Sysinternals’ Eulagoogoolizer

November 30, 2014 in Tips & Tricks

Update

If you plan on using parts of it for pentesting purposes – you are doing it wrong :) I mention this cuz I saw someone suggesting it on Twitter.

You don’t want to leave any traces in Registry – either you cough cough patch it, or use an alternative.

Old post

Sysinternals tools are great, but since Microsoft took over, most of these software gems have been Eulaized – a pretty annoying thing, especially if you want to run them on a remote system. While some of the tools now accept the accepteula command-line argument, sometimes it’s just handy to accept it all in one go.

The below reg file does exactly this; you can also edit it and cherry-pick those apps you need.

Note: It will only work if you save it as SysinternalsEulagoogoolizer.reg ;)

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Sysinternals\A]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Active Directory Explorer]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Autologon]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\AutoRuns]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\C]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\CacheSet]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\ClockRes]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Coreinfo]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Ctrl2cap]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\DbgView]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Desktops]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Disk2Vhd]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Diskmon]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\DiskView]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\EFSDump]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\FindLinks]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Handle]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Hex2Dec]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Junction]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\LdmDump]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\ListDLLs]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\LoadOrder]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Movefile]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PageDefrag]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PendMove]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PipeList]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Portmon]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\ProcDump]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Process Explorer]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Process Monitor]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PsExec]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\psfile]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PsGetSid]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PsInfo]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PsKill]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PsList]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PsLoggedon]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PsLoglist]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PsPasswd]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PsService]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PsShutdown]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\PsSuspend]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\RegDelNull]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Regjump]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Regsize]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\RootkitRevealer]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Share Enum]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\ShellRunas - Sysinternals: www.sysinternals.com]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\SigCheck]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Streams]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Strings]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Sync]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\TCPView]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\VMMap]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\VolumeID]
"EulaAccepted"=dword:00000001
[HKEY_CURRENT_USER\Software\Sysinternals\Winobj]
"EulaAccepted"=dword:00000001

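The Registry traces mentioned in the Update, seen from the defender's side: because acceptance is stored as `EulaAccepted` under `Software\Sysinternals\<tool>`, an exported hive shows which tools were run by that user, or were pre-seeded by a file like the one above. This is an added example, not part of the original post; it assumes the input is the decoded text of a `reg export`, and the sample export is constructed.

```python
import re

# Constructed sample: decoded text of `reg export HKCU\Software\Sysinternals out.reg`
# (real exports are UTF-16LE with a BOM; decode before passing them in).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Sysinternals]

[HKEY_CURRENT_USER\Software\Sysinternals\PsExec]
"EulaAccepted"=dword:00000001

[HKEY_CURRENT_USER\Software\Sysinternals\Process Monitor]
"EulaAccepted"=dword:00000001
"Logfile"=""

[HKEY_CURRENT_USER\Software\Sysinternals\Strings]
"EulaAccepted"=dword:00000000

[HKEY_CURRENT_USER\Software\Other\PsExec]
"EulaAccepted"=dword:00000001
'''

# Per-tool subkey under any hive path, e.g. HKEY_CURRENT_USER or HKEY_USERS\<SID>.
KEY_RE = re.compile(r'^\[(?P<hive>.+?)\\Software\\Sysinternals\\(?P<tool>[^\\]+)\]$', re.I)
VAL_RE = re.compile(r'^"EulaAccepted"=dword:(?P<hex>[0-9a-f]{8})$', re.I)

def accepted_eulas(reg_text):
    """Return sorted (hive, tool) pairs whose EulaAccepted DWORD is non-zero."""
    hits, current = set(), None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            # A new key header: remember it only if it is a Sysinternals tool subkey.
            m = KEY_RE.match(line)
            current = (m.group('hive'), m.group('tool')) if m else None
        elif current:
            v = VAL_RE.match(line)
            if v and int(v.group('hex'), 16) != 0:
                hits.add(current)
    return sorted(hits)

if __name__ == "__main__":
    for hive, tool in accepted_eulas(SAMPLE_EXPORT):
        print(f"{hive}: {tool}")
```
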
Decompiling compiled AutoIt scripts (64-bit)

November 28, 2014 in Malware Analysis, Tips & Tricks

To decompile AutoIt scripts compiled as 64-bit exes, simply extract the appended script from the 64-bit file and attach it to a 32-bit AutoIt exe stub. Then run it through Exe2Aut (https://exe2aut.com/).

This is probably the shortest post ever :)
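
One way to do the extract-and-attach step when analysing a sample, as an added example that is not from the original post. It assumes the appended script is the PE overlay, i.e. everything after the last section's raw data; `toy_pe` builds constructed minimal files so the block runs offline.

```python
import struct

I386, AMD64 = 0x014C, 0x8664  # IMAGE_FILE_MACHINE_I386 / IMAGE_FILE_MACHINE_AMD64

def pe_layout(data):
    """Return (machine, overlay_offset) for a PE image held in bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect = struct.unpack_from("<HH", data, pe + 4)
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)
    table = pe + 24 + opt_size                           # first section header
    end = 0
    for i in range(nsect):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return machine, end

def transplant_overlay(exe64, stub32):
    """Return stub32 stripped of its own overlay, followed by exe64's overlay."""
    m64, off64 = pe_layout(exe64)
    m32, off32 = pe_layout(stub32)
    if m64 != AMD64 or m32 != I386:
        raise ValueError("expected an x64 source and an x86 stub")
    overlay = exe64[off64:]
    if not overlay:
        raise ValueError("source has no appended data")
    return stub32[:off32] + overlay

def toy_pe(machine, overlay=b""):
    """Constructed minimal PE: headers, one 16-byte section, optional overlay."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0, 0, 16, 0x80, 0, 0, 0, 0, 0)
    return dos + coff + sect + b"\xCC" * 16 + overlay

if __name__ == "__main__":
    out = transplant_overlay(toy_pe(AMD64, b"CONSTRUCTED-SCRIPT"), toy_pe(I386, b"old"))
    print(pe_layout(out), out[-18:])
```

On a signed file the Authenticode certificate data also sits after the last section, so check what the overlay actually contains before transplanting it.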