Some of the other registry keys which are used during boot-up (and which could be compromised by a cunning hacker) would be ...
The services keys:
KEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
The logon keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
The autostart keys and user folders you mentioned, plus:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
There is a registry key which starts up programs when user32.dll is loaded ...
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
... and a registry key that loads the listed programs when Explorer is launched:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Programs can also be launched if included in this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
These files can also be used as startup vectors:
1. c:\autoexec.bat
2. c:\config.sys
3 . windir\wininit.ini - Usually used by setup programs to have a file run once and then get deleted.
4. windir\winstart.bat
5. windir\win.ini - [windows] "load"
6. windir\win.ini - [windows] "run"
7. windir\system.ini - [boot] "shell"
8 . windir\system.ini - [boot] "scrnsave.exe"
9. windir\dosstart.bat - Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.
10. windir\system\autoexec.nt
11. windir\system\config.nt
From your conversation, I suspect that the CCleaner startup tool doesn't quite cover all of these.
I got this information from
http://www.bleepingc...rtup-locations/.
Personally, given all these places where a clever hacker could hide something that would start up on boot-up, I'm glad that I'm migrating to Linux at home. I just never realized how dysfunctional Windows was until Wednesday, when I saw all these places where an application or script could be started from. It's pure madness!