Windows sysinternals

Balaviswanathan

Chapter 5

Autoruns

A question I often hear is, “Why is all this stuff running on my computer?” That’s often followed with, “How do I get rid of it?” The Microsoft Windows operating system is a highly extensible platform. Not only can programmers write applications that users can choose to run, those programmers can “add value” by having their software run automatically without troubling the user to start it, by adding visible or nonvisible features to Windows Explorer and Internet Explorer, or by supplying device drivers that can interact with custom hardware or change the way existing hardware works. Sometimes the “value” to the user is doubtful at best; sometimes the value is for someone else entirely and the software acts to the detriment of the user (which is when the software is called malware).

Autostarts is the term I use to refer to software that runs automatically without being intentionally started by a user. These include drivers and services that start when the computer is booted; applications, utilities, and shell extensions that start when a user logs on; and browser extensions that load when Internet Explorer is started. There are over 100 locations in the file system and registry that allow autostarts to be configured on x86 versions of Windows, and many more on x64. These locations are often referred to as Autostart Extensibility Points, or ASEPs.

ASEPs have legitimate and valuable purposes. For example, if you want your instant messaging contacts to know when you are online, having the messaging client start when you log on is a great help. Users enjoy search toolbars and PDF readers that become part of Internet Explorer. And much of Windows itself is implemented through ASEPs in the form of drivers, services, and Explorer extensions.

On the other hand, consider the plethora of “free” trial versions of programs that computer manufacturers install on new computers and that fill up the taskbar notification area. Consider also the semi-hidden processes that legitimate vendors run all the time so that their applications can appear to start more quickly. Do you really need all these processes constantly consuming resources? On top of that, malware almost always hooks one or more ASEPs, and virtually every ASEP in Windows has been used by malware at one point or another.

Although Windows offers the System Configuration Utility (msconfig.exe, shown in Figure 5-1) to let you see some of these autostarts, it shows only a small subset and is of limited usability. Msconfig also requires administrative rights, even just to view settings. That means it cannot identify or disable per-user autostarts belonging to nonadministrator users.
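To make the per-user point concrete, here is a small PowerShell inventory script added for this edition of the text; it is not from the book or from the Sysinternals tools. It walks a handful of well-known ASEPs (the Run, RunOnce and Policies\Explorer\Run registry keys, plus the Startup folders) for the machine hive and for every user hive currently loaded under HKEY_USERS, which is exactly the set of nonadministrator entries msconfig never shows. The three registry subkeys and two folder paths are a deliberately short sample chosen for illustration; Autoruns covers well over a hundred locations, and this script makes no attempt to be complete.

```powershell
# Added example: inventory a sample of autostart locations (ASEPs) for every
# loaded user hive and for the machine. Not the book's code and not Autoruns;
# the location list below is a small illustrative subset, not the full ASEP set.

# Registry ASEPs (relative to each hive). Constructed sample list.
$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Resolve-OwnerName {
    # Map a hive name such as S-1-5-21-... to DOMAIN\user where possible;
    # .DEFAULT and service SIDs may not translate, so fall back to the raw name.
    param([string]$HiveName)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($HiveName)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $HiveName
    }
}

function Get-RunKeyEntries {
    # Emit one record per value under each Run-style key beneath $HivePath.
    param([string]$HivePath, [string]$Owner)
    foreach ($sub in $runSubKeys) {
        $key = "$HivePath\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip that metadata.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Owner    = $Owner
                Location = $key
                Name     = $p.Name
                Command  = [string]$p.Value
            }
        }
    }
}

function Get-StartupFolderEntries {
    # Emit one record per file in a Startup folder (a file-system ASEP).
    param([string]$Folder, [string]$Owner)
    if (-not (Test-Path -LiteralPath $Folder)) { return }
    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        [pscustomobject]@{
            Owner    = $Owner
            Location = $Folder
            Name     = $_.Name
            Command  = $_.FullName
        }
    }
}

$results = @()

# Machine-wide entries apply to every user who logs on.
$results += Get-RunKeyEntries -HivePath 'Registry::HKEY_LOCAL_MACHINE' -Owner 'MACHINE'

# Per-user entries: every hive loaded under HKEY_USERS, including nonadministrator
# users who are currently logged on. Skip the *_Classes hives, which hold no Run keys.
foreach ($hive in Get-ChildItem -LiteralPath 'Registry::HKEY_USERS') {
    if ($hive.PSChildName -like '*_Classes') { continue }
    $owner = Resolve-OwnerName $hive.PSChildName
    $results += Get-RunKeyEntries -HivePath $hive.PSPath -Owner $owner
}

# Startup folders: the common one under ProgramData, then each profile's own.
# Reading other users' profile folders requires administrative rights.
$commonStartup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'
$results += Get-StartupFolderEntries -Folder $commonStartup -Owner 'MACHINE'

$profilesRoot = Split-Path -Parent $env:USERPROFILE
foreach ($profile in Get-ChildItem -LiteralPath $profilesRoot -Directory -ErrorAction SilentlyContinue) {
    $userStartup = Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    $results += Get-StartupFolderEntries -Folder $userStartup -Owner $profile.Name
}

$results | Sort-Object Owner, Location, Name | Format-Table -AutoSize
```

Run from an elevated prompt the script lists every logged-on user's Run entries and Startup items alongside the machine-wide ones; run unelevated it still lists your own, which is already more than msconfig offers a standard user. Treat the output as a starting inventory to compare against Autoruns rather than as a substitute for it.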


145
