Submerged Subkeys in W2K

From: Andrew Aronoff (ntbugtraq.sub_at_AARONOFF.COM)
Date: 05/27/04

  • Next message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins"
    Date:         Thu, 27 May 2004 00:39:33 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Hello,

    I posted about the Silent Runners script, which identifies program
    launch locations in any Windows version, on May 12. A user noticed
    that the script did not report a program that started up with W2K
    and we collaborated to find an answer.

    The program was located in the registry as an entry in a key with a
    name similar to the following:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Inactive

    It turns out that W2K has a "feature" not shared by any other MS O/S
    -- it launches any program in any subkey of (at least) six keys:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    This would simply be a curiosity except that I can't find a single
    third party utility (other than the Silent Runners script) that
    identifies programs located in such subkeys. If a program places
    itself there under W2K, not even MSCONFIG.EXE will expose it.

    MS, though, was not convinced that this constituted a security
    vulnerability. I'm not sure I agree with them.

    regards, Andy

    P.S.: To download the free Silent Runners script, readers should
          simply contact me by e-mail.

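The behaviour described in the post (W2K walking subkeys of the six Run/RunOnce/Policies keys, which standard startup viewers such as MSCONFIG never look at) can be checked offline from a plain `regedit` text export. The script below is an added example, not the Silent Runners script or any code from the post: it parses a REGEDIT4-style export, normalises the hive names, and reports every value that lives in a subkey of one of the six listed keys rather than in the key itself. The export text, the key name `Inactive` (taken from the post) and the value names and paths in it are constructed sample data, and the `RunOnceEx` entry is included only to show that the prefix match must require a trailing backslash so that sibling keys are not misreported.

```python
import re

# The six keys whose subkeys Windows 2000 also launches at logon (listed in the post).
WATCHED_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
]

# regedit exports write the long hive names; the post uses the short forms.
HIVE_ABBREV = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
}

# Constructed sample export (not a real system dump). Only the value under
# Run\Inactive should be reported: Run itself is a normal launch point and
# RunOnceEx is a sibling key, not a subkey of RunOnce.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Agent"="C:\\Program Files\\Vendor\\agent.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Inactive]
"Hidden"="C:\\WINNT\\system32\\example.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="C:\\temp\\once.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]
"Sibling"="C:\\temp\\notasubkey.exe"
"""

# Matches '@=data' (default value) or '"name"=data'.
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def normalize_key(path):
    """Rewrite HKEY_LOCAL_MACHINE\\... to HKLM\\... so keys compare with WATCHED_KEYS."""
    hive, sep, rest = path.partition("\\")
    hive = HIVE_ABBREV.get(hive.upper(), hive.upper())
    return hive + sep + rest


def parse_reg_export(text):
    """Return {normalised key path: {value name: data}} from a regedit text export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("REGEDIT") \
                or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            # Quoted REG_SZ data: undo the export's backslash and quote escaping.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_submerged_entries(keys):
    """Values located in a strict subkey of a watched key (the case the post describes)."""
    findings = []
    for key, values in keys.items():
        for watched in WATCHED_KEYS:
            # The trailing backslash is what separates Run\Inactive from RunOnce/RunOnceEx.
            if key.lower().startswith(watched.lower() + "\\"):
                for name, data in values.items():
                    findings.append((watched, key, name, data))
    return findings


if __name__ == "__main__":
    for watched, key, name, data in find_submerged_entries(parse_reg_export(SAMPLE_EXPORT)):
        print(f"subkey of {watched}:\n  {key}\n  {name} = {data}")
```

On a live system the same check is run against the output of `reg export` (or a regedit export) of each of the six keys; anything reported should be compared against the entries MSCONFIG shows, since on W2K it will not list them.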

