Posted 28 March 2005 - 09:46 AM

1. Autostart folder

2. Win.ini

3a. System.ini

3b. Winlogon\\Shell

4. c:\windows\winstart.bat

5a. Registry Run/RunOnce/RunServices keys

5b. RunOnceEx Key

5c. Terminal Server Autoruns

6a. wininit.ini

6b. PendingFileRenameOperations

7. Autoexec.bat

8. Registry Shell Spawning

9. Icq Inet

10. Dosstart.bat

11. Active Setup\Installed Components

12. UserInit reg value (NT/2000/XP/Vista/7)

13. AppInit_DLLs

14. RunOnce\Setup reg keys

15. ShellServiceObjectDelayLoad

16. Task Scheduler startup

17. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

18. Policies Run keys

19a. HKEY_CLASSES_ROOT\PROTOCOLS\Filter

19b. HKEY_CLASSES_ROOT\PROTOCOLS\Handler

20. Virtual Device Driver files (VXDs) in Win 9x systems

21. Services (NT based systems including Windows XP, Vista, Win7)

22. Layered Service Providers

23. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW

24. Screensaver startup:

25. Config.nt and Autoexec.nt in Windows NT4/2000/XP:

26. The BootExecute registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager (NT/2000/XP/Vista/7)

27. Winlogon\Notify (Win XP/2000/NT)

28. The "AutoRun" reg value in the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER\Software\Microsoft\Command Processor Registry keys

29. Script Policies: (Win NT/2000/XP,Vista/7)

30. GinaDLL (Win NT/2000/XP/7)

31. MPRServices (Win 95, 98, ME )

32. "System" string value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

33. VMApplet

34. Browser Helper objects

35. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key (Windows NT/2000/XP)

36. ContextMenuHandlers, CopyHookHandlers, DragDropHandlers

37. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks registry key

38. The 'Taskman' string value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

39. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager registry key.

40. ColumnHandlers

41. The UseAlternateShell value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option subkey

42. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders

43. Autorun.inf files

44. App Paths

45. Print Monitors

46. LSA Authentication, Notification and Security Packages

47. "UIHost" string value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

48. The AeDebug registry key

49. Session Manager\SubSystems

CODE

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

50. ShellIconOverlayIdentifiers

CODE

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Malware

@={11111111-1234-1234-1234-111111111111}

51. Drivers32/Audio and Video Codecs

52. BootVerificationProgram

53. Backup, disk error checking, disk cleanup, and disk defragmentation paths

54. Credential Providers

55. Autoplay Handlers

56. Service Control Manager Extension

57. AppCertDlls

This is a list of known Windows autostart locations. Any of these startup/launch methods can and will of course be used by both legitimate applications and by malware such as trojans, viruses, worms, spyware or adware.

1. Autostart folder

C:\windows\start menu\programs\startup

and the "Global" Startup folder:

C:\Windows\All Users\Start Menu\Programs\StartUp
C:\Documents and Settings\"User Name"\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Users\"User Name"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

This Autostart Directory is saved in:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

Setting this value to anything other than C:\windows\start menu\programs\startup will lead to execution of ALL and EVERY executable inside the directory that is set.
Examples of malware using this and related techniques:

2. Win.ini

[windows]
load=file.exe
run=file.exe

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"=""
"load"=""

If, in NT based systems, Windows finds sections in .ini files which are not present in the registry, those sections will automatically be registered.

Examples:

3a. System.ini (Windows 95/98/Millennium)

[boot]
Shell=Explorer.exe file.exe

3b. Winlogon\Shell (Windows XP/NT/2000/Vista/7)

During system startup, Windows XP, NT and Windows 2000 consult the "Shell" registry value at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to determine the name of the executable that should be loaded as the Shell. By default, this value specifies Explorer.exe. This can also be specified on a per-user-profile basis (i.e., the corresponding registry key/value under HKEY_CURRENT_USER).

Examples of malware using this startup method:

In the following keys as well, a "Shell" string value can be used to specify an alternate user interface (Windows 2000/XP/Vista/7):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system

Additionally, Explorer.exe is searched for by the system at boot, starting from the root C:\ and finishing at C:\windows\explorer.exe. If malware is named "explorer.exe" and is placed in the root of the drive, the file will be launched without the necessity of modifying any boot files, and it can then launch the real explorer.exe without the user noticing.

4. c:\windows\winstart.bat (Windows 95, 98)

Behaves like a normal BAT file. Used for copying or deleting specific files.
Autostarts every time. Occasionally used by malware as well:

5a. Registry Run/RunOnce/RunServices keys

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices] (Win 95/98/ME only)
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] (Win 95/98/ME only)
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

Only on 64-bit Windows 7, there's also:

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run]

... used to store autostart entries for 32-bit software on 64-bit systems.

Examples of malware using these keys:

5b. RunOnceEx Key (all operating systems)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

5c. Terminal Server Autoruns (Windows NT/2000/XP/Vista/7)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

Frequently used by malware:

6a. wininit.ini (Win 9x)

Often used by Setup programs; when the file exists it is run ONCE and then is deleted by Windows. Example content of wininit.ini:
[Rename]
NUL=c:\windows\picture.exe

This example sends c:\windows\picture.exe to NUL, which means that it is being deleted. This requires no interaction with the user and runs totally stealthily.

More info on Wininit.ini: HOWTO: Move Files That Are Currently in Use

Examples of malware using Wininit.ini:

6b. PendingFileRenameOperations (Windows NT/2000/XP/Vista/7)

Windows XP/NT does not use Wininit.ini. Instead it uses a "PendingFileRenameOperations" REG_MULTI_SZ value in the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
"PendingFileRenameOperations"

More info on the PFRO reg value: How to replace in-use files at Windows restart

Examples of malware making use of PendingFileRenameOperations:

Another possible multi-string value here to look at is ExcludeFromKnownDlls. The reason is this: the KnownDlls key lists DLLs which can only be run from the System folder. If the same file is located in a program's folder it will not be run; the version in System32 will be run instead. Here's the MS article: INFO: Windows Uses KnownDLLs Registry Entry to Find DLLs

7. Autoexec.bat (Win 95, 98)

Stands for automatically executed batch file, the file that DOS automatically executes when a computer boots up. Note that Windows Millennium ignores AutoExec.bat other than to lift Set, Path and Prompt statements from it and integrate these into the registry.

8. Registry Shell Spawning (Windows NT 4.0/2000/XP/Vista/7)

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
[HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command]
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
[HKEY_CLASSES_ROOT\htafile\shell\open\command]
[HKEY_CLASSES_ROOT\http\shell\open\command]
[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command]
[HKEY_CLASSES_ROOT\htmlfile\shell\print\command]
[HKEY_CLASSES_ROOT\inffile\shell\install\command]
[HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
[HKEY_CLASSES_ROOT\piffile\shell\open\command]
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
[HKEY_CLASSES_ROOT\regfile\shell\merge\command]
[HKEY_CLASSES_ROOT\vbsfile\shell\open\command]
[HKEY_CLASSES_ROOT\vbefile\shell\open\command]
[HKEY_CLASSES_ROOT\jsfile\shell\open\command]
[HKEY_CLASSES_ROOT\jsefile\shell\open\command]
[HKEY_CLASSES_ROOT\wshfile\shell\open\command]
[HKEY_CLASSES_ROOT\wsffile\shell\open\command]
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
[HKEY_CLASSES_ROOT\scrfile\shell\config\command]
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
... and so on

The default value data for such a key should be; if this is changed to, the server.exe is executed EVERY TIME an exe/pif/com/bat/hta/txt is executed.

This startup method is used by a large number of worms and trojans:

Just a few examples of other subkeys the default value data of which have been seen to be exploited:

HKEY_CLASSES_ROOT\Unknown\shell\openas\command
HKEY_CLASSES_ROOT\Directory\Shell\"KeyName"\Command
HKEY_CLASSES_ROOT\Folder\shell\open\command
HKEY_CLASSES_ROOT\Folder\shell\explore\command
HKEY_CLASSES_ROOT\Drive\shell\find\command
HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command
HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

Some reading: ...

... and the default value data of the "Command" string value in:

HKEY_CLASSES_ROOT\.lnk\ShellNew
HKEY_CLASSES_ROOT\.bfc\ShellNew

See here

Also, in NT based systems the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts key can be used to associate a given file extension with another application. For example, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt. Click on .txt and in the right pane there will be a String Value named "Application". Modify its value to the name of the executable you want to use. No path, just Notepad.exe or EditPad.exe or Wordpad.exe etc. If there is no String Value named Application, create it. Now double-click a txt file, and it will be opened by the designated application. Likewise, malware could hack any subkey here in order to get itself to start when a file of that type is launched.

Some useful reading: Mastering File Types in Windows XP

An example of malware using this technique: http://www.avira.com...llfiles.ja.html

9. Icq Inet

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\

When ICQNET detects an Internet connection, ALL applications in this reg key are executed.

Examples of malware using this startup method:

10. Dosstart.bat (Win 95, 98)

This is a regular text format batch file.
It contains instructions identical to those contained in autoexec.bat, but there is one important difference: when it is executed. While autoexec.bat executes immediately upon boot-up, dosstart.bat executes only when you are running Windows 95/98 and select the "restart in MS-DOS mode" option from the shutdown menu. At that point Windows exits with instructions to reboot DOS but not the Windows interface, and DOS executes the dosstart.bat file, which typically loads a mouse driver, a CD-ROM driver, and possibly a couple of others.

11. Active Setup\Installed Components (all operating systems)

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe

HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe

This starts filename.exe BEFORE the shell and any other program normally started via the Run keys. Each time a NEW user logs in, the HKLM\Software\Microsoft\Active Setup\Installed Components\{GUID} entry will be compared with the same CurrentUser entry, and the command defined in the StubPath (can be anything) will be executed.

Examples of malware using this technique:

12. UserInit reg value (NT/2000/XP/Vista/7)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"

Executed when a user logs in. A path to a program can be added after the comma.

Examples of malware using this technique:

13. AppInit_DLLs (Windows NT 4.0/2000/XP/Vista/7)

Reg Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

The DLLs specified in this value are loaded into the process memory of processes that run after the Registry change has been made. Info: Working with the AppInit_DLLs Registry Value

Examples of malware using this technique:

14. RunOnce\Setup reg keys (all operating systems)

Normally used only by Setup.
A progress dialog box is displayed as the keys are run one at a time.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup
String Value > some program or file

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
String Value > some program or file

15. ShellServiceObjectDelayLoad (all operating systems)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Executed by Explorer.exe as soon as it has loaded. The layout of the values in that key is somewhat like the one in the Run key, only it points to the InProcServer for the CLSID instead of pointing to a file.

Examples of malware using this startup method:

16. Task Scheduler startup

Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed. A .job file describing the task is placed in the %WinDir%\Tasks folder (Vista+: %WINDIR%\Tasks\):

Example of malware using this technique: http://securityrespo....cone.d@mm.html

17. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (all operating systems)

DLLs referenced in this registry key are loaded at boot. For examples of malware using this autostart method, see here:

18. Policies Run keys (Win ME/NT/2000/XP/Vista/7)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\any subkey
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
String Value > path to some program or file

Examples of malware using this startup method:

19a. HKEY_CLASSES_ROOT\PROTOCOLS\Filter (all operating systems)

Not so much an autostart method as a location where some foistware registers a permanent filter in order to implement a hijack. Here's the Microsoft technical article on Pluggable MIME Filters

19b. HKEY_CLASSES_ROOT\PROTOCOLS\Handler (all operating systems)

Handlers can be registered for various protocols.

Examples of malware using this key:

20. Virtual Device Driver files (VXDs) in Win 9x systems

Loaded from System.ini ([386enh] section) and from the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\VxD

More info on VXDs here: The Windows 98 Startup Process

Examples of malware using this technique:

21. Services (NT based systems including Windows XP, Vista, Win7)

In the Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Many worms and trojans use this startup method as well:

Likewise, malware can compromise an existing service by modifying its ServiceDLL string value, so that the baddie is executed instead of the legitimate file once the service is started, as shown here

Related: In Win NT/2000/XP one can use the NT resource kit utility called AUTOEXNT (autoexec for NT). The AutoExNT service allows you to start a custom batch file, Autoexnt.bat, when you start a computer, without having to log onto the computer on which it will run. See: How to Run a Batch File Before Logging on to Your Computer

22. Layered Service Providers

Found in subkeys of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

Layered Service Providers (LSPs) are small pieces of software that can be added or inserted into the Windows TCP/IP handler chain by other software. Data outward bound from your computer to a legitimate destination on the Internet can be intercepted by an LSP and sent somewhere other than where you intend it to go. They are executed before user login.

Examples of malware implementing LSPs:

23. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW (Windows NT 4.0/2000/XP/Vista/7)

Defines the command line that runs when an MS-DOS-based application runs under Windows NT+. This command line continues to run until the related application is closed. The wowcmdline value there defines the command line that runs when a 16-bit Windows-based application is started.
The switches instruct Windows NT to start either an MS-DOS "VDM" (Virtual DOS Machine) or a WOW VDM.

More information: REG: CurrentControlSet Entries PART 3 and in this article

24. Screensaver startup (Windows NT 4.0/2000/XP/Vista/7)

HKEY_CURRENT_USER\Control Panel\Desktop
String value: SCRNSAVE.EXE = badfile.scr

Examples of malware using this technique:

In systems running Win 9x, the System.ini file is used:

[boot]
SCRNSAVE.EXE=badfile.exe

Example of malware using this technique: http://securityrespo...hllp.lassa.html

25. Config.nt and Autoexec.nt in Windows NT4/2000/XP

Files:
%SYSTEMROOT%\SYSTEM32\config.nt
%SYSTEMROOT%\SYSTEM32\autoexec.nt

See: http://www.esecurity...names-Files.htm

26. The BootExecute registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager (NT/2000/XP/Vista/7)

Contains the names and arguments of programs that are executed by Session Manager. Session Manager looks in the %WinDir%\system32 directory for the executables listed here.

Example of a trojan using this technique: http://www.sophos.co...jthemousea.html

Other values of interest in this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
"Execute"=
"SetupExecute"=
"S0InitialCommand"=

27. Winlogon\Notify (Win XP/2000/NT)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Another well known registry key, added to in order to tell Winlogon.exe which procedures to run during an event notification; a DLL referenced here will be executed in a SYSTEM-level process, regardless of whether a user logs in.

Examples of malware using this technique:

28. The "AutoRun" reg value in the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER\Software\Microsoft\Command Processor Registry keys (Windows NT 4.0/2000/XP/Vista/7)

When CMD.EXE starts, it looks for the above REG_SZ/REG_EXPAND_SZ registry values, and if either or both are present, they are executed first.

Examples of malware using this technique:

29. Script Policies (Win NT/2000/XP/Vista/7)

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts]
Startup = C:\winNT\system32\GroupPolicy\Machine\Scripts\Startup
Startup = C:\winNT\system32\GroupPolicy\User\Scripts\Logon

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts (Vista+)

Also, a logon script that only runs for a user when he or she connects to a Terminal Server through the Terminal Server client or by the console can be added by writing to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

30. GinaDLL (Win NT/2000/XP/7)

Windows NT is shipped to load and execute the standard Microsoft GINA DLL (MSGina.dll). To load a different GINA (Graphical Identification and Authentication dynamic-link library), a "GinaDLL" value in the following Registry key must be created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The GinaDLL value must contain the name of a GINA DLL, which Winlogon will then load and use.

An example of malware using this technique: http://www.sophos.co...e/trojgina.html

31. MPRServices (Win 95, 98, ME)

Somewhat analogously to the "Notify" subkey on NT systems, in Win 9x the following Registry key can be used to load a DLL:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\"Subkey"
DllName =
EntryPoint =
StackSize =

Examples:

32. "System" string value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (Windows NT 4.0/2000/XP/Vista/7)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"= "(Path to) Badfile.exe"

This value is present in Windows versions NT, 2000 and XP. It contains the list of executable files launched by Winlogon in the system context during system initialisation. This list can be varied by modification of this value.

Examples of malware using this technique:

33. VMApplet (Windows NT 4.0/2000/XP/Vista/7)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"VmApplet"=

This registry value stores the file which is launched by the Winlogon process to let the user adjust the virtual memory settings in case the system volume is missing the paging swap-file.
The file extension of the file name is not obligatory. The default value for it is "rundll32 shell32, Control_RunDLL "sysdm.cpl"".

34. Browser Helper Objects and other Internet Explorer add-ins and extensions, Browser pages

A Browser Helper Object or BHO is in effect a small program that runs automatically every time you start your Internet browser. Every time an instance of Internet Explorer is started, it looks in the registry for CLSIDs stored under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

If this key exists and there are CLSIDs listed under it, Internet Explorer will try to create an instance of each object listed as a subkey under this key.

Here's the authoritative MS article:

Examples of malware using this technique:

Other locations for IE add-ins, toolbars, extensions and related:

HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKCU\Software\Microsoft\Internet Explorer\Extensions
HKLM\Software\Microsoft\Internet Explorer\Extensions

In addition, Explorer Bars are registered in one of the following registry keys:

HKCU\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021493-0000-0000-C000-000000000046} (vertical Explorer Bar)
HKCU\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021494-0000-0000-C000-000000000046} (horizontal Explorer Bar)

Browser pages:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"=
"CustomizeSearch"=
"Default_Search_URL"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=
"Local Page"=
"Start Page"
"Start Page_bak"=-
"HOMEOldSP"=-
"Default_Search_URL"
"Search Page"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=
"Local Page"=
"Start Page"
"Start Page_bak"=-
"HOMEOldSP"=-
"Search Page"
"Search Bar"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"
"Search Bar"
"Use Custom Search URL"=

35. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key (Windows NT/2000/XP)

A subkey can be added to this regkey with the name of a legitimate application, for example Explorer.exe. In the Explorer.exe subkey create a string value called Debugger, its value data containing the path to a file, say "%Windows%\baddie.exe", and baddie.exe will be executed every time an instance of explorer.exe is launched.

Examples of malware using this method:

36. ContextMenuHandlers, CopyHookHandlers, DragDropHandlers

When a user right-clicks a "Shell object", its context menu is displayed. A context menu handler is a Component Object Model (COM) object that adds commands to such a context menu. A well known example is the "Open With" context menu entry when right-clicking a file. In the Registry it looks as follows:

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

The {09799AFB-AD67-11d1-ABCD-00C04FC30936} Class ID refers to a subkey of the same name in HKEY_CLASSES_ROOT\CLSID, whose InProcServer subkey holds the path to the context handler's DLL, in this case Shell32.dll.

Recently this method has also been seen used by malware, for example the Qoologic trojan:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\
@="{f1445181-385e-4b9f-ba55-4fec86b25d01}"

The InProcServer subkey of HKEY_CLASSES_ROOT\CLSID\{f1445181-385e-4b9f-ba55-4fec86b25d01} will show the path to the 'rogue' DLL that's loaded into memory.

Other ContextHandler keys:

HKEY_CURRENT_USER\Software\Classes\\ShellEx\ContextMenuHandlers
HKEY_CURRENT_USER\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKEY_CURRENT_USER\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKEY_CURRENT_USER\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKEY_CURRENT_USER\Software\Classes\*\ShellEx\ContextMenuHandlers
HKEY_CURRENT_USER\Software\Classes\AllFilesystemObjects\ShellEx\ContextMenuHandlers

Further examples of malware making use of this launch point:

Other related keys:

HKCU\Software\Classes\*\shellex\CopyHookHandlers
HKCU\Software\Classes\*\shellex\DragDropHandlers
HKCU\Software\Classes\*\shellex\PropertySheetHandlers
HKCU\Software\Classes\AllFilesystemObjects\shellex\CopyHookHandlers
HKCU\Software\Classes\AllFilesystemObjects\shellex\DragDropHandlers
HKCU\Software\Classes\AllFilesystemObjects\shellex\PropertySheetHandlers
HKCU\Software\Classes\Directory\shellex\CopyHookHandlers
HKCU\Software\Classes\Directory\shellex\DragDropHandlers
HKCU\Software\Classes\Directory\shellex\PropertySheetHandlers
HKCU\Software\Classes\Directory\Background\shellex\CopyHookHandlers
HKCU\Software\Classes\Directory\Background\shellex\DragDropHandlers
HKCU\Software\Classes\Directory\Background\shellex\PropertySheetHandlers

37. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks registry key (all operating systems)

The ShellExecuteHooks registry key contains the list of the COM objects (usually DLLs) that trap execute commands. The value name equals the GUID (CLSID) of the COM object in question.

Some technical reading on the subject:

Examples of malware using this technique:

38. The 'Taskman' string value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (Windows NT 4.0/2000/XP/Vista/7)

This value, not installed by default, can be used to launch Task Manager, see here: Have Ctrl-Esc Start Task Manager. You can replace Taskman.exe by any application, and it will be executed at boot!

Examples of malware using this autostart method:

39. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager registry key

The Utility Manager can be configured to start accessibility programs on Windows startup, so a trojan could be slipped in here by altering the Application path and setting the "Start with..." field, in the way a legitimate application like Magnify.exe is shown to be registered in this example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Magnifier]
"Application path"="Magnify.exe"
"Application type"=dword:00000001
"Start with Utility Manager"=dword:00000001
"Start with Windows"=dword:00000001

Example of malware using this launch method:

In Windows Vista+ the following key is used:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration

40. ColumnHandlers

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_CURRENT_USER\SOFTWARE\Classes\Folder\shellex\ColumnHandlers

Basically this is a Shell Extension Handler called by Explorer in order to extend the Details view of a file system folder. Here's the Microsoft technical article on the subject. However, it has recently come to be used as another loading point for malware, notably some recent variants of the Qoologic trojan. It will add a subkey here whose default value data tracks back to the rogue DLL.

See here: http://www.sophos.co...jqoolaidan.html

41. The UseAlternateShell value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option subkey (Win ME/NT/2000/XP/Vista)

At boot UserInit.exe checks the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option subkey. If a value UseAlternateShell is present with its value data set to "1", Userinit runs the program specified as the user's shell in the AlternateShell value in HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot rather than executing Explorer.exe. Therefore, if malware creates this UseAlternateShell value and sets it to "1", it can modify AlternateShell to run any program at startup. When this program is executed it can run explorer.exe to load the shell, and the user will never know about the trojan.

Example of malware using this technique:

42. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders (all Windows versions)

ALL DLLs listed in the SecurityProviders string value in this key are loaded by Windows at startup!

An example of malware using this technique:

43. Autorun.in files

Although the great majority of flash drives do not automatically autorun on insertion, the addition of an autorun.inf file can cause them to spread infection. Accessing an infected flash drive through My Computer (clicking on the drive) will cause that autorun.inf to run. If the autorun.inf is written a certain way, when the autoplay screen comes up on insertion, the user can be tricked into running a nasty file. By clicking an icon in the "use this program to run..." dialog, a non-legit program added to the autorun.inf file on that drive can be run:

shell\open\command=trojan.exe

At least as insidiously, some malware add autorun.inf files

Examples of malware using these techniques:

Sometimes (the Virus.Win32.Small.k aka W32/Autom-A worm is a case in point), "MountPoints" subkeys are compromised:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints (Win 9x, Windows 2000)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (Windows XP)

Example from an infected registry:

[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\AutoRun\command]
@="C:\\"

[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\explore\Command]
@="WScript.exe .\\autorun.vbs"

[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\open\Command]
@="WScript.exe .\\autorun.vbs"

Here, an infector file (Autorun.vbs) is placed in the root of drive C, and this file gets executed whenever the user either double-clicks on drive C, or right-clicks the drive and chooses 'Explore'.

Another example: http://www.securelis...tions/old151255

44. App Paths

One major purpose of the "App Paths" registry key is to map the name of an application's executable file to the file's fully qualified path. An App Paths subkey for a particular application (in this case iexplore.exe) will look something like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE]
@="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
"Path"="C:\\Program Files\\Internet Explorer;"

As a result one can type in the "Run" dialogue box without including the full path, and an instance of Internet Explorer will be started. Malware could alter a file path by pointing it to itself, so that "trojan.exe" would be launched instead of the original application!

Some examples of malware using this technique:

45. Print Monitors (all operating systems)

The "driver" string value in a subkey of the following Registry key defines the DLL filename for the appropriate print monitor:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors

This too can be a launch point used by malware; example:

46. LSA Authentication, Notification and Security Packages (Win ME/NT/2000/XP/Vista)

Lsass.exe, the "Local Security Authentication Server", generates the process responsible for authenticating users for the Winlogon service. At system startup, the LSA will load the authentication package DLLs referenced in the following registry value:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

A recent variant of Virtumonde/Vundo malware adds to this registry value in order to load a DLL into memory:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0

Other REG_MULTI_SZ values to watch in this registry key are:, which specifies the DLLs that are loaded or called when passwords are set or changed. Again, currently used by a Vundo variant:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli

, containing the path to the security package DLL loaded into memory

47. "UIHost" string value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

This value data specifies the path to the DLL implementing the Welcome screen, the default being logonui.exe. A rogue application could be substituted here.

48. The AeDebug registry key (Windows NT/2000/XP/Vista/7)

The "AeDebug" key allows one to specify a debugger to be invoked in the event of an application crash:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
"auto"="1"
"debugger"="file.exe"

Various malware write to it, specifying a rogue executable as debugger:

49. Session Manager\SubSystems (Windows NT/2000/XP/Vista/7)

During the boot process smss.exe, the Session Manager, among other things loads the subsystems defined in the following Registry key:

HKEY_Local_Machine\System\CurrentControlSet\Control\Session Manager\SubSystems

The typical value data for the "Windows" REG_EXPAND_SZ registry value in this key is shown in the CODE block under item 49 in the list above. Recently malware has appeared on the scene that replaces the default basesrv.dll server DLL in order to load a rogue DLL into memory:

Also see here

50. ShellIconOverlayIdentifiers (Windows 98/ME/NT/2000/XP/Vista/7)

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

Legitimate software can create a subkey here in order to implement a shell icon overlay identifier. Malware can of course do this just as well, for example as in the CODE block under item 50 in the list above. The default value data of HKEY_CLASSES_ROOT\CLSID\{11111111-1234-1234-1234-111111111111}\InProcServer32 would then point to a rogue DLL to be loaded into memory.

Example of malware using this launch point:

51. Drivers32/Audio and Video Codecs (Windows NT/2000/XP/Vista/7)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
"midi1"=
"midi2"=
"wave1"=
"wave2"=
"mixer1"=
"mixer2"=
"aux1"=
"aux2"=

String values in this registry key define the DLLs related to audio and video codecs, a mechanism that is gaining popularity as a way for malware to gain automatic execution.

Also see this ThreatExpert Report

52. BootVerificationProgram (Windows NT/2000/XP/Vista/7)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
"ImagePath"=

The BootVerificationProgram subkey stores data about custom startup verification programs, see here. The "ImagePath" REG_EXPAND_SZ value could specify the path
to a rogue executable.(Windows NT/2000/XP/Vista+)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\ChkDskPath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppathHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPathThe default value in each of these registry keys contains the path to the default application Windows uses for the purpose in question. These could be substituted by rogue applications.(Vista/7)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider FiltersHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential ProvidersCan be used to deploy a custom credential provider. See Custom Login Experiences: Credential Providers in Windows Vista (XP/Vista/7)AutoPlay Handlers for various events, for example when right-clicking a CD drive or removable drive, are found in:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\HandlersExample of malware misusing this registry key:(Win7)HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceControlManagerExtension (Thank you, Silent Runners' Andrew Aronoff)(Windows NT/2000/XP/Vista/7)A dll registered within the AppCertDlls subkey of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager will be loaded into every process as soon as it attempts to start another process using the kernel32!CreateProcess() API function.Examples of malware writing to this key:
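Two of the tricks from the autorun item above, the hijacked Shell\<verb>\command values under the user's MountPoints2 key and the open=/shellexecute=/shell\...\command= lines of an autorun.inf file, checked from the user's side. This is an added example and not code from the original post; it assumes Windows PowerShell 3.0 or later, the key and file names are the ones quoted above, and the parsing rules are this example's own. (Microsoft later stopped honouring autorun.inf on non-optical removable media with update KB971029, but MountPoints2 verbs and autorun.inf files on fixed drives are unaffected by that update.)

```powershell
# Added example (not from the original post): list per-volume Shell verbs hijacked
# under MountPoints2 and parse any autorun.inf found on the root of a mounted drive.
# Assumes Windows PowerShell 3.0+; key and file names are those quoted in the post.

function Get-MountPointVerbs {
    # Clean volumes have no Shell subkey under their MountPoints2 entry at all, so
    # every <volume>\Shell\<verb>\command default value returned here is suspect.
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    foreach ($vol in Get-ChildItem -Path $mp -ErrorAction SilentlyContinue) {
        foreach ($verb in Get-ChildItem -Path "$($vol.PSPath)\Shell" -ErrorAction SilentlyContinue) {
            $cmd = (Get-ItemProperty -Path "$($verb.PSPath)\command" -ErrorAction SilentlyContinue).'(default)'
            if ($cmd) {
                [pscustomobject]@{ Volume = $vol.PSChildName; Verb = $verb.PSChildName; Command = $cmd }
            }
        }
    }
}

function Get-AutorunInfCommands([string]$Path) {
    # Returns the actions Explorer/AutoPlay may execute from the [autorun] section(s):
    # open=, shellexecute= and shell\<verb>\command= (the post's shell\open\command=trojan.exe).
    $section = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1].ToLowerInvariant(); continue }
        # [autorun.amd64]-style sections count too; comments start with ';'
        if ($section -notlike 'autorun*' -or $t.StartsWith(';') -or $t -notmatch '=') { continue }
        $name, $value = $t -split '=', 2
        $name = $name.Trim().ToLowerInvariant()
        if (($name -in @('open', 'shellexecute')) -or ($name -match '^shell\\[^\\]+\\command$')) {
            [pscustomobject]@{ File = $Path; Key = $name; Command = $value.Trim() }
        }
    }
}

Get-MountPointVerbs | Format-Table -AutoSize
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
        Get-AutorunInfCommands $inf | Format-Table -AutoSize
    }
}
```

MountPoints2 lives under HKCU, so run this as the user you are investigating, or load that user's NTUSER.DAT under HKU and point $mp at it. Malware usually drops autorun.inf with the hidden and system attributes set; Get-Content reads it regardless, but a directory listing will not show it unless you ask for hidden files.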
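The items from App Paths down to AppCertDlls all come down to the same question: which file does the registry value actually point at, and is it the file Windows shipped? This added example (not the post's own code) walks those launch points in one pass, reduces each value to the module it references, and reports anything that is missing or does not carry a valid Authenticode signature. The key paths are the ones quoted above; the command-line extraction rules and the "known default" LSA package lists (XP/Vista/7 era; later Windows versions ship different lists) are this example's own assumptions.

```powershell
# Added example (not from the original post): resolve and signature-check the modules
# named by the launch points quoted above. Extraction rules and the LSA defaults are
# this example's assumptions; the registry paths are the ones given in the post.
$cv  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$nt  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ctl = 'HKLM:\SYSTEM\CurrentControlSet\Control'

function Resolve-Module([string]$Spec, [string]$Ext = '.dll', [string]$Dir = "$env:SystemRoot\System32") {
    # Reduce a value such as  "C:\x\y.exe" -p %ld  /  basesrv  /  msv1_0  to the file it refers to.
    # An unquoted path containing spaces cannot be split reliably (the old "unquoted path"
    # ambiguity); such values are truncated at the first space and will show as MISSING.
    $s = [Environment]::ExpandEnvironmentVariables($Spec.Trim())
    if ($s.StartsWith('"'))                                          { $s = $s.Split('"')[1] }
    elseif ($s -match '^(\S+\.(exe|dll|drv|scr|cpl|msc))(\s|$)')      { $s = $Matches[1] }
    elseif ($s -match '^(\S+)\s')                                     { $s = $Matches[1] }
    if (-not [IO.Path]::HasExtension($s)) { $s += $Ext }        # bare names like msv1_0 or drwtsn32
    if (-not [IO.Path]::IsPathRooted($s)) { $s = Join-Path $Dir $s }
    return $s
}

function Report([string]$Source, [string]$Spec, [string]$Ext = '.dll') {
    if (-not $Spec) { return }
    $file = Resolve-Module $Spec $Ext
    $sig  = if (Test-Path -LiteralPath $file) { Get-AuthenticodeSignature -FilePath $file }
    [pscustomobject]@{
        Source = $Source; Entry = $Spec; File = $file
        Status = if ($sig) { [string]$sig.Status } else { 'MISSING' }
        Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$report = & {
    # App Paths: the default value should name the executable the subkey itself is named after
    foreach ($k in Get-ChildItem "$cv\App Paths") {
        $def = (Get-ItemProperty $k.PSPath).'(default)'
        $r = Report "App Paths\$($k.PSChildName)" $def '.exe'
        if ($r -and [IO.Path]::GetFileName($r.File) -ne $k.PSChildName) { $r.Status += ' NAME-MISMATCH' }
        $r
    }
    # Print monitors: "Driver" names a DLL the spooler loads from System32
    foreach ($k in Get-ChildItem "$ctl\Print\Monitors") {
        Report "Print\Monitors\$($k.PSChildName)" (Get-ItemProperty $k.PSPath).Driver
    }
    # LSA package lists are REG_MULTI_SZ of bare DLL names; flag anything beyond the usual defaults
    $lsa   = Get-ItemProperty "$ctl\Lsa"
    $known = @{ 'Authentication Packages' = @('msv1_0'); 'Notification Packages' = @('scecli')
                'Security Packages' = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u') }
    foreach ($v in $known.Keys) {
        foreach ($e in @($lsa.$v)) {
            $r = Report "Lsa\$v" $e
            if ($r -and $known[$v] -notcontains $e.Trim()) { $r.Status += ' NOT-DEFAULT' }
            $r
        }
    }
    # AeDebug: post-mortem debugger command line, executable first
    Report 'AeDebug\Debugger' (Get-ItemProperty "$nt\AeDebug").Debugger '.exe'
    # SubSystems\Windows: csrss command line; each ServerDll=name[:entry],n is a DLL csrss loads
    $win = [string](Get-ItemProperty "$ctl\Session Manager\SubSystems").Windows
    Report 'SubSystems\Windows' $win '.exe'
    foreach ($m in [regex]::Matches($win, 'ServerDll=([^:,\s]+)')) { Report 'SubSystems\Windows ServerDll' $m.Groups[1].Value }
    # Shell icon overlays: the subkey default is a CLSID; that CLSID's InProcServer32 default is the DLL
    foreach ($root in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
        $ov = "$root\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"
        foreach ($k in Get-ChildItem $ov -ErrorAction SilentlyContinue) {
            $clsid = (Get-ItemProperty $k.PSPath).'(default)'
            $dll   = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32" -ErrorAction SilentlyContinue).'(default)'
            Report "ShellIconOverlayIdentifiers\$($k.PSChildName) ($clsid)" $dll
        }
    }
    # Drivers32 and AppCertDlls: every value of the key (the PS* properties are provider noise) is a module
    foreach ($key in "$nt\Drivers32", "$ctl\Session Manager\AppCertDlls") {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($pv in $props.PSObject.Properties) {
                if ($pv.Name -notlike 'PS*') { Report "$(Split-Path $key -Leaf)\$($pv.Name)" $pv.Value }
            }
        }
    }
    # Single-path values
    Report 'BootVerificationProgram\ImagePath' (Get-ItemProperty "$ctl\BootVerificationProgram" -ErrorAction SilentlyContinue).ImagePath '.exe'
    foreach ($n in 'BackupPath', 'ChkDskPath', 'cleanuppath', 'DefragPath') {
        $def = (Get-ItemProperty "$cv\Explorer\MyComputer\$n" -ErrorAction SilentlyContinue).'(default)'
        Report "MyComputer\$n" $def '.exe'
    }
}
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell; the 32-bit view of the registry (Wow6432Node) is not walked. Treat the output as a list of candidates, not verdicts: third-party products legitimately register print monitors, overlay handlers and codecs, and a valid signature only tells you who signed the file. On XP/Vista/7 the older Windows PowerShell releases do not consult catalog files, so catalog-signed OS binaries show up as NotSigned there; compare the list against a known-clean machine of the same build, or re-check those files with Sysinternals sigcheck.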

Edited by TonyKlein, 27 November 2010 - 01:02 PM.