
How to Prevent Applications Listed in the Registry Run and RunOnce Keys from Starting

As outlined in Chapter 6, at logon Windows 2000, Windows XP, and Windows Server 2003 start the programs referenced in the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Programs listed in the Run registry keys run every time the user logs on. The programs specified under the RunOnce key run just once. These entries are generally configured by installation routines. However, the Run and RunOnce registry keys are also a favorite target for attacks and are used most often for installing worms, viruses, and Trojans. For this reason, you may wish to disable the Run and RunOnce lists for your computers.

To accomplish this, enable the Do not process the run once list and Do not process the legacy run list policies under Computer Configuration | Administrative Templates | System or User Configuration | Administrative Templates | System | Logon (Fig. 12.8).

Figure 12.8: Disabling the Run and RunOnce registry keys using Group Policy Object Editor
If the policies are set to Not configured, you can implement them by editing the system registry. Using this method, you can disable the following registry keys that run applications at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

To disable any of the above keys, start Registry Editor and locate the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Under this key, create the REG_DWORD value entries listed in Table 12.4. Set these values to 1. Setting these values to 0 will re-enable the respective Run keys.

Table 12.4: Registry Values Disabling Run and RunOnce Keys

| Value name | Disables the key |
| --- | --- |
| DisableLocalMachineRun | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run |
| DisableLocalMachineRunOnce | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce |
| DisableCurrentUserRun | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| DisableCurrentUserRunOnce | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce |
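The registry procedure above can be scripted so that you see which startup entries each value would suppress before you set it. The following PowerShell script is an added example, not code from the book: the `-Apply` switch name is hypothetical, and the script assumes PowerShell 3.0 or later and, when `-Apply` is used, an elevated prompt.

```powershell
# Added example: audit (and optionally set) the Table 12.4 values.
# Without -Apply the script only reports; nothing is written.
param([switch]$Apply)   # hypothetical switch name chosen for this example

$policyKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Value name -> startup key it disables (taken from Table 12.4)
$map = [ordered]@{
    DisableLocalMachineRun     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    DisableLocalMachineRunOnce = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    DisableCurrentUserRun      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    DisableCurrentUserRunOnce  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
}

# Create the policy key only when we are about to write to it
if ($Apply -and -not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

$report = foreach ($name in $map.Keys) {
    $runKey = $map[$name]

    # Names of the entries that would no longer start (skip the unnamed default value)
    $entries = @()
    if (Test-Path $runKey) {
        $entries = @((Get-Item $runKey).GetValueNames() | Where-Object { $_ })
    }

    if ($Apply) {
        # REG_DWORD set to 1 disables the key; 0 re-enables it
        New-ItemProperty -Path $policyKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }

    # Read back the current state; a missing value means the key is not disabled
    $current = $null
    if (Test-Path $policyKey) {
        $current = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    }

    [pscustomobject]@{
        ValueName = $name
        Setting   = if ($null -eq $current) { 'not set' } else { $current }
        Disabled  = ($current -eq 1)
        RunKey    = $runKey
        Entries   = $entries -join ', '
    }
}
$report | Format-Table -AutoSize -Wrap
```

Run it once without `-Apply` and review the Entries column, since installation routines and legitimate software also rely on these keys.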