Results 1 to 6 of 6

Thread: Windows XP Startup locations

  1. #1

    Windows XP Startup locations

    Windows XP Startup locations

    I checked out Malware: Fighting Malicious Code and found it's section on starting backdoors automatically. I checked out its list of folders, files, and registry entries and I felt it would be a good idea to post it here, and see if anyone else knows of other locations a startup entry could be entered into. I think BHO's should be included in this list, but I'm not sure. So please, add directories or registry paths that can be exploited if you know of them. I plan on making a tool that will check them for changes. If it works good enough, I might post the source here. I just felt this would be valuable against viruses and hijacks, as well.

    Autostart folders

    Documents and settings\user\start menu\programs\startup
    C:\windows\win.ini
    c:\windows\system.ini
    c:\windows\Wininit.ini
    c:\Winstart.bat
    c:\Autoexec.bat
    c:\config.sys


    Registry

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ RunServicesOnce
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ RunServices
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ RunOnce
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ RunOnceEX
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ Winlogon\Userinit
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ ShellServiceObjectDelayLoad
    HKLM\SOFTWARE\Microsoft\Windows\System\Scripts
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ Policies\Explorer\Run
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ RunServicesonce
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ RunServices
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ RunOnce
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ RunOnceEx
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ Policies\Explorer\Run
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Windows\Run
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Windows\Load
    HKCU\SOFTWARE\Policies\Microsoft\Windows\System\ Scripts
    HKCU\Exefiles\Shell\Open\Command


    Task Scheduler

    ------------------------------


    Again, please add any that aren't listed. Im about to google for more, I'll add them as I find them.

  2. #2
    Clearly the author of that book is not very familiar with 9x C:\Documents and Settings\All Users\Start Menu\Programs\Startup.... sure but in 9x it goes a little more like C:\Windows\Start Menu\Programs\Startup

    What about ICQ? [HKEY_LOCAL_MACHINE] SOFTWARE\Mirabilis\ICQ\Agent\Apps\

  3. #3
    Does that start with the box? Or only with ICQ...

    I think I am going to extend the list with popular software as well. Might get pretty long :/

  4. #4
    No I just remember that you could make ICQ open files like that. You can also change file associations VIA: the registry & I think you can even have all kinds of files hooked to open with specific files not just file types. You can also modify shortcuts but thats not really much of a startup method but really you can reverse then inject, modify, & just generally trojanise virtually anything you want and then claim it as some type of execution/startup method.

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    <Cough>

    Clearly the author of that book is not very familiar with 9x
    The title of the thread is "Windows XP Startup Locations" and I'm pretty sure that Ed Skoudis could give you a little tour of Win9x anytime you like if you ask him nicely.....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    I think you might also need to include
    HKLM\system\currentcontrolset
    This is where the starting of services and drivers are managed.
    \"America is the only country that went from barbarism to decadence without civilization in between.\"
    \"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
    Oscar Wilde(1854-1900)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •