
List:       ntbugtraq
Subject:    Submerged Subkeys in W2K
From:       Andrew Aronoff <ntbugtraq.sub () AARONOFF ! COM>
Date:       2004-05-26 22:39:33
Message-ID: 1156987982.20040527003933 () aya ! yale ! edu

Hello,

I posted about the Silent Runners script, which identifies program
launch locations in any Windows version, on May 12. A user noticed
that the script did not report a program that started up with W2K
and we collaborated to find an answer.

The program was located in the registry as an entry in a key with a
name similar to the following:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Inactive

It turns out that W2K has a "feature" not shared by any other MS O/S
-- it launches any program in any subkey of (at least) six keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

This would simply be a curiosity except that I can't find a single
third party utility (other than the Silent Runners script) that
identifies programs located in such subkeys. If a program places
itself there under W2K, not even MSCONFIG.EXE will expose it.

MS, though, was not convinced that this constituted a security
vulnerability. I'm not sure I agree with them.

regards, Andy

P.S.: To download the free Silent Runners script, readers should
      simply contact me by e-mail.
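As an added example (not the Silent Runners script and not code from the post): a PowerShell audit that walks the six keys listed above and reports any value that sits in a subkey rather than directly under the key, which is where the post says W2K also launches programs. The key list is taken from the post; the function name and the output format are my own.

```powershell
# Added example: report autostart values hidden in subkeys of the six
# keys named in the post. Values directly under each key are skipped,
# since existing tools already show those.
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper name; returns one object per value found in a subkey.
function Get-SubmergedAutostart {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Get-ChildItem on a registry path yields RegistryKey objects for
        # each subkey; -Recurse covers nested subkeys as well.
        Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $subkey = $_
                foreach ($name in $subkey.GetValueNames()) {
                    [pscustomobject]@{
                        ParentKey = $key
                        Subkey    = $subkey.Name
                        ValueName = $(if ($name -eq '') { '(Default)' } else { $name })
                        Command   = $subkey.GetValue($name)
                    }
                }
            }
    }
}

$hits = @(Get-SubmergedAutostart -Keys $autostartKeys)
if ($hits.Count -eq 0) {
    Write-Output 'No values found in subkeys of the six autostart keys.'
} else {
    # Each line is a candidate launch entry that MSCONFIG would not list.
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated session so the HKLM keys are readable; each reported Command is worth reconciling against the software you expect to start on that machine.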
