Category: WINDOWS

2009-09-29 09:30:03


This is a list of auto-start locations that malware normally uses to restart itself on a system reboot. It has been with us since the time we basically started working on .

We have tried to find their Vista entries too. , we don't know yet. Note that some might not work on all platforms: they might not work on Windows 98, 95, ME, etc., as those are not Windows NT-based and the NT line works differently. Some will also work without any registry key manipulation.

We have maintained a few known abbreviations just to shorten the post. They are as follows:
HKLM : HKEY_LOCAL_MACHINE
HKCU : HKEY_CURRENT_USER
HKCR : HKEY_CLASSES_ROOT
%windir% : The Windows Directory. Can be C:\Windows or C:\WINNT or anything, depending on the location, the OS & the customization of the OS!
%USERPROFILE% : Normally is C:\Documents and Settings\, depending on the installation location.
%ALLUSERSPROFILE% : Normally is C:\Documents and Settings\All Users, depending on the installation location.

Please keep in mind that the Windows registry is very sensitive and you should fiddle with it only if you know how to get out of it! We should not be held responsible for any harm coming out of its use!

Beginning with registry methods:

1. HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
2. HKLM\SOFTWARE\\Windows NT\CurrentVersion\Winlogon\AppSetup
3. HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
4. HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
5. HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
6. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
7. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
8. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
9. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
10. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
11. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
12. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
13. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
14. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
15. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
16. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
17. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
18. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
19. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
20. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
21. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
22. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
23. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
24. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
25. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
26. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
27. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
28. HKLM\SOFTWARE\Classes\Protocols\Filter
29. HKLM\SOFTWARE\Classes\Protocols\Handler
30. HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
31. HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
32. HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
33. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
34. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
35. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
36. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
37. HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
38. HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
39. HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
40. HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
41. HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
42. HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
43. HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
44. HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
45. HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
46. HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
47. HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
48. HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
49. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
50. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
51. HKCU\Software\Microsoft\Ctf\LangBarAddin
52. HKLM\Software\Microsoft\Ctf\LangBarAddin
53. HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
54. HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
55. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
56. HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
57. HKLM\Software\Microsoft\Internet Explorer\Toolbar
58. HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
59. HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
60. HKCU\Software\Microsoft\Internet Explorer\Extensions
61. HKLM\Software\Microsoft\Internet Explorer\Extensions
62. HKLM\System\CurrentControlSet\Services
64. HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
65. HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
66. HKLM\System\CurrentControlSet\Control\Session Manager\Execute
67. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
68. HKLM\Software\Microsoft\Command Processor\Autorun
69. HKCU\Software\Microsoft\Command Processor\Autorun
70. HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
71. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
72. HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
73. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
74. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
75. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
76. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
77. HKCU\Control Panel\Desktop\Scrnsave.exe
78. HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
79. HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
80. HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
81. HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
82. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
83. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
84. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
85. HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
86. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
87. HKCR\batfile\shell\open\command @="\"%1\" %*"
88. HKCR\comfile\shell\open\command @="\"%1\" %*"
89. HKCR\exefile\shell\open\command @="\"%1\" %*"
90. HKCR\htafile\Shell\Open\Command @="\"%1\" %*"
91. HKCR\piffile\shell\open\command @="\"%1\" %*"
92. HKLM\Software\Classes\batfile\shell\open\command
93. HKLM\Software\Classes\comfile\shell\open\command
94. HKLM\Software\Classes\exefile\shell\open\command
95. HKLM\Software\Classes\htafile\shell\open\command
96. HKLM\Software\Classes\piffile\shell\open\command
97. HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
98. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
99. HKLM\Software\Microsoft\Windows NT\CurrentVersion\InitFileMapping
100. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Aedebug
101. HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
102. HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
103. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\Application
104. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\Application
105. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\Application
106. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\Application
107. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\Application
108. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\Application
109. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\Application
110. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\ProgID
111. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\ProgID
112. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\ProgID
113. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\ProgID
114. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\ProgID
115. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\ProgID
116. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\ProgID
117. HKLM\Software\CLASSES\batfile\shell\open\command @="\"%1\" %*"
118. HKLM\Software\CLASSES\comfile\shell\open\command @="\"%1\" %*"
119. HKLM\Software\CLASSES\exefile\shell\open\command @="\"%1\" %*"
120. HKLM\Software\CLASSES\htafile\Shell\Open\Command @="\"%1\" %*"
121. HKLM\Software\CLASSES\piffile\shell\open\command @="\"%1\" %*"
122. HKCR\vbsfile\shell\open\command\
123. HKCR\vbefile\shell\open\command\
124. HKCR\jsfile\shell\open\command\
125. HKCR\jsefile\shell\open\command\
126. HKCR\wshfile\shell\open\command\
127. HKCR\wsffile\shell\open\command\
128. HKCR\scrfile\shell\open\command\
129. HKLM\Software\Microsoft\Active Setup\Installed Components\KeyName
     StubPath=C:\PathToFile\Filename.exe
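The list above is only useful if it can be checked against a real machine. The following is an added example, not code from the original post: it parses a regedit export (the `.reg` format that `reg export` or regedit writes) offline and reports every value under a subset of the listed locations, and additionally flags the `*file\shell\open\command` handlers whose `(Default)` no longer equals the stock `"%1" %*` given in the list. The export text, the value names and the paths in it are constructed sample data, and the watched-key subset is an assumption that a practitioner would extend with the rest of the list.

```python
"""Audit a regedit export (.reg) for the auto-start locations listed above.

Added example, not part of the original post. SAMPLE_EXPORT is constructed;
WATCHED is a subset of the page's list (extend it with the other entries).
"""
import re
from collections import namedtuple

# Abbreviations used in the list, expanded to the hive names regedit writes.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKCR": "HKEY_CLASSES_ROOT"}

# (key, value name) pairs from the list; None means "report every value under the key".
WATCHED = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", None),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", None),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", None),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs"),
    (r"HKLM\System\CurrentControlSet\Control\Session Manager", "BootExecute"),
]

# The page gives the stock (Default) of these handlers as @="\"%1\" %*".
EXPECTED_COMMAND = '"%1" %*'
COMMAND_KEYS = [r"HKCR\%sfile\shell\open\command" % ext for ext in ("bat", "com", "exe", "hta", "pif")]

Finding = namedtuple("Finding", "location name data reason")
# "name"=data  or  @=data  (the @ form is the key's (Default) value)
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def normalize(key):
    """HKLM\\... -> hkey_local_machine\\... (registry paths are case-insensitive)."""
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive) + "\\" + rest).lower()


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data):
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    return data  # dword:/hex: values are kept as written


def parse_reg_export(text):
    """Return {key_lower: {value_name: data}} for a 'Windows Registry Editor' export."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = None if line.startswith("[-") else line[1:-1].lower()  # [-key] deletes a key
            if current is not None:
                reg.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) is None else _unescape(m.group(1))  # "" is (Default)
            reg[current][name] = _decode(m.group(2))
    return reg


def _lookup(values, name):
    for n, d in values.items():
        if n.lower() == name.lower():
            return d
    return None


def audit_autostarts(reg):
    """Every value under the watched locations, plus handler defaults that differ from stock."""
    findings = []
    for key, value_name in WATCHED:
        values = reg.get(normalize(key), {})
        if value_name is None:
            findings += [Finding(key, n, d, "autostart value") for n, d in values.items()]
        else:
            data = _lookup(values, value_name)
            if data is not None:
                findings.append(Finding(key, value_name, data, "autostart value"))
    for key in COMMAND_KEYS:
        values = reg.get(normalize(key))
        if values is not None and values.get("", EXPECTED_COMMAND) != EXPECTED_COMMAND:
            findings.append(Finding(key, "(Default)", values[""], "handler default differs from expected"))
    return findings


# Constructed sample export: one extra Run value, an extra Userinit program, a changed exefile handler.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"updater"="C:\\Users\\Public\\upd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\helper.exe,"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\Public\\hook.exe\" \"%1\" %*"
'''

if __name__ == "__main__":
    for f in audit_autostarts(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{f.reason:40} {f.location}\\{f.name} = {f.data}")
```

Run it against an export taken on a clean build and one taken later, and the difference between the two finding lists is the set of new persistence entries; the handler check catches the `exefile` change even though the value still ends in `"%1" %*`, which is why comparing the whole string rather than searching for the suffix matters.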

Now, we will start with folder auto start locations.
%ALLUSERSPROFILE%\Start Menu\Programs\Startup
%USERPROFILE%\Start Menu\Programs\Startup
%windir%\Tasks
%windir%\System32\Tasks - Windows Vista
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

In addition to this, there are some more files in which an added entry will start the named file again at boot or logon.
win.ini:
[windows]
load=file.exe

OR

[windows]
run=file.exe

system.ini:
[boot]
Shell=Explorer.exe file.exe

%windir%\dosstart.bat (Windows 95 or Windows 98 only)
%windir%\system\autoexec.nt
%windir%\system\config.nt
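The win.ini and system.ini entries above are plain text, so they can be checked with a small parser. The following is an added example, not code from the original post: it reads both files' text, reports every program named by `load=` and `run=` in the `[windows]` section of win.ini, and reports anything on the `Shell=` line of system.ini's `[boot]` section other than the stock `Explorer.exe`. The two INI texts are constructed samples; splitting on spaces and commas is an assumption that does not handle quoted paths containing spaces.

```python
"""Check win.ini / system.ini text for the load=, run= and Shell= auto-start entries.

Added example, not part of the original post; the two INI samples are constructed.
"""
from collections import namedtuple

IniHit = namedtuple("IniHit", "file section key program")


def parse_ini(text):
    """Minimal INI reader: {section_lower: [(key, value), ...]}, keeping duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def _programs(value):
    # load= and run= take a space- or comma-separated list of programs
    # (assumption: paths with spaces are not quoted here)
    return value.replace(",", " ").split()


def ini_autostarts(win_ini, system_ini):
    """Return every program these three entries would start at boot or logon."""
    hits = []
    for key, value in parse_ini(win_ini).get("windows", []):
        if key.lower() in ("load", "run"):
            hits += [IniHit("win.ini", "windows", key, p) for p in _programs(value)]
    for key, value in parse_ini(system_ini).get("boot", []):
        if key.lower() == "shell":
            # Stock setting is "Explorer.exe" alone; anything else on the line also runs.
            # A full path to explorer is reported too and should be checked by hand.
            hits += [IniHit("system.ini", "boot", key, p)
                     for p in _programs(value) if p.lower() != "explorer.exe"]
    return hits


SAMPLE_WIN_INI = """; constructed sample, not taken from a real machine
[windows]
load=
run=C:\\Users\\Public\\upd.exe
NullPort=None

[fonts]
"""

SAMPLE_SYSTEM_INI = """[boot]
Shell=Explorer.exe C:\\Users\\Public\\svc.exe
[drivers]
wave=mmdrv.dll
"""

if __name__ == "__main__":
    for h in ini_autostarts(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print(f"{h.file} [{h.section}] {h.key} -> {h.program}")
```

An empty `load=` or `run=` line yields nothing, and a `Shell=Explorer.exe` line yields nothing, so on a stock machine the function returns an empty list; any hit is something to account for.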


