A Collection of Autostart Locations



#1 TonyKlein (Adv. Member, Malware Experts)

Posted 28 March 2005 - 09:46 AM

This is a list of known Windows autostart locations. Any of these startup/launch methods can and will of course be used by both legitimate applications and by malware such as trojans, viruses, worms, spyware or adware.


1. Autostart folder


In Windows 95, 98, Millennium

C:\windows\start menu\programs\startup

and the "Global" Startup folder:

C:\Windows\All Users\Start Menu\Programs\StartUp


In Win XP and 2000:

C:\Documents and Settings\"User Name"\Start Menu\Programs\Startup

C:\Documents and Settings\All Users\Start Menu\Programs\Startup


In Windows Vista/7:

C:\Users\"User Name"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup



This Autostart Directory is saved in:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

Setting it to anything other than C:\windows\start menu\programs\startup will lead to execution of each and every executable inside the directory it is set to. Examples of malware using this and related techniques:

http://www.avira.com...2_toffus.a.html
http://www.sophos.co...rojwock32a.html
http://www.sophos.co...ojoptix03c.html


2. Win.ini

In Win 9x

[windows]
load=file.exe
run=file.exe


In Windows NT/2000/XP/Vista:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"=""
"load"=""

Programs Automatically Start When User Logs on to Windows

If, in NT-based systems, Windows finds sections in .ini files which are not present in the registry, those sections will automatically be registered.

Examples:

http://www.symantec...._...-99&tabid=2
http://threatinfo.tr...WORM_LOVGATE.AB
http://securityrespo...a/vbs.grez.html



3a. System.ini (Windows 95/98/Millennium)

[boot]
Shell=Explorer.exe file.exe


3b. Winlogon\Shell (Windows XP/NT/2000/Vista/7)

During system startup, Windows XP, NT and Windows 2000 consult the "Shell" registry value at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to determine the name of the executable that should be loaded as the Shell.

By default, this value specifies Explorer.exe.

This can also be specified on a per-user-profile basis (i.e., the corresponding registry key/value under HKEY_CURRENT_USER).

Examples of malware using this startup method:

http://www.symantec...._...-99&tabid=2
http://www.symantec...._...-99&tabid=2


In the following keys as well, a "Shell" string value can be used to specify an alternate user interface for (Windows 2000/XP/Vista/7):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system


Additionally, Explorer.exe is searched for by the system at boot, starting from the root C:\ and finishing at C:\windows\explorer.exe.

If malware is named "explorer.exe" and is placed in the root of the drive, the file will be launched without the necessity of modifying any boot files, and it can then launch the real explorer.exe without any notice from the user.



4. c:\windows\winstart.bat (Windows 95, 98)

Behaves like a normal BAT file. Used for copying or deleting specific files. Autostarts every time.

Occasionally used by malware as well:

http://securityrespo...door.optix.html
http://vil.nai.com/v...ent/v_99196.htm
http://www.sophos.co...ojnettroja.html



5a. Registry Run/RunOnce/RunServices keys


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] (Win 95/98/ME only)
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] (Win 95/98/ME only)
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"


Only on 64-bit Windows 7, there's also:

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run]

... used to store autostart entries for 32-bit software on 64-bit systems



INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup (Q179365)

Definition of the RunOnce Keys in the Registry (Q137367)

A Definition of the Run Keys in the Windows XP Registry


Examples of malware using these keys:

http://www.microsoft.....aMSIL/Noszbot
http://www.microsoft...../Slenfbot.AKD
http://www.microsoft.....AVBS/Cantix.A
http://www.microsoft.....in32/Arhost.A


5b. RunOnceEx Key (all operating systems)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


Description of the RunOnceEx Registry Key

Syntax for the RunOnceEx Registry Key


5c. Terminal Server Autoruns (Windows NT/2000/XP/Vista/7)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

Frequently used by malware:

http://www.microsoft.....32/Pushbot.QV
http://www.microsoft.....32/Neubreku.C
http://vil.nai.com/v...nt/v_268926.htm


6a. wininit.ini (Win 9x)

Often Used by Setup-Programs; when the file exists it is run ONCE and then is deleted by windows.

Example content of wininit.ini:

[Rename]
NUL=c:\windows\picture.exe

This example sends c:\windows\picture.exe to NUL, which means that it is being deleted. This requires no interactivity with the user and runs totally stealth.

More info on Wininit.ini: HOWTO: Move Files That Are Currently in Use

Examples of malware using Wininit.ini:

http://www.symantec....en.12288.a.html
http://hq.mcafeeasap...p?virus_k=99619
http://securityrespo...etlip.worm.html


6b. PendingFileRenameOperations (Windows NT/2000/XP/Vista/7)

Windows XP/NT does not use Wininit.ini. Instead it uses a "PendingFileRenameOperations" REG_MULTI_SZ value in the following Registry Key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
"PendingFileRenameOperations"

More info on the PFRO reg value: How to replace in-use files at Windows restart

Examples of malware making use of PendingFileRenameOperations:

http://www.symantec....-061923-1754-99
http://securityrespo...goner.a@mm.html
http://www.symantec..../...-99&tabid=2


Another Possible Multi-String Value here to look at is: ExcludeFromKnownDlls

The reason is this: the KnownDlls key lists dlls which can only be run from the System Folder. If the same file is located in a program's folder it will not be run. The version in System32 will be run instead.

Here's the MS article: INFO: Windows Uses KnownDLLs Registry Entry to Find DLLs



7. Autoexec.bat (Win 95, 98)

Stands for automatically executed batch file, the file that DOS automatically executes when a computer boots up.

Note that Windows Millennium ignores AutoExec.bat other than to lift Set, Path and Prompt statements from it and integrate these into the registry.


8. Registry Shell Spawning (Windows NT 4.0/2000/XP/Vista/7)

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
[HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command]
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
[HKEY_CLASSES_ROOT\htafile\shell\open\command]
[HKEY_CLASSES_ROOT\http\shell\open\command]
[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command]
[HKEY_CLASSES_ROOT\htmlfile\shell\print\command]
[HKEY_CLASSES_ROOT\inffile\shell\install\command]
[HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
[HKEY_CLASSES_ROOT\piffile\shell\open\command]
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
[HKEY_CLASSES_ROOT\regfile\shell\merge\command]
[HKEY_CLASSES_ROOT\vbsfile\shell\open\command]
[HKEY_CLASSES_ROOT\vbefile\shell\open\command]
[HKEY_CLASSES_ROOT\jsfile\shell\open\command]
[HKEY_CLASSES_ROOT\jsefile\shell\open\command]
[HKEY_CLASSES_ROOT\wshfile\shell\open\command]
[HKEY_CLASSES_ROOT\wsffile\shell\open\command]
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
[HKEY_CLASSES_ROOT\scrfile\shell\config\command]
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]

... and so on

The default value data for such a key should be "%1" %*; if this is changed to server.exe "%1 %*", the server.exe is executed EVERY TIME an exe/pif/com/bat/hta/txt is executed.

This startup method is used by a large number of worms and trojans:

http://www.symantec...._...-99&tabid=2


Just a few examples of other subkeys the default value data of which have been seen to be exploited:

HKEY_CLASSES_ROOT\Unknown\shell\openas\command
HKEY_CLASSES_ROOT\Directory\Shell\"KeyName"\Command
HKEY_CLASSES_ROOT\Folder\shell\open\command
HKEY_CLASSES_ROOT\Folder\shell\explore\command
HKEY_CLASSES_ROOT\Drive\shell\find\command
HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command
HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

Some reading:

http://www.symantec....-092410-3350-99
http://threatinfo.tr...e=VBS_IPNUKER.A
http://www.avira.com...lmir.51944.html


... and the default value data of the "Command" string value in:

HKEY_CLASSES_ROOT\.lnk\ShellNew
HKEY_CLASSES_ROOT\.bfc\ShellNew

See here


Also, in NT based systems the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts key can be used to associate a given file extension with another application.

For example, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt

Click on .txt and in the right pane there will be a String Value named "Application". Modify its value to the name of the executable you want to use. No path. Just Notepad.exe or EditPad.exe or Wordpad.exe etc. If there is not a String Value named Application, create it.
Now double-click a .txt file, and it will be opened by the designated application. Likewise, malware could hack any subkey here in order to get itself to start when a file of that type is launched.

Some useful reading: Mastering File Types in Windows XP

An example of malware using this technique: http://www.avira.com...llfiles.ja.html



9. Icq Inet

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]

When ICQNET detects an Internet Connection ALL applications in this reg key are executed.

Examples of malware using this startup method:

http://www.securelis...ptions/old34239
http://www.sophos.co...32ronoperg.html



10. Dosstart.bat (Win 95, 98)

This is a regular text format batch file. It contains instructions identical to those contained in autoexec.bat but there is one important difference: when it is executed.
While autoexec.bat executes immediately upon boot-up, dosstart.bat executes only when you are running Windows 95/98 and select the "restart in MSDOS mode" option from the shutdown menu.
At that point Windows exits with instructions to reboot DOS but not the Windows interface, and DOS executes the dosstart.bat file which typically loads a mouse driver, CD ROM driver, and possibly a couple of others.



11. Active Setup\Installed Components (all operating systems)

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe

HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe


This starts filename.exe BEFORE the shell and any other Program normally started over the Run Keys.
Each time a NEW user logs in, the HKLM\Software\Microsoft\Active Setup\Installed Components\{GUID} will be compared with the same CurrentUser Entry and the command defined in the StubPath (can be anything) will be executed.

Examples of malware using this technique:

http://www.microsoft.....in32/Hamweq.A
https://www.microsof...fOnLineGames.GR
http://www.symantec..../...-99&tabid=2
http://www.symantec..../...-99&tabid=2




12. UserInit reg value (NT/2000/XP/Vista/7)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"

Executed when a user logs in. A path to a program can be added after the comma. Examples of malware using this technique:

http://www.symantec...._...-99&tabid=2
http://www.symantec...._...-99&tabid=2
http://www.symantec...._...-99&tabid=2
http://www.symantec...._...-99&tabid=2




13. AppInit_DLLs (Windows NT 4.0/2000/XP/Vista/7)

Reg Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

The DLLs specified in this value are loaded into the process memory of processes that run after the Registry change has been made.

Info: Working with the AppInit_DLLs Registry Value


Examples of malware using this technique:

http://www.symantec....oor.ginwui.html
http://vil.mcafee.co...p?virus_k=99238
http://www.symantec....an.riler.e.html


14. RunOnce\Setup reg keys (all operating systems)

Normally used only by Setup. A progress dialog box is displayed as the keys are run one at a time.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup
String Value > some program or file

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
String Value > some program or file



15. ShellServiceObjectDelayLoad (all operating systems)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Executed by Explorer.exe as soon as it has loaded.
The layout of the values in that key is somewhat like the one in the Run key, only it points to the InProcServer for the CLSID instead of pointing to a file.

Examples of malware using this startup method:

http://www.symantec..../...-99&tabid=2
http://www.symantec..../...-99&tabid=2
http://www.symantec..../...-99&tabid=2



16. Task Scheduler startup

Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed.

A .job file describing this task is placed in the %WinDir%\Tasks folder (Vista+: %WINDIR%\System32\Tasks\).

Example of malware using this technique: http://securityrespo....cone.d@mm.html



17. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (all operating systems)

Dlls referenced in this registry key are loaded at boot.

For examples of malware using this autostart method, see here:

http://www.symantec....-121319-3804-99
http://www.symantec..../...-99&tabid=2
http://www.sophos.co...trojhasuma.html



18. Policies Run keys (Win ME/NT/2000/XP/Vista/7)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\any subkey

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
String Value > path to some program or file

Examples of malware using this Startup method:

http://www.symantec...._...-99&tabid=2
http://www.symantec...._...-99&tabid=2
http://threatinfo.tr...ORM_AUTORUN.BSE
http://www.sophos.co...rojproratd.html




19a. HKEY_CLASSES_ROOT\PROTOCOLS\Filter (all operating systems)

Not so much an autostart method as a location where some foistware registers a permanent filter in order to implement a hijack:

http://securityrespo...jan.popdis.html
http://uk.trendmicro...ROJ_STARTPGE.AF


Here's the Microsoft technical article on Pluggable MIME Filters



19b. HKEY_CLASSES_ROOT\PROTOCOLS\Handler (all operating systems)

Handlers can be registered for various protocols.

Examples of malware using this key:

http://home.mcafee.c...key=158190#none
http://www.bleepingc...al-protect-2009



20. Virtual Device Driver files (VXDs) in Win 9x systems

Loaded from System.ini ( [386enh] section)

And from the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\VxD


More info on VXDs here: The Windows 98 Startup Process

Examples of malware using this technique:

http://securityrespo...d.trojan.c.html
http://www.viruslibr...95.MrKlunky.htm
http://hq.mcafeeasap...?virus_k=100242



21. Services (NT based systems including Windows XP, Vista, Win7)

In the Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Many worms and trojans use this startup method as well:

http://www.microsoft.....n32/Machime.A
http://www.symantec...._...-99&tabid=2
http://www.symantec....-121314-2529-99
http://www.symantec..../...-99&tabid=2


Likewise, malware can compromise an existing service by modifying its ServiceDLL string value, so that the baddie is executed instead of the legitimate file once the service is started, as shown here


Related: In Win NT/2000/XP one can use the NT resource kit utility called AUTOEXNT (autoexec for NT)
The AutoExNT Service allows you to start a custom batch file, Autoexnt.bat, when you start a computer - without having to log onto the computer on which it will run

See: How to Run a Batch File Before Logging on to Your Computer



22. Layered Service Providers

Found in subkeys of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

Layered Service Providers (LSP) are small pieces of software that can be added or inserted into the Windows TCP/IP handler chain by other software. Data outward bound from your computer to a legitimate destination on the Internet can be intercepted by an LSP and sent somewhere other than where you intend it to go.

They are executed before user login.

Examples of malware implementing LSPs:

http://www.sarc.com/...an.riler.c.html
http://www.avira.com....maran.g.5.html
http://vil.nai.com/v...nt/v_139590.htm



23. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW (Windows NT 4.0/2000/XP/Vista/7)

Defines the command line that runs when an MS-DOS-based application runs under Windows NT+. This command line continues to run until the related application is closed.

The wowcmdline value there defines the command line that runs when a 16-bit Windows-based application is started. The switches instruct Windows NT to start either an MS-DOS "VDM" (Virtual Dos Machine) or a WOW VDM.

More information: REG: CurrentControlSet Entries PART 3 and in this article.



24. Screensaver startup:

Windows (Windows NT 4.0/2000/XP/Vista/7)

HKEY_CURRENT_USER\Control Panel\Desktop

String value: SCRNSAVE.EXE = badfile.scr

Examples of malware using this technique:

http://www.symantec..../...-99&tabid=2
http://www.symantec..../...-99&tabid=2


In systems running Win 9x, the System.ini file is used:

[boot]
SCRNSAVE.EXE=badfile.exe

Example of malware using this technique: http://securityrespo...hllp.lassa.html



25. Config.nt and Autoexec.nt in Windows NT4/2000/XP:

Files:

%SYSTEMROOT%\SYSTEM32\config.nt
%SYSTEMROOT%\SYSTEM32\autoexec.nt

See: http://www.esecurity...names-Files.htm



26. The BootExecute registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager (NT/2000/XP/Vista/7)

Contains the names and arguments of programs that are executed by Session Manager. Session Manager looks in the %WinDir%\system32 directory for the executables listed here.

Example of a trojan using this technique: http://www.sophos.co...jthemousea.html

Other values of interest in this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
"Execute"=
"SetupExecute"=
"S0InitialCommand"=



27. Winlogon\Notify (Win XP/2000/NT)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Another well known registry key added to in order to communicate to Winlogon.exe and let it know which procedures to run during an event notification; a DLL referenced here will be executed in a SYSTEM-level process, regardless of whether a user logs in.

Examples of malware using this technique:

http://vil.nai.com/v...nt/v_100441.htm
http://sarc.com/avce...re.look2me.html
http://www.sophos.co...ojhaxdooru.html
http://www.symantec..../w32.naras.html



28. The "AutoRun" reg value in the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER\Software\Microsoft\Command Processor Registry keys (Windows NT 4.0/2000/XP/Vista/7)

When CMD.EXE starts, it looks for the above REG_SZ/REG_EXPAND_SZ registry variables, and if either or both are present, they are executed first.

Examples of malware using this technique:

http://www.sophos.co...2autorunzi.html
http://www.symantec..../...-99&tabid=2
http://www.symantec..../...-99&tabid=2



29. Script Policies: (Win NT/2000/XP/Vista/7)

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts]
Startup = C:\winNT\system32\GroupPolicy\Machine\Scripts\Startup
Startup = C:\winNT\system32\GroupPolicy\User\Scripts\Logon

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts (Vista+)


Also, a logon script that only runs for a user when he or she connects to a Terminal Server through the Terminal Server client or by the console can be added by writing to

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AppSetup"=



30. GinaDLL (Win NT/2000/XP/7)

Windows NT is shipped to load and execute the standard Microsoft GINA DLL (MSGina.dll). To load a different GINA (Graphical Identification and Authentication dynamic-link library), a "GinaDLL" value in the following Registry key must be created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The GinaDLL value must contain the name of a GINA DLL, which Winlogon will then load and use.

An example of malware using this technique: http://www.sophos.co...e/trojgina.html




31. MPRServices (Win 95, 98, ME )

Somewhat analogously to the "Notify" subkey on NT systems, in Win 9x the following Registry key can be used to load a dll:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\"Subkey"
DllName =
EntryPoint =
StackSize =

Examples:

http://securityrespo....haxdoor.b.html
http://threatinfo.tr...me=WORM_LAMUD.A
http://vil.nai.com/v...nt/v_138991.htm


32. "System" string value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (Windows NT 4.0/2000/XP/Vista/7)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"= "(Path to) Badfile.exe"

This value is present in Windows versions NT, 2000 and XP. It contains the list of executable files launched by Winlogon in the system context during the system initialisation. This list can be varied by modification of this value.

Examples of malware using this technique:

http://www.symantec...._...-99&tabid=2
http://www.sophos.co...rojzlobaeq.html


33. VMApplet (Windows NT 4.0/2000/XP/Vista/7)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"VmApplet"=

This registry value stores the file which is launched by Winlogon process to let the user adjust the virtual memory settings in case the system volume misses the paging swap-file. The file extensions for the file name are not obligatory.

The default value for it is: rundll32 shell32, Control_RunDLL "sysdm.cpl"



34. Browser Helper objects and other Internet Explorer add-Ins and extensions, Browser pages

A Browser Helper Object or BHO is in effect a small program that runs automatically every time you start your Internet browser.

Every time an instance of Internet Explorer is started, it looks in the registry for CLSIDs stored under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

If this key exists and there are CLSIDs listed under it, Internet Explorer will try to create an instance of each object listed as a subkey under this key.

Here's the authoritative MS article:

Browser Helper Objects: The Browser the Way You Want It


Examples of malware using this technique:

http://www.symantec...._...-99&tabid=2
http://www.microsoft.....32/BaiduSobar
http://www.sophos.co...rojpuperad.html
http://www.symantec....martallyes.html
http://www.sophos.co.../trojlixyb.html


Other locations for IE Add-Ins, Toolbars, extensions and related:

HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKCU\Software\Microsoft\Internet Explorer\Extensions
HKLM\Software\Microsoft\Internet Explorer\Extensions

In addition, Explorer Bars are registered in one of the following registry Keys:

HKCU\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021493-0000-0000-C000-000000000046} (vertical Explorer Bar)
HKCU\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021494-0000-0000-C000-000000000046} (horizontal Explorer Bar)

Browser pages:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"=
"CustomizeSearch"=
"Default_Search_URL"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=
"Local Page"=
"Start Page"
"Start Page_bak"=-
"HOMEOldSP"=-
"Default_Search_URL"
"Search Page"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=
"Local Page"=
"Start Page"
"Start Page_bak"=-
"HOMEOldSP"=-
"Search Page"
"Search Bar"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"
"Search Bar"
"Use Custom Search URL"=




35. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key (Windows NT/2000/XP)

A subkey can be added to this regkey by the name of a legitimate application, for example Explorer.exe. In the Explorer.exe subkey create a string value called Debugger, its value data containing the path to a file, say "%Windows%\baddie.exe", and baddie.exe will be executed every time an instance of explorer.exe is launched.

Examples of malware using this method:

http://vil.nai.com/v...nt/v_142377.htm
http://www.symantec...._...-99&tabid=2
http://www.eset.eu/b...p?page_id=15027
http://www.symantec....t...-99&tabid=2



36. ContextMenuHandlers, CopyHookHandlers, DragDropHandlers

When a user right-clicks a "Shell object", its context menu is displayed. A Context menu handler is a Component Object Model (COM) object that adds commands to such a context menu.
A well-known example is the "Open With" context menu entry when right-clicking a file. In the Registry it looks as follows:

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

The {09799AFB-AD67-11d1-ABCD-00C04FC30936} Class ID refers to a subkey of the same name in HKEY_CLASSES_ROOT\CLSID, whose InProcServer subkey holds the path to the context handler's dll, in this case Shell32.dll.

Recently this method has also been seen used by malware, for example the Qoologic trojan:

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmmxn]
@="{f1445181-385e-4b9f-ba55-4fec86b25d01}"

The InProcServer subkey to HKEY_CLASSES_ROOT\CLSID\{f1445181-385e-4b9f-ba55-4fec86b25d01} will show the path to the 'rogue' dll that's loaded into memory.


Other ContextHandler keys:

HKEY_CURRENT_USER\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKEY_CURRENT_USER\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKEY_CURRENT_USER\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKEY_CURRENT_USER\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKEY_CURRENT_USER\Software\Classes\*\ShellEx\ContextMenuHandlers
HKEY_CURRENT_USER\Software\Classes\AllFilesystemObjects\ShellEx\ContextMenuHandlers


Further examples of malware making use of this launch point:

http://www.sophos.co...trojcimuze.html
http://threatinfo.tr...=TROJ_QOOLAID.R

Other related keys:

HKCU\Software\Classes\*\shellex\CopyHookHandlers
HKCU\Software\Classes\*\shellex\DragDropHandlers
HKCU\Software\Classes\*\shellex\PropertySheetHandlers

HKCU\Software\Classes\AllFilesystemObjects\shellex\CopyHookHandlers
HKCU\Software\Classes\AllFilesystemObjects\shellex\DragDropHandlers
HKCU\Software\Classes\AllFilesystemObjects\shellex\PropertySheetHandlers

HKCU\Software\Classes\Directory\shellex\CopyHookHandlers
HKCU\Software\Classes\Directory\shellex\DragDropHandlers
HKCU\Software\Classes\Directory\shellex\PropertySheetHandlers

HKCU\Software\Classes\Directory\Background\shellex\CopyHookHandlers
HKCU\Software\Classes\Directory\Background\shellex\DragDropHandlers
HKCU\Software\Classes\Directory\Background\shellex\PropertySheetHandlers




37. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks registry key (all operating systems)

The ShellExecuteHooks registry key contains the list of the COM objects (usually dlls) that trap execute commands. The value name equals the GUID (CLSID) of the COM object in question.

Some technical reading on the subject:

Creating a shell extension with C#
Logging the Shell Activity

Examples of malware using this technique:

https://www.microsof.....in32/Lolyda.F
http://www.symantec....er.jianghu.html
http://about-threats...e=WORM_KORGO.AB
http://www.sophos.co...jspytoolgk.html




38. The 'Taskman' string value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (Windows NT 4.0/2000/XP/Vista/7)

This value, not installed by default, can be used to launch Task Manager, see here: Have Ctrl-Esc Start Task Manager

You can replace Taskman.exe by any application, and it will be executed at boot!

Examples of malware using this autostart method:

http://www.microsoft.....n32/Rimecud.A
http://www.sophos.co...l?_log_from=rss
http://www.symantec...._...-99&tabid=2
http://vil.nai.com/v...nt/v_252087.htm




39. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager registry key.

The Utility Manager can be configured to start accessibility programs on Windows startup, so a trojan could be slipped in here by altering the Application Path and setting the "Start with..." field, in the way a legitimate application like Magnify.exe is shown to be registered in this example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Magnifier]
"Application path"="Magnify.exe"
"Application type"=dword:00000001
"Start with Utility Manager"=dword:00000001
"Start with Windows"=dword:00000001

Example of malware using this launch method:

http://threatinfo.tr...ROJ_DLOADER.QRQ


In Windows Vista+ the following key is used:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration



40. ColumnHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_CURRENT_USER\SOFTWARE\Classes\Folder\shellex\ColumnHandlers

Basically this is a Shell Extension Handler called by Explorer in order to extend the Details view of a file system folder. Here's the Microsoft technical article on the subject.

However, it has recently come to be used as another loading point for malware, notably some recent variants of the Qoologic trojan.
It will add a subkey here where the default value data tracks back to the rogue dll.

See here: http://www.sophos.co...jqoolaidan.html



41. The UseAlternateShell value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option subkey (Win ME/NT/2000/XP/Vista)

At boot UserInit.exe checks the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option subkey.

If a value UseAlternateShell is present with its value data set to "1", Userinit runs the program specified as the user's shell in the AlternateShell value in HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot rather than executing Explorer.exe.
Therefore, if malware creates this UseAlternateShell value and sets it to "1" it can modify AlternateShell to run any program at startup.

When this program is executed it can run explorer.exe to load the shell and the user will never know about the trojan.

Example of malware using this technique:

http://www.symantec....t...-99&tabid=1
http://www.symantec...._...-99&tabid=2
http://vil.nai.com/v...nt/v_143316.htm


42. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders (all Windows versions)

ALL dlls listed in the SecurityProviders string value in this key are loaded by Windows at startup!


An example of malware using this technique:

http://www.ca.com/us...s.aspx?id=58686



43. Autorun.inf files

Although the great majority of Flash drives do not automatically autorun on insertion, the addition of an autorun.inf file can cause them to spread infection. Accessing an infected flash drive through My Computer (Clicking on the drive) will cause that autorun.inf to run.

If the autorun.inf is written a certain way, when the autoplay screen comes up on insertion, the user can be tricked into running a nasty file. By clicking an icon in the "use this program to run..." dialog, a non-legit program added to the autorun.inf file on that drive can be run:

shell\open\command=trojan.exe

At least as insidiously, some malware add autorun.inf files to the root and all logical drives.

Examples of malware using these techniques:

http://www.symantec..../...-99&tabid=2
http://threatinfo.tr...=VBS_RESULOWS.A
http://www.symantec..../...-99&tabid=1
http://www.symantec..../...-99&tabid=2
http://de.trendmicro...e=WORM_SIWEOL.A

Sometimes (the Virus.Win32.Small.k aka W32/Autom-A Worm is a case in point), "MountPoints" subkeys are compromised:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints (Win 9x, Windows 2000)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (Windows XP)

Example from an infected registry:

[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\AutoRun\command]
@="C:\\"

[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\explore\Command]
@="WScript.exe .\\autorun.vbs"

[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\open\Command]
@="WScript.exe .\\autorun.vbs"


Here, an infector file (Autorun.vbs) is placed in the root of Drive C, and this file gets executed whenever the user either double-clicks on Drive C, or right-clicks the drive and chooses 'Explore'.

Another example: http://www.securelis...tions/old151255



44. App Paths

One major purpose of the "App Paths" registry key is to map the name of an application's executable file to the file's fully qualified path.

An App Paths subkey for a particular application (in this case iexplore.exe) will look something like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE]
@="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
"Path"="C:\\Program Files\\Internet Explorer;"

As a result one can type iexplore in the "Run" dialogue box without including the full path, and an instance of Internet Explorer will be started.

Malware could alter a file path by pointing to itself so that "trojan.exe" would be launched instead of the original application!

Some examples of malware using this technique:

http://www.symantec..../...-99&tabid=2
http://www.sophos.co...ojbckdrpuq.html



45. Print Monitors (all operating systems)

The "driver" string value in a subkey of the following Registry key defines the DLL filename for the appropriate print monitor:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors

This too can be a launch point used by malware; example:

http://threatinfo.tr...ADW_BETTERINT.A



46. LSA Authentication, Notification and Security Packages (Win ME/NT/2000/XP/Vista)

Lsass.exe, the "Local Security Authentication Server", generates the process responsible for authenticating users for the Winlogon service.
At System startup, the LSA will load the authentication package DLLs referenced in the following registry value:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"


A recent variant of Virtumonde/Vundo malware adds to this registry value in order to load a dll into memory:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnlli.dll


Other REG_MULTI_SZ values to watch in this registry key are:

- Notification Packages, which specifies the dlls that are loaded or called when passwords are set or changed.

Again, currently used by a Vundo variant:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli qxjpszou.dll wlwlthwh.dll yjcsmsha.dll agpyeoqv.dll yedgjtvy.dll ivbreraq.dll


- Security Packages, containing the path to the security package dll loaded into memory.



47. "UIHost" string value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

This value data specifies the path to the dll implementing the Welcome screen, the default being logonui.exe.

A rogue application could be substituted here.



48. The AeDebug registry key (Windows NT/2000/XP/Vista/7)

The "AeDebug" key allows one to specify a remote debugger to be invoked in the event of a system crash:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
"auto"="1"
"debugger"="file.exe"

Various malware write to it specifying a rogue executable as debugger:

http://www.symantec..../...-99&tabid=2
http://www.sophos.co...2brontokbo.html
http://www.symantec...._...-99&tabid=2


49. Session Manager\SubSystems (Windows NT/2000/XP/Vista/7)

During the Boot process smss.exe, the Session Manager, among other things loads subsystems defined in the following Registry key:

HKEY_Local_Machine\System\CurrentControlSet\Control\Session Manager\SubSystems

The typical value data for the "Windows" REG_EXPAND_SZ registry value in this key would be:

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16


Recently malware has appeared on the scene that replaces the default basesrv.dll server dll in order to load a rogue dll into memory:

http://www.sophos.co...ojagentgjs.html

Also see here



50. ShellIconOverlayIdentifiers (Windows 98/ME/NT/2000/XP/Vista/7)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

Legitimate software can create a subkey here in order to implement a shell icon overlay identifier.

Malware can of course do this just as well, for example:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Malware
@={11111111-1234-1234-1234-111111111111}


The default value data of HKEY_CLASSES_ROOT\CLSID\{11111111-1234-1234-1234-111111111111}\InProcServer32 would then point to a rogue dll to be loaded into memory.

Example of malware using this launch point:

http://vil.nai.com/v...nt/v_102053.htm




51. Drivers32/Audio and Video Codecs (Windows NT/2000/XP/Vista/7)


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
"midi1"=
"midi2"=
"wave1"=
"wave2"=
"mixer1"=
"mixer2"=
"aux1"=
"aux2"=


String values in this registry key define the dlls related to Audio and video codecs, a mechanism that is gaining popularity as a way for malware to gain automatic execution:

http://vil.nai.com/v...nt/v_143943.htm
http://www.symantec..../...-99&tabid=2
http://www.symantec...._...-99&tabid=2

Also see this ThreatExpert Report




52. BootVerificationProgram (Windows NT/2000/XP/Vista/7)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BootVerificationProgram
"ImagePath"=

The BootVerificationProgram subkey stores data about custom startup verification programs, see here

The "ImagePath" REG_EXPAND_SZ value could specify the path to a rogue executable.



53. Backup, disk error checking, disk cleanup, and disk defragmentation paths (Windows NT/2000/XP/Vista+)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath

The default value in each of these registry keys contains the path to the default application Windows uses for the purpose in question. These could be substituted by rogue applications.



54. Credential Providers (Vista/7)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers

Can be used to deploy a custom credential provider. See Custom Login Experiences: Credential Providers in Windows Vista



55. Autoplay Handlers (XP/Vista/7)

AutoPlay Handlers for various events, for example when right-clicking a CD drive or removable drive, are found in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers

Example of malware misusing this registry key:

http://www.sophos.co...tiviruspro.html



56. Service Control Manager Extension (Win7)

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceControlManagerExtension (Thank you, Silent Runners' Andrew Aronoff)



57. AppCertDlls (Windows NT/2000/XP/Vista/7)

A dll registered within the AppCertDlls subkey of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager will be loaded into every process as soon as it attempts to start another process using the kernel32!CreateProcess() API function.

Examples of malware writing to this key:

http://www.microsoft.com/security/portal/T...rsnif.gen!I
http://www.avira.com...y.browse.a.html



Edited by TonyKlein, 27 November 2010 - 01:02 PM.
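
A defender-side triage script for several of the values listed above (the LSA Authentication and Notification Packages of item 46, and the Winlogon UIHost and Taskman values of items 47 and 38), added here as an example and not part of the post: it parses `reg query` style output and reports every entry that is not one of the defaults the post names. The dump, the baseline dictionary and the placeholder name rogue.exe are constructed for the example.

```python
# Added example (not from the post): triage a `reg query` dump against the autostart values the post describes.
import re

# Baseline from the post's stated defaults, lower-cased because registry key and value names are case-insensitive.
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
BASELINE = {
    (LSA, "authentication packages"): {"msv1_0"},
    (LSA, "notification packages"): {"scecli"},
    (WINLOGON, "uihost"): {"logonui.exe"},
    (WINLOGON, "taskman"): set(),   # not installed by default: any data at all is a finding
}

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")

def parse_reg_query(text):
    """Yield (key path, value name, type, data) tuples from `reg query` output."""
    key = None
    for line in text.splitlines():
        if line and not line.startswith(" "):   # unindented line = a key path
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), m.group(2), m.group(3)

def entries(reg_type, data):
    """REG_MULTI_SZ data is shown with \\0 between strings; other types are one entry."""
    return [s for s in data.split("\\0") if s] if reg_type == "REG_MULTI_SZ" else [data]

def audit(text):
    """Return (key, value name, entry) for every entry outside the baseline."""
    findings = []
    for key, name, reg_type, data in parse_reg_query(text):
        allowed = BASELINE.get((key.lower(), name.lower()))
        if allowed is None:
            continue                        # not a value we baseline
        for entry in entries(reg_type, data):
            if entry.lower() not in allowed:
                findings.append((key, name, entry))
    return findings

# Constructed dump: the Vundo entries quoted in the post plus a hypothetical
# Taskman value (rogue.exe is a placeholder name).
SAMPLE = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Authentication Packages    REG_MULTI_SZ    msv1_0\0C:\WINDOWS\system32\nnlli.dll
    Notification Packages    REG_MULTI_SZ    scecli\0qxjpszou.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    UIHost    REG_EXPAND_SZ    logonui.exe
    Taskman    REG_SZ    C:\WINDOWS\system32\rogue.exe
"""
```

Running `audit(SAMPLE)` reports the extra nnlli.dll authentication package, the extra qxjpszou.dll notification package and the Taskman value, while the default UIHost passes.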


#2 Chachazz

Chachazz

    Is GSF inventory

  • General Admin
  • 33,723 posts

Posted 02 August 2010 - 02:14 PM

-bump-

