Thread starter: Deker

[Help] XT is preparing to add a system repair feature; please contribute repair methods

lusix
Posted on 2010-4-5 00:36:49
Monitor the registry with Regmon, then run any registry repair tool, test the repair items, record them, and just copy them; I've done this before! It's very simple. I suggest not adding this feature; there are too many similar tools! There's no need to bloat your software! Don't end up like 360 and the rest!
nijiuaiwoa
Posted on 2010-4-5 06:30:57
I've run into what #7 described too, it's really frustrating.
hdlcpqs
Posted on 2010-4-5 09:51:29
Registry security & settings keys explained
Storage location of Group Policy settings

(※ Consider allowing C:\WINDOWS\system32\mmc.exe and c:\windows\system32\winlogon.exe to modify these, and prompting for every other program.)
*\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\*
*\Software\Microsoft\Windows\CurrentVersion\Group Policy\*
*\Software\Microsoft\Windows\CurrentVersion\Policies\*
*\Software\Policies\Microsoft\*

※ Commonly used Group Policy entries explained

Remove the "Run" command
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun\*
Hide/show Folder Options
*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions*
Remove the "Find" command
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
Remove the Taskbar from the "Start" menu's "Properties"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar
Hide drives in "My Computer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Don't save settings on exit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
Run only allowed Windows programs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\*
Disable the User Profiles page in Passwords
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoProfilePage\*
Disable the system right-click context menu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu\*
Disable the taskbar right-click context menu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu\*
Prevent changes to the Start button context menu
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoChangeStartMenu\*
Disable the "Display" control panel
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL\*
Hide the Background page
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage\*
Hide the Screen Saver page
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage\*
Hide the Appearance page
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage\*
Hide the Settings page
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage\*
Disable the "Network" control panel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoNetSetup\*
Hide the Identification page
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoNetSetupIDPage\*
Hide the Access Control page
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoNetSetupSecurityPage\*
Hide the "Passwords" control panel
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoNetSetupSecurityPage\*
Hide the Change Passwords page
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoPwdPage\*
Hide the Remote Administration page
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoAdminPage\*
Hide the User Profiles page
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoProfilePage\*
Hide the General and Details pages
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs\*
Prevent deleting printers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDeletePrinter\*
Prevent adding printers
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAddPrinter\*
Hide the Device Manager page
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDevMgrPage\*
Hide the Hardware Profiles page
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConfigPage\*
Hide the "File System" button
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoFileSysPage\*
Hide the "Virtual Memory" button
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoVirtMemPage\*
Disable file sharing controls
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoFileSharingControl\*
Disable print sharing controls
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoPrintSharingControl\*
Hide the "Start" menu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders\*
Remove the "Run" command
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun\*
Remove folders from "Settings" on the "Start" menu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders\*
Remove the "Find" command
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind\*
Hide drives in "My Computer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives\*
Hide "Network Neighborhood"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood\*
No "Entire Network" in "Network Neighborhood"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoEntireNetwork\*
No workgroup contents in "Network Neighborhood"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoWorkgroupContents\*
Hide all items on the desktop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop\*
Disable the "Shut Down" command
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose\*
Don't save settings on exit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose\*
Disable Registry Editor
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools\*
Run only allowed Windows programs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\*
Disable CD autorun
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun\*
Automatically clear the document history on every shutdown (or logoff)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClearRecentDocsOnExit\
Turn off the "Start" menu animated tip
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartBanner\*

Browser settings

Customize the IE temporary directory
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache\*
Customize Cookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies\*
Customize "Favorites"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Favorites\*
Customize "History"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\History\*
Set the toolbar background for browsers (IE and Windows Explorer)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\BackBitmap\*
Set the IE title bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title\*
Don't check for IE updates
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\NoUpdateCheck\*
Disable the General page
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\NoGeneralTab\*
Disable changing the home page settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage\*
Disable changing the accessibility settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\Accessibility\*
Internet Explorer/IIS secure channel (SCHANNEL) settings
*\SYSTEM\*ControlSet*\Control\SecurityProviders\SCHANNEL\Protocols\*

Explorer settings

Right-align menus
HKEY_CURRENT_USER\Control Panel\Desktop\MenuDropAlignment\*
Hide/show hidden files:
*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden*
Hide/show the Run item on the Start menu
*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuRun\*
Desktop wallpaper settings
*\Internet Explorer\Desktop\General\Wallpaper\*
*\Internet Explorer\Desktop\General\BackupWallpaper\*
*\Internet Explorer\Desktop\General\WallpaperFileTime\*
*\Internet Explorer\Desktop\General\TileWallpaper\*
*\Internet Explorer\Desktop\General\ConvertedWallpaper\*
*\Internet Explorer\Desktop\General\OriginalWallpaper\*
*\Internet Explorer\Desktop\General\WallpaperStyle\*
*\Control Panel\Desktop\Wallpaper\*
*\Control Panel\Desktop\BackWallpaper\*
*\Control Panel\Desktop\OriginalWallpaper\*
*\Control Panel\Desktop\ConvertedWallpaper\*
*\Control Panel\Desktop\TileWallpaper\*
*\Control Panel\Desktop\WallpaperStyle\*
Don't show the "Shortcut to" string when creating new shortcuts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Link\*
Customize the "Programs" folder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Programs\*
Customize desktop icons
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop\*
Customize the "Startup" folder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup\*
Customize Network Neighborhood
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\NetHood\*
Customize the "Start" menu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Start Menu\*
Customize "Documents" on the Start menu
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Recent\*
Customize the "My Documents" folder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal\*
Start menu speed
HKEY_USERS\.DEFAULT\Control Panel\Desktop\MenuShowDelay\*
Start menu speed
HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{00021400-0000-0000-C000-000000000046}\MenuShowDelay\*
Turn off menu animation
HKEY_USERS\.DEFAULT\Control Panel\Desktop\WindowMetrics\MinAnimate\*
Turn off smooth scrolling
HKEY_USERS\.DEFAULT\Control Panel\Desktop\SmoothScroll\*
Turn off animated windows, menus and lists
HKEY_USERS\.DEFAULT\Control Panel\Desktop\UserPreferencemask\*
Prepend a string to the time shown in the system tray
HKEY_CURRENT_USER\Control Panel\International\StimeFormat\*
Maximum number of folder view settings the system remembers
*\Software\Microsoft\Windows\Shell\BagMRU Size\*
*\Software\Microsoft\Windows\ShellNoRoam\BagMRU Size\*
"New" menu items
*\ShellEx\ContextMenuHandlers\*
Screen saver settings
HKCU\Control Panel\Desktop\ScreenSaveActive\*
HKCU\Control Panel\Desktop\ScreenSaveIsSecure\*
HKCU\Control Panel\Desktop\SCRNSAVE.EXE\*
LAN file sharing settings <some viruses spread across the LAN through this>
*\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\Shared\*

System settings

Customize the Windows temporary folder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Templates\*
Don't automatically search for network folders and printers
*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling\*
Beep on errors
HKEY_CURRENT_USER\Control Panel\Sound\Beep\*
Don't display the last logged-on user name
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\DontDisplayLastUserName\*
Allow shutdown before logon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\ShutdownWithoutLogon\*
Shorten the wait before Ctrl+Alt+Del ends unresponsive programs (ms)
HKEY_USERS\.DEFAULT\Control Panel\Desktop\WaitToKillAppTimeout\*
Shorten the wait for a hung application to respond (ms)
HKEY_USERS\.DEFAULT\Control Panel\Desktop\HungAppTimeout\*
Windows automatically restores the desktop after Explorer crashes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\AutoRestartShell\*
Low-level file system settings <low-level entry>
HKLM\SYSTEM\*ControlSet*\Control\FileSystem\*
Windows system file storage location/backup settings <important entry>
HKLM\SYSTEM\*ControlSet*\Control\BackupRestore\*
Scheduled task settings <programs can be run on a schedule through this key>
*\SYSTEM\*ControlSet*\Services\Schedule\*
VB/VBA program settings/debug data
HKCR\Software\VB and VBA Program Settings\*
Internet Explorer DLL load location <where Internet Explorer reads the DLLs it loads; some malware uses this to load or revive itself when Internet Explorer starts>
*\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\*
INI file registry mapping
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\*
MountPoints entry <registry storage for Autorun.inf contents; a key defense point against USB autorun viruses>
*\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\*
Windows program paths <holds the path records of common programs; beware of viruses maliciously pointing them at virus paths. Personally I think allowing globally with logging, then reviewing periodically, is more appropriate? Or is it better to just apply a prompt rule?>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\*
Default URL prefix <some viruses modify DefaultPrefix\default here; generally just deny writes here>
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\*
Svchost configuration <each value under this key represents a separate Svchost group and holds the Svchost load entries; for Microsoft's official explanation see: http://support.microsoft.com/kb/314056/zh-cn>
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\*
System File Checker parameters
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable\*
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan\*
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCQuota\*
Command Processor configuration parameters
*\Software\Microsoft\Command Processor\*
Malware uses the value below to launch other applications before the command prompt runs
*\Software\Microsoft\Command Processor\AutoRun\*
Command extensions switch
*\Software\Microsoft\Command Processor\EnableExtensions\*
My Computer configuration parameters
Backup program path storage key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\BackupPath\*
Disk Cleanup program storage key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\cleanuppath\*
Disk Defragmenter program storage key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\DefragPath\*
Accessibility tools configuration parameters
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\*
Safe Mode configuration parameters <protection recommended>
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell\*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SafeBoot\Minimal\*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\SafeBoot\Network\*
DrWatson32 configuration parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto\* <whether to start automatically>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger\* <startup parameters>
System environment variable parameters
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\Environment\*
HKEY_CURRENT_USER\Environment\*
HKEY_USERS\*\Environment\*
Command Processor configuration parameters <defines the path and file name of the command processor>
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Session Manager\Environment\ComSpec\*
Outlook Express settings storage location
HKEY_CURRENT_USER\Identities\*\Software\Microsoft\Outlook Express\*
Startup and Recovery configuration parameters
*\SYSTEM\*ControlSet*\Control\CrashControl\*
Certificates: Trusted Publishers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\*
System Restore configuration parameters
*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\*
Windows Automatic Updates configuration parameters
*\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\*
Windows Firewall configuration parameters
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\SharedAccess\Parameters\FirewallPolicy\*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\SharedAccess\Parameters\FirewallPolicy\*\AuthorizedApplications\List\*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\SharedAccess\Parameters\FirewallPolicy\*\GloballyOpenPorts\List\*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\SharedAccess\Parameters\FirewallPolicy\*\IcmpSettings\*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\SharedAccess\Parameters\FirewallPolicy\*\*\*
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Services\SharedAccess\Enum\*
Windows Security Center configuration parameters
*\SOFTWARE\Microsoft\Security Center\*
Windows Terminal Server configuration parameters
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\Terminal Server\*
Telnet server configuration parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\*
WOW settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot\* <Lists drivers and Windows 3.x modules, with these entries and default values to map Windows 3.x drivers to Windows NT. Driver and Windows 3.x module load entries>
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\WOW\cmdline\* <Defines the command line that runs when an MS-DOS-based application runs under Windows NT. Other programs loaded alongside a DOS program>
HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\Control\WOW\wowcmdline\*\* <Defines the command line that runs when a 16-bit Windows-based application is started. Other programs loaded alongside a 16-bit program>

User account settings

(Use a prompt rule for modifications to the first entry (it holds the common user account settings); the second should generally be blocked (it is the parent of the first and contains the account group data; decide for yourself, and if you need to modify groups you can consider a prompt rule there too). c:\windows\system32\lsass.exe can be allowed directly.)
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\*
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\*

Automatic program termination settings

Program termination timeout
*\Control Panel\Desktop\WaitToKillAppTimeout*
Program hang timeout
*\Control Panel\Desktop\HungAppTimeOut*
Automatically end tasks
*\Control Panel\Desktop\AutoEndTasks*
Service termination timeout
HKLM\SYSTEM\*ControlSet*\Control\WaitToKillServiceTimeout*


hdlcpqs
Posted on 2010-4-5 09:52:41
Registry defense locations

Autostart entries

*\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms*
*\Software\Microsoft\Command Processor\AutoRun*
*\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping\*
*\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load*
*\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run*
*\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\*
*\Software\Microsoft\Windows NT\CurrentVersion\WOW\boot\*
*\Software\Microsoft\Windows NT\CurrentVersion\WOW\NonWindowsApp\*
*\Software\Microsoft\Windows NT\CurrentVersion\WOW\standard\*
*\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\*
*\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Startup*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup*
*\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run*
*\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell\*
*\Software\Microsoft\Windows\CurrentVersion\Run*
*\Software\Microsoft\Windows\CurrentVersion\Runonce*
*\Software\Microsoft\Windows\CurrentVersion\Runservices*
*\Software\Microsoft\Internet Explorer\URLSearchHooks\*
*\Software\Policies\Microsoft\Windows\System\Scripts*
HKLM\System\*ControlSet*\Control\WOW\*
HKLM\System\*ControlSet*\Control\Session Manager\BootExecute*
HKLM\System\*ControlSet*\Control\Session Manager\PendingFileRenameOperations*
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries*
HKLM\System\CurrentControlSet\Control\Lsa\AuthenticationPackages*
HKLM\System\CurrentControlSet\Control\Lsa\NotificationPackages*
HKLM\System\CurrentControlSet\Control\Lsa\SecurityPackages*
HKLM\System\CurrentControlSet\Control\NetworkProvider\Order*
HKLM\System\CurrentControlSet\Control\Print\Monitors*
HKLM\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders*
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls*
HKLM\System\CurrentControlSet\Services*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs*
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler*
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers*
HKLM\Software\Microsoft\Internet Explorer\Extensions*
HKLM\Software\Microsoft\Active Setup\Installed Components*
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs*
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers*
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers*
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers*
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers*
HKLM\Software\Classes\Directory\Shellex\DragDropHandlers*
HKLM\Software\Classes\Directory\Shellex\PropertySheetHandlers*
HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers*
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers*
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers*
HKLM\Software\Classes\Protocols\Filter*
HKLM\Software\Classes\Protocols\Handler*
HKCU\Control Panel\Desktop\SCRNSAVE.EXE
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks*

Services & driver loading

HKLM\System\*ControlSet*\Services\*
HKLM\System\*ControlSet*\Control\SafeBoot\*
HKLM\System\*ControlSet*\Control\BackupRestore\*
HKLM\System\*ControlSet*\Control\ComputerName\*
HKLM\System\*ControlSet*\Control\GroupOrderList\*
HKLM\System\*ControlSet*\Control\Lsa\*
HKLM\System\*ControlSet*\Control\MprServices\*
HKLM\System\*ControlSet*\Control\Print\Monitors\*
HKLM\System\*ControlSet*\Control\ServiceGroupOrder\*
HKLM\System\*ControlSet*\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\*
HKLM\Software\Microsoft\Ole*
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost\*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers\*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32\*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WOW\boot\*
HKEY_LOCAL_MACHINE\System\*controlset*\Services\*
HKEY_LOCAL_MACHINE\System\*controlset*\Services\*imagepath
HKEY_LOCAL_MACHINE\System\*controlset*\Control\Safeboot***
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Shellserviceobjectdelayload**

File associations & default icons, etc.

HKCR\.*\*
HKCR\Shell*
HKCR\Comfile*
HKCR\Folder\Shell*
HKCR\Directory\Shell*
HKCR\Unknown\Shell*
HKCR\?\Shell\*
HKCR\*\ShellNew*
HKCR\*\Shell\*\Command*
HKCR\*\NeverShowExt
HKCR\*\AlwaysShowExt
*\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*\*
HKCR\CLSID\{7EFFAAFF-EA0A-1A3A-CBCD-F13522D53649}\InProcServer32\*
HKEY_CLASSES_ROOT\Exefile\Shell\Open\Command*
HKEY_CLASSES_ROOT\Comfile\Shell\Open\Command*
HKEY_CLASSES_ROOT\Batfile\Shell\Open\Command*
HKEY_CLASSES_ROOT\Piffile\Shell\Open\Command*
HKEY_CLASSES_ROOT\.bat*
HKEY_CLASSES_ROOT\.cmd*
HKEY_CLASSES_ROOT\.exe*
HKEY_CLASSES_ROOT\.txt*
HKEY_CLASSES_ROOT\.pif*
HKEY_CLASSES_ROOT\Txtfile\Shell\Open\Command*
HKEY_CLASSES_ROOT\.com*
HKEY_CLASSES_ROOT\Comfile*
HKEY_CLASSES_ROOT\.reg*
HKEY_CLASSES_ROOT\Regfile\Shell\Open\Command*
HKEY_CLASSES_ROOT\.inf*
HKEY_CLASSES_ROOT\Inffile\Shell\Open\Command*
HKEY_CLASSES_ROOT\.hlp*
HKEY_CLASSES_ROOT\Hlpfile\Shell\Open\Command*
HKEY_CLASSES_ROOT\.chm*
HKEY_CLASSES_ROOT\Chm.file\Shell\Open\Command*

USB viruses & autorun

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\*\Shell\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run***
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run***
HKEY_LOCAL_MACHINE\System\*controlset*\Control\Session manager\BootExecute
HKEY_CURRENT_USER\Software\Microsoft\Windows nt\Currentversion\Windows\load
HKEY_CURRENT_USER\Software\Microsoft\Windows nt\Currentversion\Windows\run
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\Explorer\Run*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies\Explorer\Run*
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts*
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders\Startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Runonce*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Runonce*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Runonceex*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Runservices*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Shell folders\Common Startup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\User shell folders\Common Startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Explorer\User shell folders\Startup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Inifilemapping**

Other important entries

*\Software\Microsoft\Driver Signing\Policy* [controls whether driver signature checking is enforced]
*\Software\Policies\* [stores security policy settings]
HKUS\*\Environment\Path [environment variables]
HKUS\*\Control Panel\Desktop\SCRNSAVE.EXE [screen saver program entry]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\* [stores the list of programs in scheduled tasks]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\* [image hijacking]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution\* [image hijacking]
HKLM\Software\Classes\Protocols\Filter\* [network protocols]
HKLM\Software\Classes\Protocols\Handler\* [network protocols]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons* [system icons]
*\Software\Classes\*file\DefaultIcon [system icons]
*\Software\Classes\CLSID\*\DefaultIcon [system icons]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\*\DefaultIcon [system icons]

Network related

HKLM\System\*ControlSet*\Services\Winsock2\*
HKLM\System\*ControlSet*\Services\Tcpip\Parameters\DataBasePath
HKLM\System\*ControlSet*\Services\Tcpip\Parameters\Interfaces\*
HKLM\System\*ControlSet*\Control\Session Manager\UserAgent*
HKLM\Software\Microsoft\Ras*
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Network\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\*
HKEY_LOCAL_MACHINE\System\*controlset*\Services\Winsock2***
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\Network*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies\Network*
HKEY_LOCAL_MACHINE\System\*controlset*\Services\Tcpip\Parameters\DataBasePath
HKEY_LOCAL_MACHINE\System\*controlset*\Services\Tcpip\Parameters\Interfaces***
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windowsupdate**
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windowsfirewall***
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windowsupdate**
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windowsfirewall***
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Sharedaccess\Parameters\Firewallpolicy*

Detailed security policies

HKCU\Control Panel\Desktop\*
HKCU\Software\Policies\Microsoft\*
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\Wallpaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnforceShellExtensionSecurity
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hid*
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\No*
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Documents\HideMyDocsFolder
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\IncludeSubFolders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Search*
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\*
HKCU\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore\*
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Open
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\*
HKLM\Software\Microsoft\Windows\CurrentVersion\NetCache\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall\*
HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\WindowsUpdate\*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKLM\Software\Policies\Microsoft\Windows\*
HKLM\System\ControlSet???\Services\Sharedaccess\Parameters\FirewallPolicy\*
HKLM\System\CurrentControlSet\Services\Sharedaccess\Parameters\FirewallPolicy\*
*\Software\Microsoft\Security Center\*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced*
*\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\*
*\Software\Microsoft\Windows\CurrentVersion\Policies\System\*

IE browser

*\Software\Microsoft\Internet Domains\*
*\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
*\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
*\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions
*\Software\Microsoft\Internet Explorer\Main\First Home Page
*\Software\Microsoft\Internet Explorer\Main\HOMEOldSP
*\Software\Microsoft\Internet Explorer\Main\Local Page
*\Software\Microsoft\Internet Explorer\Main\Start Page
*\Software\Microsoft\Internet Explorer\Main\Start Page_bak
*\Software\Microsoft\Internet Explorer\Main\Use Custom Search URL
*\Software\Microsoft\Internet Explorer\Main\Window Title
*\Software\Microsoft\Internet Explorer\Main\FeatureControl\*
*\Software\Microsoft\Internet Explorer\Main\Search*
*\Software\Microsoft\Internet Explorer\AboutURLs\*
*\Software\Microsoft\Internet Explorer\Activex Compatibility\*
*\Software\Microsoft\Internet Explorer\AdvancedOptions\*
*\Software\Microsoft\Internet Explorer\Desktop\Components\*
*\Software\Microsoft\Internet Explorer\Explorer Bars\*
*\Software\Microsoft\Internet Explorer\Extensions\*
*\Software\Microsoft\Internet Explorer\MenuExt\*
*\Software\Microsoft\Internet Explorer\Plugins\*
*\Software\Microsoft\Internet Explorer\Search\*
*\Software\Microsoft\Internet Explorer\SearchUrl*
*\Software\Microsoft\Internet Explorer\Styles\*
*\Software\Microsoft\Internet Explorer\Toolbar\*
*\Software\Microsoft\Internet Explorer\UrlSearchHooks\*
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigProxy
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Special Paths\Cookies\*
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MinLevel
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
*\Software\Microsoft\Windows\Currentversion\Internet Settings\Security_RunActiveXControls
*\Software\Microsoft\Windows\Currentversion\Internet Settings\Security_RunScripts
*\Software\Microsoft\Windows\Currentversion\Internet Settings\Safety Warning Level
*\Software\Microsoft\Windows\Currentversion\Internet Settings\Trust Warning Level
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites\*
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Security*
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\*
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Warnon*
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\*
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\*
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\*
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\User Agent\*
*\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\*
*\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\*
*\Software\Microsoft\Windows\CurrentVersion\Wintrust\Trust Providers\Software Publishing\*
*\Software\Clients\StartMenuInternet\*
*\Software\Microsoft\Windows\CurrentVersion\URL\*
*\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell\OpenHomePage\Command\*
HKLM\Software\Microsoft\Internet Explorer\Registration\ProductID
HKLM\Software\Microsoft\Code Store Database\Distribution Units\*
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Extensions**           *
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Extensions**                   *
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Menuext                 *
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Toolbar                 *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper objects*     *
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\styles        stylesheet
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet explorer\Toolbars\Restrictions   *
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet explorer\Infodelivery\Restrictions         *
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Main            Start Page
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Main            Default_Page_U...
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Main            Local Page
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Main        Start Page_bak
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Main        HOMEOldSP
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Main        Search Page
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Main        Default_Search_...
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Main        Start Page
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Main        Default_Page_U...
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Main        Local Page
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Main        Start Page_bak
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Main        HOMEOldSP
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Main        Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Main        Use Custom Sea...
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Main        Search Page
HKEY_USERS\.default\Software\Microsoft\Internet explorer\Main        Search Page
HKEY_USERS\.default\Software\Microsoft\Internet explorer\Main        Search Bar
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Search        CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Search        SearchAssistant
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Search        Default_Search_...
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\Ranges***
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\Ranges***
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet settings        MinLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet settings        Safety Warning L...
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet settings        Trust Warning Le...
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet settings        Security_RunActiv...
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Internet settings        Security_RunScri...
HKEY_USERS\.default\Software\Microsoft\Windows\Currentversion\Internet settings        MinLevel
HKEY_USERS\.default\Software\Microsoft\Windows\Currentversion\Internet settings        Safety Warning L...
HKEY_USERS\.default\Software\Microsoft\Windows\Currentversion\Internet settings        Security_RunActiv...
HKEY_USERS\.default\Software\Microsoft\Windows\Currentversion\Internet settings        Security_RunScri...
HKEY_USERS\.default\Software\Microsoft\Windows\Currentversion\Internet settings        Trust Warning Le...
HKEY_CLASSES_ROOT\Protocols\Filter***
HKEY_CLASSES_ROOT\Protocols\Handler***
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Searchurl**         *
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Urlsearchhooks**        *
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Advancedoptions       *
HKEY_LOCAL_MACHINE\Software\Microsoft\Active setup\Installed components*       *
HKEY_LOCAL_MACHINE\Software\Microsoft\Code store database\Distribution units*     *

Special items (quoted from moderator U's post)

*\Software\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\*
HKEY_CURRENT_USER\Control Panel\don't load\*
HKEY_CURRENT_USER\Environment\*
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\*
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Programs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayload*
HKLM\Software\Clients\Mail\*\Protocols\mailto*
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\don't load\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\*
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\*
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Extensions\*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Imagefile Execution Options\*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Secedit\*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Defaultpassword
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ReportBootOk
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFC*
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
HKLM\System\ControlSet???\Control\Session Manager\AllowProtectedRenames
HKLM\System\CurrentControlSet\Control\Session Manager\AllowProtectedRenames
HKLM\System\ControlSet???\Control\BootVerificationProgram\ImagePath
HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
HKLM\System\ControlSet???\Control\Session Manager\Memory Management\EnforceWriteProtection
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection
HKLM\System\ControlSet???\Control\Session Manager\ExcludeFromKnownDlls
HKLM\System\CurrentControlSet\Control\Session Manager\ExcludeFromKnownDlls
HKLM\System\ControlSet???\Control\Session Manager\Environment\*
HKLM\System\CurrentControlSet\Control\Session Manager\Environment\*
HKLM\System\ControlSet???\Control\Session Manager\Execute
HKLM\System\CurrentControlSet\Control\Session Manager\Execute
HKLM\System\ControlSet???\Control\Session Manager\KnownDlls*
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls*
HKLM\System\ControlSet???\Control\Session Manager\SetupExecute
HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
HKLM\System\ControlSet???\Control\Session Manager\SubSystems\*
HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\*
HKLM\System\ControlSet???\Control\VirtualDeviceDrivers\VDD
HKLM\System\CurrentControlSet\Control\VirtualDeviceDrivers\VDD
HKLM\System\ControlSet???\Control\Wmi\Globallogger*
HKLM\System\CurrentControlSet\Control\Wmi\Globallogger*
HKLM\System\LastKnownGoodRecovery*
HKLM\System\MountedDevices\*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Windows        AppInit_DLLs
HKEY_LOCAL_MACHINE\System\*controlset*\Control\Session manager*        FileRenameOpe...
HKEY_CURRENT_USER\Control panel\Don't load*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Control panel\Don't load*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Policies\System*
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies\System*
HKEY_CURRENT_USER\Control panel\Desktop        scrnsave.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Image file execution options***
HKEY_LOCAL_MACHINE\Software\Microsoft\Security center*
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\Codeidentifiers\0\Paths*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Shellexecutehooks**
HKEY_CURRENT_USER\Software\Microsoft\Command processor        Autorun
HKEY_LOCAL_MACHINE\Software\Microsoft\Command processor        AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Policies*
HKEY_CLASSES_ROOT\Clsid\{e6fb5e20-de35-11cf-9c87-00aa005127ed}*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon\Notify**
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Sharedtaskscheduler**
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Svchost**

Rogue and malicious program protection

HKEY_CLASSES_ROOT\Cns**
HKEY_CURRENT_USER\Software\3721   *
HKEY_LOCAL_MACHINE\Software\3721 *
HKEY_LOCAL_MACHINE\Software\Classes\Cns* *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\Helper.dll*
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Menuext\!搜一搜 *
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Advancedoptions\!cns*
HKEY_LOCAL_MACHINE\System\Controlset*\Enum\Root\Legacy_cnsmink*
HKEY_LOCAL_MACHINE\System\Controlset*\Services\Cnsminkp *
HKEY_CLASSES_ROOT\Assist* *
HKEY_CLASSES_ROOT\Autolive* *
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Main\Cns* *
HKEY_CLASSES_ROOT\Adkiller* *
HKEY_LOCAL_MACHINE\Software\Classes\Adkiller**
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Activex compatibility\{1b0e7716-898e-4...*
HKEY_CLASSES_ROOT\Coolbar**
HKEY_LOCAL_MACHINE\Software\Classes\Coolbar* *
HKEY_CURRENT_USER\Software\Yahoo*
HKEY_LOCAL_MACHINE\Software\Yahoo*
HKEY_CLASSES_ROOT\Zschkfile*
HKEY_CLASSES_ROOT\Ebay**
HKEY_USERS\S-1-5-**\Software\Microsoft\Internet explorer\Menuext\*ebay**
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\Ebay* *
HKEY_CLASSES_ROOT\Applications\Pig* *
HKEY_LOCAL_MACHINE\Software\Classes\Applications\Pig**
HKEY_LOCAL_MACHINE\Software\Miranda *
HKEY_USERS\S-1-5-*\Software\Bcgp appwizard-generated applications\网络猪*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\Pig**
HKEY_CLASSES_ROOT\Pig* *
HKEY_CURRENT_USER\Software\Pig**
HKEY_LOCAL_MACHINE\Software\Classes\Pig**
HKEY_CLASSES_ROOT\Filetransferprogressbar* *
HKEY_CLASSES_ROOT\Gif89.gif89* *
HKEY_LOCAL_MACHINE\Software\Classes\Gif89**
HKEY_CLASSES_ROOT\360**
HKEY_CLASSES_ROOT\Hugi**
HKEY_LOCAL_MACHINE\Software\360so*
HKEY_LOCAL_MACHINE\Software\Classes\360main* *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run 360Main*.exe
HKEY_LOCAL_MACHINE\Software\Baidu *
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Menuext\百度**
HKEY_CLASSES_ROOT\Baidu**
HKEY_CURRENT_USER\Software\Baidu *
HKEY_LOCAL_MACHINE\Software\Classes\Mimefilter**
HKEY_CLASSES_ROOT\Mimefilter* *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper object...*
HKEY_LOCAL_MACHINE\Software\Blogchina*
HKEY_CLASSES_ROOT\Bocai**
HKEY_LOCAL_MACHINE\Software\Classes\Bocai* *
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Toolbar\{4da2ee61-6399-4c39-aeb9-0d... *
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Cdn**
HKEY_CURRENT_USER\Software\Cnnic *
HKEY_LOCAL_MACHINE\Software\Cnnic *
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Advancedoptions\Cdnclient *
HKEY_CLASSES_ROOT\Cdn* *
HKEY_CLASSES_ROOT\Mailparsersvr**
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Extensions\{35980f6e-a137-4e50-953d... *
HKEY_LOCAL_MACHINE\System\*controlset*\Enum\Root\Legacy_cdnprot *
HKEY_CLASSES_ROOT\Applications\Dudu* *
HKEY_CLASSES_ROOT\Ddd* *
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Menuext\&使用dudu 加速器下载 *
HKEY_LOCAL_MACHINE\Software\Dudu*
HKEY_USERS\S-1-5-*\Software\Microsoft\Internet explorer\Menuext\&使用dudu 加速器下载 *
HKEY_CLASSES_ROOT\Xpwindow**
HKEY_CLASSES_ROOT\Applications\Henbang**
HKEY_LOCAL_MACHINE\Software\Classes\Applications\Henbang* *
HKEY_CLASSES_ROOT\Downloadstart**
HKEY_LOCAL_MACHINE\Software\Classes\Downloadstart* *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper object...*
HKEY_CLASSES_ROOT\Monitor.urlmonitor**
HKEY_LOCAL_MACHINE\Software\Classes\Monitor.urlmonitor* *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper object...*
HKEY_LOCAL_MACHINE\Software\World2 *
HKEY_LOCAL_MACHINE\Software\Classes\Hugi* *
HKEY_CLASSES_ROOT\Yisou**
HKEY_CURRENT_USER\Software\Yisou**
HKEY_LOCAL_MACHINE\Software\3721\Yisou *
HKEY_LOCAL_MACHINE\Software\Classes\Yisoubar* *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper object...*
HKEY_LOCAL_MACHINE\Software\Yisou*
HKEY_CLASSES_ROOT\Searchm**
HKEY_LOCAL_MACHINE\Software\Classes\Searchm* *
HKEY_CLASSES_ROOT\Clsid\{141a5e19-bdcb-4e27-a3d7-9e16503bc05b}*
HKEY_CLASSES_ROOT\Clsid\{1b0e7716-898e-48cc-9690-4e338e8de1d3}*
HKEY_CLASSES_ROOT\Clsid\{7ca83cf1-3aea-42d0-a4e3-1594fc6e48b2} *
HKEY_CLASSES_ROOT\Clsid\{9eb2b422-c9ee-46c4-a471-1e79c7517b1d}*
HKEY_CLASSES_ROOT\Clsid\{abec6103-f6ac-43a3-834f-fb03fba339a2} *
HKEY_CLASSES_ROOT\Clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}*
HKEY_CLASSES_ROOT\Clsid\{bb936323-19fa-4521-ba29-eca6a121bc78} *
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{141a5e19-bdcb-4e27-a3d7-9e16503bc05b} *
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{1b0e7716-898e-48cc-9690-4e338e8de1d3} *
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{38928d50-8a48-44c2-945f-d2f23f771410}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{7ca83cf1-3aea-42d0-a4e3-1594fc6e48b2}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{9eb2b422-c9ee-46c4-a471-1e79c7517b1d} *
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{abec6103-f6ac-43a3-834f-fb03fba339a2}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4} *
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{bb936323-19fa-4521-ba29-eca6a121bc78}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{57421194-58fb-49ae-9b4f-fd48869b9ad4}*
HKEY_CLASSES_ROOT\Clsid\{57421194-58fb-49ae-9b4f-fd48869b9ad4} *
HKEY_CLASSES_ROOT\Clsid\{406f94f0-504f-4a40-8dfd-58b0666abebd}*
HKEY_CLASSES_ROOT\Clsid\{fe3ecae7-0a37-4506-8a7d-3cc9a04d2ca8}*
HKEY_CLASSES_ROOT\Clsid\{38928d50-8a48-44c2-945f-d2f23f771410} *
HKEY_CLASSES_ROOT\Clsid\{17f1c8e8-b99b-4d85-927b-a0ee7290455a} *
HKEY_CLASSES_ROOT\Clsid\{af53d70e-29df-443a-92aa-9c314af5871e} *
HKEY_CLASSES_ROOT\Clsid\{22d8e815-4a5e-4dfb-845e-aab64207f5bd}*
HKEY_CLASSES_ROOT\Clsid\{92085ad4-f48a-450d-bd93-b28cc7df67ce} *
HKEY_CLASSES_ROOT\Clsid\{b7856497-7097-424a-b03c-557aca6477b4}*
HKEY_CLASSES_ROOT\Clsid\{bc0fa0e8-0e7a-4836-b6ea-6e6880f4522c}*
HKEY_CLASSES_ROOT\Clsid\{28d47530-cf84-11d1-834c-00a0249f0c28} *
HKEY_CLASSES_ROOT\Clsid\{4b946315-e88c-4fe9-9c51-d9277ba85acc}*
HKEY_CLASSES_ROOT\Clsid\{b580cf65-e151-49c3-b73f-70b13fca8e86}*
HKEY_CLASSES_ROOT\Clsid\{a7f05ee4-0426-454f-8013-c41e3596e9e9}*
HKEY_CLASSES_ROOT\Clsid\{fe14f22e-be14-4f08-a80f-f27bc3a67b2d}*
HKEY_CLASSES_ROOT\Clsid\{4da2ee61-6399-4c39-aeb9-0d990e610d29} *
HKEY_CLASSES_ROOT\Clsid\{461a86f7-a29d-460a-80d5-52979aa6c46d} *
HKEY_CLASSES_ROOT\Clsid\{9a578c98-3c2f-4630-890b-fc04196ef420}*
HKEY_CLASSES_ROOT\Clsid\{d449eb58-55af-4695-b216-895d546aed89}*
HKEY_CLASSES_ROOT\Clsid\{35980f6e-a137-4e50-953d-813bb8556899}*
HKEY_CLASSES_ROOT\Clsid\{8135ef31-fe8c-4c6e-a18a-f59944c3a488}*
HKEY_CLASSES_ROOT\Clsid\{915e63f4-4733-401e-8556-6559b30a4c5a} *
HKEY_CLASSES_ROOT\Clsid\{6bde1669-b490-48e3-b668-456314f2d6c3} *
HKEY_CLASSES_ROOT\Clsid\{ffd95f65-f5e4-4ab8-b7f9-f61f13878a04}*
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Extensions\{3db9f45e-aa74-4373-a466... *
HKEY_CLASSES_ROOT\Clsid\{2d6f6bff-1796-4779-9ba3-5f20f17e5cea}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{2d6f6bff-1796-4779-9ba3-5f20f17e5cea} *
HKEY_CLASSES_ROOT\Clsid\{616d4040-5712-4f0f-bcf1-5c6420a99e14}*
HKEY_CLASSES_ROOT\Clsid\{3ed9ffda-79db-4b2d-99b7-16ea3c4a3a92}*
HKEY_CLASSES_ROOT\Clsid\{f43bd772-abdd-43b7-a96a-3e9e61946ec0} *
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{f43bd772-abdd-43b7-a96a-3e9e61946ec0}*
HKEY_CLASSES_ROOT\Clsid\{115f6e46-fcbc-41ed-b3b5-3bddd4aab5e5}*
HKEY_CLASSES_ROOT\Clsid\{db4f72f5-fa97-4424-a8cd-758feae6861f}*
HKEY_CLASSES_ROOT\Clsid\{ef1d17a9-089f-40cc-8d64-7324cdeba0db} *
HKEY_CLASSES_ROOT\Clsid\{594be7b2-23b0-4fae-a2b9-0c21cc1417ce}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{594be7b2-23b0-4fae-a2b9-0c21cc1417ce} *
HKEY_LOCAL_MACHINE\Software\Stdup *
HKEY_CURRENT_USER\Software\Stdup *
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Activex compatibility\{9a578c98-3c2f-46...*
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Universal disk manager *

System initialization and user logon

HKEY_CURRENT_USER\Software\Microsoft\Windows nt\Currentversion\Winlogon              GinaDLL  
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon             taskman  
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon             Shell   
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon\Notify*       *      
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon             System   
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon             Userinit
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon             VmApplet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon             *        

RunDll32 application rules

HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run                  *            
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run                  *           
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Runonce             *            
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Runonceex           *            
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Runservices           *         
HKEY_USERS\.default\Software\Microsoft\Windows\Currentversion\Run                     *
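The protection lists above are written in HIPS wildcard syntax (`*` for any run of characters, `?` for exactly one, as in `ControlSet???` and `S-1-5-*`, and a leading `*` for any hive), and they mix short hive names such as `HKLM` with `HKEY_LOCAL_MACHINE`. The following Python is an added example, not code from this thread or from XT, showing how such a list can be matched against an intercepted registry write once hive names, separators and case are normalized. The rules, the sample writes and the trusted-process list in it are a constructed sample, not the full list from the post.

```python
import re

# Hive abbreviations: the rule lists in this thread mix "HKLM" with "HKEY_LOCAL_MACHINE".
HIVE_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
    "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG",
}

# Constructed sample of protected paths in the post's wildcard syntax:
# '*' matches any run of characters, '?' exactly one, a leading '*' any hive.
PROTECTED_RULES = [
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*",
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\*",
    r"HKLM\System\ControlSet???\Control\Session Manager\KnownDlls*",
    r"HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls*",
    r"HKEY_USERS\S-1-5-*\Software\Microsoft\Internet explorer\Menuext\*",
    r"*\Software\Microsoft\Windows\CurrentVersion\Policies\*",
    r"HKEY_CURRENT_USER\Control Panel\Don't load*",
]


def normalize(path):
    """Canonical form for comparison: long hive name, single backslashes, lower case."""
    path = re.sub(r"[\\/]+", lambda m: "\\", path.strip())
    hive, sep, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive)
    return (hive + sep + rest).lower()


def rule_to_regex(rule):
    """Translate one wildcard rule into an anchored regex.

    A rule ending in '\\*' is made to cover the key itself as well as everything
    below it, so creating the key is caught, not only writing values under it."""
    pattern = ""
    for ch in normalize(rule):
        pattern += ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
    if pattern.endswith(r"\\.*"):
        pattern = pattern[: -len(r"\\.*")] + r"(\\.*)?"
    return re.compile("^" + pattern + "$")


COMPILED_RULES = [(rule, rule_to_regex(rule)) for rule in PROTECTED_RULES]


def matching_rules(path):
    """Return every rule a registry path falls under; an empty list means unprotected."""
    target = normalize(path)
    return [rule for rule, rx in COMPILED_RULES if rx.match(target)]


def decide(path, process, trusted=frozenset()):
    """Policy for a registry write: 'allow' for unprotected paths and for writers on
    the (hypothetical) trusted list, 'ask' (prompt the user) for everything else."""
    if not matching_rules(path):
        return "allow"
    return "allow" if process.lower() in {p.lower() for p in trusted} else "ask"


if __name__ == "__main__":
    writes = [  # constructed sample of registry writes as a HIPS driver would report them
        (r"HKLM\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs", "setup.exe"),
        (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe", "setup.exe"),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun", "mmc.exe"),
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "setup.exe"),
    ]
    for path, proc in writes:
        print(decide(path, proc, trusted={"mmc.exe"}), proc, path, matching_rules(path))
```

Note that a rule ending in `\*` is deliberately widened to match the parent key as well, because an attacker who can create `Image File Execution Options\taskmgr.exe` has already won by the time a value is written under it; a matcher that only fires on the sub-key write would miss the key creation.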
hdlcpqs
Posted on 2010-4-5 09:54:08
瓦斯曲's rogue-software RD blacklist



HKEY_CLASSES_ROOT\Cns*
HKEY_CURRENT_USER\Software\3721*
HKEY_LOCAL_MACHINE\Software\3721*
HKEY_LOCAL_MACHINE\Software\Classes\Cns*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\Helper.dll*
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Menuext\!搜一搜 *
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Advancedoptions\!cns*
HKEY_LOCAL_MACHINE\System\Controlset*\Enum\Root\Legacy_cnsmink*
HKEY_LOCAL_MACHINE\System\Controlset*\Services\Cnsminkp*
HKEY_CLASSES_ROOT\Assist*
HKEY_CLASSES_ROOT\Autolive*
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Main\Cns*
HKEY_CLASSES_ROOT\Adkiller*
HKEY_LOCAL_MACHINE\Software\Classes\Adkiller*
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Activex compatibility\{1b0e7716-898e-4*
HKEY_CLASSES_ROOT\Coolbar*
HKEY_LOCAL_MACHINE\Software\Classes\Coolbar*
HKEY_CURRENT_USER\Software\Yahoo*
HKEY_LOCAL_MACHINE\Software\Yahoo*
HKEY_CLASSES_ROOT\Zschkfile*
HKEY_CLASSES_ROOT\Ebay*
HKEY_USERS\S-1-5-*\Software\Microsoft\Internet explorer\Menuext\*ebay*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\Ebay*
HKEY_CLASSES_ROOT\Applications\Pig*
HKEY_LOCAL_MACHINE\Software\Classes\Applications\Pig*
HKEY_LOCAL_MACHINE\Software\Miranda *
HKEY_USERS\S-1-5-*\Software\Bcgp appwizard-generated applications\网络猪*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run\Pig*
HKEY_CLASSES_ROOT\Pig*
HKEY_CURRENT_USER\Software\Pig*
HKEY_LOCAL_MACHINE\Software\Classes\Pig*
HKEY_CLASSES_ROOT\Filetransferprogressbar*
HKEY_CLASSES_ROOT\Gif89.gif89*
HKEY_LOCAL_MACHINE\Software\Classes\Gif89*
HKEY_CLASSES_ROOT\360*
HKEY_CLASSES_ROOT\Hugi*
HKEY_LOCAL_MACHINE\Software\360so*
HKEY_LOCAL_MACHINE\Software\Classes\360main*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run 360Main*.exe
HKEY_LOCAL_MACHINE\Software\Baidu*
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Menuext\百度*
HKEY_CLASSES_ROOT\Baidu*
HKEY_CURRENT_USER\Software\Baidu*
HKEY_LOCAL_MACHINE\Software\Classes\Mimefilter*
HKEY_CLASSES_ROOT\Mimefilter*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper object*
HKEY_LOCAL_MACHINE\Software\Blogchina*
HKEY_CLASSES_ROOT\Bocai*
HKEY_LOCAL_MACHINE\Software\Classes\Bocai*
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Toolbar\{4da2ee61-6399-4c39-aeb9-0d*
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Cdn*
HKEY_CURRENT_USER\Software\Cnnic*
HKEY_LOCAL_MACHINE\Software\Cnnic*
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Advancedoptions\Cdnclient*
HKEY_CLASSES_ROOT\Cdn*
HKEY_CLASSES_ROOT\Mailparsersvr*
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Extensions\{35980f6e-a137-4e50-953d*
HKEY_LOCAL_MACHINE\System\*controlset*\Enum\Root\Legacy_cdnprot*
HKEY_CLASSES_ROOT\Applications\Dudu*
HKEY_CLASSES_ROOT\Ddd*
HKEY_CURRENT_USER\Software\Microsoft\Internet explorer\Menuext\&使用dudu 加速器下载*
HKEY_LOCAL_MACHINE\Software\Dudu*
HKEY_USERS\S-1-5-*\Software\Microsoft\Internet explorer\Menuext\&使用dudu 加速器下载*
HKEY_CLASSES_ROOT\Xpwindow*
HKEY_CLASSES_ROOT\Applications\Henbang*
HKEY_LOCAL_MACHINE\Software\Classes\Applications\Henbang*
HKEY_CLASSES_ROOT\Downloadstart*
HKEY_LOCAL_MACHINE\Software\Classes\Downloadstart*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper object*
HKEY_CLASSES_ROOT\Monitor.urlmonitor*
HKEY_LOCAL_MACHINE\Software\Classes\Monitor.urlmonitor*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper object*
HKEY_LOCAL_MACHINE\Software\World2*
HKEY_LOCAL_MACHINE\Software\Classes\Hugi*
HKEY_CLASSES_ROOT\Yisou*
HKEY_CURRENT_USER\Software\Yisou*
HKEY_LOCAL_MACHINE\Software\3721\Yisou *
HKEY_LOCAL_MACHINE\Software\Classes\Yisoubar*
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser helper object...*
HKEY_LOCAL_MACHINE\Software\Yisou*
HKEY_CLASSES_ROOT\Searchm*
HKEY_LOCAL_MACHINE\Software\Classes\Searchm*
HKEY_CLASSES_ROOT\Clsid\{141a5e19-bdcb-4e27-a3d7-9e16503bc05b}*
HKEY_CLASSES_ROOT\Clsid\{1b0e7716-898e-48cc-9690-4e338e8de1d3}*
HKEY_CLASSES_ROOT\Clsid\{7ca83cf1-3aea-42d0-a4e3-1594fc6e48b2}*
HKEY_CLASSES_ROOT\Clsid\{9eb2b422-c9ee-46c4-a471-1e79c7517b1d}*
HKEY_CLASSES_ROOT\Clsid\{abec6103-f6ac-43a3-834f-fb03fba339a2}*
HKEY_CLASSES_ROOT\Clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}*
HKEY_CLASSES_ROOT\Clsid\{bb936323-19fa-4521-ba29-eca6a121bc78}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{141a5e19-bdcb-4e27-a3d7-9e16503bc05b}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{1b0e7716-898e-48cc-9690-4e338e8de1d3}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{38928d50-8a48-44c2-945f-d2f23f771410}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{7ca83cf1-3aea-42d0-a4e3-1594fc6e48b2}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{9eb2b422-c9ee-46c4-a471-1e79c7517b1d}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{abec6103-f6ac-43a3-834f-fb03fba339a2}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{bb936323-19fa-4521-ba29-eca6a121bc78}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{57421194-58fb-49ae-9b4f-fd48869b9ad4}*
HKEY_CLASSES_ROOT\Clsid\{57421194-58fb-49ae-9b4f-fd48869b9ad4}*
HKEY_CLASSES_ROOT\Clsid\{406f94f0-504f-4a40-8dfd-58b0666abebd}*
HKEY_CLASSES_ROOT\Clsid\{fe3ecae7-0a37-4506-8a7d-3cc9a04d2ca8}*
HKEY_CLASSES_ROOT\Clsid\{38928d50-8a48-44c2-945f-d2f23f771410}*
HKEY_CLASSES_ROOT\Clsid\{17f1c8e8-b99b-4d85-927b-a0ee7290455a}*
HKEY_CLASSES_ROOT\Clsid\{af53d70e-29df-443a-92aa-9c314af5871e}*
HKEY_CLASSES_ROOT\Clsid\{22d8e815-4a5e-4dfb-845e-aab64207f5bd}*
HKEY_CLASSES_ROOT\Clsid\{92085ad4-f48a-450d-bd93-b28cc7df67ce}*
HKEY_CLASSES_ROOT\Clsid\{b7856497-7097-424a-b03c-557aca6477b4}*
HKEY_CLASSES_ROOT\Clsid\{bc0fa0e8-0e7a-4836-b6ea-6e6880f4522c}*
HKEY_CLASSES_ROOT\Clsid\{28d47530-cf84-11d1-834c-00a0249f0c28}*
HKEY_CLASSES_ROOT\Clsid\{4b946315-e88c-4fe9-9c51-d9277ba85acc}*
HKEY_CLASSES_ROOT\Clsid\{b580cf65-e151-49c3-b73f-70b13fca8e86}*
HKEY_CLASSES_ROOT\Clsid\{a7f05ee4-0426-454f-8013-c41e3596e9e9}*
HKEY_CLASSES_ROOT\Clsid\{fe14f22e-be14-4f08-a80f-f27bc3a67b2d}*
HKEY_CLASSES_ROOT\Clsid\{4da2ee61-6399-4c39-aeb9-0d990e610d29}*
HKEY_CLASSES_ROOT\Clsid\{461a86f7-a29d-460a-80d5-52979aa6c46d}*
HKEY_CLASSES_ROOT\Clsid\{9a578c98-3c2f-4630-890b-fc04196ef420}*
HKEY_CLASSES_ROOT\Clsid\{d449eb58-55af-4695-b216-895d546aed89}*
HKEY_CLASSES_ROOT\Clsid\{35980f6e-a137-4e50-953d-813bb8556899}*
HKEY_CLASSES_ROOT\Clsid\{8135ef31-fe8c-4c6e-a18a-f59944c3a488}*
HKEY_CLASSES_ROOT\Clsid\{915e63f4-4733-401e-8556-6559b30a4c5a}*
HKEY_CLASSES_ROOT\Clsid\{6bde1669-b490-48e3-b668-456314f2d6c3}*
HKEY_CLASSES_ROOT\Clsid\{ffd95f65-f5e4-4ab8-b7f9-f61f13878a04}*
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Extensions\{3db9f45e-aa74-4373-a466*
HKEY_CLASSES_ROOT\Clsid\{2d6f6bff-1796-4779-9ba3-5f20f17e5cea}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{2d6f6bff-1796-4779-9ba3-5f20f17e5cea}*
HKEY_CLASSES_ROOT\Clsid\{616d4040-5712-4f0f-bcf1-5c6420a99e14}*
HKEY_CLASSES_ROOT\Clsid\{3ed9ffda-79db-4b2d-99b7-16ea3c4a3a92}*
HKEY_CLASSES_ROOT\Clsid\{f43bd772-abdd-43b7-a96a-3e9e61946ec0}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{f43bd772-abdd-43b7-a96a-3e9e61946ec0}*
HKEY_CLASSES_ROOT\Clsid\{115f6e46-fcbc-41ed-b3b5-3bddd4aab5e5}*
HKEY_CLASSES_ROOT\Clsid\{db4f72f5-fa97-4424-a8cd-758feae6861f}*
HKEY_CLASSES_ROOT\Clsid\{ef1d17a9-089f-40cc-8d64-7324cdeba0db}*
HKEY_CLASSES_ROOT\Clsid\{594be7b2-23b0-4fae-a2b9-0c21cc1417ce}*
HKEY_LOCAL_MACHINE\Software\Classes\Clsid\{594be7b2-23b0-4fae-a2b9-0c21cc1417ce}*
HKEY_LOCAL_MACHINE\Software\Stdup*
HKEY_CURRENT_USER\Software\Stdup*
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet explorer\Activex compatibility\{9a578c98-3c2f-46*
HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Universal disk manager*


hdlcpqs
Posted on 2010-4-5 09:57:26
My own classification of COM interfaces


Instant-kill interface  \Windows\ApiPort    Any program must be allowed this before it can run; use with care, since a system program that is not allowed will hang or blue-screen
Web browser  Shell.Explorer.*   Apparently the shell used by Windows Explorer
Windows shell shell32.dll  {75048700-EF1F-11D0-9888-006097DEACF9}
XML Core Services (background web access)   Microsoft.XMLHTTP  Allowing this for the browser makes web access a little faster
IE object settings  InternetExplorer.Application.*  Allowing this for the browser makes the system open files a little faster
IE shell   {FBF23B40-E3F0-101B-8488-00AA003E56F8}  Allowing this for the browser makes the system open files a little faster
Windows management  {4590F811-1D3A-11D0-891F-00AA004B2E24}
                    {5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}
                    WindowsInstaller.*
                    IMSIServer
Background intelligent transfer  {4991D34B-80A1-4291-83B6-3328366B9097}
                   {69AD4AEE-51BE-439b-A92C-86AE490E8B30}
Background IE invocation  {0002DF01-0000-0000-C000-000000000046}
Open a new IE window {9BA05972-F6A8-11CF-A442-00A0C90A8F39} Opens an IE window on the client or server side
Background OE invocation  {8f92a857-478e-11d1-a3b4-00c04fb950dc}
OE object settings  Outlook.Application.*
Background MSN message sending  {B69003B3-C55E-4B48-836C-BC5946FC3B28}
                            {F81CD990-910B-4bbf-9CB3-6A77F3D697B3}
Remote Assistance   RemoteHelper.RemoteHelper
Remote Desktop   {A6A6F92B-26B5-463B-AE0D-5F361B09C171}
               {E423AF7C-FC2D-11d2-B126-00805FC73204}
User accounts   {60664caf-af0d-0003-a300-5c7d25ff22a0}
              {7A9D77BD-5403-11d2-8785-2E0420524153}
Global folder settings   {EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}
Windows Script Host Shell Object  {F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}  Related to web-page script attacks
Windows Script Host Network Object
                                                   {F935DC26-1CF0-11D0-ADB9-00C04FD58A0B}  Related to network attacks
Dangerous scripting objects   ADODB.Stream   Commonly used in malicious web-page code attacks
              ADODB.Stream.6.0  Commonly used in malicious web-page code attacks
              WScript.Shell   Commonly used in malicious web-page code attacks
              WScript.Shell.1  Commonly used in malicious web-page code attacks
              Scripting.FileSystemObject  Commonly used in malicious web-page code attacks
              JavaScript   May be used in malicious web-page code attacks
     {06290BD5-48AA-11D2-8432-006008C3FBFC}   May be used in malicious web-page code attacks
ICatRegister interface - registers COM categories  {0002E012-0000-0000-C000-000000000046}  An important one
Miscellaneous   {EE140200-0000-0000-C000-000000000046}  Purpose unknown; not found on XP
Pseudo-COM interfaces - important ports   \RPC Control   RPC control panel
                                 \RPC Control\wzcsvc  Wireless configuration service
                                 \RPC Control\spoolss   Print service
                                 \KnownDlls\*   The "cache" mechanism for DLLs commonly used by Windows NT (and Win9x)
Privilege ports - backup/restore   LocalSecurityAuthority.Backup   Backup
                           LocalSecurityAuthority.Restore  Restore
Privilege ports - shutdown/restart   LocalSecurityAuthority.Shutdown  Shut down
                           LocalSecurityAuthority.Restart  Restart
Privilege ports - debug privilege   LocalSecurityAuthority.Debug
Privilege ports - system environment   LocalSecurityAuthority.SystemEnvironment
Privilege ports - change system time  LocalSecurityAuthority.SystemTime
hdlcpqs
Posted on 2010-4-5 09:58:17
Common CLSIDs


Unassociated file  filename.{00021401-0000-0000-c000-000000000046}

BMP file  filename.{d3e34b21-9d75-101a-8c3d-00aa001a1652}

HTML file  filename.{25336920-03f9-11cf-8fd0-00aa00686f13}

Media clip file  filename.{00022601-0000-0000-c000-000000000046}

Printers  filename.{2227a280-3aea-1069-A2de-08002b30309d}

Control Panel  filename.{21ec2020-3aea-1069-A2dd-08002b30309d}

Network Neighborhood  filename.{208d2c60-3aea-1069-A2d7-08002b30309d}

Dial-Up Networking  filename.{992cffa0-F557-101a-88ec-00dd010ccc48}

Scheduled Tasks  filename.{D6277990-4c6a-11cf-8d87-00aa0060f5bf}

Recycle Bin  filename.{645ff040-5081-101b-9f08-00aa002f954e}

Web Folders  filename.{Bdeadf00-C265-11d0-Bced-00a0c90ab50f}

History  filename.{Ff393560-C2a7-11cf-Bff4-444553540000}

Favorites  filename.{1a9ba3a0-143a-11cf-8350-444553540000}

excel.{00020810-0000-0000-C000-000000000046}

word.{00020900-0000-0000-C000-000000000046}

media.{00022603-0000-0000-C000-000000000046}

CAB.{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}

Scheduled Tasks.{148BD520-A2AB-11CE-B11F-00AA00530503}

Search - Computers{1f4de370-d627-11d1-ba4f-00a0c91eedba}

Network Neighborhood.{208D2C60-3AEA-1069-A2D7-08002B30309D}

My Computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}

Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}

Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}

html.{25336920-03f9-11cf-8fd0-00aa00686f13}

mht.{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}

mshta.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}

My Documents.{450D8FBA-AD25-11D0-98A8-0800361B1103}

XML.{48123bc4-99d9-11d1-a6b3-00c04fd91555}

Recycle Bin (full).{5ef4af3a-f726-11d0-b8a2-00c04fc309a4}

Recycle Bin.{645FF040-5081-101B-9F08-00AA002F954E}

ftp_folder.{63da6ec0-2e98-11cf-8d82-444553540000}

Network and Dial-up Connections.{7007ACC7-3202-11D1-AAD2-00805FC1270E}

WordPad Document.{73FDDC80-AEA9-101A-98A7-00AA00374959}

Temporary Offline Files Cleaner.{750fdf0f-2a26-11d1-a3ea-080036587f03}

Users and Passwords.{7A9D77BD-5403-11d2-8785-2E0420524153}

Temporary Internet Files.{7BD29E00-76C1-11CF-9DD0-00A0C9034933}

Downloaded Program Files cleaner.{8369AB20-56C9-11D0-94E8-00AA0059CE02}

Briefcase.{85BBD920-42A0-1069-A2E4-08002B30309D}

ActiveX Cache Folder.{88C6C381-2E85-11D0-94DE-444553540000}

mail.{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}

History.{FF393560-C2A7-11CF-BFF4-444553540000}

Directory.{fe1290f0-cfbd-11cf-a330-00aa00c16e65}

Internet Explorer.{FBF23B42-E3F0-101B-8488-00AA003E56F8}

Snapshot File.{FACB5ED2-7F99-11D0-ADE2-00A0C90DC8D9}

Subscription Folder.{F5175861-2688-11d0-9C5E-00AA00A45957}

MyDocs Drop Target.{ECF03A32-103D-11d2-854D-006008059367}

Policy Package.{ecabaebd-7f19-11d2-978E-0000f8757e2a}

Search Results.{e17d4fc0-5564-11d1-83f2-00a0c90dc849}

Add Network Place.{D4480A50-BA28-11d1-8E75-00C04FA31A86}

Paint.{D3E34B21-9D75-101A-8C3D-00AA001A1652}

Administrative Tools.{D20EA4E1-3957-11d2-A40B-0C5020524153}

Fonts.{D20EA4E1-3957-11d2-A40B-0C5020524152}

Web Folders.{BDEADF00-C265-11d0-BCED-00A0C90AB50F}

DocFind Command.{B005E690-678D-11d1-B758-00A0C90564FE}

Offline Files Folder.{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}

Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}
hdlcpqs
Posted on 2010-4-5 10:02:26
Key registry locations for HIPS protection (compiled)



1. Startup folder:
    Start -> Programs -> Startup; applications or shortcuts are added here.
    This is the most common and simplest startup method in Windows. If you want a file to start at boot, drag it (or a shortcut to it) into this folder. Ordinary viruses today rarely use this method, though a few still do.
    Path: C:\Documents and Settings\Owner\「开始」菜单\程序\启动

2. Second startup folder:
    This one is obvious yet overlooked. It is used exactly like the first startup folder: find the directory and drop the file to be started into it.
    Path:
    C:\Documents and Settings\User\「开始」菜单\程序\启动

3. Startup via the system configuration files:
    Many people are unfamiliar with the system configuration files, yet many viruses start this way.

1) WIN.INI:
    Startup location (*.exe is the name of the file to start):
  [windows]
  load=*.exe [the file runs in the background]
    run=*.exe [the file runs in the default state]

2) SYSTEM.INI:
    Startup location (*.exe is the name of the file to start):
  Default:
  [boot]
  Shell=Explorer.exe [Explorer.exe is the Windows Program Manager / Windows Explorer; this is normal]
  With a file added it becomes:
  [boot]
  Shell= Explorer.exe *.exe [many viruses now use this method; the file starts together with Explorer and is well hidden]
    Note: unlike WIN.INI, SYSTEM.INI can only start one specified file. Do not change Shell=Explorer.exe *.exe into Shell=*.exe, or Windows will be crippled!

3) WININIT.INI:
    WinInit is the Windows Setup Initialization Utility.
    It makes the system execute some commands (copy, delete, rename) before Windows loads, in order to update files.
    File format:
  [rename]
  *1=*2
  meaning copy file *2 to a file named *1, which overwrites *1
    To delete a file, use:
    [rename]
  nul=*2
    All file names above must include the full path.

4) WINSTART.BAT:
    This is the batch file run at system startup, used mainly for copying and deleting files, for example to clean up what some software leaves behind after uninstalling.
    Example:
  “@if exist C:\WINDOWS\TEMP*.BAT call C:\WINDOWS\TEMP*.BAT”
    This executes the *.BAT file

5) USERINIT.INI [added 2/2]:
    Some viruses also use this startup method; it works the same way as SYSTEM.INI.

6) AUTOEXEC.BAT:
    A common startup method. Viruses use it to perform actions; the AUTOEXEC.BAT file may contain malicious code such as format c: /y and the like.

4. Registry startup: (compiled/updated 07.4.27)
    Starting via the registry is the most frequently used method in Windows.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
HKLM\SYSTEM\ControlSet001\Control\Session Manager\BootExecute
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\System\CurrentControlSet\Services\VxD\
HKCU\Control Panel\Desktop
HKLM\System\CurrentControlSet\Services\
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
HKLM\SOFTWARE\Classes\Protocols\Filter
HKLM\SOFTWARE\Classes\Protocols\Handler
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Microsoft\Internet Explorer\Extensions
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKLM\SYSTEM\CurrentControlSet\Control\MPRServices
HKCU\ftp\shell\open\command
HKCR\ftp\shell\open\command
HKCU\Software\Microsoft\ole
HKCU\Software\Microsoft\Command Processor
HKLM\SOFTWARE\Classes\mailto\shell\open\command
HKCR\PROTOCOLS
HKCU\Control Panel\Desktop
HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2
HKLM\SYSTEM\CurrentControlSet\Services\WinSock
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell folders\Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runServices
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
HKLM\SOFTWARE\Classes\Protocols\Handler
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\Software\Microsoft\Command Processor
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager registry
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
Registry locations that viruses frequently modify:
HKLM\SOFTWARE\Microsoft\Ras
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKCU\Software\Microsoft\Security Center
HKLM\Software\Microsoft\Security Center
HKLM\SOFTWARE\Microsoft\Netcache
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
HKCU\Software\Microsoft\Internet explorer\Main\\*page
HKCU\Software\Microsoft\Internet explorer\Main\\Enable Browser Extensions
HKCU\Software\Microsoft\Internet explorer\Main\Featurecontrol
HKCU\Software\Microsoft\Internet explorer\Menuext
HKCU\Software\Microsoft\Internet explorer\Styles
HKLM\Software\Clients\Startmenuinternet
HKLM\Software\Microsoft\Code store database\Distribution units
HKCU\Software\Microsoft\Internet explorer\Abouturls
HKLM\Software\Microsoft\Internet explorer\Activex compatibility
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Microsoft\Internet explorer\Main\\*page
HKLM\Software\Microsoft\Internet explorer\Styles
HKLM\Software\Microsoft\Internet explorer\Menuext
HKLM\Software\Microsoft\Internet explorer\Plugins
HKLM\Software\Microsoft\Windows\Currentversion\Explorer\Browser helpr objects
HKLM\Software\Microsoft\Windows\Currentversion\Internet settings\*zones
HKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Safesites
HKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Url
HKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\Protocoldefaults
HKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\Domains
HKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\Ranges
HKLM\SYSTEM\ControlSet*\Control\SafeBoot
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
HKLM\Software\Microsoft\Windows\Currentversion\Policies\System\
HKCU\Software\Policies\Microsoft\Internet Explorer\Control panel\homepage

V. Other startup methods:
    (1). C:\Explorer.exe startup method:
    Few people know about this startup method.
    Under Win9X, because SYSTEM.INI specifies only the name of the Windows shell file Explorer.exe and not an absolute path, Win9X searches for the Explorer.exe file.
    The search order is:
  (1).  Search the current directory.
  (2).  If Explorer.exe is not found, the system reads
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive\Path] to obtain a relative path.
  (3).  If the file is still not found, the system reads [HKEY_CURRENT_USER\Environment\Path] to obtain a relative path.
    The relative paths stored in [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive\Path] and [HKEY_CURRENT_USER\Environment\Path] are "%SystemRoot%System32;%SystemRoot%" and empty, respectively.
    So, since the "current directory" at system startup is certainly %SystemDrive% (the system drive), the order in which the system searches for Explorer.EXE is:
  (1).  %SystemDrive% (e.g. C:\)
  (2).  %SystemRoot%System32 (e.g. C:\WINNT\SYSTEM32)
  (3).  %SystemRoot% (e.g. C:\WINNT)
    So if a file named Explorer.EXE is placed in the root directory of the system drive, on every boot the system will start the Explorer.exe in the root directory first rather than the Explorer.exe in the Windows directory.
  In the WinNT series, Windows NT/Windows 2000 pays more attention to where the Explorer.exe file name is placed, storing the name of the shell file (Explorer.exe) used at system startup in:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell]; in Windows 2000 SP2 Microsoft changed this approach.

(2). Screen saver startup method:
    A Windows screen saver is a *.scr file, which is an executable PE file. If a screen saver *.scr is renamed to *.exe, the program still starts normally; likewise, an *.exe renamed to *.scr still starts normally.
    The file path is stored in the SCRNSAVE.EXE= entry of System.ini, e.g. SCRNSAVE.EXE=/%system32% *.scr
    This startup method carries a certain danger.

    (3). Scheduled task startup method:
    The Windows scheduled task feature starts a given program at a specified time. This startup method is quite stealthy.
    [Start]---[Programs]---[Accessories]---[System Tools]---[Scheduled Tasks], then follow the steps in order.

    (4). AutoRun.inf startup method:
    The Autorun.inf file comes into play when a disc is loaded: when a disc is inserted, the drive decides from this file's contents whether to open the contents of the disc.
    Autorun.inf usually contains:
  [AUTORUN]
  OPEN=*.exe
  ICON=icon(icon file).ico
    1. If a trojan is *.exe, Autorun.inf can be as follows:
    OPEN=Windows\*.exe
    ICON=*.exe
    Then every time drive C is double-clicked, *.exe runs.

    2. If Autorun.inf is placed in the root directory of drive C with the contents:
    OPEN=D:\*.exe
    ICON=*.exe
    then double-clicking drive C runs *.exe on drive D.
(5). Extension-change startup method:
    Change the extension (*.exe):
    e.g. a *.exe file can be renamed with the extension *.bat, *.scr, etc. and started that way.

VI. VxD virtual device driver startup method:
    An application obtains control of a Windows 9X system through a dynamically loaded VxD virtual device driver (VxD drivers apply only to Windows 95/98/Me).
    These are 32-bit executables that can manage system resources such as hardware devices or installed software, so that several applications can use those resources at the same time.

VII. Service startup method:
    [Start]---[Run]---type "services.msc" (without the quotes)---to manage the service entries.
    Under the "Startup type" option you can set how a service starts: automatically when the system starts, manually, permanently disabled, or paused (it will start again after a reboot).
    Registry location: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
    Programs started as services run in the background; for example the domestic trojan "Gray Pigeon" (灰鸽子) uses this startup method to launch in the background and steal user information.

VIII. Driver startup method:
    Some viruses disguise themselves as hardware drivers in order to get started.
    1. Drivers that ship with the system [starting directly through the operating system's own standard programs]
    2. Drivers that ship with the hardware [starting through the hardware's own standard programs]
    3. Drivers faked by the virus itself [starting through a standard program that the virus itself impersonates]



windir\Start Menu\Programs\Startup\
User\Startup\
All Users\Startup\
windir\system\iosubsys\
windir\system\vmm32\
windir\Tasks\

c:\explorer.exe
c:\autoexec.bat
c:\config.sys
windir\wininit.ini
windir\winstart.bat
windir\win.ini - [windows] "load"
windir\win.ini - [windows] "run"
windir\system.ini - [boot] "shell"
windir\system.ini - [boot] "scrnsave.exe"
windir\dosstart.bat
windir\system\autoexec.nt
windir\system\config.nt




Folder.htt
desktop.ini
C:\Documents and Settings\<username>\Application Data\Microsoft\Internet Explorer\Desktop.htt

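The INI-file checks and the Explorer.exe search-order problem described in this post, as an added example (not code from the thread or from XT): it parses constructed system.ini / win.ini / Autorun.inf samples for the entries listed above (shell=, SCRNSAVE.EXE=, load=, run=, OPEN=) and replays the Win9X search order from section V(1) to tell which Explorer.exe would actually run. The sample file contents, the `dropper.exe` name and the `C:\WINDOWS` system root are constructed assumptions; `shellexecute=` is the other Autorun.inf launch key and is checked alongside OPEN=.

```python
"""Audit the INI-style autostart entries from the post above (system.ini [boot]
shell= and SCRNSAVE.EXE=, win.ini [windows] load= / run=, Autorun.inf OPEN=) and
replay the Win9X Explorer.exe search order from section V(1).
Added example with constructed input; not code from the thread or from XT."""
from typing import Dict, Iterable, List, Optional

IniData = Dict[str, Dict[str, str]]


def parse_ini(text: str) -> IniData:
    """Minimal INI parser: section and key names are lower-cased, values kept as-is."""
    data: IniData = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            data.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            data.setdefault(section, {})[key.strip().lower()] = value.strip()
    return data


def _under(path: str, root: str) -> bool:
    """True if `path` is an absolute path inside directory `root` (case-insensitive)."""
    p = path.strip('"').lower().replace("/", "\\")
    return p.startswith(root.lower().rstrip("\\") + "\\")


def audit_system_ini(text: str, system_root: str = "C:\\WINDOWS") -> List[str]:
    """The stock [boot] shell line is exactly 'explorer.exe'; an extra token or a
    different name means another program is launched as the shell. SCRNSAVE.EXE
    should be an absolute path under the Windows directory."""
    boot = parse_ini(text).get("boot", {})
    findings = []
    shell = boot.get("shell", "")
    if shell.lower() != "explorer.exe":
        findings.append(f"system.ini [boot] shell={shell!r}, expected 'explorer.exe'")
    scr = boot.get("scrnsave.exe", "")
    if scr and not _under(scr, system_root):
        findings.append(f"system.ini [boot] SCRNSAVE.EXE={scr!r} is not under {system_root}")
    return findings


def audit_win_ini(text: str) -> List[str]:
    """[windows] load= and run= are empty on a clean system; anything there autostarts."""
    win = parse_ini(text).get("windows", {})
    return [f"win.ini [windows] {k}= launches: {win[k]}" for k in ("load", "run") if win.get(k)]


def audit_autorun_inf(text: str, drive: str) -> List[str]:
    """An Autorun.inf in a hard-disk root that names a program (OPEN=, or the other
    launch key shellexecute=) is the pattern described in section V(4)."""
    auto = parse_ini(text).get("autorun", {})
    return [f"{drive}\\Autorun.inf {k}={auto[k]} would launch on double-click"
            for k in ("open", "shellexecute") if auto.get(k)]


def resolve_shell(search_dirs: Iterable[str], present_files: Iterable[str],
                  name: str = "explorer.exe") -> Optional[str]:
    """Apply the search order from section V(1): the first directory holding `name`
    wins. `present_files` stands in for the file system (constructed here)."""
    have = {f.lower() for f in present_files}
    for d in search_dirs:
        candidate = d.rstrip("\\") + "\\" + name
        if candidate.lower() in have:
            return candidate
    return None


def shell_is_hijacked(search_dirs, present_files, system_root: str = "C:\\WINDOWS") -> bool:
    """True when the resolved shell is not the one in the Windows directory."""
    found = resolve_shell(search_dirs, present_files)
    return found is not None and not _under(found, system_root)


# Constructed samples (not captured from a real machine); dropper.exe is a placeholder.
SYSTEM_INI_CLEAN = "[boot]\nshell=Explorer.exe\nSCRNSAVE.EXE=C:\\WINDOWS\\system32\\logon.scr\n"
SYSTEM_INI_BAD = ("[boot]\nshell=Explorer.exe C:\\WINDOWS\\TEMP\\dropper.exe\n"
                  "SCRNSAVE.EXE=C:\\Documents and Settings\\user\\x.scr\n")
WIN_INI_BAD = "[windows]\nload=C:\\WINDOWS\\TEMP\\dropper.exe\nrun=\n"
AUTORUN_BAD = "[AUTORUN]\nOPEN=D:\\dropper.exe\nICON=dropper.exe\n"
# %SystemDrive%, %SystemRoot%System32, %SystemRoot% in the order the post gives
SEARCH_ORDER = ["C:\\", "C:\\WINDOWS\\System32", "C:\\WINDOWS"]
CLEAN_FILES = {"C:\\WINDOWS\\explorer.exe"}
HIJACKED_FILES = {"C:\\explorer.exe", "C:\\WINDOWS\\explorer.exe"}

if __name__ == "__main__":
    for f in (audit_system_ini(SYSTEM_INI_CLEAN) + audit_system_ini(SYSTEM_INI_BAD)
              + audit_win_ini(WIN_INI_BAD) + audit_autorun_inf(AUTORUN_BAD, "C:")):
        print(f)
    print("shell resolves to", resolve_shell(SEARCH_ORDER, HIJACKED_FILES),
          "hijacked:", shell_is_hijacked(SEARCH_ORDER, HIJACKED_FILES))
```

A HIPS rule that simply denies writes to these files catches the entry being planted; the audit above is the complementary check for entries that were already there before the protection was switched on.
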
hdlcpqs
Posted on 2010-4-5 10:06:18
Last edited by hdlcpqs on 2010-4-5 10:19

HIPS input-method settings protection:

*System\CurrentControlSet\Control\Keyboard Layouts\*

hdlcpqs
Posted on 2010-4-5 10:10:23
Last edited by hdlcpqs on 2010-4-5 10:20

53 autostart methods


Registry
1.
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Run\
All values in this key are executed.
2.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
All values in this key are executed, and then their autostart reference is deleted.
3.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
All values in this key are executed as services.
4.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
All values in this key are executed as services, and then their autostart reference is deleted.
5.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
All values in this key are executed.
6.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
All values in this key are executed, and then their autostart reference is deleted.
7.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
Used only by Setup. Displays a progress dialog box as the keys are run one at a time.
8.
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\
Similar to the Run key from HKEY_CURRENT_USER.
9.
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Similar to the RunOnce key from HKEY_CURRENT_USER.
10.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The "Shell" value is monitored. This value is executed after you log in.
11.
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\
All subkeys are monitored, with special attention paid to the "StubPath" value in each subkey.
12.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\
All subkeys are monitored, with special attention paid to the "StaticVXD" value in each subkey.
13.
HKEY_CURRENT_USER\Control Panel\Desktop
The "SCRNSAVE.EXE" value is monitored. This value is launched when your screen saver activates.
14.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
The "BootExecute" value is monitored. Files listed here are Native Applications that are executed before Windows starts.
15.
HKEY_CLASSES_ROOT\vbsfile\shell\open\command\
Executed whenever a .VBS file (Visual Basic Script) is run.
16.
HKEY_CLASSES_ROOT\vbefile\shell\open\command\
Executed whenever a .VBE file (Encoded Visual Basic Script) is run.
17.
HKEY_CLASSES_ROOT\jsfile\shell\open\command\
Executed whenever a .JS file (Javascript) is run.
18.
HKEY_CLASSES_ROOT\jsefile\shell\open\command\
Executed whenever a .JSE file (Encoded Javascript) is run.
19.
HKEY_CLASSES_ROOT\wshfile\shell\open\command\
Executed whenever a .WSH file (Windows Scripting Host) is run.
20.
HKEY_CLASSES_ROOT\wsffile\shell\open\command\
Executed whenever a .WSF file (Windows Scripting File) is run.
21.
HKEY_CLASSES_ROOT\exefile\shell\open\command\
Executed whenever a .EXE file (Executable) is run.
22.
HKEY_CLASSES_ROOT\comfile\shell\open\command\
Executed whenever a .COM file (Command) is run.
23.
HKEY_CLASSES_ROOT\batfile\shell\open\command\
Executed whenever a .BAT file (Batch Command) is run.
24.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\
Executed whenever a .SCR file (Screen Saver) is run.
25.
HKEY_CLASSES_ROOT\piffile\shell\open\command\
Executed whenever a .PIF file (Portable Interchange Format) is run.
26.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
Services marked to startup automatically are executed before user login.
27.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries\
Layered Service Providers, executed before user login.
28.
HKEY_LOCAL_MACHINE\System\Control\WOW\cmdline
Executed when a 16-bit Windows executable is executed.
29.
HKEY_LOCAL_MACHINE\System\Control\WOW\wowcmdline
Executed when a 16-bit DOS application is executed.
30.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Executed when a user logs in.
31.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
Executed by explorer.exe as soon as it has loaded.
32.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
Executed when the user logs in.
33.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Executed when the user logs in.
34.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Subvalues are executed when Explorer initialises.
35.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Subvalues are executed when Explorer initialises.
Folders
1. windir\Start Menu\Programs\Startup\
2. User\Startup\
3. All Users\Startup\
4. windir\system\iosubsys\
5. windir\system\vmm32\
6. windir\Tasks\
Files
1. c:\explorer.exe
2. c:\autoexec.bat
3. c:\config.sys
4. windir\wininit.ini
5. windir\winstart.bat
6. windir\win.ini - [windows] "load"
7. windir\win.ini - [windows] "run"
8. windir\system.ini - [boot] "shell"
9. windir\system.ini - [boot] "scrnsave.exe"
10. windir\dosstart.bat
11. windir\system\autoexec.nt
12. windir\system\config.nt
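
A defender-side check for items 10, 15-25 and 30 of the registry list above, as an added example (not code from the thread or from XT): a small parser for `reg export` style text, followed by a comparison of the file-association `shell\open\command` values and the Winlogon `Shell`/`Userinit` values against their stock defaults, which is how a hijacked association or an extra Userinit program shows up. The export text is constructed; the expected defaults (`"%1" %*`, `"%1" /S`, WScript.exe or CScript.exe as the script host, `C:\WINDOWS\system32\userinit.exe,`) are assumptions taken from a stock Windows XP install; real exports store REG_EXPAND_SZ data as `hex(2):`, which this parser keeps raw rather than decoding.

```python
"""Check the file-association and Winlogon values from the registry list above
(items 10, 15-25, 30) against their stock defaults, reading a `reg export`-style
text. Added example with constructed input; not code from the thread or from XT.
The expected defaults below are assumptions taken from a stock Windows XP install."""
import re
from typing import Dict, List, Tuple

HIVE_ABBREV = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
               "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
RegData = Dict[str, Dict[str, str]]
# "name"="data" or @="data"; data may also be dword:/hex(2):, which is kept raw
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def normalize_key(path: str) -> str:
    """Abbreviate the hive and lower-case the rest so HKEY_CLASSES_ROOT\\ExeFile
    and hkcr\\exefile compare equal."""
    hive, sep, rest = path.strip().partition("\\")
    hive = HIVE_ABBREV.get(hive.upper(), hive.upper())
    return hive + ("\\" + rest.lower() if sep else "")


def _unescape(s: str) -> str:
    """Undo .reg escaping (backslash-backslash and backslash-quote)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> RegData:
    """Parse [key] headers and one-line values; value names are lower-cased and the
    default value is stored under ''. hex(...) continuation lines are not followed."""
    data: RegData = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = normalize_key(line[1:-1])
            data.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(2)).lower()
            rhs = m.group(3)
            if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
                data[key][name] = _unescape(rhs[1:-1])
            else:
                data[key][name] = rhs
    return data


PLAIN_HOSTS = ("exefile", "comfile", "batfile", "piffile")                       # items 21-23, 25
SCRIPT_HOSTS = ("vbsfile", "vbefile", "jsfile", "jsefile", "wshfile", "wsffile")  # items 15-20
WINLOGON = normalize_key("HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon")


def _first_exe(cmd: str) -> str:
    """Base name of the program a shell command line launches ('' if empty)."""
    if not cmd.strip():
        return ""
    head = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    return head.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit_reg(data: RegData, system_root: str = "C:\\WINDOWS") -> List[Tuple[str, str, str]]:
    """Return (key, value name, actual data) for every value that departs from its
    stock default; values absent from the export are not reported."""
    findings = []
    for cls in PLAIN_HOSTS:
        key = f"HKCR\\{cls}\\shell\\open\\command"
        cmd = data.get(key, {}).get("")
        if cmd is not None and cmd.strip().lower() != '"%1" %*':
            findings.append((key, "", cmd))
    key = "HKCR\\scrfile\\shell\\open\\command"                                   # item 24
    cmd = data.get(key, {}).get("")
    if cmd is not None and cmd.strip().lower() != '"%1" /s':
        findings.append((key, "", cmd))
    for cls in SCRIPT_HOSTS:
        key = f"HKCR\\{cls}\\shell\\open\\command"
        cmd = data.get(key, {}).get("")
        if cmd is not None and _first_exe(cmd) not in ("wscript.exe", "cscript.exe"):
            findings.append((key, "", cmd))
    wl = data.get(WINLOGON, {})
    shell = wl.get("shell")                                                       # item 10
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON, "shell", shell))
    userinit = wl.get("userinit")                                                 # item 30
    if userinit is not None:
        parts = [p.strip().lower() for p in userinit.split(",") if p.strip()]
        if parts != [(system_root + "\\system32\\userinit.exe").lower()]:
            findings.append((WINLOGON, "userinit", userinit))
    return findings


# Constructed export (not from a real machine); dropper.exe is a placeholder name.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\TEMP\\dropper.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"

[HKEY_CLASSES_ROOT\vbsfile\shell\open\command]
@="\"C:\\WINDOWS\\System32\\WScript.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\jsfile\shell\open\command]
@="\"C:\\WINDOWS\\TEMP\\dropper.exe\" \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\TEMP\\dropper.exe"
"AutoRestartShell"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, actual in audit_reg(parse_reg(SAMPLE_EXPORT)):
        print(f"{key} [{name or '(Default)'}] = {actual}")
```

Three of the constructed values are reported: the exefile and jsfile commands that launch a program other than the file itself or the script host, and the Userinit value carrying a second program after the comma. The same comparison is what a repair function would use to decide which values to reset to their defaults.
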
