
Spyware Registry



This article reviews some of the common and likely registry locations in which spyware applications place themselves; these are always good candidates for a quick review.


Finding Spyware

Where are the various locations from which a spyware program can get itself loaded on startup? If you suspect you have spyware programs on your computer, you should check the following registry keys.

For Windows NT 4.0, 2000, XP and Server 2003:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

For Windows 95/98/ME registry you should check these ADDITIONAL registry keys:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

Note:
By default, these keys are ignored when running in safe mode. However, starting with Windows NT 4.0 SP3, spyware programs can force Windows to run these programs even in safe mode by prefixing the entry name with an asterisk (*).


Spyware and Winlogon
What is Winlogon?
Winlogon creates the desktop for the Windows environment.

The registry key is located at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Just by adding an ADDITIONAL shell (alongside the default Explorer application), a spyware program can get itself loaded on Windows startup.

"The Shell key value can contain a comma-separated list of programs to be executed. Explorer is the default shell program and will be executed if the Shell key value is null or not present. By default, Explorer is listed."
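The following PowerShell script is an added example (not code from the original article): it reads the Run/RunOnce keys listed under Finding Spyware and the Winlogon Shell value described above, flags asterisk-prefixed entries that would also run in safe mode, and flags any shell listed besides explorer.exe. It assumes PowerShell 3 or later on an NT-based Windows system.

```powershell
# Added example, not the article's own code: audit the autostart locations
# the article lists and flag the entries a defender would want to inspect.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # Windows 95/98/ME keys: normally absent on NT-based systems, cheap to check
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup'
)
# Properties the registry provider adds to every item; not real values
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            [PSCustomObject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $prop.Value
                # A leading asterisk makes the entry run even in safe mode
                Note    = if ($prop.Name.StartsWith('*')) { 'runs in safe mode' } else { '' }
            }
        }
    }
}

function Get-WinlogonShellEntries {
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    # Null or empty means Explorer runs by default; nothing extra to report
    if ([string]::IsNullOrEmpty($shell)) { return }
    foreach ($entry in $shell -split ',') {
        $name = $entry.Trim()
        [PSCustomObject]@{
            Key     = "$winlogon\Shell"
            Name    = 'Shell'
            Command = $name
            # Anything besides explorer.exe in the list is an additional shell
            Note    = if ($name -ieq 'explorer.exe') { 'default shell' } else { 'EXTRA SHELL - review' }
        }
    }
}

@(Get-RunKeyEntries) + @(Get-WinlogonShellEntries) | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; entries whose Note column is non-empty are the ones worth investigating first.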

Editing the registry
You can use either regedit.exe or regedt32.exe to modify the registry. Under Windows XP and Windows Server 2003 there is no difference.

However, if you are using Windows NT 4 or Windows 2000, regedit.exe has a few restrictions and is recommended only for searching the registry (to view the restrictions, please refer to the references below).




References:
MSDN, Registry keys, Run and RunOnce
MSDN, Responsibilities of Winlogon
Microsoft Knowledge Base, Differences between regedit.exe and regedt32.exe



Except where otherwise noted, this site is licensed under a Creative Commons License
©2003-2008 eLouai.com, All rights reserved