Przemysław Łukawski's blog » Windows Explorer http://p-lider.lideve.eu/wordpress Solutions for IT technical problems admins and developers may face with. Tue, 23 Sep 2014 18:29:49 +0000 en-US hourly 1 https://wordpress.org/?v=4.2.22 Windows registry autorun locations http://p-lider.lideve.eu/wordpress/?p=159 http://p-lider.lideve.eu/wordpress/?p=159#comments Sun, 17 Nov 2013 12:14:46 +0000 http://p-lider.lideve.eu/wordpress/?p=159 Many times people ask me to check their computers for malware or for the reason it is working slow. The first thing I do is to check all programs that automatically start with windows. Normally I remember 4 or 5 locations in registry where to look for such programs and almost all the time I must search the internet for another ones. That made me to write this post, which will allow me to always have the full (or almost full) list about the registry locations for auto startup purpose in one place.

In the below table I described all of the registry locations I know which programs are using to start automatically with Windows:

No.

Registry Location (blue ones are present in 64bit OS only)

Description

1

HKML\Software\Microsoft\Windows\CurrentVersion\Run\

HKML\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\

All values
under this key are executed when any user logs in.

2

HKML\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKML\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\

All values
under this key are executed when any user logs in. After execution
the values are being deleted.

3

HKML\Software\Microsoft\Windows\CurrentVersion\RunServices\

HKML\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\

All values
under this key are executed as services when any user logs in.

4

HKML\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\

HKML\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\

All values
under this key are executed as services when any user logs in.
After execution the values are being deleted.

5

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

All values
under this key are executed when current user logs in.

6

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

All values
under this key are executed when current user logs in. After
execution the values are being deleted.

7

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\

Used only by
setup. A progress bar is being displayed.

8

HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\

Same as 5 but
applies to LOCAL SYSTEM user only.

9

HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\

Same as 6 but
applies to LOCAL SYSTEM user only.

10

HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\

Shell”
and „Userinit” values contain file names separated
with comma which are executed when any user logs in.

11

HKCU\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\

Shell”
and „Userinit” values contain file names separated
with comma which are executed when current user logs in.

12

HKLM\Software\Microsoft\Active
Setup\Installed Components\

HKLM\Software\Wow6432Node\Microsoft\Active
Setup\Installed Components\

All subkeys
are evaluated for execution when any user logs in. The “StubPath”
value under each subkey describes the program being run.

13

HKCU\Control
Panel\Desktop

SCRNSAVE.EXE”
value is executed when screen saver is being displayed for current
user.

14

HKLM\System\CurrentControlSet\Control\Session
Manager\

The
„BootExecute” value is being executed at boot time.

15

HKLM\System\Control\WOW\cmdline

Value is
executed when 16 bit application is being run for all users.

16

HKLM\System\Control\WOW\wowcmdline

Value is
executed when 16 bit DOS application is being run for all users.

17

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ ShellServiceObjectDelayLoad\

Values
contains GUID for COM library which is being run after explorer
finished loading.

18

HKCU\Software\Microsoft\Windows
NT\CurrentVersion\Windows\

The „run”
and „load” values are executed when current user logs
in.

19

HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Windows\AppInit_DLLs

HKLM\Software\Wow6432Node\Microsoft\Windows
NT\CurrentVersion\Windows\AppInit_DLLs

AppInit_DLLs
value contains dll file names separated with comma which are being
loaded into every process being run in the system.

IMPORTANT:
Very dangerous entry used by many malware programs.

20

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

Same as 5.
Normally values are named here as numbers starting from „1”.

21

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

Same as 1.
Normally values are named here as numbers starting from „1”.

Some information in the above table has been taken from this forum: Registry AutoStart Locations

]]> http://p-lider.lideve.eu/wordpress/?feed=rss2&p=159 0 Double clicking the disks icons opens search window instead of their contents http://p-lider.lideve.eu/wordpress/?p=87 http://p-lider.lideve.eu/wordpress/?p=87#comments Mon, 06 Sep 2010 08:10:25 +0000 http://p-lider.rootnode.net/wordpress/?p=87 If the default action for disk drives in “My Computer” window is “Search” instead of “Open” and you cannot change this behavior using “File Types” tab in “Folder Options” then you must set the default value for HKCR\Drive\Shell registry key to none and restart the explorer.exe process.

Mentioned problem sometimes arises after some malware installation – the disinfection not always repairs that problem automatically.

]]> http://p-lider.lideve.eu/wordpress/?feed=rss2&p=87 0