Run Spyware with Startup Folder

Data Security: Resource

 Search Resources
Hot Words
Key Words
In Field


 By Chris Gudy
Run Spyware with Startup Folder
Startup folder is a typical mechanism to let users arrange their automatic starting programs. When some specific events occur, such as system boot or a user logging in, Windows will try to activate arbitrary executables or scripts in several locations. These locations are called startup folder. In the view of Windows, startup folder is an interface to common users but not to developers. So there is little functionalities of operating system to rely on it. In other words, Windows do not consider compatibility for startup folder among different versions. Specially, there is an obvious difference between Windows 95/98/ME and Windows 2K/XP. If developers are interested in utilizing them, at least, they have to program for each group.

With Windows 95/98/ME you can inspect startup folders at following locations by default.
  • %windows directory%\Main menu\Programs\StartUp\ : for current user
  • %windows directory%\All Users\Main menu\Programs\StartUp\ : for all users

By default, startup folders are placed as followings in Windows 2K/XP.
  • \\Documents and Settings\[user-name]\Start Menu\Programs\Startup\ : for current user
  • \\Documents and Settings\All Users\Start Menu\Programs\Startup\ : for all users
The items stored in startup folders can be applications or documents shortcuts. Basically, you can view what are in these folders and learn what will be activated when booting through desktop. For example, from submenu Program you can get the corresponding content of Current User.

It seems simple to read or write the contents in startup folders. As we mentioned repeatedly, spyware needs to hide its activities. So developers might want to store starting files in relation to spyware at an unfamiliar directory but not default folders. Indeed, developers are able to cancel default folders by appending the substituting directories upon following registry sub-keys under Startup entries.
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders.
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion \Explorer\Shell Folders
The first one keeps the startup folder in Startup entry for current user. When booting, the computer will check it to activate its items. If the needed value is missing, the computer will continue to check Startup entry of the second sub-key that usually contains the default folder. Together with them, another pair of sub-key as following offers similar mechanism in multi-user mode.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders.
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion \Explorer\Shell Folders
The entries to keep assigned folders are named Common Start, so these folders are also called Common Startup Folder. Obviously, their items will be launched when booting for every users. If developers are deploying a spyware and they want to utilize the startup folders, they definitely do not put the spyware into startup folders directly. It is not a job of spy, and will be uncovered almost immediately. To disguise the starting, you need more complicated method. Fortunately, the four sub-keys in registry make it possible.

In general, developers need two steps to hack the startup folder mechanism to activate own spyware. At first, create a new folder that will replace default startup folder in any location of disk. This new startup folder can be at any location in the infected computer, but will be found mostly buried deep into directory structure so that it may be unnoticed by the user. Secondly, change relative values of sub-keys to add this second startup folder. To guarantee new folder will be effective in all and every situation, they had better to modify all above sub-keys.

Now we go through two main types of automatic starting for normal usage. Although they all are activated when booting, there is still a sequence of execution among them. Knowing the activating order is useful to help you choose or design methods of automatic starting. Simply stated, the usual starting sub-keys and startup folders are processed in the following order. At first, the RunServices and RunServicesOnce content of HKLM hive is processed. Further the logon dialog box for user registration in system appears. After this, the operating system begins to deal with the RunOnce and Run sub-keys of HKLM hive, further, Run of HKCU hive. The items stored in StartUp folder are the next to get launched. After this is the turn of values in RunOnce sub-key of HKCU hive.