Runscanner history and changelog


Fixed bugs in 64 bit software scanning.


Fixed an important problem where some malware files prevented Runscanner from starting.
Fixed a problem where the scanning was locked during process scanning.


Fixed a bug where the scanning process freezes after loaded modules.

Added 4 command line parameters:

/beginner : start the program in beginner mode
/beginnerscan : start the program in beginner mode and start scanning
/expert : start the program in expert mode
/expertscan : start the program in expert mode and start scanning


64 bit windows support !
Enhanced whitelisting
Updated to virustotal 2.0 uploader
Minor bug fixes

Added Launch/hijack locations:
012 S-1-5-XX\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (+subkeys)
013 S-1-5-XX\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (+subkeys)
014 S-1-5-XX\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx (+subkeys)


Enhanced whitelisting
Windows 7 support (32 bit)
Run files now include the list of installed software on the computer.
Minor bug fixes


Enhanced whitelisting
Minor bug fixes


Switched to Delphi 2009 unicode
Run files have a new slightly smaller format
Added new certificates to the whitelist
Added filename lookup to
Removed search

Bugs fixed :

Fixed several unicode issues
Canvas does not allow drawing error
Online analysis sometimes not working
Fixed several access violation errors
AppInit_Dlls value now recognizes spaces and commas as delimiter. (used to hide malware)
Fixed bug where some startup items with parameters could not be restored
Fixed bug when some important registry settings could not be restored (LSA authentication packages)

Added Launch/hijack locations:

250 HKCU\Software\Classes\Directory\Shellex\DragDropHandlers
251 HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
252 HKCU\Software\Classes\Directory\Shellex\PropertySheetHandlers
253 HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers
254 HKCU\Software\Classes\Directory\Shellex\CopyHookHandlers
255 HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers


Full unicode support!
New layout to fit more items on the screen
Removed classic mode and merged it with the expert mode.
New and faster scan engine
Runscanner now scans all loaded modules by default
Runscanner text logfiles are redesigned to better fit in forums
Filepaths are no longer converted into lowercase
Run files now include all loaded modules
Old run files are no longer compatible with the new version.
Bug fixed: some incorrect "file not found" fixed for filenames
Bug fixed: no description shows for some items
Bug fixed: drwtsn32 -p %ld -e %ld -g could not be parsed
Fixed error with some unknown datatypes (systemcheck2 error)
Fixed error some items could not be deleted when a certain filter was set
Added new publishers to the whitelist.
Online whitelisting improved
History database no longer uses MSaccess (no more mdac errors)


MD5 calculation now uses the windows api for improved speed.
Added warning when access denied on reading/writing hosts file.
Fixed bug with copying MD5 hashes to clipboard.
Fixed bug with incorrect files not found.
Fixed bug when fixing some items, the items were fixed but not removed from the selection list
Fixed problem with invalid datatype for the internet explorer search page.
Added more safe publishers to the list.

Added Launch/hijack locations:

153 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\ Midi, Midi1 -> Midi9 (used by the silentbanker worm)
220 HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
221 HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
222 HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
223 HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
224 HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
225 HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
226 HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
227 HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
228 HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
229 HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
230 HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
231 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
240 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
241 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers


Bug fixed: Bitmap image is not valid. (corrupt embedded icon)
Bug fixed: malware analysis after import not working in expert mode
Bug fixed: Lookup at Runscanner when no MD5 available popupmenu
Sub run folders are now only scanned on windows 2000

New launch/hijack items in version 1.6:

Restrictions for internet explorer:
080 HKLM\Software\Policies\Microsoft\Internet Explorer (+subfolders)
081 HKCU\Software\Policies\Microsoft\Internet Explorer (+subfolders)

Startup/Shutdown/logon/logoff scripts
090 HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
091 HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
092 HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
093 HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown
094 HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff


110 HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
174 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
200 HKLM\System\CurrentControlSet\Control\Session Manager\Execute
201 HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute

Shell hijacking (moved from general policies)
162 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
163 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell

Terminal server related

190 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
191 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
192 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
193 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
194 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogoffApp

Debugger hijacking (thanks to Tony Klein)
176 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger

Denying access to websites/IP addresses by setting a wrong static route
(thanks to Bruce Harrison - nosirrah)

177 HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes

Hijacking of standard windows tools
210 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath
211 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\Cleanuppath
212 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath
213 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Magnifier
214 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Narrator
215 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\On-Screen Keyboard


Bug fixes:

Whitelist added:

Changelog 1.0.3
Added trusted zones HKLM
Added HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
Added HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
Added HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Added HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Added 105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
Fixed minor bug with incorrect filter
Fixed minor sorting bug in text log file
Changed behaviour with 068 -> download lsp-fix
Changed ctrl+c (copy) formatting
Google lookup now also searches for GUID, registry entry if no exename available.

Changelog 1.0.2
Fixed bug with "problem with shortcut , searching for file gui"
Fixed false positive warning with AVG antivirus -> this was caused by pecompact packer, now the executable doubled in size without it.
(Thanks to Lusher for reporting the bug)

Changelog 1.0.1 (Bugfix)
Fixed bug with AppInit_DLLs (Thanks to Lusher for reporting the bug)

Changelog 1.0 (final release)
Rewrite of the "beginner - wizard" screen
Added version check in beginner mode
Added list of specialist helper forums
Removed "no zone defined" entries from trusted zones
Whitelisted microsoft trusted zones in textlog:
Whitelisted 063 default items
Whitelisted 036 default items
Whitelisted "::1 localhost" in vista hosts file
Whitelisted default 180 entries in log file
Whitelisted default 106 entries in log file
Fixed bug with incorrect "file not found"
Several other small bug fixes

Changelog (minor release)
Changed : restricted sites/zones are now ignored
Redesigned the beginner screen
Fixed performance issues with uploading


Fixed bug with links to folders in global startup.
Fixed description bug with internet explorer buttons (added buttontext)
Fixed bug with incorrect host file path
Fixed bug with importing of existing .run file (history)
Fixed bug 063 fix not working
Fixed bug difference string / expandstring in registry
Signed executable with authenticode certificate
Changed icons for signatures (green, blue)
Changed textlog for tasks items (added description)

Added : Beginner, expert mode (wizard)
Added : Backup & restore function
Added : Scheduled jobs now show the application started by the job
Added : free filter/search (you can now search on part of words ex: "f-secure" show all items with the phrase "f-secure")
You can search in path,executable,company,md5
Added : filesize to .run file
Added : extra info window (easy for debugging and to copy/paste)
Added : basic tutorial to the site
Added : extra backup info window in the history tab
Added extra vista UAC support
Added vista support : now program asks to run as administrator by default

Added item : 001 : hosts file location
Added item : 001 : hosts file entries <> (count)
Added item : 047 IE trusted zones
Added item : 048 IE ESC trusted zones
Added item : 008 Autorun registry entries .default user
Added item : 009 Autorun registry entries System user

-New layout
-Added 000 : User rights (administrator or limited)
-Fixed bug : first process could not be killed
-Fixed bug in contentmenuhandlers
-Fixed bug with incorrect Imagepath in registry
-Fixed bug with incorrect InprocServer32 value in registry
-Added CLSID/GUID's (ex BHO's) which could nog be found in the correct registry location
-Added : reboot computer (after killing everything)
-Added history database support (restore not yet complete in this beta)


- Online analysis (with file ratings)
- bugfixes with marking of items.
- several other bugfixes


- Check to see if user has administrator rights
- Fixed bug with corrupt drivers and services
- Added : lookup at to maingrid
- Added icons to the popup menu
- Added "first run privacy blablabla " form
- Layout changes to show more entries on the screen.
- Process killer : Start explorer (if all your explorers are killed)
- Kill process popup menu added
- - Kill and rename of process
- - Kill and delete of process
- - Delete at next reboot of process file
- - Copy to clipboard
- - Open location
- - Show file properties
- - Lookup at Google
- Marking of items (space, doubleclick, popupmenu)
(a user can save the .run file, an expert can mark the items that need fixing and send the .run file back to the user)New items:
000 General info:
Runscanner Version
Time of scan
Type of scan (full, quick)
Service Pack
Version Build
Internet explorer version

- Fixed process kill bug
- Added "non whitelist" to the filter box (same result as .log file)Added new items:
+043) HKCU\Software\Microsoft\Internet Explorer\Extensions
+171) HKCU\Control Panel\Desktop : SCRNSAVE.EXE
+172) HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
+173) HKCR\*\shellex\ContextMenuHandlers

- Added filter : "Non signed Microsoft" (equal to short log)
- New icons for service/driver status
- Fixed bug when no host file available
- Fixed bug when fixing multiple items
- Whitelisted some items in log fileAdded new items:

044) HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
045) HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
068) HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
106) HKLM\Software\Microsoft\Windows\CurrentVersion\URL
145) HKLM\System\CurrentControlSet\Control\Class\
146) HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell
147) HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders
148) HKLM\System\CurrentControlSet\Control\WOW\cmdline
149) HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
150) HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
151) HKLM\Software\Microsoft\Command Processor\Autorun
152) HKCU\Software\Microsoft\Command Processor\Autorun
160) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System (enumerate policies)
161) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System (enumerate policies)
166) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+all subkeys)
167) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+all subkeys)
120) HKLM\System\CCS\Services\VxD\MSTCP: Domain
120) HKLM\System\CCS\Services\VxD\MSTCP: NameServer
120) HKLM\System\CCS\Services\Tcpip\Parameters: Domain
120) HKLM\System\CCS\Services\Tcpip\Parameters: Nameserver
120) HKLM\System\CSS\Services\Tcpip\Parameters: SearchList
120) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony: DomainName
120) HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (all interfaces) : Domain
120) HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (all interfaces) : NameServer
170) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
180) FileType Hijacking


- Warningscreen when fixing items now shows "real" warning
- Logfiles are saved to desktop (default value)
- Added new logo
- Changed logfile (only short logfile is used)Updated and new items:002) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (now includes all subkeys)
003) HKCU\Software\Microsoft\Windows\CurrentVersion\Run (now includes all subkeys)
135) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ (+ subkeys)
136) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ (+ subkeys)
137) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\ (+ subkeys)
138) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\ (+ subkeys)
065) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (debugger)
121) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
122) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
104) HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units (activex controls)
139) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
140) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
107) HKLM\System\CurrentControlSet\Services\Winsock2\Parameters \NameSpace_Catalog5\Catalog_Entries\

- Importing of .run files directly from internet links now works.
- Possibility to save text .log file.
- Saving and uploading doesn't disable the grid.
- Fixed bug when no "start" value for drivers and services.

- Added buildinfo to the statusbar.
- Added service information (enabled, disabled, automatic)
- Added driver infromation (kernel, IO, enabled, disabled, automatic)
- Added username/domain to the process killer list
- Added possibility to verify signature to the process killer list
- Right click "show file properties"
- Fixing of all implemented items is now possible.
- CTRL+C copy formatting extended
- Fixed bug with "," in winlogon entries.New items:
006) %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup (vista)
007) %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (vista)
037) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
038) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
041) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
073) %WINDIR%\Tasks
074) %WINDIR%\System32\Tasks (vista)
102) HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
102) HKLM\Software\Microsoft\Internet Explorer\Explorer Bars

- Layout
- Progress bar now shows "real progress"
- Difference between full scan and quick scan
- Regedit jump now jumps to values
- Import/export of .run files bugs fixed
- Process killer can now kill processes runing under the system account
- Link to online help for each item (help pages are still work in progress)
- Fixed bug with "rundll.exe"
- Added confirmation checkbox to "fix" items
- Various bug fixes

- First upload