Where Windows Malware Hides

7/28/2010 9:32:01 AM
After hackers or malware complete the initial exploit of a computer, their next step is to modify the system so that the malicious activity is hidden and so that they can regain access to the system at will.

To do this, the hacker or malware will modify Windows in one of five places:

  • Files

  • Folders

  • Registry keys

  • Applications

  • Other areas and tricks

I have documented over 145 different locations and tricks that malware and hackers will use to hide and regain system access. It is the most complete table of its kind. It contains nearly 100 registry keys that can be used maliciously, over 32 files, and over 14 folders. You can download the complete table at It is frequently updated. Table 1 shows some highlighted values pulled from the larger available table.

Table 1: Common Windows Locations Modified by Malware



Archive files

Malware can be hidden or launched from within archive file formats.

Auto-run application files

Malware can launch from any auto-running file associated with a particular application.

Embedded or linked files

Many applications and their file formats allow other document types to be embedded/executed.


Alternate Data Streams

Malware can hide itself in the Alternate Data Streams (ADS) of a Windows file.


Autorun file, runs commands or programs referenced by open= or shellexecute= after inserting (or choosing to Autoplay) media storage (CD-ROM discs).


Used to customize folder behavior. It is meant to allow users to customize folder appearance and behaviors, but can be used to hide files and auto-launch programs when referred-to folders are viewed.


Used to place static DNS resolution entries.

Non-printable characters in file name

Several computer defense programs (for example, antivirus) are unable to scan files that use non-printable or extended ASCII characters in the name.

Long path name trick or program.exe trick

If long path names with spaces in the name are not enclosed in quotes, many programs will attempt a systematic execution search that could lead to the wrong (possibly malicious) file being executed.

Internet shortcut trick to run local code.

Can be used to override HOSTS and DNS resolution

OLE2 document trick

OLE2-formatted documents will be opened in their correct associated application if no extension is chosen.

Protected file names (Lsass.exe, System, and so on)

Several program names, when running, cannot be killed in Task Manager, complicating removal.


%Windir%\Start Menu\Programs\Startup

Default Startup folders; any program or command listed in one of these folders will be automatically executed when the user logs on.


Recycle Bin's temporary storage location for deleted files and folders.

System, System32, %Windir%

Malware often writes itself to Windows system directories.

System Volume Information

Can be used by hackers or malware to hide malicious programs.


Lists Task Scheduler Tasks.

Temporary Internet Files

Malicious files are often stored/hidden in Internet Explorer's Temporary Internet Files (TIF) folder.


ActiveX control

Installed ActiveX control.

Defensively positioned dialog boxes

Malware often uses various programming "tricks" to cover up legitimate warning boxes or to trick the user into accepting a command that allows malware to enter the system when it otherwise shouldn't.

Executable pathway

The PATH statement determines which paths the OS should try if a file is not found in the default directory it was called from (i.e., Frog.exe vs. C:\Program Files\Frog.exe).

Hidden files

Hidden (or system) files/folders will not appear to casual searches.

Layered Service Provider (LSP)

Malware can insert itself as an LSP program, which can intercept any network traffic heading into and out of a PC.

Task Scheduler

Will run listed programs and commands.

Unusual folder/file names

Hackers and malware often use unusual names to hide malicious files and folders.

URL Monikers

URL Monikers can be added to Internet Explorer to load associated programs when a particular keyword is typed.



Real file extensions can be hidden.

HKCU\Software\Microsoft\Internet Explorer\SearchURL

Redirects any URLs typed in Internet Explorer to defined URL.


HKLM\Software\Internet Explorer\Extensions

Adware/spyware can add buttons to IE that connect directly to malicious programs and scripts.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

Runs commands or programs after user logs on.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

Runs commands or programs after user logs on.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Runs commands or programs after user logs on.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System

Runs programs after user logs on.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

Runs programs in Task Manager after user logs on.


Runs programs after user logs on, when Windows default shell (explorer.exe) runs for the first time during every logon.


Runs programs or commands after user logs on.


Runs programs or commands after user logs on for the first time only after the key is created.


Runs commands or programs after user logs on, although typically points to the CLSID of the associated .DLL file. Links programs to explorer.exe process.


Can be modified to run additional commands or programs when a particular file type is executed.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL

Loads Windows logon user interface, loaded interface passes interactive user's logon credentials to Winlogon.exe.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Specifies the programs that Winlogon runs when a user logs on.


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Programs are loaded when Internet Explorer loads; programs loaded are also known as Add-Ins.


Task scheduler programs that are launched when Windows starts.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Determines location of Startup folders (i.e., Startup programs) and other common folders (for example, My Documents, My Favorites) for All Users profile.


Contains the list of the COM objects, listed by GUID, that trap execute commands.


Runs programs or commands after user logs on, in a controlled order. Runs listed value each time any user logs on until a user with admin permissions to registry key logs on; then it deletes the value after running.


Runs service after bootup prior to user logging on.


Runs service once after bootup prior to user logging on, and then deletes itself.


Used by Windows to determine what programs, services, and drivers are loaded in a Safe mode boot.

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PathExt

Determines what file extensions are tried if program name is typed in without an extension (i.e., Frog vs. Frog.exe).


Will load program as service (i.e., prior to user being logged in).


Malware can add itself as an Outlook Add-in and manipulate incoming or outgoing e-mail.


HKCU\Identities\\Software\Microsoft\Outlook Express\\Signatures

Malware can add a malicious script to Outlook Express e-mail signatures that retrieves malware automatically when opened by recipient.


Adds any string value as a prefix for any URL typed in the browser, effectively redirecting all typed in URLs to an unauthorized Web site first.


Can be used to point to a new, unauthorized HOSTS file instead of the HOSTS file in the normal location (i.e., \%SystemRoot%\Drivers\Etc).


Sets overall TCP/IP communications values including DHCP, DNS, and TCP/IP stack. These values are used unless a specific value is set under the \Interfaces subkeys on a particular interface.
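The "long path name trick" row in Table 1 can be audited mechanically. The following is an added example, not part of the original article: it lists, for each unquoted auto-start command line, the files Windows would try before the intended program, so those paths can be checked for existence and the entry corrected by quoting it. The entry names, paths, and the set of executable extensions are assumptions made for illustration.

```python
import ntpath  # Windows path semantics, usable on any OS

EXEC_EXTS = (".exe", ".com", ".bat", ".cmd")  # assumed set of launchable extensions

def search_candidates(command_line):
    """List the files Windows would try before the intended program.

    Applies to an unquoted command line whose path contains spaces; returns []
    when the command is quoted or there is nothing ambiguous to try.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        return []
    tokens = cmd.split(" ")
    earlier = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(EXEC_EXTS):
            return earlier  # reached the intended program
        # Each space is treated as a possible end of the program name;
        # ".exe" is appended when the last component has no extension.
        earlier.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return []  # no executable extension found: cannot tell where the path ends

def audit(entries):
    """Map entry name -> paths that must not exist, for ambiguous commands only."""
    return {name: c for name, cmd in entries.items() if (c := search_candidates(cmd))}

# Constructed sample of auto-start command lines (hypothetical names and paths).
SAMPLE = {
    "FrogUpdater": r"C:\Program Files\Frog App\frog.exe -update",
    "FrogQuoted": r'"C:\Program Files\Frog App\frog.exe" -update',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}

if __name__ == "__main__":
    for name, paths in audit(SAMPLE).items():
        print(name, "is unquoted; Windows would first try:", paths)
```

Any flagged entry should be rewritten with the program path in quotes, and the listed paths checked for files that should not be there.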

Microsoft has worked hard to make most of these areas less vulnerable in Windows Vista. You can run many different utilities to determine whether programs are launching from the areas listed in Table 1 or from the larger list of items in its parent table. Sysinternals' Autoruns is probably the best all-around utility for listing and removing programs from these areas. Sysinternals was purchased by Microsoft in July 2006. Andrew Aronoff's Silentrunner.vbs script can locate even more launching programs than Autoruns, but isn't as user-friendly for removing them.
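As a small-scale illustration of what such utilities check, the following added example (not code from the article, Autoruns, or Silentrunner.vbs) parses the text output of `reg query` for two keys from Table 1 and reports values that differ from a baseline. The baseline values are assumed typical defaults and should be adjusted for the Windows build being audited; the sample output is constructed.

```python
import re

WINLOGON = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINDOWS = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"

# Assumed clean baseline; None means the value should be absent or empty.
BASELINE = {
    (WINLOGON, "Shell"): "explorer.exe",
    (WINLOGON, "Userinit"): r"C:\Windows\system32\userinit.exe,",
    (WINLOGON, "Taskman"): None,
    (WINLOGON, "GinaDLL"): None,
    (WINDOWS, "load"): None,
    (WINDOWS, "run"): None,
}
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_\w+)(?: {4}(.*))?$")

def parse_reg_query(text):
    """Parse `reg query` output into {(key, value name): data}, names lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            hive, _, rest = line.strip().partition("\\")
            key = HIVES.get(hive.lower(), hive.lower()) + "\\" + rest.lower()
        elif key and (m := VALUE_RE.match(line)):
            values[(key, m.group(1).lower())] = (m.group(3) or "").strip()
    return values

def deviations(values):
    """Return (key, value name, actual data) for each value that differs from BASELINE."""
    findings = []
    for (key, name), expected in BASELINE.items():
        actual = values.get((key.lower(), name.lower()), "")
        if actual.lower() != (expected or "").lower():
            findings.append((key, name, actual))
    return findings

SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe, C:\example\constructed.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    AutoRestartShell    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    run    REG_SZ    C:\example\constructed.exe
"""  # constructed sample, not captured from a real host

if __name__ == "__main__":
    for key, name, actual in deviations(parse_reg_query(SAMPLE)):
        print(f"{key}\\{name} = {actual!r}")
```

The input should cover both keys, because a missing Shell or Userinit value is reported as a deviation.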
