How does an antivirus program start when Windows boots?

While doing some testing I noticed that after installing Avast and checking my "Run" registry keys and my "Startup" folder, neither location had a startup entry. With that in mind, where do most antivirus programs place themselves so that they start automatically when the operating system boots?

4 What do you actually mean by "boot time": after the bootloader, or the black screen before the logon screen appears (or no black screen at all)? That is a very important distinction. The "after the bootloader" approach involves drivers and is done before Windows loads (for example, rebooting the computer to remove a virus that cannot be removed while Windows is running). - Gizmo
1 Typically the on-access drivers are filter drivers (device). There is also a newer feature for early-launch malware detection called ELAM (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/elam-prerequisites). Beyond that, the normal autoruns, services and Explorer extensions are mainly used for the user interface and supporting work such as refreshing signatures and drivers. Behavioural detection is usually done by injecting DLLs. - eckes
2 Answers

"Where do most antivirus programs start from when the operating system boots? After installing Avast and checking my 'Run' registry keys and 'Startup' folder, neither location had a startup entry."

There are many other startup locations to check (more on those below). Many antivirus programs, Avast included, start as a Windows service, which lets them run as early as possible in the boot process and so offer the most protection.


Avast's graphical user interface (including the system tray icon) is started from HKLM\Software\Microsoft\Windows\CurrentVersion\Run.



There are many locations that can be used to run a program at startup. You need to check them one by one until you find the program you are looking for. Some programs make checking the startup locations convenient:
  1. msconfig (Startup tab)

  2. Autoruns from SysInternals

  3. WhatInStartup from NirSoft

  4. WinPatrol

    Note:

    • WinPatrol lets you move a program from "Startup Programs" to "Delayed Start".
    • If you do that, you can specify the delay time.


How many ways are there in Windows for a program to run at startup?

There are at least 17 locations from which a program can be started. See below.


Windows Program Automatic Startup Locations

Upon turning on the computer the following autostart locations are processed in the following order:

  1. Windows Boot Device Drivers

    • These drivers are loaded first as they are required for the proper operation of hardware such as storage devices.
    • Boot device drivers will be located under the following key and have a Start value equal to 0.


    Registry Keys:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
    

    Windows will now perform various tasks and then start the Winlogon process. Winlogon eventually starts the service control manager that loads services and drivers that are set for auto-start.

  2. Windows Auto-start Services & Drivers

    • The Service Control Manager (SCM) process (\Windows\System32\services.exe), will now launch any services or drivers that are marked with a Start value of 2.


    Registry Keys:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
    
  3. RunServicesOnce

    • This key is designed to start services when a computer boots up.
    • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...\RunOnce registry can start loading its programs.


    Registry Keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    
  4. RunServices

    • This key is designed to start services as well.
    • These entries can also continue running even after you log on, but must be completed before the HKEY_LOCAL_MACHINE...\RunOnce registry can start loading its programs.


    Registry Keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    

    The Windows logon prompt is shown on the Screen. After a user logs in the rest of the keys continue.

  5. Notify

    • This key is used to add a program that will run when a particular event occurs.
    • Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver.
    • When Winlogon.exe generates an event such as the ones listed, Windows will look in the Notify registry key for a DLL that will handle this event.
    • Malware has been known to use this method to load itself when a user logs on to their computer. Loading in such a way allows the malware program to load in such a way that it is not easy to stop.


    Registry Key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    
  6. UserInit Key

    • This key specifies what program should be launched right after a user logs into Windows.
    • The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that restores your profile, fonts, colors, etc for your user name.
    • It is possible to add further programs that will launch from this key by separating the programs with a comma. For example:

      HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = C:\windows\system32\userinit.exe,c:\windows\badprogram.exe

    This will make both programs launch when you log in and is a common place for trojans, hijackers, and spyware to launch from.


    Registry Key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    
  7. Shell Value

    • This value contains a list of comma separated values that Userinit.exe will launch.
    • The default shell for Windows is explorer.exe, though there are legitimate replacements that have been made. When userinit.exe starts the shell, it will first launch the Shell value found in HKEY_CURRENT_USER. If this value is not present, it will then launch the value found in HKEY_LOCAL_MACHINE.


    Registry Key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    

    The rest of the Autostart locations will now be processed.

  8. RunOnce Local Machine Key

    • These keys are designed to be used primarily by Setup programs.
    • Entries in these keys are started once and then are deleted from the key.
    • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes, otherwise it will be deleted before the program runs. This is important, because if the exclamation point is not used, and the program referenced in this key fails to complete, it will not run again as it will have already been deleted.
    • All entries in this key are started synchronously in an undefined order.
    • Due to this, all programs in this key must be finished before any entries in HKEY_LOCAL_MACHINE...\Run, HKEY_CURRENT_USER...\Run, HKEY_CURRENT_USER...\RunOnce, and Startup Folders can be loaded.
    • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.


    Registry Keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    
  9. Run

    • These are the most common startup locations for programs to install auto start from.
    • By default these keys are not executed in Safe mode. If you prefix the value of these keys with an asterisk, *, it will run in Safe Mode.


    Registry Keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    
  10. All Users Startup Folder

    • For Windows XP, 2000, and NT, this folder is used for programs that should be auto started for all users who will login to this computer.


    It is generally found at:

    • Windows XP C:\Documents and Settings\All Users\Start Menu\Programs\Startup

    • Windows NT C:\winnt\Profiles\All Users\Start Menu\Programs\Startup

    • Windows 2000 C:\Documents and Settings\All Users\Start Menu\Programs\Startup

  11. User Profile Startup Folder

    • This folder will be executed for the particular user who logs in.


    This folder is usually found in:

    • Win 9X, ME c:\windows\start menu\programs\startup
    • Windows XP C:\Documents and Settings\LoginName\Start Menu\Programs\Startup

  12. RunOnce Current User Key

    • These keys are designed to be used primarily by Setup programs.
    • Entries in these keys are started once and then are deleted from the key.
    • If there is an exclamation point preceding the value of the key, the entry will not be deleted until after the program completes, otherwise it will be deleted before the program runs. This is important, because if the exclamation point is not used, and the program referenced in this key fails to complete, it will not run again as it will have already been deleted.
    • The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode.
    • The RunOnce keys are not supported by Windows NT 3.51.


    Registry Key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    
  13. Explorer Run

    • These keys are generally used to load programs as part of a policy set in place on the computer or user.


    Registry Keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    
  14. Load Key

    • This key is not commonly used anymore, but can be used to auto start programs.


    Registry Key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
    
  15. AppInit_DLLs

    • This value corresponds to files being loaded through the AppInit_DLLs Registry value.
    • The AppInit_DLLs registry value contains a list of dlls that will be loaded when user32.dll is loaded.
    • As most Windows executables use the user32.dll, that means that any DLL that is listed in the AppInit_DLLs registry key will be loaded also. This makes it very difficult to remove the DLL as it will be loaded within multiple processes, some of which can not be stopped without causing system instability.
    • The user32.dll file is also used by processes that are automatically started by the system when you log on. This means that the files loaded in the AppInit_DLLs value will be loaded very early in the Windows startup routine allowing the DLL to hide itself or protect itself before we have access to the system.


    Registry Key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
    
    HelpingHand points out that on 64-bit machines there are two locations:

    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows references 64-bit DLL files
    • HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows references 32-bit DLL files.

    64-bit processes load the 64-bit DLL files and 32-bit processes load the 32-bit DLL files.

  16. ShellServiceObjectDelayLoad

    • This registry value contains values in a similar way to the Run key.
    • The difference is that instead of pointing to the file itself, it points to the InProcServer of a CLSID that contains the information about the particular DLL file being used.
    • The files under this key are loaded automatically by Explorer.exe when the computer starts. Because Explorer.exe is the shell of the computer it always starts, and so the files under this key are always loaded. These files are therefore loaded early in the startup process, before any human intervention can occur.


    Registry Key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

  17. SharedTaskScheduler

    • This section corresponds to files being loaded through the SharedTaskScheduler registry value (for XP, NT, 2000 machines).
    • The entries in this registry value run automatically when Windows starts.


    Registry Key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

  18. Other

    The following are files from which a program can start automatically at startup:

    1. c:\autoexec.bat
    2. c:\config.sys
    3. windir\wininit.ini - usually used by setup programs; it runs once and is then deleted.
    4. windir\winstart.bat
    5. windir\win.ini - [windows] "load"
    6. windir\win.ini - [windows] "run"
    7. windir\system.ini - [boot] "shell"
    8. windir\system.ini - [boot] "scrnsave.exe"
    9. windir\dosstart.bat - used when you select "Restart in MS-DOS mode" in Win95 or 98.
    10. windir\system\autoexec.nt
    11. windir\system\config.nt
Source: Windows Program Automatic Startup Locations


Disclaimer

I am not affiliated with SysInternals, Nirsoft or WinPatrol; I am just an end user of the software.
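As an added example (not part of the answer above or of the BleepingComputer list it quotes), the following PowerShell script walks the logon-time locations from that list: the Run-style keys (Run, RunOnce, RunOnceEx, Policies\Explorer\Run, ShellServiceObjectDelayLoad, SharedTaskScheduler, Winlogon\Notify) in both the 64-bit and WOW6432Node views, the Winlogon Userinit and Shell values, AppInit_DLLs, the HKCU load value and both Startup folders. It flags Userinit and Shell values that differ from the defaults assumed here (userinit.exe followed by a trailing comma, and explorer.exe), because those are the two entries the list singles out as trojan favourites. Everything is read-only; an elevated prompt is needed only so that ACL-restricted HKLM keys can be read.

```powershell
# Added example, not part of the original answer. Enumerates the logon-time
# autostart locations from the list above and flags Winlogon values that differ
# from the defaults assumed here (userinit.exe plus trailing comma; explorer.exe).
# Read-only. Run from an elevated prompt so ACL-restricted HKLM keys are readable.

function Get-RegistryAutostart {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # Walk the key and its subkeys: RunOnceEx and Winlogon\Notify store entries in subkeys.
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{
                Location = $k.Name
                Name     = if ($name) { $name } else { '(Default)' }
                Value    = $k.GetValue($name)
            }
        }
    }
}

$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# On 64-bit Windows, 32-bit software registers under the WOW6432Node view of HKLM\Software.
if ([Environment]::Is64BitOperatingSystem) {
    $keys += $keys | Where-Object { $_ -like 'HKLM:\Software\*' } |
             ForEach-Object { $_ -replace '^HKLM:\\Software\\', 'HKLM:\Software\WOW6432Node\' }
}

Write-Host '== Run-style registry keys =='
$keys | ForEach-Object { Get-RegistryAutostart -Path $_ } |
    Format-Table Location, Name, Value -AutoSize -Wrap | Out-Host

Write-Host '== Winlogon Userinit / Shell =='
$wl = Get-ItemProperty -LiteralPath 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Userinit is a comma-separated list; the default holds exactly one program.
$userinit = @(($wl.Userinit -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
if ($userinit.Count -ne 1 -or $userinit[0] -ne $expected) {
    Write-Warning "Userinit is not the default: $($wl.Userinit)"
} else { "Userinit = $($wl.Userinit)  (default)" }
if ($wl.Shell -ne 'explorer.exe') { Write-Warning "Shell is not explorer.exe: $($wl.Shell)" }
else { "Shell = $($wl.Shell)  (default)" }
# A per-user Shell value takes precedence over the machine-wide one and is rarely legitimate.
$userShell = (Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' `
              -ErrorAction SilentlyContinue).Shell
if ($userShell) { Write-Warning "Per-user Shell override present: $userShell" }

Write-Host '== AppInit_DLLs (64-bit and 32-bit views) and HKCU load =='
foreach ($p in 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $w = Get-ItemProperty -LiteralPath $p
    '{0}: AppInit_DLLs="{1}" LoadAppInit_DLLs={2} RequireSignedAppInit_DLLs={3}' -f `
        $p, $w.AppInit_DLLs, $w.LoadAppInit_DLLs, $w.RequireSignedAppInit_DLLs
}
$load = (Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' `
         -ErrorAction SilentlyContinue).load
if ($load) { Write-Warning "HKCU ...\Windows\load is set: $load" }

Write-Host '== Startup folders (all users, then current user) =='
foreach ($folder in 'CommonStartup', 'Startup') {
    $dir = [Environment]::GetFolderPath($folder)
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        Select-Object @{ n = 'Location'; e = { $dir } }, Name, LastWriteTime |
        Format-Table -AutoSize | Out-Host
}
```

Two caveats when reading the output. On Windows 8 and later the AppInit_DLLs mechanism is disabled while Secure Boot is on, so a populated value there is not necessarily being loaded; the LoadAppInit_DLLs and RequireSignedAppInit_DLLs values printed beside it show whether the feature is enabled and restricted to signed DLLs. And Winlogon notification packages were dropped in Windows Vista, so an absent Winlogon\Notify key is the normal state on anything current; the script simply skips keys that do not exist.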


Security products usually consist of several components, for example:
  • One or more file-system filter drivers that live in the kernel. Usually these are minifilters, which can be listed with the command-line tool fltmc.exe. You can also see the drivers loaded into the "System" process with a tool such as Process Explorer. They are most likely responsible for filtering file opens and closes and for asking the user-mode service to scan a file before access to it is allowed.
  • Possibly further drivers for filtering network traffic: NDIS filter drivers on older platforms such as Win 7, and WFP drivers on newer platforms such as Win 8.1 and later. For legacy reasons a combination of both may be installed.
  • One or more user-mode services, which you can see by running services.msc. One of them usually loads the virus data and performs the actual scanning. There are often other services for management and for additional features such as web control, device control, data control, updates and so on.
  • Possibly additional processes started from the registry "Run" key (or the Start menu) that run in the context of the logged-on user. These usually provide the user interface and handle messages to the user, for example the message that malware has been detected.
In short, a complete security product is usually a combination of user-mode services, drivers, and processes running as the logged-on user. From your question it sounds like you are looking at the latter. By running services.msc you can see the user-mode services, and by running driverquery.exe or even a tool like msinfo32 you can see the drivers. Both the user-mode services and the kernel drivers are referenced in the Service Control Manager (SCM) database under hklm\system\currentcontrolset\services.
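As an added example (not part of the answer above, and not code from Avast or any vendor), the following PowerShell script maps the layers that answer describes for one installed product: kernel drivers and user-mode services from the SCM database under HKLM\System\CurrentControlSet\Services, the Early-Launch load-order group that ELAM drivers belong to (the mechanism eckes mentions in the comments), loaded minifilters from fltmc.exe, and the per-user UI entries in the Run keys. The vendor name is an assumption: $Vendor is set to 'Avast' to match the question and is used as a case-insensitive substring of service names and image paths, so change it for another product. The script is read-only and should be run from an elevated prompt.

```powershell
# Added example, not part of the original answer. Maps the layers described
# above for one security product: drivers and services in the SCM database,
# the Early-Launch (ELAM) driver group, loaded minifilters via fltmc.exe, and
# the per-user UI entries in the Run keys. $Vendor is an assumption; set it to
# a substring of your product's service or file names. Read-only; run elevated.

$Vendor = 'Avast'

# SCM Start and Type codes as stored in the registry.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$typeNames  = @{ 1 = 'KernelDriver'; 2 = 'FileSystemDriver'; 16 = 'Win32OwnProcess'; 32 = 'Win32ShareProcess' }

function Get-ScmEntries {
    # Every driver and service the Service Control Manager knows about (services.msc shows only services).
    Get-ChildItem -LiteralPath 'HKLM:\System\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath
        $type = [int]$p.Type
        $start = $p.Start
        [pscustomobject]@{
            Name      = $_.PSChildName
            Type      = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { $type }
            StartCode = $start
            Start     = if ($null -ne $start) { $startNames[[int]$start] } else { $null }
            Group     = $p.Group
            ImagePath = $p.ImagePath
        }
    }
}

$all = Get-ScmEntries

Write-Host "== SCM entries matching '$Vendor' (kernel drivers and user-mode services) =="
$all | Where-Object { $_.Name -like "*$Vendor*" -or $_.ImagePath -like "*$Vendor*" } |
    Sort-Object StartCode, Type |
    Format-Table Name, Type, Start, Group, ImagePath -AutoSize -Wrap | Out-Host

Write-Host '== Early-Launch group: ELAM drivers, started before other third-party boot drivers =='
$all | Where-Object { $_.Group -eq 'Early-Launch' } |
    Format-Table Name, Start, ImagePath -AutoSize -Wrap | Out-Host

Write-Host '== Loaded minifilters (fltmc filters); the anti-virus altitude range is 320000-329999 =='
fltmc.exe filters | Select-Object -Skip 2 | ForEach-Object {
    # Columns: Filter Name, Num Instances, Altitude, Frame (whitespace separated).
    $cols = @(($_ -split '\s+') | Where-Object { $_ })
    if ($cols.Count -ge 3) {
        [pscustomobject]@{
            Filter        = $cols[0]
            Instances     = $cols[1]
            Altitude      = $cols[2]
            MatchesVendor = ($cols[0] -like "*$Vendor*")
        }
    }
} | Sort-Object { $a = 0.0; if ([double]::TryParse($_.Altitude, [ref]$a)) { $a } else { -1 } } -Descending |
    Format-Table -AutoSize | Out-Host

Write-Host "== Run-key entries matching '$Vendor' (UI processes in the logged-on user's context) =="
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $item = Get-Item -LiteralPath $k
    foreach ($name in $item.GetValueNames()) {
        $value = $item.GetValue($name)
        if ($name -like "*$Vendor*" -or $value -like "*$Vendor*") { '{0}\{1} = {2}' -f $k, $name, $value }
    }
}
```

The script reads the Services registry key rather than calling Get-Service because Get-Service and services.msc list only Win32 services; the registry key is the single place where the SCM records drivers and services alike, which is the point the answer closes on. driverquery.exe /v is the console equivalent for the driver half. The network layer is left out because WFP callouts and filters are not printed to the console: netsh wfp show state writes them to an XML file (wfpstate.xml) that has to be inspected separately.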
