VirusInfo:MS Windows System Reference
Talk0this wiki
This page exists as a reference for Microsoft Windows-specific items that would be too repetitive and/or tedious to write for every article. Also it is to keep long path names that would make the page itself look ugly in one place.
Windows Folder
Edit
This is the Windows installation folder, usually located at C:\Windows (on Windows 9x, ME, and XP onwards) or C:\WINNT (On Windows 2000 or NT). It contains everything needed to run a Windows Operating System. Most self-replicating programs prefer to install themselves in a subdirectory of this one, the System Folder, but a few install themselves here too.
System FolderEdit
The System folder contains programs, libraries and other files necessary to run the computer. On Windows 95, 98 and ME, it is located in the folder C:\Windows\System. On Windows 2000 and NT, it is in C:\WINNT\System32. Worms usually install themselves to this folder. In Windows XP it is C:\Windows\System32.
Temp FolderEdit
This folder is for the storage of temporary files. In Windows 9x and ME it is located at C:\Windows\Temp, while in Windows 2000, NT and XP it is located at C:\WINNT\TEMP.
Recycle BinEdit
This is for the storage of files before final deletion. It is located at C:\Recycled in Windows 9x and ME and at C:\Recycler in Windows 2000, NT and XP.
Startup FolderEdit
In Windows 95, 98 and ME, located at C:\Windows\Start Menu\Programs\Startup\.
In Windows 2000, NT and XP, C:\Documents and Settings\<user name>\Start Menu\Programs\Startup\.
Separate Startup exist for specific users and all users.
RegistryEdit
The Registry is a directory that stores system and program settings. Worms often use the registry to make sure they start upon the system being started. The Windows registry consists of six subtrees, five of which are visible to the user, beginning with HKEY. A typical registry key works in a similar way to a file path name, using backslashes (\) to indicate levels of hierarchy.
HKEY_LOCAL_MACHINE, referred to on this wiki as the "local machine registry key," is the subtree that contains settings relevant to all users on the computer.
HKEY_CURRENT_USER, referred to on this wiki as the "current user registry key", contains settings relevant to the currently logged in user.
HKEY_USERS, referred to on this wiki as the "users registry key", contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user registered on the machine.
HKEY_CLASSES_ROOT referred to on this wiki as the "root registry key" contains settings relevant to registered applications. On Windows 2000 and above, HKCR is a compilation of HKEY_CURRENT_USER\Software\Classes and HKEY_LOCAL_MACHINE\Software\Classes. If a given value exists in both of the subkeys above, the one in HKEY_CURRENT_USER\Software\Classes is used.
HKEY_CURRENT_CONFIG referred to on this wiki as the "current configuration key", contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather regenerated at boot time.
HKEY_PERFORMANCE_DATA referred to on this wiki as the "performance data key" provides runtime information into performance data provided by either the NT kernel itself or other programs that provide performance data. This key is not displayed in the Registry Editor, but it is visible through the registry functions in the Windows API.
Registry Keys and DetailsEdit
Viruses and worms make use of the following keys for various purposes. Most commonly, they use one of the "Run" keys which will start the worm automatically.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEdit
These programs automatically start when any user is logged in. It is used for all users on this computer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEdit
The programs here start only once when any user is logged in and will be removed after the Windows boot process would have finished.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceExEdit
The programs here start only once when any user is logged in and will be removed after the Windows boot process would have finished. Also the RunOnceEx registry key does not create a separate processes. The RunOnceEx registry key also support a dependency list of DLLs that remain loaded while either all the sections or some of the sections are being processed.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesEdit
These programs automatically start when the system is loading before the user logs in. It is used for service applications - antivirus, drivers etc. In Windows NT/2000/XP it could be canceled by admin to use other service startup sections. Read more at services startup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnceEdit
These programs automatically start only once when the system is loading as service application and items are deleted after the Windows boot process have finished.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonEdit
This key deals with logons
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEdit
The programs here automatically start when the current user logs in. It is used only for current logoned user.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEdit
The programs here automatically start only once when the current user logs in and it will be deleted after the Windows boot process would have finished.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesEdit
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\AccountsEdit
This key contains a list of the current user's email account.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunEdit
The programs here automatically will be copied into HKEY_CURRENT_USER\...\Run for every new user account.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEdit
The programs here automatically will be copied into HKEY_CURRENT_USER\...\RunOnce for every new user account.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell ExtensionsEdit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Edit
HKEY_CURRENT_USER\Software\Microsoft\OLEEdit
This registry key contains information pertaining to Windows DCOM settings.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Edit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersEdit
A now mostly unused key that has been replaced by the function "SHGetSpecialFolderLocation".
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\PersonalEdit
This key lists the current users personal folders.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\CacheEdit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\StartupEdit
This key points to the current user's startup folder.
HKEY_CURRENT_USER\Software\Micro==soft\Windows\CurrentVersion\Explorer\Shell Folders\DesktopEdit
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\commandEdit
HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\commandEdit
HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\commandEdit
HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\commandEdit
HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\commandEdit
HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\commandEdit
HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\commandEdit
HKEY_CLASSES_ROOT\exefile\shell\open\commandEdit
HKEY_CLASS_ROOT\txtfile\shell\open\commandEdit
This registry key sets the default application for opening text files.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\WindowsEdit
This is another registry key that causes programs to run on startup.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\SystemEdit
HKEY_CURRENT_USER\Software\Microsoft\Office\Edit
This is a registry key containing information about Microsoft Office.
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32Edit
This key ensures that a program is run by Internet Explorer.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution UnitsEdit
This registry key's use has not yet been determined.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\VersionEdit
Key used by the Mydoom worm.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\VersionEdit
Key used by the Mydoom worm.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App PathsEdit
This key contains information on where to find installed programs and their support files on the local machine.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\Edit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableEdit
HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableEdit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxyEdit
This key contains the locations of personal folders.
HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContentEdit
Contains the location of the Kazaa network share folder.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\ServiceDllEdit
Key used by Conficker.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Edit
HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQEdit
A key specific to an ICQ client.
Edit
This key controls shared access.
Edit
This key controls shared access.
Edit
This key controls shared access.
\software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellEdit
Programs listed in this registry key will start up as soon as someone logs in.
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Edit
Programs listed in this registry key will start up when an image file is opened.
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUAEdit
This key controls user account control.
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\PromptOnSecureDesktopEdit
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableVirtualizationEdit
\SYSTEM\ControlSet001\Services\wscsvcEdit
\SYSTEM\CurrentControlSet\Services\wscsvcEdit
\SYSTEM\ControlSet001\Services\wuauservEdit
\SYSTEM\CurrentControlSet\Services\wuauservEdit
SYSTEM\CurrentControlSet\Services\"MRxCls\ImagePath = %System%\drivers\mrxcls.sysEdit
SYSTEM\CurrentControlSet\Services\"MRxNet\ImagePath = %System%\drivers\mrxnet.sysEdit
SourcesEdit
Wikipedia, Windows Registry
Microsoft Corporation. Microsoft Windows 2000 Professional Resource Kit, Part 7 "Troubleshooting", Registry Editors, pp. 1448-1452. Microsoft Press: Redmond, Washington. 2000 ISBN: 1572318082
Windows Registry Startup Sections for Startup Programs
Rusty Russell, Daniel Quinlan, Christopher Yeoh. Filesystem Hierarchy Standard Group, Filesystem Hierarchy Standard. 1994-2004
Tarma Quickinstall, App Paths Settings
Raymond Chen. Technet, Windows Confidential, The Sad Story of the Shell Folders Key
