While looking at \Windows\system32\oobe\ files I had a quick check what FirstLogonAnim.exe does and discovered that on top of accepting the following command line arguments:
it can be run with /RunFirstLogonAnim as a first argument and in such case will launch the ‘Windows installation’ animation. If both /RunFirstLogonAnim and /explorer are present in the command line, you won’t be able to close the animation.
These days I post most of the new stuff on Twitter as no one reads blogs anymore, right? 🙂
Still, good to document some of it in a more permanent way so this is the persistence bit I posted about yesterday:
A number of tools inside the c:\WINDOWS\system32\oobe\ folder:
include references to c:\WINDOWS\Setup\Scripts\ErrorHandler.cmd.
Turns out, if you drop your payload to c:\WINDOWS\Setup\Scripts\ErrorHandler.cmd the c:\WINDOWS\system32\oobe\Setup.exe will load it anytime there is an error. The most trivial way to trigger it is by running setup.exe w/o any arguments.
I have not checked the other executables, but it’s most likely the case as well.