Because the Registry is where all malware (Trojan horses, dialers, adware, etc.) will be recorded and will be run from. More clever programs can also use the Registry to protect themselves from being uninstalled (after a fashion), by making sure their hidden installer file is called every time you start the computer.
Having a look in the Registry is not that hard and as long as you do not delete entries without any regard, there will be no problem. The instructions below should equip the average user with another tool in his or her arsenal against the continuous threat of malware.
First, the obligatory warning:-
CAUTION:-
When you edit the registry you can stop the entire Operating System from working with one mistimed press of the Delete button.
BE CAREFUL. Editing the registry is very easy and the layout is pretty obvious, but double-check you are on the correct key before you press Delete. There is no Undo facility. Please don't blame me if your computer won't work afterwards - if in doubt about your abilities, ask someone!
Here's how to edit the Run entries in the Registry:-
- Log in to Windows. You will have to be an administrator if you have set up user accounts with restrictions.
- Click Start - Run... and in the dialog box type: regedit followed by Enter to load the Registry Editor.
- If you have problems getting into the registry, shut down the PC, remove all network and modem connections (including USB broadband modems) and try again. You MUST have the PC shut down before you remove such connections; some spyware and other tools maintain connections and may interfere with certain functions unless they fail to establish such a connection on boot.
- If you haven't run this before, all 5 "hives" (the 5 main sections) in the registry will be closed. For easy navigation, just click (once!) the little plus symbol ("+") within each box. This is clearer than double-clicking each folder.
We are interested in the HKEY_LOCAL_MACHINE (abbreviated HKLM) hive and in certain "keys" within that hive. So:-
- Navigate to the following key:- HKLM - SOFTWARE - Microsoft - Windows - CurrentVersion - Run
- Examine the entries in there. Some will be valid - check by simply entering the executable name in a Google search.
- To delete an entry (a "key"), highlight it and press Delete. No need to save, it happens immediately. Be careful you get the right key!
- Also check the adjacent keys RunOnce and RunOnceEx, and HKLM - SOFTWARE - Microsoft - Windows - CurrentVersion - Explorer (there should be no 'run' key in there).
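As an added example that is not part of the original guide, the PowerShell script below walks the same keys the steps above tell you to inspect (Run, RunOnce, RunOnceEx, and the Explorer\Run key that should not exist) and lists each entry with the executable it points at, whether that file is present, and whether it carries a valid Authenticode signature. It is read-only and uses only stock cmdlets (Get-Item, Test-Path, Get-AuthenticodeSignature); the command-line parsing in Get-ExePath is my own simplification.

```powershell
# Added example, not part of the original guide: list the autostart entries the
# steps above tell you to inspect, with the executable each one points at and
# whether that file exists and is signed. Read-only; it deletes nothing.
# Run from an elevated PowerShell (the guide's "you will have to be Admin").

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Run'  # should NOT exist
)

# Extract the executable path from a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    C:\Windows\bar.exe -x
function Get-ExePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $CommandLine.Trim()
}

$results = foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Verbose "$key not present" -Verbose
        continue
    }
    if ($key -like '*\Explorer\Run') {
        Write-Warning "An Explorer\Run key exists; the guide says there should be none."
    }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $cmd = [string]$regKey.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }   # e.g. empty default value
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $cmd))
        $status = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid / NotSigned / ...
        } else { 'FILE MISSING' }
        [PSCustomObject]@{
            Key       = $key.Split('\')[-1]
            Name      = $name
            Command   = $cmd
            Signature = $status
        }
    }
}

# Unsigned entries and entries whose file is missing are the ones to look up
# (the guide suggests a web search on the executable name) before deleting.
$results | Sort-Object Signature | Format-Table -AutoSize -Wrap
```

A signed entry is not automatically safe and an unsigned one is not automatically malware; the listing only tells you which names to research before you pick one in regedit and press Delete.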