{"id":9008,"date":"2023-12-29T21:57:39","date_gmt":"2023-12-29T21:57:39","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9008"},"modified":"2024-12-25T23:19:45","modified_gmt":"2024-12-25T23:19:45","slug":"1-little-known-secret-of-fsquirt-exe","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2023\/12\/29\/1-little-known-secret-of-fsquirt-exe\/","title":{"rendered":"1 little known secret of fsquirt.exe"},"content":{"rendered":"\n<p>The program in the title of this post is not very well-known. It&#8217;s being used for some random Bluetooth stuff that not too many PC users care about (okay, it&#8217;s a bit of a stretch, but I guess it&#8217;s really not very well-known).<\/p>\n\n\n\n<p>How do you make use of a binary no one cares about?<\/p>\n\n\n\n<p>When I first looked at <em>fsquirt.exe<\/em>&#8217;s command line arguments, I immediately thought of using it in my <em><a href=\"https:\/\/www.google.com\/search?q=&quot;Beyond+Good+Ol'+Run+key&quot;+site%3Ahexacorn.com\">Beyond Good Ol&#8217; Run key<\/a><\/em> series as it was really a perfect candidate &#8211; until I discovered that despite behaving in a predictable way, delivering what I needed it to, I could not write the new post in that series, because the intended trick simply didn&#8217;t work.<\/p>\n\n\n\n<p>I know it sounds dramatic, but this is the nature of research. 
<\/p>\n\n\n\n<p>I still wanted to make a triumph of the discovery though, so here we are&#8230;<\/p>\n\n\n\n<p>When you run <em>fsquirt.exe<\/em> with the <em>-Register<\/em> argument it will create a LNK file <em>c:\\Users\\&lt;user&gt;\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Bluetooth File Transfer.LNK<\/em> that will lead Explorer to add the following item under your <em>Send To<\/em> Explorer submenu:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/12\/fsquirt_1.png\"><img decoding=\"async\" loading=\"lazy\" width=\"491\" height=\"31\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/12\/fsquirt_1.png\" alt=\"\" class=\"wp-image-9009\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/12\/fsquirt_1.png 491w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2023\/12\/fsquirt_1-300x19.png 300w\" sizes=\"(max-width: 491px) 100vw, 491px\" \/><\/a><\/figure>\n\n\n\n<p>Running it with the <em>-UnRegister<\/em> argument will remove this entry.<\/p>\n\n\n\n<p>But here&#8217;s the secret&#8230;<\/p>\n\n\n\n<p>Run:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">c:\\windows\\System32\\fsquirt.exe -Register<\/pre>\n\n\n\n<p>To ensure that this LNK file is created:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">c:\\Users\\&lt;user&gt;\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Bluetooth File Transfer.LNK<\/pre>\n\n\n\n<p>Add a legitimate Run entry pointing to the LNK created in the last step:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">reg add \"hkcu\\software\\microsoft\\windows\\currentversion\\run\" \/v foo \/d \"c:\\Users\\&lt;user&gt;\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\Bluetooth File Transfer.LNK\"<\/pre>\n\n\n\n<p>Copy <em>c:\\windows\\System32\\fsquirt.exe<\/em> to a different folder, e.g. 
<em>c:\\test<\/em> by running a command like this:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">copy c:\\windows\\System32\\fsquirt.exe c:\\test<\/pre>\n\n\n\n<p>Re-register it to a different location:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">c:\\test\\fsquirt.exe  <em>-Register<\/em> <\/pre>\n\n\n\n<p>This will overwrite the LNK file above to point to <em>c:\\test\\fsquirt.exe<\/em>.<\/p>\n\n\n\n<p>Overwrite <em>c:\\test\\fsquirt.exe<\/em> with any executable of your choice &#8211; now you have an executable that will run any time the user logs on.<\/p>\n\n\n\n<p>It&#8217;s a classic bait and switch.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The program in the title of this post is not very well-known. It&#8217;s being used for some random Bluetooth stuff that not too many PC users care about (okay, it&#8217;s a bit of a stretch, but I guess it&#8217;s really &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2023\/12\/29\/1-little-known-secret-of-fsquirt-exe\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[126,56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9008"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9008"}],"version-history":[{"count":4,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9008\/revisions"}],"predecessor-version":[{"id":9017,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9008\/revisions\/9017"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9008"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9008"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9008"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}