There are still many Windows persistence mechanisms that are not described properly and my mission is to cover it all.
Some of these mechanisms may be seen as archaic, unusual, or ‘there is no way it affects me’, but the reality is that with the gazillions of Windows installs worldwide, with the gazillion of random software installs on top of the main OS, we better do a good job in describing persistence mechanisms that are kinda niche, yet may still affect lots of people.
The old Xerox libraries include an interesting export function: XRTLLoadDebugger.
When it’s executed, it tries to load a DLL from one of these locations:
I decided to add this post to this old series, but the scope of this post is – as you will find out soon – much wider.
You will find servercoreshell.exe program to be present on both Windows Server 2022 and 2025. It is an interesting binary, because it does a lot of stuff that, well… makes it interesting!
When you execute it, it displays the following screen:
I have not explored these options.
Because… the far more interesting things happen under the hood. If you start Process Monitor before you execute servercoreshell.exe program and then look at the events collected during a single test session you will find out that some of them are… well.. interesting!
It accesses a lot of interesting Registry locations, including:
And that HKLM\SOFTWARE\Microsoft\ServerCore\Shell Launcher\Shell is a DEFAULT persistent location that allows me to put this post in the Beyond good ol’ Run key series:
For starters, we can modify the content of the file c:\WINDOWS\System32\servercoreshelllaunch.bat. We can also change the value of the Registry entry that shell points to. Then the only remaining bit is to ensure the servercoreshell.exe program is executed at some time during system start, or after user logs in.
Bad news though — need Trusted Installer rights for that.
Still, this single program runs through many ‘shell’ initialization routines that Windows Symbols describe as:
ProcessHKLMRunOnce
_RunStartupGroup
ProcessPackagedStartupTasks
ProcessRun6432
LaunchCustomShellAndWait
During my tests, I played around and pointed some of the aforementioned registry settings to calculator, notepad, etc. and I discovered that the servercoreshell.exe program often goes into a never-ending loop. When you launch it, then kill the main window, it will just continue to spawn its own copies. And when I set shell value to a randomly named user under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerCore\Shell Launcher\Users\Domain\<user>\Shell to calculator, I ended up with a never-ending loop of new Calculator instances being spawn:
I suspect it’s a little buggy…
I also believe the servercoreshell.exe program is related to this documented Shell Launcher feature:
Shell Launcher is a Windows feature that you can use to replace the default Windows Explorer shell (Explorer.exe) with a Windows desktop application or a Universal Windows Platform (UWP) app. This feature is useful for creating a custom user experience on devices that are used for a specific purpose, including kiosks, ATMs, and digital signage.
Installing the latter on Windows 11 introduces a slightly different executable to the system though: ShellLauncherConfig.exe and the shell keys it relies on are located in a different place too:
