Get a Load of the W2K Run line!

From: Andrew Aronoff (ntbugtraq.subAARONOFF.COM)
Date: Mon Aug 02 2004 - 10:59:28 CDT


Hello,

I've posted already about the myriad ways to launch programs at
Windows startup (see NTBugTraq May 12, 2004, "Silent Runners VBS
script available") and the "feature" that allows a program listed as a
value in *any* subkey of 6 major registry startup keys to launch under
W2K SP4 (see NTBugTraq May 27, 2004, "Submerged Subkeys in W2K").

Another W2K SP4 "feature" has recently been discovered at the
following two registry locations:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

Examine the following three values and guess which of them will launch
c:\winnt\malware.exe at the above locations under W2K SP4:

c:\winnt\notepad.exeXc:\winnt\malware.exe
this_cannot_work\winnt\malware.exe
c:\winnt\notepad.exe, malware.exe

Time's up. All three!

In this case, W2K appears to parse the value backwards -- MALWARE.EXE
is launched as soon as \winnt\malware.exe is found in the tail of the
string. The remainder of the string provokes an error. NT4 & WXP do
not share this idiosyncrasy. W2K also launches any bare executable
located in the Windows or System32 directories if it's delimited by a
space or a comma; so do NT4 and WXP.

W2K, then, manages to start up almost _anything_ -- a very mixed
blessing.

regards, Andy

P.S.: To identify every program that starts up with Windows, download
"Silent Runners.vbs" at www.silentrunners.org
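As an added illustration, not part of Andy's post or of Silent Runners, here is a small Python audit of the two HKCU load/run values described above. It extracts every executable-looking piece of a value (the tail file name is what W2K ends up running), then flags the patterns the post demonstrates: several executables in one value, executables glued together without a space or comma, a path with no drive or UNC prefix, and a bare name that would be resolved from Windows/System32. The extensions other than .exe and the flagging heuristics are my assumptions; the sample strings are the three from the post plus one benign value.

```python
import re
WINDOWS_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"  # under HKCU, as in the post
VALUE_NAMES = ("load", "run")
# Quoted path, or any run of non-delimiter chars, ending in an executable extension
# (the post names only .exe; the other extensions are an assumption).
EXT = r"\.(?:exe|com|bat|cmd|scr)"
EXE_RE = re.compile(r'"[^"]*%s"|[^\s,]+?%s' % (EXT, EXT), re.IGNORECASE)
DRIVE_RE = re.compile(r"^(?:[a-z]:\\|\\\\)", re.IGNORECASE)  # drive letter or UNC prefix

def _tokens(value):
    """(start, end, token) for every executable-looking piece of VALUE."""
    return [(m.start(), m.end(), m.group(0).strip('"')) for m in EXE_RE.finditer(value)]

def launch_candidates(value):
    """Tail file name of each executable token: what the post observed W2K launching."""
    return [tok.rsplit("\\", 1)[-1].lower() for _, _, tok in _tokens(value)]

def audit_value(value):
    """Classify one load/run value. Returns (suspicious, reasons, candidates)."""
    toks, reasons = _tokens(value), []
    if len(toks) > 1:
        reasons.append("more than one executable in a single value")
    if any(cur[0] == prev[1] for prev, cur in zip(toks, toks[1:])):
        reasons.append("executables concatenated without a space or comma")
    for i, (_, _, tok) in enumerate(toks):
        if "\\" in tok and not DRIVE_RE.match(tok):
            reasons.append("path has no drive or UNC prefix: " + tok)
        elif "\\" not in tok and i > 0:
            reasons.append("bare name resolved from Windows/System32: " + tok)
    return bool(reasons), reasons, launch_candidates(value)

def audit_current_user():
    """On Windows, audit the live HKCU values; elsewhere return [] (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return []
    findings = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, WINDOWS_KEY) as key:
        for name in VALUE_NAMES:
            try:
                data, _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                continue  # value not present
            findings.append((name, data) + audit_value(str(data)))
    return findings

if __name__ == "__main__":  # constructed sample string taken from the post
    print(audit_value(r"c:\winnt\notepad.exeXc:\winnt\malware.exe"))
    print(audit_current_user())
```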
