Batch File Help (.bat)


Spinal

I need some help decompiling a Windows batch file...

Code:
1. regedit.exe /s ".\SYS\lsa.reg"

2. <some code>

3. regedit.exe /s ".\SYS\win.reg"

I've added the line markers... The middle line contains a few batch commands, but I have no clue what the two registry editor commands do... any ideas?

M.
 
The /S bit means that it will run silently.

Without seeing what the script is doing it's hard to say exactly, but if you are modifying the LSA then it's some sort of security setting that's being modified by the batch file.

Winreg, I believe, can be used to control whether or not remote registry changes are authorised, so if the batch file is being pushed it might be a requirement.
 
but I have no clue what the two registry editor commands do... any ideas?

They are importing the registry files.

The registry files will be text files containing lists of registry keys and values. So if you can open them you should be able to see what keys are being imported.
 
Thanks - the "script" isn't a pretty one... it silences output, invokes another bit of software, runs line 1 above, then creates an admin account, enables remote access on that account and runs line 3 above...

Short... yet really quite dangerous...

Doing some looking up - the LSA can't be accessed from the GUI... not even from an admin account... If I'm not mistaken it deals with account passwords...

The last part (line 3 above) I'm still unsure about... I don't have a VM installed on this machine... but tomorrow I'm going to do some playing...

M.
 
sounds like a virus :)


LSA is in the registry

Number 3 is probably granting remote registry access for the user account just created.
 

Attachments

  • lsa.jpg
My bad - for some odd reason my entries were all greyed out...

I think I know what it's adding to the registry... as soon as I get the rest of the code & a VM I'll verify - but I think it's changing either the restrictanonymous or the forceguest options... (or both)...

As I thought, really not something you want to find on your machine!

M.
 
As thought - the registry entries do precisely that...

LSA: "forceguest"=dword:00000000

Nasty...

thanks for the help!

M.
 
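The two points made above, that a .reg file is plain text you can read before `regedit /s` imports it, and that the lsa.reg in this case sets `"forceguest"=dword:00000000`, can be turned into a repeatable offline triage step. The script below is an added example and is not part of the thread or of the batch file under discussion: it parses a .reg file the way regedit would read it (UTF-16 export with BOM or ANSI, `dword:`, quoted strings, `hex:` data with `\` continuation lines, `=-` value deletions, `[-KEY]` key deletions) and flags Lsa DWORD values that weaken network authentication. The sample file is constructed for the example (the `SecurePipeServers\winreg` entries in it are placeholders, not a claim about what the thread's win.reg contained), and the watch list of Lsa value names is the author's own selection of well-known settings, not something taken from the thread.

```python
"""Offline triage of a .reg file: parse what `regedit /s` would import and
flag Lsa values that weaken network authentication. Added example; the
sample .reg below is constructed and is not the file from the thread."""
import re

# Constructed sample standing in for lsa.reg (not the real file).
SAMPLE_LSA_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"forceguest"=dword:00000000
"restrictanonymous"=dword:00000000
"Comment"="set by installer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg]
"Sample"=hex:01,00,\
  02,00
"Stale"=-
'''

LSA_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'

# Lsa DWORD values whose weak setting is worth a finding (author's selection).
# Each predicate returns True when the imported value is the weak one.
LSA_WATCH = {
    'forceguest': (lambda v: v == 0,
        'Classic network access model: remote logons use the named account '
        'instead of being mapped to Guest'),
    'restrictanonymous': (lambda v: v == 0,
        'anonymous (null session) enumeration of SAM accounts and shares allowed'),
    'everyoneincludesanonymous': (lambda v: v == 1,
        'Everyone permissions apply to anonymous users'),
    'limitblankpassworduse': (lambda v: v == 0,
        'accounts with blank passwords usable for network logon'),
    'nolmhash': (lambda v: v == 0,
        'LM hashes of passwords will be stored'),
}

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def decode_reg(data: bytes) -> str:
    """regedit exports UTF-16 with a BOM; hand-written .reg files are usually ANSI."""
    if data[:2] in (b'\xff\xfe', b'\xfe\xff'):
        return data.decode('utf-16')
    return data.decode('latin-1')


def _unescape(s: str) -> str:
    return re.sub(r'\\(.)', r'\1', s)


def _decode_data(data: str):
    """Return (kind, value) for the right-hand side of a "name"=data line."""
    if data == '-':
        return 'delete_value', None
    if data.startswith('dword:'):
        return 'dword', int(data[6:], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return 'string', _unescape(data[1:-1])
    m = re.match(r'hex(?:\(([0-9a-fA-F]+)\))?:(.*)$', data)
    if m:
        kind = 'hex' if m.group(1) is None else 'hex(%s)' % m.group(1)
        return kind, bytes.fromhex(m.group(2).replace(',', ' '))
    raise ValueError('unsupported data: %r' % data)


def parse_reg(text: str):
    """Parse .reg text into (key, name, kind, value) tuples, in file order.
    A deleted key is reported as (key, None, 'delete_key', None)."""
    entries, key, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip(); i += 1
        if (not line or line.startswith(';')
                or line.startswith('Windows Registry Editor') or line == 'REGEDIT4'):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            if key.startswith('-'):               # [-HKEY...] deletes the key
                entries.append((key[1:], None, 'delete_key', None))
                key = None
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            raise ValueError('unparsed line: %r' % line)
        name = '@' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        while data.endswith('\\') and i < len(lines):   # hex data continuation
            data = data[:-1] + lines[i].strip(); i += 1
        entries.append((key, name) + _decode_data(data))
    return entries


def audit_lsa(entries):
    """(name, value, why) for every watched Lsa DWORD set to its weak value."""
    findings = []
    for key, name, kind, value in entries:
        if name is None or kind != 'dword' or key.lower() != LSA_KEY.lower():
            continue
        rule = LSA_WATCH.get(name.lower())
        if rule and rule[0](value):
            findings.append((name, value, rule[1]))
    return findings


def keys_touched(entries):
    return sorted({e[0] for e in entries})


if __name__ == '__main__':
    ents = parse_reg(decode_reg(SAMPLE_LSA_REG.encode('utf-16')))
    for name, value, why in audit_lsa(ents):
        print('%s=%d: %s' % (name, value, why))
    print('keys touched:', keys_touched(ents))
```

Run it against the real lsa.reg and win.reg with `parse_reg(decode_reg(open(path, 'rb').read()))`; `keys_touched` tells you at a glance which hives a file reaches beyond Lsa (for instance `SecurePipeServers\winreg`, which governs remote registry access), and anything `audit_lsa` reports is a setting to compare against the host's current value before deciding whether the file is a legitimate deployment step or part of something worse.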
So it was a virus then?

If so, any idea what it was called?
 
Nope - not really a virus...

More of a custom piece of malware... it's actually an extension of something you've already seen. I'll PM you the name (it caused some issues last time :p)

M.
 