Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.

Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.

The following run keys are created by default on Windows systems:

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx key is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: `reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evildll"`

The following Registry keys can be used to set startup folder items for persistence:

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
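The following PowerShell audit script is an added example and is not part of the original page or of the ATT&CK technique description it reproduces. It enumerates the locations named above from a defender's side: the four default run keys, the numbered RunOnceEx subkeys (including any "Depend" subkeys holding DLLs), both startup folders, and the Shell Folders / User Shell Folders values that can redirect the startup folders themselves. Entries are flagged as suspicious when they point into directories such as Temp, Public or Downloads, or when a Startup shell-folder value no longer ends in the standard path; those triage patterns are an assumption of this example, not a rule stated on the page. The function names (`Get-RunKeyEntries`, `Get-StartupFolderEntries`, `Get-ShellFolderRedirects`, `Test-SuspiciousPath`) are hypothetical. Read-only; run from an elevated prompt to see the HKLM values.

```powershell
# Added example (not from the original page): read-only audit of the
# run keys, RunOnceEx, startup folders and startup shell-folder redirects.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Absent by default on Vista and newer; entries sit in numbered subkeys,
# and a "Depend" subkey beneath them lists DLLs to load at logon.
$RunOnceEx = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'

# Values under these keys define where Explorer looks for the Startup folders.
$ShellFolderKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
)

# Assumption for triage: installed software rarely autostarts from these directories.
$SuspiciousPattern = '\\(Temp|Public|Downloads)\\'

function Test-SuspiciousPath {
    param([string]$Path)
    return [bool]($Path -imatch $SuspiciousPattern)
}

function Get-RunKeyEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
            [pscustomobject]@{
                Source     = $key
                Name       = $p.Name
                Command    = [string]$p.Value
                Suspicious = Test-SuspiciousPath ([string]$p.Value)
            }
        }
    }
    if (Test-Path $RunOnceEx) {
        # Walk every numbered subkey and any Depend subkey beneath it.
        Get-ChildItem -Path $RunOnceEx -Recurse | ForEach-Object {
            $sub = $_
            foreach ($name in $sub.GetValueNames()) {
                $val = [string]$sub.GetValue($name)
                [pscustomobject]@{
                    Source     = $sub.PSPath -replace '^.*::', ''
                    Name       = $name
                    Command    = $val
                    Suspicious = Test-SuspiciousPath $val
                }
            }
        }
    }
}

function Get-StartupFolderEntries {
    $folders = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f -File -Force | ForEach-Object {
            [pscustomobject]@{
                Source     = $f
                Name       = $_.Name
                Command    = $_.FullName
                # A bare executable or script dropped directly in the folder merits a look.
                Suspicious = ($_.Extension -in '.exe', '.dll', '.vbs', '.js', '.bat', '.cmd', '.ps1')
            }
        }
    }
}

function Get-ShellFolderRedirects {
    # A Startup value that no longer ends in the standard path means the
    # startup folder itself has been redirected somewhere else.
    foreach ($key in $ShellFolderKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notin 'Startup', 'Common Startup') { continue }
            [pscustomobject]@{
                Source     = $key
                Name       = $p.Name
                Command    = [string]$p.Value
                Suspicious = ([string]$p.Value -notmatch 'Start Menu\\Programs\\Startup$')
            }
        }
    }
}

$all = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-ShellFolderRedirects)
$all | Sort-Object Suspicious -Descending | Format-Table Suspicious, Source, Name, Command -AutoSize
```

Flagged rows are a starting point for review rather than a verdict: compare each command against the installed software inventory, and treat a redirected Startup shell-folder value or a RunOnceEx Depend entry as high priority, since neither appears on a default system.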