在涉及恶意软件的任何调查中，寻找持久性点（也称为“自动启动扩展点”或ASEP）是一项经常出现的任务。持久性点（Persistence Points）通常指的是计算机系统中一些可以被恶意软件利用来确保其在系统重启后仍能存活和运行的特定位置或机制。自动启动扩展点（ASEP，Automatic Startup Extension Points）

在涉及恶意软件的调查中，寻找持久性点（Persistence Points）是一项非常重要的任务。这些持久性点也被称为自动启动扩展点（ASEP，Automatic Startup Extension Points），它们是恶意软件常用的一种技术，用来在系统启动时自动运行并确保恶意软件持续存在和活动。

恶意软件利用持久性点可以在受感染的计算机系统上实现自启动，使其能够在系统启动时自动加载并在后台运行，从而持续地进行恶意活动。因此，在进行恶意软件调查时，寻找和分析这些持久性点对于识别、清除和防范恶意软件至关重要。

常见的持久性点包括注册表项、启动文件夹、计划任务、系统服务等。调查人员通常会检查这些地方，以确定是否存在恶意软件植入的自动启动项。一旦发现持久性点与恶意软件有关，调查人员可以采取适当的措施来清除恶意软件并修复系统安全漏洞，以确保系统安全。

持久性点（Persistence Points）通常指的是计算机系统中一些可以被恶意软件利用来确保其在系统重启后仍能存活和运行的特定位置或机制。恶意软件经常利用持久性点来实现自动启动、隐藏、和维持其活动的能力。以下是一些常见的持久性点：

注册表: 恶意软件可以修改注册表中的特定键值，使得自身在系统启动时被自动加载。例如，注册表的 Run 和 RunOnce 键下的条目就是常被利用的自启动位置。
启动文件夹: 恶意软件可以将其可执行文件或快捷方式放置在系统的启动文件夹中，使得在用户登录后会自动执行。
服务: 恶意软件有时会注册成为系统服务，这样它可以在系统启动时自动运行并且在后台持续操作。
任务计划程序: 恶意软件可以创建任务计划程序，以便在特定时间或系统事件发生时自动执行其代码或脚本。
启动批处理脚本: 可以通过编写启动时执行的批处理脚本，使得恶意软件在系统启动时自动运行并执行特定的操作。
启动项: 操作系统或第三方软件可能会在系统启动时加载特定的启动项，这些项可以被恶意软件利用来实现自动启动和隐藏。

持久性点的存在使得恶意软件能够在系统重启后自动重现其活动，这对于其攻击能力和持续存在非常关键。因此，安全措施通常包括监控和审查这些持久性点，定期扫描系统以检测异常活动，以及使用反恶意软件工具来清除和阻止这些持久性点的利用。

自动启动扩展点（ASEP，Automatic Startup Extension Points）是指操作系统或应用程序提供的一些机制或接口，允许软件在系统启动时自动执行特定的任务或加载特定的组件。这些扩展点通常被恶意软件利用来实现自启动和隐藏恶意活动的目的，因此在安全领域中，ASEP也成为一种关注的对象。

常见的自动启动扩展点包括：

注册表启动项: Windows系统中，通过修改注册表中的特定键值，可以指定程序在用户登录或系统启动时自动执行。恶意软件经常利用这些启动项来实现自启动，如注册表中的 HKCU\Software\Microsoft\Windows\CurrentVersion\Run 和 HKLM\Software\Microsoft\Windows\CurrentVersion\Run。
启动文件夹: 操作系统允许用户将程序的快捷方式放置在特定的启动文件夹中，这样在用户登录时会自动执行这些程序。恶意软件可以将自己的快捷方式放置在这些文件夹中，以实现自启动。
服务: 操作系统和应用程序可能会作为服务在后台运行，服务可以在系统启动时自动启动并持续运行，提供特定的功能或服务。恶意软件有时会伪装成系统服务或利用服务的机制来实现自启动和隐藏。
启动批处理脚本: 通过操作系统的任务计划程序或类似的机制，可以在系统启动时自动运行批处理脚本。这些脚本可以执行各种操作，包括启动程序、修改系统设置等。

ASEP的合法使用包括系统管理、自动化部署和配置管理等，但在安全方面，重要的是及时监控和审查这些自动启动点，以防止恶意软件的利用和攻击。安全措施可以包括使用安全软件检测和清除恶意启动项、定期审查注册表和启动文件夹、限制用户权限以及实施白名单策略等。

理解和区分这些不同术语的含义可以帮助我们更好地掌握自动启动机制。让我们分别看看它们的具体含义和区别：

1. ASEP（Autoruns Entry Points）

Autoruns Entry Points 指的是系统中负责列出所有自动运行程序的入口点。Autoruns 是由 Sysinternals（现为微软的一部分）开发的一款工具，用于显示和管理 Windows 系统启动时自动运行的所有程序、服务和驱动。

功能：主要用于查看和管理所有已经配置为自动启动的项目，包括但不限于注册表项、启动文件夹、浏览器辅助对象等。
用途：系统管理员和安全专家常用此工具来检测和删除不必要或恶意的启动项。

2. ASEP (Auto-Start Extensibility Points)

Auto-Start Extensibility Points 是一种通用术语，指的是操作系统中允许程序在启动时自动运行的扩展点。这些扩展点可以存在于多个位置，例如：

注册表中的 Run 和 RunOnce 键。
启动文件夹中的快捷方式。
Windows 服务。
任务计划程序中的任务。
浏览器插件和扩展。

这个术语通常用于描述系统整体的自动启动机制，而不是特定的工具或方法。

3. ASEP（Automatic Startup Extension Points）

Automatic Startup Extension Points 实际上是对 Auto-Start Extensibility Points 的另一种描述方式。两者可以互换使用，都指的是操作系统中管理自动启动程序的机制和位置。

区别总结

ASEP（Autoruns Entry Points）：特指由 Autoruns 工具扫描和列出的自动启动程序条目，强调的是实际使用工具查看和管理这些条目。
ASEP (Auto-Start Extensibility Points) 和 ASEP（Automatic Startup Extension Points）：这两个术语指的是同一个概念，即操作系统中允许自动启动程序的机制和位置，没有本质区别，只是表达方式不同。

小结

Autoruns Entry Points：具体指 Autoruns 工具显示的启动项。
Auto-Start Extensibility Points 和 Automatic Startup Extension Points：指操作系统中管理自动启动程序的机制，两者可以互换使用。

理解这些术语的背景和用途有助于更好地管理和维护系统的启动过程，确保系统安全和性能优化。

ASEP（Auto-Start Extensibility Points）和自动启动扩展点（Automatic Startup Extension Points）实际上是同一个概念的不同翻译或表达方式。它们都指的是操作系统（特别是Windows）中的一种机制，用于管理和控制在系统启动时自动运行的程序和服务。

ASEP（Auto-Start Extensibility Points）

ASEP 是 Auto-Start Extensibility Points 的缩写，直接翻译过来就是“自动启动扩展点”。这是一种机制，允许应用程序在系统启动时自动运行。ASEP 可以存在于多个位置，包括但不限于：

注册表中的 Run 和 RunOnce 键。
启动文件夹中的快捷方式。
Windows 服务。
任务计划程序中的任务。

这类机制通常用于确保某些关键程序或服务在系统启动时立即可用，但也可能被恶意软件滥用，以在系统启动时自动运行。

自动启动扩展点（Automatic Startup Extension Points）

自动启动扩展点 是对 ASEP 的另一种描述方式。这种表达更直观地传达了其功能，即某些程序或服务通过这些扩展点设置为在系统启动时自动运行。

相同点

目的相同：无论是 ASEP 还是自动启动扩展点，目的是相同的——管理系统启动时自动运行的程序和服务。
机制一致：它们都涉及操作系统提供的多种自动启动机制，如注册表项、启动文件夹、Windows 服务和任务计划程序等。

细微区别

术语使用：ASEP 更像是一个技术术语或者缩写，常出现在技术文档和专业讨论中。而“自动启动扩展点”则是一种更口语化、描述性的叫法，可能更容易让普通用户理解。
表达方式：ASEP 强调的是一种技术实现和扩展性，而自动启动扩展点则更强调实际的启动行为。

小结

无论是 ASEP（Auto-Start Extensibility Points）还是自动启动扩展点（Automatic Startup Extension Points），本质上指的都是同一个概念，即操作系统中用于在启动时自动运行程序和服务的各类机制。不同的表达方式只是为了适应不同的受众或场景，但其核心内容和功能没有区别。

除了自动启动扩展点（ASEP）之外，还设计和实施了多种其他安全机制。以下是一些重要的安全机制：

用户账户控制（User Account Control, UAC）：UAC通过限制应用程序和管理员权限的交互，有助于防止恶意软件的恶意行为。它要求用户确认某些可能需要管理员权限的操作，从而减少了潜在的安全风险。
防火墙（Firewall）：Windows防火墙能够监控和控制进出计算机的网络流量，有助于阻止未经授权的访问和潜在的恶意行为。
安全更新和补丁管理：微软定期发布安全更新和补丁，以修复操作系统和应用程序中的安全漏洞，提高系统的整体安全性。
数据执行保护（Data Execution Prevention, DEP）：DEP是一种内存保护技术，可以防止恶意代码在受保护的内存区域中执行，从而减少了恶意软件攻击的风险。
地址空间布局随机化（Address Space Layout Randomization, ASLR）：ASLR通过随机化系统组件的内存布局，使得恶意软件难以预测和利用特定内存地址，增加了攻击的难度。
安全启动（Secure Boot）：安全启动是一种防止恶意软件在系统启动时加载的机制。它只允许加载经过认证和签名的启动组件，从而减少了被恶意软件感染的风险。
访问控制列表（Access Control Lists, ACLs）：ACLs用于定义哪些用户或用户组可以访问特定的系统资源，以及他们可以对这些资源执行哪些操作。这有助于限制对敏感数据和资源的未经授权访问。
安全套接字层/传输层安全性 (SSL/TLS): 用于在网络上安全地传输数据，保护敏感信息（如信用卡号码或密码）不被窃听或篡改。
智能屏幕 (SmartScreen): 在Edge浏览器中，智能屏幕会检查网站和下载内容的信誉，帮助用户避免恶意软件或钓鱼网站。
Windows Defender: 内置于Windows中的反恶意软件工具，用于实时保护计算机免受病毒、间谍软件和其他恶意软件的威胁。
BitLocker驱动器加密: 提供对整个系统卷或单个文件的加密，以保护数据不被未经授权的用户访问。
AppLocker: 允许管理员定义哪些应用程序和脚本可以在特定的用户或计算机上运行，从而限制潜在的有害软件的执行。
内核模式保护: Windows内核是受到严格保护的，只允许特定的、经过验证的代码在内核模式下运行，这有助于防止恶意代码获得过高的权限。
沙盒 (Windows Sandbox): 创建一个隔离的、临时的环境，在其中可以运行不受信任的应用程序，从而保护系统免受潜在恶意行为的影响。
Credential Guard: 使用虚拟化技术保护用户凭据，防止它们被恶意软件窃取或滥用。
受控文件夹访问 (Controlled Folder Access): 通过限制对特定文件夹（如“文档”和“桌面”）的访问，减少恶意软件对这些文件夹中文件的感染或篡改。
Windows Hello: 提供基于生物识别技术的身份验证方法（如面部识别或指纹识别），以增加账户的安全性。
内核隔离 (Kernel Isolation): 在Windows 10中引入的一项功能，用于隔离系统服务以减少攻击面。
内存完整性 (Memory Integrity): Windows 11中引入的一项功能，通过启用基于虚拟化的安全功能（如HVCI），增强对内存的保护。
Device Guard: 这是一个内置的安全功能，旨在防止恶意软件在Windows设备上运行。它通过使用代码完整性策略和配置规则来限制可以运行的应用程序和驱动程序。
基于虚拟化的安全 (Virtualization-Based Security, VBS): VBS利用硬件虚拟化技术来创建一个受保护的、隔离的环境，用于执行安全关键操作，如凭证保护、受保护的代码执行等。
Microsoft Defender for Endpoint: 这是Microsoft提供的一种端点安全解决方案，结合了端点检测与响应（EDR）和防病毒功能，旨在帮助组织预防、检测和应对高级威胁。
Microsoft Defender for Identity: 提供对身份和访问管理的保护，通过检测和响应针对用户身份的威胁，减少身份盗窃和滥用的风险。
Windows Defender Application Guard (WDAG): 这是Edge浏览器的一个功能，它使用Hypervisor创建一个隔离的容器来运行不受信任的网站，从而防止恶意软件感染用户的设备。
Windows Defender Exploit Guard: 提供一组安全功能，包括攻击面减少规则、网络保护、行为监控和受控文件夹访问，以阻止恶意软件利用漏洞和攻击技术。
安全审计和日志记录: Windows操作系统提供了详细的审计和日志记录功能，允许管理员和系统管理员监控和跟踪系统活动，以检测潜在的安全事件。
加密文件系统 (EFS): 允许用户对文件进行加密，只有持有相应密钥的用户才能访问这些文件。这有助于保护存储在计算机上的敏感数据。
组策略 (Group Policy): 提供了细粒度的控制，允许管理员定义和部署安全设置、应用程序和配置，以确保整个组织的计算机都符合安全标准。
Windows信息保护 (WIP): 这是一个数据保护解决方案，旨在防止公司数据泄露。WIP可以加密和保护存储在设备上的公司数据，同时允许个人数据保持不受影响。
Windows Subsystem for Linux (WSL): 允许在Windows上运行Linux环境，并提供了一种安全的方法来运行和管理Linux应用程序。WSL提供了与Linux内核的隔离，从而减少了潜在的安全风险。
Credential Manager: 允许用户存储和管理凭据（如用户名和密码），以便在需要时自动填充。Credential Manager还提供了对凭据的加密和保护，以防止未经授权的访问。
Windows Defender Application Control (WDAC): 通过白名单技术，WDAC允许管理员定义哪些应用程序和驱动程序可以在系统上运行。这有助于防止恶意软件或未经验证的应用程序执行。
Windows Defender SmartScreen: 在Edge浏览器中提供恶意网站和下载内容的警告和阻止功能，帮助用户避免恶意软件的感染。
Windows Defender Antivirus Exclusions: 允许管理员和用户排除特定的文件、文件夹或进程，以便它们不会被Windows Defender Antivirus扫描或阻止。
Windows Update for Business: 提供了一种灵活的方式来管理和部署Windows更新，以确保组织的计算机及时获得最新的安全补丁和功能。
Windows Defender Firewall with Advanced Security: 提供了一个强大的防火墙工具，允许管理员配置入站和出站规则，以控制网络流量的进出。
Windows Defender Credential Guard and Remote Credential Guard: 这些功能使用虚拟化技术来保护用户的凭据，防止凭据被窃取或滥用。
Windows Subsystem for Android (WSA): 在Windows 11中引入的功能，允许用户在Windows上运行Android应用程序。WSA提供了对Android应用程序的隔离和安全保护。
Windows Hello for Business: 这是一个基于生物识别技术的身份验证解决方案，允许用户使用指纹、面部识别或PIN码来登录Windows设备。通过减少对传统密码的依赖，它增加了登录过程的安全性。
Microsoft Passport: 提供了一种基于虚拟智能卡技术的身份验证方法，允许用户使用手机或其他移动设备作为身份验证令牌。这增加了多因素身份验证的灵活性和安全性。
安全套接字扩展 (Secure Socket Extensions, SSE): 这些扩展提供了对SSL/TLS协议的增强支持，包括更强大的加密算法和密钥交换机制，以提高网络通信的安全性。
数据泄露防护 (Data Loss Prevention, DLP): 这是一组功能和技术，旨在防止敏感数据被意外泄露或非法传输。DLP可以监控和控制数据的流动，包括文件传输、电子邮件发送等，以确保数据的安全性和合规性。
加密文件系统 (EFS) 和 BitLocker To Go: 这些功能允许用户对单个文件或整个USB驱动器进行加密，确保即使设备丢失或被盗，数据仍然保持安全。
受信任的平台模块 (Trusted Platform Module, TPM): TPM是一个安全的硬件组件，用于存储加密密钥、执行加密操作以及验证平台的完整性。它提供了对敏感数据的保护，并帮助确保系统的安全性。
Windows Defender Offline: 这是一个扫描和清理工具，可以在系统启动之前运行，以检测和清除可能存在的顽固恶意软件。
安全启动和早期启动反恶意软件 (Early Launch Antimalware, ELAM): 安全启动确保只有受信任的代码才能在系统启动时运行，而ELAM允许反恶意软件程序在系统加载其他程序之前运行，从而提供更早的恶意软件防护。
Windows Defender Exploit Guard 的网络保护: 这是一个强大的功能，可以阻止潜在的恶意软件利用漏洞在网络中传播。
安全启动: 安全启动是UEFI（统一可扩展固件接口）的一部分，它确保从启动到操作系统加载的整个过程都是安全的。它防止恶意软件或未经授权的代码在启动过程中执行。
Windows Defender Application Guard (WDAG) for Office: 这个功能提供了对Office应用程序的额外保护，通过在隔离的容器中运行Office应用程序，防止潜在的恶意代码执行。
Windows Defender System Guard: 这个功能使用硬件级别的安全功能，如Intel SGX（软件保护扩展），来进一步保护关键系统组件和进程。
基于硬件的安全模块: 一些现代计算机配备了基于硬件的安全模块，如Intel SGX或AMD SEV（安全加密虚拟机），这些模块提供了额外的安全层，保护敏感数据和代码免受攻击。
Windows Defender Hypervisor Protection: 这个功能通过隔离和管理虚拟机来增强安全性，防止潜在的攻击。
Microsoft Defender for Cloud: 对于企业用户，Microsoft提供了Defender for Cloud，这是一个云安全平台，可以帮助管理和保护跨云和本地的工作负载。
Microsoft Defender for Identity: 这个功能提供了对身份和访问管理的保护，通过检测和响应针对用户身份的威胁，减少身份盗窃和滥用的风险。
用户账户控制 (UAC): UAC通过限制应用程序和管理员权限的滥用，帮助减少恶意软件对系统的潜在损害。
Windows Defender SmartScreen: 在Edge浏览器中，SmartScreen会检查网站和下载内容的信誉，帮助用户避免恶意软件或钓鱼网站。
Windows Defender Antivirus: 这是Windows内置的防病毒软件，它提供实时保护，检测并清除恶意软件。
Windows Defender Antivirus 云服务: Windows Defender Antivirus能够利用Microsoft的云服务进行实时分析和威胁情报更新，从而更有效地检测和防御新出现的恶意软件。
Windows Subsystem for Linux 2 (WSL 2): 虽然WSL 2允许在Windows上运行Linux分发版，但它也提供了额外的安全层。WSL 2使用独立的Linux内核，与Windows内核隔离，从而减少了潜在的攻击面。
Windows Defender Credential Guard: 这个功能通过隔离和保护凭据，如密码和Kerberos票据，来减少凭据窃取攻击的风险。
Microsoft Defender SmartScreen 网络钓鱼防护: 在Outlook和其他Office应用程序中，SmartScreen可以检测并警告用户关于潜在的网络钓鱼邮件和链接。
Windows Defender Application Guard (WDAG) for Browser: 除了Office应用程序，WDAG也可以为Microsoft Edge浏览器提供隔离的、安全的浏览环境，以防止恶意软件感染。
Windows Defender Exploit Guard 的攻击面减少规则: 通过限制应用程序的行为，这些规则可以减少针对已知漏洞的攻击面。
Microsoft Defender for Office 365: 这是一个针对Office 365用户的云安全解决方案，提供了高级威胁防护、数据保护和合规性功能。
Microsoft Defender for IoT: 对于物联网设备，Microsoft提供了专门的安全解决方案，帮助保护这些设备免受攻击，并确保它们符合安全标准。
Windows Information Protection (WIP) 的应用扩展: WIP允许企业定义哪些应用可以访问受保护的企业数据，从而控制数据的流动和访问。
Windows Update for Business 和 Windows Server Update Services (WSUS): 这些服务允许企业更好地管理和控制Windows更新的部署，确保系统的安全性和稳定性。
Windows Defender ATP (Advanced Threat Protection): 这是一个高级威胁防护平台，提供了实时检测和响应功能，帮助组织预防、检测和应对高级威胁。
Windows Hello for Business 多因素身份验证: 除了生物识别技术外，Windows Hello for Business还支持使用PIN码、智能卡或手机等多种身份验证方式，确保用户身份的准确性和安全性。
Azure Active Directory 集成: Windows可以与Azure Active Directory无缝集成，提供云端的身份和访问管理解决方案，包括单点登录、条件访问和身份保护等功能。
Windows Defender ATP 的威胁和漏洞管理: 通过集成威胁情报和漏洞管理功能，Windows Defender ATP可以帮助组织及时发现和应对潜在的威胁，并提供关于已知漏洞的情报和建议。
Windows Defender ATP 的自动化调查和响应: 该功能利用机器学习和人工智能技术，能够自动调查安全事件并采取相应的响应措施，减少手动干预的需求，提高安全运营效率。
Windows Defender Exploit Guard 的攻击面减少规则: 这些规则通过限制应用程序的行为和防止恶意软件利用漏洞，进一步减少系统的攻击面，提高系统的安全性。
Windows Defender Application Guard (WDAG) 的隔离环境: WDAG通过创建一个隔离的、安全的容器环境，保护用户在不受信任的网络上浏览或运行应用程序时的安全。
Windows Defender Credential Guard 的凭据隔离: 该功能通过将凭据隔离在受保护的容器中，防止凭据窃取攻击，保护用户的登录凭据和敏感信息。
Windows Defender System Guard 的硬件安全模块: 通过利用硬件级别的安全功能，如Intel SGX或AMD SEV，Windows Defender System Guard为关键系统组件和进程提供额外的保护。
Windows Defender 防火墙: 这是一个强大的网络防火墙，可以帮助阻止未经授权的网络访问和通信，保护系统免受网络攻击。
Windows 安全中心: 这是一个集中的安全管理和控制面板，用户可以查看和管理各种安全设置、更新和警报，以便更好地监控和保护其系统。
BitLocker 驱动器加密: BitLocker是一种全磁盘加密功能，它可以帮助保护存储在Windows操作系统上的数据。通过加密整个硬盘驱动器或特定卷，BitLocker可以防止未经授权的访问和数据泄露。
安全启动和早期启动反恶意软件: 安全启动是UEFI（统一可扩展固件接口）的一个功能，确保在操作系统加载之前，系统软件和引导加载程序是可信的。结合早期启动反恶意软件功能，可以在系统启动过程中尽早检测和阻止恶意软件的执行。
受信任的平台模块 (TPM): TPM是一种硬件安全模块，它提供了一套标准的安全功能，如密钥存储、身份验证和加密。TPM可以帮助保护存储在其中的密钥和凭据，并确保系统的完整性和可信度。
Windows Defender Application Control (WDAC): WDAC允许管理员定义应用程序白名单，只允许已知和受信任的应用程序在系统中运行。这有助于防止恶意软件或未知应用程序的执行。
Windows Defender Exploit Guard 的网络保护: 网络保护是Windows Defender Exploit Guard的一个组件，它可以监控和过滤网络流量，防止潜在的恶意软件通过网络进行传播或执行攻击。
Windows Defender Antivirus 的云交付保护: Windows Defender Antivirus利用云交付保护技术，从Microsoft的云服务中获取最新的威胁情报和病毒定义，从而提供更快速和有效的恶意软件检测和清除。
Windows Defender ATP 的攻击模拟训练: 攻击模拟训练功能允许组织模拟真实世界中的网络攻击，以测试其安全策略和响应能力。这有助于发现潜在的安全漏洞，并改进组织的防御策略。
Windows Subsystem for Linux (WSL) 的安全隔离: WSL允许在Windows上运行Linux分发版，但它在虚拟机中隔离Linux环境，与Windows内核分开。这种隔离提供了额外的安全层，减少了潜在的安全风险。
Microsoft Defender for Cloud Apps: 这是一个云访问安全代理（CASB）解决方案，它帮助组织保护其数据，无论这些数据位于何处或如何被访问。它可以识别潜在的风险行为，并提供数据泄露防护、威胁检测和响应等功能。
Windows Defender SmartScreen: 此功能在Windows 10及更高版本中提供，它可以帮助防止用户下载或运行恶意软件、潜在不需要的应用程序或可能有害的文件。
Windows 10的安全中心: Windows 10的安全中心是一个集中的安全仪表板，它提供了关于设备安全状态的信息，并允许用户管理安全设置、查看安全警报以及执行其他与安全相关的任务。
Windows Defender Exploit Guard 的控制流保护: 控制流保护是Windows Defender Exploit Guard的一个组件，它可以帮助防止恶意软件利用某些漏洞执行恶意代码。
Windows Defender Antivirus 的实时保护: Windows Defender Antivirus实时监控文件和网络活动，以检测和阻止恶意软件的安装和运行。
Windows 10的凭据守卫: 这是一个安全功能，旨在保护用户的登录凭据，防止凭据被窃取或滥用。
Windows 10的数据执行防止 (DEP): DEP是一种硬件和软件技术，它可以帮助防止恶意代码在内存中执行。
Windows 10的地址空间布局随机化 (ASLR): ASLR通过随机化内存地址布局，使得攻击者更难预测和利用软件中的漏洞。
Windows 10的受控文件夹访问: 这是一个安全功能，可以限制应用程序对特定文件夹的访问，从而减少恶意软件感染的风险。
Windows Defender Application Guard (WDAG) 的浏览器隔离: WDAG可以创建一个隔离的浏览器环境，以保护用户免受网络钓鱼、恶意软件和其他网络威胁的侵害。

自动启动类别

当你首次启动Autoruns时，系统会将所有自动启动条目显示在“所有内容”选项卡的一个长列表中。如图4-8所示，显示包括最多19个其他选项卡，这些选项卡将完整列表分解为不同的类别。

FIGURE 4-8 Autostart categories are displayed on up to 20 different tabs.

登录logon

此选项卡列出了Windows启动和用户登录时处理的“标准”自动启动条目，并包括应用程序可能最常使用的ASEPs。它们包括注册表中的各种Run和RunOnce键、开始菜单中的启动目录、计算机启动和关闭脚本以及登录和注销脚本。它还列出了初始用户会话进程，如Userinit进程和桌面shell。这些ASEPs包括每个用户和全系统范围的位置，以及为通过组策略进行控制而设计的条目。最后，它列出了Active Setup\Installed Components键，尽管这些键从未公开记录或支持第三方使用，但已被逆向工程用于好的和坏的目的。

以下列出了Autoruns在Windows 10 x64版本的特定实例中检查的登录ASEP位置。

The Startup directory in the “all users” Start menu

%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup

The Startup directory in the user’s Start menu

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

Per-user ASEPs under HKCU\Software

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Per-user ASEPs under HKCU\Software—64-bit only

HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnc

Per-user ASEPs under HKCU\Software intended to be controlled through Group Policy

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff

Systemwide ASEPs in the registry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Active Setup\Installed Components
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\IconServiceLib
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram

Systemwide ASEPs in the registry, intended to be controlled through Group Policy

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logoff
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown

Systemwide ASEPs in the registry—64-bit only

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components

Systemwide ActiveSync ASEPs in the registry

HKLM\Software\Microsoft\Windows CE Services\AutoStartOnConnect
HKLM\Software\Microsoft\Windows CE Services\AutoStartOnDisconnect

Systemwide ActiveSync ASEPs in the registry—64-bit only

HKLM\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect
HKLM\Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect

Explorer

The Explorer tab lists common autostart entries that hook directly into Windows Explorer³ and usually run in-process with Explorer.exe. Again, although most entries are systemwide, there are a number of per-user entries. Key entries on the Explorer tab include the following:

Shell extensions that add context menu items, modify property pages, and control column displays in folder windows
Namespace extensions such as the Desktop, Control Panel, and Recycle Bin, as well as third-party namespace extensions
Pluggable namespace handlers, which handle standard protocols such as http, ftp, and mailto, as well as Microsoft or third-party extensions such as about, mk, and res
Pluggable MIME filters

On 64-bit versions of Windows, in-process components such as DLLs can be loaded only into processes built for the same CPU architecture. For example, shell extensions implemented as 32-bit DLLs can be loaded only into the 32-bit version of Windows Explorer—and 64-bit Windows uses the 64-bit Explorer by default. Therefore, these extensions might not appear to work at all on 64-bit Windows.

The following lists the Explorer ASEP locations that Autoruns inspects on a particular instance of an x64 version of Windows 10.

Per-user ASEPs under HKCU\Software

HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\*\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKCU\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32
HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Directory\Shellex\CopyHookHandlers
HKCU\Software\Classes\Directory\Shellex\DragDropHandlers
HKCU\Software\Classes\Directory\Shellex\PropertySheetHandlers
HKCU\Software\Classes\Drive\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKCU\Software\Classes\Folder\ShellEx\DragDropHandlers
HKCU\Software\Classes\Folder\ShellEx\ExtShellFolderViews
HKCU\Software\Classes\Folder\ShellEx\PropertySheetHandlers
HKCU\Software\Classes\Protocols\Filter
HKCU\Software\Classes\Protocols\Handler
HKCU\Software\Microsoft\Ctf\LangBarAddin
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Systemwide ASEPs in the registry

HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\*\ShellEx\PropertySheetHandlers
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers
HKLM\Software\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Classes\Folder\ShellEx\ExtShellFolderViews
HKLM\Software\Classes\Folder\ShellEx\PropertySheetHandlers
HKLM\Software\Classes\Protocols\Filter
HKLM\Software\Classes\Protocols\Handler


HKLM\Software\Microsoft\Ctf\LangBarAddin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Systemwide ASEPs in the registry—64-bit only

HKLM\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\CopyHookHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Directory\Shellex\PropertySheetHandlers
HKLM\Software\Wow6432Node\Classes\Drive\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Folder\Shellex\ColumnHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\ExtShellFolderViews
HKLM\Software\Wow6432Node\Classes\Folder\ShellEx\PropertySheetHandlers
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Internet Explorer

Internet Explorer is designed for extensibility, with interfaces specifically exposed to enable Explorer bars such as the Favorites and History bars, toolbars, and custom menu items and toolbar buttons. And Browser Helper Objects (BHOs) enable almost limitless possibilities for extending the capabilities and user experiences for Internet Explorer.

However, because so much of users’ computer time is spent in a browser, and because much of the high-value information that users handle (such as passwords and credit card information) goes through the browser, it has become a primary target of attackers. The same programmatic interfaces that enable integration with third-party document readers and instant messaging have also been used by spyware, adware, and other malicious endeavors.

The following lists the Internet Explorer ASEP locations that Autoruns inspects on a particular instance of an x64 version of Windows 10.

Per-user ASEPs under HKCU\Software

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Extensions
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks

Systemwide ASEPs in the registry

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Extensions
HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Per-user and systemwide ASEPs in the registry—64-bit only

HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Scheduled Tasks

The Scheduled Tasks tab displays entries that are configured to be launched by the Windows Task Scheduler. The Task Scheduler allows programs to be launched on a fixed schedule or upon triggering events, such as a user logging on or the computer being idle for a period of time. Commands scheduled with At.exe also appear in the list. The Task Scheduler was greatly enhanced in Windows Vista, so Windows now makes heavy use of it, and the list on the Scheduled Tasks tab will generally be long unless you hide verified Windows entries.

Because tasks can actually be disabled in Windows (unlike Start menu items), clearing the check box next to a scheduled task in Autoruns disables the task rather than copying it to a backup location.⁴

If you select Jump To Entry from the Entry menu for a scheduled task entry, Autoruns displays the Task Scheduler user interface, but it does not try to navigate to the selected entry.

Services

Windows services run in noninteractive, user-mode processes that can be configured to start independently of any user logging on, and that are controlled through a standard interface with the Service Control Manager. Multiple services can be configured to share a single process. A common example of this can be seen in Svchost.exe (Host Process for Windows Services), which is specifically designed to host multiple services implemented in separate DLLs.

Services are configured in the subkeys of HKLM\System\CurrentControlSet\Services. The Start value within each subkey determines whether and how the service starts.

Autoruns’ Services tab lists services that are not disabled, unless they were disabled by Autoruns (indicated by the presence of an AutorunsDisabled value in the service’s registry key). The content for the Description column comes from the text or the resource identified by the Description value in the configuration key. The image path column displays the path to the service executable; for Svchost services, Autoruns displays the path to the target DLL identified by the ServiceDll value in the service’s key or its Parameters subkey. There are cases for some services in some versions of Windows where administrative rights are required to view the Parameters key; in these cases, Autoruns displays the path to Svchost.exe in the image path column.

Be certain you know what you are doing when disabling or deleting services. Missteps can leave your system with degraded performance, unstable, or unbootable. And again, note that disabling or deleting a service does not stop the service if it is already running.

One malware technique to watch for is a service that looks like it’s supposed to be part of Windows but isn’t, such as a file named svchost.exe in the Windows directory instead of in System32. Another technique is to make legitimate services dependent on a malware service; removing or disabling the service without fixing the dependency can result in an unbootable system. Autoruns’ Jump To Entry feature is handy for verifying whether the service’s configuration in the registry includes a DependOnService value that you can inspect for dependencies before making changes.

Drivers

Like services, drivers are also configured in the subkeys of HKLM\System\CurrentControlSet\Services, as well as in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers. Unlike services, drivers run in kernel mode, thus becoming part of the core of the operating system. Most are installed in System32\Drivers and have a .sys file extension. Drivers enable Windows to interact with various types of hardware, including displays, storage, smartcard readers, and human input devices. They are also used to monitor network traffic and file I/O by antivirus software (and by Sysinternals utilities such as Procmon and Procexp!). And, of course, they are also used by malware, particularly rootkits.

As with services, the Drivers tab displays drivers that are not marked as disabled, except those disabled through Autoruns. The Description value comes from the version resource of the driver file, and the image path points to the location of the driver file.

Most blue-screen crashes are caused by an illegal operation performed in kernel mode, and most of those are caused by a bug in a third-party driver. (Less common reasons for blue screens are faulty hardware, the termination of a system-critical process such as Csrss.exe, or an intentional crash triggered through the keyboard driver’s crash functionality, as described in Knowledge Base article 244139: http://support.microsoft.com/kb/244139.)

You can disable or delete a problematic driver with Autoruns. Doing so will usually take effect after a reboot. As with services, be absolutely certain you know what you are doing when disabling or deleting the configuration of drivers. Many are critical to the operating system, and any misconfiguration might prevent Windows from working at all.

Codecs

The Codecs category lists executable code that can be loaded by media playback applications. Buggy or misconfigured codecs have been known to cause system slowdowns and other problems, and these ASEPs have also been abused by malware. The following lists the keys that are shown on the Codecs tab.

Keys inspected under both HKLM and HKCU

\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
\Software\Classes\Filter
\Software\Microsoft\Windows NT\CurrentVersion\Drivers32

Keys inspected under both HKLM and HKCU on 64-bit Windows

\Software\Wow6432Node\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
\Software\Wow6432Node\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
\Software\Wow6432Node\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance
\Software\Wow6432Node\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

Boot Execute

The Boot Execute tab shows you Windows native-mode executables that are started by the Session Manager (Smss.exe) during system boot. BootExecute typically includes tasks, such as hard-drive verification and repair (Autochk.exe), that cannot be performed while Windows is running. The Execute, S0InitialCommand, and SetupExecute entries should never be populated after Windows has been installed. The following lists the keys that are displayed on the Boot Execute tab.

Keys that are displayed on the Boot Execute tab

HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\System\CurrentControlSet\Control\Session Manager\Execute
HKLM\System\CurrentControlSet\Control\Session Manager\S0InitialCommand
HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute

Image hijacks

Image hijacks is the term I use for ASEPs that run a different program from the one you specify and expect to be running. The Image Hijacks tab displays four types of these redirections:

exefile Changes to the association of the .exe or .cmd file types with an executable command. The file-association user interfaces in Windows have never exposed a way to change the association of the .exe or .cmd file types, but they can be changed in the registry. Note that there are per-user and systemwide versions of these ASEPs.
htmlfile Changes to the association of the .htm or .html file types with an executable command. Some malware that hijacks these ASEPs can come into play when you open an HTML file. Verify that the executable command is a legitimate browser.
Command Processor\Autorun A command line that is executed whenever a new Cmd.exe instance is launched. The command runs within the context of the new Cmd.exe instance. There is a per-user and systemwide variant, as well as a separate version for the 32-bit Cmd.exe on 64-bit Windows.
Image File Execution Options (IFEO) Subkeys of this registry location (and its echo in the 64-bit versions of Windows) are used for a number of internal and undocumented purposes. One purpose for IFEO subkeys that has been documented is the ability to specify an alternate program to start whenever a particular application is launched. By creating a subkey named for the file name of the original program and a “Debugger” value within that key that specifies an executable path to an alternate program, the alternate program is started instead and receives the original program path and command line on its command line. The original purpose of this mechanism was for the alternate program to be a debugger and for the new process to be started by that debugger, rather than having a debugger attach to the process later, after its startup code had already run. However, there is no requirement that the alternate program actually be a debugger, nor that it even look at the command line passed to it. In fact, this mechanism is how Process Explorer (described in Chapter 3) replaces Task Manager.

The following list shows the registry keys corresponding to these ASEPS that are shown on the Image Hijacks tab.

Registry locations inspected for EXE file hijacks

HKCU\Software\Classes\Exefile\Shell\Open\Command\(Default)
HKCU\Software\Classes\.exe
HKCU\Software\Classes\.cmd
HKLM\Software\Classes\Exefile\Shell\Open\Command\(Default)
HKLM\Software\Classes\.exe
HKLM\Software\Classes\.cmd

Registry locations inspected for htmlfile hijacks

HKCU\Software\Classes\Htmlfile\Shell\Open\Command\(Default)
HKLM\Software\Classes\Htmlfile\Shell\Open\Command\(Default)

Command processor autorun keys

HKCU\Software\Microsoft\Command Processor\Autorun
HKLM\Software\Microsoft\Command Processor\Autorun
HKLM\Software\Wow6432Node\Microsoft\Command Processor\Autorun

Keys inspected for Image File Execution Options hijacks

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

AppInit

The idea behind AppInit DLLs surely seemed like a good idea to the software engineers who incorporated it into Windows NT 3.1. Specify one or more DLLs in the Appinit_Dlls registry key, and those DLLs will be loaded into every process that loads User32.dll (that is, virtually all user-mode Windows processes). Well, what could go wrong with that?

The AppInit DLLs are loaded into the process during User32’s initialization—that is, while its DllMain function is executing. Developers are explicitly told not to load other DLLs within a DllMain. It can lead to deadlocks and out-of-order loads, which can lead to application crashes. And yet here, the AppInit DLL “feature” does exactly that. And yes, that has led to deadlock and application crashes.⁵
A DLL that automatically gets loaded into every process on the computer sounds like a winner if you are writing malware. Although AppInit has been used in legitimate (but misguided) software, it is frequently used by malware.

Because of these problems, AppInit DLLs are deprecated and disabled by default in Windows Vista and newer. For purposes of backward compatibility, it is possible to re-enable AppInit DLL functionality, but doing so is strongly discouraged. To ensure that AppInit DLLs have not been re-enabled, verify that the LoadAppInit_DLLs DWORD value is 0 in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows and in HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows.

Registry values inspected for AppInit Entries

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls

KnownDLLs

KnownDLLs helps improve system performance by ensuring that all Windows processes use the same version of certain DLLs, rather than choose their own from various file locations. During startup, the Session Manager maps the DLLs listed in HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls into memory as named section objects. When a new process is loaded and needs to map these DLLs, it uses the existing sections rather than searching the file system for another version of the DLL.

The Autoruns KnownDLLs tab should contain only verifiable Windows DLLs. On 64-bit versions of Windows, the KnownDLLs tab lists one ASEP, but file entries are duplicated for both 32-bit and 64-bit versions of the DLLs, in directories specified by the DllDirectory and DllDirectory32 values in the registry key. Note that the Windows-On-Windows-64 (WOW64) support DLLs are present only in the System32 directory and Autoruns will report “file not found” for the corresponding SysWOW64 directory entries. This is normal.

To verify that malware hasn’t deleted an entry from this key so that it can load its own version of a system DLL, save the Autoruns results from the suspect system and compare it against the results from a known-good instance of the same operating system. See the “Saving and comparing results” section later in this chapter for more information.

Winlogon

The Winlogon tab displays entries that hook into Winlogon.exe, which manages the Windows interactive-logon user interface. Introduced in Windows Vista, the Credential Provider interface manages the user authentication interface. Today, Windows includes many credential providers that handle password, PIN, picture-password, smartcard, and biometric logon. Most of these are shown only if you disable the Hide Windows Entry option. Third parties can supply credential providers that further customize interactive user logons.

The Winlogon tab also includes the user’s configured screen saver, which is started by Winlogon.exe after inactivity, and registered Group Policy client-side extensions (CSEs), which are DLLs that the Group Policy engine loads. The Group Policy engine used to run in the Winlogon process, but now it runs in the Group Policy Client service.

The following list specifies the registry keys that are shown on the Winlogon tab.

Per-user specification of the screen saver

HKCU\Control Panel\Desktop\Scrnsave.exe

Per-user specification of the screen saver, controlled by Group Policy

HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe

Group Policy Client-Side Extensions (CSEs)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Credential provider ASEPs

HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers

Systemwide identification of a program to verify successful boot

HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath

ASEP for custom setup and deployment tasks

HKLM\System\Setup\CmdLine

Winsock providers

Windows Sockets (Winsock) is an extensible API on Windows because third parties can add a transport service provider that interfaces Winsock with other protocols or layers on top of existing protocols to provide functionality such as proxying. Third parties can also add a namespace service provider to augment Winsock’s name-resolution facilities. Service providers plug into Winsock by using the Winsock service provider interface (SPI). When a transport service provider is registered with Winsock, Winsock uses the transport service provider to implement socket functions, such as connect and accept, for the address types that the provider indicates it implements. There are no restrictions on how the transport service provider implements the functions, but the implementation usually involves communicating with a transport driver in kernel mode.

The Winsock tab lists the providers registered on the system, including those that are built into Windows. You can hide the latter group by enabling Hide Windows Entries and Verify Code Signatures to focus on the entries that are more likely to be causing problems.

Keys inspected for Winsock Provider Entries

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64

Print monitors

The entries listed on the Print Monitors tab are DLLs that are configured in the subkeys of HKLM\System\CurrentControlSet\Control\Print\Monitors. These DLLs are loaded into the Spooler service, which runs as Local System.

LSA providers

This category of autostarts comprises packages that define or extend user authentication for Windows, via the Local Security Authority (LSA). Unless you have installed third-party authentication packages or password filters, this list should contain only Windows-verifiable entries. The DLLs listed in these entries are loaded by Lsass.exe or Winlogon.exe and run as Local System.

The SecurityProviders ASEP that is also shown on this tab lists registered cryptographic providers. DLLs listed in this ASEP get loaded into many privileged and standard user processes, so this ASEP has been targeted as a malware persistence vector. (This ASEP isn’t truly related to the LSA, except that, like the LSA, it represents security-related functionality.)

Keys inspected for Authentication Providers

HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages
HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages
HKLM\System\CurrentControlSet\Control\Lsa\Security Packages
HKLM\System\CurrentControlSet\Control\Lsa\OSConfig\Security Packages

Keys inspected for Registered Cryptographic Providers

HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders

Network providers

The Network Providers tab lists the installed providers handling network communication, which are configured in HKLM\System\CurrentControlSet\Control\NetworkProvider\Order. On a Windows desktop operating system, for example, this tab includes the default providers that provide access to SMB (file and print) servers, Microsoft RDP (Terminal Services/Remote Desktop) servers, and access to WebDAV servers. Additional providers are often visible in this list if you have a more heterogeneous network or additional types of servers that Windows needs to connect to. All entries in this list should be verifiable.

WMI

The WMI tab lists registered WMI event consumers that can be configured to run arbitrary scripts or command lines when a particular event occurs. When you select an entry on the WMI tab, the lower panel reports information about the target file, the event consumer’s full command line, and the condition, such as a WQL query, that will trigger the event consumer to execute.

When you disable a WMI entry, Autoruns replaces the entry with a clone that has the same name but with “_disabled” appended. This breaks the binding to the event filter so that it won’t execute. By re-enabling, the original name and the event binding is reestablished.

These events and bindings are stored in the WMI repository in the ROOT\subscription namespace.

Sidebar gadgets

On Windows Vista and Windows 7, this tab lists the Sidebar Gadgets (called “Desktop Gadgets” on Windows 7) that are configured to appear on the user’s desktop. Although gadget software is often (but not always) installed in a systemwide location such as %ProgramFiles%, the configuration of which gadgets to run is in %LOCALAPPDATA%\Microsoft\Windows Sidebar\Settings.ini, which is per-user and nonroaming. Disabling or deleting gadgets with Autoruns manipulates entries in the Settings.ini file.

The image path usually points to an XML file. The gadgets that shipped with Windows Vista and Windows 7 are catalog signed and can be verified. Gadgets were discontinued after Windows 7.

Office

The Office tab lists add-ins and plug-ins registered to hook into documented interfaces for Access, Excel, Outlook, PowerPoint, and Word. On 64-bit Windows, Office add-ins can be registered to run in 32-bit or 64-bit Office versions. 32-bit add-ins are registered in Wow6432Node subkeys on 64-bit Windows.

Keys inspected under both HKLM and HKCU

\Software\Microsoft\Office\Access\Addins
\Software\Microsoft\Office\Excel\Addins
\Software\Microsoft\Office\Outlook\Addins
\Software\Microsoft\Office\PowerPoint\Addins
\Software\Microsoft\Office\Word\Addins

Keys inspected under both HKLM and HKCU on 64-bit Windows

\Software\Wow6432Node\Microsoft\Office\Access\Addins
\Software\Wow6432Node\Microsoft\Office\Excel\Addins
\Software\Wow6432Node\Microsoft\Office\Outlook\Addins
\Software\Wow6432Node\Microsoft\Office\PowerPoint\Addins
\Software\Wow6432Node\Microsoft\Office\Word\Addins

ASEPs list

Software hive

Microsoft\Windows\CurrentVersion\Run,
Microsoft\Windows\CurrentVersion\RunOnce,
Microsoft\Windows\CurrentVersion\RunServices,
Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,
Wow6432Node\Microsoft\Windows\CurrentVersion\Run,
Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce,
Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,
Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run,
Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce

NTUSER.DAT hives

Software\Microsoft\Windows\CurrentVersion\Run,
Software\Microsoft\Windows\CurrentVersion\RunOnce,
Software\Microsoft\Windows\CurrentVersion\RunServices,
Software\Microsoft\Windows\CurrentVersion\RunServicesOnce,
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,
Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run,
Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce,
Software\Microsoft\Windows NT\CurrentVersion\Run,
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Winlogon & AppInit

Microsoft\Windows NT\CurrentVersion\Winlogon (value AppInit_DLLs)
Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Microsoft\Windows NT\CurrentVersion\Winlogon\TaskMan
Microsoft\Windows NT\CurrentVersion\Winlogon\System

Services

CurrentControlSet\Services

Scheduled Tasks

C:\Windows\System32\Tasks\ (Windows Vista and onwards only)

Active Setup

Microsoft\Active Setup\Installed Components

Microsoft Fix-it

Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB

Autopsy plugin that scans the Auto-Start Extensibility Points (ASEPs) and list out the potential persistences

Current Capabilities

System Registry Run keys
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnceEx
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
- HKLM/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run
- HKLM/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/RunOnce
- HKLM/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/Run
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunOnce
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunOnceEx
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/User Shell Folders, 'Startup'
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders, 'Startup'
- HKLM/SYSTEM/Control/SafeBoot, 'AlternateShell'
- HKLM/SYSTEM/Control/Terminal Server/wds/rdpwd, 'StartupPrograms'
- HKLM/SYSTEM/Control/Terminal Server/WinStations/RDP-Tcp, 'InitialProgram'
User Registry Run Keys
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServicesOnce
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/Run
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunOnce
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunOnceEx
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Run
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/Load
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/Run
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/Shell
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/Shell
- HKCU/SOFTWARE/Policies/Microsoft/Windows/System/Scripts/Logon
- HKCU/SOFTWARE/Policies/Microsoft/Windows/System/Scripts/Logoff
- HKCU/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
- HKCU/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run
- HKCU/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/RunOnce
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/User Shell Folders, 'Startup'
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders, 'Startup'
WinLogon
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'TaskMan'
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'Shell'
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'Userinit'
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'Notify'
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'System'
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'VmApplet'
Services
- HKLM/SYSTEM/ControlSet*/Services/*
Active Setup
- HKLM/SOFTWARE/Microsoft/Active Setup/Installed Components/*
Scheduled Tasks
- C:/Windows/System32/Tasks
Startup Program
- %APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup
- %ALLUSERSPROFILE%/Microsoft/Windows/Start Menu/Programs/Startup

gpedit.msc 中设置启动和关机脚本时，可以通过以下步骤实现：打开 gpedit.msc（本地组策略编辑器）。转到 "计算机配置" 或 "用户配置" 下的 "Windows 设置"。在 "Windows 设置" 下，选择 "脚本 (启动/关机)"。在 "脚本 (启动/关机)" 下，您可以配置启动脚本和关机脚本。双击 "启动" 或 "关机" 脚本，然后添加需要运行的脚本文件的路径。保存设置并关闭本地组策略编辑器

打开注册表编辑器（regedit）：按下 Win + R 组合键打开运行对话框，输入 "regedit" 并按 Enter 键打开注册表编辑器。

转到以下注册表路径：

对于启动脚本：

Copy Code

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

对于关机脚本：

Copy Code

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

在相应的路径下，右键单击空白处，选择 "新建" -> "字符串值"。
为新字符串值命名，例如 "StartupScript"（启动脚本）或 "ShutdownScript"（关机脚本）。
右键单击新创建的字符串值，选择 "修改"，并在数值数据字段中输入需要运行的脚本文件的路径。

Autopsy Autoruns Plugin

Overall Idea

Autopsy plugin that scans the Auto-Start Extensibility Points (ASEPs) and list out the potential persistences

Current Capabilities

System Registry Run keys
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnceEx
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
- HKLM/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run
- HKLM/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/RunOnce
- HKLM/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/Run
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunOnce
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunOnceEx
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/User Shell Folders, 'Startup'
- HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders, 'Startup'
- HKLM/SYSTEM/Control/SafeBoot, 'AlternateShell'
- HKLM/SYSTEM/Control/Terminal Server/wds/rdpwd, 'StartupPrograms'
- HKLM/SYSTEM/Control/Terminal Server/WinStations/RDP-Tcp, 'InitialProgram'
User Registry Run Keys
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServices
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/RunServicesOnce
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/Run
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunOnce
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunOnceEx
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Run
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/Load
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/Run
- HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/Shell
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/Shell
- HKCU/SOFTWARE/Policies/Microsoft/Windows/System/Scripts/Logon
- HKCU/SOFTWARE/Policies/Microsoft/Windows/System/Scripts/Logoff
- HKCU/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
- HKCU/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/Run
- HKCU/SOFTWARE/WOW6432Node/Microsoft/Windows/CurrentVersion/RunOnce
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/User Shell Folders, 'Startup'
- HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders, 'Startup'
WinLogon
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'TaskMan'
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'Shell'
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'Userinit'
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'Notify'
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'System'
- HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon, 'VmApplet'
Services
- HKLM/SYSTEM/ControlSet*/Services/*
Active Setup
- HKLM/SOFTWARE/Microsoft/Active Setup/Installed Components/*
Scheduled Tasks
- C:/Windows/System32/Tasks
Startup Program
- %APPDATA%/Microsoft/Windows/Start Menu/Programs/Startup
- %ALLUSERSPROFILE%/Microsoft/Windows/Start Menu/Programs/Startup

ASEPs list

Software hive

Microsoft\Windows\CurrentVersion\Run,
Microsoft\Windows\CurrentVersion\RunOnce,
Microsoft\Windows\CurrentVersion\RunServices,
Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,
Wow6432Node\Microsoft\Windows\CurrentVersion\Run,
Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce,
Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,
Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run,
Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce

NTUSER.DAT hives

Software\Microsoft\Windows\CurrentVersion\Run,
Software\Microsoft\Windows\CurrentVersion\RunOnce,
Software\Microsoft\Windows\CurrentVersion\RunServices,
Software\Microsoft\Windows\CurrentVersion\RunServicesOnce,
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,
Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run,
Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce,
Software\Microsoft\Windows NT\CurrentVersion\Run,
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,
Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

Winlogon & AppInit

Microsoft\Windows NT\CurrentVersion\Winlogon (value AppInit_DLLs)
Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Microsoft\Windows NT\CurrentVersion\Winlogon\TaskMan
Microsoft\Windows NT\CurrentVersion\Winlogon\System

Services

CurrentControlSet\Services

Scheduled Tasks

C:\Windows\System32\Tasks\ (Windows Vista and onwards only)

Active Setup

Microsoft\Active Setup\Installed Components

Microsoft Fix-it

Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Other sub-techniques of Boot or Logon Autostart Execution (14)

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.^[1] These programs will be executed under the context of the user and will have the account's associated permissions level.

The following run keys are created by default on Windows systems:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Run keys may exist under multiple hives.^[2]^[3] The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.^[1] For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" ^[4]

Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.

The following Registry keys can be used to set startup folder items for persistence:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

The following Registry keys can control automatic startup of services during boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run automatically for the currently logged-on user.

By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, AltStartup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, AltStartup

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
HKCU\Software\Microsoft\Internet Explorer\Extensions
HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt

Extended Startup

User Logon
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\AlternateShell
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows\CurrentVersion\policies\system\Shell
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\Stubpath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnConnect
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnDisconnect

Explorer Extensions
HKEY_MACHINE_AND_USER\Software\Classes\Protocols\Filter
HKEY_MACHINE_AND_USER\Software\Classes\Protocols\Handler
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\Source
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Directory\ShellEx\CopyHookHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Directory\ShellEx\DragDropHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Directory\ShellEx\PropertySheetHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Folder\ShellEx\ColumnHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Folder\ShellEx\ExtShellFolderViews
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Folder\ShellEx\PropertySheetHandlers
HKEY_MACHINE_AND_USER\Software\Microsoft\Ctf\LangBarAddin
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

Explorer Context Menu
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers

Audio Video Codecs
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
HKEY_MACHINE_AND_USER\Software\Classes\Filter
HKEY_MACHINE_AND_USER\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKEY_MACHINE_AND_USER\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
HKEY_MACHINE_AND_USER\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKEY_MACHINE_AND_USER\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance

Execute on Boot
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SetupExecute
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Execute
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\S0InitialCommand
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceControlManagerExtension

Execution Hijacks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Debugger
HKEY_MACHINE_AND_USER\Software\Microsoft\Command Processor\Autorun
HKEY_MACHINE_AND_USER\Software\Classes\exefile\Shell\Open\Command
HKEY_MACHINE_AND_USER\Software\Classes\comfile\Shell\Open\Command
HKEY_MACHINE_AND_USER\Software\Classes\batfile\Shell\Open\Command
HKEY_MACHINE_AND_USER\Software\Classes\piffile\Shell\Open\Command
HKEY_MACHINE_AND_USER\Software\Classes\cmdfile\Shell\Open\Command
HKEY_MACHINE_AND_USER\Software\Classes\.exe
HKEY_MACHINE_AND_USER\Software\Classes\.com
HKEY_MACHINE_AND_USER\Software\Classes\.bat
HKEY_MACHINE_AND_USER\Software\Classes\.pif
HKEY_MACHINE_AND_USER\Software\Classes\.cmd
HKEY_MACHINE_AND_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW\cmdline
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW\wowcmdline
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger

Application Initialization
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions\RemoteRpcDll

Known DLLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDlls

Winlogon Notifications
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ServiceControllerStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LsaStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DllName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SaveDumpStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
HKEY_CURRENT_USER\Control Panel\Desktop\Scrnsave.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BITS\IGDSearcherDLL

Winsock Service Providers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64

Print Drivers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\Driver

Local Security Authority
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Authentication Packages
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Notification Packages
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Security Packages

Network Providers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

HKCU\Software\bkfouerioyou, HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}.,
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}.HKCU\Software\dnimtsoleht\StubPath,
HKCU\Software\snimtsOleht\StubPath,
HKCU\Software\Backtsaleht\StubPath,
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7},
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}。
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

基于Windows自动启动扩展点的特征与检测

Windows自动启动扩展点在内存取证中的应用

摘要：本文深入研究了Windows操作系统中的自动启动扩展点（ASEPs），并提出了一种新的分类法，将其分为系统持久性机制、程序加载器滥用、应用程序滥用和系统行为滥用四大类。同时，还详细阐述了各类ASEP的特点，包括写权限、执行特权、在内存取证中的可检测性以及对系统的新鲜度要求等。此外，本文还介绍了一种名为Winesap的工具，它可以帮助内存取证分析人员检测注册表中的Windows ASEPs。

引言

当计算机安全事件发生时，调查人员需要通过一系列的步骤来找出事件的原因。这个过程被称为事件响应过程，其中包括检测和分析阶段。在这个阶段，计算机和网络取证是非常重要的一步。取证分析包括对受感染系统的硬盘驱动器和内存进行深入的检查，以寻找与事件相关的证据。
内存取证是通过对计算机内存的快照进行分析来获取证据的过程。与传统的基于磁盘的取证相比，内存取证有一些优势，例如可以更快速地获取数据，并且可以在更小的数据集中进行搜索。此外，内存取证还可以用于检测和分析一些在磁盘上可能无法检测到的证据，例如正在运行的进程和网络连接等。
然而，内存取证也有一些挑战，例如数据的易变性和易受攻击性。由于内存中的数据是不断变化的，因此在进行取证分析时需要非常小心，以避免对数据的误操作或篡改。此外，内存取证还需要面对一些来自恶意软件的攻击，例如代码注入和数据隐藏等。
本文的目的是提供一种对Windows ASEPs的分类和特征描述，以便帮助内存取证分析人员更好地理解和检测这些扩展点。同时，本文还介绍了一种名为Winesap的工具，它可以帮助分析人员在内存取证中快速检测Windows ASEPs。

Windows自动启动扩展点的分类

本文提出了一种新的分类法，将Windows ASEPs分为四大类：系统持久性机制、程序加载器滥用、应用程序滥用和系统行为滥用。这种分类法是基于ASEP的特点和用途，与具体的取证分析类型无关。下面将详细介绍这四大类别的内容。

系统持久性机制

系统持久性机制是指由Windows操作系统提供的一些扩展点，这些扩展点可以让程序在系统启动时自动运行。这种机制通常用于启动系统服务、后台任务和计划任务等。下面是一些系统持久性机制的扩展点：

启动项：启动项是指在系统启动时自动运行的程序。这些程序可以在注册表的HKLM和HKCU根键下的特定位置进行配置。与HKCU根键下的启动项不同，HKLM根键下的启动项需要管理员权限才能配置。
服务：服务是指在系统后台运行的程序，它们不需要用户交互，可以在系统启动时自动运行。服务通常用于执行系统任务，如驱动程序、系统服务和网络服务等。在Windows中，服务由Service Control Manager（SCM）管理，SCM负责启动、停止和管理服务。服务的配置信息存储在注册表中，因此可以通过内存取证来获取服务的信息。
计划任务：计划任务是指在特定时间或事件发生时自动运行的程序。这些任务可以由Windows Task Scheduler（WTS）管理，WTS负责监视系统并在特定条件下执行任务。计划任务可以使用XML文件进行配置，这些文件通常存储在%SystemRoot%/System32/Tasks目录中。计划任务的信息也可以在内存中找到，包括任务名称、执行时间、执行的程序等。

程序加载器滥用

程序加载器滥用是指通过滥用Windows程序加载器来实现恶意软件的自动启动。这种滥用可以通过修改系统的注册表来实现，也可以通过创建虚假的程序加载项来实现。下面是一些程序加载器滥用的扩展点：

Image File Execution Options（IFEO）：IFEO是一种Windows特性，它允许开发人员在调试应用程序时直接启动软件调试器。然而，这个特性也可以被滥用，通过创建一个虚假的调试器来实现恶意软件的自动启动。由于IFEO需要管理员权限才能修改，因此这种滥用通常需要管理员权限。
扩展劫持：扩展劫持攻击是指通过修改特定文件扩展名与之相关联的程序来实现。这种攻击会将用户打开这些文件时默认启动的程序更改为其他程序，而这些程序通常是恶意软件。与更改用户级别的设置不同，更改系统级别的设置需要管理员权限。恶意软件可以利用这种技术来实现自动启动，当用户打开特定类型的文件时，就会启动恶意软件。
快捷键操作：快捷键操作攻击是指通过修改系统中的快捷键来实现。这种攻击会将用户按下快捷键时执行的操作更改为启动其他程序。由于这种扩展点基于用户的操作行为，因此需要管理员权限才能进行修改。
COM劫持：COM是一种微软组件对象模型，它允许开发人员创建可以与其他组件进行交互的软件组件。COM劫持攻击是指通过修改COM对象的注册信息来实现，当其他程序使用被劫持的COM对象时，就会加载恶意软件。
Shim数据库：Shim数据库是一种用于在程序执行前对特定二进制文件进行修补的技术。这种技术可以通过修改注册表中的特定项来实现，也可以通过直接修改系统文件来实现。由于这种技术直接修改了系统文件，因此需要管理员权限。与其他基于注册表的扩展点不同， Shim数据库的更改不会立即生效，而是在下次系统启动时生效。

应用程序滥用

应用程序滥用是指通过滥用一些合法的应用程序来实现恶意软件的自动启动。这种滥用通常是通过修改应用程序的配置文件或注册表项来实现的。下面是一些应用程序滥用的扩展点：

木马化的系统二进制文件：木马化的系统二进制文件攻击是指通过修改系统中的合法二进制文件（如DLL文件）来实现。这种攻击会将恶意代码插入到合法的DLL文件中，并更改该文件的入口点，使得当系统或其他应用程序加载该文件时，会执行恶意代码。由于DLL文件通常会被多个进程共享，因此这种攻击可能会影响到整个系统。
Office加载项：Office加载项允许用户扩展Microsoft Office应用程序的功能，并与Office文档进行交互。从Office 2013开始，这些加载项采用了类似于Web应用程序的架构，由静态HTML和符合Office规范的JavaScript代码组成。与以前基于COM和Visual Basic的实现相比，这种新的架构更易于开发和部署。然而，这种新的架构也带来了新的安全风险，因为这些加载项现在可以在浏览器的沙箱环境中运行。这使得恶意软件可以更容易地将自己的代码注入到这些加载项中，并通过Office应用程序来执行。
浏览器辅助对象（BHO）：BHO是一种用于增强Internet Explorer功能的DLL文件。这些DLL文件需要注册到HKLM/Software/Windows/CurrentVersion/Explorer/Browser Helper Objects注册表项中。当Internet Explorer启动时，它会加载所有注册的BHO，并允许这些BHO与浏览器进行交互。由于BHO需要管理员权限才能注册，因此这种扩展点也需要管理员权限才能进行攻击。

系统行为滥用

系统行为滥用是指通过滥用Windows操作系统的一些特性来实现恶意软件的自动启动。这种滥用通常是通过修改系统的注册表或配置文件来实现的。下面是一些系统行为滥用的扩展点：

Winlogon：Winlogon是一个Windows进程，它在用户登录系统时启动，并负责加载用户的配置文件。除了加载用户配置文件外，Winlogon还可以通过注册表项来配置一些行为，例如启动特定的程序。这些注册表项可以在HKLM/Software/Microsoft/Windows NT/CurrentVersion/Winlogon路径下找到。用户可以通过修改这些注册表项的值来更改Winlogon的行为，例如更改默认的登录程序或启动特定的程序。
DLL劫持：DLL劫持攻击是指通过修改Windows的DLL搜索顺序来实现。这种攻击会将一个合法的DLL文件替换成一个恶意的DLL文件，当其他程序需要加载这个DLL文件时，就会加载恶意的DLL文件。由于这种技术需要修改系统的DLL搜索顺序，因此可能会影响到整个系统的稳定性。
AppInit DLLs：AppInit DLLs是一种Windows特性，它允许任何DLL文件在系统启动时加载到每个具有用户界面的应用程序的地址空间中。这个特性可以被滥用，通过将一个恶意的DLL文件加载到系统中，来实现恶意软件的自动启动。与其他基于注册表的扩展点不同，AppInit DLLs不需要管理员权限，并且可以影响到整个系统。
主动安装：主动安装是一种Windows特性，它允许程序在用户登录系统时自动启动。这种技术可以通过在HKLM或HKCU的SOFTWAREMicrosoft/Active Setup/Installed Components注册表项中创建一个新的注册表项来实现。与其他扩展点不同，主动安装可以在系统或用户级别进行配置，并且可以影响到整个系统。

Winesap：一个用于检测Windows自动启动扩展点的工具

本文介绍了一种名为Winesap的工具，它可以帮助内存取证分析人员快速检测Windows ASEPs。Winesap是基于Volatility框架开发的，它可以在内存中查找和分析与自动启动扩展点相关的注册表项和值。
Winesap的工作原理如下：首先，它会获取内存中的所有注册表项和值，并将其与已知的ASEP相关的注册表项和值进行比较。如果找到匹配的项或值，Winesap会将其标记为可疑，并输出相关的信息，如扩展点的名称、位置和值等。此外，Winesap还可以根据用户提供的配置文件来忽略某些特定的扩展点或值，以减少误报率。
为了评估Winesap的性能，我们对其进行了一些实验。我们在一台安装了Windows 7 SP1 64位操作系统的虚拟机上进行了测试，使用了一些常见的恶意软件样本和一些正常的系统文件。我们发现，Winesap可以准确地检测到大多数常见的Windows ASEPs，并将其标记为可疑。然而，我们也发现，Winesap在处理一些复杂的情况时可能会出现一些误报，例如当系统中存在大量的注册表项和值时。
总的来说，Winesap是一种有用的工具，可以帮助内存取证分析人员快速检测Windows ASEPs。然而，由于内存取证本身的复杂性，Winesap并不能保证100%的准确性，因此在使用时需要谨慎。

https://attack.mitre.org/techniques/T1547/001/

posted @ 2024-02-18 08:24 suv789 阅读(90) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

suv789

1. ASEP（Autoruns Entry Points）

2. ASEP (Auto-Start Extensibility Points)

3. ASEP（Automatic Startup Extension Points）

区别总结

小结

ASEP（Auto-Start Extensibility Points）

自动启动扩展点（Automatic Startup Extension Points）

相同点

细微区别

小结

Explorer

Internet Explorer

Scheduled Tasks

Services

Drivers

Codecs

Boot Execute

Image hijacks

AppInit

KnownDLLs

Winlogon

Winsock providers

Print monitors

LSA providers

Network providers

WMI

Sidebar gadgets

Office

ASEPs list

Current Capabilities

Autopsy Autoruns Plugin

Overall Idea

Current Capabilities

ASEPs list

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Other sub-techniques of Boot or Logon Autostart Execution (14)

基于Windows自动启动扩展点的特征与检测

引言

相关工作

Windows自动启动扩展点的分类

系统持久性机制

程序加载器滥用

应用程序滥用

系统行为滥用

Winesap：一个用于检测Windows自动启动扩展点的工具

公告