Startup folder
Registry
"Run", "RunServices", "RunOnce", "RunServicesOnce", HKEY_CLASSES_ROOT\exefile\shell\open\command = "%1" %*
Other possible keys:
[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
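A defensive check for the keys listed above, as an added example that is not part of the original text: it parses the text of a .reg export and reports any of these shell\open\command keys whose default value differs from the "%1" %* baseline the list gives. The sample export, including the C:\windows\filename.exe path, is constructed, and the baseline is a parameter in case a system's known-good value differs.

```python
import re

# Baseline from the list above: the default value given for every listed key.
EXPECTED = '"%1" %*'
# The five file classes in the list (exe, com, bat, hta, pif), under either path.
KEY_RE = re.compile(
    r'^(HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\Software\\Classes)'
    r'\\(exe|com|bat|hta|pif)file\\shell\\open\\command$', re.IGNORECASE)

def unescape(raw):
    """Undo .reg string escaping: backslash-quote and double backslash."""
    return re.sub(r'\\(["\\])', r'\1', raw)

def parse_defaults(reg_text):
    """Map each [key] in decoded .reg text to its default (@) string, or None."""
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            defaults.setdefault(key, None)
        elif key and line.startswith('@="') and line.endswith('"'):
            defaults[key] = unescape(line[3:-1])
    return defaults

def audit_open_commands(reg_text, expected=EXPECTED):
    """Return (key, default) pairs for listed keys that deviate from expected."""
    return [(k, v) for k, v in parse_defaults(reg_text).items()
            if KEY_RE.match(k) and v != expected]

# Constructed sample export; real exports are UTF-16 and must be decoded first.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="C:\\windows\\filename.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == '__main__':
    for key, value in audit_open_commands(SAMPLE):
        print('MODIFIED', key, '->', value)
```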
Batch file
WINSTART.BAT in %systemroot% folder
%systemroot%\WIN.INI
"RUN=" and "LOAD=" lines in %systemroot%\WIN.INI
%systemroot%\SYSTEM.INI
“shell=” line
[boot]
shell=explorer.exe C:\windows\filename
Task scheduler
Windows Explorer is located at %systemroot%\explorer.exe; however, during boot, priority falls to c:\explorer.exe if it is found.
Very straightforward: placing a file here avoids touching the registry.
If c:\explorer.exe is a trojan, it will be executed. Unlike all other autostart methods, there is no need for any file or registry changes: the file simply has to be named c:\explorer.exe.
15. ADDITIONAL METHODS.
Additional autostart methods. The first two are used by Trojan SubSeven 2.2.
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\explorer\User Shell Folders
ICQ Inet
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]
"Path"="test.exe"
"Startup"="c:\\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\]
This key specifies that all applications will be executed if ICQNET detects an Internet connection.
[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap] @="Scrap object"
"NeverShowExt"=""
This key changes your file's specified extension.