🖥️
Windows DFIR
  • Introduction
  • Windows Artifacts
    • Windows Quick Tips
      • Windows Command Line
      • Workstation File/Folder Locations
      • Server File/Folder Locations
    • Account Usage
      • Authentications SAM Artifacts
        • Last Login
        • Last Failed Login
        • Last Password Change
      • Authentications (Windows Event Log)
        • Logon ID
      • Group Membership
        • Event ID: 4798
        • Event ID: 4799
      • RDP
        • Source System Artifacts - Quick Reference
        • Destination System Artifacts - Quick Reference
      • SSH
      • Rouge Local Accounts
      • CrowdStrike Searches
        • Event Name - UserLogon
        • Event Name - UserLogonFailed
        • Event Name - UserLogonFailed2
        • Event Name - SsoApplicationAccess
    • Browser Usage
      • History & Downloads
        • Viewing History Files - DB Browser
        • Transition Types
      • Auto-Complete Data
      • Bookmarks
      • Browser Preferences
      • Cache
      • Cookies
      • Extensions
      • Super Cookies (HTML5 Web Storage)
      • Media History
      • Private Browsing
      • Session Restore
      • Stored Credentials
      • Suggested/Frequent Sites
      • DB Browser Queries
        • Firefox
        • Chrome
        • Media History
      • PowerShell Scripts
        • Browser Extension Finder
        • Browser History Finder
    • Processes
      • at.exe
      • explorer.exe
      • lsass.exe
      • lsaiso.exe
      • PuTTy.exe
        • X11 Forwarding
      • runtimebroker.exe
      • services.exe
      • smss.exe
      • System
      • svchost.exe
        • Services
      • winlogon.exe
      • wininit.exe
    • Cloud Storage
    • Deleted File or File Knowledge
      • WordWheelQuery (Win 7+)
      • ACMRU (Win XP)
      • Internet Explorer file:///
      • Last Visited MRU
      • Thumbs.db (Win XP)
      • Thumbcache
      • Recycle Bin
      • User Typed Paths
      • Windows Search Database
    • File Download
      • Zone.Identifer
      • Open/Save Most Recently Used (MRU)
      • Email
      • Drive By Downloads
        • Malvertising
      • Web Browsing
        • Cache Files
      • CrowdStrike Searches
        • MoTW
    • Folder/File Opening/Creation
      • Recent Files
      • Office Recent Files
      • Shell Bags
      • .lnk Files
      • Jump Lists
        • AppIDs
      • Prefetch
      • Index.dat file://
      • PowerShell Scripts
        • .lnk Files
    • Persistence
      • Registry
        • NTUSER.DAT & HKU\SID
        • Run and Run Once
        • Shell Folders and UserInit Key
        • Services
        • Logon Scripts
        • Office Add-ins
        • Winlogon Shell
        • Image File Execution Options (IFEO)
        • AppInit_DLLs
        • Scheduled Tasks
      • Scheduled Tasks
        • Scheduled Task Destination System Artifacts
        • Scheduled Task Source System Artifacts
      • Startup
      • Tool: AutoRuns
      • Accounts
      • WMI Event Consumers
        • WMI: Source System Artifacts
        • WMI: Destination System Artifacts
        • WMI: PowerShell Analysis
      • PowerShell Scripts
        • Startup Programs
      • CrowdStrike Searches
        • Files Written to Startup Folder
        • Files Written to Startup Folder from the Internet
        • Local Account Creation/Deletion
        • Azure Account Creation/Deletion
        • Scheduled Tasks
    • Physical Location
      • Time zone
      • Wireless SSID
      • Network History (Vista/Win7–11)
      • Cookies
      • Browser Search Terms
    • Program Execution
      • Prefetch
        • Decoding Prefetch Files with Eric Zimmerman's PECmd Tool
      • BAM/DAM
      • CapabilityAccessManager
      • UserAssist
      • Last Visited MRU
      • RunMRU
      • MUI Cache
      • ShimCache
      • Amcache
      • Jump Lists
    • Shadow Copies
      • VSC Permissions
      • Event ID 8193: Volume Shadow Copy Service Error
    • USB Usage
      • Key Identification
      • Drive Letter and Volume Name
      • Connection Timestamps
      • User
      • Volume Name
      • Plug & Play Event Log
    • Windows Services
      • DoSvc (Delivery Optimization)
    • System Information
    • Event IDs
      • Authentication / Account
        • 4624 - Authentication Success
          • Logon Types
        • 4625 - Authentication Failure
          • SubStatus Codes
        • 4634 - Account Logoff
        • 4648 - Explicit Credentials Success
        • 4672 - Special Privileges
        • 4720 - Account Creation
        • 4722 - Account Enabled
        • 4732 - Addition to Local Group
        • 4738 - Account Changed
        • 4776 - Kerberos Authentication Attempt
          • Substatus Codes
        • 4771 - Kerberos Failure
        • 4768
      • File System
        • 1006
        • 4688 - Process Created
        • 4663
        • 4656
        • 6416
        • 20001
        • 20003
  • Windows DFIR & MITTR
    • Initial Access
      • Content Injection
      • Drive-by Compromise
        • Watering Hole Attack
        • Microsoft Files (Payload Execution)
        • Exploit Delivery
        • Viewing Browser History Files
      • Phishing
    • Execution
    • Persistence
    • Privilege Escalation
    • Defense Evasion
    • Credential Access
      • Logon ID
    • Discovery
    • Lateral Movement
    • Collection
    • Command and Control
    • Exfiltration
    • Impact
  • SOC Related
    • Cached Credentials
    • Domain Controller Password Spraying
Powered by GitBook
On this page
  • Shell Folders
  • UserInit Key
  • Examples of Suspicious Entries
  • Detection and Analysis

Was this helpful?

  1. Windows Artifacts
  2. Persistence
  3. Registry

Shell Folders and UserInit Key

Registry keys like Shell Folders and UserInit are integral to Windows operating systems, impacting user environments and the login process

Shell Folders

The Shell Folders key in the Windows Registry is used to specify the paths to various user-specific system folders, such as the Desktop, Start Menu, Programs, Startup, and so on. These paths dictate where certain files and shortcuts should be stored and accessed within the user's profile.

  • Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

  • Legitimate Use: Applications and the operating system use these paths to save and retrieve user-specific files and settings. For example, adding a program shortcut to the Startup folder ensures the program launches whenever the user logs in.

  • Abuse by Threat Actors: Malicious software might alter these paths to point to directories under their control or insert shortcuts to malware in directories such as the Startup folder, ensuring malware execution at user login. Modifying the path to the Desktop or Documents folder could redirect access to these locations, tricking users into executing malicious files unknowingly.

UserInit Key

The UserInit key is crucial for the Windows logon process. It specifies the program that is executed during the user login sequence to initialize the user's environment, typically userinit.exe.

  • Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

  • Legitimate Use: The default value is C:\Windows\system32\userinit.exe,, which is responsible for setting up the user session, launching the shell (usually explorer.exe), and managing logon scripts. It ensures the user's desktop and environment are correctly initialized after logging in.

  • Abuse by Threat Actors: Threat actors can append malicious executables or scripts to the UserInit value, ensuring their code runs each time a user logs into the system. By adding paths to malicious executables or scripts alongside the legitimate userinit.exe path, attackers achieve persistence and immediate execution after login without disrupting the normal login process.

Examples of Suspicious Entries

  • Shell Folders: A suspicious entry might redirect the Startup folder to a malicious location:

    "Startup"="C:\\Users\\user\\AppData\\Roaming\\Malicious\\"

    This change means any program placed in this malicious directory would run upon the user's login.

  • UserInit: An altered UserInit key might include additional executables:

    "Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\malicious.exe,"

    This entry ensures malicious.exe runs every time a user logs on, right after the standard initialization process.

Detection and Analysis

Detecting unauthorized modifications to these keys involves monitoring for unexpected changes and verifying the legitimacy of paths and executables referenced. Tools like the Windows Registry Editor (Regedit) and third-party utilities can help visualize and audit these keys. Security professionals often rely on endpoint protection platforms that monitor registry modifications in real-time to detect and alert on suspicious activities.

It's essential for forensic analysts and security professionals to understand the standard behavior and content of these registry keys. Knowing what is normal allows them to identify deviations that may indicate compromise. For instance, additional paths in the UserInit key or unusual directory paths in Shell Folders should be investigated, requiring a thorough examination of the files involved and their provenance.

In summary, while the Shell Folders and UserInit registry keys serve legitimate and critical functions within the Windows environment, their misuse by threat actors can provide effective mechanisms for achieving persistence and stealth. Awareness and monitoring of these keys are vital components of a robust security posture and forensic analysis toolkit.

PreviousRun and Run OnceNextServices

Last updated 1 year ago

Was this helpful?