KVK Consultancy - Program Startup Location in the Registry and beyond

Startup Locations Guide

In the Registry (Background) :

The following list contains most of the 'popular' virus startup locations. It is to be noted that just because something appears under any of these locations that does not make it a virus, in order to be able to identify the good from the bad you idealy need to have an idea of the programs your running and of the default programs XP installs. The full list of possible locations could be massive. I leave this (for now) down to the individual to discover for themselves (NOTE: Registry Manager can assist with identifying 'good' and 'bad' programs, right clicking on a file reference held in the registry and select 'Files'->'Properties' (if you do not have a 'files' option then either the file(s) specified cannot be found). From the properties dialog you can inspect the 'claimed' manufacturer of the component. If the component does not specify a manufacturer (see Version tab) or its manufacturer is not one you would expect to have installed an application on your system you might consider removing the item).

Under HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER:

\SOFTWARE\Microsoft\Windows\CurrentVersion\Run		* (various) Any value data under any of these key paths will be run at least once on startup
\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects		<GUID>
The now imfamous Browser Helper Objects (BHO). This application launch location was intended to provide for third party helper applications extensions for the Windows Explorer shell. Sadly, like all Virus entry points, the virus programmer has abused a feature of Microsoft Windows software that was ripe to provide for more competitive Windows products.		The GUID sub-key found here refers to a COM automation or .dll server registered under HKEY_CLASSES_ROOT.

\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows	AppInit_DLLs	AppInit_DLLs are attatched to any launched application.
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon	UserInit GinaDLL	UserInit is executed just after logon to setup the user environment. GinaDLL specifies a replacement / alternative logon provider.

\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders		CommonStartup or
\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders		Startup

\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon		Various Startup Values

\SOFTWARE\Microsoft\Active Setup\Installed Components\<GUID>		KeyFileName

\SYSTEM\CurrentControlSet\Services\<Services>
There are many legitimate services so it takes good knowlegability to identify Spyware/Mal-ware here. Another common load location for malware is through VxD's specified under the VxD service.

\SYSTEM\CurrentControlSet\Services\VXD\JAVASUP		StaticVxD

\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters :		DataBasePath

\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters
Any value under here can be set to start automatically, use the 'Services Manager' and the 'Device Manager' to manage these items more efficiently.

\SYSTEM\CurrentControlSet\Control\Session Manager		BootExecute
This value specifies what files will run BEFORE windows loads and AFTER the kernel has initilised. Mal-Ware and Viruses executing from this location may have unrecoverably compromised your system, mearly removing the reference may not fix the problem.

\SYSTEM\CurrentControlSet\Control\Lsa		Notification Packages, Security Packages
The LSA or Local Security Authority is a key element to Windows NT security. Windows NT security was designed to be extensible. The Notification Packages and Security Packages are loaded to extend the logon and system security.

Under HKEY_CLASSES_ROOT (which is an alias of HKEY_LOCAL_MACHINE\Classes Key) :

\<type>	\shell\open\command			The shell\open\command sub-key of keys under HKEY_CLASSES_ROOT defines the application that will be launched when a particular type of file is double-clicked from the shell. This even includes executable files, folders, batch files and other critical file types. In more general terms, the shell will look up file extension under HKEY_CLASSES_ROOT. If the shell finds a matching sub-key (e.g. .reg) then it looks at the (Default Value) date under this sub-key and performs a lookup for a sub-key of that name (again under HKEY_CLASSES_ROOT). The shell then uses various values under this location to determin how it will deal with the file type.
types:\scrfile, \exefile, \comfile, \batfile, \htafile, \piffile, \cmdfile, \file, \batfile, \dllfile

\Protocols\Filter\		<MIME>	CLSID	MIME type filter. MIME stands for Multi-purpose Internet Mail Extension. When email is sent it can be encoded in various ways, the type of encoding used is stored with the mail so it can be properly decoded. The simplest encoding is text/plain which is plain ASCII encoding. Each encoding type can be passed through a custom filter for third-party decoding or extended coding. The sub-keys under \Protocols\Filter\ are MIME names under each name is a CLSID entry which defines the COM object or DLL that will process the encoded file.
MIME: text/plain, application/octet-stream

References:

Microsoft Windows Startup Phases on x86 PC's

Return to Latest Links