Fesooff

user defined scan via context menu


Hello,

I made a context menu entry as described here:
https://www.trishtech.com/2010/10/add-emsisoft-commandline-scanner-to-right-click-menu/

The entry-value is:
"C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe" /f="%1"/h /q /r /n /a /l="C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd-DW.log" /pup

Yes, it works. But as soon as the scan is done, the cmd window closes, so I cannot read what Emsisoft has done. Did it scan, or was there an error? Were all scanned files in order, or was there a virus? Did it move some files into the quarantine? And so on.

Emsisoft prints this information in the cmd window, but as it closes so quickly I cannot read anything.

 

Question:
Is there any way to let Emsisoft keep the cmd window open at the end of the scan?

Would appreciate a helpful answer.

Thank you.

Feesoof

Link to post

No, it does not show anything in C:\Program Files\Off-Time-Virenscanner\Reports

But it does show something in C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd-DW.log

See above: I have the parameter /l="C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd-DW.log"

But I do not want first to search and open this log after each scan.

Link to post

The problem here is that a2cmd.exe needs to execute with administrator rights, and when it elevates its rights a new instance of cmd.exe is launched. The only possibility I can think of is using something such as PsExec to execute a2cmd.exe with admin rights, however this does require putting the password of the account you wish to use in the command to execute a2cmd.exe.

Here's a simple example of how to use PsExec (it may need some tweaking to work right):

psexec.exe -u <username> -p <password> -h C:\<path>\a2cmd.exe /f="<path-to-file>" /l="<path-to-log>"

 

Link to post

Thank you. But this does not work: See attached Gif-Animation.

Here is the line in Regedit:
E:\Daten\Download Programme\andere\PsExec\psexec.exe -u admin -p ljd%h4)hz -h "C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe" /f="%1" /l="C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd-DW.log"

No, it does not show anything in C:\Program Files\Off-Time-Virenscanner\Reports
and it does not show anything in C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd-DW.log

 

Psexec.gif

Link to post

Your line in Regedit might need to have the first filename enclosed in quotes too, ie have

   E:\Daten\Download Programme\andere\PsExec\psexec.exe

by

   "E:\Daten\Download Programme\andere\PsExec\psexec.exe"

Link to post

"E:\Daten\Download Programme\andere\PsExec\psexec.exe"  makes no difference.

I have now moved psexec.exe into C:\Windows\System32.

Then I started cmd.

I typed in the line as you can see here:

2117721164_Servicenotinstalled.PNG.34c6f40eee118a7d4648b8cd688dffcc.PNG

 

Error: Couldn't install PSEXESVC service.

Furthermore: can the parameter /f="%1" work together with psexec?
( psexec.exe -u admin -p ljd%h4)hz -h "C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe" /f="%1" /l="C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd-DW.log" )
 
If not: I cannot scan a file via the context menu.

Link to post

Try running PsExec from an elevated (running as Administrator) Command Prompt to see if it can install its service. It probably needs the service to execute other processes with admin rights.

Link to post

It means the command works. You can try running the command from the Run dialog or a regular Command Prompt (not elevated / running with normal user rights) now and see if it works as expected.

Link to post

The explanation that I'm seeing is that PsExec will display the error message "Couldn't install PSEXECSVC service" when you use the -h parameter without running it from an elevated Command Prompt. I find that rather odd, as I've used PsExec exactly like this on a Windows 8.1 system to run a program with elevated permissions at startup.

PowerShell can be abused as a workaround for this. Note that while this does technically work, using PowerShell in this way may trigger some Anti-Virus protection, so your mileage may vary.

PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList '/K "<path_to_a2cmd>" /f="<path_to_file>" /l="<path_to_log>"' -Verb RunAs

I was able to run that from a Command Prompt, and directly from the Run dialog, so it should work from the context menu as well.

Link to post

Your quotes appear to be off. Paste the full command you're trying to run into a reply, and I'll see if I can fix it for you.

Link to post

Thank you.

PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList '/K "C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe" /f="E:\Daten\Ablage\Emisoft mit PsExec.txt" ' -Verb RunAs

 

Link to post

I think the issue was a space between the quotes on the end. Try this, and let me know if it works:

PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList '/K "C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe" /f="E:\Daten\Ablage\Emisoft mit PsExec.txt"' -Verb RunAs

 

Link to post

Your command looks OK to me. I'll ask some of our other support team members, and see if they can see what's wrong.

Link to post

FYI: While waiting, the issue is the spaces in the paths. If there were no spaces, then the command would more than likely work. The quotes should prevent issues with spaces in paths, however that doesn't appear to be working for some reason (maybe the double-quotes need to be escaped?), and I can't remember if there were spaces in the paths when I tested it. I'll wait for feedback from the rest of the team before looking into it further.

Link to post

It looks like the double quotes need to be escaped. Try this instead:

PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList '/K \"C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe\" /f=\"E:\Daten\Ablage\Emisoft mit PsExec.txt\"' -Verb RunAs

 

Link to post

GT500, the escape character for cmd.exe command lines is ^, not backslash.    However Powershell seems to have its own escape character, backtick.   Also in some circumstances (I don't know which) multiple arguments to -ArgumentList seem to need to be comma-separated.   See commas and backticks in Example 7 on this page: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/start-process?view=powershell-6

The problem may also be that rather than trying to wrap several args to -ArgumentList in single quotes, with double-quotes inside that string, you need a CSV list of separate args, so eg maybe "/K", "C:\Program Files\....", ...

I've never used Powershell, so feel free to ignore me.

 

(Also, is it just me or does typing an '@' followed by someone's forum nickname no longer work here?  I find I can add someone's highlighted name but then cannot type anything after it, and have to abandon writing a post...)

Link to post

@stapp @gt500

This is weird - I just typed the '@' and then your nicknames and then a space and - in the edit window - those values were inserted like any series of characters typed as usual.  I am about to click on 'Submit Reply' and we'll see if my reply gets created with highlighted labels...

Link to post

Try typing @ and then start typing stapp until it appears underneath at left side with the icon associated with my name and click on that icon.

Link to post

And they didn't.   I don't normally type the whole nickname, but instead type a little of one and then use the mouse to click on the rest of the name, so Stapp... does this work: @stapp - yes it did.  How about at the start of a paragraph?

@GT500 this worked too.  Weird.  And thanks for the page of 'escaping' notes - I've added that to my own notes on the subject.

Link to post

GT500 Thank you.

I tried the following:

PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList '/K \"C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe\" /f=\"E:\Daten\Ablage\Emisoft mit PsExec.txt\"' -Verb RunAs

PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList '/K ^"C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe\" /f=^"E:\Daten\Ablage\Emisoft mit PsExec.txt\"' -Verb RunAs

Both did not work. Same error:

678528543_EmisoftSameError.PNG.3bd0630c26c75d9855209c0d1eca5c57.PNG

Link to post

Normally if I'm trying to get something like this working, I try to get the command I wish to execute to be 'echoed' (ie written to) the command window where it is going to be run, so I can see what actually arrives there.  I've managed to make the echo work as hoped for (note that my file paths are different from your ones), for example with:

C:\>PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList "/K",'echo `"C:\Program Files\Emsisoft Internet Security\a2cmd.exe`" /f=`"E:\Daten\Ablage\Emisoft mit PsExec.txt`"' -Verb RunAs

Also note that I used the comma-separated list of arguments with the first one being: "/K"
and the second one:  'echo `"C:\Program Files\Emsisoft Internet Security\a2cmd.exe`" /f=`"E:\Daten\Ablage\Emisoft mit PsExec.txt`"'  

and note that before each of the double quotes inside that long string there's a "`" backtick.      Also, despite the "\Emsisoft Internet Security", this is EAM...

 

HOWEVER if I remove the 'echo' from the command it goes wrong again.  I tried lots of things and they all fail.   So, a different method is probably a better idea. 

I wrote a simple .cmd file which I placed on my E drive, named:  E:\TheCommandToBeRunAsAdmin.cmd         At first it contained just a "dir" command...   I ran it, as Admin by:

C:\>PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList "/K","E:\TheCommandToBeRunAsAdmin.cmd" -Verb RunAs

Then I altered the command that's inside that .cmd file to the command that tries to run a2cmd.exe.   It works!    Well, it creates an error message about the need for a  /s parameter, which I didn't look into,  but at least that message MUST have been generated by a2cmd.exe.

The contents of my E:\TheCommandToBeRunAsAdmin.cmd (which you should cut&paste out of here) were:

@echo off
:: setlocal allows me to use variables whose scope is just this file
setlocal

echo At %time% - executing TheCommandToBeRunAsAdmin.cmd as Administrator:
echo.

:: This always tells me I need an /s switch...
::
:: "C:\Program Files\Emsisoft Internet Security\a2cmd.exe" /f="E:\Daten\Ablage\Emisoft mit PsExec.txt"

set thecommand="C:\Program Files\Emsisoft Internet Security\a2cmd.exe" /f="E:\Daten\Ablage\Emisoft mit PsExec.txt"

echo I will try to execute:
echo %thecommand%
echo.

:: now actually issue the command:
%thecommand%

echo.
echo At %time% - finished executing contents of TheCommandToBeRunAsAdmin.cmd
echo.

pause

 

Note that if you get something like this to work, it's not really necessary to place the command that's going to be executed into a variable ('thecommand' here) but it does have the advantage that you can write the command to the output window then execute it, and be sure that what you said you're going to do is the same as what you did do.  You could instead run the .cmd file without the initial "@echo off" and just have the actual command in it.  When I'm experimenting I prefer to do it this way.   

The thing that's important here is there's no need to escape quotes etc while getting Powershell to start the subsidiary process; I deliberately chose a .cmd filename that has no spaces in it.  Once the Administrator cmd.exe is running and the .cmd file starts you only have to worry about the command(s) in there being syntactically valid. 

 

 


 

Link to post

Thank you JeremyNicoll.

Not sure if I am on the right track: I guess that if I take your proposal, I always have to manually change /f="E:\Daten\Ablage\Emisoft mit PsExec.txt" in the batch file when I want to scan a file other than "Emisoft mit PsExec.txt". Right?

But when you read my first post: This is not what I want.

What I want is: I would like to use the Emsisoft kit to check single files or single folders with a simple, fast right-click when I am in Windows Explorer, the same way I can when I want to check a file with Malwarebytes. I just choose "scan with malwarebytes" in the context menu:

317307003_KontextmenaufOrdnerangewendet.png.ce0b7dc1802fb108c780f9cb63271929.png

I would like to have the same for the Emsisoft Kit (folders and files). This way I could quickly and comfortably check a new file I had downloaded.

 

Link to post

All the recent attempts have been to try to get a PowerShell command to run the Emsi command in a separate process, and - as I understood it - have failed.  I was under the impression that these failures have all been of commands you manually entered from an ordinary command window?    If that can be made to work, then we can instead try a .cmd file which takes the name of the file/folder that's to be scanned as a parameter and then store in the registry a template command (to use PowerShell to start the cmd file with a specified target file/folder).  But first, can you make the PowerShell command work on your system?

 

Link to post

Does the following work?

PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList '/K ^"C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe^" /f=^"E:\Daten\Ablage\Emisoft mit PsExec.txt^"' -Verb RunAs

 

If not then here's another alternative, although I suspect that it's less likely it will work than the previous examples:

PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList '/K ""C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe"" /f=""E:\Daten\Ablage\Emisoft mit PsExec.txt""' -Verb RunAs

 

Link to post

@JeremyNicoll

Quote

I was under the impression that these failures have all been of commands you manually entered from an ordinary command window? 

This was only meant as an intermediate stage, to get the command working. The goal is what I described.

@GT500:

Both do not work:

Powershell3.PNG.9e846df41393bdba22be127c99a19389.PNG

Link to post

I understand what the goal is, but does the intermediate stage work if you try it?    If it does then we can work on a different way to make the goal work.

Link to post

I don't know why escaping the quotes isn't working (perhaps it's due to it being a non-English version of Windows?), as it worked in our own testing. You may have to move the Emsisoft Emergency Kit folder somewhere that doesn't have spaces in the folder names in order to get this working.

Link to post

BTW: All of the screenshots you posted were of the Command Prompt. Do any of the commands work from the Run dialog? You can hold down the Windows logo key and tap the R key to open the Run dialog.

Link to post
13 hours ago, JeremyNicoll said:

Escaping the quotes doesn't work on my system either, which is set to English (UK) - I just checked...

Interesting. Our Support Manager looked at the PowerShell command, and told me that the following worked on his system (I would believe Windows 10):

PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList '/K \"C:\Program Files\Emsisoft Anti-Malware\a2cmd.exe\" /s /f="C:\Users\David\Desktop\Emsisoft mit PsExec.txt"' -Verb RunAs

 

It looks like he only escaped the double quotes in the path to a2cmd.exe, and not in the path to the log file. I imagine that would prevent the log from being saved at the full path, however I can't be 100% certain without trying it myself.

Note that his command won't work with EEK due to the /s parameter, which the version of a2cmd.exe that comes bundled with EEK doesn't support.

Link to post

I tried this latest form of the command (changing the folder names though).   One of them sort-of worked.  These were the two commands:

C:\>PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList '/K \"C:\Program Files\Emsisoft Internet Security\a2cmd.exe\" /s /f="E:\Huge files not being kept on C"' -Verb RunAs

C:\>PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList '/K \"C:\Program Files\Emsisoft Internet Security\a2cmd.exe\" /s /f="E:\Huge files not being kept on C\"' -Verb RunAs

which are the same except the second one has a trailing slash on the folder specified on the E drive...  The first command shows, in the Administrator cmd.exe window:

Emsisoft Commandline Scanner v. 2018.7.2.8843
(C) 2003-2018 Emsisoft - www.emsisoft.com

Emsisoft Commandline Scanner - Version 2018.7
Last update: 10/08/2018 21:59:28

Scan settings:

Scan type:                             Custom Scan
Objects:

Detect Potentially Unwanted Programs:  Off
Scan archives:                         Off
Scan mail archives:                    Off
ADS Scan:                              Off
File extensions:                       Off
Direct disk access:                    Off

Scan start:                            10/08/2018 22:22:00

Incorrect parameters - no objects to scan.

C:\Windows\system32>

 

whereas the second command gives an oh so familiar error message instead:

'C:\Program' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>

 

 

 

Link to post

Thank you all.

I have tried out the proposal from GT500. I have the same result as JeremyNicoll.

The program-Issue is solved, but there is an incorrect parameter issue.

1706722233_Emisoftcmd.PNG.a7b61bd1ac46e6529fa1edc59902568f.PNG

This was the exact PowerShell command:

PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList '/K \"C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe\" /s /f="E:\Daten\Ablage\Emisoft mit PsExec.txt"' -Verb RunAs

I made also a try with making a registry command with exactly the above powershell command. This is the result:

17689828_withRegistry.PNG.9de162e9bf8087d6201ef3c7412e4ab4.PNG

Short flash of the cmd-window: " Error: Couldn't install PSEXESVC service. service: access denied." It's the same error as in post 8 of this thread.

Link to post
On 8/11/2018 at 2:09 PM, Fesooff said:

The program-Issue is solved, but there is an incorrect parameter issue.

That's caused by the /S parameter, which EEK doesn't support. Remove that from the command, and it should work.

Link to post

@Fesooff on Saturday you said: "I made also a try with making a registry command with exactly the above powershell command"  but the screenshot (of the brief flash of the command window) that you included shows an attempt to run the SysInternals psexec command... which isn't what the Powershell command tries to do.  What precisely did you set the registry key to?

And, have you tried the .cmd file that I suggested yet?

 

Link to post

OK. In the meantime I tried this:

On 13.8.2018 at 21:45, GT500 wrote:

That's caused by the /S parameter, which EEK doesn't support. Remove that from the command, and it should work.

But it was not successful.

 

Then I began  to try this:

On 8.8.2018 at 11:32, JeremyNicoll wrote:

HOWEVER if I remove the 'echo' from the command it goes wrong again.  I tried lots of things and they all fail.   So, a different method is probably a better idea. 

I wrote a simple .cmd file which I placed on my E drive, named:  E:\TheCommandToBeRunAsAdmin.cmd         At first it contained just a "dir" command...   I ran it, as Admin by:

C:\>PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList "/K","E:\TheCommandToBeRunAsAdmin.cmd" -Verb RunAs

But it was not successful.

Then I went back to this:

675520893_gehtgarnichtmehr.PNG.3f503f92fdc30868463526cf37fb8f9f.PNG

Error: PowerShell.exe is not a permissive application.

Even this no longer works. It was previously successful in the post from "Saturday 20:09h".

Looks like there is something wrong with my system now(?)

 

Link to post

You said that trying

C:\>PowerShell.exe -Command Start-Process -FilePath 'C:\Windows\System32\cmd.exe' -ArgumentList "/K","E:\TheCommandToBeRunAsAdmin.cmd" -Verb RunAs

was not successful.   What /did/ happen?  Can you confirm that you cut & pasted my command into your command window then (if needed) edited the file paths - that's to say the quotes were exactly as I typed them?    And that you /did/ use a command window, not a registry entry?   What did it say in the ordinary command window where you entered that command, when you ran it?    Did a second command window get opened?    If so what was in it?

Link to post

I'm not sure how long it took me, but I finally got it working (at least on my system):

PowerShell.exe -Command Start-Process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList @('/K','\"C:\Program Files\EEK\bin64\a2cmd.exe\"','/f=E:\Daten\Ablage\Emisoft mit PsExec.txt') -Verb RunAs

I do have Windows 10 x64, and it has a different version of PowerShell than Windows 7, so there's a possibility it may not work on Windows 7.

Note: Since I have a 64-bit version of Windows, the above example runs a2cmd.exe from the bin64 folder rather than the bin32 folder.

Link to post

@GT500

Quote

PowerShell.exe -Command Start-Process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList @('/K','\"C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe\"','/f=E:\Daten\Ablage\Emisoft mit PsExec.txt') -Verb RunAs

I tried the code above. But it does not work either:

281514418_cmdEmisoftOutput4.PNG.5eb97fb180081ee7ca6e93a8f6454de4.PNG

I was not aware, that this is that difficult.

So I have decided to use the following in the registry:

Quote

"C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe" /f="%1"/h /q /r /n /a /l="C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd-DW.log" /pup

And make a quick-access shortcut to C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd-DW.log in the taskbar.

Thank you.

Link to post

There is a problem with copying the paths out of the forums. It seems to be adding extra Unicode characters that are otherwise not visible, however they are showing in the Command Prompt when I paste the command into Notepad++, edit it, and then paste it into the Command Prompt:

image.png

Link to post

The following command works for me (including scanning the file, which I didn't test with the previous command):

PowerShell.exe -Command Start-Process -FilePath "C:\Windows\System32\cmd.exe" -ArgumentList @('/K','\"\"C:\Program Files\EEK\bin64\a2cmd.exe\" /f=\"E:\Daten\Ablage\Emsisoft mit PsExec.txt\"\"') -Verb RunAs

That being said, I suspect that the command won't work if you simply copy it out of my post and try to use it, so here's a link to a text file that contains the command and should work if copying it from the forums does not:
https://www.gt500.org/emsisoft/examples/Fesooff/2018-Aug-20/PowerShell_Elevate_A2CMD.txt

Note: In order to get this working, I typed the path to the file by hand and I named the folders and file by hand, rather than copying the names from the forums. You may need to do the same in your own testing if copying my examples does not work.

If you're curious about why I did the quotes the way I did, then you can see an explanation here.

image.png

 

Process Hacker showing the command that was used to launch the second instance of cmd.exe (the one that PowerShell launches to execute a2cmd.exe):

image.png
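
An added example, not part of any post in this thread and not Emsisoft's code: the helper-with-a-parameter approach suggested earlier in the thread, written as a PowerShell script so that the quoting for cmd.exe is built in one place instead of being typed through several layers. The script name, its location and the registry command in the first comment are hypothetical; the a2cmd.exe and log paths and the /f and /l parameters are the ones used in the thread, and the local execution policy is assumed to allow the script to run.

```powershell
# Scan-Elevated.ps1 (added example; script name and location are hypothetical)
#
# Context-menu command to store in the registry (assumed install path):
#   powershell.exe -NoProfile -File "C:\Tools\Scan-Elevated.ps1" "%1"
param(
    [Parameter(Mandatory = $true)]
    [string]$Target,
    # Scanner and log paths as used in the thread; adjust to the local install.
    [string]$Scanner = 'C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd.exe',
    [string]$Log     = 'C:\Program Files\Off-Time-Virenscanner\bin32\a2cmd-DW.log'
)

function Get-CmdKArgument {
    param([string]$Scanner, [string]$Target, [string]$Log)

    foreach ($path in $Scanner, $Target, $Log) {
        # The name of a downloaded file is not under our control and ends up on
        # the command line of an elevated cmd.exe. A double quote would end the
        # quoted region early, and cmd.exe expands %NAME% even inside quotes,
        # so both characters are refused rather than escaped.
        if ($path -match '["%]') {
            throw "Path contains a double quote or percent sign: $path"
        }
    }

    # When the text after /K starts with a quote and contains more than two
    # quotes, cmd.exe removes the first and the last quote and runs the rest.
    # The extra outer pair below is the pair that gets removed.
    return '/K ""{0}" /f="{1}" /l="{2}""' -f $Scanner, $Target, $Log
}

try {
    if (-not (Test-Path -LiteralPath $Scanner -PathType Leaf)) {
        throw "Scanner not found: $Scanner"
    }

    # Resolve to a full path: the elevated cmd.exe does not start in the
    # folder that Explorer was showing.
    $fullTarget = (Resolve-Path -LiteralPath $Target -ErrorAction Stop).ProviderPath

    # The thread saw a trailing backslash in front of a closing quote break the
    # command, so it is stripped from folder paths (a drive root is left alone).
    if ($fullTarget.Length -gt 3) { $fullTarget = $fullTarget.TrimEnd('\') }

    $cmdArgs = Get-CmdKArgument -Scanner $Scanner -Target $fullTarget -Log $Log

    # -Verb RunAs raises the UAC prompt, so no account password is stored in the
    # registry. /K keeps the elevated window open after a2cmd.exe has finished.
    Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" -ArgumentList $cmdArgs -Verb RunAs
}
catch {
    # Keep this window open too, so the reason is readable.
    Write-Host "Scan not started: $($_.Exception.Message)"
    Read-Host 'Press Enter to close'
}
```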