| Value Name | Description |
|---|---|
| UserInit | Specifies program(s) to be executed when a user logs into Windows. |
| UIHost | Specifies the host application for the Logon user interface? |
| VmApplet | Unknown? Perhaps specifies an applet for editing virtual memory? Executing the command summons the "System Properties" dialog. |
Sub-Key: \GPExtensions

Group Policy Extensions (GPExtensions) normally provide custom machine lockdown parameters to further control the way a system can be used. As viruses become more and more sophisticated they are beginning to use this location for system infection. GPEs are executed just before Logon.

Under GPExtensions are sub-keys named by GUIDs. Under each Catalog_Entries sub-key there are sequentially numbered decimal sub-keys, 12 digits long, each of which holds a PackedCatalogItem value and/or other values describing the entry. The items of interest to a spy/trojan hunter are the value referenced in LibraryFile and/or the first few bytes of the PackedCatalogItem value data.
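The review a hunter would do over these locations, as an added example that is not from the original page: it parses a constructed `.reg` export (so it runs offline on any OS), compares the Winlogon values against an assumed known-good baseline, lists every GPExtensions GUID sub-key with its DllName, and pulls the provider path out of the leading bytes of a PackedCatalogItem value. The GUIDs, the second Userinit entry, the non-Windows DllName and the `CATALOG_PARENT_PLACEHOLDER` key path are all made up for the example (the page does not name the parent of Catalog_Entries); the "DLL outside the Windows directory" rule is a heuristic assumed here, not a rule from the page.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Assumed known-good baseline for the three values (in practice taken from a clean
# reference host of the same Windows version; hard-coded for this example).
BASELINE = {
    "Userinit": r"C:\Windows\system32\userinit.exe",
    "UIHost": "logonui.exe",
    "VmApplet": 'rundll32 shell32,Control_RunDLL "sysdm.cpl"',
}

def to_reg_hex(data: bytes) -> str:
    """Render bytes the way regedit exports REG_BINARY ("hex:aa,bb,...")."""
    return "hex:" + ",".join(f"{b:02x}" for b in data)

# Constructed PackedCatalogItem data: a NUL-terminated ANSI provider path padded to
# 260 bytes, followed by a few opaque bytes standing in for the rest of the structure.
PACKED_ITEM = b"C:\\Windows\\system32\\mswsock.dll".ljust(260, b"\0") + b"\x01\x02\x03"

# Constructed sample export (not from a real host). GUIDs, the extra Userinit entry,
# the non-Windows DllName and CATALOG_PARENT_PLACEHOLDER are illustrative only.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{WINLOGON}]",
    r'"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\updater.exe"',
    r'"UIHost"="logonui.exe"',
    r'"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""',
    "",
    f"[{WINLOGON}\\GPExtensions\\{{00000000-0000-0000-0000-000000000001}}]",
    r'"DllName"="C:\\Windows\\System32\\gpscript.dll"',
    "",
    f"[{WINLOGON}\\GPExtensions\\{{00000000-0000-0000-0000-000000000002}}]",
    r'"DllName"="C:\\Users\\Public\\lockdown.dll"',
    "",
    r"[HKEY_LOCAL_MACHINE\CATALOG_PARENT_PLACEHOLDER\Catalog_Entries\000000000001]",
    f'"PackedCatalogItem"={to_reg_hex(PACKED_ITEM)}',
])

def _unescape(s: str) -> str:
    """Undo .reg escaping: backslash-quote and backslash-backslash."""
    return re.sub(r"\\(.)", r"\1", s)

def decode_reg_data(rhs: str):
    """Decode the right-hand side of a .reg value line (REG_SZ and REG_BINARY only here)."""
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
        return _unescape(rhs[1:-1])
    if rhs.startswith("hex:"):
        return bytes.fromhex(rhs[4:].replace(",", ""))
    return rhs  # dword:, hex(2): etc. are left as raw text in this example

def parse_reg_export(text: str) -> dict:
    """Map each [key path] to a {value name: decoded data} dict."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, rhs = line[1:].partition('"=')
            keys[current][name] = decode_reg_data(rhs)
    return keys

def review_winlogon(keys: dict) -> list:
    """Report Winlogon values that differ from the baseline. Userinit is a comma-separated
    list (the default ends in a trailing comma), so each entry is judged on its own."""
    findings, vals = [], keys.get(WINLOGON, {})
    for entry in vals.get("Userinit", "").split(","):
        entry = entry.strip()
        if entry and entry.lower() != BASELINE["Userinit"].lower():
            findings.append(f"Userinit: extra program {entry}")
    for name in ("UIHost", "VmApplet"):
        if vals.get(name, "").lower() != BASELINE[name].lower():
            findings.append(f"{name}: {vals.get(name)!r} differs from baseline")
    return findings

def gp_extension_dlls(keys: dict) -> list:
    """Return (GUID, DllName, flagged) for every GPExtensions sub-key; a DLL outside
    C:\\Windows is flagged for review (assumed heuristic for this example)."""
    prefix, out = WINLOGON + "\\GPExtensions\\", []
    for path, vals in keys.items():
        if path.startswith(prefix):
            dll = vals.get("DllName", "")
            out.append((path[len(prefix):], dll, not dll.lower().startswith("c:\\windows\\")))
    return out

def packed_catalog_dll(data: bytes) -> str:
    """The provider path sits at the start of PackedCatalogItem as a NUL-terminated ANSI string."""
    return data[:260].split(b"\0", 1)[0].decode("latin-1")

def catalog_providers(keys: dict) -> list:
    """Return (12-digit entry number, provider DLL) for each Catalog_Entries sub-key."""
    out = []
    for path, vals in keys.items():
        m = re.search(r"\\Catalog_Entries\\(\d{12})$", path)
        if m and isinstance(vals.get("PackedCatalogItem"), bytes):
            out.append((m.group(1), packed_catalog_dll(vals["PackedCatalogItem"])))
    return out

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_REG)
    for finding in review_winlogon(keys):
        print("finding:", finding)
    for guid, dll, flagged in gp_extension_dlls(keys):
        print("GPExtension", guid, dll, "<- review" if flagged else "")
    for num, dll in catalog_providers(keys):
        print("Catalog entry", num, "->", dll)
```

On a live host the same functions can be fed the output of `reg export` for each key; the baseline comparison is what turns a listing into a finding, so keep the baseline per Windows version rather than reusing one set of defaults everywhere.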