windows regidtry question

[celticfan11]

I found that MSCONFIG wont remove everything from startup. Programs can still hide in the registry and startup when your pc loads. All the registry keys are below. What i want to know is there a way to copy and paste those strings somewhere and it will bring me directly to that place, so i dont have to manually goto those locations all the time? Or if there is a program that will do that. Thanks in advance.


Here is the list of all Registry spots that could potentially load applications on Windows startup (you may or may not find them on your computer, depending on version of Windows you have):All of these willnot be found in MSCONFIG

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

 

[celticfan11]

seems i made a typo on the topic of this post

 

[Zaphod1620]

I don't know of a way to "jump" to a spot in the registry. I think they purposely make it difficult to navigate through the registry to scare off novices from mucking about in there. However, if you are attempting to slim down your startup processes, you can check the services on your machine, by running "services.msc" This will show ALL the services, and when and if they start up on your machine. A great guide for tweaking these are here.-Zaphod

 

[celticfan11]

not looking to slim my services. I am thinking about spyware/viruses. When they imbed them selves into the OS and MSCONFIG wont pick it up. Sometimes they hide in the registry startup places described above. its just annoying to manually goto each string. I am all about shortcuts

 

[NetRyder]

Use the Favorites menu built into regedit. First go to the key you want, and select Favorites>Add to Favorites. Do that for all of the above keys, and they'll be stored so that you can get to them quickly next time.

 

[fimchick]

AdAware in combination with Spybot can crawl your registry (deep registry scan) and clear out everything for you.

 

[celticfan11]

thanks netryder

 

[NetRyder]

thanks netryder

Not a problem. I have quite a few common locations stored that way. Very convenient.

 

[hawedi]

Use a vbs-script like this, replace strKeyPath as you need. Save the file for example as runs.vbs. Multiple vbs-files you may merge to a batch-file or other.

Const HKEY_LOCAL_MACHINE = &H80000002
Const REG_SZ = 1
Const REG_EXPAND_SZ = 2
Const REG_BINARY = 3
Const REG_DWORD = 4
Const REG_MULTI_SZ = 7

strComputer = "."

Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
strComputer & "\root\default:StdRegProv")

strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Run"

oReg.EnumValues HKEY_LOCAL_MACHINE, strKeyPath, _
arrValueNames, arrValueTypes

For i=0 To UBound(arrValueNames)
Wscript.Echo "Value Name: " & arrValueNames(i)
Next

Sorry, it´s half past eleven pm CET, therefore my English drops down

 

[NetRyder]

Very nice, hawedi.

 

[celticfan11]

never wrote or did anything with VB scripts... i understand batch files..not vb scripts...

 

[j79zlr]

There are more startup locations than that. Some of the more crafty spyware programmers exploit them, here's a comprehensive list: http://www.bleepingcomputer.com/forums/index.php?showtutorial=44

 

[Steevo]

Good find J. I didn't realise that the notify key could be used.

 

[Admiral Michael]

There are more startup locations than that. Some of the more crafty spyware programmers exploit them, here's a comprehensive list: http://www.bleepingcomputer.com/forums/index.php?showtutorial=44

wow thats alot of areas to check. Would have been easier ois MS would have stuck to the HKLM Run and HKLU Run areas as wel as the stertup folder. The ones Startup Control Panel look at.

 

[Mainframeguy]

never wrote or did anything with VB scripts... i understand batch files..not vb scripts...

then a good time to learn a little more?

 

[hawedi]

celticfan11 wrote :

never wrote or did anything with VB scripts... i understand batch files..not vb scripts...

Well, I believe there is no CMD-Batch-Command to analyse the windows registry. But the link posted by j79zlr refers to http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
The autorunstool especially autorunsc.exe, the command-line version of autoruns is a good basic approach.

I extracted this file (autorunsc.exe) from the downloaded zip-file to a new folder (for example I:\tools\autoruns in my way)

Next I build this batch - named compare.bat in the same folder :

@echo off
if not exist log.old goto :firstrun
copy /y log.new log.old > nul
autorunsc > log.new
fc log.old log.new > nul
goto answer%errorlevel%

:answer1
echo.
echo.
echo ***** ATTENTION ***** YOU HAVE NEW ENTRIES *****
echo.
pause

:answer0
goto :the_end

:firstrun
autorunsc > log.old
echo.
echo.
echo ***** MAYBE YOU RUN THIS FOR THE FIRST TIME ***** PLEASE RETRY LATER *****
echo.

:the_end
exit

I started compare.bat to create the initial level and then I added the location of my batch-file
first to one of this auto-run locations and at last to autostart - folder.

Running my compare.bat again and the batch notified me that there was an alternation.

Now I deleted the entry of my virus-av-guard using the (same, but GUI - ) tool autoruns and restarted my computer.
Perfect - it advised me about this change in the registry. O.K. - it is not the fastest way and expanding with the using syntax of autorunsc.exe it will become particularly slow.

But the main thing for my study was : less tools as possible !

 

[Tweakfiend]

www.by-users.co.uk/faqs/security/start-up-monitor/

Try Startup monitor... does exaclty that... looks in "Run/Run Once " entries etc in Registry.