Geoff Chappell - Software Analyst
Windows NT builds of the Windows Explorer provide yet another way to get a program to run automatically in an otherwise normal startup. Whenever EXPLORER.EXE runs as the shell, seen most obviously by its creating the desktop and taskbar, it checks the following registry value and runs whatever command line it finds there.
| Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
| --- | --- |
| Value | Taskman |
The data type is immaterial, but there is a limit of 520 bytes. Any data that is read successfully from the registry for the Taskman value is accepted as a Unicode string to be tried as a command line, provided only that the first two bytes are not both zero. (No, EXPLORER does not actually check that at least two bytes are produced.)
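The acceptance rule just described (any type, at most 520 bytes, rejected only when the first two bytes are both zero) is easy to get wrong when triaging raw value data from an offline hive, where the type may be REG_DWORD or REG_BINARY rather than REG_SZ. The following is an added example, not code from this page, that applies the rule to raw bytes and reports what EXPLORER would run; the handling of a value shorter than two bytes (padding with zero) and of a missing UTF-16 terminator (command ends at the data's end) are assumptions made here, not statements from the page.

```python
from typing import Dict, List, Optional, Tuple

# Limits as described on this page: EXPLORER reads at most 520 bytes of data for
# the Taskman value and runs it as a command line unless the first two bytes are
# both zero. The registry data type is never checked.
TASKMAN_MAX_BYTES = 520


def taskman_command(data: Optional[bytes]) -> Tuple[bool, str]:
    """Given the raw data of the Winlogon\\Taskman value (any type, or None if
    the value is absent), return (would_run, command_line_or_reason).

    Assumptions made for this offline check (not stated on the page): data
    shorter than two bytes is treated as zero-padded, and the command line
    ends at the first UTF-16 NUL or, failing that, at the end of the data.
    """
    if data is None:
        return False, "Taskman value absent"
    if len(data) > TASKMAN_MAX_BYTES:
        return False, f"{len(data)} bytes exceeds the {TASKMAN_MAX_BYTES}-byte read limit"
    if (data + b"\x00\x00")[:2] == b"\x00\x00":
        return False, "first two bytes are zero; treated as an empty command line"
    # Pad or trim to an even length so UTF-16LE decoding lines up.
    buf = data + b"\x00" if len(data) % 2 else data
    text = buf.decode("utf-16-le", errors="replace")
    return True, text.split("\x00", 1)[0]


def audit_taskman(values: Dict[str, Optional[bytes]]) -> List[Tuple[str, str]]:
    """Return (label, command) for every entry EXPLORER would execute."""
    hits = []
    for label, raw in values.items():
        runs, info = taskman_command(raw)
        if runs:
            hits.append((label, info))
    return hits


# Constructed sample data, mimicking what different value types look like raw.
SAMPLES = {
    "reg_sz":        "C:\\Tools\\mon.exe".encode("utf-16-le") + b"\x00\x00",
    "dword_zero":    (0).to_bytes(4, "little"),    # 00 00 00 00: not run
    "dword_0x41":    (0x41).to_bytes(4, "little"), # 41 00 00 00: runs "A"
    "binary_600":    b"A\x00" * 300,               # over the 520-byte limit
    "absent":        None,
}

if __name__ == "__main__":
    for label, cmd in audit_taskman(SAMPLES):
        print(f"{label}: EXPLORER would run {cmd!r}")
```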
Note especially that execution is not subject to any policy settings or other such restrictions. Execution occurs very early, even before EXPLORER waits for the Service Control Manager to initialise. In terms of other ways to have EXPLORER run programs automatically, this is easily the earliest, preceding even the processing of RunOnce entries.
This behaviour is seen in all known NT builds of EXPLORER.EXE as far back as version 4.0.1377.1 from Windows NT 4.0 and continuing at least until version 6.0.6000.16386 from Windows Vista.