[SNIPPET] Remove last run entry


9o3

As of now, most payloads simply remove the entire RunMRU history. This, however, may be noticed by a user who regularly uses the Run dialog.
Instead, removing just the last entry can be done like so:
 

#Remove latest run entry
$p="HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU";$m="MRUList";$l=(gp $p).$m;rp $p $l[0];sp $p $m $l.SubString(1);


Let's break it down:
First we grab a list of all entries in RunMRU MRUList: $l=(gp $p).$m

After this we remove the last entry by its key: rp $p $l[0]

Finally we update the MRUList to omit the removed key: sp $p $m $l.SubString(1)

gp -> Get-ItemProperty
rp -> Remove-ItemProperty
sp -> Set-ItemProperty

I hope this can be useful to some of you.
~9o3

P.S.
I shortened the snippet as much as possible; however, it's still a good idea to include this in a second stage if possible.

  • Like 2
  • Upvote 1
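
Added example, not part of the original post: a read-only check a responder can run over RunMRU data to look for signs that individual entries were removed rather than the whole history cleared. The function names and sample values are constructed for illustration, and the slot-gap test is a heuristic that assumes Explorer hands out value names in order starting at 'a'.

```powershell
# Added example, not from the original post. Read-only consistency check for RunMRU.
function Get-RunMruValues {
    param([string]$Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU')
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop   # RegistryKey object
    $h = @{}
    foreach ($n in $key.GetValueNames()) { $h[$n] = $key.GetValue($n) }
    return $h
}

function Test-RunMruState {
    param([Parameter(Mandatory)][hashtable]$Values)   # value name -> data, MRUList included
    $order = [string]$Values['MRUList']
    $slots = @($Values.Keys | Where-Object { $_ -cmatch '^[a-z]$' } | Sort-Object)
    $findings = @()

    # 1. Every letter in MRUList must name an existing value, exactly once.
    $seen = @{}
    foreach ($c in $order.ToCharArray()) {
        $name = [string]$c
        if ($seen.ContainsKey($name)) { $findings += "MRUList repeats '$name'" }
        $seen[$name] = $true
        if ($slots -notcontains $name) { $findings += "MRUList references missing value '$name'" }
    }
    # 2. Every slot value must be listed in MRUList.
    foreach ($s in $slots) {
        if (-not $seen.ContainsKey($s)) { $findings += "value '$s' is not listed in MRUList" }
    }
    # 3. Heuristic (assumption: slots are handed out in order starting at 'a'):
    #    a hole in the letter sequence suggests a single value was deleted.
    for ($i = 0; $i -lt $slots.Count; $i++) {
        $expected = [string][char]([int][char]'a' + $i)
        if ($slots[$i] -ne $expected) { $findings += "slot gap: expected '$expected', found '$($slots[$i])'"; break }
    }
    return ,$findings
}

# Constructed sample data (not real registry exports).
$intact   = @{ a = 'cmd\1'; b = 'notepad\1'; c = 'regedit\1'; MRUList = 'cab' }
$tampered = @{ b = 'notepad\1'; c = 'regedit\1'; MRUList = 'cb' }   # slot 'a' is gone
Test-RunMruState $intact
Test-RunMruState $tampered
# Live, read-only use: Test-RunMruState (Get-RunMruValues)
```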