ZHPDiag – Module O34 – BootExecute (BEX)

As part of its startup, Microsoft Windows NT launches a session manager (the Session Manager).

LSA authentication describes the parts of the Local Security Authority (LSA) that applications can use to authenticate and log on users on the local system. It also describes how to create and call authentication packages and security packages. The LSA authentication functions let you write an authentication package or a combined authentication/security support provider package (SSP/AP).

Some legitimate software uses this feature to perform specific operations at boot, for example disk defragmentation; this is the case of O&O Software (O&O Defrag) or Raxco Software (PerfectDisk Boot Time Defragment). Other software uses it for cleaning; this is the case of Lavasoft AB (Ad-Aware Boot Cleaner) or SurfRight B.V. (Hitman BootDelete).

However, abuse of this mechanism allows a malicious program to run when the system starts.

The scan examines the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager], looking for data inserted into its BootExecute value.

Overview ZHPDiag

—\\ BootExecute (O34)
O34 – HKLM BootExecute: (autocheck autochk *) – File not found
O34 – HKLM BootExecute: (OODBS) (.O&O Software GmbH – O&O BootTimeDefrag.) — C:\Windows\system32\OODBS.exe

Action ZHPFix

O34 – HKLM BootExecute: ( {DataName} )- (…) — {FileName}

{Key} : Registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
{DataName} : Data stored in the key's 'BootExecute' value.

1) The tool deletes the file {FileName}

Example of detection

O34 – HKLM BootExecute: (1028560) (…) — C:\Windows\system32\1028560.exe
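As an added illustration of what the O34 check does (example code, not ZHPDiag's own): decode the raw REG_MULTI_SZ data of the BootExecute value, resolve each entry's program against a system32 listing, and print the result in the O34 report format. The registry blob and the system32 listing are constructed and embedded so the script runs offline; on a live host they would come from winreg and a directory listing of %SystemRoot%\system32.

```python
"""Audit a Session Manager\\BootExecute value the way ZHPDiag's O34 module reports it.

Constructed example, not ZHPDiag's own code. SAMPLE_RAW and SAMPLE_SYSTEM32 are
embedded stand-ins for the live registry value and the real system32 directory.
"""

# Key inspected by the O34 module (from the ZHPDiag documentation).
BOOTEXECUTE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"

# The only entry a clean Windows install carries: boot-time chkdsk.
STOCK_ENTRY = "autocheck autochk *"


def decode_multi_sz(raw: bytes) -> list[str]:
    """Decode a REG_MULTI_SZ blob: UTF-16LE strings, each NUL-terminated, double NUL at the end."""
    if len(raw) % 2:
        raise ValueError("REG_MULTI_SZ data must be an even number of bytes")
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def audit_bootexecute(raw: bytes, system32_files: set[str]) -> list[dict]:
    """One record per entry: the program it names, where it resolves, and whether to review it.

    The first token of each entry is the program; the session manager looks it up in
    system32, appending .exe when no extension is given. The stock entry shows up as
    'File not found' because there is no autocheck.exe on disk: smss handles it itself.
    """
    records = []
    for entry in decode_multi_sz(raw):
        program = entry.split()[0]
        exe = program if program.lower().endswith(".exe") else program + ".exe"
        path = rf"C:\Windows\system32\{exe}"
        found = exe.lower() in system32_files
        records.append({
            "entry": entry,
            "path": path if found else None,
            "review": entry != STOCK_ENTRY,   # anything beyond chkdsk deserves a look
        })
    return records


def o34_lines(records: list[dict]) -> list[str]:
    """Render records in the 'O34 - HKLM BootExecute:' report format; (...) stands for file info."""
    return [f"O34 - HKLM BootExecute: ({r['entry']}) (...) -- {r['path'] or 'File not found'}"
            for r in records]


# Constructed sample: the stock entry plus the O&O Defrag entry shown in the report above.
SAMPLE_RAW = (STOCK_ENTRY + "\x00OODBS\x00\x00").encode("utf-16-le")
SAMPLE_SYSTEM32 = {"autochk.exe", "oodbs.exe"}   # constructed directory listing, lower-cased

if __name__ == "__main__":
    for line in o34_lines(audit_bootexecute(SAMPLE_RAW, SAMPLE_SYSTEM32)):
        print(line)
```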


* Local Security Authority Subsystem Service
* LSA Authentication (Microsoft)
* LSA Secrets