The Sans Computer Forensics blog discusses how to query certain registry keys to find secondary indicators of a compromise.

Dave Hull has created a list of registry keys that can be used to run malware at boot time. He used AutoRuns from Microsoft Sysinternals to pull the list of registry keys.

The list of keys are available :

XPSP3_HKCU_Startup_Locations.txt - cannot be remotely queried XPSP3_HKLM_Startup_Locations.txt - can be remotely queried