Prepping for a CEH certification test. My question goes along these lines:
Situation: When attempting to add persistence to Windows malware, if the programmer chooses not to use one of the many existing RUN, AUTORUN, RUNONCE, etc. Windows registry entries ...
Question: Can he create an entirely new registry entry similar to \HKLM\SOFTWARE\My_Rootkit_Program\RUN and have it run automatically ... simply because it's named RUN?
Follow-On Question: Is the "magic" (repeatability) inherent in all registry entries named "RUN", OR does Windows use a concept similar to a PATH variable to locate and run those entries in registries named RUN (or similar)?
Follow-On Observation: If this latter hypothesis is correct, it follows that meddling with that registry PATH statement would be an advanced technique allowing programmers to build persistence into backwater places with names like \HKLM\SOFTWARE\CLASSES\7z\Updated_Compression_Routines.
Please forgive me if (1) this has been asked before and my searches didn't find the Q&A string, or (2) I've misused specific terms.
Thanks ... Allen.