|< Windows Registry Tutorial 3 | Main | Windows Share Programming 1 >| Site Index | Download | Disclaimer | Privacy |


 

 

 

 

MODULE P1

WINDOWS OS

.:: REGISTRY:  EXAMPLES AND EXPLOITS::.

PART 4

 

 

 

 

What do we have in this Module?

  1. Program example to check the Registry for policies and preferences

  2. Program example to retrieve and display object, instance, and counter names

  3. Windows Registry and Windows (Automatic) Program Running

  4. Windows Registry and Automatic Program Startup Sequence:

  1. RunServicesOnce key

  2. RunServices key

  3. RunOnce/RunOnceEx key

  4. Run key

  5. All Users Startup Folder

  6. User Profile Startup Folder

  7. RunOnce Current User Key

  8. Explorer Run

  9. UserInit value

  10. Load value

  11. Notify key

  12. AppInit_DLLs value

  13. SharedTaskScheduler key

  14. Other Files

  1. Some Windows XP boot sequence issue

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

My Training Period: xx hours. Before you begin, read some instruction here. This is a continuation from previous Windows Registry Tutorial 3

 

The expected abilities:

  • Able to understand and use functions to manipulate Windows Registry.

  • Able to gather and understand the required information in order to use those functions.

  • Able to understand the Registry and automatic programs startup.

  • Able to understand and aware the misuse of the automatic programs startup.

  • Able to understand the Registry execution order during the Windows bootup.

Checking the Registry for Policies and Preferences

 

The following code sample illustrates how your application can check the registry for policy and preference information.

 

// #define _WIN32_WINNT 0x0502   // Windows Server 2003 family

// For Win Xp, change accordingly...

#define _WIN32_WINNT 0x0501

// #define _WIN32_WINNT 0x0500   // Windows 2000

// #define _WIN32_WINNT 0x0400   // Windows NT 4.0

// #define _WIN32_WINDOWS 0x0500 // Windows ME

// #define _WIN32_WINDOWS 0x0410 // Windows 98

// #define _WIN32_WINDOWS 0x0400 // Windows 95

#include <windows.h>

#include <stdio.h>

// Change accordingly...

#define POLICY_KEY TEXT("Software\\Policies\\Microsoft\\Windows\\Explorer")

#define PREFERENCE_KEY TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer")

DWORD ReadValue(LPTSTR lpValueName, DWORD dwDefault)

{

     HKEY hKey;

     LONG lResult;

     DWORD dwValue, dwType, dwSize = sizeof(dwValue);

    // First, check for a policy.

    lResult = RegOpenKeyEx(HKEY_CURRENT_USER, POLICY_KEY, 0, KEY_READ, &hKey);

 

    if(lResult == ERROR_SUCCESS)

    {

        lResult = RegQueryValueEx(hKey, lpValueName, 0, &dwType, (LPBYTE)&dwValue, &dwSize);

        RegCloseKey(hKey);

    }

    // Exit if a policy value was found.

    if(lResult == ERROR_SUCCESS)

    {

       // return the data value

        return dwValue;

    }

    else

       printf("Policy: value not found!\n");

    // Second, check for a preference.

    lResult = RegOpenKeyEx(HKEY_CURRENT_USER, PREFERENCE_KEY, 0, KEY_READ, &hKey);

    if(lResult == ERROR_SUCCESS)

    {

        lResult = RegQueryValueEx(hKey, lpValueName, 0, &dwType, (LPBYTE)&dwValue, &dwSize);

        RegCloseKey (hKey);

    }

    // Exit if a preference was found.

    if(lResult == ERROR_SUCCESS)

    {

       // Return the data value

        return dwValue;

    }

    else

       printf("Preference: value not found!\n");

    // Neither a policy nor a preference was found; return the default value.

    return dwDefault;

}

 

int main()

{

       LPTSTR lpValueName = "Browse For Folder Height";

       DWORD dwDefault = 0x00000000;

       DWORD ret = ReadValue(lpValueName, dwDefault);

       printf("The value data for the \'%s\' value name is 0X%.8X(%d).\n", lpValueName, ret, ret);

       return 0;

}

 

A sample output:

Policy: value not found!

The value data for the 'Browse For Folder Height' value name is 0X00000120(288).

Press any key to continue

 

Information extraction from registry verification

 

Figure 3: Getting the Registry values.

 

Retrieving and Displaying Object, Instance, and Counter Names

 

The performance data contains information for a variable number of object types, instances per object, and counters per object type.  Therefore, the number and size of blocks in the performance data varies.  To ensure that your application correctly receives the performance data, you must use the offsets included in the performance structures to navigate through the data.  Every offset is a count of bytes relative to the structure containing it. The reason the system uses offsets instead of pointers is that pointers are not valid across process boundaries.  The addresses that the process that installs the counters would store would not be valid for the process that reads the counters. The following example displays the index and name of each object, along with the indexes and names of its counters.  The object and counter names are stored in the registry, by index.  This example creates a function, GetNameStrings(), to load the indexes and names of each object and counter from the registry into an array, so that they can be easily accessed.  GetNameStrings() uses the following standard registry functions to access the data: RegOpenKey(), RegCloseKey(), RegQueryInfoKey(), and RegQueryValueEx().

This example creates the following functions for navigating the performance data: FirstObject, FirstInstance, FirstCounter, NextCounter, NextInstance, and NextCounter.  These functions navigate the performance data by using the offsets stored in the performance structures.

 

// #define _WIN32_WINNT 0x0502   // Windows Server 2003 family

// For Win Xp, change accordingly...

#define _WIN32_WINNT 0x0501

// #define _WIN32_WINNT 0x0500   // Windows 2000

 

#include <windows.h>

#include <stdio.h>

#include <stdlib.h>

#include <malloc.h>

#include <string.h>

 

#define TOTALBYTES    20000

#define BYTEINCREMENT 2048

 

LPSTR lpNameStrings;

LPSTR *lpNamesArray;

 

// Functions used to navigate through the performance data.

PPERF_OBJECT_TYPE FirstObject(PPERF_DATA_BLOCK PerfData)

{

    return((PPERF_OBJECT_TYPE)((PBYTE)PerfData + PerfData->HeaderLength));

}

 

PPERF_OBJECT_TYPE NextObject(PPERF_OBJECT_TYPE PerfObj)

{

    return((PPERF_OBJECT_TYPE)((PBYTE)PerfObj + PerfObj->TotalByteLength));

}

 

PPERF_INSTANCE_DEFINITION FirstInstance(PPERF_OBJECT_TYPE PerfObj)

{

    return((PPERF_INSTANCE_DEFINITION)((PBYTE)PerfObj + PerfObj->DefinitionLength));

}

 

PPERF_INSTANCE_DEFINITION NextInstance(PPERF_INSTANCE_DEFINITION PerfInst)

{

    PPERF_COUNTER_BLOCK PerfCntrBlk;

    PerfCntrBlk = (PPERF_COUNTER_BLOCK)((PBYTE)PerfInst + PerfInst->ByteLength);

    return((PPERF_INSTANCE_DEFINITION)((PBYTE)PerfCntrBlk + PerfCntrBlk->ByteLength));

}

 

PPERF_COUNTER_DEFINITION FirstCounter(PPERF_OBJECT_TYPE PerfObj)

{

    return((PPERF_COUNTER_DEFINITION) ((PBYTE)PerfObj + PerfObj->HeaderLength));

}

 

PPERF_COUNTER_DEFINITION NextCounter(PPERF_COUNTER_DEFINITION PerfCntr)

{

    return((PPERF_COUNTER_DEFINITION)((PBYTE)PerfCntr + PerfCntr->ByteLength));

}

 

// Load the counter and object names from the registry to the

// global variable lpNamesArray.

BOOL GetNameStrings()

{

    HKEY hKeyPerflib;                  // handle to registry key

    HKEY hKeyPerflib009;           // handle to registry key

    DWORD dwMaxValueLen;   // maximum size of key values

    DWORD dwBuffer;                // bytes to allocate for buffers

    DWORD dwBufferSize;        // size of dwBuffer

    LPSTR lpCurrentString;       // pointer for enumerating data strings

    DWORD dwCounter;           // current counter index

    // Get the number of Counter items.

    if(RegOpenKeyEx(

       HKEY_LOCAL_MACHINE,

       "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib",

        0,

        KEY_READ,

        &hKeyPerflib) != ERROR_SUCCESS)

    return FALSE;

    else

         printf("RegOpenKeyEx() is OK.\n");

    dwBufferSize = sizeof(dwBuffer);

    if(RegQueryValueEx(

       hKeyPerflib,

       "Last Counter",

        NULL,

        NULL,

        (LPBYTE) &dwBuffer,

        &dwBufferSize) != ERROR_SUCCESS)

        return FALSE;

     else

       printf("RegQueryValueEx() is OK.\n");

 

    RegCloseKey(hKeyPerflib);

 

    // Allocate memory for the names array.

    lpNamesArray = (LPTSTR *)malloc((dwBuffer+1) * sizeof(LPSTR));

 

    if(lpNamesArray == NULL)

        return FALSE;

 

    // Open the key containing the counter and object names.

    if(RegOpenKeyEx(

       HKEY_LOCAL_MACHINE,

       "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib\\009",

        0,

        KEY_READ,

        &hKeyPerflib009) != ERROR_SUCCESS)

        return FALSE;

     else

       printf("RegOpenKeyEx() is OK.\n");

 

    // Get the size of the largest value in the key (Counter or Help).

    if(RegQueryInfoKey(

       hKeyPerflib009,

        NULL,

        NULL,

        NULL,

        NULL,

        NULL,

        NULL,

        NULL,

        NULL,

        &dwMaxValueLen,

        NULL,

        NULL) != ERROR_SUCCESS

      )

        return FALSE;

     else

       printf("RegQueryInfoKey() is OK.\n");

 

    // Allocate memory for the counter and object names.

    dwBuffer = dwMaxValueLen + 1;

 

    lpNameStrings = (LPTSTR)malloc(dwBuffer * sizeof(CHAR));

 

    if(lpNameStrings == NULL)

    {

        free(lpNamesArray);

        return FALSE;

    }

    else

       printf("Memory allocated for lpNameStrings.\n");

 

    // Read the Counter value.

    if(RegQueryValueEx(

       hKeyPerflib009,

        "Counter",

        NULL,

        NULL,

        (LPBYTE)lpNameStrings,

       &dwBuffer) != ERROR_SUCCESS)

    return FALSE;

    else

       printf("RegQueryValueEx() is OK.\n");

 

       printf("Please wait...\n");

    // Load names into an array, by index.

    for(lpCurrentString = lpNameStrings; *lpCurrentString;

         lpCurrentString += (lstrlen(lpCurrentString)+1))

    {

        dwCounter = atol(lpCurrentString);

        lpCurrentString += (lstrlen(lpCurrentString)+1);

        lpNamesArray[dwCounter] = (LPSTR)lpCurrentString;

    }

 

   return TRUE;

}

 

// Display the indexes and/or names for all performance objects, instances, and counters.*

int main()

{

    PPERF_DATA_BLOCK PerfData = NULL;

    PPERF_OBJECT_TYPE PerfObj;

    PPERF_INSTANCE_DEFINITION PerfInst;

    PPERF_COUNTER_DEFINITION PerfCntr, CurCntr;

    PPERF_COUNTER_BLOCK PtrToCntr;

    DWORD BufferSize = TOTALBYTES;

    DWORD i, j;

       LONG k;

 

    // Get the name strings through the registry.

    if(!GetNameStrings())

       return FALSE;

 

   // Allocate the buffer for the performance data.

    PerfData = (PPERF_DATA_BLOCK) malloc(BufferSize);

 

    if(PerfData == NULL)

       return FALSE;

 

    while(RegQueryValueEx(

       HKEY_PERFORMANCE_DATA,

        "Global",

        NULL,

        NULL,

        (LPBYTE) PerfData,

        &BufferSize) == ERROR_MORE_DATA)

    {

        // Get a buffer that is big enough.

        BufferSize += BYTEINCREMENT;

        PerfData = (PPERF_DATA_BLOCK) realloc(PerfData, BufferSize);

    }

 

    // Get the first object type.

    PerfObj = FirstObject(PerfData);

    // Process all objects.

    for(i=0; i < PerfData->NumObjectTypes; i++)

    {

        // Display the object by index and name.

        printf("\nObject %ld: %s\n", PerfObj->ObjectNameTitleIndex, lpNamesArray[PerfObj->ObjectNameTitleIndex]);

        // Get the first counter.

        PerfCntr = FirstCounter(PerfObj);

        if(PerfObj->NumInstances > 0)

        {

            // Get the first instance.

            PerfInst = FirstInstance(PerfObj);

            // Retrieve all instances.

            for(k=0; k < PerfObj->NumInstances; k++)

            {

                // Display the instance by name.

                printf("\n\tInstance %S: \n", (char *)((PBYTE)PerfInst + PerfInst->NameOffset));

                CurCntr = PerfCntr;

                // Retrieve all counters.

                for(j=0; j < PerfObj->NumCounters; j++)

                {

                 // Display the counter by index and name.

                 printf("\t\tCounter %ld: %s\n", CurCntr->CounterNameTitleIndex, lpNamesArray[CurCntr->CounterNameTitleIndex]);

                 // Get the next counter.

                 CurCntr = NextCounter(CurCntr);

                }

                // Get the next instance.

                PerfInst = NextInstance(PerfInst);

            }

        }

        else

        {

            // Get the counter block.

            PtrToCntr = (PPERF_COUNTER_BLOCK)((PBYTE)PerfObj + PerfObj->DefinitionLength);

            // Retrieve all counters.

            for(j=0; j < PerfObj->NumCounters; j++)

            {

                // Display the counter by index and name.

                printf("\tCounter %ld: %s\n", PerfCntr->CounterNameTitleIndex,

                    lpNamesArray[PerfCntr->CounterNameTitleIndex]);

                // Get the next counter.

                PerfCntr = NextCounter(PerfCntr);

            }

        }

        // Get the next object type.

        PerfObj = NextObject(PerfObj);

    }

    // Release all the memory back to system...

    free(lpNamesArray);

    free(lpNameStrings);

    free(PerfData);

    return TRUE;

}

A sample output:

RegOpenKeyEx() is OK.

RegQueryValueEx() is OK.

RegOpenKeyEx() is OK.

RegQueryInfoKey() is OK.

Memory allocated for lpNameStrings.

RegQueryValueEx() is OK.

Please wait...

 

Object 2908: .NET CLR Data

        Counter 2910: SqlClient: Current # pooled and nonpooled connections

        Counter 2912: SqlClient: Current # pooled connections

        Counter 2914: SqlClient: Current # connection pools

        Counter 2916: SqlClient: Peak # pooled connections

        Counter 2918: SqlClient: Total # failed connects

        Counter 2920: SqlClient: Total # failed commands

Object 2922: .NET CLR Networking

        Counter 2924: Connections Established

        Counter 2926: Bytes Received

        Counter 2928: Bytes Sent

        Counter 2930: Datagrams Received

        Counter 2932: Datagrams Sent

 

Object 2934: .NET CLR Memory

 

        Instance _Global_:

                Counter 2936: # Gen 0 Collections

                Counter 2938: # Gen 1 Collections

                Counter 2940: # Gen 2 Collections

                Counter 2942: Promoted Memory from Gen 0

...

...

...

[trimmed]

 

Windows Registry and Automatic Program Running

 

In general, there are seven Run (this Run term used here as a general term) keys in the registry that cause programs to be run automatically as listed below:

  1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

  4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

  5. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

  6. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ RunServicesOnce

  7. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ RunOnce\Setup

 

Keys 1 through 7 apply to Windows 95, Windows 98, Windows 98 Second Edition, and Windows Millennium Edition (Me).  Keys 1 through 4 also apply to Windows NT 4.0 and Windows 2000. For Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0 SP3 or later, and Windows 2000, an additional rule is available; for keys 3 and 4, the value name can be prefixed with an asterisk (*) to force the program to run even in Safe mode.  Keys 1 through 4 are run each time a new user logs in.  Keys 5 and 6 are run in the background when the logon dialog box first appears or at this stage of the boot process if there is no logon.  These keys are for background services such as remote registry service and are run only once per boot.  Key 7 is run as part of Setup's first-boot activities, or after you use the Add/Remove Programs Wizard.  Under each of these keys is a series of values.  The values are used to allow multiple subentries to exist without overwriting one another.  The data value for a value is a command line.  By default, Run keys are ignored in Safe mode.  For keys 3 and 4, the value name can be prefixed with an exclamation point (!) to defer deletion of the value until after the command has been completed.  For keys 3, 4, and 6, the value is deleted before the command line is run unless overridden as noted above.  As a result, if a RunOnce operation fails to run properly, the component that failed will not be asked to run again the next time you start the computer.  Key 7 is used only by Setup.  This key displays the progress dialog box as the keys are run one at a time.  For key 7, the name of the value is the name that is displayed in the dialog box.

 

Windows Registry and Automatic Program Startup Sequence

 

Registry keys settings normally done during the programs installation (Setup).  Many programs that you install are automatically run when you start your computer and load Windows.  Unfortunately, there are programs that are not legitimate such as spyware, hijackers, trojans, bots, worms and viruses that load in this manner as well.  Many malware scanner programs try to search the Registry keys and folders where these programs will start automatically during the boot process and Windows loading. Windows’s Msconfig.exe, can be used to list programs that are automatically started from some of these locations unfortunately, it only lists programs from a limited amount of startup keys.  In the following section there are the various list of registry keys, values and files under certain folders that can be used to start a program when Windows boots.  The keys have been arranged in the order they load whenever possible.  Keep in mind, that some of the keys are set to load at the same time (asynchronous), so it is possible that the order will change on each boot up.  These keys generally apply to Windows 95, 98, ME, NT, XP, and 2000 except whenever mentioned.

 

<Turning on the computer>

 

The keys start in the following order as Windows loads:

 

RunServicesOnce key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

This key is designed to start services when a computer boots up.  These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce registry can start loading its programs.

 

RunServices key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

This key is designed to start services as well.  These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce registry can start loading its programs.

 

<Logon dialog box is displayed on the screen>

 

After a user logs in the rest of the keys continue loading.  The RunServicesOnce and RunServices keys are loaded before the user logs into Windows 95, Windows 98, and Windows Me.  Because these two keys run asynchronously with the Logon dialog box, they can continue to run after the user has logged on.  However, since HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce must load synchronously, its entries will not begin loading until after the RunServicesOnce and RunServices keys have finished loading.

 

RunOnce/RunOnceEx key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

These keys are designed to be used primarily by Setup programs.  Entries in these keys are started once and then are deleted from the key.  If there is an exclamation point (!) preceding the value of the key, the entry will not be deleted until after the program completes, otherwise it will be deleted before the program runs.  This is important, because if the exclamation point is not used, and the program referenced in this key fails to complete, it will not run again as it will have already been deleted.  All entries in this key are started synchronously in an undefined order.  Due to this, all programs in this key must be finished before any entries in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run,

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce, and Startup Folders,

can be loaded.  The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.  The RunOnce keys are not supported by Windows NT 3.51.

 

Run key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

These are the most common startup locations for programs to install auto start from.  By default these keys are not executed in Safe mode.  If you prefix the value of these keys with an asterisk (*), it is forced to run in Safe Mode.

 

All Users Startup Folder:

 

For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.  It is generally can be found at:

 

Windows XP

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Windows NT

C:\Winnt\Profiles\All Users\Start Menu\Programs\Startup

Windows 2000

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

 

User Profile Startup Folder:

 

This folder will be executed for the particular user who logs in.  This folder is usually can be found in:

 

Win 9X, ME

C:\windows\start menu\programs\startup

Windows XP

C:\Documents and Settings\LoginName\Start Menu\Programs\Startup

 

RunOnce Current User Key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

This key is designed to be used primarily by Setup programs.  Entries in these keys are started once and then are deleted from the key.  If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes, otherwise it will be deleted before the program runs.  This is important, because if the exclamation point is not use, and the program referenced in this key fails to complete, it will not run again as it will have already been deleted.  The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.  The RunOnce keys are not supported by Windows NT 3.51.

 

Explorer Run:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

These keys are generally used to load programs as part of a policy set in place on the computer or user if any.

 

UserInit value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

This key specifies what program should be launched right after a user logs into Windows.  The default program for this key is C:\windows\system32\userinit.exe Userinit.exe is a program that restores your profile, fonts, colors, etc for your username.  It is possible to add further programs that will launch from this key by separating the programs with a comma.  For example:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit =C:\windows\system32\userinit.exe,c:\windows\system32\otherbadprogram.exe,

This will make both programs launch when you log in and is a common place for trojans, hijackers, and spyware to launch from.

 

Load value:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

This key is not commonly used anymore, but can be used to auto start programs.

 

Notify key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

This key is used to add a program that will run when a particular event occurs.  Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.  When Winlogon.exe generates an event such as mentioned above, Windows will look in the Notify registry key for a DLL that will handle this event.  Malware has been known to use this method to load itself when a user logs on to their computer.  Loading in such a way allows the malware program to load in such a way that it is not easy to stop.

 

AppInit_DLLs value:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

This value corresponds to files being loaded through the AppInit_DLLs Registry value.  The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.  As most Windows executables use the user32.dll, which means that any DLL that is listed in the AppInit_DLLs registry key will be loaded also.  This makes it very difficult to remove the DLL as it will be loaded within multiple processes, some of which can not be stopped without causing system instability.  The user32.dll file is also used by processes that are automatically started by the system when you log on.  This means that the files loaded in the AppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before we have access to the system.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

ShellServiceObjectDelayLoad key:  This Registry contains values in a similar way as the Run key does.  The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information about the particular DLL file that is being used.  The files under this key are loaded automatically by Explorer.exe when your computer starts.  Because Explorer.exe is the shell for your computer, it will always start, thus always loading the files under this key.  These files are therefore loaded early in the startup process before any human intervention occurs.

Note:  CLSID Key - A CLSID is a globally unique identifier that identifies a COM class object.  If your server or container allows linking to its embedded objects, then you need to register a CLSID for each supported class of objects.  The Registry entry is:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID =

SharedTaskScheduler key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

This section corresponds to files being loaded through the SharedTaskScheduler registry value for XP, NT, 2000 machines.  The entries in this registry run automatically when you start windows.

 

Other Files:

 

Other files that programs can use to autostart during the bootup, generally used by older Windows OSes such as Win 95 and Win 98 that may still functional in some of the newer Windows OSes are listed in the following (the default %SystemRoot% normally C:\Windows or C:\WINNT):

  1. C:\autoexec.bat

  2. C:\config.sys

  3. %SystemRoot%\wininit.ini - Usually used by setup programs to have a file run once and then get deleted.

  4. %SystemRoot%\winstart.bat

  5. %SystemRoot%\win.ini - [windows] "load=..."

  6. %SystemRoot%\win.ini - [windows] "run=..."

  7. %SystemRoot%\system.ini - [boot] "shell=..."

  8. %SystemRoot%\system.ini - [boot] "scrnsave.exe"

  9. %SystemRoot%\dosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

  10. %SystemRoot%\system\autoexec.nt

  11. %SystemRoot%\system\config.nt

 

Well, a lot of location that can be used to start our program automatically and unfortunately these locations also shared by a lot of malware, viruses and worms :o).

 

Windows XP

 

The following information is specific to Windows XP.  Its registry includes the following four Run keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Each of these keys has a series of values.  The values allow multiple entries to exist without overwriting one another.  The data value for a value is a command line.  There are some special considerations for the third and fourth keys in the list, the RunOnce keys:

If more than one program is registered under any particular key, the order in which those programs are run is indeterminate.  A program run from any of these keys should not write to the key during its execution.  Doing so will interfere with the execution of other programs registered under the key.  Furthermore, applications should use the RunOnce keys only for transient conditions (such as to complete application setup); an application must not continually re-create entries under RunOnce.  Doing so will interfere with Windows Setup.

Windows XP has two separate Run policies:

 

  1. Run at Startup.
  2. Legacy Run at Startup.

 

The items that you added to the Items to run at logon list through the Group Policy, start automatically the next time that you log on to Windows on your computer.  A list of these items is located in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

The legacy programs that are configured to start when you log on to your computer are listed in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Many third-party programs, such as Adobe, can be included in this category.  You can either enable or disable the legacy run list.  You cannot modify it directly from within the Group Policy snap-in. The RunOnceEx key has the following features:

 

--------------------------- Windows Registry: Examples and Exploits, Part II-----------------------

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Further reading and digging:

 

  1. Notation used in MSDN is Hungarian Notation instead of CamelCase and is discussed Windows programming notations.
  2. Windows data type information is in Windows data types used in Win32 programming.
  3. Check the best selling C, C++ and Windows books at Amazon.com.
  4. Microsoft Visual C++, online MSDN.
  5. MSDN library.
  6. For Multibytes, Unicode characters and Localization please refer to Locale, wide characters & Unicode (Story) and Windows users & groups programming tutorials (Implementation).
  7. Structure, enum, union and typedef story can be found C/C++ struct, enum, union & typedef.

 

 

 

 

 

 

 

|< Windows Registry Tutorial 3 | Main | Windows Share Programming 1 >| Site Index | Download | Disclaimer | Privacy |


2003-2010 © Tenouk. All rights reserved.