Beyond good ol’ Run key, Part 105

May 29, 2019 in Anti-Forensics, Autostart (Persistence)

Windows Installer is a pretty complex software that helps to install software packages in a safe, and predictable way – offering at the same time a chance to undo/rollback, uninstall or fix the installation. It’s de facto standard for many programs nowadays to use it as their installer of choice.

There is at least one area where I think persistence could be achieved with a help of this technology – it’s this set of Registry entries:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries
  • HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries

This is a place where MSIEXEC stores info about all command line arguments it wants to pass to itself after reboot. So, if it is not empty, it could be something interesting to look at.

btw. wine/reactos source codes have the following comment around the code that does implement this behavior:

If the args begin with /@ IDENT then we need to load the real command line out of the RunOnceEntries key in the registry. We do that before starting to process the real commandline, then overwrite the commandline again.

Comments are closed.