Simple Windows Forms App to deceive users into rebooting the system upon login. Useful when you have updated a registry key such as PPL and need a safe reboot

ricardojoserf/FakeRebootAlert

FakeRebootAlert

This is a basic Windows Forms App designed to display a popup asking users to reboot their machine. It can be useful in scenarios where a system restart is necessary for changes to take effect, such as when modifications have been made to registry keys (e.g., Protected Process Light (PPL) settings).

To make it look legitimate, the popup message includes the system's hostname and the icon of a program installed on the machine. The icon is embedded as a base64 blob and can be replaced with the icon of any other program through the variable "base64Icon" in the Program.cs file.


Motivation

It is increasingly common to find PPL protection enabled by default in Windows systems. Even with administrator privileges, modifying the corresponding registry key requires a system restart for the changes to take effect.

However, restarting the computer can be risky in certain scenarios. In such cases, waiting for users to reboot naturally may seem like a safer option, but it is not always feasible to wait for weeks or months. To address this, we can use this tool to prompt users to reboot prematurely, encouraging them to restart the system on their own.


Usage example: Startup Folder

The tool can be configured to launch automatically when a user logs in using Auto Start Extensibility Points (ASEPs) such as the Startup Folder.

To do this, place a shortcut or the executable itself in the Startup Folder for a specific user:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

Or use the system-wide Startup folder, which makes the prompt appear for any user who logs in:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Similar mechanisms are documented in the MITRE ATT&CK framework under technique T1547.
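
For defenders, the two Startup folder paths above are the places to audit. The following PowerShell script is an added example, not part of the FakeRebootAlert project: it lists every item in the system-wide and per-user Startup folders, resolves shortcuts to their targets, and reports each target's Authenticode status and SHA-256 hash. It assumes user profiles live under the default Users directory on the system drive.

```powershell
# Added example: audit the per-user and system-wide Startup folders.
# Run from an elevated prompt so other users' profiles are readable.

$startupDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)
# One per-user Startup folder for each profile (assumes the default profile root).
$startupDirs += Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' } |
    Where-Object { Test-Path -LiteralPath $_ }

$shell = New-Object -ComObject WScript.Shell

$report = foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            # Resolve shortcuts so the hash and signature describe the real target.
            $target = $_.FullName
            if ($_.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($_.FullName).TargetPath
            }
            $exists = $target -and (Test-Path -LiteralPath $target -PathType Leaf)
            [pscustomobject]@{
                StartupItem = $_.FullName
                Created     = $_.CreationTime
                Target      = $target
                Signature   = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'TargetMissing' }
                SHA256      = if ($exists) { (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash } else { $null }
            }
        }
}

# Entries without a valid signature sort first, newest first within each group.
$report |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, @{ Expression = 'Created'; Descending = $true } |
    Format-Table -AutoSize -Wrap
```

A recently created, unsigned executable or shortcut in either folder is worth correlating with other logon-time activity on the host.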