Ram & Reason: Knowledge is Power: SIW and Autoruns

        By Rob Rice   September 2006

 

     
Knowing the intimate details of your PC is a necessity when troubleshooting or repairing. Now, having said that, Windows does provide a lot of information but it is not always easy to find or accessible by a simple click of the mouse. For example, if you lose your Windows Key, how do you find it? Is a high temperature on my hard drive or CPU causing my system lockups? What processes are currently running or what programs start when I start Windows?

Two free programs, SIW and Autoruns, will answer these questions and provide answers to questions you have not even thought of yet!

SIW - System Information for Windows
Written by Gabriel Topala, SIW is an easy-to-use program that “Performs computer configuration analysis and diagnostics”. With no installation required, it is just click and run. It can be loaded onto your USB flash drive, transported, and run straight from the flash drive. Detailed information is presented in a simple interface about such items as: network traffic, CPU, motherboard, chipset, BIOS, PCI/AGP, USB and ISA/PnP devices, memory, monitor, video card, disk drives, CD/DVD devices, SCSI devices, S.M.A.R.T., ports, network cards, printers, operating system, installed programs, hot fixes, processes, services, serial numbers (CD keys), users, open files, system uptime, network, and network shares. If that were not enough, real-time information for CPU, memory and pagefile usage is also available. Just click on the Secrets links to reveal passwords hidden behind asterisks.

Several basic network tools are also thrown in such as ping, trace and Whois to name just a few. The program can run in batch mode and can create an HTML report; however, be careful when creating a report since all system information is logged by default, including passwords! To choose which items should be documented, go to Tools in the top menu bar and choose Options.

SIW will run on Microsoft Windows 98/Me/NT4/2000/XP/Server 2003/Media Center/Tablet PC/Windows 2003 Server R2/Windows Server 2003 x64/Windows XP x64/Vista.

 



Autoruns – by Mark Russinovich and Bryce Cogswell
Like SIW, Autoruns does not need to be installed on your hard drive, and weighing in at around 725KB, it will fit on a floppy. Written by the good folks over at Sysinternals, this latest tool will show you the current auto-start applications and the full list of Registry and file system locations available for auto-start configuration. Auto-start locations displayed by Autoruns include logon entries, Explorer add-ons, Internet Explorer add-ons including Browser Helper Objects (BHOs), image hijacks, boot execute images, logon notification DLLs, services and Winsock providers.



An auto-start entry can be disabled by removing the check in the check box or removed entirely by simply selecting the entry and pressing the delete key.

With a right-click of the mouse button a handy menu is displayed, and there you will find one of my favorite features: if you don’t know what a particular auto-start program is, an option to look up a file with a Google Web search is available. Select the file you have a question about, right-click and choose Google. The number of folks using Autoruns is growing, and with that growth comes an increase in people seeking answers. Fortunately, others are sharing their knowledge. In other words, it’s getting easier to find information on those obscure programs that start up every time you log in to Windows.

You can hide the Microsoft entries by selecting Hide Microsoft Entries in the Options menu. This will allow you to zoom in on suspect or unfamiliar entries. Select entries in the User menu to view auto-starting images for different user accounts.

The various selection tabs include:
• Logon: Scans standard auto-start locations such as the Startup folder for the current user and all users, the Run Registry keys, and standard application launch locations.
• Explorer: Shows Explorer shell extensions, browser helper objects, Explorer toolbars, active setup executions, and shell execute hooks.
• Internet Explorer: Shows Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions.
• Services: All Windows services configured to start automatically when the system boots.
• Drivers: Displays all kernel-mode drivers registered on the system except those that are disabled.
• Scheduled Tasks: Task scheduler tasks configured to start at boot or logon.
• AppInit DLLs: Shows DLLs registered as application initialization DLLs.
• Boot Execute: Native images (as opposed to Windows images) that run early during the boot process.
• Image Hijacks: Image file execution options and command prompt auto-starts.
• Known DLLs: Reports the location of DLLs that Windows loads into applications that reference them.
• Winlogon Notifications: Shows DLLs that register for Winlogon notification of logon events.
• Winsock Providers: Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can uninstall them, but cannot disable them.
• LSA Providers: Shows registered Local Security Authority (LSA) authentication, notification and security packages.
• Printer Monitor Drivers: Displays DLLs that load into the print spooling service. Malware has used this support to auto-start itself.
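
As an added example (not part of the original article and not Sysinternals code), this PowerShell script lists what a few of the tabs above inspect, which is handy for comparing a machine against a known-good baseline. The registry paths are standard Windows locations supplied here rather than taken from the article, and `Get-RegValues` is a hypothetical helper name.

```powershell
# Added example: read-only listing of a few auto-start locations, labelled by Autoruns tab name.
# Registry paths are standard Windows locations (assumption: not quoted in the article).
function Get-RegValues($Tab, $Path, $Names) {
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return }                              # key absent on this system
    foreach ($p in $key.PSObject.Properties) {
        if ($skip -contains $p.Name) { continue }          # provider metadata, not registry values
        if ($Names -and $Names -notcontains $p.Name) { continue }
        if (-not "$($p.Value)".Trim()) { continue }        # empty value: nothing registered
        [pscustomobject]@{ Tab = $Tab; Location = $Path; Name = $p.Name; Value = ($p.Value -join '; ') }
    }
}

$cv  = 'Software\Microsoft\Windows\CurrentVersion'
$nt  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'
$ctl = 'HKLM:\SYSTEM\CurrentControlSet\Control'

$entries = @(
    # Logon tab: Run and RunOnce keys for the machine and the current user
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($k in 'Run', 'RunOnce') { Get-RegValues 'Logon' "$hive\$cv\$k" }
    }
    # Logon tab: Startup folders for the current user and all users
    foreach ($f in 'Startup', 'CommonStartup') {
        Get-ChildItem -File ([Environment]::GetFolderPath($f)) -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Tab = 'Logon'; Location = $_.DirectoryName; Name = $_.Name; Value = $_.FullName } }
    }
    # Single-key locations: AppInit DLLs, Boot Execute and LSA Providers tabs
    Get-RegValues 'AppInit DLLs' "$nt\Windows" 'AppInit_DLLs'
    Get-RegValues 'Boot Execute' "$ctl\Session Manager" 'BootExecute'
    Get-RegValues 'LSA Providers' "$ctl\Lsa" 'Authentication Packages', 'Notification Packages', 'Security Packages'
    # Image Hijacks tab: a Debugger value under a program's subkey redirects its launch
    Get-ChildItem "$nt\Image File Execution Options" -ErrorAction SilentlyContinue |
        ForEach-Object { Get-RegValues 'Image Hijacks' $_.PSPath 'Debugger' }
    # Printer Monitor Drivers tab: each monitor subkey names the DLL the spooler loads
    Get-ChildItem "$ctl\Print\Monitors" -ErrorAction SilentlyContinue |
        ForEach-Object { Get-RegValues 'Printer Monitor Drivers' $_.PSPath 'Driver' }
)
$entries | Sort-Object Tab, Location | Format-Table -AutoSize -Wrap
```

On 64-bit Windows, the 32-bit registry view under Wow6432Node holds a parallel set of several of these keys that this listing does not cover.
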

Autoruns works on all versions of Windows including Windows XP 64-bit Edition (for x64) and Windows Server 2003 64-bit Edition (for x64).

By themselves SIW and Autoruns are two terrific free programs, but using both creates the potential to stop problems cold. These are definitely two “must have” pieces of software!

Autoruns is available from Sysinternals (now a wholly owned subsidiary of Microsoft Corporation): http://www.sysinternals.com/Utilities/Autoruns.html

SIW is available from Gabriel Topala’s website: http://www.gtopala.com


Rob Rice is a member computer specialist in Anchorage, Alaska and a graduate of the Candler School of Theology, at Emory University, Atlanta GA. Rob can be contacted at articles@isp.com.