New versions of Windows are shipped with an on-screen keyboard that – amongst other features – allows us to enter the text in a handwritten form:

The task of handwritten text analysis and input training is ‘outsourced’ to dedicated libraries that are loaded from the following locations in the Registry:

• HKLM\SOFTWARE\Microsoft\TPG\System Recognizers
• HKLM\SOFTWARE\Microsoft\TPG\Recognizers

Adding an entry that replaces an entry for e.g. English:

leads to the library being loaded anytime the TabTip.exe process is executed (one that presents the ‘tablet’ to handwrite on):

For what its worth, my test DLL broke the handwriting input as it doesn’t do any proxy work.

Probably not the most used feature on your desktop computer, but it could work on many tabletish computers in Asia where ideograms and other complex characters are commonly used (plus users use handwriting input a lot!).

I discussed Winsock-based persistence in the past.

There is one more.

It is a bit unusual, as it has to do with automatic proxy configuration, so it’s a bit tricky to reproduce. I have honestly not made an attempt to fully understand the logic winsock uses to determine how to find the proxy, plus it’s pretty late and I only discovered it now so maybe some other time…

For the purpose of this post, one thing that is interesting is this key:

• HKCR\AutoProxyTypes

The two standard entries underneath are:

• Application/x-internet-signup
• Application/x-ns-proxy-autoconfig

It turns out you can add your own e.g.:

Winsock will enumerate the AutoProxyTypes key children nodes while trying to find the proxy and will load DLLs located underneath.

I had luck reproducing it on Windows 7 while tinkering with the Internet Options/Lan Settings (enabling/disabling it), but could not make it work on Windows 10. I may come back to do some more testing later on, but for now this screenshot should suffice: