How do anti-virus programs start at Windows boot?
When performing some testing, I noticed that after installing Avast and checking both my "Run" registry key and my "Startup" folder, a startup entry wasn't present in either location. Taking this into account, in which location do the majority of anti-virus programs locate themselves so that they will automatically start at OS boot time?
      anti-virus
      asked 7 hours ago
      elliott94
          2 Answers
          Where do the majority of anti-virus programs start from at OS boot time?




          after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.




          There are many other start up locations you need to check (see later).



          Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start-up process, providing maximum protection.



          The Avast GUI (which includes the system tray icon) is started from HKLM\Software\Microsoft\Windows\CurrentVersion\Run.





          There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.



          There are a few programs that allow easy checking of the startup locations.





          1. msconfig (Startup tab):







          2. Autoruns from SysInternals:







          3. WhatInStartup from NirSoft:







          4. WinPatrol:






            Note:




            • WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"

            • You can specify the delay time if you do this.










          How many ways are there for a program to be run at Startup in Windows?



          There are at least 17 locations from where programs can be started. See below.





          Windows Program Automatic Startup Locations




          Upon turning on the computer the following autostart locations are
          processed in the following order:





          1. Windows Boot Device Drivers




            • These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.

            • Boot device drivers will be located under the following key and have a Start value equal to 0.



            Registry Keys:



            HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services


            Windows will now perform various tasks and then start the Winlogon
            process. Winlogon eventually starts the service control manager that
            loads services and drivers that are set for auto-start.




          2. Windows Auto-start Services & Drivers




            • The Service Control Manager (SCM) process (\Windows\System32\services.exe) will now launch any services or
              drivers that are marked with a Start value of 2.



            Registry Keys:



            HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services



          3. RunServicesOnce




            • This key is designed to start services when a computer boots up.

            • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
              can start loading its programs.



            Registry Keys:



            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce



          4. RunServices




            • This key is designed to start services as well.

            • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
              can start loading its programs.



            Registry Keys:



            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices


            The Windows logon prompt is shown on the Screen. After a user logs in
            the rest of the keys continue.




          5. Notify




            • This key is used to add a program that will run when a particular event occurs.

            • Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.

            • When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
              handle this event.

            • Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
              malware program to load in such a way that it is not easy to stop.



            Registry Key:



            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify



          6. UserInit Key




            • This key specifies what program should be launched right after a user logs into Windows.

            • The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that
              restores your profile, fonts, colors, etc. for your user name.


            • It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:



              HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
              =C:\windows\system32\userinit.exe,c:\windows\badprogram.exe




            This will make both programs launch when you log in and is a common
            place for trojans, hijackers, and spyware to launch from.

            Registry Key:



            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit



          7. Shell Value




            • This value contains a list of comma separated values that Userinit.exe will launch.

            • The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
              the shell, it will first launch the Shell value found in
              HKEY_CURRENT_USER. If this value is not present, it will then launch
              the value found in HKEY_LOCAL_MACHINE.



            Registry Key:



            HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell


            The rest of the Autostart locations will now be processed.




          8. RunOnce Local Machine Key




            • These keys are designed to be used primarily by Setup programs.

            • Entries in these keys are started once and then are deleted from the key.

            • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
              otherwise it will be deleted before the program runs. This is
              important, because if the exclamation point is not used, and the
              program referenced in this key fails to complete, it will not run
              again as it will have already been deleted.

            • All entries in this key are started synchronously in an undefined order.

            • Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
              HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.

            • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.



            Registry Keys:



            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx



          9. Run




            • These are the most common startup locations for programs to install auto start from.

            • By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.



            Registry Keys:



            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run



          10. All Users Startup Folder




            • For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.



            It is generally found at:




            • Windows XP C:\Documents and Settings\All Users\Start Menu\Programs\Startup

            • Windows NT C:\winnt\Profiles\All Users\Start Menu\Programs\Startup

            • Windows 2000 C:\Documents and Settings\All Users\Start Menu\Programs\Startup





          11. User Profile Startup Folder




            • This folder will be executed for the particular user who logs in.



            This folder is usually found in:




            • Win 9X, ME c:\windows\start menu\programs\startup

            • Windows XP C:\Documents and Settings\LoginName\Start Menu\Programs\Startup




          12. RunOnce Current User Key




            • These keys are designed to be used primarily by Setup programs.

            • Entries in these keys are started once and then are deleted from the key.

            • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
              otherwise it will be deleted before the program runs. This is
              important, because if the exclamation point is not used, and the
              program referenced in this key fails to complete, it will not run
              again as it will have already been deleted.

            • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.

            • The RunOnce keys are not supported by Windows NT 3.51.



            Registry Key:



            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce



          13. Explorer Run




            • These keys are generally used to load programs as part of a policy set in place on the computer or user.



            Registry Keys:



            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
            HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run



          14. Load Key




            • This key is not commonly used anymore, but can be used to auto start programs.



            Registry Key:



            HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load



          15. AppInit_DLLs




            • This value corresponds to files being loaded through the AppInit_DLLs Registry value.

            • The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.

            • As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
              also. This makes it very difficult to remove the DLL as it will be
              loaded within multiple processes, some of which can not be stopped
              without causing system instability.

            • The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
              the files loaded in the AppInit_DLLs value will be loaded very early
              in the Windows startup routine allowing the DLL to hide itself or
              protect itself before we have access to the system.



            Registry Key:



            HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows



          16. ShellServiceObjectDelayLoad




            • This Registry value contains values in a similar way as the Run key does.

            • The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
              about the particular DLL file that is being used.

            • The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
              computer, it will always start, thus always loading the files under
              this key. These files are therefore loaded early in the startup
              process before any human intervention occurs.



            Registry Key:



            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad



          17. SharedTaskScheduler




            • This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.

            • The entries in this registry value run automatically when you start windows.



            Registry Key:



            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler



          The following are files that programs can autostart from on bootup:




          1. c:\autoexec.bat

          2. c:\config.sys

          3. windir\wininit.ini - Usually used by setup programs to have a file run once and then get deleted.

          4. windir\winstart.bat

          5. windir\win.ini - [windows] "load"

          6. windir\win.ini - [windows] "run"

          7. windir\system.ini - [boot] "shell"

          8. windir\system.ini - [boot] "scrnsave.exe"

          9. windir\dosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

          10. windir\system\autoexec.nt

          11. windir\system\config.nt




          Source: Windows Program Automatic Startup Locations





          Disclaimer



          I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.
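The checklist in the answer above turned into a script. This is an added example and not part of the original answer: it walks the registry and folder locations the list gives (the Run-style keys, the Winlogon Userinit and Shell values, AppInit_DLLs, the Load value, Winlogon\Notify, the startup folders, and the Services key with its Start value) and reports every entry matching a name pattern. The default pattern 'avast' and the Add-Hit helper are assumptions for illustration; Windows PowerShell 5.1 or later from an elevated prompt is assumed, so that HKLM and every service subkey are readable.

```powershell
# Added example, not part of the answer above: report autostart entries whose
# name, command or image path matches $Pattern, across the locations the answer
# lists. Run elevated. $Pattern = 'avast' is an assumption; substitute the
# product you are looking for.
param(
    [string]$Pattern = 'avast'
)

$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata to skip
$hits = New-Object System.Collections.Generic.List[object]

function Add-Hit([string]$Location, [string]$Name, $Value) {            # hypothetical helper
    $hits.Add([pscustomobject]@{ Location = $Location; Name = $Name; Value = $Value })
}

# Keys whose values each name something to launch (items 3, 4, 8, 9, 12, 13, 16, 17 of the list).
$runStyleKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit view on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runStyleKeys) {
    if (-not (Test-Path $key)) { continue }    # the legacy RunServices* keys usually do not exist
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $meta) { continue }
        if ("$($p.Name) $($p.Value)" -match $Pattern) { Add-Hit $key $p.Name $p.Value }
    }
}

# Single named values that hold a program list (items 6, 7, 14, 15).
$namedValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'AppInit_DLLs' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Load' }
)
foreach ($nv in $namedValues) {
    $val = (Get-ItemProperty -Path $nv.Key -ErrorAction SilentlyContinue).($nv.Name)
    if ($val -and $val -match $Pattern) { Add-Hit $nv.Key $nv.Name $val }
}

# Winlogon\Notify (item 5): one subkey per notification package, the DLL is in DLLName.
$notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath).DLLName
    if ("$($_.PSChildName) $dll" -match $Pattern) { Add-Hit $notify $_.PSChildName $dll }
}

# Startup folders (items 10, 11), resolved for the running OS instead of the hard-coded XP paths.
foreach ($folder in [Environment]::GetFolderPath('CommonStartup'), [Environment]::GetFolderPath('Startup')) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        ForEach-Object { Add-Hit $folder $_.Name $_.FullName }
}

# Services and drivers (items 1, 2). The Start value fixes where in the boot
# sequence the SCM loads the entry: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
Get-ChildItem 'HKLM:\System\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ("$($_.PSChildName) $($svc.DisplayName) $($svc.ImagePath)" -match $Pattern) {
        $start = if ($null -ne $svc.Start) { $startNames[[int]$svc.Start] } else { '-' }
        Add-Hit "Services (Start=$start)" $_.PSChildName $svc.ImagePath
    }
}

$hits | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

For a product like the one in the question, expect the hits to split exactly as the answer describes: driver and service entries under the Services key (drivers with Start=Boot or Start=System, the scanning service with Start=Automatic) and only the tray GUI under the Run key. Keep in mind that the 17-item list predates current Windows: scheduled tasks, WMI event subscriptions, print monitors and LSA packages are autostart locations too, which is why Autoruns remains the right tool for a full sweep.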
            Security products typically have a number of components, for example:




            • One or more file system filter drivers that sit in the kernel. Typically these are mini-filters that can be listed using the command line tool fltmc.exe. You can also see drivers loaded into the "System" process using a tool such as Process Explorer. They are likely responsible for filtering the opening and closing of files and making requests of the user mode services to scan the file before letting the file be accessed.

            • There may be other drivers for filtering network traffic: NDIS filter drivers on older platforms, say Win 7, and WFP drivers for newer platforms, e.g. Win 8.1 and later.

            • One or more user mode services, one of which typically loads virus data and performs the actual scanning. There are typically other services for management, updating, etc.

            • Additional processes that may start from the "Run" key of the registry and run in the context of the logged on user. These typically provide the user interface and take care of user messaging.


            So in short, they are usually a combination of services, drivers and processes running as the logged-on user. From your question, it sounds like you're looking at the latter. By running services.msc you will see the user mode services, and by running a tool such as driverquery.exe, or even msinfo32, you can see the drivers. User mode services and kernel drivers are all referenced in the Service Control Manager's (SCM) database under: HKLM\System\CurrentControlSet
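The component breakdown above as a script. This is an added example and not part of the original answer: it inventories one vendor's kernel drivers, the minifilters registered with the filter manager, and the user-mode services, using the CIM classes Win32_SystemDriver and Win32_Service together with the fltmc.exe tool the answer mentions. The default $Vendor = 'avast' is an assumption; an elevated prompt is required because fltmc refuses to list filters otherwise.

```powershell
# Added example, not from the answer above: inventory one vendor's security
# components by type. Run from an elevated prompt (fltmc needs it).
# $Vendor = 'avast' is an assumption; replace it with the product you are
# investigating.
param(
    [string]$Vendor = 'avast'
)

# 1. Kernel-mode drivers registered with the SCM. Win32_SystemDriver covers the
#    Services-key entries of Type 1 (kernel driver) and Type 2 (file system driver).
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Vendor } |
    Select-Object Name, StartMode, State, PathName

# 2. Minifilters attached through the filter manager. "fltmc filters" prints a
#    table with the columns Filter Name, Num Instances, Altitude, Frame; the
#    numeric test on the third column drops the header and separator lines.
$filters = fltmc.exe filters 2>$null | ForEach-Object {
    $col = $_.Trim() -split '\s+'
    if ($col.Count -ge 3 -and $col[2] -match '^\d+(\.\d+)?$') {
        [pscustomobject]@{ Filter = $col[0]; Instances = [int]$col[1]; Altitude = [double]$col[2] }
    }
}
# Microsoft assigns altitudes by load-order group; the FSFilter Anti-Virus group
# is 320000-329999, so an AV minifilter is usually recognisable by altitude even
# when its name does not contain the vendor.
$avFilters = $filters | Where-Object {
    $_.Filter -match $Vendor -or ($_.Altitude -ge 320000 -and $_.Altitude -lt 330000)
}

# 3. User-mode services (Type 0x10/0x20 entries), with the PID so the result can
#    be correlated with Process Explorer or Get-Process.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Vendor } |
    Select-Object Name, StartMode, State, ProcessId, PathName

'== Kernel drivers =='
$drivers | Format-Table -AutoSize -Wrap
'== Minifilters (vendor match or anti-virus altitude range) =='
$avFilters | Sort-Object Altitude -Descending | Format-Table -AutoSize
'== User-mode services =='
$services | Format-Table -AutoSize -Wrap
```

The fourth component class the answer lists, the UI process started from the Run key under the logged-on user, is a plain registry value and is left out here. The altitude filter is the useful part for triage: a minifilter sitting in the anti-virus range with an unfamiliar name deserves a look at its PathName and signature, since that is exactly the position a security product, or something imitating one, needs in the I/O stack to see every file open.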






            share|improve this answer























              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "3"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: true,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: 10,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1413524%2fhow-do-anti-virus-programs-start-at-windows-boot%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              2














              Where do the majority of anti-virus programs start from at OS boot time?




              after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.




              There are many other start up locations you need to check (see later).



              Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:



              enter image description here



              The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun:



              enter image description here





              There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.



              There are a few programs that allow easy checking of the startup locations.





              1. msconfig (Startup tab):



                enter image description here




              2. Autoruns from SysInternals:



                enter image description here




              3. WhatInStartup from NirSoft:



                enter image description here




              4. WinPatrol:



                enter image description here



                Note:




                • WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"

                • You can specify the delay time if you do this.




                enter image description here]12






              How many ways are there for a program to be run at Startup in Windows?



              There are at least 17 locations from where programs can be started. See below.





              Windows Program Automatic Startup Locations




              Upon turning on the computer the following autostart locations are
              processed in the following order:





              1. Windows Boot Device Drivers




                • These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.

                • Boot device drivers will be located under the following key and have a Start value equal to 0.



                Registry Keys:



                HKEY_LOCAL_MACHINESystemCurrentControlSetServices


                Windows will now perform various tasks and then start the Winlogon
                process. Winlogon eventually starts the service control manager that
                loads services and drivers that are set for auto-start.




              2. Windows Auto-start Services & Drivers




                • The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
                  drivers that are marked with a Start value of 2.



                Registry Keys:



                HKEY_LOCAL_MACHINESystemCurrentControlSetServices



              3. RunServicesOnce




                • This key is designed to start services when a computer boots up.

                • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
                  can start loading its programs.



                Registry Keys:



                HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
                HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce



              4. RunServices




                • This key is designed to start services as well.

                • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
                  can start loading its programs.



                Registry Keys:



                HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
                HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices


                The Windows logon prompt is shown on the Screen. After a user logs in
                the rest of the keys continue.




              5. Notify




                • This key is used to add a program that will run when a particular event occurs.

                • Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.

                • When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
                  handle this event.

                • Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
                  malware program to load in such a way that it is not easy to stop.



                Registry Key:



                HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify



              6. UserInit Key




                • This key specifies what program should be launched right after a user logs into Windows.

                • The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
                  restores your profile, fonts, colors, etc for your user name.


                • It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:



                  HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
                  =C:windowssystem32userinit.exe,c:windowsbadprogram.exe.




                This will make both programs launch when you log in and is a common
                place for trojans, hijackers, and spyware to launch from.
                Registry Key:



                HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit



              7. Shell Value




                • This value contains a list of comma separated values that Userinit.exe will launch.

                • The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
                  the shell, it will first launch the Shell value found in
                  HKEY_CURRENT_USER. If this value is not present, it will then launch
                  the value found in HKEY_LOCAL_MACHINE.



                Registry Key:



                HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
                HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell


                The rest of the Autostart locations will now be processed.




              8. RunOnce Local Machine Key




                • These keys are designed to be used primarily by Setup programs.

                • Entries in these keys are started once and then are deleted from the key.

                • If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
                  otherwise it will be deleted before the program runs. This is
                  important, because if the exclamation point is not used, and the
                  program referenced in this key fails to complete, it will not run
                  again as it will have already been deleted.

                • All entries in this key are started synchronously in an undefined order.

                • Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
                  HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.

                • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.



                Registry Keys:



                HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
                HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx



              9. Run




                • These are the most common startup locations for programs to install auto start from.

                • By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.



                Registry Keys:



                HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
                HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun



              10. All Users Startup Folder




                • For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.



                It is generally found at:




                • Windows XP C:Documents and SettingsAll UsersStart
                  MenuProgramsStartup


                • Windows NT C:wontProfilesAll UsersStart
                  MenuProgramsStartup


                • Windows 2000 C:Documents and SettingsAll
                  UsersStart MenuProgramsStartup





              11. User Profile Startup Folder




                • This folder will be executed for the particular user who logs in.



                This folder is usually found in:




                • Win 9X, ME c:windowsstart menuprogramsstartup

                • Windows XP C:Documents and SettingsLoginNameStart MenuProgramsStartup




              12. RunOnce Current User Key




                • These keys are designed to be used primarily by Setup programs.

                • Entries in these keys are started once and then are deleted from the key.

                • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
                  otherwise it will be deleted before the program runs. This is
                  important, because if the exclamation point is not used, and the
                  program referenced in this key fails to complete, it will not run
                  again as it will have already been deleted.

                • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.

                • The RunOnce keys are not supported by Windows NT 3.51.



                Registry Key:



                HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce



              13. Explorer Run

                • These keys are generally used to load programs as part of a policy set in place on the computer or user.

                Registry Keys:

                HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
                HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

              14. Load Key

                • This key is not commonly used anymore, but can be used to auto start programs.

                Registry Key:

                HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

              15. AppInit_DLLs

                • This value corresponds to files being loaded through the AppInit_DLLs Registry value.

                • The AppInit_DLLs registry value contains a list of DLLs that will be loaded when user32.dll is loaded.

                • As most Windows executables use user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded also. This makes it very difficult to remove the DLL, as it will be loaded within multiple processes, some of which cannot be stopped without causing system instability.

                • The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that the files loaded in the AppInit_DLLs value will be loaded very early in the Windows startup routine, allowing the DLL to hide itself or protect itself before we have access to the system.

                Registry Key:

                HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

              16. ShellServiceObjectDelayLoad

                • This Registry value contains values in a similar way as the Run key does.

                • The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information about the particular DLL file that is being used.

                • The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your computer, it will always start, thus always loading the files under this key. These files are therefore loaded early in the startup process, before any human intervention occurs.

                Registry Key:

                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

              17. SharedTaskScheduler

                • This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.

                • The entries in this registry value run automatically when you start Windows.

                Registry Key:

                HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler



              The following are files that programs can autostart from on bootup:

              1. c:\autoexec.bat

              2. c:\config.sys

              3. windir\wininit.ini - Usually used by setup programs to have a file run once and then get deleted.

              4. windir\winstart.bat

              5. windir\win.ini - [windows] "load"

              6. windir\win.ini - [windows] "run"

              7. windir\system.ini - [boot] "shell"

              8. windir\system.ini - [boot] "scrnsave.exe"

              9. windir\dosstart.bat - Used in Win95 or 98 when you select "Restart in MS-DOS mode" in the shutdown menu.

              10. windir\system\autoexec.nt

              11. windir\system\config.nt

              Source: Windows Program Automatic Startup Locations

              Disclaimer

              I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.
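The answer above lists the autostart locations and points at GUI tools for checking them. As an added example (not code from the answer, nor from Autoruns, WhatInStartup or WinPatrol), the PowerShell below walks the same registry keys and folders read-only and reports every entry in one table, flagging the RunOnce `!` prefix, the Run `*` Safe Mode prefix, and Winlogon Userinit/Shell values that differ from the defaults the answer gives. It assumes a Windows host with the HKLM:/HKCU: PowerShell drives and an elevated prompt so the Services keys are readable; the `avast` filter at the end is only a stand-in for whatever product you are trying to locate.

```powershell
# Added example, not code from the answer above or from any tool it names.
# Read-only: walks the autostart locations the answer lists and reports each
# entry, flagging RunOnce '!' / Run '*' prefixes and non-default Winlogon values.
# Assumes Windows with the HKLM:/HKCU: drives; run elevated. Keys that do not
# exist on the Windows version being inspected are skipped.

$RunStyleKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
)
# Pseudo-properties the registry provider adds to every Get-ItemProperty result.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function New-Entry($Location, $Name, $Command, $Flags) {
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command; Flags = $Flags }
}

function Get-RunStyleEntries {
    foreach ($key in $RunStyleKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }
            $flags = @()
            # RunOnce: a '!' before the value NAME defers deletion until the program has exited.
            if ($key -like '*\RunOnce*' -and $p.Name.StartsWith('!')) { $flags += 'deleted-after-run' }
            # Run: a '*' before the value NAME makes the entry run in Safe Mode as well.
            if ($key -like '*\Run' -and $p.Name.StartsWith('*')) { $flags += 'runs-in-safe-mode' }
            New-Entry $key $p.Name $p.Value ($flags -join ',')
        }
    }
}

function Get-WinlogonEntries {
    $lm = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cu = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v  = Get-ItemProperty -Path $lm
    # Default Userinit is "<system32>\userinit.exe," (trailing comma); anything after it also runs at logon.
    $flag = if ($v.Userinit -match '^[^,]*\\userinit\.exe,?\s*$') { '' } else { 'extra-program-appended' }
    New-Entry $lm 'Userinit' $v.Userinit $flag
    $flag = if ($v.Shell -eq 'explorer.exe') { '' } else { 'non-default-shell' }
    New-Entry $lm 'Shell' $v.Shell $flag
    # A per-user Shell value is launched in preference to the HKLM one for that user.
    $cuShell = (Get-ItemProperty -Path $cu -ErrorAction SilentlyContinue).Shell
    if ($cuShell) { New-Entry $cu 'Shell' $cuShell 'overrides-HKLM-shell' }
    # Winlogon\Notify subkeys each name a DLL that handles logon/logoff events.
    foreach ($k in Get-ChildItem -Path "$lm\Notify" -ErrorAction SilentlyContinue) {
        New-Entry $k.PSPath $k.PSChildName (Get-ItemProperty -Path $k.PSPath).DLLName 'event-dll'
    }
}

function Get-WindowsKeyEntries {
    $lm = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $cu = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $dlls = (Get-ItemProperty -Path $lm).AppInit_DLLs
    if ($dlls) { New-Entry $lm 'AppInit_DLLs' $dlls 'loaded-into-user32-processes' }
    $load = (Get-ItemProperty -Path $cu -ErrorAction SilentlyContinue).load
    if ($load) { New-Entry $cu 'load' $load 'legacy-load-value' }
}

function Get-StartupFolderEntries {
    foreach ($folder in 'CommonStartup', 'Startup') {
        $dir = [Environment]::GetFolderPath($folder)
        foreach ($item in Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue) {
            New-Entry $dir $item.Name $item.FullName 'startup-folder'
        }
    }
}

function Get-BootAndAutoStartServices {
    # Start 0 = boot driver, Start 2 = auto-start service/driver: the two classes the answer describes.
    foreach ($k in Get-ChildItem -Path 'HKLM:\System\CurrentControlSet\Services') {
        $s = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        if ($s -and $s.Start -in @(0, 2) -and $s.ImagePath) {
            New-Entry $k.PSPath $k.PSChildName $s.ImagePath "Start=$($s.Start)"
        }
    }
}

# Usage: list everything, then narrow to one product as the question does for Avast.
$all = @(Get-RunStyleEntries) + @(Get-WinlogonEntries) + @(Get-WindowsKeyEntries) +
       @(Get-StartupFolderEntries) + @(Get-BootAndAutoStartServices)
$all | Format-Table -AutoSize -Wrap
$all | Where-Object { "$($_.Name) $($_.Command)" -match 'avast' } | Format-List
```

For the case in the question, the filtered output should show the product's engine under the Services key with `Start=2` and its tray GUI under `HKLM:\...\CurrentVersion\Run`, which is exactly the split the answer describes. When reviewing a machine rather than one product, the rows to read first are any with a non-empty Flags column: an appended Userinit program, a replaced Shell, an AppInit_DLLs list, or a Notify DLL are the locations the answer singles out as favoured by malware precisely because they load before the user can intervene.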






              share|improve this answer




























                2














                Where do the majority of anti-virus programs start from at OS boot time?




                after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.




                There are many other start up locations you need to check (see later).



                Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:



                enter image description here



                The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun:



                enter image description here





                There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.



                There are a few programs that allow easy checking of the startup locations.





                1. msconfig (Startup tab):



                  enter image description here




                2. Autoruns from SysInternals:



                  enter image description here




                3. WhatInStartup from NirSoft:



                  enter image description here




                4. WinPatrol:



                  enter image description here



                  Note:




                  • WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"

                  • You can specify the delay time if you do this.




                  enter image description here]12






                How many ways are there for a program to be run at Startup in Windows?



                There are at least 17 locations from where programs can be started. See below.





                Windows Program Automatic Startup Locations




                Upon turning on the computer the following autostart locations are
                processed in the following order:





                1. Windows Boot Device Drivers




                  • These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.

                  • Boot device drivers will be located under the following key and have a Start value equal to 0.



                  Registry Keys:



                  HKEY_LOCAL_MACHINESystemCurrentControlSetServices


                  Windows will now perform various tasks and then start the Winlogon
                  process. Winlogon eventually starts the service control manager that
                  loads services and drivers that are set for auto-start.




                2. Windows Auto-start Services & Drivers




                  • The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
                    drivers that are marked with a Start value of 2.



                  Registry Keys:



                  HKEY_LOCAL_MACHINESystemCurrentControlSetServices



                3. RunServicesOnce




                  • This key is designed to start services when a computer boots up.

                  • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
                    can start loading its programs.



                  Registry Keys:



                  HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
                  HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce



                4. RunServices




                  • This key is designed to start services as well.

                  • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
                    can start loading its programs.



                  Registry Keys:



                  HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
                  HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices


                  The Windows logon prompt is shown on the Screen. After a user logs in
                  the rest of the keys continue.




                5. Notify




                  • This key is used to add a program that will run when a particular event occurs.

                  • Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.

                  • When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
                    handle this event.

                  • Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
                    malware program to load in such a way that it is not easy to stop.



                  Registry Key:



                  HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify



                6. UserInit Key




                  • This key specifies what program should be launched right after a user logs into Windows.

                  • The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
                    restores your profile, fonts, colors, etc for your user name.


                  • It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:



                    HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
                    =C:windowssystem32userinit.exe,c:windowsbadprogram.exe.




                  This will make both programs launch when you log in and is a common
                  place for trojans, hijackers, and spyware to launch from.
                  Registry Key:



                  HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit



                7. Shell Value




                  • This value contains a list of comma separated values that Userinit.exe will launch.

                  • The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
                    the shell, it will first launch the Shell value found in
                    HKEY_CURRENT_USER. If this value is not present, it will then launch
                    the value found in HKEY_LOCAL_MACHINE.



                  Registry Key:



                  HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
                  HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell


                  The rest of the Autostart locations will now be processed.




                8. RunOnce Local Machine Key




                  • These keys are designed to be used primarily by Setup programs.

                  • Entries in these keys are started once and then are deleted from the key.

                  • If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
                    otherwise it will be deleted before the program runs. This is
                    important, because if the exclamation point is not used, and the
                    program referenced in this key fails to complete, it will not run
                    again as it will have already been deleted.

                  • All entries in this key are started synchronously in an undefined order.

                  • Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
                    HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.

                  • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.



                  Registry Keys:



                  HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
                  HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx



                9. Run




                  • These are the most common startup locations for programs to install auto start from.

                  • By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.



                  Registry Keys:



                  HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
                  HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun



                10. All Users Startup Folder




                  • For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.



                  It is generally found at:




                  • Windows XP C:Documents and SettingsAll UsersStart
                    MenuProgramsStartup


                  • Windows NT C:wontProfilesAll UsersStart
                    MenuProgramsStartup


                  • Windows 2000 C:Documents and SettingsAll
                    UsersStart MenuProgramsStartup





                11. User Profile Startup Folder




                  • This folder will be executed for the particular user who logs in.



                  This folder is usually found in:




                  • Win 9X, ME c:windowsstart menuprogramsstartup

                  • Windows XP C:Documents and SettingsLoginNameStart MenuProgramsStartup




                12. RunOnce Current User Key




                  • These keys are designed to be used primarily by Setup programs.

                  • Entries in these keys are started once and then are deleted from the key.

                  • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
                    otherwise it will be deleted before the program runs. This is
                    important, because if the exclamation point is not used, and the
                    program referenced in this key fails to complete, it will not run
                    again as it will have already been deleted.

                  • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.

                  • The RunOnce keys are not supported by Windows NT 3.51.



                  Registry Key:



                  HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce



                13. Explorer Run




                  • These keys are generally used to load programs as part of a policy set in place on the computer or user.



                  Registry Keys:



                  HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
                  HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun



                14. Load Key




                  • This key is not commonly used anymore, but can be used to auto start programs.



                  Registry Key:



                  HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload



                15. AppInit_DLLs




                  • This value corresponds to files being loaded through the AppInit_DLLs Registry value.

                  • The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.

                  • As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
                    also. This makes it very difficult to remove the DLL as it will be
                    loaded within multiple processes, some of which can not be stopped
                    without causing system instability.

                  • The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
                    the files loaded in the AppInit_DLLs value will be loaded very early
                    in the Windows startup routine allowing the DLL to hide itself or
                    protect itself before we have access to the system.



                  Registry Key:



                  HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows



                16. ShellServiceObjectDelayLoad




                  • This Registry value contains values in a similar way as the Run key does.

                  • The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
                    about the particular DLL file that is being used.

                  • The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
                    computer, it will always start, thus always loading the files under
                    this key. These files are therefore loaded early in the startup
                    process before any human intervention occurs.



                  Registry Key:



                  HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad



                17. SharedTaskScheduler




                  • This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.

                  • The entries in this registry value run automatically when you start windows.



                  Registry Key:



                  HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler



                The following are files that programs can autostart from on bootup:




                1. c:autoexec.bat

                2. c:config.sys 3 . windirwininit.ini - Usually used by setup programs to have a file run once and then get deleted.

                3. windirwinstart.bat

                4. windirwin.ini - [windows] "load"

                5. windirwin.ini - [windows] "run"

                6. windirsystem.ini - [boot] "shell" 8 . windirsystem.ini - [boot] "scrnsave.exe"

                7. windirdosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

                8. windirsystemautoexec.nt

                9. windirsystemconfig.nt




                Source Windows Program Automatic Startup Locations





                Disclaimer



                I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.






                share|improve this answer


























                  2












                  2








                  2







                  Where do the majority of anti-virus programs start from at OS boot time?




                  after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.




                  There are many other start up locations you need to check (see later).



                  Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:



                  enter image description here



                  The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun:



                  enter image description here





                  There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.



                  There are a few programs that allow easy checking of the startup locations.





                  1. msconfig (Startup tab):



                    enter image description here




                  2. Autoruns from SysInternals:



                    enter image description here




                  3. WhatInStartup from NirSoft:



                    enter image description here




                  4. WinPatrol:



                    enter image description here



                    Note:




                    • WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"

                    • You can specify the delay time if you do this.




                    enter image description here]12






                  How many ways are there for a program to be run at Startup in Windows?



                  There are at least 17 locations from where programs can be started. See below.





                  Windows Program Automatic Startup Locations




                  Upon turning on the computer the following autostart locations are
                  processed in the following order:





                  1. Windows Boot Device Drivers




                    • These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.

                    • Boot device drivers will be located under the following key and have a Start value equal to 0.



                    Registry Keys:



                    HKEY_LOCAL_MACHINESystemCurrentControlSetServices


                    Windows will now perform various tasks and then start the Winlogon
                    process. Winlogon eventually starts the service control manager that
                    loads services and drivers that are set for auto-start.




                  2. Windows Auto-start Services & Drivers




                    • The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
                      drivers that are marked with a Start value of 2.



                    Registry Keys:



                    HKEY_LOCAL_MACHINESystemCurrentControlSetServices



                  3. RunServicesOnce




                    • This key is designed to start services when a computer boots up.

                    • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
                      can start loading its programs.



                    Registry Keys:



                    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
                    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce



                  4. RunServices




                    • This key is designed to start services as well.

                    • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
                      can start loading its programs.



                    Registry Keys:



                    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
                    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices


                    The Windows logon prompt is shown on the Screen. After a user logs in
                    the rest of the keys continue.




                  5. Notify




                    • This key is used to add a program that will run when a particular event occurs.

                    • Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.

                    • When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
                      handle this event.

                    • Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
                      malware program to load in such a way that it is not easy to stop.



                    Registry Key:



                    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify



                  6. UserInit Key




                    • This key specifies what program should be launched right after a user logs into Windows.

                    • The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
                      restores your profile, fonts, colors, etc for your user name.


                    • It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:



                      HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
                      =C:windowssystem32userinit.exe,c:windowsbadprogram.exe.




                    This will make both programs launch when you log in and is a common
                    place for trojans, hijackers, and spyware to launch from.
                    Registry Key:



                    HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit



                  7. Shell Value




                    • This value contains a list of comma separated values that Userinit.exe will launch.

                    • The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
                      the shell, it will first launch the Shell value found in
                      HKEY_CURRENT_USER. If this value is not present, it will then launch
                      the value found in HKEY_LOCAL_MACHINE.



                    Registry Key:



                    HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
                    HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell


                    The rest of the Autostart locations will now be processed.




                  8. RunOnce Local Machine Key




                    • These keys are designed to be used primarily by Setup programs.

                    • Entries in these keys are started once and then are deleted from the key.

                    • If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
                      otherwise it will be deleted before the program runs. This is
                      important, because if the exclamation point is not used, and the
                      program referenced in this key fails to complete, it will not run
                      again as it will have already been deleted.

                    • All entries in this key are started synchronously in an undefined order.

                    • Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
                      HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.

                    • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.



                    Registry Keys:



                    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
                    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx



                  9. Run




                    • These are the most common startup locations for programs to install auto start from.

                    • By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.



                    Registry Keys:



                    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
                    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun



                  10. All Users Startup Folder




                    • For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.



                    It is generally found at:




                    • Windows XP C:Documents and SettingsAll UsersStart
                      MenuProgramsStartup


                    • Windows NT C:wontProfilesAll UsersStart
                      MenuProgramsStartup


                    • Windows 2000 C:Documents and SettingsAll
                      UsersStart MenuProgramsStartup





                  11. User Profile Startup Folder




                    • This folder will be executed for the particular user who logs in.



                    This folder is usually found in:




                    • Win 9X, ME c:windowsstart menuprogramsstartup

                    • Windows XP C:Documents and SettingsLoginNameStart MenuProgramsStartup




                  12. RunOnce Current User Key




                    • These keys are designed to be used primarily by Setup programs.

                    • Entries in these keys are started once and then are deleted from the key.

                    • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
                      otherwise it will be deleted before the program runs. This is
                      important, because if the exclamation point is not used, and the
                      program referenced in this key fails to complete, it will not run
                      again as it will have already been deleted.

                    • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.

                    • The RunOnce keys are not supported by Windows NT 3.51.



                    Registry Key:



                    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce



                  13. Explorer Run




                    • These keys are generally used to load programs as part of a policy set in place on the computer or user.



                    Registry Keys:



                    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
                    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun



                  14. Load Key




                    • This key is not commonly used anymore, but can be used to auto start programs.



                    Registry Key:



                    HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload



                  15. AppInit_DLLs




                    • This value corresponds to files being loaded through the AppInit_DLLs Registry value.

                    • The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.

                    • As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
                      also. This makes it very difficult to remove the DLL as it will be
                      loaded within multiple processes, some of which can not be stopped
                      without causing system instability.

                    • The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
                      the files loaded in the AppInit_DLLs value will be loaded very early
                      in the Windows startup routine allowing the DLL to hide itself or
                      protect itself before we have access to the system.



                    Registry Key:



                    HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows



                  16. ShellServiceObjectDelayLoad




                    • This Registry value contains values in a similar way as the Run key does.

                    • The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
                      about the particular DLL file that is being used.

                    • The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
                      computer, it will always start, thus always loading the files under
                      this key. These files are therefore loaded early in the startup
                      process before any human intervention occurs.



                    Registry Key:



                    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad



                  17. SharedTaskScheduler




                    • This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.

                    • The entries in this registry value run automatically when you start windows.



                    Registry Key:



                    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler



                  The following are files that programs can autostart from on bootup:




                  1. c:\autoexec.bat

                  2. c:\config.sys

                  3. windir\wininit.ini - Usually used by setup programs to have a file run once and then get deleted.

                  4. windir\winstart.bat

                  5. windir\win.ini - [windows] "load"

                  6. windir\win.ini - [windows] "run"

                  7. windir\system.ini - [boot] "shell"

                  8. windir\system.ini - [boot] "scrnsave.exe"

                  9. windir\dosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

                  10. windir\system\autoexec.nt

                  11. windir\system\config.nt




                  Source: Windows Program Automatic Startup Locations





                  Disclaimer



                  I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.






                  share|improve this answer



































                  answered 7 hours ago









                  DavidPostillDavidPostill

                  106k26228263
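                  As an added example (not part of DavidPostill's answer, and not a tool from SysInternals, NirSoft or WinPatrol): a read-only PowerShell script that walks the registry and folder locations the answer enumerates and prints what is registered in each, which is the manual way to find where a product such as Avast actually starts when the "Run" key and Startup folder come up empty. The `-Vendor` parameter and the script's layout are this example's own assumptions; the registry paths are those given in the answer, plus the CLSID-to-InProcServer32 lookup the ShellServiceObjectDelayLoad item describes. Run it from an elevated prompt so the HKLM service keys are readable.

```powershell
# Added example, not part of the answer above: walk the autostart locations the
# answer lists and print what is registered in each, so you can find where a
# product such as an antivirus actually starts. Read-only; run from an elevated
# PowerShell prompt so the HKLM service keys and all startup folders are readable.
# -Vendor is an assumed, optional substring filter on the Command column (e.g. 'avast').
param([string]$Vendor = '')

$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$guidRe = '\{[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}'

# ShellServiceObjectDelayLoad and SharedTaskScheduler entries hold a CLSID rather than
# a path; the DLL that is really loaded is the CLSID's InProcServer32 default value.
function Resolve-Clsid([string]$Text) {
    if ($Text -match $guidRe) {
        $srv = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$($Matches[0])\InProcServer32" -ErrorAction SilentlyContinue
        if ($srv) { return "$Text -> $($srv.'(default)')" }
    }
    return $Text
}

# 1. Services and drivers. Start 0 = boot driver, 1 = system driver, 2 = auto-start via the SCM.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto' }
$serviceEntries = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($null -ne $p.Start -and $p.Start -le 2 -and $p.ImagePath) {
        [pscustomobject]@{
            Location = "Services (Start=$($startNames[[int]$p.Start]))"
            Name     = $_.PSChildName
            Command  = [string]$p.ImagePath
        }
    }
}

# 2. Run-style keys: each value is one program (or, for the two CLSID keys, one CLSID).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
$clsidKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
)
$runEntries = foreach ($k in $runKeys + $clsidKeys) {
    $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    foreach ($v in $p.PSObject.Properties) {
        if ($v.Name -in $providerProps) { continue }   # skip the provider's own metadata
        $text = [string]$v.Value
        if ($k -in $clsidKeys) { $text = Resolve-Clsid "$($v.Name) = $text" }
        [pscustomobject]@{ Location = $k; Name = $v.Name; Command = $text }
    }
}

# 3. Single-valued locations: Winlogon Userinit/Shell, AppInit_DLLs, and the Load value.
$singleValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'Userinit' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'Shell' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'Shell' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Value = 'AppInit_DLLs' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Value = 'Load' }
)
$singleEntries = foreach ($s in $singleValues) {
    $p = Get-ItemProperty $s.Key -Name $s.Value -ErrorAction SilentlyContinue
    if ($p -and $p.($s.Value)) {
        [pscustomobject]@{ Location = $s.Key; Name = $s.Value; Command = [string]$p.($s.Value) }
    }
}

# 4. Winlogon Notify: one subkey per handler; DLLName is the library Winlogon loads on the event.
$notifyEntries = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DLLName
    if ($dll) { [pscustomobject]@{ Location = 'Winlogon\Notify'; Name = $_.PSChildName; Command = [string]$dll } }
}

# 5. Startup folders for all users and for the current user.
$folderEntries = foreach ($f in 'CommonStartup', 'Startup') {
    $dir = [Environment]::GetFolderPath($f)
    Get-ChildItem $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
    }
}

$all = @($serviceEntries) + @($runEntries) + @($singleEntries) + @($notifyEntries) + @($folderEntries)
if ($Vendor) { $all = $all | Where-Object { $_.Command -like "*$Vendor*" } }
$all | Sort-Object Location, Name | Format-Table Location, Name, Command -AutoSize -Wrap
```

                  Saved as, say, `Get-AutostartEntries.ps1` (a hypothetical name) and run as `.\Get-AutostartEntries.ps1 -Vendor avast`, the "Services (Start=Auto)" rows are where an antivirus engine normally appears, which is exactly why it is missing from the Run key and Startup folder alone. Autoruns covers more locations than this script (scheduled tasks, Winsock providers, print monitors and so on); the script is for understanding the ordering the answer describes, not a replacement.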





























                      2














                      Security products typically have a number of components, for example:




                      • One or more file system filter drivers that sit in the kernel. Typically these are mini-filters that can be listed using the command line tool fltmc.exe. You can also see drivers loaded into the "System" process using a tool such as Process Explorer. They are likely responsible for filtering the opening and closing of files and making requests of the user mode services for scanning of the file before letting the file be accessed.

                      • There may be other drivers for filtering network traffic: NDIS filter drivers on older platforms, say Win 7, and WFP drivers on newer platforms, e.g. Win 8.1 and later.

                      • One or more user mode services, one of which typically loads virus data and performs the actual scanning. There are typically other services for management, updating, etc.

                      • Additional processes that may start from the "Run" key of the registry and run in the context of the logged on user. These typically provide the user interface and take care of user messaging.


                      So in short they are usually a combination of services, drivers and processes running as the logged on user. From your question, it sounds like you're looking at the latter. By running services.msc you will see the user mode services, and by running a tool such as driverquery.exe, or even msinfo32, you can see the drivers. User mode services and kernel drivers are all referenced in the Service Control Manager's (SCM) database under: hklm\system\currentcontrolset






                      share|improve this answer






































                          answered 7 hours ago









                          HelpingHandHelpingHand

                          1,02549
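                          As an added example (not from HelpingHand's answer, and not vendor code): a read-only PowerShell script that lists the four component kinds the answer names, minifilters from `fltmc.exe`, kernel drivers and user-mode services from the SCM database, and processes in the logged-on user's session, and shows each file's Authenticode signer so you can tell a vendor's components from everything else. The `-Vendor` filter, the helper names and the output layout are this example's own assumptions; the altitude check relies on Microsoft's allocated minifilter altitude ranges, where 320000 to 329999 is the "FSFilter Anti-Virus" group. Run it elevated, since `fltmc` and `Get-Process -IncludeUserName` need it.

```powershell
# Added example, not part of the answer above: enumerate the component kinds a security
# product is made of (minifilters, drivers, services, user-session processes) and show
# who signed each binary. Read-only; run from an elevated PowerShell prompt.
# -Vendor is an assumed, optional substring matched against name, detail and signer.
param([string]$Vendor = '')

# Pull the executable path out of a service command line: "C:\p q\a.exe" -k  or  C:\a.exe -k
function Get-ExecutablePath([string]$CommandLine) {
    if ($CommandLine -match '^"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^(\S+)')     { return $Matches[1] }
    return $CommandLine
}

# Authenticode signer subject of a file, or its signature status when not validly signed
function Get-SignerName([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if ($sig -and $sig.Status -eq 'Valid') { return $sig.SignerCertificate.Subject }
    if ($sig) { return "($($sig.Status))" }
    return '(unreadable)'
}

# 1. File system minifilters: parse the table fltmc.exe prints (blank line, header, dashes, rows).
#    Microsoft allocates altitudes 320000-329999 to the "FSFilter Anti-Virus" group, so a
#    filter in that band is almost always an on-access scanner.
$filters = fltmc.exe filters 2>$null | Select-Object -Skip 2 | ForEach-Object {
    $cols = ($_ -split '\s+') | Where-Object { $_ }
    if ($cols.Count -ge 3 -and $cols[2] -match '^\d+') {
        $alt = [int]($cols[2] -replace '\..*$', '')
        [pscustomobject]@{
            Kind   = 'Minifilter'
            Name   = $cols[0]
            Signer = ''
            Detail = "altitude $($cols[2])" + $(if ($alt -ge 320000 -and $alt -le 329999) { ' (Anti-Virus band)' })
        }
    }
}

# 2. Kernel drivers registered with the SCM (this is where the NDIS/WFP network filters show up).
$drivers = Get-CimInstance Win32_SystemDriver | ForEach-Object {
    [pscustomobject]@{
        Kind   = 'Driver'
        Name   = $_.Name
        Signer = $(if ($_.PathName) { Get-SignerName $_.PathName } else { '' })
        Detail = "$($_.StartMode), $($_.State): $($_.PathName)"
    }
}

# 3. User-mode services (scanner, updater, management), with the account they run as.
$services = Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ExecutablePath $_.PathName
    [pscustomobject]@{
        Kind   = 'Service'
        Name   = $_.Name
        Signer = $(if ($exe) { Get-SignerName $exe } else { '' })
        Detail = "$($_.StartMode), $($_.State), runs as $($_.StartName): $exe"
    }
}

# 4. Processes in an interactive session (session 0 is services); the tray/UI parts live here.
$procs = Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.SessionId -ne 0 } |
    ForEach-Object {
        [pscustomobject]@{
            Kind   = 'Process'
            Name   = $_.ProcessName
            Signer = Get-SignerName $_.Path
            Detail = "PID $($_.Id), user $($_.UserName): $($_.Path)"
        }
    }

$all = @($filters) + @($drivers) + @($services) + @($procs)
if ($Vendor) {
    $all = $all | Where-Object { ($_.Name + $_.Detail + $_.Signer) -like "*$Vendor*" }
}
$all | Sort-Object Kind, Name | Format-Table Kind, Name, Signer, Detail -AutoSize -Wrap
```

                          Without `-Vendor` the signature checks take a while because every driver, service binary and process image is verified; with `-Vendor` the checks still run for everything, but only matching rows are printed. The useful defender reading is the combination: a minifilter in the Anti-Virus altitude band, a set of auto-start services running as LocalSystem, and a signed UI process in the user's session are what a legitimately installed product looks like, and a component whose signer does not match the rest is the row worth looking at.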

































