Re: Submerged Subkeys in W2K

From: Andrew Aronoff (ntbugtraq.sub_at_AARONOFF.COM)
Date: 06/04/04

  • Next message: Sam _at_ ProData: "Re: Russ Cooper's AusCERT Presentation on MS Security Bulletins"
    Date:         Fri, 4 Jun 2004 09:46:23 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Hello,

    On Wed 02 June 2004 at 14:49 -0400, when writing about the Silent
    Runners script, Geo. advised:
    > Couple other locations you missed, see
    > http://www.nthelp.com/40/automatic.htm for the list.

    The Silent Runners script checks far more than what is listed on the
    page that Geo. submitted. At last count, Silent Runners checks any of
    32 keys, depending on the O/S, more than any other "startup" utility
    that I've ever run across. That's why I wrote it. If anyone is aware
    of something that's missing, please let me know so that the script may
    be improved.

    The nthelp.com page lists, but Silent Runners does _not_ check:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    Note that they're in the HKCU hive; the HKLM versions *are* checked by
    Silent Runners.

    The two HKCU keys would only apply to W98, but I've never been able to
    launch a service from either of them despite numerous attempts. MS
    doesn't list these keys in their KB articles, 137367 and 179365. If
    anyone knows of any executable that launches from either of these keys
    in any O/S, please share that information.

    The nthelp.com page also lists for NT:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    The Silent Runners script checks these keys for NT4, but if it finds
    anything it prefaces the listing with the words "EXECUTION UNLIKELY:".
    I can get these keys to work for W2K and WXP, but *not* for NT4 SP6a.
    Furthermore, I can find no mention of this for NT4 on Google and MSKB
    270035 omits it for that O/S. If anyone knows of a program that
    launches from either of these keys in NT4, please share that
    information.

    The list of exactly what's checked by the Silent Runners script is on
    the welcome page: http://www.aaronoff.com/silent_runners/#keylist

    A previous version of that list was posted to NTBugTraq on May 12. It
    can be found here: http://tinyurl.com/2dpba

    regards, Andy

    -----
    Patch Automation v6.0 by Mobile Automation, Inc. allows you to quickly
    identify and fix all PCs that are exposed to the Sasser worm! Our
    solution provides quick and seamless discovery and deployment of all your
    PCs' Microsoft security patching needs. Regardless of where
    your PCs reside (inside the LAN, at home or on the road), Patch
    Automation gets the job done. Contact us to learn about our free 30-day
    trial version at 800-344-1150 or visit our website at
    <http://www.patchautomation.com>
    -----
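The keys debated in the message above (the HKCU `RunServices`/`RunServicesOnce` pair and the `Policies\Explorer\Run` pair in both hives) are exactly the sort of location a defender wants to inventory and watch for change. The PowerShell below is an added example, not part of the original post and not code from the Silent Runners script: it enumerates those keys in both hives, reports whether each is absent, empty or populated, and can save or compare a baseline so that a newly written autostart value stands out. The key paths come from the message; the function names, the object shape and the baseline file format are this example's own assumptions.

```powershell
# Added example (not the Silent Runners script): inventory the autostart keys
# named in the thread and diff them against a saved baseline.

# Subkeys taken from the message; checked under both HKLM and HKCU.
$AutostartSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-AutostartEntries {
    # Returns one object per value found, or one 'absent'/'empty' marker per key.
    param(
        [string[]]$Hives   = @('HKLM', 'HKCU'),
        [string[]]$SubKeys = $AutostartSubKeys
    )
    foreach ($hive in $Hives) {
        foreach ($sub in $SubKeys) {
            $path = "${hive}:\$sub"
            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ Key = $path; Name = $null; Value = $null; Status = 'absent' }
                continue
            }
            $key   = Get-Item -LiteralPath $path
            $names = @($key.GetValueNames())
            if ($names.Count -eq 0) {
                [pscustomobject]@{ Key = $path; Name = $null; Value = $null; Status = 'empty' }
                continue
            }
            foreach ($name in $names) {
                # GetValueNames() reports the (Default) value as an empty string.
                $label = if ($name -eq '') { '(Default)' } else { $name }
                [pscustomobject]@{
                    Key    = $path
                    Name   = $label
                    Value  = [string]$key.GetValue($name)
                    Status = 'populated'
                }
            }
        }
    }
}

function Compare-AutostartBaseline {
    # First run with -Save writes the baseline; later runs list entries that
    # are new or changed relative to it. Baseline format (JSON) is assumed here.
    param(
        [Parameter(Mandatory)][string]$BaselinePath,
        [switch]$Save
    )
    $current = Get-AutostartEntries | Where-Object Status -eq 'populated'
    if ($Save) {
        $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
        return
    }
    $baseline = @()
    if (Test-Path -LiteralPath $BaselinePath) {
        $baseline = @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)
    }
    # Index the baseline by key+name so a changed command line is caught too.
    $known = @{}
    foreach ($b in $baseline) { $known["$($b.Key)|$($b.Name)"] = $b.Value }
    foreach ($c in $current) {
        $id = "$($c.Key)|$($c.Name)"
        if (-not $known.ContainsKey($id)) {
            $c | Add-Member -NotePropertyName Change -NotePropertyValue 'new' -PassThru
        } elseif ($known[$id] -ne $c.Value) {
            $c | Add-Member -NotePropertyName Change -NotePropertyValue 'modified' -PassThru
        }
    }
}

# Usage: print the inventory, then record a baseline for later comparison.
Get-AutostartEntries | Format-Table -AutoSize
Compare-AutostartBaseline -BaselinePath "$env:TEMP\autostart-baseline.json" -Save
```

On a system where none of these keys exist the inventory is all `absent` rows, which is itself a useful finding: the message notes that the HKCU `RunServices` keys have no documented launch path on NT-family systems, so any value appearing there is worth a second look regardless of whether it executes.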

