Beyond good ol’ Run key, Part 12

After googling around I couldn’t find any reference to the Rover autostart mechanism, so here is a quick introduction for you:

Adding this key [the key alone is enough; no values are needed]:

  • HKEY_CLASSES_ROOT\CLSID\{16d12736-7a9e-4765-bec6-f301d679caaa}

and dropping the following file:

  • c:\windows\system32\rover.dll

with an exported function called RunMonitor will cause rover.dll to be loaded any time a user logs in [it’s loaded by userinit.exe].

Tested on Windows 7 and Windows 8.1.


I have received a few questions with regards to this post, so here are some notes that I hope will be helpful:

  • Despite being placed under HKCR, it’s not a regular COM entry
  • It’s the equivalent of a Boolean flag stored in the Registry, the same as the presence of a file on disk
    • If key exists
      { do something }
  • I believe it’s a part of some testing/QA platform; maybe some exotic extension used only in special builds [Windows is actually full of these conditionally loaded DLLs]

Note: For unknown reason this post disappeared. Re-adding it. (suspecting wordpress hiccup; update: after checking logs it looks more like a DB problem and it was restored by the provider from a backup /removing the post on the way/)

Beyond good ol’ Run key, Part 11

I must admit that finding new paths that could be exploited as a persistence mechanism is a silly hobby of mine. When I started this series I thought that a few posts would suffice, but to my surprise it’s already #11. For your convenience, these are links to the older posts:

You may also want to have a look at ‘A Collection of Autostart Locations’ – a very large and comprehensive list of autostart entries collected by Tony Klein.

Back to the #11.

In the part #10 (Office Test) I mentioned that Microsoft products seem to be heavily integrated with various testing platforms. I also referenced various aspects of performance analysis, profiling, monitoring and debugging in parts #4 (various debuggers), #6 (VBA Monitors), #7 (OAClient). There is one more trick that we can add to the list – legitimate, developer-friendly profiling mechanisms that can be enabled on non-developer systems and… act as a persistence mechanism.

The profiling mechanisms described further require a persistent environment variable to be set. This can be achieved by setting the respective values under HKCU or HKLM:

  • HKEY_CURRENT_USER\Environment
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

The values that need to be placed under the Environment keys depend on the profiling mechanism – these are listed below:


Example for JS_PROFILER:

Adding the following Registry entries:

[HKEY_CLASSES_ROOT\CLSID\{12345678-1234-1234-1234-123456789abc}\InprocServer32]
@=hex(2):63,00,3A,00,5C,00,74,00,65,00,73,00,74,00,5C,00,74,00,65,00,\
  73,00,74,00,2E,00,64,00,6C,00,6C,00,00,00

[HKEY_CURRENT_USER\Environment]
"JS_PROFILER"="{12345678-1234-1234-1234-123456789abc}"

will ensure that c:\test\test.dll (added as a REG_EXPAND_SZ value using ‘@=hex(2):…’) is loaded any time Internet Explorer is executed or its control is instantiated (JS_PROFILER is used internally by the JSCRIPT*.DLLs, which handle scripting and are used by Internet Explorer).
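As an added detection example (my own code, not part of the original post), the Python script below audits text in the format produced by `reg export` for both indicators described in Parts 12 and 11: the Rover CLSID key, whose mere presence is the trigger, and a JS_PROFILER value under either Environment key, resolved through the named CLSID’s InprocServer32 default value (decoding the ‘hex(2):’ REG_EXPAND_SZ form shown above). The embedded sample export is constructed to mirror the entries from the post plus a benign TEMP value that must not be flagged; the helper names (`parse_reg_export`, `decode_reg_value`, `audit`) are this example’s own.

```python
import re

# Indicators taken from the post above; the helper names are this example's own.
ROVER_CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{16d12736-7a9e-4765-bec6-f301d679caaa}"
ROVER_DLL = r"c:\windows\system32\rover.dll"
ENVIRONMENT_KEYS = (
    r"HKEY_CURRENT_USER\Environment",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment",
)

# Constructed sample in `reg export` format: the two entries from the post plus a
# benign TEMP value (%USERPROFILE%\Temp), so the audit has something it must NOT flag.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{16d12736-7a9e-4765-bec6-f301d679caaa}]

[HKEY_CLASSES_ROOT\CLSID\{12345678-1234-1234-1234-123456789abc}\InprocServer32]
@=hex(2):63,00,3A,00,5C,00,74,00,65,00,73,00,74,00,5C,00,74,00,65,00,\
  73,00,74,00,2E,00,64,00,6C,00,6C,00,00,00

[HKEY_CURRENT_USER\Environment]
"JS_PROFILER"="{12345678-1234-1234-1234-123456789abc}"
"TEMP"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4F,00,46,00,49,00,4C,00,\
  45,00,25,00,5C,00,54,00,65,00,6D,00,70,00,00,00
"""


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_value}}.

    Keys without values are kept as empty dicts: for Rover the key's mere
    presence is the trigger, so a parser that dropped them would miss it.
    """
    keys = {}
    current = None
    pending = ""  # accumulates lines continued with a trailing backslash
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if pending:
            line, pending = pending + line, ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        keys[current][name.strip('"')] = value  # "@" (default value) stays "@"
    return keys


def decode_reg_value(value):
    """Turn a raw .reg value into a str: a "quoted" REG_SZ, or hex(2) REG_EXPAND_SZ
    given as comma-separated UTF-16LE bytes with a NUL terminator. Other types are
    returned unchanged."""
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    match = re.match(r"hex\(2\):(.*)$", value)
    if match:
        data = bytes(int(b, 16) for b in match.group(1).split(",") if b.strip())
        return data.decode("utf-16-le").split("\x00", 1)[0]
    return value


def audit(keys):
    """Report the two autostart indicators present in parsed .reg data."""
    lower = {k.lower(): k for k in keys}  # registry paths are case-insensitive
    findings = []
    if ROVER_CLSID_KEY.lower() in lower:
        findings.append({"indicator": "rover_clsid_key",
                         "key": lower[ROVER_CLSID_KEY.lower()],
                         "file_to_check": ROVER_DLL})  # verify on the host itself
    for env_key in ENVIRONMENT_KEYS:
        real = lower.get(env_key.lower())
        if real is None:
            continue
        for name, raw in keys[real].items():
            if name.upper() != "JS_PROFILER":
                continue
            clsid = decode_reg_value(raw)
            inproc = lower.get((r"HKEY_CLASSES_ROOT\CLSID\%s\InprocServer32" % clsid).lower())
            dll = decode_reg_value(keys[inproc]["@"]) if inproc and "@" in keys[inproc] else None
            findings.append({"indicator": "js_profiler", "key": real, "clsid": clsid, "dll": dll})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

The script works on exported text rather than the live registry, so the same logic runs on a collected export during triage; note that HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, so an export taken from those hives directly would need its paths mapped to the HKCR form before the CLSID lookup succeeds. A JS_PROFILER value whose CLSID has no InprocServer32 entry is still reported, with `dll` set to None, since the value itself is the unusual thing on a non-developer system.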