Hi all. :)

Wouldn't we want to watch the following key as well?

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug

I've noticed various malware writing to it specifying a rogue executable as debugger:

http://www.symantec.com/en/aa/norton/security_response/writeup.jsp?docid=2007-110915-3903-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2007-112815-0617-99&tabid=2
http://www.sophos.com/security/analyses/w32brontokbo.html


Cheers,

---

Tony CLSID List - A Collection of Autostart Locations

Hi Geert, thanks, and you're welcome. :)

I've also added to the Sysinternals "Utility Manager" thread with this suggestion.

I haven't had the occasion to do any testing on this launch point myself, so let's wait and see what they say.

In any case, although it might be a rather unlikely launch point, it could very well 'lie dormant' for ages, at least provided the malware itself isn't detected in the meantime, and then launch the baddie in the event of a system crash.

---

Tony CLSID List - A Collection of Autostart Locations

If you really want surprises, I'll add two "undiscovered" launch points to the next version (1.6)
(I need to do some more testing with them first)

PM me for more info ;)

This is not included in the 2 "surprises", but missing in silentrunners and autoruns (and my current version)

174 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/12331.mspx?mfr=true

---

Lansweeper : free software and computer inventory

OMG, i'm abandoning runscanner for silentrunners!!!

That's the advantage of Silentrunners i guess more mobile.