Windows – Where can i find the registry key “HKEY_CURRENT_USER\Control Panel\Desktop”

Where is the RunServicesOnce registry key

I have an application that updates software on the local machine. I need the software to be updated prior to user log on

Start Program before User Logon Windows 7

If you want it to start before the user logs on, you will have to start it as a service. Here is the startup sequence of the major registry keys, starting immediately after bootmgr has been read and ending with the program shortcut entries in the two Startup folders.

1. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute. This can include instructions to schedule the running of chkdsk but not user programs.
2. Services start next, followed by the RunServicesOnce and RunServices registry keys (if present)
3. User then logs on to the system
4. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit. This points to the program C:\WINDOWS\system32\userinit.exe and the entry ends with a comma. Other programs can be started from this key by appending them and separating them with a comma.
5. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. This should contain just one entry, explorer.exe.
6. Program entries in these 2 registry keys for ALL USERS start next: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \RunOnce
7. Program entries in these 2 registry keys for CURRENT USER start next: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce
8. Programs in the Startup Folders of All Users and Current User are started last of all.

Important programs like antivirus and firewall start early in the sequence as Services. The icons that appear in the Notification Area (bottom right of the screen) are just their user interfaces, i.e. options and preferences.

The additional location for 32-bit software in a 64-bit computer is HKLM\SOFTWARE\Wow6432Node and HKCU.

The Run Keys and Search-Order

The registry is accessed even before the NT kernel is loaded, so it is very important to understand what the computer is configured to load at startup. The following list of registry keys are accessed during system start in order of their use by the different windows components:

1. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
2. HKLM\System\CurrentControlSet\Services (start value of 0 indicates kernel drivers, which load before kernel initiation)
3. HKLM\System\CurrentControlSet\Services (start value of 2, auto-start and 3, manual start via SCM)
4. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
5. HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
6. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
7. HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
8. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
9. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
10. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
11. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
12. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
13. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
14. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
15. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
16. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
17. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
18. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
19. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
20. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
21. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
22. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (XP, NT, W2k only)
23. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Note: Some of these keys are also reflected under HKLM\Software\wow6432node on systems running on a 64bit architecture and with a 64bit version of Windows. I won’t be covering each of these in this post.

Run your service as the LocalSystem account unless the account needs to access network resources at which point you'd create a domain service account, give it access to the applicable resources, and then hard-code its credentials for the service to run as. On the local machine, it'll have administrative permissions to everything and not require any password for the service credential.

LocalSystem Account

The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService or ChangeServiceConfig function, any password information you provide is ignored.