Runscanner : freeware startup analyzer

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup?
LUSHER
Posted: Sunday, August 19, 2007 8:46:49 PM
Rank: Member
Groups: Member

Joined: 3/2/2007
Posts: 53
Points: 159
http://support.microsoft.com/kb/195461

In Autoruns, not in Runscanner (confirmed).

GeertM
Posted: Sunday, August 19, 2007 8:57:37 PM

Rank: Administration
Groups: Administration

Joined: 2/16/2007
Posts: 141
Points: 192
Location: Belgium
This is correct, I haven't included it because there is no known malware that uses this technique.
(The program only starts if you log on to the computer using terminal services.) It's not very effective for malware.


Lansweeper : free software and computer inventory
LUSHER
Posted: Sunday, August 19, 2007 9:08:53 PM
Rank: Member
Groups: Member

Joined: 3/2/2007
Posts: 53
Points: 159
What about...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
GeertM
Posted: Sunday, August 19, 2007 9:15:46 PM

Rank: Administration
Groups: Administration

Joined: 2/16/2007
Posts: 141
Points: 192
Location: Belgium
Same story.

I started programming with one terminal service entry, but afterwards I figured out it wasn't very useful for version 1.0.

These locations will be included in future versions just to be complete, but as far as I found out (and asked others): no known malware uses these entries.
(But Autoruns is correct to list them because they start up when you log on using terminal services/remote desktop.)

There are also 4 more Autoruns locations that I don't use now (have to look them up tomorrow, I have them in a .txt file).

The problem is: if I include them, the log will be more complete, but it will be harder for malware fighters to find the "wrong" entries (because these keys only contain legitimate entries).


LUSHER
Posted: Sunday, August 19, 2007 9:42:48 PM
Rank: Member
Groups: Member

Joined: 3/2/2007
Posts: 53
Points: 159
You probably have a good reason for leaving out stuff. I notice some really weird entries that Autoruns monitors, like HKLM\Software\Microsoft\Ctf\LangBarAddin. What is that one about? Related to Ctfmon?

I'm also not sure if you want to monitor stuff like HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders, which controls startup folders. It's usually fine UNLESS it is different from the default. So maybe you whitelist it and display it only if it is different from the default/safe entries?

I mean, you monitor hosts file locations, right?
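As an added example (not Runscanner's or Autoruns' code), the script below enumerates the locations discussed in this thread the way a defender would audit them: the Terminal Server "Install" Run/RunOnce/RunOnceEx keys, the Winlogon AppSetup value from KB195461, and the User Shell Folders Startup paths, reporting the latter only when they differ from a default. The default paths are an assumption for Vista and later (XP used "%USERPROFILE%\Start Menu\Programs\Startup"); adjust them for the OS you are checking.

```powershell
# Added example: read-only audit of the autostart locations from this thread.
# Run in an elevated PowerShell console so the HKLM keys are readable.

# 1. Terminal Server "Install" Run/RunOnce/RunOnceEx keys (HKLM and HKCU): list every value.
$tsInstall = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion'
$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce', 'RunOnceEx') { "${hive}:\$tsInstall\$sub" }
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }   # key is absent on most machines
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Location = $key; Name = $name; Data = $item.GetValue($name) }
    }
}

# 2. Winlogon\AppSetup (KB195461): only runs on a terminal-services logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$appSetup = (Get-ItemProperty -Path $winlogon -Name AppSetup -ErrorAction SilentlyContinue).AppSetup
if ($appSetup) {
    [pscustomobject]@{ Location = "$winlogon"; Name = 'AppSetup'; Data = $appSetup }
}

# 3. User Shell Folders: whitelist approach, report Startup paths only when non-default.
#    Defaults are assumed for Vista and later (see lead-in).
$expected = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
       Value = 'Startup'
       Default = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
       Value = 'Common Startup'
       Default = '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup' }
)
foreach ($e in $expected) {
    $item = Get-Item $e.Key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    # Read the raw REG_EXPAND_SZ text without expanding %VARS%, so the comparison is literal.
    $actual = $item.GetValue($e.Value, $null, 'DoNotExpandEnvironmentNames')
    if ($actual -and $actual -ne $e.Default) {
        [pscustomobject]@{ Location = $e.Key; Name = "$($e.Value) (NON-DEFAULT)"; Data = $actual }
    }
}
```

A clean machine prints nothing for sections 1 and 3 and usually nothing for section 2; any row that does appear is worth tracing to the program that created it.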
GeertM
Posted: Wednesday, December 12, 2007 12:10:41 AM

Rank: Administration
Groups: Administration

Joined: 2/16/2007
Posts: 141
Points: 192
Location: Belgium
I'm searching for a TechNet article or something else about ...\Software\Microsoft\Ctf\LangBarAddin, but I can't seem to find any good information about it.


