A source for many batch-file tricks: ghidra/launch.bat at master · NationalSecurityAgency/ghidra
Posted by jpluimers on 2026/05/20
If you want to improve your batchfile-fu, this might be your start: [Wayback/Archive] ghidra/launch.bat at master · NationalSecurityAgency/ghidra
After a quick look, I already recognised these tricks:
- `^<`
- `%%#`
- `%~`
- `set "SUPPORT_DIR=%SUPPORT_DIR:~0,-1%"`
- `"%SUPPORT_DIR:!=%"=="%SUPPORT_DIR%"`
- `set /A INDEX=!INDEX!+1`
- `if %INDEX% geq 6 goto continue1`
- `java -version >nul 2>nul`
- `for /f "delims=*" %%i in`
- `%SystemRoot%\System32\timeout.exe /NOBREAK 1 > NUL`
- `exit /B %ERRORLEVEL%`
- `^(`
Via:
- [Wayback/Archive] SwiftOnSecurity on Twitter: “This is the ideal Windows batch script. You may not like it, but this is what peak performance looks like.”
Broken WMI. It’s pretty extreme but it’s deployed at scale if the issue is detected.
- [Wayback/Archive] Malwrologist on Twitter: “@JohnLaTwC @danielhbohannon @RGB_Lights timeout is used commonly in malicious batch scripts”
- [Wayback/Archive] John Lambert on Twitter: “I wonder if the use of # as a variable name (in `%%#`) instead of `a`–`z` is a TTP. So much expertise to signature. Time for #Yara rule retrohunt!”
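The two traits raised in the replies above (a non-letter FOR variable such as `%%#`, and calls to `timeout`) can be counted mechanically as a triage aid. This is an added example, not code from the post, the tweets or Ghidra; the function name, the regular expressions and both sample scripts are constructed for illustration.

```python
import re

# FOR header: optional switches (/f, /l, /r, /d, each with an optional quoted
# argument), then the loop variable (%%x in a script, %x at the prompt).
FOR_VAR = re.compile(
    r'(?<![\w.])for\s+(?:/[a-z]\s+(?:"[^"]*"\s+)?)*%%?(\S)\s+in\s*\(', re.I)
# timeout called bare, as timeout.exe, or through a full path, with a delay.
TIMEOUT = re.compile(
    r'(?:^|[\s\\&|(@"])timeout(?:\.exe)?"?\s+(?:/t\s+|/nobreak\s+)*\d+', re.I)
COMMENT = re.compile(r'^\s*(?:::|rem\b)', re.I)


def scan_batch(text):
    """Report non-letter FOR variables and timeout calls in a batch script."""
    odd_vars, timeouts = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if COMMENT.match(line):
            continue  # traits inside comments are not executed
        for m in FOR_VAR.finditer(line):
            var = m.group(1)
            if not (var.isascii() and var.isalpha()):
                odd_vars.append((lineno, var))
        timeouts += len(TIMEOUT.findall(line))
    return {"non_letter_for_vars": odd_vars, "timeout_calls": timeouts}


# Constructed samples (not taken from any real script).
SAMPLE_PLAIN = r'''@echo off
:: ordinary letter loop variables, no delay
for /f "delims=*" %%i in ('java -version 2^>^&1') do echo %%i
for %%s in (a.dll b.dll) do echo %%s
'''
SAMPLE_ODD = r'''@echo off
rem non-letter loop variable plus two delays
for %%# in (one two) do echo %%#
%SystemRoot%\System32\timeout.exe /NOBREAK 1 > NUL
timeout /t 5 >nul
'''

if __name__ == "__main__":
    for name, sample in (("plain", SAMPLE_PLAIN), ("odd", SAMPLE_ODD)):
        print(name, scan_batch(sample))
```

Both traits also occur in legitimate scripts (the trick list above includes a `timeout.exe` call), so a hit is a hunting lead and not a verdict.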
Swift quoted this source code via [Wayback/Archive] Google Lens OCR:
[Wayback/Archive] Batch file from https://twitter.com/SwiftOnSecurity/status/1644002540810280964 (hope there are no typos)
–jeroen
```bat
:: WMI repair has not yet been attempted, starting attempt.
:: Creating tag to prevent reoccurrence.
:: Logging event.
:: Stopping Windows Update.
"C:\Windows\system32\net.exe" stop wuauserv
rd "C:\Windows\SoftwareDistribution" /S /Q
:: Enabling cloud repair by temporarily overriding update settings.
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing" /v RepairContentServerSource /t REG_DWORD /d 2 /f
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Update" /v DoNotConnectToWindowsUpdateInternetLocations /t REG_DWORD /d 0 /f
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Update\AU" /v AllowMUUpdateService /t REG_DWORD /d 1 /f
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Update\AU" /v IncludeRecommendedUpdates /t REG_DWORD /d 1 /f
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Update\AU" /v UseWUServer /t REG_DWORD /d 0 /f
:: Starting Windows Update service again.
"C:\Windows\system32\net.exe" start wuauserv
:: Before proceeding, attempt to repair component store.
"C:\Windows\system32\DISM.exe" /Online /Cleanup-Image /RestoreHealth
:: Before proceeding, attempt to repair system files.
start "" /wait /b "C:\Windows\system32\sfc.exe" /scannow
:: Repair supporting DLLS http://www.slyar.com/blog/solve-bitlokcer-invalid-namespace-error.html
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\scecli.dll"
"C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\userenv.dll"
:: Stop WMI service.
"C:\Windows\system32\net.exe" stop winmgmt /y
"C:\Windows\system32\taskkill.exe" /im "wmiprvse.exe" /f
:: Register all WBEM DLLs.
for /f %%s in ('dir /b C:\Windows\system32\wbem\*.dll') do (
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\wbem\%%s"
)
for /f %%s in ('dir /b C:\Windows\sysWOW64\wbem\*.dll') do (
    "C:\Windows\sysWOW64\regsvr32.exe" /s "C:\Windows\sysWOW64\wbem\%%s"
)
:: Restore WMI service.
"C:\Windows\system32\sc.exe" config winmgmt start= Auto
"C:\Windows\system32\net.exe" start winmgmt
:: Resync performance counters.
"C:\Windows\System32\wbem\winmgmt.exe" /resyncperf
:: Register WMI EXES.
:: Attribution - ConfigMgrClientHealth.ps1.
for %%i IN (unsecapp.exe, wmiadap.exe, wmiapsrv.exe, wmiprvse.exe, scrcons.exe) do (
    if exist "C:\Windows\system32\wbem\%%i" (
        "C:\Windows\system32\wbem\%%i" /RegServer
    )
    if exist "C:\Windows\sysWOW64\wbem\%%i" (
        "C:\Windows\sysWOW64\wbem\%%i" /RegServer
    )
)
:: Registering MOFs
for /f %%s in ('dir /b C:\Windows\system32\wbem\*.mof C:\Windows\system32\wbem\*.mfl') DO mofcomp "C:\Windows\system32\wbem\%%s"
```





