A forum for reverse engineering, OS internals and malware analysis 

 #15950  by Tigzy
 Thu Oct 11, 2012 10:21 am
Hello

I need to perform some operations at reboot (like file deletion, for example).
I saw this: http://www.bleepingcomputer.com/tutoria ... locations/
and wondered what would be the best and easiest way to restart my program automatically after a reboot.

I got a driver, but I don't know if it's possible to start a user-mode process from the kernel. I don't know if it's safe either.
I thought about the Winlogon key; which would be the best compromise?

What do you think about it?
 #15954  by Tigzy
 Thu Oct 11, 2012 6:20 pm
Yeah, that would be among the best practices for any program, but I was wondering about security software.
RunOnce is loaded after every system file, and after services. Among the operations to perform, there would be file moves and file deletions. I know that I should use the MoveAtReboot API, but I was wondering if there was a place in the startup sequence where system files are free to be replaced, where most drivers are free to be deleted, and so on.
What does Combofix do to be in a strategic position for file deletion? (It reboots the box and then opens its GUI right after logon and before the system has finished starting.)
 #15957  by EP_X0FF
 Fri Oct 12, 2012 4:54 am
Tigzy wrote: What does Combofix do to be in a strategic position for file deletion? (It reboots the box and then opens its GUI right after logon and before the system has finished starting.)
Hard to trace?
 #15963  by EP_X0FF
 Fri Oct 12, 2012 11:04 am
Tigzy wrote: But I don't know everything; I just asked to be sure there wasn't something less trivial.
Create a native application, set it in BootExecute and perform all the ops you need. Example: PageDefrag from Sysinternals.
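Because BootExecute runs native applications from Session Manager before any Win32 process exists, it is also a location a defender should audit. The following is an added example, not code from this thread or from any tool named in it: it parses the REG_MULTI_SZ value from a constructed sample blob (live read on Windows via winreg) and flags every entry that is not the stock "autocheck autochk *" line. The extra entry "myfixup.exe /cleanup" in the sample is hypothetical.

```python
"""Audit the Session Manager BootExecute value for non-default entries.

BootExecute is the REG_MULTI_SZ value under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager that smss.exe runs
as native applications before the Win32 subsystem is up. The stock value
is a single entry, "autocheck autochk *".
"""
import sys

BOOTEXECUTE_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
DEFAULT_ENTRIES = {"autocheck autochk *"}


def parse_multi_sz(raw: bytes) -> list[str]:
    """Decode a raw REG_MULTI_SZ blob: UTF-16LE strings separated by NUL,
    terminated by a double NUL. Tolerates a missing final terminator."""
    text = raw.decode("utf-16-le")
    return [s for s in text.split("\x00") if s]


def unexpected_entries(entries: list[str]) -> list[str]:
    """Return entries that are not the stock autochk line. Comparison is
    case-insensitive and whitespace-normalised; anything else is returned
    for review (a legitimate tool such as PageDefrag also shows up here)."""
    norm = {e.lower() for e in DEFAULT_ENTRIES}
    return [e for e in entries if " ".join(e.split()).lower() not in norm]


def read_live_bootexecute() -> list[str]:
    """Read the real value on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BOOTEXECUTE_KEY) as key:
        value, value_type = winreg.QueryValueEx(key, "BootExecute")
    return list(value) if value_type == winreg.REG_MULTI_SZ else []


# Constructed sample blob: the stock entry plus a hypothetical extra native app.
SAMPLE_BLOB = "autocheck autochk *\x00myfixup.exe /cleanup\x00\x00".encode("utf-16-le")

if __name__ == "__main__":
    entries = read_live_bootexecute() or parse_multi_sz(SAMPLE_BLOB)
    for e in unexpected_entries(entries):
        print("review:", e)
```

Entries listed for review are not verdicts; compare each against what your own tools (PageDefrag, an installer's pending-rename helper) are expected to register.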