.Number : Err.Clear
          If intErrNum2 <> 0 Then oFN.WriteLine Chr(34) & "Source" &_
            Chr(34) & " = (value not set)"
          oFN.WriteLine Chr(34) & "SubscribedURL" & Chr(34) & " = " &_
            Chr(34) & strValue3 & Chr(34)
          intErrNum2 = Err.Number : Err.Clear
          If intErrNum2 <> 0 Then oFN.WriteLine Chr(34) & "SubscribedURL" &_
            Chr(34) & " = (value not set)"
          On Error Goto 0
        End If 'web content active?
      End If 'web content DWORD value set?
    Next 'web content subkey
  End If 'web content subkeys exist
  strSubTitle = "" : strSubSubTitle = ""

  'Screen Saver
  'SCRNSAVE.EXE is an autostart point: whatever program it names is launched
  'as the screen saver, so an unexpected path here is worth checking
  If strOS <> "W98" And strOS <> "WME" Then
    Dim strLFN : strLFN = "" 'screen saver LFN
    Dim strExt : strExt = "" 'wallpaper file extension (declared here, not referenced in this section)
    strWarn = ""
    strTitle = "Enabled Screen Saver:"
    strKey = "Control Panel\Desktop"
    strSubTitle = "HKCU\" & strKey & "\"
    'get the screen saver name
    intErrNum = oReg.GetStringValue (HKCU,strKey,"Scrnsave.exe",strValue)
    'if Scrnsave.exe value exists And value set (exc for W2K!)
    ' And value <> "(NONE)" (NT4 default)
    If intErrNum = 0 And strValue <> "" And LCase(strValue) <> "(none)" Then
      'get screen saver LFN if file exists
      '(a value carrying arguments or quotes will not pass FileExists, so strLFN
      'stays empty and only the raw value is printed)
      If Fso.FileExists(strValue) Then
        'create (but don't save) shortcut -- no .lnk file is written, the
        'shortcut object is only used to expand the path to its long-name form
        Dim oSC : Set oSC = Wshso.CreateShortcut("getLFN.lnk")
        'set & retrieve target path
        oSC.TargetPath = strValue
        strLFN = Fso.GetFile(oSC.TargetPath).Name
        Set oSC=Nothing
        'set up LFN string if SFN <> LFN
        If LCase(strLFN) = LCase(Fso.GetFileName(strValue)) Then
          strLFN = ""
        Else
          strLFN = " (" & strLFN & ")"
        End If
      End If 'screen saver file exists?
      TitleLineWrite
      'CoName/IDExe are defined elsewhere in the file; presumably they append the
      'publisher of the executable -- confirm in their definitions
      On Error Resume Next
      oFN.WriteLine Chr(34) & "SCRNSAVE.EXE" & Chr(34) & " = " &_
        Chr(34) & strValue & Chr(34) & strLFN & CoName(IDExe(strValue))
      intErrNum = Err.Number : Err.Clear
      On Error Goto 0
      If intErrNum <> 0 Then oFN.WriteLine Chr(34) & "SCRNSAVE.EXE" &_
        Chr(34) & " = (value not set)"
    Else 'Scrnsave.exe value doesn't exist
      'if ShowAll, output title line
      If flagShowAll Then
        TitleLineWrite
        oFN.WriteLine Chr(34) & "SCRNSAVE.EXE" & Chr(34) & " = (value not set)"
      End If 'flagShowAll
    End If 'Scrnsave.exe value exists?
  End If 'strOS <> W98/WME?
  strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
End If 'SecTest?

'#16. For W98/WMe, check inside WIN.INI (load=, run=), SYSTEM.INI (shell=) &
' for W98 only, list contents of non-empty WINSTART.BAT
'Section 16: classic Win9x launch points. Each candidate INI line is handed to
'IniInfParse (defined elsewhere in the file) with the verb to match and the
'contents considered normal: "" for load=/run=, explorer.exe for shell=, and
'"anything" for scrnsave.exe. A shell= line naming something other than
'explorer.exe is the hijack this section is meant to surface.
intSection = intSection + 1
'execute section if not in testing mode or (in testing mode And this section selected for testing)
If Not flagTest Or (flagTest And SecTest) Then
  If strOS = "W98" Or strOS = "WME" Then
    strTitle = "WIN.INI & SYSTEM.INI launch points:"
    Dim oSCF 'System Configuration File
    'true if in INI-file section containing targeted lines
    Dim flagSection : flagSection = False
    strSubTitle = "WIN.INI" & vbCRLF & "[windows]"
    'open WIN.INI (mode 1 = ForReading); unlike WINSTART.BAT below there is no
    'FileExists guard -- presumably the file is always present on W98/WMe
    Set oSCF = Fso.OpenTextFile (strFPWF & "\WIN.INI",1)
    'for each line of WIN.INI
    Do While Not oSCF.AtEndOfStream
      'read a line
      strLine = oSCF.ReadLine
      'if not a blank/comment line And inside [windows] section
      If Trim(strLine) <> "" And Left(LTrim(strLine),1) <> ";" Then
        If flagSection Then
          'if line is beginning of another section
          If Left(LTrim(strLine),1) = "[" Then
            'toggle flag to false and exit Do
            flagSection = False : Exit Do
          End If 'next section?
          'input line, verb, expected contents, disk
          IniInfParse strLine, "load", "", ""
          IniInfParse strLine, "run", "", ""
        End If 'flagSection?
        'if first 9 chars of line = [windows], then in the right section
        'so toggle flagSection to True
        If LCase(Left(LTrim(strLine),9)) = "[windows]" Then flagSection = True
      End If 'blank/comment line?
    Loop 'next line of WIN.INI
    oSCF.Close 'close WIN.INI
    flagSection = False
    strSubTitle = "SYSTEM.INI" & vbCRLF & "[boot]"
    'open SYSTEM.INI
    Set oSCF = Fso.OpenTextFile (strFPWF & "\SYSTEM.INI",1)
    'for each line of SYSTEM.INI
    Do While Not oSCF.AtEndOfStream
      strLine = oSCF.ReadLine
      'if not a blank/comment line And inside [boot] section
      If Trim(strLine) <> "" And Left(LTrim(strLine),1) <> ";" Then
        'if inside [boot] section
        If flagSection Then
          If Left(LTrim(strLine),1) = "[" Then
            'toggle flagSection and exit
            flagSection = False : Exit Do
          End If 'shell line?
          'shell= is expected to be explorer.exe; scrnsave.exe= is reported whatever it holds
          IniInfParse strLine, "shell", "explorer.exe", ""
          IniInfParse strLine, "scrnsave.exe", "anything", ""
        End If 'inside boot section?
        'if first 6 chars of line = [boot], then in the right section
        'so toggle flagSection to True
        If LCase(Left(LTrim(strLine),6)) = "[boot]" Then flagSection = True
      End If 'blank/comment line?
    Loop
    oSCF.Close
    strSubTitle = ""
    'for W98 only
    If strOS = "W98" Then
      strTitle = "WINSTART.BAT contents:"
      'open WINSTART.BAT if it exists
      If Fso.FileExists(strFPWF & "\WINSTART.BAT") Then
        Set oSCF = Fso.OpenTextFile (strFPWF & "\WINSTART.BAT",1)
        'for each line of WINSTART.BAT: REM lines are dropped, every other
        'non-empty line is echoed verbatim (lines shorter than 3 chars cannot be REM)
        Do While Not oSCF.AtEndOfStream
          strLine = oSCF.ReadLine
          If strLine <> "" Then 'examine line if it's not a CR
            If Len(strLine) >= 3 Then 'test against REM if long enough
              'if not REM, then output
              If LCase(Left(LTrim(strLine),3)) <> "rem" Then
                'strTitle is checked so the title is only emitted once per file
                If strTitle <> "" Then
                  TitleLineWrite : oFN.WriteBlankLines(1)
                End If
                oFN.WriteLine strLine
              End If
            Else 'len 1-2
              TitleLineWrite : oFN.WriteLine strLine
            End If 'len < 3?
          End If 'carriage return?
        Loop 'WINSTART.BAT lines
        oSCF.Close : Set oSCF=Nothing
      Else 'WINSTART.BAT doesn't exist
        'if ShowAll, write title lines
        If flagShowAll Then
          TitleLineWrite : oFN.WriteLine vbCRLF & "(file not found)"
        End If
      End If 'WINSTART.BAT exists?
    End If 'W98?
  End If 'strOS = W98/WME
  strTitle = "" : strSubTitle = "" : strSubSubTitle = ""
End If 'SecTest?

'#17.
AUTORUN.INF in root directory of local fixed disks intSection = intSection + 1 'execute section if not in testing mode or (in testing mode And this section selected for testing) If Not flagTest Or (flagTest And SecTest) Then 'WMe & WXP SP2 do not launch AUTORUN.INF on local fixed disks If strOS <> "WME" And strOSLong <> "Windows XP SP2" Then 'fixed disk, DWORD value, binary value array, AutoRun.Inf file, Dim oDisk, hVal, arBVal, oARI strTitle = "Autostart via AUTORUN.INF on local fixed drives:" 'array of fixed disks Public arFixedDisks() 'Disk Letter dictionary (needed to calculate power of 2) 'dictDL.Item(6) returns "G:" Public dictDL : Set dictDL = CreateObject("Scripting.Dictionary") dictDL.Add 0, "A:" : dictDL.Add 1, "B:" : dictDL.Add 2, "C:" dictDL.Add 3, "D:" : dictDL.Add 4, "E:" : dictDL.Add 5, "F:" dictDL.Add 6, "G:" : dictDL.Add 7, "H:" : dictDL.Add 8, "I:" dictDL.Add 9, "J:" : dictDL.Add 10, "K:" : dictDL.Add 11, "L:" dictDL.Add 12, "M:" : dictDL.Add 13, "N:" : dictDL.Add 14, "O:" dictDL.Add 15, "P:" : dictDL.Add 16, "Q:" : dictDL.Add 17, "R:" dictDL.Add 18, "S:" : dictDL.Add 19, "T:" : dictDL.Add 20, "U:" dictDL.Add 21, "V:" : dictDL.Add 22, "W:" : dictDL.Add 23, "X:" dictDL.Add 24, "Y:" : dictDL.Add 25, "Z:" 'assume HKLM NoDriveTypeAutoRun Fixed Disks Enabled Public flagHKLM_NDTAR_FDE : flagHKLM_NDTAR_FDE = True 'assume HKCU NoDriveTypeAutoRun Fixed Disks Enabled Public flagHKCU_NDTAR_FDE : flagHKCU_NDTAR_FDE = True 'assume HKLM NoDriveTypeAutoRun value does NOT exist Public flagHKLM_NDTAR : flagHKLM_NDTAR = False 'assume HKCU NoDriveTypeAutoRun value does NOT exist (unused, passed for consistency) Public flagHKCU_NDTAR : flagHKCU_NDTAR = False 'assume HKLM NoDriveAutoRun value does NOT exist Public flagHKLM_NDAR : flagHKLM_NDAR = False 'assume HKCU NoDriveAutoRun value does NOT exist (unused, passed for consistency) Public flagHKCU_NDAR : flagHKCU_NDAR = False strKey = "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" 'WVa RC1 ignores 
NDTAR/NDAR values in HKCU/HKLM If strOS <> "WVA" Then 'check NDTAR/NDTAR_FDE values in HKLM, toggle flag if needed NDTAR HKLM, flagHKLM_NDTAR, flagHKLM_NDTAR_FDE 'if HKLM NDTAR value not found, check NDTAR/NDTAR_FDE values in HKCU If Not flagHKLM_NDTAR Then NDTAR HKCU, flagHKCU_NDTAR, flagHKCU_NDTAR_FDE Else 'strOS = "WVA" flagHKLM_NDTAR = True : flagHKCU_NDTAR = True flagHKLM_NDTAR_FDE = True : flagHKCU_NDTAR_FDE = True End If 'if NoDriveTypeAutoRun permits autorun on fixed disks, look at 'individual disks If flagHKLM_NDTAR_FDE And flagHKCU_NDTAR_FDE Then 'enumerate fixed disks Set colDisks = GetObject("winmgmts:\root\cimv2")._ ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3") j = 0 'fmt of DeviceID & Name i