Dependencies on Windows Explorer

Hi Newsgroup,

We've the following scenario:
Within the local policy of Windows XP, we've defined a vbs script as an
alternative Windows shell.
This script determines in relation to the logged on user account if Windows
Explorer or a special application is started.
If the application is started (without windows explorer), it seems to be
that there are some dependencies:
Applications within RUN and RUNONCE registry keys are started, but the icons
are not displayed in the UI.
Well, we're not sure if there are more dependencies if we don't use the
windows explorer. Does anybody have a hint or know the restrictions?

Thanks a lot,
Lars
 
Applications within RUN and RUNONCE registry keys are started, but the
icons are not displayed in the UI.

What UI?

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Hi Wesley,

I'm sorry, RUN and RUNONCE don't run!
But this is no big deal, because we can implement this within the vbs script.
Do you know of any other issues?

Thanks,
Lars
 
Lars said:
We've the following scenario:
Within the local policy of Windows XP, we've defined a vbs script as an
alternative Windows shell.
This script determines in relation to the logged on user account if Windows
Explorer or a special application is started.
If the application is started (without windows explorer), it seems to be
that there are some dependencies:
Applications within RUN and RUNONCE registry keys are started, but the icons
are not displayed in the UI.
Well, we're not sure if there are more dependencies if we don't use the
windows explorer. Does anybody have a hint or know the restrictions?


You are correct, Windows Explorer IS Windows. There are a lot of things that Explorer does, which if disabled (or not run) will no
longer work. As you found out, auto starting programs are one thing that Explorer is responsible for. Another thing that won't
work without Explorer are the media buttons. Also, driver installation and device detection is not guaranteed to work if Explorer
is not run (sometimes it will, sometimes it won't, it depends on a lot of things-or nothing, computers are weird that way).

Your best bet is to simply test to see if it works correctly. Also, note that even though Explorer is not running, the space
reserved for the taskbar will still be unavailable.
 
As Alec stated, explorer.exe is the Windows shell, the GUI.

If explorer.exe is started once, it's the shell, if started a second time
it's Windows Explorer.

This is what starts the Windows shell...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value Name: Shell
Data Type: REG_SZ
Value Data: Explorer.exe

Notice where the two Run and Runonce keys are located in the start order.

STARTUP ORDER FOR WINDOWS NT4/2000/XP

1. BootExecute
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
2. Services
3. User enters a password and logon to the system
4. UserInit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
5. Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
6. All Users-RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
7. All Users-Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
8. All Users-RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
9. All Users-RunEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunEx
10. Current User-RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
11. Current User-Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
12. Current User-RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
13. Current User-RunEx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunEx
14. Common Startup Folder
15. Startup Folder
There may be more than one Startup Folder. One for each user.

I have no idea what the effect of using some UNKNOWN shell is.

The only alternate shell I have run is cmd.exe. And I prefer explorer.exe.

Booting into Safe Mode with the Command Prompt.

/safeboot:minimal(alternateshell)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
Value Name: AlternateShell
Data Type: REG_SZ
Value Data: cmd.exe

If you are using Windows, why use an alternate shell?

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Wesley Vogel said:
I have no idea what the effect of using some UNKNOWN shell is.

Perhaps a visit to the Litestep or DesktopX forums could shed some light on how they overcome these limitations.
The only alternate shell I have run is cmd.exe. And I prefer explorer.exe.

Same here. I set cmd as the shell when I've just restored an image and need to restore backed up settings. I then switch it back
and reboot. It works great.
If you are using Windows, why use an alternate shell?

They have different users, some of which are to use Explorer, while others will use the other "shell". What they mean is that some
users will boot into Windows as normal but certain users, when they boot will be greeted by an application instead. For example,
when some (limited/restricted?) users log in, instead of Explorer running, Notepad, Word, or the calculator, or the browser opened
to www.blah.com/ or whatever would run.
 
I used to boot into Safe Mode with the Command Prompt to try to delete
index.dat files, until I figured out how to use a batch file to do it
instead. ;-)

Or iexplore -k www.microsft.com

Whatever shell it is, it appears to be a secret.

Open Explorer in Kiosk Mode

iexplore -k c:\

Ctrl + W to close it.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Wesley Vogel said:
I used to boot into Safe Mode with the Command Prompt to try to delete
index.dat files, until I figured out how to use a batch file to do it
instead. ;-)

Or, get a copy of Jeremy Collake's MoveLatr. It will allow you to flag files that are in use to be renamed or deleted at the next
boot (before Windows actually loads) by placing the file in the PendingFileRenameOperations.


Or, simply
start http://www.microsoft.com/
(or whatever URL). That performs a ShellExecute (similar to the Run dialog) which runs the specified object by whatever means the
shell is set up to use (oddly enough, despite it being a SHELL command, it doesn't actually require Explorer!) But don't forget the
http:// that's what identifies it as a website; using start www.microsoft.com would try to execute a DOS command file. Using this
will open the website in the default web browser, whatever it may be—go Arachne! :)
 
identifies it as a website; using start www.microsoft.com would try to

Paste this into the Run command...

iexplore -k www.microsft.com

It opens IE in kiosk mode @ www.microsft.com

No need for http:// in the Run command, Address bar in IE or WE or the
Address toolbar on the taskbar.

Of course www.microsft.com in any of the above. And if you have the right
settings, Ctrl + Enter will add prefix http://www. and suffix .com or
whatever suffix you have set up. I do not have any Append Completion,
AutoComplete In File Dialog or AutoSuggest turned on, I hate those.

I do not run anything that will run from the Run command in cmd.exe, extra
typing.

Cmd.exe, the Run command, the Address toolbar, the Address bar in Windows
Explorer and Internet Explorer all function a lot alike. Of course there
are enough differences to mess you up.

start http://www.microsoft.com/ or just www.microsoft.com for example.
Or, get a copy of Jeremy Collake's MoveLatr. It will allow you to flag
files that are in use to be renamed or deleted at the next boot (before
Windows actually loads) by placing the file in the
PendingFileRenameOperations.

Disk Cleaner has a delete locked files on reboot option.

HijackThis also has a Delete a file on reboot tool.
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#delreb

Bat files do fine.
---------------
@echo off
del "C:\DOCUME~1\WESLEY~1.VOG\Cookies\index.dat"
del "C:\DOCUME~1\WESLEY~1.VOG\LOCALS~1\History\History.IE5\index.dat"
del "C:\DOCUME~1\WESLEY~1.VOG\LOCALS~1\TEMPOR~1\Content.IE5\index.dat"
del "C:\WINDOWS\Cookies\index.dat"
del "C:\WINDOWS\TEMPOR~1\Content.IE5\index.dat"
cd C:\DOCUME~1\WESLEY~1.VOG\
rd /s /q C:\DOCUME~1\WESLEY~1.VOG\Cookies
cd C:\DOCUME~1\WESLEY~1.VOG\LOCALS~1\
rd /s /q C:\DOCUME~1\WESLEY~1.VOG\LOCALS~1\History
cd C:\DOCUME~1\WESLEY~1.VOG\LOCALS~1\Temp\
rd /s /q C:\DOCUME~1\WESLEY~1.VOG\LOCALS~1\Temp\
cd C:\DOCUME~1\WESLEY~1.VOG\LOCALS~1\
rd /s /q C:\DOCUME~1\WESLEY~1.VOG\LOCALS~1\TEMPOR~1
cd C:\DOCUME~1\WESLEY~1.VOG\
rd /s /q C:\DOCUME~1\WESLEY~1.VOG\Recent
exit
cls
---------------

@echo off
rem DataColl.bat
: HelpSessionHistorydat.bat
: OfflineCache
: WMPCurrentDatabase.bat
rem Professional_32_1033.bat
: HelpSessionHistory.dat
: edb.chk
rem Office tmp
: Internet Logs tmp
: Help *.chw files
: Office tmp files
: Delete C:\Documents and Settings\Wesley P. Vogel\UserData

del /q C:\WINDOWS\PCHealth\HelpCtr\DataColl
del /q C:\WINDOWS\PCHealth\HelpCtr\OfflineCache\Professional_32#0409
del C:\WINDOWS\PCHealth\HelpCtr\Config\Cache\Professional_32_1033.dat.bak
cd C:\Documents and Settings\Wesley P. Vogel\Local Settings\Application Data\Microsoft\Media Player
del /q *.*
cd C:\Documents and Settings\Wesley P. Vogel\Local Settings\Application Data\Microsoft\HelpCtr
del /q HelpSessionHistory.dat
del C:\WINDOWS\system32\CatRoot2\edb.chk
cd C:\WINDOWS\security
del /q *.chk
cd C:\Documents and Settings\Wesley P. Vogel\Application Data\Microsoft\Office
del /q *.tmp
cd C:\WINDOWS\Internet Logs
del /q *.tmp
cd C:\WINDOWS\Help
del /q *.chw
cd C:\Documents and Settings\Wesley P. Vogel
rd /s /q UserData
---------------

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Wesley Vogel said:
Paste this into the Run command...

iexplore -k www.microsft.com

It opens IE in kiosk mode @ www.microsft.com

No need for http:// in the Run command, Address bar in IE or WE or the
Address toolbar on the taskbar.

That's because IE is expecting a URL. When you use the shell to open a URL you must specify it as such by including the http://.
That's the "file extension" of a URL which allows the OS to determine the type.

Disk Cleaner has a delete locked files on reboot option.

HijackThis also has a Delete a file on reboot tool.
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#delreb

Those do the same thing; they add an entry to PendingFileRenameOperations. MoveLatr is more convenient, it's a command line tool
(I've added it to the context menu of all file system objects which makes it a snap.)

Bat files do fine.

They won't work if the file is in use, unless you can execute it before they become in use (ie: before Windows loads or in safe
mode).

rem DataColl.bat
: HelpSessionHistorydat.bat
: OfflineCache
: WMPCurrentDatabase.bat
rem Professional_32_1033.bat
: HelpSessionHistory.dat
: edb.chk
rem Office tmp
: Internet Logs tmp
: Help *.chw files
: Office tmp files
: Delete C:\Documents and Settings\Wesley P. Vogel\UserData

Are those supposed to be comments or labels? If they're supposed to be comments, they should be double colons (::), if labels, then
they won't work (labels are restricted to 31 characters and no special characters (*, space, etc.)).
 
When you use the shell to open a
URL you must specify it as such by including the http://. That's the
"file extension" of a URL which allows the OS to determine the type.

No. www.microsft.com typed in my Run command, the Address toolbar, the
Address bar in Windows Explorer and Internet Explorer opens
http://www.microsoft.com/

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

If you have to type http:// + the rest of the address... check your
registry, or...

See...
Reset the WWW prefix manually
here...
WWW Prefix - A definition
http://www.kephyr.com/spywarescanner/library/glossary/wwwprefix.phtml

Or download and apply RepairDefaultPrefix.reg here...
Repairs the corrupted or altered (spyware) HTTP prefixes
http://www.mvps.org/winhelp2002/unwanted.htm

HijackThis can also repair the DefaultPrefix entry
http://www.spywareinfo.com/~merijn/htlogtutorial.html#o13
They won't work if the file is in use, unless you can execute it before
they become in use (ie: before Windows loads or in safe mode).

My Bat file does fine.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Indexdat Killer
REG_SZ
C:\run.bat
Are those supposed to be comments or labels? If they're supposed to be
comments, they should be double colons (::), if labels, then they won't
work (labels are restricted to 31 characters and no special characters
(*, space, etc.)).

Labels start with a colon; a label line is ignored, except when sought as
the target of a GOTO. Therefore, a safer way to start a comment is with ::

They're comments. A single colon may slow it down, but it still works. I
have no goto commands. All my bat files are about as simple as you can get.

I just doubled the colons in the one bat file, it may have run faster or
maybe it didn't do anything and just looked like it ran faster. <shrug>

I just threw some junk files in some of those folders and ran the bat file
again, it looked fast.

I just checked a bunch of my other batch files and every other one that has
comments I used double colons or rem.

I am going to reboot and see what it looks like.

I don't think it made a bit of difference.

-------------------
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>attrib /S index.dat
A C:\Documents and Settings\Wesley P. Vogel\Cookies\index.dat
A C:\Documents and Settings\Wesley P. Vogel\Local Settings\History\History.IE5\index.dat
A C:\Documents and Settings\Wesley P. Vogel\Local Settings\Temporary Internet Files\Content.IE5\index.dat
A C:\WINDOWS\PCHealth\HelpCtr\OfflineCache\index.dat
A C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
A C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

C:\>
------------

That's all the index.dat files on my machine just after rebooting. I never
delete HelpCtr\OfflineCache\index.dat anymore since I discovered that it
messes up msinfo32.

All the others are either 16 or 32 KB so they got deleted at boot and then
recreated.

My Bat file does fine. It deletes all of the index.dat files that recreate
themselves.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Wesley Vogel said:
My Bat file does fine.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Indexdat Killer
REG_SZ
C:\run.bat

Batch files do nothing special, it's the same as entering the commands manually. Once Windows is running, neither a batch file nor
manual deletion of files that are in use will work.

Running this command "del C:\DOCUME~1\WESLEY~1.VOG\Cookies\index.dat" while logged into that account will not work under Windows
because it is locked. The only way to delete it is to do so either in Safe Mode, or before logging in. (Actually, you could also
do it by killing the file handle, but that should only be done as a last resort or in an emergency since it can lead to corruption,
crashing, etc.) Deleting or renaming system files has to occur before Windows loads (during native mode). That's why disk checking
occurs during native mode before startup, to be able to detect and repair system files.

If you are able to run that command while logged into that account and the file is actually deleted (assuming it exists of course),
then either the cookies folder is redirected elsewhere so that file is not actually being used, or something strange is going on.
If it works for you, it may be indicative of a problem, or you're just lucky.

Labels start with a colon; a label line is ignored, except when sought as the target of a GOTO.

It may work, but it's not correct, it's a hack and cannot be relied on to work forever (maybe Vista or the next version won't allow
it). The standard defines the syntax and the restrictions which are guaranteed to work. For example, you CAN create a label with
more than 31 characters but it's not compliant and so will not work, the command interpreter treats :thislabelistoolongandwontwork
and :thislabelistoolongandwontworktoo as the same label and will not give the expected results (it will always go to the first one).

Therefore, a safer way to start a comment is with ::

Yup, or with rem, those are the only two compliant ways of creating comments.
 
Wesley Vogel said:
No. www.microsft.com typed in my Run command, the Address toolbar, the
Address bar in Windows Explorer and Internet Explorer opens
http://www.microsoft.com/

Yup, that does work for www.whatever.com.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

It will also work for ftp.whatever.com, gopher.whatever.com, and those other known protocols. However, it WON'T work for
whatever.com, subdomain.whatever.com, forum.whatever.com, www2.whatever.com, and so on. You MUST prepend the http:// to make the OS
recognize them as URLs. Windows comes with a few antiquated subdomains pre-recognized, but these days, there is no guarantee on
what format any given URL will take (and most of those protocols are rarely used anymore Archie—it's odd the ones that MS chose to
include, where's WAIS, VERONICA, etc.) There are websites that follow the standards but most do not (for example .COM means a
COMMERCIAL web site, so any site that isn't selling stuff should not be using .COM).
 
Running this command "del C:\DOCUME~1\WESLEY~1.VOG\Cookies\index.dat"
while logged into that account will not work under Windows because it is
locked.

I already told you my batch file deletes all of the index.dat files that
it's supposed to.

It runs at boot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: Indexdat Killer
Data Type: REG_SZ
Value Data: C:\run.bat

At boot is the only time it runs. I do not run it manually because it would
not get rid of MY index.dat files at any other time because they would be in
use like you stated.
being used, or something strange is going on. If it works for you, it may
be indicative of a problem, or you're just lucky.

It works on my XP Pro SP1 and it worked when I had XP Home SP1.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Wesley Vogel said:
I already told you my batch file deletes all of the index.dat files that
it's supposed to.

It runs at boot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: Indexdat Killer
Data Type: REG_SZ
Value Data: C:\run.bat

At boot is the only time it runs. I do not run it manually because it would
not get rid of MY index.dat files at any other time because they would be in
use like you stated.

Ah, I just noticed why it works for you. It's because you've put it in the local machine's run key. What is happening is that when
Windows boots up, the local machine entries run, then WinLogon runs and displays the user login screen (or autologs in if that's set
up). Those files are locked after the user logs in, which happens after the machine's autorun is executed. Therefore, your files
are being deleted successfully.

There's two problems with this however.

First, you should not be performing user-specific operations during the local machine startup, that's for the LOCAL MACHINE:
system-specific operations; there's a CURRENT USER registry branch for that purpose. It might be okay on your home system,
especially if there's only one user, but it's technically incorrect. If you were to add users, it would lead to problems, and you
can bet that if you were to do that at work, on a network, etc. it would not be a good idea.

Second, that works because it deletes user files before the login. But, what about system files? If you needed to delete or rename
system files (for example to switch ntoskrnl.exe to use a skin, or whatever), it would not work because by the time the key runs,
the files are already in use.

Your batch file may work (I've got my own batch system for similar purposes), but for in-use files, it's no substitute for the
PendingFileRenameOperations key; that's what it was designed for. What you could do is to add in-use files to the key in your batch
file. I've added MoveLatr to the context menus of all files/folders and it's a delight, especially for deleting folders that have
pictures which stupid Explorer locks for some reason (either that or I kill the file handles with Unlocker). :-\
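
Added example, not part of the thread and not code from MoveLatr or any tool named in it: a Python decoder for the PendingFileRenameOperations value discussed above, so the deletes and renames queued for the next boot can be reviewed before restarting. It assumes the layout documented for MoveFileEx (a REG_MULTI_SZ value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager holding source/target pairs, where an empty target means delete) and that a leading "!" on the target marks replace-existing; the sample bytes and the names PendingOp, decode_pending_ops and under_directory are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"  # NT namespace prefix stored in front of each path


@dataclass
class PendingOp:
    action: str               # "delete" or "rename"
    source: str
    target: Optional[str]     # None when the file is to be deleted
    replace_existing: bool    # target was stored with a leading "!"


def _strip(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(raw: bytes) -> List[PendingOp]:
    """Decode raw REG_MULTI_SZ bytes (UTF-16LE) into boot-time file operations.

    Entries come in (source, target) pairs. An empty target means "delete",
    so empty strings must be kept when splitting; a reader that drops them
    would pair every later source with the wrong target.
    """
    parts = raw.decode("utf-16-le").split("\x00")
    ops: List[PendingOp] = []
    for i in range(0, len(parts), 2):
        source = parts[i]
        if not source:        # only the list terminator is left
            break
        target = parts[i + 1] if i + 1 < len(parts) else ""
        replace = target.startswith("!")
        if replace:
            target = target[1:]
        ops.append(PendingOp(
            action="rename" if target else "delete",
            source=_strip(source),
            target=_strip(target) if target else None,
            replace_existing=replace,
        ))
    return ops


def under_directory(op: PendingOp, root: str) -> bool:
    """True if the operation reads from or writes into root (case-insensitive)."""
    root = root.rstrip("\\").lower() + "\\"
    paths = [op.source] + ([op.target] if op.target else [])
    return any(p.lower().startswith(root) for p in paths)


def _multi_sz(*strings: str) -> bytes:
    """Build REG_MULTI_SZ bytes for the constructed sample below."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


# Constructed sample (not taken from a real machine): one delete of a locked
# index.dat and one rename that replaces a file under C:\WINDOWS.
SAMPLE = _multi_sz(
    "\\??\\C:\\Documents and Settings\\user\\Cookies\\index.dat", "",
    "\\??\\C:\\Temp\\new.dll", "!\\??\\C:\\WINDOWS\\system32\\example.dll",
)

if __name__ == "__main__":
    for op in decode_pending_ops(SAMPLE):
        flag = "  <-- touches C:\\WINDOWS" if under_directory(op, "C:\\WINDOWS") else ""
        print(op.action, op.source, "->", op.target, flag)
```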
 
Ah, I just noticed why it works for you.

No shirt?

I stated that in the 10th post in this thread.

Right now I am replying to the 13th post in this thread.
It's because you've put it in
the local machine's run key. What is happening is that when Windows
boots up, the local machine entries run, then WinLogon runs and displays
the user login screen (or autologs in if that's set up). Those files are
locked after the user logs in, which happens after the machine's autorun
is executed. Therefore, your files are being deleted successfully.

No shirt?

See the 4th post in this thread.

STARTUP ORDER FOR WINDOWS NT4/2000/XP
There's two problems with this however.

It's my $%^$%^!! machine. And I will do whatever the $%^$%^!! I want.

You do whatever you like on your machine.

Maybe you can advise this a**hole.

Michel Merlin
http://groups.google.com/groups?q=a...981&as_maxd=9&as_maxm=9&as_maxy=2006&safe=off

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

 
Wesley Vogel said:
It's my $%^$%^!! machine. And I will do whatever the $%^$%^!! I want.

You do whatever you like on your machine.

Wow, calm down, no reason to have a heart attack over a usenet newsgroup. Bad day? :)

Yes, of course you can do whatever you want on your system. If a hack works for you and implementing the intended method is too
much of a hassle, then please, by all means go ahead. I'm just warning that it goes against the design and may cause unexpected
results/problems since it's not supported, that's all. Although, you should also be aware that most companies do not accept hacks
and tricks that are not compliant (often for legal reasons as much as security), so I would recommend doing things by the book at
work—but again if you're the senior tech and everyone else is computer illiterate, you could probably get away with it there too.
;)

As for other people who don't already have a batch file, you should look into using a tool that does it the expected way.

Maybe you can advise this a**hole.

Michel Merlin
http://groups.google.com/groups?q=a...981&as_maxd=9&as_maxm=9&as_maxy=2006&safe=off

Sure, any specific post, uh, fight?
Aha, now I see why it's a bad day. :)

Wait a minute, are you guys using Google Groups to read the newsgroups? Personally I find it kind of hard to use. The format is
rather messy. I'm not crazy about OE because it's got some limitations, but for me it's easier to use than GG; I don't know how you
guys manage. (Plus, with OE I can keep a record of all posted and read messages unlike with a web based newsreader.)
 