

Windows Startup Locations
I am always fighting malware on someone's home computer. I found this list helpful to remove autoruns. Thanks mstarks for this list.
Pop quiz: how many places can an application install itself to ensure it will survive a Windows reboot? If you named the usual suspects like the run and autorun locations in the registry, you would be correct, but have mentioned only a small subsection of the many places. I’m going to resist the urge to rant about how insane it is to have so many possible places for an application (i.e. trojan) to ensure its survival. Instead, I’ll just give you the most comprehensive list I have come across, courtesy of the Autoruns utility from Microsoft (formerly SysInternals):

- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
- C:\WINDOWS\Tasks
- HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Classes\Protocols\Filter
- HKLM\SOFTWARE\Classes\Protocols\Handler
- HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
- HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
- HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
- HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
- HKLM\Software\Classes\Directory\Shellex\DragDropHandlers
- HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers
- HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers
- HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
- HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
- HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
- HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
- HKLM\Software\Microsoft\Internet Explorer\Toolbar
- HKLM\Software\Microsoft\Internet Explorer\Extensions
- HKLM\System\CurrentControlSet\Services
- HKLM\System\CurrentControlSet\Services
- HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- HKCU\Control Panel\Desktop\Scrnsave.exe
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
- HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
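As an added example (not part of the original post and not code from Autoruns), the PowerShell below snapshots a handful of the locations from the list and reports differences against a saved baseline, which is one way to notice a new autostart entry between cleanups. The registry paths come from the list; the function name `Get-AutostartSnapshot` and the baseline file location are assumptions.

```powershell
# Added example: baseline a few of the autostart locations from the list above.
# Keys under which every value is an autostart entry (paths from the list).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Entries the list gives as Key\Value, split here into key path and value name.
$NamedValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name = 'BootExecute' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'Authentication Packages' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'Notification Packages' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'Security Packages' },
    @{ Key = 'HKCU:\Control Panel\Desktop'; Name = 'Scrnsave.exe' }
)

function Get-AutostartSnapshot {   # hypothetical helper name
    foreach ($path in $RunKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            # -join flattens REG_MULTI_SZ data into one comparable string
            [pscustomobject]@{ Location = $path; Name = $name; Data = ($key.GetValue($name) -join ';') }
        }
    }
    foreach ($v in $NamedValues) {
        $key = Get-Item -LiteralPath $v.Key -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        $data = $key.GetValue($v.Name)
        if ($null -ne $data) {
            [pscustomobject]@{ Location = $v.Key; Name = $v.Name; Data = ($data -join ';') }
        }
    }
}

$BaselineFile = Join-Path $env:LOCALAPPDATA 'autostart-baseline.csv'   # assumed location
$current = @(Get-AutostartSnapshot)
if (Test-Path -LiteralPath $BaselineFile) {
    # '=>' marks entries present now but absent from the baseline
    Compare-Object @(Import-Csv -LiteralPath $BaselineFile) $current -Property Location, Name, Data |
        Select-Object Location, Name, Data,
            @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' } } }
} else {
    # First run: record the current state as the baseline
    $current | Export-Csv -LiteralPath $BaselineFile -NoTypeInformation
}
```

A value whose data changed shows up as one `removed` row and one `added` row for the same location and name.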










