Tuesday, February 10, 2009

Who’s That Hiding in my Windows?

Hello AskPerf!  My name is Satyajit and I am a Support Engineer on the Performance team.  Today we’re going to discuss a very useful Windows SysInternals tool named Autoruns, which we can use to examine the programs that start during the boot process or the login process.  This is particularly useful when you start digging around for potential malware, as well as for applications that are configured to auto-start that you had no idea were even running!  So without further delay – let’s dive right in …

Most administrators are aware of the usual places to look for programs that are auto-starting – such as the Startup folder itself and the Run and RunOnce registry keys.  Using MSCONFIG.EXE we can examine the components that execute from these locations.


However, there are numerous other components and locations to be aware of, including:

  • IE Browser Helper Objects
  • Scheduled Tasks
  • Sidebar Gadgets (Windows Vista)
  • Services and Drivers
  • Print Monitors

We’ve seen what the MSCONFIG utility shows us – what about Autoruns?  Download Autoruns from the Windows SysInternals site and extract the .zip file into a folder.  There are two executables – AUTORUNS.EXE (GUI version) and AUTORUNSC.EXE (Command-line version).  We’ll go into the differences a bit later on, but for the moment, we’re simply going to double-click on AUTORUNS.EXE and … voila!


Clearly, Autoruns provides a much more in-depth and granular view of what is going on with this system than MSCONFIG does.  However, as with MSCONFIG, you can disable startup items simply by clearing the checkbox and rebooting the system.  Within the Autoruns UI there are several other tasks you can perform.  If you double-click on an entry, or use Entry –> Jump To from the menu bar, the Registry Editor will launch and navigate directly to the registry entry.  One caveat here – on Windows Vista / Windows Server 2008 systems, you’ll need to launch Autoruns as an administrator so that it can open RegEdit automatically.  You can also use the Entry –> Search Online feature to perform an internet search for the process or DLL, which comes in especially handy when investigating software with which you are not familiar.  If you are unsure about an entry, you can use the Verify function, which attempts to confirm the authenticity of program files that carry a digital signature.  Let’s take a quick look at an example.


So in this scenario, I want to examine the Zune Launcher executable.  Some basic information is provided when I highlight the entry in the main Autoruns pane.  Now I want to verify the authenticity of the file.  I can either use Entry –> Verify or right-click on the entry and select Verify.


And now we can see that the publisher information shows that the file is verified.  A quick caveat here – if an item is listed as “Not Verified”, that does not necessarily mean that the file is malicious (although that is a possibility to keep in mind).  Another possibility is that the file does not have a digital signature – so there is nothing to verify.

Often, it is necessary to compare the settings on a working and non-working machine.  With Autoruns, this process is relatively straightforward.  The process is as follows:

  1. On Machine 1, run Autoruns and save the output (File –> Save) as MACHINE1.ARN – this is going to be our reference file, our baseline if you will
  2. On Machine 2, run Autoruns and save the output (File –> Save) as MACHINE2.ARN (this is optional, but can be useful if you want to save a history of Autoruns logs to see how systems have changed over time)
  3. On Machine 2, go to File –> Compare and select the saved file MACHINE1.ARN.
  4. Autoruns compares the two files and highlights the differences

Consider the following example from two Windows Server 2008 systems.


Autoruns highlights in green any items that are not in the saved (reference) file.  In our example, our reference machine is not running Windows Mobile Device Center, but my test Windows Server 2008 machine is.  Clearly this is not a standard configuration, and this might be something worth examining.  Believe me when I tell you that this can be a real timesaver when comparing working and problematic systems.

As you’ve noticed, there is a great deal of information in the Autoruns output.  With MSCONFIG, we were able to “Hide all Microsoft Services” using a simple check box on the Services Tab. 


With Autoruns you can do the same thing.


Note that once you select this option, the display is not automatically updated – you will need to rescan the system to refresh the display.  If you were doing a compare, and you decided to Hide Microsoft and Windows entries, you’ll also need to re-run the compare – but you will still maintain your filtered output.  When troubleshooting issues dealing with Internet Explorer Browser Helper Objects, driver start-up issues and third-party Print Monitors, being able to filter the results can definitely help accelerate the process.

We’ve seen some of the power of the GUI version, but what about the other executable in the Autoruns download – AUTORUNSC.EXE?  This is the command line version – it cannot be used to disable or enable startup items, but it can be used to quickly gather data.  When running the command line version of Autoruns, there are some common switches to be aware of:

  • -a: list all the entries for the current user
  • -i: list the Internet Explorer add-ons that are enabled for the current user
  • -m: hide all the signed Microsoft entries
  • -p: list all the Print Monitors

You can get a complete list of the switches by running AUTORUNSC.EXE /? at the command line.  You can also use AUTORUNSC.EXE to create a filtered output for comparison (the .ARN file we used in our Compare example above).  The process simply requires you to redirect the output to a file.  In this example, I’m going to export the Print Monitors:

AUTORUNSC.EXE -p > <machinename>.ARN

You can then use the same compare methodology we used above to compare the two systems.  You can open the .ARN file with Notepad (the format is human-readable) to see what is in there – below is the output from one of the Windows Server 2008 systems for the print monitors:

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
Local Port
localspl.dll
Local Spooler DLL
Microsoft Corporation
6.00.6001.18000
c:\windows\system32\localspl.dll
ba845f37a3d4c7e35e3a179279059b52 (MD5)
9dc8e934ee90dda8de065e9aae9e71561c9eda77 (SHA-1)
9152cff906a7cd7d7f95c7fb9e5c691001af673723cb4c3691ef0b786a802a5b (SHA-256)
Standard TCP/IP Port
tcpmon.dll
Standard TCP/IP Port Monitor DLL
Microsoft Corporation
6.00.6001.18000
c:\windows\system32\tcpmon.dll
6f596bba0f90ab8ee1523362b2f16329 (MD5)
526addf6b0a819c3249525c2e34b53c37c1d5f6d (SHA-1)
1eddabe31235bf5da1832da4519314ea92e83586f2230e0ca3dac424caca1728 (SHA-256)
USB Monitor
usbmon.dll
Standard Dynamic Printing Port Monitor DLL
Microsoft Corporation
6.00.6001.18000
c:\windows\system32\usbmon.dll
5948f2b4fece4f3301d290771f5183cf (MD5)
172d3c6fba6c200028b4ab6fb66998502ff343e1 (SHA-1)
f4112cfca29420e8dc4d6c9758b8caa4b3ea24bd9c672ef17ecbea31f1dc605e (SHA-256)
WSD Port
WSDMon.dll
WSD Printer Port Monitor
Microsoft Corporation
6.00.6001.18000
c:\windows\system32\wsdmon.dll
ebec28cf97aef9e8896599b57d8c0205 (MD5)
2bb140d7307d0dda28d1fd50967388b40367f774 (SHA-1)
c8118dfbac1a2b1f2934f7a39bcd2ef66f5eaeda9d183b8c61d5355d30da01b0 (SHA-256)
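
The following script is an added example, not code from the original post or from Sysinternals.  It reproduces the File –> Compare step from earlier in the post (new entries, which Autoruns shows in green) on top of AUTORUNSC text captures like the one above, and additionally flags entries whose path is unchanged but whose SHA-256 (or version) differs, which a name-only comparison would miss.  It assumes the layout of the sample output: a registry location line beginning with HKLM\ (or HKCU\) followed by nine lines per entry (name, image, description, company, version, path, MD5, SHA-1, SHA-256).  The baseline sample uses the Local Port entry from the output above; the "Example Port" and "Demo Port" entries, their paths and their letter-run hashes are constructed placeholders.

```python
"""Diff two AUTORUNSC text captures the way Autoruns' File -> Compare does.

Added example for this post; not Sysinternals code.  Assumes the entry
layout shown in the post: a location line (HKLM\\... / HKCU\\...) followed by
nine-line entries: name, image, description, company, version, path, then
MD5, SHA-1 and SHA-256 lines.
"""
import re
from collections import namedtuple

LOCATION_RE = re.compile(r"^HK(LM|CU|U|CR)\\", re.IGNORECASE)
HASH_RE = re.compile(r"^([0-9a-fA-F]+)\s+\((MD5|SHA-1|SHA-256)\)$")

Entry = namedtuple("Entry", "location name image description company version path hashes")


def entry_key(e):
    # Location, entry name and case-folded image path identify one entry.
    return (e.location.lower(), e.name, e.path.lower())


def parse_autoruns(text):
    """Return the Entry objects found in an AUTORUNSC text capture."""
    entries, block, location = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line and not block:
            continue                      # blank line between entries
        if LOCATION_RE.match(line):
            location, block = line, []    # start of a new autostart location
            continue
        block.append(line)                # blanks inside an entry keep field positions
        if line.endswith("(SHA-256)"):    # SHA-256 is the last line of an entry
            if location is None or len(block) < 7:
                raise ValueError("unexpected layout near: " + line)
            hashes = {}
            for h in block[6:]:
                m = HASH_RE.match(h)
                if m:
                    hashes[m.group(2)] = m.group(1).lower()
            entries.append(Entry(location, *block[:6], hashes))
            block = []
    return entries


def compare(baseline, candidate):
    """Classify candidate entries as new, changed (hash/version) or missing."""
    base = {entry_key(e): e for e in baseline}
    cand = {entry_key(e): e for e in candidate}
    report = {"new": [], "changed": [], "missing": []}
    for key, e in cand.items():
        old = base.get(key)
        if old is None:
            report["new"].append(e)             # what Autoruns highlights in green
        elif (old.hashes.get("SHA-256") != e.hashes.get("SHA-256")
              or old.version != e.version):
            report["changed"].append((old, e))  # same entry, different binary
    report["missing"] = [e for k, e in base.items() if k not in cand]
    return report


# Baseline: the Local Port entry from the post's sample output plus one
# constructed "Example Port" entry (letter-run hashes are placeholders).
BASELINE_ARN = r"""
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
Local Port
localspl.dll
Local Spooler DLL
Microsoft Corporation
6.00.6001.18000
c:\windows\system32\localspl.dll
ba845f37a3d4c7e35e3a179279059b52 (MD5)
9dc8e934ee90dda8de065e9aae9e71561c9eda77 (SHA-1)
9152cff906a7cd7d7f95c7fb9e5c691001af673723cb4c3691ef0b786a802a5b (SHA-256)
Example Port
exmon.dll
Constructed Example Port Monitor DLL
Example Corp
1.0.0.0
c:\windows\system32\exmon.dll
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (MD5)
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb (SHA-1)
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd (SHA-256)
"""

# Constructed second capture: exmon.dll was replaced in place (new SHA-256)
# and a "Demo Port" monitor was added that the baseline does not have.
CANDIDATE_ARN = BASELINE_ARN.replace("d" * 64, "e" * 64) + r"""Demo Port
demomon.dll
Constructed Demo Port Monitor DLL
Example Corp
1.0.0.0
c:\windows\system32\demomon.dll
cccccccccccccccccccccccccccccccc (MD5)
cccccccccccccccccccccccccccccccccccccccc (SHA-1)
cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc (SHA-256)
"""

if __name__ == "__main__":
    rep = compare(parse_autoruns(BASELINE_ARN), parse_autoruns(CANDIDATE_ARN))
    for e in rep["new"]:
        print("NEW     ", e.location, "|", e.name, "->", e.path)
    for old, new in rep["changed"]:
        print("CHANGED ", new.name, "|", old.hashes["SHA-256"][:12], "->", new.hashes["SHA-256"][:12])
    for e in rep["missing"]:
        print("MISSING ", e.location, "|", e.name)
```

To use it on real systems, feed the contents of the two files produced by AUTORUNSC.EXE -p > <machinename>.ARN to parse_autoruns() instead of the embedded samples (open them with whatever encoding your console wrote).  The "changed" bucket is the one worth a second look during a malware hunt: a print monitor or other autostart DLL at its usual path but with a different hash than the known-good machine is exactly the case a name-only compare hides.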


So there you have it.  If you’ve never used Autoruns before, it’s another useful tool to have in your arsenal when troubleshooting issues.  That brings us to the end of our post.  I hope you enjoyed the post, and found the information useful.



Additional Resources:





- Satyajit Menon



