Executing programs before the shell comes up?
Some programs, especially common with defragmenters, start themselves up, even before Windows is fully loaded.
One example is this program, which defragments the page file:
http://www.sysinternals.com/Utilities/PageDefrag.html
If you start it, choose the option "defragment at next boot", and then reboot, you will very much see what I mean.
So, my question is: How to do something like that too?
The shell for a console will always come up; however, for a Windows program, if you don't make a window, you get no window. So, put your program in the registry so that Windows loads it up first and executes it.
Here are a few links that might help.
STARTUP PROGRAM LOADING
Windows Program Automatic Startup Locations
Launching an Application on Windows Startup
Looking over pagedfrg.exe in a pe file hacking tool reveals that a device driver (pagedfrg.sys) and a system service exe (pgdfgsvc.exe) are stored in the resource section of that utility. Either of those files could accomplish the task.
Using Regmon to monitor the registry activity of pagedfrg.exe after selecting the "defrag at next boot" option reveals the following activities:
143 304.01150513 pagedfrg.exe:1472 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute SUCCESS "autocheck autochk *"
144 304.01153564 pagedfrg.exe:1472 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute SUCCESS "autocheck autochk *"
155 320.61981201 pagedfrg.exe:1472 SetValue HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute SUCCESS "autocheck autochk *"
So it appears that
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
is the registry key to focus on - plug that key into google web and google groups and start reading. YMMV.
Thanks.
Googling gave me these links:
http://www.sysinternals.com/Information/NativeApplications.html
http://www.sysinternals.com/Information/NativeApi.html
It seems only "native" apps can be executed with BootExecute (and no, Win32 isn't native).
Interesting.
Quote: Original post by LessBread
Here are a few links that might help.
STARTUP PROGRAM LOADING
Windows Program Automatic Startup Locations
Launching an Application on Windows Startup
Looking over pagedfrg.exe in a pe file hacking tool reveals that a device driver (pagedfrg.sys) and a system service exe (pgdfgsvc.exe) are stored in the resource section of that utility. Either of those files could accomplish the task.
Using Regmon to monitor the registry activity of pagedfrg.exe after selecting the "defrag at next boot" option reveals the following activities:
143 304.01150513 pagedfrg.exe:1472 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute SUCCESS "autocheck autochk *"
144 304.01153564 pagedfrg.exe:1472 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute SUCCESS "autocheck autochk *"
155 320.61981201 pagedfrg.exe:1472 SetValue HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute SUCCESS "autocheck autochk *"
So it appears that
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
is the registry key to focus on - plug that key into google web and google groups and start reading. YMMV.
I'm on Windows XP (no SP packages, they crash my system for some reason), and have not installed that software, but I'm not finding a BootExecute folder anywhere in the Control folder. Either it's installed with the program and launched by something else, or an update from Windows I haven't gotten. Just my little heads up.
It's not a folder, it's a key in
HKLM\System\CurrentControlSet\Control\Session Manager
The entry type is REG_MULTI_SZ. After selecting the "run at next boot" option from pagedfrg the value of this entry is
autocheck autochk *
pgdfgsvc C 1 -o
which tells me that the application invoked at boot is the service app stored in the resource section of pagedfrg.exe. This machine is running XP sp2.
@VeryBoringNickName - check out google groups too.
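For auditing this value, an added example (not code from the thread) that decodes REG_MULTI_SZ data and reports BootExecute entries outside a baseline. The baseline set, the function names and the sample bytes are assumptions made for the example; the two sample entries are the ones quoted in the post above.

```python
# Added example (not from the thread): audit BootExecute for non-default entries.
# The value is REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, with an
# empty string (extra NUL) closing the list.

KEY_PATH = r"System\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "BootExecute"
# Baseline taken from the Regmon trace in the thread; extend it per environment.
BASELINE = {"autocheck autochk *"}

# Constructed sample: raw bytes for the two entries quoted in the thread.
SAMPLE_RAW = "autocheck autochk *\0pgdfgsvc C 1 -o\0\0".encode("utf-16-le")


def parse_multi_sz(raw: bytes) -> list:
    """Decode raw REG_MULTI_SZ bytes (e.g. from a hive export) into strings."""
    if len(raw) % 2:
        raise ValueError("REG_MULTI_SZ data must be an even number of bytes")
    entries = []
    for item in raw.decode("utf-16-le").split("\0"):
        if not item:          # empty string terminates the list
            break
        entries.append(item)
    return entries


def audit_boot_execute(entries, baseline=BASELINE):
    """Return the entries that are not in the baseline, with their first token."""
    known = {b.lower() for b in baseline}
    findings = []
    for entry in entries:
        normalized = " ".join(entry.split()).lower()
        if normalized and normalized not in known:
            findings.append({"entry": entry, "first_token": entry.split()[0]})
    return findings


def read_live_entries():
    """Read the value from the local registry (Windows only)."""
    import winreg  # standard library, only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        value, value_type = winreg.QueryValueEx(key, VALUE_NAME)
    if value_type != winreg.REG_MULTI_SZ:
        raise ValueError("unexpected registry type %d" % value_type)
    return value  # winreg already returns REG_MULTI_SZ as a list of str


if __name__ == "__main__":
    for finding in audit_boot_execute(parse_multi_sz(SAMPLE_RAW)):
        print("non-default BootExecute entry:", finding["entry"])
```

On a Windows host, pass `read_live_entries()` to `audit_boot_execute()` instead of the parsed sample.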
Quote: Original post by LessBread
It's not a folder, it's a key in
HKLM\System\CurrentControlSet\Control\Session Manager
The entry type is REG_MULTI_SZ. After selecting the "run at next boot" option from pagedfrg the value of this entry is
autocheck autochk *
pgdfgsvc C 1 -o
which tells me that the application invoked at boot is the service app stored in the resource section of pagedfrg.exe. This machine is running XP sp2.
@VeryBoringNickName - check out google groups too.
I feel stupid, forgot that if it's a file there's no slash at the end... It's just that you said "in," so I expected a folder. Thanks for the clarification.