Directives/Commands
All the commands/directives in FRST should be on one line as FRST processes the script line by line.
Quick reference of Directives/Commands
Note: Directives/Commands are not case sensitive.
For use only in Normal Mode
CreateRestorePoint:
SystemRestore:
TasksDetails:
For use only in Normal Mode, Safe Mode
CloseProcesses:
EmptyEventLogs:
EmptyTemp:
Powershell:
Reboot:
RemoveProxy:
StartPowershell: — EndPowershell:
Zip:
For use in Normal Mode, Safe Mode and in the Recovery Environment (RE)
cmd:
Comment:
Copy:
CreateDummy:
DeleteJunctionsInDirectory:
DeleteKey: and DeleteValue:
DeleteQuarantine:
DisableService:
ExportKey: and ExportValue:
File:
FilesInDirectory: and Folder:
FindFolder:
Hosts:
ListPermissions:
Move:
Reg:
RemoveDirectory:
Replace:
RestoreQuarantine:
SaveMbr:
SetDefaultFilePermissions:
StartBatch: — EndBatch:
StartRegedit: — EndRegedit:
Symlink:
testsigning on:
Unlock:
For use only in the Recovery Environment (RE)
LastRegBack:
RestoreFromBackup:
RestoreMbr:
Examples of use
CloseProcesses:
Closes all the non-essential processes. Helps to make fixing more effective and faster.
When this directive is included in a fix it will automatically apply a reboot. There is no need to use the Reboot: directive. The CloseProcesses: directive is not needed and not available in the Recovery Environment.
CMD:
Occasionally you need to run CMD command. In that case you must use "CMD:" directive.
The script will be:
CMD: command
If there is more than one command, start each line with CMD: to get an output log for each command.
Example:
CMD: copy /y c:\windows\minidump\*.dmp e:\
CMD: bootrec /FixMbr
The first command will copy the minidump files to flash drive ( if the drive letter for flash drive is E).
The second command is used to fix the MBR in Windows Vista and higher.
Alternatively, the StartBatch: — EndBatch: directives could be used (see below).
Note: Unlike the native or other FRST directives the cmd commands should have the proper cmd.exe syntax, like use of " quotes in case of a space in the file/directory path.
Comment:
Adds a note to provide feedback on the Fixlist content.
Example:
Comment: The following command will remove all network proxies from the system
RemoveProxy:
Copy:
To copy files or folders in a style similar to xcopy.
The syntax is:
Copy: source file/folder destination folder
The destination folder will be automatically created (if not present).
Example:
Copy: C:\Users\User\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb C:\Users\User\Desktop\Edge Backup
Copy: C:\Windows\Minidump F:\
Note: For replacing single files, it is recommended to use the Replace: directive. In case of an existing target file Copy: only tries to overwrite the file, while Replace: additionally tries to unlock and move the file to Quarantine.
CreateDummy:
Creates a locked dummy folder to prevent a restoration of a bad file/folder. The dummy folder should be removed after neutralizing the malware.
The syntax is:
CreateDummy: path
Example:
CreateDummy: C:\Windows\System32\bad.exe
CreateDummy: C:\ProgramData\Bad
CreateRestorePoint:
To create a restore point.
Note: This directive works only in normal mode. It also fails when System Restore has been disabled.
DeleteJunctionsInDirectory:
To remove junctions use the following Syntax:
DeleteJunctionsInDirectory: path
Example:
DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
DeleteKey: and DeleteValue:
The most efficient way to delete keys/values, bypassing limitations of the standard deletion algorithms present in Reg: and StartRegedit: — EndRegedit:.
The syntax is:
1. For keys:
DeleteKey: key
Alternatively, a regedit format could be used:
[-key]
2. For values:
DeleteValue: key|value
If the value is a default value, leave the value name empty:
DeleteValue: key|
Example:
DeleteKey: HKLM\SOFTWARE\Microleaves
DeleteValue: HKEY_CURRENT_USER\Environment|SNF
DeleteValue: HKU\S-1-5-21-3145329596-257967906-3285628945-1000\Software\Clients\StartMenuInternet|
[-HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup]
The directives have the ability to delete keys/values that are locked due to insufficient permissions, keys/values that contain embedded-null characters, and registry symbolic links. No need to use the Unlock: directive.
For keys/values that are protected by a running software ("Access denied" response) you need to use Safe Mode (to circumvent the running software) or delete the main components before using the commands.
Note: If the listed key for deletion is a registry link to another key, the (source) key which is the registry symbolic link, will be deleted. The target key will not be deleted. This is done to avoid removing both a bad registry symbolic link that might point at a legitimate key and the legitimate key itself. In a situation where both the source key and the target key are bad, then they both should be listed for deletion.
DeleteQuarantine:
After finishing with cleaning, the %SystemDrive%\FRST (usually C:\FRST) folder made by FRST tool should be removed from the computer. In some cases the folder can't be removed manually because the %SystemDrive%\FRST\Quarantine folder contains locked or unusual malware files or directories. The DeleteQuarantine: command will remove the Quarantine folder.
Tools that move files as opposed to deleting files should not be used to delete C:\FRST as those tools just move the files to their own directory and it remains on the system anyway.
Note: The automatic FRST uninstallation (see the description under Introduction) includes the same ability to delete a locked Quarantine.
DisableService:
To disable a service or driver service you can use the following script:
DisableService: ServiceName
Example:
DisableService: sptd
DisableService: Wmware Nat Service
FRST will set the service to Disabled and the service will not run at the next boot.
Note: The service name should be listed as it appears in the registry or FRST log, without adding anything. For example quotation marks are not required.
EmptyEventLogs:
Clears Windows Event Logs. The total amount of logs cleared and any eventual errors will be listed.
EmptyTemp:
The following directories are emptied:
- Windows Temp
- Users Temp folders
- Caches, HTML5 storages, Cookies and History for browsers scanned by FRST except Firefox clones
- Recently opened files cache
- Discord cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr.db and qmgr*.dat files)
- WinHTTP AutoProxy cache
- DNS cache
- Recycle Bin
When EmptyTemp: directive is used the system will be rebooted after the fix. No need to use Reboot: directive.
Also no matter if EmptyTemp: is added at the start, middle, or end of the fixlist it will be executed after all other fixlist lines are processed.
Important: When the EmptyTemp: directive is used items are permanently deleted. They are not moved to quarantine.
Note: The directive is turned off in the Recovery Environment to prevent harm.
ExportKey: and ExportValue:
More reliable way to inspect a key content. The directives overcome some regedit.exe and reg.exe limitations. The difference between the directives is a scope of the export. ExportKey: lists all values and subkeys recursively, while ExportValue: shows only values in the key.
The syntax is:
ExportKey: key
ExportValue: key
Example:
ExportKey: HKEY_LOCAL_MACHINE\SOFTWARE\Suspicious Key
================== ExportKey: ===================
[HKEY_LOCAL_MACHINE\SOFTWARE\Suspicious Key]
[HKEY_LOCAL_MACHINE\SOFTWARE\Suspicious Key\InvalidKey ]
"Hidden Value"="Hidden Data"
[HKEY_LOCAL_MACHINE\SOFTWARE\Suspicious Key\LockedKey]
HKEY_LOCAL_MACHINE\SOFTWARE\Suspicious Key\LockedKey => Access Denied.
=== End of ExportKey ===
Note: The export is meant for research purposes only and can't be used for backup and import operations.
File:
To check file properties. Multiple files can be included, separated by semicolons.
File: path;path
Example:
File: C:\Users\User\AppData\Roaming\Pcregfixer\PCREGFIXER\background\wmplayer.exe
========================= File: C:\Users\User\AppData\Roaming\Pcregfixer\PCREGFIXER\background\wmplayer.exe ========================
File not signed
MD5: 4793A9663376EF3A9044E07A9A45D966
Creation and modification date: 2017-07-30 12:04 - 2017-07-30 12:04
Size: 000242688
Attributes: ----A
Company Name:
Internal Name: wmplayer.exe
Original Name: wmplayer.exe
Product: Windows Media Player
Description: Windows Media Player
File Version: 1.0.0.0
Product Version: 1.0.0.0
Copyright: Copyright © 2017
====== End of File: ======
Note: The digital signatures check is not available in the Recovery Environment.
FilesInDirectory: and Folder:
To check a folder content. FilesInDirectory: is meant to list specific files matching one or more wildcard * patterns, while Folder: is designed to get the full content of a folder. Output from both the directives includes MD5 checksums (for all files) and digital signatures (for .exe, .dll, .sys and .mui files).
The syntax is:
FilesInDirectory: path\pattern;pattern
Folder: path
Example:
FilesInDirectory: C:\Windows\desktop-7ec3qg0\*.exe;*.dll
Folder: C:\Windows\desktop-7ec3qg0
Note: The Folder: directive works recursively and lists the content of all subfolders. Therefore, it might produce gigantic logs.
FindFolder:
See Search features in the Other optional scans section. The directive works in the same way as FindFolder: in the Search box, but results are recorded in the Fixlog.txt.
Hosts:
To reset the hosts. Also, see hosts in the Main scan (FRST.txt) section.
ListPermissions:
Used to list permissions on the files/directories/keys included in the script.
ListPermissions: path/key
Example:
ListPermissions: C:\Windows\Explorer.exe
ListPermissions: C:\Users\User\appdata
ListPermissions: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip
ListPermissions: HKLM\SYSTEM\CurrentControlSet\services\afd
Move:
At times renaming or moving a file, specially when it is done across the drives, is troublesome and MS Rename command might fail. To move or rename a file use the following script:
Move: source destination
Example:
Move: c:\WINDOWS\system32\drivers\afd.sys c:\WINDOWS\system32\drivers\afd.sys.old
Move: c:\WINDOWS\system32\drivers\atapi.bak c:\WINDOWS\system32\drivers\atapi.sys
The tool moves the destination file to the Quarantine (if present) then moves the source file to destination location.
Note: Renaming can be carried out when using the Move: directive.
Note: The destination path should contain the file name even if the file is currently missing in destination directory.
Powershell:
To run PowerShell commands or script files.
1. To run a single independent PowerShell command and get the output in the Fixlog.txt the syntax is:
Powershell: command
Example:
Powershell: Get-Service
.
2. To run an independent PowerShell command and get the output in a text file (not in the Fixlog.txt) use redirection operators or Out-File cmdlet:
Powershell: command > "Path to a text file"
Powershell: command | Out-File "Path to a text file"
Example:
Powershell: Get-Service > C:\log.txt
Powershell: Get-Process >> C:\log.txt
3. To run a ready script file (.ps1) containing one or more PowerShell commands/lines the syntax is:
Powershell: "Path to a script file"
Examples:
Powershell: C:\Users\UserName\Desktop\script.ps1
Powershell: "C:\Users\User Name\Desktop\script.ps1"
4. To run more PowerShell commands/lines of a script as they were in a script file (.ps1), but without creating the .ps1 file, use a semicolon ; instead of line breaks to separate them:
Powershell: line 1; line 2; (and so on)
Example:
Powershell: $WebClient = New-Object System.Net.WebClient; $WebClient.DownloadFile("http://server/file.exe", "C:\Users\User\Desktop\file.exe")
Alternatively, the StartPowershell: — EndPowershell: directives could be used (see below).
Reboot:
To force a restart.
It doesn't matter where in the fixlist you put it. Even if you put it at the start, the reboot will be carried out after all the other fixes are completed.
Note: This command will not work and is not needed in the Recovery Environment.
Reg:
To manipulate Windows Registry using Reg command line tool.
The syntax is:
Reg: reg command
Example:
Reg: reg add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x2 /f
Reg: reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" C:\Users\User\Desktop\backup.reg
Note: Unlike the native FRST directives, the Reg command should have the proper reg.exe syntax, like use of " quotes in case of space in key/value name.
Note: The directive won't handle locked or invalid keys/values. See the DeleteKey: and DeleteValue: description earlier in the tutorial.
RemoveDirectory:
To remove (not move to Quarantine) directories with limited permissions and invalid paths or names. No need to use the Unlock: directive. RemoveDirectory: should be used for directories that resist the usual move operation. If it is used in Safe Mode it should be very powerful and in RE it should be most powerful.
The script will be:
RemoveDirectory: path
RemoveProxy:
Removes some Internet Explorer policy restriction settings like "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" or ProxySettingsPerUser in HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings. It removes "ProxyEnable" (if it is set to 1), "ProxyServer", "AutoConfigURL", "DefaultConnectionSettings" and "SavedLegacySettings" values from the machine and users keys. It also applies the BITSAdmin command with NO_PROXY.
In addition, it removes the default value of the "HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies" key if it is altered.
Note: Where there is a running software or a service, that restores those settings, the software should be uninstalled and the service should be removed before using the directive. This to ensure the proxy settings don't return.
Replace:
To replace a file use the following script:
Replace: source destination
Example:
Replace: C:\WINDOWS\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.14393.206_none_cf8ff0d2c0eeb431\dnsapi.dll C:\WINDOWS\system32\dnsapi.dll
Replace: C:\WINDOWS\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.14393.206_none_d9e49b24f54f762c\dnsapi.dll C:\WINDOWS\SysWOW64\dnsapi.dll
The tool moves the destination file (if present) to Quarantine then copies the source file to destination location.
It will not move the source file and the source file is still in its original location. So in the above example dnsapi.dll in WinSxS directories will be there for future.
Note: The destination path should contain the file name even if the file is currently missing in destination directory.
Note: In case of missing destination directory, the command will fail. FRST doesn't rebuild a complete directory structure. The Copy: directive could be used instead.
RestoreFromBackup:
The first time the tool is run it copies the hives to %SystemDrive%\FRST\Hives (usually C:\FRST\Hives) directory as a backup. It will not be overwritten by subsequent running of the tool unless the backup is older than two months. If something went wrong either one of the hives could be restored. The syntax will be:
RestoreFromBackup: HiveName
Examples:
RestoreFromBackup: software
RestoreFromBackup: system
RestoreMbr:
To restore the MBR, FRST will use MbrFix that is saved on the flash drive to write a MBR.bin file to a drive. What is needed is the MbrFix/MbrFix64 utility, the MBR.bin to be restored and the script showing the drive:
RestoreMbr: Drive=#
Example:
RestoreMbr: Drive=0
(Note: The MBR to be restored should be named MBR.bin and should be zipped and attached).
RestoreQuarantine:
You can restore the whole content of Quarantine or restore single or multiple file(s) or folder(s) from Quarantine.
To restore the whole content of Quarantine the syntax is either:
RestoreQuarantine:
Or:
RestoreQuarantine: C:\FRST\Quarantine
To restore a file or folder the syntax is:
RestoreQuarantine: PathInQuarantine
Example:
RestoreQuarantine: C:\FRST\Quarantine\C\Program Files\Microsoft Office
RestoreQuarantine: C:\FRST\Quarantine\C\Users\User\Desktop\ANOTB.exe.xBAD
To find the path in the Quarantine you can use:
Folder: C:\FRST\Quarantine
Or:
CMD: dir /a/b/s C:\FRST\Quarantine
Note: If a file already exists (outside Quarantine) in the destination path, FRST will not overwrite it. The original file will not be moved and will remain in Quarantine. If however, you still need to restore the file from Quarantine then the file in the destination path should be renamed/removed.
SaveMbr:
Refer Drives and MBR & Partition Table section in the tutorial.
To make a copy of MBR the following syntax is used:
SaveMbr: Drive=#
Example:
SaveMbr: Drive=0
Note: By doing this there will be MBRDUMP.txt made on the flash drive that should be attached to the post by the user.
SetDefaultFilePermissions:
Created for locked system files/folders. It sets group "Administrators" as owner and depending on the system grants access rights to the standard groups.
Note: The directive will not set TrustedInstaller as the owner but still it could be used for system files/folders that are locked by the malware.
The syntax is:
SetDefaultFilePermissions: path
StartBatch: — EndBatch:
To create and run a batch file.
The syntax is:
StartBatch:
Line 1
Line 2
Etc.
EndBatch:
The output will be redirected to the Fixlog.txt.
StartPowershell: — EndPowershell:
A better alternative to create and run a PowerShell file containing multiple lines (see the Powershell: directive earlier in the tutorial).
The syntax is:
StartPowershell:
Line 1
Line 2
Etc.
EndPowershell:
The output will be redirected to the Fixlog.txt.
StartRegedit: — EndRegedit:
To create and import a registry file (.reg).
The syntax is:
StartRegedit:
.reg file format
EndRegedit:
Including Windows Registry Editor Version 5.00 header is optional, but REGEDIT4 header is required.
Example:
StartRegedit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
"Start"=dword:00000002
EndRegedit:
You will get a confirmation in the Fixlog.txt:
Registry ====> The operation completed successfully.
Note: The confirmation line appears regardless of any eventual errors in your .reg file.
Note: The directives won't handle locked or invalid keys/values. See the DeleteKey: and DeleteValue: description earlier in the tutorial.
Symlink:
To list symbolic links or junctions in a folder.
The syntax is:
Symlink: path
Example:
Symlink: C:\Windows
Note: The directive works recursively. Therefore, the scan can take a significant amount of time depending on the location.
SystemRestore:
To enable or disable System Restore.
The syntax is:
SystemRestore: On
SystemRestore: Off
When the On switch is used, FRST checks if there is sufficient free space to enable System Restore. If the requirement is not met, an error will be printed.
TasksDetails:
Lists additional tasks details related to execution time.
Example:
========================= TasksDetails: ========================
UCBrowserUpdater (LastRunTime: NA -> NextRunTime: 2016-10-13 11:32:00 -> Status: Ready -> Schedule Type: Undefined)
Note: The directive is not supported on Windows XP and works only in normal mode.
testsigning on:
Note: For Windows Vista and later, not supported on Secure Boot enabled devices.
Enabled testsigning is a non-default BCD modification, which could be introduced by malware or users trying to install unsupported drivers. When FRST locates evidence of this sort of tampering it will report like this:
testsigning: ==> 'testsigning' is set. Check for possible unsigned driver <===== ATTENTION
Inspect the Drivers section looking for a driver matching the warning. Depending on the situation, include the driver together with the warning or the warning alone in the fixlist.
In case of side effects after processing the entries, use the directive to re-enable the testsigning for further troubleshooting.
Unlock:
In the case of files/directories it sets group "Administrators" as owner and grants access to "Administrators", "Users" and "SYSTEM". It should be used for bad files/directories. To unlock system items, use the SetDefaultFilePermissions: directive.
In the case of registry keys it sets group "Administrators" as owner and grants the groups the usual access and works only on the key applied. It can be used for both bad and legitimate keys.
The syntax is:
Unlock: path
Note: To remove an item you don't need to unlock it prior to removing it:
- For files/folders just include the path in the fixlist and FRST will reset permissions and move the objects to Quarantine. To remove a folder permanently use the RemoveDirectory: directive.
- For registry keys deploy the DeleteKey: directive.
Zip:
To zip files/folders and save them as Date_Time.zip to the users desktop for subsequent manual uploading by the user. More than one archive will be created for files/folders with duplicated names.
As many files/folders as needed can be listed, separated by semicolons.
Zip: path;path
Example:
Zip: C:\malware.exe;C:\Windows\Minidump;C:\Windows\Logs\CBS\CBS.log
Edited by picasso, 28 February 2024 - 12:44 PM.