Programs, shortcuts, and files placed in these folders are opened when a user logs in. Each user has their own Startup Folder, and additional Startup Folders apply to all users on a host. The contents of both the global and the per-user Startup Folder are executed in the context of the user who logs in.
Startup Folders are a common persistence mechanism used by malware on Windows systems. Defenders should inventory the contents of these folders and monitor them for changes.
Windows 7+
  All Users:     C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
  Specific User: C:\Users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Windows XP
  All Users:     C:\Documents and Settings\All Users\Start Menu\Programs\
  Specific User: C:\Documents and Settings\USER\Start Menu\Programs\
Accessing Startup Folders Within Explorer
  Specific User: Windows+R, shell:startup
  All Users:     Windows+R, shell:common startup
Changing Startup Folders in the Registry
The Startup value in the following Registry keys can be reconfigured to point to a non-standard location.
All Users
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Specific User
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
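The inventory and redirection checks described above, as an added example that is not part of the original post: it reads the Startup value (Common Startup under HKLM) from both Shell Folders keys, flags any value that no longer resolves to the default location, and lists what is in every folder a value points at. It assumes the Windows 7+ default paths given above and is run as the user being checked.

```powershell
# Added example, not from the original post: inventory the Startup folders and
# flag a Startup / Common Startup registry value redirected from its default.
# Assumes the Windows 7+ default locations listed above.

$checks = @(
    @{ Hive = 'HKCU:'; Value = 'Startup'
       Default = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup' },
    @{ Hive = 'HKLM:'; Value = 'Common Startup'
       Default = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup' }
)
$folders = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)

foreach ($c in $checks) {
    [void]$folders.Add($c.Default)      # always inventory the default location too
    foreach ($key in 'Shell Folders', 'User Shell Folders') {
        $path = "$($c.Hive)\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\$key"
        $raw  = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).($c.Value)
        if ($null -eq $raw) { continue }    # value absent: nothing to compare
        # User Shell Folders holds REG_EXPAND_SZ data (%APPDATA%\...); expand before comparing
        $resolved = [Environment]::ExpandEnvironmentVariables($raw).TrimEnd('\')
        $status = if ($resolved -ieq $c.Default.TrimEnd('\')) { 'OK' } else { 'REDIRECTED' }
        "[{0}] {1}\{2} = {3}" -f $status, $path, $c.Value, $resolved
        [void]$folders.Add($resolved)
    }
}

# List every folder a Startup value points at, hidden items included, so a file
# dropped into either a default or a redirected folder shows up with its timestamp.
foreach ($f in $folders) {
    "`n== $f =="
    Get-ChildItem -LiteralPath $f -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "  {0,-40} {1,8}  {2:yyyy-MM-dd HH:mm}" -f $_.Name, $_.Length, $_.LastWriteTime }
}
```

Run it once to baseline a host, then diff its output against later runs (or against a scheduled run) to catch additions to these folders or a changed registry value.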