What evil can malware do within the Documents and Settings folder?

I would like to learn what malware can do within the Documents and Settings folder (and sub folders) only.
The folder contains one of the Windows XP registry hives NTUSER.DAT (HKEY_CURRENT_USER).
It also contains the desktop folder and the Start Menu (which contains the Startup folder).

Only considering this folder with subfolders(and its contents), what are the main malicious actions that malware can perform here?

 

Almost everything.

It offers startup location and room for exploits (Active Desktop)
Lots of nice hidden folders (by default) where you can store files.
For example Brontok variants used the Local Settings\Application Data folder.

Regards,

Pieter

 

Thank you Pieter!

 

You're welcome.

Was there a particular reason for asking?
Looking at attack vectors against specific users of a computer?

Regards,

Pieter

 

Yes, your answer has helped to settle a problem of risks vs. benefits.

There is an ongoing thread about the nLite Windows XP slipstreaming utility here:
Updating WinXPproSP2 Install CD - nLite
nLite can make a windows clean reinstall faster, easier, more secure, and customized.
It also has the option to move the entire Documents and Settings folder to a different partition (for example, a data partition).
This option was very tempting (to me at least) because it would let me automatically move My Documents, Favorites, Firefox and Thunderbird Profiles, as well as the profiles and settings for every single installed (and future installed) program to my Data partition.
This would mean that I would not need to manually move these and could save a lot of time.
If one needed to restore a backup image of the OS in case of some regular corruption or compatibility issue, all the customized settings for the different programs would not be lost.

But the big negative is that malware could persist in the Documents and Settings folder and even become automatically active again after a restore.
This takes away the security benefit of making backup images in regards to malware.

Right now it seems much better (security wise) to just manually move the selected folders and profiles like My Documents, Favorites, Firefox, Opera, and Thunderbird Profiles.
Would you agree?

Would you happen to know if the list of installed programs (as shown in the Add/Remove Programs control Panel applet) is stored in NTUSER.DAT(HKEY_CURRENT_USER)?
NTUSER.DAT is stored within the Documents and Settings\[CURRENTUSER] folder.

 

The majority of the items listed under Add/Remove Programs is fetched from this key in the registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Only if you get the option to "Install for the current user only" and you choose to do so, the information will be written to:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Personally I also use an .inf file to quickly change a few personal settings to my liking on a freshly installed system.
(I often re-install my Virtual Machines)
This can of course also be done with a .reg file or whatever you prefer.

Regards,

Pieter

 

Thanks again Pieter!