Is this script safe


  1. Posts : 116
    10.1
       #1

    Is this script safe


    *Warning may cause harm*

    I saw it posted in a forum. It's supposed to find if any svchost.exe's running on the system contain trojans or malicious backdoors/hidden scripts and viruses.

    PHP Code:
    @echo off
    REM First release on 01/03/2017 04:45
    REM Updated on 07/03/2017 04:05
    Set "ProcessName=SVCHOST"
    Set "Tmp_Services=%Tmp%\%~n0.txt"
    If Exist "%Tmp_Services%" Del "%Tmp_Services%"
    Set "ProcessLog=%Tmp%\%ProcessName%.log"
    If Exist "%ProcessLog%" Del "%ProcessLog%"
    Set "Legits_Services_SVCHOST=%~dp0Legits_Services_%ProcessName%.txt"
    Set "Legit_Location=%windir%\system32\svchost.exe"
    Set "LogFile=%~dp0%ProcessName%_ProcessList.txt"
    Set "Suspicious_LogFile=%~dp0%ComputerName%_%ProcessName%_Suspicious_Paths.txt"
    Title Finding all instances and paths of "%ProcessName%" by Hackoo 2017
    If Exist "%LogFile%" Del "%LogFile%"
    Set /A Counter=0
    setlocal enableDelayedExpansion
    REM Log the command line of every process whose name contains %ProcessName%
    for /F "skip=1" %%a in ('WMIC Path win32_process where "name like '%%%ProcessName%%%'" get commandline') do (
        for /F "delims=" %%b in ("%%a") do (
            Color 0A
            set /A Counter+=1
            set "p=%%b"
            REM Show on screen only the entries that match the expected System32 path
            for /F %%f in ('echo !p! ^|Findstr /LI "%Legit_Location%"') do (
                echo [!Counter!] : !p!
            )
            ( echo "!p!" )>>"%LogFile%"
        )
    )

    REM Dump the full process list, then keep the lines that match the expected path
    Powershell.exe Get-WmiObject Win32_Process ^| select ProcessID,ProcessName,Handle,commandline,ExecutablePath ^| Out-File -Append "%ProcessLog%" -Encoding ascii
    Type "%ProcessLog%" | find /I "%Legit_Location%" > "%Tmp_Services%"

    REM Print the services hosted by each instance to the console
    (
        echo(
        echo Those are legitimes services of "%ProcessName%.exe"
        Tasklist /SVC /FO TABLE /FI "IMAGENAME eq %ProcessName%.exe"
    )>con

    REM Append the same listing to the temporary report
    (
        echo(
        echo Those are legitimes services of "%ProcessName%.exe"
        Tasklist /SVC /FO TABLE /FI "IMAGENAME eq %ProcessName%.exe"
    )>> "%Tmp_Services%"
    CMD /U /C Type "%Tmp_Services%" > "%Legits_Services_SVCHOST%"
    echo(
    Echo All instances of "%ProcessName%" in this path "%Legit_Location%" are legitimes services
    echo(
    echo Hit any key to look for a suspicious "%ProcessName%" paths
    REM Everything that does NOT match the expected path goes to the suspicious log
    Findstr /LVI "%Legit_Location%" "%LogFile%" > "%Suspicious_LogFile%"
    pause>nul
    Start "" "%Suspicious_LogFile%"
    Start "" "%Legits_Services_SVCHOST%" & exit
    ::*********************************************************************************************
    code.txt you can view it plainly in the text form I attached


  2. Posts : 5,442
    Windows 11 Home
       #2

    Not sure if it is very helpful, it just lists processes not located within System32's folder.
    Windows processes are listed separately, so that is a dead giveaway for that one.
    Malware usually uses a hijacked svchost.exe, and this script will not tell you that.
    Attached thumbnail: Is this script safe-capture_03142017_114110.jpg
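Added example, not part of the thread or of the posted script: a read-only PowerShell check that, besides the image path the batch file compares, reports each svchost.exe instance's parent process, its `-k` argument and the services it hosts. The expectations that a normal instance is started by services.exe and carries a `-k` service group are assumptions about standard Windows behaviour, not statements from the thread.

```powershell
# Added example (not from the thread). Read-only triage of running svchost.exe instances.
# Assumption: run from an elevated prompt so ExecutablePath and CommandLine are populated.
$legit = Join-Path $env:windir 'System32\svchost.exe'

# Index every process by PID so each svchost can be matched to its parent.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Map each PID to the services it hosts (the same data "Tasklist /SVC" prints).
$svcByPid = @{}
foreach ($s in Get-CimInstance -ClassName Win32_Service -Filter 'ProcessId <> 0') {
    $svcByPid[[int]$s.ProcessId] += @($s.Name)
}

$svchosts = $procs | Where-Object { $_.Name -eq 'svchost.exe' }
$report = foreach ($p in $svchosts) {
    $notes  = @()
    $parent = $byPid[[int]$p.ParentProcessId]

    # Path check: report unreadable paths instead of silently skipping them.
    if (-not $p.ExecutablePath)           { $notes += 'path unreadable, rerun elevated' }
    elseif ($p.ExecutablePath -ne $legit) { $notes += 'image outside System32' }

    # Parent check (assumption: normal instances are started by services.exe).
    if (-not $parent)                        { $notes += 'parent process has exited' }
    elseif ($parent.Name -ne 'services.exe') { $notes += "parent is $($parent.Name)" }

    # Argument check (assumption: normal instances carry "-k <service group>").
    if ($p.CommandLine -and $p.CommandLine -notmatch '\s-k\s+\S') {
        $notes += 'no -k service group'
    }

    [pscustomobject]@{
        ProcessId = $p.ProcessId
        Path      = $p.ExecutablePath
        Parent    = if ($parent) { $parent.Name } else { '?' }
        Services  = ($svcByPid[[int]$p.ProcessId] -join ',')
        Review    = ($notes -join '; ')
    }
}

# Instances with something to review are listed first.
$report | Sort-Object { $_.Review -eq '' }, ProcessId | Format-Table -AutoSize -Wrap
```

An empty Review column only means the instance looks like a normal service host from the outside; it says nothing about the code loaded inside that process.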


  3. Posts : 116
    10.1
    Thread Starter
       #3

    TairikuOkami said:
    Not sure if it is very helpful, it just lists processes not located within System32's folder.
    Windows processes are listed separately, so that is a dead giveaway for that one.
    Malware usually uses a hijacked svchost.exe, and this script will not tell you that.
    That is helpful, thank you.