Tuesday, July 30, 2002

Applications startup in Windows

mad hack
The article gives the systematisation of the places in the system registry and ini-files, which are for the placements of the application to be launched during Windows-system startup.

In «Komputernaya Gazeta» #10 (200) for 16 March 1999 I made my debut with the article «Breaking into Windows via registry». The talk in the article was about the places in the system registry, in initialization files, where the program can be registered to launch during the Windows boot. Since that time several new Windows versions have been released, new version have own features, and the amount of my knowledge has increased. It is high time to fill up the gaps.

The utility for system configuration MSConfig.exe

Beginning from Windows version 98, Microsoft supplies with utility «MSConfig.exe», which gives the convenient interface for management of files starting up while Windows boots. It is placed in Windows installation folder. One can launch it from «Run» dialog box. There is no option to add new item with the application or document name to start-up, but there is an option to turn off, not deleting, any of items present in the lists. There is another interesting option - to check the validity of the path corresponding to given start-up item, and to delete from the lists the items, which paths are not correct. In spite of the rather miserable functionality of this application, it fits for the users of system, but not for the administrators. I will refer to this utility under necessity further in the article.

Startup from the initialization files

The description of places for startup will be delivered in chronological order, beginning from the first Windows version and obsolete technologies. The initialization files were inherited from 16-bit Windows versions, Microsoft declared several times about getting rid of obsolete files, but up to now they are actually processed during boot.

There are two values in «Win.ini» file in «[windows]» section, which can be the place for startup. The first value is «load», the second one - «run». Their content «by default» is an empty string. The file names in them must contain no blanks; the composing of full file name in quotes is not admissible. In these values several file names can be enumerated by comma. Usually they are used for drivers loading, but can load «Trojan horses» or «keyboard spies».

Another initialization file, which can be used for applications startup is the «System.ini» file. There is a value «shell» in this file in «[boot]» section, which stores the name of Windows shell. The content «by default» of this value is «Explorer.exe». The value «shell» can contain the applications list for startup as command line parameters for «Explorer.exe». The «Explorer.exe» application processes the command line and tries to launch the applications or documents, enumerated in the command line. The requirements to the «shell» value format are the same as to above-mentioned values of «Win.ini» file. Last time this value is wide used for the network worms launch. This makes the localisation hard to reveal, as the administrators forget to check this value as a place for destructive applications startup.

«MSConfig.exe» utility allows checking the state and modifying the content of these three values: «load», «run», «shell», which are located in initialization files.

Startup folders

The first folder, which is worked through after the Windows booting finished, is the folder «StartUp», which can stores the list of applications or documents shortcuts (*.lnk). One can see its state, passed by the «Start» into the submenu «Programs». This is the folder, corresponding to the «Current User».

In order to find its location, one must to find in the system registry the «HKEY_CURRENT_USER \SOFTWARE\Microsoft\Windows\CurrentVersion \Explorer\User Shell Folders» key storing the locations of all the changed folders and to search out the value «Startup» of string type. If the needed value is missing, that its location on hard drive «by default» is registered in the system registry in «Startup» value of «HKEY_CURRENT_USER \SOFTWARE\Microsoft\Windows\CurrentVersion \Explorer\Shell Folders» key.

The utility for the system tuning «MSConfig.exe» shows the shortcuts to applications, which are located in «StartUp» folder. If any item is turned off using the «MSConfig.exe», that the folder named «Disabled Startup Items» will be created in «Programs» folder (it is the submenu in the «Start» menu), where «MSConfig.exe» will move the disabled item. In order to temporarily exclude the shortcut from the startup I resort to much simpler method: I set the attribute «hidden» on the needed shortcut and it will be omitted during the next booting.

The next folder is «Common» for all users - folder «StartUp» (Common Startup Folder), which is also processed after Windows booting to search for the shortcuts to documents or applications. One can see it in submenu «Start» in Windows NT or 2000. Its content is not shown in Windows 9.x, ME. It must store the shortcuts common for all users' profiles. This folder created for multi-users mode as reported in Microsoft documentation (MSDN). However, its content is processed, even Windows 95, 98, ME work in single-user mode.

The value «Common Startup» in «HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion \Explorer\User Shell Folders» system registry key, which store the locations of all the changed folders, stores its registered location on the hard drive. If this value is missing, one must search of this folder location «by default» in «Common Startup» in «HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion \Explorer\Shell Folders» key.

«MSConfig.exe» also shows the list of executables located in «Common» (general for all the users) «StartUp» folder. If using the «MSConfig.exe» turns off any item, the folder with name «Disabled Startup Items» will be created in the same, where the «Common StartUp» folder is located, folder, and the disabled item will be moved there.

The administrators are to pay attention to this folder content as to place of possible application startup.

System registry: startup, common for all Windows versions

There is the branch «SOFTWARE\Microsoft\Windows\CurrentVersion» in the Windows system registry containing several groups for applications startup. All these groups can be in the both HKEY_LOCAL_MACHINE hive and HKEY_CURRENT_USER hive. The description is general; all can be extrapolated for both these hives. If Windows is used in multi-user mode, in other words, this is either Windows version NT/2000/XP, or 95, 98, ME with user profiles enabled, one must also search these groups in «HKEY_USERS\.Default» hive. This branch is common for all the users of system. If Windows 95, 98, ME work in single-user mode, the «HKEY_USERS\.Default» branch is identical to the HKEY_CURRENT_USER branch.

So then, I give the full paths to keys:
«SOFTWARE\Microsoft\Windows\CurrentVersion\Run»,
«SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce»,
«SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx»,
«SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup»,
«SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices»,
«SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce»,
which can contain the string values with applications or documents names launching during the system starts. The «RunOnce» branch is not supported in Windows NT 3.5. The names of string values, which are located in these keys, can be arbitrary.

Further I deliver few rules, orientated on which one can better understand the process and the order of applications launch registered in those or other places for startup:

  1. The keys, located in HKEY_LOCAL_MACHINE hive, are processed earlier than corresponding keys, located in HKEY_CURRENT_USER hive.
  2. The content of «RunServices», «RunServicesOnce» system registry keys is processed earlier than values in «Run», «RunOnce» keys.
  3. The launch of «RunServices» and «RunServicesOnce» happens before the displaying of user logon dialog box, further goes asynchronously with logon dialog box and can continue after successful registration. The applications, registered in system registry values, located in «RunServices» and «RunServicesOnce» are launched asynchronously, and therefore there can be the situation when they work simultaneously.
  4. The launch of applications or documents, as it follows from the very name, registered in «RunOnce» and «RunServicesOnce» keys, happens one time irrespective whether it is successful or not. The value, located in «RunOnce» or «RunServicesOnce» key, is removed before the launch of application, which name it contains.
  5. The values, stored in «Run», «RunOnce» keys, are launched synchronously and in indefinite order, but only, when the content of «RunServices» and «RunServicesOnce» finishes loading.
The system registry keys are processed in the following order. At first, the «RunServices» and «RunServicesOnce» content of HKEY_LOCAL_MACHINE hive is processed. Further the logon dialog box for user registration in system appears. After this the operating system start processing the «RunOnce» and «Run» keys of HKEY_LOCAL_MACHINE hive, further «Run» of HKEY_CURRENT_USER hive. The items stored in «StartUp» folder are the next to get launched. After this is the turn of values in «RunOnce» key of HKEY_CURRENT_USER hive.

The list located in «RunServices» and «Run» keys, which automatically startup while Windows boots, can be controlled with the application for the system tuning «MSConfig.exe». If any item form the list is disabled, the «MSConfig.exe» will move this item to «RunServices-» or «Run-» correspondingly.

The «Setup» key, which can be stored in «RunOnce» key both in HKEY_LOCAL_MACHINE hive and HKEY_CURRENT_USER hive, is worthy attention. This key is used by either the Windows Setup Wizard or «Add/Remove Programs» Wizard. While working through the values containing in this key, dialog box with the progress bar is displayed. The name of item is used as a name of item in dialog box. Analogously to the content «RunOnce» key, the item of the «RunOnce\Setup» are deleted and launched one time. Another system registry key, which is worthy attention, is «RunOnceEx». I will give the differences in launch for the values located in «RunOnceEx» and «RunOnce» from the launch of values located in system registry key «Run».

The values located in «RunOnceEx» key will not be launched. For the automatic processing the registry sub-key must be created in it and, this sub-key, which is to contain values with applications names. The keys and values located in «RunOnceEx» key are sorted in alphabetical order to force them to definite startup order compulsorily. In other words, the item higher by alphabet would be launched earlier, not depending when it was added to «RunOnceEx» key. The applications or scripts must either finish themselves or not require the definite action for finishing. While one item is not finished either further list processing stops or Windows booting stops waiting for compulsory terminating of the launched application. The separate processes are not created for the applications launched from «RunOnceEx» key in contrast to the «RunOnce» и «Run» keys.

«MSConfig.exe» application for the system tuning does not show the content of the keys «RunOnce», «RunOnceEx», «RunOnce\Setup» and «RunServicesOnce»

Startup features in Windows NT/2000/XP

As an addition to above-listed keys, the another key «Software\Microsoft\Windows NT\CurrentVersion \Windows\Run» is specific for Windows versions NT, 2000 and XP, which can be in hives LOCAL_MACHINE or HKEY_CURRENT_USER.

There can be two string values «Load» and «Run» in «Software\Microsoft\Windows NT\CurrentVersion \Windows» key, which can store the list of applications for automatic startup.

These values are analogies to values of the same name from the initialisation file «Win.ini». When Windows NT (2000) is installed over Windows 95, 98 the values content from section «[windows]» of «Win.ini» are transferred to the corresponding values of «Software\Microsoft\Windows NT\CurrentVersion\ Windows» key. If several files are registered in the value, their names must be separated with space chars. Therefore the path to file containing the space char can not be written to them, the quotation marks are not accepted. The content «by default» for these values is the space char. The programs, which launched from «Load» value, are minimised during launch.

Startup features in Windows ME/2000/XP

Windows versions has another one list for documents or applications startup, launching after the user registration in the system, which can be located both in HKEY_LOCAL_MACHINE hive and HKEY_CURRENT_USER hive. It is stored in string values of «Software\Microsoft\Windows\CurrentVersion \Policies\Explorer\Run» key. The names of values for this key have one distinctive feature: they must be represented in the form of ordinal numbers, beginning at «1». The list located in HKEY_LOCAL_MACHINE hive will be processed before the list of HKEY_CURRENT_USER hive.

Startup while Windows Logon

The separate group Windows Logon for the control over the initialisation during the user registration appears in Windows NT and is developed further by Microsoft for Windows version 2000 and XP. The Winlogon values are located in the system registry in «SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon» key of HKEY_LOCAL_MACHINE hive. All the described in the article values, related to Winlogon, have the string type.

Shell value

The «Shell» value standing for the program shell, is present in the system registry branch «Winlogon» in Windows versions NT, 2000 and XP.

This string value determines the list of executable files providing the operating system with the user interface, and which must be launched together with the program shell.

«By default» Windows launches the programs, enlisted in «Userinit» value, located in «Winlogon» branch, and including very «Userinit.exe». If, by any reason, «Winlogon» process could not launch the programs defined in «Userinit» value, then «Winlogon» would directly go to process the executable files, which name are registered in «Shell» value.

The «value by default» of «Shell» can vary. This is «taskman, progman, wowexec» for Windows NT and «Explorer.exe» for Windows 2000, XP.

System value

This value is present in Windows versions NT, 2000 and XP. It contains the list of executable files launched by Winlogon in the system context during the system initialisation. This list can be varied by modification of this value.

The «value by default» is «lsass.exe, spoolss.exe» for Windows NT and «lsass.exe» for Windows 2000, XP. The note by Microsoft given in MSDN is interesting: «This entry appears in the registry, but it is not used by Windows».

VmApplet value

«VmApplet» value launching the «Control Panel» application for the system configuration is specific for Windows versions 2000 и XP.

It stores the list or one executable file, which is launched by Winlogon process to let user to adjust the virtual memory settings, if the system volume misses the paging swap-file. The file extensions for the file name are not obligatory.

The «value by default» for it is «rundll32 shell32, Control_RunDLL "sysdm.cpl"». One must not change the content of this value without need, because it can lead to the change of virtual memory settings in Windows 2000, XP.

Userinit value

«Userinit» (user initialization) is specific for Windows versions NT, 2000 and XP.

The content of this value contains the executables, which are launched by WinLogon process in user context, during the user registration in the system.

«By default» Winlogon launches «Userinit.exe», which is responsible for the launch of program shell, and executes the script files for registration, re-establishes the network connections and then launches the «Explorer.exe».

The «value by default» for «Userinit» is «userinit, nddeagnt.exe» for Windows NT, «userinit» for Windows 2000, XP. «nddeagnt.exe» application is necessary for the NetDDE launch - network dynamic data exchange.

The extensions in file name enumerated in this value are not obligatory.

One may change the content of this value by adding or removing the programs from the list. «Userinit.exe» can be changed to the name of one's own program, not having forgotten to include in application the code for «Userinit.exe» launch, if it is necessary to launch the application before the user interface together with the Windows «explorer» is loaded. Or make much simpler, creating the executable file for batch processing named «userinit.bat» with the list of programs for launch and registering in one of the lines the very «Userinit.exe» file.

P.S. These are administrators, but not hackers, who were addressed with the information, systematised in this article. The official Microsoft documentation contains in such or other form all the knowledge given in the article.

Valient Newman aka Black Prince


All of these was realised in Activity and Authentication Analyzer

Thursday, July 18, 2002

System Policies for the restriction of printers

mad hack

The article describes the System Policies, which restrict the access to the adjustments, forbids deleting or adding new printers to the system.

While elaborating on the security rules for computer system, the part of rules are dedicated to the printer management. The prohibitions against: settings adjustment, addition or new printers installation are included to management of printers in the framework of security rules. The second, what can be emphasised while creating stricter rules - the access to printers must be under proper supervision to avoid undesirable, on the reason of elementary paper and supplying materials economy, or not authorised, on the reason of conducting confidentiality measures.

As far as I revealed, all the illustrated policies for management of printers can be located in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER system registry hives and applied to Local Machine or Current User respectively. If the same policy was applied both to HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, while conflict exists, the policy with Local Machine range has the priority over the policy with the range of Current User.

All the values have numeric DWORD type. The value equals "1" stands for the active state of the policy, its absence or value "0" cancels the restriction introduced by the system policy.

The last, what I would like to give the accent to in the preface is in order to put for sure into the effect the system policy, Windows must be restarted.

Disable Addition of Printers

The numeric value "NoAddPrinter" located in the branch "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" is responsible for this policy. This system policy prohibits from using the applet Printers from the Control Panel to add new printers to the system.

While attempt to install new printer using Printers folder, the message appears explaining that due to restrictions set by system administrator this action is impossible.

Disable Deletion of Printers

DWORD-value "NoDeletePrinter" stores the state of this system policy, which is created in the branch "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer". This policy prohibits from deleting of printers from the system. Printer can be deleted by selecting the Delete menu item in short-cut menu of the corresponding printer shown in Printers folder in Control Panel. While attempt to delete printer using Printers folder, the message appears explaining that this is impossible due to restrictions introduced by system administrator.

Hide General and Details Pages

This policy can be applied under Windows 95, 98 and ME.

The value "NoPrinterTabs" stores the state of this policy, which must be located in the same "Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" branch as above-mentioned system policies. If this policy is enabled, the General and Details pages are hidden in the printer property dialog box, thus protecting from the changing of specific settings. Since the Details page allows manipulating the system settings, therefore there may be the need to remove the access to it for not experienced users.


The implementation in Activity and Authentication Analyzer

In order to see the state of above-mentioned policies or to manipulate them in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then Control Panel, Printers item after this, and find in the right list items corresponding to these policies named:

  • Disable Addition of Printers
  • Disable Deletion of Printers
  • Hide General and Details Pages

Thursday, July 11, 2002

System Policies for the restriction of MS-DOS

mad hack

The article is dedicated to the System Policies destined for the restriction of MS-DOS.

When developing the operating system, the Microsoft Corporation encounters all the time the next dilemma. On the one hand the need to provide with the backward compatibility with the previous operating systems and programs, developed for them, including MS-DOS. On the other hand, the urgent demand to get rid of the very MS-DOS to provide secure and stable functioning, to design operating system with genuine multitasking and correct resource sharing. The literal reading of the abbreviation, which gives the name to system registry key storing the policies destined for the MS-DOS restriction: "WinOldApp" - Windows Old Applications.

Time by time, the administrator faces the need to forbid the users to launch the MS-DOS applications or reboot the computer to the single MS-DOS mode, while conducting the administration of either net client or servers.

I deliver few thoughts to ensure the benefits of the policies, which are resorted to for MS-DOS restriction in Windows systems. The 16-bit Windows applications are unsecured for the safety and stability of the working under Windows systems. While the most of the MS-DOS applications are finely performed simultaneously in the 32-bit Windows environment, some MS-DOS applications demand the monopoly access to the system resources for the performance. The Virtual Machine Manager (VMM) creates the system environment with the exclusive rights, so-called the Single MS-DOS mode. When MS-DOS application is launched in the MS-DOS mode, it is gained the exclusive rights for the system resources and no other applications or processes have any rights to access the system resources. Therefore the MS-DOS applications are also the threat because of the possible capture of the control over the system resources. Besides, the MS-DOS prohibition disables execution of the game programs, designed for MS-DOS, which distract from job, and are often, like other computer games, potential virus containers.

To tell the truth, all above-given argumentation, like the system policies, developed by Microsoft for the MS-DOS restriction are no more than palliation.

Disable MS-DOS Command Prompt

This policy prohibits the MS-DOS Command Prompt usage in Windows or launch of the MS-DOS applications from within the Windows shell.

The numeric value "Disabled" responds for this system policy state, which is stored in the HKEY_CURRENT_USER hive of the system registry in the "Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp" branch. The value "1" enables the restriction for the MS-DOS applications launch, the value "0" or the absence of the value is the default state and removes this prohibition.

While attempting the DOS application launch or "MS-DOS Command Prompt" activation using the icon containing the link to the command interpreter "COMMAND.COM", Windows gives out the message that the administrator prohibits the launch. I do not deliver the literal message text, which is varied depending on the Windows version.

Disable Single Mode MS-DOS Applications

This policy is intended for the prohibition of the Windows reboot to the Single MS-DOS mode. Its state does not affect the usage of MS-DOS Command Prompt in Windows or the MS-DOS applications launch from within the Windows shell.

The state of this system policy is stored in the numeric value "NoRealMode", which is located in the same system registry branch as above-described value: "Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp" in the hive HKEY_CURRENT_USER. The value equals to "1" stands for the prohibition of the MS-DOS launch in the Single mode. The value "0", which is default state, or its absence removes the prohibition of the Single MS-DOS mode.

When this policy is enabled in Windows 95/98 the menu item "Restart in MS-DOS mode" is removed from the "Shut Down" dialog box. However, it must be noted here, that this does not prohibit entirely the MS-DOS launch in the Single mode. The Single MS-DOS mode can be entered, while Windows booting by clicking F8 key and than selecting any item, which contains the "Command Prompt".

In Windows ME and later this value can be stored in the system registry in two hives: HKEY_CURRENT_USER and in HKEY_LOCAL_MACHINE hive, and spreads the scope either on the Local Machine or Current User respectively. There is no conflict between the policies having the different scopes: any policy disables the Single MS-DOS mode.

Another attempt to get rid of MS-DOS was undertaken in Windows ME - the menu item "Restart in MS-DOS mode" was removed from the "Shut Down" dialog box in a difference from the Windows 9.x. However, it inherits a lot o interface from the previous versions. That is why, the policy "Disable Single Mode MS-DOS Applications" applied on the Local Machine is used to remove some unnecessary elements. If deleting the value from the system registry has disabled this policy, there will be an interesting effect: the menu item "Restart in MS-DOS mode" will appear in the "Shut Down" dialog box. But an attempt to reboot to MS-DOS gives nothing; there will be the message explaining that this version of Windows does not support the MS-DOS mode.

In order to see the state of above-mentioned policies or to manipulate them in Activity and Authentication Analyzer follow in the left navigation pane next way:

Computer Administration then MS DOS and find in the right list items corresponding to these policies named:

  • Disable MS-DOS Command Prompt
  • Disable Single Mode MS-DOS Applications

Activity and Authentication Analyzer history

"Activity and Authentication Analyzer" takes into account what system policies and what histories of user activity are inherent in...