Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Description:
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
Description:
Indicates programs to be executed in System mode.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\TaskMan
Description:
Specifies the Task Manager to be used by Windows. The default is TaskMan.exe, but the SysInternals.com tool, Process Explorer, can replace this value.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
Description:
Lists programs to be automatically run when the user logs in. Userinit.exe is responsible for shell execution. Nddeagnt.exe is responsible for NetDDE. Multiple programs may be listed.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
Description:
Specifies programs to be run when certain system events (i.e., logon, logoff, startup, shutdown, startscreensaver, stopscreensaver) occur. The event is generated by Winlogon.exe, at which point the system will look for a DLL within this key to handle the event.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\System\CurrentControlSet\Control\Session Manager\BootExecute
Description:
Specifies the applications, services, and commands executed during startup.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\System\CurrentControlSet\Services
Description:
Subkeys list services to be executed, most of which are run as LocalSystem. The Hacker Defender rootkit installs as a service.
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Active Setup\Installed Components\
Description:
..................................................................................................................................................
Registry Location:
HKLM
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup
Description:
Designates the location of the Startup folders, i.e., the Autostart directory.
..................................................................................................................................................
Registry Location:
HKCU
Key Location:
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
Description:
..................................................................................................................................................
Triage LHF module reports on this key