![](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/bt1.png\")
<\/a>Despite efforts I didn’t manage to trigger it, but I don’t have many Bluetooth devices at hand. Perhaps someone will be able to run a QC on this one.<\/p>\nThe setting is located inside the Registry under the following location:<\/p>\n
- \n
- HKCU\\Software\\Toshiba\\BluetoothStack\\
\nV1.0\\Mng\\IasStartAplPath= EXE Path<\/li>\n<\/ul>\nThe second, is not just one, but it’s actually a group of individual settings assigned to each connection – here is an example of properties of such one connection where I added the c:\\windows\\system32\\notepad.exe to execute anytime the connection is established:<\/p>\n
![](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/bt2.png\")
<\/a>This one works for sure and it was easy to test it.<\/p>\nThe location of these settings is as follows:<\/p>\n
- \n
- HKCU\\Software\\Toshiba\\BluetoothStack\\
\nV1.0\\EZC\\DATA\\1001\\SCORIGINAL
\nAPPEXECUTE=hex:01
\nAPPFILEPATHBYTECNT=dword:<Path Length in bytes>
\nAPPFILEPATH=hex:<Path expressed as a sequence of hexadecimal numbers>
\nAPPFILEPATH2=EXE Path represented as a string
\nPSM=dword:0000000f
\nSECURITY=dword:00000001<\/li>\n<\/ul>\nThe key DATA\\1001\\SCORIGINAL changes to DATA\\1002\\SCORIGINAL for the second connection and increases for subsequent connections. This is how it looks like inside the Registry:<\/p>\n
![](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/01\/bt3-300x82.png\")
<\/a><\/p>\nIt’s pretty simple, but it’s also not very convincing – I don’t think we should expect a flood of malware using it. Still, worth documenting.<\/p>\n","protected":false},"excerpt":{"rendered":"
I stumbled upon this persistence mechanism by chance and its nature is similar to the many I have covered before – the preset applications that are executed when a certain event happens. This time I was checking the Bluetooth Stack … Continue reading
- HKCU\\Software\\Toshiba\\BluetoothStack\\