HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls
HKCU\Control Panel\Desktop\Scrnsave.exe
HKCU\Environment
HKCU\Software\Classes\Exefile\Shell\Runas\Command\IsolatedCommand
HKCU\Software\Classes\Mscfile\Shell\Open\Command
HKCU\Software\Microsoft\Command Processor\Autorun
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Extensions
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks\Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\Control.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer“AlwaysInstallElevated”=dword:00000001
HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logoff
HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
HKLM\\CurrentControlSet\Control\Cryptography\Providers
HKLM\\CurrentControlSet\Control\SecurityProviders\SSI\Providers
HKLM\\CurrentControlSet\Services\LanmanServer\ShareProviders
HKLM\\CurrentControlSet\Services\RemoteAccess\Accounting\Providers
HKLM\\CurrentControlSet\Services\RemoteAccess\Authentication\Providers
HKLM\\CurrentControlSet\Services\W32Time\TimeProviders
HKLM\\CurrentControlSet\Services\WbioSrvc\Service Providers
HKLM\\CurrentControlSet\Services\Winsock\Setup Migration\Providers
HKLM\\CurrentControlSet\Services\WinTrust\TrustProviders
HKLM\\CurrentControlSet\Services\WlanSvc\Parameters\ComInterfaceProviders
HKLM\\CurrentControlSet\Services\WlanSvc\Parameters\VendorSpecificIEProviders
HKLM\\SOFTWARE\Policies\Microsoft\Windows\Installer“AlwaysInstallElevated”=dword:00000001
HKLM\\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
HKLM\Software\Microsoft NT\CurrentVersion\Winlogon\System
HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKLM\Software\Microsoft\Windows Nt\CurrentVersion\Imagefileexecutionoptions
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects
HKLM\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Shutdown
HKLM\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logoff
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Shutdown
HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
HKLM\Software\Wow6432Node\Microsoft\Command\Processor\Autorun
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Extensions
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SYSTEM\CurrentControlSet\Control\CrashControl
HKLM\System\CurrentControlSet\Control\LSA
HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders
HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders\WDigest
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd
HKLM\System\CurrentControlSet\Enum\USB
HKLM\System\CurrentControlSet\Enum\USBTor
HKLM\SYSTEM\CurrentControlSet\services\eventlog\Windows PowerShell
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\Trusted Locations