How do anti-virus programs start at Windows boot?Mysterious .tmp files generated in C:WindowsSystem32 folder upon bootingFlash Player Automatic Updater on Windows StartupWindows 7 says Avast is off, but it's not! Am I infected?Prevent applications from automatically startingFake anti-virus?Anti-virus Software downloadsVista Startup - Cannot Find the File SpecifiedMost programs not visible in Programs and Features in windows 7Windows - Automatic log-in, then log off after first log-in onlySystem misbehaving because of a program “Search the Web (Yahoo)”
Why doesn't the EU now just force the UK to choose between referendum and no-deal?
Is having access to past exams cheating and, if yes, could it be proven just by a good grade?
Property of summation
Software described as 香ばしい
Make a transparent 448*448 image
How to explain that I do not want to visit a country due to personal safety concern?
How to simplify this time periods definition interface?
Are the common programs (for example: "ls", "cat") in Linux and BSD come from the same source code?
At what level can a dragon innately cast its spells?
What's causing this power spike in STM32 low power mode
PTIJ: Who should I vote for? (21st Knesset Edition)
Instead of Universal Basic Income, why not Universal Basic NEEDS?
How do anti-virus programs start at Windows boot?
Why would a flight no longer considered airworthy be redirected like this?
How could a scammer know the apps on my phone / iTunes account?
Problems with making formula look great
If curse and magic is two sides of the same coin, why the former is forbidden?
What is the significance behind "40 days" that often appears in the Bible?
If I can solve Sudoku can I solve TSP? If yes, how?
Fibers of the morphism from the free Heyting algebra to the free Boolean algebra
What are substitutions for coconut in curry?
AG Cluster db upgrade by vendor
It's a yearly task, alright
What options are left, if Britain cannot decide?
How do anti-virus programs start at Windows boot?
Mysterious .tmp files generated in C:WindowsSystem32 folder upon bootingFlash Player Automatic Updater on Windows StartupWindows 7 says Avast is off, but it's not! Am I infected?Prevent applications from automatically startingFake anti-virus?Anti-virus Software downloadsVista Startup - Cannot Find the File SpecifiedMost programs not visible in Programs and Features in windows 7Windows - Automatic log-in, then log off after first log-in onlySystem misbehaving because of a program “Search the Web (Yahoo)”
When performing some testing, I noticed that after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location. Taking this into account, in which location do the majority of anti-virus programs locate themselves so that they will automatically start at OS boot time?
windows boot anti-virus
add a comment |
When performing some testing, I noticed that after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location. Taking this into account, in which location do the majority of anti-virus programs locate themselves so that they will automatically start at OS boot time?
windows boot anti-virus
3
What boot "time" are you actually referring to, directly after the boot loader or when you see the black screen (or not) just before the login screen appears? This is a very important distinction. The "directly after boot loader" approach is done with drivers and happens before windows even loads (e.g. rebooting your pc to remove viruses that can't be removed while windows is running).
– Gizmo
2 days ago
Typically the on-access drivers are filter drivers (devices). There is also a new function for early launch malware detection called ELAM docs.microsoft.com/en-us/windows-hardware/drivers/install/…. Besides that normal Autorun, services and explorer extensions are used mostly for UI and supporting stuff like refreshing signatures and drivers. Behavior detection often works by injecting dlls.
– eckes
yesterday
add a comment |
When performing some testing, I noticed that after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location. Taking this into account, in which location do the majority of anti-virus programs locate themselves so that they will automatically start at OS boot time?
windows boot anti-virus
When performing some testing, I noticed that after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location. Taking this into account, in which location do the majority of anti-virus programs locate themselves so that they will automatically start at OS boot time?
windows boot anti-virus
windows boot anti-virus
edited 2 days ago
Kolappan Nathan
437413
437413
asked 2 days ago
elliott94elliott94
38627
38627
3
What boot "time" are you actually referring to, directly after the boot loader or when you see the black screen (or not) just before the login screen appears? This is a very important distinction. The "directly after boot loader" approach is done with drivers and happens before windows even loads (e.g. rebooting your pc to remove viruses that can't be removed while windows is running).
– Gizmo
2 days ago
Typically the on-access drivers are filter drivers (devices). There is also a new function for early launch malware detection called ELAM docs.microsoft.com/en-us/windows-hardware/drivers/install/…. Besides that normal Autorun, services and explorer extensions are used mostly for UI and supporting stuff like refreshing signatures and drivers. Behavior detection often works by injecting dlls.
– eckes
yesterday
add a comment |
3
What boot "time" are you actually referring to, directly after the boot loader or when you see the black screen (or not) just before the login screen appears? This is a very important distinction. The "directly after boot loader" approach is done with drivers and happens before windows even loads (e.g. rebooting your pc to remove viruses that can't be removed while windows is running).
– Gizmo
2 days ago
Typically the on-access drivers are filter drivers (devices). There is also a new function for early launch malware detection called ELAM docs.microsoft.com/en-us/windows-hardware/drivers/install/…. Besides that normal Autorun, services and explorer extensions are used mostly for UI and supporting stuff like refreshing signatures and drivers. Behavior detection often works by injecting dlls.
– eckes
yesterday
3
3
What boot "time" are you actually referring to, directly after the boot loader or when you see the black screen (or not) just before the login screen appears? This is a very important distinction. The "directly after boot loader" approach is done with drivers and happens before windows even loads (e.g. rebooting your pc to remove viruses that can't be removed while windows is running).
– Gizmo
2 days ago
What boot "time" are you actually referring to, directly after the boot loader or when you see the black screen (or not) just before the login screen appears? This is a very important distinction. The "directly after boot loader" approach is done with drivers and happens before windows even loads (e.g. rebooting your pc to remove viruses that can't be removed while windows is running).
– Gizmo
2 days ago
Typically the on-access drivers are filter drivers (devices). There is also a new function for early launch malware detection called ELAM docs.microsoft.com/en-us/windows-hardware/drivers/install/…. Besides that normal Autorun, services and explorer extensions are used mostly for UI and supporting stuff like refreshing signatures and drivers. Behavior detection often works by injecting dlls.
– eckes
yesterday
Typically the on-access drivers are filter drivers (devices). There is also a new function for early launch malware detection called ELAM docs.microsoft.com/en-us/windows-hardware/drivers/install/…. Besides that normal Autorun, services and explorer extensions are used mostly for UI and supporting stuff like refreshing signatures and drivers. Behavior detection often works by injecting dlls.
– eckes
yesterday
add a comment |
2 Answers
2
active
oldest
votes
Where do the majority of anti-virus programs start from at OS boot time?
after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.
There are many other start up locations you need to check (see later).
Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:
The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun
:
There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.
There are a few programs that allow easy checking of the startup locations.
msconfig (Startup tab):
Autoruns from SysInternals:
WhatInStartup from NirSoft:
WinPatrol:
Note:
- WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"
- You can specify the delay time if you do this.
]12
How many ways are there for a program to be run at Startup in Windows?
There are at least 17 locations from where programs can be started. See below.
Windows Program Automatic Startup Locations
Upon turning on the computer the following autostart locations are
processed in the following order:
Windows Boot Device Drivers
- These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.
- Boot device drivers will be located under the following key and have a Start value equal to 0.
Registry Keys:HKEY_LOCAL_MACHINESystemCurrentControlSetServices
Windows will now perform various tasks and then start the Winlogon
process. Winlogon eventually starts the service control manager that
loads services and drivers that are set for auto-start.
Windows Auto-start Services & Drivers
- The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
drivers that are marked with a Start value of 2.
Registry Keys:HKEY_LOCAL_MACHINESystemCurrentControlSetServices
RunServicesOnce
- This key is designed to start services when a computer boots up.
- These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
can start loading its programs.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
RunServices
- This key is designed to start services as well.
- These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
can start loading its programs.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices
The Windows logon prompt is shown on the Screen. After a user logs in
the rest of the keys continue.
Notify
- This key is used to add a program that will run when a particular event occurs.
- Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.
- When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
handle this event.
- Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
malware program to load in such a way that it is not easy to stop.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify
UserInit Key
- This key specifies what program should be launched right after a user logs into Windows.
- The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
restores your profile, fonts, colors, etc for your user name.
It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:
HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
=C:windowssystem32userinit.exe,c:windowsbadprogram.exe.
This will make both programs launch when you log in and is a common
place for trojans, hijackers, and spyware to launch from.
Registry Key:HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
Shell Value
- This value contains a list of comma separated values that Userinit.exe will launch.
- The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
the shell, it will first launch the Shell value found in
HKEY_CURRENT_USER. If this value is not present, it will then launch
the value found in HKEY_LOCAL_MACHINE.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
The rest of the Autostart locations will now be processed.
RunOnce Local Machine Key
- These keys are designed to be used primarily by Setup programs.
- Entries in these keys are started once and then are deleted from the key.
- If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
otherwise it will be deleted before the program runs. This is
important, because if the exclamation point is not used, and the
program referenced in this key fails to complete, it will not run
again as it will have already been deleted.
- All entries in this key are started synchronously in an undefined order.
- Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.
- The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx
Run
- These are the most common startup locations for programs to install auto start from.
- By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
All Users Startup Folder
- For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.
It is generally found at:
Windows XP
C:Documents and SettingsAll UsersStart
MenuProgramsStartup
Windows NT
C:wontProfilesAll UsersStart
MenuProgramsStartup
Windows 2000
C:Documents and SettingsAll
UsersStart MenuProgramsStartup
User Profile Startup Folder
- This folder will be executed for the particular user who logs in.
This folder is usually found in:
- Win 9X, ME
c:windowsstart menuprogramsstartup
- Windows XP
C:Documents and SettingsLoginNameStart MenuProgramsStartup
RunOnce Current User Key
- These keys are designed to be used primarily by Setup programs.
- Entries in these keys are started once and then are deleted from the key.
- If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
otherwise it will be deleted before the program runs. This is
important, because if the exclamation point is not used, and the
program referenced in this key fails to complete, it will not run
again as it will have already been deleted.
- The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.
- The RunOnce keys are not supported by Windows NT 3.51.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
Explorer Run
- These keys are generally used to load programs as part of a policy set in place on the computer or user.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
Load Key
- This key is not commonly used anymore, but can be used to auto start programs.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload
AppInit_DLLs
- This value corresponds to files being loaded through the AppInit_DLLs Registry value.
- The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.
- As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
also. This makes it very difficult to remove the DLL as it will be
loaded within multiple processes, some of which can not be stopped
without causing system instability.
- The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
the files loaded in the AppInit_DLLs value will be loaded very early
in the Windows startup routine allowing the DLL to hide itself or
protect itself before we have access to the system.
Registry Key:HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows
ShellServiceObjectDelayLoad
- This Registry value contains values in a similar way as the Run key does.
- The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
about the particular DLL file that is being used.
- The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
computer, it will always start, thus always loading the files under
this key. These files are therefore loaded early in the startup
process before any human intervention occurs.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad
SharedTaskScheduler
- This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.
- The entries in this registry value run automatically when you start windows.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler
Miscellaneous
The following are files that programs can autostart from on bootup:
- c:autoexec.bat
- c:config.sys
- windirwininit.ini - Usually used by setup programs to have a file run once and then get deleted.
- windirwinstart.bat
- windirwin.ini - [windows] "load"
- windirwin.ini - [windows] "run"
- windirsystem.ini - [boot] "shell"
- windirsystem.ini - [boot] "scrnsave.exe"
- windirdosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.
- windirsystemautoexec.nt
- windirsystemconfig.nt
Source Windows Program Automatic Startup Locations
Disclaimer
I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.
3
I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!
– Simon Baars
yesterday
1
@SimonBaars for comparison linux settings files move all the time (from distro to distro)
– qwr
18 hours ago
@qwr but at least with modern systemd, all startup programs can be queried with one command
– lights0123
16 hours ago
Plus ELAM and drivers, both actually used by malware suites.
– eckes
16 hours ago
Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)
– eckes
15 hours ago
add a comment |
Security products typically have a number of components, for example:
- One or more file system filter drivers that sits in the kernel. Typically these are mini-filters that can be listed using the command line tool fltmc.exe. You can also see drivers loaded into the "System" process using a tool such as Process Explorer. They are likely responsible for filtering the opening and closing of files and making requests of the user mode services for scanning of the file before letting the file be accessed.
- There maybe other drivers for filtering network traffic. NDIS filter drives on older platforms, say Win 7 and WFP drivers for newer platforms, e.g. Win 8.1 and later.
- One or more user mode services. One of which typically loads virus data and performs the actually scanning. There are typically other services for management, updating, etc.
- Additional processes that may start from the "Run" key of the registry and run in the context of the logged on user. These typically provide the user interface and take care of user messaging.
So in short they are usually a combination of services, drivers and processes running as the logged on user. From your question, it sounds like you're looking at the later. By running services.msc you will see the user mode services and running a tool such driverquery.exe, or even misnfo32, you can see the drivers. User mode services and kernel drivers all are referenced in the Service Control Manager's (SCM) database under: hklmsystemcurrentcontrolsetservices
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "3"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1413524%2fhow-do-anti-virus-programs-start-at-windows-boot%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
Where do the majority of anti-virus programs start from at OS boot time?
after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.
There are many other start up locations you need to check (see later).
Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:
The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun
:
There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.
There are a few programs that allow easy checking of the startup locations.
msconfig (Startup tab):
Autoruns from SysInternals:
WhatInStartup from NirSoft:
WinPatrol:
Note:
- WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"
- You can specify the delay time if you do this.
]12
How many ways are there for a program to be run at Startup in Windows?
There are at least 17 locations from where programs can be started. See below.
Windows Program Automatic Startup Locations
Upon turning on the computer the following autostart locations are
processed in the following order:
Windows Boot Device Drivers
- These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.
- Boot device drivers will be located under the following key and have a Start value equal to 0.
Registry Keys:HKEY_LOCAL_MACHINESystemCurrentControlSetServices
Windows will now perform various tasks and then start the Winlogon
process. Winlogon eventually starts the service control manager that
loads services and drivers that are set for auto-start.
Windows Auto-start Services & Drivers
- The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
drivers that are marked with a Start value of 2.
Registry Keys:HKEY_LOCAL_MACHINESystemCurrentControlSetServices
RunServicesOnce
- This key is designed to start services when a computer boots up.
- These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
can start loading its programs.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
RunServices
- This key is designed to start services as well.
- These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
can start loading its programs.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices
The Windows logon prompt is shown on the Screen. After a user logs in
the rest of the keys continue.
Notify
- This key is used to add a program that will run when a particular event occurs.
- Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.
- When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
handle this event.
- Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
malware program to load in such a way that it is not easy to stop.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify
UserInit Key
- This key specifies what program should be launched right after a user logs into Windows.
- The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
restores your profile, fonts, colors, etc for your user name.
It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:
HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
=C:windowssystem32userinit.exe,c:windowsbadprogram.exe.
This will make both programs launch when you log in and is a common
place for trojans, hijackers, and spyware to launch from.
Registry Key:HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
Shell Value
- This value contains a list of comma separated values that Userinit.exe will launch.
- The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
the shell, it will first launch the Shell value found in
HKEY_CURRENT_USER. If this value is not present, it will then launch
the value found in HKEY_LOCAL_MACHINE.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
The rest of the Autostart locations will now be processed.
RunOnce Local Machine Key
- These keys are designed to be used primarily by Setup programs.
- Entries in these keys are started once and then are deleted from the key.
- If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
otherwise it will be deleted before the program runs. This is
important, because if the exclamation point is not used, and the
program referenced in this key fails to complete, it will not run
again as it will have already been deleted.
- All entries in this key are started synchronously in an undefined order.
- Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.
- The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx
Run
- These are the most common startup locations for programs to install auto start from.
- By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
All Users Startup Folder
- For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.
It is generally found at:
Windows XP
C:Documents and SettingsAll UsersStart
MenuProgramsStartup
Windows NT
C:wontProfilesAll UsersStart
MenuProgramsStartup
Windows 2000
C:Documents and SettingsAll
UsersStart MenuProgramsStartup
User Profile Startup Folder
- This folder will be executed for the particular user who logs in.
This folder is usually found in:
- Win 9X, ME
c:windowsstart menuprogramsstartup
- Windows XP
C:Documents and SettingsLoginNameStart MenuProgramsStartup
RunOnce Current User Key
- These keys are designed to be used primarily by Setup programs.
- Entries in these keys are started once and then are deleted from the key.
- If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
otherwise it will be deleted before the program runs. This is
important, because if the exclamation point is not used, and the
program referenced in this key fails to complete, it will not run
again as it will have already been deleted.
- The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.
- The RunOnce keys are not supported by Windows NT 3.51.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
Explorer Run
- These keys are generally used to load programs as part of a policy set in place on the computer or user.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
Load Key
- This key is not commonly used anymore, but can be used to auto start programs.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload
AppInit_DLLs
- This value corresponds to files being loaded through the AppInit_DLLs Registry value.
- The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.
- As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
also. This makes it very difficult to remove the DLL as it will be
loaded within multiple processes, some of which can not be stopped
without causing system instability.
- The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
the files loaded in the AppInit_DLLs value will be loaded very early
in the Windows startup routine allowing the DLL to hide itself or
protect itself before we have access to the system.
Registry Key:HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows
ShellServiceObjectDelayLoad
- This Registry value contains values in a similar way as the Run key does.
- The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
about the particular DLL file that is being used.
- The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
computer, it will always start, thus always loading the files under
this key. These files are therefore loaded early in the startup
process before any human intervention occurs.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad
SharedTaskScheduler
- This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.
- The entries in this registry value run automatically when you start windows.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler
Miscellaneous
The following are files that programs can autostart from on bootup:
- c:autoexec.bat
- c:config.sys
- windirwininit.ini - Usually used by setup programs to have a file run once and then get deleted.
- windirwinstart.bat
- windirwin.ini - [windows] "load"
- windirwin.ini - [windows] "run"
- windirsystem.ini - [boot] "shell"
- windirsystem.ini - [boot] "scrnsave.exe"
- windirdosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.
- windirsystemautoexec.nt
- windirsystemconfig.nt
Source Windows Program Automatic Startup Locations
Disclaimer
I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.
3
I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!
– Simon Baars
yesterday
1
@SimonBaars for comparison linux settings files move all the time (from distro to distro)
– qwr
18 hours ago
@qwr but at least with modern systemd, all startup programs can be queried with one command
– lights0123
16 hours ago
Plus ELAM and drivers, both actually used by malware suites.
– eckes
16 hours ago
Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)
– eckes
15 hours ago
add a comment |
Where do the majority of anti-virus programs start from at OS boot time?
after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.
There are many other start up locations you need to check (see later).
Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:
The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun
:
There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.
There are a few programs that allow easy checking of the startup locations.
msconfig (Startup tab):
Autoruns from SysInternals:
WhatInStartup from NirSoft:
WinPatrol:
Note:
- WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"
- You can specify the delay time if you do this.
]12
How many ways are there for a program to be run at Startup in Windows?
There are at least 17 locations from where programs can be started. See below.
Windows Program Automatic Startup Locations
Upon turning on the computer the following autostart locations are
processed in the following order:
Windows Boot Device Drivers
- These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.
- Boot device drivers will be located under the following key and have a Start value equal to 0.
Registry Keys:HKEY_LOCAL_MACHINESystemCurrentControlSetServices
Windows will now perform various tasks and then start the Winlogon
process. Winlogon eventually starts the service control manager that
loads services and drivers that are set for auto-start.
Windows Auto-start Services & Drivers
- The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
drivers that are marked with a Start value of 2.
Registry Keys:HKEY_LOCAL_MACHINESystemCurrentControlSetServices
RunServicesOnce
- This key is designed to start services when a computer boots up.
- These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
can start loading its programs.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
RunServices
- This key is designed to start services as well.
- These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
can start loading its programs.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices
The Windows logon prompt is shown on the Screen. After a user logs in
the rest of the keys continue.
Notify
- This key is used to add a program that will run when a particular event occurs.
- Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.
- When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
handle this event.
- Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
malware program to load in such a way that it is not easy to stop.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify
UserInit Key
- This key specifies what program should be launched right after a user logs into Windows.
- The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
restores your profile, fonts, colors, etc for your user name.
It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:
HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
=C:windowssystem32userinit.exe,c:windowsbadprogram.exe.
This will make both programs launch when you log in and is a common
place for trojans, hijackers, and spyware to launch from.
Registry Key:HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
Shell Value
- This value contains a list of comma separated values that Userinit.exe will launch.
- The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
the shell, it will first launch the Shell value found in
HKEY_CURRENT_USER. If this value is not present, it will then launch
the value found in HKEY_LOCAL_MACHINE.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
The rest of the Autostart locations will now be processed.
RunOnce Local Machine Key
- These keys are designed to be used primarily by Setup programs.
- Entries in these keys are started once and then are deleted from the key.
- If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
otherwise it will be deleted before the program runs. This is
important, because if the exclamation point is not used, and the
program referenced in this key fails to complete, it will not run
again as it will have already been deleted.
- All entries in this key are started synchronously in an undefined order.
- Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.
- The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx
Run
- These are the most common startup locations for programs to install auto start from.
- By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
All Users Startup Folder
- For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.
It is generally found at:
Windows XP
C:Documents and SettingsAll UsersStart
MenuProgramsStartup
Windows NT
C:wontProfilesAll UsersStart
MenuProgramsStartup
Windows 2000
C:Documents and SettingsAll
UsersStart MenuProgramsStartup
User Profile Startup Folder
- This folder will be executed for the particular user who logs in.
This folder is usually found in:
- Win 9X, ME
c:windowsstart menuprogramsstartup
- Windows XP
C:Documents and SettingsLoginNameStart MenuProgramsStartup
RunOnce Current User Key
- These keys are designed to be used primarily by Setup programs.
- Entries in these keys are started once and then are deleted from the key.
- If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
otherwise it will be deleted before the program runs. This is
important, because if the exclamation point is not used, and the
program referenced in this key fails to complete, it will not run
again as it will have already been deleted.
- The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.
- The RunOnce keys are not supported by Windows NT 3.51.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
Explorer Run
- These keys are generally used to load programs as part of a policy set in place on the computer or user.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
Load Key
- This key is not commonly used anymore, but can be used to auto start programs.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload
AppInit_DLLs
- This value corresponds to files being loaded through the AppInit_DLLs Registry value.
- The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.
- As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
also. This makes it very difficult to remove the DLL as it will be
loaded within multiple processes, some of which can not be stopped
without causing system instability.
- The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
the files loaded in the AppInit_DLLs value will be loaded very early
in the Windows startup routine allowing the DLL to hide itself or
protect itself before we have access to the system.
Registry Key:HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows
ShellServiceObjectDelayLoad
- This Registry value contains values in a similar way as the Run key does.
- The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
about the particular DLL file that is being used.
- The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
computer, it will always start, thus always loading the files under
this key. These files are therefore loaded early in the startup
process before any human intervention occurs.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad
SharedTaskScheduler
- This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.
- The entries in this registry value run automatically when you start windows.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler
Miscellaneous
The following are files that programs can autostart from on bootup:
- c:autoexec.bat
- c:config.sys
- windirwininit.ini - Usually used by setup programs to have a file run once and then get deleted.
- windirwinstart.bat
- windirwin.ini - [windows] "load"
- windirwin.ini - [windows] "run"
- windirsystem.ini - [boot] "shell"
- windirsystem.ini - [boot] "scrnsave.exe"
- windirdosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.
- windirsystemautoexec.nt
- windirsystemconfig.nt
Source Windows Program Automatic Startup Locations
Disclaimer
I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.
3
I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!
– Simon Baars
yesterday
1
@SimonBaars for comparison linux settings files move all the time (from distro to distro)
– qwr
18 hours ago
@qwr but at least with modern systemd, all startup programs can be queried with one command
– lights0123
16 hours ago
Plus ELAM and drivers, both actually used by malware suites.
– eckes
16 hours ago
Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)
– eckes
15 hours ago
add a comment |
Where do the majority of anti-virus programs start from at OS boot time?
after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.
There are many other start up locations you need to check (see later).
Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:
The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun
:
There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.
There are a few programs that allow easy checking of the startup locations.
msconfig (Startup tab):
Autoruns from SysInternals:
WhatInStartup from NirSoft:
WinPatrol:
Note:
- WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"
- You can specify the delay time if you do this.
]12
How many ways are there for a program to be run at Startup in Windows?
There are at least 17 locations from where programs can be started. See below.
Windows Program Automatic Startup Locations
Upon turning on the computer the following autostart locations are
processed in the following order:
Windows Boot Device Drivers
- These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.
- Boot device drivers will be located under the following key and have a Start value equal to 0.
Registry Keys:HKEY_LOCAL_MACHINESystemCurrentControlSetServices
Windows will now perform various tasks and then start the Winlogon
process. Winlogon eventually starts the service control manager that
loads services and drivers that are set for auto-start.
Windows Auto-start Services & Drivers
- The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
drivers that are marked with a Start value of 2.
Registry Keys:HKEY_LOCAL_MACHINESystemCurrentControlSetServices
RunServicesOnce
- This key is designed to start services when a computer boots up.
- These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
can start loading its programs.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
RunServices
- This key is designed to start services as well.
- These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
can start loading its programs.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices
The Windows logon prompt is shown on the Screen. After a user logs in
the rest of the keys continue.
Notify
- This key is used to add a program that will run when a particular event occurs.
- Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.
- When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
handle this event.
- Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
malware program to load in such a way that it is not easy to stop.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify
UserInit Key
- This key specifies what program should be launched right after a user logs into Windows.
- The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
restores your profile, fonts, colors, etc for your user name.
It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:
HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
=C:windowssystem32userinit.exe,c:windowsbadprogram.exe.
This will make both programs launch when you log in and is a common
place for trojans, hijackers, and spyware to launch from.
Registry Key:HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
Shell Value
- This value contains a list of comma separated values that Userinit.exe will launch.
- The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
the shell, it will first launch the Shell value found in
HKEY_CURRENT_USER. If this value is not present, it will then launch
the value found in HKEY_LOCAL_MACHINE.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
The rest of the Autostart locations will now be processed.
RunOnce Local Machine Key
- These keys are designed to be used primarily by Setup programs.
- Entries in these keys are started once and then are deleted from the key.
- If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
otherwise it will be deleted before the program runs. This is
important, because if the exclamation point is not used, and the
program referenced in this key fails to complete, it will not run
again as it will have already been deleted.
- All entries in this key are started synchronously in an undefined order.
- Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.
- The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx
Run
- These are the most common startup locations for programs to install auto start from.
- By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
All Users Startup Folder
- For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.
It is generally found at:
Windows XP
C:Documents and SettingsAll UsersStart
MenuProgramsStartup
Windows NT
C:wontProfilesAll UsersStart
MenuProgramsStartup
Windows 2000
C:Documents and SettingsAll
UsersStart MenuProgramsStartup
User Profile Startup Folder
- This folder will be executed for the particular user who logs in.
This folder is usually found in:
- Win 9X, ME
c:windowsstart menuprogramsstartup
- Windows XP
C:Documents and SettingsLoginNameStart MenuProgramsStartup
RunOnce Current User Key
- These keys are designed to be used primarily by Setup programs.
- Entries in these keys are started once and then are deleted from the key.
- If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
otherwise it will be deleted before the program runs. This is
important, because if the exclamation point is not used, and the
program referenced in this key fails to complete, it will not run
again as it will have already been deleted.
- The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.
- The RunOnce keys are not supported by Windows NT 3.51.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
Explorer Run
- These keys are generally used to load programs as part of a policy set in place on the computer or user.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
Load Key
- This key is not commonly used anymore, but can be used to auto start programs.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload
AppInit_DLLs
- This value corresponds to files being loaded through the AppInit_DLLs Registry value.
- The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.
- As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
also. This makes it very difficult to remove the DLL as it will be
loaded within multiple processes, some of which can not be stopped
without causing system instability.
- The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
the files loaded in the AppInit_DLLs value will be loaded very early
in the Windows startup routine allowing the DLL to hide itself or
protect itself before we have access to the system.
Registry Key:HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows
ShellServiceObjectDelayLoad
- This Registry value contains values in a similar way as the Run key does.
- The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
about the particular DLL file that is being used.
- The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
computer, it will always start, thus always loading the files under
this key. These files are therefore loaded early in the startup
process before any human intervention occurs.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad
SharedTaskScheduler
- This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.
- The entries in this registry value run automatically when you start windows.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler
Miscellaneous
The following are files that programs can autostart from on bootup:
- c:autoexec.bat
- c:config.sys
- windirwininit.ini - Usually used by setup programs to have a file run once and then get deleted.
- windirwinstart.bat
- windirwin.ini - [windows] "load"
- windirwin.ini - [windows] "run"
- windirsystem.ini - [boot] "shell"
- windirsystem.ini - [boot] "scrnsave.exe"
- windirdosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.
- windirsystemautoexec.nt
- windirsystemconfig.nt
Source Windows Program Automatic Startup Locations
Disclaimer
I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.
Where do the majority of anti-virus programs start from at OS boot time?
after installing Avast and checking in both my "Run" registry key and my "Startup" folder that a startup entry wasn't present in either location.
There are many other start up locations you need to check (see later).
Many antivirus programs (including Avast) are started as a Windows service, which enables them to be up and running very early in the start up process so providing maximum protection:
The Avast GUI (which includes the system tray icon) is started from HKLMSoftwareMicrosoftWindowsCurrentVersionRun
:
There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.
There are a few programs that allow easy checking of the startup locations.
msconfig (Startup tab):
Autoruns from SysInternals:
WhatInStartup from NirSoft:
WinPatrol:
Note:
- WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"
- You can specify the delay time if you do this.
]12
How many ways are there for a program to be run at Startup in Windows?
There are at least 17 locations from where programs can be started. See below.
Windows Program Automatic Startup Locations
Upon turning on the computer the following autostart locations are
processed in the following order:
Windows Boot Device Drivers
- These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.
- Boot device drivers will be located under the following key and have a Start value equal to 0.
Registry Keys:HKEY_LOCAL_MACHINESystemCurrentControlSetServices
Windows will now perform various tasks and then start the Winlogon
process. Winlogon eventually starts the service control manager that
loads services and drivers that are set for auto-start.
Windows Auto-start Services & Drivers
- The Service Control Manager (SCM) process (WindowsSystem32services.exe), will now launch any services or
drivers that are marked with a Start value of 2.
Registry Keys:HKEY_LOCAL_MACHINESystemCurrentControlSetServices
RunServicesOnce
- This key is designed to start services when a computer boots up.
- These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
can start loading its programs.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
RunServices
- This key is designed to start services as well.
- These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...RunOnce registry
can start loading its programs.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunServices
The Windows logon prompt is shown on the Screen. After a user logs in
the rest of the keys continue.
Notify
- This key is used to add a program that will run when a particular event occurs.
- Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.
- When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will
handle this event.
- Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the
malware program to load in such a way that it is not easy to stop.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotify
UserInit Key
- This key specifies what program should be launched right after a user logs into Windows.
- The default program for this key is C:windowssystem32userinit.exe. Userinit.exe is a program that
restores your profile, fonts, colors, etc for your user name.
It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:
HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
=C:windowssystem32userinit.exe,c:windowsbadprogram.exe.
This will make both programs launch when you log in and is a common
place for trojans, hijackers, and spyware to launch from.
Registry Key:HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
Shell Value
- This value contains a list of comma separated values that Userinit.exe will launch.
- The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts
the shell, it will first launch the Shell value found in
HKEY_CURRENT_USER. If this value is not present, it will then launch
the value found in HKEY_LOCAL_MACHINE.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon\Shell
The rest of the Autostart locations will now be processed.
RunOnce Local Machine Key
- These keys are designed to be used primarily by Setup programs.
- Entries in these keys are started once and then are deleted from the key.
- If there is an- exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
otherwise it will be deleted before the program runs. This is
important, because if the exclamation point is not used, and the
program referenced in this key fails to complete, it will not run
again as it will have already been deleted.
- All entries in this key are started synchronously in an undefined order.
- Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...Run, HKEY_CURRENT_USER...Run,
HKEY_CURRENT_USER...RunOnce, and Startup Folders can be loaded.
- The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnceEx
Run
- These are the most common startup locations for programs to install auto start from.
- By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
All Users Startup Folder
- For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.
It is generally found at:
Windows XP
C:Documents and SettingsAll UsersStart
MenuProgramsStartup
Windows NT
C:wontProfilesAll UsersStart
MenuProgramsStartup
Windows 2000
C:Documents and SettingsAll
UsersStart MenuProgramsStartup
User Profile Startup Folder
- This folder will be executed for the particular user who logs in.
This folder is usually found in:
- Win 9X, ME
c:windowsstart menuprogramsstartup
- Windows XP
C:Documents and SettingsLoginNameStart MenuProgramsStartup
RunOnce Current User Key
- These keys are designed to be used primarily by Setup programs.
- Entries in these keys are started once and then are deleted from the key.
- If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes,
otherwise it will be deleted before the program runs. This is
important, because if the exclamation point is not used, and the
program referenced in this key fails to complete, it will not run
again as it will have already been deleted.
- The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.
- The RunOnce keys are not supported by Windows NT 3.51.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
Explorer Run
- These keys are generally used to load programs as part of a policy set in place on the computer or user.
Registry Keys:HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerRun
Load Key
- This key is not commonly used anymore, but can be used to auto start programs.
Registry Key:HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload
AppInit_DLLs
- This value corresponds to files being loaded through the AppInit_DLLs Registry value.
- The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.
- As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded
also. This makes it very difficult to remove the DLL as it will be
loaded within multiple processes, some of which can not be stopped
without causing system instability.
- The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that
the files loaded in the AppInit_DLLs value will be loaded very early
in the Windows startup routine allowing the DLL to hide itself or
protect itself before we have access to the system.
Registry Key:HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindows
ShellServiceObjectDelayLoad
- This Registry value contains values in a similar way as the Run key does.
- The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information
about the particular DLL file that is being used.
- The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your
computer, it will always start, thus always loading the files under
this key. These files are therefore loaded early in the startup
process before any human intervention occurs.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad
SharedTaskScheduler
- This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.
- The entries in this registry value run automatically when you start windows.
Registry Key:HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerSharedTaskScheduler
Miscellaneous
The following are files that programs can autostart from on bootup:
- c:autoexec.bat
- c:config.sys
- windirwininit.ini - Usually used by setup programs to have a file run once and then get deleted.
- windirwinstart.bat
- windirwin.ini - [windows] "load"
- windirwin.ini - [windows] "run"
- windirsystem.ini - [boot] "shell"
- windirsystem.ini - [boot] "scrnsave.exe"
- windirdosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.
- windirsystemautoexec.nt
- windirsystemconfig.nt
Source Windows Program Automatic Startup Locations
Disclaimer
I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.
edited yesterday
answered 2 days ago
DavidPostill♦DavidPostill
107k27232267
107k27232267
3
I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!
– Simon Baars
yesterday
1
@SimonBaars for comparison linux settings files move all the time (from distro to distro)
– qwr
18 hours ago
@qwr but at least with modern systemd, all startup programs can be queried with one command
– lights0123
16 hours ago
Plus ELAM and drivers, both actually used by malware suites.
– eckes
16 hours ago
Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)
– eckes
15 hours ago
add a comment |
3
I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!
– Simon Baars
yesterday
1
@SimonBaars for comparison linux settings files move all the time (from distro to distro)
– qwr
18 hours ago
@qwr but at least with modern systemd, all startup programs can be queried with one command
– lights0123
16 hours ago
Plus ELAM and drivers, both actually used by malware suites.
– eckes
16 hours ago
Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)
– eckes
15 hours ago
3
3
I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!
– Simon Baars
yesterday
I don't understand why they make it so hard to control simple things in Windows, like what starts when your computer boots. Thanks for providing programs that help in finding entries in all locations!
– Simon Baars
yesterday
1
1
@SimonBaars for comparison linux settings files move all the time (from distro to distro)
– qwr
18 hours ago
@SimonBaars for comparison linux settings files move all the time (from distro to distro)
– qwr
18 hours ago
@qwr but at least with modern systemd, all startup programs can be queried with one command
– lights0123
16 hours ago
@qwr but at least with modern systemd, all startup programs can be queried with one command
– lights0123
16 hours ago
Plus ELAM and drivers, both actually used by malware suites.
– eckes
16 hours ago
Plus ELAM and drivers, both actually used by malware suites.
– eckes
16 hours ago
Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)
– eckes
15 hours ago
Systemd does not show kernel threads or xsession scripts, udev, automounter, nscd or bus events. It is not much less complicated (but certainly less compatible)
– eckes
15 hours ago
add a comment |
Security products typically have a number of components, for example:
- One or more file system filter drivers that sits in the kernel. Typically these are mini-filters that can be listed using the command line tool fltmc.exe. You can also see drivers loaded into the "System" process using a tool such as Process Explorer. They are likely responsible for filtering the opening and closing of files and making requests of the user mode services for scanning of the file before letting the file be accessed.
- There maybe other drivers for filtering network traffic. NDIS filter drives on older platforms, say Win 7 and WFP drivers for newer platforms, e.g. Win 8.1 and later.
- One or more user mode services. One of which typically loads virus data and performs the actually scanning. There are typically other services for management, updating, etc.
- Additional processes that may start from the "Run" key of the registry and run in the context of the logged on user. These typically provide the user interface and take care of user messaging.
So in short they are usually a combination of services, drivers and processes running as the logged on user. From your question, it sounds like you're looking at the later. By running services.msc you will see the user mode services and running a tool such driverquery.exe, or even misnfo32, you can see the drivers. User mode services and kernel drivers all are referenced in the Service Control Manager's (SCM) database under: hklmsystemcurrentcontrolsetservices
add a comment |
Security products typically have a number of components, for example:
- One or more file system filter drivers that sits in the kernel. Typically these are mini-filters that can be listed using the command line tool fltmc.exe. You can also see drivers loaded into the "System" process using a tool such as Process Explorer. They are likely responsible for filtering the opening and closing of files and making requests of the user mode services for scanning of the file before letting the file be accessed.
- There maybe other drivers for filtering network traffic. NDIS filter drives on older platforms, say Win 7 and WFP drivers for newer platforms, e.g. Win 8.1 and later.
- One or more user mode services. One of which typically loads virus data and performs the actually scanning. There are typically other services for management, updating, etc.
- Additional processes that may start from the "Run" key of the registry and run in the context of the logged on user. These typically provide the user interface and take care of user messaging.
So in short they are usually a combination of services, drivers and processes running as the logged on user. From your question, it sounds like you're looking at the later. By running services.msc you will see the user mode services and running a tool such driverquery.exe, or even misnfo32, you can see the drivers. User mode services and kernel drivers all are referenced in the Service Control Manager's (SCM) database under: hklmsystemcurrentcontrolsetservices
add a comment |
Security products typically have a number of components, for example:
- One or more file system filter drivers that sits in the kernel. Typically these are mini-filters that can be listed using the command line tool fltmc.exe. You can also see drivers loaded into the "System" process using a tool such as Process Explorer. They are likely responsible for filtering the opening and closing of files and making requests of the user mode services for scanning of the file before letting the file be accessed.
- There maybe other drivers for filtering network traffic. NDIS filter drives on older platforms, say Win 7 and WFP drivers for newer platforms, e.g. Win 8.1 and later.
- One or more user mode services. One of which typically loads virus data and performs the actually scanning. There are typically other services for management, updating, etc.
- Additional processes that may start from the "Run" key of the registry and run in the context of the logged on user. These typically provide the user interface and take care of user messaging.
So in short they are usually a combination of services, drivers and processes running as the logged on user. From your question, it sounds like you're looking at the later. By running services.msc you will see the user mode services and running a tool such driverquery.exe, or even misnfo32, you can see the drivers. User mode services and kernel drivers all are referenced in the Service Control Manager's (SCM) database under: hklmsystemcurrentcontrolsetservices
Security products typically have a number of components, for example:
- One or more file system filter drivers that sits in the kernel. Typically these are mini-filters that can be listed using the command line tool fltmc.exe. You can also see drivers loaded into the "System" process using a tool such as Process Explorer. They are likely responsible for filtering the opening and closing of files and making requests of the user mode services for scanning of the file before letting the file be accessed.
- There maybe other drivers for filtering network traffic. NDIS filter drives on older platforms, say Win 7 and WFP drivers for newer platforms, e.g. Win 8.1 and later.
- One or more user mode services. One of which typically loads virus data and performs the actually scanning. There are typically other services for management, updating, etc.
- Additional processes that may start from the "Run" key of the registry and run in the context of the logged on user. These typically provide the user interface and take care of user messaging.
So in short they are usually a combination of services, drivers and processes running as the logged on user. From your question, it sounds like you're looking at the later. By running services.msc you will see the user mode services and running a tool such driverquery.exe, or even misnfo32, you can see the drivers. User mode services and kernel drivers all are referenced in the Service Control Manager's (SCM) database under: hklmsystemcurrentcontrolsetservices
edited yesterday
answered 2 days ago
HelpingHandHelpingHand
1,125410
1,125410
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1413524%2fhow-do-anti-virus-programs-start-at-windows-boot%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
3
What boot "time" are you actually referring to, directly after the boot loader or when you see the black screen (or not) just before the login screen appears? This is a very important distinction. The "directly after boot loader" approach is done with drivers and happens before windows even loads (e.g. rebooting your pc to remove viruses that can't be removed while windows is running).
– Gizmo
2 days ago
Typically the on-access drivers are filter drivers (devices). There is also a new function for early launch malware detection called ELAM docs.microsoft.com/en-us/windows-hardware/drivers/install/…. Besides that normal Autorun, services and explorer extensions are used mostly for UI and supporting stuff like refreshing signatures and drivers. Behavior detection often works by injecting dlls.
– eckes
yesterday