Where Windows Malware Hides

When hackers or malware accomplish the initial exploit of a computer, the next thing they do is modify the system so that the malicious activity stays hidden and so that they can re-access the system at will.

To do this, the hacker or malware will modify Windows in one of five places:

  • Files

  • Folders

  • Registry keys

  • Applications

  • Other areas and tricks

I have documented over 145 different locations and tricks that malware and hackers use to hide and regain system access. It is the most complete table of its kind: it contains nearly 100 registry keys that can be used maliciously, over 32 files, and over 14 folders. You can download the complete table at [link not preserved]; it is frequently updated. Table 1 shows some highlighted entries pulled from the larger table.

Table 1: Common Windows Locations Modified by Malware

Entries are listed as the location (file, folder, application area, or registry key) followed by what it does or how it is abused. Where the location name did not survive extraction, it is marked [location not preserved].

Files

Archive files
    Malware can be hidden in, or launched from within, archive file formats.

Auto-run application files
    Malware can launch from any auto-running file associated with a particular application.

Embedded or linked files
    Many applications and their file formats allow other document types to be embedded or executed.

Alternate Data Streams
    Malware can hide itself in the Alternate Data Streams (ADS) of a Windows file.

[location not preserved]
    Autorun file; runs the commands or programs referenced by open= or shellexecute= after storage media (for example, a CD-ROM disc) is inserted or Autoplay is chosen.

[location not preserved]
    Used to customize folder behavior. It is meant to let users customize folder appearance and behavior, but it can be used to hide files and auto-launch programs when the referred-to folders are viewed.

[location not preserved]
    Used to place static DNS resolution entries.

Non-printable characters in file name
    Several computer defense programs (for example, antivirus) are unable to scan files whose names contain non-printable or extended ASCII characters.

Long path name trick or program.exe trick
    If a long path name containing spaces is not enclosed in quotes, many programs will perform a systematic execution search that can lead to the wrong file (possibly a malicious one) being executed.

Internet shortcut trick to run local code
    [description not preserved]

[location not preserved]
    Can be used to override HOSTS and DNS resolution.

OLE2 document trick
    OLE2-formatted documents are opened in their correct associated application even when no file extension is given.

Protected file names (Lsass.exe, System, and so on)
    Several program names, while running, cannot be killed from Task Manager, which complicates removal.

Folders

[location not preserved]; %Windir%\Start Menu\Programs\Startup
    Default Startup folders; any program or command placed in one of these folders is executed automatically when the user logs on.

[location not preserved]
    Recycle Bin's temporary storage location for deleted files and folders.

System, System32, %Windir%
    Malware often writes itself to the Windows system directories.

System Volume Information
    Can be used by hackers or malware to hide malicious programs.

[location not preserved]
    Lists Task Scheduler tasks.

Temporary Internet Files
    Malicious files are often stored or hidden in Internet Explorer's Temporary Internet Files (TIF) folder.

Applications and other tricks

ActiveX control
    Installed ActiveX control.

Defensively positioned dialog boxes
    Malware often uses programming "tricks" to cover up legitimate warning boxes or to trick the user into accepting a command that lets malware enter the system when it otherwise should not.

Executable pathway
    The PATH statement determines which directories the OS searches when a file is not found in the directory it was called from (for example, Frog.exe vs. C:\Program Files\Frog.exe).

Hidden files
    Hidden (or system) files and folders do not appear in casual searches.

Layered Service Provider (LSP)
    Malware can insert itself as an LSP program, which can intercept any network traffic heading into or out of a PC.

Task Scheduler
    Runs the listed programs and commands.

Unusual folder/file names
    Hackers and malware often use unusual names to hide malicious files and folders.

URL Monikers
    URL Monikers can be added to Internet Explorer to load associated programs when a particular keyword is typed.

[location not preserved]
    Real file extensions can be hidden.

Registry keys

HKCU\Software\Microsoft\Internet Explorer\SearchURL
    Redirects any URL typed in Internet Explorer to a defined URL.

HKLM\Software\Internet Explorer\Extensions
    Adware/spyware can add buttons to IE that connect directly to malicious programs and scripts.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
    Runs commands or programs after the user logs on.

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
    Runs commands or programs after the user logs on.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    Runs commands or programs after the user logs on.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
    Runs programs after the user logs on.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
    Runs programs in Task Manager after the user logs on.

[location not preserved]
    Runs programs after the user logs on, when the Windows default shell (explorer.exe) runs for the first time during each logon.

[location not preserved]
    Runs programs or commands after the user logs on.

[location not preserved]
    Runs programs or commands after the user logs on, but only the first time after the key is created.

[location not preserved]
    Runs commands or programs after the user logs on, although it typically points to the CLSID of the associated .DLL file. Links programs to the explorer.exe process.

[location not preserved]
    Can be modified to run additional commands or programs when a particular file type is executed.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
    Loads the Windows logon user interface; the loaded interface passes the interactive user's logon credentials to Winlogon.exe.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Specifies the programs that Winlogon runs when a user logs on.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    Programs loaded when Internet Explorer loads; these programs are also known as Add-Ins.

[location not preserved]
    Task Scheduler programs that are launched when Windows starts.

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Determines the location of the Startup folders (that is, startup programs) and other common folders (for example, My Documents, My Favorites) for the All Users profile.

[location not preserved]
    Contains the list of COM objects, listed by GUID, that trap execute commands.

[location not preserved]
    Runs programs or commands after the user logs on, in a controlled order. Runs the listed value each time any user logs on until a user with admin permissions to the registry key logs on; then it deletes the value after running it.

[location not preserved]
    Runs a service after boot, before the user logs on.

[location not preserved]
    Runs a service once after boot, before the user logs on, and then deletes itself.

[location not preserved]
    Used by Windows to determine which programs, services, and drivers are loaded in a Safe Mode boot.

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\PathExt
    Determines which file extensions are tried when a program name is typed without an extension (for example, Frog vs. Frog.exe).

[location not preserved]
    Loads a program as a service (that is, before a user logs on).

[location not preserved]
    Malware can add itself as an Outlook Add-in and manipulate incoming or outgoing e-mail.

HKCU\Identities\\Software\Microsoft\Outlook Express\\Signatures
    Malware can add a malicious script to Outlook Express e-mail signatures that retrieves malware automatically when the message is opened by the recipient.

[location not preserved]
    Adds any string value as a prefix to any URL typed in the browser, effectively redirecting all typed URLs to an unauthorized Web site first.

[location not preserved]
    Can be used to point to a new, unauthorized HOSTS file instead of the HOSTS file in its normal location (that is, \%SystemRoot%\Drivers\Etc).

[location not preserved]
    Sets overall TCP/IP communication values, including DHCP, DNS, and TCP/IP stack settings. These values are used unless a specific value is set under the \Interfaces subkeys for a particular interface.
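The file- and folder-level tricks in Table 1 (alternate data streams, non-printable characters in names, hidden executables, unquoted long path names, and autorun.inf) can be swept for with a short script. The following is an added example written for this page; it is not code from the original article. It assumes Windows PowerShell 5.1 or PowerShell 7 on a Windows host, and the function name Find-FileHidingTricks, the $Root default, and the executable-extension list are choices made for this example.

```powershell
# Added example (not from the original article): sweep a directory tree and the
# service list for the file- and folder-level hiding tricks listed in Table 1.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on a Windows host. The function
# name, the $Root default and the extension list are this example's own choices.
function Find-FileHidingTricks {
    param([string]$Root = $env:USERPROFILE)

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Path, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Path = $Path; Detail = $Detail })
    }

    # -Force includes hidden and system items: the "Hidden files" trick relies on
    # casual listings skipping exactly those.
    $items    = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
    $execExt  = @('.exe', '.dll', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.ps1')
    $hideBits = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

    foreach ($item in $items) {
        # Non-printable or extended characters in a name. Legitimate non-ASCII
        # names are flagged too, so treat this as a review list, not a verdict.
        if ($item.Name -match '[^\x20-\x7E]') {
            $codes = $item.Name.ToCharArray() |
                Where-Object { $_ -notmatch '[\x20-\x7E]' } |
                ForEach-Object { 'U+{0:X4}' -f [int]$_ }
            Add-Finding 'NonPrintableName' $item.FullName ('code points: ' + ($codes -join ' '))
        }
        if ($item.PSIsContainer) { continue }

        # Alternate Data Streams: anything beyond the default ::$DATA stream.
        # Zone.Identifier is the Mark-of-the-Web on downloaded files and is
        # expected; drop it from the filter to list it as well.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notin @(':$DATA', 'Zone.Identifier') } |
            ForEach-Object {
                Add-Finding 'AlternateDataStream' $item.FullName ("stream '$($_.Stream)', $($_.Length) bytes")
            }

        # Executable file carrying the Hidden or System attribute.
        if ($item.Extension -in $execExt -and (($item.Attributes -band $hideBits) -ne 0)) {
            Add-Finding 'HiddenExecutable' $item.FullName "attributes: $($item.Attributes)"
        }
    }

    # Unquoted service image paths containing spaces (the long path name trick):
    # the loader tries C:\Program.exe, then C:\Program Files\Some.exe, ... first.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName -or $svc.PathName.StartsWith('"')) { continue }
        $exePart = ($svc.PathName -split '\.exe', 2)[0]   # text before the first .exe
        if ($exePart -match '\s') {
            Add-Finding 'UnquotedServicePath' $svc.Name $svc.PathName
        }
    }

    # autorun.inf at a drive root: report its open= and shellexecute= lines,
    # since those name what Autoplay would run.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
            $lines = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }
            Add-Finding 'AutorunInf' $inf ($lines -join '; ')
        }
    }
    return $findings
}

Find-FileHidingTricks | Sort-Object Check | Format-Table -AutoSize -Wrap
```

Run it as a user who can read the tree you point it at; pass a narrower -Root (for example a downloads folder) when a full-profile sweep is too slow, because Get-Item -Stream is called once per file. Every check produces review candidates rather than verdicts: a Unicode file name or a vendor's unquoted service path are findings to explain, not proof of compromise.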

Microsoft has worked hard to make most of these areas less vulnerable in Windows Vista. You can run many different utilities to determine whether programs are launching from the areas listed in Table 1 or from the larger list of items in its parent table. Sysinternals' Autoruns [link not preserved] is probably the best all-around utility for listing and removing programs from these areas. Sysinternals was purchased by Microsoft in July 2006. Andrew Aronoff's Silentrunner.vbs script [link not preserved] can locate even more launching programs than Autoruns, but it is not as user-friendly for removing them.
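For the registry launch points in Table 1 specifically, a lightweight Autoruns-style sweep is easy to script, which is useful when a full Autoruns run is not an option or when you want a baseline comparison rather than a listing. The script below is an added example written for this page; it is not code from the original article and not Sysinternals code. It assumes Windows PowerShell 5.1 or PowerShell 7 with rights to read HKLM; the function name Get-RegistryLaunchPoints and the "expected on a clean system" baseline values are this example's own choices (the Run and RunOnce keys, whose names did not survive in the table above, are included under their standard paths).

```powershell
# Added example (not from the original article, not Sysinternals code): a small
# Autoruns-style sweep of registry launch points from Table 1. Winlogon and
# Windows\load/run values are compared against what a clean system carries.
# Assumes Windows PowerShell 5.1 or PowerShell 7 with read access to HKLM.
function Get-RegistryLaunchPoints {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Location, $Value, $Status) {
        $results.Add([pscustomobject]@{ Location = $Location; Value = $Value; Status = $Status })
    }
    # Returns the named value as a string, or $null when key or value is absent.
    function Read-Value($Key, $Name) {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($item) { [string]$item.$Name } else { $null }
    }

    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $hkcuWin  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    # Baseline chosen for this example: an empty Expected means "absent or blank
    # on a clean system". GinaDLL is absent on Vista and later; Userinit normally
    # ends with a trailing comma, which is trimmed before comparison.
    $baseline = @(
        @{ Key = $winlogon; Name = 'Shell';    Expected = 'explorer.exe' },
        @{ Key = $winlogon; Name = 'Userinit'; Expected = "$env:SystemRoot\system32\userinit.exe" },
        @{ Key = $winlogon; Name = 'System';   Expected = '' },
        @{ Key = $winlogon; Name = 'Taskman';  Expected = '' },
        @{ Key = $winlogon; Name = 'GinaDLL';  Expected = '' },
        @{ Key = $hkcuWin;  Name = 'load';     Expected = '' },
        @{ Key = $hkcuWin;  Name = 'run';      Expected = '' }
    )
    foreach ($b in $baseline) {
        $actual = Read-Value $b.Key $b.Name
        $norm   = if ($actual) { $actual.Trim().TrimEnd(',') } else { '' }
        $status = if ($norm -eq $b.Expected) { 'baseline' } else { 'REVIEW: differs from default' }
        Add-Result "$($b.Key)\$($b.Name)" $actual $status
    }

    # Every value under these keys is a launch entry; list them all for review.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')) { continue }
            Add-Result "$key\$($p.Name)" $p.Value 'launch entry'
        }
    }

    # Browser Helper Objects are registered by CLSID; resolve each to its DLL.
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $dll   = Read-Value "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" '(default)'
        Add-Result "$bhoKey\$clsid" $dll 'BHO'
    }

    # PATHEXT: an extra extension here widens what a bare name like "Frog" can resolve to.
    $pathext = Read-Value 'HKLM:\System\CurrentControlSet\Control\Session Manager\Environment' 'PATHEXT'
    $known   = @('.COM', '.EXE', '.BAT', '.CMD', '.VBS', '.VBE', '.JS', '.JSE', '.WSF', '.WSH', '.MSC')
    $extra   = ($pathext -split ';') | Where-Object { $_ -and ($_ -notin $known) }
    $pstatus = if ($extra) { "REVIEW: extra extensions $($extra -join ' ')" } else { 'baseline' }
    Add-Result 'PATHEXT' $pathext $pstatus

    # Where the All Users Startup folder actually lives (it can be redirected).
    $common = Read-Value 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' 'Common Startup'
    Add-Result 'Shell Folders\Common Startup' $common 'startup folder location'

    return $results
}

Get-RegistryLaunchPoints | Format-Table -AutoSize -Wrap
```

The value of the baseline rows is that they turn "what is here?" into "what differs from a clean install?", which is the question an incident responder actually asks about Shell, Userinit and the Windows\load and run values. Entries marked "launch entry" and "BHO" still need a human (or a hash lookup) to decide whether the referenced binary belongs there; the script deliberately does not judge them.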
