Use this script to list the startup commands configured on your target endpoint.
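def ExecuteCMD(CMD, OUT = False):
    """Run *CMD* through the shell with WOW64 file-system redirection disabled.

    Args:
        CMD: command line handed to the shell (``shell=True``). Only pass
            strings built from program-controlled values; in this file it is
            only ever called with a temp-file path the script created itself.
        OUT: when true, return the command's stripped stdout instead of a
            plain success flag.

    Returns:
        ``False`` when the command exits non-zero. Otherwise ``True``, or,
        when *OUT* is true and the command produced output, that output
        stripped of surrounding whitespace (``bytes`` on Python 3, ``str``
        on Python 2, exactly as ``Popen.communicate()`` returned it).
    """
    import ctypes
    from subprocess import PIPE, Popen

    class disable_file_system_redirection:
        """Context manager around Wow64Disable/RevertWow64FsRedirection.

        Lets a 32-bit interpreter on 64-bit Windows reach the native
        System32 (where cscript.exe lives) instead of SysWOW64.
        Windows-only: ``ctypes.windll`` does not exist on other platforms.
        """
        _disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
        _revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection

        def __enter__(self):
            self.old_value = ctypes.c_long()
            self.success = self._disable(ctypes.byref(self.old_value))

        def __exit__(self, type, value, traceback):
            # Only undo the redirection change if disabling it succeeded.
            if self.success:
                self._revert(self.old_value)

    with disable_file_system_redirection():
        proc = Popen(CMD, shell = True, stdout = PIPE, stderr = PIPE)
        out, _err = proc.communicate()

    if proc.returncode != 0:
        return False
    # Truthiness instead of `out != ''`: on Python 3 `out` is bytes, so the
    # comparison with '' was always true and empty output leaked through
    # as b'' instead of the documented True.
    if OUT and out:
        return out.strip()
    return True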
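def writeVBS(vbs):
    """Write *vbs* to a new ``.vbs`` file under %TEMP% and return its path.

    The file is created with ``tempfile.mkstemp`` rather than by building a
    name from ``random.randint(1, 10000)``: the name is unpredictable and the
    file is opened exclusively, so another local process cannot pre-create or
    swap in a file at a guessable path before this script writes to it.
    Falls back to the platform default temp directory when TEMP is unset.
    The caller is responsible for deleting the file.

    Args:
        vbs: VBScript source text.

    Returns:
        Absolute path of the written file (also printed, as before).
    """
    import os
    import tempfile

    fd, FILEPATH = tempfile.mkstemp(suffix='.vbs', dir=os.environ.get('TEMP'))
    print(FILEPATH)
    with os.fdopen(fd, 'w') as f:
        f.write(vbs)
    return FILEPATH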
# VBScript run via cscript: queries WMI (root\cimv2, Win32_StartupCommand)
# on the local machine and echoes one record per startup entry. The fourth
# quote is the VBScript comment marker for the first line of the script.
vbs=r'''' List Computer Startup Commands
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colStartupCommands = objWMIService.ExecQuery _
("Select * from Win32_StartupCommand")
For Each objStartupCommand in colStartupCommands
Wscript.Echo "Command: " & objStartupCommand.Command
Wscript.Echo "Description: " & objStartupCommand.Description
Wscript.Echo "Location: " & objStartupCommand.Location
Wscript.Echo "Name: " & objStartupCommand.Name
Wscript.Echo "Setting ID: " & objStartupCommand.SettingID
Wscript.Echo "User: " & objStartupCommand.User
Wscript.Echo vbCrLf
Next'''
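import os

# Write the VBScript to a temp file, run it with cscript and print the
# output. The try/finally guarantees the temp file is removed even when
# cscript fails or ExecuteCMD raises (the original left it behind on error).
vbs_path = writeVBS(vbs)
try:
    # Path is quoted because %TEMP% can contain spaces and ExecuteCMD
    # passes the command line to the shell.
    print(ExecuteCMD('cscript "' + vbs_path + '"', True))
finally:
    os.remove(vbs_path)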
sample output:
Script to Import:
20170216-List-Startup-Commands.json (2.88 KB)