{"id":3946,"date":"2016-11-24T01:16:48","date_gmt":"2016-11-24T01:16:48","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3946"},"modified":"2016-11-24T10:11:30","modified_gmt":"2016-11-24T10:11:30","slug":"beyond-good-ol-run-key-part-51","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/11\/24\/beyond-good-ol-run-key-part-51\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 51"},"content":{"rendered":"<p>There are a <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/02\/09\/beyond-good-ol-run-key-part-7\/\">number<\/a> of <a href=\"https:\/\/www.hexacorn.com\/blog\/2014\/04\/16\/beyond-good-ol-run-key-part-10\/\">persistence<\/a> mechanisms related to Office that I have already discussed in the past, but the most obvious one &#8211; one that is actually documented &#8211; has not been covered in my posts yet. I am fixing it now \ud83d\ude09<\/p>\n<p>When Word starts, it looks for the items inside the STARTUP folder that it can load. Older versions of Office would look for files with the following extensions: .lnk, .wll (Word Add-in DLLs), or .dot\u00a0 f.ex.:<\/p>\n<ul>\n<li>c:\\Program Files\\Microsoft Office\\&lt;version&gt;\\STARTUP\\*.dot<\/li>\n<li>c:\\Program Files\\Microsoft Office\\&lt;version&gt;\\STARTUP\\*.lnk<\/li>\n<li>c:\\Program Files\\Microsoft Office\\&lt;version&gt;\\STARTUP\\*.wll<\/li>\n<\/ul>\n<p>Newer versions look for additional files *.dotm and *.dotx.<\/p>\n<p>The location above is a STARTUP folder common for all users (and it&#8217;s a <strong>WORD <\/strong><strong>STARTUP<\/strong> <strong>persistence location #1<\/strong>).<\/p>\n<p>The user-specific folder is located&#8230; well, this is where it gets interesting \ud83d\ude42<\/p>\n<p>So&#8230; Winword tries to find the following registry 
key:<\/p>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Office\\&lt;version&gt;\\Word\\Options\\STARTUP-PATH<\/li>\n<\/ul>\n<p>f.ex.<\/p>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Office\\15.0\\Word\\Options\\STARTUP-PATH<\/li>\n<\/ul>\n<p>If it exists, Word will read its value and treat it as a user-specific STARTUP folder. If we change it to our own, we can abuse it (<strong>WORD <\/strong><strong>STARTUP<\/strong> <strong>persistence location #2<\/strong>):<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/11\/regstartup1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3947\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/11\/regstartup1-300x75.png\" alt=\"regstartup1\" width=\"499\" height=\"125\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/11\/regstartup1-300x75.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/11\/regstartup1-756x190.png 756w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/11\/regstartup1.png 759w\" sizes=\"(max-width: 499px) 100vw, 499px\" \/><\/a><\/p>\n<p>Otherwise&#8230; if it doesn&#8217;t exist, Word will read another Registry entry:<\/p>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Office\\&lt;version&gt;\\Common\\General\\Startup<\/li>\n<\/ul>\n<p>The default value is &#8216;STARTUP&#8217;, but we can change it to anything we want.<\/p>\n<p>So, if the &#8216;Common\\General\\Startup&#8217; value is left at its default, &#8216;STARTUP&#8217;, the path will be:<\/p>\n<ul>\n<li>%APPDATA%\\Microsoft\\Word\\STARTUP (<strong>WORD <\/strong><strong>STARTUP<\/strong> <strong>persistence #3a<\/strong>)<\/li>\n<\/ul>\n<p>But if we change it to f.ex. 
TEMP, the location will be<\/p>\n<ul>\n<li>%APPDATA%\\Microsoft\\Word\\TEMP (<strong>WORD STARTUP persistence #3b<\/strong>)<\/li>\n<\/ul>\n<p>We can try to wrap it up as follows (Word\/Office 15.0):<\/p>\n<ul>\n<li>c:\\Program Files\\Microsoft Office\\Office15\\STARTUP<\/li>\n<li>%APPDATA%\\Microsoft\\Word\\STARTUP<br \/>\nOR<\/p>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Office\\Office15\\Common\\General\\Startup = <em>FOOBAR<\/em><\/li>\n<li>%APPDATA%\\Microsoft\\Word\\<em>FOOBAR<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Excel behaves in a similar way, except the paths and keys are (for Office 15.0):<\/p>\n<ul>\n<li>C:\\Program Files\\Microsoft Office\\Office15\\XLSTART<\/li>\n<li>%APPDATA%\\Microsoft\\Excel\\XLSTART<br \/>\nOR<\/p>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Office\\Office15\\Common\\General\\Xlstart = <em>FOOBAR<\/em><\/li>\n<li>%APPDATA%\\Microsoft\\Excel\\<em>FOOBAR<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Here are the Word and Excel options that dictate what are the actual user-specific %APPDATA% startup folders for both programs:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/11\/regstartup2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3953\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/11\/regstartup2-300x102.png\" alt=\"regstartup2\" width=\"501\" height=\"170\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/11\/regstartup2-300x102.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/11\/regstartup2.png 722w\" sizes=\"(max-width: 501px) 100vw, 501px\" \/><\/a><\/p>\n<p>That&#8217;s all!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There is a number of persistence mechanisms related to Office that I have already discussed in the past, but the most obvious one &#8211; one that is actually documented &#8211; has not been covered in my posts yet. 
I am &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/11\/24\/beyond-good-ol-run-key-part-51\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[13,35,15,19,46,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3946"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3946"}],"version-history":[{"count":7,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3946\/revisions"}],"predecessor-version":[{"id":3955,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3946\/revisions\/3955"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3946"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3946"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=3946"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}