Some people have asked me, “How do I know what software is loaded when my machine boots up?” According to Microsoft TechNet:
Under Microsoft Windows 95, Windows 98, and Windows Millennium Edition (Me) where all keys are supported, the keys are loaded in the following order:
With the exception of the HKEY_LOCAL_MACHINE\…\RunOnce key, all keys and their entries are loaded asynchronously. Therefore, all entries in the RunServices and RunServicesOnce keys can potentially run at the same time.
Entries in the HKEY_LOCAL_MACHINE\…\RunOnce key are loaded synchronously in an undefined order.
Because the HKEY_LOCAL_MACHINE\…\RunOnce key is loaded synchronously, all of its entries must finish loading before the HKEY_LOCAL_MACHINE\…\Run, HKEY_CURRENT_USER\…\Run, HKEY_CURRENT_USER\…\RunOnce, and Startup Folder entries can be loaded.
The RunServicesOnce and RunServices keys are loaded before the user logs into Windows 95, Windows 98, and Windows Me. Because these two keys run asynchronously with the Logon dialog box, they can continue to run after the user has logged on. However, since HKEY_LOCAL_MACHINE\…\RunOnce must load synchronously, its entries will not begin loading until after the RunServicesOnce and RunServices keys have finished loading.
Because of different system configurations (such as a computer that is configured to automatically log on), any application that is dependent upon other applications that are executed under these keys having completed must be prepared to wait until these applications are complete. Other than this exception, the above description applies to Microsoft Windows NT 4.0, Windows 2000, and Windows XP.
This will help you to identify spyware or adware that may be loading up on your machine at boot time.
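To list what is registered under these keys, here is an added PowerShell example (not part of the TechNet text or the original post) that groups entries by the load phases described above. It assumes the elided "…" in the key names stands for Software\Microsoft\Windows\CurrentVersion, and it skips any key that does not exist on the system being checked.

```powershell
# Added example: inventory of autostart entries, grouped by load phase.
# Assumption: the elided part of each key name is the standard
# Software\Microsoft\Windows\CurrentVersion path.
$base = 'Software\Microsoft\Windows\CurrentVersion'

# Phases follow the quoted description: the RunServices* keys load before
# logon, HKLM RunOnce loads synchronously, and everything else loads after it.
$keys = @(
    @{ Phase = '1 before logon';        Path = "HKLM:\$base\RunServicesOnce" },
    @{ Phase = '1 before logon';        Path = "HKLM:\$base\RunServices" },
    @{ Phase = '2 synchronous RunOnce'; Path = "HKLM:\$base\RunOnce" },
    @{ Phase = '3 after RunOnce';       Path = "HKLM:\$base\Run" },
    @{ Phase = '3 after RunOnce';       Path = "HKCU:\$base\Run" },
    @{ Phase = '3 after RunOnce';       Path = "HKCU:\$base\RunOnce" }
)

$results = @(foreach ($k in $keys) {
    # RunServices* normally exist only on Windows 95/98/Me; skip missing keys.
    if (-not (Test-Path -LiteralPath $k.Path)) { continue }
    $key = Get-Item -LiteralPath $k.Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Phase   = $k.Phase
            Source  = $k.Path
            Name    = $name
            # Keep %VAR% references unexpanded so the stored string is shown as-is.
            Command = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
})

# Startup Folder entries (per-user and all-users) load in the same phase as Run.
$folders = @([Environment]::GetFolderPath('Startup'),
             [Environment]::GetFolderPath('CommonStartup'))
$results += @(foreach ($dir in $folders) {
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            [pscustomobject]@{ Phase = '3 after RunOnce'; Source = $dir
                               Name = $_.Name; Command = $_.FullName }
        }
})

$results | Sort-Object Phase, Source, Name | Format-Table -AutoSize -Wrap
```

Entries whose Command points into a temp or user-profile directory, or that you cannot match to installed software, are the ones to look at first.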
If you think your machine has been hacked, this procedure probably won’t help you, as many/most packaged rootkits will attempt to hide themselves from cursory inspection of the registry. You can use RootkitRevealer to detect user- or kernel-level rootkits.