![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2018\/12\/payment.png\")
<\/figure><\/div>\n\n\n\nNot sure what they are, but when I grepped win10 for DLLs that referenced the parent key name I found the DLL called SEMgrSvc.dll.<\/p>\n\n\n\n
The internal name of the DLL is ‘NFC SEManagement Service DLL’. A quick google followed and I found this post<\/a>. It refers to the `Payments and NFC\/SE Manager` service.<\/p>\n\n\n\n Browsing through the code of the DLL I spotted a possible persistence opportunity. I can’t test it as I really don’t know under what circumstances it is being used, but documenting in case someone wants to poke around, or one day it is actually being used:<\/p>\n\n\n\n The <file> is loaded via LoadLibraryW when Wallet instance is created, and then the API GetMockWalletCOMInstance exported by the wallet DLL is executed.<\/p>\n\n\n\n If you know how it is being used, please let me know. Thanks.<\/p>\n","protected":false},"excerpt":{"rendered":" Today, while browsing through the Registry, I came across this strange set of garbled Registry keys: HKCU\\Software\\Microsoft\\Payment\\PaymentApps Not sure what they are, but when I grepped win10 for DLLs that referenced the parent key name I found the DLL called … Continue reading