Press Play To Restart - Under the Hood of the Windows Restart Manager
Offered By: Recon Conference via YouTube
Course Description
Overview
Dive into the inner workings of the Windows Restart Manager in this 36-minute conference talk from Recon 2023. Explore how this often-overlooked Windows component, introduced in Vista to reduce reboots during software updates, can be exploited for malicious purposes. Learn about the Restart Manager's architecture and mechanisms, observe its legitimate use in installers, and examine real-world examples of its misuse. Participate in a live demo showcasing the Restart Manager's functionalities and discover a unique application. Conclude with insights into defensive methods against potential threats. Presented by Mathilde Venault, a CrowdStrike security researcher specializing in Windows operating systems, this talk offers valuable knowledge for those interested in malware analysis, EDR detection, and undocumented Windows mechanisms.
Syllabus
Recon 2023 - Mathilde Venault - Press Play To Restart: Under the Hood of the Windows Restart Manager
Taught by
Recon Conference
Related Courses
Harnessing Intel Processor Trace on Windows for Fuzz
Recon Conference via YouTube
Reverse Engineering Satellite Based IP Content Distribution
Recon Conference via YouTube
Reverse Engineering Windows Defender's JavaScript Engine
Recon Conference via YouTube
DIY ARM Debugger for Wi-Fi Chips
Recon Conference via YouTube
Subverting Your Server Through Its BMC - The HPE iLO4 Case
Recon Conference via YouTube