Sub_Zero

All Known and Unknown Autostart Methods


1. Autostart folder

Everything in here is started every time the user logs on to Windows.

C:\windows\start menu\programs\startup {english}

C:\windows\Menu Démarrer\Programmes\Démarrage {french}

The location of this autostart directory is stored in the registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders as

Startup="C:\windows\start menu\programs\startup"

'So it could easily be changed by any program to point somewhere else.

2. Win.ini (c:\windows\win.ini)

[windows]

load=file.exe

run=file.exe

'Both lines are empty on a clean install; anything named here is started together with Windows.

3. System.ini [boot] (c:\windows\system.ini)

Shell=Explorer.exe file.exe

'Only Explorer.exe belongs on this line; anything listed after it is launched along with the shell.

4. c:\windows\winstart.bat

'Note: behaves like a usual BAT file. Used for copying or deleting specific files. Autostarts every time Windows boots.

5. Registry

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]

6. c:\windows\wininit.ini

'Often used by setup programs. When the file exists it is processed ONCE at the next boot and then deleted by Windows.

Example: (content of wininit.ini)

[Rename]

NUL=c:\windows\picture.exe

'This example sends c:\windows\picture.exe to NUL, which means that it is deleted. This requires no interaction with the user and runs totally stealthily. Each line has the form destination=source, so the same mechanism can also replace a file before Windows has loaded and locked it.
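Audit logic for the three INI-based methods above (win.ini load=/run=, system.ini shell= and the wininit.ini [Rename] section) as an added Python example; this is not part of the original post. The file contents are constructed samples, and evil.exe, picture.exe and new.dll are placeholder names, not real programs. The parser is hand-written rather than configparser because wininit.ini legitimately repeats the NUL= key.

```python
from typing import List, Tuple

# Constructed samples standing in for C:\windows\win.ini, system.ini and
# wininit.ini. evil.exe, picture.exe and new.dll are placeholder names.
WIN_INI = r"""[windows]
load=c:\windows\evil.exe
run=
[Desktop]
Wallpaper=(None)
"""

SYSTEM_INI = r"""[boot]
shell=Explorer.exe evil.exe
[386Enh]
device=*vshare
"""

WININIT_INI = r"""[Rename]
NUL=c:\windows\picture.exe
c:\windows\system\new.dll=c:\windows\temp\new.dll
"""


def parse_ini(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples in file order.

    Unlike configparser this keeps duplicate keys, which matters for
    wininit.ini: a [Rename] section often carries several NUL= lines.
    """
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            entries.append((section, key.strip(), value.strip()))
    return entries


def audit_win_ini(text: str) -> List[str]:
    """Flag any program named in [windows] load= or run=; both are empty on a clean install."""
    return [f"win.ini [windows] {key.lower()}={value}"
            for sec, key, value in parse_ini(text)
            if sec == "windows" and key.lower() in ("load", "run") and value]


def audit_system_ini(text: str) -> List[str]:
    """Flag a [boot] shell= line that names anything besides Explorer.exe."""
    findings = []
    for sec, key, value in parse_ini(text):
        if sec == "boot" and key.lower() == "shell":
            parts = value.split()
            if len(parts) != 1 or parts[0].lower() != "explorer.exe":
                findings.append(f"system.ini [boot] shell={value}")
    return findings


def audit_wininit_ini(text: str) -> List[str]:
    """Describe every [Rename] entry (destination=source); NUL as destination deletes the source."""
    findings = []
    for sec, dest, source in parse_ini(text):
        if sec == "rename":
            if dest.lower() == "nul":
                findings.append(f"wininit.ini deletes {source}")
            else:
                findings.append(f"wininit.ini moves {source} -> {dest}")
    return findings


if __name__ == "__main__":
    for finding in (audit_win_ini(WIN_INI) + audit_system_ini(SYSTEM_INI)
                    + audit_wininit_ini(WININIT_INI)):
        print(finding)
```

Point the three audit functions at files copied off the machine (or out of a disk image) and review every finding by hand; an empty result for win.ini and a bare shell=Explorer.exe are the clean state.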

7. Autoexec.bat

Runs every time at the DOS level, before Windows itself loads.

8. Registry Shell Spawning

[HKEY_CLASSES_ROOT\exefile\shell\open\command] @="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command] @="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command] @="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command] @="\"%1\" %*"

[HKEY_CLASSES_ROOT\piffile\shell\open\command] @="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"

[HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"

The default value of each key should be "%1" %* (the file itself, followed by its arguments). If this is changed to server.exe "%1" %*, server.exe is executed EVERY TIME an exe/pif/com/bat/hta file is opened, and receives the original file as its argument so it can run it afterwards and nothing looks broken.

Known as the "Unknown Starting Method" and currently used by SubSeven.
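An offline check of the registry locations from sections 1, 5 and 8, working on a .reg export rather than the live registry so it runs anywhere. This is an added Python example, not part of the original post; the export below is constructed (REGEDIT4 format, as Win9x regedit writes it), the entry names are illustrative and server.exe is a placeholder, not a real program name. It lists every value under the Run/RunOnce/RunServices keys for review, flags any executable-class shell\open\command whose default is not "%1" %*, and reports a redirected Startup folder.

```python
from typing import Dict, List, Optional, Tuple

# Constructed .reg export covering the locations from sections 1, 5 and 8.
# Entry names are illustrative; server.exe is a placeholder name.
REG_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup"="C:\\windows\\start menu\\programs\\startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTray"="SysTray.Exe"
"updater"="c:\\windows\\system\\server.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="server.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
"""

RUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
)}
EXECUTABLE_CLASSES = {"exefile", "comfile", "batfile", "htafile", "piffile"}
EXPECTED_OPEN_COMMAND = '"%1" %*'
STARTUP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
DEFAULT_STARTUP = r"C:\windows\start menu\programs\startup"


def unquote(s: str) -> str:
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path to its string values; the default value is stored under '@'."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("REGEDIT4") \
                or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            keys[current][unquote(name)] = unquote(value)
    return keys


def list_run_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Every value under the Run/RunOnce/RunServices keys; all of them run at boot or logon."""
    return [(path, name, cmd) for path, values in keys.items()
            if path.lower() in RUN_KEYS for name, cmd in values.items()]


def find_hijacked_open_commands(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Open-command defaults of the five executable classes that deviate from the expected value."""
    hits = []
    for path, values in keys.items():
        parts = path.lower().split("\\")
        if parts[-3:] == ["shell", "open", "command"] and any(p in EXECUTABLE_CLASSES for p in parts):
            cmd = values.get("@", "")
            if cmd.strip() != EXPECTED_OPEN_COMMAND:
                hits.append((path, cmd))
    return hits


def check_startup_folder(keys: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return the Startup path if it was redirected away from the documented default, else None."""
    for path, values in keys.items():
        if path.lower() == STARTUP_KEY.lower():
            actual = values.get("Startup", "")
            if actual.lower() != DEFAULT_STARTUP.lower():
                return actual
    return None


if __name__ == "__main__":
    reg = parse_reg(REG_EXPORT)
    for entry in list_run_entries(reg):
        print("run entry:", entry)
    for hit in find_hijacked_open_commands(reg):
        print("hijacked open command:", hit)
    print("startup folder redirected to:", check_startup_folder(reg))
```

Export the keys with regedit (File, Export) and feed the text to parse_reg; the Run-key listing is deliberately not filtered, because which entries are legitimate depends on what is installed, while a shell\open\command that is anything other than "%1" %* is always worth a look.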

9. ICQ Inet

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\test]

"Path"="test.exe"

"Startup"="c:\test"

"Parameters"=""

"Enable"="Yes"

[HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps]

This key includes all the apps which are executed IF ICQNET detects an Internet connection.

10. Misc Information

[HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap]

@="Scrap object"

"NeverShowExt"=""

The NeverShowExt value has the function to HIDE the real extension of the file, here SHS. This means if you rename a file as "Girl.jpg.shs" it displays as "Girl.jpg" in all programs including Explorer, even when the option to hide extensions for known file types is switched off.

Your registry should be full of NeverShowExt values; simply delete the value to get the real extension to show up.
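How the NeverShowExt trick changes what a user sees, as an added Python example that is not part of the original post. The extension table is a constructed stand-in for what you would read out of HKEY_CLASSES_ROOT (extension, its ProgID, and whether that ProgID carries NeverShowExt); the functions compute the name Explorer displays, flag double-extension names where the hidden real extension leaves an innocent-looking one on show, and emit the .reg lines that delete the value ("NeverShowExt"=- removes a value when the file is merged).

```python
from typing import Dict, List, Tuple

# Constructed extension table, as it would be assembled from HKEY_CLASSES_ROOT:
# extension -> (ProgID, whether the ProgID has a NeverShowExt value).
EXTENSIONS: Dict[str, Tuple[str, bool]] = {
    ".shs": ("ShellScrap", True),
    ".lnk": ("lnkfile", True),
    ".pif": ("piffile", True),
    ".jpg": ("jpegfile", False),
    ".txt": ("txtfile", False),
    ".exe": ("exefile", False),
}


def real_extension(filename: str) -> str:
    """The extension Windows uses to pick a handler: everything after the last dot."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot > 0 else ""


def displayed_name(filename: str, table: Dict[str, Tuple[str, bool]] = EXTENSIONS) -> str:
    """What Explorer shows: the real extension is dropped when its ProgID has NeverShowExt."""
    ext = real_extension(filename)
    _progid, hidden = table.get(ext, ("", False))
    return filename[:-len(ext)] if hidden else filename


def is_deceptive(filename: str, table: Dict[str, Tuple[str, bool]] = EXTENSIONS) -> bool:
    """True when hiding the real extension leaves a different extension on display."""
    shown = displayed_name(filename, table)
    if shown == filename:
        return False
    shown_ext = real_extension(shown)
    return shown_ext != "" and shown_ext != real_extension(filename)


def audit_filenames(names: List[str],
                    table: Dict[str, Tuple[str, bool]] = EXTENSIONS) -> List[Tuple[str, str, str]]:
    """(displayed name, real extension, ProgID) for every deceptive name in the list."""
    return [(displayed_name(n, table), real_extension(n), table[real_extension(n)][0])
            for n in names if is_deceptive(n, table)]


def reg_fix(table: Dict[str, Tuple[str, bool]] = EXTENSIONS) -> str:
    """A REGEDIT4 fragment that deletes NeverShowExt from every ProgID carrying it."""
    lines = ["REGEDIT4", ""]
    for _ext, (progid, hidden) in sorted(table.items()):
        if hidden:
            lines += [f"[HKEY_CLASSES_ROOT\\{progid}]", '"NeverShowExt"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    sample = ["Girl.jpg.shs", "notes.txt", "shortcut.lnk", "setup.exe"]  # constructed names
    for shown, ext, progid in audit_filenames(sample):
        print(f"{shown!r} is really a {ext} ({progid}) file")
    print(reg_fix())
```

Note that a plain shortcut.lnk is not reported: its extension is hidden too, but nothing misleading is left behind, which is exactly the case the NeverShowExt value was meant for.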
