Explorer tools
Location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer
Classification:
| Criteria | Value |
|---|---|
| Permissions | Admin |
| Security context | User |
| Persistence type | Registry |
| Code type | EXE |
| Launch type | User initiated [1] |
| Impact | Non-destructive |
| OS Version | All OS versions |
| Dependencies | OS only |
| Toolset | Scriptable |
Description:
Looking at the following location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer
we can quickly guess that the subkeys listed underneath refer to a couple of utility tools that Explorer launches on the user's behalf. Exploring them we find that each subkey's (Default) value (an expandable string) holds the command line of the tool:

BackupPath  = %SystemRoot%\system32\sdclt.exe
cleanuppath = %SystemRoot%\System32\cleanmgr.exe /D %c
DefragPath  = %systemroot%\system32\dfrgui.exe

(The %c in cleanuppath is a placeholder that Explorer replaces with the drive letter.) Obviously, replacing these values with your own (read: malware) will end up with the replacement program being executed when the OS decides to kick off the respective activity or, more commonly, when the user triggers it from a drive's Properties dialog (Disk Cleanup on the General tab, Backup and Defragment on the Tools tab). Writing under HKLM requires administrative rights, but the payload runs in the security context of the user who clicked the button, which is what the Permissions and Security context rows above reflect.
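The following PowerShell script is an added audit example, not code from the original page or from the referenced blog post. It enumerates the three subkeys, reads the (Default) value both raw and with environment variables expanded, extracts the executable from the command line, and flags anything that does not resolve to the expected Microsoft-signed binary under System32. The expected file names are taken from the values listed above; everything else (output format, the "SUSPICIOUS" label, the hypothetical C:\Users\Public\payload.exe in the commented-out hijack line) is the example's own assumption.

```powershell
# Added audit example (not part of the original page): check the Explorer
# tool-launcher keys under MyComputer for hijacked (Default) values.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer'

# Expected launcher binaries as shipped by Windows (from the key values above).
$expected = @{
    'BackupPath'  = 'sdclt.exe'
    'cleanuppath' = 'cleanmgr.exe'
    'DefragPath'  = 'dfrgui.exe'
}

$system32 = Join-Path $env:SystemRoot 'System32'

foreach ($sub in $expected.Keys) {
    $keyPath = Join-Path $base $sub
    if (-not (Test-Path $keyPath)) {
        Write-Output ("[MISSING]    {0}" -f $sub)
        continue
    }

    $key = Get-Item -Path $keyPath
    # Read the (Default) value without expansion so we see exactly what is stored,
    # then expand it the way Explorer will at launch time.
    $raw      = $key.GetValue('', '', 'DoNotExpandEnvironmentNames')
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)

    # Take the executable token, honouring a quoted path; drop "/D %c" and similar args.
    if ($expanded -match '^"([^"]+)"') { $exe = $Matches[1] }
    else                                { $exe = ($expanded -split '\s+')[0] }

    $inSystem32 = $exe.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
    $nameOk     = [IO.Path]::GetFileName($exe) -ieq $expected[$sub]
    $sigStatus  = if (Test-Path -LiteralPath $exe) {
                      (Get-AuthenticodeSignature -FilePath $exe).Status
                  } else { 'FileMissing' }

    $verdict = if ($inSystem32 -and $nameOk -and $sigStatus -eq 'Valid') { 'OK' } else { 'SUSPICIOUS' }
    Write-Output ("[{0,-10}] {1,-12} raw='{2}' exe='{3}' sig={4}" -f $verdict, $sub, $raw, $exe, $sigStatus)
}

# For reference, the hijack the page describes is a single (Default) write under HKLM
# (requires admin). Hypothetical path, shown commented out on purpose:
# Set-ItemProperty -Path "$base\DefragPath" -Name '(default)' -Value 'C:\Users\Public\payload.exe'
# Restore the shipped value afterwards:
# Set-ItemProperty -Path "$base\DefragPath" -Name '(default)' -Value '%systemroot%\system32\dfrgui.exe'
```

Run it from an elevated or a standard prompt; reading HKLM needs no special rights, so the check is safe to schedule as a periodic baseline. The signature check is deliberately done on the expanded path, because a modified value will often keep the %SystemRoot% prefix and only swap the file name or point at a writable directory.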
References:
https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/
Credits:
See also:
Remarks:
[1] Requires launching a tool like "Disk Cleanup" etc.