九乡新闻网越光宝盒粤语高清下载:高危注册表键值(重点保护对象)
来源:百度文库 编辑:九乡新闻网 时间:2024/04/27 08:30:16
总结一些最常被恶意程序篡改的高危注册表键值,不全,但大多数常见的基本都在这了(也欢迎各位大大继续补充),主要可以被用来达到自启动或连带启动的效果
做HIPS的RD(注册表监控)规则的时候,大家可以参考哈
注:
HKLM = HKEY_LOCAL_MACHINE
HKCU = HKEY_CURRENT_USER
HKU = HKEY_USERS
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\HKLM\SYSTEM\ControlSet001\Control\Session Manager\BootExecuteHKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLsHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\NotifyHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceExHKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\HKLM\System\CurrentControlSet\Services\VxD\HKCU\Control Panel\DesktopHKLM\System\CurrentControlSet\Services\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserinitHKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\runHKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\loadHKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\HKLM\SOFTWARE\Classes\Protocols\FilterHKLM\SOFTWARE\Classes\Protocols\HandlerHKLM\SOFTWARE\Microsoft\Active Setup\Installed ComponentsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskSchedulerHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoadHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooksHKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\ApprovedHKLM\Software\Classes\Folder\Shellex\ColumnHandlersHKCU\Software\Microsoft\Internet Explorer\UrlSearchHooksHKLM\Software\Microsoft\Internet Explorer\ToolbarHKLM\Software\Microsoft\Internet Explorer\ExtensionsHKLM\System\CurrentControlSet\Control\Session Manager\BootExecuteHKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution OptionsHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHostHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\NotifyHKLM\SYSTEM\CurrentControlSet\Control\Print\MonitorsHKLM\SYSTEM\CurrentControlSet\Control\MPRServicesHKCU\ftp\shell\open\commandHKCR\ftp\shell\open\commandHKCU\Software\Microsoft\oleHKCU\Software\Microsoft\Command ProcessorHKLM\SOFTWARE\Classes\mailto\shell\open\commandHKCR\PROTOCOLSHKCU\Control Panel\DesktopHKLM\SOFTWARE\Policies\Microsoft\Windows\System\ScriptsHKLM\SOFTWARE\Microsoft\Code Store Database\Distribution UnitsHKLM\SYSTEM\CurrentControlSet\Services\WinSock2HKLM\SYSTEM\CurrentControlSet\Services\WinSockHKLM\SYSTEM\CurrentControlSet\Control\LsaHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\RunHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCacheHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoadHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskSchedulerHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooksHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell folders\StartupHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runServicesHKCU\Software\Microsoft\Windows NT\CurrentVersion\WindowsHKLM\Software\Microsoft\Windows NT\CurrentVersion\WindowsHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMappingHKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution OptionsHKLM\System\CurrentControlSet\Control\Session Manager\KnownDllsHKLM\SOFTWARE\Classes\Protocols\HandlerHKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupProgramsHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellHKLM\Software\Microsoft\Command ProcessorHKLM\SOFTWARE\Microsoft\RasHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NetworkHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post PlatformHKCU\Software\Microsoft\Security CenterHKLM\Software\Microsoft\Security CenterHKLM\SOFTWARE\Microsoft\NetcacheHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExtHKCU\Software\Microsoft\Internet explorer\Main\\*pageHKCU\Software\Microsoft\Internet explorer\Main\\Enable Browser ExtensionsHKCU\Software\Microsoft\Internet explorer\Main\FeaturecontrolHKCU\Software\Microsoft\Internet explorer\MenuextHKCU\Software\Microsoft\Internet explorer\StylesHKLM\Software\Clients\StartmenuinternetHKLM\Software\Microsoft\Code store database\Distribution unitsHKCU\Software\Microsoft\Internet explorer\AbouturlsHKLM\Software\Microsoft\Internet explorer\Activex compatibilityHKCU\Software\Microsoft\Internet Explorer\Explorer BarsHKLM\Software\Microsoft\Internet explorer\Main\\*pageHKLM\Software\Microsoft\Internet explorer\StylesHKLM\Software\Microsoft\Internet explorer\MenuextHKLM\Software\Microsoft\Internet explorer\PluginsHKLM\Software\Microsoft\Windows\Currentversion\Explorer\Browser helpr objectsHKLM\Software\Microsoft\Windows\Currentversion\Internet settings\*zonesHKLM\Software\Microsoft\Windows\Currentversion\Internet settings\SafesitesHKLM\Software\Microsoft\Windows\Currentversion\Internet settings\UrlHKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\ProtocoldefaultsHKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\DomainsHKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\Ranges
做HIPS的RD(注册表监控)规则的时候,大家可以参考哈
注:
HKLM = HKEY_LOCAL_MACHINE
HKCU = HKEY_CURRENT_USER
HKU = HKEY_USERS
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\HKLM\SYSTEM\ControlSet001\Control\Session Manager\BootExecuteHKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLsHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\NotifyHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceExHKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\HKLM\System\CurrentControlSet\Services\VxD\HKCU\Control Panel\DesktopHKLM\System\CurrentControlSet\Services\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserinitHKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\runHKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\loadHKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\HKLM\SOFTWARE\Classes\Protocols\FilterHKLM\SOFTWARE\Classes\Protocols\HandlerHKLM\SOFTWARE\Microsoft\Active Setup\Installed ComponentsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskSchedulerHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoadHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooksHKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\ApprovedHKLM\Software\Classes\Folder\Shellex\ColumnHandlersHKCU\Software\Microsoft\Internet Explorer\UrlSearchHooksHKLM\Software\Microsoft\Internet Explorer\ToolbarHKLM\Software\Microsoft\Internet Explorer\ExtensionsHKLM\System\CurrentControlSet\Control\Session Manager\BootExecuteHKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution OptionsHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHostHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\NotifyHKLM\SYSTEM\CurrentControlSet\Control\Print\MonitorsHKLM\SYSTEM\CurrentControlSet\Control\MPRServicesHKCU\ftp\shell\open\commandHKCR\ftp\shell\open\commandHKCU\Software\Microsoft\oleHKCU\Software\Microsoft\Command ProcessorHKLM\SOFTWARE\Classes\mailto\shell\open\commandHKCR\PROTOCOLSHKCU\Control Panel\DesktopHKLM\SOFTWARE\Policies\Microsoft\Windows\System\ScriptsHKLM\SOFTWARE\Microsoft\Code Store Database\Distribution UnitsHKLM\SYSTEM\CurrentControlSet\Services\WinSock2HKLM\SYSTEM\CurrentControlSet\Services\WinSockHKLM\SYSTEM\CurrentControlSet\Control\LsaHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\RunHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCacheHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoadHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskSchedulerHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooksHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell FoldersHKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell folders\StartupHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\runServicesHKCU\Software\Microsoft\Windows NT\CurrentVersion\WindowsHKLM\Software\Microsoft\Windows NT\CurrentVersion\WindowsHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMappingHKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution OptionsHKLM\System\CurrentControlSet\Control\Session Manager\KnownDllsHKLM\SOFTWARE\Classes\Protocols\HandlerHKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupProgramsHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellHKLM\Software\Microsoft\Command ProcessorHKLM\SOFTWARE\Microsoft\RasHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NetworkHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post PlatformHKCU\Software\Microsoft\Security CenterHKLM\Software\Microsoft\Security CenterHKLM\SOFTWARE\Microsoft\NetcacheHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExtHKCU\Software\Microsoft\Internet explorer\Main\\*pageHKCU\Software\Microsoft\Internet explorer\Main\\Enable Browser ExtensionsHKCU\Software\Microsoft\Internet explorer\Main\FeaturecontrolHKCU\Software\Microsoft\Internet explorer\MenuextHKCU\Software\Microsoft\Internet explorer\StylesHKLM\Software\Clients\StartmenuinternetHKLM\Software\Microsoft\Code store database\Distribution unitsHKCU\Software\Microsoft\Internet explorer\AbouturlsHKLM\Software\Microsoft\Internet explorer\Activex compatibilityHKCU\Software\Microsoft\Internet Explorer\Explorer BarsHKLM\Software\Microsoft\Internet explorer\Main\\*pageHKLM\Software\Microsoft\Internet explorer\StylesHKLM\Software\Microsoft\Internet explorer\MenuextHKLM\Software\Microsoft\Internet explorer\PluginsHKLM\Software\Microsoft\Windows\Currentversion\Explorer\Browser helpr objectsHKLM\Software\Microsoft\Windows\Currentversion\Internet settings\*zonesHKLM\Software\Microsoft\Windows\Currentversion\Internet settings\SafesitesHKLM\Software\Microsoft\Windows\Currentversion\Internet settings\UrlHKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\ProtocoldefaultsHKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\DomainsHKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\Ranges
高危注册表键值(重点保护对象)
注册表常用键值
教你智能删除注册表键值
胃癌高危对象
肺癌高危对象
肠癌高危对象
肝癌高危对象
乳腺癌高危对象
食管癌高危对象
宫颈癌高危对象
四招让注册表键值定位起来更快速 - 网络知识
大肠癌的高危对象
软件自定义卸载器 (可结束进程、删除目录、文件、注册表键值)
鸟王——金雕(国家I级重点保护动物)
注册表大全(一)
注册表
注册表系统优化(批处理文件)
注册表系统优化(批处理文件)
注册表系统优化(批处理文件)
(★)“高危”志愿者 [冯翔]
注册表应用100例(收藏)
实用注册表(亲身实践过的)
javascript对象系统(六)
深圳清理高危人群全记录(组图)