Tuesday, May 14, 2019

Windows Startup Location Order : Windows Application Startup locations


List of registry keys that can start a program when Windows boots, in roughly the order they are processed. Applies to Windows 9x through Windows 10; see the reference articles linked here and here.


I. Windows Boot Device Drivers

These drivers are loaded first, as they are required for the proper operation of hardware such as storage devices. Boot device drivers are located under the following key and have a Start value equal to 0 (Start values: 0 = boot, 1 = system, 2 = automatic, 3 = manual, 4 = disabled).

Registry Keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

Windows then:

1) performs various startup tasks,

2) starts the Winlogon process, and

3) starts the Service Control Manager, which loads the services and drivers that are set to auto-start.

Windows Auto-start Services & Drivers - The SCM process (\Windows\System32\services.exe) launches any services or drivers that are marked with a Start value of 2.

Registry Keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

II. RunServicesOnce and RunServices (Windows 9x/ME only)

- These keys start services when the computer boots. Entries may continue running after you log on, but must complete before the HKEY_LOCAL_MACHINE\...\RunOnce key starts loading its programs. RunServicesOnce entries are removed after they run; RunServices entries run at every boot. NT-based Windows (2000 through Windows 10) does not process these keys; they are listed here for the 9x/ME systems this article also covers.

Registry Keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

The Windows logon prompt is shown on the Screen. After a user logs in the rest of the keys continue.

Notify - This key is used to add a program that will run when a particular event occurs. Events include logon, logoff, startup, shutdown, startscreensaver, and stopscreensaver. When Winlogon.exe generates one of these events, Windows looks in the Notify registry key for a DLL that handles it. Malware has used this method to load itself when a user logs on, because a DLL running inside Winlogon is not easy to stop. Winlogon notification packages are supported through Windows XP/Server 2003 only; Vista and later no longer load DLLs from this key, so on a modern system an entry here is a leftover rather than an active autostart.

Registry Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

III. UserInit Key

- This value specifies what program is launched right after a user logs into Windows. The default is C:\windows\system32\userinit.exe (followed by a trailing comma). Userinit.exe restores your profile, fonts, colors, etc. for your user name and then starts the shell. Further programs can be launched from this value by appending them, comma separated. For example:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = C:\windows\system32\userinit.exe,c:\windows\badprogram.exe

This will make both programs launch when you log in and is a common place for trojans, hijackers, and spyware to launch from.

Registry Key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

IV. Shell Value

- This value contains a comma-separated list of programs that Userinit.exe launches as the shell. The default shell for Windows is explorer.exe, though there are legitimate replacements (kiosk shells, for example). When Userinit.exe starts the shell, it first looks for a Shell value under HKEY_CURRENT_USER; if that value is not present, it uses the one under HKEY_LOCAL_MACHINE. The per-user value can be written without admin rights, which is why the HKCU copy deserves a check.

Registry Keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

The rest of the Autostart locations will now be processed.

V. RunOnce Local Machine Key

- These keys start programs synchronously for the current machine. Entries are run once and then deleted from the key (see IX for the exclamation-point prefix that delays deletion until the program completes). The RunOnce keys may be ignored in Safe Mode, depending on OS version.

Registry Keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Windows 10 : Run keys (machine, all users)

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems; 32-bit installers land here because of registry redirection)
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once; the value is deleted before the command runs unless its name is prefixed with !)
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once; entries sit in numbered subkeys and are cleared as soon as execution completes)
  • HKLM\System\CurrentControlSet\Services
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices (Windows 9x/ME only; not processed on Windows 10)
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (Windows 9x/ME only; not processed on Windows 10)
VI. Run

- These are the most common startup locations that programs install auto-starts into. By default these keys are not executed in Safe Mode. If you prefix the value name with an asterisk, *, it will run in Safe Mode too.

Registry Keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Windows 10 : Run keys (individual user)

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (only on 64-bit systems)
  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run (Run is a string value under the Windows key, next to Load; see the Load Key section below)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce (runs the program/command only once, clears it as soon as it is run)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (runs the program/command only once, clears it as soon as execution completes)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices (Windows 9x/ME only; not processed on Windows 10)
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (Windows 9x/ME only; not processed on Windows 10)
VII & VIII. All Users & Current User Startup Folders

Windows XP, NT, 2000:

Autostart folder of the current user

Win 9X, ME
c:\windows\start menu\programs\startup

Windows XP
C:\Documents and Settings\LoginName\Start Menu\Programs\Startup

Autostart folder of all users

Windows XP
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Windows NT
C:\WinNT\Profiles\All Users\Start Menu\Programs\Startup

Windows 2000
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Windows 10:

Autostart folder of the current user (writable by the user, no admin rights needed)

  • shell:startup
  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Autostart folder of all users (writing here requires admin rights)

  • shell:common startup
  • %programdata%\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp


IX. RunOnce Current User Key

- These keys are designed to be used primarily by Setup programs. Entries are started once and then deleted from the key. If an exclamation point precedes the value name, the entry is not deleted until after the program completes; otherwise it is deleted before the program runs. This matters because, without the exclamation point, a program that fails to complete will not run again, as its entry has already been deleted. The RunOnce keys are ignored under Windows 2000 and Windows XP in Safe Mode. The RunOnce keys are not supported by Windows NT 3.51.

Registry Key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce


X. Explorer Run

- These keys are generally used to load programs as part of a policy set in place on the computer or user.

Registry Keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Load Key - This value is the registry successor of the load= line in win.ini. It is not commonly used anymore, but can still be used to auto start programs, and it needs no admin rights to write.

Registry Key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

AppInit_DLLs - This value holds a list of DLLs that are loaded into every process that loads user32.dll. As most Windows executables use user32.dll, any DLL listed in AppInit_DLLs is loaded into nearly all of them. This makes the DLL very difficult to remove, as it is loaded within multiple processes, some of which cannot be stopped without causing system instability. Processes started automatically at logon also use user32.dll, so the DLLs named here are loaded very early in the Windows startup routine, which lets malware hide or protect itself before you have access to the system. On Windows 7 and later the LoadAppInit_DLLs DWORD in the same key must be 1 for the list to be honored, and on Windows 8 and later the mechanism is disabled entirely while Secure Boot is on. A 64-bit system has a second copy of this key under Wow6432Node that applies to 32-bit processes.

Registry Key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

ShellServiceObjectDelayLoad - This key holds values in a similar way as the Run key does. The difference is that instead of pointing to the file itself, each value names a CLSID, and that CLSID's InProcServer32 entry under HKLM\SOFTWARE\Classes\CLSID points at the DLL that actually gets loaded.

The objects under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell, it always starts and therefore always loads these DLLs, early in the startup process and before any human intervention occurs.

Registry Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

SharedTaskScheduler - This section corresponds to files loaded through the SharedTaskScheduler registry key on XP, NT and 2000 machines. Each value name is a CLSID that Explorer instantiates (again resolved through InProcServer32) automatically when you start Windows.

Registry Key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
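A scripted walk through the locations listed above, added here as an example and not part of the original article. It enumerates the Run-style keys, resolves the CLSID-based loaders to the DLL they really load, checks Userinit and Shell against their documented defaults, and lists AppInit_DLLs, the startup folders and the Start=0/2 services. It assumes an elevated PowerShell 5.1 or later session on 64-bit Windows 10; HKCU is the account running the script, so run it once per profile of interest. The helper names (Add-Finding, Get-RegValues, Resolve-Clsid) are this example's own.

```powershell
# Added example (not from the original post): enumerate the autostart locations
# listed above on a live Windows 10 host and flag entries that deviate from the
# documented defaults. Assumptions: elevated PowerShell 5.1+ on 64-bit Windows 10;
# HKCU is the user running the script. Helper names are this example's own.
$ErrorActionPreference = 'SilentlyContinue'
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Location, [string]$Name, [string]$Value) {
    $findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Value = $Value })
}

function Get-RegValues([string]$Path) {
    # One object per value under $Path, minus the provider's PS* metadata properties.
    if (-not (Test-Path $Path)) { return }
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $metaProps -notcontains $_.Name } |
        ForEach-Object { [pscustomobject]@{ Location = $Path; Name = $_.Name; Value = [string]$_.Value } }
}

function Resolve-Clsid([string]$Clsid) {
    # The DLL a CLSID really loads is its InprocServer32 default value (HKCU wins over HKLM).
    foreach ($root in 'HKCU:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\CLSID') {
        $srv = Get-ItemProperty -Path "$root\$Clsid\InprocServer32"
        if ($srv) { return [string]$srv.'(default)' }
    }
    return '<no InprocServer32 registered>'
}

# 1. Run / RunOnce / RunOnceEx / policy Run keys (RunServices* omitted: Windows 9x/ME only).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($k in $runKeys) { Get-RegValues $k | ForEach-Object { $findings.Add($_) } }

# 2. CLSID-based loaders: resolve each CLSID to the DLL Explorer will actually load.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler') {
    Get-RegValues $k | ForEach-Object {
        # SSODL stores name=CLSID; SharedTaskScheduler stores CLSID=description.
        $clsid = if ($_.Name -match '^\{[0-9A-F-]{36}\}$') { $_.Name } else { $_.Value }
        Add-Finding $_.Location $_.Name "$clsid -> $(Resolve-Clsid $clsid)"
    }
}

# 3. Winlogon: Userinit and Shell must match the defaults; any HKCU Shell is an override.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = ([string]$wl.Userinit).TrimEnd(',')
if ($userinit -ne "$env:SystemRoot\system32\userinit.exe") { Add-Finding 'HKLM Winlogon' 'Userinit (NON-DEFAULT)' $wl.Userinit }
if ([string]$wl.Shell -ne 'explorer.exe')                  { Add-Finding 'HKLM Winlogon' 'Shell (NON-DEFAULT)' $wl.Shell }
$wlUser = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wlUser.Shell) { Add-Finding 'HKCU Winlogon' 'Shell (per-user override, takes precedence)' $wlUser.Shell }
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' |
    ForEach-Object { Add-Finding 'Winlogon\Notify (legacy, XP/2003 only)' $_.PSChildName ([string](Get-ItemProperty $_.PSPath).DLLName) }

# 4. AppInit_DLLs (native and Wow6432Node copies) plus the HKCU Load/Run values.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $w = Get-ItemProperty $k
    if ($w.AppInit_DLLs) { Add-Finding $k "AppInit_DLLs (LoadAppInit_DLLs=$($w.LoadAppInit_DLLs))" $w.AppInit_DLLs }
}
$wu = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
foreach ($v in 'Load', 'Run') { if ($wu.$v) { Add-Finding 'HKCU ...\Windows NT\CurrentVersion\Windows' $v $wu.$v } }

# 5. Startup folders (the per-user folder is writable without admin rights).
foreach ($f in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") {
    Get-ChildItem -Path $f -Force | Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object { Add-Finding $f $_.Name $_.FullName }
}

# 6. Services and drivers with Start = 0 (boot) or 2 (automatic), with their binaries.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' |
    Where-Object { $_.Start -in @(0, 2) -and $_.ImagePath } |
    ForEach-Object { Add-Finding "Services (Start=$($_.Start))" $_.PSChildName $_.ImagePath }

$findings | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Anything tagged NON-DEFAULT, any HKCU Shell override, any populated AppInit_DLLs and any Run entry or startup-folder item pointing into a user-writable path (AppData, Temp, Public) is worth triage. The output is a subset of what Sysinternals Autoruns shows; the point of scripting it is that it can run on a schedule and be diffed against a known-good baseline.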




    Tuesday, May 7, 2019

    GMail sample filter using OR and AND logical operators

I had a need to filter all emails coming from autotrader or cargurus or autolist, and I wanted the emails to be moved into a label of my choosing. To achieve this we can use the following search. We can then save this search as a filter. The filter will then have an action to move emails that match this criteria to a label.

• To use the OR operator: simply type OR, or a | (pipe char) with a blank space on each side

subject:(Best OR Vimeo)

subject:(Best | Vimeo)

• To use the AND operator: type AND

subject:(Now AND Vimeo)

So let's build the search:

    1) Get your search right:

    from:(*autolist.com | *autotrader.com | *cargurus.com)

    2) Now build the filter, here is a screen recording of how I did this

    Finished Example See here

    Here are some great links with examples:

    https://emailanalytics.com/25-gmail-search-operators-that-will-make-you-a-gmail-pro/

    https://digitalinspiration.com/gmail-search-4355

    https://webapps.stackexchange.com/questions/92004/how-to-use-or-operator-in-gmail

    Monday, April 29, 2019

    SharePoint : Create a button or link in a list that can Check Workflow Status or Start an MS Flow

    1. Create link on List to check Workflow Status (OnPrem SP2010/2013 & SPO ModernUI)

Example of a link column on a list that opens the Workflow Status page: View Example

    SPO Modern UI:

    SharePoint Column Formatting ModernUI : column formatting to customize SharePoint

    0. Get GUID of list :

    e.g: 8B418B49-95E8-4851-9CBB-F04542182AB5

    1. Add Column,

    e.g: See Here

    2. Set Column Customization: e.g:

    SPO: COLUMN Customizations Cool!

{
  "$schema": "https://developer.microsoft.com/json-schemas/sp/column-formatting.schema.json",
  "elmType": "a",
  "txtContent": "@currentField",
  "attributes": {
    "target": "_blank",
    "href": "='[YourSite]/_layouts/15/Workflow.aspx?List={8B418B49-95E8-4851-9CBB-F04542182AB5}&ID=' + [$ID]"
  }
}

    3. View List

    OnPrem

    0. Get GUID of list :

    e.g: 8B418B49-95E8-4851-9CBB-F04542182AB5

    1. Calculated Column:

    e.g: See here

    2. Apply Formula:

    ="https://smhi365.sharepoint.com/sites/MigrationTest/_layouts/15/Workflow.aspx?List={8B418B49-95E8-4851-9CBB-F04542182AB5}&ID="&ID

2. Create a button to start an MS Flow:

    Example showing button and link:

    More Details Here:

    https://wonderlaura.com/2018/07/18/button-in-sharepoint-list-to-trigger-microsoft-flow/

    Thursday, April 25, 2019

    Check .Net Framework Version on any Windows Machine

1. Open the command prompt (i.e. Windows + R, then type "cmd").
2. Type the following command, all on one line. This lists all the installed .NET Framework versions:

    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

    Results: http://prntscr.com/ngyyuz


3. To get the latest .NET 4 version, type the following command on a single line:

    reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v version

    results: http://prntscr.com/ngyyxn
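The Version string returned by the second command does not distinguish point releases reliably (4.7.2 and 4.8 both report a 4.x.y build string), so the documented way to identify the installed 4.x release is the Release DWORD under NDP\v4\Full. The following PowerShell is an added example, not part of the original post, and goes one step beyond it by mapping Release to the version name using the minimum values Microsoft publishes for 4.5 through 4.8.1. It assumes a machine with .NET Framework 4.5 or later; the function names are this example's own.

```powershell
# Added example (not from the original post): equivalent of the two reg query
# commands above, plus the Release-to-version mapping Microsoft documents for
# .NET Framework 4.5 .. 4.8.1. Newer releases need a new row in the table.
# Assumes Windows with .NET Framework 4.5 or later; function names are ours.

function Get-DotNetInstallations {
    # Every NDP subkey that carries a Version value (same data as the first reg query).
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse |
        Get-ItemProperty |
        Where-Object { $_.Version } |
        Select-Object @{ n = 'Key'; e = { $_.PSChildName } }, Version, Release, Install
}

function Get-DotNet4Version {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    if (-not (Test-Path $key)) { return 'No .NET Framework 4.5 or later detected' }
    $release = (Get-ItemProperty -Path $key).Release
    if (-not $release) { return '.NET Framework 4.0 only (no Release value)' }

    # Minimum Release value per version, highest first; the first threshold met wins.
    $table = [ordered]@{
        533320 = '4.8.1'
        528040 = '4.8'
        461808 = '4.7.2'
        461308 = '4.7.1'
        460798 = '4.7'
        394802 = '4.6.2'
        394254 = '4.6.1'
        393295 = '4.6'
        379893 = '4.5.2'
        378675 = '4.5.1'
        378389 = '4.5'
    }
    foreach ($entry in $table.GetEnumerator()) {
        if ($release -ge $entry.Key) { return "$($entry.Value) (Release=$release)" }
    }
    return "Unknown, newer than this table (Release=$release)"
}

Get-DotNetInstallations | Format-Table -AutoSize
Get-DotNet4Version
```

Why this matters beyond inventory: the Release value is what patch-compliance checks should key on, since a box can report Version 4.8.x while still missing the 4.8.1 servicing baseline.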

    Tuesday, April 16, 2019

    Powershell + Windows Service : Disable and Stop a Service if it is Enabled and Running.

    1. Create Script

    2. Create bat file to call Script

3. Schedule a Windows task to invoke the bat file every (n) minutes

    Name: AutoStopStartService.ps1

    In my case I am stopping Windows Update, since Win10 likes to restart/re-enable Windows Update it seems every day atleast, even if the Admin disables it!

1. Script: see here

param (
    [string]$service = $(throw "-service is required.")
)

# Double quotes so that $service actually expands (single quotes print it literally)
Write-Output "AutoStopStartService()-> START, svc is $service"

# Get the service; fail loudly if the name is wrong
$ServiceName = $service
$arrService = Get-Service -Name $ServiceName -ErrorAction Stop

Write-Output "Current status: $($arrService.Status)"

# Get the start mode (Auto/Manual/Disabled) as a plain string rather than a wrapper object
$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'").StartMode

# If not Disabled, disable it
if ($startMode -ne 'Disabled')
{
    Write-Output 'AutoStopStartService()-> DISABLE it!'
    Set-Service -Name $ServiceName -StartupType Disabled
}

# If running, stop it
if ($arrService.Status -ne 'Running')
{
    Write-Output 'AutoStopStartService()-> Service already stopped!'
}
else
{
    Write-Output 'AutoStopStartService()-> STOP IT!'
    # Caveat: pointed at wuauserv this also stops security updates from installing,
    # so scope the task to a maintenance window rather than leaving it on permanently.
    Stop-Service -Name $ServiceName -Force
    Start-Sleep -Seconds 10
    $arrService.Refresh()
    Write-Output "Service NEW STATUS-> $($arrService.Status)"
}

# done
Write-Output 'AutoStopStartService()-> DONE'

Exit


2. Create bat file to call Script

powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File "%~dp0AutoStopStartService.ps1" -service wuauserv

(-WindowStyle and -ExecutionPolicy are powershell.exe switches and must come before -File; if they follow the script name they are handed to the script as unknown parameters and the run fails. %~dp0 resolves to the folder the .bat lives in, so keep the .ps1 next to it.)

3. Windows Task: Schedule to invoke bat file every (n) minutes

See here
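The task itself can be registered from PowerShell instead of the Task Scheduler GUI. The following is an added example, not from the original post; it assumes the script was saved as C:\Scripts\AutoStopStartService.ps1 (a hypothetical path), an elevated session, and the ScheduledTasks module that ships with Windows 8 / Server 2012 and later. It calls powershell.exe directly, so the .bat wrapper is not needed.

```powershell
# Added example (not from the original post): register the step-3 task from
# PowerShell. Assumptions: script at C:\Scripts\AutoStopStartService.ps1
# (hypothetical path), elevated session, ScheduledTasks module (Win8/2012+).

$scriptPath   = 'C:\Scripts\AutoStopStartService.ps1'
$serviceName  = 'wuauserv'
$intervalMins = 15

# The task runs as SYSTEM, so the script folder must not be writable by ordinary
# users; otherwise anyone who can edit the .ps1 gets SYSTEM every $intervalMins.
$acl = Get-Acl (Split-Path $scriptPath)
$acl.Access | Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' -and $_.IdentityReference -match 'Users|Everyone|Authenticated' } |
    ForEach-Object { Write-Warning "Script folder writable by $($_.IdentityReference); fix the ACL before registering." }

# -File so that -service reaches the script while -WindowStyle/-ExecutionPolicy
# are consumed by powershell.exe (the ordering problem noted above).
$action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument (
    "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$scriptPath`" -service $serviceName")

# Start now and repeat every N minutes. Windows 10 treats an omitted
# -RepetitionDuration as indefinite; Windows 8/2012 may require it explicitly.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes $intervalMins)

# SYSTEM needs no stored credential and can stop/disable services; Highest = elevated.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Do not pile up overlapping runs, and kill a hung run after 5 minutes.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 5) -StartWhenAvailable

Register-ScheduledTask -TaskName 'AutoStopStartService' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify registration and next run time.
Get-ScheduledTask -TaskName 'AutoStopStartService' | Get-ScheduledTaskInfo
```

A task that disables Windows Update every 15 minutes is exactly the kind of persistence an intrusion analyst would flag, so name it clearly, document why it exists, and remove it (Unregister-ScheduledTask -TaskName 'AutoStopStartService' -Confirm:$false) once the maintenance window is over.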

    Sunday, March 24, 2019

    Customize Find in Files Find Results format of results

So I'm using VS 2017; with Find in Files, the Find Results window is displaying an awfully long result for each file name found as the result of a search. This makes it difficult to quickly ascertain the file name. Previous versions of VS by default displayed the file name; it seems (for me at least) that VS 2017 is displaying the full name in Find Results. See example here





To resolve this we would like to see the file name (or a relative path) in the Find Results. Visual Studio reads the format from a registry string value; from VS 2017 on, that registry lives in a private hive file instead of HKCU, so the steps differ per version:

>= VS 2017

• Close Visual Studio 2017 (the private hive is locked while devenv.exe runs)
• Open regedit
• Select HKEY_LOCAL_MACHINE in the left pane
• Select File > Load Hive...
• Load the privateregistry.bin file from %localappdata%\Microsoft\VisualStudio\15.0_[instanceid]{RootSuffix}\privateregistry.bin (for example C:\Users\[userName]\AppData\Local\Microsoft\VisualStudio\15.0_f294cc8e\privateregistry.bin). The RootSuffix for a normal VS installation is blank; it is mostly used for the experimental instance
• Name the key whatever you want (e.g. "VS2017") when prompted
• From there you can view and edit the entries just like any normal registry key
• Customize it according to the accepted answer's suggestions (the Find key under the loaded hive, using the format specifiers below)
• Once you're finished, you must "Unload" the private registry by selecting the root key ("VS2017" in this example) and selecting File > Unload Hive. If you don't do this, VS won't be able to read privateregistry.bin when it runs, causing major problems

< VS 2017

Using regedit:
See the article Customize how Find in Files results are displayed in the Find Results Window:
Example here


    Format specifiers:
    Files
    • $p - path
    • $f - filename
    • $v - drive/unc share
    • $d - dir
    • $n - name
    • $e - .ext
    Location
    • $l - line
    • $c - col
    • $x - end col if on first line, else end of first line
    • $L - span end line
    • $C - span end col
    Text
    • $0 - matched text
    • $t - text of first line
    • $s - summary of hit
    • $T - text of spanned lines
    Char
    • \n - newline
    • \s - space
    • \t - tab
    • \\ - slash
    • \$ - $
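The load-edit-unload sequence above is easy to get wrong by hand (forgetting the unload is the step that breaks VS), so here it is scripted. This is an added example, not from the original post. It assumes Visual Studio is closed, an elevated session (loading a hive under HKLM requires it), and the instance folder 15.0_f294cc8e quoted above (yours will differ). The value name "Find result format" and the Find key location follow the Customize how Find in Files results are displayed article; the path of that key inside the loaded hive is assumed to mirror the HKCU layout.

```powershell
# Added example (not from the original post): set the Find Results format for
# VS 2017 by loading privateregistry.bin as a hive. Assumptions: VS closed,
# elevated session, instance id 15.0_f294cc8e (yours differs), and the Find key
# inside the hive at Software\Microsoft\VisualStudio\<instance>\Find.

$instanceId = '15.0_f294cc8e'
$hiveFile   = "$env:LOCALAPPDATA\Microsoft\VisualStudio\$instanceId\privateregistry.bin"
$mount      = 'HKLM\VS2017'                            # temporary name for the loaded hive
$findKey    = "HKLM:\VS2017\Software\Microsoft\VisualStudio\$instanceId\Find"
$format     = '$f$e($l,$c): $t\n'                      # filename.ext(line,col): matched line

if (Get-Process devenv -ErrorAction SilentlyContinue) { throw 'Close Visual Studio first; the hive is locked while it runs.' }
if (-not (Test-Path $hiveFile)) { throw "Hive not found: $hiveFile" }

# Back up the hive before touching it; a corrupt or still-mounted hive breaks VS startup.
Copy-Item $hiveFile "$hiveFile.bak" -Force

& reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (run from an elevated prompt).' }
try {
    if (-not (Test-Path $findKey)) { New-Item -Path $findKey -Force | Out-Null }
    Set-ItemProperty -Path $findKey -Name 'Find result format' -Value $format -Type String
    Get-ItemProperty -Path $findKey -Name 'Find result format'
}
finally {
    # Always unload, even on error, or VS cannot open its private registry.
    [GC]::Collect()                                    # drop PowerShell's handles to the mounted key
    & reg.exe unload $mount | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; run 'reg unload $mount' manually before starting VS." }
}
```

The same script works for VS 2019 by changing the instance folder to 16.0_<id>; for VS 2015 and earlier, skip the load/unload and write the value under HKCU:\Software\Microsoft\VisualStudio\<version>\Find directly.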

    IE 11 and SharePoint Detect Compatibility Mode

    Strange but true:

    Identifying compatibility view in IE11 without the use of Developer tools (F12)

It's possible to parse the IE version in use and its document mode from the User Agent string. And you don't even have to do that yourself: there's a small JavaScript library called IE-truth that does this for you. You can find it here: https://github.com/Gavin-Paolucci-Kleinow/ie-truth


Using this library, you can implement something like this in the script editor web part in SharePoint. Rather than referencing a third-party CDN that you do not control (it can change the file or go away), copy ie-truth.js into your own site assets library and reference it from there:

<span id="browserVersion"></span>
<script src="//cdn.rawgit.com/Gavin-Paolucci-Kleinow/ie-truth/master/ie-truth.js" type="text/javascript"></script>
<script type="text/javascript">
// <![CDATA[
var IE = IeVersion();
var elem = document.getElementById("browserVersion");
// textContent rather than innerHTML: the value is a boolean, but never build markup from strings you did not write
elem.textContent = "Is your browser using compatibility mode: " + IE.CompatibilityMode;
// ]]>
</script>

    Full Source of source script as of 201903:

function IeVersion() {
    // Set defaults
    var value = {
        IsIE: false,
        IsEdge: false,
        EdgeHtmlVersion: 0,
        TrueVersion: 0,
        ActingVersion: 0,
        CompatibilityMode: false
    };
    // Try to find the Trident version number
    var trident = navigator.userAgent.match(/Trident\/(\d+)/);
    if (trident) {
        value.IsIE = true;
        // Convert from the Trident version number to the IE version number (Trident 7 = IE 11)
        value.TrueVersion = parseInt(trident[1], 10) + 4;
    }
    // Try to find the MSIE number
    var msie = navigator.userAgent.match(/MSIE (\d+)/);
    if (msie) {
        value.IsIE = true;
        // Find the IE version number the browser is acting as from the user agent string
        value.ActingVersion = parseInt(msie[1], 10);
    } else {
        // Must be IE 11 in "edge" mode
        value.ActingVersion = value.TrueVersion;
    }
    // If we have both a Trident and MSIE version number, see if they're different
    if (value.IsIE && value.TrueVersion > 0 && value.ActingVersion > 0) {
        // In compatibility mode if the Trident number doesn't match up with the MSIE number
        value.CompatibilityMode = value.TrueVersion != value.ActingVersion;
    }
    // Try to find Edge and the EdgeHTML version number
    var edge = navigator.userAgent.match(/Edge\/(\d+\.\d+)$/);
    if (edge) {
        value.IsEdge = true;
        value.EdgeHtmlVersion = edge[1];
    }
    return value;
}