Previously in this series, I explained how to locate registry entries that caused programs to launch at system startup and disable them. In this article, I want to continue the discussion by showing you a couple more ways to disable annoying startup programs in Windows XP.
The System Configuration Utility
Although the majority of our last article focused on the Windows registry, the registry is far from being the only mechanism for loading programs during system startup. One mechanism that I'm sure most admins are familiar with is the Startup folder. Any application placed in the Startup folder will load automatically when the system is booted.
Another place where Windows can load programs during startup is the WIN.INI file. The WIN.INI file is left over from the days of Windows 3.x and has been retained for backward compatibility purposes.
WIN.INI is a text file located in the \Windows folder that can be opened using Notepad. Two lines in the WIN.INI file are of particular interest to admins. These lines are:
Load=
Run=
By default these particular lines of code do not even exist in Windows XP, while older versions of Windows included these lines near the top of the WIN.INI file. The idea was that third-party application developers could use them as a way of automatically loading applications or application modules at system startup.
Microsoft chose to remove the Load= and Run= lines from Windows XP because it prefers application developers to use the registry as the primary means for launching code during startup. Even so, these commands are still fully supported and are often added to the WIN.INI file by malware authors. Over the past several years, I've seen numerous cases in which various types of spyware have been launched through the WIN.INI file because relatively few people know that WIN.INI can be used to launch startup programs.
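As an added example (not part of the original article), the following Python script parses a constructed WIN.INI and reports any Load= or Run= entries in its [windows] section; since a default Windows XP install has neither line, any value it returns deserves a look. The sample file contents and the comma-separated program list are assumptions for illustration.

```python
from typing import Dict, List

# Constructed sample WIN.INI for demonstration (not taken from any real system).
SAMPLE_WIN_INI = """[windows]
NullPort=None
load=C:\\WINDOWS\\system32\\example.exe
run=C:\\Program Files\\Vendor\\helper.exe,updater.exe
device=Microsoft XPS Document Writer,winspool,Ne00:

[Desktop]
Wallpaper=(None)

[fonts]
Arial (TrueType)=arial.ttf
"""

AUTOSTART_KEYS = ("load", "run")  # the two legacy startup keys, matched case-insensitively


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section name -> {key: value}, all names lower-cased.
    Hand-rolled rather than configparser so duplicate or odd legacy lines
    never abort the scan."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def find_winini_autostarts(text: str) -> List[dict]:
    """Return one finding per load=/run= line present under [windows]."""
    findings = []
    windows = parse_ini(text).get("windows", {})
    for key in AUTOSTART_KEYS:
        value = windows.get(key, "")
        if not value:
            continue
        # Assumption: multiple programs are comma-separated; paths with spaces stay whole.
        programs = [p.strip() for p in value.split(",") if p.strip()]
        findings.append({"key": key, "raw": value, "programs": programs})
    return findings


if __name__ == "__main__":
    for finding in find_winini_autostarts(SAMPLE_WIN_INI):
        print(f"{finding['key']}= launches {finding['programs']}")
```

On a real machine, read C:\Windows\win.ini into the function instead of the sample string; an empty result is the expected state on XP.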
Although you can edit the Startup folder and the WIN.INI file manually, it's sometimes easier to use the System Configuration Utility instead. Personally, I prefer using the System Configuration Utility initially because it allows you to enable or disable commands by simply selecting or deselecting check boxes. This is handy since sometimes you might see an entry for a startup program that you don't recognize. The System Configuration Utility allows you to temporarily disable such an entry -- and learn the effects of doing so -- without making a permanent configuration change to your system. Once you are confident in the changes that you have made, you can then make them permanent.
You can access the System Configuration Utility by entering the MSCONFIG command at the Run prompt. The System Configuration Utility looks something like what you see in Figure A. As you can see, you can enable or disable various elements by using the corresponding check boxes.
Also, any time you've made a change to the system startup by using the System Configuration Utility, you will see a warning message during the boot process. To get rid of this warning message, you must perform a normal startup and then manually remove the offending settings.
The problem with networked workstations
All of the techniques I have shown you in this article series focus on preventing applications from automatically loading at system startup. The problem is that if the workstation is connected to a network, there are a lot more things that can cause programs to load automatically. For example, programs can be loaded through login scripts, Group Policy settings or even roaming or mandatory user profiles.
Typically, these types of mechanisms won't really present a problem because they are usually secured and under an administrator's direct control. This means that if an unwanted program is running at startup, the program will almost always be called by the local machine's registry, local security policy or by the WIN.INI file.
However, even though it is somewhat rare for an unwanted program to be called by a logon script or a network-level Group Policy setting, it can happen. In addition, if a program is being called from one of these locations, the effects will typically be widespread.
The most common way for a user to spread an unwanted startup program over a network is through roaming profiles. When non-mandatory roaming profiles are used, a user's local profile is copied to the network when he or she logs off. Hence, if the user's local machine is infected by an unwanted startup program, there is the potential for that program -- or at least a call to the program -- to be copied to the user's profile on the network. If the user logs into a different machine, the profile will follow him or her there and the unwanted file may consequently be copied to that machine.
Of course this is just a generalization. There are many different types of unwanted startup programs, and not all of them can be spread in this way. It's important to have some insight, though, as to how an unwanted program or a call to an unwanted program could theoretically be spread over a network.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. He writes regularly for SearchWinComputing.com and other TechTarget sites.
This was first published in January 2008