科技回声: a tech news platform built on Next.js, mirroring global tech news and discussion threads.
Embedding an EXE inside a .REG file with automatic execution

205 points, by liberia, almost 3 years ago

9 comments

rwmj, almost 3 years ago

Why doesn't he keep the encoded .exe as an adjacent registry key, and have the powershell script open that key, decode the content and run it?

Anyway once you've persuaded the user to import a .reg file as administrator, it's game over. There are so many registry entries with exploitable possibilities. (It's similar to persuading a Linux user to unpack a tarball over /etc)

While I'm here...

hivex is a Linux library for accessing and modifying the Windows registry (https://github.com/libguestfs/hivex), and virt-win-reg is a Linux tool for modifying the registry of a VM (https://libguestfs.org/virt-win-reg.1.html). After many hours discovering how the registry works to write those, I also wrote this about why the registry sucks: https://rwmj.wordpress.com/2010/02/18/why-the-windows-registry-sucks-technically/
Comment #32274479 not loaded
Comment #32269833 not loaded
Comment #32269928 not loaded
Comment #32269683 not loaded
Comment #32269637 not loaded
marcodiego, almost 3 years ago

In my (admittedly biased) view, microsoft sacrificed security in the name of "usability". The problem is with what they considered "usability". It looks like in their view, "ease of use" simply meant "keep it working the way users are used to". This created many bad habits in windows users: always clicking next, installing software from untrusted sources, hiding extensions of files, the need for the user to install drivers after plugging in a device, use of administrator rights even for simple tasks, rebooting the computer to make something work, periodically reinstalling the OS to make it faster.... and many other behaviors that are very very strange for people who don't use windows.

The other problem it created is that windows users expect things to be like that. Even if something is better they will have difficulty using it if it is different from how windows users are used to. Certainly this helps to keep windows market share while making everybody pay a hefty price.

I'd bet if it wasn't because of android, ios and smart tv's; because they are different enough from what users think a "computer" is; windows users would expect a port to connect some form of media for software installation on these devices.

These habits afflict even power users, developers and administrators. Just consider how long windows lived without a reasonably powerful command line. I was more than once looked down upon by "windows experts" because for them, using a command line like is commonly done on linux is a "thing of the past".

People should learn some windows behaviors are not normal. Your computer shouldn't get slower over time, installing software from untrusted sources is not normal, an extension is part of the name of a file and it should not be hidden, using the computer as administrator should be reserved for administrator tasks only, your desktop area is not /tmp/, drivers belong to the kernel and devices should work as soon as they are plugged in, the command line is not a thing of the past...

We are all paying the price for not killing these myths.
Comment #32270845 not loaded
Comment #32271241 not loaded
Comment #32270305 not loaded
Comment #32270959 not loaded
Comment #32272626 not loaded
Comment #32273274 not loaded
Comment #32270231 not loaded
Comment #32270280 not loaded
Comment #32270159 not loaded
Comment #32270100 not loaded
Comment #32270888 not loaded
kekebo, almost 3 years ago

The (base64-encoded) binary can even be stored directly in the Registry: https://twitter.com/tenrobots/status/1552179803121258496

Comment #32270771 not loaded
Dwedit, almost 3 years ago

"RunOnce" isn't even the preferred way to run EXEs with RegEdit.

See "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options". That stuff there is very powerful and scary. You can even use this feature to stop the Windows Telemetry from running.
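The comments from rwmj (a Run/RunOnce entry whose PowerShell command decodes an executable stored in an adjacent key), kekebo (the base64 binary stored directly in the registry) and Dwedit (Image File Execution Options) all describe what such a .reg file has to contain, which is also what a reviewer can look for before the file is ever imported. The following Python script is an added example for this thread, not code from the original post or from any of the commenters: it parses the subset of the .reg text format needed here and flags values under autorun keys, an IFEO "Debugger" value, encoded PowerShell launch lines, and values that look like an embedded PE image or an unusually large blob. The key patterns, the 2 KiB blob threshold, the sample .reg text and the paths in it are all constructed assumptions.

```python
"""Pre-import scan of a .reg file for persistence-style entries.

Added example for this thread (not code from the original post). Parses the
subset of the REGEDIT5 text format needed here and flags:
  - values under Run/RunOnce autorun keys,
  - an Image File Execution Options "Debugger" value,
  - command lines that launch PowerShell with an encoded command,
  - values holding an embedded PE image or an unusually large blob.
Key patterns, the blob threshold and the sample file are assumptions.
"""
import re

# Autorun locations (assumed list; matched case-insensitively on the key path).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?(Ex)?$", re.I)
IFEO_KEY = re.compile(r"\\Image File Execution Options\\[^\\]+$", re.I)
# PowerShell invoked with one of its encoded-command switches.
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)
# The DOS header bytes "MZ\x90\x00" base64-encode to a string beginning "TVqQ".
PE_BASE64 = re.compile(r"(?<![A-Za-z0-9+/])TVqQ")
BLOB_THRESHOLD = 2048  # assumed: values this large deserve a look


def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}} from .reg text.

    Handles "..." strings, dword:, and hex/hex(n): byte lists, including the
    trailing-backslash continuation lines regedit writes for long values.
    """
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith((";", "Windows Registry", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):  # join continuation lines
            line = line[:-1] + lines[i].strip()
            i += 1
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        raw = m.group(2)
        if raw.startswith('"'):
            keys[current][name] = ("REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
        elif raw.lower().startswith("hex"):
            typ, _, hexdata = raw.partition(":")
            keys[current][name] = (typ.upper(), bytes.fromhex(hexdata.replace(",", "")))
        elif raw.lower().startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(raw[6:], 16))
        else:
            keys[current][name] = ("UNKNOWN", raw)
    return keys


def as_text(typ, data):
    """String view of a value: REG_SZ as-is, hex(2)/hex(7) decoded as UTF-16LE."""
    if isinstance(data, str):
        return data
    if typ in ("HEX(2)", "HEX(7)"):
        return data.decode("utf-16-le", "ignore").rstrip("\x00")
    return ""


def scan_reg(text):
    """Return a list of (key_path, value_name, reason) findings."""
    findings = []
    for key, values in parse_reg(text).items():
        for name, (typ, data) in values.items():
            s = as_text(typ, data)
            if RUN_KEY.search(key):
                findings.append((key, name, "autorun entry (Run/RunOnce)"))
            if IFEO_KEY.search(key) and name.lower() == "debugger":
                findings.append((key, name, "IFEO Debugger redirection"))
            if ENCODED_PS.search(s):
                findings.append((key, name, "encoded PowerShell launcher"))
            if (isinstance(data, bytes) and data.startswith(b"MZ")) or PE_BASE64.search(s):
                findings.append((key, name, "embedded executable (PE header)"))
            elif isinstance(data, (str, bytes)) and len(data) >= BLOB_THRESHOLD:
                findings.append((key, name, "large opaque blob"))
    return findings


# Constructed sample .reg file: one benign key plus the shapes discussed in the
# thread. Paths, names and the truncated base64 blob are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]
"Theme"="dark"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="powershell.exe -nop -w hidden -enc AAAA"
"Stage2"=hex(2):70,00,6f,00,77,00,65,00,72,00,73,00,68,00,65,00,6c,00,6c,00,\
  20,00,2d,00,65,00,20,00,41,00,41,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Users\\Public\\stage.exe"

[HKEY_CURRENT_USER\Software\ExampleVendor\Blob]
"Payload"="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAA"
'''

if __name__ == "__main__":
    for key, name, reason in scan_reg(SAMPLE_REG):
        print(f"{reason:32} {key}\\{name}")
```

Run it against a file with `scan_reg(open(path, encoding="utf-16").read())` (regedit exports are UTF-16 with a BOM; the sample above is plain text for simplicity). The benign `Theme` value produces no finding; the `Stage2` value shows why the parser joins continuation lines before decoding, since the `powershell -e` launcher only becomes visible once the hex(2) bytes are reassembled and read as UTF-16LE.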
bilekas, almost 3 years ago

This has been known for a long while.

I'm not sure of the purpose - probably just for fun, but as an attack vector without a 0day in pdf for example, to me at least it wouldn't be too effective.

I've always been fascinated though and have been playing around with images with an executable inside that could be triggered through the browser that you're on. I have played with a personal chromium build where it 'kind of' happens, but I digress.

Interesting article - I just don't see a patch coming for it anytime soon.
HEI-Points, almost 3 years ago

• administrator privileges are required

• the main payload doesn't execute until the next reboot

still an impressive demo
redbell, almost 3 years ago

I admire this type of content where the creator takes some concepts we [all] use and understand, then combines them in a specific but new way, adds some tweaks and gets some never-seen results.

Here is another experience that, as a Windows developer, blew my mind for a while: https://www.youtube.com/watch?v=ExwqNreocpg
t00, almost 3 years ago

There surely is a better way to launch an exe having access to the registry, even if it is just HKEY_CURRENT_USER. Some directory handler or file handler, GUID for launching an exe when the desktop is shown etc.

Does anyone know more about alternatives to Run/RunOnce to start an exe? Or maybe, let's leave it for the reader to investigate...
Mandatum, almost 3 years ago

Any company that allows .reg files to be executed by non-admin users has bigger fish to fry. This method has been used for literally decades.