High-risk Registry Key Values (Key Protection Targets) - Rising Kaka Security Forum bbs.ikaka.com

by lqq_zaimoku on 2009-05-15 21:56:06

Below is a summary of the high-risk registry keys most commonly modified by malicious programs. The list is not exhaustive, but it covers the common ones (further additions from experts are welcome). Malware uses these keys mainly to start itself automatically, or to get loaded whenever a legitimate component starts (a shell extension in Explorer, a DLL in every process, a provider in the network stack).

Note:

- HKLM = HKEY_LOCAL_MACHINE

- HKCU = HKEY_CURRENT_USER

- HKU = HKEY_USERS

---

### Common High-Risk Registry Keys Modified by Malware:

1. **Auto-Start via Run Keys**

- `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`

- `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`

- `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run` (the 32-bit view of the key on 64-bit Windows; it must be checked separately)

2. **RunOnce Keys**

- `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`

- `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`

3. **Policy Run Keys**

- `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`

- `HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`

4. **Winlogon and Session Manager**

- `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit` (normally `C:\Windows\system32\userinit.exe,`; any program appended after the comma runs at every interactive logon)

- `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify` (notification-package DLLs loaded by winlogon.exe on logon events; Windows XP/2003)

- `HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management`

5. **Shell Extensions**

- `HKLM\Software\Classes\*\shellex\ContextMenuHandlers`

- `HKLM\Software\Classes\Folder\shellex\ColumnHandlers`

- `HKLM\Software\Classes\Directory\shellex\PropertySheetHandlers`

6. **Services and Drivers**

- `HKLM\System\CurrentControlSet\Services`

- `HKLM\System\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}` (a device setup class key, here the SCSIAdapter class; `UpperFilters`/`LowerFilters` values under a class key load filter drivers for every device of that class)

- `HKLM\System\CurrentControlSet\Enum\Root\LEGACY_` (`LEGACY_<servicename>` entries are created for non-PnP drivers; a leftover entry is evidence that a kernel driver of that name was loaded at some point, even after its service key is gone)

7. **Startup Folder Locations**

- `HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup` (path of the all-users Startup folder)

- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup` (path of the per-user Startup folder; pointing either value at another directory makes Explorer run whatever that directory contains at logon)

8. **Browser Helper Objects (BHOs)**

- `HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`

- `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`

9. **Scheduled Tasks**

- `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache`

10. **Image File Execution Options (IFEO) Hijacking**

- `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options` (a `Debugger` value under a per-executable subkey is launched in place of that program every time it starts)

11. **AppInit_DLLs**

- `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs` (every DLL listed here is loaded into each process that loads user32.dll)

12. **Winsock Layered Service Providers (LSPs)**

- `HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9` (LSP DLLs registered in the catalog entries are loaded into every process that uses Winsock)

13. **Script Host Settings**

- `HKLM\Software\Microsoft\Windows Script Host\Settings`

- `HKCU\Software\Microsoft\Windows Script Host\Settings`

14. **Group Policy Scripts**

- `HKLM\Software\Policies\Microsoft\Windows\System\Scripts` (logon/logoff and startup/shutdown scripts configured through Group Policy)

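As an added example, not part of the original post: a Python script that parses a `.reg` export of several of the keys above and flags persistence-style values (auto-start commands launched from user-writable directories, a `Userinit` value other than the stock one, a populated `AppInit_DLLs`, an IFEO `Debugger`). The embedded sample export is constructed for the example, not captured from a real host; the list of user-writable directories is a heuristic of my own, not something the post specifies.

```python
"""Triage a .reg export of the high-risk auto-start keys listed in this post.

Added example, not from the original post. Parses Windows Registry Editor
(.reg) text and flags persistence-looking values. SAMPLE_REG at the bottom
is constructed for the example, not captured from a real host.
"""
import re

HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
CV = r"\Software\Microsoft\Windows\CurrentVersion"
CVNT = r"\Software\Microsoft\Windows NT\CurrentVersion"
# Keys whose every value is a command executed at logon (matched case-insensitively).
RUN_KEYS = {k.lower() for k in (
    HKLM + CV + r"\Run", HKLM + CV + r"\RunOnce", HKLM + CV + r"\Policies\Explorer\Run",
    HKLM + r"\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
    HKCU + CV + r"\Run", HKCU + CV + r"\RunOnce", HKCU + CV + r"\Policies\Explorer\Run",
)}
WINLOGON = (HKLM + CVNT + r"\Winlogon").lower()
APPINIT = (HKLM + CVNT + r"\Windows").lower()
IFEO = (HKLM + CVNT + r"\Image File Execution Options").lower()
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
# Heuristic (assumption): a stock install never launches auto-start entries from these.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")


def _decode(data):
    """Decode one .reg value: REG_SZ ("..."), dword:, or hex(2): (REG_EXPAND_SZ, UTF-16LE)."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])   # unescape \\ and \"
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in data[7:].split(",") if b.strip())
        return raw.decode("utf-16-le").rstrip("\x00")
    return data                                      # other types: keep raw text


def parse_reg(text):
    """Return {key_path: {value_name: data}} parsed from .reg text."""
    text = re.sub(r",\\\r?\n\s*", ",", text)         # join hex continuation lines
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lstrip("-")         # "[-HKEY...]" marks a key deletion
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:                # header/comment lines fall through
            name = "" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(2))
            keys[current][name] = _decode(m.group(3))
    return keys


def triage(keys):
    """Return (severity, key, value_name, data, reason) tuples for values worth a look."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k in RUN_KEYS:
            for name, data in values.items():
                bad = any(d in str(data).lower() for d in USER_WRITABLE)
                findings.append(("HIGH" if bad else "INFO", key, name, data,
                                 "auto-start from user-writable path" if bad else "auto-start entry"))
        elif k == WINLOGON and "Userinit" in values:
            if str(values["Userinit"]).lower().rstrip(", ") != DEFAULT_USERINIT:
                findings.append(("HIGH", key, "Userinit", values["Userinit"],
                                 "Userinit is not the stock value"))
        elif k == APPINIT and values.get("AppInit_DLLs"):
            findings.append(("HIGH", key, "AppInit_DLLs", values["AppInit_DLLs"],
                             "DLL loaded into every process that loads user32.dll"))
        elif k.startswith(IFEO + "\\") and "Debugger" in values:
            findings.append(("HIGH", key, "Debugger", values["Debugger"],
                             "IFEO Debugger runs in place of the target program"))
    return findings


# Constructed sample export (the sethc.exe Debugger and the Temp/AppData paths are
# illustrative, not observations from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\svchost.exe\" -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\init.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=hex(2):43,00,3a,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,68,00,\
  6b,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\system32\\cmd.exe"
'''

if __name__ == "__main__":
    for sev, key, name, data, why in triage(parse_reg(SAMPLE_REG)):
        print(f"[{sev}] {key}\\{name} = {data!r}  ({why})")
```

To run it against real data, export each key with `reg export <key> <file.reg>`; Regedit writes those files as UTF-16LE with a BOM, so open them with `encoding="utf-16"` before passing the text to `parse_reg`. Entries rated `INFO` are ordinary auto-start values that still deserve a glance; the `HIGH` heuristics are deliberately narrow so that a clean machine produces few of them.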

---

### Notes:

- Malicious programs often modify these keys to ensure they run automatically when the system starts or when specific events occur.

- Always back up the registry (or at least export the affected key) before making any changes.

- Use Sysinternals Autoruns (`autorunsc` for command-line output) to inspect all of these locations at once, rather than walking the keys by hand in regedit.

If you have additional keys or insights, feel free to share!