Ghost Clink in CMD: Forensic Diagnosis and Definitive Removal on Windows 10
In this incident, Clink v1.7.6 was being injected into cmd.exe at startup, yet the command where clink returned nothing and no uninstall command was available. That combination points to a startup hook living outside PATH, not to a normal installation.
Investigation workflow
- Check standard AutoRun keys:
reg query "HKCU\Software\Microsoft\Command Processor" /v AutoRun
reg query "HKLM\Software\Microsoft\Command Processor" /v AutoRun
- Check global DLL injection vector:
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
- Inspect Windows Terminal JSON profile for hidden inject commands:
"commandline": "cmd.exe /k %LOCALAPPDATA%\\clink\\clink_x64.exe inject"
- Perform recursive binary search:
where /r C:\ clink_x64.exe
where /r C:\ clink*.dll
- Check policy-controlled AutoRun keys (common in managed environments):
reg query "HKLM\Software\Policies\Microsoft\Windows\Command Processor" /v AutoRun
reg query "HKCU\Software\Policies\Microsoft\Windows\Command Processor" /v AutoRun
Definitive remediation
- Remove startup triggers from registry/policy when present.
- Remove the clink ... inject command from Windows Terminal profiles.
- Delete orphaned binaries only after validating where they came from.
- Use Sysinternals Autoruns (Logon and Command Processor tabs) to catch residual persistence.
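The investigation workflow and the remediation steps above, collected into one PowerShell audit script. This is an added example, not code from the original post or from the Clink project. It assumes an elevated PowerShell session, that the Windows Terminal settings.json lives at the Store-install path (other installs keep it elsewhere), and it treats any AutoRun or profile command line containing the string "clink" as the hook to clear; the function and variable names are my own.

```powershell
# Audit the persistence points the workflow enumerates; optionally clear the Clink ones.
# Assumptions: elevated session; Store-install path for Windows Terminal settings.json.

$AutoRunKeys = @(
    'HKCU:\Software\Microsoft\Command Processor',
    'HKLM:\Software\Microsoft\Command Processor',
    'HKCU:\Software\Policies\Microsoft\Windows\Command Processor',
    'HKLM:\Software\Policies\Microsoft\Windows\Command Processor'
)
$AppInitKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
# Assumed location (Store install); adjust for a portable or MSIX-less install.
$TerminalSettings = Join-Path $env:LOCALAPPDATA `
    'Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json'

function Get-ClinkPersistence {
    # Returns one object per finding: Source, Location, Value
    $findings = @()

    # 1. AutoRun values, both the standard keys and the policy-controlled ones
    foreach ($key in $AutoRunKeys) {
        $value = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
        if ($value) {
            $findings += [pscustomobject]@{ Source = 'AutoRun'; Location = $key; Value = $value }
        }
    }

    # 2. Global DLL injection vector
    $appInit = (Get-ItemProperty -Path $AppInitKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        $findings += [pscustomobject]@{ Source = 'AppInit_DLLs'; Location = $AppInitKey; Value = $appInit }
    }

    # 3. Windows Terminal profiles whose commandline injects clink.
    #    settings.json may contain // comments, which ConvertFrom-Json on PowerShell 5.1
    #    rejects; fall back to a raw text scan in that case.
    if (Test-Path $TerminalSettings) {
        $raw = Get-Content -Raw -Path $TerminalSettings
        try {
            $json = $raw | ConvertFrom-Json
            foreach ($p in $json.profiles.list) {
                if ($p.commandline -and $p.commandline -match 'clink') {
                    $findings += [pscustomobject]@{ Source = 'WindowsTerminalProfile'; Location = $p.name; Value = $p.commandline }
                }
            }
        } catch {
            foreach ($m in ($raw -split "`n" | Select-String -Pattern 'clink.*inject')) {
                $findings += [pscustomobject]@{ Source = 'WindowsTerminalProfile'; Location = $TerminalSettings; Value = $m.Line.Trim() }
            }
        }
    }

    # 4. Filesystem sweep, same targets as the `where /r` commands, returning full paths
    $binaries = Get-ChildItem -Path 'C:\' -Recurse -File -Include 'clink_x64.exe', 'clink*.dll' -ErrorAction SilentlyContinue
    foreach ($bin in $binaries) {
        $findings += [pscustomobject]@{ Source = 'Binary'; Location = $bin.DirectoryName; Value = $bin.Name }
    }

    return $findings
}

function Remove-ClinkPersistence {
    # Clears only AutoRun values that reference clink; everything else is reported for manual review,
    # because AppInit_DLLs, profile edits and binary deletion need source-path validation first.
    param([Parameter(Mandatory)] $Findings)
    foreach ($f in $Findings) {
        switch ($f.Source) {
            'AutoRun' {
                if ($f.Value -match 'clink') {
                    Remove-ItemProperty -Path $f.Location -Name AutoRun
                    Write-Host "Removed AutoRun from $($f.Location)"
                }
            }
            'AppInit_DLLs'           { Write-Host "Review AppInit_DLLs manually: $($f.Value)" }
            'WindowsTerminalProfile' { Write-Host "Edit profile '$($f.Location)' and drop: $($f.Value)" }
            'Binary'                 { Write-Host "Validate source before deleting: $($f.Location)\$($f.Value)" }
        }
    }
}

$found = Get-ClinkPersistence
$found | Format-Table -AutoSize
# After reviewing the table, run the cleanup and then re-run Get-ClinkPersistence to confirm it is empty:
# Remove-ClinkPersistence -Findings $found
```

Running the audit twice, before and after cleanup, is what makes the removal reproducible: an empty second result set is the evidence that every layer (registry, policy, terminal profile, filesystem) is clear. Autoruns remains the final cross-check for anything this script does not enumerate.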
Operational conclusion
This was not a random bug. It was technical residue with hidden startup hooks. Layered forensics (registry, policy, terminal profile, filesystem) is what makes removal permanent and reproducible.
Strategic recommendation
Treat classic cmd.exe as a legacy compatibility shell. For day-to-day engineering workflows, standardize on PowerShell 7 or Windows Terminal + WSL to reduce hidden startup customizations and improve operational predictability.
This post is licensed under CC BY-NC.