Autorun Monitoring


With Autorun monitoring you can be notified if:

 

An application that registers itself in the Add/Remove Programs control panel is installed or uninstalled
An application or file registers itself in a registry location that will automatically run the program when the system starts or a user logs in
An application or file registers itself in a directory that will automatically run the program when the system starts or a user logs in

 

As with most system monitoring features, Autorun Monitoring writes an event to the Application event log whenever it detects a change. Those events only reach you if at least one event log filter is monitoring the Application event log, so make sure such a filter exists.

 

Combined with Service Monitoring, EventSentry will detect most applications and files that will automatically run when the system boots and/or a user logs in.

 

Add/Remove Programs

If an application is installed and registers itself in the Control Panel under Add/Remove Programs, then EventSentry will notify you and log which application was installed or removed.

 

EventSentry will not notify you if an application is installed that does not register itself in Add/Remove Programs. You might still be notified if the application registers itself in one of the many autorun registry keys.

 

Autorun Registry Keys

Some applications register files to run automatically when the computer starts or when a user logs on to the system. While such entries are usually legitimate and harmless, the same mechanism is also used by spyware, Trojan horses and viruses to survive a reboot, which is why changes to these locations deserve attention.

 

EventSentry monitors certain registry locations and will notify you when an application is added or removed from one of the monitored locations. Please note that only HKEY_LOCAL_MACHINE registry keys, which affect all users on the system, are monitored at this time. HKEY_CURRENT_USER keys are not monitored.

 

EventSentry monitors the following registry values:

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell

 

EventSentry monitors the following registry keys:

 

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup

HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon

 

Autorun Directories

In addition to the registry keys listed above, this feature also monitors the following directory and notifies you if a file is added to it:

 

<Documents and Settings>\All Users\Start Menu\Programs\Startup
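
The following PowerShell script is an added example and is not part of EventSentry or of this documentation. It takes a snapshot of every location listed in the three sections above (the registry values, the registry keys and the all-users Startup folder), stores it as JSON, and on later runs reports what was added, removed or modified, which is the same kind of change detection this feature performs. It additionally watches the Uninstall key that backs Add/Remove Programs, so install and uninstall events from the first section are covered by the same run; that key, the snapshot file location and the JSON format are the example's own choices. It needs PowerShell 3.0 or later and should run elevated so all HKLM keys are readable.

```powershell
# Added example, not EventSentry's code: snapshot the autorun locations listed on this
# page and report what was added, removed or changed since the previous snapshot.
# Assumptions: the snapshot path, the JSON format and the extra Uninstall key are
# illustrative choices made for this example.
param(
    [string]$SnapshotPath = "$env:ProgramData\autorun-baseline.json"
)

# Single registry values that name a program to run (the page's "registry values").
$WatchedValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Taskman' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'AppInit_DLLs' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'Shell' }
)

# Keys in which every value (or, for Installed Components and the Scripts keys,
# every subkey) is an autorun entry (the page's "registry keys").
$WatchedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon',
    # Not on the page's list: this is the key Add/Remove Programs reads, so watching it
    # also reports installations and removals (addition made for this example).
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# All-users Startup folder. The page shows the Windows XP path; CommonStartup resolves to
# %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup on Vista and later.
$StartupDir = [Environment]::GetFolderPath('CommonStartup')

function Get-AutorunSnapshot {
    $snap = @{}
    foreach ($v in $WatchedValues) {
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        $snap["$($v.Path)\$($v.Name)"] = if ($item) { [string]($item.($v.Name)) } else { '<absent>' }
    }
    foreach ($k in $WatchedKeys) {
        $keys = @(Get-Item -Path $k -ErrorAction SilentlyContinue)
        $keys += @(Get-ChildItem -Path $k -Recurse -ErrorAction SilentlyContinue)
        foreach ($rk in $keys) {
            foreach ($name in $rk.GetValueNames()) {
                $label = if ($name -eq '') { '(Default)' } else { $name }
                # Keep %VAR% unexpanded so the stored string is exactly what the registry holds.
                $snap["$($rk.Name)\$label"] = [string]$rk.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            }
        }
    }
    foreach ($f in Get-ChildItem -Path $StartupDir -File -ErrorAction SilentlyContinue) {
        # Hash the file so a replaced binary with the same name is reported as Modified.
        $snap["FILE:$($f.FullName)"] = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
    return $snap
}

function Compare-AutorunSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Added'; Location = $k; Value = $Current[$k] }
        } elseif ($Baseline[$k] -cne $Current[$k]) {   # -cne: case matters in a command line
            $changes += [pscustomobject]@{ Change = 'Modified'; Location = $k; Value = "$($Baseline[$k]) -> $($Current[$k])" }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Change = 'Removed'; Location = $k; Value = $Baseline[$k] }
        }
    }
    return $changes
}

$current = Get-AutorunSnapshot
if (-not (Test-Path -Path $SnapshotPath)) {
    $current | ConvertTo-Json | Set-Content -Path $SnapshotPath
    Write-Output "Baseline of $($current.Count) entries written to $SnapshotPath"
    return
}
# ConvertFrom-Json yields a PSCustomObject; turn it back into a hashtable for lookups.
$baseline = @{}
foreach ($p in (Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json).PSObject.Properties) {
    $baseline[$p.Name] = $p.Value
}
$changes = @(Compare-AutorunSnapshot -Baseline $baseline -Current $current)
if ($changes.Count -eq 0) {
    Write-Output 'No autorun changes since baseline.'
} else {
    $changes | Sort-Object Change, Location | Format-Table -AutoSize -Wrap
    # Roll the baseline forward only after the changes above have been reviewed.
    $current | ConvertTo-Json | Set-Content -Path $SnapshotPath
}
```

Run it once to write the baseline, then from a scheduled task; any output other than "No autorun changes" is something to investigate. Like the feature described on this page, the script looks only at HKEY_LOCAL_MACHINE, so per-user Run keys under HKEY_CURRENT_USER are not covered, and on 64-bit Windows the WOW6432Node copies of the Run and Uninstall keys are not in the list either; add them to $WatchedKeys if 32-bit software on the host matters to you.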

 

Additional Information

The Active Setup\Installed Components registry subkey is intended for installers that need to make sure that every user on a system has up-to-date information in their profile, and as such it is examined every time a user logs in. This key has unfortunately been misused by software to install and run malicious applications. We urge you to investigate all changes to this registry key to make sure only authorized applications register themselves there.

 

 

Please see the next chapter for all event records logged to the application event log by this feature.