[Update] SysInternals Autoruns v7.0

[Gordon Darling]

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

"Last Updated: March 2, 2005 v7.0
Introduction

This utility, which has the most comprehensive knowledge of auto-starting
locations of any startup monitor (A starting list of auto-run locations
was obtained from David Solomon's "Windows Internals" seminar), shows you
what programs are configured to run during system bootup or login, and
shows you the entries in the order Windows processes them. These programs
include ones in your startup folder, Run, RunOnce, and other Registry
keys. You can configure Autoruns to show other locations, including
Explorer shell extensions, toolbars, browser helper objects, Winlogon
notifications, auto-start services, and much more. Autoruns goes way
beyond the MSConfig utility bundled with Windows Me and XP.

Autoruns' "Hide Signed Microsoft Entries " option helps you to zoom in on
third-party auto-starting images that have been added to your system and
it has support for looking at the auto-starting images configured for
other accounts configured on a system. Also included in the download
package is a command-line equivalent that can output in CSV format,
Autorunsc.

You'll probably be surprised at how many executables are launched
automatically!

Autoruns works on all versions of Windows."

Regards
Gordon

 

[/3iff //ullins]

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml

excellent analysis tool i bring on every housecall.

 

[Joe Bloggs]

excellent analysis tool i bring on every housecall.

Anyone why it very persistently tries to connect to
<crl.microsoft.com>?

 

[MLC]

_Joe Bloggs_, sabato 05/mar/2005:

Anyone why it very persistently tries to connect to
<crl.microsoft.com>?

Does it happen only opening the help file?
Also other applications do it, when they open a .chm file.
I think it's a Microsoft check for ActiveX or other beasts of this kind...
I usually block it and nothing bad happens, the chm help works well.

 

[Antoine]

Does it happen only opening the help file?
Also other applications do it, when they open a .chm file.
I think it's a Microsoft check for ActiveX or other beasts of this
kind... I usually block it and nothing bad happens, the chm help
works well.

Here the application itself tries to connect to the mentionned url.

 

[MLC]

_Antoine_, sabato 05/mar/2005:

Here the application itself tries to connect to the mentionned url.

It's odd. Here Kerio popups only when I open the help file.

 

[Antoine]

_Antoine_, sabato 05/mar/2005:



It's odd. Here Kerio popups only when I open the help file.

I confirm what I wrote : the program itself requests an outbound
connection with :
- remote service : http (port 80)
- remote address : crl.microsoft.com

I browsed quickly the .exe files in a code-editor (yes, usually not
very helpful I admit) and it contains several urls of this type :
http://www.crl.xxxx.com

 

[/3iff //ullins]

Anyone why it very persistently tries to connect to
<crl.microsoft.com>?

yup. to look at their database of known processes.

 

[/3iff //ullins]

_Antoine_, sabato 05/mar/2005:


It's odd. Here Kerio popups only when I open the help file.

its basically only checking m$ process version info.

 

[/3iff //ullins]

Anyone why it very persistently tries to connect to
<crl.microsoft.com>?

i need to correct my last reply to this.

crl.microsoft.com is the microsoft 'certificate revocation list'. so
it would appear that autoruns is checking for the validity of
certificates for running processes (signed files).

 

[Joe Bloggs]

Here the application itself tries to connect to the mentionned url.

Here as well.

 

[Joe Bloggs]

[...]
crl.microsoft.com is the microsoft 'certificate revocation list'. so
it would appear that autoruns is checking for the validity of
certificates for running processes (signed files).

Thanks, that makes sense. But I wish peogrammers would explain these
things with a popup that asks for permission, or at least in the help
file. In these days of adware and spyware, it would avoid unfounded
suspicions.

 

[Mel]

- remote address : crl.microsoft.com

Verisign CRL -- Any standards-compliant certificate-signed program will
check the Revocation list to see if the program's signature has been
revoked by the issuer.

 

[Antoine]

Verisign CRL -- Any standards-compliant certificate-signed program
will check the Revocation list to see if the program's signature
has been revoked by the issuer.

In that case, imho the software authors could have warned that the
application connected itself to the net to check those crls. All the
more as such online checks, altough technically understandable, are
not very much used by the common registry/system tools.

 

[Mel]

In that case, imho the software authors could have warned that the
application connected itself to the net to check those crls. All the
more as such online checks, altough technically understandable, are
not very much used by the common registry/system tools.

Maybe the authors are unaware of the call Microsoft check their program
does or if they are aware maybe they are unaware how concerned a user
might be that their prigram calls Microsoft. Someone could write to the
Authors and ask.

 

[/3iff //ullins]

[...]
crl.microsoft.com is the microsoft 'certificate revocation list'. so
it would appear that autoruns is checking for the validity of
certificates for running processes (signed files).

Thanks, that makes sense. But I wish peogrammers would explain these
things with a popup that asks for permission, or at least in the help
file. In these days of adware and spyware, it would avoid unfounded
suspicions.

absolutely. or they should at least be noting what the connection is
doing in their program's documentation or on their site's faq...