[文本处理] [已解决]如何用批处理对文本砍头去尾保留有用信息？

batpro

在1.txt中

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
\360tray
\360safe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 
\StormCodec_Helper
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler 
HKEY_CURRENT_USER\Control Panel\Desktop 
复制代码

如何用bat砍头去尾，保留有用信息，生成2.txt：

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
\360tray
\360safe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 
\StormCodec_Helper
复制代码

说明：去除下行无键值的[key_行]
保留其他部分

CrLf

看了楼主在卡饭的帖子，很为楼主的执着和分享精神感动，可是想帮忙却不知从何帮起，主要是搞不清楚几个问题：

1、楼主说的规则是“去除下行无键值的[key_行]”，但是所举的例子并没有很明显的迎合这条规则之处
2、第一部分的第1行为什么在第二部分中被挪到第7行？感觉根本没有规律啊
3、\360safe 这个键值为何在第二部分里出现了两次呢？
复制代码

不管是否符合楼主题意，这里先提供一个砍头去尾的常用办法：

@echo off
(for /f "skip=1 delims=" %%a in (1.txt) do (
   if defined str echo;!str:~1!
   endlocal
   set "str=#%%a"
   setlocal enabledelayedexpansion
))>2.txt
复制代码

如果楼主觉得用颜色、字体来发帖更利于表达，那请在3楼发一贴不用code的，虽然这有违版规，但是对于开发实用批处理项目的爱好者，本人绝对支持，如因此被扣分，算我头上。
仅此一次，下不为例哦

ArdentMan

@Echo Off&SetLocal EnableDelyaedExpansion
(For /F %%I IN ('Type 1.txt^&Echo End') Do (
  Set "Str=%%I"
  If "!Var:~,1!" EQU "\" (
    Echo !Var!
    ) Else (
    If "!Str:~,1!" EQU "\" Echo !Var!
  )
  Set "Var=%%I"
))>2.txt
Start 2.txt
复制代码

CrLf

3# ArdentMan


这种非常特殊的情况下，可以用 %%~pa 来代替 !Str:~,1!，以简化代码、提高效率

batpro

2# zm900612


这点抱歉，一直在看帖子没留言自己发重复了

batpro

我正在写SrengLOG智能分析助手一键查杀版，但查杀时要对注册表项进行处理生成完整的注册表键值
所以对于任何一个中毒的Windows操作系统扫描出来的日志如附件一：SRengLOG.LOG

运行

@echo off&setlocal enabledelayedexpansion
set n2===================================
for /f "tokens=1 delims=:" %%a in ('findstr /b /n "注册表" SREngLOG.log') do set/a n1=%%a-1
>a.txt (for /f "tokens=*" %%a in ('more +!n1! SREngLOG.log') do if not %%a==!n2! (echo.%%a) else (goto v))
:v
cd.>注册表.txt
cd.>注册表黑名单.txt
setlocal enabledelayedexpansion
for /f "tokens=*" %%i in (a.txt) do (
set var=%%i
set "var=!var:注册表=%正常!" 
set "var=!var:(Infected)=%正常!" 
set "var=!var:(Verified)=%正常!"
set "var=!var:<run><>=%正常!"
set "var=!var:<WebCheck><>=%正常!"
set "var=!var:<load><>=%正常!"
set "var=!var:<N>=%正常!" 
set "var=!var:biroas.dll=C:\WINDOWS\system32\biroas.dll!"
set "var=!var:<Userinit>=%正常!"
set "var=!var:<AppInit_DLLs><>=%正常!"
set "var=!var:<>=%!"
set "var=!var:<AsusServiceProvider>=%正常!" 
set "var=!var:<; "D:\softwares\杀毒软件\Macfee\Common Framework\UdaterUI.exe" /StartedFromRunKey>=%正常!" 
set "var=!var:[File is missing]=%   [注册表残留项]!"
set "var=!var:<KernelFaultCheck>=%正常!"
set "var=!var:<Microsoft Windows>=%正常!"
set "var=!var:<NetMeeting 3.01>=%正常!"
set "var=!var:<Microsoft Windows Media Player>=%正常!"
set "var=!var:AdobeUpdateManager.exe=%正常!"
set "var=!var:Gemini\H3C\gmMgr_h3c.exe=%正常!"
set "var=!var:<Microsoft Windows Media Player 11>=%正常!"
set "var=!var:<msnmsgr><"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background>=%正常!"
set "var=!var:<Microsoft Windows Mail 7>=%正常!"
set "var=!var:system32\PSDrvCheck.exe=%正常!" 
set "var=!var:<WrtMon.exe>=%正常!"
set "var=!var:CCBComponents\DMWZ\CCBCertificate.exe=%正常!" 
set "var=!var:system32\shmgrate.exe =%正常!"
set "var=!var:system32\themeui.dll=%正常!"
set "var=!var:<; "C:\Program Files\Common Files\Adobe\ESD\AdobeDownloadManager.exe" restart=1>=%正常!"
set "var=!var:<SunJavaUpdateSched><C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe>=%正常!"
set "var=!var:<nwiz><nwiz.exe /installquiet /keeploaded /nodetect>=%正常!"   
set "var=!var:<nwiz><nwiz.exe /install>=%正常!"
set "var=!var:\WPS Office Personal\downloads\wpsupdate.vbs=%正常!"
set "var=!var:<nwiz><; nwiz.exe /install>=%正常!" 
set "var=!var:<SCRNSAVE.EXE><C:\WINDOWS\LITTLE~1.SCR>=%正常!"   
set "var=!var:<WinlogonNotify: Antiwpa><antiwpa.dll>=%正常!" 
set "var=!var:<bgswitch><; C:\WINDOWS\system32\bgswitch.exe>=%正常!" 
set "var=!var:<PHIME2002A>=%正常!"
set "var=!var:<BC_MGR><"C:\Program Files\交通银行\bcmgr.exe" -r>=%正常!" 
set "var=!var:<IMJPMIG8.1>=%正常!"
set "var=!var:<\\192.168.0.252\run$\jws.exe>=正常!"
set "var=!var:Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe=%正常!" 
set "var=!var:ThinkPad\ConnectUtilities\=%正常!"
set "var=!var:<PHIME2002ASync>=%正常!"  
set "var=!var:<BigDogPath>=%正常!" 
set "var=!var:<iPhone PC Suite>=%正常!"
set "var=!var:<WebThunder>=%正常!"
set "var=!var:Outlook=%正常!"
set "var=!var:ACNotify.dll=%正常!"
set "var=!var:bin\WinGUI.exe=%正常!"
set "var=!var:<; C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe>=%正常!"  
set "var=!var:ssMgr_ccb=%正常!"
set "var=!var:<Vopclient>=%正常!"
set "var=!var:菜单\程序\启动=%正常!"
set "var=!var:\ATI Technologies\=%正常!"
set "var=!var:\ASUS\ASUS Live Update\ALU.exe=%正常!"
set "var=!var:\kloehk.dll>=%正常!" 
set "var=!var:<PSDrvCheck>=%正常!"
set "var=!var:<VMware hqtray>=%正常!"
set "var=!var:<; C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER>=%正常!"
set "var=!var:PCHealth=%正常!"
set "var=!var:<EPSON Stylus Photo 1390 Series>=%正常!"
set "var=!var:<renzheng><C:\renzheng\webaClient.exe>=%正常!" 
set "var=!var:<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup>=%正常!" 
set "var=!var:<NvMediaCenter><RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit>=%正常!" 
set "var=!var:<WinlogonNotify: tpfnf2><notifyf2.dll>=%正常!"
set "var=!var:<WinlogonNotify: igfxcui><igfxdev.dll>=%正常!"
set "var=!var:<WinlogonNotify: tphotkey><tphklock.dll>=%正常!"
set "var=!var:<switch><c:\windows\system32\壁纸自动换.exe>=%正常!" 
set "var=!var:<switch><c:\windows\system32\bgswitch.exe>=%正常!" 
set "var=!var:<KernelFaultCheck><%systemroot%\system32\dumprep 0 -k>=%正常!" 
set "var=!var:<AppInit_DLLs><APIHookDll.dll>=%正常!"
set "var=!var:<domino><C:\WINDOWS\domino.exe>=%正常!" 
set "var=!var:<VMSnap1><C:\WINDOWS\VMSnap1.exe>=%正常!" 
set "var=!var:<HTpatch><C:\WINDOWS\htpatch.exe>=%正常!"            
set "var=!var:<WinlogonNotify: DfLogon><LogonDll.dll>=%正常!"
set "var=!var:system32/themeui.dll=%正常!"
set "var=!var:<EQSysSecure>=%正常!"
set "var=!var:<WinlogonNotify: WgaLogon>=%正常!"
set "var=!var:<Resume copy><; copyfstq.exe /startup>=%正常!" 
set "var=!var:<Windows Messenger 4.7><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser>=%正常!" 
set "var=!var:{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}=%正常!"
set "var=!var:{60B49E34-C7CC-11D0-8953-00A0C90347FF}=%正常!"
set "var=!var:{60B49E34-C7CC-11D0-8953-00A0C90347FF}=%正常!"
set "var=!var:{26923b43-4d38-484f-9b9e-de460746276c}=%正常!"
set "var=!var:{881dd1c5-3dcf-431b-b061-f3f88e8be88a}=%正常!"
set "var=!var:{2C7339CF-2B09-4501-B3F3-F3508C9228ED}=%正常!"
set "var=!var:{44BBA840-CC51-11CF-AAFA-00AA00B6015C}=%正常!"
set "var=!var:{44BBA842-CC51-11CF-AAFA-00AA00B6015B}=%正常!"
set "var=!var:{5945c046-1e7d-11d1-bc44-00c04fd912be}=%正常!"
set "var=!var:{6BF52A52-394A-11d3-B153-00C04F79FAA6}=%正常!"
set "var=!var:{7790769C-0471-11d2-AF11-00C04FA35D02}=%正常!"
set "var=!var:{22d6f312-b0f6-11d0-94ab-0080c74c7e95}=%正常!"
set "var=!var:{89820200-ECBD-11cf-8B85-00AA005B4340}=%正常!"
set "var=!var:{89820200-ECBD-11cf-8B85-00AA005B4383}=%正常!"
set "var=!var:{89B4C1CD-B018-4511-B0A1-5476DBF70820}=%正常!"
set "var=!var:Winlogon\Notify\crypt32chain=正常!"
set "var=!var:Winlogon\Notify\cryptnet=正常!"
set "var=!var:Winlogon\Notify\cscdll=正常!"
set "var=!var:Winlogon\Notify\dimsntfy=正常!"
set "var=!var:Winlogon\Notify\igfxcui=正常!"
set "var=!var:Winlogon\Notify\ScCertProp=正常!"
set "var=!var:Winlogon\Notify\Schedule=正常!"
set "var=!var:Winlogon\Notify\sclgntfy=正常!"
set "var=!var:Winlogon\Notify\SensLogn=正常!"
set "var=!var:Winlogon\Notify\termsrv=正常!"
set "var=!var:Winlogon\Notify\wlballoon=正常!"
set "var=!var:\Image File Execution Options\=正常!"
set "var=!var:\Windows NT\CurrentVersion\Windows=正常!"
set "var=!var:\Windows NT\CurrentVersion\Winlogon=正常!"
set "var=!var:Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks=正常!"
set "var=!var:ShellServiceObjectDelayLoad=正常!"
set "var=!var:[Microsoft Corporation]=正常!"
set "var=!var:CurrentVersion\Explorer\SharedTaskSchedule=正常!"
set "var=!var:HKEY_CURRENT_USER\Control Panel=正常!"
set "var=!var:<WangWang>=正常!"
set "var=!var:[VMware, Inc.]=正常!"
set "var=!var:{=正常!"
set "var=!var:IFEO=正常!"
set "var=!var:注册表残留项=%!" 
set "var=!var:[]=%!"
set "var=!var:<=%\!"
echo !var! >>注册表.txt
) 
@findstr /v "正常" 注册表.txt >>注册表黑名单.txt
cd.>1.txt
for /f "tokens=1,2 delims=>" %%i in (注册表黑名单.txt) do echo %%i >>1.txt
del /q a.txt
del /q 注册表.txt
复制代码

会生成 不含有“{”的木马注册表键值
==========================================================
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<Explorer><C:\WINDOWS\system32\drivers\TXP1atform.exe>   
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<updater><C:\WINDOWS\system32\updater.exe>     []
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
[HKEY_CURRENT_USER\Control Panel\Desktop]                           
<SCRNSAVE.EXE><C:\WINDOWS\system32\透明七~1.SCR>  [Microsoft Corporation] （这是正常的，可以添加白名单排除）
=====================================================================




现在需要对他进行处理

生成一个完整的注册表键比如：
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\updater


这是要得到的结果

由于我想不通怎么才能得到，所有问了两天都没提出个好问题来

batpro

如果一定要说特征的话就是要求在要处理的文本中
HKEY_~~~任意注册表路径~~~~+~~~~~任意键值~~~~~

jsbba

郁闷啊 ，看不懂 ，好气人

CrLf

先来一个比较不通用的，借用 3 楼框架：

@Echo Off&SetLocal EnableDelayedExpansion
set hh=^


For /F "skip=1 delims=" %%I IN (1.txt) Do (
  If "%%~pI" neq "\" (
    set str=!hh!%%I
  ) else (
    set var=!var!!str!!hh!%%I
    set str=
  )
)
for /f "delims=" %%a in ("!var!") do echo %%a
pause
复制代码

CrLf

这个是通用性强的：

@Echo Off
(For /F "skip=1 delims=" %%I IN (1.txt) Do (
  for /f "tokens=1* delims=;" %%a in ("!var!;!str!") do (
    endlocal
    set var=%%a
    set str=%%b
  )
  set var=%%I
  setlocal enabledelayedexpansion
  If "%%~pI" neq "\" (
    set str=!var!
  ) else (
    if defined str echo !str!
    set str=
    echo !var!
  )
))>2.txt
pause
复制代码

batpro

谢谢大家的辛苦


我继续测试，过几天在换个思路问一问

terse

以我的判断 这样处理不知可行不

@Echo Off&SetLocal EnableDelayedExpansion
For /F "tokens=*" %%i IN (1.txt) Do (
    set "str=%%i"
    if "!str:~,1!" equ "\" (
       if defined var (echo !var!&set var=&echo %%i) ELSE echo %%i
    ) else set var=%%i
)
pause
复制代码

batpro

12# terse

高手，
经过少量日志分析，此代码貌似可以实现这个功能
谢谢，以后还望多学习学习