At the start of my application i change the shell value of the registry to a custom shell and kill the explorer.exe (It is done outside the application), i want to allow a backdoor to return to the original shell and bring back the explorer.exe. brining the process back works fine for me but when i run my code to change the registry value no exception is thrown but the value doesn't change when i check in regedit, this is my code (saw it here on a different question) :
RegistryKey regKey = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", true);
regKey.SetValue("Shell", "explorer.exe", RegistryValueKind.String);
regKey.Close();
Please help
In your code, you are actually set the value of
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Because some registry keys are redirected by WOW64, please check MSDN to get more details.
Try this:
RegistryKey localMachine = RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, RegistryView.Registry64);
RegistryKey regKey = localMachine .OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", true);
regKey.SetValue("Shell", "explorer.exe", RegistryValueKind.String);
regKey.Close();