| Item Checked | OS |
1. |
HKCU\Control Panel\Desktop\SCRNSAVE.EXE |
NT4+ |
2. |
HKCU\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021493-0000-0000-C000-000000000046}\
HKCU\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021494-0000-0000-C000-000000000046}\ |
W2K+ |
3. |
HKCU\Software\Classes\.bat\shell\subkey\command\
HKCU\Software\Classes\.bat\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\.cmd\shell\subkey\command\
HKCU\Software\Classes\.cmd\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\.com\shell\subkey\command\
HKCU\Software\Classes\.com\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\.exe\shell\subkey\command\
HKCU\Software\Classes\.exe\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\.hta\shell\subkey\command\
HKCU\Software\Classes\.hta\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\.pif\shell\subkey\command\
HKCU\Software\Classes\.pif\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\.scr\shell\subkey\command\
HKCU\Software\Classes\.scr\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\batfile\shell\subkey\command\
HKCU\Software\Classes\batfile\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\cmdfile\shell\subkey\command\
HKCU\Software\Classes\cmdfile\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\comfile\shell\subkey\command\
HKCU\Software\Classes\comfile\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\exefile\shell\subkey\command\
HKCU\Software\Classes\exefile\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\htafile\shell\subkey\command\
HKCU\Software\Classes\htafile\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\piffile\shell\subkey\command\
HKCU\Software\Classes\piffile\shell\subkey\ddeexec\ |
W2K+ |
|
HKCU\Software\Classes\scrfile\shell\subkey\command\
HKCU\Software\Classes\scrfile\shell\subkey\ddeexec\ |
W2K+ |
4. |
HKCU\Software\Classes\*\shellex\ColumnHandlers\
HKCU\Software\Classes\*\shellex\ContextMenuHandlers\
HKCU\Software\Classes\*\shellex\CopyHookHandlers\
HKCU\Software\Classes\*\shellex\DragDropHandlers\
HKCU\Software\Classes\*\shellex\PropertySheetHandlers\
HKCU\Software\Classes\AllFilesystemObjects\shellex\ColumnHandlers\
HKCU\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
HKCU\Software\Classes\AllFilesystemObjects\shellex\CopyHookHandlers\
HKCU\Software\Classes\AllFilesystemObjects\shellex\DragDropHandlers\
HKCU\Software\Classes\AllFilesystemObjects\shellex\PropertySheetHandlers\
HKCU\Software\Classes\Directory\shellex\ColumnHandlers\
HKCU\Software\Classes\Directory\shellex\ContextMenuHandlers\
HKCU\Software\Classes\Directory\shellex\CopyHookHandlers\
HKCU\Software\Classes\Directory\shellex\DragDropHandlers\
HKCU\Software\Classes\Directory\shellex\PropertySheetHandlers\
HKCU\Software\Classes\Directory\Background\shellex\ColumnHandlers\
HKCU\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\
HKCU\Software\Classes\Directory\Background\shellex\CopyHookHandlers\
HKCU\Software\Classes\Directory\Background\shellex\DragDropHandlers\
HKCU\Software\Classes\Directory\Background\shellex\PropertySheetHandlers\
HKCU\Software\Classes\Folder\shellex\ColumnHandlers\
HKCU\Software\Classes\Folder\shellex\ContextMenuHandlers\
HKCU\Software\Classes\Folder\shellex\CopyHookHandlers\
HKCU\Software\Classes\Folder\shellex\DragDropHandlers\
HKCU\Software\Classes\Folder\shellex\ExtShellFolderViews\
HKCU\Software\Classes\Folder\shellex\PropertySheetHandlers\
|
W2K+ |
5. |
HKCU\Software\Classes\PROTOCOLS\Filter\ |
W2K+ |
6. |
HKCU\Software\Classes\PROTOCOLS\Handler\ |
W2K+ |
7. |
HKCU\Software\Microsoft\Command Processor\AutoRun |
NT4+ |
8. |
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ |
All |
9. |
HKCU\Software\Microsoft\Internet Explorer\Extensions\ |
All |
10. |
HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\ |
x64 |
11. |
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ |
All |
12. |
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ |
All |
13. |
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\Application
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\Application
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\Application
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\Application
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\Application
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\Application
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\Application
|
WMe/W2K/WXP |
|
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\Progid
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\Progid
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\Progid
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\Progid
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\Progid
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\Progid
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\Progid
|
WXP |
|
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\UserChoice\Progid
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\UserChoice\Progid
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\UserChoice\Progid
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice\Progid
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\UserChoice\Progid
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\UserChoice\Progid
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\UserChoice\Progid
|
WVa+ |
14. |
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ |
W2K+ |
15. |
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\ |
WVa+ |
16. |
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\ |
WVa+ |
17. |
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ |
WMe/W2K+ |
18. |
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\any subkey\ |
WMe/W2K |
19. |
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell |
W2K+ |
20. |
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ |
All |
21. |
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\any subkey\ |
W2K |
22. |
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ |
All |
23. |
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\any subkey\ |
W2K |
24. |
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\ |
All |
25. |
HKCU\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ |
All |
26. |
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration |
WVa+ |
27. |
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run |
NT4/W2K/WXP/WVa |
28. |
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell |
NT4+ |
29. |
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\ |
W2K/WXP |
30. |
HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021493-0000-0000-C000-000000000046}\
HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021494-0000-0000-C000-000000000046}\ |
All |
31. |
HKLM\Software\Classes\.bat\shell\subkey\command\
HKLM\Software\Classes\.bat\shell\subkey\ddeexec\ |
All |
|
HKLM\Software\Classes\.cmd\shell\subkey\command\
HKLM\Software\Classes\.cmd\shell\subkey\ddeexec\ |
NT4+ |
|
HKLM\Software\Classes\.com\shell\subkey\command\
HKLM\Software\Classes\.com\shell\subkey\ddeexec\ |
All |
|
HKLM\Software\Classes\.exe\shell\subkey\command\
HKLM\Software\Classes\.exe\shell\subkey\ddeexec\ |
All |
|
HKLM\Software\Classes\.hta\shell\subkey\command\
HKLM\Software\Classes\.hta\shell\subkey\ddeexec\ |
All |
|
HKLM\Software\Classes\.pif\shell\subkey\command\
HKLM\Software\Classes\.pif\shell\subkey\ddeexec\ |
All |
|
HKLM\Software\Classes\.scr\shell\subkey\command\
HKLM\Software\Classes\.scr\shell\subkey\ddeexec\ |
All |
|
HKLM\Software\Classes\batfile\shell\subkey\command\
HKLM\Software\Classes\batfile\shell\subkey\ddeexec\ |
All |
|
HKLM\Software\Classes\cmdfile\shell\subkey\command\
HKLM\Software\Classes\cmdfile\shell\subkey\ddeexec\ |
NT4+ |
|
HKLM\Software\Classes\comfile\shell\subkey\command\
HKLM\Software\Classes\comfile\shell\subkey\ddeexec\ |
All |
|
HKLM\Software\Classes\exefile\shell\subkey\command\
HKLM\Software\Classes\exefile\shell\subkey\ddeexec\ |
All |
|
HKLM\Software\Classes\htafile\shell\subkey\command\
HKLM\Software\Classes\htafile\shell\subkey\ddeexec\ |
All |
|
HKLM\Software\Classes\piffile\shell\subkey\command\
HKLM\Software\Classes\piffile\shell\subkey\ddeexec\ |
All |
|
HKLM\Software\Classes\scrfile\shell\subkey\command\
HKLM\Software\Classes\scrfile\shell\subkey\ddeexec\ |
All |
32. |
HKLM\Software\Classes\*\shellex\ColumnHandlers\
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
HKLM\Software\Classes\*\shellex\CopyHookHandlers\
HKLM\Software\Classes\*\shellex\DragDropHandlers\
HKLM\Software\Classes\*\shellex\PropertySheetHandlers\
HKLM\Software\Classes\AllFilesystemObjects\shellex\ColumnHandlers\
HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
HKLM\Software\Classes\AllFilesystemObjects\shellex\CopyHookHandlers\
HKLM\Software\Classes\AllFilesystemObjects\shellex\DragDropHandlers\
HKLM\Software\Classes\AllFilesystemObjects\shellex\PropertySheetHandlers\
HKLM\Software\Classes\Directory\shellex\ColumnHandlers\
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
HKLM\Software\Classes\Directory\shellex\CopyHookHandlers\
HKLM\Software\Classes\Directory\shellex\DragDropHandlers\
HKLM\Software\Classes\Directory\shellex\PropertySheetHandlers\
HKLM\Software\Classes\Directory\Background\shellex\ColumnHandlers\
HKLM\Software\Classes\Directory\Background\shellex\ContextMenuHandlers\
HKLM\Software\Classes\Directory\Background\shellex\CopyHookHandlers\
HKLM\Software\Classes\Directory\Background\shellex\DragDropHandlers\
HKLM\Software\Classes\Directory\Background\shellex\PropertySheetHandlers\
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
HKLM\Software\Classes\Folder\shellex\CopyHookHandlers\
HKLM\Software\Classes\Folder\shellex\DragDropHandlers\
HKLM\Software\Classes\Folder\shellex\ExtShellFolderViews\
HKLM\Software\Classes\Folder\shellex\PropertySheetHandlers\
|
All |
33. |
HKLM\Software\Wow6432Node\Classes\*\shellex\ColumnHandlers\
HKLM\Software\Wow6432Node\Classes\*\shellex\ContextMenuHandlers\
HKLM\Software\Wow6432Node\Classes\*\shellex\CopyHookHandlers\
HKLM\Software\Wow6432Node\Classes\*\shellex\DragDropHandlers\
HKLM\Software\Wow6432Node\Classes\*\shellex\PropertySheetHandlers\
HKLM\Software\Wow6432Node\Classes\AllFilesystemObjects\shellex\ColumnHandlers\
HKLM\Software\Wow6432Node\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
HKLM\Software\Wow6432Node\Classes\AllFilesystemObjects\shellex\CopyHookHandlers\
HKLM\Software\Wow6432Node\Classes\AllFilesystemObjects\shellex\DragDropHandlers\
HKLM\Software\Wow6432Node\Classes\AllFilesystemObjects\shellex\PropertySheetHandlers\
HKLM\Software\Wow6432Node\Classes\Directory\shellex\ColumnHandlers\
HKLM\Software\Wow6432Node\Classes\Directory\shellex\ContextMenuHandlers\
HKLM\Software\Wow6432Node\Classes\Directory\shellex\CopyHookHandlers\
HKLM\Software\Wow6432Node\Classes\Directory\shellex\DragDropHandlers\
HKLM\Software\Wow6432Node\Classes\Directory\shellex\PropertySheetHandlers\
HKLM\Software\Wow6432Node\Classes\Directory\Background\shellex\ColumnHandlers\
HKLM\Software\Wow6432Node\Classes\Directory\Background\shellex\ContextMenuHandlers\
HKLM\Software\Wow6432Node\Classes\Directory\Background\shellex\CopyHookHandlers\
HKLM\Software\Wow6432Node\Classes\Directory\Background\shellex\DragDropHandlers\
HKLM\Software\Wow6432Node\Classes\Directory\Background\shellex\PropertySheetHandlers\
HKLM\Software\Wow6432Node\Classes\Folder\shellex\ColumnHandlers\
HKLM\Software\Wow6432Node\Classes\Folder\shellex\ContextMenuHandlers\
HKLM\Software\Wow6432Node\Classes\Folder\shellex\CopyHookHandlers\
HKLM\Software\Wow6432Node\Classes\Folder\shellex\DragDropHandlers\
HKLM\Software\Wow6432Node\Classes\Folder\shellex\ExtShellFolderViews\
HKLM\Software\Wow6432Node\Classes\Folder\shellex\PropertySheetHandlers\
|
x64 |
34. |
HKLM\Software\Classes\PROTOCOLS\Filter\ |
All |
35. |
HKLM\Software\Classes\PROTOCOLS\Handler\ |
All |
36. |
HKLM\Software\Microsoft\Active Setup\Installed Components\ |
All |
37. |
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\ |
x64(7) |
38. |
HKLM\Software\Microsoft\Command Processor\AutoRun |
NT4+ |
39. |
HKLM\Software\Wow6432Node\Microsoft\Command Processor\AutoRun |
x64 |
40. |
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ |
All |
41. |
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\ |
x64 |
42. |
HKLM\Software\Microsoft\Internet Explorer\Extensions\ |
All |
43. |
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions\ |
x64 |
44. |
HKLM\Software\Microsoft\Internet Explorer\Toolbar\ |
All |
45. |
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\ |
x64 |
46. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters\ |
WVa+ |
47. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\ |
WVa+ |
48. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers\ |
WVa+ |
49. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ |
WXP+ |
50. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ |
All |
51. |
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ |
x64 |
52. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\DeviceNotificationCallbacks\ |
WVa+ |
53. |
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\DeviceNotificationCallbacks\ |
x64 |
54. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ |
All |
55. |
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ |
x64 |
56. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ |
All |
57. |
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ |
x64 |
58. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ |
All |
59. |
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ |
x64 |
60. |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\ |
WVa+ |
61. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\ |
WVa+ |
62. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ |
WMe/W2K+ |
63. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\any subkey\ |
WMe/W2K |
64. |
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ |
WMe/W2K+ |
65. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ |
All |
66. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\any subkey\ |
W2K |
67. |
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ |
x64 |
68. |
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ |
All |
69. |
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\any subkey\ |
W2K |
70. |
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\ |
All |
71. |
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\ |
All |
72. |
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\ |
All |
73. |
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ |
W9x |
74. |
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ |
W9x |
75. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ |
All |
76. |
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ |
x64 |
77. |
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ |
All |
78. |
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ |
x64 |
79. |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration |
WVa+ |
80. |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\ |
W2K (6) |
81. |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Aedebug\ |
NTx |
82. |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ |
NTx |
83. |
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ |
x64 |
84. |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\InitFileMapping\ |
NT4+ |
85. |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs |
NT4+ |
86. |
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs |
x64 |
87. |
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib |
WVa+ |
88. |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet |
NT4+ |
89. |
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ |
W2K+ |
90. |
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\ |
x64 |
91. |
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ |
W2K/WXP |
92. |
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\ |
W2K/WXP |
93. |
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ |
W2K+ |
94. |
HKLM\System\CurrentControlSet\Control\ServiceControlManagerExtension |
Wn7 |
95. |
HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath |
NT4+ |
96. |
HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters |
W2K+ |
97. |
HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages
HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages
HKLM\System\CurrentControlSet\Control\Lsa\Security Packages |
NT4+ |
98. |
HKLM\System\CurrentControlSet\Control\Print\Monitors\ |
All |
99. |
HKLM\System\CurrentControlSet\Control\SafeBoot\AlternateShell
HKLM\System\CurrentControlSet\Control\SafeBoot\Option\UseAlternateShell
|
W2K+ |
100. |
HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders |
All |
101. |
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\System\CurrentControlSet\Control\Session Manager\Execute
HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
|
NT4+ |
102. |
HKLM\System\CurrentControlSet\Control\WOW\cmdline
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline |
NTx |
103. |
HKLM\System\CurrentControlSet\Services\ |
NT4+ |
104. |
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ |
All |
105. |
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries64\
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries64\ |
x64 |
106. |
%WINDIR%\WIN.INI [windows] load=, run= |
W9x |
107. |
%WINDIR%\SYSTEM.INI [boot] shell=, scrnsave.exe= |
W9x |
108. |
%WINDIR%\WINSTART.BAT |
W9x (2) |
109. |
[Local Fixed Disk]\AUTORUN.INF open=, shellexecute= |
All (3) |
110. |
[Local Fixed Disk]\[Any Folder with “S” Attribute]\DESKTOP.INI [.ShellClassInfo] CLSID= / UICLSID= |
All (1) |
111. |
%WINDIR%\All Users\Start Menu\Programs\Startup\ |
W9x |
112. |
%WINDIR%\Start Menu\Programs\Startup\ |
W9x |
113. |
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\ |
NTx |
114. |
%USERPROFILE%\Start Menu\Programs\Startup\ |
NTx |
115. |
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\ |
WVa+ |
116. |
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ |
WVa+ |
117. |
%USERPROFILE%\AppData\Local\Microsoft\Windows Sidebar\Settings.ini |
WVa+ |
118. |
%WINDIR%\Tasks\ |
W9x/NTx |
119. |
%WINDIR%\System32\Tasks\ |
WVa+ |
Hijack Points
These registry keys and files can be used to redirect the desktop, network and Internet Explorer:
|
| Item Checked | O/S |
1. |
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\
|
W9x/NTx |
2. |
HKCU\Software\Microsoft\Internet Explorer\Main\
|
All (4) |
3. |
HKCU\Software\Microsoft\Internet Explorer\SearchURL\
|
All (4) |
4. |
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
|
All |
5. |
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState |
W9x/NTx |
6. |
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ |
All |
7. |
HKCU\Software\Policies\Microsoft\Internet Explorer\ |
All |
8. |
HKCU\Software\Policies\Microsoft\Windows\ |
All |
9. |
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ |
W2K+ |
10. |
HKLM\Software\Microsoft\Internet Explorer\Main\
|
All (4) |
11. |
HKLM\Software\Microsoft\Internet Explorer\Search\
|
All (4) |
12. |
HKLM\Software\Microsoft\Internet Explorer\AboutURLs\
|
All |
13. |
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\
|
All |
14. |
HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\ |
All |
15. |
HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\ |
All |
16. |
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore\ |
WXP+ |
17. |
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath |
NT4+ |
18. |
%WINDIR%\HOSTS
%WINDIR%\System32\drivers\etc\HOSTS |
W9x NT4+ |
19. |
%WINDIR%\INF\IERESET.INF
|
Note 5 |
|
| W9x: | Windows 95, Windows 98 (Standard Edition), Windows 98 SE (Second Edition), and Windows Me (Millennium Edition) |
| NTx: | Windows NT 4.0, Windows 2000, and Windows XP |
| NT4+: | Windows NT 4.0, Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10 |
| W2K+: | Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10 |
| WXP: | Windows XP and Windows Server 2003 |
| WXP+: | Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10 |
| WVa+: | Windows Vista, Windows 7, Windows 8 and Windows 10 |
| Wn7: | Windows 7, Windows 8 and Windows 10 |
| x64: | Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10 64-bit only |
| (1): | launch point checked by answering “No” at the script’s first message box and “Yes” at the message box that follows it or with the “-supp” or “-all” command line parameters |
| (2): | excluding Windows Me |
| (3): | excluding Windows Me, Windows XP SP2/SP3, Windows Vista, Windows 7, and Windows 8 |
| (4): | not checked by Silent Runners – reset by IERESET.INF (except Windows Vista, Windows 7, Windows 8 and Windows 10) |
| (5): | Internet Explorer 5.01, 5.5 & 6.0 only |
| (6): | only active if UtilMan service running |
| (7): | excluding Windows XP x64 |