Startup Tool (XP)

Bjorn Simonsen said:
omega wrote in
I don't have XP, so am wondering, does the following article mean that XP,
at least the pro version, has tools for this built in, to disable Real
and similar's habits?

<quote>
http://support.microsoft.com/?kbid=314488
[...]
IMHO, adding an application for exclusion via group policy this way is
rather "involving", compared to using a startup monitor utility that
will let you "black list" any app with a click or two when prompted.
But AFAIK it seems none of the free startup monitoring tools can do
this (just had a look at Winpatrol, but no).

As mentioned I use a shareware app for this myself - RegRun (gold
edition) from <http://www.reatis.com>. The Pro and Gold editions
offer a black-list feature (always deny) as well as an exclusion list
(never deny). It can also add any newly found startup app to the
blacklist automatically if you so please. [...]

I rather prefer a startup monitoring app with a one (or two:) click
"add-to-black list" choice.
[...]

Thank you, Bjorn. You've well convinced me that the Windows approach for
this is not worth recommending. Nor using; even if the w9x poledit were
to have had a similar option, it wouldn't be worth it to me to hassle with
setting up on my own system.

The fact that the wanted feature in a startup control app already exists
in payware, I believe that should make it reasonably foreseeable to come
around to freeware...
 
Sietse Fliege said:
A work around could be:
Use one of those apps that let you perform tasks at shutdown/log off.
Set it to remove the defending registry entries.

This has been in my mind as well.

Until Jordan's tool comes in, he could resort to some manual labor to set up
dealing with specific problem programs. Export his reg key where they're
entering. I'll use HKLM\...\Run for the example.

Copy from his export, the right key and value, to make a bat file for
REG.EXE to use:

    rem Remove the one Run value the program keeps re-adding ("y" answers REG.EXE's confirmation prompt)
    Echo y | REG delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Real Screwed" >nul

Or...he could make his exported run key always static.

    Regedit /s MyRunFile.reg

---
    REGEDIT4

    ; the leading "-" deletes the whole Run key, including anything re-added since last time
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

    ; then the key is recreated with only the values you actually want
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "Allowed1"="program.exe"
    "Allowed2"="rundll something"
    "Allowed3"="path\programB.exe"
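As an added example (not code from the thread or from any of the tools named in it), here is the same idea in Python: parse a REGEDIT4 export of the Run key like the one above, flag any value that is not on an allow list, and emit the "always static" .reg file for regedit /s. The sample export, the allow list and the QuickTime entry are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of a REGEDIT4 export of the Run key; the QuickTime line stands in for
# the kind of self-re-adding entry the thread complains about (not from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Allowed1"="program.exe"
"Allowed2"="rundll something"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
'''

# Constructed allow list: what the Run key is supposed to contain, and nothing else.
ALLOWED = {"Allowed1": "program.exe", "Allowed2": "rundll something",
           "Allowed3": r"path\programB.exe"}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # .reg files escape \ and " with a backslash

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4/5 export into {key: {value name: string data}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith(("REGEDIT4", "WINDOWS REGISTRY EDITOR", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def audit_run_key(export: str, allowed: Dict[str, str], key: str = RUN_KEY) -> Tuple[List[str], List[str]]:
    """Return (values that are unknown or whose data changed, allowed values that are absent)."""
    values = parse_reg_export(export).get(key, {})
    unexpected = sorted(n for n, d in values.items() if allowed.get(n) != d)
    missing = sorted(n for n in allowed if n not in values)
    return unexpected, missing

def static_run_key(allowed: Dict[str, str], key: str = RUN_KEY) -> str:
    """Build the 'always static' REGEDIT4 file: delete the key, recreate it with only the allowed values."""
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    lines = ["REGEDIT4", "", f"[-{key}]", "", f"[{key}]"]
    lines += [f'"{esc(n)}"="{esc(d)}"' for n, d in sorted(allowed.items())]
    return "\r\n".join(lines) + "\r\n"  # import with: regedit /s MyRunFile.reg
```

Running audit_run_key on a fresh export after each program install shows exactly which value came back, and static_run_key gives the file to re-import at logon or logoff.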
 
Sietse Fliege wrote in
A work around could be:
Use one of those apps that let you perform tasks at shutdown/log off.
Set it to remove the defending registry entries.

Good suggestion. A script run at startup is of little use, since the
app you want to prevent might already be running, that is - unless you
launch a script via the Group Policy that will run pre-logon (in
XP-Pro/2k).

As an example of the latter, one could use reg.key delete scripts as
suggested by Karen, or similar. On my Win2k system I would then place
the script(s) (*.cmd file(s)) in:

<\WINNT\system32\GroupPolicy\User\Scripts\Logon\>
or to be run at logoff in:
<\WINNT\system32\GroupPolicy\User\Scripts\Logoff\>

When this is done, add/activate both scripts in the Group Policy
Editor; Run Gpedit.msc, and in it navigate to

[Console Root\Local computer Policy\UserConfiguration\Windows
settings\Scripts]

and there dbl-click either Logon or Logoff icons (or both), then use
the ADD button, then BROWSE and point to the saved script file(s) to
add.

Reason I think this is a manageable "temp" solution is, well since
a) it runs at logon - before anything is loaded via the regular "run"
keys, and
b) once you have created the script file(s) and added it (or them) to
gpedit, it is not a major task (unless you experience many such
offending apps) to simply edit the script file(s) to add new reg.key's
when needed. All one has to do is to find the reg.key for the
offending app, then add it to the script file. The script file is
already in the system and will always run anyway. If often used - a
shortcut to the script file(s) should do the trick.

All the best,
Bjorn Simonsen
 
Bjorn Simonsen wrote in
When this is done, add/activate both scripts in the Group Policy
Editor; Run Gpedit.msc, and in it navigate to

[Console Root\Local computer Policy\UserConfiguration\Windows
settings\Scripts]

and there dbl-click either Logon or Logoff icons (or both), then use
the ADD button, then BROWSE and point to the saved script file(s) to
add.

Addition: When above is done, if one wants one can set:
"Run logoff scripts visible", in gpedit under
[User Configuration\Administrative Templates\System\Logon/Logoff].
Run hidden is default setting I think. (Personally I opt for visible,
feel more in control that way - see what is going on - if it is and
when it is)

All the best,
Bjorn Simonsen
 
omega wrote in
Nor using; even if the w9x poledit were
to have had a similar option, it wouldn't be worth it to me to hassle with
setting up on my own system.

If you use Win9x you could edit your boot config so that windows will
always boot to the CLI first, then autoexec.bat or any batch to run
any of the scripts you suggested in another post, then load win (gui)
at end of same batch. Pretty safe pre-gui and thus pre RUN/startup
removal in other words. Same reasoning applies about manageability; if
not that many/often, should be easy to add a shortcut to the batch
file for easy/fast loading and edit (add new reg.keys/apps) on
demand.:)

All the best,
Bjorn Simonsen
 
omega said:
This has been in my mind as well.

Until Jordan's tool comes in, he could resort to some manual labor to
set up dealing with specific problem programs. Export his reg key
where they're entering.

Quicktime is the offending program that always launches qttask.exe changing
its "disabled" status in freeware Startup Cop to "enabled."

My quick and dirty solution was to simply rename qttask.exe to qttask2.exe,
and Quicktime runs fine but is unable to kick off qttask.exe because it
doesn't exist. I also set my registry cleaner to ignore the "invalid" entry
it finds for qttask.

Thanks again Karen and Bjorn for your suggestions and help.
 
Bjorn Simonsen said:
omega wrote in

If you use Win9x you could edit your boot config so that windows will
always boot to the CLI first, then autoexec.bat or any batch to run
any of the scripts you suggested in another post, then load win (gui)
at end of same batch. Pretty safe pre-gui and thus pre RUN/startup
removal in other words. Same reasoning applies about manageability; if
not that many/often, should be easy to add a shortcut to the batch
file for easy/fast loading and edit (add new reg.keys/apps) on
demand.:)

Hi, Bjorn. I don't ever have startups problems, as my habits keep me aware
of added registry entries. (My ref with poledit was theoretical.)

My standing hassle has only to do with programs that add other types of
unwanted keys, when I run them. Filetypes keys, and shellnew entries,
especially. For those progs, the one automated strategy I sometimes config
is for launching them from a command with a start /wait routine, where their
reg additions are deleted after they've been run. (I'd considered a global
cleanup file first, but it works better for my interests that the corrective
cleanup for each individual prog is filed separately.)

As to autoexec, yes it's a great thing. I don't know what you use in XP
for processing at that early level?
 
Jordan said:
Quicktime is the offending program that always launches qttask.exe changing
its "disabled" status in freeware Startup Cop to "enabled."

My quick and dirty solution was to simply rename qttask.exe to qttask2.exe,
and Quicktime runs fine but is unable to kick off qttask.exe because it
doesn't exist. I also set my registry cleaner to ignore the "invalid" entry
it finds for qttask.

Glad to hear that! I should think it means you can next go ahead and give
qttask.exe a good shove into the incinerator... :)

I'd had to run an install of QuickTime about a year ago, because an old
CD insisted upon it. It was ver 5.01 that come with the CD, and the one
I installed. I was able to delete a few of its offending files; the names
were QuickTimeUpdater.exe, QuickTimeUpdateHelper.exe, QuickTimeCheck.ocx.

Also, I was able to move most of the QT files out of my system directory
into its local path. Annoyingly, not all. It was adamant concerning about
four of them (esp .qtx, .qtr, .qtp). Luckily, registry was a lesser problem.
I got by with deleting almost all of the regentries. There were only two
keys I needed for meeting the requirements of that old CD. The whole thing
was still a lot of hassle, and with it requiring four of its files in my
system directory, I found that very annoying.

And that was way back in version 5x. The entanglements and offenses it's
developed since then, ugh, I'd almost dread to even see 'em.

Good you got its primary offense nulled out. Ideally, some good citizen
should try to set it up so that search engine hits on "Quicktime" point
to a page with that vital tip, to rename (or kill) qttask.exe.
 
Bjorn Simonsen said:
correction to URL, should be: <http://www.greatis.com>.
[snipping the startups mon & config freeware list]

That greatis site gives an _excellent_ list for startup sequence, for
both NT & 9X. (Contrast to the mskb, where you have to add a large bunch
of articles together, to get a complete file of the sequence.)

http://www.greatis.com/regrun3startuporder.htm


STARTUP ORDER FOR WINDOWS NT4/2000/XP

1. BootExecute
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
2. Services
3. User enters a password and logon to the system
4. UserInit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
5. Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
6. All Users-RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
7. All Users-Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
8. All Users-RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
9. All Users-RunEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunEx
10. Current User-RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
11. Current User-Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
12. Current User-RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
13. Current User-RunEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunEx
14. Common Startup Folder
15. Startup Folder


STARTUP ORDER FOR WINDOWS 9X/ME

1. config.sys
2. autoexec.bat
3. wininit.ini
4. winstart.bat
5. system.ini
6. win.ini
7. All Users-RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
8. All Users-RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
9. All Users-RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
10. All Users-Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
11. All Users-RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
12. All Users-RunEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunEx
13. Current User-RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
14. Current User-Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
15. Current User-RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
16. Current User-RunEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunEx
17. Common Startup Folder
18. Startup Folder
 
STARTUP ORDER FOR WINDOWS 9X/ME
1. config.sys
2. autoexec.bat
3. wininit.ini
4. winstart.bat

They forgot dosstart.bat... Or does it only run when using "restart in
MS-DOS mode"?

Then there is another type of startup case. My Lucent modem loads an exec
from its VXD. Its VXD isn't in any of the defined startup locations; instead
over in the hardware section. My one workaround is to have a PRCVIEW .bat
run at post-startup to kill that auto-launched process.

I suppose some malware out there too, might be able to do that, load a
sneaky VXD or similar from an abnormal location? In case of that, it
makes it worthy to have a good process viewer as part of your watch crew.
 
omega wrote in
They forgot dosstart.bat... Or does it only run when using "restart in
MS-DOS mode"?

Yes, only at restart in ms-dos mode. And yes, excellent lists over at
greatis.com.

VXD's, loading exe's, the problem with Windows in general. Win2k/XP,
simple example, scripts loaded at logon/logoff, inserted by admin.
If admin can do that, so can hacker, no? Problem, none of the startup
monitoring apps covers loading of such scripts AFAIK. Still, the
common startup locations are fairly easy to use. And since most users
don't even know them, not to mention watch and monitor these locations,
they offer a nice and easy way to insert call-home spyware, trojans,
and whatever. In other words, why go to the trouble of writing some
advanced code to load and camouflage malicious code in or via some
vxd, dll or whatever, when for most regular users - anything
loaded via startup will be invisible anyway. Still, problem is there
(try and run RegMon without filters for an hour, then worry about the
stuff you don't know/understand/recognize... then freak out) so in
toto - when it comes to Windows, only way to play it safe is not to
run your computer, or at least stay offline<g>.

All the best,
Bjorn Simonsen
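An added example (not from the thread, and not any monitoring product's code) for the logon/logoff script folders described earlier and for the point above that startup monitors don't watch them: a Python baseline check that hashes everything under the GroupPolicy script folders and reports what appeared, changed or vanished since the baseline. The Machine\Scripts pair is added from the Win2k/XP layout, not from the thread; the directory tree built in demo() is constructed.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

# Policy script folders relative to %SystemRoot%\system32\GroupPolicy. The User pair is the
# one named in the thread; the Machine pair (startup/shutdown scripts) also exists on 2k/XP.
SCRIPT_DIRS = (
    os.path.join("User", "Scripts", "Logon"),
    os.path.join("User", "Scripts", "Logoff"),
    os.path.join("Machine", "Scripts", "Startup"),
    os.path.join("Machine", "Scripts", "Shutdown"),
)
# scripts.ini in each folder is what registers the scripts with gpedit, so track it too.
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".exe", ".ini")

def inventory(gp_root: str, dirs: Iterable[str] = SCRIPT_DIRS) -> Dict[str, str]:
    """Return {relative path: sha256} for every script-like file under the policy folders."""
    found: Dict[str, str] = {}
    for sub in dirs:
        for dirpath, _, files in os.walk(os.path.join(gp_root, sub)):  # missing dir: no entries
            for name in files:
                if not name.lower().endswith(SCRIPT_EXTS):
                    continue
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                found[os.path.relpath(full, gp_root).replace(os.sep, "\\")] = digest
    return found

def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify drift since the baseline: scripts that are new, altered or removed."""
    return {
        "new": sorted(p for p in current if p not in baseline),
        "changed": sorted(p for p in current if p in baseline and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo() -> Dict[str, List[str]]:
    """Constructed GroupPolicy tree in a temp dir: take a baseline, then simulate drift."""
    with tempfile.TemporaryDirectory() as root:
        logon = os.path.join(root, "User", "Scripts", "Logon")
        os.makedirs(logon)
        with open(os.path.join(logon, "cleanrun.cmd"), "wb") as fh:
            fh.write(b"rem constructed logon script that prunes unwanted Run values\r\n")
        baseline = inventory(root)
        # Later: an unknown script shows up and the known one has been edited.
        with open(os.path.join(logon, "helper.vbs"), "wb") as fh:
            fh.write(b"' constructed: not in the baseline\r\n")
        with open(os.path.join(logon, "cleanrun.cmd"), "ab") as fh:
            fh.write(b"rem appended after the baseline was taken\r\n")
        return compare(baseline, inventory(root))
```

Store the baseline dict (e.g. as JSON) when the scripts are first set up and re-run inventory() on the real folder at logon to catch additions nobody made on purpose.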
 
Bjorn Simonsen said:
Yes, only at restart in ms-dos mode.

Then must be they didn't forget; but instead that it wouldn't have fit
into the list, since it's regular startup being described.
And yes, excellent lists over at greatis.com.

Best I've seen. Especially with its specificity about sequence.
VXD's, loading exe's, the problem with Windows in general. Win2k/XP,
simple example, scripts loaded at logon/logoff, inserted by admin.
If admin can do that, so can hacker, no? Problem, none of the startup
monitoring apps covers loading of such scripts AFAIK.

Not using XP, I hadn't been conscious of the \Scripts\ keys until you
posted about that today (and it made me envious, not having that one on
my OS). I see no reason for the monitoring tools not to watch it? I
can't see how watching that one would be any different from watching
the other keys?
Still, the common startup locations are fairly easy to use. And since
most users don't even know them, not to mention watch and monitor these
locations, they offer a nice and easy way to insert call-home spyware,
trojans, and whatever. In other words, why go to the trouble of writing
some advanced code to load and camouflage malicious code in or via some
vxd, dll or whatever, when for most regular users - anything
loaded via startup will be invisible anyway.

I was idly curious if any malware (or at least of the more prevalent
malwares) had in fact been designed this way. But you have a good point:
the common vulnerability of the simple places, leaves the malicious
designers with little incentive to try something more difficult.
Still, problem is there (try and run RegMon without filters for an
hour, then worry about the stuff you don't know/understand/recognize...

My comment earlier was to use a good process monitor. However, I've never
investigated at length the situation of "invisible tasks," if that's how
to reference it. I'd seen instructions on some Delphi-related page, about
designing something that a process monitor (even a good one?) can't see.
If that is possible, then yes, that makes all the more worthwhile the added
strategy you brought up: after closing every last thing possible, run
Regmon (& Filemon).

I don't have experience with spyware infestation in my ~memory. I do have
experience with annoyance-ware. Remember how it is after a fresh install
of Windows, and MS Office, for example. You have to spend a great deal of
time finding all the krap that is running behind in your back, and reconfig
out a good number of weirdo things.

For fielding out this type of software behavior, that which comes from
annoyance-ware, it might not be for safety so much, but it is for sanity.
(Remember Office's FindFast? Obnoxiousness incarnate...)
then freak out) so in toto - when it comes to Windows, only way to play
it safe is not to run your computer, or at least stay offline<g>.

Then would get bored and need to seek other sources of risk & adventure.
Such as maybe go skulking around a big city's backstreets; adventures
there could make the worst virus seem boring in compare. Except, well,
for true geeks. For them, even something like getting mugged and spending
a month in intensive care would be 50x less painful than loss of computer
data.
 
Bjorn said:
But AFAIK it seems non of the free startup monitoring tools can do
this (just had a look at Winpatrol, but no).

I just came across StartRight 1.12 Requirements: A Windows OS.

http://jackass.arsware.org/sr.php

"StartRight will manage the execution of programs that are automatically
started by the operating system at logon time. Instead of executing many
programs at once (causing your OS to spit and sputter and attack your
hard drive), StartRight will give the OS time to execute the program
before running the next program. The OS should become much more
responsive almost immediately after logon."

In its version history I saw:

Changes in v1.0.4:
Programs that automatically add themselves back are now auto-excluded

Have not checked it out.
 
I'm looking for a Startup monitoring/control program that allows me to
*permanently* block disabled programs from re-inserting themselves
into my startup list. For example, in Startup Cop, even though I have
disabled qttask.exe (Quicktime), it enables itself every time I run
QT. I've heard that RealPlayer also does the same thing.

TIA

How about Mike Lin's Startup Control Panel? It is a control panel applet
written by a 19-year-old student (according to his site:
http://www.mlin.net/StartupCPL.shtml ). While free to use, he does have
a paypal button for "tips". I have been using it for about 4 months on
my Dell 2350 running WindowsXP Home with no problems. I like it because I
can move the items between my wife's login and mine because she runs aol,
incredimail, trillian, camera detection, etc in the taskbar and all I
want is to run Xnews.
 