Mastering Reverse Engineering

Load and Run values

The following registry values, under their respective registry key, trigger execution when the user who owns that HKEY_CURRENT_USER hive logs in. Note that the Run value here lives under the Windows NT\CurrentVersion\Windows key and is separate from the better-known HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    • Load = <file path>
    • Run = <file path>

BootExecute value

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSetXXX\Control\Session Manager
    • XXX in ControlSetXXX is a three-digit number, usually ControlSet001, ControlSet002, or ControlSet003. CurrentControlSet is a link to whichever of these is active, so check every control set when hunting for persistence, not only the current one.
    • BootExecute = <file path>
      • The default value of BootExecute is autocheck autochk *
      • BootExecute is a REG_MULTI_SZ list that the Session Manager (smss.exe) runs before the Win32 subsystem starts. Each entry must therefore be a native NT executable located in the system32 directory, which limits what malware can place here but also means anything extra in this list runs very early and with SYSTEM privileges.

Winlogon key

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • The programs named under this registry key are executed during Windows logon
    • Userinit = <comma-separated list of file paths>
      • The default value of Userinit is C:\Windows\system32\userinit.exe, (the trailing comma is part of the default). Winlogon runs every entry in the list, so malware persists by appending its own path after the comma rather than replacing userinit.exe, which would break the logon.
    • Notify\<package name> subkey with DLLName = <dll file path>
      • Notify is not set by default. It is a subkey rather than a single value: each notification package is a subkey of Notify whose DLLName value names a dynamic link library that Winlogon loads. These packages are only honored on Windows XP and Windows Server 2003; Windows Vista and later ignore them.
    • Shell = <exe file path>
      • The default value of Shell is explorer.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • Shell = <exe file path>
      • Not set by default. When present, it replaces the shell for that user only, so any value here is worth inspecting.

Policy scripts keys

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown\0\N
    • The first 0 is the index of the policy object and N is the script index, starting from 0. Multiple scripts or executables can be run during the shutdown sequence.
    • Script = [file path of executable file or script]
    • Parameters = [command-line arguments passed to Script]
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\N
    • N is the script index, starting from 0. Multiple scripts or executables can be run during the startup sequence, before any user logs on and with SYSTEM privileges.
    • Script = [file path of executable file or script]
    • Parameters = [command-line arguments passed to Script]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon\0\N
    • N is the script index, starting from 0. Multiple scripts or executables can be run when the user logs on.
    • Script = [file path of executable file or script]
    • Parameters = [command-line arguments passed to Script]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff\0\N
    • N is the script index, starting from 0. Multiple scripts or executables can be run when the user logs off.
    • Script = [file path of executable file or script]
    • Parameters = [command-line arguments passed to Script]

AppInit_DLLs values

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    • AppInit_DLLs = [a list of DLLs]
      • The list of DLLs is delimited by commas or spaces, and every DLL in it is loaded into each process that loads user32.dll. Because a space is a delimiter, paths containing spaces cannot be used here.
    • LoadAppInit_DLLs = [1 or 0]
      • Here, 1 means enabled, and 0 means disabled
    • On 64-bit Windows, the same values under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows control 32-bit processes, so both keys must be checked. From Windows 8 onward, AppInit_DLLs is ignored entirely when Secure Boot is enabled, and RequireSignedAppInit_DLLs = 1 restricts loading to signed DLLs.
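The checks described in the Load and Run, BootExecute, Winlogon, policy scripts and AppInit_DLLs sections above, applied offline to a registry export, as an added example (this is not code from the book). It parses the text format that reg.exe produces (bracketed key headers, "name"=value lines, dword: and hex(7) multi-string bodies with backslash line continuations), decodes the UTF-16LE REG_MULTI_SZ that BootExecute uses, and reports every value that deviates from the documented default. The sample export and every path in it are constructed for the example; the key names and defaults are the ones listed above.

```python
import re

# Constructed sample export (hypothetical persistence entries). A real export
# from reg.exe is a UTF-16LE file with exactly this layout.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\Users\\Public\\loader.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\svc.exe,"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0\0]
"Script"="C:\\ProgramData\\gp\\start.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\hook.dll, C:\\Temp\\a.dll"
"LoadAppInit_DLLs"=dword:00000001
'''

AUTOCHECK = 'autocheck autochk *'
HKCU_WINDOWS = r'HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows'
HKLM_WINDOWS = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
DEFAULT_USERINIT = r'c:\windows\system32\userinit.exe'


def _unescape(s):
    # .reg escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _decode(raw):
    """Decode one value body: REG_SZ, REG_DWORD or REG_MULTI_SZ (hex(7))."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex(7):'):
        data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
        # UTF-16LE, each string NUL-terminated, list terminated by an empty string
        return [s for s in data.decode('utf-16-le').split('\x00') if s]
    return raw  # other types are left as their raw text


def parse_reg(text):
    """Return {key path: {value name: decoded value}} from a .reg export."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join the ",\" line continuations
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode(m.group(2))
    return keys


def check_persistence(keys):
    """Return (key, value name, note) for every entry that deviates from its default."""
    get = lambda key, name: keys.get(key, {}).get(name)
    findings = []
    for name in ('Load', 'Run'):  # empty by default
        if get(HKCU_WINDOWS, name):
            findings.append((HKCU_WINDOWS, name, f'set to {get(HKCU_WINDOWS, name)!r}'))
    for key, values in keys.items():  # every control set, not just the current one
        if key.lower().endswith(r'\control\session manager'):
            extra = [e for e in values.get('BootExecute', []) if e != AUTOCHECK]
            if extra:
                findings.append((key, 'BootExecute', f'extra entries {extra}'))
        if '\\group policy\\scripts\\' in key.lower() and values.get('Script'):
            findings.append((key, 'Script', f'policy script {values["Script"]!r}'))
    userinit = get(WINLOGON, 'Userinit') or ''
    extra = [e.strip() for e in userinit.split(',')
             if e.strip() and e.strip().lower() != DEFAULT_USERINIT]
    if extra:
        findings.append((WINLOGON, 'Userinit', f'extra entries {extra}'))
    shell = get(WINLOGON, 'Shell')
    if shell is not None and shell.lower() != 'explorer.exe':
        findings.append((WINLOGON, 'Shell', f'set to {shell!r}'))
    # AppInit_DLLs is comma- or space-delimited and only honoured when LoadAppInit_DLLs == 1
    dlls = [d for d in re.split(r'[,\s]+', get(HKLM_WINDOWS, 'AppInit_DLLs') or '') if d]
    if dlls:
        state = 'enabled' if get(HKLM_WINDOWS, 'LoadAppInit_DLLs') == 1 else 'disabled'
        findings.append((HKLM_WINDOWS, 'AppInit_DLLs', f'{dlls} (loading {state})'))
    return findings


if __name__ == '__main__':
    for key, name, note in check_persistence(parse_reg(SAMPLE_REG)):
        print(f'{key}\\{name}: {note}')
```

To run this against a real system, export the keys with reg export and read the file with encoding='utf-16' before passing it to parse_reg; the per-user keys must be exported from each loaded user hive, and the Session Manager check deliberately matches every ControlSetXXX rather than only CurrentControlSet.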

Services keys

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[Service Name]
    • This is where [Service Name] is the name of the service or driver
    • ImagePath = [exe or sys file path, optionally followed by arguments]
      • The binary that the Service Control Manager (for services) or the kernel loader (for drivers) loads. Services hosted in svchost.exe point ImagePath at svchost.exe and name the DLL that actually implements the service in the ServiceDll value of the Parameters subkey, so that value must be checked as well.
    • The service triggers depending on the value of Start:
      • 0 (SERVICE_BOOT_START: loaded by the boot loader before the kernel runs; drivers only)
      • 1 (SERVICE_SYSTEM_START: loaded during kernel initialization; drivers only)
      • 2 (SERVICE_AUTO_START: started by the Service Control Manager at boot)
      • 3 (SERVICE_DEMAND_START: started only on request, for example by a program calling StartService or by net start)
      • 4 (SERVICE_DISABLED: the service is never started)
    • The Type value distinguishes a kernel driver (1) or file system driver (2) from a Win32 service running in its own process (0x10) or in a shared process such as svchost.exe (0x20).
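A triage pass over service entries, as an added example (not the book's code): it takes the values of several Services\[Service Name] keys in the dict shape any hive parser can produce, decodes Start and Type as listed above, resolves the path spellings the loader accepts (%SystemRoot%, \SystemRoot, the \??\ prefix and paths relative to the system root), follows svchost-hosted services to their ServiceDll, and flags any binary that does not live under the system root. The four services and their paths are constructed for the example.

```python
import re

START_NAMES = {0: 'SERVICE_BOOT_START', 1: 'SERVICE_SYSTEM_START',
               2: 'SERVICE_AUTO_START', 3: 'SERVICE_DEMAND_START', 4: 'SERVICE_DISABLED'}
# Type values from winnt.h: 1 = kernel driver, 2 = file system driver,
# 0x10 = Win32 own process, 0x20 = Win32 shared process (svchost-style)
DRIVER_TYPES = {1, 2}

# Constructed sample: values of four hypothetical Services\<name> keys, with the
# Parameters subkey nested as a dict.
SAMPLE_SERVICES = {
    'wsvc': {'Type': 0x20, 'Start': 2,
             'ImagePath': r'%SystemRoot%\system32\svchost.exe -k netsvcs',
             'Parameters': {'ServiceDll': r'%SystemRoot%\system32\wsvc.dll'}},
    'updhelper': {'Type': 0x20, 'Start': 2,
                  'ImagePath': r'%SystemRoot%\system32\svchost.exe -k netsvcs',
                  'Parameters': {'ServiceDll': r'C:\ProgramData\upd\helper.dll'}},
    'ndisflt': {'Type': 1, 'Start': 0,
                'ImagePath': r'\SystemRoot\System32\drivers\ndisflt.sys'},
    'rmon': {'Type': 0x10, 'Start': 3, 'ImagePath': r'"C:\Users\Public\r mon.exe" -svc'},
}


def normalize_path(path, system_root=r'C:\Windows'):
    """Expand the spellings the SCM and the kernel loader accept for the system root."""
    p = path.strip()
    low = p.lower()
    if low.startswith('\\??\\'):            # NT object path prefix
        p = p[4:]
    elif low.startswith('%systemroot%'):
        p = system_root + p[len('%systemroot%'):]
    elif low.startswith('\\systemroot'):
        p = system_root + p[len('\\systemroot'):]
    elif not re.match(r'^[a-z]:\\', low):   # relative, e.g. system32\DRIVERS\x.sys
        p = system_root + '\\' + p
    return p


def image_executable(image_path):
    """Return the executable part of an ImagePath command line. A quoted path may
    contain spaces; an unquoted one is cut at the first space, which is exactly
    the ambiguity behind unquoted-service-path abuse."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(' ', 1)[0]


def triage_services(services, system_root=r'C:\Windows'):
    """Resolve what each service really loads and flag binaries outside the system root."""
    results = []
    for name, v in services.items():
        exe = normalize_path(image_executable(v['ImagePath']), system_root)
        binary = exe
        if exe.lower().endswith('\\svchost.exe'):
            # svchost is only a host; the code that runs is the ServiceDll
            dll = v.get('Parameters', {}).get('ServiceDll')
            if dll:
                binary = normalize_path(dll, system_root)
        results.append({
            'name': name,
            'kind': 'driver' if v.get('Type') in DRIVER_TYPES else 'service',
            'start': START_NAMES.get(v.get('Start'), f'unknown ({v.get("Start")})'),
            'binary': binary,
            'outside_system_root': not binary.lower().startswith(system_root.lower() + '\\'),
        })
    return results


if __name__ == '__main__':
    for r in triage_services(SAMPLE_SERVICES):
        flag = '  <-- outside system root' if r['outside_system_root'] else ''
        print(f"{r['name']:<10} {r['kind']:<7} {r['start']:<21} {r['binary']}{flag}")
```

A binary under the system root is not automatically clean, so treat the flag as a prioritisation hint: the next step for every entry is to hash the resolved file and check its signature.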

File associations

  • HKEY_CLASSES_ROOT\[File type or extension name]\shell\open\command, which is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\SOFTWARE\Classes (the per-user entry wins when both exist, so a user-level write is enough to hijack a type)
    • The (Default) registry value is the command line used to open files of that type. Windows replaces %1 with the file being opened and %* with any command-line arguments.
    • For executable files, the entry is HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command and its (Default) value is:
      • "%1" %*
    • Here %1 pertains to the executable being run as is, while %* pertains to its command-line arguments. Malware implements persistence by prepending its own executable. For example, the (Default) value is set to malware.exe "%1" %*. As a result, malware.exe runs every time any .EXE is launched and receives %1 (the executable being run) and %* as its arguments. malware.exe is then responsible for running %1 with its %*, so the user notices nothing. The batfile, cmdfile and comfile types use the same "%1" %* default and can be hijacked the same way.
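A check for the file association hijack just described, as an added example that is not code from the book. It tokenizes a shell\open\command (Default) value the way the command line is split (double-quoted tokens keep their spaces), finds the %1 placeholder, and reports whatever program has been inserted in front of it and whether %* still forwards the original arguments. For types whose default is just "%1" %* (exefile and friends) any launcher is a hijack; for other types the caller supplies the expected handler. The sample (Default) values and paths are constructed for the example.

```python
import re

# Constructed sample (Default) values for shell\open\command, keyed by ProgID.
# The paths are hypothetical.
SAMPLE_COMMANDS = {
    'exefile': '"%1" %*',
    'batfile': r'C:\Users\Public\mal.exe "%1" %*',
    'cmdfile': r'"C:\ProgramData\Tools\launch.exe" "%1"',
    'txtfile': r'%SystemRoot%\system32\NOTEPAD.EXE %1',
}
# ProgIDs whose default command is just "%1" %*: anything in front of %1 is a hijack.
SELF_EXECUTING = {'exefile', 'comfile', 'batfile', 'cmdfile'}


def split_command(cmd):
    """Tokenize a command line: double-quoted tokens may contain spaces."""
    return [t[1:-1] if len(t) > 1 and t[0] == t[-1] == '"' else t
            for t in re.findall(r'"[^"]*"|\S+', cmd)]


def analyze_open_command(cmd, expected_launcher=None):
    """Describe who runs first when a file of this type is opened.

    expected_launcher is the program the type should be opened with (None for
    self-executing types). The result says whether an unexpected program sits
    before %1 and whether the original arguments (%*) still reach it."""
    tokens = split_command(cmd)
    if '%1' not in tokens:
        return {'hijacked': True, 'launcher': tokens[0] if tokens else None,
                'passes_args': False,
                'note': 'no %1 placeholder: the opened file itself never runs'}
    i = tokens.index('%1')
    launcher = tokens[0] if i > 0 else None
    unexpected = launcher is not None and (
        expected_launcher is None or launcher.lower() != expected_launcher.lower())
    return {'hijacked': unexpected, 'launcher': launcher,
            'passes_args': '%*' in tokens[i + 1:], 'note': ''}


def scan_commands(commands, handlers=None):
    """Assess a {progid: command} map. Self-executing types need no handler; other
    types are only assessed when handlers names their expected launcher."""
    handlers = handlers or {}
    out = {}
    for pid, cmd in commands.items():
        if pid in SELF_EXECUTING:
            out[pid] = analyze_open_command(cmd)
        elif pid in handlers:
            out[pid] = analyze_open_command(cmd, handlers[pid])
    return out


if __name__ == '__main__':
    known = {'txtfile': r'%SystemRoot%\system32\NOTEPAD.EXE'}
    for pid, r in scan_commands(SAMPLE_COMMANDS, known).items():
        print(f"{pid:<8} hijacked={str(r['hijacked']):<5} launcher={r['launcher']} "
              f"passes_args={r['passes_args']} {r['note']}")
```

When the value comes from a .reg export the quotes are escaped (@="\"%1\" %*"), so unescape it first; when read live with reg query or the registry API the string arrives exactly as analyze_open_command expects it. A hijacked entry that drops %* is a useful tell on its own, because the original program then silently loses its arguments.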