🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Red Cloak™ Endpoint Agent Technical Details

integrations endpoints red cloak secureworks edr


This topic contains information about the Red Cloak™ Endpoint Agent and the types of information collected for the purpose of threat identification.

The Red Cloak™ Endpoint Agent consists of multiple modules that provide distinct functionality and features. As with any software it is impossible to test all possible system configurations, which is why we recommend installing and testing on multiple images within your environment before deployment.

Agent Overview

Windows Agent Modules

All modules are currently available for the Red Cloak™ Endpoint Agent for Windows. Navigate to the Module Overview section to view details for each.

Linux Agent Modules

The following modules are currently available for the Red Cloak™ Endpoint Agent for Linux. Click each module to navigate to the corresponding module details.

System Resources

The disk usage limit is configurable, but we recommend leaving the default configuration. You can also disable certain modules as part of the build process or by working with Product Support to use a host command for configuration changes, but Secureworks recommends leaving all modules enabled to provide the highest level of visibility and detection capabilities.

Network Connectivity

The Red Cloak™ Endpoint Agent communicates with the cluster over port 443 using TLS v1.2 with a strong cipher suite. By default, the agent checks in every 20 minutes and keeps the connection alive for ten minutes. Known vulnerabilities in SSL/TLS are either not applicable to Red Cloak™ Endpoint Agent or are mitigated through the following:

Open Source Software

The Red Cloak™ Endpoint Agent makes use of open source software. The following is a list of the open source packages used and where to download the software.

Component Reference
bzip2 http://www.bzip.org
curl http://curl.haxx.se/
libevent http://libevent.org/
libchromium https://www.chromium.org/Home
openssl https://www.openssl.org/source/
pefile https://github.com/erocarrera/pefile
protobuf https://developers.google.com/protocol-buffers/
pugixml https://pugixml.org/
python https://www.python.org
sqlcipher https://www.zetetic.net/sqlcipher/open-source/
sqlite https://www.sqlite.org/
modp_b64 https://doc.qt.io/qt-5/qtwebengine-3rdparty-modp-base64-decoder.html
gmock https://code.google.com/p/googlemock/
gtest https://code.google.com/p/googletest/
libcrypto.so https://wiki.openssl.org/index.php/Libcrypto_API
libssl.so https://www.openssl.org/source/
libstdc++.so https://gcc.gnu.org/onlinedocs/libstdc++/
libblkid.so https://github.com/karelzak/util-linux/tree/master/libblkid
zlib https://zlib.net/
libuuid https://github.com/karelzak/util-linux/tree/master/libuuid
libcom_err http://e2fsprogs.sourceforge.net/
libkrb5 http://web.mit.edu/kerberos/
libkeyutils http://people.redhat.com/~dhowells/keyutils
sqlite3 https://www.sqlite.org/
glibc https://www.gnu.org/software/libc/

Module Overview

AuthTap Module

The AuthTap module is designed to capture all events related to authentication of users and the explicit use of credentials on a host. While the module is capable of capturing other Windows events, this is generally only used in specific Targeted Threat Hunt situations. In addition, the module is capable of capturing past events from the system, which is useful for looking at historical Windows event log data.

By default, the AuthTap module of the most recent agent version captures the following Windows Events:

WID Description
21 Remote Desktop Services: Session logon succeeded
22 Remote Desktop Services: Shell start notification received
104 The Application log file was cleared
106 This event is logged when the user registered the Task Scheduler task
141 This event is logged when user deleted Task Scheduler task
1102 The audit log was cleared
1104 The security log is now full
4624 An account was successfully logged on
4625 An account failed to log on
4648 A logon was attempted using explicit credentials
4672 Special privileges assigned to new logon
4720 A user account was created
4722 A user account was enabled
4724 An attempt was made to reset an account’s password
4725 A user account was disabled
4726 A user account was deleted
4728 A member was added to a security-enabled global group
4732 A member was added to a security-enabled local group
4735 A security-enabled local group was changed
4738 A user account was changed
4739 Domain Policy was changed
4740 A user account was locked out
4742 A computer account was changed
4756 A member was added to a security-enabled universal group
4768 A Kerberos authentication ticket (TGT) was requested (Logged on domain controllers)
4769 A Kerberos service ticket was requested
4770 A Kerberos service ticket was renewed
4771 Kerberos pre-authentication failed
4776 The domain controller attempted to validate the credentials for an account
4777 The domain controller failed to validate the credentials for an account
4794 An attempt was made to set the Directory Services Restore Mode administrator password

In addition, the following data fields are collected from the events:

Cyclorama Module

The Cyclorama module is responsible for monitoring thread injection events and collecting information related to the injection. When a remote thread injection occurs, Cyclorama tries to grab the first 256 bytes of data from the beginning execution address of the new thread; however, the event will be dropped at the server if the event does not contain data in the first 256 bytes or if the first 256 bytes are null. It is also important to point out that if the name lsass is in the target process name, the event is never dropped, as we still want to record any injection attempts against lsass. The Cyclorama module collects the following information:

Entwine Module

The Entwine Module collects Event Tracing for Windows (ETW) events, which provide a rich source of data for Windows operating systems from various providers, applications that contain event tracing instrumentation. Entwine collects these events and reports them as JSON to Red Cloak™ Endpoint Agent to aid in advanced threat hunting by allowing early identification of suspicious and malicious behavior. More information on ETW can be found here: https://docs.microsoft.com/en-us/windows/desktop/etw/about-event-tracing.

The module currently monitors DNS with support to configure other user mode and kernel mode ETW providers in the future. The providers that Entwine subscribes to are defined in config.bin. Entwine also supports filtering based on event_ids per provider, explained in detail for DNS monitoring in the following section.

Supported Platforms: Entwine runs only on endpoints running Windows 7 or later.

ETW DNS Monitoring

ETW Provider for DNS Query Events

Interested Events

    {
      "allowed_domain": [
        "62e1ad52"
      ],
      "chan_name": "Microsoft-Windows-DNS Client Events/Operational ",
      "color": "UNKNOWN",
      "event_data": [
        {
          "data": "client.wns.windows.com",
          "name": "QueryName"
        },
        {
          "data": "16",
          "name": "AddressLength"
        },
        {
          "data": "10.0.0.254:53",
          "name": "Address"
        }
      ],
      "event_id": 1015,
      "event_info": {
        "dns_query_name": "client.wns.windows.com"
      },
      "event_msg": "Name resolution for the name client.wns.windows.com timed out after the DNS server 10.0.0.254:53 did not respond. ",
      "id": {
        "host_id": "62e1ad528d83dae27f9d270b5517d985",
        "instance_id": "fed5fc2a-e56c-4252-a8f4-c852a1d07914"
      },
      "keyword": "0x8000000000000000",
      "level": 4,
      "pid": 1216,
      "provider_guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}",
      "provider_name": "Microsoft-Windows-DNS-Client",
      "task": 1015,
      "tid": 3248,
      "timestamp": "2018-10-18T15:31:22.331081"
     }

    {
      "allowed_domain": [
        "62e1ad52"
      ],
      "chan_name": "Microsoft-Windows-DNS Client Events/Operational ",
      "color": "UNKNOWN",
      "event_data": [
        {
          "data": "wpad.test.net",
          "name": "QueryName"
        },
        {
          "data": "16",
          "name": "AddressLength"
        },
        {
          "data": "10.0.0.254:53",
          "name": "Address"
        }
      ],
      "event_id": 1016,
      "event_info": {
        "dns_query_name": "wpad.test.net"
      },
      "event_msg": "A name not found error was returned for the name wpad.test.net. Check to ensure that the name is correct. The response was sent by the server at 10.0.0.254:53. ",
      "id": {
        "host_id": "62e1ad528d83dae27f9d270b5517d985",
        "instance_id": "25368a70-ce64-4f5d-9699-9d771d3519e5"
      },
      "keyword": "0x8000000000000000",
      "level": 4,
      "pid": 1216,
      "provider_guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}",
      "provider_name": "Microsoft-Windows-DNS-Client",
      "task": 1016,
      "tid": 6560,
      "timestamp": "2018-10-18T14:43:23.524524"
    }

    {
      "allowed_domain": [
        "62e1ad52"
      ],
      "chan_name": "Microsoft-Windows-DNS Client Events/Operational ",
      "color": "UNKNOWN",
      "event_data": [
        {
          "data": "v10.vortex-win.data.microsoft.com",
          "name": "QueryName"
        },
        {
          "data": "28",
          "name": "QueryType"
        },
        {
          "data": "2251800888107008",
          "name": "QueryOptions"
        },
        {
          "data": "9701",
          "name": "Status"
        },
        {
          "name": "QueryResults"
        }
      ],
      "event_id": 3018,
      "event_info": {
        "dns_query_name": "v10.vortex-win.data.microsoft.com",
        "dns_query_result": ""
      },
      "event_msg": "Cache lookup for name v10.vortex-win.data.microsoft.com, type 28 and option 2251800888107008 returned 9701 with results  ",
      "id": {
        "host_id": "62e1ad528d83dae27f9d270b5517d985",
        "instance_id": "9934e99c-66c6-4148-af94-0229facb9580"
      },
      "keyword": "0x8000000000000000",
      "level": 4,
      "pid": 1216,
      "provider_guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}",
      "provider_name": "Microsoft-Windows-DNS-Client",
      "tid": 3248,
      "timestamp": "2018-10-18T15:10:19.099102"
    }

    {
      "allowed_domain": [
        "62e1ad52"
      ],
      "chan_name": "Microsoft-Windows-DNS Client Events/Operational ",
      "color": "UNKNOWN",
      "event_data": [
        {
          "data": "cluster.rcdaily.cloudops.ctudev.com",
          "name": "QueryName"
        },
        {
          "data": "1",
          "name": "QueryType"
        },
        {
          "data": "0",
          "name": "NetworkIndex"
        },
        {
          "data": "0",
          "name": "InterfaceIndex"
        },
        {
          "data": "0",
          "name": "Status"
        },
        {
          "data": "34.238.81.39;type:  2 ns-1883.awsdns-43.co.uk;type:  2 ns-139.awsdns-17.com;type:  2 ns-646.awsdns-16.net;type:  2 ns-1175.awsdns-18.org;205.251.192.139;2600:9000:5300:8b00::1;205.251.194.134;2600:9000:5302:8600::1;205.251.196.151;2600:9000:5304:9700::1;205.251.199.91;2600:9000:5307:5b00::1;",
          "name": "QueryResults"
        }
      ],
      "event_id": 3020,
      "event_info": {
        "dns_query_name": "cluster.rcdaily.cloudops.ctudev.com",
        "dns_query_result": "34.238.81.39;type:  2 ns-1883.awsdns-43.co.uk;type:  2 ns-139.awsdns-17.com;type:  2 ns-646.awsdns-16.net;type:  2 ns-1175.awsdns-18.org;205.251.192.139;2600:9000:5300:8b00::1;205.251.194.134;2600:9000:5302:8600::1;205.251.196.151;2600:9000:5304:9700::1;205.251.199.91;2600:9000:5307:5b00::1;"
      },
      "event_msg": "Query response for name cluster.rcdaily.cloudops.ctudev.com, type 1, interface index 0 and network index 0 returned 0 with results 34.238.81.39;type:  2 ns-1883.awsdns-43.co.uk;type:  2 ns-139.awsdns-17.com;type:  2 ns-646.awsdns-16.net;type:  2 ns-1175.awsdns-18.org;205.251.192.139;2600:9000:5300:8b00::1;205.251.194.134;2600:9000:5302:8600::1;205.251.196.151;2600:9000:5304:9700::1;205.251.199.91;2600:9000:5307:5b00::1; ",
      "id": {
        "host_id": "62e1ad528d83dae27f9d270b5517d985",
        "instance_id": "c5d19822-8854-494d-ad89-f3dc7bde1e29"
      },
      "keyword": "0x8000000000000000",
      "level": 4,
      "pid": 1216,
      "provider_guid": "{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}",
      "provider_name": "Microsoft-Windows-DNS-Client",
      "tid": 3248,
      "timestamp": "2018-10-18T15:34:58.885911"
    }

Groundling Module

Upon installation, the Groundling module captures all persistent programs and monitors persistence locations for any modifications. When a persistence change is detected, the agent collects information related to the change and sends a message back to the Red Cloak™ Endpoint Agent cluster. The Groundling module collects the following types of information. Please note, this is an abbreviated list due to the size.

Program Information

Signature Information

Registry Information

Service Information

Scheduled Task Information

Shortcut Information

The following are examples of locations monitored for persistence changes; the full list can be viewed in the Appendix.

Registry keys

Program locations

Scheduled tasks

Configuration Settings

Red Cloak™ Endpoint Agent prevents external scripts from removing Windows domain user profiles, as the Groundling and Inspector™ modules load profiles for monitoring. To allow external scripts to remove domain user profiles, work with Product Support to alter the Windows Profile loading pattern for Groundling and Inspector™ via Host Command. The default value for Groundling is Always, with Always and Smart as recommended.

String Value Description
groundling.profile_load Always Groundling loads all profiles upon startup, never unloading them
Smart Groundling loads all profiles upon startup, but unloads them right after initial scan (10-30 minutes on average)
Never Groundling does not load additional user profiles, thus losing effectiveness

Note

This setting must be coordinated with the inspector.profile_load value if both modules are enabled; for example, use the Always/Always, Smart/Smart or Never/Never values for each module. Smart (Groundling) may also be combined with Never (Inspector™). The Smart value in Inspector™ is not recommended as it can cause Windows profile issues.

Hostel Module

The Hostel module on the Red Cloak™ Endpoint Agent agent is the software that is responsible for performing Host Isolation. Isolating an endpoint from network communication (except to Secureworks® Taegis™ XDR) is performed to prevent lateral spreading of threats from an infected host to healthy hosts. Once a host has been isolated and its threat removed, it can be reintegrated and connected back to full network access.

Isolation

Isolating an endpoint from network communication (except to the Secureworks backend itself) is performed to prevent lateral spreading of threats from infected host to healthy hosts. Once isolated hosts have had their threat removed, they can be reintegrated, regaining their full network access. The Hostel module on the agent is the component responsible for performing the isolation tasks.

The agent will not retain the state of isolation in permanent memory across restarts, it will always restart with isolation disabled. Upon the agent's first connection with the platform, it will be instructed as to the desired isolation state.

When isolation module is enabled and running, an icon will be displayed in the Windows system tray off each endpoint.

Prerequisites for Using Host Isolation with the Red Cloak™ Endpoint Agent

For more details on using the Host Isolation feature, see Isolate a Host.

Ignition Module

The Ignition module is the software that is responsible for performing Remote Agent Upgrade, and is available beginning with Windows Agent version 2.1.4.0.

Once installed, the agent checks in with the Red Cloak™ Endpoint Agent backend server. At this time the agent configuration specific to that endpoint is uploaded to the server, giving the server visibility to the agent configuration on all endpoints in your domain. When Remote Agent Update is made available and is initiated, the Ignition module pulls down the MSI installer needed, performs the update, and reports back the configuration to the server.

Inspector™ Module

The Inspector™ module runs Python based rules that are designed to detect malware, malicious artifacts, or known behaviors and patterns on a host. This module is used with periodic scans in order to scan the host for malicious activity on a recurring basis. By default, periodic scans run every 12 hours. The data collected by this module varies based upon the rule that detects malicious artifacts, but it is similar to what is collected by other modules:

Configuration Settings

Red Cloak™ Endpoint Agent prevents external scripts from removing Windows domain user profiles, as the Inspector™ and Groundling modules load profiles for monitoring. To allow external scripts to remove domain user profiles, work with Product Support to alter the Windows Profile loading pattern for Inspector™ and Groundling via Host Command. The default value for Inspector™ is Always, with Always and Never as recommended.

String Value Description
inspector.profile_load Always Inspector™ loads all profiles upon startup, never unloading them
Smart Inspector™ loads profiles before scan (periodic or regular), and unloads them right after
Never Inspector™ does not load additional user profiles, thus losing effectiveness

Note

This setting must be coordinated with the groundling.profile_load value if both modules are enabled; for example, use the Always/Always, Smart/Smart or Never/Never values for each module. Smart (Groundling) may also be combined with Never (Inspector™). The Smart value in Inspector™ is not recommended as it can cause the Windows profiles issue.

Lacuna Module

The Lacuna module is responsible for capturing inbound and outbound network connection data, both TCP and UDP. It is also responsible for capturing DNS resolution and queries. The Lacuna module collects the following information:

Network Data (IP)**

Network Data (DNS)

Mukluk Module

The Mukluk module is the core Red Cloak™ Endpoint Agent module. It is responsible for coordinating and managing all of the modules and settings for the agent. Mukluk is required for all deployments and handles the following tasks:

Procwall Module

The Procwall module is responsible for monitoring process creation events. The Procwall module collects the following information:

Process Information**

Program Information**

Signature Information**

Appendix

Groundling Monitored Persistence Locations

# Category Sub-Category Bases Key
1 APPINIT DLL APP CERT DLL HKLM System\CurrentControlSet\Control\Session Manager\AppCertDlls
2 APPINIT DLL APP INIT DLL HKLM Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
3 APPINIT DLL APP INIT DLL HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
4 BOOT EXECUTE BOOT EXECUTE HKLM System\CurrentControlSet\Control\Session Manager\BootExecute
5 BOOT EXECUTE EXECUTE HKLM System\CurrentControlSet\Control\Session Manager\Execute
6 BOOT EXECUTE S0 INITAL COMMAND HKLM System\CurrentControlSet\Control\Session Manager\S0InitialCommand
7 BOOT EXECUTE SERVICE CONTROL MANAGER EXTENSION HKLM System\CurrentControlSet\Control\ServiceControlManagerExtension
8 BOOT EXECUTE SETUP EXECUTE HKLM System\CurrentControlSet\Control\Session Manager\SetupExecute
9 CODEC CODEC INSTANCE HKCU HKLM Software\Classes\CLSID{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance*
10 CODEC CODEC INSTANCE HKCU HKLM Software\Classes\CLSID{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance*
11 CODEC CODEC INSTANCE HKCU HKLM Software\Classes\CLSID{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance*
12 CODEC CODEC INSTANCE HKCU HKLM Software\Classes\CLSID{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance*
13 CODEC CODEC INSTANCE HKCU HKLM Software\Wow6432Node\Classes\CLSID{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance*
14 CODEC CODEC INSTANCE HKCU HKLM Software\Wow6432Node\Classes\CLSID{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance*
15 CODEC CODEC INSTANCE HKCU HKLM Software\Wow6432Node\Classes\CLSID{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance*
16 CODEC CODEC INSTANCE HKCU HKLM Software\Wow6432Node\Classes\CLSID{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance*
17 CODEC DRIVER HKLM SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
18 CODEC DRIVER HKCU Software\Microsoft\Windows NT\CurrentVersion\Drivers32
19 CODEC DRIVER HKCU HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
20 CODEC FILTER HKCU HKLM Software\Classes\Filter*
21 EXPLORER COLUMN HANDLER HKCU HKLM Software\Classes*\ShellEx\ColumnHandlers*
22 EXPLORER COLUMN HANDLER HKLM Software\Wow6432Node\Classes*\ShellEx\ColumnHandlers*
23 EXPLORER CONTEXT MENU HKCU HKLM Software\Classes*\ShellEx\ContextMenuHandlers*
24 EXPLORER CONTEXT MENU HKLM Software\Wow6432Node\Classes*\ShellEx\ContextMenuHandlers*
25 EXPLORER COPY HOOK HKCU HKLM Software\Classes*\ShellEx\CopyHookHandlers*
26 EXPLORER COPY HOOK HKLM Software\Wow6432Node\Classes*\ShellEx\CopyHookHandlers*
27 EXPLORER DRAG DROP HKCU HKLM Software\Classes*\ShellEx\DragDropHandlers*
28 EXPLORER DRAG DROP HKLM Software\Wow6432Node\Classes*\ShellEx\DragDropHandlers*
29 EXPLORER EXT SHELL FOLDER VIEW HKCU HKLM Software\Classes*\ShellEx\ExtShellFolderViews*
30 EXPLORER EXT SHELL FOLDER VIEW HKLM Software\Wow6432Node\Classes*\ShellEx\ExtShellFolderViews*
31 EXPLORER PROPERTY SHEET HKCU HKLM Software\Classes*\ShellEx\PropertySheetHandlers*
32 EXPLORER PROPERTY SHEET HKLM Software\Wow6432Node\Classes*\ShellEx\PropertySheetHandlers*
33 EXPLORER PROTOCOL FILTER HKCU HKLM Software\Classes\Protocols\Filter*\CLSID
34 EXPLORER PROTOCOL FILTER HKLM Software\Wow6432Node\Classes\Protocols\Filter*\CLSID
35 EXPLORER SHELL ICON OVERLAY HKCU HKLM Software\Classes*\ShellEx\ShellIconOverlayIdentifiers*
36 EXPLORER SHELL ICON OVERLAY HKLM Software\Wow6432Node\Classes*\ShellEx\ShellIconOverlayIdentifiers*
37 EXPLORER STARTMENUINTERNET HKCU HKLM Software\Clients\StartMenuInternet*\shell\open\command
38 EXPLORER STARTMENUINTERNET HKLM Software\Wow6432Node\Clients\StartMenuInternet*\shell\open\command
39 EXPLORER PROTOCOL HANDLER HKCU HKLM Software\Classes\Protocols\Handler*\CLSID
40 EXPLORER PROTOCOL HANDLER HKLM Software\Wow6432Node\Classes\Protocols\Handler*\CLSID
41 EXPLORER PROTOCOL HANDLER EXPLORER APPLICATION SHELL HKCU HKLM Software\Classes\Applications*\shell*
42 EXPLORER PROTOCOL HANDLER EXPLORER APPLICATION SHELL HKLM Software\Wow6432Node\Classes\Applications*\shell*
43 EXPLORER PROTOCOL HANDLER EXPLORER APPROVED SHELL EXTENSION HKCU HKLM Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved*
44 EXPLORER PROTOCOL HANDLER EXPLORER APPROVED SHELL EXTENSION HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved*
45 EXPLORER PROTOCOL HANDLER EXPLORER CTF LANGBARADDIN HKCU HKLM Software\Microsoft\Ctf\LangBarAddin*\Enable
46 EXPLORER PROTOCOL HANDLER EXPLORER DESKTOP COMPONENT HKCU SOFTWARE\Microsoft\Internet Explorer\Desktop\Components*\Source
47 EXPLORER PROTOCOL HANDLER EXPLORER NETWORK SHARING HANDLER HKLM SOFTWARE\Classes\Network\SharingHandler\
48 EXPLORER PROTOCOL HANDLER EXPLORER SHARED TASK SCHEDULER HKLM Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
49 EXPLORER PROTOCOL HANDLER EXPLORER SHARED TASK SCHEDULER HKLM Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
50 EXPLORER PROTOCOL HANDLER EXPLORER SHARED TASK SCHEDULER HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
51 EXPLORER PROTOCOL HANDLER EXPLORER SHARED TASK SCHEDULER HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
52 EXPLORER PROTOCOL HANDLER EXPLORER SHELLEXECUTE HOOK HKCU HKLM Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks*
53 EXPLORER PROTOCOL HANDLER EXPLORER SHELLEXECUTE HOOK HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks*
54 EXPLORER PROTOCOL HANDLER EXPLORER SHELLSERVICE OBJECT HKCU HKLM Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects*
55 EXPLORER PROTOCOL HANDLER EXPLORER SHELLSERVICE OBJECT HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects*
56 EXPLORER PROTOCOL HANDLER EXPLORER SHELLSERVICE OBJECT DELAYLOAD HKCU HKLM Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad*
57 EXPLORER PROTOCOL HANDLER EXPLORER SHELLSERVICE OBJECT DELAYLOAD HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad*
58 IMAGE HIJACK CMD AUTORUN HKCU HKLM Software\Microsoft\Command Processor\Autorun
59 IMAGE HIJACK CMD AUTORUN HKCU HKLM Software\Wow6432Node\Microsoft\Command Processor\Autorun
60 IMAGE HIJACK CMD STARTUP HKCU HKLM Software\Microsoft\Command Processor\Startup
61 IMAGE HIJACK CMD STARTUP HKCU HKLM Software\Wow6432Node\Microsoft\Command Processor\Startup
62 IMAGE HIJACK DEBUGGER HKLM Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
63 IMAGE HIJACK DEBUGGER HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
64 INTERNET EXPLORER BHO HKLM Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects*
65 INTERNET EXPLORER BHO HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects*
66 INTERNET EXPLORER DEFAULT ICON HKCU HKLM Software\Classes\CLSID{871C5380-42A0-1069-A2EA-08002B30309D}\shell\NoAddOns\Command\
67 INTERNET EXPLORER DEFAULT ICON HKCU HKLM Software\Wow6432Node\Classes\CLSID{871C5380-42A0-1069-A2EA-08002B30309D}\shell\NoAddOns\Command\
68 INTERNET EXPLORER EXPLORER BAR HKCU HKLM Software\Microsoft\Internet Explorer\Explorer Bars**
69 INTERNET EXPLORER EXPLORER BAR HKCU HKLM Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars**
70 INTERNET EXPLORER EXTENSION HKCU HKLM Software\Microsoft\Internet Explorer\Extensions**
71 INTERNET EXPLORER EXTENSION HKCU HKLM Software\Wow6432Node\Microsoft\Internet Explorer\Extensions**
72 INTERNET EXPLORER TOOLBAR HKCU HKLM Software\Microsoft\Internet Explorer\Toolbar**
73 INTERNET EXPLORER TOOLBAR HKCU HKLM Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar**
74 INTERNET EXPLORER URLSEARCHHOOK HKCU HKLM Software\Microsoft\Internet Explorer\UrlSearchHooks*
75 INTERNET EXPLORER URLSEARCHHOOK HKCU HKLM Software\Wow6432Node\Microsoft\Internet Explorer\UrlSearchHooks*
76 KNOWN DLL HKLM System\CurrentControlSet\Control\Session Manager\KnownDlls
77 LOGON HKLM Software\Microsoft\Windows CE Services\AutoStartOnConnect
78 LOGON HKLM Software\Microsoft\Windows CE Services\AutoStartOnDisconnect
79 LOGON HKLM Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib
80 LOGON HKLM Software\Microsoft\Windows NT\CurrentVersion\Windows\Logon
81 LOGON HKLM Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnConnect
82 LOGON HKLM Software\Wow6432Node\Microsoft\Windows CE Services\AutoStartOnDisconnect
83 LOGON HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib
84 LOGON HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Logon
85 LOGON ALTERNATE SHELL HKLM SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell
86 LOGON APPSETUP HKLM SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
87 LOGON GROUP POLICY SCRIPT HKCU HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logoff**\Script
88 LOGON GROUP POLICY SCRIPT HKCU HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon**\Script
89 LOGON GROUP POLICY SCRIPT HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Shutdown**\Script
90 LOGON GROUP POLICY SCRIPT HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup**\Script
91 LOGON GROUP POLICY SCRIPT HKCU HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Logoff**\Script
92 LOGON GROUP POLICY SCRIPT HKCU HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Logon**\Script
93 LOGON GROUP POLICY SCRIPT HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown**\Script
94 LOGON GROUP POLICY SCRIPT HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup**\Script
95 LOGON GROUP POLICY SCRIPT HKCU HKLM Software\Policies\Microsoft\Windows\System\Scripts\Logoff**\Script
96 LOGON GROUP POLICY SCRIPT HKCU HKLM Software\Policies\Microsoft\Windows\System\Scripts\Logon**\Script
97 LOGON GROUP POLICY SCRIPT HKLM Software\Policies\Microsoft\Windows\System\Scripts\Shutdown**\Script
98 LOGON GROUP POLICY SCRIPT HKLM Software\Policies\Microsoft\Windows\System\Scripts\Startup**\Script
99 LOGON RUN HKLM SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
100 LOGON RUN HKCU HKLM Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnceEx*
101 LOGON RUN HKCU HKLM Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce*
102 LOGON RUN HKCU HKLM Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run*
103 LOGON RUN HKCU HKLM Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*
104 LOGON RUN HKCU HKLM Software\Microsoft\Windows\CurrentVersion\RunOnceEx*
105 LOGON RUN HKCU HKLM Software\Microsoft\Windows\CurrentVersion\RunOnce*
106 LOGON RUN HKCU HKLM Software\Microsoft\Windows\CurrentVersion\RunServicesOnce*
107 LOGON RUN HKCU HKLM Software\Microsoft\Windows\CurrentVersion\RunServices*
108 LOGON RUN HKCU HKLM Software\Microsoft\Windows\CurrentVersion\Run*
109 LOGON RUN HKCU HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnceEx*
110 LOGON RUN HKCU HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce*
111 LOGON RUN HKCU HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run*
112 LOGON RUN HKCU HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*
113 LOGON RUN HKCU HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx*
114 LOGON RUN HKCU HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce*
115 LOGON RUN HKCU HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce*
116 LOGON RUN HKCU HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices*
117 LOGON RUN HKCU HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run*
118 LOGON SHELL HKCU HKLM Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
119 LOGON SHELL HKCU HKLM Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
120 LOGON TASKMAN HKLM SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
121 LOGON TERMINAL SERVER HKLM System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
122 LOGON USERINIT HKCU Environment\UserInitLogonScript
123 LOGON USERINIT HKCU Environment\UserInitMprLogonScript
124 LOGON USERINIT HKLM SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
125 LOGON USERINIT HKLM System\CurrentControlSet\Control\Session Manager\Environment\UserInitLogonScript
126 LOGON USERINIT HKLM System\CurrentControlSet\Control\Session Manager\Environment\UserInitMprLogonScript
127 LOGON VMAPPLET HKLM SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
128 LOGON ACTIVE SETUP HKCU HKLM Software\Microsoft\Active Setup\Installed Components*\StubPath
129 LOGON ACTIVE SETUP HKCU HKLM Software\Wow6432Node\Microsoft\Active Setup\Installed Components*\StubPath
130 LSA PROVIDER HKLM SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
131 LSA PROVIDER HKLM SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
132 LSA PROVIDER HKLM SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
133 LSA PROVIDER HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
134 NETWORK PROVIDER HKLM SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder
135 NETWORK PROVIDER HKLM SYSTEM\CurrentControlSet\Services*\NetworkProvider\ProviderPath
136 PRINT MONITOR HKLM SYSTEM\CurrentControlSet\Control\Print\Monitors*\Driver
137 SERVICE OR DRIVER HKLM SYSTEM\CurrentControlSet\Services*\ImagePath
138 SERVICE OR DRIVER HKLM SYSTEM\CurrentControlSet\Services*\Parameters\ServiceDll
139 SERVICE OR DRIVER HKLM SYSTEM\CurrentControlSet\Services*\Performance\Library
140 SERVICE OR DRIVER HKLM SYSTEM\CurrentControlSet\Services*\Type
141 WINLOGON HKCU Control Panel\Desktop\Scrnsave.exe
142 WINLOGON HKLM SYSTEM\Setup\CmdLine
143 WINLOGON HKCU Software\Microsoft\Windows NT\CurrentVersion\Windows\load
144 WINLOGON HKCU Software\Microsoft\Windows NT\CurrentVersion\Windows\run
145 WINLOGON HKLM Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDll
146 WINLOGON HKLM Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LsaStart
147 WINLOGON HKLM Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify*\DLLName
148 WINLOGON HKLM Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SaveDumpStart
149 WINLOGON HKLM Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ServiceControllerStart
150 WINLOGON HKLM Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
151 WINLOGON HKLM Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
152 WINLOGON HKLM Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters*
153 WINLOGON HKLM Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers*
154 WINLOGON HKLM Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers*
155 WINLOGON HKLM Software\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
156 WINLOGON HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDll
157 WINLOGON HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LsaStart
158 WINLOGON HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify*\DLLName
159 WINLOGON HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SaveDumpStart
160 WINLOGON HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ServiceControllerStart
161 WINLOGON HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\System
162 WINLOGON HKLM Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
163 WINLOGON HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters*
164 WINLOGON HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers*
165 WINLOGON HKLM Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers*
166 WINLOGON HKLM Software\Wow6432Node\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
167 WINLOGON HKLM System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
168 WINSOCK PROVIDER HKLM System\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL
169 WINSOCK PROVIDER HKLM System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64*\LibraryPath
170 WINSOCK PROVIDER HKLM System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries*\LibraryPath
171 WINSOCK PROVIDER HKLM System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64*\PackedCatalogItem
172 WINSOCK PROVIDER HKLM System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries*\PackedCatalogItem

 

On this page: