How to Prevent Applications Listed in the Registry Run and RunOnce Keys from Starting

As outlined in Chapter 6, at logon Windows 2000, Windows XP, and Windows Server 2003 start the programs referenced in the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Programs listed in the Run registry keys run every time the user logs on. The programs specified under the RunOnce key run just once. These entries are generally configured by installation routines. However, the Run and RunOnce registry keys are also a favorite target for attacks and are the keys most often used for installing worms, viruses, and Trojans. For this reason, you may wish to disable the Run and RunOnce lists for your computers.

To accomplish this, enable the Do not process the run once list and Do not process the legacy run list policies under Computer Configuration | Administrative Templates | System or User Configuration | Administrative Templates | System | Logon (Fig. 12.8).

Figure 12.8: Disabling the Run and RunOnce registry keys using Group Policy Object Editor

If the policies are set to Not configured, you can implement them by editing the system registry. Using this method, you can disable the following registry keys that run applications at startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

To disable any of the above keys, start Registry Editor and locate the following key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Under this key, create the REG_DWORD value entries listed in Table 12.4. Set these values to 1. Setting these values to 0 will re-enable the respective Run keys.

Table 12.4: Registry Values Disabling Run and RunOnce Keys

Value name                    Disables the key
----------------------------  ------------------------------------------------------------------
DisableLocalMachineRun        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
DisableLocalMachineRunOnce    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
DisableCurrentUserRun         HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
DisableCurrentUserRunOnce     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
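
The registry edit described above, scripted in PowerShell as an added example (not code from the book): it reports the state of each Table 12.4 value alongside the entries currently stored in the key it governs, and can set all four values at once. The function names Get-RunKeyPolicyReport and Set-RunKeyPolicy are hypothetical; the value names and key paths are those given in Table 12.4.

```powershell
# Added example, not from the book. Requires PowerShell 3.0 or later.
# Run in an elevated session: writing under HKLM needs administrator rights.
$PolicyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Value name -> startup key it disables, as listed in Table 12.4
$RunPolicies = [ordered]@{
    DisableLocalMachineRun     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    DisableLocalMachineRunOnce = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    DisableCurrentUserRun      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    DisableCurrentUserRunOnce  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
}

# Report each policy value and the entries that exist in the key it governs,
# so you can see which programs stop launching before you change anything.
function Get-RunKeyPolicyReport {
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($entry in $RunPolicies.GetEnumerator()) {
        $state = $policy.($entry.Key)          # $null when the value is absent
        $key   = Get-Item -Path $entry.Value -ErrorAction SilentlyContinue
        $names = @()
        if ($key) { $names = @($key.GetValueNames() | Where-Object { $_ -ne '' }) }
        [pscustomobject]@{
            ValueName   = $entry.Key
            State       = if ($null -eq $state) { 'not set' } else { $state }
            DisablesKey = $entry.Value
            Entries     = $names -join ', '
        }
    }
}

# Create the four REG_DWORD values: 1 disables the keys, 0 re-enables them.
function Set-RunKeyPolicy {
    param([ValidateRange(0, 1)][int]$State = 1)
    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $RunPolicies.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
            -Value $State -Force | Out-Null
    }
}

# Review first; apply only after confirming nothing required is listed.
Get-RunKeyPolicyReport | Format-Table -AutoSize -Wrap
# Set-RunKeyPolicy -State 1
```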



Windows Server 2003 Registry
Unicode Explained
ISBN: 1931769214
EAN: 2147483647
Year: 2005
Pages: 129
