AutoStart Entry Points in Windows

Except in the case of rootkit-enabled malware, it's often possible to remove an infection (at least the active components) by removing their startup points. Following is a list of some of the more frequently used autostart entry points in Windows, including startup folders, registry keys, and ini files.

WIN.INI file
The WIN.INI file was used in earlier versions of Windows (3.x and 9x) to load applications and configuration settings at startup. Though no longer used by default on newer operating systems such as Windows XP, values included in these files will still be acted upon. Thus, some malware authors will leverage the WIN.INI file to load viruses or other malicious software.
The pertinent sections to check in the WIN.INI file are the and lines located under the [Windows] heading.

System.ini File
The system.ini file was used in earlier versions of Windows to load device drivers and the explorer shell. The reliance on system.ini was phased out and is no longer relied upon by Windows XP and above. In the case of an upgrade from an older OS, such as 9x, to Windows XP or above, the settings contained in system.ini will be retained. Though a fresh installation of Windows XP or above will not include any data in the system.ini, subsequent inclusions will be acted upon by the OS. Hence malware authors still occasionally use the system.ini to cause viruses and other malicious software to load.
The pertinent line to check in the system.ini file is , located under the [boot] heading.

Startup Folder
%USERPROFILE%\Start Menu\Programs\Startup
%ALLUSERSPROFILE%\Start Menu\Programs\Startup

System Registry Run Keys
Check subkeys in Run and RunOnce
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
also
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

System Registry - Winlogon
Winlogon is responsible for supporting the DLL responsible for managing the interactive logon when Windows starts. Even booting into Safe Mode will not deactivate it. The string values that customize the Winlogon process are located in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\Winlogon

Active Setup
The Active Setup registry key is an often overlooked load point. Programs register themselves using CLSIDs. For each CLSID listed under the Active Setip key, look for the value "StubPath". Any program specified by the StubPath value will be loaded when Windows is started. Pertinent key location is:
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

ASEP Loading Sequence
The order in which Windows processes the autostart entry points is as follows:
RunServices / RunServicesOnce - HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER RunServices/RunServicesOnce will be launched concurrently. In the event of a conflict, precedent is given to HKEY_LOCAL_MACHINE. These ASEPS may continue loading during and after the login dialog.
Login Dialog (Winlogon)
RunOnce / Run for HKEY_LOCAL_MACHINE hive
Run key in HKEY_CURRENT_USER hive
Startup Folder
RunOnce in HKEY_CURRENT_USER hive