Windows – Where is the RunServicesOnce registry key

windowswindows-registry

I have an application that updates software on the local machine. I need the software to be updated prior to user log on, and have read that running the application via the RunServicesOnce registry key is probably the most appropriate to use for this purpose.

But I can't find this key using regedit and it doesn't appear in the same location as the HKLM RunOnce key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.

  1. Where is this key located? Same in Windows XP \ Vista \ 7 \ 8 \ 8.1 \ 10 ?
  2. How do I use it, are there any optional parameters?
  3. How do I determine the user that the application is run as? Is it run by the user that created the key? If a LocalSystem service creates the key, will it be run as LocalSystem ?

Best Answer

Where is the RunServicesOnce registry key

I have an application that updates software on the local machine. I need the software to be updated prior to user log on

Start Program before User Logon Windows 7

If you want it to start before the user logs on, you will have to start it as a service. Here is the startup sequence of the major registry keys, starting immediately after bootmgr has been read and ending with the program shortcut entries in the two Startup folders.

  1. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute. This can include instructions to schedule the running of chkdsk but not user programs.
  2. Services start next, followed by the RunServicesOnce and RunServices registry keys (if present)
  3. User then logs on to the system
  4. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit. This points to the program C:\WINDOWS\system32\userinit.exe and the entry ends with a comma. Other programs can be started from this key by appending them and separating them with a comma.
  5. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell. This should contain just one entry, explorer.exe.
  6. Program entries in these 2 registry keys for ALL USERS start next: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and \RunOnce
  7. Program entries in these 2 registry keys for CURRENT USER start next: HKCU\Software\Microsoft\Windows\CurrentVersion\Run and \RunOnce
  8. Programs in the Startup Folders of All Users and Current User are started last of all.

Important programs like antivirus and firewall start early in the sequence as Services. The icons that appear in the Notification Area (bottom right of the screen) are just their user interfaces, i.e. options and preferences.

The additional location for 32-bit software in a 64-bit computer is HKLM\SOFTWARE\Wow6432Node and HKCU.

The Run Keys and Search-Order

The registry is accessed even before the NT kernel is loaded, so it is very important to understand what the computer is configured to load at startup. The following list of registry keys are accessed during system start in order of their use by the different windows components:

  1. HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
  2. HKLM\System\CurrentControlSet\Services (start value of 0 indicates kernel drivers, which load before kernel initiation)
  3. HKLM\System\CurrentControlSet\Services (start value of 2, auto-start and 3, manual start via SCM)
  4. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  5. HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  6. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  7. HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
  8. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  9. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  10. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  11. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  12. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  13. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  14. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  15. HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  16. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  17. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  18. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  19. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  20. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
  21. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
  22. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler (XP, NT, W2k only)
  23. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Note: Some of these keys are also reflected under HKLM\Software\wow6432node on systems running on a 64bit architecture and with a 64bit version of Windows. I won’t be covering each of these in this post.

Run your service as the LocalSystem account unless the account needs to access network resources at which point you'd create a domain service account, give it access to the applicable resources, and then hard-code its credentials for the service to run as. On the local machine, it'll have administrative permissions to everything and not require any password for the service credential.

LocalSystem Account

The LocalSystem account is a predefined local account used by the service control manager. This account is not recognized by the security subsystem, so you cannot specify its name in a call to the LookupAccountName function. It has extensive privileges on the local computer, and acts as the computer on the network. Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs; these accounts have access to most system objects. The name of the account in all locales is .\LocalSystem. The name, LocalSystem or ComputerName\LocalSystem can also be used. This account does not have a password. If you specify the LocalSystem account in a call to the CreateService or ChangeServiceConfig function, any password information you provide is ignored.

Related Question