Beyond good ol’ Run key, Part 67

October 21, 2017 in Anti-*, Autostart (Persistence), Compromise Detection, Forensic Analysis

New versions of Windows are shipped with an on-screen keyboard that – amongst other features – allows us to enter the text in a handwritten form:

The task of handwritten text analysis and input training is ‘outsourced’ to dedicated libraries that are loaded from the following locations in the Registry:

  • HKLM\SOFTWARE\Microsoft\TPG\System Recognizers
  • HKLM\SOFTWARE\Microsoft\TPG\Recognizers

Adding an entry that replaces an entry for e.g. English:

leads to the library being loaded anytime the TabTip.exe process is executed (one that presents the ‘tablet’ to handwrite on):

For what its worth, my test DLL broke the handwriting input as it doesn’t do any proxy work.

Probably not the most used feature on your desktop computer, but it could work on many tabletish computers in Asia where ideograms and other complex characters are commonly used (plus users use handwriting input a lot!).


Comments are closed.