Jump to content

Run external application

SNVC

By SNVC
in ESET NOD32 Antivirus

 Share

Recommended Posts

SNVC

SNVC 0

Posted
Posted

I created a little bat file.

Then converted it to an exe.

I scheduled eset to run the exe and I get nothing.  It gives me a last run date and time but nothing happens.

 

I double click the exe and it runs fine. 

 

Any ideas

Link to comment
Share on other sites
Arakasi

Arakasi 549

Posted
Posted

This may answer the question to why sometimes a scheduled scan does not run.

I have seen multiple inquires regarding why the scheduled on-demand scan didn't run.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,935

Posted
  • Administrators
Posted

Scheduled tasks run applications in the system account, couldn't this be what causes the issue? If you schedule a task to run the calculator (calc.exe) for instance, does that work?

Link to comment
Share on other sites
rugk

rugk 397

Posted
Posted

It would also good if you could upload the bat and/or exe-file, so we can test it.

If it contains sensitive data then delete it before or make a test-batch file without this data.

Link to comment
Share on other sites
Arakasi

Arakasi 549

Posted
Posted

It would also good if you could upload the bat and/or exe-file, so we can test it.

If it contains sensitive data then delete it before or make a test-batch file without this data.

 

Well we could make our own batch file to test this theory, wouldn't need his.

Link to comment
Share on other sites
rugk

rugk 397

Posted
Posted

 

It would also good if you could upload the bat and/or exe-file, so we can test it.

If it contains sensitive data then delete it before or make a test-batch file without this data.

 

Well we could make our own batch file to test this theory, wouldn't need his.

 

 

Yes, I'm currently testing it. :)

Link to comment
Share on other sites
rugk

rugk 397

Posted
Posted (edited)

So this are my test results:

 

1. Calc.exe started by the schedule

Screenshot(s):

post-3952-0-66766400-1405082866_thumb.pngpost-3952-0-79023900-1405083261_thumb.png

If I click on "View the message" then it shows the real calculator:

post-3952-0-92456700-1405083521_thumb.png

 

Processes:

post-3952-0-66596300-1405083264_thumb.png

Here you can see that the real calc.exe runs with system privileges.

 

If I click on "Ask me later" then the process which was showing the "error message" exits:

post-3952-0-01363100-1405083603_thumb.png

So I have to terminate the calc.exe and the UI0Detect.exe to exit all processes, but that's natural, because I don't close calc.exe.

 

If I close calc.exe then it shows:

post-3952-0-17870300-1405083848_thumb.png

and it closes calc.exe. Only the UI0Detect.exe (under user "system") is still running.

 

2. Calc.exe started by the schedule manually

 

Screenshot:

post-3952-0-03949000-1405084043_thumb.png

 

Processes:

Then it is simply running under the current user (but it's elevated):

post-3952-0-05470900-1405084138_thumb.png

 

3. Batch file started by the schedule

 

Screenshot(s):

post-3952-0-48750400-1405108001_thumb.pngpost-3952-0-50494000-1405108002_thumb.png

 

Processes:

post-3952-0-49132800-1405108009_thumb.png

 

This was quite the same like with the calc.exe. Exept of the fact that conhost.exe starts every time with the batch but this is normal.

A stranger fact is that there is displayed a wrong username (%username% in batch file). More at 4.

 

3. Batch file started by the schedule manually

 

Screenshot(s):

post-3952-0-67943600-1405108013_thumb.png

 

This was also quite similar. And although the "real" username (in it was executed) was the local user (elevated) %username% expands to Win7$. I have to say that the real username would be "Admin" and the computer name was "Win7".

 

I also test it with a batch file putted into an exe, but this changes nothing.

Now I only uploaded pictures of the following test, because in all other test are similar to the test before.

 

4. Batch file that wasn't waiting by the schedule

 

No I tried to run a batch file that did not wait for the user - it only wait a few seconds.

And the result was quite the same.

 

I only have to say that every time I saw the "error message" it was minimized and it blinks.

post-3952-0-11755200-1405111414.png

 

 

Summary

 

No error occurred during my tests, all files started properly. There is one strange fact: The username that is every time wrong.

And there are differences between manually and automatic starting with the scheduler.

 

So for you @: Maybe your script runs very quick and so you can't see the normal windows message. I also only tested in with Windows 7. Maybe on other Windows versions there are differences.

 

And again to @all: I uploaded the batch script* which I used and here you can download a Batch To Exe Converter. (there is also an online version available)

 

* virustotal analyse here

Edited by rugk
Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 4,935

Posted
  • Administrators
Posted

No error occurred during my tests, all files started properly. There is one strange fact: The username that is every time wrong.

 

This is how Windows expands the %username% variable in the local system account. Instead of %username%, run "whoami" and the result will be "nt authority/system".

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...