Windows Services

Some people have asked me, “How do I know what software is loaded when my machine boots up?” According to Microsoft TechNet:

Under Microsoft Windows 95, Windows 98, and Windows Millennium Edition (Me) where all keys are supported, the keys are loaded in the following order:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

<Logon Prompt>

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

StartUp Folder

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

With the exception of the HKEY_LOCAL_MACHINE\…\RunOnce key, all keys and their entries are loaded asynchronously. Therefore, all entries in the RunServices and RunServicesOnce keys can potentially run at the same time.

Entries in the HKEY_LOCAL_MACHINE\…\RunOnce key are loaded synchronously in an undefined order.

Because the HKEY_LOCAL_MACHINE\…\RunOnce key is loaded synchronously, all of its entries must finish loading before the HKEY_LOCAL_MACHINE\…\Run, HKEY_CURRENT_USER\…\Run, HKEY_CURRENT_USER\…\RunOnce, and Startup Folder entries can be loaded.

The RunServicesOnce and RunServices keys are loaded before the user logs into Windows 95, Windows 98, and Windows Me. Because these two keys run asynchronously with the Logon dialog box, they can continue to run after the user has logged on. However, since HKEY_LOCAL_MACHINE\…\RunOnce must load synchronously, its entries will not begin loading until after the RunServicesOnce and RunServices keys have finished loading.

Because of different system configurations (such as a computer that is configured to automatically log on), any application that is dependent upon other applications that are executed under these keys having completed must be prepared to wait until these applications are complete. Other than this exception, the above description applies to Microsoft Windows NT 4.0, Windows 2000, and Windows XP.

If you’re leery about messing with your registry, you can also use Mark Russinovich’s Autoruns utility, available at the Sysinternals web site.

This will help you to identify spyware or adware that may be loading up on your machine at boot time.

If you think your machine has been hacked, this procedure probably won’t help you, as many/most packaged rootkits will attempt to hide themselves from cursory inspection of the registry. You can use RootkitRevealer to detect user- or kernel-level rootkits.
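
The registry keys and StartUp folder listed above can also be read in one pass without opening a registry editor; the PowerShell script below is an added example, not part of the original post or the TechNet text, and it only reads. It assumes PowerShell 3.0 or later and treats both the per-user and the all-users StartUp folders as the "StartUp Folder" entry in the list.

```powershell
# Added example: read-only inventory of the autostart locations quoted above,
# numbered in the load order given in the TechNet text. Nothing is modified.
$cv = 'Software\Microsoft\Windows\CurrentVersion'
$locations = @(
    @{ Order = 1; Path = "HKLM:\$cv\RunServicesOnce" },
    @{ Order = 2; Path = "HKLM:\$cv\RunServices" },
    @{ Order = 3; Path = "HKLM:\$cv\RunOnce" },
    @{ Order = 4; Path = "HKLM:\$cv\Run" },
    @{ Order = 5; Path = "HKCU:\$cv\Run" },
    @{ Order = 7; Path = "HKCU:\$cv\RunOnce" }
)

$registryEntries = foreach ($loc in $locations) {
    # Not every Windows version has every key, so a missing key is
    # skipped instead of being reported as an error.
    if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
    $key = Get-Item -LiteralPath $loc.Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Order    = $loc.Order
            Location = $loc.Path
            Name     = $name
            # Keep %VARIABLES% unexpanded so the command is shown as stored.
            Command  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
}

# Position 6 in the quoted order: the StartUp folder (assumption: per-user
# and all-users folders are both of interest).
$folders = 'Startup', 'CommonStartup' |
    ForEach-Object { [Environment]::GetFolderPath($_) } |
    Where-Object { $_ }
$folderEntries = foreach ($folder in $folders) {
    Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            [pscustomobject]@{ Order = 6; Location = $folder; Name = $_.Name; Command = $_.FullName }
        }
}

# @() keeps the concatenation valid when either side is empty or a single item.
@($registryEntries) + @($folderEntries) |
    Sort-Object Order, Location, Name |
    Format-Table -AutoSize -Wrap
```

The output is subject to the same caveat as manual inspection: a rootkit that hides registry entries from the operating system's own APIs hides them from this script too.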


Posted March 30, 2007 by padraic2112 in OS, registry, security, software, tech, Uncategorized, Windows
