Checking Remote Registries for viruses/spyware

  • Thread starter: Ken Franklin

Ken Franklin

Does anyone know of a method to remotely check registry entries on a
bunch of PCs? I'd like some sort of backup way to check registry
entries for viruses/spyware. I can use regedit to connect to PCs one
at a time but that gets time consuming when there are 25+ PCs to be
checked out. I've found .vbs scripts which will search for a specific
key. What I want is to get a listing of all the entries in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to
see if anything suspicious resides there.

Thanks,

Ken Franklin
 

Using REG.EXE from the Support Tools on your CD-ROM, tip 3968 in the 'Tips &
Tricks' at http://www.jsiinc.com

REG QUERY \\JSI001\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG QUERY \\JSI003\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG QUERY \\JSI005\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG QUERY \\JSI007\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
REG QUERY \\JSI009\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

You can use tip 4195 to run it on all workstations.


REG QUERY KeyName [/v ValueName | /ve] [/s]

KeyName [\Machine\]FullKey
Machine - Name of remote machine, omitting defaults to the current machine
Only HKLM and HKU are available on remote machines
FullKey - in the form of ROOTKEY\SubKey name
ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ]
SubKey - The full name of a registry key under the selected ROOTKEY
/v query for a specific registry key
ValueName - The name, under the selected Key, to query
if omitted, all values under the Key are queried
/ve query for the default value or empty value name <no name>
/s queries all subkeys and values

Examples:

REG QUERY HKLM\Software\Microsoft\ResKit /v Version
Displays the value of the registry value Version

REG QUERY HKLM\Software\Microsoft\ResKit\Nt\Setup /s
Displays all subkeys and values under the registry key Setup

Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
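The same Run-key check as a single PowerShell loop over a list of workstations, comparing each autostart against a known-good baseline so only unfamiliar entries need a human look. This is an added example, not code from the thread or from JSI; the computer names and the baseline entries are constructed placeholders, and it relies on the same Remote Registry access that REG QUERY \\Machine\... uses.

```powershell
# Added example (not from the thread): list HKLM\...\Run autostart values on
# several workstations over Remote Registry and flag anything not on a baseline.
# Needs the Remote Registry service running on the targets and an account with
# read access to HKLM there, the same prerequisite as REG QUERY \\Machine\HKLM\...

$Computers = @('WS01', 'WS02', 'WS03')          # constructed placeholder names
$RunKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Known-good autostarts (value name -> expected command). Constructed for
# illustration; build the real one from a clean reference machine.
$Baseline = @{
    'SecurityHealth' = '%windir%\system32\SecurityHealthSystray.exe'
}

$Results = foreach ($Computer in $Computers) {
    try {
        $Hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $Key = $Hive.OpenSubKey($RunKey)
        if ($null -eq $Key) { throw "Run key not found on $Computer" }

        foreach ($Name in $Key.GetValueNames()) {
            # Keep %windir% etc. unexpanded so the string compares against the baseline
            $Command = $Key.GetValue($Name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $Known = $Baseline.ContainsKey($Name) -and ($Baseline[$Name] -eq $Command)
            [pscustomobject]@{
                Computer   = $Computer
                ValueName  = $Name
                Command    = $Command
                Suspicious = -not $Known      # anything off-baseline gets reviewed
            }
        }
        $Key.Close(); $Hive.Close()
    }
    catch {
        # Unreachable hosts or access denied are reported, never silently skipped
        [pscustomobject]@{ Computer = $Computer; ValueName = $null
                           Command = "ERROR: $($_.Exception.Message)"; Suspicious = $true }
    }
}

# Unknown entries first for review; the full listing is kept as a CSV record.
$Results | Where-Object Suspicious | Sort-Object Computer, ValueName | Format-Table -AutoSize
$Results | Export-Csv -NoTypeInformation -Path "Run-Autostarts-$(Get-Date -Format yyyyMMdd).csv"
```

The 32-bit Run key under SOFTWARE\Wow6432Node and the per-user Run keys under HKU are separate autostart locations not covered by this loop; add them to $RunKey or a second pass if the machines need them checked too.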