Advanced techniques for disabling Windows XP startup programs


Brien M. Posey, Contributor
12.26.2007

In the first article of this series, I explained how to use the Safe Mode menu and Shift key to prevent certain Windows XP startup programs from loading. Although those techniques do work, they are not appropriate for every situation. In this article, I will continue the discussion by showing you some of the more advanced techniques for disabling annoying Windows XP startup programs.


Editing the registry

The Windows registry can be configured to launch applications at startup. In fact, adding calls to launch applications to the Windows registry is a favorite technique of malware authors. Don't assume though that just because a process is being launched from a call in the registry that the process is related to malware, because many legitimate applications are launched through the registry. This is particularly true of antivirus software and other applications that run in the background.

The most effective way to prevent an application from running on startup is to simply delete the registry key that calls it. Before you do, though, it is extremely important that you know exactly what it is that you are deleting. I will talk about identifying unknown processes in much more detail later in this series. For now, however, if you need to identify a process prior to deleting a registry key that calls it, try doing a Google search on the process' file name.

WARNING: Editing the registry is dangerous. Making an incorrect modification to the registry can destroy Windows and/or your applications. I therefore recommend making a full system backup before continuing.

With that said, Windows differentiates between processes that are only run during the next reboot and those that are configured to run every time Windows is started. Calls to processes that are run only after the next reboot can be found beneath the following registry locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Finding calls to processes that run each time Windows is booted is a bit trickier. Here are the primary locations where these calls are stored:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Calls can also be made on a per-user basis. The problem is that users are identified by GUID, rather than by user name. It is common for some types of malware to create a call to a malicious process for each individual user. The idea is that if one user cleans the call to the process from the machine, another user can log into the machine and cause it to become infected all over again. This works because each user's own Run key is processed only when that user logs in; it is not processed when other users log in. Therefore, if you are trying to track down a malicious process, it is a good idea to check each user account. Typically, there won't be too many accounts to sift through, and you can find calls to startup programs for individual user accounts at the following location:

HKEY_Users\user's GUID\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
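The audit the preceding paragraphs describe, as an added PowerShell example that is not part of the original article: it walks the Run and RunOnce keys under HKEY_LOCAL_MACHINE, HKEY_CURRENT_USER and every loaded user hive under HKEY_USERS (the per-user subkeys are named by the account's security identifier, the S-1-5-21-... string the article refers to as a GUID), and reports each entry together with the executable it points to so that the file name can be researched before the value is deleted. The function name Get-StartupRegistryEntry is this example's own, not a built-in cmdlet; the script only reads the registry.

```powershell
# Added example (not from the article): list every Run/RunOnce entry across the
# machine, current-user and per-user hives without modifying anything.
function Get-StartupRegistryEntry {
    $subKeys = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    # HKLM: and HKCU: exist as PowerShell drives; HKEY_USERS must be mapped by hand.
    $roots = @('HKLM:', 'HKCU:')
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Each loaded user profile appears under HKEY_USERS as a subkey named by its SID.
    # The *_Classes subkeys are per-user HKCR overlays and carry no Run keys, so skip them.
    $userHives = Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $userHives) {
        $roots += "HKU:\$($hive.PSChildName)"
    }

    foreach ($root in $roots) {
        foreach ($sub in $subKeys) {
            $path = "$root\$sub"
            if (-not (Test-Path -Path $path)) { continue }
            $key = Get-Item -Path $path
            foreach ($name in $key.GetValueNames()) {
                $command = [string]$key.GetValue($name)
                if ([string]::IsNullOrEmpty($command)) { continue }

                # Reduce the command line to the executable path: take a leading quoted
                # token if present, otherwise the first space-delimited token.
                $exe = $command -replace '^"([^"]+)".*$', '$1'
                if ($exe -eq $command) { $exe = ($command -split ' ')[0] }
                $exe = [Environment]::ExpandEnvironmentVariables($exe)

                New-Object PSObject -Property @{
                    Key        = $path
                    Name       = $name
                    Command    = $command
                    Executable = $exe
                    # A value whose target no longer exists is a leftover worth cleaning up;
                    # one whose target is unfamiliar is the one to research first.
                    Exists     = (Test-Path -Path $exe -PathType Leaf)
                }
            }
        }
    }
}

Get-StartupRegistryEntry | Format-Table Key, Name, Executable, Exists -AutoSize
```

Two caveats when reading the output: HKEY_USERS only contains hives that are currently loaded (the logged-on users plus the default and service accounts), so a profile that has not logged in since boot will not appear until its hive is loaded, and the current user's entries show up twice, once under HKCU: and once under the matching SID. An unquoted path that contains spaces is truncated at the first space by the simple tokenizer above, so treat an Exists value of False on such a line as "check by hand" rather than "gone".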

Some Group Policies prevent actions at startup

Editing the registry works really well if you find yourself having to manually remove an unwanted process from one or two workstations. As we all know, though, malware infections can spread rapidly, and who wants to manually edit the registries of every workstation on your network? Fortunately, you don't have to.

Windows includes Group Policy settings that prevent the registry from launching applications on system startup. Keep in mind, though, that the technique I am about to show you is an all-or-nothing proposition. The Group Policy Object Editor isn't flexible enough to allow you to selectively enable and disable various processes. You have the option of preventing Windows from using the registry to launch processes at startup, but, by doing so, you may disable desirable processes as well as unwanted ones. You do, however, have the option of specifying the processes you want to run when a user logs in directly through the Group Policy rather than through the registry.

Since Group Policies are hierarchical in nature, in the beginning I recommend that you experiment with this technique using only the local security policy on a few workstations. If testing reveals that this technique isn't going to cause problems, then you can always implement the settings at the domain or OU level of the Group Policy hierarchy later on.

To prevent processes from being called from the registry at system startup, open the Group Policy Object Editor and navigate through the Group Policy tree to the following location:

User Configuration\Administrative Templates\System\Logon

There are three Group Policy settings of interest in this location:

Do Not Process the Run Once List
This setting prevents processes listed in the following registry locations from being launched:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Do Not Process the Legacy Run List
This setting prevents processes listed in the following registry locations from being launched:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_Current_User\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_Users\user's GUID\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Run These Programs at User Logon
This setting allows you to specify the processes that you do want to run during startup.

Calls to startup processes can be associated either with the computer or with the user account. Therefore, you will find a duplicate set of Group Policy settings beneath the Group Policy Editor's Computer Configuration container at Computer Configuration\Administrative Templates\Logon.
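Before rolling the three policies out beyond a test workstation, it helps to be able to confirm on a given machine which of them are actually in effect and what the "Run These Programs at User Logon" list currently contains. The following PowerShell is an added example, not code from the article or from Microsoft: it reads the Policies\Explorer key under both HKLM and HKCU (the computer and user scopes the paragraph above contrasts) and reports the state of each policy. The value names DisableLocalMachineRun, DisableLocalMachineRunOnce, DisableCurrentUserRun and DisableCurrentUserRunOnce, and the Policies\Explorer\Run subkey for the logon list, are the locations I understand these Administrative Template settings to write; treat them as an assumption and confirm against the .adm template on your own system. The function names are this example's own.

```powershell
# Added example (not from the article): show which "Do not process ..." logon
# policies are enabled in the computer (HKLM) and user (HKCU) scopes, and list
# the programs queued by "Run These Programs at User Logon". Read-only.
function Get-LogonRunPolicy {
    # Assumed value names for the three policies discussed in the text.
    $valueNames = @(
        'DisableLocalMachineRun',
        'DisableLocalMachineRunOnce',
        'DisableCurrentUserRun',
        'DisableCurrentUserRunOnce'
    )
    foreach ($root in @('HKLM:', 'HKCU:')) {
        $policyKey = "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        foreach ($v in $valueNames) {
            $value = $null
            if (Test-Path -Path $policyKey) {
                $value = (Get-ItemProperty -Path $policyKey -Name $v -ErrorAction SilentlyContinue).$v
            }
            # Absent value = policy not configured; REG_DWORD 1 = enabled; 0 = disabled.
            if ($null -eq $value)  { $state = 'Not configured' }
            elseif ($value -eq 1)  { $state = 'Enabled' }
            else                   { $state = 'Disabled' }
            New-Object PSObject -Property @{
                Scope  = $root.TrimEnd(':')
                Policy = $v
                State  = $state
            }
        }
    }
}

function Get-PolicyRunList {
    # "Run These Programs at User Logon" stores one value per program (assumed location).
    foreach ($root in @('HKLM:', 'HKCU:')) {
        $runKey = "$root\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
        if (-not (Test-Path -Path $runKey)) { continue }
        $key = Get-Item -Path $runKey
        foreach ($name in $key.GetValueNames()) {
            New-Object PSObject -Property @{
                Scope   = $root.TrimEnd(':')
                Name    = $name
                Command = [string]$key.GetValue($name)
            }
        }
    }
}

Get-LogonRunPolicy | Format-Table Scope, Policy, State -AutoSize
Get-PolicyRunList  | Format-Table Scope, Name, Command -AutoSize
```

Run it as the user whose logon you are testing, since the HKCU scope reflects that account only. Because the policy list is itself a registry location that launches programs at logon, it belongs on the same checklist as the Run and RunOnce keys when you are hunting for an unwanted startup entry.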

This article is part of the series Disabling Startup Programs in Windows XP:
Part 1: Using Safe Mode and the Shift key
Part 2: Editing the registry and using Group Policy
Part 3: The System Configuration Utility and the trouble with networks


Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. He writes regularly for SearchWinComputing.com and other TechTarget sites.

