Although the System Configuration Utility has been around since Windows ME, and it was never really intended as a security tool, I have found it to be particularly effective in the war against spyware. In case you are not familiar with the System Configuration Utility, it is a tool that shows you everything that is being run at system startup. It also gives you the option of disabling anything that should not be running.
The System Configuration Utility was originally designed as a diagnostic tool that would allow you to disable anything in the system startup that might be interfering with Windows' ability to boot properly. However, the System Configuration Utility also makes an effective spyware detection tool, because many spyware mechanisms embed themselves into the system startup.
You can launch the System Configuration Utility by entering the MSCONFIG command at the Windows Run prompt. When you do, Windows will launch the System Configuration Utility, and the General tab will be selected, as shown in Figure A.
Figure A: This is what the System Configuration Utility looks like.
This screen gives you three primary options. You can perform a normal, diagnostic or a selective startup. A diagnostic startup loads Windows with a minimal set of drivers and services, similar to booting in Safe Mode. A selective startup allows you to disable individual parts of the boot process. For example, you could configure Windows so that it does not process the System.ini file or so that it does not load the various startup items.
If you look at Figure A, you will notice that the System Configuration Utility also contains tabs labeled SYSTEM.INI, WIN.INI, BOOT.INI, Services and Startup. These tabs allow you to view, and disable if necessary, settings within those particular areas of the system startup. For example, if you select the SYSTEM.INI tab, you'll see all the commands found within the SYSTEM.INI file, as shown in Figure B. If you look at the figure, you will notice that each of the commands has a check box beside it. You can deselect the check box to disable a particular command.
Figure B: You can disable individual commands by deselecting a check box.
Now take a look at the Services tab, shown in Figure C. As you might expect, the Services tab contains a list of all of the services on the system, their manufacturer and whether or not the services are running. The main thing I wanted to show you about this tab though is the Hide All Microsoft Services check box.
Figure C: The services tab contains an option to hide all Microsoft services.
By selecting the Hide All Microsoft Services check box, you can force the System Configuration Utility to show only services installed by third party applications. This is a particularly effective weapon in trying to track down services related to spyware. One common technique used by spyware authors is to create services with names that appear to be legitimate parts of the operating system. However, if you hide all of the services created by Microsoft, you can be sure that anything that's left on the list was created by someone else. That doesn't necessarily mean that the remaining services are malicious though. For example, if you look at Figure C you will notice that some of the services on my system are related to my video driver and my sound card driver.
A better tool
The System Configuration Utility can be a handy tool for tracking down spyware, but Microsoft originally intended for it to be a diagnostic utility for the boot process, so as far as being a spyware removal tool, it does have its shortcomings. For example, the Startup tab does not list every conceivable place in the registry from which a program could be launched. Likewise, almost all spyware embeds itself into Internet Explorer. You may have noticed that the System Configuration Utility makes no mention of Internet Explorer.
Fortunately, there is an alternative. A company named Sysinternals, which was recently acquired by Microsoft, realized that the System Configuration Utility had potential as an antispyware tool. Consequently, the company developed their own version called Autoruns. While the System Configuration Utility comes with the operating system, you can download Autoruns for free.
The Autoruns tool is simply an expansion of the System Configuration Utility. It uses a similar tabbed interface, and also uses check boxes to enable or disable individual components.
Figure D: This is the Autoruns utility.
If you look at Figure D, you will notice that Autoruns isn't quite as granular as the System Configuration Utility and that it does not have tabs for each individual .INI file. However, the Autoruns utility does have tabs for other things such as Internet Explorer, scheduled tasks, print monitors, and LSA providers.
The Autoruns tool has a couple of other cool things that it can do as well. For example, the tool allows you to examine the operating system on a user-by-user basis. By doing so, you can see startup items that apply to one user account but not to another.
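The two gaps just described, registry launch points the Startup tab never shows and startup items that belong to one user account rather than another, can be inspected from the command line as well. The script below is an added example written for this article; it is not code from the original page or from Sysinternals. It walks the common Run, RunOnce and Policies\Explorer\Run keys for the machine and for every user profile whose hive is currently loaded under HKEY_USERS, and it lists the Winlogon Userinit and Shell values, which launch code at every logon. It assumes an elevated PowerShell session on a modern Windows version; the key names are the standard ones, and the output column names are my own.

```powershell
# Added example, not code from the article or from Sysinternals: enumerate common
# registry autostart locations for the machine and for every loaded user hive.
# Assumes an elevated PowerShell session (PowerShell 3.0 or later).

$RunSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit view on 64-bit Windows
)

# Properties the registry provider attaches to every key; they are not autostart values
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunKeyEntry {
    param([string]$HiveRoot, [string]$Owner)
    foreach ($sub in $RunSubKeys) {
        $key = Join-Path $HiveRoot $sub
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }
            [pscustomobject]@{ Owner = $Owner; Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-RegistryAutostart {
    # Machine-wide keys, which apply to every account that logs on
    Get-RunKeyEntry -HiveRoot 'HKLM:' -Owner 'Machine'

    # Winlogon values run at every logon; the stock values are "userinit.exe," and
    # "explorer.exe", so anything appended to them deserves a closer look
    $winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -LiteralPath $winlogon
    foreach ($name in 'Userinit', 'Shell') {
        [pscustomobject]@{ Owner = 'Machine'; Key = $winlogon; Name = $name; Command = $wl.$name }
    }

    # Per-user keys: HKEY_USERS holds one subkey per loaded profile, named by its SID.
    # PowerShell has no HKU: drive by default, so create one.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem -Path 'HKU:\') {
        $sid = $hive.PSChildName
        if ($sid -like '*_Classes') { continue }   # file-association hives carry no Run keys
        $owner = $sid
        try {
            # Translate the SID to DOMAIN\User so the report is readable
            $owner = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { }   # .DEFAULT and orphaned SIDs do not translate; keep the raw SID
        Get-RunKeyEntry -HiveRoot "HKU:\$sid" -Owner $owner
    }
}

Get-RegistryAutostart | Sort-Object Owner, Key, Name | Format-Table -AutoSize -Wrap
```

Only profiles that are loaded appear under HKEY_USERS, so a user who has never logged on, or who logged off before the script ran, is not shown; Autoruns handles that case by letting you pick the account from its User menu. The script reports what is there and disables nothing; compare each Command against the vendor and file location you expect before removing it.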
One last feature that I want to mention is that the Autoruns utility is able to verify code signatures. This is important because some spyware modules work by replacing operating system files with malicious files of the same name, or by making modifications to operating system files (or driver files). If an operating system file is signed, then you can verify the signature in an effort to make sure that the file has not been modified.
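Signature verification is also what makes the Hide All Microsoft Services view described earlier trustworthy: a service can be given any name or description, but it cannot be given a valid Microsoft signature. The script below is an added example written for this article, not code from the original page or from Sysinternals. It reproduces that view from the command line by resolving each service to the file that actually carries its code and checking that file's Authenticode signature with Get-AuthenticodeSignature. It assumes an elevated PowerShell session on Windows 8 or later, where catalog-signed system files validate as well; the helper names and output columns are my own.

```powershell
# Added example, not code from the article or from Sysinternals: list services whose
# code is not validly signed by Microsoft, the same idea as MSCONFIG's "Hide All
# Microsoft Services" check box but decided by signature rather than by name.
# Assumes an elevated PowerShell session on Windows 8 or later.

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Service command lines come in two shapes:
    #   "C:\Program Files\Vendor\svc.exe" -arg      (quoted path)
    #   C:\Windows\system32\svchost.exe -k netsvcs  (unquoted path, may contain spaces)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $PathName -split ' '
    # Unquoted: grow the candidate one token at a time until it names an existing file
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-ServiceModule {
    param($Service)
    $exe = Get-ServiceBinaryPath $Service.PathName
    # svchost.exe itself is always Microsoft-signed; the code that really runs is the
    # ServiceDll named under the service's Parameters key, so check that file instead
    if ($exe -and $exe -match '\\svchost\.exe$') {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Service.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if ($dll) { $exe = [Environment]::ExpandEnvironmentVariables($dll) }
    }
    return $exe
}

function Get-NonMicrosoftService {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $module = Get-ServiceModule $svc
        if (-not $module -or -not (Test-Path -LiteralPath $module -PathType Leaf)) {
            # A registered service whose file is missing is worth a look in its own right
            [pscustomobject]@{ Name = $svc.Name; State = $svc.State; Signature = 'FileNotFound'
                               Publisher = ''; Module = $svc.PathName }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $module
        $publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # Count as Microsoft only when the signature validates AND the signer is Microsoft;
        # a signed-but-invalid status means the file was modified after signing
        $isMicrosoft = ($sig.Status -eq 'Valid') -and ($publisher -match 'O=Microsoft Corporation')
        if (-not $isMicrosoft) {
            [pscustomobject]@{ Name = $svc.Name; State = $svc.State; Signature = $sig.Status
                               Publisher = $publisher; Module = $module }
        }
    }
}

Get-NonMicrosoftService | Sort-Object Name | Format-Table -AutoSize -Wrap
```

As with the MSCONFIG view, what remains is not automatically malicious; on most systems it is video, audio and other hardware vendors' services, which show a Valid signature under their own company name. The entries to examine first are those with a Signature of NotSigned or HashMismatch, and any Publisher that merely resembles Microsoft's without being it.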
As you can see, the System Configuration Utility that is included with Windows is an excellent tool for diagnosing startup problems, and for tracking down some types of spyware. If you need something a little more advanced though, I highly recommend checking out the Autoruns utility from Sysinternals.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.