Monday, June 28, 2010

Windows Startup - A Weapon for Malware

Hey guys, have you ever wondered why “MSN Messenger”, “Yahoo Messenger” or some other software opens as soon as Windows starts?
This is due to “Windows Startup”.

Even malware uses this facility to run every time Windows starts. It is good practice to inspect the startup entries frequently for security. Now let's see how it works.

Startup using Windows Registry
Before explaining “Windows Startup”, here is a brief introduction to the “Windows Registry”.

Every OS needs a place to store settings and options. The Windows Registry is a database where the Windows OS stores all configuration settings and user preferences. It contains information and settings for all the hardware, software, users, and preferences of the PC. It stores different kinds of data in a hierarchical manner. You cannot edit this database directly; you must use "Registry Editor" to make any changes.


To open "Registry Editor", type “regedit” in the Run command.



You will notice five subtrees (hives), which appear as follows:
  • HKEY_LOCAL_MACHINE
  • HKEY_CURRENT_USER
  • HKEY_CURRENT_CONFIG
  • HKEY_USERS
  • HKEY_CLASSES_ROOT
The following registry entries are used for Windows Startup:

HKCU - HKEY_CURRENT_USER
HKLM - HKEY_LOCAL_MACHINE
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, Load [VALUE]

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

  • HKLM\Software\Microsoft\Active Setup\Installed Components
  • HKCU\Software\Microsoft\Internet Explorer\Main, Start Page [VALUE]
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
  • HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs [VALUE]
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, UserInit [VALUE]
  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, BootExecute [VALUE]
Here is an example for "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run":
  1. Type “regedit” in the Run command.
  2. Click [+] HKEY_CURRENT_USER.
  3. Click [+] Software, then [+] Microsoft, then [+] Windows, then [+] CurrentVersion.
  4. Finally, click on Run.

Malware can use this facility to start the next time Windows reboots. There are third-party tools available that show all the startup entries and ease your work. One of them is "Autoruns for Windows v10.01".

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them.
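A small read-only check of the locations listed above, added here as an example and not taken from the original post or from Autoruns: it reads each Run/RunOnce key and the single-value locations (Userinit, AppInit_DLLs, Load), then reports whether the program each entry points to exists on disk and carries a valid Authenticode signature. It assumes only the key and value names from the list above; run it from an elevated PowerShell prompt so the HKLM keys are readable.

```powershell
# Added example (not from the original post): inspect autostart locations, read-only.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Locations where a single named value holds the command line.
$valueLocations = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'AppInit_DLLs' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'Load' }
)
function Get-ImagePath([string]$Command) {
    # First token of the command line: a quoted path, or text up to the first space/comma
    # (Userinit and AppInit_DLLs are comma-separated). Unquoted paths that contain
    # spaces come out truncated and show as MISSING FILE; review those by hand.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '[\s,]+')[0]
}
function Test-AutorunEntry([string]$Location, [string]$Name, [string]$Command) {
    $path = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $Command))
    if (-not $path) {
        $status = 'EMPTY'
    } elseif (-not (Test-Path -LiteralPath $path)) {
        $status = 'MISSING FILE'
    } else {
        # Catalog-signed OS binaries can report NotSigned on older Windows versions,
        # so treat UNSIGNED as a prompt to look closer, not as proof of anything.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $status = if ($sig.Status -eq 'Valid') { "signed by $($sig.SignerCertificate.Subject)" } else { "UNSIGNED ($($sig.Status))" }
    }
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command; Status = $status }
}
$results = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $k = Get-Item -Path $key
    foreach ($name in $k.GetValueNames()) {
        $results += Test-AutorunEntry $key $name ([string]$k.GetValue($name))
    }
}
foreach ($loc in $valueLocations) {
    $v = (Get-ItemProperty -Path $loc.Key -ErrorAction SilentlyContinue).($loc.Name)
    if ($v) { $results += Test-AutorunEntry $loc.Key $loc.Name ([string]$v) }
}
$results | Format-Table -AutoSize -Wrap
```

Entries marked MISSING FILE or UNSIGNED are the ones worth a closer look, and Autoruns will show the same locations with far more coverage.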

Caution:
Do NOT delete or disable the entry named Userinit. Doing so will leave you unable to log on to any user account on the system.
