Hak5 Forums


DingleBerries

Registry AutoStart Locations


Registry Autostart Locations

1.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

All values in this key are executed.

2.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\

All values in this key are executed, and then their autostart reference is deleted.

3.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\

All values in this key are executed as services.

4.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\

All values in this key are executed as services, and then their autostart reference is deleted.

5.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

All values in this key are executed.

6.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\

All values in this key are executed, and then their autostart reference is deleted.

7.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\

Used only by Setup. Displays a progress dialog box as the keys are run one at a time.

8.

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\

Similar to the Run key from HKEY_CURRENT_USER.

9.

HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\

Similar to the RunOnce key from HKEY_CURRENT_USER.

10.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The "Shell" value is monitored. This value is executed after you log in.

11.

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\

All subkeys are monitored, with special attention paid to the "StubPath" value in each subkey.

12.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\

All subkeys are monitored, with special attention paid to the "StaticVXD" value in each subkey.

13.

HKEY_CURRENT_USER\Control Panel\Desktop

The "SCRNSAVE.EXE" value is monitored. This value is launched when your screen saver activates.

14.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

The "BootExecute" value is monitored. Files listed here are Native Applications that are executed before Windows starts.

15.

HKEY_CLASSES_ROOT\vbsfile\shell\open\command\

Executed whenever a .VBS file (Visual Basic Script) is run.

16.

HKEY_CLASSES_ROOT\vbefile\shell\open\command\

Executed whenever a .VBE file (Encoded Visual Basic Script) is run.

17.

HKEY_CLASSES_ROOT\jsfile\shell\open\command\

Executed whenever a .JS file (Javascript) is run.

18.

HKEY_CLASSES_ROOT\jsefile\shell\open\command\

Executed whenever a .JSE file (Encoded Javascript) is run.

19.

HKEY_CLASSES_ROOT\wshfile\shell\open\command\

Executed whenever a .WSH file (Windows Scripting Host) is run.

20.

HKEY_CLASSES_ROOT\wsffile\shell\open\command\

Executed whenever a .WSF file (Windows Scripting File) is run.

21.

HKEY_CLASSES_ROOT\exefile\shell\open\command\

Executed whenever a .EXE file (Executable) is run.

22.

HKEY_CLASSES_ROOT\comfile\shell\open\command\

Executed whenever a .COM file (Command) is run.

23.

HKEY_CLASSES_ROOT\batfile\shell\open\command\

Executed whenever a .BAT file (Batch Command) is run.

24.

HKEY_CLASSES_ROOT\scrfile\shell\open\command\

Executed whenever a .SCR file (Screen Saver) is run.

25.

HKEY_CLASSES_ROOT\piffile\shell\open\command\

Executed whenever a .PIF file (Portable Interchange Format) is run.

26.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\

Services marked to startup automatically are executed before user login.

27.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries\

Layered Service Providers, executed before user login.

28.

HKEY_LOCAL_MACHINE\System\Control\WOW\cmdline

Executed when a 16-bit Windows executable is executed.

29.

HKEY_LOCAL_MACHINE\System\Control\WOW\wowcmdline

Executed when a 16-bit DOS application is executed.

30.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Executed when a user logs in.

31.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

Executed by explorer.exe as soon as it has loaded.

32.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

Executed when the user logs in.

33.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

Executed when the user logs in.

34.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

Subvalues are executed when Explorer initialises.

35.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

Subvalues are executed when Explorer initialises.

Folder Autostart Locations

1. windir\Start Menu\Programs\Startup\

2. User\Startup\

3. All Users\Startup\

4. windir\system\iosubsys\

5. windir\system\vmm32\

6. windir\Tasks\

File Autostart Locations

1. c:\explorer.exe

2. c:\autoexec.bat

3. c:\config.sys

4. windir\wininit.ini

5. windir\winstart.bat

6. windir\win.ini - [windows] "load"

7. windir\win.ini - [windows] "run"

8. windir\system.ini - [boot] "shell"

9. windir\system.ini - [boot] "scrnsave.exe"

10. windir\dosstart.bat

11. windir\system\autoexec.nt

12. windir\system\config.nt
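
A read-only audit of a subset of the registry locations listed in the post above, as an added example that is not part of the original post. The helper names `Get-RunKeyEntry` and `Test-AutostartValue` are hypothetical, and the `$baseline` patterns are assumed stock-install values that should be adjusted to your own known-good baseline.

```powershell
# Added example: read-only audit of some autostart locations from the list above.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Single values and the setting assumed for a stock install (regex, case-insensitive).
$baseline = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Want = '^explorer\.exe$' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Want = '^[a-z]:\\windows\\system32\\userinit\.exe,?$' },
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\Session Manager'; Name = 'BootExecute'; Want = '^autocheck autochk \*$' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name = ''; Want = '^"%1" %\*$' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command'; Name = ''; Want = '^"%1" %\*$' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\batfile\shell\open\command'; Name = ''; Want = '^"%1" %\*$' }
)

function Get-RunKeyEntry {
    # Every value under a Run-style key is a command line; list them unexpanded.
    param([string[]]$Path)
    foreach ($p in $Path) {
        $key = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $key) { continue }              # key not present on this system
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $p; Name = $name
                Command = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames') }
        }
    }
}

function Test-AutostartValue {
    # Compare one named value (or the key's default value when Name is '') with the baseline.
    param([hashtable[]]$Check)
    foreach ($c in $Check) {
        $key   = Get-Item -LiteralPath $c.Path -ErrorAction SilentlyContinue
        $raw   = if ($key) { $key.GetValue($c.Name, $null, 'DoNotExpandEnvironmentNames') }
        $value = @($raw) -join ' '               # REG_MULTI_SZ (BootExecute) becomes one string
        [pscustomobject]@{ Key = $c.Path; Name = $c.Name; Value = $value
            Deviates = -not ($value -match $c.Want) }
    }
}

Get-RunKeyEntry -Path $runKeys | Format-Table -AutoSize -Wrap
Test-AutostartValue -Check $baseline | Where-Object Deviates | Format-List
```

Run it once on a known-good machine and keep the output; later runs are most useful as a diff against that saved baseline.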

ardnat   

nice,

not very effective if you have tcMonitor though (it checks changes to start up registry keys + start up locations)

Also, are there any different ones just for vista?

will-wtf   

If you made this, nice work. My outlook now starts automatically! Would there be a way to have it delay 5 mins after startup?

Another point, vnc starts way before any other program on my portable <laptop or whatever it is called> Is this simply due to it being at the ^top of the list^ as it were, or a special location?


Create a task to start outlook five minutes after you've logged in or one to start a bat that in turn schedules a task to start outlook after 5 mins.

Useful thread, thanks for posting. 35 different places in the registry alone for auto-start though? No wonder so many viruses are hard to counteract once they get on and deep into a system.
