
Tuesday 26 July 2011

ShellServiceObjectDelayLoad


Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

Instead of pointing to the DLL itself, the value holds a CLSID. The DLL that actually gets loaded is named by that class's InProcServer32 subkey under HKEY_CLASSES_ROOT\CLSID (its default value is the DLL path), so the value only makes sense if the CLSID is registered.


Windows Registry Editor Version 5.00


[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}]
@="WebCheck"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\Windows\\System32\\webcheck.dll"
"ThreadingModel"="Apartment"

The trouble is that on Windows 7 the CLSID {E6FB5E20-DE35-11CF-9C87-00AA005127ED} itself doesn't exist, and with it its InProcServer32.
If we look for {E6FB5E20-DE35-11CF-9C87-00AA005127ED} in
[HKEY_CLASSES_ROOT\CLSID\] we won't find it.
So, where did it go?



Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00C6D95F-329C-409a-81D7-C46C66EA7F33}"=""
"{80009818-f38f-4af1-87b5-eadab9433e58}"="MF ADTS Property Handler"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler" <<<< This is interesting !!!
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck" <<<< Here we have our "old" CLSID
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"


So let's check out "{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED}]
@="WebCheckWebCrawler"

[HKEY_CLASSES_ROOT\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\Windows\\System32\\webcheck.dll" <<<< There we have it !!!!
"ThreadingModel"="Apartment"


So the DLL is still there: on Windows 7, webcheck.dll is registered under a different CLSID, which is why we couldn't find it in its "old" place. The ShellServiceObjectDelayLoad value itself, however, still references the old CLSID, which no longer resolves under HKEY_CLASSES_ROOT\CLSID.
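The lookup done by hand above (ShellServiceObjectDelayLoad value -> CLSID -> InProcServer32 -> DLL on disk) is the same check you want to run over every entry in that key, because Explorer loads whatever CLSID is listed there at logon. The following script is an added example, not code from the original post; it assumes an elevated PowerShell 3 or later on Windows, that the Wow6432Node keys are present only on 64-bit Windows (they are skipped when absent), and that the 64-bit explorer.exe reads the native key while the Wow6432Node key only matters to 32-bit hosts. It reports each entry as OK, MISSING (CLSID registered but DLL not on disk) or ORPHAN (no CLSID key at all, as with WebCheck here). Because HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes in which the per-user registration wins, an orphaned CLSID is exactly what a per-user COM registration could fill in, so the script checks HKCU first and says so.

```powershell
# Added example, not code from the original post: resolve each ShellServiceObjectDelayLoad
# (SSODL) value to the DLL Explorer would load, the way the post does by hand above.
# Assumptions (mine): Windows with PowerShell 3+, run elevated so every key is readable;
# the Wow6432Node keys exist only on 64-bit Windows and are skipped if absent.

$ssodlKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',            # native view, read by 64-bit explorer.exe
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad' # 32-bit view
)

# HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, and a
# per-user CLSID registration wins, so check HKCU first: that is where a per-user
# registration of an orphaned CLSID (a COM hijack) would be planted.
$classRoots = @(
    'HKCU:\Software\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

$approvedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
)

# Provider metadata that Get-ItemProperty adds to every result; these are not registry values.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-DefaultValue([string]$Key) {
    # The unnamed default value of a key is exposed as a property called "(default)".
    (Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue).'(default)'
}

function Resolve-Clsid([string]$Clsid) {
    foreach ($root in $classRoots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $dll = Get-DefaultValue (Join-Path $key 'InProcServer32')
        if ($dll) {
            # Strip surrounding quotes and expand %SystemRoot%-style paths before testing.
            $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        }
        return [PSCustomObject]@{
            Clsid        = $Clsid
            RegisteredIn = $key
            FriendlyName = Get-DefaultValue $key
            Dll          = $dll
            DllExists    = [bool]($dll -and (Test-Path -LiteralPath $dll))
        }
    }
    return $null   # CLSID registered nowhere: an orphan, as with WebCheck on Windows 7
}

function Get-ApprovedName([string]$Clsid) {
    # The Approved list only names the extension; it does not map old CLSIDs to new ones.
    foreach ($k in $approvedKeys) {
        $name = (Get-ItemProperty -LiteralPath $k -Name $Clsid -ErrorAction SilentlyContinue).$Clsid
        if ($null -ne $name) { return $name }
    }
    return $null
}

foreach ($ssodl in $ssodlKeys) {
    if (-not (Test-Path -LiteralPath $ssodl)) { continue }
    $values = Get-ItemProperty -LiteralPath $ssodl
    foreach ($v in $values.PSObject.Properties) {
        if ($psMeta -contains $v.Name) { continue }
        $clsid = [string]$v.Value
        $r = Resolve-Clsid $clsid
        $approved = Get-ApprovedName $clsid
        $tag = if ($approved) { "; approved as '$approved'" } else { "; not in Shell Extensions\Approved" }
        if ($null -eq $r) {
            "ORPHAN  $($v.Name) -> $clsid : no CLSID key in HKCU or HKLM$tag"
        } elseif (-not $r.DllExists) {
            "MISSING $($v.Name) -> $clsid : $($r.Dll) not on disk (via $($r.RegisteredIn))$tag"
        } else {
            "OK      $($v.Name) -> $clsid : $($r.Dll) [$($r.FriendlyName)] via $($r.RegisteredIn)$tag"
        }
    }
}
```

On a Windows 7 box the WebCheck entry from the post shows up as ORPHAN, while any entry that resolves to a DLL under a Classes\CLSID key in HKCU rather than HKLM deserves a closer look, since that is a per-user registration Explorer will still honour. The script only reads the registry and the file system; it does not load or instantiate anything.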

Emphyrio :)