Removing startup programs from the Windows registry
Some programs, when installed, add entries to the Windows registry so that files run when Windows starts up.
Sometimes these files are absolutely unnecessary and degrade system performance. Other times, viruses and/or malware will use these startup points in the registry to run their own files without your knowledge.
Backing up the registry
When adding or removing entries in the Windows registry, you should always make a backup first in case you add or remove something vital to the operation of the Windows operating system. Before making any changes, right-click the key you are going to modify and click “Export”. This saves the key as a “.reg” file that you can use later if you need to undo any modifications you have made to the registry.
Common load points in the registry
The following are common load points in the registry that most programs use:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Programs can also load files in the Winlogon process by using:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Some viruses have also been known to add additional files to the “Shell” string in Winlogon. The shell should be “explorer.exe”, but some viruses and malware will change it to “explorer.exe nail.exe”. Nail.exe would then load with explorer.exe. To check this setting, navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
In the right pane, make sure the “Shell” string says only “explorer.exe”. Double-click the “Shell” string to open it, because sometimes the virus or malware will place a long run of spaces after explorer.exe. The value then appears normal in regedit: the spaces push the extra filename so far to the right that it does not show in the right pane.
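The checks described above can also be scripted. The following PowerShell is an added example, not part of the original article: it only reads the registry, the function name Test-WinlogonShell is hypothetical, and the padded sample string is constructed from the nail.exe case described above.

```powershell
# Added example: read-only audit of the load points listed on this page.
$runKeys  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Classify a Winlogon "Shell" string (hypothetical helper name).
function Test-WinlogonShell {
    param([string]$Value)
    # Split on runs of whitespace; tokens after the first are extra programs.
    $tokens = @($Value -split '\s+' | Where-Object { $_ })
    [pscustomobject]@{
        Raw    = "[$Value]"        # brackets make trailing padding visible
        Length = $Value.Length     # a clean "explorer.exe" is 12 characters
        Padded = $Value -match '^\s|\s$|\s{2,}'
        Extra  = ($tokens | Select-Object -Skip 1) -join ', '
        Clean  = $Value -ieq 'explorer.exe'
    }
}

# 1. Every value under the two Run keys: its name and the command it starts.
$run = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
    }
}
$run | Format-List | Out-Host

# 2. Subkeys of Winlogon\Notify, if that key exists on this system.
if (Test-Path "$winlogon\Notify") {
    Get-ChildItem -Path "$winlogon\Notify" |
        Select-Object -ExpandProperty PSChildName | Out-Host
}

# 3. The live Shell value, followed by two constructed samples for comparison:
#    a clean value and one padded with spaces ahead of a second filename.
$live    = (Get-ItemProperty -Path $winlogon -Name Shell).Shell
$samples = @($live, 'explorer.exe', ('explorer.exe' + (' ' * 200) + 'nail.exe'))
$samples | ForEach-Object { Test-WinlogonShell $_ } | Format-List | Out-Host
```

For the padded sample, Length is 220 rather than 12 and Extra shows nail.exe, which is the same thing double-clicking the value in regedit reveals.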