# Форум на русском языке  > Угрозы информационной безопасности  > Сетевые атаки  >  Список ключей автозапуска

## Geser

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr  entVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr  entVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr  entVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr  entVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr  entVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AppInit
Shell
UserInit
System
VMApplet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr  entVersion\Run\
All values in this key are executed. 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr  entVersion\RunOnce\
All values in this key are executed, and then their autostart reference is deleted. 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr  entVersion\RunServices\
All values in this key are executed as services. 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr  entVersion\RunServicesOnce\
All values in this key are executed as services, and then their autostart reference is deleted. 

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre  ntVersion\Run\
All values in this key are executed. 

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre  ntVersion\RunOnce\
All values in this key are executed, and then their autostart reference is deleted. 

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre  ntVersion\RunOnce\Setup\
Used only by Setup. Displays a progress dialog box as the keys are run one at a time. 

HKEY_USERS\.Default\Software\Microsoft\Windows\Cur  rentVersion\Run\
Similar to the Run key from HKEY_CURRENT_USER. 

HKEY_USERS\.Default\Software\Microsoft\Windows\Cur  rentVersion\RunOnce\
Similar to the RunOnce key from HKEY_CURRENT_USER. 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The "Shell" value is monitored. This value is executed after you log in. 

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\
All subkeys are monitored, with special attention paid to the "StubPath" value in each subkey. 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic  es\VxD\
All subkeys are monitored, with special attention paid to the "StaticVXD" value in each subkey. 

HKEY_CURRENT_USER\Control Panel\Desktop
The "SCRNSAVE.EXE" value is monitored. This value is launched when your screen saver activates. 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contro  l\Session Manager
The "BootExecute" value is monitored. Files listed here are Native Applications that are executed before Windows starts. 

HKEY_CLASSES_ROOT\vbsfile\shell\open\command\
Executed whenever a .VBS file (Visual Basic Script)  is run. 

HKEY_CLASSES_ROOT\vbefile\shell\open\command\
Executed whenever a .VBE file (Encoded Visual Basic Script) is run. 

HKEY_CLASSES_ROOT\jsfile\shell\open\command\
Executed whenever a .JS file (Javascript) is run. 

HKEY_CLASSES_ROOT\jsefile\shell\open\command\
Executed whenever a .JSE file (Encoded Javascript) is run. 

HKEY_CLASSES_ROOT\wshfile\shell\open\command\
Executed whenever a .WSH file (Windows Scripting Host) is run. 

HKEY_CLASSES_ROOT\wsffile\shell\open\command\
Executed whenever a .WSF file (Windows Scripting File) is run. 

HKEY_CLASSES_ROOT\exefile\shell\open\command\
Executed whenever a .EXE file (Executable) is run. 

HKEY_CLASSES_ROOT\comfile\shell\open\command\
Executed whenever a .COM file (Command) is run. 

HKEY_CLASSES_ROOT\batfile\shell\open\command\
Executed whenever a .BAT file (Batch Command) is run. 

HKEY_CLASSES_ROOT\scrfile\shell\open\command\
Executed whenever a .SCR file (Screen Saver) is run. 

HKEY_CLASSES_ROOT\piffile\shell\open\command\
Executed whenever a .PIF file (Portable Interchange Format) is run. 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic  es\
Services marked to startup automatically are executed before user login. 

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic  es\Winsock2\Parameters\Protocol_Catalog\Catalog_En  tries\
Layered Service Providers, executed before user login. 

HKEY_LOCAL_MACHINE\System\Control\WOW\cmdline
Executed when a 16-bit Windows executable is executed. 

HKEY_LOCAL_MACHINE\System\Control\WOW\wowcmdline
Executed when a 16-bit DOS application is executed. 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Executed when a user logs in. 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr  entVersion\ShellServiceObjectDelayLoad\
Executed by explorer.exe as soon as it has loaded. 

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
Executed when the user logs in. 

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Executed when the user logs in. 

HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre  ntVersion\Policies\Explorer\run\
Subvalues are executed when Explorer initialises. 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr  entVersion\Policies\Explorer\run\
Subvalues are executed when Explorer initialises. 


Folder Autostart Locations

windir\Start Menu\Programs\Startup\ 
User\Startup\ 
All Users\Startup\ 
windir\system\iosubsys\ 
windir\system\vmm32\ 
windir\Tasks\ 

File Autostart Locations

c:\explorer.exe  
c:\autoexec.bat 
c:\config.sys 
windir\wininit.ini 
windir\winstart.bat 
windir\win.ini - [windows] "load" 
windir\win.ini - [windows] "run" 
windir\system.ini - [boot] "shell" 
windir\system.ini - [boot] "scrnsave.exe" 
windir\dosstart.bat 
windir\system\autoexec.nt 
windir\system\config.nt

----------

Надоело быть жертвой? Стань профи по информационной безопасности, получай самую свежую информацию об угрозах и средствах защиты от ведущего российского аналитического центра Anti-Malware.ru:

----------

