Registry keys commonly used by viruses to start themselves


This post lists the registry keys that are most often used to start a program indirectly: either once at system start-up or user logon, or immediately before an executable or script is launched, by hijacking the command registered for that file type.

Knowing these locations is useful when removing a virus from a machine by hand: the infected program usually registers itself in one or more of them so that it survives a reboot.

 

Immediately before start of an .exe, .com, .bat, .hta or .pif file (HKEY_CLASSES_ROOT view):

-------------------------------------

The value shown after @= is the clean default. If the command reads, for example, "C:\somewhere\other.exe" "%1" %*, then other.exe is started before every file of that type, so any command other than "%1" %* should be examined.

HKEY_CLASSES_ROOT\exefile\shell\open\command\ @="\"%1\" %*"

HKEY_CLASSES_ROOT\comfile\shell\open\command\ @="\"%1\" %*"

HKEY_CLASSES_ROOT\batfile\shell\open\command\ @="\"%1\" %*"

HKEY_CLASSES_ROOT\htafile\Shell\Open\Command\ @="\"%1\" %*"

HKEY_CLASSES_ROOT\piffile\shell\open\command\ @="\"%1\" %*"

 

Immediately before start of the same file types (underlying HKEY_LOCAL_MACHINE keys):

------------------------------------

HKEY_CLASSES_ROOT is a merged view of these keys and of HKEY_CURRENT_USER\Software\Classes, and the per-user branch wins when both define a handler, so check the HKEY_CURRENT_USER\Software\Classes\...\shell\open\command keys as well.

HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command\ @="\"%1\" %*"

HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command\ @="\"%1\" %*"

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\ @="\"%1\" %*"

HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command\ @="\"%1\" %*"

HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command\ @="\"%1\" %*"

 

After system start-up, machine-wide (HKEY_LOCAL_MACHINE)

-------------------------------

RunServices and RunServicesOnce are only processed by Windows 9x/Me; Run, RunOnce and RunOnceEx are processed on every version. On 64-bit Windows, 32-bit programs see the same keys under HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\, so check those too.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

 

After system start-up, per user (HKEY_CURRENT_USER, HKEY_USERS)

------------------------------

HKEY_USERS\.DEFAULT is the profile in use before anyone logs on (the logon screen runs under it), so an entry there starts without a user session. The per-user RunServices key is again a Windows 9x/Me location.

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ "Run"=

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ "Load"=

(Run and Load are values of the Windows key, not subkeys; they are the registry equivalents of the run= and load= lines of win.ini.)

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts\ (Logon and Logoff subkeys)

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts\Startup
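The following script is an added example and is not part of the original post or of any Microsoft tool. It parses a registry export of the kind produced by `reg export` (or the constructed sample embedded in the script) and applies the two checks that the lists above imply: whether any of the five file-type handlers deviates from the stock "%1" %* command, and which program entries exist under the start-up keys. The key paths and value names are those listed above; the sample paths (C:\Temp\dropper.exe and so on) are made up for illustration and are not indicators of any real malware.

```python
"""Audit a Windows .reg export for the persistence locations listed above:
hijacked file-type handlers and autorun entries."""
import re
import sys

# Stock default command for the exefile/comfile/batfile/htafile/piffile
# handlers. Anything else means a program was inserted in front of the file.
EXPECTED_HANDLER = '"%1" %*'

HANDLER_KEY = re.compile(
    r'^(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\Software\\Classes'
    r'|HKEY_CURRENT_USER\\Software\\Classes)'
    r'\\(?:exefile|comfile|batfile|htafile|piffile)\\shell\\open\\command$',
    re.IGNORECASE)

AUTORUN_KEY = re.compile(
    r'\\Windows\\CurrentVersion\\(?:Run|RunOnce|RunOnceEx|RunServices'
    r'|RunServicesOnce|ShellServiceObjectDelayLoad)$'
    r'|\\Windows NT\\CurrentVersion\\Windows$'
    r'|\\Policies\\Microsoft\\Windows\\System\\Scripts\\', re.IGNORECASE)

# Under ...\Windows NT\CurrentVersion\Windows only these two values start programs.
WINNT_LAUNCH_VALUES = {'load', 'run'}


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}. String values ("name"="data" and @="data")
    are unescaped; other types (dword:, hex:) are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue
        name, _, data = line.partition('=')
        name = '(Default)' if name == '@' else name.strip('"')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo \" and \\ escapes
        keys[current][name] = data
    return keys


def hijacked_handlers(keys):
    """Return [(key, command)] for handler keys whose default command is not
    the stock '"%1" %*' (case-insensitive, surrounding whitespace ignored)."""
    bad = []
    for key, values in keys.items():
        if HANDLER_KEY.match(key):
            cmd = values.get('(Default)', '')
            if cmd.strip().lower() != EXPECTED_HANDLER.lower():
                bad.append((key, cmd))
    return bad


def autorun_entries(keys):
    """Return [(key, value_name, command)] for every non-empty program entry
    under the start-up keys listed above."""
    found = []
    for key, values in keys.items():
        if not AUTORUN_KEY.search(key):
            continue
        winnt = key.lower().endswith('\\windows nt\\currentversion\\windows')
        for name, data in values.items():
            if winnt and name.lower() not in WINNT_LAUNCH_VALUES:
                continue  # e.g. DeviceNotSelectedTimeout is not a launcher
            if data:
                found.append((key, name, data))
    return found


# Constructed sample export (not a real capture): a hijacked exefile handler,
# a clean batfile handler, two Run entries and a per-user Load value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Temp\\dropper.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"
"dropper"="C:\\Temp\\dropper.exe /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Load"="C:\\Temp\\update.exe"
"Run"=""
"DeviceNotSelectedTimeout"="15"
'''

if __name__ == '__main__':
    # 'reg export <key> file.reg' writes UTF-16; without an argument use the sample.
    text = open(sys.argv[1], encoding='utf-16').read() if len(sys.argv) > 1 else SAMPLE_REG
    keys = parse_reg(text)
    for key, cmd in hijacked_handlers(keys):
        print(f'HIJACKED HANDLER  {key}  ->  {cmd or "(empty)"}')
    for key, name, cmd in autorun_entries(keys):
        print(f'AUTORUN  {key}  {name} = {cmd}')
```

Run it against an export of the keys above (for example `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, then `python audit_reg.py run.reg`). The handler check compares the whole command rather than looking for a known bad name, so it catches any inserted program; every autorun entry is listed rather than judged, because deciding which of them belong on a given machine still needs a human.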


Posted May 19 2006, 12:22 PM by Damir Dobric
developers.de is a .Net Community Blog powered by daenet GmbH.