The Startup Process


When a computer is powered up, all the various layers between the hardware and the visible interface have to be prepared, or initialized, from the bottom up. The hardware is initialized first. A circuit on the computer's motherboard sends a reset signal to each chip, module, and external hardware device, to set the hardware to a known state. The reset signal places the Intel or Intel-compatible processors used in Windows PCs in what is called real mode, in which the processor addresses memory by physical hardware addresses and in which there are no restrictions on memory or hardware access. The CPU then begins retrieving instructions from a fixed memory address, FFFFFFF0 in hexadecimal. PC motherboards are constructed with a built-in read-only memory chip (ROM) or electrically erasable and reprogrammable memory (FLASH) at that address. This chip contains a set of programs called the Basic Input Output System (BIOS), and its instructions initialize the computer, test its hardware, and load an operating system.

BIOS Startup

A handful of companies produce the BIOS code used in most PCs, and the goings-on inside the BIOS are proprietary. Even the mechanism by which the BIOS is updated in FLASH is secret. However, although the specifics are not public, the boot process goes something like this:

1. A hardware reset puts the CPU in Real mode, and it begins executing instructions starting at the Real-mode segmented address FFFF:0000 hex, which is presented on the address bus as the 32-bit physical address FFFFFFF0.

2. The BIOS chip responds to addresses at the highest end of the memory range. It usually contains a jump instruction at FFFFFFF0 that points to the BIOS cold-start initialization routines.

3. The initialization routine disables interrupts and any known hardware devices, so that any pending hardware operations initiated before reset will not disrupt the startup process, and sets the CPU's memory segment registers to access low memory. A stack is created for interrupt and subroutine data storage. Interrupt vectors (pointers to subroutines used to handle hardware service requests) are set in low memory for hardware and software interrupts.

4. The CPU's memory management registers are set and the CPU is switched to 32-bit protected mode so that it can detect, configure, test, and initialize memory beyond the 1MB Real mode limit. Although early motherboards required you to manually enter memory timing settings, modern DIMM memory contains setup information that is read from the memory modules during startup.

5. The BIOS constructs in memory a list of all known hardware devices and their required interrupt, DMA, and I/O port requirements. Settings for non-Plug and Play ISA bus devices should have been entered into the BIOS setup screens by the user. Plug and Play devices are detected through a complex and peculiar mechanism: bits on the computer's external bus are used to slowly pulse out serial data in a manner not unlike an old-time Morse code telegraph system.

6. Some hardware devices respond not only to the CPU's Input/Output (I/O) instructions but also have ROMs, hardware registers, and display buffer memory that is mapped into the standard memory range, and which is readable and perhaps writable as if it were regular system memory. The BIOS scans memory at every 2,048-byte boundary for special "signature" values that mark the presence of a BIOS ROM. These are commonly found on SCSI disk adapters and network adapters so that the BIOS can boot from these nonstandard disks or from the network.

   If found, the routines in these ROMs are called and allowed to initialize their corresponding hardware, and if the user chooses, are used instead of the standard motherboard BIOS program to load the operating system at step 6.

7. If the BIOS is configured for a non-Plug and Play operating system, the BIOS assigns and configures interrupt, DMA, and I/O port addresses for all Plug and Play devices. For a Plug and Play operating system, resource allocation and initialization is left to the operating system.

8. Standard mass storage devices and any detected adapter option ROMs (disk or network) are searched in the user-configured order ("boot order"). The devices are initialized and scanned to find the first device that is online and contains a recognized file system with a valid bootstrap program. The bootstrap program is read from the device and control passes to that program to continue the initialization process.

Note

To read about Plug and Play and other hardware specifications, check out www.microsoft.com/whdc/resources/respec/specs.


When the BIOS or user selects the bootstrap device, a bootstrap loader is used to bring in the actual operating system.

Bootstrap Loaders

As the previous section discussed, the BIOS program stored on the motherboard contains the instructions your PC needs to start up, test itself, and access the keyboard, display, and mass storage devices. Because the BIOS can't know in advance what operating system you're going to use, or how or where that operating system is stored on your disks, or how it's to be read from disk and started up, an intermediate startup program is used, called a bootstrap loader or OS loader. This is a very small, operating system-specific program that the BIOS can find and read into memory; the loader is then responsible for actually starting up your operating system. All bootable media use a standard layout so that the BIOS can find the loader.

Note

Disk organization and bootstrap structures are described in detail in Chapter 10, "Windows File Systems."


The BIOS begins the bootstrap process by reading the first 512 bytes stored on whatever startup disk is used, whether it's a floppy disk, hard disk, CD, DVD, Zip disk, Jaz disk, or other removable disk. This block of data is called the boot sector, and it begins with the bootstrap loader specific to your operating system; it's placed there when you install the OS. It must end with the bytes 55 and AA (hexadecimal), so only 510 bytes are available for the boot program itself. The block is stored starting at address 0000:7C00 and executed there.

Note

You can replace a missing or damaged boot sector loader using the Windows Recovery Console's fixboot command, discussed in Chapter 12, "Windows Troubleshooting."


The boot sector loader contains whatever instructions are necessary to

  • Identify what file system is used on the disk media.

  • Locate and read into memory a secondary, larger, more comprehensive loader program called the secondary loader , which is stored elsewhere on the disk.

  • Transfer control to the secondary loader, which then continues the operating system's bootstrap process.

Because the secondary loader program is not limited to 510 bytes in size, it can do the more sophisticated job of examining the disk's file system and directory structures. The process of locating the secondary loader depends on the medium and operating system in use:

  • Floppy disks The bootstrap loader in the first block of a bootable MS-DOS floppy disk contains a small program that interprets the disk's FAT-12 file system to locate files MSDOS.SYS and IO.SYS, which are stored as the first files on the disk (or IBMBIO.SYS and IBMDOS.SYS, in the early DOS versions distributed by IBM). These files are read into memory and contain the code needed to complete MS-DOS's initialization.

  • Hard disks The disk's first block contains, in addition to the bootstrap loader code, a table that indicates the location of one or more partitions on the disk. One partition is marked as the active partition. The first 512-byte block of the active partition is called the Master Boot Record (MBR), and it begins with the code for the secondary loader, followed by the disk's partition table. The primary boot loader relocates itself in memory, calculates the disk location of the MBR, reads it into memory at address 0000:7C00, and runs it.

    When a disk is configured for booting by MS-DOS, Windows 9x, or Windows Me (using the format /s or sys commands), the secondary boot loader locates and reads in files MSDOS.SYS and IO.SYS. Early versions of MS-DOS required these files to be stored at fixed locations on the disk, but later versions are able to examine the FAT file system tables and root directory to locate these files wherever they were physically placed on the disk. (They can move if, for example, the system files are updated after other files have been stored on the disk.)

    For Windows XP, 2000, and NT, the secondary boot program determines whether the disk is formatted with the FAT or NTFS file system, and then locates and reads into memory the file ntldr, which is stored as a hidden file in the drive's root directory. Ntldr (which, as you might guess if you've been keeping count, is a tertiary loader) continues the startup process. We'll discuss the NT startup procedure shortly.

    Note

    You can replace a missing or damaged Windows XP or 2000 Master Boot Record using the Windows Recovery Console and the fixmbr command, discussed in Chapter 12.


  • CDs and DVDs Bootable CDs and DVDs contain a data block called the Booting Catalog, which lists one or more bootable operating systems. For each bootable operating system, there is a corresponding block-by-block copy or image of an entire (and probably small) bootable hard drive partition. A BIOS that is capable of booting from CD or DVD drives makes it temporarily appear (to itself!) during a boot from CD that an additional hard drive had been detected during startup. Attempts to read data blocks from this virtual hard drive are turned into reads of the corresponding block in the recorded disk image. The standard first-sector boot program is read in from this disk image, and the normal hard disk boot process continues as described in the previous paragraph. The secondary and subsequent bootstrap programs don't actually need to "know" that a CD is being used. As long as they rely on the BIOS to read data from what they think is a regular disk drive, the BIOS can perform the necessary sleight-of-hand to get the data from the CD. This method is used on the Windows Setup CD and on bootable Linux distribution discs.

  • Networks Some network adapters contain BIOS extension ROMs (described earlier) that permit the computer to be booted over a LAN. Typically these ROM-based bootstrap programs broadcast to the network to locate a boot server. The boot server responds by selecting an appropriate boot disk image file, which it transmits to the booting computer. The network BIOS ROM stores this data in memory, and as with the CD boot process, modifies the BIOS's data tables to add a virtual hard or floppy disk. The normal boot process continues from there. The first sector of the image contains a bootstrap loader that uses standard BIOS calls to read subsequent data, which is retrieved from the disk image stored in memory. (And, not surprisingly, if the operating system that is being loaded overwrites the section of memory that contains the disk image before the bootstrap process is complete, it crashes.) Network booting can be used to perform Windows Setup on a corporate network, or to load a "thin client" terminal program on a diskless computer. It's also commonly used on network-based computers such as Sun workstations.
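The 512-byte first sector described above (55 AA signature, 510 bytes for code, and on a hard disk a partition table with one active partition) has a fixed layout that a tool can check before trusting it. The following Python parser is an added example, not code from the book: it enforces the signature, splits off the 446 bytes of loader code, decodes the four 16-byte partition entries that follow (the standard PC layout, which the text does not spell out), and computes where the first-stage loader reads next. The sample sector is constructed inline.

```python
import struct

SECTOR_SIZE = 512
CODE_SIZE = 446                 # loader code occupies bytes 0..445
ENTRY_SIZE = 16                 # four 16-byte partition entries follow the code
SIGNATURE_OFFSET = 510          # bytes 510..511 hold the 55 AA marker
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition entry: status(1) CHS-start(3) type(1)
    CHS-end(3) LBA-start(4) sector-count(4). The CHS fields are skipped; the
    two 32-bit fields are little-endian."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    if status not in (0x00, 0x80):
        raise ValueError(f"invalid partition status byte 0x{status:02x}")
    return {"active": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_boot_sector(sector: bytes) -> dict:
    """Check the signature and split a first sector into code + partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        raise ValueError("missing 55 AA signature: the BIOS would not boot this")
    entries = [parse_partition_entry(sector[off:off + ENTRY_SIZE])
               for off in range(CODE_SIZE, SIGNATURE_OFFSET, ENTRY_SIZE)]
    # Unused table slots are all zeros; a zero type means "no partition here".
    partitions = [e for e in entries if e["type"] != 0]
    active = [i for i, e in enumerate(partitions) if e["active"]]
    if len(active) > 1:
        raise ValueError("more than one partition is marked active")
    return {"code": sector[:CODE_SIZE], "partitions": partitions,
            "active_index": active[0] if active else None}


def active_partition_byte_offset(sector: bytes) -> int:
    """Disk byte offset of the active partition's first sector, i.e. the block
    the first-stage loader must read into 0000:7C00 and jump to next."""
    info = parse_boot_sector(sector)
    if info["active_index"] is None:
        raise ValueError("no active partition: nothing to boot")
    return info["partitions"][info["active_index"]]["lba_start"] * SECTOR_SIZE


def build_sample_mbr() -> bytes:
    """Constructed sample (not read from a real disk): a 2-byte jump-to-self
    stub padded to 446 bytes as the 'loader', an active NTFS (type 0x07)
    partition at LBA 63, an inactive FAT32 (0x0B) partition, two empty slots,
    and the 55 AA signature."""
    def entry(status, ptype, lba, count):
        return struct.pack("<B3xB3xII", status, ptype, lba, count)

    code = b"\xeb\xfe" + b"\x00" * (CODE_SIZE - 2)
    table = (entry(0x80, 0x07, 63, 2_097_152)
             + entry(0x00, 0x0B, 2_097_215, 1_000_000)
             + b"\x00" * (ENTRY_SIZE * 2))
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = parse_boot_sector(mbr)
    print(f"{len(info['partitions'])} partitions, active index {info['active_index']}")
    print(f"loader reads next from byte offset {active_partition_byte_offset(mbr)}")
```

Feeding it the first 512 bytes of a real disk image (for example a forensic copy) is a quick way to confirm the signature is intact and which partition the BIOS path would hand control to.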

The next few sections discuss how the Windows boot-up process continues.

Windows XP/2000/NT Startup

Although Windows 9x and Me computers actually boot up MS-DOS and then start up Windows, Windows NT and its descendants, Windows 2000 and XP, have a completely different startup mechanism.

For Windows NT and relatives, the bootstrap process begins as described previously. However, the active partition's secondary loader takes things in a different direction. The secondary loader determines whether the disk is formatted with the FAT or NTFS file system, and then locates and reads file ntldr from the root directory of the boot partition, and ntldr continues the boot process.

Ntldr locates file boot.ini, also stored in the root folder of the boot partition. Boot.ini contains a list of operating system choices, and optionally, multiple entries for Windows, each with different startup options specified, which can be used to recover from failures and for debugging purposes. If you install your operating systems carefully and in the right order, boot.ini can also contain entries that allow you to select between MS-DOS, Windows 9x, Windows 2000, XP, Linux, and possibly other operating systems. The section "Boot Options," later in this chapter, discusses boot.ini further.

For each operating system choice, boot.ini contains a file path that points to a Windows folder or to a folder that contains a file that contains an alternate secondary-boot sector. If there is more than one choice, ntldr displays a menu. If you make a selection, or if a timeout period elapses, ntldr starts the highlighted operating system. You can also press F8 during a very small time window during the startup process, which makes ntldr display the built-in Windows Advanced Options menu. This menu includes the option to boot in Safe mode, with a minimal set of drivers, along with several other startup options.

If MS-DOS, Windows 9x, or Windows Me is selected from the boot menu, ntldr reads a saved copy of the boot sector installed by the older OS (for example, bootsect.dos). The standard DOS or Windows 9x boot process continues from there.

For Windows NT, 2000, and XP, ntldr runs the program ntdetect.com , which collects information about the installed hardware. It performs some hardware detection itself and collects other information from tables left in memory by the BIOS. If multiple hardware profiles are loaded, at this point ntldr may also stop and display the Hardware Profiles/Configuration Recovery menu.

Ntldr then locates files ntoskrnl.exe and hal.dll in the system32 folder under the selected Windows folder. These two files form the Windows kernel, the foundation on which the operating system is based.

The Windows NT Kernel

Windows NT, 2000, and XP are all based on a kernel layer that provides basic, fundamental services to mediate access to hardware, start and stop processes, control the CPU's hardware, manage multiple CPUs if present, manage memory, and so on. Differences between motherboard and CPU designs are handled by the kernel's Hardware Abstraction Layer (HAL), which performs CPU hardware management functions for the kernel and higher levels of Windows, without requiring them to know the details of the particular hardware implementation. The standard HAL versions provided with Windows XP are listed in Table 4.1.

Table 4.1. Standard Windows XP HAL versions

HAL Name | Original Filename | Used For
--- | --- | ---
Advanced Configuration and Power Interface (ACPI) PC | halacpi.dll | A single-processor motherboard that complies with the ACPI configuration and power management specification.
ACPI Multiprocessor PC | halmacpi.dll | An ACPI-compliant multiprocessor motherboard with two or more CPUs installed (or with one or more dual-core or hyperthreading CPUs).
ACPI Uniprocessor PC | halaacpi.dll | An ACPI-compliant multiprocessor motherboard with one single-core, nonhyperthreading CPU installed.
Compaq SystemPro Multiprocessor or 100% Compatible | halsp.dll | A Compaq SystemPro or compatible server motherboard.
MPS Uniprocessor PC | halapic.dll | A non-ACPI-compliant multiprocessor motherboard with a single processor installed.
MPS Multiprocessor PC | halmps.dll | A non-ACPI-compliant multiprocessor motherboard with two or more processors installed.
Standard PC | hal.dll | A non-ACPI-compliant single-processor motherboard.
Other | | Custom HALs may be written and provided by computer manufacturers.


Note

Windows Setup detects your CPU and motherboard type during setup, and automatically selects the appropriate HAL version. The HAL module is copied to your \windows\system32 folder with the name hal.dll no matter which version was selected. If you need to force Setup to make another choice, visit support.microsoft.com and search for Knowledge Base Article 299340. This article describes a procedure that lets you manually choose a HAL version.

On Windows XP, Windows automatically switches between multiprocessor and uniprocessor HALs and kernels; you no longer need to reinstall Windows or use the Device Manager if you change the number of processors, for example, by enabling Hyperthreading or installing a dual-core CPU.


The "NT Kernel" is actually not "Windows." The Windows that you are familiar with, the graphical interface, is actually implemented in layers above the kernel, by the 32-bit Windows (Win32) subsystem. And in fact other operating system environments (subsystems) such as UNIX and OS/2 can also take advantage of the NT Kernel. Microsoft provided an OS/2 subsystem that made it possible to run character-mode OS/2 programs on Windows NT and 2000, although it's not provided with Windows XP. The UNIX (actually, POSIX) subsystem provided with Windows NT and 2000 is now called Interix, and it's available as a free download for Windows XP Professional; see Appendix A for more information.

In addition to loading the kernel and HAL into memory, ntldr locates and loads the Registry's component files. It examines the Registry for value HKEY_LOCAL_MACHINE\System\Select\Current or HKEY_LOCAL_MACHINE\System\Select\LastKnownGood, depending on the selected boot mode, and creates key HKEY_LOCAL_MACHINE\System\CurrentControlSet, which is an "alias" to HKEY_LOCAL_MACHINE\System\ControlSetnnn, where nnn is the value retrieved from Select.

It then examines key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles to see whether multiple profiles are defined. If more than one profile is defined and is feasible to load, ntldr displays another menu on the console, and again, if the user does not make a selection, a default setting is used.

With the desired Hardware Profile determined, ntldr scans Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services for entries with a Type value of 1, which indicates a kernel-level device driver. Drivers that are marked for Boot time startup are loaded by ntldr. At this point, the Windows kernel takes over.

The kernel performs two initialization phases. In the first phase, a minimum of services are initialized: the HAL, the Memory Manager, the Object Manager, the Security Reference manager (which is ultimately responsible for all access control under Windows, including files, Registry keys, synchronization objects, and internal data structures), and the Process Manager. The display is now switched for the first time from the text mode set up by the BIOS to a graphics mode and the small Windows startup progress bar is displayed.

Now, all systems are reinitialized and the startup process starts in earnest. Device drivers and filter drivers are loaded, in the order specified by the Load Ordering list shown in Table 4.2, and the Session Manager Subsystem (SMSS) starts. It loads the Win32 subsystem (win32k.sys). At this point, it's fair to say that Windows itself, rather than just the generic kernel, is running. The second Windows graphical startup screen is displayed. The Windows Service Controller (services.exe) is started, and services are started, as described later in the chapter under Windows Services.

Table 4.2. Windows XP Driver, Filter, and Service Load Ordering

  1. System Reserved
  2. Boot Bus Extender
  3. System Bus Extender
  4. SCSI miniport
  5. Port
  6. Primary Disk
  7. SCSI Class
  8. SCSI CDROM Class
  9. FSFilter Infrastructure
  10. FSFilter System
  11. FSFilter Bottom
  12. FSFilter Copy Protection
  13. FSFilter Security Enhancer
  14. FSFilter Open File
  15. FSFilter Physical Quota Management
  16. FSFilter Encryption
  17. FSFilter Compression
  18. FSFilter HSM
  19. FSFilter Cluster File System
  20. FSFilter System Recovery
  21. FSFilter Quota Management
  22. FSFilter Content Screener
  23. FSFilter Continuous Backup
  24. FSFilter Replication
  25. FSFilter Anti-Virus
  26. FSFilter Undelete
  27. FSFilter Activity Monitor
  28. FSFilter Top
  29. Filter
  30. Boot File System
  31. Base
  32. Pointer Port
  33. Keyboard Port
  34. Pointer Class
  35. Keyboard Class
  36. Video Init
  37. Video
  38. Video Save
  39. File System
  40. Event Log
  41. Streams Drivers
  42. NDIS Wrapper
  43. COM Infrastructure
  44. UIGroup
  45. LocalValidation
  46. PlugPlay
  47. PNP_TDI
  48. NDIS
  49. TDI
  50. NetBIOSGroup
  51. ShellSvcGroup
  52. SchedulerGroup
  53. SpoolerGroup
  54. AudioGroup
  55. SmartCardGroup
  56. NetworkProvider
  57. RemoteValidation
  58. NetDDEGroup
  59. Parallel arbitrator
  60. Extended Base
  61. PCI Configuration


Finally, the Windows logon process, winlogon.exe, is started. Winlogon.exe displays the Welcome screen or logon dialog. At this point, a user can log on, although for a short time, Windows services not essential for logon, such as the IIS web server, are still loading.

The Logon Process

When you log on using the Welcome Screen or logon dialog (the only option on corporate networks), Windows checks the logon name and password against the local account database, or in the case of a domain logon, forwards the logon request to a domain controller for verification. Successful domain logons may be cached on the local computer to speed future logons.

Note

For more detailed information about the domain logon process, search microsoft.com for the Microsoft Technet article "How Interactive Logon Works."


The User Profile

When a user has successfully authenticated him- or herself, the user profile is loaded. The profile is a folder stored under Documents and Settings, and it contains several significant files and folders:

  • The ntuser.dat and ntuser.dat.log files, the user's Registry hive file and its transaction file (a file that helps protect against corruption should the system crash while the Registry is being updated). The user's Registry hive is loaded under HKEY_USERS, and an alias key named HKEY_CURRENT_USER is created that points to this data.

  • The Desktop folder, which contains the user's personal desktop items. The contents of this folder and the Desktop folder under the All Users profile folder are combined and displayed on the user's desktop.

  • The Start Menu folder, which contains the user's personal start menu items. The contents of the folder and the Start Menu under the All Users profile folder are combined and displayed on the user's Start menu.

  • The My Documents folder contains the user's personal files. (Windows Explorer displays this folder's name as "My Documents" for the logged-on user, but as "xxx's Documents," where xxx is another user's logon name, when displaying other users' profile folders; the folder itself is still named My Documents, unless the name has been changed in the Registry.)

  • Cookies, Favorites, Local Settings, Application Data, My Recent Documents, NetHood, PrintHood, and other folders contain data for specific applications including history lists, bookmarks, email files, and so on. These files may be moved to alternate locations in some cases.

The first time a user logs on to a given computer, a new profile folder is created. For local users, the new profile is a copy of the Default User profile folder. (A simple copy will not work, as Registry key and file permissions must be modified to match the user to whom the profile belongs. This is why user profiles must be managed from the System Properties dialog, using the User Profile management dialog.)

For users on a corporate domain network whose account is set up as a Roaming User Profile, the profile folder must be copied from a server. At logoff, changes will be copied back to the server, and on the next logon, only changes made to the network profile since the last local logon must be copied down again. The Windows File Replication Service manages this process. In this way, the user's settings and My Documents folder "follow" her on the network and are available at any computer. (On such networks, email is typically not stored locally on the computer, but is kept in a central mailbox repository and accessed over the network using IMAP or Exchange services.)

Policy

Group or Local Computer policy is applied next. Group Policy is a function of the Windows Server Active Directory system, and it is constructed from one or more sources, depending on the policy groups and/or containers to which the user and the computer itself are assigned. The resulting set of policy (RSOP) is transmitted to the computer from a domain server.

Policy is actually a set of Registry entries that add to, or supersede when overlapping, regular Registry entries, and that cannot be modified by the user using the Registry editor. Windows components and applications look at this combined set of Registry data for settings that restrict or enforce certain behavior. This feature is used not only to tighten security by limiting users' ability to make configuration changes, but also to ensure consistent and appropriate configuration for all users of an organization.

The User Environment

The environment variable list is created from the following sources, in the following order:

1. Automatic definitions created by the system, including USERPROFILE, USERNAME, and so on.

2. Set commands in autoexec.bat in the %systemroot% drive (usually C:\).

3. The system environment list, configured from the System properties dialog Advanced tab, and stored in the Registry under key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment. Environment variables within definitions, such as %USERPROFILE%, are substituted if possible.

4. The user's personal environment list, configured from the System properties dialog Advanced tab, and stored in the Registry under key HKEY_CURRENT_USER\Environment.

If more than one source defines the same environment variable, the last definition is the one that is kept, with the exception of the PATH variable. If there are multiple definitions of PATH, the first definition is kept, a semicolon is added, and the additional definition is appended. This way, PATH accumulates all paths defined in the various sources. Changes to the first two sources only take effect after a reboot or on your next logon. Changes to the third and fourth sources take effect the next time you start a program; for example, on opening a new command prompt window.
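The merge rules just described (last definition wins, PATH accumulates with semicolons, %VAR% references substituted where possible) are easy to get wrong when reasoning about why a program sees a particular value. The following Python function is an added example, not code from the book, that applies those rules to an ordered list of sources; treating the user list (source 4) the same way as the system list for %VAR% substitution is this example's assumption, and the sample definitions are constructed.

```python
import re

VAR_REF = re.compile(r"%([^%]+)%")


def expand(value: str, env: dict) -> str:
    """Replace %NAME% references with values already defined in env; a name
    that is not defined yet is left untouched ("substituted if possible")."""
    return VAR_REF.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def build_environment(sources: list) -> dict:
    """Merge an ordered list of (source_label, {NAME: value}) definitions.

    Rules from the text: a later definition replaces an earlier one, except
    PATH, which accumulates (earlier value, a semicolon, the new value).
    %VAR% references are expanded for the system list; doing the same for the
    user list is this example's assumption, not something the text states.
    """
    env: dict = {}
    for label, definitions in sources:
        for name, value in definitions.items():
            key = name.upper()          # variable names are case-insensitive
            if label in ("system", "user"):
                value = expand(value, env)
            if key == "PATH" and "PATH" in env:
                env["PATH"] = env["PATH"] + ";" + value
            else:
                env[key] = value
    return env


def sample_sources() -> list:
    """Constructed sample definitions in the four-step order the text gives."""
    return [
        ("automatic", {"SystemRoot": r"C:\WINDOWS", "USERNAME": "alice",
                       "USERPROFILE": r"C:\Documents and Settings\alice"}),
        ("autoexec", {"PATH": r"C:\TOOLS", "TEMP": r"C:\TEMP"}),
        ("system", {"PATH": r"%SystemRoot%\system32;%SystemRoot%",
                    "TEMP": r"%SystemRoot%\Temp"}),
        ("user", {"PATH": r"%USERPROFILE%\bin",
                  "TEMP": r"%USERPROFILE%\Local Settings\Temp"}),
    ]


if __name__ == "__main__":
    for name, value in sorted(build_environment(sample_sources()).items()):
        print(f"{name}={value}")
```

Note that the autoexec.bat entry ends up first in PATH, ahead of the system32 directory, which is why a stray directory placed there is searched before the Windows directories when a command is typed without a full path.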

Startup Programs

When the user profile has been loaded, winlogon starts the user's shell program, which is by default explorer.exe , the standard Windows Explorer program. When it recognizes that it is being run as the user's first application, however, it knows that it's being asked to act as the user's desktop shell, so it displays the desktop, taskbar, and Start menu.

Tip

If explorer.exe is terminated or crashes, winlogon should automatically start another copy. If your desktop icons and taskbar disappear and don't start coming back within a few seconds, you can help the process along by pressing Ctrl+Alt+Del, viewing the Applications tab, clicking New Task, and entering explorer as the program name.


Explorer.exe is the default shell, but another program could be used just as well, such as cmd.exe, which would give you a command prompt window with no Start menu, or perhaps a custom program of your own devising. The shell program is specified in the registry by the value Shell under the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. If this value is present, it is used to determine the user's shell program; otherwise, the same key and value under HKEY_LOCAL_MACHINE is read, which specifies the systemwide default. Be very careful if you decide to change the systemwide setting, as you could render your system unusable if you specify an improper program.

Tip

I have seen spyware programs that exploit this Registry entry by adding a program name after explorer.exe. This leaves Explorer as the shell but also runs the spyware as soon as anyone logs on. To fix this, press F8 when Windows boots (see the discussion of Safe mode later in this chapter) and select Safe Mode with Command Prompt. Log on, run regedit, and repair the Shell Registry value. Remove the program from any other startup program entries in which it appears (see the discussion that follows), and delete the program's .exe file(s). Then, restart Windows.


While the desktop icons are being collected and displayed, startup scripts and startup programs are run from the following sources:

  • Scripts specified by Group Policy (or Local Computer Policy) under User Configuration, Windows Settings, Scripts (Logon/Logoff), Logon.

  • Logon script specified by the user profile (configurable, for example, under Computer Management, Local Users and Groups, Users, username Properties, Profile tab).

  • Shortcuts, files, or programs in the All Users profile subfolder Start Menu\Programs\Startup. Shortcuts and programs are executed. Files are opened using the associated application.

  • Shortcuts, files, or programs in the user's profile, subfolder Start Menu\Programs\Startup.

  • 16-bit Windows programs listed in \windows\win.ini under the [windows] section in run= entries and load= entries.

  • Programs listed in Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

  • Programs listed in Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.

  • Programs listed in Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx.

  • Programs listed in Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

  • Programs listed in Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.

  • Programs listed in Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx.

At this point, the user is completely logged on and ready to work.

Note

Besides the Shell Registry entry and the list of startup program sources listed previously, there is one other method that I've seen spyware authors use to install and run programs in a sneaky manner: creating a bogus print monitor. Print monitors are DLLs (program library modules) loaded by the Windows printing system, and they run in the context of the currently logged-on user. If a program appears in the Task Manager's Processes under your username, and you can't find it listed in any other startup location (the Winlogon\Shell value, the Run Registry entries and Startup folder under All Users and your own user account, and the win.ini file), look for a bogus print monitor entry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors. Spyware can install a DLL here, Windows will load it, and it then starts the spyware application that you see in the Processes list. If you find such an entry, boot Windows in Safe Mode with Command Prompt, log on, run regedit, and delete the bogus key under Monitors. There will most likely be several start techniques in use, so you'll need to check carefully; see the "Shell" tip mentioned previously.
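The checks in this note and in the earlier Shell tip can be done offline against a regedit export of the keys involved. The following Python script is an added example, not code from the book: it parses the string values in a .reg export, flags a Winlogon Shell value that is anything other than explorer.exe, lists every Run/RunOnce/RunOnceEx entry for review, and reports print monitors whose DLL is not in an assumed Windows XP baseline (localspl.dll, tcpmon.dll, usbmon.dll, bjlmon.dll, pjlmon.dll, which the book does not list). The export text and the helper.exe, upd.exe and helpmon.dll names in it are constructed placeholders.

```python
import re
from typing import Dict, List

# Persistence points the chapter names: the Winlogon Shell value, the Run /
# RunOnce / RunOnceEx keys under HKLM and HKCU, and print monitor DLLs.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY_RE = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\(Run|RunOnce|RunOnceEx)$", re.IGNORECASE)
MONITORS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors"
# Assumed baseline of monitor DLLs shipped with Windows XP; confirm against a
# known-clean machine of the same build before treating anything else as bogus.
BASELINE_MONITOR_DLLS = {"localspl.dll", "tcpmon.dll", "usbmon.dll",
                         "bjlmon.dll", "pjlmon.dll"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a regedit .reg export into {key: {name: value}}.
    Only "name"="string" (and @="string") lines are decoded; dword:/hex: values
    are ignored because none of the checks below need them."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo \\ and \"
    return keys


def lookup(keys: Dict[str, Dict[str, str]], wanted: str) -> Dict[str, str]:
    """Registry paths are case-insensitive, so match keys ignoring case."""
    for key, values in keys.items():
        if key.lower() == wanted.lower():
            return values
    return {}


def audit(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings for the persistence points the chapter describes."""
    findings: List[str] = []
    shell = lookup(keys, WINLOGON_KEY).get("Shell")
    # Anything appended after explorer.exe also runs at every logon.
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is not plain explorer.exe: {shell!r}")
    prefix = MONITORS_KEY.lower() + "\\"
    for key, values in keys.items():
        if RUN_KEY_RE.match(key):
            for name, command in values.items():   # every entry needs a human look
                findings.append(f"startup entry {name!r} under {key}: {command}")
        elif key.lower().startswith(prefix):
            monitor = key[len(prefix):]
            driver = values.get("Driver", "")
            if driver.lower().rsplit("\\", 1)[-1] not in BASELINE_MONITOR_DLLS:
                findings.append(f"print monitor {monitor!r} loads non-baseline DLL {driver!r}")
    return findings


# Constructed sample export (not from a real machine); helper.exe, upd.exe and
# helpmon.dll are placeholder names standing in for an unwanted program.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\WINDOWS\\system32\\helper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayApp"="C:\\Program Files\\Vendor\\trayapp.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\DOCUME~1\\alice\\LOCALS~1\\Temp\\upd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]
"Driver"="tcpmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Helper Monitor]
"Driver"="C:\\WINDOWS\\system32\\helpmon.dll"
'''


if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

On a suspect machine, export the three parent keys with regedit (or reg export) from Safe Mode with Command Prompt and run the script on the resulting file; the Startup folders and win.ini entries from the list above still need to be checked by hand.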





Upgrading and Repairing Microsoft Windows (2nd Edition)
ISBN: 0789736950
Year: 2005
Pages: 128