RunServicesOnce key
RunServices key
RunOnce/RunOnceEx key
Run key
All Users Startup Folder
User Profile Startup Folder
RunOnce Current User Key
Explorer Run
UserInit value
Load value
Notify key
AppInit_DLLs value
SharedTaskScheduler key
Other Files
My Training Period: xx hours. Before you begin, read someinstruction here. This is a continuation from previousWindows Registry Tutorial 3.
The expected abilities:
Checking the Registry for Policies and Preferences
The following code sample illustrates how your application can check the registry for policy and preference information.
// #define _WIN32_WINNT 0x0502 // Windows Server 2003 family // For Win Xp, change accordingly... #define _WIN32_WINNT 0x0501 // #define _WIN32_WINNT 0x0500 // Windows 2000 // #define _WIN32_WINNT 0x0400 // Windows NT 4.0 // #define _WIN32_WINDOWS 0x0500 // Windows ME // #define _WIN32_WINDOWS 0x0410 // Windows 98 // #define _WIN32_WINDOWS 0x0400 // Windows 95 #include <windows.h> #include <stdio.h> // Change accordingly... #define POLICY_KEY TEXT("Software\\Policies\\Microsoft\\Windows\\Explorer") #define PREFERENCE_KEY TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer") DWORD ReadValue(LPTSTR lpValueName, DWORD dwDefault) { HKEY hKey; LONG lResult; DWORD dwValue, dwType, dwSize = sizeof(dwValue); // First, check for a policy. lResult = RegOpenKeyEx(HKEY_CURRENT_USER, POLICY_KEY, 0, KEY_READ, &hKey);
|
if(lResult == ERROR_SUCCESS)
{
lResult = RegQueryValueEx(hKey, lpValueName, 0, &dwType, (LPBYTE)&dwValue, &dwSize);
RegCloseKey(hKey);
}
// Exit if a policy value was found.
if(lResult == ERROR_SUCCESS)
{
// return the data value
return dwValue;
}
else
printf("Policy: value not found!\n");
// Second, check for a preference.
lResult = RegOpenKeyEx(HKEY_CURRENT_USER, PREFERENCE_KEY, 0, KEY_READ, &hKey);
if(lResult == ERROR_SUCCESS)
{
lResult = RegQueryValueEx(hKey, lpValueName, 0, &dwType, (LPBYTE)&dwValue, &dwSize);
RegCloseKey (hKey);
}
// Exit if a preference was found.
if(lResult == ERROR_SUCCESS)
{
// Return the data value
return dwValue;
}
else
printf("Preference: value not found!\n");
// Neither a policy nor a preference was found; return the default value.
return dwDefault;
}
int main()
{
LPTSTR lpValueName = "Browse For Folder Height";
DWORD dwDefault = 0x00000000;
DWORD ret = ReadValue(lpValueName, dwDefault);
printf("The value data for the \'%s\' value name is 0X%.8X(%d).\n", lpValueName, ret, ret);
return 0;
}
A sample output:
Policy: value not found!
The value data for the 'Browse For Folder Height' value name is 0X00000120(288).
Press any key to continue
Figure 3: Getting the Registry values.
The performance data contains information for a variable number of object types, instances per object, and counters per object type. Therefore, the number and size of blocks in the performance data varies. To ensure that your application correctly receives the performance data, you must use the offsets included in the performance structures to navigate through the data. Every offset is a count of bytes relative to the structure containing it. The reason the system uses offsets instead of pointers is that pointers are not valid across process boundaries. The addresses that the process that installs the counters would store would not be valid for the process that reads the counters. The following example displays the index and name of each object, along with the indexes and names of its counters. The object and counter names are stored in the registry, by index. This example creates a function, GetNameStrings(), to load the indexes and names of each object and counter from the registry into an array, so that they can be easily accessed. GetNameStrings() uses the following standard registry functions to access the data:RegOpenKey(),RegCloseKey(),RegQueryInfoKey(), and RegQueryValueEx().
This example creates the following functions for navigating the performance data: FirstObject,FirstInstance,FirstCounter,NextCounter,NextInstance, andNextCounter. These functions navigate the performance data by using the offsets stored in the performance structures.
// #define _WIN32_WINNT 0x0502 // Windows Server 2003 family
// For Win Xp, change accordingly...
#define _WIN32_WINNT 0x0501
// #define _WIN32_WINNT 0x0500 // Windows 2000
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <malloc.h>
#include <string.h>
#define TOTALBYTES 20000
#define BYTEINCREMENT 2048
LPSTR lpNameStrings;
LPSTR *lpNamesArray;
// Functions used to navigate through the performance data.
PPERF_OBJECT_TYPE FirstObject(PPERF_DATA_BLOCK PerfData)
{
return((PPERF_OBJECT_TYPE)((PBYTE)PerfData + PerfData->HeaderLength));
}
PPERF_OBJECT_TYPE NextObject(PPERF_OBJECT_TYPE PerfObj)
{
return((PPERF_OBJECT_TYPE)((PBYTE)PerfObj + PerfObj->TotalByteLength));
}
PPERF_INSTANCE_DEFINITION FirstInstance(PPERF_OBJECT_TYPE PerfObj)
{
return((PPERF_INSTANCE_DEFINITION)((PBYTE)PerfObj + PerfObj->DefinitionLength));
}
PPERF_INSTANCE_DEFINITION NextInstance(PPERF_INSTANCE_DEFINITION PerfInst)
{
PPERF_COUNTER_BLOCK PerfCntrBlk;
PerfCntrBlk = (PPERF_COUNTER_BLOCK)((PBYTE)PerfInst + PerfInst->ByteLength);
return((PPERF_INSTANCE_DEFINITION)((PBYTE)PerfCntrBlk + PerfCntrBlk->ByteLength));
}
PPERF_COUNTER_DEFINITION FirstCounter(PPERF_OBJECT_TYPE PerfObj)
{
return((PPERF_COUNTER_DEFINITION) ((PBYTE)PerfObj + PerfObj->HeaderLength));
}
PPERF_COUNTER_DEFINITION NextCounter(PPERF_COUNTER_DEFINITION PerfCntr)
{
return((PPERF_COUNTER_DEFINITION)((PBYTE)PerfCntr + PerfCntr->ByteLength));
}
// Load the counter and object names from the registry to the
// global variable lpNamesArray.
BOOL GetNameStrings()
{
HKEY hKeyPerflib; // handle to registry key
HKEY hKeyPerflib009; // handle to registry key
DWORD dwMaxValueLen; // maximum size of key values
DWORD dwBuffer; // bytes to allocate for buffers
DWORD dwBufferSize; // size of dwBuffer
LPSTR lpCurrentString; // pointer for enumerating data strings
DWORD dwCounter; // current counter index
// Get the number of Counter items.
if(RegOpenKeyEx(
HKEY_LOCAL_MACHINE,
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib",
0,
KEY_READ,
&hKeyPerflib) != ERROR_SUCCESS)
return FALSE;
else
printf("RegOpenKeyEx() is OK.\n");
dwBufferSize =sizeof(dwBuffer);
if(RegQueryValueEx(
hKeyPerflib,
"Last Counter",
NULL,
NULL,
(LPBYTE) &dwBuffer,
&dwBufferSize) != ERROR_SUCCESS)
return FALSE;
else
printf("RegQueryValueEx() is OK.\n");
RegCloseKey(hKeyPerflib);
// Allocate memory for the names array.
lpNamesArray = (LPTSTR *)malloc((dwBuffer+1) * sizeof(LPSTR));
if(lpNamesArray == NULL)
return FALSE;
// Open the key containing the counter and object names.
if(RegOpenKeyEx(
HKEY_LOCAL_MACHINE,
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\009",
0,
KEY_READ,
&hKeyPerflib009) != ERROR_SUCCESS)
return FALSE;
else
printf("RegOpenKeyEx() is OK.\n");
// Get the size of the largest value in the key (Counter or Help).
if(RegQueryInfoKey(
hKeyPerflib009,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
&dwMaxValueLen,
NULL,
NULL) != ERROR_SUCCESS
)
return FALSE;
else
printf("RegQueryInfoKey() is OK.\n");
// Allocate memory for the counter and object names.
dwBuffer = dwMaxValueLen + 1;
lpNameStrings = (LPTSTR)malloc(dwBuffer * sizeof(CHAR));
if(lpNameStrings == NULL)
{
free(lpNamesArray);
return FALSE;
}
else
printf("Memory allocated for lpNameStrings.\n");
// Read the Counter value.
if(RegQueryValueEx(
hKeyPerflib009,
"Counter",
NULL,
NULL,
(LPBYTE)lpNameStrings,
&dwBuffer) != ERROR_SUCCESS)
return FALSE;
else
printf("RegQueryValueEx() is OK.\n");
printf("Please wait...\n");
// Load names into an array, by index.
for(lpCurrentString = lpNameStrings; *lpCurrentString;
lpCurrentString += (lstrlen(lpCurrentString)+1))
{
dwCounter = atol(lpCurrentString);
lpCurrentString += (lstrlen(lpCurrentString)+1);
lpNamesArray[dwCounter] = (LPSTR)lpCurrentString;
}
return TRUE;
}
// Display the indexes and/or names for all performance objects, instances, and counters.*
int main()
{
PPERF_DATA_BLOCK PerfData = NULL;
PPERF_OBJECT_TYPE PerfObj;
PPERF_INSTANCE_DEFINITION PerfInst;
PPERF_COUNTER_DEFINITION PerfCntr, CurCntr;
PPERF_COUNTER_BLOCK PtrToCntr;
DWORD BufferSize = TOTALBYTES;
DWORD i, j;
LONG k;
// Get the name strings through the registry.
if(!GetNameStrings())
return FALSE;
// Allocate the buffer for the performance data.
PerfData = (PPERF_DATA_BLOCK) malloc(BufferSize);
if(PerfData == NULL)
return FALSE;
while(RegQueryValueEx(
HKEY_PERFORMANCE_DATA,
"Global",
NULL,
NULL,
(LPBYTE) PerfData,
&BufferSize) == ERROR_MORE_DATA)
{
// Get a buffer that is big enough.
BufferSize += BYTEINCREMENT;
PerfData = (PPERF_DATA_BLOCK) realloc(PerfData, BufferSize);
}
// Get the first object type.
PerfObj = FirstObject(PerfData);
// Process all objects.
for(i=0; i < PerfData->NumObjectTypes; i++)
{
// Display the object by index and name.
printf("\nObject %ld: %s\n", PerfObj->ObjectNameTitleIndex, lpNamesArray[PerfObj->ObjectNameTitleIndex]);
// Get the first counter.
PerfCntr = FirstCounter(PerfObj);
if(PerfObj->NumInstances > 0)
{
// Get the first instance.
PerfInst = FirstInstance(PerfObj);
// Retrieve all instances.
for(k=0; k < PerfObj->NumInstances; k++)
{
// Display the instance by name.
printf("\n\tInstance %S: \n", (char *)((PBYTE)PerfInst + PerfInst->NameOffset));
CurCntr = PerfCntr;
// Retrieve all counters.
for(j=0; j < PerfObj->NumCounters; j++)
{
// Display the counter by index and name.
printf("\t\tCounter %ld: %s\n", CurCntr->CounterNameTitleIndex, lpNamesArray[CurCntr->CounterNameTitleIndex]);
// Get the next counter.
CurCntr = NextCounter(CurCntr);
}
// Get the next instance.
PerfInst = NextInstance(PerfInst);
}
}
else
{
// Get the counter block.
PtrToCntr = (PPERF_COUNTER_BLOCK)((PBYTE)PerfObj + PerfObj->DefinitionLength);
// Retrieve all counters.
for(j=0; j < PerfObj->NumCounters; j++)
{
// Display the counter by index and name.
printf("\tCounter %ld: %s\n", PerfCntr->CounterNameTitleIndex,
lpNamesArray[PerfCntr->CounterNameTitleIndex]);
// Get the next counter.
PerfCntr = NextCounter(PerfCntr);
}
}
// Get the next object type.
PerfObj = NextObject(PerfObj);
}
// Release all the memory back to system...
free(lpNamesArray);
free(lpNameStrings);
free(PerfData);
return TRUE;
}
A sample output:
|
Object 2922: .NET CLR Networking
Counter 2924: Connections Established
Counter 2926: Bytes Received
Counter 2928: Bytes Sent
Counter 2930: Datagrams Received
Counter 2932: Datagrams Sent
Object 2934: .NET CLR Memory
Instance _Global_:
Counter 2936: # Gen 0 Collections
Counter 2938: # Gen 1 Collections
Counter 2940: # Gen 2 Collections
Counter 2942: Promoted Memory from Gen 0
...
...
...
[trimmed]
Windows Registry and Automatic Program Running
In general, there are seven Run (this Run term used here as a general term) keys in the registry that cause programs to be run automatically as listed below:
Keys 1 through 7 apply to Windows 95, Windows 98, Windows 98 Second Edition, and Windows Millennium Edition (Me). Keys 1 through 4 also apply to Windows NT 4.0 and Windows 2000. For Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0 SP3 or later, and Windows 2000, an additional rule is available; for keys 3 and 4, the value name can be prefixed with an asterisk (*) to force the program to run even in Safe mode. Keys 1 through 4 are run each time a new user logs in. Keys 5 and 6 are run in the background when the logon dialog box first appears or at this stage of the boot process if there is no logon. These keys are for background services such as remote registry service and are run only once per boot. Key 7 is run as part of Setup's first-boot activities, or after you use the Add/Remove Programs Wizard. Under each of these keys is a series of values. The values are used to allow multiple subentries to exist without overwriting one another. The data value for a value is a command line. By default, Run keys are ignored in Safe mode. For keys 3 and 4, the value name can be prefixed with an exclamation point (!) to defer deletion of the value until after the command has been completed. For keys 3, 4, and 6, the value is deleted before the command line is run unless overridden as noted above. As a result, if aRunOnce operation fails to run properly, the component that failed will not be asked to run again the next time you start the computer. Key 7 is used only by Setup. This key displays the progress dialog box as the keys are run one at a time. For key 7, the name of the value is the name that is displayed in the dialog box.
Windows Registry and Automatic Program Startup Sequence
Registry keys settings normally done during the programs installation (Setup). Many programs that you install are automatically run when you start your computer and load Windows. Unfortunately, there are programs that are not legitimate such as spyware, hijackers, trojans, bots, worms and viruses that load in this manner as well. Many malware scanner programs try to search the Registry keys and folders where these programs will start automatically during the boot process and Windows loading. Windows’s Msconfig.exe, can be used to list programs that are automatically started from some of these locations unfortunately, it only lists programs from a limited amount of startup keys. In the following section there are the various list of registry keys, values and files under certain folders that can be used to start a program when Windows boots. The keys have been arranged in the order they load whenever possible. Keep in mind, that some of the keys are set to load at the same time (asynchronous), so it is possible that the order will change on each boot up. These keys generally apply to Windows 95, 98, ME, NT, XP, and 2000 except whenever mentioned.
<Turning on the computer>
The keys start in the following order as Windows loads:
RunServicesOnce key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
This key is designed to start services when a computer boots up. These entries can also continue running even after you log on, but must be completed before theHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce registry can start loading its programs.
RunServices key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
This key is designed to start services as well. These entries can also continue running even after you log on, but must be completed before theHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceregistry can start loading its programs.
<Logon dialog box is displayed on the screen>
After a user logs in the rest of the keys continue loading. The RunServicesOnce and RunServices keys are loaded before the user logs into Windows 95, Windows 98, and Windows Me. Because these two keys run asynchronously with the Logon dialog box, they can continue to run after the user has logged on. However, sinceHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce must load synchronously, its entries will not begin loading until after theRunServicesOnce andRunServices keys have finished loading.
RunOnce/RunOnceEx key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
These keys are designed to be used primarily by Setup programs. Entries in these keys are started once and then are deleted from the key. If there is an exclamation point (!) preceding the value of the key, the entry will not be deleted until after the program completes, otherwise it will be deleted before the program runs. This is important, because if the exclamation point is not used, and the program referenced in this key fails to complete, it will not run again as it will have already been deleted. All entries in this key are started synchronously in an undefined order. Due to this, all programs in this key must be finished before any entries in:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce, and Startup Folders,
can be loaded. TheRunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. TheRunOnce keys are not supported by Windows NT 3.51.
Run key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
These are the most common startup locations for programs to install auto start from. By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk (*), it is forced to run in Safe Mode.
All Users Startup Folder:
For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer. It is generally can be found at:
Windows XP | C:\Documents and Settings\All Users\Start Menu\Programs\Startup |
Windows NT | C:\Winnt\Profiles\All Users\Start Menu\Programs\Startup |
Windows 2000 | C:\Documents and Settings\All Users\Start Menu\Programs\Startup |
User Profile Startup Folder:
This folder will be executed for the particular user who logs in. This folder is usually can be found in:
Win 9X, ME | C:\windows\start menu\programs\startup |
Windows XP | C:\Documents and Settings\LoginName\Start Menu\Programs\Startup |
RunOnce Current User Key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
This key is designed to be used primarily by Setup programs. Entries in these keys are started once and then are deleted from the key. If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes, otherwise it will be deleted before the program runs. This is important, because if the exclamation point is not use, and the program referenced in this key fails to complete, it will not run again as it will have already been deleted. The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. TheRunOnce keys are not supported by Windows NT 3.51.
Explorer Run:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
These keys are generally used to load programs as part of a policy set in place on the computer or user if any.
UserInit value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
This key specifies what program should be launched right after a user logs into Windows. The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that restores your profile, fonts, colors, etc for your username. It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit =C:\windows\system32\userinit.exe,c:\windows\system32\otherbadprogram.exe,
This will make both programs launch when you log in and is a common place for trojans, hijackers, and spyware to launch from.
Load value:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
This key is not commonly used anymore, but can be used to auto start programs.
Notify key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
This key is used to add a program that will run when a particular event occurs. Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver. WhenWinlogon.exe generates an event such as mentioned above, Windows will look in theNotify registry key for a DLL that will handle this event. Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the malware program to load in such a way that it is not easy to stop.
AppInit_DLLs value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
This value corresponds to files being loaded through theAppInit_DLLs Registry value. The AppInit_DLLs registry value contains a list ofdlls that will be loaded when user32.dll is loaded. As most Windows executables use theuser32.dll, which means that any DLL that is listed in theAppInit_DLLs registry key will be loaded also. This makes it very difficult to remove the DLL as it will be loaded within multiple processes, some of which can not be stopped without causing system instability. Theuser32.dll file is also used by processes that are automatically started by the system when you log on. This means that the files loaded in theAppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before we have access to the system.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
ShellServiceObjectDelayLoad key: This Registry contains values in a similar way as the Run key does. The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information about the particular DLL file that is being used. The files under this key are loaded automatically byExplorer.exe when your computer starts. BecauseExplorer.exe is the shell for your computer, it will always start, thus always loading the files under this key. These files are therefore loaded early in the startup process before any human intervention occurs.
Note: CLSID Key - A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, then you need to register a CLSID for each supported class of objects. The Registry entry is:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID =
SharedTaskScheduler key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines. The entries in this registry run automatically when you start windows.
Other Files:
Other files that programs can use to autostart during the bootup, generally used by older Windows OSes such as Win 95 and Win 98 that may still functional in some of the newer Windows OSes are listed in the following (the default %SystemRoot% normally C:\Windows or C:\WINNT):
Well, a lot of location that can be used to start our program automatically and unfortunately these locations also shared by a lot of malware, viruses and worms :o).
Windows XP
The following information is specific to Windows XP. Its registry includes the following four Run keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Each of these keys has a series of values. The values allow multiple entries to exist without overwriting one another. The data value for a value is a command line. There are some special considerations for the third and fourth keys in the list, theRunOnce keys:
Beginning with Windows XP, the values in theRunOnce keys are run only if the user has permission to delete entries from the respective key.
The programs in the RunOnce key are run sequentially. Explorer waits until each one has exited before continuing with normal startup.
By default, Run keys are ignored when the computer starts in Safe mode. Under theRunOnce keys, you can prefix a value name with an asterisk (*) to force the associated program to run even in Safe mode.
You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs.
Without the exclamation point prefix, aRunOnce value is deleted before the command runs. As a result, if aRunOnce operation does not run properly, the associated program is not asked to run the next time you start the computer.
If more than one program is registered under any particular key, the order in which those programs are run is indeterminate. A program run from any of these keys should not write to the key during its execution. Doing so will interfere with the execution of other programs registered under the key. Furthermore, applications should use theRunOnce keys only for transient conditions (such as to complete application setup); an application must not continually re-create entries underRunOnce. Doing so will interfere with Windows Setup.
Windows XP has two separate Run policies:
The items that you added to the Items to run at logon list through the Group Policy, start automatically the next time that you log on to Windows on your computer. A list of these items is located in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
The legacy programs that are configured to start when you log on to your computer are listed in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Many third-party programs, such as Adobe, can be included in this category. You can either enable or disable the legacy run list. You cannot modify it directly from within the Group Policy snap-in. The RunOnceEx key has the following features:
Status: A dialog box is displayed while the items contained in the registry key are being processed. The entries to be processed are grouped into sections and the dialog box highlights the current section being processed. You can disable the status dialog box feature.
Performance: The majority of the commands contained in theRun andRunOnce registry keys create separate processes, which is inefficient. TheRunOnceEx registry key does not create a separate process. TheRunOnceEx registry key also supports a dependency list of DLLs that remain loaded while either all the sections or some of the sections are being processed.
Error Handling: If an exception occurs while calling a function in a DLL, the exception is caught and an error dialog box is displayed to the user. You can suppress this error dialog box by using a flag in theRunOnceEx registry key. You can also set a flag to enable log errors and run theRunOnceEx registry key.
Deterministic: TheRunOnceEx registry key sorts the entries and sections alphabetically to force a deterministic order.
--------------------------- Windows Registry: Examples and Exploits, Part II-----------------------
Further reading and digging:
Microsoft C references, online MSDN.
Microsoft Visual C++, online MSDN.
ReactOS - Windows binary compatible OS - C/C++ source code repository, Doxygen.
Linux Access Control Lists (ACL) info can be found atAccess Control Lists.
2003-2010 © Tenouk. All rights reserved.