Hi Folks,
this weekend I've been involved in an interesting Windows forensic analysis process. There are lots of forensic analysis tools around (just ask Google to see a couple of them), but in some scenarios, for example when you don't want to shut down the machine, you might have trouble installing new security tools because some malware makes it impossible.
In these and other situations it is still useful to know where the auto-start locations are in Windows XP and Windows Vista (I don't know about Windows 7 yet, and on older Windows versions these locations might be different).
Reading different blogs, forums and some good books, I learned some interesting places to look for malware and viruses, and today I want to point out these places where the investigator should look. I don't think the following list is complete, but anyway... stay tuned for more updates.
Some useful variables to make the list shorter:
HKLM : HKEY_LOCAL_MACHINE
HKCU : HKEY_CURRENT_USER
HKCR : HKEY_CLASSES_ROOT
%windir% : The Windows directory. Can be C:\Windows or C:\WINNT or anything else, depending on the installation location, the OS and the customization of the OS!
%USERPROFILE% : Normally C:\Documents and Settings, depending on the installation location.
%ALLUSERSPROFILE% : Normally C:\Documents and Settings\All Users, depending on the installation location.
Registry locations:
1. HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
2. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
3. HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
4. HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
5. HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
6. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
7. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
8. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
9. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
10. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
11. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
12. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
13. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
14. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
15. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
16. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
17. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
18. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
19. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
20. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
21. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
22. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
23. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
24. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
25. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
26. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
27. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
28. HKLM\SOFTWARE\Classes\Protocols\Filter
29. HKLM\SOFTWARE\Classes\Protocols\Handler
30. HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
31. HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
32. HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
33. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
34. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
35. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
36. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
37. HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
38. HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
39. HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
40. HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
41. HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
42. HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
43. HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
44. HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
45. HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
46. HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
47. HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
48. HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
49. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
50. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
51. HKCU\Software\Microsoft\Ctf\LangBarAddin
52. HKLM\Software\Microsoft\Ctf\LangBarAddin
53. HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
54. HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
55. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
56. HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
57. HKLM\Software\Microsoft\Internet Explorer\Toolbar
58. HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
59. HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
60. HKCU\Software\Microsoft\Internet Explorer\Extensions
61. HKLM\Software\Microsoft\Internet Explorer\Extensions
62. HKLM\System\CurrentControlSet\Services
63. HKLM\System\CurrentControlSet\Services
64. HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
65. HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
66. HKLM\System\CurrentControlSet\Control\Session Manager\Execute
67. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
68. HKLM\Software\Microsoft\Command Processor\Autorun
69. HKCU\Software\Microsoft\Command Processor\Autorun
70. HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
71. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
72. HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
73. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
74. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
75. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
76. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
77. HKCU\Control Panel\Desktop\Scrnsave.exe
78. HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
79. HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
80. HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
81. HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
82. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
83. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
84. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
85. HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
86. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
87. HKCR\batfile\shell\open\command @="\"%1\" %*"
88. HKCR\comfile\shell\open\command @="\"%1\" %*"
89. HKCR\exefile\shell\open\command @="\"%1\" %*"
90. HKCR\htafile\Shell\Open\Command @="\"%1\" %*"
91. HKCR\piffile\shell\open\command @="\"%1\" %*"
92. HKLM\Software\Classes\batfile\shell\open\command
93. HKLM\Software\Classes\comfile\shell\open\command
94. HKLM\Software\Classes\exefile\shell\open\command
95. HKLM\Software\Classes\htafile\shell\open\command
96. HKLM\Software\Classes\piffile\shell\open\command
97. HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
98. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
99. HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping
100. HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
101. HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
102. HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
103. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\Application
104. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\Application
105. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\Application
106. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\Application
107. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\Application
108. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\Application
109. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\Application
110. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\ProgID
111. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\ProgID
112. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\ProgID
113. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\ProgID
114. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\ProgID
115. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\ProgID
116. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\ProgID
117. HKLM\Software\CLASSES\batfile\shell\open\command @="\"%1\" %*"
118. HKLM\Software\CLASSES\comfile\shell\open\command @="\"%1\" %*"
119. HKLM\Software\CLASSES\exefile\shell\open\command @="\"%1\" %*"
120. HKLM\Software\CLASSES\htafile\Shell\Open\Command @="\"%1\" %*"
121. HKLM\Software\CLASSES\piffile\shell\open\command @="\"%1\" %*"
122. HKCR\vbsfile\shell\open\command
123. HKCR\vbefile\shell\open\command
124. HKCR\jsfile\shell\open\command
125. HKCR\jsefile\shell\open\command
126. HKCR\wshfile\shell\open\command
127. HKCR\wsffile\shell\open\command
128. HKCR\scrfile\shell\open\command
129. HKLM\Software\Microsoft\Active Setup\Installed Components\KeyName\StubPath=C:\PathToFile\Filename.exe
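Since the scenario above is a live machine where nothing new can be installed, one practical approach is to dump the hives with the built-in `reg export` and parse the .reg file offline. The following is an added example, not code from the original post: a small .reg parser that pulls every value under a few of the keys listed above and checks that the exefile open command still has the `"%1" %*` value items 70 and 89 expect. The key set and the sample export are constructed here for illustration.

```python
import re
# A few of the post's auto-start keys, written the way reg.exe exports them (full hive names).
AUTOSTART_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
}
EXPECTED_EXEFILE_CMD = '"%1" %*'   # what items 70/89 above expect for exefile
# Constructed sample of `reg export` output (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"updater"="C:\\Documents and Settings\\All Users\\Application Data\\svch0st.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\WINDOWS\\loader.exe\" \"%1\" %*"
'''

def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}; REG_SZ is unescaped, hex:/dword: kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:             # hex continuation lines carry no "=" and are skipped
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # \" -> "  and  \\ -> \
            keys[current][name] = data
    return keys

def find_autostart_entries(text):
    """Every (key, value_name, data) under a watched key, matched case-insensitively."""
    watched = {k.lower() for k in AUTOSTART_KEYS}
    return [(key, name, data) for key, values in parse_reg_export(text).items()
            if key.lower() in watched for name, data in values.items()]

def exefile_hijacked(text):
    """True when exefile's (Default) open command no longer equals "%1" %*."""
    for key, name, data in find_autostart_entries(text):
        if key.lower().endswith(r"\exefile\shell\open\command") and name == "(Default)":
            return data != EXPECTED_EXEFILE_CMD
    return False
```

On the live box, `reg export HKLM\SOFTWARE hklm_software.reg` writes the file as UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text to `find_autostart_entries`.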
Folder locations:
1. %ALLUSERSPROFILE%\Start Menu\Programs\Startup
2. %USERPROFILE%\Start Menu\Programs\Startup
3. %windir%\Tasks
4. %windir%\System32\Tasks - Windows Vista
5. %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
6. %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup