
I'm a trainee who writes malware samples to later be tested. A basic piece I wrote in C++ kills explorer.exe, taskmgr.exe and repeats this every second. I used a bit of code to add my application to the registry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it runs automatically when the test machine is started.

Because the test machine is a VM, I can restore to the last snapshot and be on my merry way. If this happened in a real-world situation, how would one fix this problem? Killing explorer and task manager leaves the user with only the desktop, with no icons to look at. I know Windows 7 will do a system restore before the boot, but is this true for XP? BIOS? Or would they have to try and reinstall Windows cleanly?

1 Answer


In Microsoft's documentation about run keys on Windows XP, it is stated that:

By default, Run keys are ignored when the computer starts in Safe mode. Under the RunOnce keys, you can prefix a value name with an asterisk (*) to force the associated program to run even in Safe mode.

If it is not added under RunOnce with the force character, one could start in Safe mode and remove the key.

Simon
  • And if he adds the force character, the user is doomed? – o0'. Jun 29 '13 at 07:25
  • As far as my knowledge goes, it seems so. One user suggested using the Win+R command, which lets you open an application, file or folder, but it is dependent on the explorer.exe process. – Simon Jun 29 '13 at 14:23
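The answer turns on two facts: Run keys are skipped in Safe Mode, and only a RunOnce value whose name starts with `*` survives that rule. The script below is an added example (not code from the question or the answer) that enumerates the usual Run/RunOnce locations under HKLM and HKCU, flags which entries would still execute in Safe Mode, and removes a chosen value after exporting the key as a backup. It assumes a Windows version with PowerShell and the registry provider (Vista and later; a stock XP machine would need `reg query` and `reg delete` from Safe Mode with Command Prompt instead, where cmd.exe is the shell and explorer.exe is not needed). The sample value name `NameOfSample` in the usage line is a placeholder, not something from the post.

```powershell
# Added example: list Run/RunOnce autostart entries and show which ones
# Safe Mode will NOT suppress. Not part of the original answer.

$AutoRunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',      # 32-bit view on 64-bit Windows
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutoRunEntry {
    # Returns one object per registry value found in the keys above.
    foreach ($key in $AutoRunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        $isRunOnce = $key -match '\\RunOnce$'
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key            = $key
                Name           = $name
                Command        = $item.GetValue($name)
                # Per the quoted documentation, the '*' prefix is honoured only
                # under RunOnce; a '*' in a plain Run value name is just a name.
                RunsInSafeMode = ($isRunOnce -and $name.StartsWith('*'))
            }
        }
    }
}

function Remove-AutoRunEntry {
    param(
        [Parameter(Mandatory)][string]$Key,   # e.g. HKLM:\Software\Microsoft\Windows\CurrentVersion\Run
        [Parameter(Mandatory)][string]$Name   # the value name to delete, '*' prefix included if present
    )
    # Export the whole key first so a wrong removal can be restored with 'reg import'.
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup  = Join-Path -Path $env:TEMP -ChildPath "autorun-backup-$stamp.reg"
    $regPath = $Key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
    reg.exe export $regPath $backup | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name -ErrorAction Stop
    Write-Host "Removed '$Name' from $Key (backup written to $backup)"
}

# Usage (run from an elevated Safe Mode prompt for the HKLM keys):
Get-AutoRunEntry | Format-Table -Property Key, Name, RunsInSafeMode, Command -AutoSize
# Remove-AutoRunEntry -Key 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'NameOfSample'
```

The `RunsInSafeMode` column is the point of the answer in one place: an entry under `Run`, or under `RunOnce` without the `*` prefix, does not start in Safe Mode, so the machine can be booted there and the value removed. An entry under `RunOnce` with the `*` prefix is the case the comments call out, and this listing at least makes it visible before deciding on a restore or reinstall.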