(note, the screenshots are from XP cuz it’s holiday and I am lazy, but same applies to newer versions of Windows)<\/p>\n Once the appropriate Event is selected f.ex. Startup:<\/p>\n We can add the script using a dialog box:<\/p>\n We can also repeat the sequence and add a number of scripts:<\/p>\n The system stores the scripts in the following location:<\/p>\n Inside the folder we can see the following files:<\/p>\n Note: I have added 2 scripts for each event.<\/p>\n The content of the files is as follows:<\/p>\n And the same story for Logon\/Logoff events:<\/p>\n with the content as follows:<\/p>\n Trivia fact: while preparing the post I noticed that an old autoruns present on my test VM shows some of the scripts incorrectly i.e. under the HKLM\\…\\Run key:<\/p>\n The latest version works like a charm… or not \ud83d\ude42 – note that scripts are duplicated and Logoff event shows 6 entries instead of 2:<\/p>\n Inspecting the Registry entries we can notice that the …\\Scripts\\Logon\\<number>\\FileSysPath properties can be modified:<\/p>\n In my case I modify it to c:\\test and I am recreating the Logon\/Logoff scripts folder structure there:<\/p>\n Luckily, autoruns picks it up too:<\/p>\n Last, but not last – if such entries already exist on the system, an attacker could simply append some commands to existing scripts, or hijack execution of existing commands using many of existing tricks (f.ex. path interception, path companion, etc.).<\/p>\n","protected":false},"excerpt":{"rendered":" In my previous post in this series I talked about the Logon scripts. This nice concept of being able to run some code when system-wide, or user-wide events happen is very useful in a managed environment. The Logon event is … Continue reading ![\"pic1\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/05\/pic1-1.png\")
<\/a><\/p>\n\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n\n
<\/a><\/p>\n\n
\n
\n
<\/a><\/p>\n\n
\n
\n
<\/a>
\nIf we restart the computer now (making all the events happen: Logoff, Shutdown, Startup, Logon), we can observe that our scripts are all executed one by one – as indicated by the ‘trace’ files created by each script:<\/p>\n<\/a>I also temporarily modified the startup script to pause before continuing – just to show that the scripts are executed by userinit.exe:<\/p>\n<\/p>\n<\/a><\/p>\n<\/a>If in doubt, we can always visit the Registry entries where the information about these 4 events is stored:<\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n