Mastering Farbar Recovery Scan Tool (FRST) Directives: A Comprehensive Guide

For users seeking advanced system repair and malware removal, the Farbar Recovery Scan Tool (FRST) is an indispensable utility, often recommended on platforms like Bleeping Computer. FRST’s power lies in its ability to execute specific commands, known as directives, allowing for targeted fixes and system modifications. Understanding and utilizing these directives is crucial for effectively leveraging FRST to diagnose and resolve complex computer issues.

This guide provides a comprehensive overview of FRST directives, categorized by their operational environment and function. Whether you are troubleshooting in Normal Mode, Safe Mode, or the Recovery Environment, this document will equip you with the knowledge to use FRST directives effectively.

FRST Directives: Quick Reference and Usage

FRST directives are command-line instructions that must be entered on a single line for the tool to process them correctly. They are not case-sensitive, offering flexibility in their usage. Below is a categorized quick reference to help you navigate the available directives.

Directives for Normal Mode Only

These directives are designed to be used when your Windows operating system is running in its normal state.

  • CreateRestorePoint: Initiates the creation of a System Restore point. This is a crucial step before making system changes, enabling you to revert to a previous state if needed.
  • SystemRestore: Manages System Restore functionality, specifically to enable or disable it. Note: CreateRestorePoint: automatically attempts to enable System Restore if it’s off, so using SystemRestore: On might be redundant in many cases.
  • TasksDetails: Provides detailed information about scheduled tasks, including their last and next run times, status, and schedule type. This is helpful for identifying potentially malicious or unnecessary tasks.

Directives for Normal Mode and Safe Mode

These directives can be employed in both Normal Mode and Safe Mode, offering flexibility when troubleshooting.

  • CloseProcesses: Terminates non-essential running processes. This can be beneficial to ensure fixes are applied more effectively and swiftly, as it reduces interference from other software. Note: Using this directive automatically triggers a system reboot after the fix execution.

  • EmptyEventLogs: Clears Windows Event Logs, which can be useful for cleaning up clutter or when troubleshooting requires a fresh log state. The tool will report the number of logs cleared and any errors encountered.

  • EmptyTemp: Empties temporary directories, browser caches (excluding Firefox clones), and other temporary data locations including:

    • Windows Temp directory
    • User Temp directories
    • Browser caches, HTML5 storage, cookies, and history (for browsers scanned by FRST, excluding Firefox clones)
    • Recently opened files cache
    • Discord cache
    • Java cache
    • Steam HTML cache
    • Explorer thumbnail and icon cache
    • BITS transfer queue
    • WinHTTP AutoProxy cache
    • DNS cache
    • Recycle Bin

    Important: This directive permanently deletes items. They are not moved to quarantine. Using EmptyTemp: will also automatically reboot the system after other fixlist commands are processed.

    Note: This directive is disabled in the Recovery Environment to prevent unintended data loss.

  • Powershell: Executes PowerShell commands or scripts. This directive is versatile and can be used for a wide range of tasks, from simple commands to complex script executions.

    • Single command execution: Powershell: command
    • Output redirection to a file: Powershell: command > "Path to a text file" or Powershell: command | Out-File "Path to a text file"
    • Running a script file: Powershell: "Path to a script file"
    • Running multiple commands in a line: Powershell: line 1; line 2; ...
  • Reboot: Forces a system restart. While CloseProcesses: and EmptyTemp: automatically include a reboot, Reboot: can be used independently if a restart is needed after other directives. Note: This directive is not functional in the Recovery Environment.

  • RemoveProxy: Eliminates Internet Explorer policy-based proxy restrictions, often set by malware. It targets settings in both machine and user registry keys and also applies the BITSAdmin command to remove proxy settings. It’s crucial to uninstall any software or services that might reinstate these proxy settings before using this directive.

  • StartPowershell:EndPowershell: Allows for the execution of multi-line PowerShell scripts directly within the fixlist. Output is redirected to Fixlog.txt.

  • Virusscan: Scans specified files using Jotti’s malware scan service. FRST checks for prior scans on Jotti and uploads new files for analysis if needed. Multiple files can be checked by separating paths with semicolons.

  • Zip: Compresses specified files or folders into a ZIP archive named with the current date and time, saved to the user’s desktop. This is useful for collecting files for analysis or backup. Multiple items can be zipped by separating their paths with semicolons.

Directives for Normal Mode, Safe Mode, and Recovery Environment (RE)

These directives are the most versatile, functioning across all FRST operational environments, including the Windows Recovery Environment.

  • cmd: Executes Command Prompt commands. Each command should be prefixed with CMD: to ensure proper logging. For multiple commands, each line must start with CMD:. Alternatively, StartBatch:EndBatch: can be used for batch command execution.

    CMD: copy /y c:\windows\minidump\*.dmp e:\
    CMD: bootrec /FixMbr

    Note: CMD commands require proper cmd.exe syntax, including quotes for paths with spaces.

  • Comment: Adds comments within the fixlist. These are useful for documenting the purpose of specific commands or providing feedback in the Fixlog.txt.

    Comment: The following command will remove all network proxies from the system
    RemoveProxy:
  • Copy: Copies files or folders, similar to the xcopy command. The destination folder is automatically created if it doesn’t exist.

    Copy: C:\Users\User\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb C:\Users\User\Desktop\Edge Backup
    Copy: C:\Windows\Minidump F:\

    Note: For single file replacements, Replace: is recommended. Copy: only attempts to overwrite, while Replace: also tries to unlock and quarantine the existing target file.

  • CreateDummy: Creates a locked dummy folder to prevent the restoration of malicious files or folders. These dummy folders should be removed after malware neutralization.

    CreateDummy: C:\Windows\System32\bad.exe
    CreateDummy: C:\ProgramData\Bad
  • DeleteJunctionsInDirectory: Removes junction points within a specified directory.

    DeleteJunctionsInDirectory: C:\Program Files\Windows Defender
  • DeleteKey: and DeleteValue: Efficiently deletes registry keys and values, bypassing standard deletion limitations. They can delete locked keys, keys with embedded-null characters, and registry symbolic links. No Unlock: directive is needed.

    • Delete Key: DeleteKey: key or [-key] (regedit format)
    • Delete Value: DeleteValue: key|value (leave value empty for default value: DeleteValue: key|)
      DeleteKey: HKLM\SOFTWARE\Microleaves
      DeleteValue: HKEY_CURRENT_USER\Environment|SNF
      DeleteValue: HKU\S-1-5-21-3145329596-257967906-3285628945-1000\Software\Clients\StartMenuInternet|
      [-HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Dataup]

    Note: If a key to be deleted is a symbolic link, only the link itself is deleted, not the target key.

  • DeleteQuarantine: Removes the FRST Quarantine folder (%SystemDrive%\FRST\Quarantine), which may be necessary if manual deletion fails due to locked files. This ensures complete removal of FRST’s working directory after cleaning.

  • DisableService: Disables a specified service or driver service. The service will be set to disabled and will not start on the next boot.

    DisableService: sptd
    DisableService: Wmware Nat Service

    Note: Use the service name as it appears in the registry or FRST log, without quotes.

  • ExportKey: and ExportValue: Exports registry key content for inspection, overcoming limitations of regedit.exe and reg.exe. ExportKey: exports all values and subkeys recursively, while ExportValue: exports only values within the specified key.

    ExportKey: HKEY_LOCAL_MACHINE\SOFTWARE\Suspicious Key
    ExportValue: HKEY_LOCAL_MACHINE\SOFTWARE\Suspicious Key

    Note: These directives are for research and analysis only, not for backup and import.

  • File: Checks file properties. Multiple files can be checked by separating paths with semicolons.

    File: C:\Users\User\Desktop\amtemu.v0.9.1-painter.exe
    ========================= File: C:\Users\User\Desktop\amtemu.v0.9.1-painter.exe ========================
    
     C:\Users\User\Desktop\amtemu.v0.9.1-painter.exe
    File not signed
    MD5: A209B88B9B2CF7339BE0AC5126417875
    Creation and modification date: 2024-03-09 12:20 - 2017-04-10 11:44
    Size: 002546176
    Attributes: ----A
    Company Name: PainteR
    Internal Name: ProxyEmu
    Original Name: emuext.exe
    Product: ProxyEmu
    Description: ProxyEmu
    File Version: 0.9.1.0
    Product Version: 0.9.1.0
    Copyright: painter
    Virusscan: https://virusscan.jotti.org/filescanjob/k4nj4qatm6
    
     ====== End of File: ======

    Note: Digital signature checks are unavailable in the Recovery Environment.
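    The File: report above is plain text that a helper reads by eye; the following Python script is an added example (not part of this guide or of FRST) that parses one such block from Fixlog.txt into a dictionary and derives the observations a helper typically notes before deciding on quarantine: an unsigned binary, a creation date newer than the modification date (the file was copied onto this system after it was last built), an on-disk name that differs from the embedded Original Name, and the Jotti link. The sample input is the page's own report re-typed as a string; the field names and the two helper functions are assumptions made here, and any signer wording other than "File not signed" is simply skipped.

```python
import re
from datetime import datetime

# Constructed sample input: the File: report printed above, re-typed as a
# string so the parser runs offline. Path, hash and Jotti link are the page's
# own example values, not a fresh scan.
SAMPLE_FILE_REPORT = r"""========================= File: C:\Users\User\Desktop\amtemu.v0.9.1-painter.exe ========================

 C:\Users\User\Desktop\amtemu.v0.9.1-painter.exe
File not signed
MD5: A209B88B9B2CF7339BE0AC5126417875
Creation and modification date: 2024-03-09 12:20 - 2017-04-10 11:44
Size: 002546176
Attributes: ----A
Company Name: PainteR
Internal Name: ProxyEmu
Original Name: emuext.exe
Product: ProxyEmu
Description: ProxyEmu
File Version: 0.9.1.0
Product Version: 0.9.1.0
Copyright: painter
Virusscan: https://virusscan.jotti.org/filescanjob/k4nj4qatm6

 ====== End of File: ======
"""

HEADER_RE = re.compile(r"^=+ File: (?P<path>.+?) =+$")
DATES_RE = re.compile(r"^Creation and modification date: (\S+ \S+) - (\S+ \S+)$")


def parse_file_report(text):
    """Turn one File: block from Fixlog.txt into a dict (hypothetical helper).

    Keys: path, signed (False when FRST printed 'File not signed', else None),
    created/modified (datetime), size (int) and fields (the remaining
    'Name: value' lines such as MD5, Original Name and Virusscan).
    """
    report = {"path": None, "signed": None, "created": None,
              "modified": None, "size": None, "fields": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("====== End of File"):
            continue
        m = HEADER_RE.match(line)
        if m:
            report["path"] = m.group("path")
            continue
        if line == report["path"]:
            continue                      # bare path repeated under the header
        if line == "File not signed":
            report["signed"] = False
            continue
        m = DATES_RE.match(line)
        if m:
            report["created"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            report["modified"] = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M")
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            continue                      # other wording (e.g. a signer line) is ignored here
        if key == "Size":
            report["size"] = int(value)   # FRST zero-pads the byte count
        else:
            report["fields"][key] = value
    return report


def triage_notes(report):
    """Observations a helper reads before deciding whether to quarantine the file."""
    notes = []
    if report["signed"] is False:
        notes.append("unsigned binary")
    if report["created"] and report["modified"] and report["created"] > report["modified"]:
        notes.append("creation date newer than modification date: the file was copied "
                     "or extracted onto this system after it was last built")
    on_disk = (report["path"] or "").rsplit("\\", 1)[-1]
    original = report["fields"].get("Original Name")
    if original and on_disk and original.lower() != on_disk.lower():
        notes.append(f"on-disk name '{on_disk}' differs from Original Name '{original}'")
    if "Virusscan" in report["fields"]:
        notes.append("Jotti result available: " + report["fields"]["Virusscan"])
    return notes


if __name__ == "__main__":
    parsed = parse_file_report(SAMPLE_FILE_REPORT)
    print(parsed["path"], parsed["fields"]["MD5"])
    for note in triage_notes(parsed):
        print(" -", note)
```

    Run on the sample, the script reports the four observations above for amtemu.v0.9.1-painter.exe; on a report for a file that is signed and was built in place, triage_notes() returns only the Jotti line (or nothing if Virusscan: was not used).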

  • FilesInDirectory: and Folder: Lists folder contents. FilesInDirectory: lists specific files matching wildcard patterns, while Folder: lists the entire folder content recursively. Both include MD5 checksums for all files and digital signatures for executables, DLLs, SYS, and MUI files.

    FilesInDirectory: C:\Windows\desktop-7ec3qg0\*.exe;*.dll
    Folder: C:\Windows\desktop-7ec3qg0

    Note: Folder: is recursive and can generate very large logs for extensive directories.

  • FindFolder: Searches for folders, similar to the FindFolder feature in the FRST interface, but logs results in Fixlog.txt.

  • Hosts: Resets the Hosts file to default. Useful for removing redirects caused by malware.

  • ListPermissions: Lists permissions for specified files, directories, or registry keys.

    ListPermissions: C:\Windows\Explorer.exe
    ListPermissions: C:\Users\User\appdata
    ListPermissions: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip
    ListPermissions: HKLM\SYSTEM\CurrentControlSet\services\afd
  • Move: Moves or renames files, even across drives. It moves the destination file to Quarantine (if present) and then moves the source file to the destination. Renaming can be done using this directive.

    Move: c:\WINDOWS\system32\drivers\afd.sys c:\WINDOWS\system32\drivers\afd.sys.old
    Move: c:\WINDOWS\system32\drivers\atapi.bak c:\WINDOWS\system32\drivers\atapi.sys

    Note: The destination path must include the filename, even if it’s currently missing.

  • Reg: Manipulates the Windows Registry using the reg command-line tool. This allows for advanced registry modifications.

    Reg: reg add HKLM\SYSTEM\CurrentControlSet\Services\Schedule /v Start /t REG_DWORD /d 0x2 /f
    Reg: reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" C:\Users\User\Desktop\backup.reg

    Note: Reg commands require proper reg.exe syntax, including quotes for paths with spaces. This directive doesn’t handle locked or invalid keys; for those, use DeleteKey: and DeleteValue:.

  • RemoveDirectory: Removes directories that resist normal deletion due to permissions or invalid paths. It’s particularly powerful in Safe Mode and the Recovery Environment. No Unlock: directive is needed.

    RemoveDirectory: path
  • Replace: Replaces a destination file with a source file. It moves the destination file to Quarantine (if it exists) before copying the source file. The source file remains in its original location.

    Replace: C:\WINDOWS\WinSxS\amd64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.14393.206_none_cf8ff0d2c0eeb431\dnsapi.dll C:\WINDOWS\system32\dnsapi.dll
    Replace: C:\WINDOWS\WinSxS\wow64_microsoft-windows-dns-client-minwin_31bf3856ad364e35_10.0.14393.206_none_d9e49b24f54f762c\dnsapi.dll C:\WINDOWS\SysWOW64\dnsapi.dll

    Note: The destination path must include the filename and the destination directory must exist. If the directory is missing, use Copy: instead.

  • RestoreQuarantine: Restores files or folders from the FRST Quarantine. You can restore the entire Quarantine content or specific items by providing their path within Quarantine.

    • Restore entire Quarantine: RestoreQuarantine: or RestoreQuarantine: C:\FRST\Quarantine
    • Restore specific item: RestoreQuarantine: PathInQuarantine
      RestoreQuarantine: C:\FRST\Quarantine\C\Program Files\Microsoft Office
      RestoreQuarantine: C:\FRST\Quarantine\C\Users\User\Desktop\ANOTB.exe.xBAD

      To find paths within Quarantine, use Folder: C:\FRST\Quarantine or CMD: dir /a/b/s C:\FRST\Quarantine.

    Note: If a file already exists at the destination, it will not be overwritten, and the quarantined file will remain in Quarantine.

  • SaveMbr: Creates a backup copy of the Master Boot Record (MBR). Refer to the FRST tutorial section on “Drives and MBR & Partition Table” for more context.

    SaveMbr: Drive=0

    This creates MBRDUMP.txt on the flash drive, which should be provided for analysis.

  • SetDefaultFilePermissions: Resets permissions for locked system files or folders. It sets “Administrators” as the owner and grants standard access rights to relevant groups. Useful for system items locked by malware.

    SetDefaultFilePermissions: path

    Note: Does not set TrustedInstaller as owner but is still effective for malware-locked system files.

  • StartBatch:EndBatch: Creates and executes a batch file. Useful for running multiple CMD commands in sequence, with output redirected to Fixlog.txt.

    StartBatch:
    Line 1
    Line 2
    Etc.
    EndBatch:
  • StartRegedit:EndRegedit: Creates and imports a registry file (.reg). The content must follow .reg file syntax. Including the Windows Registry Editor Version 5.00 header is optional, but the REGEDIT4 header is mandatory for older systems.

    StartRegedit:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
    "Start"=dword:00000002
    EndRegedit:

    Confirmation of successful registry operation will be in Fixlog.txt.

    Note: Doesn’t handle locked or invalid keys; use DeleteKey: and DeleteValue: for those.

  • Symlink: Lists symbolic links and junctions within a specified folder, recursively. This scan can be time-consuming for large directories.

    Symlink: C:\Windows
  • Unlock: Resets permissions for files, directories, or registry keys. For files/directories, it sets “Administrators” as owner and grants access to “Administrators”, “Users”, and “SYSTEM”. For registry keys, it sets “Administrators” as owner and grants standard access. Use SetDefaultFilePermissions: for system files.

    Unlock: path

    Note: Unlocking is not required before removing items. For files/folders, simply include the path in the fixlist, and FRST will reset permissions and quarantine them. For permanent folder removal, use RemoveDirectory:. For registry keys, use DeleteKey:.

Directives for Recovery Environment (RE) Only

These directives are specifically designed for use within the Windows Recovery Environment, offering unique functionalities in this environment.

  • LastRegBack: Restores the registry from the last known good backup. This can be a critical recovery step in the RE.
  • RestoreFromBackup: Restores specific registry hives from backups created by FRST in %SystemDrive%\FRST\Hives. Backups are created on the first run and updated only if older than two months.
    RestoreFromBackup: software
    RestoreFromBackup: system
  • RestoreMbr: Restores the Master Boot Record (MBR) using the MbrFix utility. Requires the MbrFix/MbrFix64 utility, an MBR.bin backup file, and the drive number.
    RestoreMbr: Drive=0

    The MBR.bin file should be zipped and provided for restoration.
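The environment categories above are the most common reason a fix fails part-way: a directive copied from a Normal Mode fixlist silently does nothing in the Recovery Environment. As an added example (not part of this guide and not FRST's own code), the Python script below checks a fixlist against those categories before it is handed to the tool. The directive sets are taken from the sections above; everything else in the script (the lint_fixlist() and errors() helpers, the finding levels, and the sample fixlist, which is constructed from this page's examples plus one made-up name, Hypothetical:, to show how unlisted lines are reported) is an assumption of this example. Lines inside StartBatch:/StartRegedit:/StartPowershell: blocks are treated as script content, and bare paths or lines copied from the FRST logs are passed through untouched.

```python
import re

# Environment categories as laid out in the sections above; names are kept
# lower-case because FRST directives are not case-sensitive.
NORMAL_ONLY = {"createrestorepoint", "systemrestore", "tasksdetails"}
NORMAL_AND_SAFE = {"closeprocesses", "emptyeventlogs", "emptytemp", "powershell", "reboot",
                   "removeproxy", "startpowershell", "virusscan", "zip"}
ALL_ENVS = {"cmd", "comment", "copy", "createdummy", "deletejunctionsindirectory",
            "deletekey", "deletevalue", "deletequarantine", "disableservice", "exportkey",
            "exportvalue", "file", "filesindirectory", "folder", "findfolder", "hosts",
            "listpermissions", "move", "reg", "removedirectory", "replace",
            "restorequarantine", "savembr", "setdefaultfilepermissions", "startbatch",
            "startregedit", "symlink", "unlock"}
RE_ONLY = {"lastregback", "restorefrombackup", "restorembr"}

ALLOWED = {
    "normal": NORMAL_ONLY | NORMAL_AND_SAFE | ALL_ENVS,
    "safe": NORMAL_AND_SAFE | ALL_ENVS,
    "re": ALL_ENVS | RE_ONLY,
}
KNOWN = NORMAL_ONLY | NORMAL_AND_SAFE | ALL_ENVS | RE_ONLY
AUTO_REBOOT = {"closeprocesses", "emptytemp"}
BLOCK_END = {"startbatch": "endbatch", "startregedit": "endregedit",
             "startpowershell": "endpowershell"}

# Three or more letters before the colon, so "C:\..." path lines are never read as directives.
DIRECTIVE_RE = re.compile(r"^([A-Za-z]{3,}):")

# Constructed sample fixlist: examples from this page plus the made-up name
# "Hypothetical:" to exercise the info path for unlisted lines.
SAMPLE_FIXLIST = r"""CreateRestorePoint:
CloseProcesses:
StartRegedit:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
"Start"=dword:00000002
EndRegedit:
DeleteKey: HKLM\SOFTWARE\Microleaves
C:\ProgramData\Bad
Unlock: C:\ProgramData\Bad
Hypothetical: example
EmptyTemp:
"""


def lint_fixlist(text, env):
    """Return (line_number, level, message) findings for a fixlist run in env.

    env is "normal", "safe" or "re". Levels are error (directive will not work
    there or block is unterminated), warning, note and info. Hypothetical helper.
    """
    env = env.lower()
    if env not in ALLOWED:
        raise ValueError(f"unknown environment {env!r}")
    findings = []
    open_block = None                     # (start line, expected End keyword)
    for n, raw in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(raw.strip())
        name = m.group(1).lower() if m else None
        if open_block:                    # script / .reg content, not directives
            if name == open_block[1]:
                open_block = None
            continue
        if name is None:                  # path, registry entry or copied log line
            continue
        if name in BLOCK_END.values():
            findings.append((n, "error", f"{name}: without a matching Start directive"))
            continue
        if name not in KNOWN:
            findings.append((n, "info", f"{name}: is not listed in this guide; passed through unchanged"))
            continue
        if name in BLOCK_END:
            open_block = (n, BLOCK_END[name])
        if name not in ALLOWED[env]:
            findings.append((n, "error", f"{name}: is not available in {env} mode"))
            continue
        if name in AUTO_REBOOT:
            findings.append((n, "note", f"{name}: reboots the machine once the fix has run"))
        if name == "emptytemp":
            findings.append((n, "warning", "EmptyTemp: deletes permanently; nothing goes to Quarantine"))
        if name == "unlock":
            findings.append((n, "note", "Unlock: is not needed before removing an item; listing its path is enough"))
    if open_block:
        findings.append((open_block[0], "error", f"block opened on line {open_block[0]} has no {open_block[1]}:"))
    return findings


def errors(findings):
    """Just the findings that mean the fix would not run as intended."""
    return [f for f in findings if f[1] == "error"]


if __name__ == "__main__":
    for env in ("normal", "safe", "re"):
        print(f"== {env} ==")
        for line_no, level, msg in lint_fixlist(SAMPLE_FIXLIST, env):
            print(f"  line {line_no}: {level}: {msg}")
```

Run against the sample, the same fixlist passes for Normal Mode, loses CreateRestorePoint: in Safe Mode, and loses CreateRestorePoint:, CloseProcesses: and EmptyTemp: in the Recovery Environment, which is exactly the set of lines a helper has to strip before asking a user to run the fix from a boot flash drive.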

Additional Directives and Notes

  • testsigning on: Detects and can re-enable the testsigning boot configuration option, which allows installation of unsigned drivers. FRST reports if testsigning is enabled, prompting a check for potentially unsigned or malicious drivers in the Drivers section of the FRST logs.

    testsigning on:

    Note: testsigning is not supported on Secure Boot enabled devices and is for Windows Vista and later.

  • TasksDetails: (Example output)

    ========================= TasksDetails: ========================
    UCBrowserUpdater (LastRunTime: NA -> NextRunTime: 2016-10-13 11:32:00 -> Status: Ready -> Schedule Type: Undefined)

    Note: TasksDetails: is not supported on Windows XP and works only in normal mode.
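    The TasksDetails: output above is one line per task in a fixed "->" separated layout, which makes it easy to triage in bulk. The following Python script is an added example (not from this guide or from FRST) that parses those lines and flags the pattern shown in the page's own output: a task that has never run (LastRunTime: NA) but already has a next run time, or whose schedule type is Undefined, both of which point at a recently created task worth checking in the Task section of the logs. The regular expression and the two helper functions are assumptions of this example, and the second task line in the sample, "Example Backup", is constructed here as a baseline that raises no flag.

```python
import re

# One TasksDetails: line, in the layout shown in the example output above.
TASK_RE = re.compile(
    r"^(?P<name>.+?) \(LastRunTime: (?P<last>.*?) -> NextRunTime: (?P<next>.*?) -> "
    r"Status: (?P<status>.*?) -> Schedule Type: (?P<schedule>.*?)\)$"
)

# Constructed sample: the page's own UCBrowserUpdater line plus one made-up
# task ("Example Backup") as a baseline that is not flagged.
SAMPLE_TASKSDETAILS = """\
========================= TasksDetails: ========================
UCBrowserUpdater (LastRunTime: NA -> NextRunTime: 2016-10-13 11:32:00 -> Status: Ready -> Schedule Type: Undefined)
Example Backup (LastRunTime: 2016-10-12 11:32:00 -> NextRunTime: 2016-10-13 11:32:00 -> Status: Ready -> Schedule Type: Daily)
"""


def parse_tasksdetails(text):
    """Return one dict (name, last, next, status, schedule) per task line; header lines are skipped."""
    tasks = []
    for raw in text.splitlines():
        m = TASK_RE.match(raw.strip())
        if m:
            tasks.append(m.groupdict())
    return tasks


def flag_tasks(tasks):
    """Return (task name, reason) pairs for tasks a helper should look up in the logs."""
    flagged = []
    for task in tasks:
        reasons = []
        if task["last"] == "NA" and task["next"] != "NA":
            reasons.append("never run but already scheduled: likely created recently")
        if task["schedule"] == "Undefined":
            reasons.append("schedule type is Undefined")
        if reasons:
            flagged.append((task["name"], "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    for name, reason in flag_tasks(parse_tasksdetails(SAMPLE_TASKSDETAILS)):
        print(f"{name}: {reason}")
```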


By understanding and correctly applying these Farbar Recovery Scan Tool directives, users can effectively diagnose and repair a wide range of system issues, making FRST a powerful tool in the arsenal of anyone dealing with computer troubleshooting and malware removal. Remember to use these directives carefully and always back up your system before making significant changes. For further assistance and detailed guidance on using FRST, consult the comprehensive resources available on Bleeping Computer.

