List of Windows Auto Start Locations

最新推荐文章于 2024-08-08 19:51:42 发布
最新推荐文章于 2024-08-08 19:51:42 发布
阅读量915 收藏
点赞数
文章标签: windows list components methods system shell

This is a list of auto-start locations that malware’s normally use to restart themselves on a system reboot. It was with us since the time we basically started working on malware analysis.

We have tried to find their Windows Vista entries too. Windows 7, we don’t know yet. Now, some might not work on all platforms. They might not work on Windows 98, 95, ME, etc. as they are not Windows NT bases and the NT’s work differently. Some will also work without any registry key manipulation.

We have maintained a few known abbreviations just to shorten the post. They are as follows:
HKLM : HKEY_LOCAL_MACHINE
HKCU : HKEY_CURRENT_USER
HKCR : HKEY_CLASSES_ROOT
%windir% : The Windows Directory. Can be C:/Windows or C:/WINNT or anything, depending on the location, the OS & the customization of the OS!
%USERPROFILE% : Normally is C:/Documents and Settings/, depending on the installation location.
%ALLUSERSPROFILE% : Normally is C:/Documents and Settings/All Users, depending on the installation location.

Please keep in mind that the Windows registry is very sensitive and you should fiddle with it only if you know how to get out of it! We should not be held responsible for any harm coming out of their usage!

Beginning with registry methods:

1. HKLM/System/CurrentControlSet/Control/Terminal Server/Wds/rdpwd/StartupPrograms
2. HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/AppSetup
3. HKLM/Software/Policies/Microsoft/Windows/System/Scripts/Startup
4. HKCU/Software/Policies/Microsoft/Windows/System/Scripts/Logon
5. HKLM/Software/Policies/Microsoft/Windows/System/Scripts/Logon
6. HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/Userinit
7. HKCU/Software/Microsoft/Windows/CurrentVersion/Policies/System/Shell
8. HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/Shell
9. HKLM/Software/Microsoft/Windows/CurrentVersion/Policies/System/Shell
10. HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/Shell
11. HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/Taskman
12. HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/Runonce
13. HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunonceEx
14. HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/Run
15. HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run
16. HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnceEx
17. HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/RunOnce
18. HKCU/Software/Microsoft/Windows NT/CurrentVersion/Windows/Load
19. HKCU/Software/Microsoft/Windows NT/CurrentVersion/Windows/Run
20. HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
21. HKCU/Software/Microsoft/Windows/CurrentVersion/Policies/Explorer/Run
22. HKCU/Software/Microsoft/Windows/CurrentVersion/Run
23. HKCU/Software/Microsoft/Windows/CurrentVersion/RunOnce
24. HKCU/Software/Microsoft/Windows/CurrentVersion/RunOnce/Setup/
25. HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/Runonce
26. HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/RunonceEx
27. HKCU/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Terminal Server/Install/Software/Microsoft/Windows/CurrentVersion/Run
28. HKLM/SOFTWARE/Classes/Protocols/Filter
29. HKLM/SOFTWARE/Classes/Protocols/Handler
30. HKCU/SOFTWARE/Microsoft/Internet Explorer/Desktop/Components
31. HKLM/SOFTWARE/Microsoft/Active Setup/Installed Components
32. HKCU/SOFTWARE/Microsoft/Active Setup/Installed Components
33. HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Explorer/SharedTaskScheduler
34. HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/ShellServiceObjectDelayLoad
35. HKCU/SOFTWARE/Microsoft/Windows/CurrentVersion/ShellServiceObjectDelayLoad
36. HKLM/Software/Microsoft/Windows/CurrentVersion/Explorer/ShellExecuteHooks
37. HKCU/Software/Classes/*/ShellEx/ContextMenuHandlers
38. HKLM/Software/Classes/*/ShellEx/ContextMenuHandlers
39. HKCU/Software/Classes/AllFileSystemObjects/ShellEx/ContextMenuHandlers
40. HKLM/Software/Classes/AllFileSystemObjects/ShellEx/ContextMenuHandlers
41. HKCU/Software/Classes/Folder/ShellEx/ContextMenuHandlers
42. HKLM/Software/Classes/Folder/ShellEx/ContextMenuHandlers
43. HKCU/Software/Classes/Directory/ShellEx/ContextMenuHandlers
44. HKLM/Software/Classes/Directory/ShellEx/ContextMenuHandlers
45. HKCU/Software/Classes/Directory/Background/ShellEx/ContextMenuHandlers
46. HKLM/Software/Classes/Directory/Background/ShellEx/ContextMenuHandlers
47. HKCU/Software/Classes/Folder/Shellex/ColumnHandlers
48. HKLM/Software/Classes/Folder/Shellex/ColumnHandlers
49. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/ShellIconOverlayIdentifiers
50. HKLM/Software/Microsoft/Windows/CurrentVersion/Explorer/ShellIconOverlayIdentifiers
51. HKCU/Software/Microsoft/Ctf/LangBarAddin
52. HKLM/Software/Microsoft/Ctf/LangBarAddin
53. HKCU/Software/Microsoft/Windows/CurrentVersion/Shell Extensions/Approved
54. HKLM/Software/Microsoft/Windows/CurrentVersion/Shell Extensions/Approved
55. HKLM/Software/Microsoft/Windows/CurrentVersion/Explorer/Browser Helper Objects
56. HKCU/Software/Microsoft/Internet Explorer/UrlSearchHooks
57. HKLM/Software/Microsoft/Internet Explorer/Toolbar
58. HKCU/Software/Microsoft/Internet Explorer/Explorer Bars
59. HKLM/Software/Microsoft/Internet Explorer/Explorer Bars
60. HKCU/Software/Microsoft/Internet Explorer/Extensions
61. HKLM/Software/Microsoft/Internet Explorer/Extensions
62. HKLM/System/CurrentControlSet/Services
63. HKLM/System/CurrentControlSet/Services
64. HKLM/System/CurrentControlSet/Control/Session Manager/BootExecute
65. HKLM/System/CurrentControlSet/Control/Session Manager/SetupExecute
66. HKLM/System/CurrentControlSet/Control/Session Manager/Execute
67. HKLM/Software/Microsoft/Windows NT/CurrentVersion/Image File Execution Options
68. HKLM/Software/Microsoft/Command Processor/Autorun
69. HKCU/Software/Microsoft/Command Processor/Autorun
70. HKLM/SOFTWARE/Classes/Exefile/Shell/Open/Command/(Default)
71. HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Windows/Appinit_Dlls
72. HKLM/System/CurrentControlSet/Control/Session Manager/KnownDlls
73. HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/System
74. HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/UIHost
75. HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/Notify
76. HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon/GinaDLL
77. HKCU/Control Panel/Desktop/Scrnsave.exe
78. HKLM/System/CurrentControlSet/Control/BootVerificationProgram/ImagePath
79. HKLM/System/CurrentControlSet/Services/WinSock2/Parameters/Protocol_Catalog9
80. HKLM/SYSTEM/CurrentControlSet/Control/Print/Monitors
81. HKLM/SYSTEM/CurrentControlSet/Control/SecurityProviders/SecurityProviders
82. HKLM/SYSTEM/CurrentControlSet/Control/Lsa/Authentication Packages
83. HKLM/SYSTEM/CurrentControlSet/Control/Lsa/Notification Packages
84. HKLM/SYSTEM/CurrentControlSet/Control/Lsa/Security Packages
85. HKLM/SYSTEM/CurrentControlSet/Control/NetworkProvider/Order
86. HKCU/Software/Microsoft/Windows NT/CurrentVersion/Windows/load
87. HKCR/batfile/shell/open/command @="/"%1/" %*"
88. HKCR/comfile/shell/open/command @="/"%1/" %*"
89. HKCR/exefile/shell/open/command @="/"%1/" %*"
90. HKCR/htafile/Shell/Open/Command @="/"%1/" %*"
91. HKCR/piffile/shell/open/command @="/"%1/" %*"
92. HKLM/Software/Classes/batfile/shell/open/command
93. HKLM/Software/Classes/comfile/shell/open/command
94. HKLM/Software/Classes/exefile/shell/open/command
95. HKLM/Software/Classes/htafile/shell/open/command
96. HKLM/Software/Classes/piffile/shell/open/command
97. HKLM/System/CurrentControlSet/Control/Class/{4D36E96B-E325-11CE-BFC1-08002BE10318}/UpperFilters
98. HKLM/Software/Microsoft/Windows NT/CurrentVersion/Winlogon/VmApplet
99. HKLM/Software/Microsoft/Windows NT/CurrentVersion/InitFileMapping
100. HKLM/Software/Microsoft/Windows NT/CurrentVersion/Aedebug
101. HKLM/Software/Classes/CLSID/{CLSID}/Implemented Categories/{00021493-0000-0000-C000-000000000046}
102. HKLM/Software/Classes/CLSID/{CLSID}/Implemented Categories/{00021494-0000-0000-C000-000000000046}
103. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.bat/Application
104. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.cmd/Application
105. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.com/Application
106. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.exe/Application
107. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.hta/Application
108. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.pif/Application
109. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.scr/Application
110. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.bat/ProgID
111. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.cmd/ProgID
112. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.com/ProgID
113. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.exe/ProgID
114. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.hta/ProgID
115. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.pif/ProgID
116. HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/FileExts/.scr/ProgID
117. HKLM/Software/CLASSES/batfile/shell/open/command @="/"%1/" %*"
118. HKLM/Software/CLASSES/comfile/shell/open/command @="/"%1/" %*"
119. HKLM/Software/CLASSES/exefile/shell/open/command @="/"%1/" %*"
120. HKLM/Software/CLASSES/htafile/Shell/Open/Command @="/"%1/" %*"
121. HKLM/Software/CLASSES/piffile/shell/open/command @="/"%1/" %*"
122. HKCR/vbsfile/shell/open/command/
123. HKCR/vbefile/shell/open/command/
124. HKCR/jsfile/shell/open/command/
125. HKCR/jsefile/shell/open/command/
126. HKCR/wshfile/shell/open/command/
127. HKCR/wsffile/shell/open/command/
128. HKCR/scrfile/shell/open/command/
129. HKLM/Software/Microsoft/Active Setup/Installed Components/KeyName
StubPath=C:/PathToFile/Filename.exe

Now, we will start with folder auto start locations.
%ALLUSERSPROFILE%/Start Menu/Programs/Startup
%USERPROFILE%/Start Menu/Programs/Startup
%windir%/Tasks
%windir%/System32/Tasks - Windows Vista
%ALLUSERSPROFILE%/Microsoft/Windows/Start Menu/Programs/Startup
%USERPROFILE%/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup

In addition to this, there are some more files which when added an entry, will restart the file.
win.ini:
[windows]
load=file.exe

OR

[windows]
run=file.exe

system.ini:
[boot]
Shell=Explorer.exe file.exe

windir/dosstart.bat (Windows 95 or Windows 98 only)
windir/system/autoexec.nt
windir/system/config.nt

cnbird2008
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
autohotkey_如何编写一个AutoHotkey脚本
culintai3473的博客
09-17 2238
autohotkeyAutoHotkey 自动热键 AutoHotkey is a fantastic but complicated piece of software. It was initially intended to rebind custom hotkeys to different actions but is now a full Windows automation suit...
获取Windows 10上文件资源管理器的帮助
热门推荐
09-18 2万+
Windows 10 no longer has built-in help for File Explorer, as Windows 7 does. Microsoft makes you search the web for information, so here’s what you need to know about using Windows 10’s file manager. ...
Windows Program Automatic Startup Locations
xymyeah
12-05 1171
Many programs that you install are automatically run when you start your computer and load Windows. For the majority of cases, this type of behavior is fine. Unfortunately, there are programs that a
使用 Windows Sysinternals 工具进行故障排除
鹿鸣天涯
02-24 685
Sysinternals 网站由Mark Russinovich于 1996 年创建,用于托管他的高级系统实用程序和技术信息。无论您是 IT 专业人员还是开发人员,您都可以找到 Sysinternals 实用程序来帮助您管理、排除故障和诊断您的 Windows 系统和应用程序。 阅读 Sysinternals 工具的官方指南,使用 Windows Sysinternals 工具进行故障排除 阅读Sysinternals 博客以获取工具更新的详细更改源 在 YouTube 上观看 Mark 的Sysin
List of all Oracle Server Parameters
IS2120
05-11 1261
<!-- .sty_new {color:#009900; font-weight:bold} .sty_old {color:#888888; font-weight:bold} .sty_static_new {color:#009900} --> List of all Oracle Server Parameters for Oracle 9i
解决supervisor报错:entered FATAL state, too many start retries too quickly
地理信息系统、摄影测量与遥感、人工智能
05-22 2万+
报错日志显示:entered FATAL state, too many start retries too quickly 解决方法:因为配置文件的默认用户是root,而容器限制了启动用户为ocpuser,故检查配置文件中的用户是否是ocpuser,若不是则改为ocpuser ......
遇见 mysql Expression #1 of SELECT list is not in GROUP BY clause and contains nonaggre 问题
Tz.的博客
07-08 4149
这是因为mysql5.7及以上版本的mysql中,对于 group by 的这种聚合操作,如果在select 中的列, 没有在group by 中出现,那么这个SQL是不合法的,因为列不在group by的从句中,所以对于设置了这个mode的数据库,在使用group by 的时候,就要用MAX(),SUM(),ANT_VALUE()的这种聚合函数,才能完成GROUP BY 的聚合操作。 查询以后发现是因为only_full_group_by设置的原因,下边我们将其进行关闭: 1. 第一种的解决办法是.
Windows下搭建EFK实例
Ray
02-21 898
注意如果显示执行脚本未签名,更新windows ExecutionPolicy为RemoteSigned,执行指令Set-ExecutionPolicy RemoteSigned。更新filebeat.yml: 命令行执行 install-service-filebeat.ps1 把filebeat安装为windows服务,在service中搜索。elastic执行:命令行到解压后的bin文件夹 ./elasticsearch。kibana: 命令行到解压后的bin文件夹 ./kibana.bat。
解决MySQL报错Expression #1 of SELECT list is not in GROUP BY clause and contains nonag...
Jitwxs
02-25 4698
一、问题描述 运行 sql 后报错: Expression #1 of SELECT list is not in GROUP BY clause and contains nonaggregated column ‘day_offset’ which is not functionally dependent on columns in GROUP BY clause; this is in...
Distribution of Codon Locations in DNA Sequence
02-19
密码子在DNA序列中的位置的分布,吴小霞,,本文在DNA序列分析中引入了m阶平稳的马氏链来研究遗传密码子的位置分布。其中参数的估计通过最大似然估计获得,对于相同密码子之�
Stock Transfer between Storage Locations of the Same Plant
05-31
在SAP系统中,"Stock Transfer between Storage Locations of the Same Plant"是一个关键的物流操作,用于在同一工厂内的不同存储地点之间转移库存。这个功能对于那些拥有多个存储区域,例如批量存储和销售发货存储...
Learning Time-Aware Distributed Representations of Locations from Spatio-Temporal Trajectories
02-08
Learning Time-Aware Distributed Representations of Locations from Spatio-Temporal Trajectories
applocale_Windows编程_Different_
10-02
描述中的“For starting programs at different locations”可能指的是在不同的路径或者环境上下文中启动程序。在Windows中,程序的执行可能受到当前用户环境变量、注册表设置、系统路径等因素的影响。开发者需要...
ipfs-locations:JavaScript中的IPFS位置轮询器
02-03
$ npm install --save ipfs-locations 浏览器:Browserify,Webpack,其他捆绑软件 实际上,发布到npm并需要加载的代码是ES5转译版本,其中添加了正确的垫片。 这意味着您可以要求它并与您喜欢的捆绑器一起使用,而...
python运维(twenty-four day)
m0_75005437的博客
08-08 874
最终在计算是在python内存中计算的,必须要有指定内存空间保存数据,这些内存空间其实就是变量;{"name":"小江","age":"39","gender":"male"}[]中的每个()中都是2个值,一个是key,一个是value自动解析为一个字典了。字典中的每个k-v组成元组,这些元组组成一个新个列表。也可以从dict中提取,也可以将列表直接转成元组。list()可以把dict的key生成一个列表。元组不可以修改,但是可以查看;字典中的value组成的列表。创建空元组,创建有初始值的元组。
最近在写的支付模块
weixin_67865831的博客
08-08 737
redis监听器 订单模块
Python3安装
十四的博客
08-08 397
'zhangsan', 'mm', '李四', '玉兰', 'tom']['zhangsan', 'mm', 'mm', '李四', '玉兰', 'tom']>>> lista=["zhangsan","李四","玉兰"]11. [ ] :列表,{ } :字典,():元组。['zhangsan', '李四', '玉兰']1、不能修改,只能查看。1.安装Python3。4.登录Python3。
8.8-配置python3环境+python语法的使用
最新发布
qq_70752758的博客
08-08 940
功能指令说明创建列表[ ]符号本身就是列表list(元组)将元组转成列表list(字典)提取字典的key转成列表字典.keys()字典中的key返回一个列表字典.values()字典中的value组成列表字典.Items()字典中的每个键值对组成员组,每个元组组成一个新的列表修改列表在索引值为index的元素之前添加一个元素在所有元素之后添加一个元素将索引为index元素的值修改为valueL.pop()删除最后一个元素del L释放L内存查看列表L。
pip is configured with locations that require TLS/SSL windows
09-06
当在Windows系统中使用pip时,如果出现"WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available."的警告信息,这意味着Python中的ssl模块不可用。...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值