[Share] High-risk registry keys (priority protection targets)

A summary of the high-risk registry keys most frequently tampered with by malicious programs. It is not exhaustive, but most of the common ones are here (additions from everyone are welcome). These keys are mainly abused for persistence: they get code started automatically at boot or logon, or loaded alongside another component (Explorer, Winlogon, Internet Explorer, the print spooler and so on).

Note:
HKLM = HKEY_LOCAL_MACHINE
HKCU = HKEY_CURRENT_USER
HKU = HKEY_USERS
HKCR = HKEY_CLASSES_ROOT


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

HKLM\SYSTEM\ControlSet001\Control\Session Manager\BootExecute

HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\User\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\

HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\

HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\

HKLM\System\CurrentControlSet\Services\VxD\

HKCU\Control Panel\Desktop

HKLM\System\CurrentControlSet\Services\

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\

HKLM\SOFTWARE\Classes\Protocols\Filter

HKLM\SOFTWARE\Classes\Protocols\Handler

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers

HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks

HKLM\Software\Microsoft\Internet Explorer\Toolbar

HKLM\Software\Microsoft\Internet Explorer\Extensions

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

HKLM\SYSTEM\CurrentControlSet\Control\MPRServices

HKCU\ftp\shell\open\command

HKCR\ftp\shell\open\command

HKCU\Software\Microsoft\ole

HKCU\Software\Microsoft\Command Processor

HKLM\SOFTWARE\Classes\mailto\shell\open\command

HKCR\PROTOCOLS

HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts

HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2

HKLM\SYSTEM\CurrentControlSet\Services\WinSock

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell folders\Startup

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping

HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls

HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKLM\Software\Microsoft\Command Processor

HKLM\SOFTWARE\Microsoft\Ras

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKCU\Software\Microsoft\Security Center

HKLM\Software\Microsoft\Security Center

HKLM\SOFTWARE\Microsoft\Netcache

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt

HKCU\Software\Microsoft\Internet explorer\Main\*page

HKCU\Software\Microsoft\Internet explorer\Main\Enable Browser Extensions

HKCU\Software\Microsoft\Internet explorer\Main\Featurecontrol

HKCU\Software\Microsoft\Internet explorer\Menuext

HKCU\Software\Microsoft\Internet explorer\Styles

HKLM\Software\Clients\Startmenuinternet

HKCU\Software\Microsoft\Internet explorer\Abouturls

HKLM\Software\Microsoft\Internet explorer\Activex compatibility

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars

HKLM\Software\Microsoft\Internet explorer\Main\*page

HKLM\Software\Microsoft\Internet explorer\Styles

HKLM\Software\Microsoft\Internet explorer\Menuext

HKLM\Software\Microsoft\Internet explorer\Plugins

HKLM\Software\Microsoft\Windows\Currentversion\Internet settings\*zones

HKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Safesites

HKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Url

HKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\Protocoldefaults

HKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\Domains

HKLM\Software\Microsoft\Windows\Currentversion\Internet settings\Zonemap\Ranges
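The following is an added example and is not part of the original post. It shows how the keys above can be watched rather than only listed: a PowerShell script that snapshots the values (and one level of subkeys) under a subset of these autostart locations, saves the result as a baseline, and later reports anything added, removed or modified. It also covers the plain HKLM and HKCU ...\CurrentVersion\Run keys, which the list omits. The key list, the baseline path and the function names are my own choices and not taken from the post.

```powershell
# Added example, not from the original post: snapshot the autostart locations
# listed above (plus the plain ...\CurrentVersion\Run keys) and diff a later
# snapshot against a saved baseline.
# Assumptions: Windows PowerShell 5.1 or later, run elevated so HKLM keys are
# fully readable; the baseline path below is arbitrary.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'       # load / run values
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'       # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'      # Shell / Userinit / UIHost, Notify\*
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'           # BootExecute, KnownDlls\*
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    'HKLM:\SOFTWARE\Classes\Protocols\Filter'
    'HKLM:\SOFTWARE\Classes\Protocols\Handler'
)

function Add-RegValues {
    # Copy every value of $RegKey into $Into, keyed "<prefix>\<value name>".
    # %VAR% is deliberately NOT expanded, so the stored string is what was
    # written to the registry, not what it resolves to on this machine.
    param([Microsoft.Win32.RegistryKey]$RegKey, [string]$Prefix, [hashtable]$Into)
    foreach ($name in $RegKey.GetValueNames()) {
        $label = if ($name -eq '') { '(Default)' } else { $name }
        $raw = $RegKey.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $Into["$Prefix\$label"] = ($raw -join ' ')   # REG_MULTI_SZ (e.g. BootExecute) becomes one line
    }
}

function Get-AutostartSnapshot {
    param([string[]]$Keys = $AutostartKeys)
    $snapshot = @{}
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        Add-RegValues -RegKey $item -Prefix $key -Into $snapshot
        # One level down: BHO CLSIDs, IFEO "Debugger" values, Active Setup StubPath,
        # Winlogon Notify DllName etc. all live in subkeys of the listed key.
        foreach ($sub in $item.GetSubKeyNames()) {
            $subKey = $item.OpenSubKey($sub)
            if ($null -eq $subKey) { continue }
            $snapshot["$key\$sub\"] = '<subkey>'
            Add-RegValues -RegKey $subKey -Prefix "$key\$sub" -Into $snapshot
            $subKey.Close()
        }
    }
    return $snapshot
}

function Save-AutostartBaseline {
    param([string]$Path = "$env:ProgramData\autostart-baseline.json")
    Get-AutostartSnapshot | ConvertTo-Json -Depth 2 | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Compare-AutostartBaseline {
    # Emits one object per difference; no output means nothing changed.
    param([string]$Path = "$env:ProgramData\autostart-baseline.json")
    $baseline = @{}
    foreach ($p in (Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json).PSObject.Properties) {
        $baseline[$p.Name] = [string]$p.Value
    }
    $current = Get-AutostartSnapshot
    foreach ($k in $current.Keys) {
        if (-not $baseline.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'ADDED';    Entry = $k; Value = $current[$k] }
        } elseif ($baseline[$k] -ne $current[$k]) {
            [pscustomobject]@{ Change = 'MODIFIED'; Entry = $k; Value = "$($baseline[$k])  ->  $($current[$k])" }
        }
    }
    foreach ($k in $baseline.Keys) {
        if (-not $current.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'REMOVED';  Entry = $k; Value = $baseline[$k] }
        }
    }
}

# Usage:
#   Save-AutostartBaseline                                # once, on a machine you trust
#   Compare-AutostartBaseline | Format-Table -AutoSize    # later, after anything suspicious
```

Two practical notes. HKLM\SYSTEM\CurrentControlSet\Services from the list is left out on purpose: it has hundreds of subkeys and is better compared through Get-Service / sc qc, or by snapshotting only the ImagePath and ServiceDll values. And any MODIFIED line for Winlogon\Shell or Winlogon\Userinit that no longer reads explorer.exe or C:\Windows\system32\userinit.exe, deserves immediate attention, since those values run in every interactive logon.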

Re: High-risk registry keys (priority protection targets)

When writing HIPS RD (registry defense) rules, everyone can use this as a reference.
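Following up on the HIPS remark in the reply above, here is an added example that is not part of the thread. Instead of, or in addition to, a HIPS registry rule, Windows itself can be told to audit writes to these keys. The script below places an audit ACE (a SACL entry) on a subset of the keys from the post, enables the Object Access > Registry audit subcategory, and then reads back the resulting Security event 4657 records (registry value modified) to show which process wrote what. The key list and function names are illustrative; it assumes Windows PowerShell run elevated, since writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example, not from the original thread: audit writes to the listed
# autostart keys via a SACL, then read the resulting Security events.
# Assumptions: run elevated; the key list is a subset of the post and is
# illustrative. Event 4657 = registry value modified, 4663 = other audited
# access (subkey creation, deletion, ACL change).

$ProtectedKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
)

function Enable-RegistryWriteAudit {
    param([string[]]$Keys = $ProtectedKeys)

    # Without the Registry subcategory enabled, SACL entries never produce events.
    auditpol.exe /set /subcategory:"Registry" /success:enable | Out-Null

    # Audit successful writes by anyone (Everyone SID S-1-1-0): value writes,
    # subkey creation, deletion, and permission/owner changes, the last two
    # being what an attacker does first when a key is locked down.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $rights   = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $ruleArgs = @(
        $everyone
        $rights
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit   # also cover subkeys (Notify\*, KnownDlls\*)
        [System.Security.AccessControl.PropagationFlags]::None
        [System.Security.AccessControl.AuditFlags]::Success
    )
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList $ruleArgs

    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # -Audit makes Get-Acl read the SACL; without it Set-Acl would write back an empty one.
        $acl = Get-Acl -LiteralPath $key -Audit
        $acl.AddAuditRule($rule)
        Set-Acl -LiteralPath $key -AclObject $acl
    }
}

function Get-RegistryWriteEvents {
    # Return the 4657 events of the last $Hours hours as flat objects:
    # who (user + process) changed which value from what to what.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.ProcessName
            Key     = $d.ObjectName
            Value   = $d.ObjectValueName
            Old     = $d.OldValue
            New     = $d.NewValue
        }
    }
}

# Usage:
#   Enable-RegistryWriteAudit                          # once, elevated
#   Get-RegistryWriteEvents -Hours 48 | Format-Table   # review, or feed to a SIEM/HIPS rule
```

This is detection, not prevention: the write still happens, but it is recorded with the writing process name, which is exactly what a HIPS rule needs to decide whether the change is legitimate. Tightening the DACL on these keys to deny writes outright is possible but tends to break servicing, because Windows Update and setup components legitimately rewrite Winlogon and Session Manager values; expect the audit log to be noisy during such updates as well.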

Re: High-risk registry keys (priority protection targets)

Looks like there are still a lot of registry vulnerabilities; you really have to check regularly.
Let's exchange ideas and improve together.

Re: High-risk registry keys (priority protection targets)

What should I do if a registry key or value has been maliciously modified?

Reply to post #4 by 誋憶

Users can create new registry keys or values in Registry Editor, and can also modify existing keys or values.
Have a look at this: http://www.iforchina.com/show.aspx?id=3024&cid=147

Re: High-risk registry keys (priority protection targets)

Thanks to the OP for sharing.