Contributed by: Vino Rosso
Learn About the Lists
Overview of the SystemLookup Lists
The lists at SystemLookup have been compiled to provide both computer users and helpers with useful information on the different files and entries that can be found in key locations on a computer and in the Windows registry.
For some time, HijackThis was the preferred tool used by helpers to interrogate a computer system to get an understanding of what files or programs were being run and how they were being launched. The log produced by HijackThis displayed entries by various categories - R3, O4, and O23 are three examples. Though HijackThis is not used as widely now, newer tools and helpers still refer to these categories... and so does SystemLookup.
Many tools have known good entries in a 'whitelist', meaning those good entries will not be shown in the tool's output log. So, just because you can't see a good entry, it doesn't mean it's not there.
The lists at SystemLookup are:
List | Contents
--- | ---
CLSID (O2, O3, R3) | BHOs, Toolbars, URLSearchHooks, Explorer Bars
Startup (O4) | Startup / Autorun Entries
O9 | Internet Explorer Buttons
O10 | Layered Service Providers (LSPs)
O16 | DPF ActiveX Installs
O18 | Extra Protocols
O20 | AppInit_DLLs & Winlogon Notify
O21 | ShellServiceObjectDelayLoad
O22 | Shared Task Scheduler
O23 | Services
SEH | ShellExecuteHooks
Drivers | Windows System Drivers
Where possible, each entry in the lists will include:
- An entry name
- A file name
- A description
- A file location
- A CLSID
- A good/bad/unknown indication of whether the entry can be trusted
- A reference or link to further information
Where does the information in the SystemLookup lists come from?
Trained helpers across the malware removal community use the SystemLookup lists as part of their research when deciding on a course of action to clean or speed up a computer. When an entry being researched is not found in the lists, it is reported to the team of experienced people who maintain the lists. That team investigates, collects evidence, and decides on the entry's status before adding it to the lists.
How should the information in the SystemLookup lists be used?
Any entry should be looked at from all possible angles. If the CLSID and file name are available, look up both items in the lists and compare the results.
The lists should be used in conjunction with other sources such as the major search engines to confirm findings.
List Descriptions
The descriptions and information about the SystemLookup lists below are provided to help enhance understanding of each list's content. Computer users are advised NOT to remove files from their computer or make changes to the Windows registry without seeking expert advice first.
CLSID (O2, O3, R3) - BHOs, Toolbars, URLSearchHooks, Explorer Bars
Browser Helper Objects - Browser plug-ins which are designed to enhance the browser's functionality.
Entries can be found in the registry at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Toolbars - Additional toolbars that appear in a browser, often below the address bar.
Entries can be found in the registry at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar
URLSearchHooks - Used when an address without a protocol such as http:// has been entered in the browser's address bar.
Entries can be found in the registry at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks
Explorer Bars - Internet Explorer sidebars located adjacent to the browser pane.
Entries can be found in the registry at:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars
Startup (O4) - Startup / Autorun Entries
Entries in this list will start up with Windows either on a global or an individual user basis. They can be launched from one of the Startup folders or from one of the various keys in the registry.
The startup folders can be found at:
- Windows 98 and Millennium:
  - Global: %WinDir%\Start Menu\Programs
  - Individual: %WinDir%\All Users\Start Menu\Programs
- Windows XP and 2000:
  - Global: %AllUsersProfile%\Start Menu\Programs
  - Individual: %UserProfile%\Start Menu\Programs
- Vista/Windows 7:
  - Global: %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
  - Individual: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
The registry keys can be found at:
- Global:
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices (only Windows 98 and ME)
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (only Windows 98 and ME)
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- Individual:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices (only Windows 98 and ME)
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (only Windows 98 and ME)
  - HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows, in the values "run"= and "load"=
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
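As an added example (not SystemLookup's own tooling), the script below enumerates the O4 locations listed above on the machine being examined and reports, for each entry, whether the file it points at is actually on disk; a missing target or an unexpected scope is a prompt to look the entry up in the lists. It assumes PowerShell 3 or later and only reads the registry and folders, changing nothing.

```powershell
# Added example, not SystemLookup's own tooling: list the O4 autorun locations
# described above (Run keys, per-user "run"/"load" values, Startup folders).
# Read-only, nothing is removed or changed. Assumes PowerShell 3 or later.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',   # commands live in numbered subkeys
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Extract the executable from a command line ("quoted path" or first token), expand %vars%, resolve a bare name via PATH, test it exists.
function Test-CommandTarget {
    param([string]$Command)
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { $exe = $found.Source }
    }
    $exists = if ($exe) { Test-Path -LiteralPath $exe -PathType Leaf } else { $false }
    [pscustomobject]@{ Target = $exe; Exists = $exists }
}
function New-Entry ($Scope, $Source, $Name, $Command, $Exists) {
    [pscustomobject]@{ Scope = $Scope; Source = $Source; Name = $Name; Command = $Command; Exists = $Exists }
}
function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $scope = if ($key -like 'HKLM:*') { 'Global' } else { 'Individual' }
        # include subkeys so RunOnceEx's numbered groups are covered too
        $paths = @($key) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
        foreach ($p in $paths) {
            foreach ($prop in (Get-ItemProperty -Path $p).PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
                New-Entry $scope $p $prop.Name $prop.Value (Test-CommandTarget ([string]$prop.Value)).Exists
            }
        }
    }
    $ntKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($name in 'run', 'load') {
        $v = (Get-ItemProperty -Path $ntKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($v) { New-Entry 'Individual' $ntKey $name $v (Test-CommandTarget ([string]$v)).Exists }
    }
    # Startup folders: CommonStartup is the global one, Startup the current user's
    foreach ($sf in 'CommonStartup', 'Startup') {
        $dir = [Environment]::GetFolderPath($sf)
        $scope = if ($sf -eq 'CommonStartup') { 'Global' } else { 'Individual' }
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { New-Entry $scope $dir $_.Name $_.FullName $true }
    }
}
Get-AutorunEntries | Format-Table -AutoSize
```

Entries whose Exists column is False either point at a file that has already been removed or at a name the script could not resolve; both deserve a look-up before anything is deleted.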
O9 - Internet Explorer Buttons
These entries relate to buttons on the IE toolbar or items in the Tools menu.
Entries can be found in the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CLSID}
O10 - Layered Service Providers (LSPs)
A Layered Service Provider can intercept and modify inbound and outbound Internet traffic. A security program can use this functionality to protect the computer while online. Malware can use this to redirect traffic.
Great care must be taken when dealing with O10 entries as improper action could break the TCP/IP stack and the computer will no longer have network/internet access.
Entries are found as data values in keys in the registry under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters
Further information: Layered Service Provider
O16 - DPF ActiveX Installs
ActiveX controls are small programs, sometimes called "add-ons", that can enhance the browsing experience by enabling animation, or help with tasks such as installing security updates at Microsoft Update.
ActiveX entries can be found as keys in the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CLSID}
The CLSID will refer to a file stored in:
%windir%\Downloaded Program Files
Further information: What is an ActiveX control?
O18 - Extra Protocols
Protocol entries are values of the keys that are found in the registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS
These entries usually point to the CLSID in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID} where the file information is held in the InprocServer32 key and can be used to change how a computer sends and receives information.
Further information: About Asynchronous Pluggable Protocols
O20 - AppInit_DLLs & Winlogon Notify
AppInit_DLLs entries can be found as values of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key in the registry. These entries are loaded whenever the file user32.dll is loaded. Most Windows executables use user32.dll, which means any entry in the AppInit_DLLs value will be loaded into them as well. This makes the entry very difficult to remove, as it will be loaded by multiple processes, some of which cannot be stopped without causing system instability.
Further information: Working with the AppInit_DLLs registry value
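As an added example (not SystemLookup's own tooling), the script below reads the AppInit_DLLs value described above together with the LoadAppInit_DLLs and RequireSignedAppInit_DLLs switches that later Windows versions added, and checks each listed DLL for presence and an Authenticode signature. It assumes PowerShell 3 or later; the Wow6432Node copy of the key, which 32-bit processes on 64-bit Windows read, is assumed and simply skipped if absent.

```powershell
# Added example, not SystemLookup's own tooling: inspect the O20 AppInit_DLLs
# value and the switches that govern it. Read-only. Assumes PowerShell 3+.
# On 64-bit Windows there is a second copy under Wow6432Node that 32-bit
# processes read; both keys are checked when present.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
function Get-AppInitSettings {
    foreach ($key in $appInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        # LoadAppInit_DLLs (Vista and later): 0 turns the mechanism off entirely.
        # RequireSignedAppInit_DLLs (Windows 7 and later): 1 loads only signed DLLs.
        [pscustomobject]@{
            Key                       = $key
            LoadAppInit_DLLs          = $p.LoadAppInit_DLLs
            RequireSignedAppInit_DLLs = $p.RequireSignedAppInit_DLLs
            AppInit_DLLs              = [string]$p.AppInit_DLLs
        }
    }
}
function Get-AppInitDlls {
    foreach ($s in Get-AppInitSettings) {
        # The value is a space- or comma-separated list of DLLs.
        foreach ($dll in ($s.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            # Assumption for this check: a bare file name is looked for in System32.
            if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path "$env:SystemRoot\System32" $path }
            $exists = Test-Path -LiteralPath $path -PathType Leaf
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            [pscustomobject]@{ Key = $s.Key; Entry = $dll; Resolved = $path; Exists = $exists; Signature = $sig }
        }
    }
}
Get-AppInitSettings | Format-List
Get-AppInitDlls | Format-Table -AutoSize
```

An empty AppInit_DLLs value is the normal state on a clean system; any populated entry, and especially one whose Signature is not Valid, is worth looking up in the O20 list before deciding what to do.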
Winlogon Notify entries can be found as subkeys of
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
This well-known registry key is added to in order to tell Winlogon.exe which procedures to run during an event notification; a DLL referenced here will be executed in a SYSTEM-level process, regardless of whether a user logs in.
Further information: Notify registry key
O21 - ShellServiceObjectDelayLoad
These entries will be loaded when the computer starts. This happens because ShellServiceObjectDelayLoad entries are loaded by the computer's "shell" program, explorer.exe.
ShellServiceObjectDelayLoad entries are found in the Windows registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
These entries usually point to the CLSID in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID} where the file information is held in the InprocServer32 key.
O22 - Shared Task Scheduler
Shared Task Scheduler entries are found in the Windows registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
These entries usually point to the CLSID in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID} where the file information is held in the InprocServer32 key and the entries will be loaded when the computer starts.
O23 - Services
Services are programs that start with Windows, no matter whether the user logs on. They can be set to start automatically, to start manually when required, or to not start at all (disabled). Services tend to provide system-wide facilities such as Event logging, Indexing, and the Task Scheduler.
Services are found in the Windows registry at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
However, they are better managed via: Start > Run > Services.msc
Further information on Services can be found at: Black Viper's Web Site
SEH - ShellExecuteHooks
ShellExecuteHooks entries are found in the Windows registry at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
These entries usually point to the CLSID in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID} where the file information is held in the InprocServer32 key and the entries will be loaded when the computer starts.
Further information: IShellExecuteHook Interface
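The O2, O21, O22 and SEH descriptions above all follow the same pattern: the load point holds a CLSID, and the actual DLL is named in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CLSID}\InprocServer32. As an added example (not SystemLookup's own tooling), the script below walks those four load points, resolves each CLSID to its DLL and reports whether the file exists and is signed, which gives both the CLSID and the file name to look up in the lists. It assumes PowerShell 3 or later; the per-user and Wow6432Node class roots it also searches are assumed to be present on some systems and are skipped when absent.

```powershell
# Added example, not SystemLookup's own tooling: walk the CLSID-keyed load
# points described above (O2 BHOs, O21, O22, SEH), resolve each CLSID through
# ...\Classes\CLSID\{CLSID}\InprocServer32 to its DLL, and report whether
# that DLL exists and is signed. Read-only. Assumes PowerShell 3 or later.
$loadPoints = @{
    'O2 BHO'    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'O21 SSODL' = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    'O22 STS'   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
    'SEH'       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
}
$guidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
# Class roots searched in order; the WOW64 and per-user roots are assumed and may not exist.
$clsidRoots = 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID'
function Resolve-ClsidFile {
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $srv = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $srv) {
            # the (default) value of InprocServer32 is the DLL path
            $file = [string](Get-ItemProperty -Path $srv).'(default)'
            return [Environment]::ExpandEnvironmentVariables($file)
        }
    }
    return $null
}
function Get-ClsidLoadPoints {
    foreach ($lp in $loadPoints.GetEnumerator()) {
        if (-not (Test-Path $lp.Value)) { continue }
        # CLSIDs appear as subkey names (BHOs) or as value names / value data (the others)
        $ids = @(Get-ChildItem -Path $lp.Value | ForEach-Object { $_.PSChildName })
        foreach ($prop in (Get-ItemProperty -Path $lp.Value).PSObject.Properties) {
            if ($prop.Name -notlike 'PS*') { $ids += $prop.Name; $ids += [string]$prop.Value }
        }
        foreach ($clsid in ($ids | Where-Object { $_ -match $guidPattern } | Sort-Object -Unique)) {
            $file = Resolve-ClsidFile $clsid
            $exists = if ($file) { Test-Path -LiteralPath $file -PathType Leaf } else { $false }
            [pscustomobject]@{
                List      = $lp.Key
                CLSID     = $clsid
                File      = $file
                Exists    = $exists
                Signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'n/a' }
            }
        }
    }
}
Get-ClsidLoadPoints | Sort-Object List | Format-Table -AutoSize
```

A CLSID that resolves to no InprocServer32 key at all is shown with an empty File column; that is a leftover of something already removed, or an entry worth researching, rather than a reason to edit the registry on the spot.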
Drivers - Windows System Drivers
Basically, a driver is a piece of code that the operating system uses to control hardware such as disk devices, display adapters, input devices, modems, fax machines and printers.
The loaded drivers on a computer can be seen by clicking Start > Run > MSINFO32.EXE. Expand Software Environment and you can see the System Drivers and Signed Drivers.
Windows drivers can run in either user mode or kernel mode:
- User-mode drivers run in the nonprivileged processor mode in which other application code, including protected subsystem code, executes. User-mode drivers cannot gain access to system data except by calling the Win32 API which, in turn, calls system services.
- Kernel-mode drivers run as part of the operating system's executive, the underlying operating system component that supports one or more protected subsystems.