[ad_1]
On the heels of my final weblog put up on this matter, I had a few ideas and insights that I wished to analysis a bit, after which tackle. I wished to check out ways in which the StartupApprovedRun key may be impacted, so I began by grabbing the contents of that key based mostly on what we noticed from the earlier put up, that are illustrated in determine 1.
 |
| Fig 1: StartupApprovedRun key contents |
Then, I captured the contents of the Run key, illustrated in determine 2.
 |
| Fig 2: Run key contents |
As you possibly can see in determine 2, there seems to be an entry lacking, the “com.squirrel.Groups.Groups” worth. We all know from the earlier weblog put up that this worth was disabled on 14 Jul 2021, simply over a 12 months in the past. I don’t know how that occurred, because it wasn’t a part of an intentional take a look at on the time, and was only a matter of me not wanting Groups to launch each time I logged in.
As a part of this analysis effort, I deleted the OneDrive worth from the Run key (see determine 2 above) through RegEdit, and rebooted the system. Once I re-opened RegEdit and navigated to the Run key in my consumer hive, I confirmed that the OneDrive worth was now not within the Run key. Nevertheless, once I navigated to the corresponding StartupApprovedRun key, I discovered that the corresponding OneDrive worth nonetheless appeared as illustrated in determine 1. From this then, sure, it seems that for those who delete a price from the Run key through RegEdit, that entry is not faraway from the corresponding StartupApprovedRun key.
For step 2 on this experiment, I added a price to the Run key through RegEdit; I created a brand new string worth, named it “Calc”, after which added the trail, “C:Windowssystem32calc.exe”. I rebooted the system, logged in, and the calculator opened on my desktop…however there was no “Calc” worth within the corresponding StartupApprovedRun key!
I then eliminated the Calc worth through RegEdit, after which typed the next command:
reg add HKCUSoftwareMicrosoftWindowsCurrentVersionRun /v Calc /t REG_SZ /d C:windowssystem32calc.exe /f
After making certain that the command succeeded, I appeared on the contents of the Run key through RegEdit and will see the brand new worth. Nevertheless, I might not see a corresponding worth within the StartupApprovedRun key!
Lastly, after having eliminated the “calc” worth from the Run key, I added it again through RegEdit, after which opened the Activity Supervisor Startup Tab to see the “Home windows Calculator” worth. I then disabled the worth through the Startup Tab, and verified {that a} “calc” worth was added to the StartupApprovedRun key, as illustrated in determine 3.
 |
| Fig. 3: StartupApprovedRun key after disabling Calc worth |
So, the query turns into, how do entries make it into the StartupApprovedRun key? If neither the usage of RegEdit nor reg.exe so as to add a price to the Run key explicitly result in corresponding values being added to the StartupApprovedRun key (say, by the working system), then how are they added? Trying again at determine 1, all the entries within the StartupApprovedRun key had been for functions that had been added through an set up course of, similar to an MSI or a setup.exe file. Perhaps that is what must be higher understood and addressed about these keys.
[ad_2]
Source_link