- Standard ways, which are probably detected by most antivirus products:
- Put an exe as a string value under ‘HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ and it runs on user login
- Put an exe as a string value after ‘explorer.exe’ under ‘HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell’ and it runs on user login immediately after explorer.exe runs
- On Windows 7+, place a file under ‘C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup’ and it will run when any user logs on. On Windows XP: ‘C:\Documents and Settings\All Users\Start Menu\Programs\Startup’
- On Windows 7+, place a file under ‘C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup’ and it will run when that specific user logs on. On Windows XP: ‘C:\Documents and Settings\%USERNAME%\Start Menu\Programs\Startup’
- Less standard ways:
- Add a key called ‘Driver’ under ‘HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors’ whose string value points to the path of the DLL, and it will load on startup. The DLL must be placed in C:\Windows\system32. Multiple DLLs can be loaded this way. The installed print monitors are shown in the Sysinternals Autoruns tool under the “Print Monitors” tab.
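An audit of the locations listed above, as an added example that is not part of the original page: it enumerates the Run key, the Winlogon Shell value, the startup folders and every print monitor's ‘Driver’ DLL, and flags entries that differ from the expected defaults. It assumes an elevated PowerShell session on Windows 7 or later; the "Microsoft-signed DLL" check for print monitors is a heuristic chosen here, not a documented baseline.

```powershell
# Added audit script (not from the original page). Assumes elevated PowerShell, Windows 7+.
$findings = @()

# 1. HKLM Run key: every non-PS* string value is a command line run at user logon.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($p in $run.PSObject.Properties) {
    if ($p.Name -notlike 'PS*') {
        $findings += [pscustomobject]@{ Location = 'Run'; Name = $p.Name; Value = $p.Value; Note = 'review' }
    }
}

# 2. Winlogon Shell: the default is 'explorer.exe'; anything appended or replaced is worth a look.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += [pscustomobject]@{ Location = 'Winlogon\Shell'; Name = 'Shell'; Value = $shell; Note = 'non-default shell' }
}

# 3. Startup folders: the all-users folder plus the per-profile folder of every user.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$startupDirs += Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Location = 'StartupFolder'; Name = $_.Name; Value = $_.FullName; Note = 'review' }
        }
}

# 4. Print monitors: each subkey's 'Driver' value names a DLL loaded by the spooler.
#    Heuristic (assumption): flag a DLL that is missing from System32 or not Microsoft-signed.
$monitors = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
foreach ($sub in Get-ChildItem -Path $monitors -ErrorAction SilentlyContinue) {
    $driver = (Get-ItemProperty -Path $sub.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
    if (-not $driver) { continue }
    $dll = if ([System.IO.Path]::IsPathRooted($driver)) { $driver } else { Join-Path "$env:SystemRoot\System32" $driver }
    $note = 'ok'
    if (-not (Test-Path $dll)) {
        $note = 'DLL not found in System32'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') { $note = 'unsigned or non-Microsoft DLL' }
    }
    $findings += [pscustomobject]@{ Location = 'PrintMonitor'; Name = $sub.PSChildName; Value = $driver; Note = $note }
}

$findings | Format-Table -AutoSize
```

Run it on a known-clean build first and keep that output as the baseline; a later run that shows a new Run value, a Shell value other than ‘explorer.exe’, or a print monitor flagged as non-Microsoft is the change to investigate.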