This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 79%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
Hi All,
While researching the startup behavior of Windows Container (Windows Metro) Apps , like the ones installed through Microsoft Store or native to System (xbox/phone, etc),
I came across a new registry key location (different from the known standard Startup locations in HKCU/HKLM)
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData
I used whatsapp to create/install/remove startup behavior in my testing
Since its non-standard startup registry key location, and DOES NOT show up in autoruns, it will evade persistence detection from a lot of AV/EDR's that leverage autoruns internally to enumerate persistence.
Like Crowdstrke, Tanium, Defender ATP , etc
So if exploited, this potentially could become a blindspot for security controls that rely on autoruns
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 43%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
This still an issue almost 2 years later after Rahat Sanghoi created this question. I am typing this on 8/25/2024.
The work around I found for WhatsApp in Windows 11 is as follows:
This is not a solution. This is a work around. The real exploitable problem is still there which means a malicious app could be running in the background using this "hidden" background feature and the user will never know about it.
The way I personally found out that WhatsApp was running in the background was by running the CCleaner software and the CCleaner prompted me that WhatsApp must be closed in order to be able to cleanup the WhatsApp cache.
That's when I started researching "whatsapp running in the background without user permission" and I stumble with this question after being linked in another website.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 2%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELA%3C/text%3E%3C/svg%3E)
Thanks for posting this, saved me a lot of time.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 80%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
Thank you so much for this discovery! Try HiBit Startup Manager: https://www.hibitsoft.ir/StartupManager.html
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 88%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
thank you very much! searching for it for a while ;-)