How do anti-virus programs start at Windows boot?Mysterious .tmp files generated in C:WindowsSystem32 folder upon bootingFlash Player Automatic Updater on Windows StartupWindows 7 says Avast is off, but it's not! Am I infected?Prevent applications from automatically startingFake anti-virus?Anti-virus Software downloadsVista Startup - Cannot Find the File SpecifiedMost programs not visible in Programs and Features in windows 7Windows - Automatic log-in, then log off after first log-in onlySystem misbehaving because of a program “Search the Web (Yahoo)”

Why doesn't the EU now just force the UK to choose between referendum and no-deal?

Is having access to past exams cheating and, if yes, could it be proven just by a good grade?

Property of summation

Software described as 香ばしい

Make a transparent 448*448 image

How to explain that I do not want to visit a country due to personal safety concern?

How to simplify this time periods definition interface?

Are the common programs (for example: "ls", "cat") in Linux and BSD come from the same source code?

At what level can a dragon innately cast its spells?

What's causing this power spike in STM32 low power mode

PTIJ: Who should I vote for? (21st Knesset Edition)

Instead of Universal Basic Income, why not Universal Basic NEEDS?

How do anti-virus programs start at Windows boot?

Why would a flight no longer considered airworthy be redirected like this?

How could a scammer know the apps on my phone / iTunes account?

Problems with making formula look great

If curse and magic is two sides of the same coin, why the former is forbidden?

What is the significance behind "40 days" that often appears in the Bible?

If I can solve Sudoku can I solve TSP? If yes, how?

Fibers of the morphism from the free Heyting algebra to the free Boolean algebra

What are substitutions for coconut in curry?

AG Cluster db upgrade by vendor

It's a yearly task, alright

What options are left, if Britain cannot decide?



How do anti-virus programs start at Windows boot?


Mysterious .tmp files generated in C:WindowsSystem32 folder upon bootingFlash Player Automatic Updater on Windows StartupWindows 7 says Avast is off, but it's not! Am I infected?Prevent applications from automatically startingFake anti-virus?Anti-virus Software downloadsVista Startup - Cannot Find the File SpecifiedMost programs not visible in Programs and Features in windows 7Windows - Automatic log-in, then log off after first log-in onlySystem misbehaving because of a program “Search the Web (Yahoo)”













55















When performing some testing, I noticed that after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location. Taking this into account, in which location do the majority of anti-virus programs locate themselves so that they will automatically start at OS boot time?










share|improve this question



















  • 3





    What boot "time" are you actually referring to, directly after the boot loader or when you see the black screen (or not) just before the login screen appears? This is a very important distinction. The "directly after boot loader" approach is done with drivers and happens before windows even loads (e.g. rebooting your pc to remove viruses that can't be removed while windows is running).

    – Gizmo
    2 days ago












  • Typically the on-access drivers are filter drivers (devices). There is also a new function for early launch malware detection called ELAM docs.microsoft.com/en-us/windows-hardware/drivers/install/…. Besides that normal Autorun, services and explorer extensions are used mostly for UI and supporting stuff like refreshing signatures and drivers. Behavior detection often works by injecting dlls.

    – eckes
    yesterday















55















When performing some testing, I noticed that after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location. Taking this into account, in which location do the majority of anti-virus programs locate themselves so that they will automatically start at OS boot time?










share|improve this question



















  • 3





    What boot "time" are you actually referring to, directly after the boot loader or when you see the black screen (or not) just before the login screen appears? This is a very important distinction. The "directly after boot loader" approach is done with drivers and happens before windows even loads (e.g. rebooting your pc to remove viruses that can't be removed while windows is running).

    – Gizmo
    2 days ago












  • Typically the on-access drivers are filter drivers (devices). There is also a new function for early launch malware detection called ELAM docs.microsoft.com/en-us/windows-hardware/drivers/install/…. Besides that normal Autorun, services and explorer extensions are used mostly for UI and supporting stuff like refreshing signatures and drivers. Behavior detection often works by injecting dlls.

    – eckes
    yesterday













55












55








55


24






When performing some testing, I noticed that after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location. Taking this into account, in which location do the majority of anti-virus programs locate themselves so that they will automatically start at OS boot time?










share|improve this question
















When performing some testing, I noticed that after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location. Taking this into account, in which location do the majority of anti-virus programs locate themselves so that they will automatically start at OS boot time?







windows boot anti-virus






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 2 days ago









Kolappan Nathan

437413




437413










asked 2 days ago









elliott94elliott94

38627




38627







  • 3





    What boot "time" are you actually referring to, directly after the boot loader or when you see the black screen (or not) just before the login screen appears? This is a very important distinction. The "directly after boot loader" approach is done with drivers and happens before windows even loads (e.g. rebooting your pc to remove viruses that can't be removed while windows is running).

    – Gizmo
    2 days ago












  • Typically the on-access drivers are filter drivers (devices). There is also a new function for early launch malware detection called ELAM docs.microsoft.com/en-us/windows-hardware/drivers/install/…. Besides that normal Autorun, services and explorer extensions are used mostly for UI and supporting stuff like refreshing signatures and drivers. Behavior detection often works by injecting dlls.

    – eckes
    yesterday












  • 3





    What boot "time" are you actually referring to, directly after the boot loader or when you see the black screen (or not) just before the login screen appears? This is a very important distinction. The "directly after boot loader" approach is done with drivers and happens before windows even loads (e.g. rebooting your pc to remove viruses that can't be removed while windows is running).

    – Gizmo
    2 days ago












  • Typically the on-access drivers are filter drivers (devices). There is also a new function for early launch malware detection called ELAM docs.microsoft.com/en-us/windows-hardware/drivers/install/…. Besides that normal Autorun, services and explorer extensions are used mostly for UI and supporting stuff like refreshing signatures and drivers. Behavior detection often works by injecting dlls.

    – eckes
    yesterday







3




3





What boot "time" are you actually referring to, directly after the boot loader or when you see the black screen (or not) just before the login screen appears? This is a very important distinction. The "directly after boot loader" approach is done with drivers and happens before windows even loads (e.g. rebooting your pc to remove viruses that can't be removed while windows is running).

– Gizmo
2 days ago






What boot "time" are you actually referring to, directly after the boot loader or when you see the black screen (or not) just before the login screen appears? This is a very important distinction. The "directly after boot loader" approach is done with drivers and happens before windows even loads (e.g. rebooting your pc to remove viruses that can't be removed while windows is running).

– Gizmo
2 days ago














Typically the on-access drivers are filter drivers (devices). There is also a new function for early launch malware detection called ELAM docs.microsoft.com/en-us/windows-hardware/drivers/install/…. Besides that normal Autorun, services and explorer extensions are used mostly for UI and supporting stuff like refreshing signatures and drivers. Behavior detection often works by injecting dlls.

– eckes
yesterday





Typically the on-access drivers are filter drivers (devices). There is also a new function for early launch malware detection called ELAM docs.microsoft.com/en-us/windows-hardware/drivers/install/…. Besides that normal Autorun, services and explorer extensions are used mostly for UI and supporting stuff like refreshing signatures and drivers. Behavior detection often works by injecting dlls.

– eckes
yesterday










2 Answers
2






active

oldest

votes


















102














Where do the majority of anti-virus programs start from at OS boot time?




after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.




There are many other start up locations you need to check (see later).



Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:



enter image description here



The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun:



enter image description here




There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.



There are a few programs that allow easy checking of the startup locations.




  1. msconfig (Startup tab):



    enter image description here




  2. Autoruns from SysInternals:



    enter image description here




  3. WhatInStartup from NirSoft:



    enter image description here




  4. WinPatrol:



    enter image description here



    Note:



    • WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"

    • You can specify the delay time if you do this.


    enter image description here]12




How many ways are there for a program to be run at Startup in Windows?



There are at least 17 locations from where programs can be started. See below.




Windows Program Automatic Startup Locations




Upon turning on the computer the following autostart locations are
processed in the following order:




  1. Windows Boot Device Drivers



    • These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.

    • Boot device drivers will be located under the following key and have a Start value equal to 0.


    Registry Keys:



    HKEY_LOCAL_MACHINESystemCurrentControlSetServices


    Windows will now perform various tasks and then start the Winlogon
    process. Winlogon eventually starts the service control manager that
    loads services and drivers that are set for auto-start.




  2. Windows Auto-start Services & Drivers



    • The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
      drivers that are marked with a Start value of 2.


    Registry Keys:



    HKEY_LOCAL_MACHINESystemCurrentControlSetServices



  3. RunServicesOnce



    • This key is designed to start services when a computer boots up.

    • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
      can start loading its programs.


    Registry Keys:



    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce



  4. RunServices



    • This key is designed to start services as well.

    • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
      can start loading its programs.


    Registry Keys:



    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices


    The Windows logon prompt is shown on the Screen. After a user logs in
    the rest of the keys continue.




  5. Notify



    • This key is used to add a program that will run when a particular event occurs.

    • Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.

    • When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
      handle this event.

    • Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
      malware program to load in such a way that it is not easy to stop.


    Registry Key:



    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify



  6. UserInit Key



    • This key specifies what program should be launched right after a user logs into Windows.

    • The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
      restores your profile, fonts, colors, etc for your user name.


    • It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:



      HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
      =C:windowssystem32userinit.exe,c:windowsbadprogram.exe.



    This will make both programs launch when you log in and is a common
    place for trojans, hijackers, and spyware to launch from.
    Registry Key:



    HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit



  7. Shell Value



    • This value contains a list of comma separated values that Userinit.exe will launch.

    • The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
      the shell, it will first launch the Shell value found in
      HKEY_CURRENT_USER. If this value is not present, it will then launch
      the value found in HKEY_LOCAL_MACHINE.


    Registry Key:



    HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
    HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell


    The rest of the Autostart locations will now be processed.




  8. RunOnce Local Machine Key



    • These keys are designed to be used primarily by Setup programs.

    • Entries in these keys are started once and then are deleted from the key.

    • If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
      otherwise it will be deleted before the program runs. This is
      important, because if the exclamation point is not used, and the
      program referenced in this key fails to complete, it will not run
      again as it will have already been deleted.

    • All entries in this key are started synchronously in an undefined order.

    • Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
      HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.

    • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.


    Registry Keys:



    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx



  9. Run



    • These are the most common startup locations for programs to install auto start from.

    • By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.


    Registry Keys:



    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun



  10. All Users Startup Folder



    • For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.


    It is generally found at:



    • Windows XP C:Documents and SettingsAll UsersStart
      MenuProgramsStartup


    • Windows NT C:wontProfilesAll UsersStart
      MenuProgramsStartup


    • Windows 2000 C:Documents and SettingsAll
      UsersStart MenuProgramsStartup




  11. User Profile Startup Folder



    • This folder will be executed for the particular user who logs in.


    This folder is usually found in:



    • Win 9X, ME c:windowsstart menuprogramsstartup

    • Windows XP C:Documents and SettingsLoginNameStart MenuProgramsStartup



  12. RunOnce Current User Key



    • These keys are designed to be used primarily by Setup programs.

    • Entries in these keys are started once and then are deleted from the key.

    • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
      otherwise it will be deleted before the program runs. This is
      important, because if the exclamation point is not used, and the
      program referenced in this key fails to complete, it will not run
      again as it will have already been deleted.

    • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.

    • The RunOnce keys are not supported by Windows NT 3.51.


    Registry Key:



    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce



  13. Explorer Run



    • These keys are generally used to load programs as part of a policy set in place on the computer or user.


    Registry Keys:



    HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
    HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun



  14. Load Key



    • This key is not commonly used anymore, but can be used to auto start programs.


    Registry Key:



    HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload



  15. AppInit_DLLs



    • This value corresponds to files being loaded through the AppInit_DLLs Registry value.

    • The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.

    • As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
      also. This makes it very difficult to remove the DLL as it will be
      loaded within multiple processes, some of which can not be stopped
      without causing system instability.

    • The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
      the files loaded in the AppInit_DLLs value will be loaded very early
      in the Windows startup routine allowing the DLL to hide itself or
      protect itself before we have access to the system.


    Registry Key:



    HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows



  16. ShellServiceObjectDelayLoad



    • This Registry value contains values in a similar way as the Run key does.

    • The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
      about the particular DLL file that is being used.

    • The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
      computer, it will always start, thus always loading the files under
      this key. These files are therefore loaded early in the startup
      process before any human intervention occurs.


    Registry Key:



    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad



  17. SharedTaskScheduler



    • This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.

    • The entries in this registry value run automatically when you start windows.


    Registry Key:



    HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler



  18. Miscellaneous



    The following are files that programs can autostart from on bootup:



    1. c:autoexec.bat

    2. c:config.sys

    3. windirwininit.ini - Usually used by setup programs to have a file run once and then get deleted.

    4. windirwinstart.bat

    5. windirwin.ini - [windows] "load"

    6. windirwin.ini - [windows] "run"

    7. windirsystem.ini - [boot] "shell"

    8. windirsystem.ini - [boot] "scrnsave.exe"

    9. windirdosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

    10. windirsystemautoexec.nt

    11. windirsystemconfig.nt




Source Windows Program Automatic Startup Locations




Disclaimer



I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.






share|improve this answer




















  • 3





    I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!

    – Simon Baars
    yesterday







  • 1





    @SimonBaars for comparison linux settings files move all the time (from distro to distro)

    – qwr
    18 hours ago











  • @qwr but at least with modern systemd, all startup programs can be queried with one command

    – lights0123
    16 hours ago











  • Plus ELAM and drivers, both actually used by malware suites.

    – eckes
    16 hours ago











  • Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)

    – eckes
    15 hours ago



















12














Security products typically have a number of components, for example:



  • One or more file system filter drivers that sits in the kernel. Typically these are mini-filters that can be listed using the command line tool fltmc.exe. You can also see drivers loaded into the "System" process using a tool such as Process Explorer. They are likely responsible for filtering the opening and closing of files and making requests of the user mode services for scanning of the file before letting the file be accessed.

  • There maybe other drivers for filtering network traffic. NDIS filter drives on older platforms, say Win 7 and WFP drivers for newer platforms, e.g. Win 8.1 and later.

  • One or more user mode services. One of which typically loads virus data and performs the actually scanning. There are typically other services for management, updating, etc.

  • Additional processes that may start from the "Run" key of the registry and run in the context of the logged on user. These typically provide the user interface and take care of user messaging.

So in short they are usually a combination of services, drivers and processes running as the logged on user. From your question, it sounds like you're looking at the later. By running services.msc you will see the user mode services and running a tool such driverquery.exe, or even misnfo32, you can see the drivers. User mode services and kernel drivers all are referenced in the Service Control Manager's (SCM) database under: hklmsystemcurrentcontrolsetservices






share|improve this answer
























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "3"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1413524%2fhow-do-anti-virus-programs-start-at-windows-boot%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    102














    Where do the majority of anti-virus programs start from at OS boot time?




    after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.




    There are many other start up locations you need to check (see later).



    Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:



    enter image description here



    The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun:



    enter image description here




    There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.



    There are a few programs that allow easy checking of the startup locations.




    1. msconfig (Startup tab):



      enter image description here




    2. Autoruns from SysInternals:



      enter image description here




    3. WhatInStartup from NirSoft:



      enter image description here




    4. WinPatrol:



      enter image description here



      Note:



      • WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"

      • You can specify the delay time if you do this.


      enter image description here]12




    How many ways are there for a program to be run at Startup in Windows?



    There are at least 17 locations from where programs can be started. See below.




    Windows Program Automatic Startup Locations




    Upon turning on the computer the following autostart locations are
    processed in the following order:




    1. Windows Boot Device Drivers



      • These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.

      • Boot device drivers will be located under the following key and have a Start value equal to 0.


      Registry Keys:



      HKEY_LOCAL_MACHINESystemCurrentControlSetServices


      Windows will now perform various tasks and then start the Winlogon
      process. Winlogon eventually starts the service control manager that
      loads services and drivers that are set for auto-start.




    2. Windows Auto-start Services & Drivers



      • The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
        drivers that are marked with a Start value of 2.


      Registry Keys:



      HKEY_LOCAL_MACHINESystemCurrentControlSetServices



    3. RunServicesOnce



      • This key is designed to start services when a computer boots up.

      • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
        can start loading its programs.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce



    4. RunServices



      • This key is designed to start services as well.

      • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
        can start loading its programs.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices


      The Windows logon prompt is shown on the Screen. After a user logs in
      the rest of the keys continue.




    5. Notify



      • This key is used to add a program that will run when a particular event occurs.

      • Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.

      • When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
        handle this event.

      • Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
        malware program to load in such a way that it is not easy to stop.


      Registry Key:



      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify



    6. UserInit Key



      • This key specifies what program should be launched right after a user logs into Windows.

      • The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
        restores your profile, fonts, colors, etc for your user name.


      • It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:



        HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
        =C:windowssystem32userinit.exe,c:windowsbadprogram.exe.



      This will make both programs launch when you log in and is a common
      place for trojans, hijackers, and spyware to launch from.
      Registry Key:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit



    7. Shell Value



      • This value contains a list of comma separated values that Userinit.exe will launch.

      • The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
        the shell, it will first launch the Shell value found in
        HKEY_CURRENT_USER. If this value is not present, it will then launch
        the value found in HKEY_LOCAL_MACHINE.


      Registry Key:



      HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
      HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell


      The rest of the Autostart locations will now be processed.




    8. RunOnce Local Machine Key



      • These keys are designed to be used primarily by Setup programs.

      • Entries in these keys are started once and then are deleted from the key.

      • If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
        otherwise it will be deleted before the program runs. This is
        important, because if the exclamation point is not used, and the
        program referenced in this key fails to complete, it will not run
        again as it will have already been deleted.

      • All entries in this key are started synchronously in an undefined order.

      • Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
        HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.

      • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx



    9. Run



      • These are the most common startup locations for programs to install auto start from.

      • By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun



    10. All Users Startup Folder



      • For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.


      It is generally found at:



      • Windows XP C:Documents and SettingsAll UsersStart
        MenuProgramsStartup


      • Windows NT C:wontProfilesAll UsersStart
        MenuProgramsStartup


      • Windows 2000 C:Documents and SettingsAll
        UsersStart MenuProgramsStartup




    11. User Profile Startup Folder



      • This folder will be executed for the particular user who logs in.


      This folder is usually found in:



      • Win 9X, ME c:windowsstart menuprogramsstartup

      • Windows XP C:Documents and SettingsLoginNameStart MenuProgramsStartup



    12. RunOnce Current User Key



      • These keys are designed to be used primarily by Setup programs.

      • Entries in these keys are started once and then are deleted from the key.

      • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
        otherwise it will be deleted before the program runs. This is
        important, because if the exclamation point is not used, and the
        program referenced in this key fails to complete, it will not run
        again as it will have already been deleted.

      • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.

      • The RunOnce keys are not supported by Windows NT 3.51.


      Registry Key:



      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce



    13. Explorer Run



      • These keys are generally used to load programs as part of a policy set in place on the computer or user.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun



    14. Load Key



      • This key is not commonly used anymore, but can be used to auto start programs.


      Registry Key:



      HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload



    15. AppInit_DLLs



      • This value corresponds to files being loaded through the AppInit_DLLs Registry value.

      • The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.

      • As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
        also. This makes it very difficult to remove the DLL as it will be
        loaded within multiple processes, some of which can not be stopped
        without causing system instability.

      • The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
        the files loaded in the AppInit_DLLs value will be loaded very early
        in the Windows startup routine allowing the DLL to hide itself or
        protect itself before we have access to the system.


      Registry Key:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows



    16. ShellServiceObjectDelayLoad



      • This Registry value contains values in a similar way as the Run key does.

      • The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
        about the particular DLL file that is being used.

      • The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
        computer, it will always start, thus always loading the files under
        this key. These files are therefore loaded early in the startup
        process before any human intervention occurs.


      Registry Key:



      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad



    17. SharedTaskScheduler



      • This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.

      • The entries in this registry value run automatically when you start windows.


      Registry Key:



      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler



    18. Miscellaneous



      The following are files that programs can autostart from on bootup:



      1. c:autoexec.bat

      2. c:config.sys

      3. windirwininit.ini - Usually used by setup programs to have a file run once and then get deleted.

      4. windirwinstart.bat

      5. windirwin.ini - [windows] "load"

      6. windirwin.ini - [windows] "run"

      7. windirsystem.ini - [boot] "shell"

      8. windirsystem.ini - [boot] "scrnsave.exe"

      9. windirdosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

      10. windirsystemautoexec.nt

      11. windirsystemconfig.nt




    Source Windows Program Automatic Startup Locations




    Disclaimer



    I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.






    share|improve this answer




















    • 3





      I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!

      – Simon Baars
      yesterday







    • 1





      @SimonBaars for comparison linux settings files move all the time (from distro to distro)

      – qwr
      18 hours ago











    • @qwr but at least with modern systemd, all startup programs can be queried with one command

      – lights0123
      16 hours ago











    • Plus ELAM and drivers, both actually used by malware suites.

      – eckes
      16 hours ago











    • Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)

      – eckes
      15 hours ago
















    102














    Where do the majority of anti-virus programs start from at OS boot time?




    after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.




    There are many other start up locations you need to check (see later).



    Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:



    enter image description here



    The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun:



    enter image description here




    There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.



    There are a few programs that allow easy checking of the startup locations.




    1. msconfig (Startup tab):



      enter image description here




    2. Autoruns from SysInternals:



      enter image description here




    3. WhatInStartup from NirSoft:



      enter image description here




    4. WinPatrol:



      enter image description here



      Note:



      • WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"

      • You can specify the delay time if you do this.


      enter image description here]12




    How many ways are there for a program to be run at Startup in Windows?



    There are at least 17 locations from where programs can be started. See below.




    Windows Program Automatic Startup Locations




    Upon turning on the computer the following autostart locations are
    processed in the following order:




    1. Windows Boot Device Drivers



      • These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.

      • Boot device drivers will be located under the following key and have a Start value equal to 0.


      Registry Keys:



      HKEY_LOCAL_MACHINESystemCurrentControlSetServices


      Windows will now perform various tasks and then start the Winlogon
      process. Winlogon eventually starts the service control manager that
      loads services and drivers that are set for auto-start.




    2. Windows Auto-start Services & Drivers



      • The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
        drivers that are marked with a Start value of 2.


      Registry Keys:



      HKEY_LOCAL_MACHINESystemCurrentControlSetServices



    3. RunServicesOnce



      • This key is designed to start services when a computer boots up.

      • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
        can start loading its programs.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce



    4. RunServices



      • This key is designed to start services as well.

      • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
        can start loading its programs.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices


      The Windows logon prompt is shown on the Screen. After a user logs in
      the rest of the keys continue.




    5. Notify



      • This key is used to add a program that will run when a particular event occurs.

      • Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.

      • When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
        handle this event.

      • Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
        malware program to load in such a way that it is not easy to stop.


      Registry Key:



      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify



    6. UserInit Key



      • This key specifies what program should be launched right after a user logs into Windows.

      • The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
        restores your profile, fonts, colors, etc for your user name.


      • It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:



        HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
        =C:windowssystem32userinit.exe,c:windowsbadprogram.exe.



      This will make both programs launch when you log in and is a common
      place for trojans, hijackers, and spyware to launch from.
      Registry Key:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit



    7. Shell Value



      • This value contains a list of comma separated values that Userinit.exe will launch.

      • The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
        the shell, it will first launch the Shell value found in
        HKEY_CURRENT_USER. If this value is not present, it will then launch
        the value found in HKEY_LOCAL_MACHINE.


      Registry Key:



      HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
      HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell


      The rest of the Autostart locations will now be processed.




    8. RunOnce Local Machine Key



      • These keys are designed to be used primarily by Setup programs.

      • Entries in these keys are started once and then are deleted from the key.

      • If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
        otherwise it will be deleted before the program runs. This is
        important, because if the exclamation point is not used, and the
        program referenced in this key fails to complete, it will not run
        again as it will have already been deleted.

      • All entries in this key are started synchronously in an undefined order.

      • Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
        HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.

      • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx



    9. Run



      • These are the most common startup locations for programs to install auto start from.

      • By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun



    10. All Users Startup Folder



      • For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.


      It is generally found at:



      • Windows XP C:Documents and SettingsAll UsersStart
        MenuProgramsStartup


      • Windows NT C:wontProfilesAll UsersStart
        MenuProgramsStartup


      • Windows 2000 C:Documents and SettingsAll
        UsersStart MenuProgramsStartup




    11. User Profile Startup Folder



      • This folder will be executed for the particular user who logs in.


      This folder is usually found in:



      • Win 9X, ME c:windowsstart menuprogramsstartup

      • Windows XP C:Documents and SettingsLoginNameStart MenuProgramsStartup



    12. RunOnce Current User Key



      • These keys are designed to be used primarily by Setup programs.

      • Entries in these keys are started once and then are deleted from the key.

      • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
        otherwise it will be deleted before the program runs. This is
        important, because if the exclamation point is not used, and the
        program referenced in this key fails to complete, it will not run
        again as it will have already been deleted.

      • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.

      • The RunOnce keys are not supported by Windows NT 3.51.


      Registry Key:



      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce



    13. Explorer Run



      • These keys are generally used to load programs as part of a policy set in place on the computer or user.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun



    14. Load Key



      • This key is not commonly used anymore, but can be used to auto start programs.


      Registry Key:



      HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload



    15. AppInit_DLLs



      • This value corresponds to files being loaded through the AppInit_DLLs Registry value.

      • The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.

      • As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
        also. This makes it very difficult to remove the DLL as it will be
        loaded within multiple processes, some of which can not be stopped
        without causing system instability.

      • The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
        the files loaded in the AppInit_DLLs value will be loaded very early
        in the Windows startup routine allowing the DLL to hide itself or
        protect itself before we have access to the system.


      Registry Key:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows



    16. ShellServiceObjectDelayLoad



      • This Registry value contains values in a similar way as the Run key does.

      • The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
        about the particular DLL file that is being used.

      • The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
        computer, it will always start, thus always loading the files under
        this key. These files are therefore loaded early in the startup
        process before any human intervention occurs.


      Registry Key:



      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad



    17. SharedTaskScheduler



      • This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.

      • The entries in this registry value run automatically when you start windows.


      Registry Key:



      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler



    18. Miscellaneous



      The following are files that programs can autostart from on bootup:



      1. c:autoexec.bat

      2. c:config.sys

      3. windirwininit.ini - Usually used by setup programs to have a file run once and then get deleted.

      4. windirwinstart.bat

      5. windirwin.ini - [windows] "load"

      6. windirwin.ini - [windows] "run"

      7. windirsystem.ini - [boot] "shell"

      8. windirsystem.ini - [boot] "scrnsave.exe"

      9. windirdosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

      10. windirsystemautoexec.nt

      11. windirsystemconfig.nt




    Source Windows Program Automatic Startup Locations




    Disclaimer



    I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.






    share|improve this answer




















    • 3





      I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!

      – Simon Baars
      yesterday







    • 1





      @SimonBaars for comparison linux settings files move all the time (from distro to distro)

      – qwr
      18 hours ago











    • @qwr but at least with modern systemd, all startup programs can be queried with one command

      – lights0123
      16 hours ago











    • Plus ELAM and drivers, both actually used by malware suites.

      – eckes
      16 hours ago











    • Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)

      – eckes
      15 hours ago














    102












    102








    102







    Where do the majority of anti-virus programs start from at OS boot time?




    after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.




    There are many other start up locations you need to check (see later).



    Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:



    enter image description here



    The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun:



    enter image description here




    There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.



    There are a few programs that allow easy checking of the startup locations.




    1. msconfig (Startup tab):



      enter image description here




    2. Autoruns from SysInternals:



      enter image description here




    3. WhatInStartup from NirSoft:



      enter image description here




    4. WinPatrol:



      enter image description here



      Note:



      • WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"

      • You can specify the delay time if you do this.


      enter image description here]12




    How many ways are there for a program to be run at Startup in Windows?



    There are at least 17 locations from where programs can be started. See below.




    Windows Program Automatic Startup Locations




    Upon turning on the computer the following autostart locations are
    processed in the following order:




    1. Windows Boot Device Drivers



      • These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.

      • Boot device drivers will be located under the following key and have a Start value equal to 0.


      Registry Keys:



      HKEY_LOCAL_MACHINESystemCurrentControlSetServices


      Windows will now perform various tasks and then start the Winlogon
      process. Winlogon eventually starts the service control manager that
      loads services and drivers that are set for auto-start.




    2. Windows Auto-start Services & Drivers



      • The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
        drivers that are marked with a Start value of 2.


      Registry Keys:



      HKEY_LOCAL_MACHINESystemCurrentControlSetServices



    3. RunServicesOnce



      • This key is designed to start services when a computer boots up.

      • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
        can start loading its programs.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce



    4. RunServices



      • This key is designed to start services as well.

      • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
        can start loading its programs.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices


      The Windows logon prompt is shown on the Screen. After a user logs in
      the rest of the keys continue.




    5. Notify



      • This key is used to add a program that will run when a particular event occurs.

      • Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.

      • When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
        handle this event.

      • Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
        malware program to load in such a way that it is not easy to stop.


      Registry Key:



      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify



    6. UserInit Key



      • This key specifies what program should be launched right after a user logs into Windows.

      • The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
        restores your profile, fonts, colors, etc for your user name.


      • It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:



        HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
        =C:windowssystem32userinit.exe,c:windowsbadprogram.exe.



      This will make both programs launch when you log in and is a common
      place for trojans, hijackers, and spyware to launch from.
      Registry Key:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit



    7. Shell Value



      • This value contains a list of comma separated values that Userinit.exe will launch.

      • The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
        the shell, it will first launch the Shell value found in
        HKEY_CURRENT_USER. If this value is not present, it will then launch
        the value found in HKEY_LOCAL_MACHINE.


      Registry Key:



      HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
      HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell


      The rest of the Autostart locations will now be processed.




    8. RunOnce Local Machine Key



      • These keys are designed to be used primarily by Setup programs.

      • Entries in these keys are started once and then are deleted from the key.

      • If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
        otherwise it will be deleted before the program runs. This is
        important, because if the exclamation point is not used, and the
        program referenced in this key fails to complete, it will not run
        again as it will have already been deleted.

      • All entries in this key are started synchronously in an undefined order.

      • Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
        HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.

      • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx



    9. Run



      • These are the most common startup locations for programs to install auto start from.

      • By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun



    10. All Users Startup Folder



      • For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.


      It is generally found at:



      • Windows XP C:Documents and SettingsAll UsersStart
        MenuProgramsStartup


      • Windows NT C:wontProfilesAll UsersStart
        MenuProgramsStartup


      • Windows 2000 C:Documents and SettingsAll
        UsersStart MenuProgramsStartup




    11. User Profile Startup Folder



      • This folder will be executed for the particular user who logs in.


      This folder is usually found in:



      • Win 9X, ME c:windowsstart menuprogramsstartup

      • Windows XP C:Documents and SettingsLoginNameStart MenuProgramsStartup



    12. RunOnce Current User Key



      • These keys are designed to be used primarily by Setup programs.

      • Entries in these keys are started once and then are deleted from the key.

      • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
        otherwise it will be deleted before the program runs. This is
        important, because if the exclamation point is not used, and the
        program referenced in this key fails to complete, it will not run
        again as it will have already been deleted.

      • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.

      • The RunOnce keys are not supported by Windows NT 3.51.


      Registry Key:



      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce



    13. Explorer Run



      • These keys are generally used to load programs as part of a policy set in place on the computer or user.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun



    14. Load Key



      • This key is not commonly used anymore, but can be used to auto start programs.


      Registry Key:



      HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload



    15. AppInit_DLLs



      • This value corresponds to files being loaded through the AppInit_DLLs Registry value.

      • The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.

      • As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
        also. This makes it very difficult to remove the DLL as it will be
        loaded within multiple processes, some of which can not be stopped
        without causing system instability.

      • The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
        the files loaded in the AppInit_DLLs value will be loaded very early
        in the Windows startup routine allowing the DLL to hide itself or
        protect itself before we have access to the system.


      Registry Key:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows



    16. ShellServiceObjectDelayLoad



      • This Registry value contains values in a similar way as the Run key does.

      • The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
        about the particular DLL file that is being used.

      • The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
        computer, it will always start, thus always loading the files under
        this key. These files are therefore loaded early in the startup
        process before any human intervention occurs.


      Registry Key:



      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad



    17. SharedTaskScheduler



      • This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.

      • The entries in this registry value run automatically when you start windows.


      Registry Key:



      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler



    18. Miscellaneous



      The following are files that programs can autostart from on bootup:



      1. c:autoexec.bat

      2. c:config.sys

      3. windirwininit.ini - Usually used by setup programs to have a file run once and then get deleted.

      4. windirwinstart.bat

      5. windirwin.ini - [windows] "load"

      6. windirwin.ini - [windows] "run"

      7. windirsystem.ini - [boot] "shell"

      8. windirsystem.ini - [boot] "scrnsave.exe"

      9. windirdosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

      10. windirsystemautoexec.nt

      11. windirsystemconfig.nt




    Source Windows Program Automatic Startup Locations




    Disclaimer



    I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.






    share|improve this answer















    Where do the majority of anti-virus programs start from at OS boot time?




    after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.




    There are many other start up locations you need to check (see later).



    Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:



    enter image description here



    The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun:



    enter image description here




    There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.



    There are a few programs that allow easy checking of the startup locations.




    1. msconfig (Startup tab):



      enter image description here




    2. Autoruns from SysInternals:



      enter image description here




    3. WhatInStartup from NirSoft:



      enter image description here




    4. WinPatrol:



      enter image description here



      Note:



      • WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"

      • You can specify the delay time if you do this.


      enter image description here]12




    How many ways are there for a program to be run at Startup in Windows?



    There are at least 17 locations from where programs can be started. See below.




    Windows Program Automatic Startup Locations




    Upon turning on the computer the following autostart locations are
    processed in the following order:




    1. Windows Boot Device Drivers



      • These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.

      • Boot device drivers will be located under the following key and have a Start value equal to 0.


      Registry Keys:



      HKEY_LOCAL_MACHINESystemCurrentControlSetServices


      Windows will now perform various tasks and then start the Winlogon
      process. Winlogon eventually starts the service control manager that
      loads services and drivers that are set for auto-start.




    2. Windows Auto-start Services & Drivers



      • The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
        drivers that are marked with a Start value of 2.


      Registry Keys:



      HKEY_LOCAL_MACHINESystemCurrentControlSetServices



    3. RunServicesOnce



      • This key is designed to start services when a computer boots up.

      • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
        can start loading its programs.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce



    4. RunServices



      • This key is designed to start services as well.

      • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
        can start loading its programs.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices


      The Windows logon prompt is shown on the Screen. After a user logs in
      the rest of the keys continue.




    5. Notify



      • This key is used to add a program that will run when a particular event occurs.

      • Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.

      • When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
        handle this event.

      • Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
        malware program to load in such a way that it is not easy to stop.


      Registry Key:



      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify



    6. UserInit Key



      • This key specifies what program should be launched right after a user logs into Windows.

      • The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
        restores your profile, fonts, colors, etc for your user name.


      • It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:



        HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
        =C:windowssystem32userinit.exe,c:windowsbadprogram.exe.



      This will make both programs launch when you log in and is a common
      place for trojans, hijackers, and spyware to launch from.
      Registry Key:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit



    7. Shell Value



      • This value contains a list of comma separated values that Userinit.exe will launch.

      • The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
        the shell, it will first launch the Shell value found in
        HKEY_CURRENT_USER. If this value is not present, it will then launch
        the value found in HKEY_LOCAL_MACHINE.


      Registry Key:



      HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
      HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell


      The rest of the Autostart locations will now be processed.




    8. RunOnce Local Machine Key



      • These keys are designed to be used primarily by Setup programs.

      • Entries in these keys are started once and then are deleted from the key.

      • If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
        otherwise it will be deleted before the program runs. This is
        important, because if the exclamation point is not used, and the
        program referenced in this key fails to complete, it will not run
        again as it will have already been deleted.

      • All entries in this key are started synchronously in an undefined order.

      • Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
        HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.

      • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx



    9. Run



      • These are the most common startup locations for programs to install auto start from.

      • By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun



    10. All Users Startup Folder



      • For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.


      It is generally found at:



      • Windows XP C:Documents and SettingsAll UsersStart
        MenuProgramsStartup


      • Windows NT C:wontProfilesAll UsersStart
        MenuProgramsStartup


      • Windows 2000 C:Documents and SettingsAll
        UsersStart MenuProgramsStartup




    11. User Profile Startup Folder



      • This folder will be executed for the particular user who logs in.


      This folder is usually found in:



      • Win 9X, ME c:windowsstart menuprogramsstartup

      • Windows XP C:Documents and SettingsLoginNameStart MenuProgramsStartup



    12. RunOnce Current User Key



      • These keys are designed to be used primarily by Setup programs.

      • Entries in these keys are started once and then are deleted from the key.

      • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
        otherwise it will be deleted before the program runs. This is
        important, because if the exclamation point is not used, and the
        program referenced in this key fails to complete, it will not run
        again as it will have already been deleted.

      • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.

      • The RunOnce keys are not supported by Windows NT 3.51.


      Registry Key:



      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce



    13. Explorer Run



      • These keys are generally used to load programs as part of a policy set in place on the computer or user.


      Registry Keys:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
      HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun



    14. Load Key



      • This key is not commonly used anymore, but can be used to auto start programs.


      Registry Key:



      HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload



    15. AppInit_DLLs



      • This value corresponds to files being loaded through the AppInit_DLLs Registry value.

      • The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.

      • As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
        also. This makes it very difficult to remove the DLL as it will be
        loaded within multiple processes, some of which can not be stopped
        without causing system instability.

      • The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
        the files loaded in the AppInit_DLLs value will be loaded very early
        in the Windows startup routine allowing the DLL to hide itself or
        protect itself before we have access to the system.


      Registry Key:



      HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows



    16. ShellServiceObjectDelayLoad



      • This Registry value contains values in a similar way as the Run key does.

      • The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
        about the particular DLL file that is being used.

      • The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
        computer, it will always start, thus always loading the files under
        this key. These files are therefore loaded early in the startup
        process before any human intervention occurs.


      Registry Key:



      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad



    17. SharedTaskScheduler



      • This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.

      • The entries in this registry value run automatically when you start windows.


      Registry Key:



      HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler



    18. Miscellaneous



      The following are files that programs can autostart from on bootup:



      1. c:autoexec.bat

      2. c:config.sys

      3. windirwininit.ini - Usually used by setup programs to have a file run once and then get deleted.

      4. windirwinstart.bat

      5. windirwin.ini - [windows] "load"

      6. windirwin.ini - [windows] "run"

      7. windirsystem.ini - [boot] "shell"

      8. windirsystem.ini - [boot] "scrnsave.exe"

      9. windirdosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

      10. windirsystemautoexec.nt

      11. windirsystemconfig.nt




    Source Windows Program Automatic Startup Locations




    Disclaimer



    I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited yesterday

























    answered 2 days ago









    DavidPostillDavidPostill

    107k27232267




    107k27232267







    • 3





      I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!

      – Simon Baars
      yesterday







    • 1





      @SimonBaars for comparison linux settings files move all the time (from distro to distro)

      – qwr
      18 hours ago











    • @qwr but at least with modern systemd, all startup programs can be queried with one command

      – lights0123
      16 hours ago











    • Plus ELAM and drivers, both actually used by malware suites.

      – eckes
      16 hours ago











    • Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)

      – eckes
      15 hours ago













    • 3





      I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!

      – Simon Baars
      yesterday







    • 1





      @SimonBaars for comparison linux settings files move all the time (from distro to distro)

      – qwr
      18 hours ago











    • @qwr but at least with modern systemd, all startup programs can be queried with one command

      – lights0123
      16 hours ago











    • Plus ELAM and drivers, both actually used by malware suites.

      – eckes
      16 hours ago











    • Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)

      – eckes
      15 hours ago








    3




    3





    I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!

    – Simon Baars
    yesterday






    I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!

    – Simon Baars
    yesterday





    1




    1





    @SimonBaars for comparison linux settings files move all the time (from distro to distro)

    – qwr
    18 hours ago





    @SimonBaars for comparison linux settings files move all the time (from distro to distro)

    – qwr
    18 hours ago













    @qwr but at least with modern systemd, all startup programs can be queried with one command

    – lights0123
    16 hours ago





    @qwr but at least with modern systemd, all startup programs can be queried with one command

    – lights0123
    16 hours ago













    Plus ELAM and drivers, both actually used by malware suites.

    – eckes
    16 hours ago





    Plus ELAM and drivers, both actually used by malware suites.

    – eckes
    16 hours ago













    Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)

    – eckes
    15 hours ago






    Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)

    – eckes
    15 hours ago














    12














    Security products typically have a number of components, for example:



    • One or more file system filter drivers that sits in the kernel. Typically these are mini-filters that can be listed using the command line tool fltmc.exe. You can also see drivers loaded into the "System" process using a tool such as Process Explorer. They are likely responsible for filtering the opening and closing of files and making requests of the user mode services for scanning of the file before letting the file be accessed.

    • There maybe other drivers for filtering network traffic. NDIS filter drives on older platforms, say Win 7 and WFP drivers for newer platforms, e.g. Win 8.1 and later.

    • One or more user mode services. One of which typically loads virus data and performs the actually scanning. There are typically other services for management, updating, etc.

    • Additional processes that may start from the "Run" key of the registry and run in the context of the logged on user. These typically provide the user interface and take care of user messaging.

    So in short they are usually a combination of services, drivers and processes running as the logged on user. From your question, it sounds like you're looking at the later. By running services.msc you will see the user mode services and running a tool such driverquery.exe, or even misnfo32, you can see the drivers. User mode services and kernel drivers all are referenced in the Service Control Manager's (SCM) database under: hklmsystemcurrentcontrolsetservices






    share|improve this answer





























      12














      Security products typically have a number of components, for example:



      • One or more file system filter drivers that sits in the kernel. Typically these are mini-filters that can be listed using the command line tool fltmc.exe. You can also see drivers loaded into the "System" process using a tool such as Process Explorer. They are likely responsible for filtering the opening and closing of files and making requests of the user mode services for scanning of the file before letting the file be accessed.

      • There maybe other drivers for filtering network traffic. NDIS filter drives on older platforms, say Win 7 and WFP drivers for newer platforms, e.g. Win 8.1 and later.

      • One or more user mode services. One of which typically loads virus data and performs the actually scanning. There are typically other services for management, updating, etc.

      • Additional processes that may start from the "Run" key of the registry and run in the context of the logged on user. These typically provide the user interface and take care of user messaging.

      So in short they are usually a combination of services, drivers and processes running as the logged on user. From your question, it sounds like you're looking at the later. By running services.msc you will see the user mode services and running a tool such driverquery.exe, or even misnfo32, you can see the drivers. User mode services and kernel drivers all are referenced in the Service Control Manager's (SCM) database under: hklmsystemcurrentcontrolsetservices






      share|improve this answer



























        12












        12








        12







        Security products typically have a number of components, for example:



        • One or more file system filter drivers that sits in the kernel. Typically these are mini-filters that can be listed using the command line tool fltmc.exe. You can also see drivers loaded into the "System" process using a tool such as Process Explorer. They are likely responsible for filtering the opening and closing of files and making requests of the user mode services for scanning of the file before letting the file be accessed.

        • There maybe other drivers for filtering network traffic. NDIS filter drives on older platforms, say Win 7 and WFP drivers for newer platforms, e.g. Win 8.1 and later.

        • One or more user mode services. One of which typically loads virus data and performs the actually scanning. There are typically other services for management, updating, etc.

        • Additional processes that may start from the "Run" key of the registry and run in the context of the logged on user. These typically provide the user interface and take care of user messaging.

        So in short they are usually a combination of services, drivers and processes running as the logged on user. From your question, it sounds like you're looking at the later. By running services.msc you will see the user mode services and running a tool such driverquery.exe, or even misnfo32, you can see the drivers. User mode services and kernel drivers all are referenced in the Service Control Manager's (SCM) database under: hklmsystemcurrentcontrolsetservices






        share|improve this answer















        Security products typically have a number of components, for example:



        • One or more file system filter drivers that sits in the kernel. Typically these are mini-filters that can be listed using the command line tool fltmc.exe. You can also see drivers loaded into the "System" process using a tool such as Process Explorer. They are likely responsible for filtering the opening and closing of files and making requests of the user mode services for scanning of the file before letting the file be accessed.

        • There maybe other drivers for filtering network traffic. NDIS filter drives on older platforms, say Win 7 and WFP drivers for newer platforms, e.g. Win 8.1 and later.

        • One or more user mode services. One of which typically loads virus data and performs the actually scanning. There are typically other services for management, updating, etc.

        • Additional processes that may start from the "Run" key of the registry and run in the context of the logged on user. These typically provide the user interface and take care of user messaging.

        So in short they are usually a combination of services, drivers and processes running as the logged on user. From your question, it sounds like you're looking at the later. By running services.msc you will see the user mode services and running a tool such driverquery.exe, or even misnfo32, you can see the drivers. User mode services and kernel drivers all are referenced in the Service Control Manager's (SCM) database under: hklmsystemcurrentcontrolsetservices







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited yesterday

























        answered 2 days ago









        HelpingHandHelpingHand

        1,125410




        1,125410



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1413524%2fhow-do-anti-virus-programs-start-at-windows-boot%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Adding axes to figuresAdding axes labels to LaTeX figuresLaTeX equivalent of ConTeXt buffersRotate a node but not its content: the case of the ellipse decorationHow to define the default vertical distance between nodes?TikZ scaling graphic and adjust node position and keep font sizeNumerical conditional within tikz keys?adding axes to shapesAlign axes across subfiguresAdding figures with a certain orderLine up nested tikz enviroments or how to get rid of themAdding axes labels to LaTeX figures

            Tähtien Talli Jäsenet | Lähteet | NavigointivalikkoSuomen Hippos – Tähtien Talli

            Do these cracks on my tires look bad? The Next CEO of Stack OverflowDry rot tire should I replace?Having to replace tiresFishtailed so easily? Bad tires? ABS?Filling the tires with something other than air, to avoid puncture hassles?Used Michelin tires safe to install?Do these tyre cracks necessitate replacement?Rumbling noise: tires or mechanicalIs it possible to fix noisy feathered tires?Are bad winter tires still better than summer tires in winter?Torque converter failure - Related to replacing only 2 tires?Why use snow tires on all 4 wheels on 2-wheel-drive cars?