Most trojans, worms, backdoors, and such make sure they will be run after a reboot by introducing autorun keys and values into the Windows registry. Some of these registry locations are better documented than others and some are more commonly used than others. One of the first steps to take when doing forensic analysis is to check the most obvious places in the registry for modifications.

What are the most commonly used registry launchpoints then? We wanted to find out so we picked a collection of several thousand samples of malware and checked which launchpoints they were using. The results are presented in the diagram below. It should be noted that some of the samples used multiple launchpoints.



Please note that many of the launchpoints that malware uses are also very commonly used by normal software such as installers. You can also expect to find several entries there on a typical non-infected Windows host.

The locations of the keys in the top10 are:



As a summary: 39.8% of malware launchpoints are still in the good ol' "run" key in HKLM. Of course a clean "run" does not mean you are not infected, but it still is an excellent place to start looking (after running an anti-virus scan, of course) if you suspect that you have been infected.