HIPS 自定义框架
整理:Baker 2011.8.17 特别感谢zengjian96帮我排版
对关键程序注入运行防护:
*.bat
*.cmd
*.com
*.dll
*.drv
*.exe
*.lnk
*.ocx
*.pif
*.scr
*.sys
关键文件/程序防护:
Cacls.exe
cmd.exe
command.com
cscript.exe
csrss.exe
debug.exe
diskpart.exe
format.exe
ftp.exe
对文件夹的保护:
C:\WINDOWS
C:\WINDOWS\system.ini
C:\WINDOWS\system32
C:\WINDOWS\system32
C:\WINDOWS\System32\AUTOEXEC.nt
C:\WINDOWS\System32\bootvrfy.exe
C:\WINDOWS\system32\config
C:\WINDOWS\System32\CONFIG.nt
C:\WINDOWS\System32\control.ini
C:\WINDOWS\system32\drivers
C:\WINDOWS\system32\drivers\etc
C:\WINDOWS\system32\drivers\etc
C:\WINDOWS\System32\logon.exe
C:\WINDOWS\System32\ntdos.sys
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\win.ini
C:\WINDOWS\wininit.ini
HOSTS
msconfig.exe
msh.exe
mshta.exe
net.exe
net1.exe
netsh.exe
netstat.exe
ntoskrnl.exe
ntsd.exe
ntvdm.exe
reg.exe
regedit.exe
regsvr32.exe
replace.exe
rundll32
lsass.exe
schtasks.exe
services.exe
smss.exe
svchost.exe
system.exe
taskkill.exe
tasklist.exe
telnet.exe
tftp.exe
winlogon.exe
winrar.exe
wscript.exe
注册表关键位置防护
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Programs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Programs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions\
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logoff\
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logoff\
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon\
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon\
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafile\Shell\Open\Command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\htafile\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShellScrap\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ShellScrap\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\HOMEOldSP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\LocalPage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchPage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\StartPage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\StartPage_bak
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Default_Search_URL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ras\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ras\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate\AUOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Driver Signing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\UtilityManager\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility\UtilityManager\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GinaDLL\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot\
HKEY_LOCAL_MACHINE\SOFTWARE\Mirabilis\ICQ\Agent\Apps\IcqWinCfg\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\ComSpec
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\ComSpec
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\Environment\ComSpec
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\Environment\ComSpec
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager\Environment\ComSpec
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Session Manager\Environment\ComSpec
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ComSpec
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\ComSpec
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ShellHWDetection\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\SearchBar
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\SearchPage
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\MessengerService\
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices\
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PrintPorts\
HKEY_USERS\S-1-5-21-682003330-484061587-1801674531-500\SOFTWARE\Microsoft\Internet Explorer\Main\StartPage