Registry tree

Potentially interesting keys

Potentially Interesting keys might be:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders (Value Common Startup)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (Values: Userinit and shell)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CLASSES_ROOT\batfile
HKEY_CLASSES_ROOT\comfile
HKEY_CLASSES_ROOT\exefile
HKEY_CLASSES_ROOT\htafile
HKEY_CLASSES_ROOT\piffile

Modifications of data in the registry (by another application) can be captured and displayed with the Sysinternals tool Procmon.exe.