An additional AutoRun place for shell

    General discussion

  • I found that some malware might use the following place to start up automatically.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

    HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

    In the above keys, there may be some REG_SZ values. The name of those string values points to CLSID keys.

    Please add corresponding locations into AutoRuns.

    Wednesday, November 28, 2018 8:09 AM

All replies

  • Hello

    Thanks for raising this. I looked at the history for this code and it looks like we used to monitor these locations but removed them a few years ago. I just spoke to Mark R. about the history here and he said it was dropped because this location isn't an ASEP as such but a filter for enabling/disabling shell extensions that are registered elsewhere.

    If you have a specific case where this is being abused by malware though I'd be interested in hearing more about it in case we need to revisit this.

    MarkC(MSFT)

    Wednesday, November 28, 2018 11:52 PM

  • Thank you for your reply.

    Recently I installed an application from this link:

    (prepend the http:// prefix here)wdl1.cache.wps.cn/wps/download/W.P.S.7989.12012.2019.exe

    Download the application, run it and click the big blue button at the center of the installer program window, and the installation will be finished.

    The main application process was wps.exe, which was an application that did something similar to MS Office.

    After exiting the application, terminating the process and disabling everything about the product with AutoRuns (disabling related shell extensions, task scheduler items, etc.), the wps.exe process kept reappearing periodically. I checked the DLLs with Process Explorer and found two DLL files in its directory were loaded into Windows Explorer.

    I suspected that the behavior of the process resurrection of the application was by design, exploiting multiple auto start locations. The same technique could be exploited by malware programmers.

    Could you help address the auto-startup of that application?

    Saturday, December 1, 2018 1:16 AM
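The opening post names the two HKCU `Shell Extensions\Approved` keys and notes that each value name is a CLSID, and the last post describes finding unexpected DLLs loaded into Explorer. The script below is an added example for readers of this thread; it is not code from the thread, from Autoruns or from the application discussed. It walks the `Approved` keys (the two HKCU keys from the first post, plus their HKLM counterparts, which the thread does not mention), resolves each CLSID-shaped value name to the DLL recorded under `CLSID\{GUID}\InprocServer32` in HKCU and HKLM `Software\Classes`, and reports the Authenticode status of that DLL. The regex for GUID-shaped names and the HKCU-before-HKLM lookup order are the author's assumptions, not something the thread states.

```powershell
# Added example, not from the thread: enumerate the Shell Extensions\Approved
# filter keys and resolve each approved CLSID to the DLL Explorer would load,
# so a defender can see which code the entries actually point at.
# Assumption: a value name of the form {GUID} is a CLSID whose implementing
# DLL is the default value of CLSID\{GUID}\InprocServer32, looked up in
# HKCU\Software\Classes first and then HKLM\Software\Classes.

$approvedKeys = @(
    # the two keys named in the first post
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved',
    'HKCU:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved',
    # machine-wide counterparts, added here for completeness
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
)

function Resolve-ClsidServer {
    param([Parameter(Mandatory)][string]$Clsid)
    # Per-user COM registrations take precedence over machine-wide ones,
    # so the per-user hive is consulted first.
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
        $path = Join-Path $root "CLSID\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $path) {
            $dll = (Get-ItemProperty -LiteralPath $path).'(default)'
            if ($dll) {
                # Registered paths may contain %SystemRoot% and similar
                return [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            }
        }
    }
    return $null
}

$report = foreach ($key in $approvedKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        # Only {GUID}-shaped value names refer to CLSIDs; skip anything else
        if ($name -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { continue }

        $dll    = Resolve-ClsidServer -Clsid $name
        $status = 'NoInprocServer32'
        $signer = $null
        if ($dll) {
            if (Test-Path -LiteralPath $dll) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $dll
                $status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            } else {
                $status = 'DllMissing'        # Approved entry survives an uninstall
            }
        }

        [pscustomobject]@{
            ApprovedKey = $key
            Clsid       = $name
            Description = $item.GetValue($name)   # default data is a display name
            Dll         = $dll
            Signer      = $signer
            Status      = $status
        }
    }
}

# Full inventory, then the subset worth a closer look: DLLs that are missing,
# not validly signed, or installed outside the Windows directory.
$report | Sort-Object Status, Dll | Format-Table Clsid, Status, Signer, Dll -AutoSize
$report |
    Where-Object { $_.Status -ne 'Valid' -or $_.Dll -notlike "$env:SystemRoot\*" } |
    Format-List ApprovedKey, Clsid, Description, Dll, Signer, Status
```

Reading HKCU and HKLM does not require an elevated prompt. As MarkC's reply points out, an `Approved` entry by itself does not load anything; Explorer loads the DLL only when the same CLSID is also registered at a handler location (context menu, icon overlay, column handler and so on), so a suspicious row here is a lead to follow into those registration points and into the Explorer module list from Process Explorer, not a confirmed autostart.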