[thisisu]

Hi guys,

I am trying to do some heuristic registry key deletion using batch and could use some help.

Here is an example of what I would like to achieve:
Look for registry keys that begin with these characters: crossriderapp
that are located at: hkey_local_machine\software\classes

If condition is met, delete the entire crossriderapp* key from hkey_local_machine\software\classes

More examples (full paths)
"hkey_local_machine\software\classes\crossriderapp0004352.bho"
"hkey_local_machine\software\classes\crossriderapp0004352.bho.1"
"hkey_local_machine\software\classes\crossriderapp0004352.fbapi"
"hkey_local_machine\software\classes\crossriderapp0004352.fbapi.1"
"hkey_local_machine\software\classes\crossriderapp0004352.sandbox"
"hkey_local_machine\software\classes\crossriderapp0004352.sandbox.1"

Would like all of these to be deleted using heuristics.

Thanks!

[Cody Johnston]

Looking for something like this?

Code: Select all

reg query HKEY_LOCAL_MACHINE\Software\Classes | findstr /i crossriderapp

in batch you need to escape the pipe like this:

Code: Select all

^|

above code returns correctly all keys:

Code: Select all

HKEY_LOCAL_MACHINE\Software\Classes\crossriderapp0004352.fbapi
HKEY_LOCAL_MACHINE\Software\Classes\crossriderapp0004352.fbapi.1
HKEY_LOCAL_MACHINE\Software\Classes\crossriderapp0004352.sandbox
HKEY_LOCAL_MACHINE\Software\Classes\crossriderapp0004352.sandbox.1
HKEY_LOCAL_MACHINE\Software\Classes\crossriderapp004352.bho
HKEY_LOCAL_MACHINE\Software\Classes\crossriderapp004352.bho.1

[thisisu]

That will work, thank you! (+rep)

[thisisu]

Hi,

Sorry to be bringing this up again but can you show an example using the carrot (^) symbol? I keep getting errors when trying to use it.

Error using this code:

Code: Select all

reg query hkey_local_machine\software\classes ^| findstr /i crossriderapp0>>%systemdrive%\JRT\temp\regheur.txt

or

Code: Select all

reg query hkey_local_machine\software\classes ^|findstr /i crossriderapp0>>%systemdrive%\JRT\temp\regheur.txt

Results in "ERROR: Invalid Syntax." error message.

Here is what I ended up using and it works fine but would still like to see a working example with ^ for future purposes.

Thanks!

Code: Select all

if not exist %systemdrive%\JRT\temp\null.txt goto exit
reg query hkey_local_machine\software\classes|findstr /i crossriderapp0>>%systemdrive%\JRT\temp\regheur.txt
fc %systemdrive%\JRT\temp\regheur.txt %systemdrive%\JRT\temp\null.txt >nul 2>&1
if %errorlevel% EQU 0 (
                       REM Both files are empty! Nothing to delete here
                      )
if %errorlevel% EQU 1 (
                       for /f "tokens=*" %%g in (%systemdrive%\JRT\temp\regheur.txt) do (
                               reg delete %%g /f >nul 2>&1
                               reg query %%g >nul 2>&1
                               IF ERRORLEVEL 1 (
                                                Echo(Successfully deleted: [Registry Key-Heur] %%g>>%systemdrive%\JRT\temp\keys.txt
                                               ) else (
                                                       Echo(Failed to delete: [Registry Key-Heur] %%g>>%systemdrive%\JRT\temp\keys.txt
                                                      )
                                                                                        )
                      )

[Dany3j]

Hello.

Used to escape special characters, to work within a lower level, such as within a FOR.

Example code:

Code: Select all

echo off
FOR /F "TOKENS=*" %%A IN ('REG QUERY HKEY_LOCAL_MACHINE\Software\Classes ^| findstr /i "crossriderapp"') do (echo %%A) 
pause

Sorry for my English. ;)

[thisisu]

That explains it, thank you Dany3j (+rep)