`alternateshell`#

$ target-query <path/to/target> -f alternateshell

Details#
Module	`os.windows.generic.GenericPlugin`
Output	`records`

Module documentation

Generic Windows plugin.

Provides some plugins that don’t fit in a separate plugin.

Function documentation

Return the AlternateShell registry key value.

The AlternateShell registry key, HKEY_LOCAL_MACHINESystemCurrentControlSetControlSafeboot, specifies the shell that is used when a Windows system is started in “Safe Mode with Command Prompt”. Can be leveraged as a persistence mechanism.

References:

https://technet.microsoft.com/en-us/library/cc976124.aspx

alternateshell#

`alternateshell`#