
I've got a laptop that has what appears to be a command prompt pop up and vanish whenever it connects to the net. I can repeat it by turning the Wi-Fi off/on; it flashes up and vanishes too fast to see, or to show up in procmon/taskman. Is there any way I can slow it down, log its execution, or otherwise figure out what it is?

Procmon seems to be able to log fast enough to catch it, but between not knowing what I'm looking for, and the fact it's thousands of lines long, it might as well not log at all. There are several 'cmd.exe' entries in the log, but none seem to be relevant or happening at the (apparent) time this executes.

I'm not even sure it IS cmd.exe, but it's the same 'dos window' look, it just vanishes before I can see what it is :( Anyone have any ideas at all?

1 Answer


You may look at the following locations for programs, links & scripts:

reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /f shell /e
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run"
reg query "HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system" /f shell /e
reg query "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager" /f PendingFileRenameOperations /e
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager" /f ExcludeFromKnownDlls /e
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f run /e
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f load /e
reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system" /f shell /e
dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
msconfig -4

See also the task manager's "Start-up" tab (taskmgr.exe)

Endoro
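The answer lists where to look for autostart entries, but the asker's real problem is that the window is gone before any viewer can show it. The script below is an added example, not part of the answer above: it switches on Windows process-creation auditing with command-line capture (Security event ID 4688, which records every process start no matter how short-lived), reads those events back as objects, and enumerates the Run keys and Startup folders from the answer in PowerShell form. It also lists scheduled tasks whose action is a script host, which the answer does not cover but which is a common source of a console window appearing on a network-state change; that addition is my own. Function names are my own choice; the registry value `ProcessCreationIncludeCmdLine_Enabled` and the `auditpol` subcategory are real Windows settings. Run from an elevated PowerShell on Windows 8.1 or later.

```powershell
# Added example (not the original answer's code). Run elevated.

# 1. Enable process-creation auditing and make 4688 events carry the command line.
function Enable-ProcessCreationAudit {
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
    # Without this value the 4688 event omits CommandLine, which is the field that identifies the script.
    Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
}

# 2. Read 4688 events since a given time and flatten the EventData fields into objects.
function Get-ProcessStartEvents {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-5),
        [string]$NameFilter = '*'          # e.g. '*\cmd.exe' or '*\conhost.exe'
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Process     = $data['NewProcessName']
            CommandLine = $data['CommandLine']
            Parent      = $data['ParentProcessName']   # populated on Windows 10 and later
            User        = $data['SubjectUserName']
        }
    } | Where-Object { $_.Process -like $NameFilter }
}

# 3. The autostart locations from the answer, as objects (hypothetical helper name).
function Get-AutostartEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {   # skip PowerShell's own PSPath/PSParentPath metadata
                [pscustomobject]@{ Location = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
    $folders = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($f in $folders) {
        if (Test-Path $f) {
            Get-ChildItem -Path $f -File | ForEach-Object {
                [pscustomobject]@{ Location = $f; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
}

# 4. Scheduled tasks whose action is a console or script host (my addition beyond the answer).
function Get-ScriptHostTasks {
    Get-ScheduledTask | Where-Object {
        ($_.Actions.Execute -join ' ') -match 'cmd|powershell|wscript|cscript'
    } | Select-Object TaskPath, TaskName, State,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

# Usage: enable auditing, toggle Wi-Fi to reproduce the flash, then inspect what started.
Enable-ProcessCreationAudit
Write-Host 'Auditing enabled. Toggle Wi-Fi now, then press Enter.'
[void](Read-Host)
Get-ProcessStartEvents -Since (Get-Date).AddMinutes(-2) | Format-Table Time, Process, Parent, CommandLine -Wrap
Get-AutostartEntries | Format-Table -AutoSize
Get-ScriptHostTasks   | Format-Table -AutoSize
```

The 4688 approach is preferable to polling WMI for new processes because the Security log is written by the kernel at process creation, so a cmd.exe that lives for a few milliseconds still leaves a record with its full command line and parent process; the parent name is usually what tells you whether it was a scheduled task, a service, a Group Policy script or an interactive startup item. Once the culprit is identified, the auditing can be left on as a cheap, permanent record of process activity on that machine.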