ESDS Knowledge Base

13 Dec

Startup in Windows

Today it is hard to find an organization that has never been hit by a virus attack. Although antivirus software is installed almost everywhere, it is sometimes necessary to look manually at where in the registry programs are started from, and those programs are not necessarily harmful. When hunting for resident malware, we are interested in the following questions:

How does autostart work?
Where can I find the list of programs that are loaded automatically?
How do I disable an entry in the startup list?

That is the subject of this article.

Ways to start programs automatically

There are many ways to start a program automatically. Some of them are described below; I hope this will help in finding and removing malicious programs from startup.

Registry

In the Windows 7 registry, startup is represented by several keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] - programs that run at logon. Programs in this key run for all users of the system.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] - programs that run only once, when a user logs on to the system; afterwards the entry is automatically deleted from the key. Programs in this key run for all users of the system.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] - programs that run when the current user logs on to the system.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce] - programs that run only once, when the current user logs on; afterwards the entry is automatically deleted from the key. For example, to launch Notepad automatically when the current user logs on, open the Registry Editor (regedit.exe), go to [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] and add the value "NOTEPAD.EXE"="C:\WINDOWS\System32\notepad.exe".

Using Group Policy to run programs automatically

Open the Group Policy snap-in (gpedit.msc) and go to Computer Configuration, Administrative Templates, System, Logon. In the right pane, open the "Run these programs at user logon" policy.

By default this policy is not configured, but you can add a program: enable the policy, click "Show", then "Add", and specify the path to the program. If the program is located in WINDOWS\System32\ you can give only its name; otherwise you have to enter the full path. In effect, this section of Local Group Policy lets you specify an additional program or document to be executed when a user logs on to the system.

The setting exists under both Computer Configuration and User Configuration. If both are configured, the program specified in the computer section runs first, then the one in the user section. In the registry, a subkey \Explorer\Run is created under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies] with the added programs as its values.

Example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] "a"="notepad.exe"

As a result, Notepad runs at logon.

Autostart for the current user is set up the same way: in Group Policy the path is User Configuration, Administrative Templates, System, and in the registry the key is [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run].

Programs from this list do not appear among the programs that can be disabled in msconfig.exe, and not all startup managers detect them.

Ignoring the RunOnce lists

This is configured in Group Policy under Computer Configuration, Administrative Templates, System, Logon with the option "Do not process the run once list". If this policy is enabled, programs from [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce] are not run. Enabling the policy creates the following registry value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer] "DisableLocalMachineRunOnce"=dword:00000001

The policy for the current user is set the same way: User Configuration, Administrative Templates, System, Logon, option "Do not process the run once list".

Registry settings:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "DisableLocalUserRunOnce"=dword:00000001

Scheduled Tasks

Programs can also be run by the Task Scheduler. To view the list of installed tasks, or to add a new one, go to Start Menu, All Programs, Accessories, System Tools, Task Scheduler; the Task Scheduler window lists the scheduled tasks.

To add a new task, select "Create a simple task" in the Actions pane.

The wizard can launch a program once, at user logon, at computer startup, or on a schedule.

The Startup folder

This folder contains shortcuts to programs that run when a user logs on to the system. Shortcuts can be added to it by programs when they are installed. There are two such folders: one common to all users and one for the current user. By default they are located here:

\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup - the folder from which programs run for all users;
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup - the folder from which programs run for the current user.

To see which programs run this way, open the Start menu and select All Programs, Startup. If you create a shortcut to a program in this folder, it will start automatically after the user logs on.

Changing the Startup folder

Windows reads the path to the Startup folder from the registry. It is stored in the following keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders] "Common Startup"="%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup" - for all users.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders] "Startup"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" - for the current user. If the path is replaced, all startup programs are taken from the new folder.

Example: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders] "Startup"="c:\mystartup" - the system loads all programs whose shortcuts are located in c:\mystartup\, while the "Startup" folder still appears in the Start menu; if the user had nothing in it, the change will go unnoticed.

A hidden weakness

Substituting a shortcut in the Startup list is easy. Suppose Adobe Acrobat is installed. Then the Startup folder contains the Adobe Reader Speed Launch shortcut, which is placed there by default. But the shortcut does not necessarily point to that application: it can launch any other program, and Acrobat's functionality is not affected.

Attaching a program to the loading of a program from the Startup list is a variation of the previous case: while a program from the Startup list loads, another program starts as well. Two executables can be "glued" into one so that they run simultaneously, and there are special tools for such gluing. Alternatively, the shortcut may point to a batch file that runs both the original program from the list and the added extraneous programs.

You can view the list of startup programs in the "System Information" window. To open it, click Start, All Programs, Accessories, System Tools, System Information, or type msinfo32.exe at the command prompt, and go to "Software Environment - Startup Programs". System Information displays the startup entries from the registry and from the "Startup" folders.

Another program that shows the list of startup programs is the System Configuration Utility (type msconfig.exe at the command line to start it). Besides showing the startup list, it lets you disable all startup items (General tab) or selected programs (Startup tab).
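As an added example (not part of the original article), the following PowerShell script inventories the locations described above in one pass: the Run/RunOnce keys, the Group Policy Explorer\Run keys that msconfig does not show, the "Do not process the run once list" values, and the Startup folders, which it resolves from User Shell Folders so that a redirected folder is reported. It is read-only and assumes Windows 7 or later, run from an administrative PowerShell; the key names and defaults are those quoted in the article.

```powershell
# Added example: read-only inventory of the autostart locations the article describes.
# Assumes Windows 7 or later and an elevated PowerShell session.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # Group Policy "Run these programs at user logon" entries; msconfig does not list these
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($path in $runKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{ Location = $path; Name = $name; Command = $key.GetValue($name) }
    }
}

# Policy values that make Windows skip the RunOnce lists
foreach ($path in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer') {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in 'DisableLocalMachineRunOnce', 'DisableLocalUserRunOnce') {
        if ($key.GetValue($name) -eq 1) { Write-Warning "$path\$name = 1 (RunOnce list is ignored)" }
    }
}

# Startup folders: Windows takes the real path from User Shell Folders. Read the value
# unexpanded and compare it with the default; a different value means shortcuts are
# loaded from a folder other than the one the Start menu shows.
$startupFolders = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
       Name = 'Common Startup'
       Default = '%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
       Name = 'Startup'
       Default = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
)
foreach ($f in $startupFolders) {
    $key = Get-Item -Path $f.Key -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    $raw = $key.GetValue($f.Name, $null, 'DoNotExpandEnvironmentNames')
    if ($raw -ne $f.Default) { Write-Warning "$($f.Name) is redirected to: $raw" }
    $dir = [Environment]::ExpandEnvironmentVariables([string]$raw)
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName
}
```

Compare the reported commands and shortcut targets against what msconfig shows; entries present here but absent there are the Group Policy and redirected-folder cases the article warns about.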

The information in this article should not be considered exhaustive, but I hope it will help you in the difficult fight against malware.
