Beyond good ol’ Run key, Part 121

This is a very convoluted way of creating a persistence mechanism, but it’s worth describing.

The SPReview.exe I covered previously has two interesting options: /WuExecuted and /WusaExecuted. When it is executed with either of these as an argument it does a lot of things, but the most important bit from our perspective is this:

  • It reads the value of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Pending\SPReviewEnabler=<file>
  • It copies that value to HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\SPReview=<file>
  • It then deletes the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Pending\SPReviewEnabler entry

So… as long as you set up the SPReviewEnabler value and run SPReview.exe with one of the /Wu* options, your chosen file will be executed once, the very next time the current user logs on. The cycle can then be repeated to establish permanent persistence…

Beyond good ol’ Run key, Part 120

This is a phantom DLL case on Windows 7 – a funny bug in c:\WINDOWS\system32\spreview.exe.

When it starts it loads the wdscore.dll library, but it does so incorrectly, and as a result it first tries to load the file C:\WINDOWS\system32\spreview.exewdscore.dll (the executable's own full path with the DLL name appended).

So, if such a library is placed on the system, the spreview.exewdscore.dll DLL will be loaded every time spreview.exe is launched. It’s also a Lolbin, of cuz.

The bad news – it is used very rarely, as it is related to Service Pack installation. The better news – since spreview.exe is part of the OS and signed, it can be added to any startup location and it will load that funnily-named DLL when it starts.
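For anyone who wants to check a Windows 7 host for the artifacts both parts describe, here is an added audit script (example code written for this page, not code from the original post). The registry paths, value names and the spreview.exewdscore.dll file name are exactly those named above; the function name, the output shape and the choice to walk every loaded user hive (rather than only HKCU) are this example's own.

```powershell
# Added audit example (not from the original post): report the artifacts that
# Part 121 (SPReviewEnabler -> RunOnce\SPReview) and Part 120 (the phantom
# spreview.exewdscore.dll) leave behind. Paths and names come from the post;
# the function and its output format are assumptions made for this example.
function Get-SPReviewPersistenceFindings {
    [CmdletBinding()]
    param(
        # Directory that holds spreview.exe; the post names c:\WINDOWS\system32.
        [string]$System32 = (Join-Path $env:SystemRoot 'System32')
    )

    $findings   = New-Object 'System.Collections.Generic.List[object]'
    $pendingKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Pending'

    # Part 121, step 1: a staged SPReviewEnabler value that is waiting for
    # "SPReview.exe /WuExecuted" or "/WusaExecuted" to promote it to RunOnce.
    $staged = Get-ItemProperty -Path $pendingKey -Name 'SPReviewEnabler' -ErrorAction SilentlyContinue
    if ($null -ne $staged) {
        $findings.Add([pscustomobject]@{
            Artifact = 'Setup\Pending\SPReviewEnabler (staged)'
            Location = $pendingKey
            Value    = $staged.SPReviewEnabler
        })
    }

    # Part 121, step 2: the promoted RunOnce\SPReview value. The post names HKCU,
    # which resolves to whoever ran SPReview.exe, so look in every loaded user hive.
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $runOnceKey = "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
        $entry = Get-ItemProperty -Path $runOnceKey -Name 'SPReview' -ErrorAction SilentlyContinue
        if ($null -ne $entry) {
            $findings.Add([pscustomobject]@{
                Artifact = 'RunOnce\SPReview'
                Location = $runOnceKey
                Value    = $entry.SPReview
            })
        }
    }

    # Part 120: the phantom DLL spreview.exe tries first (its own path + "wdscore.dll").
    # A file with this name has no legitimate reason to exist, so its presence alone is a finding;
    # the Authenticode status is reported as extra context for triage.
    $phantomDll = Join-Path $System32 'spreview.exewdscore.dll'
    if (Test-Path -LiteralPath $phantomDll -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $phantomDll
        $findings.Add([pscustomobject]@{
            Artifact = 'Phantom DLL next to spreview.exe'
            Location = $phantomDll
            Value    = "Authenticode status: $($sig.Status)"
        })
    }

    return $findings
}

# Usage: run elevated so HKLM and the other users' hives are readable.
$results = Get-SPReviewPersistenceFindings
if ($results.Count -eq 0) {
    Write-Host 'No SPReview-related persistence artifacts found.'
} else {
    $results | Format-Table -AutoSize
}
```

Run it elevated; the HKLM Pending key and hives other than the current user's are not readable otherwise. A staged SPReviewEnabler value or a RunOnce\SPReview value pointing at anything other than an expected Service Pack component, or any file at all named spreview.exewdscore.dll, is worth a closer look.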