Windows XP Startup Methods - Startup Registry Keys
(Page 2 of 4 )
There are far too many startup registry keys to cover in this article. I’m only going to focus on the most commonly used and exploited ones. You can find links to more information at the end of this article.
The most common of these registry keys are the ones commonly referred to as the Run Keys. These are keys specifically used to schedule program startup. There are three sets of them: one under the HKEY_LOCAL_MACHINE root, another under HKEY_CURRENT_USER, and the last under HKEY_USERS.
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion
RunServicesOnce
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
Setup
HKEY_USERS.DefaultSoftwareMicrosoftWindowsCurrentVersionRun
HKEY_USERS.DefaultSoftwareMicrosoftWindowsCurrentVersionRunOnce
The keys under HKEY_LOCAL_MACHINE are executed regardless of who logs on to the computer. These are system-wide startup settings. HKEY_CURRENT_USER houses the settings specific to the currently logged on user and HKEY_USERS houses each user profile.
The Run keys execute processes at every startup. The RunOnce keys are only executed once and then deleted upon successful execution. The same is true for the RunServices and RunServicesOnce keys except that they are executed as system services instead.
One commonly exploited key is the one seen below. Specifically, its Shell value is responsible for identifying the executable that starts the system shell, namely Explorer.exe. However, this key can be changed to execute unwanted programs unbeknownst to the user.
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon
The Winlogon process is responsible for much of Windows startup. It provides the user login system as well as starting the Windows environment. There are two other common locations used to exploit this process as well.
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify
The first is a value that contains another setting used internally by Windows and should never be changed from its default.
The second is ended for use by Winlogon Notification Packages. These are programs designed to perform certain actions when Winlogon events, such as Logon or Logoff, are triggered. Placing a harmful executable in this key will cause the exploit code to be executed every time one of these events occurs.
As much as I would love to be complete, there are far too many of these to cover in this article. Please read the links provided for more information. If you have questions about specific keys or their intended purpose, please post those questions in this article’s blog.
Next: Startup Folders >>
More BrainDump Articles
More By Nilpo/Developer Shed Staff Writer
