(From: http://www.cnblogs.com/geoff/archive/2007/03/25/687136.html)
I. The Startup folder:
Start --- Programs --- Startup: add applications or shortcuts here.
This is the most common and simplest startup method for applications in Windows. To start a file at logon, drag it into this folder or create a shortcut to it there. Common viruses rarely use this method today, though some still do.
Path: C:\Documents and Settings\Owner\Start Menu\Programs\Startup
II. The second Startup folder:
This one is easily overlooked. It is used exactly like the first Startup folder: drag the file to be started into this directory and it will be started.
Path: C:\Documents and Settings\User\Start Menu\Programs\Startup
III. Startup via system configuration files:
Many people are unfamiliar with the system configuration files, and many viruses start from them.
1) win.ini:
Startup location (xxx.exe is the name of the file to be started):
[windows]
load=xxx.exe [this entry runs the file in the background]
run=xxx.exe [this entry runs the file normally]
2) system.ini:
Startup location (xxx.exe is the name of the file to be started):
Default value:
[boot]
shell=Explorer.exe [Explorer.exe is the Windows program manager, i.e. Windows Explorer; this is normal]
After adding the file to be started:
[boot]
shell=Explorer.exe xxx.exe [many viruses use this method now; it is well concealed because the file starts together with Explorer]
Note: system.ini differs from win.ini in that it can only start one specified file this way. Do not replace shell=Explorer.exe xxx.exe with shell=xxx.exe, or Windows will be paralyzed!
3) wininit.ini:
Wininit is the Windows setup initialization utility.
Before Windows loads, the system executes the commands in this file, including copy, delete and rename, to update files.
File format:
[rename]
xxx1=xxx2
This copies xxx2 to a file named xxx1, overwriting xxx1.
To delete a file, use:
[rename]
nul=xxx2
The file names above must contain the complete path.
4) winstart.bat:
This is a batch file executed by the system at startup, mainly used to copy and delete files. For example, some software leaves residue in the system after it is uninstalled, and this is where winstart.bat comes into play.
For example:
@if exist c:\windows\tempxxxx.bat call c:\windows\tempxxxx.bat
This means: execute the xxxx.bat file if it exists.
5) USERINIT.INI [supplement 2/2]:
Some viruses also start this way; it works the same as system.ini.
6) autoexec.bat:
This is a common startup method. A virus uses it to perform some action: the autoexec.bat file contains malicious code, for example format C:/y.
IV. Startup via the registry:
Using the registry is the most frequently used way of starting programs in Windows.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\Local User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\y
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD\
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKLM\SOFTWARE\Classes\Protocols\Filter
HKLM\SOFTWARE\Classes\Protocols\Handler
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\y
HKCU\Control Panel\Desktop\SCRNSAVE.EXE
HKLM\System\CurrentControlSet\Services\Winsock\Parameters\Protocol_Catalog9
HKLM\System\CurrentControlSet\Control\Print\Monitors
HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages
HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages
HKLM\System\CurrentControlSet\Control\Lsa\Security Packages
V. Other startup methods:
(1). C:\Explorer.exe startup method:
This method is rarely known.
Hosts file.
The search order is as follows:
(1). Search the current directory.
(2). If Explorer.exe is not found there, the system reads the path information from [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path] and searches those directories.
(3). If the file is still not found, the system reads [HKEY_CURRENT_USER\Environment\Path] and searches those directories.
The path values stored in [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path] and [HKEY_CURRENT_USER\Environment\Path] are "%SystemRoot%\system32;%SystemRoot%" and empty, respectively.
Therefore, when the system starts, the "current directory" is %SystemDrive% (the system drive), so the system searches for EXPLORER.EXE in the following order:
(1). %SystemDrive% (for example c:\)
(2). %SystemRoot%\system32 (for example c:\winnt\system32)
(3). %SystemRoot% (for example c:\winnt)
In the Windows NT series (Windows NT / Windows 2000), only the file name Explorer.exe, without a path, is set as the shell file name in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell], so the search order above applies; Microsoft changed this in Windows 2000 SP2.
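To see why a file dropped in the root of the system drive wins, here is an added example (my code, not from the original post) that simulates the search order just described over a constructed file listing. The directory order and the bare Explorer.exe shell name follow the text; the file listings, the function names and the %SystemRoot% value c:\winnt are assumptions. A defender can run the same check against a file list taken from a disk image to spot a planted C:\Explorer.exe.

```python
import ntpath
from typing import Optional, Set

# Constructed file listings (lower-cased full paths); assumptions, not a real machine.
CLEAN_SYSTEM: Set[str] = {r"c:\winnt\explorer.exe", r"c:\winnt\system32\userinit.exe"}
ROGUE_SYSTEM: Set[str] = CLEAN_SYSTEM | {r"c:\explorer.exe"}  # a planted copy in the root


def shell_search_order(systemroot: str = r"c:\winnt"):
    # Order from section V(1): the boot-time current directory %SystemDrive%\,
    # then the Session Manager Environment Path, i.e. %SystemRoot%\system32;%SystemRoot%
    # (HKCU\Environment\Path is empty at that point and adds nothing).
    systemdrive = ntpath.splitdrive(systemroot)[0]
    return [systemdrive + "\\", ntpath.join(systemroot, "system32"), systemroot]


def resolve_shell(shell_value: str, files: Set[str], systemroot: str = r"c:\winnt") -> Optional[str]:
    """Return the file the Winlogon Shell value would actually start, or None if absent."""
    name = shell_value.split()[0]  # ignore anything appended after the shell name
    if ntpath.splitdrive(name)[0] or name.startswith("\\"):
        return name.lower() if name.lower() in files else None  # explicit path: no search
    for directory in shell_search_order(systemroot):
        candidate = ntpath.join(directory, name).lower()
        if candidate in files:
            return candidate
    return None


def shell_is_hijacked(shell_value: str, files: Set[str], systemroot: str = r"c:\winnt") -> bool:
    """Flag a shell that resolves outside %SystemRoot%, e.g. a planted C:\\Explorer.exe."""
    resolved = resolve_shell(shell_value, files, systemroot)
    return resolved is not None and ntpath.dirname(resolved) != systemroot.lower()


if __name__ == "__main__":
    for label, listing in (("clean", CLEAN_SYSTEM), ("rogue", ROGUE_SYSTEM)):
        print(label, resolve_shell("Explorer.exe", listing), shell_is_hijacked("Explorer.exe", listing))
```

The check is only meaningful when the Shell value is a bare file name; once the value carries a full path, as later Windows versions write it, the search is skipped and the resolver returns that path directly.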
(2). Screen saver startup method:
A Windows screen saver (*.scr) is an executable PE file; if a screen saver *.scr is renamed to *.*.*.scr it can still be started normally.
The file path is stored in the SCRNSAVE.EXE= entry of system.ini, for example SCRNSAVE.EXE=%system32%\xxxx.scr
This startup method is dangerous.
(3). Scheduled task startup method:
In Windows, the scheduled task feature starts a program at a specified time. This startup method is quite concealed.
[Start] --- [Programs] --- [Accessories] --- [System Tools] --- [Scheduled Tasks], then follow the wizard step by step.
(4). autorun.inf startup method:
The autorun.inf file comes into play when a disc is inserted: the optical drive decides, based on the file's content, whether and how to open the disc's content.
The content of autorun.inf is usually:
[autorun]
open=<file name>.exe
icon=<icon file>.ico
1. If a trojan is xxx.exe, autorun.inf can be written as:
open=Windows\xxx.exe
icon=xxx.exe
In this case xxx.exe runs every time you double-click the C drive.
2. If autorun.inf is placed in the root of the C drive with the content:
open=D:\xxx.exe
icon=xxx.exe
then double-clicking the C drive runs xxx.exe on the D drive.
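The configuration files in section III (win.ini, system.ini, wininit.ini), the SCRNSAVE.EXE= entry in V(2) and the autorun.inf file above all share the same INI layout, so one offline audit covers them. The example below is added here and is not code from the original post: it parses files copied off a disk and reports every entry that starts a program. The section and key names follow the text; the sample file contents, file names such as svchosts.exe and dropper.tmp, and the function names are constructed assumptions.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed sample files (assumptions, not copied from a real machine) that
# contain the kinds of entries sections III, V(2) and V(4) describe.
# Backslashes are doubled inside Python string literals.
WIN_INI = """
[windows]
load=c:\\windows\\system\\svchosts.exe
run=
"""
SYSTEM_INI = """
[boot]
shell=Explorer.exe c:\\windows\\system\\svchosts.exe
SCRNSAVE.EXE=c:\\windows\\system32\\logon.scr
"""
WININIT_INI = """
[rename]
NUL=c:\\windows\\temp\\dropper.tmp
c:\\windows\\system\\msvcrt.dll=c:\\windows\\temp\\msvcrt.new
"""
AUTORUN_SAME_DRIVE = "[autorun]\nopen=Windows\\xxx.exe\nicon=xxx.exe\n"
AUTORUN_OTHER_DRIVE = "[autorun]\nopen=D:\\xxx.exe\nicon=xxx.exe\n"

Finding = Tuple[str, str, str, str, str]  # file, section, key, value, note


def parse_ini(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INI reader: section names lower-cased, key case kept, and
    duplicate keys preserved (wininit.ini may repeat NUL=...)."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def audit_win_ini(text: str) -> List[Finding]:
    """[windows] load= / run= start a program at logon; an empty value is normal."""
    return [("win.ini", "windows", k, v, "started at logon via " + k.lower() + "=")
            for k, v in parse_ini(text).get("windows", [])
            if k.lower() in ("load", "run") and v]


def audit_system_ini(text: str) -> List[Finding]:
    """[boot] shell= should be exactly Explorer.exe; anything appended is started
    alongside the shell. SCRNSAVE.EXE= also names an executable."""
    out: List[Finding] = []
    for k, v in parse_ini(text).get("boot", []):
        if k.lower() == "shell":
            tokens = v.split()  # simple split: paths containing spaces would need quoting
            if not tokens or ntpath.basename(tokens[0]).lower() != "explorer.exe":
                out.append(("system.ini", "boot", k, v, "shell is not Explorer.exe"))
            if len(tokens) > 1:
                out.append(("system.ini", "boot", k, v,
                            "extra program after Explorer.exe: " + " ".join(tokens[1:])))
        elif k.lower() == "scrnsave.exe" and v:
            out.append(("system.ini", "boot", k, v, "screen saver is a PE executable; verify the file"))
    return out


def audit_wininit_ini(text: str) -> List[Finding]:
    """[rename] dest=src: src overwrites dest before Windows loads; dest NUL deletes src."""
    return [("wininit.ini", "rename", dest, src,
             "deleted before Windows loads" if dest.lower() == "nul"
             else "overwritten before Windows loads")
            for dest, src in parse_ini(text).get("rename", [])]


def audit_autorun_inf(text: str, drive: str) -> List[Finding]:
    """Resolve open= against the drive root and flag a target on another volume."""
    out: List[Finding] = []
    for k, v in parse_ini(text).get("autorun", []):
        # shellexecute= is a real autorun.inf key that the page does not show
        if k.lower() in ("open", "shellexecute") and v:
            target = v.split()[0]  # drop any command-line arguments
            full = target if ntpath.splitdrive(target)[0] else ntpath.join(drive + "\\", target)
            other = ntpath.splitdrive(full)[0].lower() != drive.lower()
            out.append(("autorun.inf", "autorun", k, full, "runs on double-click of "
                        + drive + (", target on another volume" if other else "")))
    return out


def audit_samples() -> List[Finding]:
    """Run every check over the constructed samples above."""
    return (audit_win_ini(WIN_INI) + audit_system_ini(SYSTEM_INI)
            + audit_wininit_ini(WININIT_INI)
            + audit_autorun_inf(AUTORUN_SAME_DRIVE, "C:")
            + audit_autorun_inf(AUTORUN_OTHER_DRIVE, "C:"))


if __name__ == "__main__":
    for finding in audit_samples():
        print("%-12s [%s] %s=%s  -> %s" % finding)
```

The parser is deliberately its own few lines rather than configparser, because configparser merges duplicate keys and a wininit.ini [rename] section can legitimately contain several NUL= lines; losing one would hide a deletion. Each finding names the file, section and key, which is what you need to go back to the original file and verify the target.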
(5). Changed-extension startup method:
Change the extension of the file (*.exe):
For example, a *.exe file can be renamed to *.bat, *.scr or another extension and still be started.
VI. VxD virtual device driver startup method:
Applications use dynamically loaded VxD virtual device drivers; VxDs apply only to Windows 95/98/ME.
They manage the use of system resources, such as hardware devices or installed software, by 32-bit executable programs, so that several applications can use these resources at the same time.
VII. Service startup method:
[Start] --- [Run] --- type services.msc (without quotation marks) --- to manage the service entries.
Under the "Startup type" option you can set how a service starts: Automatic (starts with the system), Manual, Disabled (never starts), or Paused (it will start again after a restart).
Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
All programs started as services run in the background. For example, the Chinese trojan "Gray Pigeon" starts this way in the background and steals user information.
VIII. Driver startup method:
Some viruses pretend to be hardware drivers in order to start.
1. Built-in drivers [started by a standard program supplied by the operating system]
2. Drivers supplied with the hardware [started by a standard program supplied by the hardware vendor]
3. Drivers faked by the virus itself [a standard program faked by the virus itself, used to start it]
Supplement 06/3/11 [from peter_yu]:
WinDir\Start Menu\Programs\Startup\
User\Startup\
All Users\Startup\
WinDir\System\iosubsys\
WinDir\System\vmm32\
WinDir\Tasks\
C:\Explorer.exe
C:\autoexec.bat
C:\config.sys
WinDir\wininit.ini
WinDir\winstart.bat
WinDir\win.ini - [windows] "load"
WinDir\win.ini - [windows] "run"
WinDir\system.ini - [boot] "shell"
WinDir\system.ini - [boot] "scrnsave.exe"
WinDir\dosstart.bat
WinDir\System\autoexec.nt
WinDir\System\config.nt
Supplement 06/3/25 [from smzd2005]:
Folder.htt
Desktop.ini
C:\Documents and Settings\<User Name>\Application Data\Microsoft\Internet Explorer\Desktop.htt
Supplement 06/8/1 [self-supplement (registry startup locations)]:
HKLM\System\CurrentControlSet\Control\MPRServices
HKCU\ftp\shell\open\command
HKCR\ftp\shell\open\command
HKCU\Software\Microsoft\Ole
HKCU\Software\Microsoft\Command Processor
HKLM\SOFTWARE\Classes\mailto\shell\open\command
HKLM\SOFTWARE\Classes\Protocols
HKCR\Protocols
HKCU\Control Panel\Desktop
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units
HKLM\System\CurrentControlSet\Services\WinSock2
HKLM\System\CurrentControlSet\Control\Lsa
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Supplement 06/8/6 [self-supplement (registry startup locations)]:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs
HKLM\SOFTWARE\Classes\Protocols\Handler
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell