472,993 Members | 2,653 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes and contribute your articles to a community of 472,993 developers and data experts.

Windows Autorun FAQs: List of autostart locations

884 Expert 512MB
Windows Autorun FAQs: List of autostart locations

Linked from the Original article- "Windows Autorun FAQs: Description".

Que: Can you list all the autostart locations for windows?
Ans: Here is a comprehensive list of all autostart locations for Windows OSes:

NOTE : These are some abbreviations used in this list. Please note them carefully:
%windir% = C:\windows
%USERPROFILE% = C:\Documents and Settings\ambr
%ALLUSERSPROFILE% = C:\Documents and Settings\All Users

1. Folder:
Expand|Select|Wrap|Line Numbers
  1. C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  3. C:\Documents and Settings\<USER_NAME>\Start Menu\Programs\Startup
  5. C:\WINDOWS\Tasks
  6. This entry is for Task Scheduler for windows XP
Above mentioned autostart locations differ on Windows Vista. The locations on windows Vista are as follows:
Expand|Select|Wrap|Line Numbers
  1. C:\Windows\System32\Tasks
  2. This entry is for Task Scheduler for windows Vista
  4. %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  6. %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2. Files:

NOTE: Usually used by setup programs to have a file run once and then get deleted.

The file looks something like:
Expand|Select|Wrap|Line Numbers
  1. [windows]
  2. load=file.exe
The file looks something like:
Expand|Select|Wrap|Line Numbers
  1. [windows]
  2. run=file.exe
The file looks something like:
Expand|Select|Wrap|Line Numbers
  1. [boot]
  2. Shell=Explorer.exe file.exe
Note: Some of files that help auto-starting programs are available only in some older Windows OS. They are listed below:

windir\dosstart.bat ---> Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.



3. Registry:

Expand|Select|Wrap|Line Numbers
  1. HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
  2. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
  3. HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
  4. HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
  5. HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
  6. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  7. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
  8. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  9. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
  10. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  11. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
  12. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
  13. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx    
  14. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
  15. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  16. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
  17. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  18. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
  19. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
  20. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  21. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  22. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  23. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  24. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
  25. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
  26. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx    
  27. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
  28. HKLM\SOFTWARE\Classes\Protocols\Filter
  29. HKLM\SOFTWARE\Classes\Protocols\Handler
  30. HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
  31. HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
  32. HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
  33. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
  34. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  35. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  36. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
  37. HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
  38. HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
  39. HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
  40. HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
  41. HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
  42. HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
  43. HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
  44. HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
  45. HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
  46. HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
  47. HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
  48. HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
  49. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
  50. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
  51. HKCU\Software\Microsoft\Ctf\LangBarAddin
  52. HKLM\Software\Microsoft\Ctf\LangBarAddin
  53. HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  54. HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
  55. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  56. HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
  57. HKLM\Software\Microsoft\Internet Explorer\Toolbar
  58. HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
  59. HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
  60. HKCU\Software\Microsoft\Internet Explorer\Extensions
  61. HKLM\Software\Microsoft\Internet Explorer\Extensions
  62. HKLM\System\CurrentControlSet\Services
  63. HKLM\System\CurrentControlSet\Services
  64. HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
  65. HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
  66. HKLM\System\CurrentControlSet\Control\Session Manager\Execute
  67. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  68. HKLM\Software\Microsoft\Command Processor\Autorun
  69. HKCU\Software\Microsoft\Command Processor\Autorun
  70. HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
  71. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
  72. HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
  73. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
  74. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
  75. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  76. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
  77. HKCU\Control Panel\Desktop\Scrnsave.exe
  78. HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
  79. HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
  80. HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
  81. HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
  82. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
  83. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
  84. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
  85. HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
  86. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
  87. HKCR\batfile\shell\open\command
  88. HKCR\comfile\shell\open\command
  89. HKCR\exefile\shell\open\command
  90. HKCR\htafile\shell\open\command
  91. HKCR\piffile\shell\open\command
  92. HKLM\Software\Classes\batfile\shell\open\command
  93. HKLM\Software\Classes\comfile\shell\open\command
  94. HKLM\Software\Classes\exefile\shell\open\command
  95. HKLM\Software\Classes\htafile\shell\open\command
  96. HKLM\Software\Classes\piffile\shell\open\command
  97. HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
  98. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
  99. HKLM\Software\Microsoft\Windows NT\CurrentVersion\InitFileMapping
  100. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Aedebug
  101. HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
  102. HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
  103. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\Application
  104. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\Application
  105. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\Application
  106. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\Application
  107. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\Application
  108. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\Application
  109. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\Application
  110. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\ProgID
  111. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\ProgID
  112. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\ProgID
  113. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\ProgID
  114. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\ProgID
  115. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\ProgID
  116. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\ProgID
4. Registry Shell Spawning:

Expand|Select|Wrap|Line Numbers
  1. [HKCR\exefile\shell\open\command] @="\"%1\" %*"
  2. Executed whenever a .EXE file (Executable) is run.
  4. [HKCR\comfile\shell\open\command] @="\"%1\" %*"
  5. Executed whenever a .COM file (Command) is run.
  7. [HKCR\batfile\shell\open\command] @="\"%1\" %*"
  8. Executed whenever a .BAT file (Batch Command) is run.
  10. [HKCR\htafile\Shell\Open\Command] @="\"%1\" %*" 
  11. Executed whenever a .hta file (HTML Application) is run.
  13. [HKCR\piffile\shell\open\command] @="\"%1\" %*"
  14. Executed whenever a .PIF file (Portable Interchange Format) is run.
  16. [HKLM\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
  17. Executed whenever a .BAT file (Batch Command) is run.
  19. [HKLM\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
  20. Executed whenever a .COM file (Command) is run.
  22. [HKLM\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
  23. Executed whenever a .EXE file (Executable) is run.
  25. [HKLM\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
  26. Executed whenever a .hta file (HTML Application) is run.
  28. [HKLM\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
  29. Executed whenever a .PIF file (Portable Interchange Format) is run.
NOTE: The key should have a value of Value "%1 %*", if this is changed to "server.exe %1 %*", the server.exe is executed EVERYTIME an exe/pif/com/bat/hta is executed. Known as Unknown Starting Method and is currently used by Subseven.

NOTE- Subseven (also known as Sub7) is the name of a popular backdoor program. For more information visit wikipedia.

Some other similar entries include:

Expand|Select|Wrap|Line Numbers
  1. HKCR\vbsfile\shell\open\command\
  2. Executed whenever a .VBS file (Visual Basic Script)  is run.
  4. HKCR\vbefile\shell\open\command\
  5. Executed whenever a .VBE file (Encoded Visual Basic Script) is run.
  7. HKCR\jsfile\shell\open\command\
  8. Executed whenever a .JS file (Javascript) is run.
  10. HKCR\jsefile\shell\open\command\
  11. Executed whenever a .JSE file (Encoded Javascript) is run.
  13. HKCR\wshfile\shell\open\command\
  14. Executed whenever a .WSH file (Windows Scripting Host) is run.
  16. HKCR\wsffile\shell\open\command\
  17. Executed whenever a .WSF file (Windows Scripting File) is run.
  19. HKCR\scrfile\shell\open\command\
  20. Executed whenever a .SCR file (Screen Saver) is run.
5. Active-X Component:

Expand|Select|Wrap|Line Numbers
  1. [HKLM\Software\Microsoft\Active Setup\Installed Components\KeyName]
  2. StubPath=C:\PathToFile\Filename.exe
You may be amazed but this does start filename.exe before windows explorer (explorer.exe) and any other Program is normally started from run keys.

6. Miscellaneous:

Expand|Select|Wrap|Line Numbers
  1. HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries
  2. Layered Service Providers, executed before user login.
  4. HKLM\System\Control\WOW\cmdline
  5. Executed when a 16-bit Windows executable is executed.
  7. HKLM\System\Control\WOW\wowcmdline
  8. Executed when a 16-bit DOS application is executed.
  10. HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore
  11. Windows XP and Vista only
  13. [Local Fixed Disk]\AUTORUN.INF open=, shellexecute=
  14. Excluding Windows Me and Windows XP SP2.
  16. [Local Fixed Disk]\[Any Folder with \u201cS\u201d Attribute]\DESKTOP.INI [.ShellClassInfo] CLSID= / UICLSID=
  17. This launch point is checked by answering \u201cNo\u201d at the script's first message box and then \u201cYes\u201d at the message box that follows it or with the \u201c-supp\u201d or \u201c-all\u201d command line parameters.
  19. HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries
  21. HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries
An entry which may be of interest to some is:
Expand|Select|Wrap|Line Numbers
  1. [HKLM\Software\CLASSES\ShellScrap] @="Scrap object"
  2. "NeverShowExt"=""
NOTE: The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS. This means if you rename a file as "Game.exe.shs" it displays as "Game.exe" in all programs including Explorer.

7. Hijack points:

These locations can be used to redirect the desktop, network and Internet Explorer.
Expand|Select|Wrap|Line Numbers
  2. Note: Internet Explorer 5.01, 5.5 & 6.0 only
Expand|Select|Wrap|Line Numbers
  2. %WINDIR%\System32\drivers\etc\HOSTS
  3. HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
  4. HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes
  5. HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
  6. HKLM\Software\Microsoft\Internet Explorer\AboutURLs
  7. HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  8. HKLM\Software\Microsoft\Internet Explorer\Main
  9. HKLM\Software\Microsoft\Internet Explorer\Search
  10. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
  11. HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  12. HKCU\Software\Policies\Microsoft\Windows
  13. HKCU\Software\Policies\Microsoft\Internet Explorer
  14. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
  15. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
  16. HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
  17. HKCU\Software\Microsoft\Internet Explorer\SearchURL
  18. HKCU\Software\Microsoft\Internet Explorer\Main
  19. HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
Other links:
1. Windows Autorun FAQs: Overview
2. Windows Autorun FAQs: Description
3. Windows Autorun FAQs: Programs dealing with autoruns
Jan 14 '09 #1
0 29977

Sign in to post your reply or Sign up for a free account.

Similar topics

by: tschulz | last post by:
In emacs' python-mode, a file can be executed by pressing Ctrl-C Ctrl-C. If the code execution terminates with an Exception, emacs swaps the source code window and the python output window. Is...
by: Matt_Matt | last post by:
My application has a blank freindly name in the windows firewall exception list when windows automatically registers it via user prompt that says: Do you want to keep blocking this program? ...
by: Reza | last post by:
Hello I am not sure this is possible, but I have webapp that will run inside the interanet. I have been able to take the advantage of Windows Authentication, but the idea of having a hardcoded...
by: APA | last post by:
I have a desktop application (.NET 1.1) that accesses a web service. Many users now have XP and the Windows Firewall and sometimes when the application first starts that don't properly get the app...
by: AmberJain | last post by:
Windows Autorun FAQs: Overview NOTE- This complete article on "Windows Autorun FAQs" applies theoretically to all Windows NT-based OSes till Windows Vista (and probably Vista's successors too)....
by: AmberJain | last post by:
Windows Autorun FAQs: Description NOTE- If you are unfamiliar with the concept of autoruns, then read "Windows Autorun FAQs: Overview". Que-1: How can I safely remove or edit the autorun...
by: AmberJain | last post by:
Windows Autorun FAQs: Programs dealing with autoruns Linked from the Original article- "Windows Autorun FAQs: Description". Que: Can you list programs that help me to view/modify the autoruns...
by: lllomh | last post by:
Define the method first this.state = { buttonBackgroundColor: 'green', isBlinking: false, // A new status is added to identify whether the button is blinking or not } autoStart=()=>{
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 4 Oct 2023 starting at 18:00 UK time (6PM UTC+1) and finishing at about 19:15 (7.15PM) The start time is equivalent to 19:00 (7PM) in Central...
by: Aliciasmith | last post by:
In an age dominated by smartphones, having a mobile app for your business is no longer an option; it's a necessity. Whether you're a startup or an established enterprise, finding the right mobile app...
by: tracyyun | last post by:
Hello everyone, I have a question and would like some advice on network connectivity. I have one computer connected to my router via WiFi, but I have two other computers that I want to be able to...
by: Teri B | last post by:
Hi, I have created a sub-form Roles. In my course form the user selects the roles assigned to the course. 0ne-to-many. One course many roles. Then I created a report based on the Course form and...
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 1 Nov 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM) Please note that the UK and Europe revert to winter time on...
by: nia12 | last post by:
Hi there, I am very new to Access so apologies if any of this is obvious/not clear. I am creating a data collection tool for health care employees to complete. It consists of a number of...
by: NeoPa | last post by:
Introduction For this article I'll be focusing on the Report (clsReport) class. This simply handles making the calling Form invisible until all of the Reports opened by it have been closed, when it...
by: GKJR | last post by:
Does anyone have a recommendation to build a standalone application to replace an Access database? I have my bookkeeping software I developed in Access that I would like to make available to other...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.