Hal Pomeranz · Oct 15, 2020 · 8:32 PM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

15 Oct 2020

I summon the collective #DFIR wisdom of Twitter. User attempts to launch Windows Explorer and another program starts instead. I'm assuming a registry setting, but which one?

Jake Williams · Oct 15, 2020 · 8:56 PM UTC

Jake Williams @MalwareJake

15 Oct 2020

Shell

Jake Williams · Oct 15, 2020 · 8:57 PM UTC

Jake Williams @MalwareJake

15 Oct 2020

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Hal Pomeranz · Oct 15, 2020 · 9:26 PM UTC

Hal Pomeranz · Oct 15, 2020 · 9:26 PM UTC

Hal Pomeranz @hal_pomeranz

15 Oct 2020

Replying to @MalwareJake

Sadly, Shell is set to explorer.exe

Oct 15, 2020 · 9:26 PM UTC

Jake Williams · Oct 15, 2020 · 9:29 PM UTC

Jake Williams @MalwareJake

15 Oct 2020

Replying to @hal_pomeranz

Then I'd guess HKCR with the possibility of a shell handler override in HKCU