This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Searching User Folders and HKEY_USERS

funkytechmonky
Engaged Sweeper III

‎06-27-2024 06:32 PM

I am trying to find a way we can search user's download folder for a specific exe file

Is it possible to use a wildcard to search C:\Users\*\Downloads? 

I am also trying to search HKEY_USERS registry but will need to do a wildcard for this as well since sub the keys are based on users SID. 

Any help with this would be much appreciated. 

Labels:
0 Kudos
8 REPLIES 8
Jacob_H
Lansweeper Employee
Lansweeper Employee

‎06-28-2024 07:20 PM

Can you give me an example of the HKLU key?  is it just the user that has a SID or does the software reside in its own GUID under that?  Here's some keys you should be able to scan (you can scan HKLU keys which will scan whatever user that's logged on at the time's SID), though its formatted weird: https://www.malwarebytes.com/blog/detections/pup-optional-wave

Also, if it actually installs under the user profile, versus a complete standalone, the software would show up under software as a profile-based software (it will have the little person avatar), but will disappear if it scans while another user is logged on.. so if that applies you could make a 'seen within last 5 minutes' and email it out on a 5 minute schedule...

Also, you could create a deployment package that does an xcopy wildcard search or something that deploys on machines that were scanned within the past X minutes at a similar schedule, then creates a registry key or txt file if found that you could scan with Lansweeper, or perhaps appends a network share file...   just throwing out some ideas that come to mind if you want to do a wildcard search with lansweeper....  or, make a scheduled task with a GPO that executes a search upon user logon that searches for it and makes a file or registry key to then scan with Lansweeper to get info...

you could also make a report of running processes and filter for the .exe seen for assets scanned within the past 5 minutes and have it email you on a 5 minute schedule...

or you could use applocker i think...  

just spitballing 🙂

 

0 Kudos
funkytechmonky
Engaged Sweeper III
In response to Jacob_H

‎06-28-2024 07:46 PM

I am testing AppLocker now. This WaveBrowser has been a pain. 

I think this is the key lansweeper is seeing to show its installed and I'm trying to find any other information about it. So far this is everything I have found with the install. I just need a batter way to search these areas. 

HKEY_USERS\S-1-5-21-USERS_SIDXXXXXXXXX\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WaveBrowser

WaveBrowserKey.jpg
0 Kudos
funkytechmonky
Engaged Sweeper III
In response to funkytechmonky

‎06-28-2024 07:48 PM - edited ‎06-28-2024 07:49 PM

Here is more info I've found... been trying to figure out how I can search any of these areas

Search in Users "Downloads" folder for the installer.
Wave Browser.exe

Delete Files and Folders located -
c:\Users\USER ID\ "Wavesor Software"
c:\Users\*\AppData\Local\ "WaveBrowser"
c:\Users\*\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch "WaveBrowser"
c:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs "WaveBrowser"
c:\Users\*\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\7285d05065a86476

Scheduled Task
Folder: \Wavesor Software{USER SID}
Example Folder: \Wavesor Software_S-1-5-21-XXXXXXXXXXXXXXXX
WavesorSWUpdaterTaskUser
WaveBrowser-StartAtLogin

Change Default App
Default Applications for PDF and .htlm are set to WaveBrowser

Delete Reg Keys -
HKEY_USERS\USER SID\SOFTWARE\WaveBrowser
HKEY_USERS\USER SID\SOFTWARE\Wavesor
HKEY_USERS\USER SID\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WaveBrowser

Installer log -
c:\Users\USER ID\AppData\Local\Temp "wavebrowser_installer.log"

0 Kudos
Jacob_H
Lansweeper Employee
Lansweeper Employee
In response to funkytechmonky

‎06-28-2024 10:10 PM

oof - ok, I'm not an expert scripter but you could use GPT to help you make a powershell script to do these tasks...  I pasted your requisites into it and it gave me powershell pieces that can do it.  you could scan the appropriate registry keys in lansweeper, and then make a deployment package to run it against that report (i.e. the ones that registry keys are found), and then tell the package to rescan after deployment...

 

0 Kudos
RolandB
Engaged Sweeper III

‎06-28-2024 08:18 AM

For C:\Users\*\Downloads  == %USERPROFILE%\Downloads

0 Kudos
funkytechmonky
Engaged Sweeper III
In response to RolandB

‎06-28-2024 02:01 PM

Thanks for replying. I have tried that and rescanned a test machine that I know has the file and it comes back false. The file I am looking for is "Wave Browser.exe" that downloads to the users "Downloads" folder. 

So I put it in this like 

%USERPROFILE%\Downloads\Wave Browser.exe

0 Kudos
David_GF
Lansweeper Tech Support
Lansweeper Tech Support
In response to funkytechmonky

‎06-28-2024 03:26 PM

@funkytechmonky The allowed parameters for custom file scanning are: %programfiles%, %programfiles(x86)% and %windir%.
You can use these parameters in your file paths to make Lansweeper search for the Program Files, Program Files (x86) or Windows directory in any drive on your machines. You can find more information on custom file scanning in this article: https://community.lansweeper.com/t5/scanning-your-network/windows-custom-file-scanning/ta-p/64272

 

It is not possible to use wildcards for registry scans, you must submit an exact registry value. For performance reasons, registry scanning only queries specific registry values. Retrieving all values within a key or searching the entire registry for a specific value is not possible.



~~~~~~~ (〃 ̄︶ ̄)人( ̄︶ ̄〃) ~~~~~~~
Sweep that LAN, sweep it!
0 Kudos
RolandB
Engaged Sweeper III
In response to David_GF

‎07-01-2024 08:28 AM

With lspush it´s work with %APPDATA%, %LOCALAPPDATA%
I think it´s work also with %USERPROFILE%,   but all is only work with lspush

0 Kudos

General Discussions

Find answers to technical questions about Lansweeper.

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now