Many users, after working with the operating system for a long time and installing and uninstalling various applications, end up with questions about application autostart. Applications you do not need may load along with the operating system, or, conversely, an application that should start automatically does not appear in the notification area after the system boots, and system performance and startup time may deteriorate significantly. To avoid these problems, I propose to look at the processes that run when the operating system boots and at how installed applications are started automatically.
Bezmaly V. F.
MVP Consumer Security
Today it is difficult to find an organization that has not been subjected to virus attacks. And although antivirus software is already installed almost everywhere, it is sometimes necessary to check manually where in the registry a given program starts from, and the program is not necessarily malicious. When searching for resident malware, the following questions inevitably come up:
- How is autostart performed?
- Where can I find the list of automatically started programs?
- How do I disable the corresponding autostart list?
This article is devoted to these questions.
There are many ways to autostart a program. Below are a few of them. I hope this will help you find and remove malware from startup.
For the current user:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "7-Zip"="C:\\Program Files\\7-Zip\\7zFM.exe"

For all users:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "7-Zip"="C:\\Program Files\\7-Zip\\7zFM.exe"

Instead of Run you can also use RunOnce: the program is then run only once, after which the entry is deleted from the RunOnce subkey.

For the current user:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "7-Zip"="C:\\Program Files\\7-Zip\\7zFM.exe"

For all users:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "7-Zip"="C:\\Program Files\\7-Zip\\7zFM.exe"
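As an added example (not code from the original article), the following Python script parses the text of a .reg export in the format shown above and lists every entry it finds under the registry autostart locations this page names, so an export taken from a suspect machine can be reviewed offline. It goes beyond Run and RunOnce to cover Winlogon\Notify, ShellServiceObjectDelayLoad, Browser Helper Objects and services with an unattended start type. The sample export, the names in it, the Policies\Explorer\Run key and the user-writable-path heuristic are assumptions made for the example.

```python
import re

# Autostart keys named on this page, relative to the hive root, lower-cased.
VALUE_KEYS = {  # each value is one entry (a command line, or a CLSID for SSODL)
    r"software\microsoft\windows\currentversion\run": "Run",
    r"software\microsoft\windows\currentversion\runonce": "RunOnce",
    r"software\microsoft\windows\currentversion\shellserviceobjectdelayload": "SSODL",
    # Not on the page: the key that stores the Group Policy logon program list.
    r"software\microsoft\windows\currentversion\policies\explorer\run": "Policy Run",
}
SUBKEY_KEYS = {  # each direct subkey is one registration
    r"software\microsoft\windows nt\currentversion\winlogon\notify": "Winlogon Notify",
    r"software\microsoft\windows\currentversion\explorer\browser helper objects": "BHO",
    r"system\currentcontrolset\services": "Service",
}
START_TYPES = {0: "boot", 1: "system", 2: "automatic"}  # Start values that load unattended
# Heuristic chosen for this example: launch paths a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "%temp%", "%appdata%")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample export. regedit itself writes UTF-16, so read a real file
# with open(path, encoding="utf-16").read() before passing it to parse_reg().
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7-Zip"="C:\\Program Files\\7-Zip\\7zFM.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"updater"="\"C:\\Users\\alice\\AppData\\Roaming\\upd.exe\" /silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Helper"="C:\\Program Files (x86)\\Helper\\helper.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,73,00,2e,00,\
  65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ManualSvc]
"Start"=dword:00000003
"ImagePath"="C:\\Windows\\System32\\manual.exe"
'''


def _decode(raw):
    """Convert the right-hand side of a .reg line to str or int."""
    if raw.startswith('"'):                      # REG_SZ with \\ and \" escapes
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):                 # REG_DWORD, hexadecimal
        return int(raw[6:], 16)
    m = re.match(r"hex\((?:1|2)\):(.*)", raw)    # REG_SZ / REG_EXPAND_SZ as UTF-16LE bytes
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le", "replace").rstrip("\x00")
    return raw                                   # other types are kept as text


def parse_reg(text):
    """Return {key_path: {value_name: data}} from the text of a .reg export."""
    text = re.sub(r"\\\r?\n\s*", "", text)       # join wrapped hex data lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # "[-KEY]" marks a deletion in a .reg file, not an entry.
            current = None if line.startswith("[-") else keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None and m.group(2) != "-":
            name = "(Default)" if m.group(1) == "@" else _decode(m.group(1))
            current[name] = _decode(m.group(2))
    return keys


def autostart_entries(keys):
    """Return (location, key, entry, data, user_writable) for each autostart entry."""
    found = []
    for full_key, values in keys.items():
        # Fold the 32-bit registry view onto the same relative path.
        path = re.sub(r"(?i)wow6432node\\", "", full_key.partition("\\")[2])
        low = path.lower()
        by_name = {k.lower(): v for k, v in values.items()}
        rows = []
        if low in VALUE_KEYS:
            rows = [(VALUE_KEYS[low], n, str(d)) for n, d in values.items()]
        for prefix, label in SUBKEY_KEYS.items():
            child = path[len(prefix) + 1:]
            if not low.startswith(prefix + "\\") or "\\" in child:
                continue
            if label == "Service":               # only boot/system/automatic services
                start = by_name.get("start")
                if start in START_TYPES:
                    rows.append((f"Service ({START_TYPES[start]})", child,
                                 str(by_name.get("imagepath", ""))))
            elif label == "Winlogon Notify":
                rows.append((label, child, str(by_name.get("dllname", ""))))
            else:                                # BHO: the subkey name is a CLSID
                rows.append((label, child, child))
        for location, entry, data in rows:
            writable = any(p in data.lower() for p in USER_WRITABLE)
            found.append((location, full_key, entry, data, writable))
    return found


if __name__ == "__main__":
    for location, key, entry, data, writable in autostart_entries(parse_reg(SAMPLE)):
        print(f"{'REVIEW' if writable else 'ok':6} {location:20} {entry:12} {data}")
```

Exports that use ControlSet001 instead of CurrentControlSet, or per-user hives under HKEY_USERS\<SID>, are not matched by this example as written.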
If you need to do this from CMD/BAT, you do not even have to go online for help, because reg add prints its own help right at the command line:

    reg add /?

    REG ADD[/v | /ve] [/t ] [/s ] [/d ] [/f] [/reg:32 | /reg:64]

      partition_name [\\\]
        Computer - The name of the remote computer. If it is omitted, then
                   The default is the local computer. On the remote only HKLM
                   and HKU root partitions are accessible to the computer.
        Section - ROOT\
        ROOT - [ HKLM | HKCU | HKCR | HKU | HKCC]
        Subkey is the fully qualified name of the registry subkey under
                   the specified root key.

      /v       The name of the option to add to the selected section.
      /ve      Adds a parameter with an empty name (default) to this section.
      /t       Data type
               [REG_SZ| REG_MULTI_SZ | REG_EXPAND_SZ | REG_DWORD | REG_QWORD | REG_BINARY | REG_NONE ]
               If not specified, REG_SZ is used by default.
      /s       Character used as data separator for parameters REG_MULTI_SZ type.
               If not specified, then as a delimiter "\0" is used.
      /d       The value to assign to the added registry value.
      /f       Forces an existing registry entry to be overwritten without
               confirmation request.
      /reg:32  Specifies that the registry key should be accessed using
               views for 32-bit applications.
      /reg:64  Specifies that the registry key should be accessed using
               views for 64-bit applications.

    Examples:

      REG ADD \\ABC\HKLM\Software\MyCo
        Adds the HKLM\Software\MyCo key on the remote machine ABC

      REG ADD HKLM\Software\MyCo /v Data /t REG_BINARY /d fe340ead
        Adds a parameter (name: Data, type: REG_BINARY, data: fe340ead)

      REG ADD HKLM\Software\MyCo /v MRU /t REG_MULTI_SZ /d fax\0mail
        Adds a parameter (name: MRU, type: REG_MULTI_SZ, data: fax\0mail\0\0)

      REG ADD HKLM\Software\MyCo /v Path /t REG_EXPAND_SZ /d ^%systemroot^%
        Adds a parameter (name: Path, type: REG_EXPAND_SZ, data: %systemroot%)
        Note. In an expandable string, use a caret ( ^ )
Following the help, substitute your own data, for example:

For the current user, Run:

    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "7-Zip" /t REG_SZ /d "C:\Program Files\7-Zip\7zFM.exe" /F

For all users, Run:

    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "7-Zip" /t REG_SZ /d "C:\Program Files\7-Zip\7zFM.exe" /F

For the current user, RunOnce:

    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "7-Zip" /t REG_SZ /d "C:\Program Files\7-Zip\7zFM.exe" /F

For all users, RunOnce:

    REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "7-Zip" /t REG_SZ /d "C:\Program Files\7-Zip\7zFM.exe" /F

The /f switch suppresses the overwrite prompt if the registry entry already exists, so the data is written to the registry unconditionally.
These are the most basic examples.
Obviously.
HKLM
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU
2. RunOnce\RunOnceEx registry branches
These are also well-known registry branches. The difference from the previous item is that the application is launched only once, so the value has to be added again after each reboot. The location is the same:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce(Ex)
3. "Startup" folder
A very popular folder; the first Trojans liked to settle there. It is just a folder, and the application in it is just a file. It follows that the file can be given the hidden and system attributes, and at first glance it will not be visible in this folder. Nowadays people have forgotten this method and are more wary of the various Run branches.
4. Service installation
Because such an important system component as services is available to any programmer through WinAPI, this gives another way to autorun. A new service is created through the SCManager with the CreateService function. By reading the descriptions of the flags and setting the startup type to automatic, autorun along with Windows is achieved. In addition to the autorun flags, you can set such an interesting flag as SERVICE_WIN32_OWN_PROCESS, which means that this application is actually part of the OS.
Most likely it is not even necessary to use the SCManager. All information about services is stored in HKLM\SYSTEM\CurrentControlSet\Services\. And I have no doubt that if you manually add a couple of keys there, everything will start successfully.
In addition, nothing requires adding a new service: an existing one can be edited by changing the path to the application in it. And so that nobody notices the loss, our application then has to run what it replaced, i.e. the old service.
5. Winlogon\Notify
What a wonderful process winlogon is. In theory, it provides the ability to perform various useful actions when the system starts or stops, but our actions are not all that useful. In this case the application has to be built as a DLL. Then a new subkey is added under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\, and in it the values: Dllname - the path to the DLL, Startup - the name of the exported DLL function to run.
In addition to the Startup event, there are many other events: Shutdown, StartScreenSaver, StartShell, StopScreenSaver, Unlock and others. The presence of StartScreenSaver is especially pleasing, because if the screensaver is on, the user is most likely not at the computer and does not see any arrows on the firewall icon.
This method was used for autorun in large botnets.
6. ShellServiceDelayLoad
Besides winlogon, one more place in the registry can be used. This branch is HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad. There, as in Run, you place a value pointing to the DLL that needs to run. This was used in one of the Trojans, and quite successfully, as can be seen.
7. Shell Extensions
To make it possible to change anything and everything, Microsoft created shell extensions, for example extensions for the context menu of files. By creating such an extension, you can not only add a couple of useful items to the file menu, but also run an arbitrary DLL. For details of how extensions work, see MSDN; they are registered under HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\. Besides this branch there are others:
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
and so on.
8. Browser Helper Objects
An extension especially loved by hackers, because it is loaded directly into the Internet Explorer process, with all that follows from that: unhindered access to the Internet. They are registered here:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
For details of how they work, see MSDN.
10. Protocol handlers
An untested method, but well worth mentioning. To process various protocols, Microsoft invented handlers. They are found here: HKLM\Software\Classes\PROTOCOLS\Handler\
There are whole heaps of autorun opportunities here, from replacing an existing handler to creating your own and installing it anywhere.
11. Winsock2
And again, with good intentions, Microsoft added the ability to manage traffic. Incidentally, the protection in NOD32 is based on this method, namely its imon.dll module. This is located in HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\.
Again, a DLL is needed to get into autorun. Beyond autorun, having studied MSDN and imon.dll more closely, we can control traffic, and control it rather well. The library will be mapped into any process that works with the winsock2 library, including Internet Explorer and others. And who does not work with it? Everyone does.
At the time of this writing, this method had not been seen in any Trojan. Unfortunately, I think that will change after a while.
12. SubSystems
Another untested and very doubtful method, but anything is possible. The point is that Windows itself is a shell for various subsystems. It comes with the Win32 subsystem, Posix (bugaga), and OS\2 (?). And the paths to the subsystems are specified in the same registry. The path to the subsystems is:
There we will find several values responsible for the different subsystems. Of course, nobody runs Posix applications, so the Posix subsystem will not start either. But Win32 fits perfectly. Csrss.exe is responsible for this subsystem, and by replacing the path to this subsystem in the registry with your application, we get autorun even before the subsystem starts. But our application itself is built for Win32 and requires a running subsystem. Perhaps Windows will see that the Win32 subsystem is required for our application and try to start it, but will in fact start us again and again. It will probably go into an endless loop. But if it is written without using Win32, then everything is fine. Maybe.
13. Maniac way
Finally, the most reckless way. Change the handler of the about protocol to your own; at startup the browser usually lands on about:blank, which will inevitably lead to the launch of our application. If the about:blank handler turns out to be not a DLL but just a page, then an exploit that runs what is needed can be placed there.
By searching the registry for the masks *.exe and *.dll, and by going through all the services and technologies of Windows, you can find another ton of autorun options.
Scheduled tasks
Programs can be launched using "Task Scheduler". You can view the list of installed tasks, as well as add a new one: "Start - All Programs - Accessories - System Tools - Task Scheduler" - this will open the Task Scheduler window, which displays scheduled tasks (Fig. 4).
Figure 4 Task Scheduler Window
To add a new task, you need to select the item "Create a simple task" from the "Actions" menu (Fig. 5).
Figure 5 Creating a simple task in Task Scheduler
You can start programs using this wizard once, when you log in to Windows, when you turn on your computer, or according to a schedule.
Ignore startup lists of programs executed once
Configurable via Group Policy: "Computer Configuration - Administrative Templates - System - Logon - Do not process one-time program list"
The policy for the current user is configured as well: "User Configuration - Administrative Templates - System - Logon - Do not process the list of one-time launch programs"
Registry settings:
Autorun control
You can see most of the applications that start automatically with the operating system in the notification area. I described how to customize the notification area in the article “Setting the notification area in Windows 7”, so that topic is not covered in this article. To manage startup applications, users of Windows operating systems usually use the "System Configuration" utility.
System Configuration Utility
System Configuration is a Windows operating system utility designed to manage startup programs and system boot, and to identify problems that may prevent the operating system from starting normally. With this utility, you can change boot options and disable services and startup programs. The utility first appeared in the Windows 98 operating system, providing a convenient interface for these tasks. It is launched from the MSConfig.exe file, which is located in the System32 folder of the partition where the operating system is installed. A major disadvantage of this utility is that it cannot add a new item to autorun. To open the utility, do any of the following:
- Press the “Start” button to open the menu, type msconfig in the search box, and open the application from the results found;
- Use the keyboard shortcut Win+R to open the Run dialog. In the Run dialog box, type msconfig in the "Open" field and press the "OK" button.
The following screenshot shows the “System Configuration” utility:
There are five tabs in the utility:
- General. On this tab, you can choose the startup option: Normal Startup - the operating system is started in the usual way; "Diagnostic start" - the system boots using only basic services and drivers; and "Selective startup" - in addition to the basic services and drivers, selected services and automatically started programs are also loaded with the operating system.
- Boot. On this tab, you can find operating system boot options as well as advanced debugging options such as No GUI - the welcome screen is not displayed during boot, and "OS Information" - the drivers being loaded and similar details are displayed while the operating system boots.
- Services. This tab lists only those services that start automatically with the operating system, along with the current state of each service. Because installed software can add its own services, without a basic knowledge of system services you may have trouble finding services that were not installed with the operating system by default. If you check the box "Do not display Microsoft services", only the services of third-party applications are displayed in the list. To disable a service, just uncheck it.
- Startup. The "Startup" tab is responsible for loading applications, as well as certain helper utilities that are not loaded through services. As you can see in the previous screenshot, this tab is divided into five columns. The columns show the name of the application being started automatically, the publisher of the program, the path the program is loaded from, the location of the program's registry key or shortcut, and the date the program was disabled from startup. To prevent a startup item from starting during the next boot, clear the corresponding checkbox.
- Tools. On this tab, you can find a list of diagnostic tools that allow you to monitor the health of your system. To launch any tool displayed on this tab, select it and click the "Launch" button.
More advanced users may want to not only disable unnecessary startup programs, but also add their own programs to automatically start with the operating system. To do this, you will need to use the system registry.
Autorun management by means of the system registry
In the system registry, you can find the settings for autorun applications for the computer account and the current user account. Applications that run under a computer account are independent of which account the user is logged on to. You can find these settings under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Applications that run with a user account may differ for each account. You can find these settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
To add a new application (the "Registry Editor" program) to autostart of the Windows operating system for all existing users, follow these steps:
- Open the registry editor;
- Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run;
- Create a string parameter. You can specify an arbitrary name, for example, Regedit. In the value of the parameter, specify the full path to the application and, if necessary, parameters for launching, for example, c:\Windows\System32\.regedit32.exe;
- Restart your computer.
But for more experienced users of Windows operating systems, the "System Configuration" utility and two registry keys may not be enough, since they do not show what was loaded with the system besides startup programs and system services. To find out about all the processes that were started along with your system, the Autoruns utility from Sysinternals will help you.
Working with the Autoruns utility
Autoruns by Mark Russinovich and Bryce Cogswell checks the largest number of autorun locations for programs configured to run during boot or login, more than any other autorun monitoring software. Version 8.61 is now available and can be downloaded from the following link. The program is completely free, and one of its advantages is that all programs are displayed in the order in which the operating system processes them. Such programs can be located not only in the Run sections, but also in RunOnce, ShellExecuteHooks, ContextMenuHandlers, and other sections of the system registry. You can use the program under both 32-bit and 64-bit Windows operating systems.
Before the utility runs for the first time, a dialog box with a license agreement is displayed. Read it and click the "Agree" button.

After the program loads, you will see the applications configured to start automatically, with the names of the applications and the registry keys that store information about their launch, a brief description of the application, the publisher, and the path to the file or library to be launched.
The items displayed by the Autoruns program belong to several categories, which can be viewed on the 18 tabs of the program. In this article, we will not consider each tab, but it is worth noting that the categories include: objects that start automatically at logon, additional components of Explorer, additional components of Internet Explorer, scheduler tasks, application initialization DLLs, objects executed early in boot, Windows services and more.
On each tab you can:
- launch any selected application by double-clicking the program name;
- open the registry key that contains the application startup settings by double-clicking the line with the registry key or by selecting the "Jump to" command from the context menu;
- open the properties dialog of the selected object (to do this, select the «Properties» command from the context menu);
- open Process Explorer on the "Image" tab for the selected object, as well as find information about the object you are interested in;
- disable an automatically launched object by unchecking the corresponding checkbox;
- delete an object using the context menu command or the «Delete» button;
- view auto-launch items for other user accounts by selecting the desired item in the “User” menu.
By default, the Autoruns program displays all applications and libraries that start automatically with the operating system. To display only those applications that are registered in the registry keys \Software\Microsoft\Windows\CurrentVersion\Run, go to the "Logon" tab.
In addition to applications that start automatically with the operating system, you can view all tasks that the scheduler runs at boot or login. To do this, go to the "Scheduled tasks" tab. On this tab, selecting the context menu command "Jump to" or double-clicking an object opens the "Task Scheduler" snap-in with the given task.
You can save the startup items by pressing the “Save” button on the toolbar or by selecting this command from the “File” menu. The report is saved with the *.arn or *.txt extension. To load previously saved Autoruns data, use the “Open” command in the "File" menu.
Using the Autoruns utility to manage autorun objects using the command line
If you prefer to work with the console, you can also use the commands of the Autoruns utility. With it, you can perform the same actions as with the Autoruns utility, only using the command line, displaying information in the console window or redirecting the output of the command to a text file. Due to the fact that this utility can only be opened using command line tools, to work with Autoruns, follow these steps:
- Open command prompt as administrator;
- Go to the folder with the downloaded Autoruns utility, for example "C:\Program Files\Sysinternals Suite\";
- Run the utility with the required parameter.
The following options are available:
-a – display all startup items;
-b – display information about objects that are loaded in the early stages of system boot;
-c – export of displayed data to a CSV file;
-d – display application initialization DLLs;
-e - display Windows Explorer extensions;
-g - Display Windows sidebar and desktop gadgets;
-h – display Hijacks elements;
-i – display additional elements of the Internet Explorer browser;
-k - display known DLLs;
-l - display items that are launched automatically upon login;
-m – do not display objects with a Microsoft digital signature;
-n – display Winsock protocol providers;
-o – display codec elements;
-p – display print monitor drivers;
-r - display LSA security providers;
-s - display services in automatic start mode and not disabled drivers;
-t – display task scheduler elements;
-v – verification of digital signatures;
-w – display Winlogon elements;
-x – export of displayed data to XML file;
For example, if you only want to see items that automatically start at login, use the utility with the -l option, as shown below:
"Startup" folder
A folder that stores shortcuts for programs launched after the user logs in to the system. Shortcuts to this folder can be added by programs during their installation or by the user himself. There are two folders - common for all users and individual for the current user. By default, these folders are located here:
You can see which programs you run in this way by opening the "Start - All Programs - Startup" menu. If you create a shortcut for a program in this folder, it will start automatically after the user logs in.
Changing the shortcut for a program from the startup list
Let's say you have Acrobat installed. Then in the "Startup" folder you will have a shortcut "Adobe Reader Speed Launch" - this shortcut is installed there by default. But it is not at all necessary that this shortcut refers specifically to the corresponding application - any other program can be launched instead of it, especially since this will not affect the functionality of Acrobat.
Adding a program to a program launched from the startup list
This is a modification of the previous variant: together with any program loaded from the startup list, another program is started. The point is that two executable files can be "glued" into one and will then run simultaneously. There are programs for such "gluing". Alternatively, the shortcut may refer to a batch file, from which both the original program from the list and the added third-party programs are launched.
You can view the list of automatically loaded programs by opening the "System Information" program (open "Start - All Programs - Accessories - System Tools - System Information" or type msinfo32.exe in the command line) and go to "Program Environment - Automatically loaded programs". The "System Properties" program displays startup groups from the registry and "Startup" folders (Fig. 6).

Figure 6 Automatically loaded programs
Another program that allows you to view the list of startup programs is "System Configuration" (to run, type msconfig.exe from the command line). This program, in addition to viewing the startup list, provides the ability to disable all startup items (the "General" tab) or selective programs (the "Startup" tab).
Loading the operating system
It is important to note that the loading of Windows does not really start at the moment you walk up to the personal computer and turn it on or reboot it; the process of loading the operating system effectively begins with its installation. During installation, the hard drive is prepared for its part in the system boot process. At this time, components are created that participate in the loading of the basic input/output system (BIOS). These components include:
- Winload.exe – loads the Ntoskrnl.exe process and its dependent libraries, as well as loads the drivers of the installed hardware;
- Winresume.exe - allows you to restore the system after a long period of inactivity (hibernation) and is responsible for the hibernation file (Hiberfil.exe);
- Ntoskrnl.exe - initializes the execution subsystems for loading and launching system drivers for devices, and also prepares the system for working with standard applications and loads the smss.exe process;
- Hal.dll - is an integral part of the kernel-mode code that is launched by the Winload.exe boot module that is loaded with the kernel;
- Smss.exe (Session Manager Subsystem Service) is a session management subsystem in Windows. This component is not part of the Windows kernel, but its operation is extremely important for the system;
- Wininit.exe - loads Service control manager (SCM), Local Security Authority process (LSASS), and local session manager (LSM). This component also initializes the system registry and performs certain tasks in initialization mode;
- Winlogon.exe - manages secure user login and launches LogonUI.exe;
- Logonui.exe - displays the user login dialog;
- Services.exe - loads and initializes system services and drivers installed by default.
It is important to understand that device drivers are an essential part of the boot process. When you specify an operating system partition, the installer writes the boot sector. The Windows boot sector gives information about the structure and format of the partition to the Bootmgr file. Bootmgr does its work while the operating system begins its real-time life cycle. Bootmgr then reads the BCD file from the \Boot folder located on the system partition. If the BCD file specifies settings for resuming from hibernation, Bootmgr starts the Winresume.exe process, which reads the contents of the file to resume the system from hibernation.
If there are two or more systems in the BCD entry, then Bootmgr displays a boot menu for the user to select an operating system. After selecting a system, or if you have only one operating system installed, the Winload.exe process is loaded. This process loads the files located in the boot partition and starts kernel initialization. Winload.exe does the following:
- Loads the kernel and HAL images (Ntoskrnl.exe and Hal.dll) and all their dependencies. If Winload.exe fails to run HAL images or their dependencies, you will see a warning;
- Reads VGA font files (Vgaoem.fon);
- Reads National Language System (NAL) files to use internationalization;
- Reads the \Windows\System32\Config\System registry key to determine the device drivers needed to boot the operating system;
- Scans the SYSTEM registry key and finds all boot device drivers. These drivers are listed in the registry with the value SERVICE_BOOT_START (0) under HKLM\SYSTEM\CurrentControlSet\Services;
- Adds file system drivers responsible for implementing code for an NTFS partition;
- Loads system drivers from the boot partition. At this time, the user is shown the text "Starting Windows" with the symbols of the operating system;
- Prepares processor registers for Ntoskrnl.exe execution.
Then the initialization of the kernel and executive subsystems begins. After Windows calls Ntoskrnl, it passes the bootloader block parameter data, which contains the system paths of the boot partition generated by Winload to describe the physical memory on the system. Upon completion of two stages (Session 0 and Session 1) of kernel initialization, the Smss.exe, Csrss.exe and Wininit processes start. Smss calls the subsystem configuration executive to finish initializing the system registry.
The last stage of system boot is the process of automatically launching applications when booting and entering the operating system.
Using Group Policy for autorun
Open the Group Policy snap-in (gpedit.msc) and go to "Computer Configuration - Administrative Templates - System". On the right side of the snap-in, go to the "Logon" item (Fig. 2).

Figure 2 Using Group Policy for autorun (for all users)
By default, this policy is not set, but you can add a program there: enable the policy, click the "Show - Add" button, and specify the path to the program. If the program being launched is located in the WINDOWS\System32\ folder, you can specify only the name of the program; otherwise you have to specify the full path to the program.
In fact, in this section of the local group policy, you can specify an additional program or document that will be executed when the user logs on to the system.
Attention!
This policy item is available in Computer Configuration and User Configuration. If both policy items are set, then the program from Computer Configuration will be launched first, and then the user.
As a result, we get the launch of Notepad (Fig. 3).

Figure 3 Launching Notepad using Local Group Policy
Attention!
Note that programs from this list are not displayed in the list of programs that can be disabled in msconfig.exe, and not every startup manager detects them.
Autoload methods
Registry
Programs that are launched from this section are launched for all users in the system (Fig. 1).

Figure 1 Autostart for all users
For example, to automatically launch Notepad when the current user logs in, open the Registry Editor (regedit.exe), go to the section
Conclusion
This article explains how to configure the items that automatically start applications when booting and logging into the Windows operating system. It briefly describes the boot process of the Windows 7 operating system, as well as how to monitor and manage autorun with the “System Configuration” system utility, how to change autorun items through the system registry, and how to work with Autoruns and the console version of Autoruns from Sysinternals. With the information in this article, you can correctly configure the startup applications of your operating system.
Conclusion
Of course, the information provided in this article cannot be considered exhaustive, but I hope it will help you in the hard work of fighting malware.





