This document describes the most common load points used by malicious software. These files and registry locations allow malware to run automatically when you log on, start the machine, and so on.

          

## Startup folders (including all users)

Files stored inside these folders are executed after the user logs on.

- #HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup#*\*
- #HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup#*\*
- %ProgramFiles%\Startup\*.*
- %ProgramFiles(x86)%\Startup\*.*

## Other files which may start some malware

- c:\autoexec.bat
- c:\config.sys
- %windir%\wininit.ini - Usually used by setup programs to have a file run once and then get deleted.
- %windir%\winstart.bat

Win.ini: Programs written for 16-bit Windows versions can add commands to the Load= and Run= lines in the [Windows] section of this startup file, which is located in %SystemRoot%. The Win.ini file is a legacy of the Windows 3.1 era.

- %windir%\win.ini - [windows] "load"
- %windir%\win.ini - [windows] "run"
- %windir%\system.ini - [boot] "shell"
- %windir%\system.ini - [boot] "scrnsave.exe"
- %windir%\system\autoexec.nt
- %windir%\system\config.nt

## Run keys

- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

## Load value

Programs listed in that value will run when any user logs on.

- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows - load (REG_SZ)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows - load (REG_SZ)
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows - run (REG_SZ)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows - run (REG_SZ)

## RunOnce and RunOnceEx keys

This group of registry keys identifies programs that run only once, at startup.

- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

## RunServices and RunServicesOnce keys

As the names suggest, these rarely used keys can control automatic startup of services.

- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

## Winlogon key

The Winlogon key controls actions that occur when you log on to a computer.

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - System (REG_SZ): The programs listed in this value launch in the protected system context. It looks like this value is not used by Winlogon at this moment.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - TaskMan (REG_SZ): Specifies the task manager that the system uses during logon. It does not exist by default.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - VMApplet (REG_SZ): Specifies programs that Winlogon runs for the user so that the user can adjust the configuration of virtual memory when there is no paging file on the system volume. These programs run only when the system volume does not include a paging file.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*\ - DLLName (REG_EXPAND_SZ) (where * is a key): Winlogon loads any notification packages listed in this key. Each package uses its own subkey under the Notify key. The DllName value (REG_EXPAND_SZ) contains the DLL file name.
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - Userinit (REG_SZ)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - Userinit (REG_SZ)
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon - Shell (REG_SZ)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Userinit - Shell (REG_SZ)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Userinit - Run (REG_SZ)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Userinit - Load (REG_SZ)

## Policies\Explorer\Run keys

Using policy settings to specify startup programs.

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

## BootExecute value

By default, the multistring BootExecute value of the registry key is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of your hard disks if your system has been shut down abnormally.

- HKLM\System\CurrentControlSet\Control\Session Manager - BootExecute (BootExecute)

## AppInit_DLLs

All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current logon session.

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows - AppInit_DLLs (REG_SZ)

## SharedTaskScheduler

The key contains the list of GUIDs (each the GUID of a COM object) automatically loaded by Explorer.

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

## AlternateShell

Lists the name of the alternative environment used when the Safe mode with Command Prompt option is selected.

- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot - AlternateShell

## Active Setup

msiexec will run whatever is in StubPath if this GUID does not exist in HKCU.

- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\*\ - StubPath (REG_SZ)
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\*\ - StubPath (REG_SZ)

## SCRNSAVE.EXE

Screen saver program. If the screen saver is not specified, the value may not exist.

- HKEY_CURRENT_USER\Control Panel\Desktop - SCRNSAVE.EXE (REG_SZ)

## ShellExecuteHooks

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks (key): The ShellExecuteHooks registry key contains the list of COM objects that trap execute commands.

## ShellServiceObjectDelayLoad

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (key): This registry key contains values in a similar way as the Run key does. The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information about the particular DLL file that is being used.

The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your computer, it will always start, thus always loading the files under this key. These files are therefore loaded early in the startup process, before any human intervention occurs.

## Scheduled tasks

A scheduled task can start at startup or user logon … or on any other schedule.

- We could block at.exe and SCHTASKS.exe
- We could block execution from %windir%\Tasks\*.* (especially *.job)
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*\*

## BHO

Browser Helper Objects are the COM components that Internet Explorer will load each time it starts up. For example, a BHO could spy on all browser events, access the browser's menu and toolbar and make changes, create windows to display additional information, etc. There are no default objects.

- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*\*
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*\*

## Group Policy

The Group Policy console includes two policies (one in Computer Configuration\Administrative Templates\System\Logon, and one in the comparable User Configuration folder) called Run These Programs At User Logon that specify a list of programs to be run whenever any user logs on.

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

The System subkey stores the entries created when you configure a Group Policy that affects a basic component of Windows. Group Policy creates and maintains the entries in this subkey, and the component program reads and interprets them.

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

The System subkey stores the entries created when you configure a Group Policy that affects a basic component of Windows. Group Policy creates and maintains the entries in this subkey, and the component program reads and interprets them.
This subkey stores policy-related entries that are configured separately for each user. There is also a Software\Microsoft\Windows\CurrentVersion\Policies\System subkey in HKEY_LOCAL_MACHINE that stores entries applying to all users of this computer.
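
The load points listed above can be checked mechanically against a registry snapshot. The following Python sketch is an added example, not part of the original page: it matches snapshot rows against a subset of the keys above, treating `*` as exactly one subkey level, and skips empty data and the BootExecute default stated earlier. The snapshot format (key, value name, data), the function names and the sample rows are assumptions constructed for illustration.

```python
# Added example: match registry snapshot rows against load points from this page.
HIVES = {"hklm": "hkey_local_machine", "hkcu": "hkey_current_user"}

# (key pattern, value name or None for "every value under the key", default data).
# "*" stands for exactly one subkey level; only the BootExecute default is on the page.
LOAD_POINTS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None, None),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", None, None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit", None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*", "DLLName", None),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs", None),
    (r"HKLM\System\CurrentControlSet\Control\Session Manager", "BootExecute", "autocheck autochk *"),
]

def norm_key(key):
    """Lower-case a key path and expand HKLM/HKCU so different spellings compare equal."""
    parts = key.strip("\\").lower().split("\\")
    parts[0] = HIVES.get(parts[0], parts[0])
    return parts

def key_matches(pattern, key):
    """Segment-wise comparison, so a wildcard never spans more than one subkey level."""
    p, k = norm_key(pattern), norm_key(key)
    return len(p) == len(k) and all(a in ("*", b) for a, b in zip(p, k))

def audit(rows):
    """Return the (key, value, data) rows that sit on a load point and need review."""
    findings = []
    for key, name, data in rows:
        for pattern, wanted, default in LOAD_POINTS:
            if not key_matches(pattern, key):
                continue
            if wanted is not None and wanted.lower() != name.lower():
                continue
            # Empty data names no program; data equal to the default is expected.
            if data.strip() and data.strip() != default:
                findings.append((key, name, data))
            break
    return findings

# Constructed sample snapshot (not taken from a real host); multi-string data is
# assumed to be joined with newlines.
SAMPLE = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\Users\Public\upd.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sub", "x", "ignored.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager", "BootExecute", "autocheck autochk *"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultUserName", "alice"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pkg1", "DllName", r"C:\Temp\n.dll"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs", ""),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Rows that are reported are candidates for review, not verdicts: legitimate software also registers itself at these load points.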

## Registry locations where write should be forbidden (More info later)

HKEY_CLASSES_ROOT\comfile\shell\open\command
HKEY_CLASSES_ROOT\piffile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\txtfile\shell\open\command

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*\*

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced- ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\*\*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\*\*
