Hkey_Local_Machine\System\CurrentControlSet\Control\FileSystem

    Win31FileSystem = 0 | Long filenames are enabled
    Win31FileSystem = 1 | Long filenames are disabled. Also known as "the Windows 3.1 File System"
Reference: Windows 95 Annoyances - Windows 95 Keeps Deleting My Applications
C:\CONFIG.SYS
C:\AUTOEXEC.BAT
c:\windows\system.ini
c:\windows\win.ini
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

as well as those in the directories pointed to by

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Common Startup=C:\WINNT\Profiles\All Users\Start Menu\Programs\StartUp (NT)
    Common Startup=C:\WINNT\All Users\Start Menu\Programs\StartUp (NT)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Startup=C:\WINDOWS\Start Menu\Programs\StartUp (95)
    Startup=C:\WINNT\Profiles\userid\Start Menu\Programs\StartUp (NT)

(If you rename HKLM\..\Common Startup, NT 4 just creates another one.)
Review C:\BOOTLOG.TXT to see those programs loaded via Config.sys and Autoexec.bat followed by the Windows operating system files. Those run via the registry entries and StartUp are not listed.
Not all of the registry keys will contain values. For instance, on one of my fairly plain systems, only HKLM/../Run includes any programs (4). The rest of the keys are either empty or missing. Some of the registry keys may not exist on your system. HKCU/../RunOnce, HKLM/../RunOnceEx, and HKLM/../RunServices are missing and the HKCU/../Run and HKLM/../RunServices keys are empty. In general, the 4 RunOnce keys are empty since they are only used if it is necessary to reboot the system when installing new software.
BTW, simply renaming the StartUp directory won't hide it from the Windows boot process. For more information, see here.
This Microsoft knowledge base article explains the purpose of each Run... key and indicates when it is executed. However, notice that RunOnceEx is not listed.
A list of the Programs (.exe) started during the boot process is available via Start / Programs / Accessories / System Tools / System Information / Software Environment / Startup Programs (assuming that your system has msinfo loaded).
msconfig
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSConfig=C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto

These programs are controlled via msconfig.exe.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig
    startupfolder   This is a list of files in your Start\Programs\Startup directory
    startupreg      key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Run msconfig.exe to disable these programs.
XP
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

I suppose that a new method was introduced to run Services. Possibly, they are loaded via
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
The DLLs located here are executed
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors
XP - Running a Virus in Windows Safe Mode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    shell = Explorer.exe

This runs the virus/parasite of your (actually, their) choice

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    shell = Explorer.exe C:\WINDOWS\Any_Virus_You_Want.exe

What happens is that Explorer.exe is the program that displays the desktop (also known as the shell). Therefore, this key makes sense. However, Explorer can also take command line arguments (usually a directory path) that instruct the program to perform some action. In this case, the argument is a program and Explorer executes (runs/opens) it.
When Windows runs in Safe mode, the non-operating system drivers and programs specified in most other locations are not run. This hack gets around that problem and causes the virus to run.
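A defensive check for the two things described above, the Run... keys and the Winlogon shell value (an added example, not from the original page): it parses the text of a .reg export, lists the autostart entries, and flags any Winlogon shell value other than the plain Explorer.exe shown above. The function names and the sample export are constructed for illustration, and the export is assumed to be already decoded to a string.

```python
import re

# Autostart keys named on this page, matched by suffix so the hive does not matter.
RUN_SUFFIXES = tuple(
    "\\microsoft\\windows\\currentversion\\" + k
    for k in ("run", "runonce", "runonceex", "runservices", "runservicesonce")
)
WINLOGON = "\\microsoft\\windows nt\\currentversion\\winlogon"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    # String data in a .reg file escapes backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Yield (key, name, value) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def audit(text):
    """Return (autostart entries, findings) for the exported text."""
    autostart, findings = [], []
    for key, name, value in parse_reg(text):
        k = key.lower()
        if k.endswith(RUN_SUFFIXES):
            autostart.append((key, name, value))
        elif k.endswith(WINLOGON) and name.lower() == "shell":
            # Anything after Explorer.exe is handed to Explorer as an argument.
            if value.strip().lower() != "explorer.exe":
                findings.append(f"Winlogon shell is not plain Explorer.exe: {value!r}")
    return autostart, findings

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\msconfig.exe /auto"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\placeholder.exe"
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Only string values are parsed; binary and DWORD entries in the export are skipped.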
Regedit Command Line Options
regedit [/L:system.dat] [/R:user.dat] file1.reg, file1a.reg...
regedit [/L:system.dat] [/R:user.dat] /e file3.reg [regkey]
regedit [/L:system.dat] [/R:user.dat] /c file2.reg
Backup the Registry
attrib -s -h -r *.dat
copy user.dat user.sav
copy system.dat system.sav
attrib +s +h +r *.dat
Registry Scripts
KiXtart 95, part of the Windows NT 4.0 Resource Kit, allows you to use a Basic-like language to read and modify the registry and to send keystrokes to any open window. [1] [2] [3]
When importing .reg files, it is possible to delete keys. Simply edit the .reg file and place a minus sign in front of any key you want to delete. For instance
change [HKEY_CLASSES_ROOT\jpegfile]
to     [-HKEY_CLASSES_ROOT\jpegfile]

Watch out - this could be very dangerous!

HKCU\Software\Microsoft\Office\8.0\Word\Options
    LiveScrolling = 1