From: A friend's home
Loading {remote control software} through Group Policy is well hidden and hard to detect. Click "Run" in the "Start" menu, type gpedit.msc and press Enter to open the Group Policy editor. Under Local Computer Policy, open "User Configuration > Administrative Templates > System > Logon" (figure 1) and double-click the item "Run these programs at user logon". In the dialog box that appears (figure 2), select "Enabled" under "Settings", then click the "Show" button. The "Show Contents" window appears (figure 3); click the "Add" button, and in the "Add Item" window (figure 4) type the path of the file to be run automatically and click OK. Restart the computer; from then on the system starts the program we added at every logon. Note: if the program is not in the %SystemRoot% directory, you must give its full path.
If {remote control software} is added through Group Policy in this way, the result is an "invisible" {remote control software}! You will not find it in the System Configuration Utility (msconfig), you will not find a corresponding value under the familiar registry keys such as HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, and it is not in the usual startup locations everyone checks. This loading method is therefore very well concealed and a greater threat to ordinary users.
Is this way of loading {remote control software} really impeccable? Of course not! A program added this way is still recorded in the registry, just not under the keys we are used to: it lives under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run. (The same setting under Computer Configuration writes the machine-wide twin, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, which applies to every user.) So if you suspect {remote control software} on your computer but cannot find it, look at that registry key or at the Group Policy setting above, and you may well find something!
Secret registry entry
Loading {remote control software} through registry keys has always been the favourite of {remote control software} authors, and we all know the usual keys, but you may not know this newer way of hiding {remote control software} in the registry. Click "Run" in the "Start" menu, type regedit and press Enter to open the Registry Editor. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, create a new string value named "load", and set its data to the path of the program to start. Note: use the short (8.3) file name, that is, "C:\Program Files" must be written as "C:\Progra~1", and the program path must not be followed by any parameters. This also works for other users if you put the same "load" value under HKEY_USERS\<user ID>\Software\Microsoft\Windows NT\CurrentVersion\Windows.
We recommend paying attention to this value when checking for {remote control software} and viruses in the future, so that it cannot be used against you. This registry value applies to Windows 2000/XP/2003 only, so Windows 9x users need not worry about it (there the equivalent is the load= line in the [windows] section of win.ini, which is what this registry value replaced).
Using AutoRun.inf to load {remote control software}
Anyone who often uses CDs knows that some CDs start running automatically as soon as they are put into the optical drive. This function is implemented mainly by two files: one is a system driver (a .vxd file), the other is the AutoRun.inf file on the CD. The driver watches the optical drive for activity at all times; when a disc is inserted, it looks for an AutoRun.inf file in the root directory of the disc, and if one exists it executes the program configured in it.
This seemingly magical function is actually very simple, and it applies not only to CDs but also to hard disks (note that AutoRun.inf only takes effect when it is stored in the root directory of the drive). Let's look at the content of an AutoRun.inf file. Open Notepad, create a new file named AutoRun.inf, and type the following into it:
[AutoRun]
Icon=C:\Windows\System\Shell32.DLL,21
Open=C:\Program Files\ACDSee\ACDSee.exe
Explanation: a standard AutoRun file must begin with [AutoRun]. The second line, Icon=C:\Windows\System\Shell32.DLL,21, sets the icon shown for the hard disk or CD; Shell32.DLL is a Windows system file that contains many of the system's icons, and the number 21 selects icon number 21 from it. The third line, Open=C:\Program Files\ACDSee\ACDSee.exe, gives the path and file name of the program to run.
Replace the Open= line with the path of the {remote control software}, give the AutoRun.inf file the hidden attribute (so it is not easily found), and the {remote control software} starts as soon as someone double-clicks the hard disk in My Computer! Seen the other way round, this is indeed a very effective way to make a program start itself.
To guard against this kind of "ambush", disable the AutoRun function for hard disks. Open the Registry Editor, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, and find the value "NoDriveTypeAutoRun" in the right-hand pane; it decides whether AutoRun is executed for CD-ROMs and hard disks. The value is a bitmask with one bit per drive type (0x04 removable, 0x08 fixed disk, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk), and the values below are the common default 0x95 with one more bit added. Set it to 9D,00 (0x9D, the default plus the fixed-disk bit) to disable AutoRun on hard disks, or to B5,00 (0xB5, the default plus the CD-ROM bit) to disable it on CDs; 0xBD disables both and 0xFF disables it for every drive type. The same value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer applies to all users and takes precedence over the per-user one. Note that you must restart the computer (or at least log off and on, since Explorer reads the value at logon) for the change to take effect. One caveat for readers on later systems: the 2009 AutoRun changes Microsoft shipped through Windows Update made Windows ignore AutoRun.inf on anything but optical drives, so on a patched system the hard-disk trick no longer works, although the check above still applies to CDs and DVDs.
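To check a machine for exactly the ambush described above, the following PowerShell script (an added example, not part of the original article) looks for AutoRun.inf in the root of every local drive, hidden or not, reports which [AutoRun] keys would launch something, and decodes the NoDriveTypeAutoRun bitmask from both HKCU and HKLM. The function names Get-AutoRunInf, Get-AutoRunPolicy and Set-AutoRunPolicy are names chosen for this example, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original article. Checks every local drive root
# for AutoRun.inf and decodes the NoDriveTypeAutoRun policy. The function
# names are assumptions made for this example.

# NoDriveTypeAutoRun is a bitmask indexed by GetDriveType(): bit (1 << type).
# A set bit means "do not run AutoRun.inf for drives of this type".
$DriveTypeBits = [ordered]@{
    0x01 = 'unknown'
    0x02 = 'no-root-dir'
    0x04 = 'removable'
    0x08 = 'fixed (hard disk)'
    0x10 = 'network'
    0x20 = 'CD-ROM'
    0x40 = 'RAM disk'
    0x80 = 'unknown type (reserved)'
}

function Get-AutoRunInf {
    # Every drive letter with a root directory; -Force on Get-Item finds a hidden AutoRun.inf.
    foreach ($drive in (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' })) {
        $path = Join-Path $drive.Root 'autorun.inf'
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $file) { continue }

        # Minimal INI parse: keep only key=value lines inside the [AutoRun] section.
        $section = ''
        $entries = @{}
        foreach ($line in (Get-Content -LiteralPath $path)) {
            $line = $line.Trim()
            if ($line -eq '' -or $line.StartsWith(';')) { continue }
            if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
            if ($section -eq 'autorun' -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
                $entries[$Matches[1].ToLower()] = $Matches[2]
            }
        }
        # Keys that launch a program: open=, shellexecute=, shell\<verb>\command=
        $launchers = $entries.GetEnumerator() | Where-Object {
            ($_.Key -in @('open', 'shellexecute')) -or ($_.Key -like 'shell\*\command')
        }
        [pscustomobject]@{
            Drive    = $drive.Root
            Hidden   = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
            Icon     = $entries['icon']
            Launches = (@($launchers | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; ')
        }
    }
}

function Get-AutoRunPolicy {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $raw = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $raw) { continue }
        # Normally REG_DWORD; some tools write REG_BINARY (the "9D,00" form), which
        # arrives as a little-endian byte[].
        $mask = 0
        if ($raw -is [byte[]]) {
            for ($i = $raw.Length - 1; $i -ge 0; $i--) { $mask = ($mask -shl 8) -bor [int]$raw[$i] }
        } else { $mask = [int]$raw }
        $blocked = $DriveTypeBits.GetEnumerator() | Where-Object { ($mask -band $_.Key) -ne 0 } | ForEach-Object { $_.Value }
        [pscustomobject]@{ Hive = $hive; Mask = ('0x{0:X2}' -f $mask); AutoRunDisabledFor = (@($blocked) -join ', ') }
    }
}

function Set-AutoRunPolicy {
    # Example: Set-AutoRunPolicy -Mask 0xFF disables AutoRun for every drive type, machine-wide.
    param(
        [Parameter(Mandatory)][int]$Mask,
        [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM'
    )
    $key = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value $Mask -Force | Out-Null
}

Get-AutoRunInf | Format-Table -AutoSize -Wrap
Get-AutoRunPolicy | Format-Table -AutoSize
```

A drive whose row shows Hidden = True and a Launches entry pointing outside a known application directory is the case the article warns about. Set-AutoRunPolicy writes the policy as REG_DWORD; as with the manual edit, Explorer picks the new mask up at the next logon.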
Screen savers can also become an accomplice of {remote control software}
A Windows screen saver is a .scr file, stored by default in the Windows installation directory. A .scr file is just an ordinary executable: rename a .exe to .scr and the program still starts normally, and a .scr can be run directly! In the same way, after renaming a .exe to .com, .pif or .bat, the program still runs freely. This is very useful after the .exe file association has been damaged: we can change the extension of the .exe to one of the above and run the program that way.
A screen saver's wait time can be set in the registry: under HKEY_USERS\.DEFAULT\Control Panel\Desktop, the string value ScreenSaveTimeOut is the screen saver's waiting time in seconds. It starts at 60 seconds, and a value below 60 is automatically treated as 1 minute. (The HKEY_USERS\.DEFAULT hive is the logon desktop, the settings used when nobody is logged on; the logged-on user's own settings are the same values under HKEY_CURRENT_USER\Control Panel\Desktop.) Whether a screen saver is selected can be seen in the system.ini file: enter msconfig in "Run" in the "Start" menu, open the System tab and find the [boot] section. You will see the line "SCRNSAVE.EXE=", followed by the path of the screen saver file; if a screen saver is set, the line has a tick (√) in front of it, otherwise it does not. On Windows 2000/XP the selected screen saver is also recorded in the registry, as the string value SCRNSAVE.EXE under the same Control Panel\Desktop key.
Putting the above together gives an obvious combination: rename the .exe to a .scr file (say RAT.scr), add "SCRNSAVE.EXE=C:\Program Files\RAT.scr" to the [boot] section of system.ini (or set the SCRNSAVE.EXE value under Control Panel\Desktop), then set the string value ScreenSaveTimeOut under HKEY_USERS\.DEFAULT\Control Panel\Desktop in the registry to 60, and the file is started whenever the system has been idle for one minute! If {remote control software}, a virus or another malicious program uses this method, the consequences are serious. Disabling the screen saver, and checking that the configured .scr file is one that belongs to Windows, guards against this kind of attack!
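The three registry locations discussed in this article (the Group Policy Run key, the load value under Windows NT\CurrentVersion\Windows, and the screen saver entries under Control Panel\Desktop) can be checked in one pass with the following PowerShell script. It is an added example, not part of the original article; the function names Get-HiddenAutostarts, Get-RegValue and New-Finding are chosen for this example, and it assumes an elevated Windows PowerShell 3.0 or later session so that other users' hives under HKEY_USERS are readable.

```powershell
# Added example, not from the original article: list the "invisible" autostart
# locations the article describes, for the machine, the current user, every
# user hive loaded under HKEY_USERS, and the .DEFAULT (logon desktop) hive.
# Function names are assumptions made for this example. Run elevated.

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns the value's data, or $null if the key or value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Finding($Location, $Name, $Value, $Note) {
    [pscustomobject]@{ Location = $Location; Name = $Name; Value = $Value; Note = $Note }
}

function Get-HiddenAutostarts {
    # HKCU plus every SID (and .DEFAULT) loaded under HKEY_USERS; *_Classes keys are skipped.
    $userRoots = @('HKCU:') + @(Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { "Registry::$($_.Name)" })
    $system32 = Join-Path $env:SystemRoot 'System32'

    # 1. Group Policy "Run these programs at user logon": every value under
    #    Policies\Explorer\Run is launched; HKLM holds the Computer Configuration twin.
    foreach ($root in ($userRoots + 'HKLM:')) {
        $key = "$root\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
        $k = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($n in $k.GetValueNames()) {
            New-Finding $key $n ($k.GetValue($n)) 'Group Policy logon program (not shown by msconfig)'
        }
    }

    # 2. The load= (and run=) values under Windows NT\CurrentVersion\Windows,
    #    the registry home of the old win.ini [windows] section.
    foreach ($root in $userRoots) {
        $key = "$root\Software\Microsoft\Windows NT\CurrentVersion\Windows"
        foreach ($n in 'load', 'run') {
            $v = Get-RegValue $key $n
            if ($v) { New-Finding $key $n $v 'win.ini-style autostart; 8.3 paths such as C:\Progra~1 are typical' }
        }
    }

    # 3. Screen saver: a .scr is an ordinary executable started after ScreenSaveTimeOut
    #    seconds of idle time. A bare file name resolves to the system directory; anything
    #    with a path outside System32 deserves a look. (8.3 short names are not expanded,
    #    so a short-name path into System32 is reported conservatively as "outside".)
    foreach ($root in $userRoots) {
        $key = "$root\Control Panel\Desktop"
        $scr = Get-RegValue $key 'SCRNSAVE.EXE'
        if (-not $scr) { continue }
        $full = [Environment]::ExpandEnvironmentVariables($scr.Trim('"'))
        $inSystem32 = ($full -notmatch '\\') -or ($full -like "$system32\*")
        $note = 'screen saver' +
            $(if ($inSystem32) { ' (system directory)' } else { ' OUTSIDE System32 - inspect' }) +
            ", timeout=$(Get-RegValue $key 'ScreenSaveTimeOut')s, active=$(Get-RegValue $key 'ScreenSaveActive')"
        New-Finding $key 'SCRNSAVE.EXE' $scr $note
    }
}

Get-HiddenAutostarts | Format-Table -AutoSize -Wrap
```

Because the HKEY_USERS pass includes .DEFAULT, a screen saver planted for the logon desktop (the case the article builds with HKEY_USERS\.DEFAULT) shows up alongside the per-user ones, and the Note column marks any saver whose path leads outside the Windows system directory.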