在警惕熊猫烧变种玉兔病毒毁灭安全模式 &&& 如何清除玉兔病毒一文中了解到：玉兔病毒是通过修改注册表启动项随机启动病毒的，也许大部分人都指导注册表中的启动项 RUN 和 RUNONCE，但是应该有很少人指导这个启动项吧！于是笔者从翻阅了很多资料，把系统启动项总结出来。多了解点系统启动项的知识，对于解决未知的木马病毒间谍软件等会有很多帮助。

以下是系统启动时所有可能加载启动程序的方式：
＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝＝
通过文件夹启动 ：
★      %windir%\Start Menu\Programs\Startup\
★      User\Startup\
★      All Users\Startup\
★      %windir%\system\iosubsys\
★      %windir%\system\vmm32\
★      %windir%\Tasks\
通过文件启动:
★      c:\explorer.exe
★      c:\autoexec.bat
★      c:\config.sys
★      %windir%\wininit.ini
★      %windir%\winstart.bat
★      %windir%\win.ini - [windows] “load”
★      %windir%\win.ini - [windows] “run”
★      %windir%\system.ini - [boot] “shell”
★      %windir%\system.ini - [boot] “scrnsave.exe”
★      %windir%\dosstart.bat
★      %windir%\system\autoexec.nt
★      %windir%\system\config.nt
通过注册表启动:
★     HKEY_LOCAL_MACHINE\Software\Microsoft \Windows\Curr entVersion\Run\
All values in this key are executed.
★     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
All values in this key are executed, and then their autostart reference is deleted.
★     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
All values in this key are executed as services.
★    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ All values in this key are executed as services, and then their autostart reference is deleted.
★     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
All values in this key are executed.
★     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\
All values in this key are executed, and then their autostart reference is deleted.
★     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
Used only by Setup. Displays a progress dialog box as the keys are run one at a time.
★     HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\
Similar to the Run key from HKEY_CURRENT_USER.
★     HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Similar to the RunOnce key from HKEY_CURRENT_USER.
★     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The “Shell” value is monitored. This value is executed after you log in.
★     HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\
All subkeys are monitored, with special attention paid to the “StubPath” value in each subkey.
★     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\VxD\
All subkeys are monitored, with special attention paid to the “StaticVXD” value in each subkey.
★     HKEY_CURRENT_USER\Control Panel\Desktop
The “SCRNSAVE.EXE” value is monitored. This value is launched when your screen saver activates.
★     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Contro l\Session Manager
The “BootExecute” value is monitored. Files listed here are Native Applications that are executed before Windows starts.
★     HKEY_CLASSES_ROOT\vbsfile\shell\open\command\
Executed whenever a .VBS file (Visual Basic Script) is run.
★     HKEY_CLASSES_ROOT\vbefile\shell\open\command\
Executed whenever a .VBE file (Encoded Visual Basic Script) is run.
★     HKEY_CLASSES_ROOT\jsfile\shell\open\command\
Executed whenever a .JS file (Javascript) is run.
★      HKEY_CLASSES_ROOT\jsefile\shell\open\command\
Executed whenever a .JSE file (Encoded Javascript) is run.
★     HKEY_CLASSES_ROOT\wshfile\shell\open\command\
Executed whenever a .WSH file (Windows Scripting Host) is run.
★     HKEY_CLASSES_ROOT\wsffile\shell\open\command\
Executed whenever a .WSF file (Windows Scripting File) is run.
★     HKEY_CLASSES_ROOT\exefile\shell\open\command\
Executed whenever a .EXE file (Executable) is run.
★      HKEY_CLASSES_ROOT\comfile\shell\open\command\
Executed whenever a .COM file (Command) is run.
★     HKEY_CLASSES_ROOT\batfile\shell\open\command\
Executed whenever a .BAT file (Batch Command) is run.
★      HKEY_CLASSES_ROOT\scrfile\shell\open\command\
Executed whenever a .SCR file (Screen Saver) is run.
★     HKEY_CLASSES_ROOT\piffile\shell\open\command\
Executed whenever a .PIF file (Portable Interchange Format) is run.
★     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
Services marked to startup automatically are executed before user login.
★     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_En tries\
Layered Service Providers, executed before user login.
★     HKEY_LOCAL_MACHINE\System\Control\WOW\cmdline
Executed when a 16-bit Windows executable is executed.
★     HKEY_LOCAL_MACHINE\System\Control\WOW\wowcmdline
Executed when a 16-bit DOS application is executed.
★     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Executed when a user logs in.
★     KEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
ShellServiceObjectDelayLoad\
Executed by explorer.exe as soon as it has loaded.
★     HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
Executed when the user logs in.
★      HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
Executed when the user logs in.
★    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Subvalues are executed when Explorer initialises.
★    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Subvalues are executed when Explorer initialises.