Fermilab Computing Sector

Common Windows Trojan/Application Startup Locations

Trying to find out where a trojan or other application has set itself to run automatically? Below are some of the common locations from which Windows will auto-run an application at system startup or user login:
  • Users Start Menu
  • %windir%\system32\AUTOEXEC.NT
  • Registry Keys:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
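
A read-only way to review these locations on a live system, as an added example that is not part of the original page. The function name `Get-AutostartEntry` is hypothetical; the script assumes "Start Menu" means the per-user and all-users Startup folders, and it checks all five Run-style keys under each hive, which is a superset of the list for `.DEFAULT`.

```powershell
# Added example: read-only inventory of the autostart locations listed above.
function Get-AutostartEntry {
    $roots = 'HKEY_LOCAL_MACHINE', 'HKEY_CURRENT_USER', 'HKEY_USERS\.DEFAULT'
    $base  = 'Software\Microsoft\Windows\CurrentVersion'
    # In these keys every value is a command that Windows starts.
    $runKeys = "$base\Policies\Explorer\Run", "$base\Run", "$base\RunOnce",
               "$base\RunServices", "$base\RunServicesOnce"
    foreach ($root in $roots) {
        foreach ($sub in $runKeys) {
            $key = Get-Item -LiteralPath "Registry::$root\$sub" -ErrorAction SilentlyContinue
            if (-not $key) { continue }          # key absent (or unreadable) on this system
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Location = "$root\$sub"; Name = $name
                                   Command  = $key.GetValue($name) }
            }
        }
    }
    # "run" and "load" are value names inside the Windows key, not subkeys.
    $win = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($root in 'HKEY_CURRENT_USER', 'HKEY_USERS\.DEFAULT') {
        $key = Get-Item -LiteralPath "Registry::$root\$win" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in 'run', 'load') {
            $value = $key.GetValue($name)
            if ($value) { [pscustomobject]@{ Location = "$root\$win"; Name = $name; Command = $value } }
        }
    }
    # Startup folders (assumption: this is what "Start Menu" refers to).
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Force | Where-Object Name -ne 'desktop.ini' | ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
    # AUTOEXEC.NT: report every line that is not blank and not a REM comment.
    $autoexec = Join-Path $env:windir 'system32\AUTOEXEC.NT'
    if (Test-Path -LiteralPath $autoexec) {
        Get-Content -LiteralPath $autoexec | Where-Object { $_.Trim() -and $_ -notmatch '^\s*@?rem\b' } |
            ForEach-Object { [pscustomobject]@{ Location = $autoexec; Name = 'line'; Command = $_.Trim() } }
    }
}

Get-AutostartEntry | Format-Table -AutoSize -Wrap
```

Run it once as the affected user and once elevated: `HKCU` and the per-user Startup folder resolve to whichever account runs the script.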
     

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by TR on July 13, 2006.
(Address comments about page to the Computer Security Team.)