back to article Microsoft details how China-linked crew's malware hides scheduled Windows tasks

The China-linked Hafnium cyber-gang is using a strain of malware to maintain a persistent presence in compromised Windows systems by creating hidden tasks that maintain backdoor access even after reboots. Researchers within Microsoft's Detection and Response Team (DART) and Threat Intelligence Center (MTIC) spotted the …

  1. Anonymous Coward
    Anonymous Coward

    The registry !

    Again !

    give me cron anyday.

    1. Potemkine! Silver badge

      Re: The registry !

      You're comparing phone cabins to potatoes.

      The registry is much more than a cron table. It has good sides: it avoids having parameter files all over the file system and provide a common mean for all applications to easily save settings rather than having anyone designing its own.

      Here the problem comes not from the registry, but from the task scheduler.

      1. DJV Silver badge

        Re: The registry is much more than a cron table

        And that's one of the problems right there!

      2. Ken Hagan Gold badge

        Re: The registry !

        Imagine a Linux system where /etc was a mount of a filesystem type optimised for lots of small files. In essence, that's the registry.

        Would that be so awful? Clearly not. Would people blame every configuration error on the underlying filesystem, rather than the end-user who wrote the wrong values into a file? Clearly.

  2. Pascal Monett Silver badge

    How about replacing the Registry ?

    Text files work fine.

    Ah, but DRM wouldn't be possible any more. So we get to keep the Registry, an abomination of an excuse that is more useful to miscreants than to users.

    1. DJO Silver badge

      Re: How about replacing the Registry ?

      To be fair having a central database instead of a zillion ini files makes a lot of sense.

      Implementing it in the absolute worst way possible made no sense whatsoever.

      Allowing it to have (easily spoofed) elevated execution rights goes beyond "no sense" all the way to "are you fucking mad?"

    2. Fruit and Nutcase Silver badge

      Re: How about replacing the Registry ?

      No all text files are created equal - some good, some cause more problems than they solve. But the issue here is the behaviour/ability to hide a scheduled task by removing the security descriptor registry values. If configuration was via text files, the same vulnerability would no doubt exist. As mentioned elsewhere, need to fix the GUI and schtasks. And in the short term, develop/use tools to scan scheduled tasks with missing security descriptors

  3. druck Silver badge

    How about fixing scheduler

    So it displays all entries regardless of any tweaking of the registry.

  4. DJV Silver badge


    ...if Microsoft can detect this and they know exactly how it works, then does that mean that the current version of Windows Defender can detect it and remove it automatically? And, if it can't, then why not?

  5. Anonymous Coward
    Anonymous Coward

    The registry is like a public toilet -

    you have no idea who has done what in it.

    1. eldakka Silver badge

      Re: The registry is like a public toilet -

      It's worse than a public toilet because in a public toilet you can at least smell when someone has shit in the corner.

  6. Anonymous Coward
    Anonymous Coward

    So what is the use case for Windows allowing runnable tasks with no security descriptors ?

    My guess would be backward compatibility and/or things-they-dont-want-you-to-know-about [TM]

    1. Tom Chiverton 1

      TM more like TLA amirite

  7. Potemkine! Silver badge

    As I understand, for me, it's a bug: the interface should display all tasks that are registered to be executed, or a task that cannot be displayed because of missing security descriptor should not be executed. There's an incoherence here: why can a task be executed but not displayed?

    1. elDog

      Perhaps because Microsoft itself uses this technique to hide tasks it doesn't want its "users" to know about?

      1. DJV Silver badge

        Go wash your mouth out right now - as if lovely, kind-hearted Microsoft would ever do anything like that!

      2. Potemkine! Silver badge

        "Never attribute to malice that which is adequately explained by stupidity" ^^

  8. Gene Cash Silver badge

    "enabling and centralizing Task Scheduler logs"

    So wait a minute... I'm not a Windows guy... but wouldn't that have all your machines pounding one disk and single point of failure? And generating a ton more network traffic?

    Plus aren't these just more logs that no one is going to look at?

  9. Anonymous Coward
    Anonymous Coward

    I can guess ...

    I will guarantee that what happened was, there were no security descriptors.

    Then they added security descriptors, and all the code was designed to expect ttem.

    Then - a few days/months after release, they realised that legacy non-security descriptor jobs existed and were causing errors because NULLs weren't expected.

    So they removed the requirement for non-null descriptors.


    Now, if I were running that project, there would have been some sort of upgrade process INSIDE THE APP (so as you can't evade it) that at least created a default descriptor (maybe name+date) so that future code worked properly.

  10. Anonymous Coward
    Anonymous Coward

    "It can be time-consuming if done manually, and there are automated tools that can examine the registry to highlight or automatically remove suspicious entries."

    @ElReg: Would you mind being more specific about such tools?

    Moreover, the MS blog only mentions Microsoft 365 Defender (Microsoft Defender for Endpoint) or Microsoft Sentinel as detection tools. What about the plain vanilla MS Defender Antivirus?

  11. FlamingDeath Silver badge

    Isn't hiding scheduled tasks a m$ pasttime?

  12. Missing Semicolon Silver badge

    Hang on

    So the OS scans the registry for scheduled tasks and runs them. But the GUI uses a different algorithm to find them, so some are invisible? How dumb is that?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like