Applications running when I log-on

I've seen many applications run at the time of Windows log on.

 

Some of the known ways I've seen applications do this are:

Startup folder:

Apps do a simple file copy to the Startup folder, whose contents are read by the system and executed at logon. The advantage of this method is that a user can always access the Startup folder and clean it up as per his/her requirements.

On XP the path to the Startup folder was:

<sysdrive>:\Documents and Settings\<username>\Start Menu\Programs\Startup

On Vista it is:

<sysdrive>:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

 

Filemon can catch the app in action when it accesses the Startup folder, once you find out that’s what the app is using.

 

Registry:

This is the most common method employed by applications.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Launches a program automatically when a particular user logs in. This key is used when you always want to launch a program when a particular user is using a system.

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce (Ex)

Launches a program the next time the user logs in and removes its value entry from the registry. This key is typically used by installation programs.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Launches a program automatically at system startup. This key is used when you always want to launch a program on a particular system.

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce (Ex)

Launches a program the next time the system starts and removes its value entry from the registry. This key is typically used by installation programs.

The Regmon tool will catch an app accessing these registry keys.

 

Services:

The other way would be if the app installs a service which is marked as automatic.

 

HKLM\System\CurrentControlSet\Services\<service name>

         Start = 2 (Automatic)

 

These are optional keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Launches a service (a standard NT service or a background process) automatically at startup. An example of a service is a Web server such as Microsoft Internet Information Server.

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

Launches a service (a standard NT service or a background process) the next time the system is started, then removes its value entry from the registry.

 

There are other ways, such as writing to autoexec.bat (the legendary DOS file) or adding Load= or Run= lines to win.ini, but these are pretty rare.
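
To review all of the locations above in one pass, the following PowerShell sketch lists every entry it finds in the Startup folder, the Run keys and the automatic services. It is an added example, not code from the original post; the function name Get-AutostartValue is hypothetical, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: enumerate the autostart locations described on this page.

# Hypothetical helper: list every value under a registry key and its subkeys
# (RunOnceEx keeps its commands in subkeys; the other keys normally have none).
function Get-AutostartValue {
    param([string]$KeyPath)
    $root = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $root) { return }      # key is absent on this system
    $keys = @($root) + @(Get-ChildItem -LiteralPath $KeyPath -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Source = $key.Name; Name = $name; Command = $key.GetValue($name) }
        }
    }
}

$cv = 'Software\Microsoft\Windows\CurrentVersion'
$runKeys = @(
    "HKCU:\$cv\Run", "HKCU:\$cv\RunOnce", "HKCU:\$cv\RunOnceEx",
    "HKLM:\$cv\Run", "HKLM:\$cv\RunOnce", "HKLM:\$cv\RunOnceEx",
    "HKLM:\$cv\RunServices", "HKLM:\$cv\RunServicesOnce"
)

$entries = @()

# 1. Startup folder of the current user (resolves to the XP or Vista path).
$startup = [Environment]::GetFolderPath('Startup')
$entries += Get-ChildItem -LiteralPath $startup -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Source = $startup; Name = $_.Name; Command = $_.FullName }
    }

# 2. Run / RunOnce (Ex) / RunServices keys.
foreach ($path in $runKeys) { $entries += Get-AutostartValue -KeyPath $path }

# 3. Services whose Start value is 2 (Automatic).
$entries += Get-ChildItem 'HKLM:\System\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValue('Start') -eq 2 } |
    ForEach-Object {
        [pscustomobject]@{
            Source  = 'Services (Start = 2)'
            Name    = $_.PSChildName
            Command = $_.GetValue('ImagePath')
        }
    }

$entries | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Saving the output and comparing it after installing an application shows which of these locations the installer touched.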