GCIH · Question #41
GCIH Question #41: Real Exam Question with Answer & Explanation
The correct answer is C: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices. To persist a Trojan across reboots, attackers edit specific Windows registry Run keys that execute programs at startup. The RunServices key is a legacy Windows registry entry used to launch services automatically on system boot.
Question
Options
- AHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Startup
- BHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Auto
- CHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- DHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Start
Explanation
To persist a Trojan across reboots, attackers edit specific Windows registry Run keys that execute programs at startup. The RunServices key is a legacy Windows registry entry used to launch services automatically on system boot.
Common mistakes.
- A. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Startup is not a valid registry key used by Windows to launch programs at boot.
- B. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Auto is not a recognized Windows registry startup key and does not exist in the standard Windows registry structure.
- D. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Start is not a valid registry key used for automatic program execution at startup.
Concept tested. Windows registry persistence via RunServices key
Reference. https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
Topics
Community Discussion
No community discussion yet for this question.