Posts Tagged ‘Windows’

Windows Startup Methods

July 1st, 2009

Need to find out where programs launch themselves from? Check out the following.

Run – These are the most common startup locations for programs. An entry under HKEY_LOCAL_MACHINE starts for all users; an entry under HKEY_CURRENT_USER starts only for the current user. By default these keys are not executed in Safe Mode. If you prefix the value with an asterisk, *, it will also run in Safe Mode.

Registry Keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

RunOnce Local Machine Key – These keys are designed to be used primarily by Setup programs. Entries in these keys are started once and then deleted from the key. If an exclamation point precedes the value, the entry is not deleted until after the program completes; otherwise it is deleted before the program runs. This is important, because if the exclamation point is not used and the program referenced in this key fails to complete, it will not run again, as it will already have been deleted. All entries in this key are started synchronously in an undefined order. Because of this, all programs in this key must finish before any entries in HKEY_LOCAL_MACHINE\…\Run, HKEY_CURRENT_USER\…\Run, HKEY_CURRENT_USER\…\RunOnce, and the Startup folders can be loaded. The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.

Registry Keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

RunOnce Current User Key

Registry Key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

RunServicesOnce – This key is designed to start services when a computer boots up (on the next startup only). These entries can continue running even after you log on, but must complete before the HKEY_LOCAL_MACHINE\…\RunOnce key can start loading its programs.

Registry Keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

RunServices – This key is designed to start services as well. These entries can continue running even after you log on, but must complete before the HKEY_LOCAL_MACHINE\…\RunOnce key can start loading its programs.

Registry Keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

At this point the logon prompt is placed on screen. After a user logs in, the rest of the keys continue.

ActiveX Component – This is the startup method used by Bifrost.

Registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773} – StubPath = "Exe path"

HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773} – StubPath = "Exe path"

All Users Startup Folder – For Windows XP, 2000, and NT, this folder is used for programs that should be auto-started for all users who log in to this computer. It is generally found at:

Windows XP: C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Windows NT: C:\winnt\Profiles\All Users\Start Menu\Programs\Startup

Windows 2000: C:\Documents and Settings\All Users\Start Menu\Programs\Startup

User Profile Startup Folder – This folder is executed for the particular user who logs in. It is usually found at:

Win 9X, ME: C:\windows\start menu\programs\startup

Windows XP: C:\Documents and Settings\LoginName\Start Menu\Programs\Startup

Explorer Run – These keys are generally used to load programs as part of a policy set in place on the computer or user. The Pain RAT server can use this key to run on startup.

Registry Keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

UserInit Key – This key specifies what program should be launched right after a user logs into Windows. The default program for this key is C:\windows\system32\userinit.exe. Userinit.exe is the program that restores your profile, fonts, colors, etc. for your username. Further programs can be launched from this key by separating them with commas.

For example:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = C:\windows\system32\userinit.exe, c:\windows\badprogram.exe

This will make both programs launch when you log in, and it is a common place for trojans, hijackers, and spyware to launch from.

Registry Key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

  

       Load Key – This key is not commonly used anymore, but can be used to auto start programs.

Registry Key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

    

Notify – This key is used to add a program that will run when a particular event occurs. Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver. When Winlogon.exe generates one of these events, Windows looks in the Notify registry key for a DLL that will handle it. Malware has been known to use this method to load itself when a user logs on, because a DLL loaded this way is not easy to stop.

Registry Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

   

AppInit_DLLs – This value corresponds to files being loaded through the AppInit_DLLs registry value. The value contains a list of DLLs that are loaded whenever user32.dll is loaded. As most Windows executables use user32.dll, any DLL listed in AppInit_DLLs is loaded along with it. This makes such a DLL very difficult to remove, as it is loaded into multiple processes, some of which cannot be stopped without causing system instability. user32.dll is also used by processes the system starts automatically when you log on, so the files listed in AppInit_DLLs are loaded very early in the Windows startup routine, allowing the DLL to hide or protect itself before we have access to the system.

Registry Key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

     

ShellServiceObjectDelayLoad – This registry key contains values in a similar way to the Run key. The difference is that instead of pointing to the file itself, each value points to a CLSID whose InProcServer entry holds the information about the particular DLL file being used.

The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your computer, it always starts, and so the files under this key are always loaded. They are therefore loaded early in the startup process, before any human intervention occurs.

Registry Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

    

SharedTaskScheduler – This section corresponds to files being loaded through the SharedTaskScheduler registry value on XP, NT, and 2000 machines. The entries in this key run automatically when you start Windows.

Registry Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
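As an added example (not code from the original post), here is a small Python triage script that parses a regedit .reg export of the keys above and applies the rules described in the Run, RunOnce, UserInit and AppInit_DLLs sections: a * prefix on a Run entry, the ! prefix on a RunOnce entry, any program in Userinit beyond the default, and a non-empty AppInit_DLLs. The export text, file paths and value names are constructed for illustration.

```python
import re

USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"  # default program named in the post

# Constructed .reg export for illustration; paths and value names are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"*Guard"="C:\\Tools\\guard.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"!Finish"="C:\\Setup\\finish.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\windows\\system32\\userinit.exe,c:\\windows\\badprogram.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Tools\\hook.dll"
'''

# One "Name"="data" line as regedit writes it, with backslashes and quotes escaped.
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := VALUE_RE.match(line)):
            name, data = (s.replace('\\"', '"').replace("\\\\", "\\") for s in m.groups())
            keys[current][name] = data
    return keys

def triage(keys):
    """Apply the post's rules to the parsed keys; returns (key, value_name, note) tuples."""
    findings = []
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        for name, data in values.items():
            if leaf == "run" and name.startswith("*"):
                findings.append((key, name, "Run entry also executes in Safe Mode"))
            elif leaf == "runonce":
                mode = "kept until the program completes" if name.startswith("!") else "deleted before it runs"
                findings.append((key, name, "RunOnce entry, " + mode))
            elif leaf == "winlogon" and name.lower() == "userinit":
                extra = [p.strip() for p in data.split(",") if p.strip() and p.strip().lower() != USERINIT_DEFAULT]
                if extra:
                    findings.append((key, name, "Userinit launches extra programs: " + ", ".join(extra)))
            elif leaf == "windows" and name.lower() == "appinit_dlls" and data.strip():
                findings.append((key, name, "AppInit_DLLs is loaded into every user32 process: " + data))
    return findings
```

Run `triage(parse_reg(SAMPLE_REG))` to get the four findings for the sample; on a real machine, export the keys with regedit and pass the file contents instead.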

The following are files that programs can autostart from on bootup:

1. c:\autoexec.bat

2. c:\config.sys

3. windir\wininit.ini – Usually used by setup programs to have a file run once and then get deleted.

4. windir\winstart.bat

5. windir\win.ini – [windows] "load"

6. windir\win.ini – [windows] "run"

7. windir\system.ini – [boot] "shell"

8. windir\system.ini – [boot] "scrnsave.exe"

9. windir\dosstart.bat – Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

10. windir\system\autoexec.nt

11. windir\system\config.nt

 

[Source]

 

Author: Akshat. Categories: Computer, Tutorials, Windows.

Win a FREE copy of Windows 7 Ultimate and a Windows 7 T-Shirt

June 12th, 2009

                                      

Microsoft is providing a chance to win a FREE copy of Windows 7 Ultimate and a nice Windows 7 T-shirt. To get a chance, you just need to go through a small survey and answer 7 questions.

Essentially the survey is designed to give Microsoft an insight into the number of computers participants use, their preferred browser, how they manage anonymous Internet browsing, and how they delete cache and history data.

     

After completing the survey, users will be granted a chance to win a FREE copy of Windows 7 Ultimate and a Windows 7 T-shirt.

Microsoft has not mentioned any participation limitation.

Also, the offer is available worldwide.

I wish everyone the best of luck. Go fast and complete the survey.

Thanks to Softpedia

Windows 7 Survey

Free Translation for Windows

June 8th, 2009

Google Translate is the most widely used free translation service. But translating a webpage or a piece of text can still be a tiresome process: you need to visit the Google Translate website, copy/paste the text, choose the language… Too long!

                

                       

Google Translate Client is a free translator which translates text in every Windows application such as Outlook, MS Word, Internet Explorer, Firefox and so on. After installing it you will see Google Translate Client in the system tray, and every time you want to translate some text, all you have to do is select it and click the pop-up "G" icon – the text will be translated instantly!

 

Free download: Google Translate Client v2.0.33 (1.5 MB)

Updated!

Rename your Recycle Bin

June 5th, 2009

Yes, you read it right. You can change the name of the Recycle Bin on your system if you wish. It is very easy and interesting, but it requires some changes in the Windows registry.

Follow these steps:

1. First click on the Start button and click Run.

2. Type regedit.exe or just regedit and press Enter.

3. In the Registry Editor open the HKEY_CLASSES_ROOT folder, in this folder open the CLSID folder, then open the {645FF040-5081-101B-9F08-00AA002F954E} folder and finally the ShellFolder folder.

4. Here simply change the data value from "40 01 00 20" to "50 01 00 20".

5. Once completed, change the "CallForAttributes" DWORD value to "0x00000000" (double-click and change the value data to 0). You must change both of these values to get the rename option to appear.

After performing all the above steps, close the Registry Editor and check for the rename option after right-clicking on the Recycle Bin icon. If it doesn't appear, restart your computer and check again; this time you will find the rename option.

Now you can set a new name as you wish.

Isn't it interesting?

Enjoy! ;)

 

 

25 Windows XP Hidden Applications – Take a look

June 5th, 2009

Today I'm sharing with you 25 useful Windows XP applications. Most of them are hidden in Windows and you may not know about them, but they can be quite useful. So without wasting too much time, here I start.

            

  To run any of these apps go to Start > Run and type the executable name.

1. Character Map = charmap.exe (very useful for finding unusual characters)

2. Disk Cleanup = cleanmgr.exe

3. Clipboard Viewer = clipbrd.exe (views contents of Windows clipboard)

4. Dr Watson = drwtsn32.exe (Troubleshooting tool)

5. DirectX diagnosis = dxdiag.exe (Diagnose & test DirectX, video & sound cards)

6. Private character editor = eudcedit.exe (allows creation or modification of characters)

7. IExpress Wizard = iexpress.exe (Create self-extracting / self-installing package)

8. Microsoft Synchronization Manager = mobsync.exe (appears to allow synchronization of files on the network for when working offline. Apparently undocumented).

9. Windows Media Player 5.1 = mplay32.exe (Retro version of Media Player, very basic).

10. ODBC Data Source Administrator = odbcad32.exe (something to do with databases)

11. Object Packager = packager.exe (to do with packaging objects for insertion in files; appears to have comprehensive help files).

12. System Monitor = perfmon.exe (very useful, highly configurable tool, tells you everything you ever wanted to know about any aspect of PC performance, for geeks only )

13. Program Manager = progman.exe (Legacy Windows 3.x desktop shell).

14. Remote Access phone book = rasphone.exe (documentation is virtually non-existent).

15. Registry Editor = regedt32.exe [also regedit.exe] (for hacking the Windows Registry).

16. Network shared folder wizard = shrpubw.exe (creates shared folders on network).

17. File signature verification tool = sigverif.exe

18. Volume Control = sndvol32.exe (I’ve included this for those people that lose it from the System Notification area).

19. System Configuration Editor = sysedit.exe (modify System.ini & Win.ini just like in Win98! ).

20. Syskey = syskey.exe (Secures XP Account database – use with care, it’s virtually undocumented but it appears to encrypt all passwords, I’m not sure of the full implications).

21. Microsoft Telnet Client = telnet.exe

22. Driver Verifier Manager = verifier.exe (seems to be a utility for monitoring the actions of drivers, might be useful for people having driver problems. Undocumented).

23. Windows for Workgroups Chat = winchat.exe (appears to be an old NT utility to allow chat sessions over a LAN, help files available).

24. System configuration = msconfig.exe (can use to control startup programs)

25. gpedit.msc used to manage group policies, and permissions

If you know any other hidden Windows applications, tell us via the comments and don't forget to subscribe to my feed :)

Enjoy!