Silent Runners
The purpose of “Silent Runners” is to identify the programs that start up with Windows.
It was first made available to members of the NTBugTraq mailing list
in a post on 12 May 2004. The first version posted was actually revision 10.
An updated version is available for download here. The revision history is found in comments
at the bottom of the script file. Old versions are archived here.
“Silent Runners” is not an anti-virus, an anti-trojan, or a spyware scanner.
It only pinpoints how programs start up — it does not scan the system to identify
every trace of malware. The text file it creates can be removed for study or stored as a benchmark.
It runs under Windows 95, Windows 98 (Standard Edition and Second Edition),
Windows Me (Millennium Edition), Windows NT 4.0 Workstation, Windows NT 4.0 Server,
Windows 2000 Professional, Windows 2000 Server, Windows XP Home, Windows XP Professional x86 & x64,
Windows Server 2003 x86 & x64, Windows Vista x86 & x64, Windows 7 x86 & x64,
Windows Server 2008 R2 (x64), Windows 8 Home & Professional x86 & x64, Windows 10 Home & Professional x86 & x64,
and Windows 11 Home & Professional x64.
It is written in VBScript (version 5.1 or greater) and relies on WMI to query
the registry. WMI is installed by default on every Windows version since “Me”.
It is not installed by default on Windows 95/98 or Windows NT 4.0 and,
unfortunately, it is no longer offered for download by Microsoft for those systems.
If you’re running Windows XP and a compatible version of VBScript isn’t installed,
the script will direct your browser to the appropriate Microsoft download site.
The script changes absolutely nothing on your system (other than adding its report file).
It has no option to change anything and no such option will ever be added.
However, it is offered without any warranty of any kind, either express or implied. You use it, then,
at your own risk.
“Silent Runners” can be run simply by double-clicking it. It can also be run from
the command line under CScript.exe, in which case output will be directed to the console.
It creates a (Unicode) text file readable by any recent text editor (Notepad works fine) and places it,
by default, in the same directory as the script. To store the file somewhere else, provide the directory as a command line parameter.
If the output directory name contains spaces, embed it in quotes. To specify an output directory with WScript.exe,
create a shortcut to the script and then add the output directory to the Target field.
See this procedure to compare two versions of the text file.
The output file name is “Startup Programs” followed by the name of your PC in parentheses, the date in year-month-day format, the time in hour.minute.second format, and then the extension .txt.
Thus, the file created by the script launched at 15:34:10 (3:34:10 p.m.) on a PC named “Foo” on 10 June 2004 would be:
Startup Programs (Foo) 2004-06-10 15.34.10.txt
The output file summarizes everything the script thinks you ought to know.
What does ought to know mean? It means that the script will report any non-default
value it finds anywhere it looks. What’s a default value? It’s something that’s put
there by Microsoft when Windows is installed. For instance, in every Windows installation,
the default shell is explorer.exe. If the script finds explorer.exe
listed as the shell, it won’t add that to the output file.
Does that mean that everything in the output file is suspicious? No. It means that
the script, based on its limited code, couldn’t figure out whether certain things were
suspicious or not, so it put them in the output file so you could go figure it out.
Under some circumstances, the script will alert about suspicious data. It will do this by prefacing the entry in the output file with the symbols “<<!>>” or “<<H>>”, and an explanatory note will be placed in the report footer. This does not mean that the PC is infected. It does mean that such a line is atypical and bears very close scrutiny.
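The following is an added example, not code from “Silent Runners” itself, showing the same two ideas in PowerShell: launch points whose value matches the stock Windows default are left out of the report, and atypical entries are prefixed with “<<!>>” and explained in a footer. The “stock” values for the Winlogon Shell and Userinit entries, and the heuristic that flags commands launching from temporary or per-user writable directories, are this example’s own assumptions, not the script’s logic. It needs read access to HKLM and Windows PowerShell 3 or later.

```powershell
# Added example, not part of Silent Runners: report non-default Winlogon values and all
# Run/RunOnce entries, prefixing atypical ones with "<<!>>" and explaining each flag in a
# footer note. The "stock" values and the user-writable-location heuristic are this
# example's own assumptions, not the script's logic. Needs read access to HKLM.

$Defaults = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"   # the stock value ends in a comma
}
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RunKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$MetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$Lines = New-Object System.Collections.Generic.List[string]
$Notes = New-Object System.Collections.Generic.List[string]

function Add-Entry {
    param([string]$Text, [string]$Note)
    if ($Note) { $Lines.Add("<<!>> $Text"); $Notes.Add($Note) } else { $Lines.Add($Text) }
}

# 1. Winlogon: default values are left out of the report; anything else is flagged.
$wl = Get-ItemProperty -Path $Winlogon -ErrorAction SilentlyContinue
if ($wl) {
    foreach ($name in $Defaults.Keys) {
        $value = [string]$wl.$name
        if (-not $value -or $value -eq $Defaults[$name]) { continue }   # -eq ignores case
        Add-Entry "$Winlogon\$name = $value" "Winlogon '$name' is not the stock value '$($Defaults[$name])'"
    }
}

# 2. Run keys: every entry is listed (none is "default"); commands that launch from a
#    temporary or per-user writable directory get the <<!>> prefix.
$SuspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, "$env:SystemRoot\Temp") | Where-Object { $_ }
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }   # skip the provider's metadata properties
        $cmd  = [string]$p.Value
        $note = $null
        foreach ($root in $SuspectRoots) {
            if ($cmd.IndexOf($root, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $note = "'$($p.Name)' launches from a user-writable location ($root)"; break
            }
        }
        Add-Entry "$key\$($p.Name) = $cmd" $note
    }
}

# 3. Write a Unicode report named the way the script names its own output file;
#    flagged lines are explained in the footer.
$dir    = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$report = Join-Path $dir ('Startup Programs ({0}) {1}.txt' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyy-MM-dd HH.mm.ss'))
$out = @("Non-default launch points on $env:COMPUTERNAME", '') + $Lines
if ($Notes.Count -gt 0) { $out += @('', 'Notes:') + @($Notes | ForEach-Object { "<<!>> $_" }) }
Set-Content -Path $report -Value $out -Encoding Unicode
Write-Host "Report written to $report"
```

Like the script, this changes nothing on the system other than creating the report file. Keeping a first report as a benchmark and comparing later ones against it (for example with Compare-Object) is the quickest way to spot a launch point that was not there before.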
The script completes most of its checks in under 2 minutes. One check can take much longer –
the search of all directories of local fixed drives for DESKTOP.INI DLL
launch points. (This check is identified by superscript “1” in the “O/S” column on the
Launch Points page.)
This search has been made supplementary and can be activated either by answering
“No” to the script’s first message box and “Yes” to the message box
that follows it or by starting the script with the “-supp” parameter:
C:\directory_containing_the_script>"silent runners.vbs" -supp
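As an added example that is not part of “Silent Runners”, the script below performs the kind of supplementary search described above in PowerShell: it walks every local fixed drive looking for DESKTOP.INI files whose [.ShellClassInfo] section names a class identifier, and resolves the in-process server DLL registered for that class, since that is the DLL Explorer would load when the folder is opened. The set of keys it inspects (CLSID, CLSID2, UICLSID) is this example’s choice, and it assumes Windows PowerShell 3 or later. Like the script’s own check, it can take a long time on large drives.

```powershell
# Added example, not part of Silent Runners: find DESKTOP.INI files on local fixed drives
# that name a CLSID in their [.ShellClassInfo] section and resolve the DLL the shell would
# load for that class. Keys inspected and output shape are this example's own choices.

function Get-DesktopIniLaunchPoints {
    param([string[]]$Roots)
    $keysOfInterest = @('CLSID', 'CLSID2', 'UICLSID')
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter 'desktop.ini' -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file    = $_.FullName
            $section = $null
            foreach ($line in (Get-Content -Path $file -ErrorAction SilentlyContinue)) {
                $t = $line.Trim()
                # Track which INI section we are in; only [.ShellClassInfo] matters here.
                if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
                if ($section -ne '.ShellClassInfo') { continue }
                if ($t -match '^(\w+)\s*=\s*(\{[0-9A-Fa-f-]{36}\})') {
                    $name, $clsid = $Matches[1], $Matches[2]
                    if ($keysOfInterest -notcontains $name) { continue }
                    # HKCR merges the machine and per-user class registrations.
                    $server = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                                -ErrorAction SilentlyContinue).'(default)'
                    $dll = if ($server) { $server } else { '<not registered>' }
                    [pscustomobject]@{ File = $file; Key = $name; CLSID = $clsid; DLL = $dll }
                }
            }
        }
    }
}

# DriveType 3 = local fixed disk, matching the scope of the script's supplementary check.
$fixed = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object { $_.DeviceID + '\' }
Get-DesktopIniLaunchPoints -Roots $fixed | Format-Table -AutoSize
```

Stock Windows folders (Fonts, the Recycle Bin and others) carry DESKTOP.INI files of this kind, so the listing is not a list of infections; as with the script’s own report, the useful comparison is against a benchmark listing taken from a known-clean state, with attention to any entry whose DLL lives outside the Windows directory.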
To force the script to show everywhere it looks and everything it finds, start it from
the command line with the “-all” parameter:
C:\directory_containing_the_script>"silent runners.vbs" -all
The output file will only show the launch points that apply to your PC’s operating system.
Script parameters can also be conveniently added to a shortcut’s Target field.
Note that the “-all” and “-supp” parameters are mutually exclusive
— you can use one or the other, but not both.
To see a list of the registry keys, INI-file sections, files, and folders that are
checked for launch points, click here.
To see a detailed, illustrated procedure for downloading and running the script,
click here.