The Avenger

Command Reference

Programs to launch on reboot:

The "Programs to launch on reboot:" command directive queues the listed programs to run once at the next reboot.

How do I use it?

After the "Programs to launch on reboot:" line is read in a script, all subsequent lines will be interpreted as full paths to programs to be executed.

When do I use it?

  1. When there is cleanup to do after running The Avenger, or further steps to be taken back in normal user-mode Windows, as part of a larger malware fix. This command directive allows The Avenger to be extended to execute user-mode code later in the boot process. It can be used to queue not only programs, but also batch files and other ordinary scripts. In fact, it can be used to queue nearly any valid command-line expression.

  2. Another use of this command directive is to get access to registry hives other than HKEY_LOCAL_MACHINE. The Avenger can only directly access keys under the HKEY_LOCAL_MACHINE hive, because the other hives are not constructed at the point in the boot process when The Avenger executes. However, to access HKEY_USERS, HKEY_CLASSES_ROOT, and HKEY_CURRENT_USER, it is instead possible to write a .REG file to make the desired registry modifications, and then queue this .REG file to execute using The Avenger's "Programs to launch on reboot:" command. The .REG file will be executed later in the boot process, when the appropriate registry hives have been built.

Anything else I should know?

  • In Windows Vista, any programs queued with "Programs to launch on reboot:" will automatically be granted elevated privileges.

Any special notes on syntax?

  • The "Programs to launch on reboot:" command will interpret environment variables (%systemdrive%, %windir%, etc.) correctly.

Example Usage

Programs to launch on reboot:
C:\Documents and Settings\My User\Desktop\HijackThis.exe
%systemdrive%\my_fix.bat
c:\MyRegFile.reg
regedit.exe /s c:\MyRegFile.reg
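
A constructed example of what the c:\MyRegFile.reg queued above might contain when a fix needs hives other than HKEY_LOCAL_MACHINE. It is added here for illustration and is not part of the original Avenger documentation; the value name "ExampleMalwareEntry" and the key "ExamplePlaceholderKey" are placeholders.

```reg
Windows Registry Editor Version 5.00

; Constructed example contents for c:\MyRegFile.reg (all names are placeholders).
; Queue it with:  regedit.exe /s c:\MyRegFile.reg
; under "Programs to launch on reboot:" so it is imported after these hives exist.

; Remove one autostart value from the current user's Run key.
; A trailing "=-" deletes the named value and leaves the key itself in place.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleMalwareEntry"=-

; Remove the same value from the default profile under HKEY_USERS.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleMalwareEntry"=-

; Restore the standard .exe open command in case it was redirected.
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

; Delete an entire placeholder key: a leading "-" inside the brackets removes the key.
[-HKEY_CURRENT_USER\Software\ExamplePlaceholderKey]
```

HKEY_CURRENT_USER refers to the profile of the account that performs the import, so the HKEY_CURRENT_USER entries only affect that user.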
