There are literally dozens of ways for programs to be launched when Windows starts. While these methods all have valid uses, many are often exploited by malware and viruses. Therefore, it’s a good idea to become familiar with them.
You can classify startup methods into three basic categories: the registry, startup directories, and startup files. We're going to take each of these categories one at a time and look at the most common methods for each of them.
The Windows Registry is a set of files (hives) that together work as a database of system and per-user configuration settings. It is exposed through an interface that looks like a directory hierarchy: keys nest like folders, and each key holds named values with data of a given type (string, expandable string, number, binary).
Changing the wrong settings in your registry can have catastrophic effects that render your system completely unusable. Always take precautions; follow directions and back up your registry before making any changes.
The second method of starting applications is the use of startup folders. These are folders on your system that contain either programs or shortcuts to programs. Each item in these folders is launched when a user logs on and the shell starts.
The last method of starting applications is the file method. In most cases this is considered a legacy method: certain text configuration files contain entries that are executed during startup. While the registry should generally be used for this, these files are still honored for backward compatibility with software written for older versions of Windows.
There are far too many startup registry keys to cover in this article. I’m only going to focus on the most commonly used and exploited ones. You can find links to more information at the end of this article.
The most common of these registry keys are the ones commonly referred to as the Run keys. These are keys whose sole purpose is to launch programs at startup or logon. There are three places to look for them: under the HKEY_LOCAL_MACHINE root, under HKEY_CURRENT_USER, and under HKEY_USERS.
The keys under HKEY_LOCAL_MACHINE are executed regardless of who logs on to the computer; these are system-wide startup settings. HKEY_CURRENT_USER houses the settings specific to the currently logged-on user. HKEY_USERS contains one subkey per loaded user profile, named by the user's SID, and HKEY_CURRENT_USER is simply a link to the subkey of the user who is logged on. Checking HKEY_USERS lets you inspect the Run keys of every other profile that is currently loaded (the service accounts, for instance) without logging on as that user; a profile that is not loaded has to be examined by loading its NTUSER.DAT hive.
The Run keys execute their entries at every logon. The RunOnce keys execute their entries once: by default the value is deleted before its command runs, and prefixing the value name with an exclamation point (!) defers the deletion until the command has completed successfully, so that a failed run is retried next time. The RunServices and RunServicesOnce keys exist only on Windows 95/98/Me, where they run before the logon prompt appears; Windows NT, 2000 and XP ignore them.
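As an added example (not code from the original article), the PowerShell script below walks the Run-key family under HKLM, HKCU and every profile currently loaded under HKEY_USERS and flags entries whose program is missing, lives outside the Windows and Program Files trees, or carries no valid Authenticode signature. The key names are the standard ones; the flagging heuristics are this example's own and will need tuning on a real system, where legitimate but unsigned software is common.

```powershell
# Added example (not from the article): enumerate the Run-key family across
# HKLM, HKCU and every profile loaded under HKEY_USERS, then flag entries whose
# executable is missing, sits outside the Windows/Program Files trees, or has no
# valid Authenticode signature. The key names are the standard ones; the flagging
# heuristics are this example's own choices and will need tuning on real systems.

$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',     # Windows 9x/Me only
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'  # Windows 9x/Me only
)

# HKCU is only a link to HKU\<SID>, so walking HKEY_USERS covers the logged-on
# user and every other profile that is currently loaded (service accounts too).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$roots = @('HKLM:') + @(Get-ChildItem HKU: | ForEach-Object { $_.PSPath })

# Extract the executable from a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent      or
#   C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL
function Get-CommandPath([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd -eq '') { return '' }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: the longest leading prefix that names an existing file wins, so
    # "C:\Program Files\Foo\foo.exe /x" is not cut at the first space.
    $parts = $cmd -split ' '
    for ($i = $parts.Length; $i -gt 0; $i--) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    # A bare name (rundll32.exe) is normally found through the PATH; try system32.
    $first = $parts[0]
    if (-not [IO.Path]::IsPathRooted($first)) {
        $sys = Join-Path $env:SystemRoot "system32\$first"
        if (Test-Path -LiteralPath $sys -PathType Leaf) { return $sys }
    }
    return $first
}

function Test-TrustedLocation([string]$path) {
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }
    foreach ($dir in $trusted) {
        if ($path.StartsWith($dir, 'OrdinalIgnoreCase')) { return $true }
    }
    return $false
}

$report = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $keyPath = "$root\$sub"
        if (-not (Test-Path $keyPath)) { continue }
        $key = Get-Item $keyPath
        foreach ($name in $key.GetValueNames()) {
            $cmd   = [string]$key.GetValue($name)
            $exe   = Get-CommandPath $cmd
            $flags = @()
            if ($exe -eq '' -or -not (Test-Path -LiteralPath $exe)) {
                $flags += 'missing-file'
            } else {
                if (-not (Test-TrustedLocation $exe)) { $flags += 'unusual-location' }
                if ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') { $flags += 'unsigned' }
            }
            New-Object PSObject -Property @{
                Key = $keyPath; Name = $name; Command = $cmd; Flags = ($flags -join ',')
            }
        }
    }
}
$report | Sort-Object Flags -Descending | Format-Table Flags, Name, Command -AutoSize
```

Run it from an elevated prompt so that every profile under HKEY_USERS is readable. An entry flagged missing-file is worth a second look too: malware that has been cleaned up often leaves its Run value behind, and an attacker who later drops a file at that path gets persistence for free.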
One commonly exploited key is the Winlogon key, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Its Shell value names the executable that Winlogon starts as the user's shell, namely Explorer.exe. Windows runs whatever this value names, and it accepts a comma-separated list, so malware does not even have to replace Explorer: a value such as "Explorer.exe, evil.exe" (evil.exe being a hypothetical name) starts the normal desktop and the unwanted program, unbeknownst to the user.
The Winlogon process is responsible for much of Windows startup. It handles interactive logon and then starts the user's Windows environment. Two other locations under the same key are commonly used to exploit this process as well.
The first is the Userinit value, which names the program Winlogon runs to set up the user session (by default %SystemRoot%\system32\userinit.exe followed by a trailing comma). It is used internally by Windows and should never be changed from its default. Like Shell, it accepts a comma-separated list, so a program appended after the comma is run at every logon.
The second is the Notify subkey, intended for Winlogon notification packages. These are DLLs designed to perform certain actions when Winlogon events, such as Logon or Logoff, are triggered; each subkey under Notify names its DLL in a DLLName value. Placing a harmful DLL in this key will cause its code to be executed, inside the Winlogon process itself, every time one of these events occurs.
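As an added example (not from the original article), the script below compares the Shell and Userinit values against their Windows XP defaults, prints each comma-separated element of a modified value so an appended program stands out, and lists every notification package with the DLL it loads. The default values are assumed to be the XP ones, which the article does not state.

```powershell
# Added example (not from the article): baseline-check the Winlogon values that
# malware most often rewrites, and enumerate Winlogon notification packages.
# The expected defaults below are the Windows XP ones (an assumption of this
# example; the article does not list them).

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$key = Get-Item $winlogon

# Userinit carries a trailing comma by design; anything after that comma is a
# second program that Winlogon will start at every logon.
$expected = @{
    Shell    = 'Explorer.exe'
    Userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
}

foreach ($name in $expected.Keys) {
    # Read the raw value so an %env% trick is visible rather than expanded away.
    $actual = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
    if ($actual.Trim() -ieq $expected[$name]) {
        'OK       {0,-9} {1}' -f $name, $actual
    } else {
        'MODIFIED {0,-9} {1}' -f $name, $actual
        $actual -split ',' | Where-Object { $_.Trim() } |
            ForEach-Object { '           -> ' + $_.Trim() }
    }
}

# Notification packages: one subkey per package, DLLName naming the library.
# A bare file name is found through the normal DLL search order; the legitimate
# packages live in system32, so that is where this example looks for them.
$notify = Join-Path $winlogon 'Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll  = [string]$_.GetValue('DLLName')
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "system32\$dll" }
        $exists = ($dll -ne '' -and (Test-Path -LiteralPath $path))
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        New-Object PSObject -Property @{
            Package = $_.PSChildName; DLL = $dll; Exists = $exists; Signature = $sig
        }
    } | Format-Table Package, DLL, Exists, Signature -AutoSize
} else {
    "No $notify key (this key was removed in Windows Vista)."
}
```

Two caveats when reading the output. On XP and older PowerShell versions, Microsoft's own system DLLs are catalog-signed rather than carrying an embedded signature, so Get-AuthenticodeSignature reports them as NotSigned; treat that column as a prompt to look, not as proof of tampering. And a package whose DLL does not exist on disk is still worth removing, because any attacker who can later write to that path gets code running inside Winlogon.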
As much as I would love to be complete, there are far too many of these to cover in this article. Please read the links provided for more information. If you have questions about specific keys or their intended purpose, please post those questions in this article’s blog.
As with the Registry, there are startup folders with legitimate uses and those that are commonly exploited. Let’s take a look.
Most likely the first one of these folders that comes to mind is the one so appropriately named Startup. Each user has his or her own, and there is one common to all users in the All Users profile.
As I just alluded to, these are located in the user profile directories found in the Documents and Settings folder. A typical location might look like this:
C:\Documents and Settings\Username\Start Menu\Programs\Startup
Any program or shortcut placed in this folder is launched by the shell shortly after the user logs on, once the Desktop has been initialized. You can see these easily by looking in the Startup folder on your Start Menu.
Keep in mind that it is very easy to hide unwanted programs in these locations on a default Windows installation. Unless you have enabled viewing of hidden files and folders, any shortcut or program carrying the hidden attribute will not appear on your Start Menu, but it will still be executed. A directory listing with hidden files shown (dir /a at a command prompt) reveals them.
Unless you are a power user, this next location probably goes overlooked. But it shouldn't: it is a commonly exploited persistence point that few people think to check.
%windir%\Tasks
This is the folder that houses Scheduled Tasks. Each task is stored here as a .job file, a specialized shortcut that also records when and how often its program should be executed and which account it runs as. The Task Scheduler service watches this folder, so a .job file dropped into it is picked up and run on its schedule without any entry appearing in the Run keys or the Startup folders.
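The following is an added example, not code from the original article, covering both folder-based locations above: it lists everything the per-user and All Users Startup folders will launch at logon, hidden items included, resolves .lnk shortcuts to their real target, and then lists the .job files in %windir%\Tasks together with the command each task runs as reported by schtasks. The folder locations come from the WScript.Shell COM object rather than a hard-coded Documents and Settings path.

```powershell
# Added example (not from the article): show everything the Startup folders will
# launch at logon, hidden items included, with .lnk shortcuts resolved to their
# real target, then list the .job files in %windir%\Tasks and the command each
# scheduled task runs. Folder locations come from WScript.Shell so the script
# works whether the profile root is Documents and Settings or Users.

$wsh = New-Object -ComObject WScript.Shell
$startupFolders = @(
    $wsh.SpecialFolders.Item('Startup'),          # current user
    $wsh.SpecialFolders.Item('AllUsersStartup')   # All Users profile
)

$items = foreach ($folder in $startupFolders) {
    # -Force includes files carrying the Hidden/System attributes, which the
    # Start Menu and a default Explorer view do not show.
    Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            $target = $_.FullName
            $arguments = ''
            if ($_.Extension -ieq '.lnk') {
                $lnk = $wsh.CreateShortcut($_.FullName)   # reads an existing .lnk
                $target = $lnk.TargetPath
                $arguments = $lnk.Arguments
            }
            New-Object PSObject -Property @{
                Folder       = $folder
                Item         = $_.Name
                Hidden       = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                Target       = $target
                Arguments    = $arguments
                TargetExists = ($target -ne '' -and (Test-Path -LiteralPath $target))
            }
        }
}
$items | Format-Table Hidden, Item, Target, Arguments, TargetExists -AutoSize

# Scheduled tasks: each .job file in %windir%\Tasks is one task definition.
$tasksDir = Join-Path $env:windir 'Tasks'
Get-ChildItem -LiteralPath $tasksDir -Force -Filter *.job -ErrorAction SilentlyContinue |
    Format-Table Name, LastWriteTime, Attributes -AutoSize

# schtasks reads the same definitions and reports the command line each will run.
# Some versions repeat the CSV header once per task folder, so drop those rows.
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' } |
    Select-Object TaskName, 'Task To Run', 'Run As User', 'Next Run Time' |
    Format-Table -AutoSize
```

A shortcut whose target no longer exists is harmless today but is a path an attacker can reclaim later, and a shortcut with a benign-looking target and a long Arguments field (for example a script passed to a command interpreter) deserves the same scrutiny as an unknown executable.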
%windir%\system\iosubsys
%windir%\system\vmm32
These final two locations exist on Windows 95/98/Me and are intended for internal use by the operating system: they house virtual device drivers (VxDs) that are loaded as part of the kernel during boot. Identifying rogue files in these folders is generally very difficult unless you really know what you're looking for, because everything in them runs with full system privileges before any user logs on.
While older versions of Windows had many startup file locations, this is much less common in Windows XP. Again, they are provided for backward compatibility, but in my experience they are much less reliable than registry entries.
%windir%\system32\autoexec.nt
%windir%\system32\config.nt
These are essentially the Windows NT equivalents of the Autoexec.bat and Config.sys files found in older versions of Windows. Note that they are not processed at boot: they are read whenever the NT Virtual DOS Machine (ntvdm.exe) starts to run an MS-DOS or 16-bit Windows program, so a command placed in them runs the first time a user launches such a program.
%windir%\system.ini
%windir%\win.ini
As in older versions of Windows, these files house some basic startup configuration settings. In win.ini pay close attention to the load= and run= lines of the [windows] section; both are normally empty, and any program named there is started at logon. In system.ini you'll want to watch the [boot] section, where shell= should name explorer.exe. On Windows NT, 2000 and XP the [windows] load= and run= entries are mapped into the registry and are actually read from there, as the Load and Run values under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, so that key needs checking too.
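As an added example (not code from the original article), the script below reads the legacy files with a small INI reader written for the purpose and reports exactly the entries discussed above: win.ini load= and run=, their registry-mapped Load and Run copies, the system.ini shell= line, and every active (non-comment) line of autoexec.nt and config.nt. File locations are the Windows XP ones.

```powershell
# Added example (not from the article): report the legacy startup entries in
# win.ini, system.ini, autoexec.nt and config.nt, plus the registry values that
# win.ini's load=/run= are mapped to on NT-based Windows. The INI reader is a
# minimal one written for this example; file locations are the Windows XP ones.

function Read-IniSections([string]$path) {
    # Returns a hashtable: lower-cased section name -> array of raw entry lines.
    # Blank lines and ';' comments are skipped; lines before any [section] too.
    $sections = @{}
    $current = ''
    if (-not (Test-Path -LiteralPath $path)) { return $sections }
    foreach ($line in Get-Content -LiteralPath $path) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';')) { continue }
        if ($t -match '^\[(.+)\]$') {
            $current = $matches[1].ToLowerInvariant()
            if (-not $sections.ContainsKey($current)) { $sections[$current] = @() }
            continue
        }
        if ($current -eq '') { continue }
        $sections[$current] += $t
    }
    return $sections
}

$winIni = Read-IniSections (Join-Path $env:windir 'win.ini')
$sysIni = Read-IniSections (Join-Path $env:windir 'system.ini')

# win.ini [windows]: load= and run= are normally empty.
foreach ($entry in @($winIni['windows'])) {
    if ($entry -match '^(load|run)\s*=\s*(.*)$' -and $matches[2].Trim()) {
        'win.ini [windows] {0}= runs: {1}' -f $matches[1], $matches[2].Trim()
    }
}

# On NT-based Windows the same two settings are read from this registry key
# (win.ini is mapped there), so an attacker can set them without touching the file.
$mapped = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($name in 'Load', 'Run') {
    $v = (Get-ItemProperty -Path $mapped -ErrorAction SilentlyContinue).$name
    if ($v) { 'registry {0}\{1} runs: {2}' -f $mapped, $name, $v }
}

# system.ini [boot]: shell= should be explorer.exe; anything else replaces the shell.
foreach ($entry in @($sysIni['boot'])) {
    if ($entry -match '^shell\s*=\s*(.*)$') {
        $shellCmd = $matches[1].Trim()
        $state = if ($shellCmd -ieq 'explorer.exe') { 'OK' } else { 'MODIFIED' }
        "system.ini [boot] shell= $shellCmd ($state)"
    }
}

# autoexec.nt / config.nt run whenever ntvdm.exe starts a 16-bit program.
# Print every line that is not blank and not a REM comment.
foreach ($file in 'autoexec.nt', 'config.nt') {
    $p = Join-Path $env:windir "system32\$file"
    if (-not (Test-Path -LiteralPath $p)) { continue }
    Get-Content -LiteralPath $p |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('REM', 'OrdinalIgnoreCase') -and
                       -not $_.StartsWith('@REM', 'OrdinalIgnoreCase') } |
        ForEach-Object { '{0}: {1}' -f $file, $_ }
}
```

Compare the autoexec.nt and config.nt output against a known-good copy of the files from the same Windows version: the stock ones contain only a handful of device= and lh lines, so any extra command is immediately visible.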
Again, the possibilities don’t stop here, but unfortunately I’m out of space. For more information about Windows startup methods, check out these very informative links:
Thanks for reading. I hope you found this article at least a bit informative. For every one of the dozens of startup methods available, there are probably at least as many viruses that target it.
Educating yourself with the inner workings of Windows is the only true way to become a power user. Until next time…