Using wildcards in command line of Appdefend

Discussion in 'Ghost Security Suite (GSS)' started by xwray, Sep 4, 2006.

Thread Status:
Not open for further replies.
  1. xwray

    xwray Registered Member

    Mar 15, 2006
    Is it now or will it be possible to edit a command line with a wild card. For instance I have an application that resulted in several similar entries that are the same except for the last part of the command line such as:

    "c:\winnt\system32\rundll32.exe" c:\winnt\system32\nview.dll,nvtaskbarmenucmd 40001


    "c:\winnt\system32\rundll32.exe" c:\winnt\system32\nview.dll,nvtaskbarmenucmd 40556

    There are several other entries that are the same except for the trailing number. I would like to be able to substitute a wildcard for the number so one rule would be able to handle all cases.

    Any hope of getting something like this?

  2. tonyjl

    tonyjl Registered Member

    May 25, 2004
    Hi xwray.

    You can use wild cards as long it's between the quotation marks (if the cmd-line contains them in the first place). You can't use wild cards outside the quotation marks or if the cmd-line doesn't have them. I have a couple for removing the Win Hotfix Uninstall folders.

    "c:\windows\system32\cmd.exe" /c rd /s /q "c:\windows\$ntuninstallkb**"
    "c:\windows\system32\cmd.exe" /c rd /s /q "c:\windows\$ntuninstallq**"

    I've tried to do it for 'wuauclt.exe' coz it's cmd-line is random,and after ending up with nearly 20 entries for it i tried to use a wild card but to no avail. :'(

    "c:\windows\system32\wuauclt.exe" /runstoreascomserver local\[548]susdsbe82bb6bae1dd64bae3b7bca1e266c6d <-- note that there are no quotation marks in the second half of the cmd-line.

    If anyone finds a way,let us know.
  3. gottadoit

    gottadoit Security Expert

    Jul 12, 2004
    I would think it is fairly likely that Jason will implement something like this (prior to release) because it is required in order to properly be able to control processes like rundll32 properly and minimise the number of unnecessary prompts

    Some of the rundll32 command lines have the part that changes in the middle of the argument string and others at the end so it might make things easier to have a richer regular expression match available (ie: more than just a *) if possible...
Thread Status:
Not open for further replies.