
Windows: the various autostart directories

October 6, 2019 ⁄ General ⁄ 32,987 characters


For your information and enjoyment, here's a list of autostart locations I've been collecting. Any of these startup locations can and will of course be used both by legitimate applications and by malware such as trojans, viruses, worms and spyware.

1. Autostart folder
In Windows 95, 98, Millennium:
C:\windows\start menu\programs\startup
and the "Global" Startup folder:
C:\Windows\All Users\Start Menu\Programs\StartUp
In Win XP and 2000:
C:\Documents and Settings\Your User Name\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
This Autostart directory is saved in:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"
Setting it to anything other than C:\windows\start menu\programs\startup will lead to the execution of ALL and EVERY executable inside the directory so set. Examples of malware using this and related techniques:
http://sophos.com/virusinfo/analyses/trojwock32a.html
http://www.sophos.com/virusinfo/analyses/trojoptix03c.html
http://www.sophos.com/virusinfo/analyses/trojspywadc.html

2. Win.ini
In Win 9x:
[windows]
load=file.exe
run=file.exe
In Windows NT/XP:
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"=""
"load"=""
Programs Automatically Start When User Logs on to Windows
In NT-based systems, if Windows finds sections in .ini files which are not present in the registry, those sections will automatically be registered.
Examples:
http://www.trendmicro.com/vinfo/virusencyc...WORM_LOVGATE.AB
http://securityresponse.symantec.com/avcen...a/vbs.grez.html
http://www3.ca.com/securityadvisor/virusin...s.aspx?id=36374

3a. System.ini (Windows 95/98/Millennium)
[boot]
Shell=Explorer.exe file.exe

3b. Winlogon\Shell (Windows XP/NT/2000)
During system startup, Windows XP, NT and Windows 2000 consult the "Shell" registry value at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to determine the name of the executable that should be loaded as the shell.
By default, this value specifies Explorer.exe.
This can also be specified on a per-user-profile basis (i.e., the corresponding registry key/value under HKEY_CURRENT_USER).
Examples of malware using this startup method:
http://www.symantec.com/avcenter/venc/data...or.nithsys.html
http://www.symantec.com/avcenter/venc/data...oor.nibu.h.html
http://www.trendmicro.com/vinfo/virusencyc...BDD&VSect=T
http://securityresponse.symantec.com/avcen...dss.trojan.html
In the following keys as well, a "Shell" string value can be used to specify an alternate user interface for Windows 2000 and XP:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
Additionally, at boot the system searches for Explorer.exe starting from the root C:\ and finishing at C:\windows\explorer.exe.
If malware is named "explorer.exe" and is placed in the root of the drive, the file will be launched without the necessity of modifying any boot files, and it can then launch the real explorer.exe without the user noticing anything.

4. c:\windows\winstart.bat (Windows 95, 98)
Behaves like a normal BAT file. Used for copying or deleting specific files. Autostarts every time.
Occasionally used by malware as well:
http://securityresponse.symantec.com/avcen...door.optix.html
http://vil.nai.com/vil/content/v_99196.htm
http://www.sophos.com/security/analyses/trojnettroja.html

5a. Registry Run/RunOnce/RunServices keys
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"
INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup (Q179365)
Definition of the RunOnce Keys in the Registry (Q137367)
A Definition of the Run Keys in the Windows XP Registry

5b. RunOnceEx Key
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
Description of the RunOnceEx Registry Key
Syntax for the RunOnceEx Registry Key

6a. wininit.ini (Win 9x)
Often used by setup programs; when the file exists it is processed ONCE and then deleted by Windows.
Example content of wininit.ini:
[Rename]
NUL=c:\windows\picture.exe
This example sends c:\windows\picture.exe to NUL, which means that it is deleted. This requires no interaction with the user and runs completely stealthily.
More info on Wininit.ini: HOWTO: Move Files That Are Currently in Use
Examples of malware using Wininit.ini:
http://www.symantec.com/avcenter/venc/data...en.12288.a.html
http://hq.mcafeeasap.com/dispVirus.asp?virus_k=99619
http://securityresponse.symantec.com/avcen...etlip.worm.html

6b. PendingFileRenameOperations (Windows NT/2000/XP)
Windows XP/NT does not use Wininit.ini. Instead it uses a "PendingFileRenameOperations" REG_MULTI_SZ value in the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
"PendingFileRenameOperations"
More info on the PFRO reg value: How to replace in-use files at Windows restart
Examples of malware making use of PendingFileRenameOperations:
http://de.trendmicro-europe.com/enterprise...A.L&VSect=T
http://securityresponse.symantec.com/avcen...goner.a@mm.html
Another possible multi-string value here to look at (thank you, Mosaic1) is: ExcludeFromKnownDlls
The reason is this: the KnownDlls key lists DLLs which can only be run from the System folder. If the same file is located in a program's folder it will not be run; the version in System32 will be run instead.
Here's the MS article: INFO: Windows Uses KnownDLLs Registry Entry to Find DLLs
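Both mechanisms in sections 6a and 6b describe file operations that Windows carries out at the next boot, before any process holds the files open. The following is an added example (not from the original post) that parses a constructed wininit.ini [Rename] section and a constructed PendingFileRenameOperations list and flags the operations a reviewer should look at: renames that land inside a system directory and outright deletions. The pair layout of the REG_MULTI_SZ, the \??\ path prefix and the "!" prefix for "replace existing" are the MoveFileEx delay-until-reboot conventions and are an assumption here, not something the text above states.

```python
# Added example: parsers for the two "rename at next boot" mechanisms above.

SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\")

# Constructed wininit.ini (Win 9x): [Rename] lines read destination=source;
# a destination of NUL means the source file is deleted.
SAMPLE_WININIT = """[Rename]
NUL=c:\\windows\\picture.exe
c:\\windows\\system\\shell32.dll=c:\\windows\\temp\\shell32.new
"""

# Constructed PendingFileRenameOperations data, laid out as winreg returns a
# REG_MULTI_SZ: a flat list of source, destination pairs. The \??\ prefix, the
# empty destination for "delete" and the "!" prefix for "replace existing" are
# the MoveFileEx conventions (assumed, not taken from the text above).
SAMPLE_PFRO = [
    r"\??\C:\WINDOWS\system32\drvupd.tmp", r"!\??\C:\WINDOWS\system32\userinit.exe",
    r"\??\C:\DOCUME~1\user\LOCALS~1\Temp\~tmp1.exe", "",
]


def parse_wininit(text):
    """Return (kind, source, destination) tuples from the [Rename] section.
    A hand-rolled parser is used because NUL= may legitimately repeat, which
    configparser would reject as a duplicate option."""
    ops, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "rename" or "=" not in line:
            continue
        dest, src = (part.strip() for part in line.split("=", 1))
        if dest.upper() == "NUL":
            ops.append(("delete", src, None))
        else:
            ops.append(("rename", src, dest))
    return ops


def _strip_nt_prefix(path):
    return path[4:] if path.startswith("\\??\\") else path


def parse_pfro(strings):
    """Return (kind, source, destination) tuples from REG_MULTI_SZ pairs."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(strings[::2], strings[1::2]):
        src = _strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, _strip_nt_prefix(dst[1:])))
        else:
            ops.append(("rename", src, _strip_nt_prefix(dst)))
    return ops


def review(ops):
    """Split operations into writes landing under a system directory and deletes.
    Both deserve a second look: the first swaps a system binary at boot while
    nothing has it open, the second is how a dropper removes its own traces."""
    system_writes = [op for op in ops
                     if op[0] in ("rename", "replace")
                     and op[2].lower().startswith(SYSTEM_DIRS)]
    deletes = [op for op in ops if op[0] == "delete"]
    return {"system_writes": system_writes, "deletes": deletes}


if __name__ == "__main__":
    for kind, src, dst in parse_wininit(SAMPLE_WININIT) + parse_pfro(SAMPLE_PFRO):
        print(f"{kind:8} {src} -> {dst or '(deleted)'}")
```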

7. Autoexec.bat (Win 95, 98)
Stands for "automatically executed batch file": the file that DOS automatically executes when a computer boots up.
Note that Windows Millennium ignores AutoExec.bat other than to lift Set, Path and Prompt statements from it and integrate these into the registry.

8. Registry Shell Spawning
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
[HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command]
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
[HKEY_CLASSES_ROOT\htafile\shell\open\command]
[HKEY_CLASSES_ROOT\http\shell\open\command]
[HKEY_CLASSES_ROOT\htmlfile\shell\opennew\command]
[HKEY_CLASSES_ROOT\htmlfile\shell\print\command]
[HKEY_CLASSES_ROOT\inffile\shell\install\command]
[HKEY_CLASSES_ROOT\InternetShortcut\shell\open\command]
[HKEY_CLASSES_ROOT\piffile\shell\open\command]
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
[HKEY_CLASSES_ROOT\regfile\shell\merge\command]
[HKEY_CLASSES_ROOT\vbsfile\shell\open\command]
[HKEY_CLASSES_ROOT\vbefile\shell\open\command]
[HKEY_CLASSES_ROOT\jsfile\shell\open\command]
[HKEY_CLASSES_ROOT\jsefile\shell\open\command]
[HKEY_CLASSES_ROOT\wshfile\shell\open\command]
[HKEY_CLASSES_ROOT\wsffile\shell\open\command]
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
[HKEY_CLASSES_ROOT\scrfile\shell\config\command]
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
... and so on
The default value data for such a key should be "%1" %*; if this is changed to server.exe "%1 %*", server.exe is executed EVERY TIME an exe/pif/com/bat/hta/txt file is executed.
This startup method is used by a large number of worms and trojans:
http://securityresponse.symantec.com/avcen...s.qqpass.c.html
http://hq.mcafeeasap.com/dispVirus.asp?virus_k=99694
http://www.symantec.com/avcenter/venc/data/w32.nopir.d.html
Just a few examples of other subkeys whose default value data have been seen to be exploited:
HKEY_CLASSES_ROOT\Unknown\shell\openas\command
HKEY_CLASSES_ROOT\Directory\Shell\"KeyName"\Command
HKEY_CLASSES_ROOT\Folder\shell\open\command
HKEY_CLASSES_ROOT\Folder\shell\explore\command
HKEY_CLASSES_ROOT\Drive\shell\find\command
HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command
HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Some reading:
http://www.sarc.com/avcenter/venc/data/w32.autex.c.html
http://www.trendmicro.com/vinfo/virusencyc...R.A&VSect=T
http://www.avira.com/en/threats/section/fu...lmir.51944.html
... and the default value data of the "Command" string value in:
HKEY_CLASSES_ROOT\.lnk\ShellNew
HKEY_CLASSES_ROOT\.bfc\ShellNew
See here
Also, in NT-based systems the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts key can be used to associate a given file extension with another application.
For example, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt
Click on .txt and in the right pane there will be a string value named "Application". Modify its value to the name of the executable you want to use: no path, just Notepad.exe, EditPad.exe, Wordpad.exe, etc. If there is no string value named Application, create it.
Now double-click a .txt file and it will be opened by the designated application. Likewise, malware could hijack any subkey here in order to get itself started when a file of that type is launched.
Some useful reading: Mastering File Types in Windows XP
An example of malware using this technique: http://www.avira.com/en/threats/section/fulldetails/id_vir/2256/tr_killfiles.ja.html

9. Icq Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]
When ICQNET detects an Internet connection, ALL applications in this registry key are executed.
Examples of malware using this startup method:
http://www.sophos.com/virusinfo/analyses/w32ronoperg.html
http://www.srnmicro.com/virusinfo/stages.htm

10. Dosstart.bat (Win 95, 98)
This is a regular text-format batch file. It contains instructions identical to those contained in autoexec.bat, but there is one important difference: when it is executed.
While autoexec.bat executes immediately upon boot-up, dosstart.bat executes only when you are running Windows 95/98 and select the "Restart in MS-DOS mode" option from the shutdown menu.
At that point Windows exits with instructions to reboot DOS but not the Windows interface, and DOS executes the dosstart.bat file, which typically loads a mouse driver, a CD-ROM driver, and possibly a couple of others.

11. Active-X Component
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
StubPath=C:\PathToFile\Filename.exe
This starts filename.exe BEFORE the shell and any other program normally started via the Run keys.
Each time a NEW user logs in, HKLM\Software\Microsoft\Active Setup\Installed Components\{GUID} is compared with the corresponding HKEY_CURRENT_USER entry, and the command defined in StubPath (which can be anything) is executed.
Examples of malware using this technique:
http://securityresponse.symantec.com/avcen...or.ftp_ana.html
http://www.sophos.com/security/analyses/trojproratq.html
http://www.sophos.com/security/analyses/trojbckdrput.html

12. UserInit reg value (NT/2000/XP)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
Executed when a user logs in. A path to a program can be added after the comma. Examples of malware using this technique:
http://securityresponse.symantec.com/avcen...c.rpcbot.g.html
http://www.f-secure.com/v-descs/fagot.shtml

13. AppInit_DLLs
Reg Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
The DLLs specified in this value are loaded into the process memory of processes that run after the Registry change has been made.
Info: Working with the AppInit_DLLs Registry Value
Examples of malware using this technique:
http://www.symantec.com/avcenter/venc/data...oor.ginwui.html
http://vil.mcafee.com/dispVirus.asp?virus_k=99238
http://www.symantec.com/avcenter/venc/data...an.riler.e.html

14. RunOnce\Setup reg keys
Normally used only by Setup. A progress dialog box is displayed as the keys are run one at a time.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup
String Value > some program or file
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
String Value > some program or file

15. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Executed by Explorer.exe as soon as it has loaded.
The layout of the values in that key is somewhat like that of the Run key, only each value points to the InProcServer for a CLSID instead of pointing to a file.
Examples of malware using this startup method:
http://www.symantec.com/avcenter/venc/data...or.sedepex.html
http://securityresponse.symantec.com/avcen...r.berbew.q.html
http://securityresponse.symantec.com/avcen...e.eblaster.html

16. Task Scheduler startup
Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed.
A .job file describing the task is placed in the %WinDir%\Tasks folder.
Example of malware using this technique: http://securityresponse.symantec.com/avcen....cone.d@mm.html

17. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (Windows 98/ME/NT/XP)
DLLs referenced in this registry key are loaded at boot.
For examples of malware using this autostart method, see here:
http://www.symantec.com/avcenter/venc/data...ware.topav.html
http://www.trendmicro.com/vinfo/virusencyc...BCB&VSect=T

18. Policies Run keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
String Value > some program or file
Examples of malware using this startup method:
http://www.sophos.com/security/analyses/trojagentbxq.html
http://www.trendmicro.com/vinfo/virusencyc....AK&VSect=T
http://www.sophos.com/virusinfo/analyses/trojproratd.html
http://www3.ca.com/securityadvisor/virusin...s.aspx?id=39429

19. HKEY_CLASSES_ROOT\PROTOCOLS\Filter
Not so much an autostart method as a location where some foistware registers a permanent filter in order to implement a hijack:
http://securityresponse.symantec.com/avcen...jan.popdis.html
http://uk.trendmicro-europe.com/consumer/s...ROJ_STARTPGE.AF
Here's the Microsoft technical article on Pluggable MIME Filters

20. Virtual Device Driver files (VXDs) in Win 9x systems
Loaded from System.ini ([386enh] section)
and from the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\VxD
More info on VXDs here: The Windows 98 Startup Process
Examples of malware using this technique:
http://securityresponse.symantec.com/avcen...d.trojan.c.html
http://www.viruslibrary.com/virusinfo/Win95.MrKlunky.htm
http://hq.mcafeeasap.com/dispVirus.asp?virus_k=100242

21. Services in NT-based systems (Start > Run > Services.msc)
In the Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Many worms and trojans use this startup method as well:
http://www.symantec.com/enterprise/securit...-121314-2529-99
http://www.symantec.com/security_response/...-99&tabid=2
http://www.symantec.com/enterprise/securit...-99&tabid=2
Likewise, malware can compromise an existing service by modifying its ServiceDLL string value, so that the baddie is executed instead of the legitimate file once the service is started, as shown here.
Related: in Win NT/2000/XP one can use the NT Resource Kit utility called AUTOEXNT (autoexec for NT).
The AutoExNT service allows you to start a custom batch file, Autoexnt.bat, when you start a computer, without having to log on to the computer on which it will run.
See: How to Run a Batch File Before Logging on to Your Computer

22. Layered Service Providers
Found in subkeys of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
Layered Service Providers (LSPs) are small pieces of software that can be added or inserted into the Windows TCP/IP handler chain by other software. Data outward bound from your computer to a legitimate destination on the Internet can be intercepted by an LSP and sent somewhere other than where you intend it to go.
They are executed before user login.
Examples of malware implementing LSPs:
http://www.sarc.com/avcenter/venc/data/trojan.riler.c.html
http://www.avira.com/en/threats/section/fu....maran.g.5.html
http://vil.nai.com/vil/content/v_139590.htm

23. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW
Defines the command line that runs when an MS-DOS-based application runs under Windows NT. This command line continues to run until the related application is closed.
The wowcmdline value there defines the command line that runs when a 16-bit Windows-based application is started. The switches instruct Windows NT to start either an MS-DOS "VDM" (Virtual DOS Machine) or a WOW VDM.
More information: REG: CurrentControlSet Entries PART 3 and in this article.

24. Screensaver startup
Windows NT/XP:
HKEY_CURRENT_USER\Control Panel\Desktop
String value: SCRNSAVE.EXE = badfile.scr
Example of malware using this technique: http://no.trendmicro-europe.com/consumer/s...me=WORM_PUROL.A
In systems running Win 9x, the System.ini file is used:
[boot]
SCRNSAVE.EXE=badfile.exe
Example of malware using this technique: http://securityresponse.symantec.com/avcen...hllp.lassa.html

25. Config.nt and Autoexec.nt in Windows NT4/2000/XP
Files:
%SYSTEMROOT%\SYSTEM32\config.nt
%SYSTEMROOT%\SYSTEM32\autoexec.nt
See: http://www.esecurityplanet.com/alerts/article.php/3289911

26. The BootExecute registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager (NT/XP)
Contains the names and arguments of programs that are executed by Session Manager. Session Manager looks in the %WinDir%\system32 directory for the executables listed here.
Example of a trojan using this technique: http://www.ultrasoftware.net/viruslist/descr.asp?id=44

27. Winlogon\Notify (Win XP/2000/NT)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Another well-known registry key that is added to in order to communicate with Winlogon.exe and let it know which procedures to run during an event notification; examples of malware using this technique:
http://vil.nai.com/vil/content/v_100441.htm
http://sarc.com/avcenter/venc/data/pf/adware.look2me.html
http://www.sophos.com/virusinfo/analyses/trojhaxdooru.html
http://www.symantec.com/avcenter/venc/data/w32.naras.html

28. The "AutoRun" reg value in the HKEY_LOCAL_MACHINE (and HKEY_CURRENT_USER)\Software\Microsoft\Command Processor (NT/XP/2000) Registry keys
When CMD.EXE starts, it looks for the above REG_SZ/REG_EXPAND_SZ registry values, and if either or both are present, they are executed first.
An example of malware using this technique: http://www.trendmicro.com/vinfo/virusencyc...me=WORM_HITON.A

29. Script Policies (Win NT/2000/XP)
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts]
Startup = C:\winNT\system32\GroupPolicy\Machine\Scripts\Startup
Startup = C:\winNT\system32\GroupPolicy\User\Scripts\Logon

30. GinaDLL (Win NT/2000/XP)
Windows NT ships configured to load and execute the standard Microsoft GINA DLL (MSGina.dll). To load a different GINA (Graphical Identification and Authentication dynamic-link library), a "GinaDLL" value must be created in the following Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The GinaDLL value must contain the name of a GINA DLL, which Winlogon will then load and use.
An example of malware using this technique: http://www.sophos.com/virusinfo/analyses/trojgina.html

31. GPExtensions (proposed by Philip Sloss) (Win NT/2000/XP)
The GUIDs for each Group Policy extension can be found under:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\GPExtensions
When a computer in a domain starts up, before any user can log in, the domain policies are merged with the local computer's security policy. It's possible that this functionality is executed even for stand-alone computers; if that's the case, then the GPExtensions key would be a potential startup location very similar to the "Startup" event with the Winlogon notification DLLs. (Currently under investigation)
See here and here

32. MPRServices (Win 95, 98, ME)
Somewhat analogously to the "Notify" subkey on NT systems, in Win 9x the following Registry key can be used to load a DLL:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\MPRServices\"Subkey"
DllName =
EntryPoint =
StackSize =
Examples:
http://securityresponse.symantec.com/avcen....haxdoor.b.html
http://www.trendmicro.com/vinfo/virusencyc...D.A&VSect=T
http://vil.nai.com/vil/content/v_138991.htm

33. "System" string value in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
"System"="(Path to) Badfile.exe"
This value is present in Windows NT, 2000 and XP. It contains the list of executable files launched by Winlogon in the system context during system initialisation. The list can be changed by modifying this value.
Examples of malware using this technique:
http://www.sophos.com/virusinfo/analyses/trojbeastdoh.html
http://nl.trendmicro-europe.com/enterprise...me=PE_PLUTO.A-O

34. VMApplet (Win NT/XP)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"VmApplet"=
This registry value stores the file which is launched by the Winlogon process to let the user adjust the virtual memory settings in case the system volume is missing the paging (swap) file. A file extension in the file name is not obligatory.
The default value for it is: rundll32 shell32, Control_RunDLL "sysdm.cpl"

35. Browser Helper Objects
A Browser Helper Object or BHO is in effect a small program that runs automatically every time you start your Internet browser.
Every time an instance of Internet Explorer is started, it looks in the registry for CLSIDs stored under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
If this key exists and there are CLSIDs listed under it, Internet Explorer will try to create an instance of each object listed as a subkey under this key.
Here's the authoritative MS article:
Browser Helper Objects: The Browser the Way You Want It
Examples of malware using this technique:
http://www.sophos.com/virusinfo/analyses/trojpuperad.html
http://www.symantec.com/avcenter/venc/data...martallyes.html
http://www.sophos.com/virusinfo/analyses/trojlixyb.html
http://no.trendmicro-europe.com/enterprise...e=TROJ_BRIDGE.B

36. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key (Windows NT/2000/XP)
A subkey can be added under this key with the name of a legitimate application, for example Explorer.exe. In the Explorer.exe subkey a string value called Debugger is created, its value data containing the path to a file, say "%Windows%\baddie.exe", and baddie.exe will be executed every time an instance of explorer.exe is launched.
Examples of malware using this method:
http://www.trendmicro.com/vinfo/virusencyc...2EA&VSect=T
http://www.sophos.com/virusinfo/analyses/trojcwsm.html
http://www.sophos.com/security/analyses/w32batera.html
http://www.eset.eu/buxus/generate_page.php?page_id=15027
http://www.symantec.com/enterprise/securit...-99&tabid=2

37. The HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers registry key
When a user right-clicks a "shell object", its context menu is displayed. A context menu handler is a Component Object Model (COM) object that adds commands to such a context menu.
A well-known example is the "Open With" context menu entry when right-clicking a file. In the Registry it looks as follows:
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
The {09799AFB-AD67-11d1-ABCD-00C04FC30936} class ID refers to a subkey of the same name in HKEY_CLASSES_ROOT\CLSID, whose InProcServer subkey holds the path to the context handler's DLL, in this case Shell32.dll.
Recently this method has also been seen used by malware, for example the Qoologic trojan:
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmmxn]
@="{f1445181-385e-4b9f-ba55-4fec86b25d01}"
The InProcServer subkey of HKEY_CLASSES_ROOT\CLSID\{f1445181-385e-4b9f-ba55-4fec86b25d01} will show the path to the 'rogue' DLL that is loaded into memory.
Examples of malware making use of this launch point:
http://www.sophos.com/security/analyses/trojcimuze.html
http://www.trendmicro.com/vinfo/virusencyc...D.R&VSect=T

38. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks registry key
The ShellExecuteHooks registry key contains the list of the COM objects (usually DLLs) that trap execute commands. The value name equals the GUID (CLSID) of the COM object in question.
Some technical reading on the subject:
Creating a shell extension with C#
Logging the Shell Activity
Examples of malware using this technique:
http://www.symantec.com/avcenter/venc/data...er.jianghu.html
http://fr.trendmicro-europe.com/smb/securi...e=WORM_KORGO.AB
http://www.sophos.com/virusinfo/analyses/trojspytoolgk.html
http://www.sophos.com/security/analyses/trojpwsads.html

39. The 'Taskman' string value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
This value, not installed by default, can be used to launch Task Manager; see here: Have Ctrl-Esc Start Task Manager
You can replace Taskman.exe with any application, and it will be executed at boot!

40. The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager registry key
The Utility Manager can be configured to start accessibility programs on Windows startup, so a trojan could be slipped in here by altering the Application Path and setting the "Start with..." field, in the way a legitimate application like Magnify.exe is shown to be registered in this example:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Magnifier]
"Application path"="Magnify.exe"
"Application type"=dword:00000001
"Start with Utility Manager"=dword:00000001
"Start with Windows"=dword:00000001

41. The HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers subkey
Basically this is a shell extension handler called by Explorer in order to extend the Details view of a file system folder. Here's the Microsoft technical article on the subject.
However, it has recently come to be used as another loading point for malware, notably some recent variants of the Qoologic trojan.
It will add a subkey here whose default value data tracks back to the rogue DLL.
See here: http://www.sophos.com/virusinfo/analyses/trojqoolaidan.html

42a. The UseAlternateShell value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option subkey
At boot, UserInit.exe checks the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option subkey.
If a value UseAlternateShell is present with its value data set to "1", Userinit runs the program specified as the user's shell in the AlternateShell value in HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot rather than executing Explorer.exe.
Therefore, if malware creates this UseAlternateShell value and sets it to "1", it can modify AlternateShell to run any program at startup.
When this program is executed it can run explorer.exe to load the shell, and the user will never know about the trojan.
Example of malware using this technique: http://www.symantec.com/enterprise/securit...-99&tabid=2

42b. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders (all Windows versions)
ALL DLLs listed in the SecurityProviders string value in this key are loaded by Windows at startup!
An example of malware using this technique:
http://www3.ca.com/securityadvisor/virusin...s.aspx?id=58686

43. Autorun.inf files
Although the great majority of flash drives do not automatically autorun on insertion, the addition of an autorun.inf file can cause them to spread infection. Accessing an infected flash drive through My Computer (clicking on the drive) will cause that autorun.inf to run.
If the autorun.inf is written a certain way, when the AutoPlay screen comes up on insertion the user can be tricked into running a nasty file: by clicking an icon in the "use this program to run..." dialog, a non-legit program added to the autorun.inf file on that drive can be run:
shell\open\command=trojan.exe
At least as insidiously, some malware adds autorun.inf files to the root of every logical drive.
Examples of malware using these techniques:
http://www.symantec.com/security_response/...-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyc...2EA&VSect=P
http://www.symantec.com/security_response/...-99&tabid=1
http://www.symantec.com/security_response/...-99&tabid=2
Sometimes (the Virus.Win32.Small.k aka W32/Autom-A worm is a case in point), "MountPoints" subkeys are compromised:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints (Win 9x, Windows 2000)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 (Windows XP)
Example from an infected registry:
[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\AutoRun\command]
@="C:\\"
[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\explore\Command]
@="WScript.exe .\\autorun.vbs"
[HKCU\...\MountPoints\{36e87055-e94f-11d9-8331-806d6172696f}\Shell\open\Command]
@="WScript.exe .\\autorun.vbs"
Here, an infector file (Autorun.vbs) is placed in the root of drive C, and this file gets executed whenever the user either double-clicks on drive C, or right-clicks the drive and chooses 'Explore'.
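The autorun.inf section above turns on one detail: which keys in the file can cause code to run, and whether they replace what Explorer would normally do for a double-click or "Explore" (the same verbs the MountPoints example hijacks) rather than merely adding a menu entry. The following is an added example, not from the original post: a small parser for a constructed autorun.inf that lists its launch points and reports the overridden Explorer verbs. The sample file, the set of keys treated as launch points and the verb list are this example's own assumptions.

```python
# Added example: enumerate the launch points an autorun.inf declares.
import re

# Constructed autorun.inf in the shape discussed above: every Explorer verb
# (double-click "open", right-click "Explore") plus AutoPlay's open= is
# pointed at the same dropped file.
SAMPLE_AUTORUN = r"""[autorun]
icon=photos.ico
label=Holiday photos
open=trojan.exe
shell\open=Open
shell\open\command=trojan.exe
shell\explore=Explore
shell\explore\command=trojan.exe
shell=open
"""

# Verbs Explorer itself uses for a drive; a shell\<verb>\command entry for one
# of these replaces the built-in action instead of adding a new menu item.
EXPLORER_VERBS = ("open", "explore", "autorun")
_VERB_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Return {section: {key: value}} with section and key names lower-cased
    (autorun.inf keys are case-insensitive and use backslashes as separators)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections


def launch_points(text):
    """Every way this autorun.inf can cause code to run: open=, shellexecute=,
    and each shell\\<verb>\\command=. Returns a dict keyed by the ini key."""
    autorun = parse_autorun(text).get("autorun", {})
    return {key: value for key, value in autorun.items()
            if key in ("open", "shellexecute") or _VERB_CMD_RE.match(key)}


def overridden_explorer_verbs(text):
    """Verbs whose command replaces what Explorer would normally do for the
    drive (double-click, 'Explore', AutoRun), sorted for stable output."""
    verbs = []
    for key in launch_points(text):
        m = _VERB_CMD_RE.match(key)
        if m and m.group(1).lower() in EXPLORER_VERBS:
            verbs.append(m.group(1).lower())
    return sorted(verbs)


if __name__ == "__main__":
    for key, cmd in launch_points(SAMPLE_AUTORUN).items():
        print(f"{key:24} -> {cmd}")
    print("Explorer verbs overridden:", overridden_explorer_verbs(SAMPLE_AUTORUN))
```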

44. App Paths
One major purpose of the "App Paths" registry key is to map the name of an application's executable file to the file's fully qualified path.
An App Paths subkey for a particular application (in this case iexplore.exe) will look something like this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE]
@="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"
"Path"="C:\\Program Files\\Internet Explorer;"
As a result one can type iexplore in the "Run" dialog box without including the full path, and an instance of Internet Explorer will be started.
Malware could alter a file path by pointing it to itself, so that "trojan.exe" would be launched instead of the original application!
Some examples of malware using this technique:
http://www.symantec.com/security_response/...-99&tabid=2
http://www.sophos.co.uk/security/analyses/trojbckdrpuq.html

45. Print Monitors
The "driver" string value in a subkey of the following Registry key defines the DLL filename for the corresponding print monitor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors
This too can be a launch point used by malware; examples:
http://www.trendmicro.com/vinfo/grayware/v....A&VSect=Td

Reposted from http://gladiator-antivirus.com/forum/index.php?sho...

On Vista:


Introduction

It's a good practice to inspect the startup locations frequently, for better security. This is the first step in detecting a trojan or a virus. As you know, the System Configuration Utility (MSConfig.exe) does not list applications loaded from all possible startup locations. Most other entry points are hidden and unknown to the end user. This article gives a clear picture of the start locations of applications and drivers. Some of the following locations are not applicable to Windows 95/98/ME systems.

Startup locations

HKCU refers to HKEY_CURRENT_USER
HKLM refers to HKEY_LOCAL_MACHINE

HKCU/Software/Microsoft/Windows/CurrentVersion/RunOnce
HKCU/Software/Microsoft/Windows/CurrentVersion/RunServices
HKCU/Software/Microsoft/Windows/CurrentVersion/RunServicesOnce
HKCU/Software/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
HKCU/Software/Microsoft/Windows/CurrentVersion/Run
HKCU/Software/Microsoft/Windows NT/CurrentVersion/Windows (in the right pane, the values named "Run" and "Load")
HKLM/Software/Microsoft/Windows/CurrentVersion/Run
HKLM/Software/Microsoft/Windows/CurrentVersion/RunServices
HKLM/Software/Microsoft/Windows/CurrentVersion/RunServicesOnce
HKLM/Software/Microsoft/Windows/CurrentVersion/RunOnce
HKLM/Software/Microsoft/Windows/CurrentVersion/RunOnceEx
HKLM/Software/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
HKLM/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/Userinit
C:/Documents and Settings/All Users/Start Menu/Programs/Startup
C:/Documents and Settings/{Username}/Start Menu/Programs/Startup

Note: Items marked in blue are those which MSCONFIG can manage.
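The following script is an added example and is not code from the article or from either of the sites it is reposted from. It walks the launch points named in both parts of this page (the Run keys, Winlogon\Userinit and the Startup list above, plus the App Paths, MountPoints2 and Print Monitors keys described earlier), resolves each entry's launch target and reports entries whose target is missing, lives outside Windows or Program Files, or (for App Paths) is named after one program but points at another. It assumes Windows Vista or later with PowerShell 3 or newer and administrator rights; the function and variable names are the example's own.

```powershell
# Added example (not the article's or either source site's code): read-only audit of the launch
# points listed above. Assumes Windows Vista+ with PowerShell 3+, run as administrator.
$Wrappers = '^(wscript|cscript|rundll32|mshta|cmd|powershell)(\.exe)?$'   # hosts whose payload is the 1st argument
function Get-LaunchTarget {
    param([string]$Command)
    $tok = @([regex]::Matches($Command, '"[^"]+"|\S+') | ForEach-Object { $_.Value.Trim('"', ',') })
    if (-not $tok) { return $null }
    $first = if ((Split-Path $tok[0] -Leaf) -match $Wrappers -and $tok.Count -gt 1) { ($tok[1] -split ',')[0] } else { $tok[0] }
    $first = [Environment]::ExpandEnvironmentVariables($first)
    if (Test-Path -LiteralPath $first -PathType Leaf) { return (Resolve-Path -LiteralPath $first).Path }
    $app = Get-Command $first -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($app) { return $app.Path }   # bare names such as "wscript.exe" resolve through PATH
    return $null
}
# Flag an entry whose target is missing or lives outside Windows / Program Files.
function New-Finding {
    param([string]$Location, [string]$Name, [string]$Command)
    $target  = Get-LaunchTarget $Command
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $ok   = $target -and ($trusted | Where-Object { $target.StartsWith($_, 'OrdinalIgnoreCase') })
    $flag = if (-not $target) { 'TARGET MISSING' } elseif (-not $ok) { 'OUTSIDE TRUSTED DIRS' } else { '' }
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command; Target = $target; Flag = $flag }
}
function Get-AutostartAudit {
    $cv = 'Software\Microsoft\Windows\CurrentVersion'
    foreach ($key in "HKCU:\$cv\Run", "HKLM:\$cv\Run", "HKLM:\$cv\RunOnce", "HKLM:\$cv\Policies\Explorer\Run") {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty $key).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { New-Finding $key $_.Name ([string]$_.Value) }
    }
    # Userinit is comma-separated; malware usually appends itself rather than replacing userinit.exe.
    $ui = (Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon").Userinit
    foreach ($part in ($ui -split ',' | Where-Object { $_.Trim() })) { New-Finding 'Winlogon' 'Userinit' $part.Trim() }
    # App Paths: the subkey is named after an executable and its default value should end in that name.
    foreach ($k in Get-ChildItem "HKLM:\$cv\App Paths") {
        $d = (Get-ItemProperty $k.PSPath).'(default)'; if (-not $d) { continue }
        $f = New-Finding "App Paths\$($k.PSChildName)" '(default)' $d
        if (-not $f.Flag -and $f.Target -notlike "*\$($k.PSChildName)") { $f.Flag = 'NAME MISMATCH' }
        $f
    }
    # MountPoints2: per-volume shell verbs (AutoRun/open/explore) each carry a 'command' subkey.
    Get-ChildItem "HKCU:\$cv\Explorer\MountPoints2" -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' } |
        ForEach-Object { New-Finding $_.Name '(default)' ((Get-ItemProperty $_.PSPath).'(default)') }
    # Print monitors: the 'Driver' value names a DLL (bare file name) the spooler loads from System32.
    foreach ($m in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors') {
        $dll = (Get-ItemProperty $m.PSPath).Driver; if ($dll) { New-Finding "Print\Monitors\$($m.PSChildName)" 'Driver' (Join-Path "$env:SystemRoot\System32" $dll) }
    }
}
Get-AutostartAudit | Where-Object { $_.Flag } | Format-Table Location, Name, Flag, Command -AutoSize
```

A flagged entry is only a prompt for a manual look (legitimate software installs outside Program Files too); compare any hit against the Autoruns output recommended below before changing anything.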

Advanced stuff - additional Windows Startup launch-points

Silentrunners.org covers many more startup launch-points. It is possible that malware is present in any of the locations described. Additionally, it's worth verifying the contents of the ShellExecuteHooks key here:

HKEY_LOCAL_MACHINE / Software / Microsoft / Windows / CurrentVersion / Explorer / ShellExecuteHooks

Inspecting all the keys manually may be a tiring task. Your best bet is to use third-party software to inspect the startup. Though there are many freeware utilities which can track/log the startup entries, the following tool is very impressive.


Autoruns - This utility covers most of the start locations. Recent versions of this product also allow you to edit the startup for other user profiles (Windows 2000/XP). This is my personal favorite.

Additionally, you can enable or disable certain shell extensions, Browser Helper Objects, other Internet Explorer add-ons, drivers, Winsock providers etc.

Caution: Don't delete or disable the entry named Userinit, as you will be unable to log on to Windows.

Related Microsoft Knowledgebase articles

A Definition of the Run Keys in the Windows XP Registry

INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
Definition of the RunOnce Keys in the Registry

Kernel Mode components

[HKLM/SYSTEM/CurrentControlSet/Control/Session Manager/Subsystems] contains a list of available subsystems.

[HKLM/SYSTEM/CurrentControlSet/Services/servicename]. The Service Control Manager initializes services that the Start entry designates as Auto-load.

If a driver/service prevents you from starting Windows, load the Recovery Console and use the listsvc command. This lists all the services/drivers. To disable a service/driver, use the disable command in the Recovery Console.

View and manage Windows XP Services and Drivers

The ServiWin utility displays the list of installed drivers and services on your system. For some of them, additional useful information is displayed: file description, version, product name, company that created the driver file, and more. In addition, ServiWin allows you to easily stop, start, restart, pause, and continue a service or driver, change the startup type of a service or driver (automatic, manual, disabled, boot or system), save the list of services and drivers to a file, or view an HTML report of installed services/drivers in your default browser.

  • To view Services list, click the View menu and choose Services [F8 key]

  • To view Drivers list, click the View menu and choose Drivers [F7 key]

  • To find out the list of third-party drivers, sort the column named Company

You may also use the DriverQuery command built into Windows XP to view the list of all the device drivers installed on your system. You can redirect the list to a file for troubleshooting purposes. Type driverquery /? at the Command Prompt for more information:

Usage / Examples

DRIVERQUERY /SI  [This lists the drivers signing status, whether Signed or Unsigned]
DRIVERQUERY /V   [ Generates a detailed report ]
DRIVERQUERY       [ Lists all device drivers ]
To redirect the output to a file, use:

DRIVERQUERY /SI  >C:/driverslist.txt

Reposted from http://windowsxp.mvps.org/Startup.htm
