Hackers can gain access to the Windows Registry and manipulate user passwords, DNS settings, access rights or other features that they may need in order to accomplish their objectives. One simple method for loading an application at startup is to add an entry (a value under a key) in the following Registry location:
Explanation: Refer to EC-Council study material page 1371
Some of the Windows AutoStart registry keys targeted by malicious programs are discussed below:
▪ Run/RunOnce Keys
Malware often adds values under the following registry keys so that it is launched again every time the user logs in. Each value name is arbitrary; the value data is the command line to run. Entries under RunOnce are deleted by Windows before the command executes, so they run only once. The HKEY_CURRENT_USER keys affect only the current user and can be written without administrative rights:
o HKEY_CURRENT_USER∖Software∖Microsoft∖Windows∖CurrentVersion∖Run
o HKEY_CURRENT_USER∖Software∖Microsoft∖Windows∖CurrentVersion∖RunOnce
A malicious program with administrative rights can also modify the following system-wide keys, which apply to every user who logs on:
o HKEY_LOCAL_MACHINE∖SOFTWARE∖Microsoft∖Windows∖CurrentVersion∖Run
o HKEY_LOCAL_MACHINE∖SOFTWARE∖Microsoft∖Windows∖CurrentVersion∖RunOnce
o HKEY_LOCAL_MACHINE∖Software∖Microsoft∖Windows∖CurrentVersion∖Policies∖Explorer∖Run
On 64-bit Windows, writes to these HKEY_LOCAL_MACHINE keys by 32-bit programs are redirected under SOFTWARE∖Wow6432Node∖Microsoft∖Windows∖CurrentVersion, which is a separate location an investigator must check as well.
▪ Startup Keys
Malware authors also drop a malicious executable, or a shortcut (.lnk) pointing to it, into the Startup folder of the compromised system. Windows does not hard-code that folder: Explorer reads its path from the Startup and Common Startup values under the Shell Folders and User Shell Folders keys listed below and launches everything found there at each interactive logon (not at boot; nothing in a Startup folder runs until a user logs on). Because the path itself lives in the registry, an attacker can also redirect one of these values to a folder of their choosing, so both the folder contents and the value data deserve inspection.
These startup locations are found both at the user level and system level:
o HKEY_LOCAL_MACHINE∖SOFTWARE∖Microsoft∖Windows∖CurrentVersion∖Explorer∖Shell Folders, Common Startup
o HKEY_LOCAL_MACHINE∖SOFTWARE∖Microsoft∖Windows∖CurrentVersion∖Explorer∖User Shell Folders, Common Startup
o HKEY_CURRENT_USER∖SOFTWARE∖Microsoft∖Windows∖CurrentVersion∖Explorer∖Shell Folders, Startup
o HKEY_CURRENT_USER∖SOFTWARE∖Microsoft∖Windows∖CurrentVersion∖Explorer∖User Shell Folders, Startup
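The following PowerShell script is an added example, not part of the EC-Council material, that turns both lists above (the Run/RunOnce keys and the Startup folder keys) into a single review. It enumerates every value under the Run/RunOnce keys, resolves the Startup folders from the Shell Folders / User Shell Folders values rather than assuming their paths, follows .lnk shortcuts to their targets, and reports whether each launched executable carries a valid Authenticode signature. The Signature column and the crude command-line parsing are this example's own additions; the Wow6432Node keys are deliberately left out to mirror the list on the page.

```powershell
# Added example: enumerate the Windows autostart locations discussed above.
# Run as the user whose HKCU hive should be inspected; reading some HKLM
# values and resolving targets in system folders may require elevation.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Key/value pairs that tell Explorer where the Startup folders live.
$startupKeys = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders';      Value = 'Common Startup' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; Value = 'Common Startup' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders';      Value = 'Startup' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'; Value = 'Startup' }
)

# Properties that Get-ItemProperty adds itself and that are not registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            [PSCustomObject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-StartupFolderEntries {
    $shell = New-Object -ComObject WScript.Shell   # resolves .lnk targets
    foreach ($k in $startupKeys) {
        if (-not (Test-Path $k.Path)) { continue }
        $raw = (Get-ItemProperty -Path $k.Path -ErrorAction SilentlyContinue).($k.Value)
        if (-not $raw) { continue }
        # User Shell Folders holds REG_EXPAND_SZ data such as %USERPROFILE%\...
        $folder = [Environment]::ExpandEnvironmentVariables($raw)
        if (-not (Test-Path $folder)) { continue }
        # -Force also lists hidden files, a common trick for dropped payloads.
        foreach ($item in Get-ChildItem -Path $folder -File -Force) {
            $target = $item.FullName
            if ($item.Extension -ieq '.lnk') {
                $target = $shell.CreateShortcut($item.FullName).TargetPath
            }
            [PSCustomObject]@{ Source = "$($k.Path) [$($k.Value)]"; Name = $item.Name; Command = $target }
        }
    }
}

# Pull the executable out of a command line (quoted path or first token).
# This is a simplification for the example; real parsing is messier.
function Get-ExecutableFromCommand([string]$cmd) {
    $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

$entries = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries)

$entries | ForEach-Object {
    $exe = Get-ExecutableFromCommand $_.Command
    $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-AuthenticodeSignature -FilePath $exe).Status
    } else {
        'FileMissing'
    }
    $_ | Add-Member -NotePropertyName Signature -NotePropertyValue $sig -PassThru
} | Format-Table Source, Name, Command, Signature -AutoSize -Wrap
```

Entries whose Signature is NotSigned, HashMismatch or FileMissing, or whose Command points into a user-writable location such as %APPDATA% or %TEMP%, are the ones to pull for closer analysis. A Startup folder value under User Shell Folders that does not expand to the usual Start Menu\Programs\Startup path is itself a finding, independent of what the folder contains.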