echo: nthelp
to: John Cuccia
from: Rich
date: 2004-06-03 08:27:48
subject: Re: app startup locations

   The policy keys are valid.  They are used for (surprise) group
policy.  If you don't use group policy or have your policy configure run
values then the key won't exist or have any entries.

   I have seen trojans use this as well as the others below.  I've never
heard of or seen use of subkeys.

Rich

  "John Cuccia"  wrote in message
  news:6s7ub0lala87lkqvkd7qk4cb5tunn6dnt6{at}4ax.com...
  Neither have I.  I just did a quick check of one of our W2K servers
  and the Policies\Explorer\Run keys weren't there,

  Of course that doesn't mean anything except that they did not exist on
  that particular machine.  I wonder if Rich could tell us if they are
  valid reg entries?


  On Thu, 3 Jun 2004 05:58:19 -0400, "Geo."  wrote:

  >the policies keys are the ones I've never seen listed before.
  >
  >Geo.
  >
  >"John Cuccia"  wrote in message
  >news:do8sb0phg2c2mjj4pu9gn34dmttqs6vdto{at}4ax.com...
  >> On Wed, 2 Jun 2004 14:45:06 -0400, "Geo." wrote:
  >>
  >> >It turns out that W2K has a "feature" not shared by any other MS O/S
  >> >
  >> >-- it launches any program in any subkey of (at least) six keys:
  >> >HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  >> >HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  >> >HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  >> >HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  >> >HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  >> >HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  >>
  >> I don't think the above is true. I vaguely recall W95 and NT4 having
  >> those registry keys (except maybe the first one). XP definitely has
  >> them.
  >>
  >>
  >> >This would simply be a curiosity except that I can't find a single
  >> >third party utility (other than the Silent Runners script) that
  >> >identifies programs located in such subkeys.
  >>
  >> I don't think this is true either. I believe they are exposed by (at
  >> least) TweakUI and I know I've seen other utilities report them.
  >>
  >>
  >


--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)

SOURCE: echomail via fidonet.ozzmosis.com
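
An added example, not part of the original messages: a PowerShell audit that lists every value under the six keys quoted in the thread, walking any subkeys as well, so the entries can be reviewed on a given machine. The function name Get-AutostartEntry and the output column names are assumptions of this example.

```powershell
# Added example (not from the thread): list every value under the six
# autostart keys quoted above, walking subkeys as well as the keys themselves.
$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntry {   # hypothetical helper name
    param([string[]]$Path = $AutostartKeys)

    foreach ($root in $Path) {
        # A missing key is normal: per the thread, the policy Run keys
        # are absent when no policy configures run values.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        $rootKey = Get-Item -LiteralPath $root
        # @(...) yields an empty array when the key has no subkeys.
        $keys = @($rootKey) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key      = $key.Name
                    InSubkey = ($key.Name -ne $rootKey.Name)
                    Name     = if ($name) { $name } else { '(Default)' }
                    # Read REG_EXPAND_SZ data unexpanded so the stored string is shown.
                    Command  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                }
            }
        }
    }
}

# Entries found in subkeys sort first, then the ordinary Run/RunOnce values.
Get-AutostartEntry | Sort-Object -Property InSubkey -Descending |
    Format-Table -AutoSize -Wrap
```

The script only reads the registry; the HKLM keys are readable by standard users, and HKCU reflects the account that runs it.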
