Windows Startup Locations

Pop quiz: how many places can an application install itself to ensure it will survive a Windows reboot? If you named the usual suspects like the Run and autorun locations in the registry, you would be correct, but you would have mentioned only a small subset of the many places. I’m going to resist the urge to rant about how insane it is to have so many possible places for an application (i.e. a trojan) to ensure its survival. Instead, I’ll just give you the most comprehensive list I have come across, courtesy of the Autoruns utility from Microsoft (formerly SysInternals):

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

C:\WINDOWS\Tasks

HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Classes\Protocols\Filter

HKLM\SOFTWARE\Classes\Protocols\Handler

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers

HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers

HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers

HKLM\Software\Classes\Directory\Shellex\DragDropHandlers

HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers

HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers

HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers

HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks

HKLM\Software\Microsoft\Internet Explorer\Toolbar

HKLM\Software\Microsoft\Internet Explorer\Extensions

HKLM\System\CurrentControlSet\Services

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKCU\Control Panel\Desktop\Scrnsave.exe

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
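To turn this list into something a defender can check on a schedule, here is an added PowerShell example (not from the original post or from the Autoruns tool) that snapshots a subset of these locations into a JSON baseline and, on later runs, reports entries that have appeared or changed since; the baseline path and the chosen subset of locations are assumptions.

```powershell
# Added example, not from the post: snapshot a subset of the locations above and diff
# it against a saved baseline so new or changed entries stand out. $BaselinePath and
# the subset are assumptions; extend $Locations with the remaining entries from the list.
param(
    [string]$BaselinePath = "$env:ProgramData\autostart-baseline.json",  # assumed path
    [switch]$Update   # rewrite the baseline after a reviewed, legitimate change
)
# Provider notation (HKLM:\, HKCU:\). Some entries in the list (Winlogon\Userinit,
# Session Manager\BootExecute, Lsa\Notification Packages) name a value, not a key.
$Locations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages'
)
function Get-AutostartEntries {
    param([string[]]$Paths)
    foreach ($loc in $Paths) {
        if (Test-Path -LiteralPath $loc) {
            # A key: every value under it (skipping the PS* provider properties) is a candidate.
            $props = Get-ItemProperty -LiteralPath $loc -ErrorAction SilentlyContinue
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') {
                    [pscustomobject]@{ Location = "$loc\$($p.Name)"; Data = "$($p.Value)" }
                }
            }
            # Subkeys (BHO CLSIDs, services, ...) are entries too; record name + default value.
            foreach ($sub in Get-ChildItem -LiteralPath $loc -ErrorAction SilentlyContinue) {
                [pscustomobject]@{ Location = $sub.Name; Data = "$($sub.GetValue(''))" }
            }
        } else {
            # A value path: read that one value from its parent key.
            $parent = Split-Path -Path $loc -Parent; $name = Split-Path -Path $loc -Leaf
            $v = Get-ItemProperty -LiteralPath $parent -Name $name -ErrorAction SilentlyContinue
            if ($v) { [pscustomobject]@{ Location = $loc; Data = "$($v.$name)" } }
        }
    }
}
$current = @(Get-AutostartEntries -Paths $Locations | Sort-Object Location)
if ($Update -or -not (Test-Path -LiteralPath $BaselinePath)) {
    ConvertTo-Json -InputObject $current | Set-Content -LiteralPath $BaselinePath
    "Baseline written: $($current.Count) entries -> $BaselinePath"
} else {
    $baseline = @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Location, Data |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { "NEW/CHANGED: $($_.Location) = $($_.Data)" }
}
```

Take the first baseline on a known-clean build, and remember that the HKCU:\ entries reflect only the user account the script runs under.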

Posted in Secure Administration, Secure Design