Monday, January 3, 2011
[Weak Current College] Summary of Windows startup methods
First, the simplest way to view the startup items: [Start] - [Run] - type "msconfig" (without the quotation marks) - press Enter - select the [Startup] tab, and the startup items can be viewed.
1. The Startup folder:
Start - Programs - Startup; applications or shortcuts added here are launched.
This is the most common and simplest startup method in Windows. If you want some file to run at boot, you can drag it into this folder or create a shortcut to it there. Viruses nowadays rarely use this startup method; only a few do.
2. The second startup folder:
This one is easily overlooked. It works exactly the same way as the first startup folder: find this directory and drag the file you want to start into it.
Path:
C:\Documents and Settings\User\Start Menu\Programs\Startup
3. Startup via system configuration files:
Many people are unfamiliar with the system configuration files, yet many viruses start in this manner.
1) WIN.INI startup:
Startup location (xxx.exe is the name of the file you want to start):
[windows]
load=xxx.exe [this file will run in the background]
run=xxx.exe [this file will run in the normal way]
2) SYSTEM.INI startup:
Startup location (xxx.exe is the name of the file you want to start):
The default is:
[boot]
Shell=Explorer.exe [Explorer.exe is the Windows program manager, i.e. Windows Explorer; this is normal]
You can change it to start your file:
[boot]
Shell=Explorer.exe xxx.exe [many viruses now use this startup method: starting alongside Explorer, it is well hidden]
Note: SYSTEM.INI differs from WIN.INI: only the one file that SYSTEM.INI specifies as the shell is started, so do not change Shell=Explorer.exe xxx.exe to Shell=xxx.exe; that will make Windows crash!
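The two INI entries above (and the SCRNSAVE.EXE= line of SYSTEM.INI described later under the screensaver startup mode) are plain INI text, so they can be audited with a few lines of Python. The following is an added example, not code from the original post: it reads WIN.INI and SYSTEM.INI contents, reports any non-empty load=/run= entry, flags a Shell= line whose first program is not Explorer.exe or that has extra programs appended, and checks where the screen saver lives. The sample file contents and the list of trusted system directories are constructed assumptions.

```python
# Added example (not from the original post): audit the WIN.INI [windows]
# load=/run= entries and the SYSTEM.INI [boot] shell=/scrnsave.exe= entries
# that the post describes. Both files are plain INI text, so Python's
# configparser can read them; the sample contents below are constructed.
import configparser
import ntpath


def parse_ini(text):
    # interpolation=None: values such as %SystemRoot% must be left alone.
    # strict=False: real WIN.INI/SYSTEM.INI files repeat option names.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_win_ini(text):
    """Return (section, key, value, reason) for non-empty load=/run= entries."""
    cp = parse_ini(text)
    findings = []
    for key in ("load", "run"):
        value = cp.get("windows", key, fallback="").strip()
        if value:
            findings.append(("windows", key, value,
                             f"{key}= launches a program at startup; normally empty"))
    return findings


def audit_system_ini(text, system_dirs=("c:\\windows\\system32", "c:\\windows\\system")):
    """Check shell= for a replaced or extended shell and scrnsave.exe= for an
    odd location. system_dirs is an assumed list of trusted folders."""
    cp = parse_ini(text)
    findings = []
    shell = cp.get("boot", "shell", fallback="Explorer.exe").strip()
    # The 9x-era shell line is whitespace separated: "Explorer.exe xxx.exe"
    programs = shell.split()
    if not programs or ntpath.basename(programs[0]).lower() != "explorer.exe":
        findings.append(("boot", "shell", shell,
                         "shell replaced: first program is not Explorer.exe"))
    if len(programs) > 1:
        findings.append(("boot", "shell", shell,
                         "extra program(s) appended after Explorer.exe: "
                         + " ".join(programs[1:])))
    saver = cp.get("boot", "scrnsave.exe", fallback="").strip()
    if saver:
        folder = ntpath.dirname(saver).lower().rstrip("\\")
        if folder not in system_dirs:
            findings.append(("boot", "scrnsave.exe", saver,
                             "screen saver outside the system directories"))
    return findings


# Constructed sample files: WIN.INI with a run= entry and SYSTEM.INI with a
# second program chained after Explorer.exe, as described in the post.
SAMPLE_WIN_INI = """
[windows]
load=
run=C:\\WINDOWS\\TEMP\\xxx.exe
[Desktop]
Wallpaper=(None)
"""

SAMPLE_SYSTEM_INI = """
[boot]
shell=Explorer.exe xxx.exe
scrnsave.exe=C:\\WINDOWS\\SYSTEM32\\logon.scr
[386Enh]
device=*vmm32
"""

if __name__ == "__main__":
    for finding in audit_win_ini(SAMPLE_WIN_INI) + audit_system_ini(SAMPLE_SYSTEM_INI):
        print(finding)
```

On a real machine you would read the two files from the Windows directory and feed their text to the two audit functions; the only entries reported are the ones the post singles out, so a clean 9x-era system produces no findings at all.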
3) WININIT.INI startup:
WinInit stands for Windows Setup Initialization Utility (in Chinese, the Windows installation initialization tool).
Windows runs it before the system is fully loaded, so that some commands, including copying, deleting and renaming, can be performed before the system starts, to complete the update of files.
File format:
[rename]
xxx1=xxx2
This means copying file xxx2 to the file name xxx1, which is equivalent to overwriting file xxx1.
To delete a file, use the following command:
[rename]
nul=xxx2
The file names above must contain the full path.
4) WINSTART.BAT startup:
This is a system startup batch file, used mainly to copy and delete files, for example to clean up residue that some software leaves in the system after it is uninstalled.
For example:
@if exist C:\WINDOWS\TEMP\xxxx.BAT call C:\WINDOWS\TEMP\xxxx.BAT
This means: execute the xxxx.BAT file.
5) USERINIT.INI startup [added 2/2]:
Some viruses use this as a startup method; it works the same way as SYSTEM.INI.
6) AUTOEXEC.BAT startup:
This is a common startup. A virus can make AUTOEXEC.BAT perform some actions by placing malicious code in it, such as format c: /y and the like.
4. Registry startup:
Starting through the registry is the most frequently used kind of startup in Windows.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\System\ControlSet001\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
HKLM\SOFTWARE\Classes\Protocols\Filter
HKLM\SOFTWARE\Classes\Protocols\Handler
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKLM\Software\Classes\Folder\ShellEx\ColumnHandlers
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Microsoft\Internet Explorer\Extensions
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKCU\Control Panel\Desktop\Scrnsave.exe
HKLM\System\CurrentControlSet\Services\WinSock\Parameters\Protocol_Catalog9
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
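The list above is long, and in practice a defender reviews it by exporting the keys and reading the values rather than by clicking through regedit. The following is an added example, not code from the original post: it parses the text that `reg export` writes (the `[key]` / `"name"="data"` format), then triages the Run, RunOnce, RunOnceEx, RunServices and RunServicesOnce keys and the Winlogon Shell and Userinit values listed above, reporting any autostart image that lives outside the Windows or Program Files directories and any Userinit value with a second program chained after userinit.exe. The export text, the trusted directory list and the environment values are constructed assumptions.

```python
# Added example (not from the original post): parse the text that
# "reg export" writes for the Run/RunOnce family and the Winlogon key listed
# above, and flag entries a defender would look at first. Key names are the
# ones on the page; the export below is constructed sample data, and the
# trusted directories and environment values are assumptions.
import ntpath
import re

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            rhs = m.group(2)
            if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", rhs[1:-1])   # undo the \\ and \" escapes
            else:
                data = rhs                                  # dword:/hex: data left raw
            keys[current][name] = data
    return keys


def command_image(cmd):
    """Program path from a Run-style command line: "quoted path" args | path args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def expand(path, env):
    """Expand %VAR% references using the assumed environment mapping."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


RUN_SUFFIXES = ("\\run", "\\runonce", "\\runonceex", "\\runservices", "\\runservicesonce")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
ENV = {"windir": "C:\\Windows", "systemroot": "C:\\Windows"}


def triage(keys, env=ENV, trusted=TRUSTED_DIRS):
    """Return (key, value_name, data, reason) for suspicious autostart entries."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(RUN_SUFFIXES):
            for name, cmd in values.items():
                image = expand(command_image(cmd), env).lower()
                if not image.startswith(trusted):
                    findings.append((key, name, cmd, "autostart image outside Windows/Program Files"))
        elif k.endswith("\\winlogon"):
            shell = values.get("Shell", "explorer.exe").strip()
            if shell.lower() != "explorer.exe":
                findings.append((key, "Shell", shell, "Shell is not exactly explorer.exe"))
            userinit = values.get("Userinit", "")
            parts = [p.strip() for p in userinit.split(",") if p.strip()]
            if parts and (len(parts) != 1 or ntpath.basename(parts[0]).lower() != "userinit.exe"):
                findings.append((key, "Userinit", userinit, "extra program chained after userinit.exe"))
    return findings


# Constructed sample export: one benign Run entry, two entries launching from
# user-writable folders, and a Userinit value with a second program appended.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tray"="%windir%\\system32\\example_tray.exe"
"Updater"="\"C:\\Users\\Public\\update.exe\" -silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\helper.exe"
'''

if __name__ == "__main__":
    for finding in triage(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

The location test is deliberately coarse: a program started from a user profile or Temp folder is not necessarily malicious, but it is the entry to examine first, which is the same triage order a tool like Autoruns encourages. Extending `triage` to the remaining keys in the list (BootExecute, AppInit_DLLs, the LSA package values) follows the same pattern: parse the value, resolve the image it names, and compare against what a clean system carries.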
5. Other startup modes:
(1) Startup via C:\Explorer.exe:
Very few people know this startup method.
In Win9X, SYSTEM.INI specifies the shell only by the file name Explorer.exe, without an absolute path, so Win9X searches for the Explorer.exe file.
The search order is as follows:
(1) Search the current directory.
(2) If Explorer.exe is not found there, use the relative path given by [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive\Path].
(3) If the file is still not found, use the relative path given by [HKEY_CURRENT_USER\Environment\Path].
The values of [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive\Path] and [HKEY_CURRENT_USER\Environment\Path] are "%SystemRoot%\System32;%SystemRoot%" and null respectively.
Therefore, since the "current directory" at system startup is certainly %SystemDrive% (the system drive), the system's search order for Explorer.EXE should be:
(1) %SystemDrive% (for example C:\)
(2) %SystemRoot%\System32 (for example C:\WINNT\SYSTEM32)
(3) %SystemRoot% (for example C:\WINNT)
At this point, if a file named Explorer.EXE is placed in the root directory of the system drive, the system will automatically start that Explorer.exe in the root directory each time it boots, instead of the Explorer.exe in the Windows directory.
In the Windows NT series, Windows NT/Windows 2000 pay more attention to how the Explorer.exe file name is located: the name of the file used as the shell (Explorer.exe) at system startup is specified in
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell], while Windows 2000 SP2 changed this behaviour.
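The search order above is easy to check mechanically: list the candidate paths in order and see which one exists first. The following is an added example, not code from the original post: it reproduces the three-step order the post gives for %SystemDrive%, %SystemRoot%\System32 and %SystemRoot%, returns the copy that would be started, and lists every copy that shadows the real one in %SystemRoot%. The file lists are constructed; on a live system you would build them from os.path.exists on each candidate.

```python
# Added example (not from the original post): reproduce the Explorer.exe
# search order the post gives and report which copy would be started and
# whether any copy shadows the one in %SystemRoot%. The file lists are
# constructed; on a live system you would build them with os.path.exists.
import ntpath


def explorer_search_order(system_drive="C:", system_root="C:\\WINNT"):
    """Candidate paths in search order: %SystemDrive%\\, %SystemRoot%\\System32, %SystemRoot%."""
    return [
        ntpath.join(system_drive + "\\", "Explorer.exe"),
        ntpath.join(system_root, "System32", "Explorer.exe"),
        ntpath.join(system_root, "Explorer.exe"),
    ]


def resolve_shell(existing_files, system_drive="C:", system_root="C:\\WINNT"):
    """Return (chosen_path, shadowing_copies): the first candidate that exists,
    and every existing candidate other than the %SystemRoot% copy."""
    present = {p.lower() for p in existing_files}
    expected = ntpath.join(system_root, "Explorer.exe").lower()
    chosen, shadowing = None, []
    for candidate in explorer_search_order(system_drive, system_root):
        if candidate.lower() not in present:
            continue
        if chosen is None:
            chosen = candidate
        if candidate.lower() != expected:
            shadowing.append(candidate)
    return chosen, shadowing


# Constructed file lists: a clean system and one with a copy at the root.
CLEAN_FILES = ["C:\\WINNT\\Explorer.exe", "C:\\WINNT\\System32\\notepad.exe"]
ROOT_COPY_FILES = ["C:\\Explorer.exe", "C:\\WINNT\\Explorer.exe"]

if __name__ == "__main__":
    print(resolve_shell(CLEAN_FILES))      # ('C:\\WINNT\\Explorer.exe', [])
    print(resolve_shell(ROOT_COPY_FILES))  # ('C:\\Explorer.exe', ['C:\\Explorer.exe'])
```

A non-empty `shadowing` list is the condition to alert on: any Explorer.exe at the drive root or in System32 is started ahead of the genuine shell.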
(2) Screensaver startup mode:
A Windows screen saver is a *.scr file, which is an executable PE file. If a screen saver *.scr is renamed to *.exe, the program still runs; similarly, a *.exe file renamed to *.scr still runs.
The path of the file is saved in SYSTEM.INI under the SCRNSAVE.EXE= entry, for example: SCRNSAVE.EXE=%system32%\xxxx.scr
This startup method carries a certain risk.
(3) Scheduled task startup method:
The Windows scheduled task function starts a program at a specified time. This startup method is quite well hidden.
[Start] - [Programs] - [Accessories] - [System Tools] - [Scheduled Tasks], then follow the steps in order.
(4) AutoRun.inf startup:
Autorun.inf is the file that is read when a disc is loaded; the CD/CD-ROM drive uses the file's contents to decide whether to open the content on the disc.
Autorun.inf content is often:
[AUTORUN]
OPEN=filename.exe
ICON=iconfile.ico
1. If a Trojan horse is named xxx.exe, then Autorun.inf can be:
OPEN=Windows\xxx.exe
ICON=xxx.exe
Then, each time you double-click drive C, the Trojan xxx.exe is run.
2. If Autorun.inf is in the root directory of drive C with the contents:
OPEN=D:\xxx.exe
ICON=xxx.exe
Then double-clicking drive C runs xxx.exe on drive D.
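Both cases above come down to reading the [AUTORUN] section and resolving OPEN= against the root of the volume that holds the file. The following is an added example, not code from the original post: it parses an Autorun.inf, reports an OPEN= entry found on a fixed drive (where double-clicking the drive would run it), reports an OPEN= target on a different volume, and reports an ICON= that points at an executable instead of an .ico file. The sample files are constructed from the two cases in the post plus a CD for comparison.

```python
# Added example (not from the original post): parse an Autorun.inf and
# report what double-clicking the volume would run. Samples are constructed
# from the two cases the post describes; the volume letter is a parameter.
import configparser
import ntpath

EXECUTABLE_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def parse_autorun(text):
    """Return the [autorun] section as a lower-cased dict (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k: (v or "").strip() for k, v in cp.items(section)}


def audit_autorun(text, volume="C:", removable_media=False):
    """Return (entry, value, reason) findings for an Autorun.inf at the volume root."""
    entries = parse_autorun(text)
    findings = []
    open_cmd = entries.get("open", "")
    if open_cmd:
        target = open_cmd.split()[0].strip('"')
        # A relative target resolves against the root of the volume holding the file.
        resolved = target if ntpath.splitdrive(target)[0] else ntpath.join(volume + "\\", target)
        if ntpath.splitdrive(resolved)[0].lower() != volume.lower():
            findings.append(("open", open_cmd, "program lives on another volume: " + resolved))
        if not removable_media:
            findings.append(("open", open_cmd,
                             "Autorun.inf on a fixed drive: opening the drive runs " + resolved))
    icon = entries.get("icon", "")
    if icon and ntpath.splitext(icon.split(",")[0])[1].lower() in EXECUTABLE_EXTS:
        findings.append(("icon", icon, "icon taken from an executable rather than an .ico file"))
    return findings


# Constructed samples: the two hard-disk cases from the post and a CD.
AUTORUN_LOCAL = "[AUTORUN]\nOPEN=Windows\\xxx.exe\nICON=xxx.exe\n"
AUTORUN_OTHER_DRIVE = "[AUTORUN]\nOPEN=D:\\xxx.exe\nICON=xxx.exe\n"
AUTORUN_CD = "[autorun]\nopen=setup.exe\nicon=setup.ico\n"

if __name__ == "__main__":
    for sample in (AUTORUN_LOCAL, AUTORUN_OTHER_DRIVE):
        print(audit_autorun(sample, volume="C:"))
    print(audit_autorun(AUTORUN_CD, volume="E:", removable_media=True))
```

The `removable_media` flag captures the distinction the post draws: an OPEN= line is what a CD is supposed to carry, while the same line in the root of a hard disk is a startup trick, so the check is only silent for removable media.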
(5) Startup by changing the extension:
Change the extension (*.exe).
For example, a *.exe file can be renamed with a *.bat or *.scr extension and will still start.
6. VxD virtual device driver startup mode:
Applications dynamically load VxD virtual device drivers and thereby gain control of the Windows 9X system (VxD virtual device drivers apply only to Windows 95/98/Me).
They can be used, for example, to manage hardware devices, installed software and other system resources from 32-bit executables, so that several applications can share these resources.
7. Service startup modes:
[Start] - [Run] - type "services.msc" (without quotation marks) to open the Services console.
In a service's "Startup type" option you can set its startup mode: automatic (run when the system starts), manual, or disabled; a service can also be paused (it still starts after a restart).
Registry location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
Programs started through a service run in the background; for example, the domestic Trojan "Grey Pigeon" uses this startup mode to start itself and steal user information.
8. Driver startup mode:
Some viruses masquerade as hardware drivers in order to get started.
1. System drivers [refers to the standard drivers that come with the operating system]
2. Hardware drivers [refers to the standard drivers that come with the hardware]
3. The virus's own fake driver [refers to the virus disguising itself as a standard driver in order to start]
Supplement of 06/3/11 [from peter_yu]:
windir\Start Menu\Programs\Startup\
User\Startup\
All Users\Startup\
windir\system\iosubsys\
windir\system\vmm32\
windir\Tasks\
c:\explorer.exe
c:\autoexec.bat
c:\config.sys
windir\wininit.ini
windir\winstart.bat
windir\win.ini - [windows] "load"
windir\win.ini - [windows] "run"
windir\system.ini - [boot] "shell"
windir\system.ini - [boot] "scrnsave.exe"
windir\dosstart.bat
windir\system\autoexec.nt
windir\system\config.nt
Folder.htt
desktop.ini
C:\Documents and Settings\superman\Application Data\Microsoft\Internet Explorer\Desktop.htt