# windows-startups

Source: ecosyste.ms project record for https://github.com/WJsjtu/windows-startups (owner WJsjtu, language C#, created 2015-01-11, last pushed 2016-01-22, default branch master, no license file). Repository description: "Detect the boot options of Windows".

* * *
## Function
#### Detect the startup (autostart) entries on Windows
* * *
## Implementation details
### 1. Logon
Mainly:

- `HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd`: the data of the `StartupPrograms` value.
- `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`: the data of the `Userinit` value.
- `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`: the data of the `Shell` value (default location: `system32`).
- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`: every name/data pair; on a 64-bit system also every pair under `HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run`.
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`: every name/data pair.

Stock values to compare against: `StartupPrograms` is `rdpclip`, `Userinit` is `C:\Windows\system32\userinit.exe,` (trailing comma included) and `Shell` is `explorer.exe`. `Userinit` and `StartupPrograms` are comma-separated lists, so anything appended to them is run at logon and deserves a look.

### 2. Explorer
Under HKLM:

- `SOFTWARE\Classes\Protocols\Filter`: the CLSID entries (COM objects) beneath it; the displayed name is the parent key's name.
- `SOFTWARE\Classes\Protocols\Handler`: the CLSID entries (COM objects) beneath it; the displayed name is the parent key's name.
- `SOFTWARE\Microsoft\Active Setup\Installed Components`: the `StubPath` value of each subkey; the displayed name is the sibling default value (the value named `""`). On 64-bit also `SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components`.
- `SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad`: every name/data pair. On 64-bit also `SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad`.
- `Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved`: the reverse of the entries above: the value *name* is the CLSID that resolves to the file, and the value *data* is the description that gets displayed. Likewise on 64-bit for `Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved`.
- `Software\Classes\Folder\Shellex\ColumnHandlers`: every entry. On 64-bit also `Software\Wow6432Node\Classes\Folder\Shellex\ColumnHandlers`.

### 3. Internet Explorer
- `HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`: each subkey is a CLSID that resolves to a COM server file; the displayed name is the subkey's default value. On 64-bit also `HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`.
- `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlSearchHooks`: the file that each value name (a CLSID) resolves to.

### 4. Services
Under `HKLM\System\CurrentControlSet\Services`, take every subkey whose `ImagePath` value names a file with extension `exe` or `dll`; the displayed name is the parent key's name. An `ImagePath` that is not fully qualified is relative to the Windows directory (drivers, section 5, default to its `system32\drivers` subfolder). For services hosted by `svchost.exe` the code that actually runs is the DLL named in the subkey's `Parameters\ServiceDll` value, so record that file as well.

### 5. Drivers
Under `HKLM\System\CurrentControlSet\Services`, take every subkey whose `ImagePath` value names a file with extension `sys`; the displayed name is the parent key's name. The default location is the `drivers` folder under the system directory (`system32\drivers`); a driver key with no `ImagePath` at all loads `system32\drivers\<key name>.sys`.

### 6. KnownDlls
`HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls`: every DLL listed there. The default location is the system folder (`system32`); on a 64-bit system the 32-bit system folder (SysWOW64) has to be included as well.

### 7. Winsock Providers
The location is `HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9` (one `Catalog_Entries\<n>` subkey per provider; a 64-bit system also has `Catalog_Entries64`), but the content is packed into the binary `PackedCatalogItem` value. I first learned what it does from
http://msdn.microsoft.com/en-us/library/windows/desktop/aa374737(v=vs.85).aspx
and later, to find out how to read the value's content, a Google search turned up
http://read.pudn.com/downloads3/sourcecode/windows/network/11373/winsock2/dll/winsock2/dcatitem.cpp__.htm
which is really the winsock2 source. It contains this (C++) data structure:
```c
// The following typedef is used in packing and unpacking catalog item data for
// reading and writing in the registry.

typedef struct {
    char            LibraryPath[MAX_PATH];
        // The unexpanded path where the provider DLL is found.

    WSAPROTOCOL_INFOW   ProtoInfo;
        // The  protocol information.  Note that if the WSAPROTOCOL_INFOW structure
        // is  ever changed to a non-flat structure (i.e., containing pointers)
        // then  this  type  definition  will  have  to  be changed, since this
        // structure must be strictly flat.
} PACKED_CAT_ITEM;
```
I created a C++ project to test MAX_PATH and WSAPROTOCOL_INFOW. MAX_PATH is the system's maximum path length (I had looked it up for a course assignment and knew it is 260, but not how to obtain it from C# code). That led me to
http://stackoverflow.com/questions/3406494/what-is-the-maximum-amount-of-characters-or-length-for-a-directory
:
```csharp
using System;
using System.IO;
using System.Reflection;

// reflection
FieldInfo maxPathField = typeof(Path).GetField("MaxPath",
    BindingFlags.Static |
    BindingFlags.GetField |
    BindingFlags.NonPublic);
// invoke the field getter, which returns 260. MaxPath is an internal field of the
// .NET Framework's Path class; GetField returns null on runtimes that lack it
// (.NET Core / .NET 5+), so fall back to the Win32 constant instead of dereferencing null.
int MaxPathLength = maxPathField != null ? (int)maxPathField.GetValue(null) : 260;
```
The layout of WSAPROTOCOL_INFOW can be found on MSDN (http://technet.microsoft.com/zh-cn/library/ff565963):
```c
typedef struct _WSAPROTOCOL_INFOW {
  DWORD            dwServiceFlags1;
  DWORD            dwServiceFlags2;
  DWORD            dwServiceFlags3;
  DWORD            dwServiceFlags4;
  DWORD            dwProviderFlags;
  GUID             ProviderId;
  DWORD            dwCatalogEntryId;
  WSAPROTOCOLCHAIN ProtocolChain;
  int              iVersion;
  int              iAddressFamily;
  int              iMaxSockAddr;
  int              iMinSockAddr;
  int              iSocketType;
  int              iProtocol;
  int              iProtocolMaxOffset;
  int              iNetworkByteOrder;
  int              iSecurityScheme;
  DWORD            dwMessageSize;
  DWORD            dwProviderReserved;
  WCHAR            szProtocol[WSAPROTOCOL_LEN+1];
} WSAPROTOCOL_INFOW, *LPWSAPROTOCOL_INFOW;
```
The test result: the value watched at a breakpoint in the C# program, converted to `byte[]`, is exactly 888 bytes long (a C# `byte` is 8 bits), and `sizeof(WSAPROTOCOL_INFOW)` is exactly 628; the difference on this machine is 260, which matches the PACKED_CAT_ITEM description. The 628 checks out by hand: 5 DWORDs (20) + GUID (16) + DWORD (4) + WSAPROTOCOLCHAIN, an int plus 7 DWORDs (32) + 9 ints (36) + 2 DWORDs (8) + 256 WCHARs for `szProtocol` (512). Because the structure is flat and its widest member is 4 bytes, the value is 888 bytes on 32-bit and 64-bit Windows alike.

http://www.herongyang.com/Windows/Winsock-netsh-winsock-show-catalog-LSP.html describes how to get the same list from the command line (`netsh winsock show catalog`).

### 8. Print Monitors
`HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`: the `Driver` value of each subkey; the default location is the system folder; the displayed name is the parent key's name.

### 9. LSA Providers
- `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders`: the data of the `SecurityProviders` value (a comma-separated list of DLLs); the default location is the system folder, and on a 64-bit system the matching file under SysWOW64 has to be looked up as well.
- `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`: the data of the `Authentication Packages`, `Notification Packages` and `Security Packages` values. Note that all three are of type REG_MULTI_SZ, so the program should read them as arrays; each entry gets the system folder path prepended and the `.dll` extension appended.
- `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers`, `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters` and `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers`: for all three it is enough to resolve each subkey name (a CLSID) to its COM component file.

The three `Lsa` lists are loaded into `lsass.exe` at boot, so an unfamiliar entry there (a password filter in `Notification Packages`, an extra SSP in `Security Packages`) is a high-value finding rather than noise.

### 10. Network Providers
`HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order`: the data of the `ProviderOrder` value, a comma-separated list of provider names.
The details of each entry come from `HKLM\SYSTEM\CurrentControlSet\Services\<name>\NetworkProvider`, where the `ProviderPath` and `Name` values hold the path and the description respectively.
All of this I learned from
http://msdn.microsoft.com/en-us/library/windows/desktop/aa374737(v=vs.85).aspx

### 11. Scheduled Tasks
These are the `.job` files under `C:\Windows\Tasks`, so it is only a matter of parsing those files. Easy to say, and easy to do as well... On CodeProject I found
http://www.codeproject.com/Articles/2407/A-New-Task-Scheduler-Class-Library-for-NET
It builds a separate DLL; I did not want an extra file lying around, so I copied its source into my program (the `Task` folder).
`TaskSchedulerInterop.cs` describes the unmanaged structures, which gives the exact data layout and offsets.
Note that `.job` files are the Task Scheduler 1.0 format: on Windows Vista and later, tasks are stored as XML under `C:\Windows\System32\Tasks` (mirrored in the registry under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache`), so a scanner that reads only `C:\Windows\Tasks` misses them.
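The packed layout from section 7 (Winsock Providers), worked through as a parser. This is an added example, not code from the windows-startups project: it unpacks a `PackedCatalogItem` blob with Python's `struct` at the offsets that follow from the two typedefs, and applies one triage rule, namely that base providers ship from `%SystemRoot%\system32`, so a provider DLL elsewhere, or a chain longer than one entry (a layered service provider), is worth a look. The two blobs are constructed with the same packer rather than captured from a host; the MSAFD GUID, the catalog IDs and the "rogue" entry are sample data, and `parse_packed_catalog_item`, `triage` and `build_sample` are names chosen here.

```python
"""Parse Winsock2 PackedCatalogItem values (README section 7, Winsock Providers).

Layout: char LibraryPath[260] followed by a flat WSAPROTOCOL_INFOW (628 bytes):
  +0   dwServiceFlags1..4, dwProviderFlags   5 x DWORD
  +20  ProviderId                            GUID (16 bytes, little-endian fields)
  +36  dwCatalogEntryId                      DWORD
  +40  ProtocolChain                         int ChainLen + DWORD ChainEntries[7]
  +72  iVersion .. iSecurityScheme           9 x int
  +108 dwMessageSize, dwProviderReserved     2 x DWORD
  +116 szProtocol[WSAPROTOCOL_LEN + 1]       256 x WCHAR (UTF-16LE, NUL padded)
"""
import struct
import uuid

PACKED_CAT_ITEM = struct.Struct("<260s5I16sIi7I9i2I512s")
assert PACKED_CAT_ITEM.size == 888          # 260 + 628, the sizes measured in the README
SYSTEM32_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")


def parse_packed_catalog_item(blob: bytes) -> dict:
    """Unpack one PackedCatalogItem value into a dict of the fields worth triaging."""
    if len(blob) != PACKED_CAT_ITEM.size:
        raise ValueError(f"PackedCatalogItem must be {PACKED_CAT_ITEM.size} bytes, got {len(blob)}")
    f = PACKED_CAT_ITEM.unpack(blob)
    chain_len = f[8]
    return {
        # unexpanded ANSI path, e.g. %SystemRoot%\system32\mswsock.dll
        "library_path": f[0].split(b"\0", 1)[0].decode("cp1252", errors="replace"),
        "provider_flags": f[5],
        "provider_id": str(uuid.UUID(bytes_le=f[6])).upper(),   # GUID fields are stored little-endian
        "catalog_entry_id": f[7],
        "chain_len": chain_len,                 # 0 = layered protocol, 1 = base provider, >1 = LSP chain
        "chain_entries": list(f[9:9 + max(0, min(chain_len, 7))]),
        "address_family": f[17],
        "socket_type": f[20],
        "protocol": f[21],
        "description": f[27].decode("utf-16-le", errors="replace").split("\0", 1)[0],
    }


def triage(entry: dict) -> list:
    """Findings for one catalog entry; an empty list means nothing stood out."""
    findings = []
    path = entry["library_path"].lower()
    if not path.startswith(SYSTEM32_PREFIXES):
        findings.append("provider DLL outside system32: " + entry["library_path"])
    if entry["chain_len"] > 1:
        findings.append("layered service provider chained over entries %s" % entry["chain_entries"])
    return findings


def build_sample(library_path: str, provider_guid: str, catalog_id: int,
                 chain: list, description: str) -> bytes:
    """Pack a constructed PackedCatalogItem (test data, not captured from a real host)."""
    chain_entries = (chain + [0] * 7)[:7]
    return PACKED_CAT_ITEM.pack(
        library_path.encode("cp1252"),              # struct pads to 260 bytes with NULs
        0x20066, 0, 0, 0, 0,                        # dwServiceFlags1..4, dwProviderFlags (arbitrary)
        uuid.UUID(provider_guid).bytes_le,
        catalog_id,
        len(chain), *chain_entries,                 # WSAPROTOCOLCHAIN
        2, 2, 16, 16, 1, 6, 0, 0, 0,                # iVersion, AF_INET, sockaddr sizes, SOCK_STREAM, IPPROTO_TCP
        0, 0,                                       # dwMessageSize, dwProviderReserved
        description.encode("utf-16-le"),            # struct pads to 512 bytes with NULs
    )


# Constructed sample entries: a stock base provider and an LSP loaded from a user-writable path.
BASE_TCP = build_sample(r"%SystemRoot%\system32\mswsock.dll",
                        "E70F1AA0-AB8B-11CF-8CA3-00805F48A192", 1001, [1001],
                        "MSAFD Tcpip [TCP/IP]")
ROGUE_LSP = build_sample(r"C:\Users\Public\netfilter.dll",
                         "12345678-1234-1234-1234-123456789ABC", 1005, [1005, 1001],
                         "Rogue LSP over MSAFD Tcpip [TCP/IP]")

if __name__ == "__main__":
    for blob in (BASE_TCP, ROGUE_LSP):
        entry = parse_packed_catalog_item(blob)
        print(entry["catalog_entry_id"], entry["description"], triage(entry) or "ok")
```

On a live host the blobs come from `QueryValueEx` on each `Catalog_Entries\<n>` (and, on x64, `Catalog_Entries64\<n>`) subkey; the parser itself does not care where the bytes came from, so it works equally on an exported hive. The length check matters: a blob that is not exactly 888 bytes means a different Winsock build than the typedefs above, not a parse error to paper over.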
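Several of the sections above (1 Logon, 4 Services, 5 Drivers and 9 LSA Providers) come down to the same chore: turning the string the registry holds into the file that actually gets loaded, then comparing it with a baseline. The following is an added example of that normalisation, not the project's C# code: it assumes `SystemRoot` is `C:\Windows`, uses a constructed environment table instead of the live one, and `resolve_image_path`, `lsa_package_paths` and `winlogon_findings` are names chosen here. It covers the `ImagePath` forms seen in practice (`\??\`, `\SystemRoot\`, paths relative to the Windows directory, `%VAR%` references, quoted and unquoted arguments, a missing driver `ImagePath`, and svchost-hosted services whose real code is `Parameters\ServiceDll`), which goes a little beyond the single default-path case the README states.

```python
"""Normalise autostart entries from the registry into loadable file paths
(README sections 1, 4, 5 and 9). Added example; the environment table is constructed."""
import ntpath
import re

# Constructed environment; on a live host use ExpandEnvironmentStrings / os.environ.
ENV = {"SystemRoot": r"C:\Windows", "windir": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".cmd", ".bat", ".scr")

# Stock Winlogon / rdpwd values; Userinit and StartupPrograms are comma-separated lists.
WINLOGON_BASELINE = {
    "StartupPrograms": "rdpclip",
    "Userinit": r"C:\Windows\system32\userinit.exe,",
    "Shell": "explorer.exe",
}


def expand_env(s: str) -> str:
    """Expand %VAR% references case-insensitively, as the Win32 API does."""
    env = {k.lower(): v for k, v in ENV.items()}
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), s)


def split_command(cmd: str) -> tuple:
    """Split 'program args' the way CreateProcess does: honour quotes, otherwise grow
    the program token by token until it ends in an executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate, " ".join(parts[i:]).strip()
    return parts[0], " ".join(parts[1:]).strip()


def resolve_image_path(key_name: str, image_path, kind: str, service_dll=None) -> tuple:
    """Turn Services\\<key_name>\\ImagePath into (absolute file, arguments).

    kind is 'service' or 'driver'. A driver key without ImagePath loads
    system32\\drivers\\<key_name>.sys; a service hosted by svchost.exe really runs
    the DLL named in Parameters\\ServiceDll, passed here as service_dll.
    """
    system_root = ENV["SystemRoot"]
    if image_path is None:
        if kind == "driver":    # loader default when the value is missing
            return ntpath.join(system_root, "system32", "drivers", key_name + ".sys"), ""
        return "", ""
    program, args = split_command(expand_env(image_path))
    low = program.lower()
    if low.startswith("\\??\\"):
        program = program[4:]                           # NT object-manager prefix
    elif low.startswith("\\systemroot\\"):
        program = ntpath.join(system_root, program[len("\\SystemRoot\\"):])
    elif not ntpath.splitdrive(program)[0] and not program.startswith("\\"):
        program = ntpath.join(system_root, program)     # relative to the Windows directory
    if service_dll and ntpath.basename(program).lower() == "svchost.exe":
        return resolve_image_path(key_name, service_dll, kind)
    return ntpath.normpath(program), args


def lsa_package_paths(multi_sz: list) -> list:
    """REG_MULTI_SZ package names (e.g. ['msv1_0', 'scecli']) -> DLL paths under system32."""
    paths = []
    for name in multi_sz:
        if not name:
            continue                          # REG_MULTI_SZ readers often yield a trailing empty string
        if not name.lower().endswith(".dll"):
            name += ".dll"
        paths.append(ntpath.join(ENV["SystemRoot"], "system32", name))
    return paths


def winlogon_findings(values: dict) -> list:
    """Report Winlogon/rdpwd values whose comma-separated entries differ from the stock ones."""
    findings = []
    for name, default in WINLOGON_BASELINE.items():
        actual = values.get(name)
        if actual is None:
            continue
        got = [p.strip().lower() for p in actual.split(",") if p.strip()]
        want = [p.strip().lower() for p in default.split(",") if p.strip()]
        if got != want:
            findings.append(f"{name} = {actual!r} (stock value {default!r})")
    return findings


if __name__ == "__main__":
    print(resolve_image_path("Tcpip", r"system32\drivers\tcpip.sys", "driver"))
    print(resolve_image_path("Schedule", r"%SystemRoot%\system32\svchost.exe -k netsvcs", "service",
                             service_dll=r"%SystemRoot%\system32\schedsvc.dll"))
    print(lsa_package_paths(["msv1_0", "scecli", "rogue_pwfilter", ""]))
    print(winlogon_findings({"Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\Public\u.exe,"}))
```

The point of resolving to an absolute file rather than displaying the raw value is that the file is what you then hash, signature-check or diff against a known-good host; a value such as `\??\C:\Tools\agent.sys` and `C:\Tools\agent.sys` must collapse to the same entry or the comparison is noise.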