
Beyond good ol’ Run key, Part 83

August 4, 2018 in Autostart (Persistence)

If you have ever downloaded a file using IE, Firefox, Chrome or Thunderbird, you may have seen a message from the program telling you that the downloaded file is being scanned by the antivirus program. The way the scanning works on Windows is quite simple: the programs use the IOfficeAntiVirus and IAttachmentExecute interfaces. These in turn rely on Registry entries for COM objects that implement the ‘antivirus’ category and advertise it by adding ‘tags’ under their respective CLSID entries.

The ‘tag’ for IOfficeAntiVirus is the GUID {56FFCC30-D398-11D0-B2AE-00A0C908FA49}. For example, the ‘Windows Defender IOfficeAntiVirus implementation’ has the following Registry entry:

  • HKCR\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}
    • (Default) = Windows Defender IOfficeAntiVirus implementation
    • Implemented Categories
      • {56FFCC30-D398-11D0-B2AE-00A0C908FA49}

When the IOfficeAntiVirus::Scan method is called by one of these programs (or internally via IAttachmentExecute), the system enumerates the Registry, collects information about all components implementing IOfficeAntiVirus, and caches it under the following location:

  • HKCU\Software\Microsoft\Windows\PostSetup\Component Categories\

and its 64-bit version equivalent:

  • HKCU\Software\Microsoft\Windows\PostSetup\Component Categories64\

It then instantiates them and calls the Scan method on each one in turn. Registry enumeration is quite slow, so the caching mechanism (obviously) speeds things up; as a result, any newly added component should always delete this cache to ensure it is picked up the next time the Scan method is called.

The topic is very old, and there are tons of descriptions, discussions, and actual sample code snippets available online, but it’s always worth documenting possible persistence mechanisms.


  • Source code showing how to implement an IOfficeAntiVirus component can be found here.
  • A good discussion of both interfaces (IOfficeAntiVirus and IAttachmentExecute) with regard to Firefox can be found here.
  • The Firefox source code that uses these interfaces can be found here.
  • A good discussion of the interfaces, their internals and their impact on Chrome development can be found here.

And in case it’s not obvious yet, a custom component implementing IOfficeAntiVirus interface could act as a very persistent ‘antivirus’ 🙂
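Since any class that advertises the category GUID above gets loaded by every download-scanning program, a defender's first question is "which CLSIDs carry that tag, and where do their DLLs live?". The script below is an added example (not code from the post or from any of the linked projects): it parses a .reg export of HKCR\CLSID, lists every class tagged with the IOfficeAntiVirus category, and flags servers whose InprocServer32 path is outside the usual system directories. The sample export, the made-up CLSID {AAAAAAAA-…-000000000001}, the DLL paths and the TRUSTED_DIRS list are all constructed for the example.

```python
import re
from collections import defaultdict

# Category GUID that marks a COM class as an IOfficeAntiVirus implementation (from the post).
CATID_OFFICE_ANTIVIRUS = "{56FFCC30-D398-11D0-B2AE-00A0C908FA49}"
# Directories a scanner DLL is normally expected to live in (assumption); anything else is worth a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed .reg export (not taken from a real machine): the Defender CLSID named in the
# post plus a made-up class whose server DLL sits in a user-writable directory.
SAMPLE_REG = r"""[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}]
@="Windows Defender IOfficeAntiVirus implementation"
[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
[HKEY_CLASSES_ROOT\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32]
@="C:\\Program Files\\Windows Defender\\MpOav.dll"
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}]
@="Totally Legit AV"
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}]
[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\bob\\AppData\\Roaming\\av.dll"
"""

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; '@' is the default value."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current]  # register the key even when it carries no values
        elif current and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith('"'):  # string data: strip quotes, unescape backslashes
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name.strip('"')] = data
    return keys

def find_antivirus_coms(keys):
    """Return (clsid, name, dll, trusted) for every class advertising the antivirus category."""
    pat = r"HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]+\})\\Implemented Categories\\(\{[0-9A-F-]+\})"
    found = []
    for path in list(keys):
        m = re.fullmatch(pat, path, re.I)
        if m and m.group(2).upper() == CATID_OFFICE_ANTIVIRUS:
            base = "HKEY_CLASSES_ROOT\\CLSID\\" + m.group(1)
            dll = keys.get(base + "\\InprocServer32", {}).get("@", "")
            found.append((m.group(1), keys.get(base, {}).get("@", ""), dll,
                          dll.lower().startswith(TRUSTED_DIRS)))
    return found
```

On a real system, export HKCR\CLSID with `reg export` and feed the file to `find_antivirus_coms(parse_reg(open(path).read()))`; the same walk is worth repeating on the Component Categories cache keys the post mentions, since a stale cache entry can outlive the CLSID it points to.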

Beyond good ol’ Run key, Part 82

July 29, 2018 in Anti-*, Autostart (Persistence)

This is just an addendum to my previous post. I’ve been reading more about what other UI enhancements Windows Explorer offers with regard to menus and found one more interesting bit that is worth documenting. Again, nothing groundbreaking (and the more I read online the more I find out that it was actually discussed a lot before), but who knows… maybe one day this knowledge will come in handy…

The Shell has menu entries for the ‘usual’ right click and for SHIFT+right click. The latter is defined by the presence of the ‘Extended’ value under the key, e.g.:

  • HKCR\Directory\shell\cmd
    • @="@shell32.dll,-8506"
    • "Extended"=""
    • "HideBasedOnVelocityId"=dword:00639bc8
    • "NoWorkingDirectory"=""

One can ‘force’ the menu to appear on a plain right click by removing the ‘Extended’ value (you can see it on the screenshot below, where I removed that entry and the command appears on the menu).

Then there is one more interesting bit: we can add menu items that show up only when the user clicks the ‘white’ space of an opened folder. This is pretty cool, as we can add both right click and extended right click menus there as well, and users right click on that white space a lot. A little persuasion, and they may actually click our entry.

For the RIGHT click, all we have to do is to add this data to the Registry:

  • HKCR\Directory\Background\shell\test
    • @="Launch Chrome"
  • HKCR\Directory\Background\shell\test\command
    • @="c:\\windows\\system32\\calc.exe"

For the SHIFT+RIGHT CLICK we just need to add the ‘Extended’ value.

With no ‘Extended’ value for the ‘Launch Chrome’ menu item, and with the ‘Extended’ bit removed for ‘Open command window here’, the result will look like this:

Again, this particular menu is activated ONLY when the user right clicks on the folder’s white space (‘background’).

This MSDN post provides some more details, as does this discussion on StackOverflow.