Windows Registry Keys

gistfile1.txt

StartUp/Run Keys

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnceHKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Winlogon

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

When Certain file rules:

HKCU\exefile\shell\open\command
HKCU\comfile\shell\open\command
HKCU\batfile\shell\open\command
HKCU\htafile\Shell\Open\Command
HKCU\piffile\shell\open\commandHKLM\Software\CLASSES\batfile\shell\open\command
HKLM\Software\CLASSES\comfile\shell\open\command
HKLM\Software\CLASSES\exefile\shell\open\command
HKLM\Software\CLASSES\htafile\Shell\Open\Command
HKLM\Software\CLASSES\piffile\shell\open\commandHKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Boot related keys

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\System\CurrentControlSet\Services  (start value of 0 indicates kernel drivers, which load before kernel initiation)
HKLM\System\CurrentControlSet\Services (start value of 2, auto-start and 3, manual start via SCM)