Beyond good ol’ Run key, Part 70

December 30, 2017 in Anti-*, Anti-Forensics, Archaeology, Autostart (Persistence), Forensic Analysis, Incident Response, Malware Analysis

Back in early 2000s shell extensions and desktop enhancers were very popular. Some of these ideas survived till today and even now one can either use pre-installed ones, or install new deskbands on the system.

There are many coders who already did a great job explaining what desk bands are and how to implement them, so instead of pretending that I know what I am talking about, I will just suggest that you read this great article ‘Shell Extensibility – Explorer Desk Band, Tray Notification Icon et al.‘ by Alex Blekhman. When you run the Calendar.exe that is attached to the article you will then have an option to make the calendar present as a Deskband

Interestingly enough, as far as I can tell Autoruns still doesn’t detect them.

To find out where the information about deskbands and other Explorer extension bars is stored in Registry you can read this article.

If you are in a hurry, just need to enumerate Registry and look for all CLSIDs with the Implemented Categories\ key with the following deskband identifiers set:

DeskBand
{00021492-0000-0000-C000-000000000046}

VerticalBand 
{00021493-0000-0000-C000-000000000046}

HorizontalBand 
{00021494-0000-0000-C000-000000000046}

e.g.:

HKLM\SOFTWARE\Classes\CLSID\...\
Implemented Categories\{00021492-0000-0000-C000-000000000046}

Additionally, it may be worth checking the following key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Discardable\PostSetup\Component Categories\...\Enum

This is where Explorer stores cached information about explorer bar objects.

Share this :)

Comments are closed.