|Menu||UVK Help: Custom commands||Pub|
This page will show you how to use custom commands in the Run UVK Scripts section.
Type, paste or import the commands you wish to execute into the the text box on the UVK widow. Alternately you can create a UVK script with the commands you want to run and open it with UVK.
When creating a UVK script, the first line must contain the keyword <UVKCommandsScript> or UVK won't run it. This is a security feature to ensure that the file is a real UVK commands script. However, if you enter the commands directly in the UVK commands text box, you don't have to use this string.
When opening a UVK script, the text in the script will automatically be added to the Run UVK Scripts text box. You'll just have to select the desired options in the lower pane, click Run / Fix listed and confirm to execute the script.
To easily create an UVK script, or the custom commands use the Log analyzer. It inserts the mode headers in one click, allows drag an drop to create file and folder paths, and automatically creates scripts to perform full system maintenance and repair.
The syntax for multiline commands is:
The Mode is the keyword of multiline commands. It's on the top of a sequence of lines and tells UVK to do the same action to the lines below until the mode is changed to a different one, or the end of the script is reached. For single line commands you just have to enter the command tag followed by its parameters (if the command uses parameters, of course.)
The table below shows all available modes and commands. Click the name for more details.
The Mode lines can have white spaces before the mode string, but the commands under the mode keword can only contain the command string. Blank lines are ignored.
Windows environment variables like %windir%, %systemroot%, %userprofile%,
We also added support for six more variables to simplify writing common paths (case insensitive):
These variables are expanded in all modes except <Reg>.
This may seem complicated at first sight but it's very simple. I'll explain in detail:
This mode allows you to write comments in your script, explaining what it does and how it works. The lines under the <Comment> keyword will be ignored by UVK and you can use this mode anywhere in the script. Example:
This script will defragment the
system drive and clear the hosts file.
%comspec% /c echo 127.0.0.1
This mode allows to pause the script for a given number of seconds. The number of seconds must be right after the mode string. Example:
The command below will pause the script for five seconds:
you want to set the registry value QuickEdit under the key
HKEY_CURRENT_USER\Console to 1
You will note that it's the same format regedit uses to export registry entries. That's the idea!
You can export keys from another computer using regedit or reg export and then use UVK to import them to the infected pc.
To delete a registry key use use a "-" before the key's name. e.g.: [-HKEY...]
To delete a registry value use "=-" after the value's name. e.g.: "ValueName"=-
<Delete> and <SDelete>
<Delete> is used to delete files and folders and it's very simple: You only have to insert lines with the paths of the files or folders you want to delete under the mode line. You can use multiple paths under the same mode line, but only one path per line. The deleted files will be moved to the recycle bin, for possible recovery.
<SDelete> is similar to <Delete>, except the files and folders will be permanently deleted, instead of moved to the recycle bin. <SDelete> can sometimes be more effective, but doesn't allow to recover the deleted files.
When deleting files, don't forget to enter the extension. If the files or folders cannot be deleted immediately, they will be scheduled to be deleted on the next reboot.
With these modes you don't have to use double quotes for paths with spaces.
<ReplaceFile> and <SReplaceFile>
These modes can be used to replace a file with another file. If the file is locked, it will be replaced on reboot. The first given file doesn't have to exist, meaning these commands can also be used to copy files.
The difference between these two modes is that <ReplaceFile> moves the file to be replaced to the recycle bin before replacing it, while <SReplaceFile> deletes the file permanently.
Path of the file to be replaced (destination file) | Path of the file to replace with (source file).
%SystemDir%\urlmon.dll | %SystemDir%\dllcache\urlmon.dll
<Run> and <RunWait>
Either one of these two modes executes files. The difference is that <RunWait> executes an application and waits until it closes to step to next command. <Run> executes the file and continues immediately. You can use the one that best fits the action you want to perform.
Parameters with spaces need to be enclosed in quotation marks.
%comspec% /c copy /y
With this mode you can kill one or several processes based on the process executable path.
Since Windows doesn't have a native tool to do this job, this mode will be very useful to kill processes with the same name as system files like csrss.exe, svchost.exe or winlogon.exe, etc.
e.g. If you killed a
trojan's process which
parent executable is %appdata%\svchost.exe using the command
The commands in the example below will kill the process %appdata%\svchost.exe and restart Windows explorer:
With this mode you don't need to enclose paths in double quotes even when they have white spaces.
If there are several processes with the same path, they all will be killed.
This mode can be very useful if your browser is infected and you can't download an antivirus or anti-spyware program, or if you want to automatically download and run a file in a specific part of a script.
The syntax for this mode is: Url of the file to download | Path to save the file on the hard disk.
As you can see in the example below, the url is separated from the destination path by " | ". This separator is very important and it must always be a vertical bar (|) with only one space on each side:
Register all system dlls is a unique UVK feature that can solve many problems related to the Windows explorer, Windows update, missing services, installation problems, runtime errors, missing windows features, system working too slow and many other problems.
This is a standalone command. No other lines are required. Example:
This script will register all system dll's
This mode allows you to integrate one or several cmd batch scripts in the UVK script code. UVK will run the script with administrator privileges. Example:
This script will empty the temp folders and defragment the hard drives.
This powerful feature allows you to keep your set of tools updated by simply running a UVK script.
The syntax for this mode is as follows:
Path of program to update | Direct download url
Each command has two or three arguments separated with " | " (whitespace + vertical bar + whitespace).
The first argument is the path of the program to update. Example F:\UVKSetup.exe. Environment variables are supported.
The second argument is a url. This url may have three different types. See below.
The third argument is optional:
Using a direct url:
If you specify a direct url as the second argument, don't set the third argument. Direct urls are urls that point directly to the file you wish to download. The UVKSetup.exe or UVKPortable.exe downloads from our server are examples of direct urls.
The script above will update UVKPortable.exe and MBAM.exe (Malwarebytes anti-malware) in your desktop folder.
Using a MajorGeeks software page:
This is the option we recommend when the program you wish to update doesn't have an updated download url.
Specify the url of the MajorGeeks page corresponding to the software you want to update. Not the download page, just the main software page. i.e.: for UVK it's this one, for Avast! Virus cleaner tool it's this one.
Then, always specify "MajorGeeks" as the third argument. Quite simple, huh? Here's an example:
The script above will update UVKSetup.exe and SAS.exe (Super AntiSpyware) in your desktop folder.
Using a link text as the third argument:
If the software you want to update is not listed at MajorGeeks, or if you do not wish to use the MajorGeeks method, you can set the second agument as the url of a page containing a text link pointing directly to the updated file you want to download.
Then set the third argument with the text of the direct link. UVK will parse the link, retrieve the url it's pointing to, and perform the update with the corresponding file. That means when the link is updated, the software will be updated too. Neat, huh?
http://www.bleepingcomputer.com/download/combofix/dl/12/ | click
The script above will update Combofix, TDSSKiller and CCleaner in your desktop folder.
If the program is already updated, UVK will skip the download and jump to the next command.
Immunizes or un-immunizes one or more areas. For more information about the UVK immunization see UVK Immunization.
The syntax for this command is <ImunizeSystem>[Area number 1]|[Area number 2]|[Area number n]|AllUsers.
Using this command without parameters will make UVK un-immunize any previously immunized areas.
The area numbers must be separated by a vertical bar (|).
Available areas and corresponding numbers are:
0 - Autorun
Using AllUsers at the end of the command will make UVK set the immunization for all the local users. This feature is only available for the users having a UVK license key.
The example below will immunize the Autorun entries, Winlogon entries, IE toolbars and search and the Start menu areas:
The example below will immunize the recommended areas for all users:
The example below will un-immunize any previously immunized areas:
Any previously immunized areas not specified in the new command will be automatically un-immunized:
Grants access to the registry keys corresponding to the following file extensions: .exe, .reg, .msi, .bat, .cmd, .com and .vbs.
This can be useful if you have locked the file extensions with the command <ProtectFileExtensions>.
Fixes one or several file extensions. Supported extensions are: .exe, .reg, .msi, .bat, .cmd, .com, .vbs and .vbe.
Usage: <FileExtension> | Extension
Extension is the file extension to fix, including the dot. If you use All instead of a file extension, then all seven file extensions will be fixed. Examples:
<FileExtension> | .msi
<FileExtension> | All
Protects the following file extensions from being changed: .exe, .reg, .msi, .bat, .cmd, .com, .vbs and .vbe.
This can be an important step on the malware protection techniques, considering the number of modern malware that affect these file extensions.
This command fixes the most common problems related to software installation. It repairs Windows installer, the %appdata% environment variable, empties and repairs the temporary folders. Example:
This script will fix installation problems.
This command enables Windows autoplay function for all drives. Example:
This script will enable autoplay for CD/DVD and USB drives.
This command disables Windows autoplay function for all drives. Example:
This script will disable autoplay for all drives.
This command repairs and enables Windows Update. Example:
This command resets the hosts file to its defaults and flushes the DNS. Example:
This command fixes the windows sidebar. Using 1 right after the command will keep the current Windows sidebar settings (the gadgets on the desktop, their positions, etc). If you don't want to keep these settings, just delete the 1. This will increase the success rate. Examples:
This script will fix the Windows sidebar and keep the current settings:
======= // =======
This script will fix the Windows sidebar and delete the current settings:
This command fixes, enables and resets the windows firewall to its defaults. Example:
This script will reset and fix fix the Windows firewall:
This command will repair possible Windows shell hijacks, repair Internet explorer, and register the files needed for the shell to work properly. Example:
This script will repair the Windows shell:
Sometimes the WMI is corrupted, which also prevents the system restore from working. This command will fix both the WMI core and the system restore service. Example:
This script will repair the WMI and the system restore:
This command resets Internet explorer settings and Windows internet settings to their defaults, meaning these settings will be set as if you had just created a new user. Example:
This command repairs the desktop and internet shortcuts file extensions and associations, and also restores the registry keys for the internet protocols to their defaults. Example:
This command deletes all existing system restore points. Example:
This command creates a restore point named UVK Fix. Creating a restore point before running the commands is already part of UVK's interface, but this command allows to create a restore point in a specific part of the script or after executing all the commands. Example:
This command empties the cache for all the installed internet browsers. Supported browsers are: Internet Explorer, Mozilla Firefox, Google Chrome, Opera and Safari. Example:
This command deletes the cookies for all the installed internet browsers. Supported browsers are: Internet Explorer, Mozilla Firefox, Google Chrome, Opera and Safari. Example:
This command resets the following system event logs: Application, Security, Setup, System and Internet Explorer.
You should use this fix when the event logs become too big, and are not easy to read or are causing performance issues.
This command resets the registry and ntfs security settings to their defaults using the Windows Api functions. Use it when you have issues related to file or registry access. Example:
This command resets the registry and ntfs security settings to their defaults using secedit.exe. Use it when you have permissions problems when installing updates or other software. Example:
This command resets the local group policies to their defaults. The fix will take effect not only for the policies configured with gpedit.msc, but for the ones configured directly in the registry.
This command will reset the registry entries for the User Shell Folders key (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders).
This command resets the local IP, Winsock and proxy settings to the defaults.
This command will enable the hidden admin account. Example:
This command will disable the hidden admin account. Example:
This command will recreate the icon cache database. Use it when the icons aren't displaying properly in the Windows explorer. Example:
This command will enable the user account control. This option is only valid for Vista or newer Windows versions. Example:
This command will disable the user account control. This option is only valid for Vista or newer Windows versions. Example:
This command will enable the corrent user's desktop, the icons displaying and the context menu. Example:
Use this command if you can no longer login to your account, or when you log in, the system account is used instead of yours. Note: This fix is not available on Xp. Example:
Some malware hijack the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems registry key. This fix will repair it. Example:
This fix will add "Local service" and "Network service" members to the administrators group.
Use it when you have network or service problems, such as your network icon not displayng the connected state.
This command will unhide the user's files and folders. Use it if malware has hidden them. System files and folders like the AppData, Recent, or the Start menu folders, and the desktop.ini, thumbs.db, index.dat or user.dat* files, etc. won't be unhidden. Example:
This command updates the DirectX in unattended mode. Example:
This command updates Java in unattended mode. Example:
This command updates the Flash player plugin and activeX in unattended mode. Example:
This command installs the non installed versions of .NET Framework in unattended mode. Example:
This command will empty the temporary folders for all users. This command was created only for maintenance and it won't delete the files in use nor running executable files. If you wish to delete all temporary files, check Empty temporary folders checkbox before running the command or script. Example:
This command will reset the following Windows event logs: Application, Security, Setup, System and Internet Explorer. You should use this fix if the event logs have become too big and can no longer be easily read or are causing performance issues.
This command will release memory used by the applications by emptying their working set. Usually this doesn't affect performance, but users should use this feature only if they are running out of memory. Example:
This command will add some registry tweaks to reduce the boot time, defragment all the hard drives to improve performance and process the idle tasks to reduce the boot time.
Please note that the boot optimization can not be stopped and will only take effect after rebooting the computer at least twice. Also, defragmenting the hard drives can take a long time depending on how fragmented they are, their size and the system speed. Example:
If you use this command, UVK will verify the digital signatures of the processes to kill.
If the signer is part of an internal trusted signers list, the process will not be killed.
The list includes some trusted publishers like Microsoft, Google, Mozilla, Opera, Hewlett Packard, Acer, etc.
This command will kill all non system processes. Use it to stop the malware activity and free system resources. The processes will be filtered by path. Ignored processes are:
This command will kill all non critical processes. Use it to stop the malware activity and free system resources if you think that system files can be infected. The processes will be filtered by path. Ignored processes are:
This command will try to stop all non Microsoft running services. Example:
This command will schedule the system drive to be checked on next reboot. Example:
This command will run the system protected resources scan (sfc.exe /scannow). Example:
This command will tell UVK to reboot the computer after running the current script. This command doesn't have to be the last command in the script. Example:
The commands above will kill all non system processes, defragment and optimize the hard drives, and then reboot the computer.
This command is similar to <Reboot>, except it will shutdown the computer instead of restarting it. Example:
Create scripts for full system maintenance and repair
You can combine the commands described above to create UVK scripts to automate a full system maintenance or repair, or both. Example of a repair script:
Example of a maintenance script:
You can also combine the two scripts above to make a repair and maintenance script.
Using the custom modes and commands
All modes and commands listed above can be combined together in the same UVK script or set of commands.
When using a multi line mode you should write all the commands that correspond to that mode under the mode line before changing to a different mode.
You can use the same mode several times in the same script.
Copyright Carifred © 2010 - 2013, all rights reserved.