윈도우에서 자동 실행되는 경로들
은근 가끔씩 필요한 정보
DiamondCS 에서 제공하는 Autostart Guard, Autostart Viewer 프로그램이 모니터링하는 Windows 자동 실행 위치의 리스트 입니다.
웜, 바이러스 등에 감염되었을 때 한번쯤 살펴봐야 할 곳들이죠.
Autostart Locations are listed in no particular order.
Registry Autostart Locations
- HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
All values in this key are executed. - HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunOnce
All values in this key are executed, and then their autostart reference is deleted. - HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices
All values in this key are executed as services. - HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServicesOnce
All values in this key are executed as services, and then their autostart reference is deleted. - HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
All values in this key are executed. - HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce
All values in this key are executed, and then their autostart reference is deleted. - HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnceSetup
Used only by Setup. Displays a progress dialog box as the keys are run one at a time. - HKEY_USERS.DefaultSoftwareMicrosoftWindowsCurrentVersionRun
Similar to the Run key from HKEY_CURRENT_USER. - HKEY_USERS.DefaultSoftwareMicrosoftWindowsCurrentVersionRunOnce
Similar to the RunOnce key from HKEY_CURRENT_USER. - HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogon
The "Shell" value is monitored. This value is executed after you log in. - HKEY_LOCAL_MACHINESoftwareMicrosoftActive SetupInstalled Components
All subkeys are monitored, with special attention paid to the "StubPath" value in each subkey. - HKEY_LOCAL_MACHINESystemCurrentControlSetServicesVxD
All subkeys are monitored, with special attention paid to the "StaticVXD" value in each subkey. - HKEY_CURRENT_USERControl PanelDesktop
The "SCRNSAVE.EXE" value is monitored. This value is launched when your screen saver activates. - HKEY_LOCAL_MACHINESystemCurrentControlSetControlSession Manager
The "BootExecute" value is monitored. Files listed here are Native Applications that are executed before Windows starts. - HKEY_CLASSES_ROOTvbsfileshellopencommand
Executed whenever a .VBS file (Visual Basic Script) is run. - HKEY_CLASSES_ROOTvbefileshellopencommand
Executed whenever a .VBE file (Encoded Visual Basic Script) is run. - HKEY_CLASSES_ROOTjsfileshellopencommand
Executed whenever a .JS file (Javascript) is run. - HKEY_CLASSES_ROOTjsefileshellopencommand
Executed whenever a .JSE file (Encoded Javascript) is run. - HKEY_CLASSES_ROOTwshfileshellopencommand
Executed whenever a .WSH file (Windows Scripting Host) is run. - HKEY_CLASSES_ROOTwsffileshellopencommand
Executed whenever a .WSF file (Windows Scripting File) is run. - HKEY_CLASSES_ROOTexefileshellopencommand
Executed whenever a .EXE file (Executable) is run. - HKEY_CLASSES_ROOTcomfileshellopencommand
Executed whenever a .COM file (Command) is run. - HKEY_CLASSES_ROOTatfileshellopencommand
Executed whenever a .BAT file (Batch Command) is run. - HKEY_CLASSES_ROOTscrfileshellopencommand
Executed whenever a .SCR file (Screen Saver) is run. - HKEY_CLASSES_ROOTpiffileshellopencommand
Executed whenever a .PIF file (Portable Interchange Format) is run. - HKEY_LOCAL_MACHINESystemCurrentControlSetServices
Services marked to startup automatically are executed before user login. - HKEY_LOCAL_MACHINESystemCurrentControlSetServicesWinsock2ParametersProtocol_CatalogCatalog_Entries
Layered Service Providers, executed before user login. - HKEY_LOCAL_MACHINESystemControlWOWcmdline
Executed when a 16-bit Windows executable is executed. - HKEY_LOCAL_MACHINESystemControlWOWwowcmdline
Executed when a 16-bit DOS application is executed. - HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit
Executed when a user logs in. - HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad
Executed by explorer.exe as soon as it has loaded. - HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows un
Executed when the user logs in. - HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindowsload
Executed when the user logs in. - HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer un
Subvalues are executed when Explorer initialises. - HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer un
Subvalues are executed when Explorer initialises.
Folder Autostart Locations
- windirStart MenuProgramsStartup
- UserStartup
- All UsersStartup
- windirsystemiosubsys
- windirsystemvmm32
- windirTasks
File Autostart Locations
- c:explorer.exe
- c:autoexec.bat
- c:config.sys
- windirwininit.ini
- windirwinstart.bat
- windirwin.ini - [windows] "load"
- windirwin.ini - [windows] "run"
- windirsystem.ini - [boot] "shell"
- windirsystem.ini - [boot] "scrnsave.exe"
- windirdosstart.bat
- windirsystemautoexec.nt
- windirsystemconfig.nt출처:Windows 자동 실행 위치
보통 Auto Start시키는 설정은 다음과 같습니다. 여기에서 예제 스파이웨어 파일명을 malware.exe로 가정해 보겠습니다.
1) win.ini 파일에서 다음과 같이 설치됩니다
[winodws]
load = malware.exe
run = malware.exe
2) system.ini 파일에서 다음과 같이 추가됩니다.
[boot]
Shell = explorer.exe malware.exe
3) Autoexec.bat 파일에서
%windir%system32% 디렉터리 밑에 malware.exe
4) Registry Shell Open
[HKEY_CLASS_ROOT/exefile/shell/open/command]
[HKEY_LOCAL_MACHINE/Software/Classes/exefile/shell/open/command]
"malware.exe %1 %*" 요런식으로 값이 들어가 있습니다.
5) Alternative Registry Keys
[HKEY_CLASSES_ROOT.exe] @="myexefile"]
[HKEY_LOCAL_MACHINE/Software/Classes/myexefile/shell/open/command@="malware.exe %1 %*"]
winstart.bat
6) Main 레지스트리에 등록되는 경우
[HKEY_LOCAL_MACHINE/SoftwareMicrosoft/Windows/CurrentVersion/RunServices]
[HKEY_LOCAL_MACHINE/SoftwareMicrosoft/Windows/CurrentVersion/RunServicesOnce]
[HKEY_LOCAL_MACHINE/SoftwareMicrosoft/Windows/CurrenVersion/Run]
6) wininit.ini 에 혹시 등록되어 있는 프로그램이 없는지 확인