Windows System Configuration Utility: An unexpected antispyware tool


Brien M. Posey
07.24.2006
Rating: 4.69 (out of 5)


Advice for securing Windows


Although the System Configuration Utility has been around since Windows ME, and it was never really intended as a security tool, I have found it to be particularly effective in the war against spyware. In case you are not familiar with the System Configuration Utility, it is a tool that shows you everything that is being run at system startup. It also gives you the option of disabling anything that should not be running.

The System Configuration Utility was originally designed as a diagnostic tool that would allow you to disable anything in the system startup that might be interfering with Windows' ability to boot properly. However, the System Configuration Utility also makes an effective spyware detection tool, because many spyware mechanisms embed themselves into the system startup.

You can launch the System Configuration Utility by entering the MSCONFIG command at the Windows Run prompt. When you do, Windows will launch the System Configuration Utility, and the General tab will be selected, as shown in Figure A.

[IMAGE]
Figure A: This is what the System Configuration Utility looks like.

This screen gives you three primary options. You can perform a normal, diagnostic or a selective startup. A diagnostic startup loads Windows with a minimal set of drivers and services, similar to booting in Safe Mode. A selective startup allows you to disable individual parts of the boot process. For example, you could configure Windows so that it does not process the System.ini file or so that it does not load the various startup items.

If you look at Figure A, you will notice that the System Configuration Utility also contains tabs labeled SYSTEM.INI, WIN.INI, BOOT.INI, Services and Startup. These tabs allow you to view, and disable if necessary, settings within those particular areas of the system startup. For example, if you select the SYSTEM.INI tab, you'll see all the commands found within the SYSTEM.INI file, as shown in Figure B. If you look at the figure, you will notice that each of the commands has a check box beside it. You can deselect the check box to disable a particular command.

[IMAGE]
Figure B: You can disable individual commands by deselecting a check box.

Now take a look at the Services tab, shown in Figure C. As you might expect, the Services tab contains a list of all of the services on the system, their manufacturer and whether or not the services are running. The main thing I wanted to show you about this tab though is the Hide All Microsoft Services check box.

[IMAGE]
Figure C: The services tab contains an option to hide all Microsoft services.

By selecting the Hide All Microsoft Services check box, you can force the System Configuration Utility to show only services installed by third-party applications. This is a particularly effective weapon in trying to track down services related to spyware. One common technique used by spyware authors is to create services with names that appear to be legitimate parts of the operating system. However, if you hide all of the services created by Microsoft, you can be sure that anything that's left on the list was created by someone else. That doesn't necessarily mean that the remaining services are malicious, though. For example, if you look at Figure C you will notice that some of the services on my system are related to my video driver and my sound card driver.

A better tool

The System Configuration Utility can be a handy tool for tracking down spyware, but Microsoft originally intended it to be a diagnostic utility for the boot process, so as a spyware removal tool it does have its shortcomings. For example, the Startup tab does not list every conceivable place in the registry from which a program could be launched. Likewise, almost all spyware embeds itself into Internet Explorer. You may have noticed that the System Configuration Utility makes no mention of Internet Explorer.

Fortunately, there is an alternative. A company named Sysinternals, which was recently acquired by Microsoft, realized that the System Configuration Utility had potential as an antispyware tool. Consequently, the company developed their own version called Autoruns. While the System Configuration Utility comes with the operating system, you can download Autoruns for free.

The Autoruns tool is simply an expansion of the System Configuration Utility. It uses a similar tabbed interface, and also uses check boxes to enable or disable individual components.

[IMAGE]
Figure D: This is the Autoruns utility.

If you look at Figure D, you will notice that Autoruns isn't quite as granular as the System Configuration Utility and that it does not have tabs for each individual .INI file. However, the Autoruns utility does have tabs for other things such as Internet Explorer, scheduled tasks, print monitors, and LSA providers.

The Autoruns tool has a couple of other cool things that it can do as well. For example, the tool allows you to examine the operating system on a user by user basis. By doing so, you can see startup items that apply to one user account but not to another.
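The two gaps described above, registry launch points the Startup tab never shows and startup items that differ from one user account to the next, can both be surveyed from an elevated PowerShell prompt. The script below is an added example written for this page, not code from the article, from MSCONFIG or from Sysinternals. It walks a hand-picked list of well-known autostart keys (an illustrative sample, not a complete catalogue) under the machine hive and under every user hive currently loaded in HKEY_USERS, and prints what each one launches.

```powershell
# Added example (not from the article): enumerate common registry autostart
# points for the machine and for every loaded user hive. Run elevated.

# Launch points relative to a hive root. Values = $null means "list every
# value under the key"; otherwise only the named values are autostart-relevant.
# This is a sample of well-known locations, not an exhaustive list.
$AutostartPoints = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Run';                   Values = $null },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\RunOnce';               Values = $null },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Values = $null },
    @{ Key = 'Software\Microsoft\Windows NT\CurrentVersion\Windows';            Values = @('Load', 'Run') },
    @{ Key = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon';           Values = @('Shell', 'Userinit') }
)

function Get-AutostartEntries {
    param([string]$HiveRoot, [string]$Scope)
    foreach ($point in $AutostartPoints) {
        $path = Join-Path $HiveRoot $point.Key
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        $names = if ($point.Values) { $point.Values } else { $key.GetValueNames() }
        foreach ($name in $names) {
            $value = $key.GetValue($name)
            if ($null -eq $value -or $value -eq '') { continue }
            [pscustomobject]@{
                Scope   = $Scope
                Key     = $path
                Name    = $name
                Command = $value
            }
        }
    }
}

# HKEY_USERS has no default PSDrive, so map one to reach per-user hives.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$results = [System.Collections.Generic.List[object]]::new()

# Machine-wide entries apply to every account that logs on.
foreach ($entry in Get-AutostartEntries -HiveRoot 'HKLM:\' -Scope 'Machine') {
    $results.Add($entry)
}

# One pass per loaded user hive (S-1-5-21-... is a real account; _Classes hives are skipped).
$userHives = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
foreach ($hive in $userHives) {
    $sid = $hive.PSChildName
    $account = try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }   # fall back to the raw SID for accounts that no longer resolve
    foreach ($entry in Get-AutostartEntries -HiveRoot "HKU:\$sid" -Scope $account) {
        $results.Add($entry)
    }
}

$results | Sort-Object Scope, Key, Name | Format-Table -AutoSize -Wrap
```

Only hives that are currently loaded appear under HKEY_USERS, so an account that has never logged on since the last boot is not inspected; Autoruns offers the same per-user view from its User menu. The Winlogon Shell and Userinit values are included because a value other than the stock explorer.exe or userinit.exe is worth a closer look, and the machine and per-user rows are listed side by side so that an item present for only one account stands out.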

Earlier, when I was talking about the System Configuration Utility, I showed you the option to hide Microsoft Services. The Autoruns utility has a similar feature. You can hide anything created by Microsoft. What's nice is that where the System Configuration Utility was only able to hide services created by Microsoft, the Autoruns utility is able to hide anything created by Microsoft. This includes services, DLLs, and just about everything else.

One last feature that I want to mention is that the Autoruns utility is able to verify code signatures. This is important because some spyware modules work by replacing operating system files with malicious files of the same name, or by making modifications to operating system files (or driver files). If an operating system file is signed, then you can verify the signature in an effort to make sure that the file has not been modified.

As you can see, the System Configuration Utility that is included with Windows is an excellent tool for diagnosing startup problems, and for tracking down some types of spyware. If you need something a little more advanced though, I highly recommend checking out the Autoruns utility from Sysinternals.
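The Hide All Microsoft Services filter and the code-signature verification described above can be combined into one check. The script below is an added example written for this page, not code from the article or from Sysinternals. Rather than trusting the manufacturer string a service reports about itself, it resolves each service's binary (following svchost-hosted services to their ServiceDll), verifies the Authenticode signature, and lists everything that is not validly signed by Microsoft, which is roughly the set of services the hidden-Microsoft view leaves behind. The 'O=Microsoft Corporation' subject match is this example's own heuristic for "signed by Microsoft".

```powershell
# Added example (not from the article): list services that are not validly
# signed by Microsoft, and show each one's signature status. Run elevated so
# that binaries under protected paths can be read.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName is a command line: "quoted path" args, or an unquoted path
    # (possibly containing spaces) followed by arguments.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-ServiceCodePath {
    param([Microsoft.Management.Infrastructure.CimInstance]$Service)
    $bin = [Environment]::ExpandEnvironmentVariables((Get-ServiceBinaryPath $Service.PathName))
    # svchost-hosted services all share Microsoft's svchost.exe; the code that
    # actually runs is the DLL named by ServiceDll (usually under Parameters).
    if ($bin -match 'svchost\.exe$') {
        $base = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)"
        foreach ($keyPath in @("$base\Parameters", $base)) {
            $dll = (Get-ItemProperty -LiteralPath $keyPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $bin
}

function Get-NonMicrosoftServices {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $code = Get-ServiceCodePath $svc
        $sig = $null
        if (Test-Path -LiteralPath $code) {
            $sig = Get-AuthenticodeSignature -LiteralPath $code
        }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Heuristic for "Microsoft": a valid signature whose subject names Microsoft Corporation.
        $isMicrosoft = ($sig -and $sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
        if ($isMicrosoft) { continue }   # the equivalent of Hide All Microsoft Services
        [pscustomobject]@{
            Name      = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            Code      = $code
            SigStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer    = $signer
        }
    }
}

Get-NonMicrosoftServices | Sort-Object SigStatus, Name | Format-Table -AutoSize -Wrap
```

Read the SigStatus column with the same caution the article applies to the Services tab: NotSigned or HashMismatch on a binary under the Windows directory deserves attention, but an unsigned third-party driver helper is not evidence of spyware on its own. Many Windows system files are signed through security catalogs rather than an embedded signature; Get-AuthenticodeSignature recognizes catalog signatures on Windows 8 and later, while on older systems such files show as NotSigned even when they are genuine.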

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
