Beyond good ol’ Run key, Part 39

Posted on by

In my previous post in this series I talked about the Logon scripts. This nice concept of being able to run some code when system-wide, or user-wide events happen is very useful in a managed environment.

The Logon event is one of a number of events that can be recognized by the system and as a response, an appropriate script can be executed. Other events include Logoff, Startup and Shutdown events. Apart from the already described mechanism, one can rely on Group Policies and use GPEDIT.MSC to set up event-aware scripts on the local system.

For example:

  • Startup and Shutdown

pic1

  • Logon and Logoff

pic2

(note, the screenshots are from XP cuz it’s holiday and I am lazy, but same applies to newer versions of Windows)

Once the appropriate Event is selected f.ex. Startup:

pic3

We can add the script using a dialog box:

pic4

We can also repeat the sequence and add a number of scripts:

pic6

The system stores the scripts in the following location:

  • c:\WINDOWS\System32\GroupPolicy\Machine\Scripts

pic5

Inside the folder we can see the following files:

  • The config file:
    • c:\WINDOWS\System32\GroupPolicy\Machine\Scripts\scripts.ini
  • and our scripts:
    • c:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup\Startup1.bat
    • c:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup\Startup2.bat
    • c:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown1.bat
    • c:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown2.bat

Note: I have added 2 scripts for each event.

The content of the files is as follows:

pich

And the same story for Logon/Logoff events:

  • The config file:
    • c:\WINDOWS\System32\GroupPolicy\User\Scripts\scripts.ini
  • and our scripts:
    • c:\WINDOWS\System32\GroupPolicy\User\Scripts\Logoff\Logoff1.bat
    • c:\WINDOWS\System32\GroupPolicy\User\Scripts\Logoff\Logoff2.bat
    • c:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\Logon1.bat
    • c:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon\Logon2.bat

with the content as follows:

picf
If we restart the computer now (making all the events happen: Logoff, Shutdown, Startup, Logon), we can observe that our scripts are all executed one by one – as indicated by the ‘trace’ files created by each script:

piceI also temporarily modified the startup script to pause before continuing – just to show that the scripts are executed by userinit.exe:

pic8

Trivia fact: while preparing the post I noticed that an old autoruns present on my test VM shows some of the scripts incorrectly i.e. under the HKLM\…\Run key:

picj

The latest version works like a charm… or not 🙂 – note that scripts are duplicated and Logoff event shows 6 entries instead of 2:

picmIf in doubt, we can always visit the Registry entries where the information about these 4 events is stored:

picl

pick

Inspecting the Registry entries we can notice that the …\Scripts\Logon\<number>\FileSysPath properties can be modified:

picr

In my case I modify it to c:\test and I am recreating the Logon/Logoff scripts folder structure there:

pico

Luckily, autoruns picks it up too:

picp

Last, but not last – if such entries already exist on the system, an attacker could simply append some commands to existing scripts, or hijack execution of existing commands using many of existing tricks (f.ex. path interception, path companion, etc.).