New startup registry key in Windows 10/11, NOT captured within autoruns

Rahat Sanghoi 1 Reputation point
2022-10-17T07:21:39.64+00:00

Hi All,
While researching the startup behavior of Windows Container (Windows Metro) Apps, like the ones installed through Microsoft Store or native to the system (Xbox, Phone, etc.),
I came across a new registry key location (different from the known standard Startup locations in HKCU/HKLM):

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData
  • This key evades detection within Autoruns/Autoruns64
  • The only references (based on what I could gather) to this key were the read/write ops within Procmon, or the Task Manager Startup tab

I used WhatsApp to create/install/remove startup behavior in my testing.

  • Attached 2 snips with the Procmon output and Autoruns search result


Since it's a non-standard startup registry key location, and DOES NOT show up in Autoruns, it will evade persistence detection from a lot of AV/EDRs that leverage Autoruns internally to enumerate persistence,
like CrowdStrike, Tanium, Defender ATP, etc.
So if exploited, this potentially could become a blind spot for security controls that rely on Autoruns.
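As an added example (not code from the original post): a small PowerShell inventory-and-diff for the per-user SystemAppData key described above, so that changes under it can be baselined and reviewed independently of Autoruns. Only the root key path comes from the post; the script walks whatever subkeys exist and assumes no particular subkey or value names.

```powershell
# Added example, not part of the original post. Inventories every value
# under the AppModel\SystemAppData key from the post and diffs it against
# a saved baseline. No subkey layout is assumed; everything is enumerated.
$SystemAppDataRoot = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData'

function Get-SystemAppDataInventory {
    param([string]$Root = $SystemAppDataRoot)
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Key not present: $Root"
        return
    }
    # One record per registry value: full key name, value name, data as text
    Get-ChildItem -LiteralPath $Root -Recurse | ForEach-Object {
        $key = $_
        foreach ($valueName in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $valueName
                Data  = [string]$key.GetValue($valueName)
            }
        }
    }
}

function Save-SystemAppDataBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)
    Get-SystemAppDataInventory |
        Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
}

function Compare-SystemAppDataBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)
    $baseline = @(Import-Csv -LiteralPath $BaselinePath)
    $current  = @(Get-SystemAppDataInventory)
    if ($baseline.Count -eq 0) {
        # Empty baseline: report everything currently present as new
        return $current | Select-Object @{n='SideIndicator';e={'=>'}}, Key, Value, Data
    }
    # '=>' = present now but not in baseline (new or changed data)
    # '<=' = present in baseline but gone now
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Key, Value, Data |
        Select-Object SideIndicator, Key, Value, Data
}

# Usage: take the baseline once, then re-run the comparison after
# installs or on a schedule and review every reported line.
# Save-SystemAppDataBaseline -BaselinePath "$env:USERPROFILE\sysappdata-baseline.csv"
# Compare-SystemAppDataBaseline -BaselinePath "$env:USERPROFILE\sysappdata-baseline.csv"
```

Binary values are rendered as space-separated byte text, which is enough for diffing even though it is not decoded.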


2 answers

  1. Ricardo Almada 5 Reputation points
    2024-02-26T15:41:46.04+00:00

    Thank you so much for this discovery! Try HiBit Startup Manager: https://www.hibitsoft.ir/StartupManager.html


  2. Klaus A 0 Reputation points
    2024-01-18T09:34:44.1566667+00:00

Thank you very much! Been searching for it for a while ;-)
