Where do things load from?
How do you stop them?
A program can be loaded at startup from various places. By knowing where these are located, you have more direct control over them. How to edit and control startup program launching is different in Windows XP than in Windows 2003 and Vista, primarily due to the innovation in Win98 of MSCONFIG.EXE.
In the instructions below, the programs MSCONFIG, SYSEDIT, and REGEDIT each can be launched by clicking Start, then Run, typing in the program name, and clicking OK.
Locations that control startup loading of programs include the following:
The CONFIG.SYS and AUTOEXEC.BAT files.
Launch SYSEDIT and examine the AUTOEXEC.BAT and CONFIG.SYS files. At machine startup, configuration steps in CONFIG.SYS and command lines listed in AUTOEXEC.BAT will execute.
For more information on individual MS-DOS or command prompt commands, open a DOS or command prompt window and type the individual command followed by /?.
For more information on special batch file commands, see the Batch File Commands article on this site. You can temporarily suspend any line of this file by placing REM (followed by a space) in front of the line.
QUIRKS by QUIRKE: South African Windows watchdog, Chris Quirke, has alerted me to a strange Windows quirk I never knew about. In Win95/98, COMMAND.COM launches not “Autoexec.bat” per se but, rather, the simple command AUTOEXEC. This means that the usual command line launching rules apply so that a .BAT file is first sought (AUTOEXEC.BAT) but, if one isn’t found, the OS next will look for AUTOEXEC.COM and, thereafter, AUTOEXEC.EXE! On the one hand, this is a useful trick; on the other hand, it’s an especially useful trick for malware designers!
In Windows Millennium Edition, the MSCONFIG method, or editing AUTOEXEC.BAT and CONFIG.SYS with Notepad, are your only options unless you migrate SYSEDIT.EXE to your system.
In Windows XP, the only option is to edit AUTOEXEC.BAT (if it exists) with Notepad.
THE WINSTART.BAT FILE
The WINSTART.BAT file in Windows 95 and 98 loads TSR programs required for Windows-based programs but not needed in MS-DOS sessions. This file, if it exists, is usually in the C:\Windows folder, and is executed every time Windows starts — just like AUTOEXEC.BAT, except that AUTOEXEC.BAT is also launched during a DOS startup. You can examine and edit the contents of WINSTART.BAT with Notepad. You can temporarily suspend any line of WINSTART.BAT by placing REM (followed by a space) in front of the line. (Note that this is ignored in all other versions of Windows, since there is no need to differentiate MS-DOS session behavior.)
THE STARTUP FOLDER
This is usually located at C:\Documents and Settings\All Users\Start Menu\Programs\Startup. However, it may be at a different location on your computer. You can view the Startup folder in Windows Explorer by clicking the appropriate link (immediately above) if you have used the default; or you can view it by clicking Start | Programs | StartUp.
In Windows, you also can suspend the action of individual startup programs by launching MSCONFIG, clicking the Startup tab, and unchecking the box of any startup items you want to suspend.
You can freely delete any items in this folder without risking modifying or damaging any existing programs, because everything in this folder is a shortcut. (It doesn’t have to be. You can put an actual program or batch file here. But, almost always, it’s a shortcut.)
The actual program is somewhere else. (You must, of course, know how to create a new shortcut if you want to restore it in the future.)
You also may want to remove them to a different (storage) folder. (Disabling them with MSCONFIG actually moves them to a separate folder titled Disabled Startup Items.)
NOTE: In Windows XP there normally is an additional Startup folder for each user account. These are found by going to C:\Documents and Settings, clicking the folder for the particular user name, and navigating down through Start Menu and Programs folders to the individual Startup folder. Please note that a number of the points made in this article may have multiple elements in a multi-user environment.
The location of the folders that Windows treats as the Startup folder (including the individual user profile’s Startup folder) is stored in the Startup key of
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
and the Common Startup key of
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
THE WIN.INI FILE
WINDOWS XP NOTE: I have not seen WIN.INI used in Windows XP for startup purposes. However, Microsoft continues to include WIN.INI in their XP Help and Support instructions for Selective Startup troubleshooting, so it may still be in use in addition to the Registry key mentioned immediately below.
In Windows XP, launch SYSEDIT and examine the WIN.INI file. In the first section (titled [windows]), look for any lines beginning with LOAD= or RUN=. The programs listed on them are executed at startup. (Empty LOAD= or RUN= lines do not launch anything.)
You can temporarily suspend these by placing a semi-colon in front of the line.
In Windows Millennium Edition and Windows XP, the MSCONFIG method, or editing WIN.INI with Notepad, are your only options (unless you migrate SYSEDIT.EXE to your Windows ME system).
In Windows 2000 and XP, the LOAD= and RUN= items are usually stored, instead, in the Registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
— this (at least generally) replaces the WIN.INI file in those operating systems. Some viruses and parasites exploit this key; see Common Loading Points of Threats in Windows NT/2000/XP.
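The WIN.INI check described above can be scripted. The following Python is an added example, not part of the original article: it lists LOAD= and RUN= entries in the [windows] section and marks lines suspended with a semicolon. The function name and the sample file content are assumptions made for illustration.

```python
def winini_startup(text):
    """Return (line no, key, value, state) for LOAD=/RUN= in [windows]."""
    found, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line, state = raw.strip(), "active"
        if line.startswith(";"):
            # A leading semicolon suspends the line; report it as such.
            line, state = line.lstrip("; \t"), "suspended"
        if state == "active" and line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        # Empty LOAD=/RUN= lines launch nothing, so they are not reported.
        if section == "windows" and sep and key in ("load", "run") and value:
            found.append((lineno, key, value, state))
    return found

# Constructed WIN.INI content, not taken from a real machine.
SAMPLE_WININI = """\
[windows]
load=
;run=C:\\OLD\\SUSPENDED.EXE
Run=C:\\EXAMPLE\\TRAYAPP.EXE
NullPort=None

[Desktop]
run=C:\\EXAMPLE\\IGNORED.EXE
"""

if __name__ == "__main__":
    for entry in winini_startup(SAMPLE_WININI):
        print(*entry, sep=" | ")
```

Keys are matched case-insensitively, and a run= line outside [windows] is ignored because only that section is read for startup purposes.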
THE WININIT.INI FILE
In Windows 2000 and XP, the WININIT.INI file, if it exists, will be executed. However, it is usually replaced by the “PendingFileRenameOperations” sub-key in the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager.
REGISTRY KEYS
The following Registry keys may contain items to execute at launch.
WARNING: Do not edit the Registry directly without first backing it up. For Registry backup recommendations, see Registry Patches.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Additionally, the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key (on Windows NT, 2000, XP, and Server 2003 systems) has a Userinit item which normally points to the perfectly legitimate and important program C:\WINDOWS\system32\userinit.exe.
However, other programs can be made to launch from the same key by appending them to the legitimate value data, separated by a comma.
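The Python below is an added example, not part of the original article. It audits a Registry export for the Run-family keys listed above, for programs appended to Userinit, and for the load/run values of the Windows NT\CurrentVersion\Windows key mentioned in the WIN.INI section. It assumes the export is in .reg syntax, already decoded to text, with string values only; the function name and the sample data are illustrative.

```python
import re

# Key paths from the article, hive stripped and lower-cased for matching.
CV = r"software\microsoft\windows\currentversion"
RUN_KEYS = {CV + s for s in (r"\run", r"\runonce", r"\runonceex",
            r"\runservices", r"\runservicesonce", r"\runonce\setup")}
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
WINDOWS = r"software\microsoft\windows nt\currentversion\windows"
# Assumption: Windows lives in C:\WINDOWS, as in the article's example path.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Matches "name"="data" (string values only); escapes are undone in audit().
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def audit(reg_text):
    """Return (key, value name, data, note) tuples for startup entries."""
    findings, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        sub = key.partition("\\")[2].lower()
        if sub in RUN_KEYS and data.strip():
            findings.append((key, name, data, "autorun"))
        elif sub == WINDOWS and name.lower() in ("load", "run") and data.strip():
            findings.append((key, name, data, "load/run value"))
        elif sub == WINLOGON and name.lower() == "userinit":
            # A trailing comma leaves an empty part; skip it.
            for part in (p.strip() for p in data.split(",")):
                if part and part.lower() != EXPECTED_USERINIT:
                    findings.append((key, name, part, "appended to Userinit"))
    return findings

# Constructed sample in .reg export syntax, not taken from a real machine.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe /min"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\Example\\runme.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Example\\extra.exe,"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Entries under the Run keys are listed for review rather than judged, since legitimate software uses them too; only the Userinit check compares against an expected value.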
Please note that in Win XP, these items will appear on the Startup tab of MSCONFIG along with items in the StartUp folder. You can most safely and most easily disable them by unchecking the box in front of them. Also, please note that some items may appear twice in these Registry keys, and thus twice on MSCONFIG’s Startup tab.
For some items — such as power management and TweakUI — this is normal, and both are needed for normal functioning. (They do different jobs, at different stages of system startup.) Some other duplicates may, in fact, be unnecessary.
It is not possible to give a complete list, in advance, of all possible examples.
If there are duplicates that are truly unnecessary, the simplest way to get rid of them is to be sure that both are checked, click OK to close MSCONFIG, and reboot the computer.
DRIVER FILES
Driver files (.VXD files) are also loaded at system startup in Windows. These are primarily loaded from the following locations:
• The SYSTEM.INI file in the [386enh] section (edit with SYSEDIT or MSCONFIG).
• The following Registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\VxD
• In Windows ME, on the Static VxDs tab of MSCONFIG.
SERVICES in WINDOWS XP
In addition to the foregoing, in Windows XP you should examine the Services that are automatically launched at startup. You can see these by pressing Ctrl+Alt+Del, then clicking the Processes tab, or by launching the Services management tool that you will use to modify them. To launch the Services tool, log in as an Administrator, then click Start | Control Panel | Performance & Maintenance | Administrative Tools | Services. (Note that this Control Panel item is simply a shortcut, which you can copy to your desktop or anywhere else you want it.) Even faster, from a Run box (click Start | Run or press Win+R) type SERVICES.MSC.
By default, Windows initiates many Services you just don’t need. For example, if you aren’t on a network, there are at least half a dozen Services that should be set to Manual rather than Automatic — meaning, they still can be launched, but will not launch automatically at Windows startup.
MORE HIDDEN LOADS...
Here is a list of some non-startup loading mechanisms:
1. Network logon processes (e.g., Novell Client)
2. Tasks, both time-based and event-based (e.g., associated with network login, or executed by a task scheduler)
3. Magic-name dropper attacks (e.g., AutoRun.inf)
4. File infection (what a true “virus” does)
There are several other possibilities which, however, come under the heading of malware detection more than the simpler topic to which this page is dedicated, viz., a general user’s management of their startup process.
For example, we could go into topics of file substitutions (dropping a malicious or alternate program onto the computer to replace one with a known name, e.g., replacing ScanDisk), or the well-known use of the SHELL= line in SYSTEM.INI to launch more than one program. These are well-known to malicious hackers, virus developers, etc.
There are still other startup locations that have not been mentioned here because, according to security experts I know, they haven’t yet been used in malware attacks, and don’t really have any practical use for the typical user.
I do hope, however, that this page helps you control what programs your computer does, and does not, load at startup.
WHAT SHOULD I LOAD?
Okay, now you know how to control what loads at Windows startup. But, what should you let Windows load? Often, there are so many programs or features that come pre-installed on a computer, or automatically launched by Windows — most of them with obscure, abbreviated names — that it is hard to know what to enable and what not to enable. Since these startup items lower the baseline of available System Resources in Windows, it is advisable to only load those programs at startup that you have to, and that you want to — and get rid of the rest!
After that tutorial, I think that you can easily autorun your programs at logon and also disable some malware on your PC.