Source : http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/#O4Diag
Using Regedit - Registry Tweak
O4 Section
This section corresponds to certain registry keys and startup folders that are used to automatically start an application when Windows starts. O4 keys are the HJT entries that the majority of programs use to autostart, so particular care must be used when examining these keys. The O4 Registry keys and directory locations are listed below and apply, for the most part, to all versions of Windows.
As of HijackThis version 2.0, HijackThis will also list entries for other users that are actively logged into a computer at the time of the scan by reading the information from the HKEY_USERS registry key. If a user is not logged on at the time of the scan, their user key will not be loaded, and therefore HijackThis will not list their autoruns. When working on HijackThis logs it is not advised to use HijackThis to fix entries in a person's log when the user has multiple accounts logged in. We advise this because the other user's processes may conflict with the fixes we are having the user run.
The current locations that O4 entries are listed from are:
Directory Locations:
User's Startup Folder: Any files located in a user's Start Menu Startup folder will be listed as O4 - Startup. On Windows 2000 and XP this folder is C:\Documents and Settings\USERNAME\Start Menu\Programs\Startup; on Windows Vista and later it is C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. These entries are executed when that particular user logs on to the computer.
All Users Startup Folder: These items refer to applications that load by being placed in the All Users profile Start Menu Startup folder and will be listed as O4 - Global Startup. On Windows 2000 and XP this folder is C:\Documents and Settings\All Users\Start Menu\Programs\Startup; on Windows Vista and later it is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. These entries are executed when any user logs on to the computer.
Startup Registry Keys: O4 entries that come from the Registry start with the abbreviated registry key in the entry listing, for example HKLM\..\Run. Examples and their descriptions can be seen below. For all of the keys below, if the key is located under HKCU, the program is launched only when that particular user logs on to the computer. If the key is located under HKLM, the program is launched for every user who logs on to the computer.
Note: In the listing below, HKLM stands for HKEY_LOCAL_MACHINE and HKCU stands for HKEY_CURRENT_USER.
The Run keys launch a program automatically whenever a user (HKCU) or any user (HKLM) logs on to the machine. They are the most common autostart location, used by legitimate software and malware alike.
Run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The RunOnce keys launch a program the next time a user, or all users, logs on to the computer. Once the program has been launched its value is removed from the Registry, so it does not run again on subsequent logons.
RunOnce keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
The RunServices keys launch a service or background process whenever a user, or all users, logs on to the computer. Note that only Windows 95, 98 and ME process these keys; the Windows NT-based versions (2000, XP, Vista and later) ignore them, so an entry found there on those systems will not actually run.
RunServices keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
The RunServicesOnce keys work like the RunServices keys, except that when a program is launched from a RunServicesOnce key its entry is removed from the Registry so it does not run again on subsequent logons. Like RunServices, these keys are only honoured by Windows 95, 98 and ME.
RunServicesOnce keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
The RunOnceEx key launches programs once and then removes their entries from the Registry. It is typically used by installation or update programs that need to finish their work on the next logon.
RunOnceEx key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
The Policies\Explorer\Run keys let an administrator use a group policy setting to have a program launch automatically when a user, or all users, logs on to the computer. Under the Policies\Explorer\Run key is a series of values, each with a program name or command line as its data; at logon every value under the key is executed and the corresponding program is launched. Because these keys are inspected less often than the ordinary Run keys, malware also uses them for persistence; the iesmn.exe entry in the example listings below is one such case.
Policies\Explorer\Run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
A complete listing of other startup locations that are not necessarily included in HijackThis can be found here : Windows Program Automatic Startup Locations
A sample of the type of O4 listings that you can see in HijackThis can be seen below:
Example Listings:
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - S-1-5-21-1222272861-2000431354-1005 Startup: numlock.vbs (User 'BleepingComputer.com')
O4 - HKUS\S-1-5-21-1222272861-2000431354-1005\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (User 'BleepingComputer.com')
- O4 - HKLM\..\Run: [nwiz] nwiz.exe /install - This entry corresponds to a startup launched from HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Because the key is under HKLM it applies to every user who logs on, not just the current one. The name of the Registry value is nwiz, and when the entry is started it runs the command nwiz.exe /install. Note that the command gives no path, so Windows locates nwiz.exe through its normal search order.
- O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe - This entry corresponds to a program started by a shortcut in the All Users Startup Folder, located at C:\Documents and Settings\All Users\Start Menu\Programs\Startup on Windows XP. HijackThis shows the shortcut (.lnk) name followed by the program it points to.
- O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe - This entry corresponds to a value located under the HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run key. The name of the Registry value is user32.dll and its data is C:\Program Files\Video ActiveX Access\iesmn.exe. This particular example happens to be malware related: the value name borrows the name of a legitimate Windows system file to look harmless, while the data points to an unrelated program in its own folder. Judge an O4 entry by the program it launches, not by its value name.
- O4 - S-1-5-21-1222272861-2000431354-1005 Startup: numlock.vbs (User 'BleepingComputer.com') - This particular entry is a little different. There is a long series of numbers at the front, and the user it belongs to is stated at the end. Those numbers are the user's SID, or security identifier, a value that is unique to each user account on the computer. This SID translates to the Windows user BleepingComputer.com, as shown at the end of the entry. The rest of the entry is the same as a normal one: the program is launched from that user's Start Menu Startup folder, and the program being launched is the script numlock.vbs.
- O4 - HKUS\S-1-5-21-1222272861-2000431354-1005\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (User 'BleepingComputer.com') - This type of entry is similar to the first example, except that it is read from the BleepingComputer.com user's own Run key. HKUS stands for HKEY_USERS; the key HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run is that user's HKCU\..\Run as seen from another account, so the program runs only when that user logs on. This is just another example of HijackThis listing other logged-in users' autostart entries.
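To make the mapping between the O4 formats above and the registry keys and Startup folders listed earlier concrete, here is an added Python example; it is not code from the BleepingComputer tutorial or from HijackThis. It parses O4 lines into structured records, reconstructs the full key path from the abbreviated HKLM\..\Run form, resolves HKUS\<SID> entries to HKEY_USERS\<SID>, and raises a few triage flags a log reviewer would want: a value name that imitates a Windows system file (the user32.dll case), an unquoted path containing spaces, a bare file name resolved through the search path (the nwiz.exe case), a script in a Startup folder (the numlock.vbs case), and a RunServices entry that Windows NT-based systems never execute. The sample log is the page's own example listings, plus one constructed RunServices line; the flag heuristics and all function names are this example's own, not HijackThis behaviour.

```python
# Parse HijackThis O4 lines back to the startup locations they came from.
# Added example: not code from the BleepingComputer tutorial or from HijackThis.
# Sample log = the page's own example listings ("04" corrected to "O4") plus one
# constructed RunServices line; the triage flags are this example's own heuristics.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Abbreviated subkey as HijackThis prints it -> full path beneath the hive.
KEY_PATHS = {
    "Run": r"Software\Microsoft\Windows\CurrentVersion\Run",
    "RunOnce": r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "RunServices": r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    "RunServicesOnce": r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    "RunOnceEx": r"Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"Policies\Explorer\Run": r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
}
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
SCRIPT_EXTS = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".pif", ".scr")

# "O4 - HKLM\..\Run: [name] command (User 'x')"; HKUS\<SID> means HKEY_USERS\<SID>.
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\(?P<sid>S-1-5-[\d-]+))\\\.\.\\(?P<subkey>.+?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# "O4 - Startup: x.lnk = target", "O4 - Global Startup: ...", "O4 - <SID> Startup: ...".
STARTUP_RE = re.compile(
    r"^O4 - (?:(?P<sid>S-1-5-[\d-]+) )?(?P<glob>Global )?Startup: "
    r"(?P<item>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
# Program = the quoted string, or everything up to the first known extension,
# so an unquoted C:\Program Files\...\x.exe is not cut at its first space.
EXE_RE = re.compile(
    r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|bat|cmd|vbs|js|scr|pif)))(?:\s+(?P<args>.*))?$',
    re.I)

@dataclass
class O4Entry:
    location: str           # full registry key, or which Startup folder
    scope: str              # "all users", "current user", or the owning user
    name: str               # registry value name or Startup-folder file name
    target: str             # program launched (best effort)
    args: str = ""
    sid: Optional[str] = None
    user: Optional[str] = None
    flags: List[str] = field(default_factory=list)

def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one O4 line; returns None for anything that is not an O4 entry."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        hive, sid, subkey = m.group("hive"), m.group("sid"), m.group("subkey")
        if subkey not in KEY_PATHS:
            return None
        root = f"HKEY_USERS\\{sid}" if sid else HIVES[hive]
        scope = "all users" if hive == "HKLM" else (m.group("user") or sid or "current user")
        c = EXE_RE.match(m.group("cmd").strip())
        exe = (c.group("q") or c.group("u")) if c else m.group("cmd").strip()
        e = O4Entry(f"{root}\\{KEY_PATHS[subkey]}", scope, m.group("name"), exe,
                    (c.group("args") or "") if c else "", sid, m.group("user"))
        if subkey.startswith("RunServices"):
            e.flags.append("RunServices* keys are only processed by Windows 9x/ME")
        if e.name.lower().endswith((".dll", ".sys")):
            e.flags.append("value name mimics a Windows system file")
        if "\\" not in exe:
            e.flags.append("bare file name: resolved through the search path")
        elif " " in exe and not (c and c.group("q")):
            e.flags.append("unquoted path containing spaces")
        if exe.lower().endswith(SCRIPT_EXTS):
            e.flags.append("launches a script")
        return e
    m = STARTUP_RE.match(line)
    if m:
        sid, user = m.group("sid"), m.group("user")
        name, _, target = m.group("item").partition(" = ")   # "x.lnk = target"
        if m.group("glob"):
            location, scope = "All Users Startup folder", "all users"
        elif sid:
            location, scope = f"Startup folder of {sid}", (user or sid)
        else:
            location, scope = "current user's Startup folder", "current user"
        e = O4Entry(location, scope, name, target or name, "", sid, user)
        if (target or name).lower().endswith(SCRIPT_EXTS):
            e.flags.append("launches a script")
        return e
    return None

def parse_log(text: str) -> List[O4Entry]:
    """Parse every O4 line in a HijackThis log; other sections are skipped."""
    return [e for e in (parse_o4(ln) for ln in text.splitlines()) if e]

# The tutorial's five example listings; line 2 (RunServices) is constructed here.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [oldsvc] C:\WINDOWS\oldsvc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - S-1-5-21-1222272861-2000431354-1005 Startup: numlock.vbs (User 'BleepingComputer.com')
O4 - HKUS\S-1-5-21-1222272861-2000431354-1005\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (User 'BleepingComputer.com')
"""
```

Calling parse_log(SAMPLE_LOG) returns six O4Entry records. The iesmn.exe entry comes back with location HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run and two flags (system-file value name, unquoted path with spaces), while the Windows Defender entry under HKUS resolves to HKEY_USERS\S-1-5-21-1222272861-2000431354-1005\...\Run with scope BleepingComputer.com and no flags. The flags are only hints for where to look first; the actual verdict still comes from checking the launched program against the startup databases listed below.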
When examining O4 entries and trying to determine what they are for, you should consult one of the following lists:
Bleeping Computer Startup Database
Answers that work
Greatis Startup Application Database
Pacman's Startup Programs List
Pacman's Startup Lists for Offline Reading
Kephyr File Database
Wintasks Process Library
Windows Startup Online Database