Yet another way to hide from Sysinternals’ tools

The recipe is simple:

  • Pick one of the environment variables.
  • Name your executable ‘%environment variable%.exe’.
  • Drop it in a place where the system will find it (as per PATH).
  • Point an autostart entry, e.g. a Run key, at it.

Example:

  • Drop c:\WINDOWS\%USERNAME%.exe

And add:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    “foobar”=”%USERNAME%”

Both Autoruns and Process Explorer (autorun location) won’t be able to locate the file, because they expand the environment variables before looking for it. They will also mislead the user by showing a path to an executable that is definitely not on the system: e.g. if the user’s name is JOHN, the entry I listed above will show up as ‘File not found: john.exe’. Looking for ‘john.exe’ on the system will not bring any relevant results.

Bonus #1:

You could concatenate a number of environment variables – the file will still run, but the entry in Autoruns will look like a bug. Only visiting the actual entry in the Registry will allow you to spot the trick.

Bonus #2:

Using less common environment variables can give even more random, misleading information, e.g. ‘%PROCESSOR_LEVEL%’ can resolve to ‘6.exe’. Finding that ‘6.exe’ on the system will be pretty tricky.

Bonus #3:

Using ‘%ComSpec%’ gives the most intriguing result.

Autoruns will resolve it to ‘c:\WINDOWS\System32\cmd.exe’ instead of ‘c:\WINDOWS\%ComSpec%.exe’ and, since the resolved binary is a signed native OS executable, the entry will be hidden from view unless you untick ‘Hide Windows Entries’.
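One way to audit Run/RunOnce keys for this trick, written here as an added example rather than code from the original post. It reads each value unexpanded, so the ‘%…%’ tokens survive, then looks for a file whose name literally contains them in the Windows, System32 and PATH directories (an assumption standing in for the real CreateProcess search order) and separately for the expanded name that a variable-expanding tool would display. The tell is a literal ‘%VAR%.exe’ on disk, which is flagged even when the expanded name also exists, as in the ‘%ComSpec%’ case. The function names (`Find-CommandFile`, `Get-SuspiciousRunEntry`) are my own; quoted command lines with arguments are not parsed.

```powershell
# Added example, not code from the original post: audit Run/RunOnce entries
# for commands that still contain %VAR% tokens, and compare what the OS will
# launch (the literal string, since REG_SZ values are not expanded) with what
# a tool that expands variables would look for.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a bare command name is looked up in: Windows and System32, then
# each PATH entry. This approximates (assumption) the CreateProcess search order.
$searchDirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32')) +
              @($env:PATH -split ';' | Where-Object { $_ })

function Find-CommandFile {
    param([string]$Command)
    # Rooted path: test it as written. Bare name: try "name" and "name.exe"
    # in every search directory. Quoted commands with arguments are not parsed.
    $names = @($Command)
    if ($Command -notmatch '\.exe$') { $names += "$Command.exe" }
    foreach ($n in $names) {
        if ([IO.Path]::IsPathRooted($n)) {
            if (Test-Path -LiteralPath $n) { return $n }
            continue
        }
        foreach ($dir in $searchDirs) {
            $p = Join-Path $dir $n
            if (Test-Path -LiteralPath $p) { return $p }
        }
    }
    return $null
}

function Get-SuspiciousRunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $rk = Get-Item $key
        foreach ($valueName in $rk.GetValueNames()) {
            # Read the raw string even for REG_EXPAND_SZ, so the %...% tokens survive.
            $raw = $rk.GetValue($valueName, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            if ($raw -notmatch '%[^%]+%') { continue }

            $expanded     = [Environment]::ExpandEnvironmentVariables($raw)
            $literalFile  = Find-CommandFile $raw       # e.g. C:\WINDOWS\%USERNAME%.exe
            $expandedFile = Find-CommandFile $expanded  # e.g. john.exe (what Autoruns shows)

            [PSCustomObject]@{
                Key          = $key
                Value        = $valueName
                RawCommand   = $raw
                Expanded     = $expanded
                LiteralFile  = $literalFile
                ExpandedFile = $expandedFile
                # A file whose name literally contains %...% is the tell; it is
                # flagged even when the expanded name exists (the %ComSpec% case).
                Suspicious   = [bool]$literalFile
            }
        }
    }
}

Get-SuspiciousRunEntry | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys are readable; entries where `LiteralFile` is set while `ExpandedFile` is empty are exactly the ‘File not found: john.exe’ rows Autoruns would show, and the rows where both are set cover the ‘%ComSpec%’ variant that Autoruns hides as a Windows entry.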

Beyond good ol’ Run key, Part 70

Back in the early 2000s shell extensions and desktop enhancers were very popular. Some of these ideas survived to this day, and even now one can either use pre-installed deskbands or install new ones on the system.

There are many coders who already did a great job explaining what desk bands are and how to implement them, so instead of pretending that I know what I am talking about, I will just suggest that you read the great article ‘Shell Extensibility – Explorer Desk Band, Tray Notification Icon et al.‘ by Alex Blekhman. When you run the Calendar.exe attached to the article, you get an option to present the calendar as a Deskband.

Interestingly enough, as far as I can tell Autoruns still doesn’t detect them.

To find out where the information about deskbands and other Explorer extension bars is stored in Registry you can read this article.

If you are in a hurry, just enumerate the Registry and look for all CLSIDs whose Implemented Categories\ key contains one of the following deskband category identifiers:

DeskBand
{00021492-0000-0000-C000-000000000046}

VerticalBand
{00021493-0000-0000-C000-000000000046}

HorizontalBand
{00021494-0000-0000-C000-000000000046}

e.g.:

HKLM\SOFTWARE\Classes\CLSID\...\
Implemented Categories\{00021492-0000-0000-C000-000000000046}
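The enumeration just described, as an added example (not code from the original post or from the article it links to). It walks every CLSID under the HKLM, WOW6432Node and HKCU Classes hives, keeps the ones whose Implemented Categories subkeys include one of the three band category GUIDs listed above, and reports the InprocServer32 DLL each band loads together with its Authenticode status, which is the part a reviewer actually wants when Autoruns does not list the band. The function name `Get-RegisteredBand` and the choice of hives to scan are my own.

```powershell
# Added example, not code from the original post: list COM classes registered
# as DeskBand / VerticalBand / HorizontalBand via "Implemented Categories",
# and show which DLL implements each one and whether it is signed.

$bandCategories = @{
    '{00021492-0000-0000-C000-000000000046}' = 'DeskBand'
    '{00021493-0000-0000-C000-000000000046}' = 'VerticalBand'
    '{00021494-0000-0000-C000-000000000046}' = 'HorizontalBand'
}

# Hives to scan (assumption: these three cover machine-wide 64-bit, machine-wide
# 32-bit and per-user registrations; HKCU needs no admin rights to write to).
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Get-RegisteredBand {
    foreach ($root in $clsidRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($clsidKey in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $catKey = Join-Path $clsidKey.PSPath 'Implemented Categories'
            if (-not (Test-Path $catKey)) { continue }

            # Subkey names under "Implemented Categories" are the category GUIDs.
            $cats = Get-ChildItem $catKey -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.PSChildName } |
                    Where-Object { $bandCategories.ContainsKey($_) }
            if (-not $cats) { continue }

            # Module the band is implemented in; an unsigned DLL in a
            # user-writable directory is worth a closer look.
            $server = (Get-ItemProperty -Path (Join-Path $clsidKey.PSPath 'InprocServer32') `
                       -ErrorAction SilentlyContinue).'(default)'
            $dll = if ($server) { [Environment]::ExpandEnvironmentVariables($server) } else { $null }
            $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
                       (Get-AuthenticodeSignature -LiteralPath $dll).Status
                   } else { 'FileNotFound' }

            [PSCustomObject]@{
                Hive      = $root
                CLSID     = $clsidKey.PSChildName
                Name      = (Get-ItemProperty -Path $clsidKey.PSPath -ErrorAction SilentlyContinue).'(default)'
                Category  = ($cats | ForEach-Object { $bandCategories[$_] }) -join ','
                Server    = $dll
                Signature = $sig
            }
        }
    }
}

Get-RegisteredBand | Sort-Object Signature, Hive | Format-Table -AutoSize
```

Sorting by `Signature` puts `NotSigned` and `FileNotFound` rows first; on a clean system the list is short and consists of Microsoft-signed modules, so anything else, and in particular any band registered only under HKCU, deserves the manual Registry visit the post recommends.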

Additionally, it may be worth checking the following key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
Discardable\PostSetup\Component Categories\...\Enum

This is where Explorer stores cached information about explorer bar objects.