1. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft \windows\currentversion\run\
All values in this key are executed.
2. hkey_local_machine\software\microsoft\windows\currentversion\runonce\
All values in this key are executed, and then their autostart reference is deleted.
3. hkey_local_machine\software\microsoft\windows\currentversion\runservices\
All values in this key are executed as services.
4. hkey_local_machine\software\microsoft\windows\currentversion\runservicesonce\
All values in this key are executed as services, and then their autostart reference is deleted.
5. hkey_current_user\software\microsoft\windows\currentversion\run\
All values in this key are executed.
6. hkey_current_user\software\microsoft\windows\currentversion\runonce\
All values in this key are executed, and then their autostart reference is deleted.
7. Hkey_current_user\software\microsoft\windows\currentversion\runonce\setup\
Used only by Setup. Displays a progress dialog box as the keys are run one at a time.
8. Hkey_users\. Default\software\microsoft\windows\currentversion\run\
Similar to the Run key from HKEY_CURRENT_USER.
9. Hkey_users\. Default\software\microsoft\windows\currentversion\runonce\
Similar to the RunOnce key from HKEY_CURRENT_USER.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The "Shell" value is monitored. The this value is executed after your log in.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\.
All subkeys are monitored, with special attention paid to the ' Stubpath ' value in each subkey.
Hkey_local_machine\system\currentcontrolset\services\vxd\
All subkeys are monitored, with special attention paid to the ' StaticVXD ' value in each subkey.
HKEY_CURRENT_USER\Control Panel\Desktop
The "Scrnsave." EXE ' value is monitored. This value is launched when your screen saver activates.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
The "bootexecute" value is monitored. The Files listed here is are Native applications that are executed before Windows starts.
Hkey_classes_root\vbsfile\shell\open\command\
Executed whenever a. VBS file (visual Basic Script) is run.
Hkey_classes_root\vbefile\shell\open\command\
Executed whenever a. VBE file (encoded Visual Basic Script) is run.
Hkey_classes_root\jsfile\shell\open\command\
Executed whenever a. JS file (Javascript) is run.
Hkey_classes_root\jsefile\shell\open\command\
Executed whenever a. JSE file (encoded Javascript) is run.
Hkey_classes_root\wshfile\shell\open\command\
Executed whenever a. WSH file (Windows scripting Host) is run.
Hkey_classes_root\wsffile\shell\open\command\
Executed whenever a. WSF file (Windows scripting file) is run.
Hkey_classes_root\exefile\shell\open\command\.
Executed whenever a. EXE file (executable) is run.
Hkey_classes_root\comfile\shell\open\command\
Executed whenever a. COM file (Command) is run.
Hkey_classes_root\batfile\shell\open\command\
Executed whenever a. BAT file (Batch Command) is run.
Hkey_classes_root\scrfile\shell\open\command\
Executed whenever a. The SCR file (screen Saver) is run.
Hkey_classes_root\piffile\shell\open\command\
Executed whenever a. PIF file (Portable interchange Format) is run.
Hkey_local_machine\system\currentcontrolset\services\
Services marked to startup automatically are executed before user login.
Hkey_local_machine\system\currentcontrolset\services\winsock2\parameters\protocol_catalog\catalog_en tries\
Layered Service Providers, executed before user login.
Hkey_local_machine\system\control\wow\cmdline
Executed when a 16-bit the Windows executable is executed.
Hkey_local_machine\system\control\wow\wowcmdline.
Executed when a 16-bit DOS application is executed.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Nt\currentversion\winlogon\userinit
Executed when a user logs in.
Hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload\
Executed by Explorer.exe as soon as it has loaded.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
Executed when the user logs in.
HKEY_CURRENT_USER\Software\Microsoft\Windows Nt\currentversion\windows\load
Executed when the user logs in.
Hkey_current_user\software\microsoft\windows\currentversion\policies\explorer\run\
Subvalues are executed when Explorer initialises.
Hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run\
Subvalues are executed when Explorer initialises.
36.hkey_current_user\software\microsoft\windows\currentversion\group Policy objects\local USER\Software\Microsoft \windows\currentversion\policies\explorer\run
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.