Friday, April 08, 2005

Interesting stuff on Windows

I was working on a spreadsheet containing information about Registry AutoStart locations last night and ran across something pretty interesting that I thought I'd pass along...

One of the AutoStart locations used by malware is:


On a live system, this also maps to the HKEY_CLASSES_ROOT hive...


This entry specifies the command to be launched when an exefile (a file ending with the .exe extension) is run. The Default value for this key is "%1" %*. Some malware writes to this entry, ensuring that the malware is launched whenever an executable is run.

*Note: This same sort of thing applies to other types of executable files, such as cmdfile, comfile, scrfile, piffile, and batfile.

I wanted to see what else could be done via these sorts of keys, so I navigated to:


I right-clicked on the Default value and chose Modify. The default entry is cmd.exe /k "cd %L", and I added && notepad.exe to the command, and clicked "OK". I then opened My Computer, right-clicked on the C:\ drive, and chose "Open Command Prompt here..." from the context menu. A command prompt AND Notepad opened!

So this adds yet another entry to one of the three classes of AutoStart locations (i.e., System boot, User login, User activity). I haven't seen anything on the Internet (yet) about locations like this being used by malware or malicious users, but it does go to show what could be done.
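One way to check the handlers discussed above without touching a live system is to parse a "reg export" of the Classes hive and compare each command key's (Default) data against the expected default. The script below is an added example, not code from the original post; it assumes the exported .reg file format, embeds a constructed sample export (two clean handlers, two modified ones), and uses an expected-value table built from the defaults the post names plus the XP default for scrfile.

```python
"""Audit shell\\open\\command handlers from an exported registry file.

Assumed workflow (not from the original post): on the host under review run
  reg export HKLM\\Software\\Classes classes_hklm.reg
and the same for HKCU\\Software\\Classes, then run this script against the
exported text. The SAMPLE_REG below is constructed data for a stand-alone run.
"""
import re

# Expected (Default) data for the handlers the post discusses.
EXPECTED = {
    r"exefile\shell\open\command": '"%1" %*',
    r"comfile\shell\open\command": '"%1" %*',
    r"batfile\shell\open\command": '"%1" %*',
    r"cmdfile\shell\open\command": '"%1" %*',
    r"piffile\shell\open\command": '"%1" %*',
    r"scrfile\shell\open\command": '"%1" /S',   # XP default; confirm against your own baseline
    r"Drive\shell\cmd\command": 'cmd.exe /k "cd %L"',
}

# Constructed sample of a "reg export" file: batfile and scrfile are clean,
# exefile has a placeholder program prepended, Drive has "&& notepad.exe" appended.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command]
@="\"C:\\placeholder\\dropper.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_LOCAL_MACHINE\Software\Classes\Drive\shell\cmd\command]
@="cmd.exe /k \"cd %L\" && notepad.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_DEFAULT_RE = re.compile(r'^@="(.*)"\s*$')


def _unescape(value: str) -> str:
    """Undo the .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r'\\(["\\])', r"\1", value)


def parse_reg_defaults(text: str) -> dict:
    """Map each key path in a .reg export to its (Default) string value."""
    defaults, current = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _DEFAULT_RE.match(line)
        if m and current is not None:
            defaults[current] = _unescape(m.group(1))
    return defaults


def audit_handlers(text: str) -> list:
    """Return (handler, expected, actual) for every handler whose (Default)
    data deviates from the expected default. Keys are matched by suffix, so the
    same code works on HKLM\\Software\\Classes, HKCU\\Software\\Classes and HKCR exports."""
    findings = []
    for path, actual in parse_reg_defaults(text).items():
        for suffix, expected in EXPECTED.items():
            if path.lower().endswith(suffix.lower()) and actual != expected:
                findings.append((suffix, expected, actual))
    return findings


if __name__ == "__main__":
    for handler, expected, actual in audit_handlers(SAMPLE_REG):
        print(f"[!] {handler}\n    expected: {expected}\n    actual:   {actual}")
```

Export and audit both HKLM\Software\Classes and HKCU\Software\Classes: HKEY_CLASSES_ROOT is a merged view of the two, and a per-user entry under HKCU overrides the machine-wide one, so a clean HKLM key does not by itself mean the handler the user actually gets is clean.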


spencer said...

Interesting info.

I'm using a perl script I wrote which lists startup reg entries:

# Keys checked under HKEY_LOCAL_MACHINE
@LMKEY = ( "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" ,
"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" ,
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" ,
"SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts" );

# Single HKLM key whose values are all listed
$lmskey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad" ;

# Keys checked under HKEY_CURRENT_USER
@CUKEY = ( "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce" ,
"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run" ,
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Run" ,
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load" );

# Keys checked under HKEY_USERS (the .DEFAULT profile)
@UKEY = ( ".DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" ,
".DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce" );

and startup folders items in a html report.

Of course I'll add these keys.

What other keys should I add?

Have a nice day !

P.S. The script is not on the web now, but if anybody is interested

Keydet89 said...


For probably the most comprehensive list of autostart locations available online today, go to and check out AutoRuns.

I'm adding to a spreadsheet that I put together, consolidating this information and a wealth of other resources...I'm trying to verify some information, and add references for others. Once I get this completed, it's been suggested that I move it from an Excel spreadsheet into something more manageable/useful.



Anonymous said...

See also Silent Runners

spencer said...

Thanks anonymous, cool one.

Have a nice day !

spencer said...


In the original post you say:

"so I navigated to:


Do you have those keys by default or did you create them?

I don't have them (XP and 2k).

Have a nice day.

Keydet89 said...


I didn't see the key on my system at home, which was XP Home. I didn't try it on my XP Pro system.

Try this...go to HKLM\Software\Classes\Drive\shell

and see what subkeys you have; if you find '\cmd\command', then you should see a '(Default)' value with 'cmd.exe /k "cd %L"' as the data.


pri said...

I neither have that key in WXP Pro nor WXP Home, just HKCR\Drive\shell\command

In W2K I cannot find it either, the closest I get is:

Btw, I found that adding && notepad.exe to HKLM\Software\Classes\exefile\shell\open\command\ tries to add whatever is in notepad.exe to the registry every time regedit is opened. Playing a bit with it I found it was easy to add/delete whatever from the registry without confirmation. It could be used to delete stored keys when someone manually tries to search for something.

Btw, there's a nice list of startup items in this site: