
RUN SPYWARE IN WINDOWS REGISTRY

 By Chris Gudy
In Windows, the registry holds the configuration of both the system and user programs. Strictly speaking, almost every automatic-start method involves the registry, especially on 32-bit Windows. This section discusses the methods that depend only on the registry to start a program.

The most common sub-key for automatic starting is SOFTWARE\Microsoft\Windows\CurrentVersion, under which the operating system offers a group of autostart methods. Notably, this sub-key is found in both the HKEY_LOCAL_MACHINE hive and the HKEY_CURRENT_USER hive. In fact, every user of the system has a sub-key like this of their own; nevertheless, only the current user can view or manage it.

In addition, when Windows runs in multi-user mode, that is, on Windows 2000/XP or on 95/98/ME with user profiles enabled, this sub-key is also active in the HKEY_USERS\.Default hive. When Windows 95/98/ME runs in single-user mode, the HKEY_USERS\.Default sub-key is identical to HKEY_CURRENT_USER.

Now examine SOFTWARE\Microsoft\Windows\CurrentVersion. It has a number of sub-keys; those related to starting programs are listed below. To save space, HKLM stands for HKEY_LOCAL_MACHINE and HKCU for HKEY_CURRENT_USER.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: These programs start automatically when any user logs in. The key applies to all users of the computer.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce: The programs here start only once, when any user logs in, and the entries are removed after the Windows boot process finishes.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx: The programs here start only once, when any user logs in, and the entries are removed after the Windows boot process finishes. RunOnceEx also does not create a separate process, and it supports a dependency list of DLLs that remain loaded while all or some of the sections are being processed.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices: These programs start automatically while the system is loading, before the user logs in. The key is used for service applications such as anti-virus software and drivers. On Windows 2000/XP an administrator can disable it in favour of the other service startup mechanisms.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce: These programs start automatically, only once, as service applications while the system is loading, and the entries are deleted after the Windows boot process finishes.
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: The programs here start automatically when the current user logs in. The key applies only to the current user.
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce: The programs here start automatically, only once, when the current user logs in, and the entries are deleted after the Windows boot process finishes.
  • HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: The entries here are copied into HKCU\...\Run for every new user account.
  • HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce: The entries here are copied into HKCU\...\RunOnce for every new user account.

Before using any of them in a program, developers should test them or check the related documentation carefully, because these methods did not originate in one project but accumulated over many Windows versions. Some are robust and current, whereas others are weak and outdated. Moreover, different methods have different features. From the operating system's point of view, these methods are processed with the following characteristics.
  • The keys located in the HKLM hive are processed earlier than the corresponding keys in the HKCU hive.
  • The content of the RunServices and RunServicesOnce sub-keys is processed earlier than the values in the Run and RunOnce sub-keys. RunServices and RunServicesOnce are launched before the user logon dialog box is displayed.
  • A value located in the RunOnce or RunServicesOnce sub-key is removed before the application it names is launched.

The values stored in the Run and RunOnce keys are launched synchronously and in no defined order, but only after the content of RunServices and RunServicesOnce has finished loading.

The sub-key RunOnceEx deserves more attention, because its form differs from RunOnce and Run. Put simply, values defined directly under the RunOnceEx sub-key are not launched. Unlike Run, you must create your own sub-keys under RunOnceEx, and those sub-keys hold the values naming the applications. The keys and values in RunOnceEx are processed in alphabetical order, which fixes the startup order: an item that sorts earlier alphabetically is launched earlier, regardless of when it was added to RunOnceEx. Applications invoked this way must either terminate on their own or not require an indefinite action to finish, because while one item has not finished, the Windows boot process waits until the launched application terminates. That is, in contrast to RunOnce and Run, no separate process is created for applications launched from RunOnceEx.

There are, in fact, other registry sub-keys that are very useful for starting programs automatically. If you work on Windows 2000/XP, you may have an additional option: in both the HKLM hive and the HKCU hive you can find the sub-key Software\Microsoft\Windows NT\CurrentVersion\Windows.

You may have noticed that the sub-key name includes "Windows NT". This means it is available on Windows NT and its successors, not only on Windows NT itself. In this sub-key you can view or create two entries, named Load and Run respectively. Both can store a list of applications for automatic starting. These values are analogous to the values of the same name in the autostart file Win.ini. When Windows NT or a later version is installed over Windows 95/98, the contents from section
Obviously, this mechanism is designed for compatibility with earlier versions; Windows 2000/XP do not use it themselves.

There are still other sub-keys that start programs automatically. Some of them are seldom described in public materials, which is why spyware often adopts them. The following is a short list of them for Windows ME/2000/XP.
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: The programs listed here start automatically when any user logs in. The value typically names the program that starts the user's GUI.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad: The programs here are activated automatically after the Windows GUI starts, for example the system tray in the bottom right-hand corner of the screen and its contents.
  • HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts: The various scripts that are executed when Windows boots.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run: The programs here start automatically when the user GUI, explorer.exe, is activated.
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run: The programs here start automatically each time a user logs in to the computer.
  • HKCU\SOFTWARE\Policies\Microsoft\Windows\System\Scripts: The various scripts that are executed each time a user logs in to the computer.
  • In short, the positions where developers of spyware are interested in home spyware probably
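To audit every location this article names (the Run family, RunOnceEx with its alphabetically processed sub-keys, the Load/Run entries under Windows NT\CurrentVersion\Windows, and the seldom-documented keys in the last list), here is an added PowerShell example that is not from the original article. It assumes Windows PowerShell with its Registry provider, run from an elevated prompt, and simply lists what is registered so the output can be reviewed or diffed against a known-good baseline.

```powershell
# Added example (not from the original article): enumerate the autostart
# locations discussed above. Assumes Windows PowerShell with the Registry
# provider, run from an elevated prompt.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    # Only HKLM: and HKCU: exist by default; map HKEY_USERS for the .DEFAULT keys.
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$cv = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$nt = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
# Keys whose values each name a program to launch.
$valueKeys = @(
    "HKLM:\$cv\Run", "HKLM:\$cv\RunOnce", "HKLM:\$cv\RunServices", "HKLM:\$cv\RunServicesOnce",
    "HKCU:\$cv\Run", "HKCU:\$cv\RunOnce",
    "HKU:\.DEFAULT\$cv\Run", "HKU:\.DEFAULT\$cv\RunOnce",
    "HKLM:\$nt\Windows", "HKCU:\$nt\Windows",          # Load and Run values (Win.ini heritage)
    "HKLM:\$cv\ShellServiceObjectDelayLoad",           # values are CLSIDs, not file paths
    "HKLM:\$cv\Policies\Explorer\Run", "HKCU:\$cv\Policies\Explorer\Run"
)

function Get-AutostartEntries {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # many keys are absent on a clean system
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Key = $Path; Name = $name; Value = $key.GetValue($name) }
    }
}

$entries = @(foreach ($k in $valueKeys) { Get-AutostartEntries -Path $k })

# RunOnceEx: programs live in user-created sub-keys, processed in alphabetical order.
$runOnceEx = "HKLM:\$cv\RunOnceEx"
if (Test-Path -LiteralPath $runOnceEx) {
    $entries += @(Get-ChildItem -LiteralPath $runOnceEx | Sort-Object Name |
        ForEach-Object { Get-AutostartEntries -Path $_.PSPath })
}

# Winlogon\Userinit is one comma-separated value; normally only userinit.exe is listed.
$wl = Get-ItemProperty -LiteralPath "HKLM:\$nt\Winlogon" -Name Userinit -ErrorAction SilentlyContinue
if ($wl) { $entries += [pscustomobject]@{ Key = "HKLM:\$nt\Winlogon"; Name = 'Userinit'; Value = $wl.Userinit } }

# Policy scripts are stored as nested sub-keys under ...\System\Scripts.
foreach ($hive in 'HKLM', 'HKCU') {
    $scripts = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\System\Scripts"
    if (Test-Path -LiteralPath $scripts) {
        $entries += @(Get-ChildItem -LiteralPath $scripts -Recurse | ForEach-Object { Get-AutostartEntries -Path $_.PSPath })
    }
}

$entries | Sort-Object Key, Name | Format-Table -AutoSize -Wrap
```

Pipe the result through Export-Csv on a freshly built machine and diff later runs against that file; any new Key/Name pair, or a Userinit value with more than userinit.exe, is worth investigating.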