Scanning the Windows files for possible persistence mechanisms I came across a few interesting strings inside the Natural Language Development Platform 6 library (NaturalLanguage6.dll):
- StemmerDLLPathOverride
- WBDLLPathOverride
- StemmerClass
- WBreakerClass
Quick google exercise followed and I found this post in Russian that explains that these are actual Registry entries – by changing them the author was able to use Russian morphology modules for searches on Sharepoint.
Cool.
Now that I had an idea what it is, I was curious if the entries are used on Windows 10.
Procmon with boot logging enabled confirmed that it is the case – the C:\WINDOWS\system32\SearchIndexer.exe process looks for the DLLOverridePath entries under the following locations (language may vary on non-English OS versions):
- HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_UK
- HKLM\System\CurrentControlSet\Control\ContentIndex\Language\English_US
- HKLM\System\CurrentControlSet\Control\ContentIndex\Language\Neutral
Since the overridden locations are loaded via LoadLibrary, it is yet another persistence location to look at.