Task 2.5: Securing Autoruns

Autoruns are applications and processes that are configured to launch at bootup or at logon. There are several ways to cause this to happen. These applications and processes are generally performing desirable activities; however, they may contain vulnerabilities, be specifically planted to introduce vulnerabilities, or even perform destructive processes. It is therefore wise for an administrator or security professional to understand exactly which applications and processes are configured to autorun, and to control these processes carefully.

In addition to the procedures outlined in Task 2.5, there are several utilities that may be useful in the identification and management of autorunning applications and processes.

In Microsoft’s Windows Defender, on the Tools And Settings page, Software Explorer presents several categories of programs that are currently running on a system, including Startup Applications. Windows Defender can be downloaded from www.microsoft.com/windows/products/winfamily/defender/default.mspx.

Another worthy tool to assist with this administrative task is Windows Sysinternals Autoruns. This freeware tool can be downloaded from http://technet.microsoft.com/en-us/sysinternals/bb842062.

Scenario

You are an administrator responsible for the maintenance and security of several servers holding sensitive data. You want to identify the autorun applications and processes and be certain that no undesirable applications or processes are running on these systems.

Scope of Task

Duration

This task should take 60 minutes.

Setup

You will interrogate a system for any autorun applications or processes and attempt to identify them. To accomplish this you will utilize several utilities and look in several locations on the system. You will also interrogate a domain controller to identify any startup, logon, logoff, and shutdown scripts that may be configured.

Caveat

Removing any autorun applications or processes may cause desirable applications and processes to fail. Often, these executables are not obviously named to identify their function. Remove these autorun applications or processes cautiously and test the system after the removal process.

Procedure

You will begin the system interrogation by launching MSConfig, the System Configuration Utility. You will then use Regedit to identify any Run, RunOnce, and RunOnceEx settings. You’ll look at the Startup folders for users on the system, the Config.sys and Autoexec.bat files (for Win16 applications, processes, and drivers), and finally a domain controller to identify any startup, logon, logoff, and shutdown scripts that may be configured.

Win16 applications were written to run on Windows for Workgroups, version 3.11. Win16 apps use the Config.sys and Autoexec.bat files to configure the system environment for these applications. All versions of Windows up to Windows Vista 32-bit and Windows Server 2008 32-bit operating systems provide support for these legacy applications. Windows 7 32-bit provides “some” support for 16-bit applications, but it seems it is spotty, at best. Windows Vista 64-bit, Windows 7 64-bit, and Windows Server 2008 64-bit operating systems do not provide support for Win16 applications.

Equipment Used

For this task, you must have:

  • Any Windows XP or Server 2003 system
  • For the startup, logon, logoff, and shutdown scripts that may be configured, access to a Server 2003 domain controller
  • Local or Domain Administrator access

Details

MSConfig: The Microsoft System Configuration Utility

1. Log on to a system as a Local or Domain Administrator.

2. Select Start ⇒ Run and type MSConfig. Click OK.

3. On the General tab, notice the various startup options available.

4. Select the SYSTEM.INI tab. This file is processed any time a Win16 application is launched.

5. Select the WIN.INI tab. This file is also processed any time a Win16 application is launched.

6. Review these files to identify any applications, processes, or drivers that may be undesirable.

7. Select the BOOT.INI tab. This file provides the Startup menu as you power on a system. Confirm that the paths and default are mapped to desired instances of the operating system.

8. Select the Services tab. Review these services to identify any that may be undesirable. Managing services was covered in Task 2.1.

9. Finally, select the Startup tab. This is a list of applications and processes that launch at startup or logon, configured in the Registry and in the All Users Startup folder.

Review this list. Any applications or processes that you do not recognize can be further researched at the following website: www.processlibrary.com/.

Another website that may be able to identify unknown processes is www.windowsstartup.com/wso/search.php.

10. Clear the check box for any applications or processes that are undesirable.

If the executable is identified as being malicious, it might be prudent to uninstall the application, delete the entry from the Registry, and/or delete the content from the hard drive.

11. Notice the Location column. This identifies the source of execution for the process: the Registry and the All Users Startup folder.

12. Click OK to apply your changes and close the MSConfig application. For your changes to take effect immediately, reboot the system as prompted. Otherwise, select Don’t Reboot.

Regedit Run, RunOnce, and RunOnceEx

1. Select Start ⇒ Run and type regedit. Click OK.

Improper editing of the Registry could cause your system, applications, and/or processes to fail. Make changes only if you are certain of your actions.

2. Expand HKEY_LOCAL_MACHINE ⇒ SOFTWARE ⇒ Microsoft ⇒ Windows ⇒ CurrentVersion ⇒ Run. (Notice that this path is displayed in the status bar at the bottom of the Registry Editor window.)

3. Expand HKEY_LOCAL_MACHINE ⇒ SOFTWARE ⇒ Microsoft ⇒ Windows ⇒ CurrentVersion ⇒ RunOnce.

4. Expand HKEY_LOCAL_MACHINE ⇒ SOFTWARE ⇒ Microsoft ⇒ Windows ⇒ CurrentVersion ⇒ RunOnceEx.

5. Review the entries in these three locations to identify applications and processes that launch at system startup.

6. After a careful review, in the right-hand pane right-click on any undesirable applications or processes and select Delete.

7. Expand HKEY_USERS ⇒ DEFAULT ⇒ Software ⇒ Microsoft ⇒ Windows ⇒ CurrentVersion ⇒ Run.

8. Review this location to identify applications and processes that launch at every user logon.

9. After a careful review, in the right-hand pane right-click on any undesirable applications or processes and select Delete.

10. Expand HKEY_CURRENT_USER ⇒ Software ⇒ Microsoft ⇒ Windows ⇒ CurrentVersion ⇒ Run.

11. Expand HKEY_CURRENT_USER ⇒ Software ⇒ Microsoft ⇒ Windows ⇒ CurrentVersion ⇒ RunOnce.

12. Review these two locations to identify applications and processes that launch at user logon.

13. After a careful review, in the right-hand pane right-click on any undesirable applications or processes and select Delete.

14. Close Regedit.
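To make the Registry review above repeatable, here is an added PowerShell script (not part of the book's task) that lists every value under the Run, RunOnce, and RunOnceEx keys walked in steps 2 through 13, hashes the executable each entry points to, and saves the result as a baseline to compare against on later audits. It assumes Windows PowerShell 2.0 or later and a placeholder output path; note that the hive the steps call HKEY_USERS\DEFAULT is named .DEFAULT in the Registry.

```powershell
# Added example: inventory the Run/RunOnce/RunOnceEx keys and hash their targets.
$OutFile = 'C:\Temp\autoruns-registry.csv'   # placeholder path, change as needed
# HKEY_USERS is not mapped as a PowerShell drive by default; map it to read .DEFAULT.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
function Get-Sha256 {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'FILE NOT FOUND' }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}
$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # RunOnceEx keeps its commands in numbered subkeys, so walk the key and its children.
    foreach ($item in @(Get-Item $key) + @(Get-ChildItem $key -Recurse)) {
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Executable path: the quoted part, or the text up to the first ".exe".
            if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
            elseif ($cmd -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
            else { $exe = $cmd.Trim() }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            New-Object PSObject -Property @{
                Key     = $item.Name
                Name    = $name
                Exe     = $exe
                Sha256  = Get-Sha256 -Path $exe
                Command = $cmd
            } | Select-Object Key, Name, Exe, Sha256, Command
        }
    }
}
# Save the inventory as a baseline and show it; diff the CSV on the next audit.
$entries | Sort-Object Key, Name | Export-Csv -Path $OutFile -NoTypeInformation
$entries | Format-Table Key, Name, Exe, Sha256 -AutoSize
```

Entries whose hash reads FILE NOT FOUND point at a path that no longer exists and are worth a closer look, as are hashes that change between audits without a corresponding software update.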

Startup Folder

1. Right-click on the Start button and select Explore All Users.

2. Expand Programs and select Startup.

3. The items in this folder will launch with every user logon. Review these items and delete any that are undesirable by right-clicking on the item and selecting Delete.

4. Right-click on the Start button and select Explore.

5. Expand Programs and select Startup.

6. The items in this folder will launch when the currently logged-on user logs on. Review these items and delete any that are undesirable by right-clicking on the item and selecting Delete.
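The two Startup folders above are checked one profile at a time; as an added example (not from the book), the following PowerShell script walks the All Users folder and every user profile's Startup folder under the Windows XP / Server 2003 profile root, resolves what each shortcut actually launches via the WScript.Shell COM object, and reports additions and removals against a saved baseline. It assumes Windows PowerShell 2.0 or later and uses a placeholder baseline path.

```powershell
# Added example: inventory every profile's Startup folder and diff it against a baseline.
$Baseline   = 'C:\Temp\startup-folders.csv'   # placeholder path, change as needed
$relStartup = 'Start Menu\Programs\Startup'    # folder below each profile on XP/2003
# On XP/2003 the profile root (C:\Documents and Settings) is the parent of All Users.
$profileRoot = Split-Path -Parent $env:ALLUSERSPROFILE
$shell = New-Object -ComObject WScript.Shell

function Get-StartupItems {
    param([string]$ProfileRoot, [string]$RelStartup)
    foreach ($profile in Get-ChildItem -Path $ProfileRoot | Where-Object { $_.PSIsContainer }) {
        $folder = Join-Path $profile.FullName $RelStartup
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        $files = Get-ChildItem -Path $folder -Force |
            Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' }
        foreach ($file in $files) {
            # Most items are shortcuts; record the target the .lnk launches, not just its name.
            $target = $file.FullName
            if ($file.Extension -eq '.lnk') {
                $lnk = $shell.CreateShortcut($file.FullName)
                $target = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
            }
            New-Object PSObject -Property @{
                Profile  = $profile.Name
                Item     = $file.Name
                Target   = $target
                Modified = $file.LastWriteTime.ToString('s')
            } | Select-Object Profile, Item, Target, Modified
        }
    }
}

$current = @(Get-StartupItems -ProfileRoot $profileRoot -RelStartup $relStartup)
$old = @()
if (Test-Path -LiteralPath $Baseline) { $old = @(Import-Csv -Path $Baseline) }
if ($old.Count -gt 0 -and $current.Count -gt 0) {
    # "=>" marks items present now but not in the baseline; "<=" marks items that disappeared.
    Compare-Object -ReferenceObject $old -DifferenceObject $current -Property Profile, Item, Target |
        Format-Table SideIndicator, Profile, Item, Target -AutoSize
} else {
    Write-Host "No usable baseline at $Baseline; saving the current inventory as the baseline."
    $current | Export-Csv -Path $Baseline -NoTypeInformation
}
$current | Format-Table Profile, Item, Target, Modified -AutoSize
```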

Autoexec and Config Files

1. Autoexec.nt and Config.nt are in the Windows\System32 folder and are triggered when a DOS or Win16 application is launched. They configure the DOS or Win16 (WoWExec) environment. These files can be used to launch applications or processes, drivers, or services.

Autoexec.bat and Config.sys are in the root of the C: drive and are used when the system is booted into down-level operating systems. These files can be used to launch applications or processes, drivers, or services.

2. Launch Explorer. Select the root of the C: drive. In the right-hand pane, locate and click once on Autoexec.bat. Right-click on Autoexec.bat and select Edit.

3. Review Autoexec.bat to identify any applications and processes that are being launched. If you identify any undesirable applications or processes, you can remark out the line by entering REM as the first characters of the line, followed by a tab, or you can delete the line.

4. Select File ⇒ Save.

5. Close the Autoexec.bat file in Notepad.

6. Repeat this process for C:\Config.sys, C:\Windows\System32\Autoexec.nt, and C:\Windows\System32\Config.nt.

Startup, Logon, Logoff, and Shutdown Scripts

1. For this task, you will need to log on to a domain controller as a Domain Administrator.

2. After logging into a domain controller as a Domain Administrator, launch Explorer.

3. Expand the drive containing the system files. Drill down to the following path: Windows\SYSVOL\sysvol\DomainName.com\scripts.

Inappropriate modification or deletion of these scripts may cause system services and/or processes to fail. Do not modify any script that you do not fully understand.

This folder should already be shared as the NETLOGON share. This folder may be empty in your environment, but it is the location for all startup, logon, logoff, and shutdown scripts to be deployed by GPOs.

Any scripts located here should be interrogated to confirm that they execute desired processes and do not execute undesirable processes. Edit these scripts as appropriate.

4. When you have interrogated and confirmed the validity of all entries in all scripts, save your work and close Explorer.

5. Log off the domain controller.

Criteria for Completion

You have completed this task when you have reviewed and appropriately adjusted autorun applications and processes located in the Registry, startup folders, and initialization (.INI, .BAT, .SYS, and .NT) files and scripts.