# Tip: STARTUP ORDER FOR WINDOWS NT4/2000/XP



## lotuseclat79 (Sep 12, 2003)

STARTUP ORDER FOR WINDOWS NT4/2000/XP

1. BootExecute
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
2. Services
3. User enters a password and logs on to the system
4. UserInit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
5. Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
6. All Users-RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
7. All Users-Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
8. All Users-RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
9. All Users-RunEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunEx
10. Current User-RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
11. Current User-Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
12. Current User-RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
13. Current User-RunEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunEx
14. Common Startup Folder
15. Startup Folder

-- Tom
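An added example, not part of Tom's post: a PowerShell function that dumps the registry and folder locations listed above, tagged with the post's step numbers, as objects a defender can export and diff against a known-good baseline to spot new autostart entries. It assumes an elevated PowerShell session; steps 2 and 3 (services and logon) are not value lists and are omitted, and any listed key a given build does not have is skipped rather than reported.

```powershell
# Added example (not from the thread): enumerate the autostart locations in the
# order the post lists them. Assumes an elevated session; missing keys are skipped.
function Get-PostedStartupEntries {
    $hklmRun  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
    $hkcuRun  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    # Step number, label, key, and (for single-value locations) the value name.
    $locations = @(
        @{ Order = 1;  Label = 'BootExecute'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name = 'BootExecute' }
        @{ Order = 4;  Label = 'UserInit';    Key = $winlogon; Name = 'UserInit' }
        @{ Order = 5;  Label = 'Shell';       Key = $winlogon; Name = 'Shell' }
        @{ Order = 6;  Label = 'All Users-RunOnce';      Key = "$hklmRun\RunOnce" }
        @{ Order = 7;  Label = 'All Users-Run';          Key = "$hklmRun\Run" }
        @{ Order = 8;  Label = 'All Users-RunOnceEx';    Key = "$hklmRun\RunOnceEx" }
        @{ Order = 9;  Label = 'All Users-RunEx';        Key = "$hklmRun\RunEx" }
        @{ Order = 10; Label = 'Current User-RunOnce';   Key = "$hkcuRun\RunOnce" }
        @{ Order = 11; Label = 'Current User-Run';       Key = "$hkcuRun\Run" }
        @{ Order = 12; Label = 'Current User-RunOnceEx'; Key = "$hkcuRun\RunOnceEx" }
        @{ Order = 13; Label = 'Current User-RunEx';     Key = "$hkcuRun\RunEx" }
    )
    foreach ($loc in $locations) {
        if (-not (Test-Path -LiteralPath $loc.Key)) { continue }   # key absent on this build
        $item = Get-ItemProperty -LiteralPath $loc.Key
        # Single named value (BootExecute is REG_MULTI_SZ, one program per element);
        # otherwise every value under the key is its own autostart command.
        $names = if ($loc.Name) { @($loc.Name) }
                 else { $item.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' } }
        foreach ($n in $names) {
            foreach ($cmd in @($item.$n)) {
                if ($cmd) {
                    [pscustomobject]@{ Order = $loc.Order; Location = $loc.Label; Name = $n; Command = $cmd }
                }
            }
        }
    }
    # Steps 14 and 15: shortcuts in the common and per-user Startup folders.
    $folders = @(
        @{ Order = 14; Label = 'Common Startup Folder'; Path = [Environment]::GetFolderPath('CommonStartup') }
        @{ Order = 15; Label = 'Startup Folder';        Path = [Environment]::GetFolderPath('Startup') }
    )
    foreach ($f in $folders) {
        Get-ChildItem -LiteralPath $f.Path -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Order = $f.Order; Location = $f.Label; Name = $_.Name; Command = $_.FullName }
        }
    }
}
Get-PostedStartupEntries | Sort-Object Order | Format-Table -AutoSize
```

Pipe the function into `Export-Csv` on a clean machine and again later, then `Compare-Object` the two files; driver load order (the GroupOrderList discussed further down the thread) is a separate key and is not covered here.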


----------



## foxfire (Jan 14, 2003)

Lotuseclat 79.

Very useful. Many thanks.

Foxfire


----------



## brendandonhu (Jul 8, 2002)

I believe kernel-mode device drivers load before all of that too.
http://www.greatis.com/security/startuporder.htm


----------



## lotuseclat79 (Sep 12, 2003)

brendandonhu said:


> I believe kernel-mode device drivers load before all of that too.
> http://www.greatis.com/security/startuporder.htm


Hi brendandonhu,

One would think so, brendandonhu, but there is a way to tell for sure.

Download/install and run the freeware LoadOrder v1.0 from: http://www.sysinternals.com/SystemInformationUtilities.html

Now, to demonstrate that it is possible for at least the following program to load prior to anything else, download/install/run (freeware) SnoopFree Privacy Shield from: http://www.snoopfree.com/default.htm

Reboot.

Now, run LoadOrder and you should find that SnoopFree loads before anything else.

-- Tom


----------



## brendandonhu (Jul 8, 2002)

SnoopFree _is_ a device driver, I imagine you could force other drivers to load first though.


----------



## lotuseclat79 (Sep 12, 2003)

brendandonhu said:


> SnoopFree _is_ a device driver, I imagine you could force other drivers to load first though.


Hi brendandonhu,

It comes in two parts:
1) SnoopFreeUI.exe is the User Interface, and
2) SnoopFreeSVC.exe is the driver

As you will note when you run LoadOrder after installing SnoopFree, it loads before any other driver, so, in order to force other drivers to load before it, you would have to either override what it does to place it first, or somehow bump it in the LoadOrder and push it back.

-- Tom


----------



## brendandonhu (Jul 8, 2002)

All it does to load first is add its registry key to the top of GroupOrderList then list its group first in GroupOrderList. If another driver wants to load first, it simply moves its group up to the first slot (you can move SnoopFree to load last by cut-n-pasting in regedit.)


----------



## lotuseclat79 (Sep 12, 2003)

brendandonhu said:


> All it does to load first is add its registry key to the top of GroupOrderList then list its group first in GroupOrderList. If another driver wants to load first, it simply moves its group up to the first slot (you can move SnoopFree to load last by cut-n-pasting in regedit.)


Hi brendandonhu,

Good work on discovering how SnoopFree loads first! However, if one inserted the launch of SnoopFreeSVC.exe into the BootExecute part of the Registry, I wonder if it would precede the GroupOrderList?

I suppose if one follows your suggestion, however, it would defeat the purpose of having it load first which is to beat any keylogger (at least the hooking kind) to the punch - so to speak.

Here is a very good article on spyware keyloggers:
http://www.securityfocus.com/infocus/1829

SnoopFree perhaps cannot shield one from a kernel-level keylogger, but at least if one has other HIPS or IDS in place that are robust in the area of kernel-level change detection one can avoid them as well.

-- Tom


----------



## brendandonhu (Jul 8, 2002)

BootExecute actually loads right after the kernel drivers. You can't just drop SnoopFreeSvc.exe into BootExecute -- it has to be written/compiled specially to load that way.


----------

