Introduction
It's a good practice to inspect the startup entries frequently for security. The System Configuration Utility (MSCONFIG) will not list applications loaded from all possible startup locations; most other entry points are hidden from, and unknown to, the end user. This article gives a clear picture of the start locations of applications and drivers. Some of the locations mentioned in this article may not apply to Windows 95/98/ME systems.
Startup locations
HKCU refers to HKEY_CURRENT_USER
HKLM refers to HKEY_LOCAL_MACHINE
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows (in the right pane, the values named "Run" and "Load")
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\{Username}\Start Menu\Programs\Startup
Note: the items shown in blue on the original page are the ones MSCONFIG can manage.
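To put the list above to work, here is an added PowerShell script (not from the original article) that walks the Run-type keys under HKCU and HKLM, the Winlogon Userinit value and both Startup folders, and reports the Authenticode signature status of each referenced file, so unsigned or missing binaries stand out. It assumes Windows PowerShell 3 or later; the command-line parsing is a simple heuristic (quoted path, otherwise first token).

```powershell
# Added example, not from the original article: enumerate the Run-type keys,
# Winlogon Userinit and the Startup folders; report Authenticode status per entry.
$runKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
function Get-ExePath([string]$cmd) {
    # Heuristic: a quoted path, otherwise the first token (trailing comma stripped,
    # because Userinit ends with one). Unquoted paths containing spaces are cut
    # short and show up as 'missing', which is worth a manual look anyway.
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+)')     { return $Matches[1].TrimEnd(',') }
    return $null
}
function Get-SigStatus([string]$path) {
    if (-not $path) { return 'no-path' }
    $full = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $full)) { return 'missing' }
    return (Get-AuthenticodeSignature -LiteralPath $full).Status.ToString()
}
function New-Entry($loc, $name, $cmd) {
    [pscustomobject]@{ Location = $loc; Name = $name; Command = $cmd
                       Signature = Get-SigStatus (Get-ExePath "$cmd") }
}
$entries = @()
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($key in $runKeys) {
        $regPath = "$hive\$key"
        if (-not (Test-Path $regPath)) { continue }   # e.g. RunServices on NT-based systems
        foreach ($p in (Get-ItemProperty -Path $regPath).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PowerShell provider metadata
            $entries += New-Entry $regPath $p.Name $p.Value
        }
    }
}
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$entries += New-Entry 'HKLM\...\Winlogon' 'Userinit' $wl.Userinit   # expect userinit.exe only
foreach ($folder in 'Startup', 'CommonStartup') {                   # per-user and All Users
    $dir = [Environment]::GetFolderPath($folder)
    foreach ($f in (Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue)) {
        $entries += New-Entry $dir $f.Name $f.FullName
    }
}
$entries | Sort-Object Signature, Location | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and the All Users folder are readable; entries reported as NotSigned, HashMismatch or missing are the ones to investigate first.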
Using Windows Defender to manage Windows startup
Windows Defender (included by default in Windows Vista) helps you inspect/manage your startup programs.
- Open Windows Defender.
- Click Tools, and then click Software Explorer.
- In the Category list, select Startup Programs.
- To list startup entries for the whole system, click Show for all users.
- You can enable, disable or remove startup entries from there.
Advanced stuff - additional Windows Startup launch-points
Silentrunners.org covers many more startup launch-points. Malware can be present in any of the locations described. Additionally, it's worth verifying the contents of the ShellExecuteHooks key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Excellent utility to manage Windows startup
Inspecting all the keys manually can be a tiring task. Your best bet is to use third-party software to inspect the startup. Though there are many freeware utilities which can track/log the startup entries, the following tool is very impressive.
Autoruns (http://technet.microsoft.com/hi-in/sysinternals/bb963902(en-us).aspx) - This utility covers most of the start locations. It also allows you to edit the startup for other user profiles (Windows 2000/XP/Vista). This tool is my personal favorite.
Additionally, you can enable or disable certain shell extensions, Browser Helper Objects, other Internet Explorer add-ons, drivers, Winsock providers etc.
View and manage Windows XP Services and Drivers
ServiWin (http://www.nirsoft.net/utils/serviwin.html) displays the list of installed drivers and services on your system. For some of them, additional useful information is displayed: file description, version, product name, the company that created the driver file, and more. In addition, ServiWin allows you to easily stop, start, restart, pause and continue a service or driver, change the startup type of a service or driver (automatic, manual, disabled, boot or system), save the list of services and drivers to a file, or view an HTML report of installed services/drivers in your default browser.
- To view the Services list, click the View menu and choose Services [F8 key]
- To view the Drivers list, click the View menu and choose Drivers [F7 key]
- To find the third-party drivers, sort by the column named Company
You may also use the DriverQuery command built into Windows XP to view the list of all device drivers installed on your system, and redirect the list to a file for troubleshooting purposes. Type driverquery /? at the Command Prompt for more information.
Usage / Examples
DRIVERQUERY /SI [lists the drivers' signing status, Signed or Unsigned]
DRIVERQUERY /V [generates a detailed report]
DRIVERQUERY [lists all device drivers]
To redirect the output to a file, use: DRIVERQUERY /SI > C:\driverslist.txt