VirusInfo:MS Windows System Reference

This page exists as a reference for Microsoft Windows-specific items that would be too repetitive or tedious to write out in every article, and as a single place to keep the long path names that would otherwise clutter the articles themselves.

Windows Folder

This is the Windows installation folder, usually C:\Windows on Windows 9x, ME and XP onwards, or C:\WINNT on Windows NT and 2000. Whatever its drive and name, the environment variable %SystemRoot% (and the older %WinDir%) points to it, which is why worm write-ups often give paths in that form. It contains everything needed to run the operating system. Most self-replicating programs prefer to install themselves into a subdirectory of this one, the System folder, but a few install themselves here too.

System Folder

The System folder contains programs, libraries and other files necessary to run the computer. On Windows 95, 98 and ME it is C:\Windows\System. On Windows NT and 2000 it is C:\WINNT\System32, and on Windows XP it is C:\Windows\System32 (in both cases %SystemRoot%\System32). On 64-bit Windows, System32 holds the 64-bit binaries and a 32-bit program writing to it is redirected to %SystemRoot%\SysWOW64. Worms usually install themselves into this folder, where a dropped file blends in with hundreds of legitimate system files.

Temp Folder

This folder is for the storage of temporary files. On Windows 9x and ME it is C:\Windows\Temp. The system-wide Temp folder is C:\WINNT\Temp on Windows NT and 2000 and C:\Windows\Temp on XP; on the NT line each user additionally has a private Temp folder inside their profile (C:\Documents and Settings\<user name>\Local Settings\Temp on 2000 and XP), which is what %TEMP% normally points to. Because every user can write there, droppers frequently unpack their payload here before copying it elsewhere.

Recycle Bin

This is for the storage of deleted files before their final removal. The folder name depends on the file system rather than strictly on the Windows version: C:\RECYCLED on FAT volumes (Windows 9x and ME) and C:\RECYCLER on NTFS volumes (Windows NT, 2000 and XP), where each user's deleted files sit in a subfolder named after that user's SID. Both are hidden system folders that Explorer does not display as ordinary directories, which is why malware sometimes uses them as a drop location.

Startup Folder

On Windows 95, 98 and ME it is C:\Windows\Start Menu\Programs\StartUp\.

On Windows 2000 and XP it is C:\Documents and Settings\<user name>\Start Menu\Programs\Startup\ (Windows NT 4.0 keeps profiles under C:\WINNT\Profiles\<user name>\ instead).

Separate Startup folders exist for a specific user and for all users (C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ on 2000 and XP). Anything placed in either is launched by Explorer when that user logs on, so a worm that copies itself there needs no registry change at all.

Registry

The Registry is a hierarchical database that stores system and program settings. Worms often use it to make sure they are started again every time the system boots or a user logs on. It consists of six subtrees (root keys) whose names begin with HKEY, five of which are shown in the Registry Editor. A registry key path works like a file path, using backslashes (\) to separate levels of the hierarchy; each key holds named values, and the unnamed "(Default)" value is the one that file-association keys such as exefile\shell\open\command use.

HKEY_LOCAL_MACHINE (HKLM), referred to on this wiki as the "local machine registry key," is the subtree that contains settings relevant to all users on the computer. On the NT line, writing here requires administrative rights.

HKEY_CURRENT_USER (HKCU), referred to on this wiki as the "current user registry key", contains settings relevant to the currently logged-in user; it is a link to that user's subkey of HKEY_USERS. Any user can write here, which is why user-mode malware that lacks administrator rights falls back to the HKCU autostart keys.

HKEY_USERS (HKU), referred to on this wiki as the "users registry key", contains one subkey per currently loaded user profile, named after the user's SID, each corresponding to that user's HKEY_CURRENT_USER. It also contains .DEFAULT, the hive used when no user is logged on (the logon screen and the LocalSystem account).

HKEY_CLASSES_ROOT (HKCR), referred to on this wiki as the "root registry key", contains file-type and COM registrations for registered applications. On Windows 2000 and above, HKCR is a merged view of HKEY_CURRENT_USER\Software\Classes and HKEY_LOCAL_MACHINE\Software\Classes. If a given key exists in both, the one in HKEY_CURRENT_USER\Software\Classes is used, so a per-user entry shadows the machine-wide one and a file-type hijack can be carried out without administrator rights.

HKEY_CURRENT_CONFIG (HKCC), referred to on this wiki as the "current configuration key", is a link to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, the hardware profile in use for this boot. (The description sometimes given for it, information gathered at run time and regenerated at every boot rather than stored on disk, actually fits the Windows 9x subtree HKEY_DYN_DATA.)

HKEY_PERFORMANCE_DATA, referred to on this wiki as the "performance data key", provides run-time access to performance counters supplied by the NT kernel itself or by other programs that register performance data. This key is not displayed in the Registry Editor, but it is reachable through the registry functions in the Windows API.

Registry Keys and Details

Viruses and worms make use of the following keys for various purposes. Most commonly they use one of the "Run" keys, which start the worm automatically. Keys under HKEY_LOCAL_MACHINE need administrative rights to modify on the NT line; the HKEY_CURRENT_USER counterparts can be written by any user. On 64-bit Windows a 32-bit program writing to HKLM\SOFTWARE is redirected to HKLM\SOFTWARE\Wow6432Node, so both branches have to be checked.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Programs listed here start whenever any user logs on; it applies to all users on the computer. Each value name is arbitrary and the value data is the command line to run.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Programs listed here start once, at the next logon by any user, and each value is deleted as it is processed: by default the value is removed before its command runs, a value name prefixed with "!" is removed only after the command completes, and a value name prefixed with "*" is processed even in Safe Mode.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

Also runs its entries once at the next logon and deletes them afterwards, but the layout differs: the commands sit in numbered subkeys (0001, 0002, ...) that are processed in order by a single rundll32 process hosting iernonce.dll, rather than one new process per entry. RunOnceEx also supports a Depend subkey listing DLLs that stay loaded while all or some of the sections are being processed.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Honoured only by Windows 95, 98 and ME: programs listed here start while the system is loading, before any user logs on, and the key was intended for service-like applications (antivirus, drivers). Windows NT, 2000 and XP ignore it; on the NT line, background services are registered with the Service Control Manager under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services instead (see the SharedAccess and wscsvc entries below). Worm write-ups still list RunServices because 9x-era worms wrote to it.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

The Windows 9x/ME counterpart of RunOnce for service-like programs: entries start once while the system is loading and are deleted once they have been processed.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

This key holds the values Winlogon uses at logon: Shell (the program started as the user's shell, normally explorer.exe), Userinit (the program that initialises the user session, normally userinit.exe) and, up to XP and Server 2003, Notify packages (DLLs loaded into Winlogon itself on logon events). Malware appends its own executable, comma-separated, to Shell or Userinit so that it starts with every logon.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Programs listed here start when the current user logs on; it applies only to that user. Any user can write here without administrator rights.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

The per-user counterpart of RunOnce: entries run once at the current user's next logon and are deleted as they are processed.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The per-user counterpart of RunServices as it appears in some worm descriptions; like RunServices itself it means nothing to Windows NT, 2000 and XP.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Account Manager\Accounts

This key contains the current user's Outlook Express mail and news accounts (server names, user names and addresses). Mass-mailing worms read it to find the SMTP server and sender address to use.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

.DEFAULT is the hive used when no user is logged on (the logon screen and the LocalSystem account); it is not the template for new accounts, which are built from the Default User profile's NTUSER.DAT file, so entries here are not copied into new users' HKEY_CURRENT_USER\...\Run. Worms that write here are usually duplicating their HKCU entries blindly, which makes any entry here worth examining.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

The RunOnce counterpart of the key above, with the same caveat: it belongs to the no-user-logged-on hive and is not copied to new accounts.
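The following script is an added example, not code from the original page: it walks the Run-style keys described above across HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER and every loaded HKEY_USERS hive (including .DEFAULT) and flags the entries a responder would look at first. It assumes Windows PowerShell 5.1 or later on the NT line and read access to the hives (run it elevated to see other users' hives); the list of "suspicious" directories and the flag names are this example's own choices.

```powershell
# Added example (not from the original wiki page): enumerate Run/RunOnce/RunOnceEx
# autostart entries in every hive and flag the ones that deserve a closer look.
# Assumptions: Windows PowerShell 5.1+; the suspicious-directory list is illustrative.

$runSubKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',      # honoured by Windows 9x/ME only
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',  # honoured by Windows 9x/ME only
    'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on 64-bit Windows
)

# HKEY_USERS has no PowerShell drive by default; map it so .DEFAULT and per-SID hives can be walked.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$hives = @('HKLM:', 'HKCU:') +
    @(Get-ChildItem -Path HKU: | ForEach-Object { 'HKU:\' + $_.PSChildName })

# Directories a legitimate autostart entry rarely runs from (user-writable, no admin needed).
$suspiciousDirs = @($env:TEMP, "$env:SystemRoot\Temp", $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ImagePath {
    # Extract the executable from a command line such as
    #   "C:\Program Files\App\app.exe" /tray     or     %TEMP%\x.exe -run
    # Environment variables are expanded first so the path can be tested on disk.
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    # Unquoted: the image ends at the first executable extension followed by a space or the end.
    if ($cl -match '^(.*?\.(exe|dll|scr|bat|com|pif))(\s|$)') { return $Matches[1] }
    return ($cl -split '\s+')[0]
}

$report = foreach ($hive in $hives) {
    foreach ($sub in $runSubKeys) {
        $keyPath = Join-Path -Path $hive -ChildPath $sub
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        # RunOnceEx keeps its commands in numbered subkeys, so walk the key and its children.
        $keys = @(Get-Item -LiteralPath $keyPath) + @(Get-ChildItem -LiteralPath $keyPath -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $cmd = [string]$key.GetValue($name)
                if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
                $image = Get-ImagePath $cmd
                $flags = @()
                if (-not (Test-Path -LiteralPath $image -PathType Leaf)) {
                    $flags += 'image-missing'          # stale entry, or a hidden/renamed file
                } else {
                    $dir = (Split-Path -Parent $image).TrimEnd('\').ToLowerInvariant()
                    if ($suspiciousDirs | Where-Object { $dir.StartsWith($_) }) { $flags += 'user-writable-dir' }
                    $sig = Get-AuthenticodeSignature -FilePath $image
                    if ($sig.Status -ne 'Valid') { $flags += "signature-$($sig.Status)" }
                }
                if ($hive -like 'HKU:\.DEFAULT*') { $flags += 'in-.DEFAULT-hive' }
                [PSCustomObject]@{
                    Key     = $key.Name
                    Name    = $name
                    Command = $cmd
                    Image   = $image
                    Flags   = ($flags -join ',')
                }
            }
        }
    }
}

# Flagged entries sort first; an empty Flags column means nothing stood out.
$report | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

The signature check is a triage signal, not proof: on Windows 7 and earlier, catalog-signed Microsoft binaries are reported as NotSigned by Get-AuthenticodeSignature, while a signed binary can still be launched with a malicious argument (a rundll32 line pointing at a DLL in %APPDATA%, for example), which the user-writable-dir flag on the DLL path is meant to catch.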

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions

Its Approved subkey lists (by CLSID) the shell extension COM objects that Explorer is allowed to load. Registering a malicious COM class and adding it here gets that DLL loaded into every Explorer process.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\

The parent key of the Run, RunOnce, Explorer, App Paths and Shell Extensions keys listed on this page.

HKEY_CURRENT_USER\Software\Microsoft\OLE

Per-user OLE settings. The machine-wide counterpart, HKEY_LOCAL_MACHINE\Software\Microsoft\Ole, holds the DCOM configuration (for example the EnableDCOM value), which some worms switch off to shut the DCOM RPC attack surface they themselves arrived through.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\

The Explorer settings key. Besides the Shell Folders keys below it holds ShellExecuteHooks, whose registered DLLs are loaded whenever anything is launched through ShellExecute, another autostart point used by malware.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

A compatibility key that caches the resolved paths of the special folders. Applications are supposed to call SHGetFolderPath (or the older SHGetSpecialFolderLocation) rather than read it, and Windows does not promise to keep it current (see Raymond Chen's article in the sources). The editable version, with unexpanded paths such as %USERPROFILE%\Start Menu\Programs\Startup, is the sibling key User Shell Folders. Malware reads these keys to locate the Startup, Desktop and cache folders on a system whose layout it does not know in advance.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal

The Personal value gives the path of the current user's My Documents folder.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache

The Cache value gives the path of the current user's Temporary Internet Files folder.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup

The Startup value gives the path of the current user's Startup folder, which worms read before copying themselves there.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop

The Desktop value gives the path of the current user's Desktop folder.

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\txtfile\shell\open\command

The (Default) value of each of these keys is the command line the shell runs to "open" a file of that type; %1 is replaced with the file name and %* with any further arguments. The stock values are "%1" %* for exefile, comfile, batfile and piffile, "%1" /S for scrfile, regedit.exe "%1" for regfile and %SystemRoot%\system32\NOTEPAD.EXE %1 for txtfile. A worm that rewrites exefile\shell\open\command to run itself first (a hypothetical worm.exe "%1" %*) is executed every time any program is started and can then start the real program itself. Because HKEY_CLASSES_ROOT merges HKEY_CURRENT_USER\Software\Classes ahead of the machine-wide key, the same hijack can be done per user without administrator rights. Deleting the worm file without restoring this value leaves the system unable to launch any .exe through the shell, which is why a clean-up has to repair the registry before removing the file.

HKEY_CLASSES_ROOT\exefile\shell\open\command

The merged view of the exefile key above; the HKEY_CURRENT_USER\Software\Classes copy wins if one exists.

HKEY_CLASSES_ROOT\txtfile\shell\open\command

The merged view of the txtfile key, which sets the default application for opening text files.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

Another key that causes programs to run at logon: its Load and Run values are the registry equivalents of the load= and run= lines of win.ini, and every program named in them starts when the user logs on.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Per-user system policies such as DisableTaskMgr and DisableRegistryTools. Malware sets these to 1 to stop the user from killing it with Task Manager or removing its Run entries with the Registry Editor.

HKEY_CURRENT_USER\Software\Microsoft\Office\

Per-user settings for the installed Microsoft Office versions, including each application's Security subkey, whose macro security level macro malware has tampered with.

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

{E6FB5E20-DE35-11CF-9C87-00AA005127ED} is the CLSID of the Internet Explorer WebCheck shell service object, which Explorer loads at startup through the ShellServiceObjectDelayLoad key. The (Default) value of InProcServer32 names the DLL that implements it (normally webcheck.dll); pointing it at another DLL gets that DLL loaded into Explorer at every logon, which is what is meant by this key "ensuring that a program is run by Internet Explorer".

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units

Records, keyed by CLSID, the ActiveX controls and other components that Internet Explorer has downloaded and installed into the Downloaded Program Files folder. A malicious ActiveX control installed from a web page is registered here.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version

Keys used by the Mydoom worm, which writes both the machine-wide and the per-user copy.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

This key contains information on where to find installed programs and their support files on the local machine. Each subkey is named after an executable (WORDPAD.EXE, for instance); its (Default) value is the full path and an optional Path value lists extra directories to add to PATH while the program runs. Because the Start menu's Run box and ShellExecute consult App Paths before searching PATH, an App Paths entry can redirect a program name to a different file.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Network\LanMan\

On Windows 9x this key holds the definition of every folder and printer the machine shares on the network, one subkey per share name.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable

HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy

ProxyEnable (a DWORD) switches the Internet Explorer/WinINet proxy on (1) or off (0); the proxy address itself is in the ProxyServer value of the same key. Malware that needs a direct Internet connection sets it to 0. MigrateProxy is a flag recording that the proxy settings have already been migrated from an earlier Internet Explorer version; several worms set both values together.

HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent

Contains the location of the Kazaa shared folder. Peer-to-peer worms copy themselves there under attractive file names so that other Kazaa users download and run them.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters\ServiceDll

A service's Parameters\ServiceDll value names the DLL that svchost.exe loads to run that service (one svchost instance hosts a whole group of services such as netsvcs). Conficker registers itself this way, so the path here points at its DLL.

HKEY_USERS\.DEFAULT\Software\Mirabilis\ICQ\Agent\Apps\ICQ

A key specific to an ICQ client.

\CurrentControlSet\Services\SharedAccess

HKEY_Local_Machine\System\CurrentControlSet\Services\SharedAccess

HKEY_Local_Machine\System\ControlSet001\Services\SharedAccess

All three spellings name the same service key. SharedAccess is the Internet Connection Sharing service and, from Windows XP SP2, the Windows Firewall. Malware that wants to accept inbound connections sets its Start value to 4 (disabled) or adds itself to the firewall's authorised-applications list under SharedAccess\Parameters\FirewallPolicy. CurrentControlSet is a symbolic link to whichever ControlSet00N was selected for the current boot, so write-ups that say ControlSet001 usually mean the key that is currently in use.

\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

The Shell value of the Winlogon key (normally explorer.exe). Whatever is listed here is started as the user's shell as soon as someone logs on, and malware appends itself after explorer.exe, separated by a comma, so that both run. A per-user copy under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell is also honoured on XP and later and needs no administrator rights.

\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

"Image" here means an executable image, not a picture. Each subkey is named after an executable (notepad.exe, for instance); if it holds a Debugger value, Windows starts that program instead whenever the named executable is launched, passing the original command line as its arguments. The mechanism exists to attach a debugger at process start, but a Debugger value pointing at malware makes the malware run whenever that program is started (it can then run the real one itself), and a Debugger value pointing at a nonexistent path on an antivirus executable prevents the antivirus from starting at all.
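The script below is an added example, not code from the original page: it compares the hijack-prone keys described on this page (the file-type open commands, the Winlogon Shell and Userinit values, per-user Classes overrides and Image File Execution Options debuggers) with their stock values and reports what differs. It assumes Windows PowerShell 5.1 or later on the NT line; the expected patterns are the stock Windows defaults as this example understands them, and a vendor's scripting host or antivirus may legitimately alter some of them.

```powershell
# Added example (not from the original wiki page): detect file-association,
# Winlogon and IFEO hijacks by comparing the stored data with stock defaults.
# Assumptions: Windows PowerShell 5.1+; "Expect" regexes are the stock defaults.

$checks = @(
    # Path, value name ('' = the (Default) value) and a regex the stored data must match.
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = ''; Expect = '^"%1" %\*$' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = ''; Expect = '^"%1" %\*$' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command'; Name = ''; Expect = '^"%1" %\*$' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'; Name = ''; Expect = '^"%1" %\*$' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\scrfile\shell\open\command'; Name = ''; Expect = '^"%1" /S$' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'; Name = ''; Expect = 'regedit\.exe"? "%1"$' }
    @{ Path = 'HKLM:\SOFTWARE\Classes\txtfile\shell\open\command'; Name = ''; Expect = 'notepad\.exe"? %1$' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expect = '^explorer\.exe$' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Expect = '\\userinit\.exe,?$' }
)

function Get-RegData {
    # Return a value's raw data, or $null if the key or value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $key = Get-Item -LiteralPath $Path
    # Keep %SystemRoot% and friends unexpanded so the regexes see what is actually stored.
    return $key.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
}

$report = New-Object System.Collections.Generic.List[object]

foreach ($c in $checks) {
    $data = Get-RegData -Path $c.Path -Name $c.Name
    $status = if ($null -eq $data) { 'MISSING' }
              elseif ([string]$data -match $c.Expect) { 'OK' }   # -match is case-insensitive
              else { 'MODIFIED' }
    $report.Add([PSCustomObject]@{ Key = $c.Path; Value = $c.Name; Data = $data; Status = $status })
}

# Per-user Classes entries shadow HKLM in the merged HKEY_CLASSES_ROOT view, so a
# file-type hijack needs no administrator rights; a stock system has none of these keys.
foreach ($type in 'exefile', 'comfile', 'batfile', 'piffile', 'scrfile', 'regfile') {
    $p = "HKCU:\Software\Classes\$type\shell\open\command"
    if (Test-Path -LiteralPath $p) {
        $report.Add([PSCustomObject]@{ Key = $p; Value = ''; Data = (Get-RegData -Path $p -Name ''); Status = 'PER-USER OVERRIDE' })
    }
}

# Any Image File Execution Options subkey with a Debugger value redirects that program.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue) {
    $dbg = $sub.GetValue('Debugger')
    if ($dbg) {
        $report.Add([PSCustomObject]@{ Key = $sub.Name; Value = 'Debugger'; Data = $dbg; Status = 'DEBUGGER SET' })
    }
}

$report | Format-Table -AutoSize -Wrap
```

A MODIFIED exefile entry should be repaired before the file it points to is deleted (Set-ItemProperty on the key's "(Default)" value, or a .reg file, restores "%1" %*), otherwise no .exe can be launched through the shell afterwards. Treat DEBUGGER SET as a finding to explain rather than an automatic verdict: developers and some diagnostic tools set Debugger on purpose, but an entry naming an antivirus executable is almost never legitimate.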

\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA

The EnableLUA value (a DWORD under HKEY_LOCAL_MACHINE\...\Policies\System) turns User Account Control on (1) or off (0). Malware that has already gained administrator rights sets it to 0 so that later elevations prompt nobody; the change takes effect after a reboot.

\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\PromptOnSecureDesktop

Controls whether UAC prompts appear on the secure desktop (1) or on the ordinary interactive desktop (0), where other programs can draw over them or drive them automatically.

\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableVirtualization

Controls UAC file and registry virtualisation, which silently redirects writes by legacy programs from protected locations (Program Files, HKLM\Software) into per-user VirtualStore copies.

\SYSTEM\ControlSet001\Services\wscsvc

\SYSTEM\CurrentControlSet\Services\wscsvc

The Security Center service, which reports antivirus, firewall and update status to the user. Malware sets its Start value to 4 (disabled) so that no warning is shown once it has switched off the real protections.

\SYSTEM\ControlSet001\Services\wuauserv

\SYSTEM\CurrentControlSet\Services\wuauserv

The Automatic Updates (Windows Update) service, disabled by malware in the same way to keep the vulnerability it exploited unpatched.

SYSTEM\CurrentControlSet\Services\MRxCls\ImagePath = %System%\drivers\mrxcls.sys

SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath = %System%\drivers\mrxnet.sys

The two kernel-mode driver services installed by Stuxnet: MRxCls is the load-point driver that injects the payload into processes, and MRxNet is the file-system filter driver that hides the worm's files. Neither exists on a clean system; ImagePath is the driver file that the service loads.
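The following script is an added example, not code from the original page: it reads the policy, service and driver keys listed above (together with the Parameters\ServiceDll mechanism described under the Conficker entry) and reports tampering. It assumes Windows PowerShell 5.1 or later run elevated; the "expected" values are the Windows defaults for a machine with UAC, Security Center, Automatic Updates and the firewall enabled, and the driver names are the two Stuxnet drivers named above.

```powershell
# Added example (not from the original wiki page): report disabled UAC policies,
# disabled security services, the Stuxnet driver keys and unsigned or out-of-place
# svchost-hosted service DLLs. Assumptions: Windows PowerShell 5.1+, run elevated.

$report = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Key, [string]$Value, $Data, [string]$Status) {
    $report.Add([PSCustomObject]@{ Key = $Key; Value = $Value; Data = $Data; Status = $Status })
}

# 1. UAC policies: all three are 1 on a default installation.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($v in 'EnableLUA', 'PromptOnSecureDesktop', 'EnableVirtualization') {
    $data = (Get-ItemProperty -LiteralPath $policy -Name $v -ErrorAction SilentlyContinue).$v
    $status = if ($null -eq $data) { 'MISSING' } elseif ($data -eq 1) { 'OK' } else { 'DISABLED' }
    Add-Finding $policy $v $data $status
}

# 2. Security services: Start = 4 means disabled (0 boot, 1 system, 2 automatic, 3 manual).
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames = @{ 0 = 'boot'; 1 = 'system'; 2 = 'automatic'; 3 = 'manual'; 4 = 'disabled' }
$securityServices = @{
    SharedAccess = 'Internet Connection Sharing / Windows Firewall'
    wscsvc       = 'Security Center'
    wuauserv     = 'Automatic Updates / Windows Update'
}
foreach ($svc in $securityServices.Keys) {
    $k = "$svcRoot\$svc"
    $start = (Get-ItemProperty -LiteralPath $k -Name Start -ErrorAction SilentlyContinue).Start
    $label = if ($null -ne $start) { $startNames[[int]$start] } else { 'n/a' }
    $status = if ($null -eq $start) { 'MISSING' } elseif ($start -eq 4) { 'DISABLED' } else { 'OK' }
    Add-Finding $k 'Start' "$start ($label)" "$status - $($securityServices[$svc])"
}

function Resolve-ServiceImage([string]$Raw) {
    # Normalise the forms seen in ImagePath/ServiceDll: \SystemRoot\..., \??\C:\...,
    # system32\drivers\x.sys (relative to the Windows folder), %SystemRoot%\...,
    # quoted paths and trailing arguments such as "-k netsvcs".
    $p = [Environment]::ExpandEnvironmentVariables($Raw).Trim().Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^(.*?\.(exe|sys|dll))(\s|"|$)') { $p = $Matches[1] }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 3. The Stuxnet drivers: absent on a clean machine.
foreach ($drv in 'MRxCls', 'MRxNet') {
    $k = "$svcRoot\$drv"
    $raw = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).ImagePath
    if (-not $raw) { Add-Finding $k 'ImagePath' $null 'ABSENT (expected on a clean machine)'; continue }
    $img = Resolve-ServiceImage $raw
    $sig = if (Test-Path -LiteralPath $img) { (Get-AuthenticodeSignature -FilePath $img).Status } else { 'file-missing' }
    Add-Finding $k 'ImagePath' $img "PRESENT - signature $sig"
}

# 4. Every svchost-hosted service names its DLL in Parameters\ServiceDll (the mechanism
#    Conficker uses); list those whose DLL is unsigned or lives outside the Windows folder.
foreach ($svc in Get-ChildItem -LiteralPath $svcRoot -ErrorAction SilentlyContinue) {
    $params = $svc.OpenSubKey('Parameters')
    if (-not $params) { continue }
    $raw = $params.GetValue('ServiceDll')
    if (-not $raw) { continue }
    $dll = Resolve-ServiceImage $raw
    $outside = -not $dll.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
    $sig = if (Test-Path -LiteralPath $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'file-missing' }
    if ($outside -or $sig -ne 'Valid') {
        Add-Finding $svc.Name 'Parameters\ServiceDll' $dll "REVIEW - signature $sig$(if ($outside) { ', outside Windows folder' })"
    }
}

$report | Format-Table -AutoSize -Wrap
```

On Windows 7 and earlier, catalog-signed Microsoft DLLs are reported as NotSigned, so section 4 produces a list to triage rather than a verdict; on Windows 8 and later a stock system should yield only entries that a specific third-party product explains. Because CurrentControlSet is a link to the control set in use, checking it also covers the ControlSet001 spellings listed above.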

Sources

Wikipedia, Windows Registry

Microsoft Corporation. Microsoft Windows 2000 Professional Resource Kit, Part 7 "Troubleshooting", Registry Editors, pp. 1448-1452. Microsoft Press: Redmond, Washington, 2000. ISBN 1572318082

Windows Registry Startup Sections for Startup Programs

Rusty Russell, Daniel Quinlan, Christopher Yeoh. Filesystem Hierarchy Standard Group, Filesystem Hierarchy Standard, 1994-2004

Tarma QuickInstall, App Paths Settings

Raymond Chen. TechNet, Windows Confidential, The Sad Story of the Shell Folders Key
