This article is taken from http://www.governmentsecurity.org
you may find it a good read
1. START-UP FOLDER. This applies to all versions of Windows, Windows9x has a global startup folder and WinXP/2K has a per user and all users startup folder.
c:Documents and SettingsAll UsersStart MenuProgramsStartup
And
c:Documents and SettingsusernameStart MenuProgramsStartup
Windows opens every item in the Startup folder on startup/login, this folder is easy to find and you can just 'right click and delete' to remove items from it.
Note the above says 'open' not 'run' this means if there is a .txt file, notepad will open, if there is a .wav file the default program for handling .wav files will open and so on. Shortcuts are usually put in the startup folder but entire programs/documents/files can be put there.
STARTUP ORDER FOR WINDOWS NT4/2000/XP
User enters a password and logon to the system
2. REGISTRY. Windows executes all instructions in the "Run" section of the Windows Registry. Items in the "Run" section (and in other parts of the Registry listed below) can be programs or files that programs open (documents), as explained in No. 1 above.
All Run Keys:
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurr entVersionRunOnce]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurr entVersionRun]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurr entVersionRunOnceEx]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurr entVersionRunEx]
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurre ntVersionRunOnce]
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurre ntVersionRun]
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurre ntVersionRunOnceEx]
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurre ntVersionRunEx]
3. REGISTRY. Windows executes all instructions in the "RunServices" section of the Registry.
Computer Management -> Services - items set to "Automatic"
4. REGISTRY. Windows executes all instructions in the "RunOnce" part of the Registry.
5. REGISTRY. Windows executes instructions in the "RunServicesOnce" section of the Registry. (Windows uses the two "RunOnce" sections to run programs a single time only, usually on the next bootup after a program installation.)
7. REGISTRY. Windows executes instructions in the HKEY_CLASSES_ROOTexefileshellopencommand "%1" %* section of the Registry. Any command imbedded here will open when any exe file is executed.
Other possibles:
[HKEY_CLASSES_ROOTexefileshellopencommand] =""%1" %*"
[HKEY_CLASSES_ROOTcomfileshellopencommand] =""%1" %*"
[HKEY_CLASSES_ROOTbatfileshellopencommand] =""%1" %*"
[HKEY_CLASSES_ROOThtafileShellOpenCommand] =""%1" %*"
[HKEY_CLASSES_ROOTpiffileshellopencommand] =""%1" %*"
[HKEY_LOCAL_MACHINESoftwareCLASSESbatfileshell opencommand] =""%1"
%*"
[HKEY_LOCAL_MACHINESoftwareCLASSEScomfileshell opencommand] =""%1"
%*"
[HKEY_LOCAL_MACHINESoftwareCLASSESexefileshell opencommand] =""%1"
%*"
[HKEY_LOCAL_MACHINESoftwareCLASSEShtafileShell OpenCommand] =""%1"
%*"
[HKEY_LOCAL_MACHINESoftwareCLASSESpiffileshell opencommand] =""%1"
%*"
If keys don't have the ""%1" %*" value as shown, and are changed to something like ""somefilename.exe %1" %*" than they are automatically invoking the specified file.
8. BATCH FILE. Windows executes all instructions in the Winstart batch file, located in the Windows folder. (This file is unknown to nearly all Windows users and most Windows experts, and might not exist on your system. You can easily create it, however. Note that some versions of Windows call the Windows folder the "WinNT" folder.) The full filename is WINSTART.BAT.
9. INITIALIZATION FILE. Windows executes instructions in the "RUN=" line in the WIN.INI file, located in the Windows (or WinNT) folder.
10. INITIALIZATION FILE. Windows executes instructions in the "LOAD=" line in the WIN.INI file, located in the Windows (or WinNT) folder.
It also runs things in shell= in System.ini or c:windowssystem.ini:
[boot]
shell=explorer.exe C:windowsfilename
The file name following explorer.exe will start whenever Windows starts.
As with Win.ini, file names might be preceeded by considerable space on such a line, to reduce the chance that they will be seen. Normally, the full path of the file will be included in this entry. If not, check the Windows directory
11. RELAUNCHING. Windows reruns programs that were running when Windows shut down. Windows cannot do this with most non-Microsoft programs, but it will do it easily with Internet Explorer and with Windows Explorer, the file-and-folder manager built into Windows. If you have Internet Explorer open when you shut Windows down, Windows will reopen IE with the same page open when you boot up again. (If this does not happen on your Windows PC, someone has turned that feature off. Use Tweak UI, the free Microsoft Windows user interface manager, to reactivate "Remember Explorer settings," or whatever it is called in your version of Windows.)
12. TASK SCHEDULER. Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed.
13. SECONDARY INSTRUCTIONS. Programs that Windows launches at startup are free to launch separate programs on their own. Technically, these are not programs that Windows launches, but they are often indistinguishable from ordinary auto-running programs if they are launched right after their "parent" programs run.
14. C:EXPLORER.EXE METHOD.
C:Explorer.exe
Windows loads explorer.exe (typically located in the Windows directory)during the boot process. However, if c:explorer.exe exists, it will be executed instead of the Windows explorer.exe. If c:explorer.exe is corrupt, the user will effectively be locked out of their system after they reboot.
If c:explorer.exe is a trojan, it will be executed. Unlike all other autostart methods, there is no need for any file or registry changes - the file just simply has to be named c:explorer.exe
15. ADDITIONAL METHODS.
Additional autostart methods. The first two are used by Trojan SubSeven 2.2.
HKEY_LOCAL_MACHINESoftwareMicrosoftActive SetupInstalled Components
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurr entversionexplorerUsershell folders
Icq Inet
[HKEY_CURRENT_USERSoftwareMirabilisICQAgentApp stest]
"Path"="test.exe"
"Startup"="c:\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_CURRENT_USERSoftwareMirabilisICQAgentApp s]
This key specifies that all applications will be executed if ICQNET Detects an Internet Connection.
[HKEY_LOCAL_MACHINESoftwareCLASSESShellScrap] ="Scrap object"
"NeverShowExt"=""
This key changes your file's specified extension.
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetContro lSession ManagerBootExecute]
This is the first thing that is run.
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCu rrentVersionWinlogonUserInit]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell]
you may find it a good read
1. START-UP FOLDER. This applies to all versions of Windows, Windows9x has a global startup folder and WinXP/2K has a per user and all users startup folder.
c:Documents and SettingsAll UsersStart MenuProgramsStartup
And
c:Documents and SettingsusernameStart MenuProgramsStartup
Windows opens every item in the Startup folder on startup/login, this folder is easy to find and you can just 'right click and delete' to remove items from it.
Note the above says 'open' not 'run' this means if there is a .txt file, notepad will open, if there is a .wav file the default program for handling .wav files will open and so on. Shortcuts are usually put in the startup folder but entire programs/documents/files can be put there.
STARTUP ORDER FOR WINDOWS NT4/2000/XP
User enters a password and logon to the system
2. REGISTRY. Windows executes all instructions in the "Run" section of the Windows Registry. Items in the "Run" section (and in other parts of the Registry listed below) can be programs or files that programs open (documents), as explained in No. 1 above.
All Run Keys:
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurr entVersionRunOnce]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurr entVersionRun]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurr entVersionRunOnceEx]
[HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurr entVersionRunEx]
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurre ntVersionRunOnce]
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurre ntVersionRun]
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurre ntVersionRunOnceEx]
[HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurre ntVersionRunEx]
3. REGISTRY. Windows executes all instructions in the "RunServices" section of the Registry.
Computer Management -> Services - items set to "Automatic"
4. REGISTRY. Windows executes all instructions in the "RunOnce" part of the Registry.
5. REGISTRY. Windows executes instructions in the "RunServicesOnce" section of the Registry. (Windows uses the two "RunOnce" sections to run programs a single time only, usually on the next bootup after a program installation.)
7. REGISTRY. Windows executes instructions in the HKEY_CLASSES_ROOTexefileshellopencommand "%1" %* section of the Registry. Any command imbedded here will open when any exe file is executed.
Other possibles:
[HKEY_CLASSES_ROOTexefileshellopencommand] =""%1" %*"
[HKEY_CLASSES_ROOTcomfileshellopencommand] =""%1" %*"
[HKEY_CLASSES_ROOTbatfileshellopencommand] =""%1" %*"
[HKEY_CLASSES_ROOThtafileShellOpenCommand] =""%1" %*"
[HKEY_CLASSES_ROOTpiffileshellopencommand] =""%1" %*"
[HKEY_LOCAL_MACHINESoftwareCLASSESbatfileshell opencommand] =""%1"
%*"
[HKEY_LOCAL_MACHINESoftwareCLASSEScomfileshell opencommand] =""%1"
%*"
[HKEY_LOCAL_MACHINESoftwareCLASSESexefileshell opencommand] =""%1"
%*"
[HKEY_LOCAL_MACHINESoftwareCLASSEShtafileShell OpenCommand] =""%1"
%*"
[HKEY_LOCAL_MACHINESoftwareCLASSESpiffileshell opencommand] =""%1"
%*"
If keys don't have the ""%1" %*" value as shown, and are changed to something like ""somefilename.exe %1" %*" than they are automatically invoking the specified file.
8. BATCH FILE. Windows executes all instructions in the Winstart batch file, located in the Windows folder. (This file is unknown to nearly all Windows users and most Windows experts, and might not exist on your system. You can easily create it, however. Note that some versions of Windows call the Windows folder the "WinNT" folder.) The full filename is WINSTART.BAT.
9. INITIALIZATION FILE. Windows executes instructions in the "RUN=" line in the WIN.INI file, located in the Windows (or WinNT) folder.
10. INITIALIZATION FILE. Windows executes instructions in the "LOAD=" line in the WIN.INI file, located in the Windows (or WinNT) folder.
It also runs things in shell= in System.ini or c:windowssystem.ini:
[boot]
shell=explorer.exe C:windowsfilename
The file name following explorer.exe will start whenever Windows starts.
As with Win.ini, file names might be preceeded by considerable space on such a line, to reduce the chance that they will be seen. Normally, the full path of the file will be included in this entry. If not, check the Windows directory
11. RELAUNCHING. Windows reruns programs that were running when Windows shut down. Windows cannot do this with most non-Microsoft programs, but it will do it easily with Internet Explorer and with Windows Explorer, the file-and-folder manager built into Windows. If you have Internet Explorer open when you shut Windows down, Windows will reopen IE with the same page open when you boot up again. (If this does not happen on your Windows PC, someone has turned that feature off. Use Tweak UI, the free Microsoft Windows user interface manager, to reactivate "Remember Explorer settings," or whatever it is called in your version of Windows.)
12. TASK SCHEDULER. Windows executes autorun instructions in the Windows Task Scheduler (or any other scheduler that supplements or replaces the Task Scheduler). The Task Scheduler is an official part of all Windows versions except the first version of Windows 95, but is included in Windows 95 if the Microsoft Plus Pack was installed.
13. SECONDARY INSTRUCTIONS. Programs that Windows launches at startup are free to launch separate programs on their own. Technically, these are not programs that Windows launches, but they are often indistinguishable from ordinary auto-running programs if they are launched right after their "parent" programs run.
14. C:EXPLORER.EXE METHOD.
C:Explorer.exe
Windows loads explorer.exe (typically located in the Windows directory)during the boot process. However, if c:explorer.exe exists, it will be executed instead of the Windows explorer.exe. If c:explorer.exe is corrupt, the user will effectively be locked out of their system after they reboot.
If c:explorer.exe is a trojan, it will be executed. Unlike all other autostart methods, there is no need for any file or registry changes - the file just simply has to be named c:explorer.exe
15. ADDITIONAL METHODS.
Additional autostart methods. The first two are used by Trojan SubSeven 2.2.
HKEY_LOCAL_MACHINESoftwareMicrosoftActive SetupInstalled Components
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurr entversionexplorerUsershell folders
Icq Inet
[HKEY_CURRENT_USERSoftwareMirabilisICQAgentApp stest]
"Path"="test.exe"
"Startup"="c:\test"
"Parameters"=""
"Enable"="Yes"
[HKEY_CURRENT_USERSoftwareMirabilisICQAgentApp s]
This key specifies that all applications will be executed if ICQNET Detects an Internet Connection.
[HKEY_LOCAL_MACHINESoftwareCLASSESShellScrap] ="Scrap object"
"NeverShowExt"=""
This key changes your file's specified extension.
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetContro lSession ManagerBootExecute]
This is the first thing that is run.
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsNTCu rrentVersionWinlogonUserInit]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonShell]
