Back in the days of DOS, if a program was automatically loading when a computer started up, there were only two places that the program could have been called from: the CONFIG.SYS file or the AUTOEXEC.BAT file. Today, however, this simply isn’t the case. There are many different places that a program can be called from during the Windows startup. Further complicating the problem is that the startup locations are inconsistent among versions of Windows. For example, there are startup locations that exist in Windows 98 and Windows Me that don’t exist in Windows XP. For the purposes of this Daily Feature, I will walk you through all of the possible startup locations within Windows XP.
Perhaps the most obvious place to look for an application that automatically starts when Windows is launched is in the Startup folder. You can access the Startup folder by clicking Start | All Programs (or Programs, depending on your Start menu style) | Startup. When you do, you will see a menu containing the Startup items.
You can easily remove a program from the Startup menu by right-clicking on it and selecting the Delete command from the resulting shortcut menu. Keep in mind that this only deletes the Startup shortcut, not the application.
If you press [CTRL][ALT][Delete] and then click the Task Manager button, you will see the Windows Task Manager. The Applications tab will show you which applications are currently running on your system. This list is deceptive, though, because it only shows applications that currently have a visible window open. If you really want to see what programs are running on your system, select the Processes tab. Doing so will display a rather long list of the various processes that are currently running on your system.
Before you freak out over how much stuff is running on your system, there are a couple of things to keep in mind. First, some of the currently running processes are related to applications that may be open at the moment. To see which processes are related to applications, you can close an application and see which processes disappear. You could also return to the Applications tab, right-click on an application and select the Go To Process command from the resulting shortcut menu.
The other thing that you need to realize is that many of the running processes belong to Windows. For example, the process SPOOLSV.EXE is the Windows print spooler.
The following section involves editing your system registry. Using the Windows Registry Editor incorrectly can cause serious problems requiring the reinstallation of your operating system and possible loss of data. TechRepublic does not and will not support problems that arise from editing your registry. Use the Registry Editor and the following directions at your own risk.
Almost all of the processes that don’t belong to Windows or to open applications are called from within the registry. You can access most of the running processes by opening the Registry Editor, using the REGEDIT command, and navigating to:
This key contains all sorts of programs that are set to run at startup. Some of these programs, such as your antivirus software, are desirable. Others, however, you may want to remove. You will just have to go through the list and see what belongs and what doesn’t.
While you are in this part of the registry, you may also want to check the RunOnce registry key. Normally, this will be empty, but if an application wants your computer to run a file one time on the next boot up, the file will be listed here.
As you work through the registry, you should be able to match most of the running processes up with references within the registry. If there is an undesirable process loading automatically, but you can’t find it in this location, you can always do a registry search. Simply go to the top of the registry and then select the Find command from the Registry Editor’s Edit menu. Now, enter the process name exactly as it’s shown in the task manager. You should be able to find the process within the registry.
One thing to keep in mind is that just because there is a reference to a process within the registry, it doesn’t mean that the registry is telling Windows to launch that process. It’s not uncommon for a process to have dozens of listings. Unless you want a process completely removed from your system, it’s extremely important to check the function of a registry key before deleting it just because it contains a reference to a process. Deleting a key without completely understanding the effect can have disastrous consequences.
In Windows XP, it’s common to run lower-level applications as a system level service. Normally, you would locate a service by opening the Windows XP Control Panel and clicking on the Performance and Maintenance link, followed by the Administrative Tools and Services links. This will launch the Services console. The Services console will display all services loaded on the machine, a description of the service, the service’s current status, and the service’s startup state.
If you were to find an unwanted service, you can disable it through the Services console, but you can’t remove the unwanted service without modifying the registry. If you are interested in modifying services from within the registry, you can find them at:
Before you modify any services through the registry, remember that the services are protected for a reason. Many of the services are critical to Windows. The Registry Editor will allow you to remove any service that you want to. However, if you remove an incorrect service, Windows may not boot back up.
Still another location from which a program may be launched on boot up is the WIN.INI file. The WIN.INI file is a leftover from Windows 3.x. Microsoft chose to continue to provide a WIN.INI file in subsequent versions of Windows as a way of providing backward compatibility for 16-bit applications.
The WIN.INI file is located in the \WINDOWS folder, and can be edited using Notepad or any other text editor. If you open the WIN.INI file, you will notice a line that says LOAD= and another line that says RUN= . Both of these lines normally occur toward the top of the file, but can exist anywhere within the file. Likewise, both of these lines can be used to launch a 16-bit Windows application upon startup.
While there is no way to completely prevent a rogue application from using WIN.INI for malicious purposes, you can take some steps to make it more difficult for WIN.INI to be used maliciously. For starters, you can delete the LOAD= and RUN= lines from the file. After doing so, flag the file as read only. You can do so by opening a Command Prompt window, navigating to the windows directory, and entering the command:
ATTRIB C:\WINDOWS\WIN.INI +R
A DOS environment
In DOS, Windows 95, Windows 98, and Windows ME, the operating system would process a few DOS-related files upon boot up. These files included IO.SYS (hidden), MSDOS.SYS (hidden), COMMAND.COM, CONFIG.SYS, and AUTOEXEC.BAT. The IO.SYS, MSDOS.SYS, and COMMAND.COM made up the DOS platform. The CONFIG.SYS and AUTOEXEC.BAT files could load drivers or launch other executables. It was also possible to modify the MSDOS.SYS file, but that is beyond the scope of this article.
In Windows XP, the Windows kernel takes the place of the IO.SYS and MSDOS.SYS files. However, the COMMAND.COM file still exists. The COMMAND.COM file acts as the command interpreter for any commands issued through a DOS environment. The CONFIG.NT and AUTOEXEC.NT files have replaced the CONFFIG.SYS and AUTOEXEC.BAT files.
The reason why I am telling you about these files in an article that’s supposed to be about programs that run in the Startup is that in some circumstances, CONFIG.NT and AUTOEXEC.NT can be run at startup.
Think about it this way: In the days of DOS, if you wanted to run a DOS program, you had to enter the program’s file name at the DOS prompt. In Windows 9x and Me, the CONFIG.SYS and AUTOEXEC.BAT files ran at Startup. Technically speaking, Windows 9x and Windows Me ran on top of DOS. This meant that if you wanted to run a DOS program through Windows, Windows didn’t really have to do anything because DOS was already present and running. The DOS environment had even been prepared at boot up.
In Windows XP, it’s a different story, though. Windows XP does not run on top of DOS and, therefore, there is no pre-existing DOS environment. If you want to run a DOS program, Windows XP makes use of a DOS virtual machine. This virtual machine is essentially a DOS emulator. At the time that you either open a DOS Window or launch a DOS program, the CONFIG.NT and the AUTOEXEC.NT files are run in the background. This prepares the DOS virtual machine for your program to run.
Now that I have explained how CONFIG.NT and AUTOEXEC.NT work, imagine that someone configured a DOS-based file to run at startup. The file could be run through any of the methods that I discussed earlier in the article. When the file runs, Windows also runs CONFIG.NT and AUTOEXEC.NT. If modified, either of these files (but especially AUTOEXEC.NT) have the capability to run other programs.
If you suspect that CONFIG.NT or AUTOEXEC.NT might be launching an unauthorized program, you can view either file through Notepad. The files are located in the \WINDOWS\SYSTEM32 folder.
There is one exception to everything that I have told you about DOS programs running under Windows XP. If a DOS program is launched through a PIF file, then it will not call CONFIG.NT or AUTOEXEC.NT. A PIF file is a Program Information File, and uses the .PIF file extension. PIF files are a leftover from Windows 3.x. PIF files do not rely on CONFIG.NT or AUTOEXEC.NT because they provide the DOS program with all of the information that it needs. That’s why so many viruses are PIF-based.