
Locations a trojan commonly modifies so that it starts at boot

Reorganized from the output of Sysinternals Autoruns

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml



-----------------------------------------------------------------------------

Windows 98/ME (Chinese edition)

%windir%\All Users\Start Menu\Programs\啟動
%windir%\Start Menu\Programs\啟動
%windir%\Tasks
%windir%\win.ini

NT4 (Chinese edition)

%USERPROFILE%\..\All Users\「開始」功能表\程式集\啟動 (NT4 has no %ALLUSERSPROFILE%)
%USERPROFILE%\「開始」功能表\程式集\啟動
%windir%\Tasks

Windows NT4/2000/XP/2003 (Chinese edition)

%ALLUSERSPROFILE%\「開始」功能表\程式集\啟動
%USERPROFILE%\「開始」功能表\程式集\啟動
%windir%\Tasks


HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\MICROSOFT\Windows\CURRENTVERSION\Run (Win2003 only)
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\MICROSOFT\Windows\CURRENTVERSION\Runonce (Win2003 only)
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\MICROSOFT\Windows\CURRENTVERSION\RunonceEx (Win2003 only)
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices (Win98/ME only)
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (Win98/ME only)
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\MICROSOFT\Windows\CURRENTVERSION\Run (Win2003 only)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\MICROSOFT\Windows\CURRENTVERSION\Runonce (Win2003 only)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServer\Install\Software\MICROSOFT\Windows\CURRENTVERSION\RunonceEx (Win2003 only)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup (Win2003 only)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (not on Win98/ME)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms (Win2003 only)
HKLM\System\CurrentControlSet\Services (not on Win98/ME)