Archive for the ‘Windows XP’ Category

Windows registry autorun locations

Operating Systems, Windows 7, Windows 8, Windows Explorer, Windows Server 2003, Windows Server 2008 and 2008 R2, Windows XP | Posted by p_lider November 17th, 2013

Many times people ask me to check their computers for malware or for the reason they are working slowly. The first thing I do is check all programs that automatically start with Windows. Normally I remember 4 or 5 locations in the registry where to look for such programs and almost every time I must search the internet for the other ones. That made me write this post, which will allow me to always have the full (or almost full) list of registry locations used for auto startup in one place.

The table below lists all of the registry locations I know of that programs use to start automatically with Windows:

No. / Registry location / Description
(Keys containing Wow6432Node are present in 64-bit OS only.)

1.  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
    All values under this key are executed when any user logs in.

2.  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\
    All values under this key are executed when any user logs in. After execution the values are deleted.

3.  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\
    All values under this key are executed as services when any user logs in.

4.  HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\
    All values under this key are executed as services when any user logs in. After execution the values are deleted.

5.  HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    All values under this key are executed when the current user logs in.

6.  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    All values under this key are executed when the current user logs in. After execution the values are deleted.

7.  HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
    Used only by setup. A progress bar is displayed.

8.  HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\
    Same as 5, but applies to the LOCAL SYSTEM user only.

9.  HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\
    Same as 6, but applies to the LOCAL SYSTEM user only.

10. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    The “Shell” and “Userinit” values contain file names separated with commas, which are executed when any user logs in.

11. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    The “Shell” and “Userinit” values contain file names separated with commas, which are executed when the current user logs in.

12. HKLM\Software\Microsoft\Active Setup\Installed Components\
    HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\
    All subkeys are evaluated for execution when any user logs in. The “StubPath” value under each subkey describes the program being run.

13. HKCU\Control Panel\Desktop
    The “SCRNSAVE.EXE” value is executed when the screen saver is displayed for the current user.

14. HKLM\System\CurrentControlSet\Control\Session Manager\
    The “BootExecute” value is executed at boot time.

15. HKLM\System\Control\WOW\cmdline
    The value is executed when a 16-bit application is run, for all users.

16. HKLM\System\Control\WOW\wowcmdline
    The value is executed when a 16-bit DOS application is run, for all users.

17. HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    The values contain GUIDs of COM libraries which are run after Explorer has finished loading.

18. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
    The “run” and “load” values are executed when the current user logs in.

19. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    The “AppInit_DLLs” value contains DLL file names separated with commas, which are loaded into every process run in the system.
    IMPORTANT: Very dangerous entry used by many malware programs.

20. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
    Same as 5. Normally the values here are named with numbers starting from “1”.

21. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
    Same as 1. Normally the values here are named with numbers starting from “1”.

Some information in the above table has been taken from this forum: Registry AutoStart Locations
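The following audit script is an added example, not part of the original post: it reads the Run/RunOnce, Policies\Explorer\Run, Winlogon and AppInit_DLLs locations from the table above and lists what is registered there for review. It assumes PowerShell 2.0 or newer and an elevated prompt; the "expected" Winlogon defaults it prints are an assumption for comparison, not taken from the post.

```powershell
# Added audit helper (not from the original table): enumerates the most commonly
# abused locations listed above so the entries can be reviewed by hand.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
# Properties the registry provider adds to every object; not real values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        # A missing key is normal (no Wow6432Node on 32-bit Windows), so skip it quietly.
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

Get-AutorunEntries -Keys $runKeys | Format-Table Key, Name, Command -AutoSize -Wrap

# Row 10: Shell and Userinit. The "expected" values are the usual defaults,
# stated here as an assumption for comparison.
$wl = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Winlogon Shell    = '$($wl.Shell)'    (expected: explorer.exe)"
"Winlogon Userinit = '$($wl.Userinit)' (expected: <systemroot>\system32\userinit.exe,)"

# Row 19: anything in AppInit_DLLs is loaded into every process, so a
# non-empty value deserves a closer look.
foreach ($k in 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $dlls = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($dlls) { Write-Warning "AppInit_DLLs is set under ${k}: $dlls" }
}
```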

How to prevent reinstalling Windows after changing motherboard, disk controller or processor.

Windows Server 2003, Windows XP | Posted by p_lider October 28th, 2011

In most cases, when we replace the motherboard in a computer, with or without a new processor, the previously installed system will not boot; we will probably end up with a BSOD. After that most people go and reinstall the operating system because they think there is no other way to resurrect the old one. Well, this is not true. Here I want to describe the steps (without getting into the very details) you must take to resurrect the previously installed system.

But first let's think about why the old OS cannot boot successfully on the new hardware. The problem lies in two places (or at least in one of them). The first is the controller of the system disk: if the controller on the new motherboard comes from another vendor or is simply incompatible with the old controller (for example the old one was Intel IDE and the new one is VIA IDE), then the OS does not have the right device driver for it and as a result it cannot access the hard drive during boot, resulting in a BSOD. The second lies in the processor architecture (but only if the new processor is from another vendor, for example the old one was from Intel and the new one comes from AMD).

To cope with the problem of the device driver for the disk controller you have to have a Live CD or bootable USB flash drive (with BartPE, VistaPE, etc.) from which you can access the system partition and the registry of the installed system. You will then have to manually place the right driver for the new disk controller in the “%systemroot%\system32\drivers” folder and manually add or edit the registry to make the driver load with the system (drivers are represented as services in the following registry key: HKLM\System\CurrentControlSet\Services).

Once the driver for the hard disk controller is in place, you need to ensure that the IntelPPM service is disabled (in the registry its Start value must be set to 4). Without disabling it, when the new processor does not come from Intel, you will end up with a BSOD as well.
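As an added example (not from the original post), the IntelPPM step done offline in PowerShell: it loads the old installation's SYSTEM hive, resolves which control set it boots with, and sets the service's Start value to 4. It assumes a boot environment that has PowerShell (BartPE does not; a newer WinPE does) and that the old Windows directory is visible as D:\Windows; both names are placeholders to adjust.

```powershell
# Added example (not from the original post): disable IntelPPM in an offline SYSTEM hive.
$OfflineWindows = 'D:\Windows'      # assumed mount point of the old installation
$MountName      = 'HKLM\OfflineSys' # temporary name under which the hive is loaded

function Disable-OfflineIntelPPM {
    param([string]$WindowsDir, [string]$Mount)
    $hive = Join-Path $WindowsDir 'System32\config\SYSTEM'
    if (-not (Test-Path $hive)) { throw "SYSTEM hive not found: $hive" }
    reg.exe load $Mount $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $hive" }
    try {
        # An offline hive has no CurrentControlSet link; Select\Current says
        # which ControlSet00N the installation will boot with.
        $mountPs = $Mount -replace '^HKLM\\', 'HKLM:\'
        $current = (Get-ItemProperty -Path "$mountPs\Select").Current
        $svc = '{0}\ControlSet{1:D3}\Services\IntelPPM' -f $mountPs, $current
        if (-not (Test-Path $svc)) { return 'IntelPPM service not present, nothing to do' }
        $before = (Get-ItemProperty -Path $svc).Start
        Set-ItemProperty -Path $svc -Name Start -Value 4 -Type DWord   # 4 = disabled
        return "IntelPPM Start changed from $before to 4 in ControlSet$('{0:D3}' -f $current)"
    }
    finally {
        # Release the provider's handles so the hive can be unloaded.
        [gc]::Collect()
        Start-Sleep -Seconds 1
        reg.exe unload $Mount | Out-Null
    }
}

Disable-OfflineIntelPPM -WindowsDir $OfflineWindows -Mount $MountName
```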

This is not a detailed explanation of what exactly to do, but it shows the way to go if you don’t want to reinstall the whole operating system after changing hardware like the motherboard, disk controller or processor.

Restoring SelfImage’s partition image to a larger partition

Windows 7, Windows Server 2003, Windows Server 2008 and 2008 R2, Windows XP | Posted by p_lider December 19th, 2010

Sometimes you must restore partition images made by programs like SelfImage to larger partitions, for example after buying a new, larger hard drive and setting the partition sizes to larger values than they were on the original drive.

The problem with such an operation is that after restoring, for example, a 20GB partition image to a partition of 40GB, you will see that the file system reports only 20GB of total partition space. This is caused by the old partition size information stored inside the file system’s internal structures, which was written when the partition was formatted on the original drive. Fortunately, the DISKPART utility built into Windows XP and newer systems can fix that problem. To do that, follow these steps after you restore the image to the new, larger partition:

  1. Launch the diskpart command line utility.
  2. Execute “select volume <number>” command, where “<number>” is a number of the volume containing the restored partition image (the list of all volumes and their numbers can be retrieved by executing “list volume” command).
  3. Execute “extend filesystem” command.
  4. And that is all: now exit the diskpart utility by executing the “exit” command and the system will correctly see the real partition size.

Thanks to this tip you can use programs like SelfImage not only for making backups but also for moving entire partitions (including system partitions) to other hard drives, even when their sizes do not match.

HYPER-V and wrong time measurement in virtual servers

HYPER-V, Windows Server 2003, Windows Server 2008 and 2008 R2, Windows XP | Posted by p_lider December 3rd, 2010

If you have a virtual server which has more than 1 virtual processor and is hosted by HYPER-V technology, then you can face problems with time measurement. As a result you can see that logging in to such a server can take quite a long time, and you can see strange errors in Event Viewer saying something like “Windows cannot obtain the domain controller name for your computer network”, etc.

The solution to such problems is quite easy: you only have to add the /usepmtimer switch to your server’s boot.ini file and restart the virtual server. This makes the system use a different approach to time measurement and fixes the problems mentioned.

VPN connection and internal DNS names

Windows 7, Windows Server 2003, Windows Server 2008 and 2008 R2, Windows XP | Posted by p_lider December 3rd, 2010

Sometimes after you connect to your VPN network by means of any VPN client (CiscoVPN, OpenVPN, etc.) you are not able to access network resources using their names, but you can access them using IP addresses. This is caused by the DnsCache service, which sometimes caches wrong IP addresses for your internal network names.

Clearing the DNS cache will not always fix this irritating behavior. The best way to cope with this problem is to stop the DnsCache service: after doing that, every time you try to access any network resource by its name, the DNS query is passed directly to your DNS servers, bypassing your local cache.

EDIT:

After some time I noticed one more problem with DNS, especially when using VPNs established using RRAS. Simply put, the names were not being resolved by the DNS servers provided by RRAS, but the system was trying to resolve them using DNS servers outside the VPN. This prevented accessing VPN network resources by name. The problem can be fixed by following these steps:

  1. Go to Network Connections in Control Panel.
  2. Go to Menu: Advanced -> Advanced Settings -> Adapters & Bindings
  3. Move DialUp connections to the top of the list.
  4. Save the changes by clicking the OK button.
  5. In Windows XP & 2k also follow the instructions described under the following link: http://support.microsoft.com/default.aspx?scid=kb;en-us;311218
  6. Reboot your computer.

After performing the above operations you should not have any DNS issues when using VPNs on your computer.

Double clicking the disks icons opens search window instead of their contents

Windows Explorer, Windows Server 2003, Windows XP | Posted by p_lider September 6th, 2010

If the default action for disk drives in the “My Computer” window is “Search” instead of “Open”, and you cannot change this behavior using the “File Types” tab in “Folder Options”, then you must set the default value of the HKCR\Drive\Shell registry key to none and restart the explorer.exe process.

The mentioned problem sometimes arises after a malware installation; disinfection does not always repair it automatically.

Completely disabling the autorun feature in Windows XP/2003

Windows Server 2003, Windows XP | Posted by p_lider August 27th, 2010

Nowadays many viruses and malware spread using portable media like pendrives, players or DVDs. This is possible thanks to the autorun feature which is in every Windows operating system (95 or newer). You can find a lot of guides on the internet telling how to disable autorun in Windows. However, I noticed that in most cases the guides are not accurate: they do disable autorun, yet they don’t prevent the autorun.inf file from being parsed by the system. As a result, the system will not execute commands from the autorun.inf file by itself, but if you double click the removable disk icon, the system will execute the default command from the autorun.inf file and thus install the malware.

Fortunately, I found a way to prevent the system from reading the autorun.inf file at all resulting in completely disabled autorun feature. It is done by creating a new key in the registry. The key that must be created is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf

with its default value set to: SYS:DoesNotExist

After creating the mentioned key and restarting the shell (by killing the explorer.exe process, logging out or rebooting), the autorun feature in the whole system will be completely disabled, allowing everyone to plug in any portable device without worrying about malware anymore.
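An added example, not from the original post, that applies the IniFileMapping key described above from an elevated PowerShell prompt and checks that it is in place; the function names are this example's own.

```powershell
# Added example (not part of the original post): create the Autorun.inf mapping
# and verify it. Run from an elevated prompt.
$MappingKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$MappingValue = 'SYS:DoesNotExist'

function Test-AutorunInfMapping {
    # Returns $true when Autorun.inf is already redirected to a non-existent registry key.
    if (-not (Test-Path $MappingKey)) { return $false }
    $default = (Get-ItemProperty -Path $MappingKey).'(default)'
    return ($default -eq $MappingValue)
}

function Set-AutorunInfMapping {
    if (-not (Test-Path $MappingKey)) {
        # New-Item with -Value creates the key and sets its default value in one step.
        New-Item -Path $MappingKey -Value $MappingValue -Force | Out-Null
    } else {
        Set-ItemProperty -Path $MappingKey -Name '(default)' -Value $MappingValue
    }
    # Restart the shell so Explorer picks up the new mapping (a logoff or reboot works too).
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Process explorer.exe
}

if (Test-AutorunInfMapping) { 'Autorun.inf mapping already in place' }
else { Set-AutorunInfMapping; "Mapping applied: $(Test-AutorunInfMapping)" }
```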

Sharing folders in XP by anyone

Windows Server 2003, Windows XP | Posted by p_lider August 23rd, 2010

By default, only members of the “Power Users” or “Administrators” groups can share folders or printers. Sometimes this is not enough: sometimes we want to allow specific users to share some folders, but nothing more. Unfortunately there is no graphical tool in Windows XP, or in any other version of Windows, that lets us do that.

However, there is a great tool called “TweakUI” (created by Microsoft), which can change specific access lists in the registry, so we can give anyone we want the right to share folders or printers. To make this happen you must do the following steps:

  1. Download and install TweakUI (you can get it from here: http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx)
  2. Launch it and go to “Access Control” tab.
  3. Now give the users or groups you want to be able to share folders the same rights as are set for “Power Users” in the following categories:
    • Manage file/print server connections
    • Manage file shares
    • Manage print shares
  4. Apply the changes and reboot the system.

From now on, the users or groups specified in step 3 will have the right to share folders. It is wise to create a group called, for example, “Share Creators”, give it the rights mentioned earlier and put all the users we want to be able to share folders into that group.

“HP Compaq dc7600 CM” computers and Windows XP installation

Hardware, Windows XP | Posted by p_lider August 23rd, 2010

While installing the Windows XP operating system on some of the “HP Compaq dc7600 CM” computers I came across a strange problem: the Windows XP CD did not boot. The solution to this strange behavior was to disable “Hard Disk Emulation” in the BIOS for the first (text) phase of the Windows XP installation. After the text phase, “Hard Disk Emulation” had to be re-enabled, because without it the system couldn’t boot from the hard drive.

This was strange and I don’t know what could be causing it. However, the mentioned trick does the job :)