NT Gatekeeper: Discovering Code That Automatically Runs at Boot or Logon Time

Intruders often download malicious code to a target machine, then exploit a Windows feature to automatically run the intruder's code when the system boots or a user logs on. Where does Windows NT store files that the OS automatically executes at boot time or at logon time?

Windows stores programs that automatically run at boot time in several places. The most obvious location is the Windows Start menu's Startup folders. The Start menu shows two Startup folders: one that NT stores in the user profile that the user can configure (i.e., the user startup folder) and another one NT stores in the All Users profile that applies to all users that log on to a particular machine (i.e., the common startup folder).

Also, the Windows registry stores several containers that can hold programs that will automatically run at boot time. Check out the Run, RunOnce, and RunOnceEx containers in both the machine- and user-specific registry areas. The user-specific containers are under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion registry subkey. The machine-specific containers are under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion registry subkey.

Don't forget about the classic DOS and Windows OS file content that an intruder can automatically execute at boot time. Look for an autoexec.bat file in %systemdrive% and a win.ini file in %systemroot%. User logon scripts are another target for adding content that an intruder can automatically execute. Finally, consider disabling the Scheduler service on machines on which the service is rarely or never used.
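The checklist in the three paragraphs above, turned into an audit script. This is an added example, not code from the column: it enumerates the two Startup folders, the Run, RunOnce and RunOnceEx containers under both the machine and user CurrentVersion subkeys, and the legacy autoexec.bat and win.ini files, and prints whatever it finds so the list can be compared with a known-good baseline. It assumes a modern Windows host with PowerShell 5.1 or later and an administrative session (needed to read the HKLM keys and every profile's Startup folder); the `Add-Finding` helper and the `$findings` list are this example's own names.

```powershell
# Added example (not from the original column): enumerate the autostart
# locations the column lists and report whatever is configured there.
# Assumes PowerShell 5.1+ and an administrative session.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Location, [string]$Name, [string]$Value)
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Value = $Value })
}

# 1. Startup folders: the per-user folder and the common (All Users) folder.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($folder in $startupFolders) {
    if (Test-Path $folder) {
        Get-ChildItem -Path $folder -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding $folder $_.Name $_.FullName }
    }
}

# 2. Run / RunOnce / RunOnceEx containers, machine-wide and for the current user.
$hives = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion')
foreach ($hive in $hives) {
    foreach ($container in 'Run', 'RunOnce', 'RunOnceEx') {
        $key = Join-Path $hive $container
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $props) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties PowerShell adds.
            $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { Add-Finding $key $_.Name ([string]$_.Value) }
        }
        # RunOnceEx keeps its commands in numbered subkeys rather than in values
        # of the container itself, so walk one level down as well.
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $sub = $_.PSPath
            (Get-ItemProperty -Path $sub).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { Add-Finding $sub $_.Name ([string]$_.Value) }
        }
    }
}

# 3. Legacy DOS/Windows files: autoexec.bat in %systemdrive%, win.ini in %systemroot%.
$legacy = @{
    'autoexec.bat' = Join-Path $env:SystemDrive 'autoexec.bat'
    'win.ini'      = Join-Path $env:SystemRoot  'win.ini'
}
foreach ($entry in $legacy.GetEnumerator()) {
    if (-not (Test-Path $entry.Value)) { continue }
    # In win.ini only the load= and run= lines start programs; in autoexec.bat
    # every non-comment line is a command, so keep all of those.
    Get-Content -Path $entry.Value -ErrorAction SilentlyContinue |
        Where-Object { $entry.Key -eq 'autoexec.bat' -or $_ -match '^\s*(load|run)\s*=' } |
        Where-Object { $_.Trim() -ne '' -and $_ -notmatch '^\s*(rem\b|;)' } |
        ForEach-Object { Add-Finding $entry.Value $entry.Key $_.Trim() }
}

# 4. Report. Diff this against a baseline taken from a clean build of the same
# image; anything present here but absent there deserves a closer look.
$findings | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Run the script once on a freshly built machine and save the output; later runs that show a new Startup-folder file, a new Run value, or a new load=/run= line in win.ini point at exactly the kind of addition the column warns about. Logon scripts and Scheduler jobs are not covered here because their locations depend on the domain and scheduler configuration rather than on a fixed path.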
