Useful Registry Locations

Posted June 11, 2009
Filed under: Advanced |

I’ve come across these keys by searching on the Internet. I use these keys for detecting viruses, troubleshooting stuff, and other geeky things. The convention I’m using in writing out the keys is MainKey\SubKey1\SubKey2\SubKeyEtc > Value (I’m not stating the data)

“Windows Shell”=”My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon”
“Run on Startup”=”My Computer\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run”
“Run on Startup 2″=”My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run”
“Session Manager”=”My Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager”
“Default Wallpaper”=”My Computer\\HKEY_USERS\\.DEFAULT\\Control Panel\\Desktop”
“IIS Ports”=”My Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ServiceProvider\\ServiceTypes\\w3svc”
“Show Hidden Files”=”My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL”
“Shell Context Menu”=”My Computer\\HKEY_CLASSES_ROOT\\Directory\\shell”
“My Computer Context Menu”=”My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\shell”
“File Context Menu”=”My Computer\\HKEY_CLASSES_ROOT\\*\\shell”
“System Services”=”My Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services”
“Registry Favorites”=”My Computer\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Regedit\\Favorites”

1. Windows Shell – This is the place where the OS sets its shell “explorer.exe”. Viruses often target this and inject other files to start up

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon > Shell

2. Run on Startup – The place programs use to start with the OS. There are two places in the registry that hold this, one for the system generally, and one specific to the logged in user.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

3. Default Wallpaper – Sets the default wallpaper of your desktop (the one that shows when no one is logged in yet)

HKEY_USERS\.DEFAULT\Control Panel\Desktop

4. My Computer Context Menu – Things that show up when you right-click the My Computer icon on the desktop (not sure if the CLSID number value will be the same)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell

5. System Services – Listing of all system services. Useful for removing them manually

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

No comments yet

Leave a reply