|< Windows Registry Tutorial 3 | Main | Windows Share Programming 1 >|Site Index |Download |Disclaimer |Privacy |

MODULE P1

WINDOWS OS

.:: REGISTRY:  EXAMPLES AND EXPLOITS::.

PART 4

What do we have in this Module?

1. Program example to check the Registry for policies and preferences

2. Program example to retrieve and display object, instance, and counter names

3. Windows Registry and Windows (Automatic) Program Running

4. Windows Registry and Automatic Program Startup Sequence:

1. RunServicesOnce key

2. RunServices key

3. RunOnce/RunOnceEx key

4. Run key

5. All Users Startup Folder

6. User Profile Startup Folder

7. RunOnce Current User Key

8. Explorer Run

9. UserInit value

10. Load value

11. Notify key

12. AppInit_DLLs value

13. SharedTaskScheduler key

14. Other Files

5. Some Windows XP boot sequence issue

    if(lResult == ERROR_SUCCESS)

    {

        lResult = RegQueryValueEx(hKey, lpValueName, 0, &dwType, (LPBYTE)&dwValue, &dwSize);

        RegCloseKey(hKey);

    }

   // Exit if a policy value was found.

    if(lResult == ERROR_SUCCESS)

    {

      // return the data value

       return dwValue;

    }

    else

       printf("Policy: value not found!\n");

   // Second, check for a preference.

    lResult = RegOpenKeyEx(HKEY_CURRENT_USER, PREFERENCE_KEY, 0, KEY_READ, &hKey);

    if(lResult == ERROR_SUCCESS)

    {

        lResult = RegQueryValueEx(hKey, lpValueName, 0, &dwType, (LPBYTE)&dwValue, &dwSize);

        RegCloseKey (hKey);

    }

   // Exit if a preference was found.

    if(lResult == ERROR_SUCCESS)

    {

      // Return the data value

       return dwValue;

    }

    else

       printf("Preference: value not found!\n");

   // Neither a policy nor a preference was found; return the default value.

    return dwDefault;

}

int main()

{

       LPTSTR lpValueName = "Browse For Folder Height";

       DWORD dwDefault = 0x00000000;

       DWORD ret = ReadValue(lpValueName, dwDefault);

       printf("The value data for the \'%s\' value name is 0X%.8X(%d).\n", lpValueName, ret, ret);

      return 0;

}

A sample output:

Policy: value not found!

The value data for the 'Browse For Folder Height' value name is 0X00000120(288).

Press any key to continue

Figure 3: Getting the Registry values.

Retrieving and Displaying Object, Instance, and Counter Names

The performance data contains information for a variable number of object types, instances per object, and counters per object type.  Therefore, the number and size of blocks in the performance data varies.  To ensure that your application correctly receives the performance data, you must use the offsets included in the performance structures to navigate through the data.  Every offset is a count of bytes relative to the structure containing it. The reason the system uses offsets instead of pointers is that pointers are not valid across process boundaries.  The addresses that the process that installs the counters would store would not be valid for the process that reads the counters. The following example displays the index and name of each object, along with the indexes and names of its counters.  The object and counter names are stored in the registry, by index.  This example creates a function, GetNameStrings(), to load the indexes and names of each object and counter from the registry into an array, so that they can be easily accessed. GetNameStrings() uses the following standard registry functions to access the data:RegOpenKey(),RegCloseKey(),RegQueryInfoKey(), and RegQueryValueEx().

This example creates the following functions for navigating the performance data: FirstObject,FirstInstance,FirstCounter,NextCounter,NextInstance, andNextCounter.  These functions navigate the performance data by using the offsets stored in the performance structures.

// #define _WIN32_WINNT 0x0502   // Windows Server 2003 family

// For Win Xp, change accordingly...

#define _WIN32_WINNT 0x0501

// #define _WIN32_WINNT 0x0500   // Windows 2000

#include <windows.h>

#include <stdio.h>

#include <stdlib.h>

#include <malloc.h>

#include <string.h>

#define TOTALBYTES    20000

#define BYTEINCREMENT 2048

LPSTR lpNameStrings;

LPSTR *lpNamesArray;

// Functions used to navigate through the performance data.

PPERF_OBJECT_TYPE FirstObject(PPERF_DATA_BLOCK PerfData)

{

    return((PPERF_OBJECT_TYPE)((PBYTE)PerfData + PerfData->HeaderLength));

}

PPERF_OBJECT_TYPE NextObject(PPERF_OBJECT_TYPE PerfObj)

{

    return((PPERF_OBJECT_TYPE)((PBYTE)PerfObj + PerfObj->TotalByteLength));

}

PPERF_INSTANCE_DEFINITION FirstInstance(PPERF_OBJECT_TYPE PerfObj)

{

    return((PPERF_INSTANCE_DEFINITION)((PBYTE)PerfObj + PerfObj->DefinitionLength));

}

PPERF_INSTANCE_DEFINITION NextInstance(PPERF_INSTANCE_DEFINITION PerfInst)

{

    PPERF_COUNTER_BLOCK PerfCntrBlk;

    PerfCntrBlk = (PPERF_COUNTER_BLOCK)((PBYTE)PerfInst + PerfInst->ByteLength);

    return((PPERF_INSTANCE_DEFINITION)((PBYTE)PerfCntrBlk + PerfCntrBlk->ByteLength));

}

PPERF_COUNTER_DEFINITION FirstCounter(PPERF_OBJECT_TYPE PerfObj)

{

    return((PPERF_COUNTER_DEFINITION) ((PBYTE)PerfObj + PerfObj->HeaderLength));

}

PPERF_COUNTER_DEFINITION NextCounter(PPERF_COUNTER_DEFINITION PerfCntr)

{

    return((PPERF_COUNTER_DEFINITION)((PBYTE)PerfCntr + PerfCntr->ByteLength));

}

// Load the counter and object names from the registry to the

// global variable lpNamesArray.

BOOL GetNameStrings()

{

    HKEY hKeyPerflib;                 // handle to registry key

    HKEY hKeyPerflib009;          // handle to registry key

    DWORD dwMaxValueLen;  // maximum size of key values

    DWORD dwBuffer;               // bytes to allocate for buffers

    DWORD dwBufferSize;       // size of dwBuffer

    LPSTR lpCurrentString;      // pointer for enumerating data strings

    DWORD dwCounter;          // current counter index

    // Get the number of Counter items.

    if(RegOpenKeyEx(

       HKEY_LOCAL_MACHINE,

       "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib",

        0,

        KEY_READ,

        &hKeyPerflib) != ERROR_SUCCESS)

    return FALSE;

    else

         printf("RegOpenKeyEx() is OK.\n");

    dwBufferSize =sizeof(dwBuffer);

    if(RegQueryValueEx(

       hKeyPerflib,

       "Last Counter",

        NULL,

        NULL,

        (LPBYTE) &dwBuffer,

        &dwBufferSize) != ERROR_SUCCESS)

       return FALSE;

     else

       printf("RegQueryValueEx() is OK.\n");

    RegCloseKey(hKeyPerflib);

   // Allocate memory for the names array.

    lpNamesArray = (LPTSTR *)malloc((dwBuffer+1) * sizeof(LPSTR));

    if(lpNamesArray == NULL)

       return FALSE;

   // Open the key containing the counter and object names.

    if(RegOpenKeyEx(

       HKEY_LOCAL_MACHINE,

       "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\009",

        0,

        KEY_READ,

        &hKeyPerflib009) != ERROR_SUCCESS)

       return FALSE;

     else

       printf("RegOpenKeyEx() is OK.\n");

   // Get the size of the largest value in the key (Counter or Help).

    if(RegQueryInfoKey(

       hKeyPerflib009,

        NULL,

        NULL,

        NULL,

        NULL,

        NULL,

        NULL,

        NULL,

        NULL,

        &dwMaxValueLen,

        NULL,

        NULL) != ERROR_SUCCESS

      )

       return FALSE;

     else

       printf("RegQueryInfoKey() is OK.\n");

   // Allocate memory for the counter and object names.

    dwBuffer = dwMaxValueLen + 1;

    lpNameStrings = (LPTSTR)malloc(dwBuffer * sizeof(CHAR));

    if(lpNameStrings == NULL)

    {

        free(lpNamesArray);

       return FALSE;

    }

    else

       printf("Memory allocated for lpNameStrings.\n");

   // Read the Counter value.

    if(RegQueryValueEx(

       hKeyPerflib009,

        "Counter",

        NULL,

        NULL,

        (LPBYTE)lpNameStrings,

       &dwBuffer) != ERROR_SUCCESS)

    return FALSE;

    else

       printf("RegQueryValueEx() is OK.\n");

       printf("Please wait...\n");

   // Load names into an array, by index.

    for(lpCurrentString = lpNameStrings; *lpCurrentString;

         lpCurrentString += (lstrlen(lpCurrentString)+1))

    {

        dwCounter = atol(lpCurrentString);

        lpCurrentString += (lstrlen(lpCurrentString)+1);

        lpNamesArray[dwCounter] = (LPSTR)lpCurrentString;

    }

   return TRUE;

}

// Display the indexes and/or names for all performance objects, instances, and counters.*

int main()

{

    PPERF_DATA_BLOCK PerfData = NULL;

    PPERF_OBJECT_TYPE PerfObj;

    PPERF_INSTANCE_DEFINITION PerfInst;

    PPERF_COUNTER_DEFINITION PerfCntr, CurCntr;

    PPERF_COUNTER_BLOCK PtrToCntr;

    DWORD BufferSize = TOTALBYTES;

    DWORD i, j;

       LONG k;

   // Get the name strings through the registry.

    if(!GetNameStrings())

      return FALSE;

   // Allocate the buffer for the performance data.

    PerfData = (PPERF_DATA_BLOCK) malloc(BufferSize);

    if(PerfData == NULL)

      return FALSE;

    while(RegQueryValueEx(

       HKEY_PERFORMANCE_DATA,

        "Global",

        NULL,

        NULL,

        (LPBYTE) PerfData,

        &BufferSize) == ERROR_MORE_DATA)

    {

       // Get a buffer that is big enough.

        BufferSize += BYTEINCREMENT;

        PerfData = (PPERF_DATA_BLOCK) realloc(PerfData, BufferSize);

    }

   // Get the first object type.

    PerfObj = FirstObject(PerfData);

   // Process all objects.

    for(i=0; i < PerfData->NumObjectTypes; i++)

    {

       // Display the object by index and name.

        printf("\nObject %ld: %s\n", PerfObj->ObjectNameTitleIndex, lpNamesArray[PerfObj->ObjectNameTitleIndex]);

       // Get the first counter.

        PerfCntr = FirstCounter(PerfObj);

       if(PerfObj->NumInstances > 0)

        {

           // Get the first instance.

            PerfInst = FirstInstance(PerfObj);

           // Retrieve all instances.

           for(k=0; k < PerfObj->NumInstances; k++)

            {

               // Display the instance by name.

                printf("\n\tInstance %S: \n", (char *)((PBYTE)PerfInst + PerfInst->NameOffset));

                CurCntr = PerfCntr;

               // Retrieve all counters.

               for(j=0; j < PerfObj->NumCounters; j++)

                {

                // Display the counter by index and name.

                 printf("\t\tCounter %ld: %s\n", CurCntr->CounterNameTitleIndex, lpNamesArray[CurCntr->CounterNameTitleIndex]);

                // Get the next counter.

                 CurCntr = NextCounter(CurCntr);

                }

               // Get the next instance.

                PerfInst = NextInstance(PerfInst);

            }

        }

       else

        {

           // Get the counter block.

            PtrToCntr = (PPERF_COUNTER_BLOCK)((PBYTE)PerfObj + PerfObj->DefinitionLength);

           // Retrieve all counters.

           for(j=0; j < PerfObj->NumCounters; j++)

            {

               // Display the counter by index and name.

                printf("\tCounter %ld: %s\n", PerfCntr->CounterNameTitleIndex,

                    lpNamesArray[PerfCntr->CounterNameTitleIndex]);

               // Get the next counter.

                PerfCntr = NextCounter(PerfCntr);

            }

        }

       // Get the next object type.

        PerfObj = NextObject(PerfObj);

    }

   // Release all the memory back to system...

    free(lpNamesArray);

    free(lpNameStrings);

    free(PerfData);

    return TRUE;

}

Object 2922: .NET CLR Networking

        Counter 2924: Connections Established

        Counter 2926: Bytes Received

        Counter 2928: Bytes Sent

        Counter 2930: Datagrams Received

        Counter 2932: Datagrams Sent

 

Object 2934: .NET CLR Memory

 

        Instance _Global_:

                Counter 2936: # Gen 0 Collections

                Counter 2938: # Gen 1 Collections

                Counter 2940: # Gen 2 Collections

                Counter 2942: Promoted Memory from Gen 0

...

...

...

[trimmed]

Windows Registry and Automatic Program Running

In general, there are seven Run (this Run term used here as a general term) keys in the registry that cause programs to be run automatically as listed below:

1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

5. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

6. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ RunServicesOnce

7. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ RunOnce\Setup

Keys 1 through 7 apply to Windows 95, Windows 98, Windows 98 Second Edition, and Windows Millennium Edition (Me).  Keys 1 through 4 also apply to Windows NT 4.0 and Windows 2000. For Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0 SP3 or later, and Windows 2000, an additional rule is available; for keys 3 and 4, the value name can be prefixed with an asterisk (*) to force the program to run even in Safe mode.  Keys 1 through 4 are run each time a new user logs in.  Keys 5 and 6 are run in the background when the logon dialog box first appears or at this stage of the boot process if there is no logon.  These keys are for background services such as remote registry service and are run only once per boot.  Key 7 is run as part of Setup's first-boot activities, or after you use the Add/Remove Programs Wizard.  Under each of these keys is a series of values.  The values are used to allow multiple subentries to exist without overwriting one another.  The data value for a value is a command line.  By default, Run keys are ignored in Safe mode.  For keys 3 and 4, the value name can be prefixed with an exclamation point (!) to defer deletion of the value until after the command has been completed.  For keys 3, 4, and 6, the value is deleted before the command line is run unless overridden as noted above.  As a result, if aRunOnce operation fails to run properly, the component that failed will not be asked to run again the next time you start the computer.  Key 7 is used only by Setup.  This key displays the progress dialog box as the keys are run one at a time.  For key 7, the name of the value is the name that is displayed in the dialog box.

Windows Registry and Automatic Program Startup Sequence

Registry keys settings normally done during the programs installation (Setup).  Many programs that you install are automatically run when you start your computer and load Windows.  Unfortunately, there are programs that are not legitimate such as spyware, hijackers, trojans, bots, worms and viruses that load in this manner as well.  Many malware scanner programs try to search the Registry keys and folders where these programs will start automatically during the boot process and Windows loading. Windows’s Msconfig.exe, can be used to list programs that are automatically started from some of these locations unfortunately, it only lists programs from a limited amount of startup keys.  In the following section there are the various list of registry keys, values and files under certain folders that can be used to start a program when Windows boots.  The keys have been arranged in the order they load whenever possible.  Keep in mind, that some of the keys are set to load at the same time (asynchronous), so it is possible that the order will change on each boot up.  These keys generally apply to Windows 95, 98, ME, NT, XP, and 2000 except whenever mentioned.

<Turning on the computer>

The keys start in the following order as Windows loads:

RunServicesOnce key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

This key is designed to start services when a computer boots up.  These entries can also continue running even after you log on, but must be completed before theHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce registry can start loading its programs.

RunServices key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

This key is designed to start services as well.  These entries can also continue running even after you log on, but must be completed before theHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceregistry can start loading its programs.

<Logon dialog box is displayed on the screen>

After a user logs in the rest of the keys continue loading.  The RunServicesOnce and RunServices keys are loaded before the user logs into Windows 95, Windows 98, and Windows Me.  Because these two keys run asynchronously with the Logon dialog box, they can continue to run after the user has logged on.  However, sinceHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce must load synchronously, its entries will not begin loading until after theRunServicesOnce andRunServices keys have finished loading.

RunOnce/RunOnceEx key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

These keys are designed to be used primarily by Setup programs.  Entries in these keys are started once and then are deleted from the key.  If there is an exclamation point (!) preceding the value of the key, the entry will not be deleted until after the program completes, otherwise it will be deleted before the program runs.  This is important, because if the exclamation point is not used, and the program referenced in this key fails to complete, it will not run again as it will have already been deleted.  All entries in this key are started synchronously in an undefined order.  Due to this, all programs in this key must be finished before any entries in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce, and Startup Folders,

can be loaded.  TheRunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.  TheRunOnce keys are not supported by Windows NT 3.51.

Run key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

These are the most common startup locations for programs to install auto start from.  By default these keys are not executed in Safe mode.  If you prefix the value of these keys with an asterisk (*), it is forced to run in Safe Mode.

All Users Startup Folder:

For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.  It is generally can be found at:

User Profile Startup Folder:

This folder will be executed for the particular user who logs in.  This folder is usually can be found in:

RunOnce Current User Key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

This key is designed to be used primarily by Setup programs.  Entries in these keys are started once and then are deleted from the key.  If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes, otherwise it will be deleted before the program runs.  This is important, because if the exclamation point is not use, and the program referenced in this key fails to complete, it will not run again as it will have already been deleted.  The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.  TheRunOnce keys are not supported by Windows NT 3.51.

Explorer Run:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

These keys are generally used to load programs as part of a policy set in place on the computer or user if any.

UserInit value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

This key specifies what program should be launched right after a user logs into Windows.  The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that restores your profile, fonts, colors, etc for your username.  It is possible to add further programs that will launch from this key by separating the programs with a comma.  For example:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit =C:\windows\system32\userinit.exe,c:\windows\system32\otherbadprogram.exe,

This will make both programs launch when you log in and is a common place for trojans, hijackers, and spyware to launch from.

Load value:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

This key is not commonly used anymore, but can be used to auto start programs.

Notify key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

This key is used to add a program that will run when a particular event occurs.  Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.  WhenWinlogon.exe generates an event such as mentioned above, Windows will look in theNotify registry key for a DLL that will handle this event.  Malware has been known to use this method to load itself when a user logs on to their computer.  Loading in such a way allows the malware program to load in such a way that it is not easy to stop.

AppInit_DLLs value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

This value corresponds to files being loaded through theAppInit_DLLs Registry value.  The AppInit_DLLs registry value contains a list ofdlls that will be loaded when user32.dll is loaded.  As most Windows executables use theuser32.dll, which means that any DLL that is listed in theAppInit_DLLs registry key will be loaded also.  This makes it very difficult to remove the DLL as it will be loaded within multiple processes, some of which can not be stopped without causing system instability.  Theuser32.dll file is also used by processes that are automatically started by the system when you log on.  This means that the files loaded in theAppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before we have access to the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

ShellServiceObjectDelayLoad key:  This Registry contains values in a similar way as the Run key does.  The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information about the particular DLL file that is being used.  The files under this key are loaded automatically byExplorer.exe when your computer starts.  BecauseExplorer.exe is the shell for your computer, it will always start, thus always loading the files under this key.  These files are therefore loaded early in the startup process before any human intervention occurs.

Note:  CLSID Key - A CLSID is a globally unique identifier that identifies a COM class object.  If your server or container allows linking to its embedded objects, then you need to register a CLSID for each supported class of objects.  The Registry entry is:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID =

SharedTaskScheduler key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.  The entries in this registry run automatically when you start windows.

Other Files:

Other files that programs can use to autostart during the bootup, generally used by older Windows OSes such as Win 95 and Win 98 that may still functional in some of the newer Windows OSes are listed in the following (the default %SystemRoot% normally C:\Windows or C:\WINNT):

1. C:\autoexec.bat

2. C:\config.sys

3. %SystemRoot%\wininit.ini - Usually used by setup programs to have a file run once and then get deleted.

4. %SystemRoot%\winstart.bat

5. %SystemRoot%\win.ini - [windows] "load=..."

6. %SystemRoot%\win.ini - [windows] "run=..."

7. %SystemRoot%\system.ini - [boot] "shell=..."

8. %SystemRoot%\system.ini - [boot] "scrnsave.exe"

9. %SystemRoot%\dosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

10. %SystemRoot%\system\autoexec.nt

11. %SystemRoot%\system\config.nt

Well, a lot of location that can be used to start our program automatically and unfortunately these locations also shared by a lot of malware, viruses and worms :o).

Windows XP

The following information is specific to Windows XP.  Its registry includes the following four Run keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Each of these keys has a series of values.  The values allow multiple entries to exist without overwriting one another.  The data value for a value is a command line.  There are some special considerations for the third and fourth keys in the list, theRunOnce keys:

• Beginning with Windows XP, the values in theRunOnce keys are run only if the user has permission to delete entries from the respective key.

• The programs in the RunOnce key are run sequentially.  Explorer waits until each one has exited before continuing with normal startup.

• By default, Run keys are ignored when the computer starts in Safe mode. Under theRunOnce keys, you can prefix a value name with an asterisk (*) to force the associated program to run even in Safe mode.

• You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs.

• Without the exclamation point prefix, aRunOnce value is deleted before the command runs. As a result, if aRunOnce operation does not run properly, the associated program is not asked to run the next time you start the computer.

If more than one program is registered under any particular key, the order in which those programs are run is indeterminate.  A program run from any of these keys should not write to the key during its execution.  Doing so will interfere with the execution of other programs registered under the key.  Furthermore, applications should use theRunOnce keys only for transient conditions (such as to complete application setup); an application must not continually re-create entries underRunOnce.  Doing so will interfere with Windows Setup.

Windows XP has two separate Run policies:

1. Run at Startup.
2. Legacy Run at Startup.

The items that you added to the Items to run at logon list through the Group Policy, start automatically the next time that you log on to Windows on your computer.  A list of these items is located in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

The legacy programs that are configured to start when you log on to your computer are listed in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Many third-party programs, such as Adobe, can be included in this category.  You can either enable or disable the legacy run list.  You cannot modify it directly from within the Group Policy snap-in. The RunOnceEx key has the following features:

• Status: A dialog box is displayed while the items contained in the registry key are being processed.  The entries to be processed are grouped into sections and the dialog box highlights the current section being processed.  You can disable the status dialog box feature.

• Performance: The majority of the commands contained in theRun andRunOnce registry keys create separate processes, which is inefficient.  TheRunOnceEx registry key does not create a separate process.  TheRunOnceEx registry key also supports a dependency list of DLLs that remain loaded while either all the sections or some of the sections are being processed.

• Error Handling: If an exception occurs while calling a function in a DLL, the exception is caught and an error dialog box is displayed to the user.  You can suppress this error dialog box by using a flag in theRunOnceEx registry key.  You can also set a flag to enable log errors and run theRunOnceEx registry key.

• Deterministic: TheRunOnceEx registry key sorts the entries and sections alphabetically to force a deterministic order.

--------------------------- Windows Registry: Examples and Exploits, Part II-----------------------

Further reading and digging:

1. Notation used in MSDN is Hungarian Notation instead of CamelCase and is discussedWindows programming notations.
2. Windows data type information is inWindows data types used in Win32 programming.
3. Check the best selling C, C++ and Windows books at Amazon.com.

4. Microsoft C references, online MSDN.

5. Microsoft Visual C++, online MSDN.

6. ReactOS - Windows binary compatible OS - C/C++ source code repository, Doxygen.

7. Linux Access Control Lists (ACL) info can be found atAccess Control Lists.

8. For Multi bytes, Unicode characters and Localization please refer to Locale, wide characters & Unicode (Story) and Windows users & groups programming tutorials (Implementation).
9. Structure, enum, union and typedef story can be foundC/C++ struct, enum, union & typedef.

|< Windows Registry Tutorial 3 | Main | Windows Share Programming 1 >|Site Index |Download |Disclaimer |Privacy |

2003-2010 © Tenouk. All rights reserved.