Windows Program Automatic Startup Locations
Many programs that you install are automatically run when you
start your computer and load Windows. For the majority of cases, this type
of behavior is fine. Unfortunately, there are programs that are not legitimate,
such as spyware, hijackers, trojans, worms, viruses, that load is this manner
as well. It is therefore important that you check regularly your startup registry
keys regularly. Windows does offer a program that will list programs that
are automatically started from
SOME of these locations.
This program, Msconfig.exe, unfortunately, though, only lists programs from
a limited amount of startup keys.
Below are the various list of registry keys that can start a
program when Windows boots. I have tried to keep the keys in the exact order
that they load. Keep in mind, that some of the keys are set to load at the
same time, so it is possible that the order will change on each boot up. These
keys generally apply to Windows 95, 98, ME, NT, XP, and 2000, and I will note
when it is otherwise.
Upon turning on the computer the keys start in this order as
Windows loads:
RunServicesOnce - This key is designed to start
services when a computer boots up. These entries can also continue running
even after you log on, but must be completed before the HKEY_LOCAL_MACHINE\...\RunOnce
registry can start loading its programs.
| Registry
Keys: |
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce |
| |
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce |
RunServices - This key is designed to start
services as well. These entries can also continue running even after you log
on, but must be completed before the HKEY_LOCAL_MACHINE\...\RunOnce registry
can start loading its programs.
| Registry
Keys: |
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
|
| |
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices |
Logon Prompt is placed on Screen. After a user logs
in the rest of the keys continue.
RunOnce Local Machine Key - These keys are
designed to be used primarily by Setup programs. Entries in these keys are
started once and then are deleted from the key. If there a exclamation point
preceding the value of the key, the entry will not be deleted until after
the program completes, otherwise it will be deleted before the program runs.
This is important, because if the exclamation point is not used, and the program
referenced in this key fails to complete, it will not run again as it will
have already been deleted. All entries in this key are started synchronously
in an undefined order. Due to this, all programs in this key must be finished
before any entries in HKEY_LOCAL_MACHINE\...\Run, HKEY_CURRENT_USER\...\Run,
HKEY_CURRENT_USER\...\RunOnce, and Startup Folders can be loaded. The RunOnce
keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce
keys are not supported by Windows NT 3.51.
| Registry
Keys: |
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
|
| |
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx |
Run - These are the most common startup locations
for programs to install auto start from. By default these keys are not executed
in Safe mode. If you prefix the value of these keys with an asterisk, *, is
will run in Safe Mode.
| Registry
Keys: |
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
registry key |
| |
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
registry key |
All Users Startup Folder - For Windows XP,
2000, and NT, this folder is used for programs that should be auto started
for all users who will login to this computer. It is generally found at:
| Windows XP |
C:\Documents and Settings\All Users\Start Menu\Programs\Startup |
| Windows NT |
C:\wont\Profiles\All Users\Start Menu\Programs\Startup |
| Windows 2000 |
C:\Documents and Settings\All Users\Start Menu\Programs\Startup |
User Profile Startup Folder - This folder will
be executed for the particular user who logs in. This folder is usually found
in:
| Win 9X, ME |
c:\windows\start menu\programs\startup |
| Windows XP |
C:\Documents and Settings\LoginName\Start Menu\Programs\Startup |
RunOnce Current User Key - These keys are designed
to be used primarily by Setup programs. Entries in these keys are started
once and then are deleted from the key. If there a exclamation point preceding
the value of the key, the entry will not be deleted until after the program
completes, otherwise it will be deleted before the program runs. This is important,
because if the exclamation point is not use, and the program referenced in
this key fails to complete, it will not run again as it will have already
been deleted. The RunOnce keys are ignored under Windows 2000 and Windows
XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.
| Registry
Key: |
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce |
Explorer Run - These keys is generally used
to load programs as part of a policy set in place on the computer or user.
| Registry
Keys: |
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run |
| |
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run |
UserInit Key - This key specifies what program
should be launched right after a user logs into Windows. The default program
for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program
that restores your profile, fonts, colors, etc for your username. It is possible
to add further programs that will launch from this key by separating the programs
with a comma. For example:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
=C:\windows\system32\userinit.exe,c:\windows\badprogram.exe.
This will make both programs launch when you log in and is a
common place for trojans, hijackers, and spyware to launch from.
| Registry
Key: |
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userinit |
Load Key - This key is not commonly used anymore,
but can be used to auto start programs.
| Registry
Key: |
HKEY_CURRENT_USER\Software\Microsoft\Windows
NT\CurrentVersion\Windows\load |
Notify - This key is used to add a program
that will run when a particular event occurs. Events include logon, logoff,
startup, shutdown, startscreensaver, and stopscreensaver. When Winlogon.exe
generates an event such as the ones listed, Windows will look in the Notify
registry key for a DLL that will handle this event. Malware has been known
to use this method to load itself when a user logs on to their computer. Loading
in such a way allows the malware program to load in such a way that it is
not easy to stop.
| Registry
Key: |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify |
AppInit_DLLs - This value corresponds to files
being loaded through the AppInit_DLLs Registry value.
The AppInit_DLLs registry value contains a list of dlls that
will be loaded when user32.dll is loaded. As most Windows executables use
the user32.dll, that means that any DLL that is listed in the AppInit_DLLs
registry key will be loaded also. This makes it very difficult to remove the
DLL as it will be loaded within multiple processes, some of which can not
be stopped without causing system instability. The user32.dll file is also
used by processes that are automatically started by the system when you log
on. This means that the files loaded in the AppInit_DLLs value will be loaded
very early in the Windows startup routine allowing the DLL to hide itself
or protect itself before we have access to the system.
| Registry
Key: |
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Windows |
ShellServiceObjectDelayLoad - This Registry
contains values in a similar way as the Run key does. The difference is that
instead of pointing to the file itself, it points to the CLSID's InProcServer,
which contains the information about the particular DLL file that is being
used.
The files under this key are loaded automatically by Explorer.exe
when your computer starts. Because Explorer.exe is the shell for your computer,
it will always start, thus always loading the files under this key. These
files are therefore loaded early in the startup process before any human intervention
occurs.
| Registry
Key: |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
SharedTaskScheduler - This section corresponds
to files being loaded through the SharedTaskScheduler registry value for XP,
NT, 2000 machines..
The entries in this registry run automatically when you start
windows.
| Registry
Key: |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler |
The following are files that programs can autostart
from on bootup:
1. c:\autoexec.bat
2. c:\config.sys
3 . windir\wininit.ini - Usually used by setup programs to have a file run
once and then get deleted.
4. windir\winstart.bat
5. windir\win.ini - [windows] "load"
6. windir\win.ini - [windows] "run"
7. windir\system.ini - [boot] "shell"
8 . windir\system.ini - [boot] "scrnsave.exe"
9. windir\dosstart.bat - Used in Win95 or 98 when you select the "Restart
in MS-DOS mode" in the shutdown menu.
10. windir\system\autoexec.nt
11. windir\system\config.nt
Though it is good to know these details, if you just need a
program to quickly scan these keys and produce a list for you, you can use
Sysinternals
Autoruns program. While you are at that site, you should browse some of
the other excellent utilities.
--
Lawrence Abrams
Bleeping Computer Microsoft Concepts Series
BleepingComputer.com: Computer Support & Tutorials
for the beginning computer
user.
Have a problem and would like to ask us for help? To learn how to ask your question Click Here!
Do you have popups or other malware infecting your computer? If so, Start Here!
Are you having trouble using this site? Then you should visit the New User Orientation Center!
BleepingComputer.com -> Tutorials -> Microsoft General Tutorials -> Windows Program Automatic Startup Locations
