Beyond good ol’ Run key, Part 122

November 9, 2019 in Anti-Forensics, Autostart (Persistence)

This is another quickie: there is an established process for using the OCSetup program that is available on a couple of Windows versions. When this tool is executed it checks a number of Registry entries which it then interprets, and executes programs (.exe) or installers (.msi, .msp) listed under these entries.

The entries of interest are as follows:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\<ComponentName>\CustomSetup = <file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\<ComponentName>\Component = <file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\\PatchFiles = <file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OCSetup\Components\\CustomSetup = <file>

Comments are closed.