I'm new to PowerShell (and really scripting in general) and I've recently created a tool to search and delete malicious files on a remote host (I work in security ops), but I'm struggling to work out how to do the same with registry keys and registry values. I have a list of the entries I'm looking for to be used as an array and need the script to cycle through them.

Can anyone give me any steers or advice on this? This is what I have cobbled together so far from other threads. It runs through the array fine but keeps trying to search within the directory the script is in at the moment.

$computer = Read-Host -Prompt 'Input target host'

$mallist = @("mazqnjrurg","mazqnjrurg.vbs","Angry Birds","Angry Birds.vbe")
foreach ($mal in $mallist)

    {
      # Open HKLM on the remote host over the Remote Registry service
      $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
      # $true opens the key writable so values under it can be deleted
      $RegKey = $Reg.OpenSubKey("Software\Microsoft\Windows\CurrentVersion\Run", $true)
      # $RegKey is a RegistryKey object, not a provider path, so enumerate its value
      # names directly rather than handing it to Get-ChildItem (which treats it as a path)
      $RegKey.GetValueNames() | ForEach-Object { if ($_ -match "$mal") { $RegKey.DeleteValue($_) } }
      $RegKey.Close()
      $Reg.Close()
    }

Thank you

RJK
    Please share what you have tried anyway. If they were right you would not be here asking the question. – EBGreen Mar 23 '18 at 15:55
  • Hi EB, I've updated the original question with an example. – RJK Mar 23 '18 at 16:14
  • Now please explain how this is not working for you. – EBGreen Mar 23 '18 at 16:26
  • It doesn't search the registry of the remote host. Instead it seems to be trying to search through the current directory of where the script is. – RJK Mar 23 '18 at 16:41
  • This post has a good explanation and script for doing remote registry operations: http://www.powershelladmin.com/wiki/Script_for_finding_which_dot_net_versions_are_installed_on_remote_workstations – Thom Schumacher Mar 23 '18 at 16:45
  • Thanks for the link, I'll check it out. I'll update the post if I find a solution. – RJK Mar 26 '18 at 09:54
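A worked example of the approach discussed in the question and comments, added here and not the poster's own script: it opens the Run key on a remote host with the .NET remote registry API, compares every value name, value data and subkey name against an indicator list, and returns the matches as objects. Deletion only happens when an assumed `-Remove` switch is given, so a default run is report-only and produces a record of what would be touched. It assumes the Remote Registry service is running on the target and that the caller has administrative rights there; the indicator list reuses the names from the question as a constructed default.

```powershell
# Added example (not the original poster's code). Report-only unless -Remove is given.
param(
    [Parameter(Mandatory)] [string]$ComputerName,
    [string[]]$Indicators = @("mazqnjrurg","mazqnjrurg.vbs","Angry Birds","Angry Birds.vbe"),
    [switch]$Remove   # assumed switch: delete matching values/subkeys instead of only reporting
)

$runKeyPath = 'Software\Microsoft\Windows\CurrentVersion\Run'
$findings   = @()

# 'LocalMachine' is a Microsoft.Win32.RegistryHive value; this needs the Remote Registry
# service on the target and admin rights for the caller (assumptions of this example).
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
try {
    # Second argument requests write access; only asked for when we intend to delete.
    $runKey = $hklm.OpenSubKey($runKeyPath, $Remove.IsPresent)
    if (-not $runKey) { throw "HKLM\$runKeyPath not found on $ComputerName" }
    try {
        # Values: the poster's list names value entries, but the command line in the data
        # is worth checking too. GetValueNames() returns a snapshot, so deleting while
        # iterating is safe. -like is a literal, case-insensitive wildcard match; -match
        # would treat the '.' in "mazqnjrurg.vbs" as a regex metacharacter.
        foreach ($valueName in $runKey.GetValueNames()) {
            $data = [string]$runKey.GetValue($valueName)
            foreach ($ioc in $Indicators) {
                if ($valueName -like "*$ioc*" -or $data -like "*$ioc*") {
                    $findings += [pscustomobject]@{
                        Computer  = $ComputerName
                        Type      = 'Value'
                        Key       = "HKLM\$runKeyPath"
                        Name      = $valueName
                        Data      = $data
                        Indicator = $ioc
                        Removed   = $Remove.IsPresent
                    }
                    if ($Remove) { $runKey.DeleteValue($valueName) }
                    break   # one finding per entry is enough
                }
            }
        }
        # Subkeys: covers indicators that name a key rather than a value.
        foreach ($subKeyName in $runKey.GetSubKeyNames()) {
            foreach ($ioc in $Indicators) {
                if ($subKeyName -like "*$ioc*") {
                    $findings += [pscustomobject]@{
                        Computer  = $ComputerName
                        Type      = 'Key'
                        Key       = "HKLM\$runKeyPath"
                        Name      = $subKeyName
                        Data      = ''
                        Indicator = $ioc
                        Removed   = $Remove.IsPresent
                    }
                    if ($Remove) { $runKey.DeleteSubKeyTree($subKeyName) }
                    break
                }
            }
        }
    } finally { $runKey.Close() }
} finally { $hklm.Close() }

# Emit findings as objects so they can be piped to Export-Csv or a ticketing step.
$findings
```

Save it as a .ps1 and run it with `-ComputerName <host>` first to review the findings; rerun with `-Remove` only after the output has been checked, and keep the report-only output as the record of the remediation. Opening the key read-only on the report pass also means a mistyped indicator cannot delete anything.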
