Where is the RunServicesOnce registry key
I have an application that updates software on the local machine. I
need the software to be updated prior to user log on
If you want it to start before the user logs on, you will have to
start it as a service. Here is the startup sequence of the major
registry keys, starting immediately after bootmgr has been read and
ending with the program shortcut entries in the two Startup folders.
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute. This can include instructions to schedule the running of chkdsk but
not user programs.
- Services start next, followed by the RunServicesOnce and RunServices registry keys (if present)
- User then logs on to the system
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit. This points to the program
C:\WINDOWS\system32\userinit.exe and the entry ends with a comma.
Other programs can be started from this key by appending them and
separating them with a comma.
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. This should contain just one entry, explorer.exe.
- Program entries in these 2 registry keys for ALL USERS start next: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \RunOnce
- Program entries in these 2 registry keys for CURRENT USER start next: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce
- Programs in the Startup Folders of All Users and Current User are started last of all.
Important programs like antivirus and firewall
start early in the sequence as Services. The icons that appear in the
Notification Area (bottom right of the screen) are just their user
interfaces, i.e. options and preferences.
The additional location
for 32-bit software in a 64-bit computer is HKLM\SOFTWARE\Wow6432Node
and HKCU.
The registry is accessed even before the NT kernel is loaded, so it is
very important to understand what the computer is configured to load
at startup. The following list of registry keys are accessed during
system start in order of their use by the different windows
components:
- HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\BootExecute
- HKLM\System\CurrentControlSet\Services (start value of 0 indicates
kernel drivers, which load before kernel initiation)
- HKLM\System\CurrentControlSet\Services (start value of 2, auto-start
and 3, manual start via SCM)
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
(XP, NT, W2k only)
- HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Windows\AppInit_DLLs
Note: Some of these keys are also reflected under
HKLM\Software\wow6432node on systems running on a 64bit architecture
and with a 64bit version of Windows. I won’t be covering each of these
in this post.
Run your service as the LocalSystem account unless the account needs to access network resources at which point you'd create a domain service account, give it access to the applicable resources, and then hard-code its credentials for the service to run as. On the local machine, it'll have administrative permissions to everything and not require any password for the service credential.
The LocalSystem account is a predefined local account used by the
service control manager. This account is not recognized by the
security subsystem, so you cannot specify its name in a call to the
LookupAccountName function. It has extensive privileges on the local
computer, and acts as the computer on the network. Its token includes
the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these
accounts have access to most system objects. The name of the account
in all locales is .\LocalSystem. The name, LocalSystem or
ComputerName\LocalSystem can also be used. This account does not have
a password. If you specify the LocalSystem account in a call to the
CreateService or ChangeServiceConfig function, any password
information you provide is ignored.