I mentioned TestHook at least twice in the past. I actually love this keyword/string, because it is associated with many undocumented internal Microsoft test frameworks that we can sometimes abuse. And many ‘TestHook’ string references are present in many binaries belonging to both Server and Desktop versions of Windows, hence a lot of research opportunities await…
And here’s one of them:
Adding the entry below:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TestHooks\TestAggregatorDll=<malware>
will result in the DLL of our choice being loaded when the system starts.
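From the defender's side, the value above is a single, well-known location to audit. The script below is an added example (not code from the original post): it parses a Windows registry export in the standard .reg text format, accepts both the HKLM short form used in the post and the full HKEY_LOCAL_MACHINE form, and reports whatever DLL path is configured under the DiagTrack TestHooks key. The .reg parser is a minimal one written for this example and the sample export at the bottom is constructed; any path it returns should be treated as a finding to investigate, since the post gives no legitimate value for this entry.

```python
import re

# Key and value name exactly as described in the post (full hive name, lower-cased for matching).
TESTHOOK_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TestHooks"
TESTHOOK_VALUE = "TestAggregatorDll"

# Short hive aliases that appear in hand-written paths (the post uses HKLM).
HIVE_ALIASES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def normalize_key(key):
    """Expand a hive alias and lower-case the path so comparisons are case-insensitive."""
    head, sep, rest = key.partition("\\")
    hive = HIVE_ALIASES.get(head.upper(), head.upper())
    return (hive + sep + rest).lower()


def parse_reg_export(text):
    """Parse a minimal .reg export into {normalized_key: {value_name: string_data}}.

    Only REG_SZ values ("name"="data") are decoded, which is enough for this check;
    .reg files double every backslash and escape quotes inside string data.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_testhook_dll(reg_text):
    """Return the DLL path set in TestAggregatorDll under the DiagTrack TestHooks key, or None."""
    values = parse_reg_export(reg_text).get(normalize_key(TESTHOOK_KEY), {})
    for name, data in values.items():
        if name.lower() == TESTHOOK_VALUE.lower():
            return data
    return None


# Constructed sample export: a machine where the value from the post has been set.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack]
"DiagTrackStatus"=dword:00000001

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\TestHooks]
"TestAggregatorDll"="C:\\Users\\Public\\suspicious.dll"
"""

# Constructed sample export for a machine where the key has no such value.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack]
"DiagTrackStatus"=dword:00000001
"""

if __name__ == "__main__":
    for label, export in (("sample", SAMPLE_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        hit = find_testhook_dll(export)
        print(f"{label}: " + (f"TestAggregatorDll set to {hit}" if hit else "no TestAggregatorDll value"))
```

On a live host the same check can be fed from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack" out.reg` (exports are UTF-16, so open the file with that encoding); for continuous monitoring, a registry-value-set event on this key path is the thing to alert on.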
