Easy way to schedule SB without using a password.



nelsonm
2007-09-25, 02:51
Hi All,

I have noticed that folks are trying to schedule SB to run without a password by:

1. creating a user account just to schedule SB.
2. using the admin account.
3. flipping a system switch

You don't have to do any of those things. Just run as: "NT AUTHORITY\SYSTEM" and click "apply" then "ok" without entering a password.

regards,

md usa spybot fan
2007-09-25, 06:47
The problem with what you are suggesting is if you don't run from your user account, you may not be picking up your cookies, and your HKEY_CURRENT_USER registry hive may not be loaded, so you may not be checking things like startup entries for your account.

PepiMK
2007-09-25, 11:14
Hives not loaded? I doubt that ;)
HKEY_CURRENT_USER is a link to the current user's entry in HKEY_USERS, and if you try regedit or RegAlyzer, you'll see that all HKEY_USERS entries can be accessed without any further trouble. Extra attention to the loading of hives needs to be paid only when dealing with offline installations (e.g. the registry of a separate Windows installation on another attached drive).
The one thing that is user-account-only though is Internet Explorer browser cache stuff, including the cookies you mentioned (as well as cache content and history).

md usa spybot fan
2007-09-25, 15:37
Hives not loaded? I doubt that ;)
Perhaps I should have been a little clearer. If you schedule Spybot to "Run as: NT AUTHORITY\SYSTEM", then start or restart the system and do not log on as a user before the scheduled Spybot runs, Spybot will run under System and not see any user account hives.

Proof:

I modified the system registry to pick up the following detection:



--- Report generated: 2007-09-25 08:53 ---

Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe


--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-09-03 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-09-19 Includes\Beta.sbi
2007-08-21 Includes\Beta.uti
2007-09-19 Includes\Cookies.sbi
2007-07-25 Includes\Dialer.sbi
2007-09-19 Includes\DialerC.sbi
2007-08-29 Includes\Hijackers.sbi
2007-09-19 Includes\HijackersC.sbi
2007-07-25 Includes\Keyloggers.sbi
2007-09-19 Includes\KeyloggersC.sbi
2007-09-12 Includes\Malware.sbi
2007-09-19 Includes\MalwareC.sbi
2007-09-05 Includes\PUPS.sbi
2007-09-19 Includes\PUPSC.sbi
2007-09-19 Includes\Revision.sbi
2007-05-30 Includes\Security.sbi (*)
2007-09-19 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi
2007-09-19 Includes\SpybotsC.sbi
2007-08-21 Includes\Tracks.uti
2007-09-12 Includes\Trojans.sbi
2007-09-19 Includes\TrojansC.sbi
2008-12-24 Plugins\TCPIPAddress.dll


I added the following scheduled task:
Run: "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autoclose /taskbarhide
Run as: NT AUTHORITY\SYSTEM
Scheduled Task: At System Startup
I then restarted the system and Spybot ran reporting the following:



--- Report generated: 2007-09-25 09:06 ---

Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---

2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-09-03 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-09-19 Includes\Beta.sbi
2007-08-21 Includes\Beta.uti
2007-09-19 Includes\Cookies.sbi
2007-07-25 Includes\Dialer.sbi
2007-09-19 Includes\DialerC.sbi
2007-08-29 Includes\Hijackers.sbi
2007-09-19 Includes\HijackersC.sbi
2007-07-25 Includes\Keyloggers.sbi
2007-09-19 Includes\KeyloggersC.sbi
2007-09-12 Includes\Malware.sbi
2007-09-19 Includes\MalwareC.sbi
2007-09-05 Includes\PUPS.sbi
2007-09-19 Includes\PUPSC.sbi
2007-09-19 Includes\Revision.sbi
2007-05-30 Includes\Security.sbi (*)
2007-09-19 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi
2007-09-19 Includes\SpybotsC.sbi
2007-08-21 Includes\Tracks.uti
2007-09-12 Includes\Trojans.sbi
2007-09-19 Includes\TrojansC.sbi
2008-12-24 Plugins\TCPIPAddress.dll
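The post above shows the effect of a scan running before any user has logged on: the user hives are simply not present under HKEY_USERS. The following PowerShell script is an added example (not from this thread and not part of Spybot) that makes that condition visible. It compares the user profiles registered in the ProfileList key with the hives actually loaded under HKEY_USERS at the moment it runs, and writes the result to a log, so it can be registered as the same kind of "At System Startup" task under NT AUTHORITY\SYSTEM and tell you which accounts a scan in that context could not have reached. The log path and the task name are assumptions chosen for the example.

```powershell
# Added example, not Spybot code: report which user profiles have their
# registry hive loaded right now. Run it in the same context as the
# scheduled scan (e.g. SYSTEM at startup) to see what that scan can reach.

function Get-UserHiveStatus {
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

    # Hives currently mounted under HKEY_USERS. The *_Classes entries are the
    # per-user class hives, not accounts, so they are skipped.
    $loaded = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -notlike '*_Classes' }

    # Only real account SIDs (S-1-5-21-...), not the built-in
    # SYSTEM/LOCAL SERVICE/NETWORK SERVICE profiles (S-1-5-18/19/20).
    Get-ChildItem -Path $profileList |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
            [pscustomobject]@{
                Sid         = $sid
                ProfilePath = $path
                HiveLoaded  = ($loaded -contains $sid)
            }
        }
}

# Assumed log location; a SYSTEM startup task has no console to read.
$logPath = 'C:\ProgramData\UserHiveCheck.log'

# Identity the script runs as; under the scheduled task this is NT AUTHORITY\SYSTEM.
$who    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$status = @(Get-UserHiveStatus)
$missing = @($status | Where-Object { -not $_.HiveLoaded })

$report = @(
    "--- $(Get-Date -Format 'yyyy-MM-dd HH:mm') running as $who ---"
    ($status | Format-Table -AutoSize | Out-String)
    "$($status.Count) user profile(s) registered, $($missing.Count) hive(s) NOT loaded at this moment."
    if ($missing.Count -gt 0) {
        "A scan in this context cannot see HKEY_USERS entries for: " +
        (($missing | ForEach-Object { $_.ProfilePath }) -join ', ')
    }
)
$report | Out-File -FilePath $logPath -Append -Encoding UTF8
$report

# To register it alongside the scan as a startup task under SYSTEM
# (task name and script path are assumptions for this example):
#   schtasks /create /tn "UserHiveCheck" /sc onstart /ru "NT AUTHORITY\SYSTEM" ^
#     /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Check-UserHives.ps1"
```

If the log written at boot lists every profile as not loaded, the scan scheduled next to it ran in exactly the state shown in the post above, and any per-user registry entries (the Internet Explorer FeatureControl key in the report, Run keys, and so on) were not examined for those accounts. Once a user has logged on, the same script shows that account's hive as loaded, which matches the later observation in this thread that a scan under SYSTEM can read the hives of users who are or have been logged on, but still not their IE cache and cookies.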

nelsonm
2007-09-25, 15:51
Well.... MD...ok....

However, I see no choice but to use "NT AUTHORITY\SYSTEM" when scheduling SB on a system with multiple user accounts that are not always logged on. I don't think it's practical to schedule SB for each account on the same computer, and using "NT AUTHORITY\SYSTEM" is how some vendors handle automatic updates of their products.

If the scheduled SB runs while any user is logged in, will the hives be checked?


Do you suppose scheduling SB under the admin account or an account with admin privileges would cover the bases? :blink:

Anyway what other options do I have?

regards,

md usa spybot fan
2007-09-25, 16:19
If a user is logged on or has been logged on sometime before Spybot is run under the SYSTEM account or an Administrator account, then Spybot should be able to see the registry hives for those users.

However, due to restrictions in the Microsoft APIs (Application Program Interfaces) used by Spybot, the scan from one account does not include the Internet Explorer cache, cookies and some other user specific entries of other accounts. So running Spybot under SYSTEM will not see those items for a user even when logged on.

nelsonm
2007-09-25, 16:33
ok...

So the SYSTEM account method covers all the bases except the Internet Explorer cache, cookies and some other user specific entries of other accounts whether they are logged in or not due to Microsoft's API.

So are you saying that on systems with multiple user accounts, you have no choice but to either create a SB schedule for each account and/or manually log into every account and run SB?

regards,

nelsonm
2007-09-25, 16:55
I went over my 15 minutes. Sorry.

So are you saying that SB only does a complete job, scheduled or not, on an account basis due to Microsoft's API? So on systems with multiple accounts, you either create a SB schedule for each account and/or manually log into every account and run SB to do a complete cleanup job.

Or use the SYSTEM account and live with an incomplete job.

So how critical is not having the Internet Explorer cache, cookies and some other user specific entries of other accounts removed compared to the other things that SB does remove under the SYSTEM account?

regards,

md usa spybot fan
2007-09-25, 17:06
So the SYSTEM account method covers all the bases except the Internet Explorer cache, cookies and some other user specific entries of other accounts whether they are logged in or not due to Microsoft's API.
No, it does not cover all bases except … If all the users are not or have not been logged on prior to running Spybot under the SYSTEM account, you run into the situation that I showed in post #4 (http://forums.spybot.info/showpost.php?p=122164&postcount=4) above, where Spybot did not pick up a problem in a user's registry hive.


So are you saying that on systems with multiple user accounts, you have no choice but to either create a SB schedule for each account and/or manually log into every account and run SB.
If you want to cover all bases, yes.