{"id":1613,"date":"2013-01-19T10:47:24","date_gmt":"2013-01-19T10:47:24","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1613"},"modified":"2014-09-20T22:22:53","modified_gmt":"2014-09-20T22:22:53","slug":"beyond-good-ol-run-key-part-3","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2013\/01\/19\/beyond-good-ol-run-key-part-3\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 3"},"content":{"rendered":"<p>Possible Autostart\/start mechanisms that are built-in &#8216;natively&#8217; in Windows and also available by means of extra features offered by many applications go beyond typical path locations and registry keys highlighted by popular programs and scripts like <a href=\"http:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb963902.aspx\">Autoruns<\/a> and <a href=\"http:\/\/www.silentrunners.org\/\">SilentRunners<\/a>. I have covered some of the non-standard persistence techniques in 2 older posts in the series <a title=\"Beyond good ol\u2019 Run key\" href=\"https:\/\/www.hexacorn.com\/blog\/2012\/07\/23\/beyond-good-ol-run-key\/\">here<\/a> and <a title=\"Beyond good ol\u2019 Run key, Part 2\" href=\"https:\/\/www.hexacorn.com\/blog\/2012\/09\/16\/beyond-good-ol-run-key-part-2\/\">here<\/a>, but as usual &#8211; there is always more to write about.<\/p>\n<p>In this post I will cover another batch of lesser-known and possibly &#8216;obscure&#8217; techniques that could potentially be used for autostart\/start purposes. I write &#8216;obscure&#8217; because these are not typical ways of doing autostart, but let&#8217;s be honest &#8211; there is nothing really extraordinary about them &#8211; just a simple abuse of built-in features in both the OS and applications.<\/p>\n<h3>Code-in-the-middle proxy<\/h3>\n<p>Long story short, it is a well-known fact that many existing registry entries and files pointing to or containing code can be modified to introduce a code-in-the-middle proxy (DLL, EXE, etc.) 
that will be executed\/loaded first instead of a legitimate entry. The original entries are preserved so that they can be transparently executed\/loaded once the malware is running. There are many existing examples of this technique already being used, e.g. hijacks of Shell Open Command, Image File Execution Options, etc., but it is important to remember that this technique can be extended to literally any registry key or file that is either loaded during autostart or often used by users.<\/p>\n<h3>Application Registration (App Paths) hijacking<\/h3>\n<p>Another proxy technique that could be used to hijack popular applications relies on registry entries stored under the following key:<\/p>\n<p style=\"padding-left: 30px;\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths<\/p>\n<p>As per <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ee872121%28v=vs.85%29.aspx\">Microsoft<\/a>:<\/p>\n<p style=\"padding-left: 30px;\">The entries found under App Paths are used primarily for the following purposes:<\/p>\n<ul>\n<li style=\"padding-left: 30px;\">To map an application&#8217;s executable file name to that file&#8217;s fully qualified path.<\/li>\n<li style=\"padding-left: 30px;\">To pre-pend information to the PATH environment variable on a per-application, per-process basis.<\/li>\n<\/ul>\n<p>A legitimate entry that can be found on many newer versions of Windows is shown below:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/apppaths1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1655\" alt=\"apppaths1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/apppaths1.png\" width=\"539\" height=\"112\" \/><\/a><\/p>\n<p>It is responsible for launching the MS Paint program when someone tries to run it using the legacy &#8216;pbrush.exe&#8217; name.<\/p>\n<p>One could add a modification for e.g. 
calc.exe:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/apppaths2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1656\" alt=\"apppaths2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/apppaths2.png\" width=\"540\" height=\"88\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/apppaths2.png 850w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/apppaths2-300x49.png 300w\" sizes=\"(max-width: 540px) 100vw, 540px\" \/><\/a><\/p>\n<p>From now on, anytime someone tries to run calc.exe manually (e.g. via the Start Menu\/Run window), Notepad will be launched. It may not be a main persistence mechanism, but it could be used for re-infection purposes on systems that have been cleaned up, but not rebuilt.<\/p>\n<p>You can test it (XP needed) by downloading this <a href=\"https:\/\/www.hexacorn.com\/examples\/2013-09-24_app_paths_notepad.reg\">reg<\/a> file, applying it to your Registry, then pressing Win+R, typing &#8216;calc&#8217; or &#8216;calc.exe&#8217; and hitting Enter. Note: It doesn&#8217;t work from the command line (a mistake in an older version of this post which I correct here).<\/p>\n<h3>Text Services (TSF)<\/h3>\n<p>Microsoft <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms629032%28v=vs.85%29.aspx\">defines Text Services<\/a> as:<\/p>\n<p style=\"padding-left: 30px;\">Microsoft Windows Text Services Framework (TSF) is a system service available as a redistributable for Windows 2000. TSF provides a simple and scalable framework for the delivery of advanced text input and natural language technologies. TSF can be enabled in applications, or as a TSF text service. 
A TSF text service provides multilingual support and delivers text services such as keyboard processors, handwriting recognition, and speech recognition.<\/p>\n<p>From a practical point of view, TSF offers ways to extend available input methods by allowing installation of support for languages that are not natively supported by Windows. A good example of such an extension is <a href=\"https:\/\/github.com\/thanlwinsoft\/ekaya\">Ekaya<\/a> &#8211; an extension for the Myanmar (Burmese) language.<\/p>\n<p>In order for TSF to work on Windows XP, one has to enable the &#8216;Extended support of advanced text services to all programs&#8217;:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1621\" alt=\"TextService-Step01.4\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.4.png\" width=\"351\" height=\"421\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.4.png 404w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.4-249x300.png 249w\" sizes=\"(max-width: 351px) 100vw, 351px\" \/><\/a><\/p>\n<p>On Windows 7, it is enabled by default (but to install a TSF DLL one requires administrator privileges).<\/p>\n<p>Examples of how to use TSF are provided in the <a href=\"http:\/\/msdn.microsoft.com\/en-us\/dd299405.aspx\">Microsoft SDK<\/a> (look for the &#8216;Samples\\winui\\Input\\tsf\\TextService&#8217; directory). For the purpose of this article, I just picked the simplest possible example, i.e. 
a project from the &#8216;Samples\\winui\\Input\\tsf\\TextService\\TextService-Step01&#8217; subdirectory and updated it with a trivial cosmetic change &#8211; a call to OutputDebugString so that we can observe processes loading and unloading our test DLL.<\/p>\n<pre style=\"padding-left: 30px;\">BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID pvReserved)\r\n{\r\n\u00a0 <span style=\"color: #ff0000;\">TCHAR szFileFullPath[256];<\/span>\r\n<span style=\"color: #ff0000;\">\u00a0 TCHAR buf[300];<\/span>\r\n\u00a0\u00a0\u00a0 switch (dwReason)\r\n\u00a0\u00a0\u00a0 {\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 case DLL_PROCESS_ATTACH:\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 g_hInst = hInstance;\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0<span style=\"color: #ff0000;\">GetModuleFileName (NULL,szFileFullPath,256);<\/span>\r\n<span style=\"color: #ff0000;\">\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0 _tcscpy (buf, TEXT(\"TSF DLL loaded: \"));<\/span>\r\n<span style=\"color: #ff0000;\">\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0 _tcscat (buf, szFileFullPath);<\/span>\r\n<span style=\"color: #ff0000;\">\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0OutputDebugString(buf);<\/span>\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 if (!InitializeCriticalSectionAndSpinCount(&amp;g_cs, 0))\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 return FALSE;\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 break;\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 case DLL_PROCESS_DETACH:\r\n\r\n<span style=\"color: #ff0000;\">\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0GetModuleFileName (NULL,szFileFullPath,256);<\/span>\r\n<span style=\"color: #ff0000;\">\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0 _tcscpy (buf, TEXT(\"TSF DLL unloaded: \"));<\/span>\r\n<span 
style=\"color: #ff0000;\">\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0 _tcscat (buf, szFileFullPath);<\/span>\r\n<span style=\"color: #ff0000;\">\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0OutputDebugString(buf);<\/span>\r\n\r\n\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0 \u00a0DeleteCriticalSection(&amp;g_cs);\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 break;\r\n\u00a0\u00a0\u00a0 }\r\n\r\n\u00a0\u00a0\u00a0 return TRUE;\r\n}<\/pre>\n<p>Once registered with regsvr32.exe:<\/p>\n<pre style=\"padding-left: 30px;\">regsvr32 TextService-Step01.dll<\/pre>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1617\" alt=\"TextService-Step01.1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.1.png\" width=\"288\" height=\"107\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.1.png 339w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.1-300x111.png 300w\" sizes=\"(max-width: 288px) 100vw, 288px\" \/><\/a><\/p>\n<p>the DLL is now active and will be loaded into each new process utilizing Text Services (pretty much every single GUI application, including those already running), as can be shown via <a href=\"http:\/\/technet.microsoft.com\/en-us\/sysinternals\/bb896647.aspx\">DebugView<\/a> from Sysinternals.<\/p>\n<p>Running a few test applications shows the following output in DebugView:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1653\" alt=\"TextService-Step01.2\" 
src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.2.png\" width=\"546\" height=\"121\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.2.png 764w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.2-300x66.png 300w\" sizes=\"(max-width: 546px) 100vw, 546px\" \/><\/a><\/p>\n<p>Of course, it survives a reboot and is loaded the next time a user logs on and applications are executed; it also works under Windows 7 without any problem:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.5.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1652\" alt=\"TextService-Step01.5\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.5.png\" width=\"539\" height=\"136\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.5.png 637w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.5-300x75.png 300w\" sizes=\"(max-width: 539px) 100vw, 539px\" \/><\/a><\/p>\n<p>You may be wondering if there is any visual indication of the DLL being present on the system.<\/p>\n<p>There is.<\/p>\n<p>If you look at legitimate software like the aforementioned Ekaya &#8211; it adds a set of icons to the Language Bar:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/Ekaya1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1625\" alt=\"Ekaya1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/Ekaya1.png\" width=\"197\" height=\"110\" \/><\/a><\/p>\n<p>and<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/Ekaya2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full 
wp-image-1626\" alt=\"Ekaya2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/Ekaya2.png\" width=\"233\" height=\"82\" \/><\/a><\/p>\n<p>It can also be seen in the Text Services and Input Languages section (you can find it under Regional Settings):<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/Ekaya3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1627\" alt=\"Ekaya3\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/Ekaya3.png\" width=\"360\" height=\"433\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/Ekaya3.png 404w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/Ekaya3-249x300.png 249w\" sizes=\"(max-width: 360px) 100vw, 360px\" \/><\/a><\/p>\n<p>There is no requirement for TSF DLLs to add extra features to the Language Bar, so the Text Services and Input Languages section under Regional Settings is the only place where it is possible to spot the loaded DLL &#8211; for our test sample it looks like this:<\/p>\n<p style=\"text-align: center;\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1628\" alt=\"TextService-Step01.3\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/TextService-Step01.3.png\" width=\"378\" height=\"453\" \/><\/p>\n<h3>DLL load order<\/h3>\n<p>This is a trick relying on DLL load order &#8211; it has been covered on many security blogs in the last 2 years, so I just mention it for completeness &#8211; there are many DLLs that can be &#8216;injected&#8217; into a loading process of many popular programs. 
Two of them: <strong>fxsst.dll<\/strong> and <strong>ntshrui.dll<\/strong> have been covered by Nick Harbour from Mandiant in his posts from <a href=\"https:\/\/www.mandiant.com\/blog\/malware-persistence-windows-registry\/\">July 2010<\/a> and <a href=\"https:\/\/www.mandiant.com\/blog\/fxsst\/\">June 2011<\/a>.<\/p>\n<h3>IIS Server Extensions (ISAPI filters)<\/h3>\n<p>In my older post I mentioned plugins and various extensions that can be loaded into various applications. There are really a lot of possibilities here, including a multitude of popular software, Windows Shell extensions, the aforementioned Text Services, IME, URL handlers, and so on and so forth. There are also possibilities of writing server environment-specific extensions, e.g. <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms524610%28v=vs.90%29.aspx\">ISAPI filters<\/a>. As per the information on the page:<\/p>\n<p style=\"padding-left: 30px;\">Every ISAPI filter is contained in a separate DLL that must export two entry-point functions, GetFilterVersion and HttpFilterProc, and optionally export the TerminateFilter function. The metabase property, FilterLoadOrder, contains a list of all filters that IIS loads when the Web service is started.<\/p>\n<h3>AppCertDlls<\/h3>\n<p>This is also a known technique &#8211; it was researched and published by EP_X0FF in 2007 on the Sysinternals <a href=\"http:\/\/forum.sysinternals.com\/appcertdlls_topic12546.html\">forum<\/a>. There were a few follow-up posts about it, and sample code can be found <a href=\"http:\/\/www.cyberforum.ru\/win-api\/thread304222.html\">here<\/a>, <a href=\"http:\/\/x64blog.name\/tag\/APC\">here<\/a> and <a href=\"http:\/\/www.kernelmode.info\/forum\/viewtopic.php?p=16552#\">here<\/a>. 
If you are interested, you may also read the ReactOS code that implements this feature <a href=\"https:\/\/code.google.com\/p\/reactos-mirror\/source\/browse\/trunk\/reactos\/dll\/win32\/kernel32\/client\/proc.c?spec=svn58084&amp;r=58084\">here<\/a> (search for &#8216;BasepIsProcessAllowed&#8217;).<\/p>\n<p>Using slightly modified code from one of the posts, we can build a DLL to demonstrate how it works.<\/p>\n<p>First we need to add a registry key:<\/p>\n<pre style=\"padding-left: 30px;\">HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls<\/pre>\n<p>then add any REG_EXPAND_SZ value pointing to the DLL we have built.<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1629\" alt=\"appcertsdll1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll1.png\" width=\"558\" height=\"118\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll1.png 732w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll1-300x63.png 300w\" sizes=\"(max-width: 558px) 100vw, 558px\" \/><\/a><\/p>\n<p>Now we need to restart the system to ensure system-wide coverage. For testing purposes, it is okay to restart Windows Explorer so that it can refresh its internal program state to include these DLLs in the process creation sequence. 
Or, one can simply launch cmd.exe and then run programs from the command line to observe the DLL being loaded into each newly created process:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1650\" alt=\"appcertsdll2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll2.png\" width=\"551\" height=\"122\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll2.png 696w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll2-300x66.png 300w\" sizes=\"(max-width: 551px) 100vw, 551px\" \/><\/a><\/p>\n<p>You may be wondering how it works under a 64-bit system. It works pretty well.<\/p>\n<p>In fact, you can register both 32-bit and 64-bit DLLs as a notification on a 64-bit system:<\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1639\" alt=\"appcertsdll3\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll3.png\" width=\"562\" height=\"162\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll3.png 625w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll3-300x86.png 300w\" sizes=\"(max-width: 562px) 100vw, 562px\" \/><\/a><\/p>\n<p>to ensure notifications will be processed for both 64-bit and 32-bit programs:<\/p>\n<p>&nbsp;<\/p>\n<p style=\"text-align: center;\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1649\" alt=\"appcertsdll6\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll6.png\" width=\"564\" height=\"188\" 
srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll6.png 718w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/01\/appcertsdll6-300x99.png 300w\" sizes=\"(max-width: 564px) 100vw, 564px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>That&#8217;s all ! Thanks for reading!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Possible Autostart\/start mechanisms that are built-in &#8216;natively&#8217; in Windows and also available by means of extra features offered by many applications go beyond typical path locations and registry keys highlighted by popular programs and scripts like Autoruns and SilentRunners. I &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2013\/01\/19\/beyond-good-ol-run-key-part-3\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1613"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1613"}],"version-history":[{"count":29,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1613\/revisions"}],"predecessor-version":[{"id":2154,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1613\/revisions\/2154"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1613"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1613"},{"taxonomy":"post_tag","embeddable":tru
e,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1613"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}