As the title says really, I'm getting loads of grief at work with AVs killing off scripts as soon as the USB is shoved in (techs forget to turn it off temporarily).

So is there a way to compile it to .exe without using Autoit to compile?

The reason for this is I hope using a different way will stop or reduce the detections.

PS I've already had dozens of tries with AV manufacturers, but they seem to operate on "AutoIt is bad", so they don't care.

I don't want to stop using AutoIt, just make the exe differently.


Bear in mind I'm looking at this at a simple level: a small program that I can compile with, if possible.

Admittedly it may not be that simple.



Just to re-iterate the point Jos is making, you don't need to re-distribute the whole AutoIt package e.g. includes, help file, examples etc... just AutoIt3.exe OR AutoIt3_x64.exe. The a3x compiled script is passed as a commandline argument to the executable.

Posted (edited)

Ok, so I'm clear about this:

I compile every problem script in the pack I use as .a3x

then paste AutoIt3.exe into the main folder and call the script like this

AutoIt3.exe /AutoIt3ExecuteScript mymainscript.a3x - (Copied from another answer by Jos) and that will open the script I want.

Won't the AutoIt3.exe get stamped by the AV as well?

Would it be as easy to add that to a cmd file and start it that way?

2nd question

In my GUI, where I have things like this

ShellExecute(@ScriptDir & "\Toolz\backup_transfer\backup_transfer.exe")

I change all the links to

ShellExecute(@ScriptDir & "\Toolz\backup_transfer\backup_transfer.a3x")

and they will still work because I started the main script with the main AutoIt3.exe?


Edited by Chimaera
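
From the defender's side, the launch pattern discussed in the posts above (AutoIt3.exe or AutoIt3_x64.exe handed an .a3x, optionally with /AutoIt3ExecuteScript) shows up in process-creation logs. The following is an added example, not part of any post in the thread; the event field names, the E:\ drive letter, launcher.exe and the tag names are constructed for illustration.

```python
import ntpath
import re

# Interpreter file names as given in the thread.
INTERPRETERS = {"autoit3.exe", "autoit3_x64.exe"}
# An argument ending in .a3x, quoted (may contain spaces) or bare.
A3X_ARG = re.compile(r'(?:"([^"]+\.a3x)"|(\S+\.a3x))(?=\s|$)', re.IGNORECASE)
# The switch quoted in the thread, matched as a whole argument.
SWITCH = re.compile(r'(?<!\S)/AutoIt3ExecuteScript(?=\s|$)', re.IGNORECASE)

def classify(event):
    """Return (tag, script) for a process-creation event, or None."""
    image = ntpath.basename(event["image"]).lower()
    cmd = event["command_line"]
    m = A3X_ARG.search(cmd)
    script = (m.group(1) or m.group(2)) if m else None
    if script is None and not SWITCH.search(cmd):
        return None
    # The image name only labels the hit: matching is done on the
    # command line, so a renamed interpreter is still reported.
    tag = "autoit-interpreter" if image in INTERPRETERS else "a3x-under-other-image"
    return (tag, script)

def scan(events):
    """Return (event index, tag, script) for every event that matches."""
    hits = []
    for i, ev in enumerate(events):
        result = classify(ev)
        if result:
            hits.append((i, *result))
    return hits

# Constructed sample events (hypothetical field names, E:\ as the USB drive).
SAMPLE_EVENTS = [
    {"image": r"E:\AutoIt3.exe",
     "command_line": r"AutoIt3.exe /AutoIt3ExecuteScript mymainscript.a3x"},
    {"image": r"E:\AutoIt3_x64.exe",
     "command_line": r'"E:\AutoIt3_x64.exe" "E:\Toolz\backup_transfer\backup_transfer.a3x"'},
    {"image": r"E:\launcher.exe",
     "command_line": r"launcher.exe /AutoIt3ExecuteScript mymainscript.a3x"},
    {"image": r"C:\Windows\notepad.exe",
     "command_line": r"notepad.exe C:\notes\a3x-howto.txt"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```
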
Posted (edited)

Compile the au3 file to file.a3x and add file.a3x to AutoItStub.exe* RCDATA/SCRIPT with Reshack.exe
*AutoItStub.exe is an AutoIt compiled EXE; use Reshack.exe to delete resource RCDATA/SCRIPT

Edited by Trong


Posted (edited)

I use RESHack to delete all the AutoIt related stuff from my compiled programs. It reduces AV detections from ~5/42 to ~1/42 and sometimes 0/42. I have had to do this a lot lately while messing around with IRC functions creation since IRC + AutoIt had been used for malicious purposes in the past.

Edited by rcmaehl

Posted (edited)

Can you post a small compiled program with all the 'AutoIt related stuff' deleted? I'm interested in what you elected to remove.

Edited by boththose

Posted (edited)

Can you post a small compiled program with all the 'AutoIt related stuff' deleted? I'm interested in what you elected to remove.

Not on a Windows computer ATM. Mainly, any debug strings, additional icons other than the application icon I use, and the default tray menu to pause the script. Will post an example in around an hour and a half.

Items below in BOLD are things I've only done once or twice and haven't thoroughly tested.


  • In "Icon" delete 1, 2, 3, and anything else that doesn't match your app icon
  • If "Menu" only has 166 delete "Menu" entirely, else just remove 166
  • Delete "String Table"
  • In "Icon Group" delete 162, 164, and 169
  • In "Version Info" learn the additional fields and add them in yourself
  • OPTIONALLY, Change 'BLOCK "080904B0"' to 'BLOCK "040904B0"' and 'VALUE "Translation", 0x0809 0x04B0' to 'VALUE "Translation", 0x0409 0x04B0' in "Version Info" then Delete 2057 to change your language from English UK to English US
  • OPTIONALLY, Change the language of all other Resources in your file to "English_US" or 1033
  • OPTIONALLY, In "Manifest", change which versions of Windows your program says it's supported on by adding/removing supportedOS IDs
Edited by rcmaehl
SupportedOS IDs

Posted (edited)

I have had to do this a lot lately while messing around with IRC functions creation since IRC + AutoIt had been used for malicious purposes in the past

I have a similar problem, as all my stuff deals with areas the AVs protect (services, registry, special Windows folders etc.), and that's why I always have this problem because of the work I do.

Edited by Chimaera
Posted (edited)

Ok, I've managed to sort this now and this is how I did it.

I created a small AutoIt script like this

#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****

and compiled the file, then

downloaded Resource Hacker http://www.angusj.com/resourcehacker/ (I grabbed the portable edition),

put the stub into the Resource Hacker folder and opened Resource Hacker.


Then I opened the stub and double clicked the RCData section, then selected SCRIPT:0

Once it's highlighted, right click and choose Replace Resource


Then select your previously prepared .a3x which you made from the script you want to add


Then click Replace

Then just save the exe and rename to what the file would have normally been called.

And so far I have not had a single detection :)


This may not be for everyone, but if you are plagued with AV problems like I am, mainly because I work with customer machines all day, this may help.

Many thanks to Trong for pointing me in the right direction

Edited by Chimaera
Posted (edited)

No idea, I've just followed the suggestions. I don't understand why the AVs kick off normally, yet if I replace like above the AV doesn't even stir when you add the pendrive or run the file?

Normally the second the USB drive is inserted it starts, and if I run one file that starts a sequence of others it's forever jumping in and trying to stop it as the files that trigger it start.

I have noticed over periods of AutoIt updates it does differ as to which AV is more aggressive to the exes, but I don't know what the AV looks at, which may change as AutoIt is made.

With this method I've not seen a single AV event yet... it may happen, time will tell.

Edited by Chimaera

This is great.  I keep on running into similar dead processes and deleted EXEs.  Will try this.  Thanks for sharing


Why is the snake in the sky?


Interesting... and you've had no problems? Secondly, do you think that compiling a script with Reshack something similar to ResHack since its license prohibits unapproved distribution, and then switching out the script file in resources during/before run (FILES WITHIN FILES, how deep does this rabbit hole go!?) could be used to make de-compiling harder? Finally, included updated what I do in my old post.

