Windows Auto Start Locations

Hi Folks,
this weekend I've been involved in an interesting Windows forensic analysis. There are lots of forensic analysis tools around (just ask Google for a couple), but in some scenarios, for example when you cannot shut the machine down, you may have trouble installing new security tools because some malware makes it impossible.
In these and other situations it is still useful to know where the auto-start locations are in Windows XP and Windows Vista (I don't know Windows 7 yet, and on older Windows versions these locations might differ).
Reading different blogs, forums and some good books, I learned some interesting places to look for malware and viruses, and today I want to point out these places, where the investigator should look. I don't think the following list is complete, but anyway... stay tuned for more updates.

Some useful variables to make the list shorter:
HKLM : HKEY_LOCAL_MACHINE
HKCU : HKEY_CURRENT_USER
HKCR : HKEY_CLASSES_ROOT
%windir% : the Windows directory. Can be C:\Windows, C:\WINNT or anything else, depending on the install location, the OS and how the OS was customized.
%USERPROFILE% : normally under C:\Documents and Settings, depending on the installation location.
%ALLUSERSPROFILE% : normally C:\Documents and Settings\All Users, depending on the installation location.



Registry locations:
1. HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
2. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
3. HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
4. HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
5. HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
6. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
7. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
8. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
9. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
10. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
11. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
12. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
13. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
14. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
15. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
16. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
17. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
18. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
19. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
20. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
21. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
22. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
23. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
24. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
25. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
26. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
27. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
28. HKLM\SOFTWARE\Classes\Protocols\Filter
29. HKLM\SOFTWARE\Classes\Protocols\Handler
30. HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
31. HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
32. HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
33. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
34. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
35. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
36. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
37. HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
38. HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
39. HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
40. HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
41. HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
42. HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
43. HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
44. HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
45. HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
46. HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
47. HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
48. HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
49. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
50. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
51. HKCU\Software\Microsoft\Ctf\LangBarAddin
52. HKLM\Software\Microsoft\Ctf\LangBarAddin
53. HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
54. HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
55. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
56. HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
57. HKLM\Software\Microsoft\Internet Explorer\Toolbar
58. HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
59. HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
60. HKCU\Software\Microsoft\Internet Explorer\Extensions
61. HKLM\Software\Microsoft\Internet Explorer\Extensions
62. HKLM\System\CurrentControlSet\Services
63. HKLM\System\CurrentControlSet\Services
64. HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
65. HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
66. HKLM\System\CurrentControlSet\Control\Session Manager\Execute
67. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
68. HKLM\Software\Microsoft\Command Processor\Autorun
69. HKCU\Software\Microsoft\Command Processor\Autorun
70. HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
71. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
72. HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
73. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
74. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
75. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
76. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
77. HKCU\Control Panel\Desktop\Scrnsave.exe
78. HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
79. HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
80. HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
81. HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
82. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
83. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
84. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
85. HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
86. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
87. HKCR\batfile\shell\open\command @="\"%1\" %*"
88. HKCR\comfile\shell\open\command @="\"%1\" %*"
89. HKCR\exefile\shell\open\command @="\"%1\" %*"
90. HKCR\htafile\Shell\Open\Command @="\"%1\" %*"
91. HKCR\piffile\shell\open\command @="\"%1\" %*"
92. HKLM\Software\Classes\batfile\shell\open\command
93. HKLM\Software\Classes\comfile\shell\open\command
94. HKLM\Software\Classes\exefile\shell\open\command
95. HKLM\Software\Classes\htafile\shell\open\command
96. HKLM\Software\Classes\piffile\shell\open\command
97. HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
98. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
99. HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping
100. HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
101. HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
102. HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
103. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\Application
104. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\Application
105. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\Application
106. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\Application
107. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\Application
108. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\Application
109. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\Application
110. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\ProgID
111. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\ProgID
112. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\ProgID
113. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\ProgID
114. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\ProgID
115. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\ProgID
116. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\ProgID
117. HKLM\Software\CLASSES\batfile\shell\open\command @="\"%1\" %*"
118. HKLM\Software\CLASSES\comfile\shell\open\command @="\"%1\" %*"
119. HKLM\Software\CLASSES\exefile\shell\open\command @="\"%1\" %*"
120. HKLM\Software\CLASSES\htafile\Shell\Open\Command @="\"%1\" %*"
121. HKLM\Software\CLASSES\piffile\shell\open\command @="\"%1\" %*"
122. HKCR\vbsfile\shell\open\command
123. HKCR\vbefile\shell\open\command
124. HKCR\jsfile\shell\open\command
125. HKCR\jsefile\shell\open\command
126. HKCR\wshfile\shell\open\command
127. HKCR\wsffile\shell\open\command
128. HKCR\scrfile\shell\open\command
129. HKLM\Software\Microsoft\Active Setup\Installed Components\KeyName\StubPath=C:\PathToFile\Filename.exe
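To make the list above usable during live triage, here is an added PowerShell example (my own, not part of the original post) that walks a subset of the Run/RunOnce and Winlogon keys listed above, pulls the executable out of each command line, reports its Authenticode status, and compares the two Winlogon values that are most often hijacked against their known defaults. It assumes PowerShell is present on the machine (not true by default on XP and Vista) and that it runs elevated; the key subset and the helper names Get-ImagePath and Resolve-ImagePath are my choices.

```powershell
# Added example, not from the original post. Assumes PowerShell is available
# and the script runs elevated on the live machine.
$asepKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'   # holds the Load and Run values
)

# Pull the executable out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    foo.exe -x
function Get-ImagePath([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|dll|scr|com|pif|bat|cmd|vbs|js))(\s|,|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

# Bare names such as explorer.exe are looked up in the Windows directories
function Resolve-ImagePath([string]$image) {
    if ([string]::IsNullOrEmpty($image) -or $image -match '^[A-Za-z]:\\|^\\\\') { return $image }
    foreach ($dir in @("$env:windir\system32", $env:windir)) {
        $candidate = Join-Path $dir $image
        if (Test-Path -LiteralPath $candidate -ErrorAction SilentlyContinue) { return $candidate }
    }
    return $image
}

foreach ($key in $asepKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping properties;
        # only string values can hold a command line
        if ($p.Name -like 'PS*' -or $p.Value -isnot [string]) { continue }
        $image = Resolve-ImagePath (Get-ImagePath $p.Value)
        if (-not $image) { continue }
        $status = 'MISSING'
        if (Test-Path -LiteralPath $image -ErrorAction SilentlyContinue) {
            # Valid, NotSigned, HashMismatch, ...; anything but Valid deserves a look
            $status = (Get-AuthenticodeSignature -FilePath $image).Status
        }
        '{0,-12} {1}\{2} = {3}' -f $status, $key, $p.Name, $p.Value
    }
}

# Known-good defaults for the two Winlogon values most often replaced by malware
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:windir\system32\userinit.exe,"   # trailing comma is part of the default
}
foreach ($name in $expected.Keys) {
    $actual = ([string]$wl.$name).Trim()
    if ($actual -ne $expected[$name]) {
        "ALERT        Winlogon\$name is '$actual' (expected '$($expected[$name])')"
    }
}
```

One caveat when reading the output on XP and Vista: most operating-system binaries there are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature reports them as NotSigned. A NotSigned file inside %windir%\system32 is therefore not suspicious by itself; compare its hash against a known-good copy instead. A NotSigned or MISSING entry pointing into a user profile or a temp directory is the kind of thing worth following up.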


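Entries 87 to 128 are file-type hijacks rather than classic run keys: if the shell\open\command for exefile or batfile is changed, every program of that type launches through the attacker's binary. The following added PowerShell example (mine, not the post's) reads those commands from both HKLM\Software\Classes and HKCU\Software\Classes separately, because HKCR merges the two and a per-user override would otherwise be invisible, compares them with the defaults, and lists any per-user FileExts overrides for the same extensions. The expected values for the five types given are the stock defaults; the helper name Get-DefaultValue is my own.

```powershell
# Added example, not from the original post. Assumes PowerShell is available.
$expectedOpen = @{
    batfile = '"%1" %*'
    comfile = '"%1" %*'
    exefile = '"%1" %*'
    piffile = '"%1" %*'
    scrfile = '"%1" /S'
}
# HKCR is a merged view of these two hives; read each one on its own so a
# per-user override of exefile stands out instead of silently winning.
$classRoots = @(
    'Registry::HKEY_LOCAL_MACHINE\Software\Classes',
    'Registry::HKEY_CURRENT_USER\Software\Classes'
)

# Returns the (Default) value of a key, or $null if the key does not exist
function Get-DefaultValue([string]$keyPath) {
    if (-not (Test-Path -LiteralPath $keyPath)) { return $null }
    return (Get-Item -LiteralPath $keyPath).GetValue('')
}

foreach ($type in $expectedOpen.Keys) {
    foreach ($root in $classRoots) {
        $key = "$root\$type\shell\open\command"
        $actual = Get-DefaultValue $key
        if ($null -eq $actual) { continue }      # the HKCU copy is normally absent
        $flag = if ([string]$actual -eq $expectedOpen[$type]) { 'ok   ' } else { 'ALERT' }
        '{0} {1} = {2}' -f $flag, $key, $actual
    }
}

# Per-user FileExts overrides (entries 103-116): anything present here for an
# executable extension redirects the user's double-click and deserves a look.
foreach ($ext in '.bat', '.cmd', '.com', '.exe', '.hta', '.pif', '.scr') {
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext"
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in 'Application', 'ProgID') {
        if ($props.$name) { "CHECK $key\$name = $($props.$name)" }
    }
}
```

htafile and the script types (vbsfile, jsfile, wshfile and so on) are left out of the baseline on purpose: their default commands point at mshta.exe or wscript.exe with a full path that differs between XP and Vista, so for those print the value and confirm that the interpreter path really is inside %windir%.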

Folder locations:
1. %ALLUSERSPROFILE%\Start Menu\Programs\Startup
2. %USERPROFILE%\Start Menu\Programs\Startup
3. %windir%\Tasks
4. %windir%\System32\Tasks - Windows Vista
5. %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
6. %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
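For the folder locations, the useful check is not just listing the directory but seeing hidden files, resolving shortcuts to their real target and checking that target's signature. The added PowerShell example below (mine, not the post's) does that for the six folders above; it assumes PowerShell is present and uses the WScript.Shell COM object, which ships with Windows, to read .lnk targets.

```powershell
# Added example, not from the original post. Assumes PowerShell is available.
$startupDirs = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",                      # XP, all users
    "$env:USERPROFILE\Start Menu\Programs\Startup",                          # XP, current user
    "$env:windir\Tasks",                                                     # XP .job files
    "$env:windir\System32\Tasks",                                            # Vista task XML
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",    # Vista, all users
    "$env:USERPROFILE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"  # Vista, current user
)
$wsh = New-Object -ComObject WScript.Shell

foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force includes hidden and system files, a common way to hide a dropper;
    # a hidden desktop.ini is normal, anything else hidden here is not
    $files = Get-ChildItem -LiteralPath $dir -Force -Recurse | Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        $target = $f.FullName
        if ($f.Extension -eq '.lnk') {
            # the shortcut itself is harmless; what it points at is what runs
            $target = $wsh.CreateShortcut($f.FullName).TargetPath
        }
        $sig = 'n/a'
        if ($target -and (Test-Path -LiteralPath $target -ErrorAction SilentlyContinue)) {
            $sig = (Get-AuthenticodeSignature -FilePath $target).Status
        }
        $attrs = $f.Attributes
        '{0,-12} {1,-16} {2,-22} {3} -> {4}' -f $sig, $f.LastWriteTime.ToString('yyyy-MM-dd HH:mm'), $attrs, $f.FullName, $target
    }
}
```

The LastWriteTime column is there for a reason: on a box where the infection date is roughly known, a startup shortcut or .job file written around that time is a far better lead than the file name, which malware usually chooses to look like something legitimate.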