6

I have an application that updates software on the local machine. I need the software to be updated prior to user log on, and have read that running the application via the RunServicesOnce registry key is probably the most appropriate to use for this purpose.

But I can't find this key using regedit and it doesn't appear in the same location as the HKLM RunOnce key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.

  1. Where is this key located? Same in Windows XP \ Vista \ 7 \ 8 \ 8.1 \ 10 ?
  2. How do I use it, are there any optional parameters?
  3. How do I determine the user that the application is run as? Is it run by the user that created the key? If a LocalSystem service creates the key, will it be run as LocalSystem ?
Improve this question
6
  • Same location in every version of Windows
    – Ramhound
    Commented Jan 29, 2016 at 2:57
  • @Ramhound thanks for your help - where in that document does it specify the location of the RunServicesOnce key?
    – khargoosh
    Commented Jan 29, 2016 at 2:59
  • Wrong...Support article....should have linked to this
    – Ramhound
    Commented Jan 29, 2016 at 3:00
  • More talk
    – Ramhound
    Commented Jan 29, 2016 at 3:03
  • 1
    @Ramhound your second link clearly states that it applies to "Windows 95, Windows 98, and Windows Millennium Edition"
    – Yisroel Tech
    Commented Jan 29, 2016 at 4:18

1 Answer 1

Reset to default
8

Where is the RunServicesOnce registry key

I have an application that updates software on the local machine. I need the software to be updated prior to user log on

Start Program before User Logon Windows 7

If you want it to start before the user logs on, you will have to start it as a service. Here is the startup sequence of the major registry keys, starting immediately after bootmgr has been read and ending with the program shortcut entries in the two Startup folders.

  1. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute. This can include instructions to schedule the running of chkdsk but not user programs.
  2. Services start next, followed by the RunServicesOnce and RunServices registry keys (if present)
  3. User then logs on to the system
  4. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit. This points to the program C:\WINDOWS\system32\userinit.exe and the entry ends with a comma. Other programs can be started from this key by appending them and separating them with a comma.
  5. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. This should contain just one entry, explorer.exe.
  6. Program entries in these 2 registry keys for ALL USERS start next: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \RunOnce
  7. Program entries in these 2 registry keys for CURRENT USER start next: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce
  8. Programs in the Startup Folders of All Users and Current User are started last of all.

Important programs like antivirus and firewall start early in the sequence as Services. The icons that appear in the Notification Area (bottom right of the screen) are just their user interfaces, i.e. options and preferences.

The additional location for 32-bit software in a 64-bit computer is HKLM\SOFTWARE\Wow6432Node and HKCU.

The Run Keys and Search-Order

The registry is accessed even before the NT kernel is loaded, so it is very important to understand what the computer is configured to load at startup. The following list of registry keys are accessed during system start in order of their use by the different windows components:

  1. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
  2. HKLM\System\CurrentControlSet\Services (start value of 0 indicates kernel drivers, which load before kernel initiation)
  3. HKLM\System\CurrentControlSet\Services (start value of 2, auto-start and 3, manual start via SCM)
  4. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  5. HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  6. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  7. HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
  8. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  9. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  10. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  11. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  12. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  13. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  14. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  15. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  16. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  17. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  18. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  19. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  20. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
  21. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
  22. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (XP, NT, W2k only)
  23. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Note: Some of these keys are also reflected under HKLM\Software\wow6432node on systems running on a 64bit architecture and with a 64bit version of Windows. I won’t be covering each of these in this post.

Run your service as the LocalSystem account unless the account needs to access network resources at which point you'd create a domain service account, give it access to the applicable resources, and then hard-code its credentials for the service to run as. On the local machine, it'll have administrative permissions to everything and not require any password for the service credential.

LocalSystem Account

The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService or ChangeServiceConfig function, any password information you provide is ignored.

Improve this answer
2
  • 3
    "If you want it to start before the user logs on, you will have to start it as a service." How about schtasks instead?
    – mirh
    Commented Mar 26, 2017 at 15:47
  • You can technically run anything as a startup script or process "at system startup" to have it run as SYSTEM at startup before any Windows user account login, and without being a service at all for that matter. For example you can schedule a process to run at startup with Task Scheduler and that will work for that purpose too of running before the user account logs into the OS. Regarding "RunServicesOnce registry key" this answer was off the basis of that question—odd right! Good point though otherwise to accomplish what the OP asked but in a different way.
    – Vomit IT - Chunky Mess Style
    Commented Mar 22, 2020 at 20:50

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .