Windows Autorun FAQs: List of autostart locations
Linked from the original article, "Windows Autorun FAQs: Description".
Que: Can you list all the autostart locations for Windows?
Ans: Here is a comprehensive list of all autostart locations for Windows OSes:
NOTE: The following abbreviations are used in this list. Please note them carefully:
HKCU = HKEY_CURRENT_USER
HKLM = HKEY_LOCAL_MACHINE
HKCR = HKEY_CLASSES_ROOT
%windir% = C:\windows
%USERPROFILE% = C:\Documents and Settings\ambr
%ALLUSERSPROFILE% = C:\Documents and Settings\All Users
1. Folder:
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
- C:\Documents and Settings\<USER_NAME>\Start Menu\Programs\Startup
- C:\WINDOWS\Tasks
- This entry is for Task Scheduler on Windows XP
- C:\Windows\System32\Tasks
- This entry is for Task Scheduler on Windows Vista
- %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
- %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
c:\autoexec.bat
c:\config.sys
%windir%\winstart.bat
%windir%\wininit.ini
NOTE: Usually used by setup programs to have a file run once and then get deleted.
%windir%\win.ini
The file looks something like:
- [windows]
- load=file.exe
The file looks something like:
- [windows]
- run=file.exe
The file looks something like:
- [boot]
- Shell=Explorer.exe file.exe
%windir%\dosstart.bat (used in Win95 or 98 when you select "Restart in MS-DOS mode" in the shutdown menu)
%windir%\system\autoexec.nt
%windir%\system\config.nt
3. Registry:
- HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
- HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
- HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
- HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
- HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
- HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
- HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
- HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Classes\Protocols\Filter
- HKLM\SOFTWARE\Classes\Protocols\Handler
- HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
- HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
- HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
- HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
- HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
- HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
- HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
- HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
- HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
- HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
- HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
- HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
- HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
- HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
- HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
- HKCU\Software\Microsoft\Ctf\LangBarAddin
- HKLM\Software\Microsoft\Ctf\LangBarAddin
- HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
- HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
- HKLM\Software\Microsoft\Internet Explorer\Toolbar
- HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
- HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
- HKCU\Software\Microsoft\Internet Explorer\Extensions
- HKLM\Software\Microsoft\Internet Explorer\Extensions
- HKLM\System\CurrentControlSet\Services
- HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
- HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
- HKLM\System\CurrentControlSet\Control\Session Manager\Execute
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- HKLM\Software\Microsoft\Command Processor\Autorun
- HKCU\Software\Microsoft\Command Processor\Autorun
- HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
- HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
- HKCU\Control Panel\Desktop\Scrnsave.exe
- HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
- HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
- HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
- HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
- HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
- HKCR\batfile\shell\open\command
- HKCR\comfile\shell\open\command
- HKCR\exefile\shell\open\command
- HKCR\htafile\shell\open\command
- HKCR\piffile\shell\open\command
- HKLM\Software\Classes\batfile\shell\open\command
- HKLM\Software\Classes\comfile\shell\open\command
- HKLM\Software\Classes\exefile\shell\open\command
- HKLM\Software\Classes\htafile\shell\open\command
- HKLM\Software\Classes\piffile\shell\open\command
- HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\InitFileMapping
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Aedebug
- HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
- HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\Application
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\Application
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\Application
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\Application
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\Application
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\Application
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\Application
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\ProgID
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\ProgID
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\ProgID
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\ProgID
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\ProgID
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\ProgID
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\ProgID
- [HKCR\exefile\shell\open\command] @="\"%1\" %*"
- Executed whenever a .EXE file (Executable) is run.
- [HKCR\comfile\shell\open\command] @="\"%1\" %*"
- Executed whenever a .COM file (Command) is run.
- [HKCR\batfile\shell\open\command] @="\"%1\" %*"
- Executed whenever a .BAT file (Batch Command) is run.
- [HKCR\htafile\Shell\Open\Command] @="\"%1\" %*"
- Executed whenever a .hta file (HTML Application) is run.
- [HKCR\piffile\shell\open\command] @="\"%1\" %*"
- Executed whenever a .PIF file (Portable Interchange Format) is run.
- [HKLM\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
- Executed whenever a .BAT file (Batch Command) is run.
- [HKLM\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
- Executed whenever a .COM file (Command) is run.
- [HKLM\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
- Executed whenever a .EXE file (Executable) is run.
- [HKLM\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
- Executed whenever a .hta file (HTML Application) is run.
- [HKLM\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
- Executed whenever a .PIF file (Portable Interchange Format) is run.
NOTE: Subseven (also known as Sub7) is the name of a popular backdoor program. For more information, visit Wikipedia.
Some other similar entries include:
- HKCR\vbsfile\shell\open\command\
- Executed whenever a .VBS file (Visual Basic Script) is run.
- HKCR\vbefile\shell\open\command\
- Executed whenever a .VBE file (Encoded Visual Basic Script) is run.
- HKCR\jsfile\shell\open\command\
- Executed whenever a .JS file (JavaScript) is run.
- HKCR\jsefile\shell\open\command\
- Executed whenever a .JSE file (Encoded JavaScript) is run.
- HKCR\wshfile\shell\open\command\
- Executed whenever a .WSH file (Windows Scripting Host) is run.
- HKCR\wsffile\shell\open\command\
- Executed whenever a .WSF file (Windows Scripting File) is run.
- HKCR\scrfile\shell\open\command\
- Executed whenever a .SCR file (Screen Saver) is run.
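A defensive check for the shell\open\command handlers listed above with the default "%1" %*. This is an added example, not part of the original FAQ: it parses the text of a registry export (.reg format) and reports any of the five handlers (exefile, comfile, batfile, htafile, piffile) whose default value differs from the value this page lists. The sample export and the placeholder path in it are constructed for illustration.

```python
import re

# Baseline taken from this page: the default value listed for these handlers.
EXPECTED = '"%1" %*'
WATCHED = ("exefile", "comfile", "batfile", "htafile", "piffile")
KEY_RE = re.compile(
    r"^\[(HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\Software\\Classes)"
    r"\\(\w+)\\shell\\open\\command\]$", re.IGNORECASE)
DEFAULT_RE = re.compile(r'^@="(.*)"$')   # the (Default) value of a key

def unescape(value):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", value)

def audit(reg_text):
    """Return [(key, value)] for watched handlers whose default is not EXPECTED.

    reg_text is the already-decoded text of a .reg export
    (regedit writes these files as UTF-16).
    """
    findings, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = line[1:-1] if m and m.group(2).lower() in WATCHED else None
        elif current:
            m = DEFAULT_RE.match(line)
            if m and unescape(m.group(1)) != EXPECTED:
                findings.append((current, unescape(m.group(1))))
    return findings

# Constructed sample export: exefile is redirected through a placeholder binary.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\example\\placeholder.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Classes\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, value in audit(SAMPLE):
        print(f"MODIFIED  {key}  ->  {value}")
```

Some handlers ship with a different default on other Windows versions, so compare against a known-good export from the same build before treating a difference as a finding.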
- [HKLM\Software\Microsoft\Active Setup\Installed Components\KeyName]
- StubPath=C:\PathToFile\Filename.exe
6. Miscellaneous:
- HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries
- Layered Service Providers, executed before user login.
- HKLM\System\Control\WOW\cmdline
- Executed when a 16-bit Windows executable is executed.
- HKLM\System\Control\WOW\wowcmdline
- Executed when a 16-bit DOS application is executed.
- HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore
- Windows XP and Vista only
- [Local Fixed Disk]\AUTORUN.INF open=, shellexecute=
- Excluding Windows Me and Windows XP SP2.
- [Local Fixed Disk]\[Any Folder with "S" Attribute]\DESKTOP.INI [.ShellClassInfo] CLSID= / UICLSID=
- This launch point is checked by answering "No" at the script's first message box and then "Yes" at the message box that follows it or with the "-supp" or "-all" command line parameters.
- HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries
- HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries
- [HKLM\Software\CLASSES\ShellScrap] @="Scrap object"
- "NeverShowExt"=""
7. Hijack points:
These locations can be used to redirect the desktop, network and Internet Explorer.
- %WINDIR%\INF\IERESET.INF
- Note: Internet Explorer 5.01, 5.5 & 6.0 only
- %WINDIR%\HOSTS
- %WINDIR%\System32\drivers\etc\HOSTS
- HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
- HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes
- HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
- HKLM\Software\Microsoft\Internet Explorer\AboutURLs
- HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
- HKLM\Software\Microsoft\Internet Explorer\Main
- HKLM\Software\Microsoft\Internet Explorer\Search
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
- HKCU\Software\Policies\Microsoft\Windows
- HKCU\Software\Policies\Microsoft\Internet Explorer
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
- HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
- HKCU\Software\Microsoft\Internet Explorer\SearchURL
- HKCU\Software\Microsoft\Internet Explorer\Main
- HKCU\Software\Microsoft\Internet Explorer\Desktop\Components