06-27-2024 06:32 PM
I am trying to find a way we can search user's download folder for a specific exe file
Is it possible to use a wildcard to search C:\Users\*\Downloads?
I am also trying to search the HKEY_USERS registry but will need to do a wildcard for this as well, since the subkeys are based on the user's SID.
Any help with this would be much appreciated.
06-28-2024 07:20 PM
Can you give me an example of the HKLU key? Is it just the user that has a SID or does the software reside in its own GUID under that? Here's some keys you should be able to scan (you can scan HKLU keys which will scan whatever user that's logged on at the time's SID), though it's formatted weird: https://www.malwarebytes.com/blog/detections/pup-optional-wave
Also, if it actually installs under the user profile, versus a complete standalone, the software would show up under software as a profile-based software (it will have the little person avatar), but will disappear if it scans while another user is logged on.. so if that applies you could make a 'seen within last 5 minutes' and email it out on a 5 minute schedule...
Also, you could create a deployment package that does an xcopy wildcard search or something that deploys on machines that were scanned within the past X minutes at a similar schedule, then creates a registry key or txt file if found that you could scan with Lansweeper, or perhaps appends a network share file... just throwing out some ideas that come to mind if you want to do a wildcard search with Lansweeper... or, make a scheduled task with a GPO that executes a search upon user logon that searches for it and makes a file or registry key to then scan with Lansweeper to get info...
You could also make a report of running processes and filter for the .exe seen for assets scanned within the past 5 minutes and have it email you on a 5 minute schedule...
Or you could use AppLocker, I think...
just spitballing 🙂
06-28-2024 07:46 PM
I am testing AppLocker now. This WaveBrowser has been a pain.
I think this is the key Lansweeper is seeing to show it's installed and I'm trying to find any other information about it. So far this is everything I have found with the install. I just need a better way to search these areas.
HKEY_USERS\S-1-5-21-USERS_SIDXXXXXXXXX\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WaveBrowser
06-28-2024 07:48 PM - edited 06-28-2024 07:49 PM
Here is more info I've found... been trying to figure out how I can search any of these areas
Search in Users "Downloads" folder for the installer.
Wave Browser.exe
Delete Files and Folders located -
c:\Users\USER ID\ "Wavesor Software"
c:\Users\*\AppData\Local\ "WaveBrowser"
c:\Users\*\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch "WaveBrowser"
c:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs "WaveBrowser"
c:\Users\*\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7285d05065a86476
Scheduled Task
Folder: \Wavesor Software{USER SID}
Example Folder: \Wavesor Software_S-1-5-21-XXXXXXXXXXXXXXXX
WavesorSWUpdaterTaskUser
WaveBrowser-StartAtLogin
Change Default App
Default Applications for PDF and .html are set to WaveBrowser
Delete Reg Keys -
HKEY_USERS\USER SID\SOFTWARE\WaveBrowser
HKEY_USERS\USER SID\SOFTWARE\Wavesor
HKEY_USERS\USER SID\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WaveBrowser
Installer log -
c:\Users\USER ID\AppData\Local\Temp "wavebrowser_installer.log"
06-28-2024 10:10 PM
oof - ok, I'm not an expert scripter but you could use GPT to help you make a PowerShell script to do these tasks... I pasted your requisites into it and it gave me PowerShell pieces that can do it. You could scan the appropriate registry keys in Lansweeper, and then make a deployment package to run it against that report (i.e. the ones where registry keys are found), and then tell the package to rescan after deployment...
06-28-2024 08:18 AM
For C:\Users\*\Downloads == %USERPROFILE%\Downloads
06-28-2024 02:01 PM
Thanks for replying. I have tried that and rescanned a test machine that I know has the file and it comes back false. The file I am looking for is "Wave Browser.exe" that downloads to the user's "Downloads" folder.
So I put it in like this
%USERPROFILE%\Downloads\Wave Browser.exe
06-28-2024 03:26 PM
@funkytechmonky The allowed parameters for custom file scanning are: %programfiles%, %programfiles(x86)% and %windir%.
You can use these parameters in your file paths to make Lansweeper search for the Program Files, Program Files (x86) or Windows directory in any drive on your machines. You can find more information on custom file scanning in this article: https://community.lansweeper.com/t5/scanning-your-network/windows-custom-file-scanning/ta-p/64272
It is not possible to use wildcards for registry scans, you must submit an exact registry value. For performance reasons, registry scanning only queries specific registry values. Retrieving all values within a key or searching the entire registry for a specific value is not possible.
07-01-2024 08:28 AM
With lspush it works with %APPDATA%, %LOCALAPPDATA%.
I think it also works with %USERPROFILE%, but all of this only works with lspush.
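The deployment-package idea from earlier in the thread, combined with the constraint that registry scans need an exact value, as an added example that is not from any poster or from Lansweeper: a PowerShell script, run elevated, that checks every profile for the paths and keys listed in the thread and writes the result to one fixed registry location. The marker key `HKLM:\SOFTWARE\ITAudit\WaveBrowser` and its value names are hypothetical, and Downloads is assumed not to be redirected out of the profile.

```powershell
# Added example. The marker key and value names are hypothetical; pick your own.
$MarkerKey = 'HKLM:\SOFTWARE\ITAudit\WaveBrowser'
$hits = [System.Collections.Generic.List[string]]::new()

# Per-user paths listed in the thread, relative to each profile root.
# Assumes Downloads is not redirected away from the profile.
$relPaths = @(
    'Downloads\Wave Browser.exe',
    'Wavesor Software',
    'AppData\Local\WaveBrowser',
    'AppData\Local\Temp\wavebrowser_installer.log'
)
# Per-user registry keys listed in the thread, relative to HKEY_USERS\<SID>.
$relKeys = @(
    'SOFTWARE\WaveBrowser',
    'SOFTWARE\Wavesor',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WaveBrowser'
)

# ProfileList maps each user SID to its profile folder,
# so no C:\Users\* wildcard is needed.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem -Path $profileList |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
    ForEach-Object {
        $sid  = $_.PSChildName
        $root = $_.GetValue('ProfileImagePath')
        if (-not $root) { return }   # skip entries without a profile path
        foreach ($rel in $relPaths) {
            $full = Join-Path -Path $root -ChildPath $rel
            if (Test-Path -LiteralPath $full) { $hits.Add("file:$full") }
        }
        # HKEY_USERS only holds hives of users whose profile is currently loaded;
        # logged-off users are still covered by the file checks above.
        foreach ($rel in $relKeys) {
            $key = "Registry::HKEY_USERS\$sid\$rel"
            if (Test-Path -LiteralPath $key) { $hits.Add("reg:$sid\$rel") }
        }
    }

# Publish the result at one fixed, exact registry location.
if (-not (Test-Path -Path $MarkerKey)) { New-Item -Path $MarkerKey -Force | Out-Null }
Set-ItemProperty -Path $MarkerKey -Name 'Found'     -Value ([int]($hits.Count -gt 0)) -Type DWord
Set-ItemProperty -Path $MarkerKey -Name 'Details'   -Value ($hits -join '; ')        -Type String
Set-ItemProperty -Path $MarkerKey -Name 'LastCheck' -Value (Get-Date -Format 'o')    -Type String
```

A custom registry scan can then target the exact `Found` value under the marker key, which avoids both the SID wildcard and the per-user path problem.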