The Windows registry is a hierarchical database that keeps track of system settings. It is organised into registry keys, each serving a different purpose, and an individual registry entry is usually a key-value pair. Among the settings it holds is the list of programs that start automatically when Windows boots; malware researchers usually call these run entries.
Here are some frequently used keys:
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
The values under these keys hold the absolute (full) path of the program to launch. When Windows starts, the programs pointed to by these registry keys are started first, which is how a malicious program can run before the user has even begun their work.