The oddly named file will be sitting in your system32 folder, unless it has been removed by AV. If instead you see an entry such as the following in your BootExecute key, there are problems. By default the only entry in this string array is autocheck autochk * which runs Autochk during boot. Smss.exe will load any programs it finds listed here.
It calls the configuration manager subsystem to load the hives listed in the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\hivelistĪs far as locations in the registry where malicious processes or modules can be configured to launch from, the BootExecute key is the earliest.
REGISTRY KEY FOR STARTUP TIME WINDOWS
Since it loads before the Windows Subsystem has loaded, it can't use standard Windows API functions and uses native API calls instead. We look for the "few" by leveraging the "many".Īs a Windows computer powers up, the Session Manager (smss.exe) starts as the first user-mode process. We do this same process for files, network IPs, prefetch files, services, scheduled tasks, etc. Other tools that rely on "known indicators" will miss them too. We routinely see unusual DLLs that are part of a targeted attack and that endpoint AV is completely blind to. For example, below we see the DLLs loaded by svchost.exe, the shared service host. We take this data and analyze it in SQL and Excel which gives us the ability to identify the "low frequency" outliers. It is also designed to run on a regular basis (perhaps quarterly) as a means of quickly identifying abnormal behavior. Our assessment is designed to be very low impact on the thousands of computers in your enterprise on which it runs. We do this at Cylance as part of our compromise assessment collection script.
( ).įigure 1: Sysinternals Autoruns Utility Compromise AssessmentĪs I discuss each registry location, I will occasionally demonstrate native windows commands that can be scripted to gather information related to these registry persistence locations. The utility, called Autoruns, is freely available here. I won’t be covering each of these in this post.īefore getting started, Microsoft has a great utility available to inspect all (and more) of these registry keys. Note: Some of these keys are also reflected under HKLM\Software\wow6432node on systems running on a 64bit architecture and with a 64bit version of Windows.
REGISTRY KEY FOR STARTUP TIME MANUAL
The following list of registry keys are accessed during system start in order of their use by the different windows components: 1) HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute 2) HKLM\System\CurrentControlSet\Services (start value of 0 indicates kernel drivers, which load before kernel initiation) 3) HKLM\System\CurrentControlSet\Services (start value of 2, auto-start and 3, manual start via SCM) 4) HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce 5) HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce 6) HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices 7) HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices 8) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify 9) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit 10) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell 11) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell 12) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 13) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 14) HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx 15) HKLM\Software\Microsoft\Windows\CurrentVersion\Run 16) HKCU\Software\Microsoft\Windows\CurrentVersion\Run 17) HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 18) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 19) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 20) HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load 21) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows 22) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (XP, NT, W2k only) 23) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
The registry is accessed even before the NT kernel is loaded, so it is very important to understand what the computer is configured to load at startup. Registry Keys to Launch Persistent Services or Applications (in Load Order) The intention of this article is to present a list of registry keys that are used to persist services or applications in the order they are loaded by the operating system and then discuss some important ones. "It is only prudent never to place complete confidence in that by which we have even once been deceived." ― René DescartesĪnother method of persistence that has been around for a very long time is the use of what are collectively known as the "run keys" in the Windows registry.Īs stated in Part 1 of this blog series, the most common method up until this year has been the use of hosted services configured in the registry.
0 kommentar(er)
