Startup Applications

Checking File/Directory Access

If we have full directory access or access, or FILE_ALL_ACCESS on a file that runs at startup, we can add/replace those with a malicious file to get a shell

Create the payload with msfvenom
Create a listener
Wait for the file to be executed

icacls.exe [file or directory]

Checking Registry Access

To check write access for the registry, AccessChk from Sysinternals is the best option:

AccessChk - SysinternalsMicrosoftLearn

accesschk.exe -k [Key_Path] [Username]

The startup applications in Windows can be stored in specific registry locations.

For applications that run at startup for all users, the registry paths are:
- HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
For applications that run at startup for the current user, the registry path is:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adding File to Run at Startup in Registry

For Current User (Run as Normal User):

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "MyApp" /t REG_SZ /F /D "C:\Path\To\Your\File.exe"

For All Users (Requires Admin):

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "MyApp" /t REG_SZ /F /D "C:\Path\To\Your\File.exe"

PreviousRunAs NextDDL Hijacking

Last updated 1 month ago

hashtagChecking File/Directory Access

hashtagChecking Registry Access

hashtagAdding File to Run at Startup in Registry

Checking File/Directory Access

Checking Registry Access

Adding File to Run at Startup in Registry