Mar 28 2005, 09:46 AM, Post #1
Adv. Member, Group: Malware Experts, Posts: 112, Joined: 13-November 04, From: the Netherlands, Member No.: 11524
For your information and enjoyment, here's a list of autostart locations I've been collecting. Any of these startup locations can and will of course be used by both legitimate applications and by malware such as trojans, viruses, worms, spyware.
1. Autostart folder In Windows 95, 98, Millennium C:\windows\start menu\programs\startup and the "Global" Startup folder: C:\Windows\All Users\Start Menu\Programs\StartUp In Win XP and 2000: C:\Documents and Settings\"User Name"\Start Menu\Programs\Startup C:\Documents and Settings\All Users\Start Menu\Programs\Startup In Windows Vista: C:\Users\"User Name"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. This Autostart Directory is saved in : [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders] Startup="C:\windows\start menu\programs\startup" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders] Startup="C:\windows\start menu\programs\startup" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders] "Common Startup"="C:\windows\start menu\programs\startup" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders] "Common Startup"="C:\windows\start menu\programs\startup" By setting it to anything other than C:\windows\start menu\programs\startup will lead to execution of ALL and EVERY executable inside set directory. Examples of malware using this and related techniques: http://sophos.com/virusinfo/analyses/trojwock32a.html http://www.sophos.com/virusinfo/analyses/trojoptix03c.html http://www.sophos.com/virusinfo/analyses/trojspywadc.html 2. Win.ini In Win 9x [windows] load=file.exe run=file.exe In Windows NT/2000/XP/Vista: [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] "run"="" "load"="" Programs Automatically Start When User Logs on to Windows]Programs Automatically Start When User Logs on to Windows[/URL] If, In NT based systems, Windows finds sections in .ini files which are not present in the registry, those sections will automatically be registered. 
Examples: http://www.trendmicro.com/vinfo/virusencyc...WORM_LOVGATE.AB http://securityresponse.symantec.com/avcen...a/vbs.grez.html http://www3.ca.com/securityadvisor/virusin...s.aspx?id=36374 3a. System.ini (Windows 95/98/Millennium) [boot] Shell=Explorer.exe file.exe 3b. Winlogon\\Shell (Windows XP/NT/2000) During system startup, Windows XP, NT and Windows 2000 consult the "Shell" registry value at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to determine the name of the executable that should be loaded as the Shell. By default, this value specifies Explorer.exe. This can also be specified on a per-user-profile basis (i.e., the corresponding registry key/value under HKEY_CURRENT_USER). Examples of malware using this startup method: http://www.symantec.com/business/security_...-99&tabid=2 http://www.symantec.com/business/security_...-99&tabid=2 In the following keys as well, a "Shell" string value can be used to specify an alternate user interface for Windows 2000 and XP: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system Additionally, Explorer.exe is searched by the system at boot, starting from the root C:\ and finishing at C:\windows\explorer.exe If malware is named "explorer.exe" and is placed in the root of the drive, the file will be launched without the necessity of modifying any boot files, and it can then launch the real explorer.exe without any notice from the user. 4. c:\windows\winstart.bat (Windows 95, 98) Behaves like a normal BAT file. Used for copying or deleting specific files. Autostarts every time. Occasionally used by malware as well: http://securityresponse.symantec.com/avcen...door.optix.html http://vil.nai.com/vil/content/v_99196.htm http://www.sophos.com/security/analyses/trojnettroja.html 5a. 
Registry Run/RunOnce/RunServices keys [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] (Win 95/98/ME only) "Whatever"="c:\runfolder\program.exe" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] (Win 95/98/ME only) "Whatever"="c:\runfolder\program.exe" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Whatever"="c:\runfolder\program.exe" [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] "Whatever"="c:\runfolder\program.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Whatever"="c:\runfolder\program.exe" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] "Whatever"="c:\runfolder\program.exe" INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup (Q179365) Definition of the RunOnce Keys in the Registry (Q137367) A Definition of the Run Keys in the Windows XP Registry 5b. RunOnceEx Key (all operating systems) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx Description of the RunOnceEx Registry Key Syntax for the RunOnceEx Registry Key 5c. Terminal Server Autoruns (Windows NT/2000/XP/Vista) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run Already observed to be used by malware, see here 6a. 
wininit.ini (Win 9x) Often Used by Setup-Programs; when the file exists it is run ONCE and then is deleted by windows. Example content of wininit.ini : [Rename] NUL=c:\windows\picture.exe This example sends c:\windows\picture.exe to NUL, which means that it is being deleted. This requires no interactivity with the user and runs totally stealth. More info on Wininit.ini: HOWTO: Move Files That Are Currently in Use Examples of malware using Wininit.ini: http://www.symantec.com/avcenter/venc/data...en.12288.a.html http://hq.mcafeeasap.com/dispVirus.asp?virus_k=99619 http://securityresponse.symantec.com/avcen...etlip.worm.html 6b. PendingFileRenameOperations (Windows NT/2000/XP) Windows XP/NT does not use Wininit.ini. Instead it uses a "PendingFileRenameOperations" REG_MULTI_SZ value in the following Registry Key. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager "PendingFileRenameOperations" More info on the PFRO reg value: How to replace in-use files at Windows restart Examples of malware making use of PendingFileRenameOperations: http://securityresponse1.symantec.com/sarc...jan.alemod.html http://securityresponse.symantec.com/avcen...goner.a@mm.html http://www.symantec.com/security_response/...-99&tabid=2 Another Possible Multi-String Value here to look at (thank you, Mosaic1) is: ExcludeFromKnownDlls The reason is this: the KnownDlls key lists dlls which can only be run from the System Folder. If the same file is located in a program's folder it will not be run. The version in System32 will be run instead. Here 's the MS article: INFO: Windows Uses KnownDLLs Registry Entry to Find DLLs 7. Autoexec.bat (Win 95, 98) Stands for automatically executed batch file, the file that DOS automatically executes when a computer boots up. Note that Windows Millennium ignores AutoExec.bat other than to lift Set, Path and Prompt statements from it and integrate these into the registry 8. 
Registry Shell Spawning [HKEY_CLASSES_ROOT\exefile\shell\open\command] [HKEY_CLASSES_ROOT\comfile\shell\open\command] [HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command [HKEY_CLASSES_ROOT\batfile\shell\open\command] [HKEY_CLASSES_ROOT\htafile\shell\open\command] [HKEY_CLASSES_ROOT\http\shell\open\command [HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command] [HKEY_CLASSES_ROOT\htmlfile\shell\print\command] [HKEY_CLASSES_ROOT\inffile\shell\install\command] [HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command [HKEY_CLASSES_ROOT\piffile\shell\open\command] [HKEY_CLASSES_ROOT\regfile\shell\open\command] [HKEY_CLASSES_ROOT\regfile\shell\merge\command] [HKEY_CLASSES_ROOT\vbsfile\shell\open\command] [HKEY_CLASSES_ROOT\vbefile\shell\open\command] [HKEY_CLASSES_ROOT\jsfile\shell\open\command] [HKEY_CLASSES_ROOT\jsefile\shell\open\command] [HKEY_CLASSES_ROOT\wshfile\shell\open\command] [HKEY_CLASSES_ROOT\wsffile\shell\open\command] [HKEY_CLASSES_ROOT\scrfile\shell\open\command] [HKEY_CLASSES_ROOT\scrfile\shell\config\command] [HKEY_CLASSES_ROOT\txtfile\shell\open\command] ... and so on The default value data for such a key should be "%1" %*; if this is changed to server.exe "%1 %*", the server.exe is executed EVERY TIME an exe/pif/com/bat/hta/txt is executed. 
This startup method is used by a large number of worms and trojans: http://www.symantec.com/business/security_...-99&tabid=2 Just a few examples of other subkeys the default value data of which have been seen to be exploited: HKEY_CLASSES_ROOT\Unknown\shell\openas\command HKEY_CLASSES_ROOT\Directory\Shell\"KeyName"\Command HKEY_CLASSES_ROOT\Folder\shell\open\command HKEY_CLASSES_ROOT\Folder\shell\explore\command HKEY_CLASSES_ROOT\Drive\shell\find\command HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command Some reading: http://www.sarc.com/avcenter/venc/data/w32.autex.c.html http://www.trendmicro.com/vinfo/virusencyc...R.A&VSect=T http://www.avira.com/en/threats/section/fu...lmir.51944.html ... and the default value data of the "Command" string value in: HKEY_CLASSES_ROOT\.lnk\ShellNew HKEY_CLASSES_ROOT\.bfc\ShellNew See here Also, in NT based systems the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts key can be used to associate a given file extension with another application. For example, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt Click on .txt and in the right pane there will be a String Value named "Application". Modify its value to the name of the executable you want to use. No path. Just Notepad.exe or EditPad.exe or Wordpad.exe etc. If there is not a String Value named Application, create it. Now doubleclick a txtfile, and it will be opened by the designated application. Likewise, malware could hack any subkey here in order to get itself to start when a file of that type is launched. Some useful reading: Mastering File Types in Windows XP An example of malware using this technique: url=http://www.avira.com/en/threats/section/fulldetails/id_vir/2256/tr_killfiles.ja.html 9. 
Icq Inet [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test] "Path"="test.exe" "Startup"="c:\\test" "Parameters"="" "Enable"="Yes" [HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\ When ICQNET detects an Internet Connection ALL applications in this reg key are executed. Examples of malware using this startup method: http://www.viruslist.com/en/viruses/encycl...a?virusid=34239 http://www.sophos.com/virusinfo/analyses/w32ronoperg.html 10. Dosstart.bat (Win 95, 98 ) This is a regular text format batch file. It contains instructions identical to those contained in autoexec.bat but there is one important difference: when it is executed. While autoexec.bat executes immediately upon boot-up, dosstart.bat executes only when you are running Windows 95/98 and select the "restart in MSDOS mode" option from the shutdown menu. At that point Windows exits with instructions to reboot DOS but not the Windows interface, and DOS executes the dosstart.bat file which typically loads a mouse driver, CD ROM driver, and possibly a couple of others. 11. Active Setup\Installed Components HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName StubPath=C:\PathToFile\Filename.exe HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\KeyName StubPath=C:\PathToFile\Filename.exe This starts filename.exe BEFORE the shell and any other Program normally started over the Run Keys. Each time a NEW user logs in, the HKLM\Software\Microsoft\Active Setup\Installed Components\{GUID} will be compared with the same CurrentUser Entry and the command defined in the StubPath (can be anything) will be executed Examples of malware using this technique: http://www.symantec.com/security_response/...-99&tabid=2 http://www.symantec.com/security_response/...-99&tabid=2 http://www.sophos.com/security/analyses/trojnopridea.html 12. 
UserInit reg value (NT/2000/XP) [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit"="C:\WINDOWS\system32\userinit.exe, Executed when a user logs in. A path to a program can be added after the comma. Examples of malware using this technique: http://www.symantec.com/business/security_...-99&tabid=2 http://www.symantec.com/business/security_...-99&tabid=2 http://www.symantec.com/business/security_...-99&tabid=2 http://www.symantec.com/business/security_...-99&tabid=2 13. AppInit_DLLs Reg Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" The DLLs specified in this value are loaded into the process memory of processes that run after the Registry change has been made. Info: Working with the AppInit_DLLs Registry Value Examples of malware using this technique: http://www.symantec.com/avcenter/venc/data...oor.ginwui.html http://vil.mcafee.com/dispVirus.asp?virus_k=99238 http://www.symantec.com/avcenter/venc/data...an.riler.e.html 14. RunOnce\Setup reg keys Normally used only by Setup. A progress dialog box is displayed as the keys are run one at a time HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup String Value > some program or file HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup String Value > some program or file 15. ShellServiceObjectDelayLoad (all operating systems) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Executed by Explorer.exe as soon as it has loaded The layout of the values in that key is somewhat like the one in the Run key, only it points to the InProcServer for the CLSID instead of pointing to a file. 
Examples of malware using this startup method: http://www.symantec.com/security_response/...-99&tabid=2 http://www.symantec.com/security_response/...-99&tabid=2 http://www.symantec.com/security_response/...-99&tabid=2 16. Task Scheduler startup Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed. A .job file describing this task is placed in the %WinDir%\Tasks folder ( Vista: %WINDIR%\System32\Tasks\ ): Example of malware using this technique: http://securityresponse.symantec.com/avcen....cone.d@mm.html 17. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (Windows 98/ME/NT/XP) Dlls referenced in this registry key are loaded at boot. For examples of malware using this autostart method, see here: http://www.symantec.com/security_response/...-121319-3804-99 http://www.symantec.com/security_response/...-99&tabid=2 http://www.sophos.com/security/analyses/trojhasuma.html 18. Policies Run keys (Win ME/NT/2000/XP/Vista) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run String Value > some program or file Examples of malware using this Startup method: http://www.ca.com/us/securityadvisor/virus...s.aspx?id=72384 http://www.trendmicro.com/vinfo/virusencyc...SE&VSect=Sn http://www.sophos.com/virusinfo/analyses/trojproratd.html http://www3.ca.com/securityadvisor/virusin...s.aspx?id=39429 19. 
HKEY_CLASSES_ROOT\PROTOCOLS\Filter Not so much an autostart method, as a location where some foistware register a permanent filter in order to implement a hijack: http://securityresponse.symantec.com/avcen...jan.popdis.html http://uk.trendmicro-europe.com/consumer/s...ROJ_STARTPGE.AF Here's the Microsoft technical article on Pluggable MIME Filters 20. Virtual Device Driver files (VXDs) in Win 9x systems Loaded from System.ini ( [386enh] section) And from the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\VxD More info on VXDs here: The Windows 98 Startup Process Examples of malware using this technique: http://securityresponse.symantec.com/avcen...d.trojan.c.html http://www.viruslibrary.com/virusinfo/Win95.MrKlunky.htm http://hq.mcafeeasap.com/dispVirus.asp?virus_k=100242 21. Services in NT based systems (Including Windows XP and Vista) ( Start > Run > Services.msc) In the Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services Many worms and trojans use this startup method as well: http://www.symantec.com/enterprise/securit...-121314-2529-99 http://www.symantec.com/security_response/...-99&tabid=2 http://www.symantec.com/enterprise/securit...-99&tabid=2 Likewise, malware can compromise an existing service by modifying it's ServiceDLL string value, so that the baddie is executed instead of thew legitimate file once the service is started, as shown here Related: In Win NT/2000/XP one can use the NT resource kit utility called AUTOEXNT (autoexec for NT) The AutoExNT Service allows you to start a custom batch file, Autoexnt.bat, when you start a computer - without having to log onto the computer on which it will run See: How to Run a Batch File Before Logging on to Your Computer 22. 
Layered Service Providers Found in subkeys of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries Layered Service Providers (LSP) are small pieces of software that can be added or inserted into the Windows TCP/IP handler chain by other software. Data outward bound from your computer to a legitimate destination on the Internet can be intercepted by an LSP and sent somewhere other than where you intend it to go. They are executed before user login. Examples of malware implementing LSP's: http://www.sarc.com/avcenter/venc/data/trojan.riler.c.html http://www.avira.com/en/threats/section/fu....maran.g.5.html http://vil.nai.com/vil/content/v_139590.htm 23. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW Defines the command line that runs when an MS-DOS-based application runs under Windows NT/2000/XP. This command line continues to run until the related application is closed. The wowcmdline value there defines the command line that runs when a 16-bit Windows-based application is started. The switches instruct Windows NT to start either an MS-DOS "VDM" (Virtual Dos Machine) or a WOW VDM. More information: REG: CurrentControlSet Entries PART 3 and in this article. 24. Screensaver startup: Windows NT/XP/Vista: HKEY_CURRENT_USER\Control Panel\Desktop String value: SCRNSAVE.EXE = badfile.scr Examples of malware using this technique: http://www.symantec.com/security_response/...-99&tabid=2 http://www.symantec.com/security_response/...-99&tabid=2 In systems running Win 9x, the System.ini file is used: [boot] SCRNSAVE.EXE=badfile.exe Example of malware using this technique: http://securityresponse.symantec.com/avcen...hllp.lassa.html 25. Config.nt and Autoexec.nt in Windows NT4/2000/XP: Files: %SYSTEMROOT%\SYSTEM32\config.nt %SYSTEMROOT%\SYSTEM32\autoexec.nt See: http://www.esecurityplanet.com/alerts/article.php/3289911 26. 
The BootExecute registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager (NT/2000/XP/Vista) Contains the names and arguments of programs that are executed by Session Manager. Session Manager looks in the %WinDir%\system32 directory for the executables listed here. Example of a trojan using this technique: http://www.sophos.com/security/analyses/trojthemousea.html Other values of interest in this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager "Execute"= "SetupExecute"= "S0InitialCommand"= 27. Winlogon\Notify (Win XP/2000/NT) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify Another well known registry key added to in order to communicate to Winlogon.exe and let it know which procedures to run during an event notification; a DLL referenced here will be executed in a SYSTEM-level process, regardless of whether a user logs in. Examples of malware using this technique: http://vil.nai.com/vil/content/v_100441.htm http://sarc.com/avcenter/venc/data/pf/adware.look2me.html http://www.sophos.com/virusinfo/analyses/trojhaxdooru.html http://www.symantec.com/avcenter/venc/data/w32.naras.html 28. The "AutoRun" reg value in the HKEY_LOCAL_MACHINE (and HKEY_CURRENT_USER\Software\Microsoft\Command Processor (NT/XP/2000/Vista) Registry keys When CMD.EXE starts, it looks for the above REG_SZ/REG_EXPAND_SZ registry variables, and if either or both are present, they are executed first. Examples of malware using this technique: http://www.sophos.com/security/analyses/vi...2autorunzi.html http://www.symantec.com/security_response/...-99&tabid=2 http://www.symantec.com/security_response/...-99&tabid=2 29. 
Script Policies: (Win NT/2000/XP) [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts] Startup = C:\winNT\system32\GroupPolicy\Machine\Scripts\Startup Startup = C:\winNT\system32\GroupPolicy\User\Scripts\Logon Also, a logon script that only runs for a user when he or she connects to a Terminal Server through the Terminal Server client or by the console can be added by writing to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "AppSetup"= 30. GinaDLL (Win NT/2000/XP) Windows NT is shipped to load and execute the standard Microsoft GINA DLL (MSGina.dll). To load a different GINA (Graphical Identification and Authentication dynamic-link library) , a "GinaDLL" value in the following Registry key must be created: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon The GinaDLL value must contain the name of a GINA DLL, which Winlogon will then load and use. An example of malware using this technique: http://www.sophos.com/virusinfo/analyses/trojgina.html 31. MPRServices (Win 95, 98, ME ) Somewhat analogously to the "Notify" subkey on NT systems, in Win 9x the following Registry key can be used to load a dll: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\"Subkey" DllName = EntryPoint = StackSize = Examples: http://securityresponse.symantec.com/avcen....haxdoor.b.html http://www.trendmicro.com/vinfo/virusencyc...D.A&VSect=T http://vil.nai.com/vil/content/v_138991.htm 32. "System" string value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "System"= "(Path to) Badfile.exe" This value is present in Windows versions NT, 2000 and XP. It contains the list of executable files launched by Winlogon in the system context during the system initialisation. This list can be varied by modification of this value. 
Examples of malware using this technique: http://www.symantec.com/business/security_...-99&tabid=2 http://www.sophos.com/security/analyses/trojzlobaeq.html 33. VMApplet (Win NT/XP) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "VmApplet"= This registry value stores the file which is launched by Winlogon process to let the user adjust the virtual memory settings in case the system volume misses the paging swap-file. The file extensions for the file name are not obligatory. The default value for it is «rundll32 shell32, Control_RunDLL "sysdm.cpl"». 34. Browser Helper objects other Internet Explorer add-Ins and extensions, Browser pages A Browser Helper Object or BHO is in effect a small program that runs automatically every time you start your Internet browser. Every time an instance of Internet Explorer is started, it looks in the registry for CLSIDs stored under the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects If this key exists and there are CLSIDs listed under it, Internet Explorer will try to create an instance of each object listed as a subkey under this key. 
Here's the authoritative MS article: Browser Helper Objects: The Browser the Way You Want It Examples of malware using this technique: http://www.sophos.com/virusinfo/analyses/trojpuperad.html http://www.symantec.com/avcenter/venc/data...martallyes.html http://www.sophos.com/virusinfo/analyses/trojlixyb.html http://no.trendmicro-europe.com/enterprise...e=TROJ_BRIDGE.B Other locations for IE Add-Ins, Toolbars, extensions and related: HKLM\Software\Microsoft\Internet Explorer\Toolbar HKCU\Software\Microsoft\Internet Explorer\Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks HKCU\Software\Microsoft\Internet Explorer\Extensions HKLM\Software\Microsoft\Internet Explorer\Extensions Browser pages: [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search] "SearchAssistant"= "CustomizeSearch"= "Default_Search_URL" [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main] "Default_Page_URL"= "Local Page"= "Start Page" "Start Page_bak"=- "HOMEOldSP"=- "Default_Search_URL" "Search Page"= [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main] "Default_Page_URL"= "Local Page"= "Start Page" "Start Page_bak"=- "HOMEOldSP"=- "Search Page" "Search Bar"= [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl] ""= [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main] "Search Page" "Search Bar" "Use Custom Search URL"= 35. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key (Windows NT/2000/XP) A subkey can be added to this regkey by the name of a legitimate application, for example Explorer.exe. In the Explorer.exe subkey create a string value called Debugger, its value data containing the path to a file, say "%Windows%\baddie.exe" , and baddie.exe will be executed every time an instance of explorer.exe is launched. 
Examples of malware using this method: http://vil.nai.com/vil/content/v_142377.htm http://www.symantec.com/business/security_...-99&tabid=2 http://www.eset.eu/buxus/generate_page.php?page_id=15027 http://www.symantec.com/enterprise/securit...-99&tabid=2 36. ContextMenuHandlers When a user right-clicks a "Shell object", its context menu is displayed. A Context menu handler is a Component Object Model (COM) object that adds commands to such a context menu. An well known example is the "Open With" context menu entry when right-clicking a file. In the Registry it looks as follows: [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With] @="{09799AFB-AD67-11d1-ABCD-00C04FC30936}" The {09799AFB-AD67-11d1-ABCD-00C04FC30936} Class ID refers to a subkey of the same name in HKEY_CLASSES_ROOT\CLSID, whose InProcServer subkey holds the path to the context handler's dll, in this case Shell32.dll. Recently this method has also been seen used by malware, for example the Qoologic trojan: HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmmxn] @="{f1445181-385e-4b9f-ba55-4fec86b25d01} The InProcServer subkey to HKEY_CLASSES_ROOT\CLSID\{f1445181-385e-4b9f-ba55-4fec86b25d01} will show the path to the 'rogue' dll that's loaded into memory. 
Other ContextHandler keys: HKEY_LOCAL_MACHINE\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers HKEY_CURRENT_USER\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers HKEY_LOCAL_MACHINE\Software\Classes\Folder\ShellEx\ContextMenuHandlers HKEY_CURRENT_USER\Software\Classes\Folder\ShellEx\ContextMenuHandlers HKEY_LOCAL_MACHINE\Software\Classes\Directory\ShellEx\ContextMenuHandlers HKEY_CURRENT_USER\Software\Classes\Directory\ShellEx\ContextMenuHandlers HKEY_LOCAL_MACHINE\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers HKEY_CURRENT_USER\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers Further examples of malware making use of this launch point: http://www.sophos.com/security/analyses/trojcimuze.html http://www.trendmicro.com/vinfo/virusencyc...D.R&VSect=T 37. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks registry key The ShellExecuteHooks registry key contains the list of the COM objects (usually dlls) that trap execute commands. The value name equals the GUID (CLSID) of the COM object in question. Some technical reading on the subject: Creating a shell extension with C# Logging the Shell Activity Examples of malware using this technique: http://vil.nai.com/vil/content/v_142170.htm http://www.symantec.com/avcenter/venc/data...er.jianghu.html http://fr.trendmicro-europe.com/smb/securi...e=WORM_KORGO.AB http://www.sophos.com/virusinfo/analyses/trojspytoolgk.html 38. The 'Taskman' string value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon This value, not installed by default, can be used to launch Task Manager, see here: Have Ctrl-Esc Start Task Manager You can replace Taskman.exe by any application, and it will be executed at boot! 39. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager registry key. 
The Utility Manager can be configured to start accessibility programs on Windows startup, so a trojan could be slipped in here by altering the Application Path and setting the "Start with..." field, in the way a legitimate application like Magnify.exe is shown to be registered in this example: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Magnifier] "Application path"="Magnify.exe" "Application type"=dword:00000001 "Start with Utility Manager"=dword:00000001 "Start with Windows"=dword:00000001 Eample of malware using this launch method: http://www.trendmicro.com/vinfo/virusencyc...QRQ&VSect=T In Windows Vista the folowing key is used: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration 40. ColumnHandlers HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers HKEY_CURRENT_USER\SOFTWARE\Classes\Folder\shellex\ColumnHandlers Basically this is a Shell Extension Handler called by Explorer in order to extend the Details view of a file system folder. here's the Microsoft technical article on the subject . However, it has recently come to be used as another loading point for malware, notably some recent variants of the the Qoologic trojan. It will add a subkey here where the default value data track back to the rogue dll. See here: http://www.sophos.com/virusinfo/analyses/trojqoolaidan.html 41. The UseAlternateShell value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option subkey At boot UserInit.exe checks the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option subkey. If a value UseAlternateShell is present with its value data set to "1", Userinit runs the program specified as the user's shell in the AlternateShell value in HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot rather than executing Explorer.exe Therefore, if malware creates this UseAlternateShell value and sets it to "1" it can modify AlternateShell to run any program at startup. 
When this program is executed it can run explorer.exe to load the shell, and the user will never know about the trojan.

Example of malware using this technique:
http://www.symantec.com/enterprise/securit...-99&tabid=1
http://www.symantec.com/business/security_...-99&tabid=2
http://vil.nai.com/vil/content/v_143316.htm

42. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders (all Windows versions)

ALL dlls listed in the SecurityProviders string value in this key are loaded by Windows at startup!

An example of malware using this technique:
http://www3.ca.com/securityadvisor/virusin...s.aspx?id=58686

43. Autorun.inf files

Although the great majority of Flash drives do not automatically autorun on insertion, the addition of an autorun.inf file can cause them to spread infection. Accessing an infected flash drive through My Computer (clicking on the drive) will cause that autorun.inf to run. If the autorun.inf is written a certain way, when the autoplay screen comes up on insertion, the user can be tricked into running a nasty file. By clicking an icon in the "use this program to run..." dialog, a non-legit program added to the autorun.inf file on that drive can be run:

shell\open\command=trojan.exe

At least as insidiously, some malware adds autorun.inf files to the root of all logical drives.
Examples of malware using these techniques:
http://www.symantec.com/security_response/...-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyc...2EA&VSect=P
http://www.symantec.com/security_response/...-99&tabid=1
http://www.symantec.com/security_response/...-99&tabid=2
http://de.trendmicro-europe.com/smb/vinfo/...e=WORM_SIWEOL.A

Sometimes (the Virus.Win32.Small.k aka W32/Autom-A worm is a case in point), "MountPoints" subkeys are compromised:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints (Win 9x, Windows 2000)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (Windows XP)

Example from an infected registry:

[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\AutoRun\command]
@="C:\\"
[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\explore\Command]
@="WScript.exe .\\autorun.vbs"
[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\open\Command]
@="WScript.exe .\\autorun.vbs"

Here, an infector file (Autorun.vbs) is placed in the root of Drive C, and this file gets executed whenever the user either double-clicks on Drive C, or right-clicks the drive and chooses 'Explore'.

Another example:
http://www.viruslist.com/en/viruses/encycl...?virusid=151255

44. App Paths

One major purpose of the "App Paths" registry key is to map the name of an application's executable file to the file's fully qualified path. An App Paths subkey for a particular application (in this case iexplore.exe) will look something like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE]
@="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
"Path"="C:\\Program Files\\Internet Explorer;"

As a result one can type iexplore in the "Run" dialogue box without including the full path, and an instance of Internet Explorer will be started.
Malware could alter a file path by pointing to itself so that "trojan.exe" would be launched instead of the original application!

Some examples of malware using this technique:
http://www.symantec.com/security_response/...-99&tabid=2
http://www.sophos.co.uk/security/analyses/trojbckdrpuq.html

45. Print Monitors

The "driver" string value in a subkey of the following Registry key defines the DLL filename for the appropriate print monitor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors

This too can be a launch point used by malware; example:
http://www.trendmicro.com/vinfo/grayware/v....A&VSect=Td

46. LSA Authentication, Notification and Security Packages

Lsass.exe, the "Local Security Authentication Server", generates the process responsible for authenticating users for the Winlogon service. At system startup, the LSA will load the authentication package DLLs referenced in the following registry value:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"

A recent variant of Virtumonde/Vundo malware adds to this registry value in order to load a dll into memory:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnlli.dll

Other REG_MULTI_SZ values to watch in this registry key are:
- Notification Packages, which specifies the dlls that are loaded or called when passwords are set or changed. Again, currently used by a Vundo variant:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli qxjpszou.dll wlwlthwh.dll yjcsmsha.dll agpyeoqv.dll yedgjtvy.dll ivbreraq.dll
- Security Packages, containing the path to the security package dll loaded into memory

47. "UIHost" string value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

This value data specifies the path to the dll implementing the Welcome screen, the default being logonui.exe. A rogue application could be substituted here.
This post has been edited by TonyKlein: Mar 3 2009, 03:55 PM
Feb 13 2008, 07:00 PM
Post #2
Adv. Member, Group: Malware Experts, Posts: 112, Joined: 13-November 04, From: the Netherlands, Member No.: 11524
48. The AeDebug registry key (Windows NT/2000/XP/Vista)
The "AeDebug" key allows one to specify a remote debugger to be invoked in the event of a system crash:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
"auto"="1"
"debugger"="file.exe"

Various malware write to it specifying a rogue executable as debugger:
http://www.symantec.com/en/aa/norton/secur...-99&tabid=2
http://www.symantec.com/security_response/...-99&tabid=2
http://www.sophos.com/security/analyses/w32brontokbo.html

49. Session Manager\SubSystems (Windows NT/2000/XP/Vista)

During the boot process smss.exe, the Session Manager, among other things loads subsystems defined in the following Registry key:
HKEY_Local_Machine\System\CurrentControlSet\Control\Session Manager\SubSystems

The typical value data for the "Windows" REG_EXPAND_SZ registry value in this key would be:

CODE
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Recently malware has appeared on the scene that replaces the default basesrv.dll server dll in order to load a rogue dll into memory:
http://www.sophos.com/security/analyses/trojagentgjs.html
Also see here

50. ShellIconOverlayIdentifiers (Windows 98/ME/NT/2000/XP/Vista)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

Legitimate software can create a subkey here in order to implement a shell icon overlay identifier.
Malware can of course do this just as well, for example:

CODE
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Malware
@={11111111-1234-1234-1234-111111111111}

The default value data of HKEY_CLASSES_ROOT\CLSID\{11111111-1234-1234-1234-111111111111}\InProcServer32 would then point to a rogue dll to be loaded into memory.

51. Drivers32 (Windows NT/2000/XP/Vista)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

String values in this registry key define the dlls for various applications. Recently, malware has been observed writing to this key installing itself as a .midi driver, causing it to be loaded in all applications that use sound:

CODE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midi1"="rogue.dll"
"midi2"="rogue.dll"

http://vil.nai.com/vil/content/v_143943.htm
http://www.symantec.com/security_response/...-99&tabid=2

Other values in this key observed to have been exploited:
"wave1"=
"wave2"=
"mixer1"=
"mixer2"=
"aux1"=
"aux2"=

52. BootVerificationProgram (Windows NT/2000/XP/Vista)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BootVerificationProgram
"ImagePath"=

The BootVerificationProgram subkey stores data about custom startup verification programs, see here. The "ImagePath" REG_EXPAND_SZ value could specify the path to a rogue executable.

53. Backup, disk error checking, disk cleanup, and disk defragmentation paths (Windows NT/2000/XP/Vista)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath

The default value in each of these registry keys contains the path to the default application Windows uses for the purpose in question.
These could be substituted by rogue applications.
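As an added example that is not part of TonyKlein's posts: a small Python triage script that parses a constructed .reg export offline and flags deviations in several of the launch points listed in both posts (SafeBoot UseAlternateShell/AlternateShell from item 41, LSA packages from item 46, the Session Manager SubSystems ServerDll list from item 49, and AeDebug from item 48). The key paths come from the posts; the sample values, the baseline package names used for comparison (msv1_0, scecli, basesrv, winsrv) and the simplified space-separated encoding of multi-string values are assumptions of the example.

```python
import re

# Constructed sample .reg export (placeholder names, not real IoCs); multi-string values are space-separated as in the post
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"UseAlternateShell"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="placeholder_shell.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"="msv1_0 C:\\WINDOWS\\system32\\placeholder.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\\system32\\csrss.exe ServerDll=basesrv,1 ServerDll=example_srv:Init,3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="C:\\Temp\\placeholder_dbg.exe"
'''
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(?:"([^"]+)"|(@))=(.*)$')

def parse_reg(text):
    # Map lower-cased key path -> {lower-cased value name: data}; handles REG_SZ and REG_DWORD only
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1).lower(), {})
        elif (m := VAL_RE.match(line)) and current is not None:
            data = m.group(3)
            if data.startswith('"'):          # REG_SZ: strip quotes, unescape backslashes
                data = data[1:-1].replace('\\\\', '\\')
            elif data.startswith('dword:'):   # REG_DWORD: hex -> decimal string
                data = str(int(data[6:], 16))
            current[(m.group(1) or '@').lower()] = data
    return keys

CTRL = r'hkey_local_machine\system\currentcontrolset\control'
AEDEBUG = r'hkey_local_machine\software\microsoft\windows nt\currentversion\aedebug'

def find_launch_points(keys):
    # Return (launch point, data) pairs that deviate from the assumed default package names
    found = []
    if keys.get(CTRL + r'\safeboot\option', {}).get('usealternateshell') == '1':
        found.append(('SafeBoot AlternateShell', keys.get(CTRL + r'\safeboot', {}).get('alternateshell')))
    lsa = keys.get(CTRL + r'\lsa', {})
    for name, default in (('authentication packages', 'msv1_0'), ('notification packages', 'scecli')):
        found += [(f'LSA {name}', p) for p in lsa.get(name, '').split() if p.lower() != default]
    win = keys.get(CTRL + r'\session manager\subsystems', {}).get('windows', '')
    found += [('SubSystems ServerDll', d) for d in re.findall(r'ServerDll=([^:,\s]+)', win)
              if d.lower() not in ('basesrv', 'winsrv')]
    if keys.get(AEDEBUG, {}).get('debugger'):   # any configured crash debugger is worth reviewing
        found.append(('AeDebug Debugger', keys[AEDEBUG]['debugger']))
    return found
```

Running find_launch_points(parse_reg(SAMPLE_REG)) on the constructed export yields one finding per launch point; on a real export from regedit, multi-string values arrive as hex(7) data and need decoding first.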