
Runscanner download
Always consult an expert before fixing items on your system!
Latest version : 1.6.3.0
This version works only on Windows 2000 and newer.
Check out why Runscanner for a feature overview.
Use Runscanner to detect autostart, spyware, virus, drivers and registry problems.
Changelog 1.6.3.0
MD5 calculation now uses the Windows API for improved speed.
Added warning when access denied on reading/writing hosts file.
Fixed bug with copying MD5 hashes to clipboard.
Fixed bug with incorrect files not found.
Fixed bug where some items were fixed but not removed from the selection list.
Fixed problem with invalid datatype for the Internet Explorer search page.
Added more safe publishers to the list.
Added Launch/hijack locations:
153 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\ Midi, Midi1 -> Midi9 (used by the silentbanker worm)
220 HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
221 HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
222 HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
223 HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
224 HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
225 HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
226 HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
227 HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
228 HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
229 HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
230 HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
231 HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
240 HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
241 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
Changelog 1.6.1.0
Bug fixed: Bitmap image is not valid. (corrupt embedded icon)
Bug fixed: malware analysis after import not working in expert mode
Bug fixed: Lookup at Runscanner when no MD5 available popupmenu
Sub run folders are now only scanned on windows 2000
New launch/hijack items in version 1.6:
Restrictions for internet explorer:
080 HKLM\Software\Policies\Microsoft\Internet Explorer (+subfolders)
081 HKCU\Software\Policies\Microsoft\Internet Explorer (+subfolders)
Startup/Shutdown/logon/logoff scripts
090 HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
091 HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
092 HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
093 HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown
094 HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff
Various
110 HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
174 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
200 HKLM\System\CurrentControlSet\Control\Session Manager\Execute
201 HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
Shell hijacking (moved from general policies)
162 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
163 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
Terminal server related
190 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
191 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
192 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
193 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
194 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogoffApp
Debugger hijacking (thanks to Tony Klein)
176 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
Denying access to websites/IP addresses by setting a wrong static route
(thanks to Bruce Harrison - nosirrah)
177 HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
Hijacking of standard windows tools
210 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath
211 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\Cleanuppath
212 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath
213 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Magnifier
214 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Narrator
215 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\On-Screen Keyboard
Changelog 1.5.0.39
- New design in all modes
- Layout is now shown correctly for people with "large fonts" enabled
- Certificates of files are now analysed in all modes for signer/issuer
- Certificates are now shown as a certificate image in the grid instead of the green/red icons
- Virusscanner integration with Virustotal (upload file for scanning)
- Integration with Bit9 FileAdvisor (lookup MD5 hash)
- Integration with CastleCops (lookup MD5 hash)
- New Classic mode: this mode is targeted at removing hijacks. It shows only non-whitelisted items and has an easy "Fix selected items" button; all other "safe" startup items can still be found in expert mode.
- Added "Item fixer" tab in expert mode.
- Added "classic mode / hijack" tab in expert mode.
- Quick scan is removed in expert mode.
- New in expert mode : loaded modules analyzer.
- Warning if windows version is not supported. (Only win2000 or higher is supported)
- Added drivers with type = 2
- Disabled drivers and services are now automatically whitelisted in classic mode.
- Runscanner now finds drivers with undefined imagepath.
- Scanning is done a bit faster, the most processor intense part of the scan is still calculating the MD5 hashes
- No internet connection is needed anymore during the scan.
- Vista : Process killer now shows also protected processes
Bug fixes:
- Fixed bug with corrupt MDAC installation in windows XP (used by history database)
- Fixed visual bug with screen flash after quit.
- Fixed bug with EOleSysError on incorrect/corrupt startup shortcuts.
- Fixed bug with corrupt taskscheduler service.
- Fixed bug with corrupt .run files.
Whitelist added:
- A list of safe certificate publishers (56)
- Standard search pages
- Standard start pages
- Standard safe zones (microsoft,...)
- Blacklisted dangerous policies (DisableTaskMgr,DisableRegistryTools,DisableCMD,...)
Changelog 1.0.3
Added trusted zones HKLM
Added HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
Added HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
Added HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Added HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Added 105 HKCU\Software\Microsoft\Internet Explorer\MenuExt
Fixed minor bug with incorrect filter
Fixed minor sorting bug in text log file
Changed behaviour with 068 -> download lsp-fix
Changed ctrl+c (copy) formatting
Google lookup now also searches for GUID, registry entry if no exename available.
Changelog 1.0.2
Fixed bug with "problem with shortcut , searching for file gui"
Fixed false positive warning with AVG antivirus -> this was caused by the PECompact packer; without it the executable has now doubled in size.
(Thanks to Lusher for reporting the bug)
Changelog 1.0.1 (Bugfix)
Fixed bug with AppInit_DLLs (Thanks to Lusher for reporting the bug)
Changelog 1.0 (final release)
Rewrite of the "beginner - wizard" screen
Added version check in beginner mode
Added list of specialist helper forums
Removed "no zone defined" entries from trusted zones
Whitelisted microsoft trusted zones in textlog:
Whitelisted 063 default items
Whitelisted 036 default items
Whitelisted "::1 localhost" in vista hosts file
Whitelisted default 180 entries in log file
Whitelisted default 106 entries in log file
Fixed bug with incorrect "file not found"
Several other small bug fixes
Changelog 0.9.6.1 (minor release)
Changed : restricted sites/zones are now ignored
Redesigned the beginner screen
Fixed performance issues with uploading
Changelog 0.9.6.0
Fixed bug with links to folders in global startup.
Fixed description bug with internet explorer buttons (added buttontext)
Fixed bug with incorrect host file path
Fixed bug with importing of existing .run file (history)
Fixed bug 063 fix not working
Fixed bug difference string / expandstring in registry
Signed executable with authenticode certificate
Changed icons for signatures (green, blue)
Changed textlog for tasks items (added description)
Added : Beginner, expert mode (wizard)
Added : Backup & restore function
Added : Scheduled jobs now show the application started by the job
Added : free filter/search (you can now search on part of a word, e.g. "f-secure" shows all items containing the phrase "f-secure")
You can search in path, executable, company, MD5
Added : filesize to .run file
Added : extra info window (easy for debugging and to copy/paste)
Added : basic tutorial to the site
Added : extra backup info window in the history tab
Added extra vista UAC support
Added vista support : now program asks to run as administrator by default
Added item : 001 : hosts file location
Added item : 001 : hosts file entries <> 127.0.0.1 (count)
Added item : 047 IE trusted zones
Added item : 048 IE ESC trusted zones
Added item : 008 Autorun registry entries .default user
Added item : 009 Autorun registry entries System user
Changelog 0.9.5.0
-New layout
-Added 000 : User rights (administrator or limited)
-Fixed bug : first process could not be killed
-Fixed bug in ContextMenuHandlers
-Fixed bug with incorrect Imagepath in registry
-Fixed bug with incorrect InprocServer32 value in registry
-Added CLSID/GUID's (ex BHO's) which could not be found in the correct registry location
-Added : reboot computer (after killing everything)
-Added history database support (restore not yet complete in this beta)
Changelog 0.9.0.0
- Online analysis (with file ratings)
- bugfixes with marking of items.
- several other bugfixes
Changelog 0.8.0.0
- Check to see if user has administrator rights
- Fixed bug with corrupt drivers and services
- Added : lookup at google.com to maingrid
- Added icons to the popup menu
- Added "first run privacy blablabla " form
- Layout changes to show more entries on the screen.
- Process killer : Start explorer (if all your explorers are killed)
- Kill process popup menu added
- - Kill and rename of process
- - Kill and delete of process
- - Delete at next reboot of process file
- - Copy to clipboard
- - Open location
- - Show file properties
- - Lookup at Google
- Marking of items (space, doubleclick, popupmenu)
(a user can save the .run file, an expert can mark the items that need fixing and send the .run file back to the user)
New items:
000 General info:
Runscanner Version
Time of scan
Type of scan (full, quick)
Productname
Service Pack
Version Build
Language
Internet explorer version
Windir
Changelog 0.7.0.1
- Fixed process kill bug
- Added "non whitelist" to the filter box (same result as .log file)
Added new items:
+043) HKCU\Software\Microsoft\Internet Explorer\Extensions
+171) HKCU\Control Panel\Desktop : SCRNSAVE.EXE
+172) HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
+173) HKCR\*\shellex\ContextMenuHandlers
Changelog 0.7.0.0
- Added filter : "Non signed Microsoft" (equal to short log)
- New icons for service/driver status
- Fixed bug when no host file available
- Fixed bug when fixing multiple items
- Whitelisted some items in log file
Added new items:
044) HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
045) HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
068) HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
106) HKLM\Software\Microsoft\Windows\CurrentVersion\URL
145) HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
146) HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell
147) HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders
148) HKLM\System\CurrentControlSet\Control\WOW\cmdline
149) HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
150) HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
151) HKLM\Software\Microsoft\Command Processor\Autorun
152) HKCU\Software\Microsoft\Command Processor\Autorun
160) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System (enumerate policies)
161) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System (enumerate policies)
166) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+all subkeys)
167) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (+all subkeys)
120) HKLM\System\CCS\Services\VxD\MSTCP: Domain
120) HKLM\System\CCS\Services\VxD\MSTCP: NameServer
120) HKLM\System\CCS\Services\Tcpip\Parameters: Domain
120) HKLM\System\CCS\Services\Tcpip\Parameters: Nameserver
120) HKLM\System\CCS\Services\Tcpip\Parameters: SearchList
120) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony: DomainName
120) HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (all interfaces) : Domain
120) HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces (all interfaces) : NameServer
170) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
180) FileType Hijacking
Changelog 0.6.4.0
- Warningscreen when fixing items now shows "real" warning
- Logfiles are saved to desktop (default value)
- Added new logo
- Changed logfile (only short logfile is used)
Updated and new items:
002) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (now includes all subkeys)
003) HKCU\Software\Microsoft\Windows\CurrentVersion\Run (now includes all subkeys)
135) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ (+ subkeys)
136) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ (+ subkeys)
137) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\ (+ subkeys)
138) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\ (+ subkeys)
065) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (debugger)
121) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
122) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
104) HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units (activex controls)
139) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
140) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
107) HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\
Changelog 0.6.2.0
- Importing of .run files directly from internet links now works.
- Possibility to save text .log file.
- Saving and uploading doesn't disable the grid.
- Fixed bug when no "start" value for drivers and services.
Changelog 0.6.0.0
- Added buildinfo to the statusbar.
- Added service information (enabled, disabled, automatic)
- Added driver information (kernel, IO, enabled, disabled, automatic)
- Added username/domain to the process killer list
- Added possibility to verify signature to the process killer list
- Right click "show file properties"
- Fixing of all implemented items is now possible.
- CTRL+C copy formatting extended
- Fixed bug with "," in winlogon entries.
New items:
006) %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup (vista)
007) %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (vista)
037) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
038) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
041) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
073) %WINDIR%\Tasks
074) %WINDIR%\System32\Tasks (vista)
102) HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
102) HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
Changelog 0.5.0.8
- Layout
- Progress bar now shows "real progress"
- Difference between full scan and quick scan
- Regedit jump now jumps to values
- Import/export of .run files bugs fixed
- Process killer can now kill processes running under the system account
- Link to online help for each item (help pages are still work in progress)
- Fixed bug with "rundll.exe"
- Added confirmation checkbox to "fix" items
- Various bug fixes
Changelog 0.5.0.0
- First upload