This guide will help you understand the importance of inspecting your "startup" locations. Most people don't realize the other locations where startup items live and hide. The one location almost everyone knows about is: Start Menu\Programs\Startup.

Reasons to inspect these locations are to remove Spyware/Adware/Malware, viruses (including Trojans) and any other programs that you believe shouldn't be there! In the near future I will compile a list of registry entries that can and should be removed.
The following startup locations are all in the Windows registry, apart from the two Startup folders listed first. Some of these locations do not apply to Windows 95/98/ME.

(Entries highlighted in blue can be managed in the "msconfig" utility, which can be accessed by typing msconfig in the Run dialog.)
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\{Username}\Start Menu\Programs\Startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
(In the right pane, look under the values named "Run" and "Load")
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
(Caution: Don't delete or disable the entry named Userinit, as you will be unable to log on to Windows XP.)
It's worth checking the contents of the ShellExecuteHooks key for Spyware/AdWare/Malware here:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Additional Windows startup launch-points can be found at Silentrunners.org.
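As an added example (not part of the original guide), the following PowerShell script walks the locations listed above read-only and prints every entry it finds, so the output can be compared against a known-good baseline. It assumes PowerShell 3.0 or later (for Get-ChildItem -File) and resolves the Startup folders through the .NET SpecialFolder enumeration instead of the XP paths shown above.

```powershell
# Added example (not from the original guide): read-only enumeration of the
# autostart locations listed above, for review against a known-good baseline.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)
# Keys where only specific named values hold autostart data (see notes above).
$namedValues = @{
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'  = @('Run', 'Load')
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' = @('Userinit')
}
function Get-AutostartEntries {
    # Keys absent on this Windows version (e.g. RunServices on XP) are skipped.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Name = $name; Data = $item.GetValue($name) }
        }
    }
    foreach ($key in $namedValues.Keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $namedValues[$key]) {
            $data = $item.GetValue($name)
            if ($null -ne $data) {
                [pscustomobject]@{ Location = $key; Name = $name; Data = $data }
            }
        }
    }
    # Startup folders are resolved via the shell, not hard-coded XP paths.
    foreach ($folder in @([Environment]::GetFolderPath('CommonStartup'),
                          [Environment]::GetFolderPath('Startup'))) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File | ForEach-Object {
            [pscustomobject]@{ Location = $folder; Name = $_.Name; Data = $_.FullName }
        }
    }
}
Get-AutostartEntries | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the HKLM keys are readable; the Userinit row it prints is the one the caution above says must be left in place.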
Related Microsoft Knowledge Base articles:
- A Definition of the Run Keys in the Windows XP Registry
- INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
- Definition of the RunOnce Keys in the Registry
Kernel Mode components

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems] contains a list of available subsystems. For example, Csrss.exe contains the user-mode portion of the Windows subsystem.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename]. The Service Control Manager initializes services whose Start entry designates them as Auto-load.
If a driver/service prevents you from starting Windows, load the Recovery Console and use the listsvc command. This lists all the services/drivers. To disable a service/driver, type disable <service/driver name> in the Recovery Console.