HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Run
WINLOGON then checks the following value and executes the program(s) found there:
HKLM / SOFTWARE / Microsoft / Windows NT / CurrentVersion / Winlogon / Userinit
The default is "userinit.exe".
Userinit.exe checks this registry key to see which shell (desktop) to launch:
HKLM / SOFTWARE / Microsoft / Windows NT / CurrentVersion / Winlogon / Shell
This key does not exist by default, and it defaults "explorer.exe".
Once the shell is launched, userinit exits - which is why explorer.exe appears to have no parent process in a session.
Next, the scripts from the following 3 locations are executed concurrently:
i. HKLM / Software / Microsoft / Windows / CurrentVersion / RunOnceEx
The keys exist under this location and have string values under them which are executed - the names of the values themselves are irrelevant, but the keys are processed synchronously in alphabetical order.
The values are removed from the registry immediately on being executed.
ii. User Properties / Profile / Logon Script
In the Profile tab of the properties of the user object in AD, the script referenced in the "Logon script" field is executed.
The default location is %systemroot%\sysvol\sysvol\{domain name}\scripts for any script not explicitly given a path.
iii. Group policy/policies - user configuration
Processes that are to run just once and then be deleted (e.g. installation completion routines) are governed by the registry key:
HKLM / Software / Microsoft / Windows / CurrentVersion / RunOnce
The values under this location are executed synchronously in the order in which they were created.
The values are also removed from the registry immediately on being executed, unless the name begins with a "!" in which case it is removed once the process has completed.
Processes that are common for all users who log onto the local machine are governed by the registry key:
HKLM / Software / Microsoft / Windows / CurrentVersion / Run
The values under this location are executed synchronously in the order in which they were created.
Entries that begin with a "*" are executed even when the machine starts in Safe Mode.
Processes that are specific to the user currently logging on are governed by the registry key:
HKCU / Software / Microsoft / Windows / CurrentVersion / Run
The values under this location are executed synchronously in the order in which they were created.
Entries that begin with a "*" are executed even when the machine starts in Safe Mode.
Finally we get to the Startup folder - the shortcuts in the "All Users" and current user profiles are executed concurrently (Start Menu\Programs\Startup).
"All Users" profile is always on the local machine, but the user profile location can be on a network resource (defined in the user properties) or the local machine.