Windows Autorun FAQs: List of autostart locations
Linked from the original article "Windows Autorun FAQs: Description".
Que: Can you list all the autostart locations for Windows?
Ans: Here is a comprehensive list of all autostart locations for Windows OSes:
NOTE: These are some abbreviations used in this list. Please note them carefully:
HKCU = HKEY_CURRENT_USER
HKLM = HKEY_LOCAL_MACHINE
HKCR = HKEY_CLASSES_ROOT
%windir% = C:\windows
%USERPROFILE% = C:\Documents and Settings\ambr
%ALLUSERSPROFILE% = C:\Documents and Settings\All Users
1. Folder:
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
- C:\Documents and Settings\<USER_NAME>\Start Menu\Programs\Startup
- C:\WINDOWS\Tasks
  This entry is for Task Scheduler for Windows XP
The above-mentioned autostart locations differ on Windows Vista. The locations on Windows Vista are as follows:
- C:\Windows\System32\Tasks
  This entry is for Task Scheduler for Windows Vista
- %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
- %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2. Files:
c:\autoexec.bat
c:\config.sys
%windir%\winstart.bat
%windir%\wininit.ini
NOTE: Usually used by setup programs to have a file run once and then get deleted.
%windir%\win.ini
The file looks something like:
%windir%\system.ini
The file looks something like:
[boot]
Shell=Explorer.exe file.exe
Note: Some of the files that help auto-start programs are available only in some older Windows OSes. They are listed below:
%windir%\dosstart.bat ---> Used in Win95 or 98 when you select "Restart in MS-DOS mode" in the shutdown menu.
%windir%\system\autoexec.nt
%windir%\system\config.nt
3. Registry:
4. Registry Shell Spawning:
- [HKCR\exefile\shell\open\command] @="\"%1\" %*"
  Executed whenever a .EXE file (Executable) is run.
- [HKCR\comfile\shell\open\command] @="\"%1\" %*"
  Executed whenever a .COM file (Command) is run.
- [HKCR\batfile\shell\open\command] @="\"%1\" %*"
  Executed whenever a .BAT file (Batch Command) is run.
- [HKCR\htafile\Shell\Open\Command] @="\"%1\" %*"
  Executed whenever a .hta file (HTML Application) is run.
- [HKCR\piffile\shell\open\command] @="\"%1\" %*"
  Executed whenever a .PIF file (Portable Interchange Format) is run.
- [HKLM\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
  Executed whenever a .BAT file (Batch Command) is run.
- [HKLM\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
  Executed whenever a .COM file (Command) is run.
- [HKLM\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
  Executed whenever a .EXE file (Executable) is run.
- [HKLM\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
  Executed whenever a .hta file (HTML Application) is run.
- [HKLM\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
  Executed whenever a .PIF file (Portable Interchange Format) is run.
NOTE: The key should have the value "%1 %*". If this is changed to "server.exe %1 %*", server.exe is executed EVERY TIME an exe/pif/com/bat/hta file is executed. This is known as the Unknown Starting Method and is currently used by Subseven.
NOTE: Subseven (also known as Sub7) is the name of a popular backdoor program. For more information, visit Wikipedia.
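As an added example (not from the original article), a defender-side check for the altered-handler case described in the note above: it reads the text of a .reg export and reports any exefile, comfile, batfile or piffile open\command key whose default value is no longer "%1" %*. The function names and the sample export are constructed for illustration; real regedit exports are UTF-16 and must be decoded before being passed in.

```python
import re

EXPECTED = '"%1" %*'          # default value the page gives for these keys
# htafile is left out: its stock handler names mshta.exe, so it needs its own baseline.
CLASSES = ("exefile", "comfile", "batfile", "piffile")
HIVES = {"HKEY_CLASSES_ROOT": "HKCR", "HKEY_LOCAL_MACHINE": "HKLM"}
WATCHED = {"HKCR\\%s\\shell\\open\\command" % c for c in CLASSES}

def normalise(key):
    """Reduce HKCR\\... and HKLM\\Software\\CLASSES\\... to one comparable form."""
    hive, _, rest = key.partition("\\")
    hive, rest = HIVES.get(hive.upper(), hive.upper()), rest.lower()
    if hive == "HKLM" and rest.startswith("software\\classes\\"):
        hive, rest = "HKCR", rest[len("software\\classes\\"):]
    return hive + "\\" + rest

def audit(reg_text):
    """Return {key: default value} for watched keys that differ from EXPECTED."""
    findings, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if normalise(key) in WATCHED else None
        elif current and line.startswith("@="):
            m = re.fullmatch(r'@="(.*)"', line)
            # Undo .reg escaping (\" and \\); non-string data is reported raw.
            value = re.sub(r"\\(.)", r"\1", m.group(1)) if m else line[2:]
            if value != EXPECTED:
                findings[current] = value
    return findings

# Constructed sample export: one altered handler, two stock ones.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="server.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKLM\Software\CLASSES\comfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print("ALTERED", key, "->", value)
```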
Some other similar entries include:
- HKCR\vbsfile\shell\open\command\
  Executed whenever a .VBS file (Visual Basic Script) is run.
- HKCR\vbefile\shell\open\command\
  Executed whenever a .VBE file (Encoded Visual Basic Script) is run.
- HKCR\jsfile\shell\open\command\
  Executed whenever a .JS file (Javascript) is run.
- HKCR\jsefile\shell\open\command\
  Executed whenever a .JSE file (Encoded Javascript) is run.
- HKCR\wshfile\shell\open\command\
  Executed whenever a .WSH file (Windows Scripting Host) is run.
- HKCR\wsffile\shell\open\command\
  Executed whenever a .WSF file (Windows Scripting File) is run.
- HKCR\scrfile\shell\open\command\
  Executed whenever a .SCR file (Screen Saver) is run.
5. Active-X Component:
- [HKLM\Software\Microsoft\Active Setup\Installed Components\KeyName]
  StubPath=C:\PathToFile\Filename.exe
You may be amazed, but this starts filename.exe before Windows Explorer (explorer.exe) and before any other program that is normally started from the Run keys.
6. Miscellaneous:
- HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries
  Layered Service Providers, executed before user login.
- HKLM\System\Control\WOW\cmdline
  Executed when a 16-bit Windows executable is executed.
- HKLM\System\Control\WOW\wowcmdline
  Executed when a 16-bit DOS application is executed.
- HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore
  Windows XP and Vista only
- [Local Fixed Disk]\AUTORUN.INF open=, shellexecute=
  Excluding Windows Me and Windows XP SP2.
- [Local Fixed Disk]\[Any Folder with "S" Attribute]\DESKTOP.INI [.ShellClassInfo] CLSID= / UICLSID=
  This launch point is checked by answering "No" at the script's first message box and then "Yes" at the message box that follows it or with the "-supp" or "-all" command line parameters.
- HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries
- HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries
An entry which may be of interest to some is:
- [HKLM\Software\CLASSES\ShellScrap] @="Scrap object"
  "NeverShowExt"=""
NOTE: The NeverShowExt key hides the real extension of the file (here, SHS). This means that if you rename a file to "Game.exe.shs", it is displayed as "Game.exe" in all programs, including Explorer.
7. Hijack points:
These locations can be used to redirect the desktop, network and Internet Explorer.
- %WINDIR%\INF\IERESET.INF
  Note: Internet Explorer 5.01, 5.5 & 6.0 only
- %WINDIR%\HOSTS
- %WINDIR%\System32\drivers\etc\HOSTS
- HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
- HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes
- HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
- HKLM\Software\Microsoft\Internet Explorer\AboutURLs
- HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
- HKLM\Software\Microsoft\Internet Explorer\Main
- HKLM\Software\Microsoft\Internet Explorer\Search
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
- HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
- HKCU\Software\Policies\Microsoft\Windows
- HKCU\Software\Policies\Microsoft\Internet Explorer
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
- HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
- HKCU\Software\Microsoft\Internet Explorer\SearchURL
- HKCU\Software\Microsoft\Internet Explorer\Main
- HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
Other links:
1. Windows Autorun FAQs: Overview
2. Windows Autorun FAQs: Description
3. Windows Autorun FAQs: Programs dealing with autoruns