{"id":3840,"date":"2016-09-24T00:14:26","date_gmt":"2016-09-24T00:14:26","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3840"},"modified":"2016-09-24T06:25:01","modified_gmt":"2016-09-24T06:25:01","slug":"beyond-good-ol-run-key-part-46","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/09\/24\/beyond-good-ol-run-key-part-46\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 46"},"content":{"rendered":"<p>A persistence mechanism that requires user interaction is probably doomed to fail, but there is still some potential here (I described similar functionality <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/03\/02\/beyond-good-ol-run-key-part-9\/\">before<\/a>), and that&#8217;s why I am going to talk about yet another little trick of this kind here&#8230;<\/p>\n<p>Every once in a while Windows needs to tell the user about something important. The standard way to do it is through those annoying balloons that pop up from the notification area (the system tray, or whatever they call it nowadays &#8211; the name changes all the time). One of the first examples of such an &#8216;important&#8217; notification was the Tour in Windows XP. 
Whenever you install XP from scratch, or add a new user and that user logs on, the annoying balloon immediately shows up:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/tour.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-3841\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/tour-300x102.png\" alt=\"tour\" width=\"300\" height=\"102\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/tour-300x102.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/tour.png 398w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a>Balloons like this are created using the <a href=\"https:\/\/msdn.microsoft.com\/en-gb\/library\/windows\/desktop\/bb774424(v=vs.85).aspx\">IUserNotification interface<\/a>. Clicking the balloon executes the program associated with it, and this is the interactivity part I mentioned: the user needs to click the thing to launch the application associated with the message.<\/p>\n<p>Now that we know how the interactive part works, let&#8217;s explore the persistence bit.<\/p>\n<p>Windows uses a mechanism called PostBootReminders to keep a list of important notifications that the system will show after a reboot. The name is misleading: these notifications are per-user and stored in the user&#8217;s Registry hive, so they are not really tied to the boot but to the moment the Shell (Explorer) loads for that user. One just needs to log off and log on again and the thingie will trigger.<\/p>\n<p>Adding PostBootReminders entries is relatively easy. 
The .reg file below is a simple example of such a notification:<\/p>\n<pre>Windows Registry Editor Version 5.00\r\n\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PostBootReminders\\Malware]\r\n\"Title\"=\"Malwaretest\"\r\n\"Text\"=\"Yet another lame persistence mechanism-wannabe...\"\r\n\"ToolTip\"=\"Hello World!\"\r\n\"ShellExecute\"=\"c:\\\\windows\\\\system32\\\\calc.exe\"\r\n\"IconResource\"=\"%SystemRoot%\\\\system32\\\\shell32.dll,-16783\"\r\n\"ShowTime\"=dword:00803600\r\n\"RetryInterval\"=dword:00000060\r\n\"RetryCount\"=dword:00000060\r\n\"TypeFlags\"=dword:00000000<\/pre>\n<p>As we can see, the entries are stored under the HKCU key:<\/p>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PostBootReminders\\&lt;name&gt;<\/li>\n<\/ul>\n<p>Once the Shell reads the entry and creates the notification, it deletes the entry, so in a way it works like a RunOnce key.<\/p>\n<p>The Tour application launched by Windows XP is scheduled the same way, except that its entry is added not before the reboot\/logoff but when Windows Explorer starts. There is a Registry entry:<\/p>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Tour\\RunCount<\/li>\n<\/ul>\n<p>that dictates whether the Tour app will get scheduled via the PostBootReminders mechanism.<\/p>\n<p>This is obviously a bit of archaeological trivia, but for the record, the name of that PostBootReminders entry is &#8216;Microsoft.OfferTour&#8217;. Of course, being the clever reader you are, you will surely notice that the Tour Registry key, together with a replacement of the Tour executable (tourstart.exe), could work as a nice persistence mechanism as well (back when replacing files in system32 was easier).<\/p>\n<p>Another bit of trivia: there is one more built-in PostBootReminders entry added by Windows Explorer on Windows XP. 
It is called &#8216;Microsoft.FixScreenResolution&#8217;<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/displaysettings.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-3842\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/displaysettings-300x111.png\" alt=\"displaysettings\" width=\"300\" height=\"111\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/displaysettings-300x111.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/displaysettings.png 330w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>and is supposed to help fix the screen resolution. This entry is controlled by the following Registry entry:<\/p>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\DontShowMeThisDialogAgain\\ScreenCheck<\/li>\n<\/ul>\n<p>The conditions under which it is launched are a bit more complex than just the presence or value of that Registry entry and are described <a href=\"https:\/\/support.microsoft.com\/en-gb\/kb\/961174\">in detail here<\/a>.<\/p>\n<p>Going back to the future &#8211; Windows 10 continues to use the very same mechanism. 
The known PostBootReminders entries include:<\/p>\n<ul>\n<li>Microsoft.AuditingLogIsFull<\/li>\n<li>Microsoft.CachedLogon<\/li>\n<li>Microsoft.KerbCredentialsExpired<\/li>\n<li>Microsoft.LogoffWarning<\/li>\n<li>Microsoft.LogonHoursWarning<\/li>\n<li>Microsoft.NetDriveReconnectFailed<\/li>\n<li>Microsoft.PasswordExpiryWarning<\/li>\n<li>Microsoft.SmartCardUnlockRequired<\/li>\n<li>Microsoft.SubscriberFailed<\/li>\n<li>ProfileError<\/li>\n<\/ul>\n<p>Going back to the .reg example I posted above &#8211; the values under the PostBootReminders subkey are passed directly to the methods of the IUserNotification interface, so their meaning is easy to look up on the Microsoft site: <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/bb774428(v=vs.85).aspx\">Title, Text and TypeFlags<\/a> (SetBalloonInfo), <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/bb774430(v=vs.85).aspx\">RetryInterval, RetryCount and ShowTime<\/a> (SetBalloonRetry), <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/bb774432(v=vs.85).aspx\">IconResource and ToolTip<\/a> (SetIconInfo). ShellExecute is just the path to the executable that is launched when the balloon is clicked. 
It is worth mentioning that one more value can be added &#8211; CLSID &#8211; which holds the GUID of a class that will be instantiated if the value is present, but I have not explored it yet and am not sure how it works.<\/p>\n<p>As I mentioned, I doubt this thing can fly, but who knows&#8230; one could annoy the user by making the message never go away until clicked (hint: RetryCount\/RetryInterval) &#8211; same as in the animation below \ud83d\ude42 [you may need to click to watch]<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/postbootrmeinderloop.gif\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-3843\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/09\/postbootrmeinderloop-300x80.gif\" alt=\"postbootrmeinderloop\" width=\"300\" height=\"80\" \/><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3840"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3840"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3840\/revisions"}],"predecessor-version":[{"id":3846,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3840\/revisions\/3846"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3840"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3840"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3840"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
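As an added example that is not part of the original post: a Python triage script for a regedit export of the PostBootReminders key (for instance `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PostBootReminders" pbr.reg`, or the same key exported from a mounted NTUSER.DAT). It parses the .reg text, decodes the dword values into the IUserNotification parameters the post maps out (ShowTime, RetryInterval, RetryCount), works out how long a balloon keeps coming back if the user never clicks it, and flags entries whose name is not on the post's list of Windows-shipped reminders, whose ShellExecute target lives outside the Windows directory, or which carry a CLSID value. The allow-list is taken from the post; the sample export is constructed (the post's own `Malware` entry plus a made-up second entry under an HKEY_USERS SID that reuses a legitimate name but launches from a profile directory); the one-hour nag threshold, the C:\Windows expansion of %SystemRoot% and all function names are my assumptions, not anything from Windows or the post.

```python
import re

# Reminder names the post lists as shipped by Windows (Windows 10 list plus the two XP ones).
KNOWN_NAMES = {
    "Microsoft.AuditingLogIsFull", "Microsoft.CachedLogon",
    "Microsoft.KerbCredentialsExpired", "Microsoft.LogoffWarning",
    "Microsoft.LogonHoursWarning", "Microsoft.NetDriveReconnectFailed",
    "Microsoft.PasswordExpiryWarning", "Microsoft.SmartCardUnlockRequired",
    "Microsoft.SubscriberFailed", "ProfileError",
    "Microsoft.OfferTour", "Microsoft.FixScreenResolution",
}
PBR_MARK = "\\Explorer\\PostBootReminders\\"
MAX_NAG_MS = 60 * 60 * 1000   # assumed threshold: flag balloons that keep retrying for > 1 h
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

def decode_data(data):
    """Decode the two .reg data forms the post's example uses; keep anything else raw."""
    if data.startswith("dword:"):
        return int(data[6:], 16)           # regedit tolerates fewer than 8 hex digits
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')   # .reg string escapes
    return data

def parse_reg(text):
    """Parse a regedit export into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = decode_data(m.group("data"))
    return keys

def worst_case_nag_ms(values):
    """Time the balloon keeps coming back if never clicked: the first display plus
    RetryCount re-displays, each after a RetryInterval pause (SetBalloonRetry semantics)."""
    show, interval = values.get("ShowTime", 0), values.get("RetryInterval", 0)
    return show + values.get("RetryCount", 0) * (interval + show)

def launches_from_system_dir(path):
    """True when ShellExecute points under the Windows directory (%SystemRoot% is
    assumed to be C:\\Windows here; adjust for the image being triaged)."""
    p = path.lower().replace("%systemroot%", "c:\\windows")
    return p.startswith("c:\\windows\\")

def triage_postbootreminders(keys):
    """Return [(subkey name, [reasons])] for every PostBootReminders entry worth a look."""
    findings = []
    for key, values in keys.items():
        idx = key.lower().find(PBR_MARK.lower())
        if idx < 0:
            continue
        name, reasons = key[idx + len(PBR_MARK):], []
        if name not in KNOWN_NAMES:
            reasons.append(f"unknown reminder name {name!r}")
        exe = values.get("ShellExecute")
        if exe and not launches_from_system_dir(exe):
            reasons.append(f"ShellExecute outside the Windows directory: {exe}")
        if "CLSID" in values:
            reasons.append(f"instantiates COM class {values['CLSID']}")
        nag = worst_case_nag_ms(values)
        if nag > MAX_NAG_MS:
            reasons.append(f"balloon keeps retrying for ~{nag / 3_600_000:.1f} h unless clicked")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample export: the post's own entry plus a made-up one that hides
# behind a legitimate reminder name but launches from a user profile directory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PostBootReminders\Malware]
"Title"="Malwaretest"
"Text"="Yet another lame persistence mechanism-wannabe..."
"ToolTip"="Hello World!"
"ShellExecute"="c:\\windows\\system32\\calc.exe"
"IconResource"="%SystemRoot%\\system32\\shell32.dll,-16783"
"ShowTime"=dword:00803600
"RetryInterval"=dword:00000060
"RetryCount"=dword:00000060
"TypeFlags"=dword:00000000

[HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\PostBootReminders\Microsoft.LogoffWarning]
"ShellExecute"="C:\\Users\\bob\\AppData\\Roaming\\upd\\svchost.exe"
"ShowTime"=dword:00002710
"RetryInterval"=dword:000003e8
"RetryCount"=dword:00000003
"""

if __name__ == "__main__":
    for name, reasons in triage_postbootreminders(parse_reg(SAMPLE_REG)):
        print(name + "\n  " + "\n  ".join(reasons))
```

Run as-is it triages the embedded sample; feed `parse_reg` the contents of a real export to triage a host. Since the Shell deletes an entry once it has shown the balloon, an export taken from an already logged-on session is often empty: the offline NTUSER.DAT of a user who has not logged on since the entry was written, or write auditing on that key, is the more reliable source. The second sample entry is the reason the name check alone is not enough; a legitimate-looking name with a ShellExecute target in a profile directory is exactly what the path check is for.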