Certain Windows… stay classy… part 2

In one of the older posts I listed a number of very recognizable Windows classes that can be found hard-coded as strings inside various programs (including malware). The intention there was to help with recognizing the compiler/protector/installer that was used to create/build/protect the file.

I thought it would be good to expand this list with a whitelist of common classes created by various legitimate Windows applications. Such a list may help to determine which window classes are potentially anomalous (e.g. when you run the ‘windows’ or ‘wintree’ command in Volatility).

Here’s a short list I have come up with so far – if you see any class missing, please let me know and I will add it:

  • $$$UI0Background
  • _SearchEditBoxFakeWindow
  • {37E561C9-40E3-44de-AF62-CECD75524364}
  • ActionsMenuOwner
  • Address Band Root
  • AMNotificationDialog
  • AppResizeAcc
  • AudioDevStubWindow32
  • AutoplayHandlerChooser
  • AVIWnd32
  • Breadcrumb Parent
  • Button
  • CabinetWClass
  • CDDEServer
  • CDVDMsgWindowClass
  • CicLoaderWndClass
  • CM Monitor Window
  • ComboBox
  • ComboBoxEx32
  • COMPDESK_DISPALYCHANGE_CLASS
  • Compose_CvPgPreview
  • ConnectionManagerMsgProc
  • ConsoleWindowClass
  • CtlFrameWork_Parking
  • CtrlAccWindow
  • CtrlNotifySink
  • CustomEventWindowClass
  • DDE Channel
  • DDE Server Window
  • DDE ViewObj
  • DeviceUpdateClass
  • DIEmWin
  • DocWndClass
  • DragWindow
  • DsPropNotifyWindow
  • DummyDWMListenerWindow
  • Dwm
  • EalMessageWindow
  • Edit
  • elevationdummy
  • EnhancedStorageAuthentication
  • ERCUITHREADMARSHALLER
  • Event Viewer Snapin Synch
  • EVRFullscreenVideo
  • EVRPowerMsgWindowClass
  • EVRVideoHandler
  • EvtQProcWndClass
  • FaxME_DocHost
  • FaxTiffView_Host
  • FDBthProviderClass
  • FloatNotifySink
  • Fn Notify Window
  • FocusMonitorWindowClass
  • GDI+ Window
  • GestureArbitrationEngineWindowClass
  • Ghost
  • GhostDivider
  • GRIDWNDCLASS
  • HH CustomNavPane
  • HH Parent
  • HH SizeBar
  • HH_API
  • HidServClass
  • HighlightCursorClass
  • HitTestWorker
  • HostCtrlAccWindow
  • IEFrame
  • InkEditReflectClass
  • invisible bmp window
  • Isolation Thread Message Window
  • ItemWndClass
  • JobPropWnd
  • JointDivider
  • JointResizeAcc
  • KBEMWndClass
  • L21DecMsgWnd
  • listbox
  • LOCATIONNOTIFICATION
  • Magnifier
  • MCI command handling window
  • mdiclient
  • MDRESNOTIFYCLASS
  • MESSAGE
  • MGMTAPI Notification Class
  • MNC_TaskmanWindow
  • MobilityCenterHelpButton
  • MobilityCenterIcon
  • MobilityCenterStatusText
  • MobilityCenterTileName
  • MouseMonitorWindowClass
  • MRT
  • MS:SyncNotificationWindow
  • MS:WPDStatusProviderNotificationWindow
  • MSAA_DA_Class
  • MSCTFIME Composition
  • msctls_progress32
  • msctls_statusbar32
  • msctls_trackbar32
  • msctls_updown32
  • MstscRemoteSessionsMgrWndClass
  • MTVDragInputHandler
  • NarratorTIEWIndowClass
  • NarratorTouchWindow
  • Notepad
  • NotificationsMenuOwner
  • OCHost
  • OE_Envelope
  • OleDocWndClass
  • OleSrvrWndClass
  • Palette Watcher
  • PCALUA
  • PowerCPL Message Window
  • PPCHiddenWindow
  • proquota
  • PRSEVENTRECEIVER
  • RadioButtonList
  • RdpClipRdrWindowClass
  • RdpSaInvitationManagerHiddenWindowClass
  • RDPSoundDVCWnd
  • RDPSoundInputWnd
  • RdvSessionMonitorClass
  • ReBarWindow32
  • RectWndClass
  • REListBox20W
  • RelMonGraphWindow
  • RICHEDIT
  • RICHEDIT50W
  • RunDLL
  • RunLegacyCPL
  • Scroll
  • SCROLLBAR
  • Search Box
  • SearchEditBoxWrapperClass
  • SeparatorBand
  • Shell Preview Extension Temporary Parent
  • Shell_Dim
  • Shell_SecondaryTrayWnd
  • Shell_TrayWnd
  • SI WMP sync hidden window
  • SJE_FULLSCREEN
  • SlideshowCache
  • SlideshowManager
  • SoftKBDClsC1
  • SoftKBDClsT1
  • SoftkbdIMXOwnerWndClass
  • SPACEAGENT!PNP!MESSAGEWND
  • SrvrWndClass
  • SSDemoParent
  • Static
  • StubNtPrintWindow
  • StubPrintWindow
  • StubWindow32
  • sync hidden window
  • SysHeader32
  • SysLink
  • SysListView32
  • SysMonthCal32
  • SysPager
  • SysTabControl32
  • SystemMonitorWindowClass
  • SystemTray_Main
  • SysTreeView32
  • TabCal_WndClass
  • TabletModeCoverWindow
  • TabletModeInputHandler
  • Tapi32WndClass
  • Task Host Window
  • TaskListOverlayWnd
  • TaskListThumbnailWnd
  • TextRendererMsgProc
  • TiBusUpdate
  • ToolbarWindow32
  • tooltips_class32
  • TravelBand
  • TrayDummySearchControl
  • TrayInputIndicatorWClass
  • TrayNotifyWnd
  • TrayShowDesktopButtonWClass
  • TSC_POPUP_PARENT_WNDCLASS
  • TSMF Geometry
  • UIAInvokeHelperWndClass
  • UIManager Message Window
  • UniversalSearchBand
  • UpBand
  • URL Moniker Notification Window
  • UserAdapterWindowClass
  • VBBubbleRT6
  • VBFocusRT6
  • VisualViewportMessageWindow
  • VolNotifySink
  • WdcGraphWindow
  • WebInstanceCoreInputWindow
  • Webview Window
  • WiaPreviewControl
  • WMPMessenger
  • WMPSimpleMessageWindow
  • WMPTransition
  • WorkerA
  • WorkerMessageWindow
  • WorkerW
  • WusaHidden
  • XAMLMessageWindowClass
  • XAMLWebViewHostWindowClass
  • XCPDeferredClass
  • XCPTimerClass
  • XMLMimeWnd
  • YO
  • ZIP Folder STUB window
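As an added example (not code from the post), here is a small Python check that does what the whitelist is meant for: it walks Volatility-style ‘windows’ output, pulls out each window’s class and owning process, and reports classes that are not on the list. The whitelist subset and the sample output are constructed for the example; window class names are compared case-insensitively because Windows treats them that way.

```python
import re

# Small constructed subset of the whitelist above; load the full list in practice.
KNOWN_CLASSES = {
    "Button", "CabinetWClass", "ConsoleWindowClass", "Edit", "IEFrame", "Notepad",
    "Shell_TrayWnd", "Static", "SysListView32", "tooltips_class32", "WorkerW",
}
# Windows matches class names case-insensitively, so normalise before comparing.
_KNOWN_LOWER = {c.lower() for c in KNOWN_CLASSES}

# Constructed, Volatility-style "windows" output; not taken from a real memory image.
SAMPLE_OUTPUT = """\
Window Handle: #10100 at 0xfd8a00b0, Name: Program Manager
ClassAtom: 0xc0a0, Class: Progman
ppi: 0xfd800790, Process: explorer.exe, Pid: 1836
Window Handle: #10102 at 0xfd8a0320, Name:
ClassAtom: 0xc0b2, Class: CabinetWClass
ppi: 0xfd800790, Process: explorer.exe, Pid: 1836
Window Handle: #20256 at 0xfd8b1c40, Name:
ClassAtom: 0xc123, Class: button
ppi: 0xfd811110, Process: svchost.exe, Pid: 4412
Window Handle: #20257 at 0xfd8b1f80, Name:
ClassAtom: 0xc124, Class: kjh3l2_msgwnd
ppi: 0xfd811110, Process: svchost.exe, Pid: 4412
"""

_CLASS_RE = re.compile(r"\bClass:\s*(\S.*?)\s*$")          # skips "ClassAtom:"
_PROC_RE = re.compile(r"Process:\s*(\S+),\s*Pid:\s*(\d+)")

def find_unknown_classes(text, known=_KNOWN_LOWER):
    """Return (process, pid, class) for every window whose class is not whitelisted."""
    findings = []
    current_class = None
    for line in text.splitlines():
        if line.startswith("Window Handle:"):
            current_class = None            # a new window record begins
            continue
        m = _CLASS_RE.search(line)
        if m:
            current_class = m.group(1)
            continue
        m = _PROC_RE.search(line)           # process line closes the record
        if m and current_class is not None:
            if current_class.lower() not in known:
                findings.append((m.group(1), int(m.group(2)), current_class))
            current_class = None
    return findings

if __name__ == "__main__":
    for proc, pid, cls in find_unknown_classes(SAMPLE_OUTPUT):
        print(f"{proc} (pid {pid}): unlisted window class {cls!r}")
```

A hit on a genuine class such as Progman (Explorer's desktop window) simply means the whitelist needs another entry, as the post invites; the odd-looking class in svchost.exe is the kind of result worth a closer look.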

Beyond good ol’ Run key, Part 72

In an old post I described a simple trick: a hotkey can be assigned to a shortcut (.LNK file) placed on the Desktop or in the Start Menu, so that pressing it executes the shortcut. The binding survives reboots and logoffs/logons, so it is a nice, if somewhat accidental, persistence mechanism.

It turns out there is one more variant of this trick, one that relies on .URL files.

Placing a .URL file containing the following data:

[InternetShortcut]
URL=file:///c:/windows/system32/calc.exe
HotKey=768

on the Desktop will bind the CTRL+SHIFT key sequence to an action that launches the calculator.

The hotkey can be assigned in two ways. The first is via the shortcut’s Properties dialog:

– in that case you won’t be able to assign the trickier combinations like CTRL+SHIFT. The second is to edit the file directly, in which case all the hotkey tricks are available. All you have to do is assign the proper value to the HotKey parameter inside the .url file.

You can find out which values represent which key codes by experimenting… or… you can cheat and read this old guide: An Unofficial Guide to the URL File Format.
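As an added example (not code from the post or the guide), here is a small Python decoder for the HotKey value together with a check that flags .url files whose hotkey is bound to a local file:// target, the pattern shown above. It assumes the encoding described in the linked guide: low byte is the virtual-key code, high byte holds modifier flags (SHIFT=1, CTRL=2, ALT=4, EXT=8), the same scheme shell shortcuts use.

```python
import configparser

# HotKey encoding assumed from the URL file format guide: low byte = virtual-key
# code, high byte = modifier flags (same layout as shell shortcut hotkeys).
_MODIFIER_BITS = [(0x02, "CTRL"), (0x04, "ALT"), (0x01, "SHIFT"), (0x08, "EXT")]

def decode_hotkey(value):
    """Split a .url HotKey integer into (modifier names, virtual-key code)."""
    value = int(value)
    vk = value & 0xFF
    mods = [name for bit, name in _MODIFIER_BITS if (value >> 8) & bit]
    return mods, vk

def describe_hotkey(value):
    """Human-readable form, e.g. 768 -> 'CTRL+SHIFT', 1601 -> 'CTRL+ALT+A'."""
    mods, vk = decode_hotkey(value)
    parts = list(mods)
    if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A:   # digit/letter VK codes equal ASCII
        parts.append(chr(vk))
    elif vk:
        parts.append(f"VK_0x{vk:02X}")
    return "+".join(parts) if parts else "(none)"

def audit_url_file(text):
    """Parse .url content; flag a hotkey that is bound to a local file:// target."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    sec = cp["InternetShortcut"]
    url = sec.get("URL", "")
    hotkey = sec.getint("HotKey", fallback=0)
    return {
        "url": url,
        "hotkey": describe_hotkey(hotkey) if hotkey else None,
        "local_exec_hotkey": hotkey != 0 and url.lower().startswith("file:"),
    }

# The post's own calc.exe example, plus a constructed web shortcut for contrast.
CALC_URL = "[InternetShortcut]\nURL=file:///c:/windows/system32/calc.exe\nHotKey=768\n"
WEB_URL = "[InternetShortcut]\nURL=https://example.invalid/\nHotKey=1601\n"

if __name__ == "__main__":
    for name, data in (("calc.url", CALC_URL), ("web.url", WEB_URL)):
        print(name, audit_url_file(data))
```

Run it over every .url file in the Desktop and Start Menu folders and any entry with local_exec_hotkey set is worth reviewing, since a hotkey on a file:// shortcut is exactly the binding this post describes.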