Run Registry Key On Startup


Su Strawderman

Aug 4, 2024, 2:35:50 PM8/4/24
to tunlapaza
Meanwhile, if you disable them through Autoruns, they are simply moved to a subkey named AutorunsDisabled (and they disappear from the Settings startup apps list), so it seems like the registry entries are simply a list of POTENTIAL startup commands, and there should be something somewhere that enables or disables them.

Since I'm trying to learn how these work so I can add or remove them programmatically, what does the Settings GUI do under the hood to let the computer know which entries to run and which entries to ignore?


The values below HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run can be used to enable or disable the corresponding values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.


First, you need to open the registry editor. To do this, press the Windows key (the one with the emblem) + R on the keyboard, and in the Run window that appears, type regedit and press Enter or Ok.


There are other sections related to automatically loaded components, but we will not touch them: all the programs that can slow down the system, make the computer take too long to boot, or are simply unnecessary, you will find in these two sections.


The parameter name usually (but not always) corresponds to the name of the automatically launched program, and the value is the path to the executable program file. If you wish, you can add your own programs to the autoload or delete what is not needed there.


There's no fundamental difference. The folder tends to be favored by users, since it is easy for them to create a shortcut there. The registry key tends to be favored by installers, since there are lower odds that the user disables the program.


If you're trying to remove a program and cannot find it in the StartUp folder (usually C:\WINDOWS\Start Menu\Programs\StartUp), then it may be launching from one of the registry keys below. To remove it, delete the value associated with the program you want to remove.


I have created a script I want to deploy on my XP workstations as a shutdown script. I know I can add my script as a shutdown script with the UI (gpedit.msc), but I want to automate the deployment of my script. My workstations are not part of a Windows domain. I will deploy with OCS Inventory.


I tried to add entries to the Windows registry, but this doesn't work. I don't see what I added when I run gpedit.msc. If I add something with gpedit.msc, this seems to overwrite what I added manually into the registry.


To anyone struggling to get this working, my sympathy. I spent many hours trying to figure out exactly which of the hundreds of changes gpedit makes are actually important. My tests were conducted on Windows Server 2016. These turned out to be relevant:


Nothing else gpedit does seemed to matter. This includes many registry entries and the .ini files referenced in other answers. It's possible that some of the keys above are superfluous as well but I ran out of testing patience.


I added the script with gpedit.msc on one computer. I exported registry keys from HKLM\Software\Policies\Microsoft\Windows\System\Scripts and HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine. I also zipped the C:\WINDOWS\SYSTEM32\GroupPolicy directory.




Windows registry key addition and modification have long been a hot topic in the security community, but I would argue that most SOC analysts still view this as a grey area, particularly junior analysts. Windows Registry should no longer be a concern for Threat hunters alone, but also for SOC analysts, given the current attack trends. Even though it is an age-old technique, malware persistence continues to be a problem.


The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.


Persistence using registry Run keys or the startup folder is probably the most common form of persistence that malware and adversaries use. For example, the Ryuk ransomware, which has been responsible for some of the most damaging attacks globally, has utilized registry Run keys to establish persistence.


Run registry keys cause programs to run each time a user logs on. Actors often create a Run key so that their code will persist, because execution will occur as long as the affected account logs onto that endpoint.


C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. Shortcut links (.lnk extension) placed in this folder will cause Windows to launch the application each time the user logs into Windows. This is used by various forms of malware, but it is also easily identified and remediated by simply deleting the shortcut.


Placing a malicious file under the startup directory is often used by malware authors. Any shortcut created to the location pointed by subkey Startup will launch the service during logon/reboot. Start-up location is specified both at Local Machine and Current User.


If this method of persistence is successful, malware will continue executing its code to either make sure advertisement sites are hit (in cases of click fraud malware), command and control servers are beaconed (in cases such as botnets where further commands need to be sent to victim machines), or to constantly try to have the end user click on popup window links for any number of purposes.


By default, the multi-string BootExecute value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value, which will then automatically launch at boot. It should always have the value autocheck autochk *. If there are more values in it, then malware is probably launching at boot.


Many Windows services are required to run at boot, like the Workstation/Server services, Windows Event Log, and other Windows drivers. These are located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.


Along with placing a malicious file in the above-listed registry key, there is another way to load malicious files. Malicious files can be loaded if a service fails to start. For example, the screenshot below shows how RDP failure can be used to run a program.


For a SOC UC developer or for a threat hunter, below are some possible ways to write a query to look out for signs of persistence using the above methods. Now, it should be said, the registry is generally a very busy place, and logs generated from registry activity can be exceptionally noisy. So, teams will want to focus on logs relating to the specific registry keys noted above.


Some of my computers have two startup entries for dropbox. If you open Task Manager - Startup, there are two things using PC resources at startup. The first one appears as "Dropbox (3)." That is the one I am used to seeing, which should run at Startup. But the other is "Dropbox Update (4)." Why is this second thing in my PC startup? I have the same Dropbox installed on several computers. None of the desktop computers have this "Dropbox Update" running in the computer startup processes. But all three of my laptop computers have both Dropbox entries running at startup. Why? I would like to eliminate unnecessary startup processes to help computer performance. Why would laptops have this extra startup for Dropbox Update?






I've been searching for a while now on how to set the specific startup page of Edge through a registry setting.

After a lot of searching I stumbled upon a solution that comes close to mine; however, this works only when I push the Homepage button.

I would like to be able to set the default startup page to something else.

Does anyone have the solution?

It would be much appreciated.


Thank you for these tips. I am using multiple profiles, for personal and professional usage. Is it possible to have a specific startup page for each profile, with a registry modification? Because one of my organisations controls Edge, it controls all profiles, not only the profile connected with the MS account of my organisation. Thank you for your help.

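The post above asks what decides whether a Run value actually executes (the StartupApproved\Run key) and says BootExecute should always be exactly autocheck autochk *. The following PowerShell audit script is an added example, not code from the post or from Microsoft; it assumes the commonly documented StartupApproved layout (a 12-byte REG_BINARY per entry whose first byte is 0x02 for enabled and 0x03 for disabled) and reads the registry only, changing nothing.

```powershell
# Added audit example (not from the original post). Assumption: first byte of a
# StartupApproved\Run value is 0x02 = enabled, 0x03 = disabled; an entry with no
# StartupApproved value at all is treated by Windows as enabled.
$runPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunEntryState {
    # Pair each Run value with its StartupApproved state so a reviewer sees which
    # commands will really execute at logon, not just which are listed.
    foreach ($run in $runPaths) {
        $approvedPath = $run -replace 'CurrentVersion\\Run$', 'CurrentVersion\Explorer\StartupApproved\Run'
        $runKey = Get-Item -Path $run -ErrorAction SilentlyContinue
        if (-not $runKey) { continue }
        $approvedKey = Get-Item -Path $approvedPath -ErrorAction SilentlyContinue
        foreach ($name in $runKey.GetValueNames()) {
            if ($name -eq '') { continue }           # skip the (Default) value
            $flag = if ($approvedKey) { $approvedKey.GetValue($name) } else { $null }
            $state = if (-not $flag) { 'enabled (no StartupApproved entry)' }
                     else {
                         switch ($flag[0]) {
                             2       { 'enabled' }
                             3       { 'disabled' }
                             default { 'unknown (0x{0:X2})' -f $flag[0] }
                         }
                     }
            [pscustomobject]@{
                Hive    = $run
                Name    = $name
                Command = $runKey.GetValue($name)
                State   = $state
            }
        }
    }
}

function Test-BootExecute {
    # Flag any BootExecute string other than the stock 'autocheck autochk *'.
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $values = @((Get-ItemProperty -Path $smKey -Name BootExecute).BootExecute)
    $extra = @($values | Where-Object { $_ -ne 'autocheck autochk *' })
    [pscustomobject]@{
        BootExecute = ($values -join ' | ')
        Suspicious  = ($extra.Count -gt 0)
        Extra       = $extra
    }
}

Get-RunEntryState | Format-Table -AutoSize
Test-BootExecute | Format-List
```

Run it in an elevated session to read the HKLM keys; a 'disabled' Run entry is one the Settings app or Task Manager has switched off, and a non-empty Extra list from Test-BootExecute is worth investigating before the next reboot.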