Common Windows Trojan/Application Startup Locations

sidemenu

Restricted Access

Trying to find out where a trojan or other application has loaded itself to run automatically. Below are some of the common locations where Windows will auto-run an application at system startup or user login:

Users Start Menu
%windir%\systenm32\AUTOEXEC.NT
Registry Keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team ; last modified by TR on July 13, 2006.
(Address comments about page to the Computer Security Team.)