Windows registry autorun locations

Operating Systems, Windows 7, Windows 8, Windows Explorer, Windows Server 2003, Windows Server 2008 and 2008 R2, Windows XP | Posted by p_lider November 17th, 2013

Many times people ask me to check their computers for malware, or for the reason they are working slowly. The first thing I do is check all programs that start automatically with Windows. Normally I remember 4 or 5 locations in the registry where to look for such programs, and almost every time I have to search the internet for the other ones. That made me write this post, which will allow me to always have the full (or almost full) list of registry locations used for auto startup in one place.

The table below lists all of the registry locations I know of which programs use to start automatically with Windows:

Locations marked (64-bit only) exist only on 64-bit Windows; the Wow6432Node key holds the 32-bit view of the same branch.

1.  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ (64-bit only)
    All values under this key are executed when any user logs in.

2.  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ (64-bit only)
    All values under this key are executed when any user logs in. After execution the values are deleted.

3.  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\ (64-bit only)
    All values under this key are executed as services when any user logs in.

4.  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\ (64-bit only)
    All values under this key are executed as services when any user logs in. After execution the values are deleted.

5.  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    All values under this key are executed when the current user logs in.

6.  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    All values under this key are executed when the current user logs in. After execution the values are deleted.

7.  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
    Used only by setup. A progress bar is displayed.

8.  HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\
    Same as 5, but applies to the LOCAL SYSTEM user only.

9.  HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    Same as 6, but applies to the LOCAL SYSTEM user only.

10. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    The "Shell" and "Userinit" values contain file names, separated with commas, which are executed when any user logs in.

11. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    The "Shell" and "Userinit" values contain file names, separated with commas, which are executed when the current user logs in.

12. HKLM\Software\Microsoft\Active Setup\Installed Components\
    HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\ (64-bit only)
    All subkeys are evaluated for execution when any user logs in. The "StubPath" value under each subkey describes the program being run.

13. HKCU\Control Panel\Desktop
    The "SCRNSAVE.EXE" value is executed when the screen saver is displayed for the current user.

14. HKLM\System\CurrentControlSet\Control\Session Manager\
    The "BootExecute" value is executed at boot time.

15. HKLM\System\Control\WOW\cmdline
    The value is executed when a 16-bit application is run, for all users.

16. HKLM\System\Control\WOW\wowcmdline
    The value is executed when a 16-bit DOS application is run, for all users.

17. HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ (64-bit only)
    Each value contains the GUID of a COM library which is run after Explorer has finished loading.

18. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    The "run" and "load" values are executed when the current user logs in.

19. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (64-bit only)
    The "AppInit_DLLs" value contains DLL file names, separated with commas, which are loaded into every process run in the system.
    IMPORTANT: Very dangerous entry used by many malware programs.

20. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
    Same as 5. Normally the values here are named as numbers starting from "1".

21. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
    Same as 1. Normally the values here are named as numbers starting from "1".

Some information in the above table has been taken from this forum: Registry AutoStart Locations
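As an added example, not part of the original post, the PowerShell script below walks the locations from the table and lists every populated value so that unexpected entries can be reviewed in one pass. The function names Get-AutorunValues and Get-ActiveSetupStubs are made up for this example. It reads the WOW "cmdline"/"wowcmdline" values under CurrentControlSet\Control\WOW, where that key lives on NT-based systems, and alongside AppInit_DLLs it also reads the LoadAppInit_DLLs value, which controls whether AppInit_DLLs is honoured at all. The "Suspect" column is a heuristic added here (entries launched from user-writable directories), not anything Windows itself reports.

```powershell
# Added example: read-only triage of the autorun locations listed in the table.
# Run from an elevated PowerShell so that HKU\.DEFAULT is readable.

# HKU is not mapped as a drive by default; map it so HKU\.DEFAULT can be read.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-AutorunValues {
    # Emits one object per populated value under $Path. With -Names only those
    # values are read; without it every value under the key (the Run/RunOnce case).
    param([string]$Path, [string[]]$Names)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # e.g. Wow6432Node on 32-bit
    $item = Get-Item -LiteralPath $Path
    $list = if ($Names) { $Names } else { $item.GetValueNames() }
    foreach ($n in $list) {
        $data = $item.GetValue($n)
        if ($null -eq $data -or "$data".Trim() -eq '') { continue }
        $label = if ($n -eq '') { '(Default)' } else { $n }
        [pscustomobject]@{
            Key  = $item.Name
            Name = $label
            Data = ($data -join ' | ')     # BootExecute is REG_MULTI_SZ
        }
    }
}

function Get-ActiveSetupStubs {
    # Table entry 12: the StubPath value of every subkey is a program run at logon.
    foreach ($root in 'HKLM:\Software\Microsoft\Active Setup\Installed Components',
                      'HKLM:\Software\Wow6432Node\Microsoft\Active Setup\Installed Components') {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            $stub = $sub.GetValue('StubPath')
            if ($stub) {
                [pscustomobject]@{ Key = $sub.Name; Name = 'StubPath'; Data = $stub }
            }
        }
    }
}

# Keys where every value is an autorun entry (table entries 1-9, 17, 20, 21).
$wholeKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Keys where only specific named values matter (entries 10, 11, 13-16, 18, 19).
$namedValues = @(
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = 'Shell', 'Userinit' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Names = 'Shell', 'Userinit' }
    @{ Path = 'HKCU:\Control Panel\Desktop';                                Names = 'SCRNSAVE.EXE' }
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\Session Manager';     Names = 'BootExecute' }
    @{ Path = 'HKLM:\System\CurrentControlSet\Control\WOW';                 Names = 'cmdline', 'wowcmdline' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Names = 'run', 'load' }
    # LoadAppInit_DLLs (REG_DWORD) gates whether AppInit_DLLs is loaded at all.
    @{ Path = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows';             Names = 'AppInit_DLLs', 'LoadAppInit_DLLs' }
    @{ Path = 'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'; Names = 'AppInit_DLLs', 'LoadAppInit_DLLs' }
)

$entries = @(
    foreach ($k in $wholeKeys)    { Get-AutorunValues -Path $k }
    foreach ($nv in $namedValues) { Get-AutorunValues @nv }
    Get-ActiveSetupStubs
)

# Heuristic added in this example: autoruns launched from user-writable locations
# deserve a closer look. Legitimate updaters live there too, so treat a hit as a
# prompt for review, not a verdict.
$userWritable = '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\'
$entries |
    Select-Object Key, Name, Data, @{ n = 'Suspect'; e = { [bool]($_.Data -match $userWritable) } } |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize -Wrap
```

Keys that do not exist on the machine (the Wow6432Node branch on 32-bit Windows, the WOW key on 64-bit Windows) are skipped silently, so the same script runs unchanged on both. Compare the output against a known-good machine of the same build; the interesting lines are usually the ones that differ.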