Why are System.ini entries even identified at Startup?



kduncan5
2006-04-23, 19:23
This is a question for the individual(s) who is(are) responsible for the System.ini entries even appearing in the System Startup option under Advanced Mode with Windows XP.

Why are these entries even identified as running at Startup? You can't do anything with them. If you try, Windows Update won't work any more.

As a computer geek that likes to tweak the living daylights out of his computers, I don't like things running at Startup (AV excluded). I assumed (wrongly) that these System.ini entries were redundant and/or unnecessary and deleted them. Guess what? Windows Update wouldn't work any more, ended up having to either download the Microsoft Baseline Security Analyzer to get my Updates or reformat & reinstall. Used the MBSA for a bit, but because I hadn't done it for awhile anyway I reformatted & reinstalled.

Even having those System.ini entries reported in Spybot's System Startup in the first place is pointless IMHO. Most people who aren't rocket scientists or who haven't come here and done a Search for System.ini will decide they aren't needed, remove them, then wonder why Windows Update won't work anymore. It took me a great deal of time and effort to narrow it down to the System.ini entries.....after making one tweak, then downloading another update, then another tweak, and another update, one at a time, until it came to those entries.

I think it's a mistake that they are even identified by Spybot in the first place.


Just my .02 cents worth, -kd5-

kduncan5
2006-04-29, 16:29
Just in case the powers-that-be never got a chance to see this, I wanted to bump it one time. I think this is important. -kd5-

Zenobia
2006-04-30, 01:18
There's the option to disable, rather than delete the entries from System startup.
I like to tweak, too, but I look for info on everything before I do it. And, I hold nothing and no one responsible when I mess myself up (which I have done a few too many times. :blush: ) When those System.ini entries were first included in Spybot's start-up, I went looking to find info on what they were. And, the startup list is in advanced mode, after all.

No offence intended, this is just my own two cents worth. :)

md usa spybot fan
2006-04-30, 21:36
When those System.ini entries were first included in Spybot's start-up, I went looking to find info on what they were.
Why would you want to do something like that? By researching things first, you're taking all the adventure out of tweaking your system.

*****************

I am not "… a computer geek that likes to tweak the living daylights out of his computers …". So having the listing doesn't prompt me to delete things because I usually work under the philosophy "Don't fix what isn't broken". On the other hand it does help me understand and keep track of what's happening on my system. In fact just the other day a new entry showed up on my system:
Located: System.ini, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
It was easily recognized that it was a new entry because it appeared in bold-faced type. Seeing the new entry allowed me to research the file (WgaLogon.dll) and determine that it was part of Windows Genuine Advantage.

*****************

Why are these things listed (IMHO).

From the information on Spybot's System Startup screen:


This list displays all programs that will be started along with Windows if you power on your system. …

From:
A Collection Of Autostart Locations, by Tony Kleinkramer
http://forums.subratam.org/index.php?act=Print&client=printer&f=29&t=1063


3. System.ini

[boot]
Shell=Explorer.exe file.exe

Windows XP/NT/2000

During system startup, Windows XP, NT and Windows 2000 consult the "Shell" registry value at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, to determine the name of the executable that should be loaded as the Shell.

By default, this value specifies Explorer.exe.

This can also be specified on a per-user-profile basis (i.e., the corresponding registry key/value under HKEY_CURRENT_USER).

Example of malware using this startup method:

http://www.symantec.com/avcenter/venc/data/backdoor.nibu.h.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSMALL%2EBDD&VSect=T
http://securityresponse.symantec.com/avcenter/venc/data/w32.dss.trojan.html

Additionally, (thank you, Gkweb) Explorer.exe is searched by the system at boot, starting from the root C:\ and finishing at C:\windows\explorer.exe

If malware is named "explorer.exe" and is placed in the root of the drive, the file will be launched without the necessity of modifying any boot files, and it can then launch the real explorer.exe without any notice from the user.

26. Winlogon\Notify (Win XP/2000/NT)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Another well known registry key added to in order to communicate to Winlogon.exe and let it know which procedures to run during an event notification; examples of malware using this technique:

http://vil.nai.com/vil/content/v_100441.htm
http://sarc.com/avcenter/venc/data/pf/adware.look2me.html
http://www.sophos.com/virusinfo/analyses/trojhaxdooru.html
*************

For all you shade tree mechanics out there. If you don't recognize something the next time you are under the hood of your car, just rip it out. Then if something stops working, complain to the manufacturer that they shouldn't have put that part in plain sight.
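
Added example, not part of the thread and not Spybot's code: a read-only PowerShell listing of the autostart locations quoted in the post above (the Winlogon Shell value in HKLM and HKCU, Winlogon\Notify, a shell= line in System.ini, and an explorer.exe sitting in the drive root). The helper name New-Entry and the report columns are made up for this example, and marking anything other than a bare explorer.exe for review is an assumption based on the default quoted above.

```powershell
# Added example: read-only review of the autostart locations quoted above.
# Nothing is changed or deleted; entries are only listed so they can be researched.
$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$report = @()

function New-Entry($location, $item, $value, $note) {
    # Hypothetical helper; New-Object keeps this usable on PowerShell 2.0.
    New-Object PSObject -Property @{
        Location = $location; Item = $item; Value = $value; Note = $note
    }
}

# 1. Winlogon "Shell" value, machine-wide (HKLM) and per-user (HKCU).
foreach ($hive in 'HKLM:', 'HKCU:') {
    $path = "$hive\$winlogon"
    $shell = (Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) { continue }   # value not set in this hive
    $note = 'default'
    # -ne is case-insensitive, so "Explorer.exe" counts as the default.
    if ($shell.Trim() -ne 'explorer.exe') { $note = 'REVIEW: not the default shell' }
    $report += New-Entry $path 'Shell' $shell $note
}

# 2. Winlogon\Notify subkeys (Win XP/2000/NT); each names a DLL in "DllName".
$notify = "HKLM:\$winlogon\Notify"
if (Test-Path $notify) {
    foreach ($key in Get-ChildItem -Path $notify) {
        $dll = $key.GetValue('DllName')
        $report += New-Entry $notify $key.PSChildName $dll 'research if unfamiliar'
    }
}

# 3. A shell= line in System.ini (expected under [boot] if present at all).
$ini = Join-Path $env:windir 'system.ini'
if (Test-Path -LiteralPath $ini) {
    foreach ($m in Select-String -Path $ini -Pattern '^\s*shell\s*=') {
        $report += New-Entry $ini "line $($m.LineNumber)" $m.Line.Trim() 'compare with Explorer.exe'
    }
}

# 4. An explorer.exe in the root of the system drive, ahead of the real one.
$stray = Join-Path "$env:SystemDrive\" 'explorer.exe'
if (Test-Path -LiteralPath $stray) {
    $report += New-Entry $stray 'file' 'present' 'REVIEW: explorer.exe outside the Windows directory'
}

$report | Format-Table Location, Item, Value, Note -AutoSize -Wrap
```

Saving the output after each run and comparing it with the previous one gives the same "new entry" signal as the bold listing described in the post.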

kduncan5
2006-04-30, 23:19
Well, it's my fault for not researching these (like I usually do) prior to deleting them, I have only myself to blame in that regard. These System.ini entries showed up with XP's Service Pack 2, prior to SP2 I only had one entry running at Startup (my antivirus), and I was used to it just like that. Kinda ticks me off Microsoft did that, but since they've done it, there's nothing anyone can do about it. Without those entries, Windows Update will not work. I can understand your point of view by wanting to report anything and everything that's running at Startup, but these entries are absolutely required if you want to make use of Windows Update. I wish there was a way to exclude the System.ini entries which are absolutely required for the proper functioning of Windows XP (SP2) from appearing in the Startup list so the temptation to delete would become non-existent. Not for me, I've already learned my lesson (as usual, the hard way), but for the ones which will inevitably come after me. -kd5-

Zenobia
2006-05-01, 01:06
Why would you want to do something like that? By researching things first, you're taking all the adventure out of tweaking your system.

:laugh: I'll keep that in mind.