Beyond good ol’ Run key, Part 92
October 11, 2018 in Anti-Forensics, Autostart (Persistence)
This is an old one, but I realized I have never covered it: Winlogon GP Extensions.
The key is located here:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{GUID}\DllName=<DLL>
Again, it’s an oldie, and it’s supported by many startup enumeration programs, e.g. Autoruns. Some websites list a number of known extensions, e.g. here.
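A read-only audit of this location, as an added example that is not from the original post: it lists each GUID subkey's DllName, resolves it to a full path, and reports whether the file exists, its Authenticode status, and whether it lives outside System32. Resolving bare file names against System32 is an assumption of this example.

```powershell
# Added example (not from the original post): enumerate Winlogon GP Extensions
# and surface entries worth a closer look. Reads the registry only; changes nothing.
$base  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$sys32 = Join-Path $env:SystemRoot 'System32'

$report = Get-ChildItem -Path $base -ErrorAction Stop | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    $dll   = $props.DllName
    if (-not $dll) { return }          # GUID subkey without a DllName value: skip

    # DllName may hold %SystemRoot%-style variables or just a bare file name.
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not [IO.Path]::IsPathRooted($path)) {
        # Assumption of this example: bare names are resolved against System32.
        $path = Join-Path $sys32 $path
    }

    $exists = Test-Path -LiteralPath $path -PathType Leaf
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }

    [pscustomobject]@{
        Guid            = $_.PSChildName
        Name            = $props.'(default)'     # friendly name, if the key has one
        DllName         = $dll
        ResolvedPath    = $path
        Exists          = $exists
        SignatureStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Signer          = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
        OutsideSystem32 = -not $path.StartsWith("$sys32\", [StringComparison]::OrdinalIgnoreCase)
        LastWriteUtc    = if ($exists) { (Get-Item -LiteralPath $path).LastWriteTimeUtc } else { $null }
    }
}

# Triage view: missing files, non-Valid signatures, or DLLs outside System32 first.
$report |
    Sort-Object @{ Expression = {
        (-not $_.Exists) -or $_.OutsideSystem32 -or ($_.SignatureStatus -ne 'Valid')
    }; Descending = $true }, Guid |
    Format-Table Guid, Name, ResolvedPath, Exists, SignatureStatus, OutsideSystem32 -AutoSize
```

The flags are triage hints, not verdicts: compare the output against a known-good baseline from a clean build of the same Windows version.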