F-Secure (and Andy, whose blog I checked first!) posted about the most common registry locations that malware tries to start from on Windows. Not only is this list highly useful to check in response to an incident, but like any good baseline, this is a list of locations that all admins should be familiar with even before an incident. It doesn’t help to have an incident, check one of these locations, and not know what those other 25 entries do. That is wasted time trying to isolate which one is out of place. Check these locations out now and see what is really going on with your system. I even filed this into my always-being-built wiki.