Analysis of Windows 2000/XP Self-Starting Programs

Source: Internet
Author: User
Source: Rising community. Editor: wilderness

When Windows completes the logon process, the mouse pointer goes from busy to idle. Apart from the icons on the desktop, what else do you see? Nothing may seem to have changed on the surface, but have you noticed that there are many more icons in your system tray, and a lot of processes in your process list? Many programs are loaded automatically when Windows starts. Do you know where they are loaded from?

It is an indisputable fact that the self-starting of many programs brings us a lot of convenience. But is every self-starting program useful? What's more, viruses or Trojans may be starting on their own without your knowing it!

Do you think it is necessary to understand where self-starting files hide? Well, I will point the locations out one by one so that they have nowhere to hide!

In fact, in Windows 2000/XP, apart from loading the Autoexec.bat file left over from earlier systems, programs are loaded automatically from two folders and nine core registry subkeys.

1) "Startup" folder: the most common self-starting program folder. It is located in the "Documents and Settings --> User --> Start Menu --> Programs" directory of the system partition. Here, User is the user name you log on with.

2) "Startup" folder under "All Users": another common self-starting program folder. It is located in the "Documents and Settings --> All Users --> Start Menu --> Programs" directory of the system partition. The "Startup" folder mentioned above runs the self-starting programs of the logged-on user, while the programs started from "All Users" apply to all users (no matter which user you log on as).

3) "Load" value: a deeply buried registry value. It is located at [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load].

4) "Userinit" value: located at [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit], it is also used to load programs when the system starts. Normally its data is "userinit.exe". Because the value can hold several entries separated by commas (,), other programs can be added to it.

5) "Explorer\Run" key: unlike "load" and "Userinit", "Explorer\Run" exists under both the [HKEY_CURRENT_USER] and [HKEY_LOCAL_MACHINE] root keys. It is located at [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run].

6) "RunServicesOnce" subkey: its programs are loaded before the user logs on and before the other registry self-start programs load. This key is located at both [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce].

7) "RunServices" subkey: its programs are also loaded before the user logs on and before the other registry self-start programs load. This key is located at both [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices].

8) "RunOnce\Setup" subkey: its default value is the program loaded after the user logs on. This key is located at both [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup].

9) "RunOnce" subkey: many self-start programs use the RunOnce subkey to complete their first load. This key is located at both [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]. The RunOnce subkey under [HKEY_CURRENT_USER] loads its programs before the user logon and before the Run values of the other registry keys load theirs. The RunOnce subkey under [HKEY_LOCAL_MACHINE] is loaded after the operating system has processed the other registry Run subkeys and the programs in the self-starting folders. In Windows XP, an additional [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx] subkey exists.

10) "Run" subkey: currently the most common location used to load self-starting programs. This key is located at both [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] and [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]. The Run key under [HKEY_CURRENT_USER] is followed by the Run key under [HKEY_LOCAL_MACHINE], but both are loaded before the "Startup" folder.

11) In addition, there are the services loaded by Windows. They have a high priority and are loaded first. They are located under [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services]. Take a look at all the services that are loaded from here!

12) Windows Shell: it is the Shell string value under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon], and its default value is Explorer.exe. Of course, a Trojan may add itself here and launch Explorer as its own parameter to fool the user.

13) BootExecute: located under [HKEY_LOCAL_MACHINE\System\ControlSet001\Session Manager\] in the registry, this is a multi-string value named BootExecute whose default value is "autocheck autochk *", which is used for automatic checks when the system starts. The programs in this startup item are executed before the GUI has finished loading, so they have a high priority.

14) Group Policy loader: open Gpedit, choose "User Configuration" > "Administrative Templates" > "System" > "Logon", and you will see the item "Run these programs at user logon". You can add programs to it. In the registry, this corresponds to the [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\Local User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] key.
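
Items 4 and 12 describe values whose normal data is known, so they can be checked against a baseline. The following added example (not part of the original article) parses a regedit text export and reports unexpected Userinit and Shell entries; the sample export, the baseline paths and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in regedit export format (not taken from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Temp\\helper.exe"
"Shell"="loader.exe Explorer.exe"
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
# Assumed baseline for a default install; extend it for your own builds.
BASELINE = {
    "userinit": {"userinit.exe", r"c:\windows\system32\userinit.exe",
                 r"c:\winnt\system32\userinit.exe"},
    "shell": {"explorer.exe"},
}

def parse_reg(text):
    """Return {key path (lowercase): {value name (lowercase): string data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = re.match(r'"([^"]+)"="(.*)"$', line)
        if match and current is not None:
            # Undo .reg escaping (\\ -> \, \" -> "); only REG_SZ is handled.
            current[match.group(1).lower()] = re.sub(r"\\(.)", r"\1", match.group(2))
    return keys

def audit_winlogon(reg_text):
    """Return [(value name, unexpected entry)] for Userinit and Shell."""
    values = parse_reg(reg_text).get(WINLOGON, {})
    findings = []
    for name, allowed in BASELINE.items():
        data = values.get(name, "")
        # Userinit holds a comma-separated list; Shell is one command line,
        # so a wrapper that passes Explorer as an argument fails the match.
        entries = data.split(",") if name == "userinit" else [data]
        for entry in (e.strip() for e in entries):
            if entry and entry.lower() not in allowed:
                findings.append((name, entry))
    return findings

if __name__ == "__main__":
    for name, entry in audit_winlogon(SAMPLE):
        print(f"unexpected {name} entry: {entry}")
```

Real exports written by regedit in "Version 5.00" format are UTF-16 encoded, so decode the file before passing its text to `audit_winlogon`.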

 
