DingleBerries Posted February 23, 2009

Registry Autostart Locations

1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
   All values in this key are executed.
2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
   All values in this key are executed, and then their autostart reference is deleted.
3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
   All values in this key are executed as services.
4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
   All values in this key are executed as services, and then their autostart reference is deleted.
5. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
   All values in this key are executed.
6. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
   All values in this key are executed, and then their autostart reference is deleted.
7. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
   Used only by Setup. Displays a progress dialog box as the keys are run one at a time.
8. HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\
   Similar to the Run key from HKEY_CURRENT_USER.
9. HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\
   Similar to the RunOnce key from HKEY_CURRENT_USER.
10. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    The "Shell" value is monitored. This value is executed after you log in.
11. HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\
    All subkeys are monitored, with special attention paid to the "StubPath" value in each subkey.
12. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\
    All subkeys are monitored, with special attention paid to the "StaticVXD" value in each subkey.
13. HKEY_CURRENT_USER\Control Panel\Desktop
    The "SCRNSAVE.EXE" value is monitored. This value is launched when your screen saver activates.
14. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
    The "BootExecute" value is monitored. Files listed here are Native Applications that are executed before Windows starts.
15. HKEY_CLASSES_ROOT\vbsfile\shell\open\command\
    Executed whenever a .VBS file (Visual Basic Script) is run.
16. HKEY_CLASSES_ROOT\vbefile\shell\open\command\
    Executed whenever a .VBE file (Encoded Visual Basic Script) is run.
17. HKEY_CLASSES_ROOT\jsfile\shell\open\command\
    Executed whenever a .JS file (Javascript) is run.
18. HKEY_CLASSES_ROOT\jsefile\shell\open\command\
    Executed whenever a .JSE file (Encoded Javascript) is run.
19. HKEY_CLASSES_ROOT\wshfile\shell\open\command\
    Executed whenever a .WSH file (Windows Scripting Host) is run.
20. HKEY_CLASSES_ROOT\wsffile\shell\open\command\
    Executed whenever a .WSF file (Windows Scripting File) is run.
21. HKEY_CLASSES_ROOT\exefile\shell\open\command\
    Executed whenever a .EXE file (Executable) is run.
22. HKEY_CLASSES_ROOT\comfile\shell\open\command\
    Executed whenever a .COM file (Command) is run.
23. HKEY_CLASSES_ROOT\batfile\shell\open\command\
    Executed whenever a .BAT file (Batch Command) is run.
24. HKEY_CLASSES_ROOT\scrfile\shell\open\command\
    Executed whenever a .SCR file (Screen Saver) is run.
25. HKEY_CLASSES_ROOT\piffile\shell\open\command\
    Executed whenever a .PIF file (Portable Interchange Format) is run.
26. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
    Services marked to start up automatically are executed before user login.
27. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries\
    Layered Service Providers, executed before user login.
28. HKEY_LOCAL_MACHINE\System\Control\WOW\cmdline
    Executed when a 16-bit Windows executable is executed.
29. HKEY_LOCAL_MACHINE\System\Control\WOW\wowcmdline
    Executed when a 16-bit DOS application is executed.
30. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Executed when a user logs in.
31. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    Executed by explorer.exe as soon as it has loaded.
32. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
    Executed when the user logs in.
33. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
    Executed when the user logs in.
34. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
    Subvalues are executed when Explorer initialises.
35. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
    Subvalues are executed when Explorer initialises.

Folder Autostart Locations

1. windir\Start Menu\Programs\Startup\
2. User\Startup\
3. All Users\Startup\
4. windir\system\iosubsys\
5. windir\system\vmm32\
6. windir\Tasks\

File Autostart Locations

1. c:\explorer.exe
2. c:\autoexec.bat
3. c:\config.sys
4. windir\wininit.ini
5. windir\winstart.bat
6. windir\win.ini - [windows] "load"
7. windir\win.ini - [windows] "run"
8. windir\system.ini - [boot] "shell"
9. windir\system.ini - [boot] "scrnsave.exe"
10. windir\dosstart.bat
11. windir\system\autoexec.nt
12. windir\system\config.nt
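
Added example, not part of the original post: a Python sketch that audits some of the registry locations listed above by comparing two saved `reg query` outputs. It treats RunOnce removals as expected (those entries delete themselves after running) and checks the exefile/comfile/batfile handlers against the stock `"%1" %*` command. The snapshots, value names and paths are constructed sample data, and the function names are hypothetical.

```python
import re

VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+)(?: {4}(.*))?$")
# Handlers from the list whose stock (Default) data is "%1" %* (pass the file through).
PASS_THROUGH = {"hkey_classes_root\\%sfile\\shell\\open\\command" % t for t in ("exe", "com", "bat")}

def parse_reg_query(text):
    """Parse `reg query` text into {(key, value_name): data}; names lower-cased."""
    snap, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().rstrip("\\").lower()
        elif key and (m := VALUE_RE.match(line.rstrip())):
            snap[(key, m.group(1).lower())] = m.group(3) or ""
    return snap

def diff_autostarts(baseline, current):
    """Report added/changed/removed values; RunOnce removals are expected."""
    out = []
    for loc, data in sorted(current.items()):
        if baseline.get(loc) != data:
            out.append(("added" if loc not in baseline else "changed", loc, data))
    for loc in sorted(set(baseline) - set(current)):
        if not loc[0].endswith("\\runonce"):  # RunOnce deletes its entries after running
            out.append(("removed", loc, baseline[loc]))
    return out

def hijacked_handlers(snap):
    """Return handler keys whose (Default) command is no longer the stock pass-through."""
    return [(k, d) for (k, v), d in sorted(snap.items())
            if k in PASS_THROUGH and v == "(default)" and d.strip() != '"%1" %*']

# Constructed sample snapshots (not from the thread).
BASELINE = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Example Agent    REG_SZ    "C:\Program Files\Example\agent.exe" -service
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    SetupFinish    REG_SZ    C:\Temp\finish.cmd
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    "%1" %*
"""
CURRENT = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Example Agent    REG_SZ    "C:\Program Files\Example\agent.exe" -service
    updater    REG_SZ    C:\Users\Public\updater.exe
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\Users\Public\updater.exe "%1" %*
"""

if __name__ == "__main__":
    cur = parse_reg_query(CURRENT)
    print(diff_autostarts(parse_reg_query(BASELINE), cur), hijacked_handlers(cur))
```
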

ardnat Posted February 23, 2009
nice, not very effective if you have tcMonitor though (it checks changes to start up registry keys+start up locations) Also, are there any different ones just for vista?

will-wtf Posted February 26, 2009
If you made this, nice work. My outlook now starts automatically! Would there be a way to have it delay 5 mins after startup? Another point, vnc starts way before any other program on my portable <laptop or whatever it is called> Is this simply due to it being at the ^top of the list^ as it were, or a special location?

SomethingToChatWith Posted February 28, 2009
Create a task to start outlook five minutes after you've logged in or one to start a bat that in turn schedules a task to start outlook after 5 mins. Useful thread, thanks for posting. 35 different places in the registry alone for auto-start though? No wonder so many viruses are hard to counteract once they get on and deep into a system.

DingleBerries (Author) Posted February 28, 2009
Look up the at command for scheduling things.

SomethingToChatWith Posted February 28, 2009
Or you could use schtasks: help schtasks for Vista/W7

will-wtf Posted February 28, 2009
Thanks