For the first one, the <entries> refer to ‘standard’ startup entries like Run Key, Startup folder, etc.. This key is populated by Task Manager\/Startup tab when we enable\/disable entries:<\/p>\n\n\n\n Some people claim it is already abused<\/a> by malware, but I have not tested it.<\/p>\n\n\n\n We can use Procmon to track this activity e.g. for 3 Run entries we can see this enumeration and each entry is checked against the StartupApproved<\/em> list:<\/p>\n\n\n\n For the second entry… when I searched for it online, I quickly discovered that it seems to be really old and was discussed many times. For example, one of the older twits from @swiftonsecurity<\/a> mentions it<\/a> (in 2014!). <\/p>\n\n\n\n What is its meaning though? <\/p>\n\n\n\n Basically, if the value is not set, it is set when Explorer starts (note that it is for a specific session registry node for which the function SHCreateSessionKey<\/a> opens a dedicated volatile Registry entry created during logon by userinit.exe). It then guards the repetitive execution of most of the legacy autostart and Registry startup entries.<\/p>\n\n\n\n For the third entry, it’s very similar to the second one, it just guards a different set of startup execution. If the entry exists, it prevents the Startup folders from being enumerated over and over again for a given session.<\/p>\n\n\n\n I think the primary reasons for these two entries is to prevent recurring execution of programs that are meant to execute during logon, but should not execute when e.g. Windows Explorer crashes and is restarted, or perhaps when sessions flips between interactive (user with a direct access to the box), and Terminal session\/RDP (? need to test if userinit creates separate sessions for this; may depend on the licenses stipulating number of concurrent sessions available). There may be other scenarios(?).<\/p>\n\n\n\n Since we talk about things happening around startup, I want to refer to a more recent discovery that I already briefly discussed<\/a> on this blog, and which has been discovered by Samir<\/a> (kudos!). Thanks to his analysis<\/a> we can now track execution of at least some of the autostart entries. We can do so by looking at Microsoft-Windows-Shell-Core\/Operational<\/em> logs and its 9707\/9708 events.<\/p>\n\n\n\n Last, but not least, if you see Registry entries, or folders named AutorunsDisabled<\/em> you will of course know these have been ‘imprisoned’ by someone using Autoruns and ticking off some entries.<\/p>\n\n\n\n Now… for the bonus part…<\/p>\n\n\n\n When we talk about startup locations, it’s easy to forget that all of them are executed in a sequence. For example, as a part of this sequence, Windows Explorer enumerates and executes Run keys first, only then it executes stuff from the Startup folders. With that knowledge it is possible to create a number of artifacts that are clean, perhaps even volatile (only exist during the start-up process). Autoruns and other tools will see bogus entries, or entries that on their own look non-malicious. One could use Run keys to create a new file on the system, which in turn could be executed by the shell:startup folder from a .lnk file pointing to the non-existing file (more precisely, file that only exists during startup, and is then deleted – see next sentence). After that, the temporarily file could be deleted by another startup entry. I think race conditions like this could be an interesting development in the future.<\/p>\n\n\n\n Finally, one more entry to look at:<\/p>\n\n\n\n The default value is 10000 ms. The max value is 3600000 ms. When changed, it affects how long the OS will wait for the ‘standard’ startup entries to execute. Many optimizing guides suggest changes to this registry entry (making it 0 removes all the delays).<\/p>\n","protected":false},"excerpt":{"rendered":" Today’s entry is not about new persistence mechanism, but about a few relatively less known mechanisms that are involved in the Windows startup on newer versions of the OS, and are primarily involved during the user log on process. Newer … Continue reading ![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/02\/startup1.png\")
<\/a><\/figure>\n\n\n\n<\/a><\/figure>\n\n\n\n