Archive for the ‘Software’ Category

Windows registry autorun locations

Operating Systems, Windows 7, Windows 8, Windows Explorer, Windows Server 2003, Windows Server 2008 and 2008 R2, Windows XP | Posted by p_lider November 17th, 2013

Many times people ask me to check their computers for malware or for the reason they are working slowly. The first thing I do is check all programs that start automatically with Windows. Normally I remember 4 or 5 registry locations where to look for such programs and almost every time I have to search the internet for the others. That made me write this post, which lets me always have the full (or almost full) list of registry autostart locations in one place.

In the list below I have described all of the registry locations I know of which programs use to start automatically with Windows. Paths containing Wow6432Node exist on 64-bit Windows only (they hold the entries seen by 32-bit programs); the other path of each pair is present on every system. Each entry gives the registry location(s) followed by a description.

  1. HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
     HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
     All values under this key are executed when any user logs in.

  2. HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
     HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\
     All values under this key are executed when any user logs in. After execution the values are deleted.

  3. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
     HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\
     All values under this key were executed as "services" at startup, before logon. Note that only Windows 95/98/ME processed this key; NT-based Windows (XP and later) ignores it, so an entry found here will not run, but it still shows that something tried to persist.

  4. HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
     HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\
     Same as 3, but the values were deleted after execution. Like 3, it is not processed by NT-based Windows.

  5. HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
     All values under this key are executed when the current user logs in.

  6. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
     All values under this key are executed when the current user logs in. After execution the values are deleted.

  7. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
     Used only by setup. A progress bar is displayed while the values run.

  8. HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\
     Same as 5 but applies to the .DEFAULT profile, i.e. the LOCAL SYSTEM account, only.

  9. HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce\
     Same as 6 but applies to the .DEFAULT profile, i.e. the LOCAL SYSTEM account, only.

  10. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
      The „Shell” and „Userinit” values contain file names separated with commas which are executed when any user logs in. The stock values are explorer.exe and C:\Windows\system32\userinit.exe, (note the trailing comma); anything appended after them is suspect.

  11. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
      The „Shell” and „Userinit” values contain file names separated with commas which are executed when the current user logs in. Normally these values do not exist under HKCU at all.

  12. HKLM\Software\Microsoft\Active Setup\Installed Components\
      HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\
      All subkeys are evaluated for execution when any user logs in. The „StubPath” value under each subkey is the command being run. It runs once per user: after it has run, Windows records the subkey under HKCU\Software\Microsoft\Active Setup\Installed Components and does not run it again for that user unless the HKLM entry's version is raised.

  13. HKCU\Control Panel\Desktop
      The „SCRNSAVE.EXE” value is executed when the screen saver starts for the current user.

  14. HKLM\System\CurrentControlSet\Control\Session Manager\
      The „BootExecute” value (REG_MULTI_SZ) is executed by the Session Manager (smss.exe) at boot time, before any service starts. The stock value is autocheck autochk *.

  15. HKLM\System\CurrentControlSet\Control\WOW\cmdline
      The value is the command used to start the NTVDM when a 16-bit DOS application is run, for all users.

  16. HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
      The value is the command used to start the NTVDM when a 16-bit Windows (Win16) application is run, for all users. 64-bit Windows has no NTVDM, so 15 and 16 apply to 32-bit systems only.

  17. HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
      HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
      Each value contains the GUID (CLSID) of a COM object which is loaded after Explorer has finished starting.

  18. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
      The „run” and „load” values (the registry equivalents of the old win.ini entries) are executed when the current user logs in.

  19. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
      HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
      The AppInit_DLLs value contains DLL file names separated with spaces or commas which are loaded into every process that loads user32.dll, i.e. nearly every process with a window. On Windows Vista and later the list is honoured only when the LoadAppInit_DLLs value in the same key is 1, and on Windows 8 and later it is disabled entirely when Secure Boot is on.

      IMPORTANT: Very dangerous entry used by many malware programs.

  20. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
      Same as 5. Normally the values here are named with numbers starting from „1”.

  21. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
      Same as 1. Normally the values here are named with numbers starting from „1”.

Some information in the above table has been taken from this forum: Registry AutoStart Locations
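The script below is an added example, not part of the original post: it walks the locations from the list above from a PowerShell prompt and prints every entry it finds, flagging the few values that have a well-known stock setting (Userinit, Shell, BootExecute) when they differ from it. It assumes an elevated PowerShell 3.0 or later session on the machine being examined; the stock values are the standard Windows ones and are an assumption of the example, not something the post states. The RunServices keys (3 and 4) are left out because NT-based Windows does not process them.

```powershell
# Added example, not from the original post: enumerate the autorun locations listed
# above and flag values that differ from their stock setting. Assumes an elevated
# PowerShell 3.0+ session; the "Stock" values are the standard Windows defaults
# (an assumption of this example, not taken from the post).
$ErrorActionPreference = 'SilentlyContinue'
if (-not (Get-PSDrive -Name HKU)) {
    # HKU: is not a default PowerShell drive, so map it for the .DEFAULT hive.
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Keys where every value is a program to run (for ShellServiceObjectDelayLoad, a CLSID to load).
$wholeKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Single named values. Stock = expected clean value; $null = no fixed default to compare against.
$namedValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit';         Stock = "$env:SystemRoot\system32\userinit.exe," }
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';            Stock = 'explorer.exe' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';            Stock = $null }
    @{ Key = 'HKLM:\System\CurrentControlSet\Control\Session Manager';      Name = 'BootExecute';      Stock = 'autocheck autochk *' }
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'AppInit_DLLs';     Stock = '' }
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'LoadAppInit_DLLs'; Stock = $null }
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'run';              Stock = '' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'load';             Stock = '' }
    @{ Key = 'HKCU:\Control Panel\Desktop';                                   Name = 'SCRNSAVE.EXE';     Stock = $null }
    @{ Key = 'HKLM:\System\CurrentControlSet\Control\WOW';                    Name = 'cmdline';          Stock = $null }
    @{ Key = 'HKLM:\System\CurrentControlSet\Control\WOW';                    Name = 'wowcmdline';       Stock = $null }
)

$activeSetupRoots = @(
    'HKLM:\Software\Microsoft\Active Setup\Installed Components'
    'HKLM:\Software\Wow6432Node\Microsoft\Active Setup\Installed Components'
)

function Get-AutorunEntry {
    foreach ($path in $wholeKeys) {
        $key = Get-Item -Path $path          # $null when the key does not exist (e.g. Wow6432Node on 32-bit)
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Location = $path; Value = $name; Data = ($key.GetValue($name) -join ' '); Note = '' }
        }
    }
    foreach ($v in $namedValues) {
        $key = Get-Item -Path $v.Key
        if ($null -eq $key) { continue }
        $data = $key.GetValue($v.Name)
        if ($null -eq $data) { continue }
        $data = $data -join ' '              # BootExecute is REG_MULTI_SZ; flatten it for display
        $note = ''
        if ($null -ne $v.Stock -and $data -ne $v.Stock) { $note = "differs from stock value '$($v.Stock)'" }
        [pscustomobject]@{ Location = $v.Key; Value = $v.Name; Data = $data; Note = $note }
    }
    # Active Setup: the StubPath of each component subkey runs once per user at logon.
    foreach ($root in $activeSetupRoots) {
        foreach ($sub in (Get-ChildItem -Path $root)) {
            $stub = $sub.GetValue('StubPath')
            if ($stub) { [pscustomobject]@{ Location = $sub.Name; Value = 'StubPath'; Data = $stub; Note = '' } }
        }
    }
}

Get-AutorunEntry | Where-Object { $_.Data -ne '' } | Format-Table -AutoSize -Wrap
```

Entries with an empty Data field are dropped so that the unset AppInit_DLLs, run and load values do not clutter the output; a non-empty AppInit_DLLs or a Userinit/Shell line carrying a "differs from stock value" note is the first thing to look at. Values under Run, RunOnce and Policies\Explorer\Run have no fixed default, so they are listed without a note and must be judged by the program they point to.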

Decommissioning first Exchange 2003 server together with first AG

MS Exchange | Posted by p_lider March 24th, 2013

Recently I had to decommission the first Exchange 2003 server in our company. Our Exchange organization had 2 Exchange 2003 SP2 servers and 2 Administrative Groups (each server in a separate AG). When searching the internet for help in doing that I found the following article – http://support.microsoft.com/kb/822931.

This article describes almost everything you should do, except the following:

  1. What to do with “schema-root”, “OWAScratch{GUID}” and “StoreEvents{GUID}” system folders.
  2. How to delete the first AG when removing the last server from it.

 

Ad. 1. It is best to rehome the mentioned system folders to the other server, as you did with the OAB and other folders, so their content is removed from the server being decommissioned but stays on the other one. This is the best way to get rid of them from the "Public Folder Store" of the retiring server.

This is in contrast to simply deleting the folders – I noticed that deleting these folders can lead to strange behavior: their structure is regenerated by Exchange after decommissioning the first server, however they do not have a replica, so they cannot be used. This does not prevent the public folders from working fine, however it causes errors when looking at them using "Exchange System Manager". I do not know if this can lead to other, serious problems, but seeing errors in ESM is not a good sign I think.

When there are no mailboxes and public folder instances left on the decommissioned server and the other steps mentioned in Microsoft's article are already done, you can remove the "Public Folder Store" and "Mailbox Store" from it.

 

Ad. 2. If you want to remove the whole Administrative Group, which will be empty after decommissioning the server, then before uninstalling Microsoft Exchange from the server follow these steps:

  1. Move the “Public Folders” tree to the other AG if it exists in the current AG being removed.
  2. Remove all the connectors from the routing groups stored within this AG and all connectors from other routing groups in other AGs which were connected to the routing groups in the AG being removed.
  3. Uninstall the Microsoft Exchange from the server being decommissioned in this group.
  4. Remove all routing groups from the AG.
  5. Remove all containers from the AG.
  6. Remove the AG.

Steps 1, 2, 4, 5 and 6 are best performed using ESM on another Exchange server (any one which is not being decommissioned).

PHP and IIS7 using FastCGI – HTTP 500 error

IIS | Posted by p_lider December 18th, 2012

When you install PHP into IIS7 and try to execute a phpinfo() script you can get an HTTP 500 Internal Server Error message. The most probable cause of this is that the php-cgi.exe program is writing some text to stderr. By default IIS7 returns an HTTP 500 error when it detects such behavior, even when the CGI only wrote a warning message to stderr. To avoid this problem you have to change the default error handling for FastCGI in IIS7.

To do this follow these steps:

  1. Start IIS Manager
  2. Click on <server name> and then in the right pane go to “FastCGI Settings”.
  3. Right click on php-cgi.exe file and choose “Edit…”.
  4. Set the “Standard error mode” option to “IgnoreAndReturn200” value.
  5. Click OK and close IIS Manager.

After performing the mentioned steps you should no longer see HTTP 500 error messages in the browser.
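The same change can be made from the command line with appcmd. The block below is an added example, not part of the original post; it assumes php-cgi.exe is registered as a FastCGI application at C:\php\php-cgi.exe (adjust the path to your installation) and is run from an elevated PowerShell prompt on the IIS server.

```powershell
# Added example, not from the original post: set stderrMode with appcmd instead of
# the IIS Manager UI, and check the result. Assumes PHP lives in C:\php (assumption).
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$phpCgi = 'C:\php\php-cgi.exe'

# Before: with the default stderrMode (ReturnStdErrIn500) any stderr output becomes an HTTP 500.
& $appcmd list config -section:system.webServer/fastCgi

# Apply the fix described in the post. The [fullPath='...'] selector picks the php-cgi.exe
# <application> element; /commit:apphost writes the change to applicationHost.config.
& $appcmd set config -section:system.webServer/fastCgi `
    "/[fullPath='$phpCgi'].stderrMode:IgnoreAndReturn200" /commit:apphost

# After: confirm the attribute is now set on that element.
& $appcmd list config -section:system.webServer/fastCgi | Select-String -Pattern 'stderrMode'
```

One caveat worth knowing: IgnoreAndReturn200 also hides genuine failures, because a script that dies after writing to stderr is still answered with 200. The other stderrMode values are ReturnGeneric500 (fail the request but do not send the stderr text to the client) and TerminateProcess. If the only problem is a PHP warning, it is cleaner to keep the default mode and instead set log_errors = On and point error_log at a file in php.ini, so the warning is logged rather than written to stderr.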

Restoring URL autocomplete feature in IE.

Internet Explorer | Posted by p_lider December 29th, 2010

I recently faced a strange problem with the IE8 browser. The URL autocomplete feature suddenly stopped working. I searched the internet deeply to find a fix for this problem, with completely no luck. Analyzing how the IE8 browser works I found that it looks for a COM object with class ID {80A3E9B0-A246-11D3-BB8C-0090272FA362} when trying to autocomplete URLs. I then googled for the library which contains the object with the mentioned class ID and found that it is "langwrbk.dll". Having that in mind, fixing the problem was as easy as executing one command:

regsvr32 langwrbk.dll

This worked in the IE8 browser, however I am almost sure it will work in other versions of IE as well.

HYPER-V and wrong time measurement in virtual servers

HYPER-V, Windows Server 2003, Windows Server 2008 and 2008 R2, Windows XP | Posted by p_lider December 3rd, 2010

If you have a virtual server which has more than 1 virtual processor and is hosted on Hyper-V, then you can face problems with time measurement. As a result you can see that logging in to such a server takes quite a long time, and you can see strange errors in Event Viewer saying something like "Windows cannot obtain the domain controller name for your computer network" etc.

The solution to such problems is quite easy – you only have to add the /usepmtimer switch to your server's boot.ini file and restart the virtual server. This makes Windows use the ACPI power management timer instead of the per-processor TSC for timekeeping, which fixes the mentioned problems. Note that boot.ini exists only on Windows XP and Windows Server 2003 guests; on Windows Vista / Server 2008 and later guests the boot configuration is in the BCD store and the equivalent setting is bcdedit /set useplatformclock true.

Mapping orphaned database users to SQL Server 2005 logins

SQL Server | Posted by p_lider October 4th, 2010

If you have many users defined in your MS SQL Server 2005 database and you back up the database and then restore it on a new, clean SQL Server instance, the database users will not be mapped to logins in the new instance. This is because of the different SIDs between the source and destination SQL Server instances: a database user is tied to its login by SID, not by name, so even creating logins named exactly the same as the users in the restored database will not help.

Fortunately, I found a solution. The SQL script below will map orphaned users in a database to logins in the SQL Server instance even when their SIDs do not match (the user's SID in the database is rewritten to the login's SID). Run it in the context of the restored database; the 'Report' call lists the orphaned users first, so you know which names to map:

EXEC sp_change_users_login @Action = 'Report';
GO
-- Map one orphaned database user to an existing login in this instance
EXEC sp_change_users_login @Action = 'update_one',
     @UserNamePattern = '<database user name>',
     @LoginName = '<sql server instance login name>';
GO

Note that sp_change_users_login is marked as deprecated by Microsoft; from SQL Server 2005 SP2 onwards the supported equivalent is ALTER USER <database user name> WITH LOGIN = <login name>, which does the same SID rewrite.

Double clicking the disks icons opens search window instead of their contents

Windows Explorer, Windows Server 2003, Windows XP | Posted by p_lider September 6th, 2010

If the default action for disk drives in the "My Computer" window is "Search" instead of "Open" and you cannot change this behavior using the "File Types" tab in "Folder Options", then you must set the (Default) value of the HKCR\Drive\Shell registry key to none and restart the explorer.exe process.

The mentioned problem sometimes arises after a malware installation – the disinfection does not always repair it automatically.

“Object Required” error while changing passwords using OWA

IIS, MS Exchange, Windows Server 2003 | Posted by p_lider September 6th, 2010

After deploying an MS Exchange 2003 server in your organization and configuring OWA to let users change their domain passwords you can face a strange issue. When users try to change their passwords, after clicking the "OK" button they see an error message saying "Object Required" and their passwords are not changed. This enigmatic error message means that MS Exchange cannot find a properly registered COM object in the registry. To solve the problem you must manually register the "iispwchg.dll" library on the MS Exchange server. The full command to do this is:

regsvr32 %windir%\system32\inetsrv\iisadmpwd\iispwchg.dll

The reason why MS Exchange does not register the mentioned library by itself during installation is unknown to me. However, I have noticed that the MS Exchange installers are written in such a way that administrators can demonstrate their knowledge and skills <ironic> before the MS Exchange product starts fully working.

OmniPass software and Windows 7

Software, Windows 7 | Posted by p_lider September 6th, 2010

If you want to install the version of the OmniPass software which was designed for Windows Vista on Windows 7, think twice before making this mistake. Doing so can result in very long delays during logon for the profile of the user who installed the software. It can even cause some of your user profiles to be unable to log in at all, constantly showing the "Welcome" message on the screen.

So do not install the OmniPass software (the version which was designed for Vista) on Windows 7 if you want your system to remain usable.

Improve page rendering in IE8

Internet Explorer | Posted by p_lider August 23rd, 2010

While searching the Internet for a solution to one problem I had, I accidentally found something that can be useful for everyone who uses IE8 as their primary browser. Manually registering one DLL library can improve IE8 rendering performance. The reason for that is unknown, because the DLL library had already been registered during installation of the browser (without it IE8 cannot run). The magic command to execute is:

regsvr32 %windir%\system32\actxprxy.dll

After executing it, log off and then log on again – from now on the IE8 performance will be visibly higher.