Startup Folders and Keys

Executables placed in the "Startup" folder are run at logon. The default locations are listed below, but these can be changed by editing the "Shell Folders" registry key. Most are backwards compatible.

Windows 95, 98 and ME:

C:\Windows\Start Menu\Programs\Startup
C:\Windows\All Users\Start Menu\Programs\Startup

Windows NT:

C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup

Windows XP:

C:\Documents and Settings\%username%\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Windows Vista, 7, 8 and 10:

C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

When the Python example is run, it first checks the startup folders on the local machine. If copies of itself don't exist in those folders, it copies itself there; otherwise it launches Windows Calculator. Every reboot will then launch Calculator until the files are removed from the startup folders. This is probably the simplest (and most obvious) form of persistence, but it works.

The startup folder can be changed by editing the following registry values:

HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ : "Common Startup"
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ : "Startup"
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ : "Startup"
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\ : "Startup"
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ : "Startup"
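
For detection, the check below flags any of the five values above that no longer resolves to the default Vista-and-later startup folder. It is an added example, not part of this project's own code; the function names, the sample environment and the sample registry data are constructed for illustration.

```python
import re

# The five registry locations listed on this page.
USF = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
SF = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
LOCATIONS = [("HKLM", USF, "Common Startup"), ("HKLM", USF, "Startup"), ("HKLM", SF, "Startup"),
             ("HKCU", USF, "Startup"), ("HKCU", SF, "Startup")]
# Vista-and-later default folders, as listed on this page.
DEFAULTS = {"Startup": r"C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
            "Common Startup": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"}

def expand(path, env):
    """Expand %VAR% references case-insensitively, leaving unknown ones as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def normalize(path, env):
    return expand(path, env).replace("/", "\\").rstrip("\\").lower()

def audit(values, env):
    """values maps (hive, subkey, name) -> data; returns locations that differ from the default."""
    findings = []
    for loc in LOCATIONS:
        data = values.get(loc)
        if data is not None and normalize(data, env) != normalize(DEFAULTS[loc[2]], env):
            findings.append((loc, expand(data, env)))
    return findings

def read_live():
    """Windows only: read the five values from the local registry."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    values = {}
    for hive, subkey, name in LOCATIONS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                values[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value not present
    return values

# Constructed sample: two values at their defaults, one redirected elsewhere.
SAMPLE_ENV = {"USERNAME": "alice", "USERPROFILE": r"C:\Users\alice", "ProgramData": r"C:\ProgramData"}
SAMPLE = {LOCATIONS[3]: r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
          LOCATIONS[0]: r"%programdata%\Microsoft\Windows\Start Menu\Programs\STARTUP",
          LOCATIONS[4]: r"C:\Users\alice\AppData\Local\Temp\cache"}

if __name__ == "__main__":
    print(audit(SAMPLE, SAMPLE_ENV))
```

On a Windows host, audit(read_live(), os.environ) runs the same comparison against the live registry. A finding means the value differs from the default and needs review; profiles relocated by policy will also show up.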