At the start of my application I change the shell value of the registry to a custom shell and kill explorer.exe (this is done outside the application). I want to allow a backdoor to return to the original shell and bring back explorer.exe. Bringing the process back works fine for me, but when I run my code to change the registry value, no exception is thrown but the value doesn't change when I check in regedit. This is my code (saw it here on a different question):

        RegistryKey regKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", true);
        regKey.SetValue("Shell", "explorer.exe", RegistryValueKind.String);
        regKey.Close();

Please help


Solution

In your code, you are actually setting the value of

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Because some registry keys are redirected by WOW64, please check MSDN to get more details.

Try this:

        // Open HKLM through the 64-bit view so WOW64 does not redirect the write.
        RegistryKey localMachine = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, RegistryView.Registry64);

        RegistryKey regKey = localMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", true);
        regKey.SetValue("Shell", "explorer.exe", RegistryValueKind.String);
        regKey.Close();
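
To confirm which view a write actually landed in, the following read-only check prints the Winlogon `Shell` value as seen through both registry views. It is an added example, not part of the original question or answer; the class and method names (`WinlogonShellCheck`, `ReadShell`) are made up for illustration.

```csharp
using System;
using Microsoft.Win32;

static class WinlogonShellCheck
{
    const string WinlogonPath = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon";

    // Reads Winlogon\Shell through an explicit registry view (opened read-only).
    static string ReadShell(RegistryView view)
    {
        using (RegistryKey baseKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, view))
        using (RegistryKey key = baseKey.OpenSubKey(WinlogonPath))
        {
            // key is null when the subkey does not exist in this view.
            return key == null ? null : key.GetValue("Shell") as string;
        }
    }

    static void Main()
    {
        Console.WriteLine("64-bit OS: {0}, 64-bit process: {1}",
            Environment.Is64BitOperatingSystem, Environment.Is64BitProcess);

        // On a 32-bit OS both views resolve to the same key.
        string native = ReadShell(RegistryView.Registry64);
        string wow = ReadShell(RegistryView.Registry32);

        Console.WriteLine("Registry64 view Shell = {0}", native ?? "<not set>");
        Console.WriteLine("Registry32 view Shell = {0}", wow ?? "<not set>");

        // A 32-bit process on 64-bit Windows gets the 32-bit view from
        // Registry.LocalMachine unless a view is requested explicitly.
        if (Environment.Is64BitOperatingSystem && !Environment.Is64BitProcess)
            Console.WriteLine("32-bit process: Registry.LocalMachine uses the Registry32 view by default.");

        if (!string.Equals(native, wow, StringComparison.OrdinalIgnoreCase))
            Console.WriteLine("The two views hold different Shell values.");
    }
}
```

Running it before and after the change shows whether the value regedit displays (the 64-bit view on 64-bit Windows) is the one the application modified.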
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow