In reading about forensics its mentioned that malware could be found in the Software HKCU. My question is if malware installs will Windows definitely put it in this registry section? I always assumed malware could hide anywhere, but what I'm reading makes it seem as if it will be in this location. Does Windows put all installed software here / can it be changed by malware?
1 Answer
Malware is a malicious piece of code running on a computer.
If by "found in Software HKCU" you refer to the malware's persistence technique, then YES - one of the techniques that malware authors use for persistence is to take advantage of registry keys that will allow their processes to start up when the user is logged in.
"I always assumed malware could hide anywhere, but what I'm reading makes it seem as if it will be in this location" - Malware can indeed hide itself in different manners, and there is no "requirement" for malware to use the registry for persistence or to hide itself.
"Does Windows put all installed software here" - No. HKCU stands for HKEY_CURRENT_USER, i.e. it contains configuration information for Windows and software specific to the currently logged-in user.
Given the right permissions, malware can definitely change keys and values under HKCU.
Hope that helps. If you are interested, I highly recommend Practical Malware Analysis, it's a great book.
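The answer above points at the registry autostart keys as one persistence location among many. The script below is an added example (not code from the question, the answer, or the book it recommends) showing what "checking the Software HKCU location" looks like in practice: it enumerates the well-known Run/RunOnce keys under both HKCU and HKLM and flags entries whose command points into a user-writable directory. The key list and the "user-writable path" heuristic are this example's own assumptions; they are a starting point, not a complete list of persistence locations.

```powershell
# Added example: enumerate the Run/RunOnce autostart keys under HKCU and HKLM
# and flag entries whose command lives in a user-writable location.
# Assumption: this key list is the common set of Run keys; malware can also
# persist via services, scheduled tasks, WMI subscriptions and other keys,
# so an empty result here does NOT mean the machine is clean.

$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # 32-bit view of the same keys on 64-bit Windows
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories an unprivileged user can write to. A startup command in one of
# these is worth a second look, but this is only a heuristic (assumption):
# legitimate updaters and per-user installs live in AppData too.
$userWritableRoots = @(
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:TEMP,
    "$env:SystemDrive\Users\Public"
) | Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
$userWritablePattern = $userWritableRoots -join '|'

# Metadata properties that Get-ItemProperty adds to every result; these are
# not registry values and must be skipped.
$psMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartEntries {
    foreach ($key in $autostartKeys) {
        # Missing keys are normal (e.g. WOW6432Node on 32-bit Windows)
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMetadata -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Hive       = $key.Split(':')[0]        # HKCU or HKLM
                Key        = $key
                ValueName  = $p.Name
                Command    = $cmd
                Suspicious = [bool]($cmd -match $userWritablePattern)
            }
        }
    }
}

$entries = Get-AutostartEntries

# Suspicious entries first, so they stand out in the table
$entries |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -Property Hive, ValueName, Suspicious, Command -AutoSize -Wrap

# Summary line for quick triage
$flagged = @($entries | Where-Object { $_.Suspicious }).Count
Write-Host ("{0} autostart entries found, {1} in user-writable locations" -f $entries.Count, $flagged)
```

Run it from a normal PowerShell session for the HKCU view of the logged-in user and from an elevated one if you also want to be sure of reading every HKLM value. Because HKCU is per-user, a persistence entry planted under another account's hive will not show up here; for an offline image or a different user, load that user's NTUSER.DAT hive first (reg load) and point the HKCU paths at the loaded hive instead.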