{"id":4668,"date":"2018-03-11T23:32:48","date_gmt":"2018-03-11T23:32:48","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4668"},"modified":"2018-03-11T23:32:48","modified_gmt":"2018-03-11T23:32:48","slug":"certain-windows-stay-classy-part-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2018\/03\/11\/certain-windows-stay-classy-part-2\/","title":{"rendered":"Certain Windows\u2026 stay classy\u2026 part 2"},"content":{"rendered":"<p>In one of the older <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/06\/22\/certain-windows-stay-classy\/\">posts<\/a> I listed a number of very recognizable window classes that can be found hard-coded as strings inside various programs (including malware). The intention there was to help with recognizing the compiler\/protector\/installer that was used to create\/build\/protect the file.<\/p>\n<p>I thought it would be good to expand this list with a whitelist of common window classes created by various legitimate Windows applications. Such a list may help to determine which window classes on a system, or in a memory image, are potentially anomalous (e.g. 
if you run the &#8216;windows&#8217; or &#8216;wintree&#8217; command in Volatility).<\/p>\n<p>Here&#8217;s the short list I have come up with so far &#8211; if you see a class missing, please let me know and I will add it:<\/p>\n<ul>\n<li>$$$UI0Background<\/li>\n<li>_SearchEditBoxFakeWindow<\/li>\n<li>{37E561C9-40E3-44de-AF62-CECD75524364}<\/li>\n<li>ActionsMenuOwner<\/li>\n<li>Address Band Root<\/li>\n<li>AMNotificationDialog<\/li>\n<li>AppResizeAcc<\/li>\n<li>AudioDevStubWindow32<\/li>\n<li>AutoplayHandlerChooser<\/li>\n<li>AVIWnd32<\/li>\n<li>Breadcrumb Parent<\/li>\n<li>Button<\/li>\n<li>CabinetWClass<\/li>\n<li>CDDEServer<\/li>\n<li>CDVDMsgWindowClass<\/li>\n<li>CicLoaderWndClass<\/li>\n<li>CM Monitor Window<\/li>\n<li>ComboBox<\/li>\n<li>ComboBoxEx32<\/li>\n<li>COMPDESK_DISPALYCHANGE_CLASS<\/li>\n<li>Compose_CvPgPreview<\/li>\n<li>ConnectionManagerMsgProc<\/li>\n<li>ConsoleWindowClass<\/li>\n<li>CtlFrameWork_Parking<\/li>\n<li>CtrlAccWindow<\/li>\n<li>CtrlNotifySink<\/li>\n<li>CustomEventWindowClass<\/li>\n<li>DDE Channel<\/li>\n<li>DDE Server Window<\/li>\n<li>DDE ViewObj<\/li>\n<li>DeviceUpdateClass<\/li>\n<li>DIEmWin<\/li>\n<li>DocWndClass<\/li>\n<li>DragWindow<\/li>\n<li>DsPropNotifyWindow<\/li>\n<li>DummyDWMListenerWindow<\/li>\n<li>Dwm<\/li>\n<li>EalMessageWindow<\/li>\n<li>Edit<\/li>\n<li>elevationdummy<\/li>\n<li>EnhancedStorageAuthentication<\/li>\n<li>ERCUITHREADMARSHALLER<\/li>\n<li>Event Viewer Snapin Synch<\/li>\n<li>EVRFullscreenVideo<\/li>\n<li>EVRPowerMsgWindowClass<\/li>\n<li>EVRVideoHandler<\/li>\n<li>EvtQProcWndClass<\/li>\n<li>FaxME_DocHost<\/li>\n<li>FaxTiffView_Host<\/li>\n<li>FDBthProviderClass<\/li>\n<li>FloatNotifySink<\/li>\n<li>Fn Notify Window<\/li>\n<li>FocusMonitorWindowClass<\/li>\n<li>GDI+ Window<\/li>\n<li>GestureArbitrationEngineWindowClass<\/li>\n<li>Ghost<\/li>\n<li>GhostDivider<\/li>\n<li>GRIDWNDCLASS<\/li>\n<li>HH CustomNavPane<\/li>\n<li>HH Parent<\/li>\n<li>HH 
SizeBar<\/li>\n<li>HH_API<\/li>\n<li>HidServClass<\/li>\n<li>HighlightCursorClass<\/li>\n<li>HitTestWorker<\/li>\n<li>HostCtrlAccWindow<\/li>\n<li>IEFrame<\/li>\n<li>InkEditReflectClass<\/li>\n<li>invisible bmp window<\/li>\n<li>Isolation Thread Message Window<\/li>\n<li>ItemWndClass<\/li>\n<li>JobPropWnd<\/li>\n<li>JointDivider<\/li>\n<li>JointResizeAcc<\/li>\n<li>KBEMWndClass<\/li>\n<li>L21DecMsgWnd<\/li>\n<li>listbox<\/li>\n<li>LOCATIONNOTIFICATION<\/li>\n<li>Magnifier<\/li>\n<li>MCI command handling window<\/li>\n<li>mdiclient<\/li>\n<li>MDRESNOTIFYCLASS<\/li>\n<li>MESSAGE<\/li>\n<li>MGMTAPI Notification Class<\/li>\n<li>MNC_TaskmanWindow<\/li>\n<li>MobilityCenterHelpButton<\/li>\n<li>MobilityCenterIcon<\/li>\n<li>MobilityCenterStatusText<\/li>\n<li>MobilityCenterTileName<\/li>\n<li>MouseMonitorWindowClass<\/li>\n<li>MRT<\/li>\n<li>MS:SyncNotificationWindow<\/li>\n<li>MS:WPDStatusProviderNotificationWindow<\/li>\n<li>MSAA_DA_Class<\/li>\n<li>MSCTFIME Composition<\/li>\n<li>msctls_progress32<\/li>\n<li>msctls_statusbar32<\/li>\n<li>msctls_trackbar32<\/li>\n<li>msctls_updown32<\/li>\n<li>MstscRemoteSessionsMgrWndClass<\/li>\n<li>MTVDragInputHandler<\/li>\n<li>NarratorTIEWIndowClass<\/li>\n<li>NarratorTouchWindow<\/li>\n<li>Notepad<\/li>\n<li>NotificationsMenuOwner<\/li>\n<li>OCHost<\/li>\n<li>OE_Envelope<\/li>\n<li>OleDocWndClass<\/li>\n<li>OleSrvrWndClass<\/li>\n<li>Palette Watcher<\/li>\n<li>PCALUA<\/li>\n<li>PowerCPL Message Window<\/li>\n<li>PPCHiddenWindow<\/li>\n<li>proquota<\/li>\n<li>PRSEVENTRECEIVER<\/li>\n<li>RadioButtonList<\/li>\n<li>RdpClipRdrWindowClass<\/li>\n<li>RdpSaInvitationManagerHiddenWindowClass<\/li>\n<li>RDPSoundDVCWnd<\/li>\n<li>RDPSoundInputWnd<\/li>\n<li>RdvSessionMonitorClass<\/li>\n<li>ReBarWindow32<\/li>\n<li>RectWndClass<\/li>\n<li>REListBox20W<\/li>\n<li>RelMonGraphWindow<\/li>\n<li>RICHEDIT<\/li>\n<li>RICHEDIT50W<\/li>\n<li>RunDLL<\/li>\n<li>RunLegacyCPL<\/li>\n<li>Scroll<\/li>\n<li>SCROLLBAR<\/li>\n<li>Search 
Box<\/li>\n<li>SearchEditBoxWrapperClass<\/li>\n<li>SeparatorBand<\/li>\n<li>Shell Preview Extension Temporary Parent<\/li>\n<li>Shell_Dim<\/li>\n<li>Shell_SecondaryTrayWnd<\/li>\n<li>Shell_TrayWnd<\/li>\n<li>SI WMP sync hidden window<\/li>\n<li>SJE_FULLSCREEN<\/li>\n<li>SlideshowCache<\/li>\n<li>SlideshowManager<\/li>\n<li>SoftKBDClsC1<\/li>\n<li>SoftKBDClsT1<\/li>\n<li>SoftkbdIMXOwnerWndClass<\/li>\n<li>SPACEAGENT!PNP!MESSAGEWND<\/li>\n<li>SrvrWndClass<\/li>\n<li>SSDemoParent<\/li>\n<li>Static<\/li>\n<li>StubNtPrintWindow<\/li>\n<li>StubPrintWindow<\/li>\n<li>StubWindow32<\/li>\n<li>sync hidden window<\/li>\n<li>SysHeader32<\/li>\n<li>SysLink<\/li>\n<li>SysListView32<\/li>\n<li>SysMonthCal32<\/li>\n<li>SysPager<\/li>\n<li>SysTabControl32<\/li>\n<li>SystemMonitorWindowClass<\/li>\n<li>SystemTray_Main<\/li>\n<li>SysTreeView32<\/li>\n<li>TabCal_WndClass<\/li>\n<li>TabletModeCoverWindow<\/li>\n<li>TabletModeInputHandler<\/li>\n<li>Tapi32WndClass<\/li>\n<li>Task Host Window<\/li>\n<li>TaskListOverlayWnd<\/li>\n<li>TaskListThumbnailWnd<\/li>\n<li>TextRendererMsgProc<\/li>\n<li>TiBusUpdate<\/li>\n<li>ToolbarWindow32<\/li>\n<li>tooltips_class32<\/li>\n<li>TravelBand<\/li>\n<li>TrayDummySearchControl<\/li>\n<li>TrayInputIndicatorWClass<\/li>\n<li>TrayNotifyWnd<\/li>\n<li>TrayShowDesktopButtonWClass<\/li>\n<li>TSC_POPUP_PARENT_WNDCLASS<\/li>\n<li>TSMF Geometry<\/li>\n<li>UIAInvokeHelperWndClass<\/li>\n<li>UIManager Message Window<\/li>\n<li>UniversalSearchBand<\/li>\n<li>UpBand<\/li>\n<li>URL Moniker Notification Window<\/li>\n<li>UserAdapterWindowClass<\/li>\n<li>VBBubbleRT6<\/li>\n<li>VBFocusRT6<\/li>\n<li>VisualViewportMessageWindow<\/li>\n<li>VolNotifySink<\/li>\n<li>WdcGraphWindow<\/li>\n<li>WebInstanceCoreInputWindow<\/li>\n<li>Webview 
Window<\/li>\n<li>WiaPreviewControl<\/li>\n<li>WMPMessenger<\/li>\n<li>WMPSimpleMessageWindow<\/li>\n<li>WMPTransition<\/li>\n<li>WorkerA<\/li>\n<li>WorkerMessageWindow<\/li>\n<li>WorkerW<\/li>\n<li>WusaHidden<\/li>\n<li>XAMLMessageWindowClass<\/li>\n<li>XAMLWebViewHostWindowClass<\/li>\n<li>XCPDeferredClass<\/li>\n<li>XCPTimerClass<\/li>\n<li>XMLMimeWnd<\/li>\n<li>YO<\/li>\n<li>ZIP Folder STUB window<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In one of the older posts I listed a number of very recognizable windows classes that can be found hard-coded as strings inside various programs (including malware). The intention there was to help with a recognition of a compiler\/protector\/installer that &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/03\/11\/certain-windows-stay-classy-part-2\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[19],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4668"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4668"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4668\/revisions"}],"predecessor-version":[{"id":4669,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4668\/revisions\/4669"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp
\/v2\/categories?post=4668"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
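The post suggests checking the whitelist above against the output of the Volatility `windows` plugin. Here is an added example of how to do that (this is example code written for this page, not code from the original post or from the Volatility project): it parses the text layout produced by the Volatility 2 `windows` plugin, compares every window's class against a subset of the whitelist from this post, and reports classes that are not on the list, grouped by the process that owns them. The dump embedded in the script is constructed for the demo and mimics the plugin's record format; its handles, addresses, PIDs and the class name `ExampleUnlistedClass` are made up and are not from a real image.

```python
"""Triage window classes from a Volatility 2 `windows` dump against a whitelist.

Added example (not from the original post): parse the text produced by the
Volatility 2 `windows` plugin, look every window class up in a whitelist of
known-good names such as the one in this post, and report what is not listed.
"""
import re
from collections import defaultdict

# Subset of the whitelist from this post. Lookups are case-insensitive, so
# the mixed casing in the post ("listbox", "SCROLLBAR") does not matter.
KNOWN_GOOD_CLASSES = {
    "Button", "CabinetWClass", "ConsoleWindowClass", "Edit", "GDI+ Window",
    "IEFrame", "listbox", "MSCTFIME Composition", "Notepad", "Shell_TrayWnd",
    "Static", "SysListView32", "tooltips_class32", "TrayNotifyWnd", "WorkerW",
}

# Constructed sample shaped like Volatility 2 `windows` output. Handles,
# addresses, PIDs and the class "ExampleUnlistedClass" are invented for the
# demo; they do not come from a real memory image.
SAMPLE_WINDOWS_OUTPUT = """\
**************************************************
Window context: 1\\WinSta0\\Default

Window Handle: #10010 at 0xfffff900c01a0a60, Name: 
ClassAtom: 0xc05e, Class: Shell_TrayWnd
SuperClassAtom: 0xc05e, SuperClass: Shell_TrayWnd
pti: 0xfffff900c0d22010, Tid: 1384 at 0xfffffa8010490060
ppi: 0xfffff900c0a4a010, Process: explorer.exe, Pid: 2460
Visible: Yes

Window Handle: #20124 at 0xfffff900c01b3c40, Name: Untitled - Notepad
ClassAtom: 0xc0a3, Class: Notepad
SuperClassAtom: 0xc0a3, SuperClass: Notepad
pti: 0xfffff900c0e11010, Tid: 3188 at 0xfffffa8010a7b060
ppi: 0xfffff900c0b9c010, Process: notepad.exe, Pid: 3120
Visible: Yes

Window Handle: #2012a at 0xfffff900c01b4120, Name: 
ClassAtom: 0xc00e, Class: listbox
SuperClassAtom: 0xc00e, SuperClass: listbox
pti: 0xfffff900c0e11010, Tid: 3188 at 0xfffffa8010a7b060
ppi: 0xfffff900c0b9c010, Process: notepad.exe, Pid: 3120
Visible: No

Window Handle: #3019e at 0xfffff900c02c7a80, Name: 
ClassAtom: 0xc1f7, Class: ExampleUnlistedClass
SuperClassAtom: 0xc1f7, SuperClass: ExampleUnlistedClass
pti: 0xfffff900c0f32010, Tid: 4420 at 0xfffffa8010c91b60
ppi: 0xfffff900c0c2d010, Process: svchost.exe, Pid: 4412
Visible: No
"""

# One record starts at each "Window Handle:" line; the class sits on the
# "ClassAtom:" line (anchored so "SuperClassAtom:" is not picked up) and the
# owning process on the "ppi:" line.
HANDLE_RE = re.compile(r"^Window Handle: (#[0-9a-fA-F]+) at (0x[0-9a-fA-F]+), Name: (.*)$")
CLASS_RE = re.compile(r"^ClassAtom: 0x[0-9a-fA-F]+, Class: (.*)$")
PROCESS_RE = re.compile(r"Process: (\S+), Pid: (\d+)")


def parse_windows_output(text):
    """Return one dict per window: handle, name, cls, process, pid."""
    records, current = [], None
    for line in text.splitlines():
        m = HANDLE_RE.match(line)
        if m:
            current = {"handle": m.group(1), "name": m.group(3).strip(),
                       "cls": "", "process": "", "pid": None}
            records.append(current)
            continue
        if current is None:
            continue  # banner / "Window context" lines before the first window
        m = CLASS_RE.match(line)
        if m:
            current["cls"] = m.group(1).strip()
            continue
        m = PROCESS_RE.search(line)
        if m:
            current["process"], current["pid"] = m.group(1), int(m.group(2))
    return records


def normalize(cls):
    """Window class names are compared case-insensitively after trimming."""
    return cls.strip().casefold()


def find_unlisted(records, whitelist=KNOWN_GOOD_CLASSES):
    """Map each class not on the whitelist to the sorted (process, pid) pairs owning it."""
    allowed = {normalize(c) for c in whitelist}
    unlisted = defaultdict(set)
    for r in records:
        if normalize(r["cls"]) not in allowed:
            unlisted[r["cls"]].add((r["process"], r["pid"]))
    return {cls: sorted(owners) for cls, owners in unlisted.items()}


def report(text, whitelist=KNOWN_GOOD_CLASSES):
    """Human-readable review queue: every unlisted class and who owns it."""
    records = parse_windows_output(text)
    unlisted = find_unlisted(records, whitelist)
    out = [f"{len(records)} windows parsed, {len(unlisted)} class(es) not on the whitelist"]
    for cls, owners in sorted(unlisted.items()):
        who = ", ".join(f"{proc} (pid {pid})" for proc, pid in owners)
        out.append(f"  {cls!r} owned by {who}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_WINDOWS_OUTPUT))
```

In practice you would save the plugin output (`vol.py -f image.raw --profile=<profile> windows > windows.txt`) and pass the file contents to `report()` with the full whitelist from this post. Expect some benign unlisted classes on a real box, since third-party software (browsers, agents, updaters) registers its own; the whitelist does not give a verdict, it shrinks the set of windows an analyst has to look at, and the owning process next to each unknown class is usually what decides whether it is worth a closer look. The parser targets the `windows` plugin only; `wintree` prints a different layout.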