On the heels of my last blog post on this topic, I had a couple of thoughts and insights that I wanted to research a bit, and then address. I wanted to take a look at ways that the StartupApproved\Run key might be impacted, so I started by grabbing the contents of that key based on what we saw from the previous post, which are illustrated in figure 1.
Fig 1: StartupApproved\Run key contents
Then, I captured the contents of the Run key, illustrated in figure 2.
Fig 2: Run key contents
As you can see in figure 2, there appears to be an entry missing, the "com.squirrel.Teams.Teams" value. We know from the previous blog post that this value was disabled on 14 Jul 2021, just over a year ago. I have no idea how that happened, as it wasn't part of an intentional test at the time, and was just a matter of me not wanting Teams to launch every time I logged in.
As part of this research effort, I deleted the OneDrive value from the Run key (see figure 2 above) via RegEdit, and rebooted the system. When I re-opened RegEdit and navigated to the Run key in my user hive, I confirmed that the OneDrive value was no longer in the Run key. However, when I navigated to the corresponding StartupApproved\Run key, I found that the corresponding OneDrive value was still present, exactly as illustrated in figure 1. From this, then, it appears that if you delete a value from the Run key via RegEdit, the matching entry is not removed from the corresponding StartupApproved\Run key.
For step 2 in this experiment, I added a value to the Run key via RegEdit; I created a new string value, named it "Calc", and then added the path, "C:\Windows\system32\calc.exe". I rebooted the system, logged in, and the calculator opened on my desktop...but there was no "Calc" value in the corresponding StartupApproved\Run key!
I then removed the Calc value via RegEdit, and then typed the following command:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Calc /t REG_SZ /d C:\windows\system32\calc.exe /f
After ensuring that the command succeeded, I looked at the contents of the Run key via RegEdit and could see the new value. However, I could not see a corresponding value in the StartupApproved\Run key!
Finally, after having removed the "calc" value from the Run key, I added it back via RegEdit, and then opened the Task Manager Startup Tab to see the "Windows Calculator" value. I then disabled the value via the Startup Tab, and verified that a "calc" value was added to the StartupApproved\Run key, as illustrated in figure 3.
Fig. 3: StartupApproved\Run key after disabling Calc value
So, the question becomes, how do entries make it into the StartupApproved\Run key? If neither RegEdit nor reg.exe, when used to add a value to the Run key, leads to a corresponding value being added to the StartupApproved\Run key (say, by the operating system), then how are those values added? Looking back at figure 1, all of the entries in the StartupApproved\Run key were for applications that were added via an installation process, such as an MSI or a setup.exe file. Maybe this is what needs to be better understood and addressed about these keys.
3 comments:
I know this is a few years old, but I stumbled across this post looking for more information about the StartupApproved registry key, which I only just learned about.
From my own testing (in Windows 10 at least) it seems that manually adding an entry to the Run key doesn't automatically add the entry to the StartupApproved\Run key. If there is no entry in StartupApproved\Run, then it is assumed that the entry in Run is enabled and will auto-start.
When opening task manager and going to the startup tab, or using the Settings app, all of the values missing from the StartupApproved\Run key appear to be added automatically from the Run keys with a 02 (enabled) setting.
When disabling or enabling an entry from Task Manager or Settings app the existing value for the entry in StartupApproved\Run is updated.
My testing was as follows (All registry keys below are assumed under HKCU\Software\Microsoft\Windows\CurrentVersion, but work the same under HKLM\Software\Microsoft\Windows\CurrentVersion and probably also the same for Run32 and Startup subkeys of StartupApproved but I haven't tested those):
1. Add entry to Run key
2. Check StartupApproved\Run - entry is not present
3. Open Task Manager and view Startup tab, item is listed as enabled.
4. Checked the StartupApproved\Run key - entry is now present with a 02 value
5. Used Task Manager to disable the entry.
6. StartupApproved\Run key - entry now has a data value of 03.
7. Deleted entry from StartupApproved\Run
8. Relaunched Task Manager and checked under Startup tab, entry was still present and now listed as Enabled again.
9. Checked StartupApproved\Run key, entry is back with a 02 data value.
10. Deleted entry from Run key via regedit
11. Relaunched Task Manager - Item is no longer displayed in list.
12. Checked StartupApproved\Run - item is still present with a 02 data value.
13. Changed entry in StartupApproved\Run from 02 to 03.
14. Re-added entry to Run key.
15. Relaunched Task Manager and the entry is back and set to Disabled.
So it seems that the "StartupApproved" key is really only updated when using a GUI utility (Task Manager or Settings app) to manage startup items and the default value for items that are in Run but not already in StartupApproved is to be enabled. Removing an entry from the Run key does not remove or change the status of the entry in StartupApproved\Run and is a way to manage enabling/disabling startup entries without actually deleting them. Obviously, deleting an entry from the Run key will "disable" it by removing it from the startup list, but then it has to be re-added with the correct path and everything in order to re-enable it.
And I just saw the next blog post about this where you had all of this info and more already figured out! Sorry!
First off, thanks for commenting...
> So it seems that the "StartupApproved" key is really only updated when using a GUI utility...
That's kind of the point. A threat actor can do something to add a value to the Run key, then manually add the necessary entry to a StartupApproved key value, disabling the entry. This could then be a "red herring" during an investigation.
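The experiments in the post (a value deleted from Run but left behind in StartupApproved\Run, a value added by hand to Run with no StartupApproved entry at all) and the commenter's observations about the 02 (enabled) and 03 (disabled) status bytes all come down to the same analyst task: read both keys and reconcile them, rather than trusting either one alone. The script below is an added example written for this page; it is not code from the post or from Windows. It assumes the StartupApproved\Run data layout is a 4-byte little-endian status followed by an 8-byte FILETIME recording when the entry was disabled (the post and comments only document the status byte, so the timestamp interpretation is an assumption), and it assumes the full key path under CurrentVersion is Explorer\StartupApproved\Run. The sample data is constructed to mirror the cases on the page; "ExampleApp" and "HandAdded" are hypothetical names.

```python
"""Reconcile Run values with StartupApproved\\Run status blobs (added example, not the post's code)."""
import struct
from datetime import datetime, timedelta, timezone

ENABLED, DISABLED = 0x02, 0x03            # status values reported in the comments above
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Aware datetime -> Windows FILETIME (100 ns ticks since 1601), integer math only."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def from_filetime(ft):
    """Windows FILETIME -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_startup_approved(blob):
    """Parse one StartupApproved value: 4-byte LE status + 8-byte FILETIME (assumed layout).
    A zero FILETIME is reported as no timestamp."""
    if len(blob) != 12:
        raise ValueError(f"expected 12 bytes, got {len(blob)}")
    status, ft = struct.unpack("<IQ", blob)
    return {"status": status, "timestamp": from_filetime(ft) if ft else None}


def correlate(run_values, approved_values):
    """Return {name: (classification, command, timestamp)} over the union of both keys.
    'enabled-implicit': Run value with no StartupApproved entry (the default the commenter observed).
    'orphan': StartupApproved entry whose Run value is gone (the OneDrive case in the post)."""
    out = {}
    for name, cmd in run_values.items():
        blob = approved_values.get(name)
        if blob is None:
            out[name] = ("enabled-implicit", cmd, None)
            continue
        p = parse_startup_approved(blob)
        label = {ENABLED: "enabled", DISABLED: "disabled"}.get(p["status"], f"unknown-0x{p['status']:02x}")
        out[name] = (label, cmd, p["timestamp"])
    for name, blob in approved_values.items():
        if name not in run_values:
            out[name] = ("orphan", None, parse_startup_approved(blob)["timestamp"])
    return out


# Constructed sample data modelled on the cases in the post and comments.
SAMPLE_RUN = {
    "Calc": r"C:\Windows\system32\calc.exe",                # disabled via Task Manager (figure 3)
    "ExampleApp": r"C:\Program Files\ExampleApp\app.exe",   # hypothetical installer-added app
    "HandAdded": r"C:\Tools\handadded.exe",                 # hypothetical value added via RegEdit only
}
SAMPLE_APPROVED = {
    "OneDrive": struct.pack("<IQ", ENABLED, 0),                                   # Run value deleted, entry remains
    "com.squirrel.Teams.Teams": struct.pack(
        "<IQ", DISABLED, to_filetime(datetime(2021, 7, 14, tzinfo=timezone.utc))),  # disabled 14 Jul 2021
    "Calc": struct.pack("<IQ", DISABLED, to_filetime(datetime(2022, 8, 1, tzinfo=timezone.utc))),  # constructed date
    "ExampleApp": struct.pack("<IQ", ENABLED, 0),
}


def read_live(hive=None):
    """Windows only: read the real keys from the user hive (winreg does not exist elsewhere)."""
    import winreg
    hive = hive or winreg.HKEY_CURRENT_USER
    base = r"Software\Microsoft\Windows\CurrentVersion"

    def dump(sub):
        vals, i = {}, 0
        with winreg.OpenKey(hive, base + "\\" + sub) as k:
            while True:
                try:
                    name, data, _ = winreg.EnumValue(k, i)
                except OSError:          # no more values
                    return vals
                vals[name] = data
                i += 1

    return correlate(dump("Run"), dump(r"Explorer\StartupApproved\Run"))  # assumed full path


def report(results=None):
    """Print a one-line-per-entry summary and return the underlying dict."""
    results = results if results is not None else correlate(SAMPLE_RUN, SAMPLE_APPROVED)
    for name, (label, cmd, ts) in sorted(results.items()):
        print(f"{label:17} {name:26} {cmd or '-':42} {ts.date() if ts else ''}")
    return results


if __name__ == "__main__":
    report()
```

The point of reviewing the union of both keys is that a Run value disabled through StartupApproved\Run is still a persistence artifact worth examining (the commenter's step 13 shows the 03 status can be written by hand, which is exactly the scenario the reply describes), and an orphaned StartupApproved entry is the only remaining trace of a Run value that has since been deleted; the timestamp, where present, gives the analyst a point on the timeline to pivot from.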