Which registry keys cause programs to run automatically

Many programs and tools use Windows run keys and services to start or load automatically whenever the Windows OS boots. While this mechanism can be a necessary convenience, it can also be a problem when a malicious program uses it.

Run keys are part of the registry, a hierarchical database that holds the settings for the Windows operating system, its services and Windows-supported applications. There are seven run keys in total and five Service types.

    1.   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    2.   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    3.   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    4.   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    5.   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    6.   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    7.   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup

In the list above, run keys #1 through #4 are processed once during login or at the boot stage. Run keys #5 and #6 run in the background when the logon dialog box first appears, or at this stage of the boot process if there is no logon. These keys are for background services such as the remote registry service and run only once per boot. Run key #7 runs as part of Setup first-boot activities, or after you use the Add/Remove Programs Wizard.

Note: Run keys are ignored in Safe Mode, although there are ways to get around this setting.
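To review what these keys currently launch, the following added example (not part of the original page) lists every value under the seven keys and reports entries that are new or changed since a saved baseline. The function name `Get-RunKeyEntry` and the baseline path are assumptions, and `HKCU:` covers only the user running the script.

```powershell
# Added example: inventory the seven run keys listed above and diff against a baseline.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup'
)
# Assumption: hypothetical baseline location; store it where it cannot be tampered with.
$baselinePath = Join-Path $env:ProgramData 'runkey-baseline.csv'

function Get-RunKeyEntry {
    param([string[]]$Path)
    foreach ($p in $Path) {
        # Not every key exists on every system; a missing key has no entries.
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $key = Get-Item -LiteralPath $p
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key     = $p
                Name    = if ($name) { $name } else { '(Default)' }
                # Keep %VAR% references unexpanded so the stored string is what gets compared.
                Command = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            }
        }
    }
}

$current = @(Get-RunKeyEntry -Path $runKeys)

if (-not (Test-Path -LiteralPath $baselinePath)) {
    # First run: record the present state as the baseline and show it for review.
    $current | Export-Csv -LiteralPath $baselinePath -NoTypeInformation
    $current | Format-Table -AutoSize -Wrap
} else {
    # Later runs: index the baseline by key and value name, then report differences.
    $known = @{}
    foreach ($b in Import-Csv -LiteralPath $baselinePath) {
        $known["$($b.Key)|$($b.Name)"] = $b.Command
    }
    foreach ($c in $current) {
        $id = "$($c.Key)|$($c.Name)"
        if (-not $known.ContainsKey($id)) { $status = 'New' }
        elseif ($known[$id] -ne $c.Command) { $status = 'Changed' }
        else { continue }
        $c | Add-Member -NotePropertyName Status -NotePropertyValue $status -PassThru
    }
}
```

RunOnce entries are normally deleted after they run, so a baseline taken right after a software install may list values that are gone on the next comparison.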
