Source: http://www.greatis.com/security/registrytracer.htm
List of the registry keys monitored by default.
- HKEY_CURRENT_USER/Control Panel/Desktop
  Value: SCRNSAVE.EXE
  Type: REG_SZ
  Description: Screen saver program. If no screen saver is specified, the value may not exist.

- HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Code Store Database/Distribution Units
  Description: Internet software distribution units are packages consisting of a cabinet file (.cab) that contains an INF file and/or an Open Software Description (OSD) file, with or without a software component. One or more distribution units may be needed to distribute a single software component.
  The software provider or Web master can create distribution units that, when placed on your Web server, enable the Microsoft Internet Explorer Internet Component Download services to pull down and install software on users' computers.

- HKEY_CURRENT_USER/Software/Microsoft/Internet Explorer/Main
  Value: Start Page
  Type: REG_SZ
  Description: Internet Explorer start page.

- HKEY_CURRENT_USER/Software/Microsoft/Internet Explorer/Styles
  Description: A user can set his/her own style sheet file for Internet Explorer.
  Value: User Stylesheet
  Type: REG_SZ
  Default: empty. Contains the full path to the user's style sheet file.
  Value: Use My Stylesheet
  Type: REG_DWORD
  Default: 1 - use the user style sheet; 0 - do not use it.

- HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/IniFileMapping/system.ini
  Description: System.ini is not used in Windows NT4/2000/XP. This key is used to map INI file sections to registry keys.

- HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/IniFileMapping/win.ini
  Description: Win.ini is not used in Windows NT4/2000/XP. This key is used to map INI file sections to registry keys.

- HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/SvcHost
  Description: Svchost.exe is a generic host process name for services that run from dynamic-link libraries (DLLs). The Svchost.exe file is located in the %SystemRoot%/System32 folder. At startup, Svchost.exe checks the services portion of the registry to construct the list of services it needs to load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services, so that separate services can be run depending on how and where Svchost.exe is started. This allows for better control and debugging.

- HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows
  Value: AppInit_DLLs
  Type: REG_SZ
  Description: All of the DLLs specified in the AppInit_DLLs value are loaded by each Windows-based application running within the current logon session. Only the first 32 characters of the AppInit_DLLs value are picked up by the system.
  Default: empty.

- HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon
  Value: System
  Type: REG_SZ
  Description: The programs listed in this value launch in the protected system context. This value does not appear to be used by Winlogon at present.

- HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon
  Value: TaskMan
  Type: REG_SZ
  Description: Specifies the task manager that the system uses during logon. It does not exist by default.

- HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon
  Value: UserInit
  Type: REG_SZ

- HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon
  Value: VMApplet
  Type: REG_SZ
  Description: Specifies programs that Winlogon runs for the user so that the user can adjust the virtual memory configuration when there is no paging file on the system volume. These programs run only when the system volume does not include a paging file.

- HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/Notify
  Description: Winlogon loads any notification packages listed in this key. Each package has its own subkey under the Notify key; its DllName value (REG_EXPAND_SZ) contains the DLL file name.

- HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/explorer/Browser Helper Objects
  Description: Browser Helper Objects are COM components that Internet Explorer loads each time it starts. For example, a BHO can observe all browser events, access and modify the browser's menu and toolbar, create windows to display additional information, etc. There are no default objects.

- HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Explorer/SharedTaskScheduler
  Description: The key contains the list of GUIDs automatically loaded by Explorer.
  Type of values: REG_SZ
  Value name: GUID of the COM object.
  Value data: description.
  Default for Windows XP:
    {438755C2-A8BA-11D1-B96B-00A0C90312E1} (Browseui)
    {8C7461EF-2B13-11d2-BE35-3078302C2030} (Cache daemon)

- HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/Shell Folders
  Value: Startup
  Type: REG_SZ
  Description: Location of the user startup folder.

- HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/explorer/ShellExecuteHooks
  Description: The ShellExecuteHooks registry key contains the list of COM objects that trap execute commands. Each object is identified by its GUID. By default the shell32.dll entry is present; if its GUID "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" is missing, it is not fatal and your computer will still work.

- HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/User Shell Folders
  Description: Location of the user folders. This key takes priority over the "Shell Folders" key.

- HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System
  Description: The System subkey stores the entries created when you configure a Group Policy that affects a basic component of Windows. Group Policy creates and maintains the entries in this subkey, and the component program reads and interprets them.

- HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Policies/System
  Description: The System subkey stores the entries created when you configure a Group Policy that affects a basic component of Windows. Group Policy creates and maintains the entries in this subkey, and the component program reads and interprets them. This subkey stores policy-related entries that are configured separately for each user. There is also a Software/Microsoft/Windows/CurrentVersion/Policies/System subkey in HKEY_LOCAL_MACHINE that stores entries applying to all users of this computer.

- HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/ShellServiceObjectDelayLoad
  Description: The ShellServiceObjectDelayLoad key is used to automatically load DLLs required by Explorer. This key is also used by the new generation of viruses. Usually this key contains the CDBurn, PostBootReminder, SysTray and WebCheck items, but these items are not required for normal operation.

- HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Session Manager
  Value: BootExecute
  Type: REG_MULTI_SZ
  Description: BootExecute lists programs to execute during the kernel phase of boot. Usually it is used to check disks. Default: autocheck autochk *.

- HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/WinSock2
  Description: WinSock2 LSP stack.
Note!
The following are some predefined registry keys.
- HKLM/Software/Microsoft/Windows/CurrentVersion/RunEx
- HKLM/Software/Microsoft/Windows/CurrentVersion/Run
- HKCU/Software/Microsoft/Windows/CurrentVersion/Run
- HKLM/Software/Microsoft/Windows/CurrentVersion/RunOnceEx
- HKLM/Software/Microsoft/Windows/CurrentVersion/RunOnce
- HKCU/Software/Microsoft/Windows/CurrentVersion/RunOnce
- HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon
  Values: Shell, Run, Load
- HKLM/Software/Microsoft/Active Setup/Installed Components
There is no reason to trace these keys using Registry Tracer again.
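The monitoring this list describes can be reproduced as a quick baseline-and-diff check of the autostart locations above; the PowerShell below is an added example, not Registry Tracer's own code, and the baseline file path it uses is an assumption (run it elevated so the HKLM keys are fully readable).

```powershell
# Added example (not Registry Tracer's code): snapshot the autostart keys listed
# above and report what changed since a saved baseline. Baseline path is assumed.
param([string]$BaselinePath = "$env:ProgramData\asep-baseline.json")
# A subset of the keys from the list above, in PowerShell provider notation.
$Keys = @(
    'HKCU:\Control Panel\Desktop',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AsepSnapshot {
    # Map "key::valuename" -> data for each key and its immediate subkeys (Notify, BHO layouts).
    $snap = @{}
    foreach ($k in $Keys) {
        $paths = @($k) + @(Get-ChildItem -LiteralPath $k -ErrorAction SilentlyContinue |
                           ForEach-Object { $_.PSPath })
        foreach ($p in $paths) {
            $item = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
            if (-not $item) { continue }
            foreach ($name in $item.GetValueNames()) {
                # Keep %VAR% unexpanded so a changed path is not masked by expansion.
                $data = $item.GetValue($name, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                $snap["$($item.Name)::$name"] = [string]($data -join ';')
            }
        }
    }
    return $snap
}

$current = Get-AsepSnapshot
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
    Write-Output "Baseline written to $BaselinePath"; return
}
$baseline = @{}
(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }
# Report values that appeared, disappeared or changed since the baseline.
foreach ($id in (@($current.Keys) + @($baseline.Keys) | Sort-Object -Unique)) {
    if (-not $baseline.ContainsKey($id))      { Write-Output "ADDED    $id = $($current[$id])" }
    elseif (-not $current.ContainsKey($id))   { Write-Output "REMOVED  $id = $($baseline[$id])" }
    elseif ($current[$id] -ne $baseline[$id]) { Write-Output "CHANGED  $id : '$($baseline[$id])' -> '$($current[$id])'" }
}
```

The first run writes the baseline and later runs print only differences, so a new BHO GUID, an AppInit_DLLs entry or an extra BootExecute token shows up as an ADDED or CHANGED line.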