Is this script safe

  1.    14 Mar 2017 #1

    Is this script safe


    *Warning may cause harm*

    I saw it posted in a forum; it's supposed to find if any svchost.exe's running on the system contain trojans or malicious backdoors/hidden scripts and viruses.

    PHP Code:
    @echo off
    REM First release on 01/03/2017 04:45
    REM Updated on 07/03/2017 04:05
    Set "ProcessName=SVCHOST"
    Set "Tmp_Services=%Tmp%\%~n0.txt"
    If Exist "%Tmp_Services%" Del "%Tmp_Services%"
    Set "ProcessLog=%Tmp%\%ProcessName%.log"
    If Exist "%ProcessLog%" Del "%ProcessLog%"
    Set "Legits_Services_SVCHOST=%~dp0Legits_Services_%ProcessName%.txt"
    Set "Legit_Location=%windir%\system32\svchost.exe"
    Set "LogFile=%~dp0%ProcessName%_ProcessList.txt"
    Set "Suspicious_LogFile=%~dp0%ComputerName%_%ProcessName%_Suspicious_Paths.txt"
    Title Finding all instances and paths of "%ProcessName%" by Hackoo 2017
    If Exist "%LogFile%" Del "%LogFile%"
    Set /A Counter=0
    setlocal enableDelayedExpansion
    REM List the command line of every process whose name contains %ProcessName%
    for /F "skip=1" %%a in ('WMIC Path win32_process where "name like '%%%ProcessName%%%'" get commandline') do (
        for /F "delims=" %%b in ("%%a") do (
            Color 0A
            set /A Counter+=1
            set "p=%%b"
            REM Print only the entries that match the expected location
            for /F %%f in ('echo !p! ^|Findstr /LI "%Legit_Location%"') do (
                echo [!Counter!] : !p!
            )
            REM Log every entry, matching or not
            ( echo "!p!" )>>"%LogFile%"
        )
    )

    REM Dump all processes with PowerShell and keep the lines with the expected path
    Powershell.exe Get-WmiObject Win32_Process ^| select ProcessID,ProcessName,Handle,commandline,ExecutablePath ^| Out-File -Append "%ProcessLog%" -Encoding ascii
    Type "%ProcessLog%" | find /I "%Legit_Location%" >> "%Tmp_Services%"

    REM Show the services hosted by each instance on the console
    (
        echo(
        echo Those are legitimes services of "%ProcessName%.exe"
        Tasklist /SVC /FO TABLE /FI "IMAGENAME eq %ProcessName%.exe"
    )>con

    REM Write the same listing to the temporary services file
    (
        echo(
        echo Those are legitimes services of "%ProcessName%.exe"
        Tasklist /SVC /FO TABLE /FI "IMAGENAME eq %ProcessName%.exe"
    )>> "%Tmp_Services%"
    CMD /U /C Type "%Tmp_Services%" > "%Legits_Services_SVCHOST%"
    echo(
    Echo All instances of "%ProcessName%" in this path "%Legit_Location%" are legitimes services
    echo(
    echo Hit any key to look for a suspicious "%ProcessName%" paths
    REM Anything in the log that does not match the expected path goes to the suspicious list
    Findstr /LVI "%Legit_Location%" "%LogFile%" >> "%Suspicious_LogFile%"
    pause>nul
    Start "" "%Suspicious_LogFile%"
    Start "" "%Legits_Services_SVCHOST%" & exit
    ::********************************************************************************************* 
    code.txt you can view it plainly in the text form I attached

  2. TairikuOkami's Avatar
    Posts : 3,475
    Home 1809 x64 10.0.17763.134
       14 Mar 2017 #2

    Not sure if it is very helpful; it just lists processes not located within System32's folder.
    Windows processes are listed separately, so that is a dead giveaway for that one.
    Malware usually uses hijacked svchost.exe and this script will not tell you that.

  3.    14 Mar 2017 #3

    TairikuOkami said:
    Not sure if it is very helpful; it just lists processes not located within System32's folder.
    Windows processes are listed separately, so that is a dead giveaway for that one.
    Malware usually uses hijacked svchost.exe and this script will not tell you that.
    That is helpful, thank you.
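
Post #2 points out that the script only compares image paths. As an added example (not part of the thread and not the script author's code), the PowerShell function below goes beyond that path check and also tests each svchost.exe record for a services.exe parent and a `-k <group>` argument. The function name, the PID-to-name table and the sample records are constructed for illustration.

```powershell
# Added example, not from the thread. Checks one svchost.exe process record against
# three expectations: image path, parent process name, and a "-k <group>" argument.
function Test-SvchostRecord {
    param(
        [Parameter(Mandatory)] $Process,               # needs ProcessId, ParentProcessId, ExecutablePath, CommandLine
        [Parameter(Mandatory)] [hashtable] $NameByPid, # PID -> process name, used to resolve the parent
        [string[]] $AllowedPaths = @("$env:windir\System32\svchost.exe")  # same location the batch script trusts
    )
    $findings = @()
    if (-not $Process.ExecutablePath) {
        $findings += 'image path not readable (run elevated)'
    } elseif ($AllowedPaths -notcontains $Process.ExecutablePath) {   # string comparison is case-insensitive
        $findings += "unexpected image path: $($Process.ExecutablePath)"
    }
    $parent = $NameByPid[[int]$Process.ParentProcessId]
    if ($parent -ne 'services.exe') {
        $findings += "parent is '$parent', expected services.exe"
    }
    if (-not $Process.CommandLine) {
        $findings += 'command line not readable (run elevated)'
    } elseif ($Process.CommandLine -notmatch '\s-k\s+\S+') {
        $findings += 'no "-k <group>" argument'
    }
    [pscustomobject]@{
        ProcessId  = $Process.ProcessId
        Suspicious = ($findings.Count -gt 0)
        Findings   = $findings -join '; '
    }
}

# Constructed sample records (not real output); C:\Windows stands in for %windir%.
$names  = @{ 700 = 'services.exe'; 4120 = 'explorer.exe' }
$sample = @(
    [pscustomobject]@{ ProcessId = 912;  ParentProcessId = 700;  ExecutablePath = 'C:\Windows\System32\svchost.exe'; CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs -p' }
    [pscustomobject]@{ ProcessId = 5300; ParentProcessId = 4120; ExecutablePath = 'C:\Windows\System32\svchost.exe'; CommandLine = 'C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ ProcessId = 6144; ParentProcessId = 4120; ExecutablePath = 'C:\Users\Public\svchost.exe';     CommandLine = 'svchost.exe' }
)
$sample | ForEach-Object { Test-SvchostRecord -Process $_ -NameByPid $names -AllowedPaths 'C:\Windows\System32\svchost.exe' }

# Live use on the local machine:
# $all = Get-CimInstance Win32_Process; $names = @{}; $all | ForEach-Object { $names[[int]$_.ProcessId] = $_.Name }
# $all | Where-Object Name -eq 'svchost.exe' | ForEach-Object { Test-SvchostRecord -Process $_ -NameByPid $names }
```

A genuine svchost.exe that has loaded a malicious service DLL passes all three checks, so a clean result narrows the list rather than clearing a process.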