Author of the article: snaix

Introduction: Program startup is sometimes a headache. Users often do not know how certain files get activated, so useless items stay hooked into the system; at other times someone does not know how to make a particular file start. Some Trojan authors even make their Trojans easy to discover because they do not understand the ways the system starts programs automatically. Windows has many self-starting methods. Besides the common ones, there are some very well hidden ways to start files. This article summarizes them; the list is not complete, but I think it should help everyone.

Everything in the article was researched with the system in its default state. "(English)" marks the English operating system and "(Chinese)" the Chinese operating system. Where nothing else is stated, the text refers to the Chinese version of Windows 98.

Warning: Some of the operations mentioned in the article can affect the stability of the system. For example, using the Registry Editor incorrectly can cause serious problems that may require reinstalling the system. Microsoft does not guarantee that problems caused by improper use of the Registry Editor can be resolved. The author is not responsible for the consequences; use the information according to your own situation.

Self-starting methods:

I. Startup directories

1. The first startup directory

The default path is:

    C:\WINDOWS\Start Menu\Programs\StartUp (English)
    C:\Windows\Start Menu\Programs\Startup (Chinese)

This is the most basic and most commonly used Windows startup method. It mainly starts the self-start items of application software, such as the Office shortcut menu. An ordinary user who wants a program to run at startup can do it here: place the file, or a shortcut to it, in this folder.
The corresponding registry locations:

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
    Startup="%Directory%"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
    Startup="%Directory%"

Here "%Directory%" is the location of the startup folder, C:\WINDOWS\Start Menu\Programs\StartUp. If the folder is renamed, the registry values above change to the corresponding name.

It is worth noting that in the default state the user can see the contents of the "Start" folder in the Start menu. With some modification, however, it can be made fairly well hidden.

First, the attribute of a shortcut or other file in the "Start" folder can be changed to "hidden". The system does not start hidden files, so the file is not started, and changing the attribute back when it is needed restores the startup.

Second, the "Start" folder is in fact just a normal folder. It is somewhat special because the system monitors it, but the usual folder functions are still available: the "Start" folder can be renamed, and its attributes can be set. If the attribute is set to "hidden", the "Start" folder can no longer be seen in the system (even with "show all files" selected under "Folder Options"), yet the system still launches the non-hidden files in this hidden folder.

Perceptive readers may already have spotted the problem. For example, if I want to start a Trojan server, I can rename the original "Start" folder to "Startup" (the corresponding registry value changes automatically). I then create a new folder called "Start", copy all the files from "Startup" into "Start" (this is what the user will see when checking), put the Trojan server program into the "Startup" folder, and finally hide the "Startup" folder. Done!

From the outside, the "Start" directory under the user's [Start] menu is still there, and so are the files to be started. But what is started now is not the contents of the folder named "Start" but the contents of the folder named "Startup". A carefully written Trojan can copy the files between the two folders at every start so that the real startup directory stays up to date. Since the "Startup" folder is hidden, the true startup folder cannot be seen from [Start] > [Programs], and the concealed start is achieved. This startup method is fairly well concealed, but it can still be seen on the "Startup" page of MSConfig.

2. The second startup directory

This path is located at:

    C:\WINDOWS\All Users\Start Menu\Programs\StartUp (English)
    C:\WINDOWS\All Users\Start Menu\Programs\Launch (Chinese)

This directory works exactly like the first startup directory. Find the directory and drag the files that need to start into it.
The corresponding registry locations:

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
    "Common Startup"="%Directory%"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
    "Common Startup"="%Directory%"

It is worth noting that this directory cannot be seen at all in the "Start" directory of the Start menu, yet at every startup the non-hidden files in this directory are started as well. The files that will be started from this directory can also be seen in MSConfig.

II. System configuration file startup:

System configuration files are quite unfamiliar to most users, which makes these startup methods quite well hidden. Some of the methods mentioned here are therefore often used for destructive operations, so please pay attention to them.
1. win.ini startup

Startup position (file.exe is the name of the file to be started):

    [windows]
    load=file.exe
    run=file.exe

The difference between load= and run= is that a file started through load= runs minimized in the background, while a file started through run= runs in its default state.

2. system.ini startup

The entry is changed to:

    [boot]
    shell=Explorer.exe file.exe

There should be no impact on the system from these two files, but for lack of time the author has not tested this; interested readers can try it. What is certain is that these startup methods tend to be used by Trojans or prank programs (such as "the kiss of the demon"), which makes the system behave abnormally. Ordinary users rarely touch these files, and many people do not even know what they are for, so the concealment is very good. But as the method has been used more and more often, it has also become widely noticed. Users can check whether any program is loaded this way with the msconfig command: enter msconfig under "Run" in the Start menu, press Enter, and follow the text descriptions.

= This will paralyze Windows!

This startup method is launched early, so if you want to restrict the starting of files from the registry, use this method.

3. wininit.ini startup

Many people may not know the file wininit.ini, and users rarely come into contact with it in ordinary operation. But anyone who has written an uninstaller will know it. WinInit stands for Windows Setup Initialization Utility; in Chinese, "Windows installation initialization tool". That may still not mean much. If you see the following prompt information:

This is wininit.ini at work!

In Windows, many executable files and driver files are protected by the system while they are in use, so changing these files while Windows is in its normal state is a problem. wininit.ini exists to help the system with this: it makes the system carry out certain operations before the system is loaded, including copying, deleting and renaming, in order to update files. The wininit.ini file lives in the Windows directory, but most of the time it cannot be found in C:\Windows; only its EXE program, wininit.exe, is there. The reason is that the system automatically deletes wininit.ini each time it has been executed; a new wininit.ini file is then deleted again in the same way.

File format:

    [Rename]
    file1=file2

file1=file2 means that file2 is copied under the name file1, which is equivalent to overwriting file1 with file2. In this way Windows updates file1 with file2 at startup; if file1 does not exist, the result is that file2 is renamed to file1. If you want to delete a file, you can use the following command:

The file names above must contain the full path.

Notes:

1. Because wininit.ini is processed before Windows launches, long file names are not supported.
2. The copy, delete and rename operations above are carried out without prompting the user. Some viruses also use this file to damage the system, so if the user finds the system, for no reason: .
3. The Windows 95 Resource Kit mentions that the wininit.ini file has three possible sections, but only the usage of the [Rename] section is described.

4. winstart.bat startup

This is a batch file that the system starts by itself. Its main role is to handle tasks that need files copied or deleted. For example, some software needs a restart after installation or uninstallation and uses this file to copy and delete files to finish the job. For example:

    @if exist C:\Windows\Temp\proc.bat call C:\Windows\Temp\proc.bat

This command executes the proc.bat file.

    call filename.exe > nul

Here any output on the screen is suppressed.

It is worth noting that winstart.bat plays, in a sense, the same role as autoexec.bat. Cleverly arranged, it can be used to modify the system!

5. autoexec.bat startup

This one needs no introduction; it should be one of the system files users know best. It is run under DOS every time the system restarts. Malicious programs often use this file for auxiliary measures, and malicious code can be placed in autoexec.bat itself, such as Format C: /Y. The chance of this has increased significantly with the appearance of malicious BAT programs; the very popular Sircam worm, for example, has also taken advantage of the autoexec.bat file.

Using these two files requires a certain understanding of DOS.

III. Registry startup:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Anything"="%path%\file.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
    "Anything"="%path%\file.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Anything"="%path%\file.exe"
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "Anything"="%path%\file.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Wherever"="c:\runfolder\program.exe"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Whatever"="c:\runfolder\program.exe"

Notes:

(1). If a .dll file needs to be run, a special command line is required.
(2). ... key value.
(3). If you only want to keep the key value, just add rem to the value, for example: "rem C:\Windows\a.exe"
(4). The following item does not exist among the self-start items in the registry: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
(5). Run and RunServices: the programs in Run are started at each system startup, and those in RunServices are started at each login to the system.

About [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]: this key has a special syntax. For example, to run notepad.exe:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    "Title"="My Setup Title"
    "Flag"=dword:00000002
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001
    "RunMyApp"="||notepad.exe"

The syntax is:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    Flags=0x0000000
    Title="Status Dialog Box Title"
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\Depend
    0001="xxx1"
    000X="xxxx"
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001
    Entry1="MyApp1.exe"
    EntryX="MyApp2.exe"

(2). "0001, 000X" are names. They can be numbers and text.
(3). "Entry1, EntryX" are registry string values that point to a program file to be run.

The Flags values include creating the file C:\Windows\RunOnceEx.err if there is an error, creating an execution report in the file C:\Windows\RunOnceEx.log, 0x00000040, and 0x00000080 (no status dialog: the status dialog is not displayed while RunOnceEx runs). Because of the amount of detail involved, please see the Microsoft web page: http://support.microsoft.com/support/kb/articles/Q232/5/09.ASP

2. Special startup 1:

    ...] @="%1" %*
    [HKEY_CLASSES_ROOT\comfile\shell\open\command] @="%1" %*
    [HKEY_CLASSES_ROOT\batfile\shell\open\command] @="%1" %*
    [HKEY_CLASSES_ROOT\htafile\shell\open\command] @="%1" %*
    [HKEY_CLASSES_ROOT\piffile\shell\open\command] @="%1" %*
    [HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command] @="%1" %*
    [HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command] @="%1" %*
    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command] @="%1" %*
    [HKEY_LOCAL_MACHINE\Software\CLASSES\htafile\shell\open\command] @="%1" %*
    [HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command] @="%1" %*

As the registry paths suggest, these are key values that are used very often, every time a file of the type is opened. Some Trojans change these key values in order to get loaded: if "%1" %* is changed to file.exe "%1" %*, the file file.exe is executed every time a file of that type (whichever file type was changed) is executed! It does not have to be an executable file type, either. The Glacier Trojan, for example, uses the key value for TXT files, [HKEY_CLASSES_ROOT\txtfile\shell\open\command], as its startup method.
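A defensive check built on the two lists above, as an added example that is not part of the original article: it reads a registry export in REGEDIT4 text format and reports every value under the Run-type keys named here, plus any shell\open\command default that differs from "%1" %*. The function names and the sample export are constructed for illustration.

```python
import re

EXPECTED_OPEN = '"%1" %*'  # default value the article lists for these classes
CURVER = r"\software\microsoft\windows\currentversion" + "\\"
# Autostart keys named in the article, lower-cased for comparison.
RUN_KEYS = {"hkey_local_machine" + CURVER + n
            for n in ("runservices", "runservicesonce", "run", "runonce")}
RUN_KEYS.add("hkey_current_user" + CURVER + "run")
RUNONCEEX = "hkey_local_machine" + CURVER + "runonceex" + "\\"
OPEN_CMD = re.compile(
    r"^(hkey_classes_root|hkey_local_machine\\software\\classes)"
    r"\\(exe|com|bat|hta|pif)file\\shell\\open\\command$")
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample export (REGEDIT4 text format), not from a real machine.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Old"="rem C:\\Windows\\a.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001]
"RunMyApp"="||notepad.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="file.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''


def _unquote(s):
    """Strip the quotes around a .reg string and undo its backslash escapes."""
    if len(s) >= 2 and s[0] == s[-1] == '"':
        return re.sub(r"\\(.)", r"\1", s[1:-1])
    return s  # dword:/hex: data is returned unchanged


def parse_reg(text):
    """Yield (key, value_name, data); '@' is the key's default value."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if key and m:
            name = "@" if m.group(1) == "@" else _unquote(m.group(1))
            yield key, name, _unquote(m.group(2).strip())


def audit(text):
    """Return (kind, key, value_name, data) findings for an export."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        in_onceex = k.startswith(RUNONCEEX) and not k.endswith("\\depend")
        if k in RUN_KEYS or in_onceex:
            # Note (3) of the article: a value prefixed with rem does not run.
            kind = "disabled" if data.lower().startswith("rem ") else "autostart"
            findings.append((kind, key, name, data))
        elif OPEN_CMD.match(k) and name == "@" and data != EXPECTED_OPEN:
            findings.append(("open-command-changed", key, name, data))
    return findings


if __name__ == "__main__":
    for kind, key, name, data in audit(SAMPLE_EXPORT):
        print(f"{kind:22} {key} {name} = {data}")
```

The txtfile class is not checked because the article does not give its default value.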
3. Special startup 2:

In the registry:

This location is where the system keeps the VxD driver files it launches at startup. As the PrettyPark worm does, a VxD file can be added to the registry there after a primary key has been created.

Note: a file cannot simply be renamed to .vxd; a real VxD file has to be produced by programming.

Other startup methods:

(1). C:\Explorer.exe startup:

This is a special startup method that very few people know. Under Win9x, system.ini specifies the name of the Windows shell file, Explorer.exe, without an absolute path, so Win9x searches for the Explorer.exe file. The search order is:

(1). Search the current directory.
(2). If Explorer.exe is not found, read [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path] to get a relative path.
(3). If the file is still not found, read [HKEY_CURRENT_USER\Environment\Path] to get a relative path.

The relative paths stored in [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path] and [HKEY_CURRENT_USER\Environment\Path] are "%SystemRoot%\System32;%SystemRoot%" and empty, respectively.

Because the "current directory" at system startup is always %SystemDrive% (the system drive), the order in which the system searches for Explorer.exe is therefore:

(1). %SystemDrive% (for example C:\)
(2). %SystemRoot%\System32 (for example C:\Winnt\System32)
(3). %SystemRoot% (for example C:\Winnt)

If the file is placed in the system root directory, the system will automatically start the Explorer.exe in the root directory at every startup, without launching the Explorer.exe in the Windows directory.

The WinNT series (Windows NT / Windows 2000) takes more care over where the Explorer.exe file name is kept. The name of the shell file (Explorer.exe) to use at system startup is placed at:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]

By default this location does not exist, and the default is Explorer.exe.
For details see: http://www.microsoft.com/technet/security/bulletin/fq00-052.asp

Note: make sure that the Explorer.exe in the root directory starts the Explorer.exe in the Windows directory, otherwise Windows will not be able to start! The currently popular CodeRed virus places two Explorer.exe files of about 8 KB in C:\ and D:\. Microsoft changed this behaviour in Windows 2000 SP2.

(2). Screen saver startup:

A Windows screen saver is a .scr file, which is an executable file in PE format. If a screen saver .scr is renamed to .exe, the program still starts normally; in the same way, an .exe file renamed to .scr can still be run!

.scr files live in the C:\Windows directory by default, and their names are the names shown under "Screen Saver" in the "Display" properties. All *.scr files in the C:\Windows directory are listed by the Windows "Screen Saver" page, and the path of the selected file is saved in SCRNSAVE.EXE= in system.ini. Interestingly, the path given in SCRNSAVE.EXE= also includes the directory name. That is, if I install a .scr file at D:\SCR\1.SCR and D:\SCR also contains 2.SCR, then all the .scr files in that directory (1.SCR, 2.SCR) are shown in the "Screen Saver" settings.

If the screen saver is set to "(None)", the SCRNSAVE.EXE= entry does not exist. If the file or directory that SCRNSAVE.EXE= refers to is wrong, "(None)" is still displayed in the "Screen Saver" settings.

The wait time of the screen saver is stored at this location in the registry:

The time is recorded there; if the recorded time is less than 60 seconds, it is automatically set to 1 minute.

Whether the screen saver is enabled is set by the key value:

This shows that if someone renames an .exe program to .scr, adds "SCRNSAVE.EXE=%Path%\file.scr" to system.ini (%Path%\file.scr is the path and file name of the file, such as C:\Program Files\trojan.scr), and changes HKEY_USERS\.DEFAULT\Control Panel\desktop\ScreenSaveTimeOut in the registry to 60, the file is started as soon as the system has been idle for one minute!

Another simple destructive method is to generate a random screen saver password and write it to the corresponding location, with the time set to 1 minute: the system is then locked after one idle minute! (Since this is not a self-starting problem, it is not discussed here.)

Note: because SCRNSAVE.EXE= defines the path to the .scr file, it is best not to put the file to be started in a directory that holds many .scr files, otherwise it easily arouses suspicion. (The Windows directory is an exception.)

(3). Attached startup:

This type of startup is already similar to a virus. It uses a virus's infection mechanism to attach the exe file to be started to one or more other EXE files, so that the file is started whenever those EXE files are started. I remember that the YAI Trojan, when it was popular, started by attaching itself to EXE files, but because of bugs and the way it was released, the destructiveness of the Trojan showed in its "virus" behaviour. With this startup method, care must be taken not to damage the EXE files (otherwise it is easily discovered), and it is best to fix the Trojan to one or a few particular exe files, such as iexplore.exe (the IE executable) or RNApp.exe (the dial-up networking executable).

Note: this method is relatively dangerous and also quite complex to implement, and it is very close to a virus.

(4). Scheduled task startup:

Windows Scheduled Tasks is a Windows feature for running things at preset times. But this feature can also be used for self-starting! Since many computers load "Scheduled Tasks" automatically, the concealment is relatively good. By default, a scheduled task is a .job file saved in the C:\Windows\Tasks directory. The .job file contains information such as the start mode and the file path. The key is to write, or to build software that can write, .job files; the file is then started once the relevant places have been marked. For lack of time this method has not been tested, and readers can test it themselves.

(5). autorun.inf startup:

Yes, this is the file that most often appears on discs and is used for autostart. Each time a disc is placed in the optical drive, the system uses it to determine whether the disc starts automatically. But have you ever thought that this file can also be used to start other files?
The content of autorun.inf is typically:

    [AUTORUN]
    OPEN=file.exe
    ICON=icon.ico

OPEN is the name of the executable file that is run when the disc is inserted or the drive letter is double-clicked. ICON is the icon file for the drive. This file can also be another kind of file, for example:

    [autorun]
    open=file.exe
    icon=icon.exe,2

where icon.exe is an executable file that contains icons, and ",2" selects the third icon in this file. (",0" is the first icon; with no number, the default is the first icon.)

Most importantly, the autorun.inf file can also be used on hard disk drives. That is, if all the files and directories on a disc are copied as they are to the root directory of a hard disk, double-clicking that disk runs the autorun file!

A Trojan could play it like this: after it is executed, the Trojan lives in the C:\Windows directory under the name aaa.exe. It can then generate an autorun.inf file in C:\ with the following content:

    [autorun]
    open=Windows\aaa.exe
    icon=aaa.exe

The icon is the first icon in the file. The aaa.exe file is then executed every time the C drive is double-clicked. Note, however, that aaa.exe had better open the C:\ directory as well (as camouflage).

Notes:

(1). autorun.inf can still be used normally after its attribute has been set to hidden.
(2). The paths in autorun.inf can be both relative paths and absolute paths. That is, an autorun.inf placed on one disk can also execute a file on another disk! For example, if the autorun.inf file is placed in the root directory of the C drive, the content is

Execute the bbb.exe file in the CCC directory on the D disk!
(3). If there is no OPEN item, the system does not execute any file and goes on to the next command.
(4). If there is no ICON item, the icon of the disk is the original Windows disk icon; but if there is an ICON item that is set wrongly, or the file it names is not an icon file, the system displays the default blank icon.

(5). Automatic start-up: one file can be started along with the startup of another. SubSeven uses the method of starting Windos.exe to start the SubSeven server file.

B. Start startup:

    ...] program [arg ...]
    start [options] document.ext

    ... the new program restored ... [default]

A program launched with this command can be better concealed, for example: start /m file.exe. It seems, however, that some software with a startup screen (such as Jinshan Words) does not respond to this.

C. Control Panel startup:

This method uses the way Control Panel programs are executed, much like DLLs, to achieve startup. The .cpl files are the original files of the Control Panel. By default they are placed in the %Windows%\System directory; for example, desk.cpl is the desktop properties and inetcpl.cpl is the Internet options. But these .cpl files are all PE format files. That is, if the user puts an executable, DLL-like .cpl file into %Windows%\System, its icon can be seen in the Control Panel and it can be executed!

Because of the special nature of .cpl files, rundll32.exe is needed to launch them. rundll32.exe is the file Windows uses to call functions in dynamic link libraries. Enter:

    rundll32 shell32.dll,Control_RunDLL %Path%\desk.cpl,,X

shell32.dll is the DLL being called; the command means calling Control_RunDLL in shell32.dll to open the desk.cpl file. %Path% is the path of the .cpl file, by default C:\windows\system. The final X is the page number within desk.cpl, counted from 0: 0 is the first page (such as "Background" in "Display Properties"), 1 is the second page (such as "Screen Saver" in "Display Properties"), and so on.

But done this way, the file is displayed in the Control Panel. There are two ways to keep it from showing:

(1). Do not put your own .cpl file in C:\Windows\System, because Windows loads all the .cpl files there. If you do want it displayed, open the control.ini file under C:\Windows and write an entry such as file.cpl=d:\path\file.cpl.
(2). Looking at the control.ini file, you will see [don't load] above [MMCPL]. If your file is written into that section in the form file.cpl=no, the file is not loaded. Do the reverse to restore it.

D. Other:

Registry: the "HideFileExt" value under HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced determines whether Windows displays file extensions: a value of 1 hides extensions, and 0 does not hide them.

EXE files: as the Sircam worm shows, the extension of an *.exe file can be changed to .bat, .com, .pif, .scr and so on, and the file still runs with the same effect. But an .exe file cannot be renamed to .lnk, which may also be a bug in Sircam.

Finally: Windows has a great many self-starting methods; they are part of the Windows system. A hidden self-starting method that few people know is a necessary condition for remote monitoring software to be excellent software. For ordinary users it is also necessary to understand this information. The author has tried to give a full introduction to the methods and ideas that can be used for self-starting.
Some of the self-starting methods mentioned in the article are very common, some are rarely known, and some may even be written down here for the first time. Many of the methods include the author's own ideas, so that although they are ordinary they can be very well hidden.

The self-starting methods described were tested on Windows 98 by default, or are marked accordingly. Only some of them are available on Windows Me and Windows 2000. Testing the self-starting methods on different platforms also shows that Windows systems are steadily improving in this respect. The author therefore cannot guarantee that these methods will work in a future version of Windows, but there will always be some places that can be used. If this scribble brings readers some inspiration, the author will be very happy!

Because of the rush and the author's limited ability, there are bound to be many mistakes in the text, for which I ask readers' forgiveness. To discuss Windows self-starting methods, contact me; my e-mail is Snaix@yeah.net.

If you reprint this article, please indicate the author and the source. For commercial use, please contact the author.
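The check that section II recommends through msconfig can also be run against copies of win.ini, system.ini and wininit.ini. The following is an added example, not part of the original article, that lists what those files would start or replace at the next boot; the function names and the sample file contents are constructed for illustration.

```python
def parse_ini(text):
    """Return (section, key, value) rows in file order, keeping repeated keys.

    configparser is not used: it rejects or collapses repeated keys, which
    could hide an entry from the audit.
    """
    rows, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            rows.append((section, key.strip(), value.strip()))
    return rows


def audit_startup_ini(filename, text):
    """Return (location, detail) findings for win.ini, system.ini or wininit.ini."""
    name, findings = filename.lower(), []
    for section, key, value in parse_ini(text):
        k = key.lower()
        if name == "win.ini" and section == "windows" and k in ("load", "run"):
            if value:  # an empty load= or run= starts nothing
                findings.append((f"win.ini [windows] {k}=", value))
        elif name == "system.ini" and section == "boot" and k == "shell":
            if value.lower() != "explorer.exe":  # extra program after the shell
                findings.append(("system.ini [boot] shell=", value))
        elif name == "system.ini" and k == "scrnsave.exe":
            # The article notes that a renamed .exe can be set here as a .scr.
            findings.append(("system.ini scrnsave.exe=", value))
        elif name == "wininit.ini" and section == "rename":
            # file1=file2: file2 replaces file1 at the next start, unprompted.
            findings.append(("wininit.ini [rename]", f"{value} -> {key}"))
    return findings


# Constructed sample contents (not taken from a real machine).
SAMPLES = {
    "win.ini": "[windows]\nload=\nrun=C:\\WINDOWS\\file.exe\n",
    "system.ini": "[boot]\nshell=Explorer.exe file.exe\n"
                  "SCRNSAVE.EXE=C:\\WINDOWS\\FILE.SCR\n",
    "wininit.ini": "[Rename]\n"
                   "C:\\WINDOWS\\FILE1.DLL=C:\\WINDOWS\\TEMP\\FILE2.DLL\n",
}


def audit_all(samples=SAMPLES):
    """Audit every sample file and return the combined findings."""
    return [f for name, text in samples.items()
            for f in audit_startup_ini(name, text)]


if __name__ == "__main__":
    for where, detail in audit_all():
        print(f"{where:28} {detail}")
```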
Main references:

http://www.tlsecurity.net/auto.html
http://support.microsoft.com/support/kb/articles/Q232/5/09.ASP (Syntax for the RunOnceEx Registry Key)
Wininit.ini and virus (name to the author)