
userinit.exe reading all files during boot

Anonymous
August 12, 2005 12:09:44 PM

Archived from groups: microsoft.public.windowsxp.general (More info?)

Has anyone ever seen a situation where 'userinit.exe' reads all
application files during reboot? (What I mean by "read" is, according
to Sysinternal's FILEMON, is open, read the first 4096 bytes, close,
continue to the next file.)

It is as if 'userinit.exe' is checking the file versions, but that is
just speculation...

According to Explorer:

c:\windows\system32\userinit.exe 28,160 bytes, created 9/3/2004,
version 5.1.2600.2180
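
The access pattern described in the post above (open, read the first 4096 bytes, close, move to the next file) can be picked out of a file-monitor capture mechanically. This is an added example, not part of the original thread; the tab-separated column layout, the sample rows, the paths and the `min_files` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

READ_RE = re.compile(r"Offset:\s*(\d+)\s+Length:\s*(\d+)")

def _rows(proc, path, reads):
    """Constructed OPEN / READ... / CLOSE events for one file access."""
    rows = [(proc, "OPEN", path, "Options: Open")]
    rows += [(proc, "READ", path, f"Offset: {o} Length: {n}") for o, n in reads]
    rows.append((proc, "CLOSE", path, ""))
    return rows

# Constructed capture: seq, time, process:pid, request, path, result, other.
_events = []
for name in ("calc.exe", "notepad.exe", "mspaint.exe", "winword.exe"):
    _events += _rows("userinit.exe:412", f"C:\\Apps\\{name}", [(0, 4096)])
# A normal full read of one file by another process, for contrast.
_events += _rows("explorer.exe:1500", "C:\\Apps\\calc.exe", [(0, 4096), (4096, 4096)])
SAMPLE_LOG = "\n".join(
    f"{i}\t12:01:07\t{p}\t{req}\t{path}\tSUCCESS\t{other}"
    for i, (p, req, path, other) in enumerate(_events, 1))

def header_probes(log_text, header_len=4096):
    """Return {process: set(paths)} for files that were opened, read exactly
    once (offset 0, header_len bytes) and then closed."""
    ops = defaultdict(list)      # (process, path) -> reads since the last OPEN
    probes = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 7:
            continue             # skip malformed or truncated rows
        _, _, proc, request, path, result, other = fields[:7]
        key = (proc.lower(), path.lower())
        if request == "OPEN":
            ops[key] = []
        elif request == "READ" and result == "SUCCESS":
            m = READ_RE.search(other)
            ops[key].append((int(m.group(1)), int(m.group(2))) if m else None)
        elif request == "CLOSE":
            if ops.pop(key, None) == [(0, header_len)]:
                probes[key[0]].add(key[1])
    return probes

def suspicious_processes(log_text, min_files=3):
    """Processes that header-probed at least min_files distinct files."""
    return {p: len(f) for p, f in header_probes(log_text).items()
            if len(f) >= min_files}

if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_LOG))
```
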
Anonymous
August 12, 2005 12:52:33 PM


I need to change my name to Odd Bob*...

Check out some scoop on Userinit.exe:

http://msdn.microsoft.com/library/default.asp?url=/libr...

"Userinit.exe is an application that is executed by MSGina.dll when the
user has logged on. It runs in the newly logged-on user's context and
on the application desktop. Its purpose is to set up the user's
environment, including restoring net uses, establishing profile
settings such as fonts and screen colors, and running logon scripts.
After completing those tasks, Userinit.exe executes the user shell
program(s). The shell programs inherit the environment that
Userinit.exe sets up. The specific shell programs that Userinit.exe
executes are stored in the Shell key value under the Winlogon registry
key.

"The Shell key value can contain a comma-separated list of programs to
be executed. Explorer is the default shell program and will be executed
if the Shell key value is null or not present. By default, Explorer is
listed."

And Microsoft makes this happen by a single registry key?!?!?!? And if
this key gets munged, and we know this *easily* can happen due to the
many posts here, the entire XP system breaks and/or is vulnerable to
exploit.

Holy #(&^%#%%^ cow!

--
* I don't know why I should be called Odd Bob. I just made it up.
Anonymous
August 12, 2005 1:15:32 PM


On another machine:

userinit.exe 24,576 bytes, created 8/29/2002, version 5.1.2600.2180

Aha! Could it be that the other one is infected?? (i.e. on
viruslist.com: "a classic appending virus that increases the size of
infected files by 3 KB.")

Yes, this "bad" system had a trojan related to "dl.exe" which I am
still looking into. (Finding technical details on trojans/viruses is
even more difficult than finding technical details on Windows!)

P.S. (Which is why I posted file details.) I have been looking for and
have not found a reference of Windows system file details as to file
size, version, etc.

Anyone know of such a place?
Anonymous
August 12, 2005 2:01:33 PM


Ah, check this out (yes, I talk to myself *all* the time):

http://www.mcse.ms/message1748360.html

> I got hit by this virus W32.Licum Gaelicum.A now I can't
> even log in to my computer in normal or safe mode. It
> displays the login screen after entering the password and
> logging in it takes me back to the login screen.
> Any ideas on fixing this?

You won't be able to fix it; the virus has replaced thousands of exe
files on your hard drive with infected versions. It CANNOT be
repaired.

Get your data off and wipe it; good thing for you that this virus only
goes after exe files.

--

Oh!!! Is that a new XP machine? Aren't *you* lucky!
August 12, 2005 8:14:28 PM


Seen iexplore.exe do some odd file checking too recently, so quite possible

Jon

<dimplewathen@hotmail.com> wrote in message
news:1123859384.850353.327240@g49g2000cwa.googlegroups.com...
> Has anyone ever seen a situation where 'userinit.exe' reads all
> application files during reboot? (What I mean by "read" is, according
> to Sysinternal's FILEMON, is open, read the first 4096 bytes, close,
> continue to the next file.)
>
> It is as if 'userinit.exe' is checking the file versions, but that is
> just speculation...
>
> According to Explorer:
>
> c:\windows\system32\userinit.exe 28,160 bytes, created 9/3/2004,
> version 5.1.2600.2180
>
August 12, 2005 9:13:06 PM


Yep, same goes for the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

key itself

and the


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

key


Jon

<dimplewathen@hotmail.com> wrote in message
news:1123861953.304441.103620@g47g2000cwa.googlegroups.com...
>I need to change my name to Odd Bob*...
>
> Check out some scoop on Userinit.exe:
>
> http://msdn.microsoft.com/library/default.asp?url=/libr...
>
> "Userinit.exe is an application that is executed by MSGina.dll when the
> user has logged on. It runs in the newly logged-on user's context and
> on the application desktop. Its purpose is to set up the user's
> environment, including restoring net uses, establishing profile
> settings such as fonts and screen colors, and running logon scripts.
> After completing those tasks, Userinit.exe executes the user shell
> program(s). The shell programs inherit the environment that
> Userinit.exe sets up. The specific shell programs that Userinit.exe
> executes are stored in the Shell key value under the Winlogon registry
> key.
>
> "The Shell key value can contain a comma-separated list of programs to
> be executed. Explorer is the default shell program and will be executed
> if the Shell key value is null or not present. By default, Explorer is
> listed."
>
> And Microsoft makes this happen by a single registry key?!?!?!? And if
> this key gets munged, and we know this *easily* can happen due to the
> many posts here, the entire XP system breaks and/or is vulnerable to
> exploit.
>
> Holy #(&^%#%%^ cow!
>
> --
> * I don't know why I should be called Odd Bob. I just made it up.
>
August 12, 2005 10:36:26 PM


Start > run > sfc /scannow

Jon


<dimplewathen@hotmail.com> wrote in message
news:1123866093.182909.94640@g49g2000cwa.googlegroups.com...
> Ah, check this out (yes, I talk to myself *all* the time):
>
> http://www.mcse.ms/message1748360.html
>
>> I got hit by this virus W32.Licum Gaelicum.A now I can't
>> even log in to my computer in normal or safe mode. It
>> displays the login screen after entering the password and
>> logging in it takes me back to the login screen.
>> Any ideas on fixing this?
>
> You won't be able to fix it; the virus has replaced thousands of exe
> files on your hard drive with infected versions. It CANNOT be
> repaired.
>
> Get your data off and wipe it; good thing for you that this virus only
> goes after exe files.
>
> --
>
> Oh!!! Is that a new XP machine? Aren't *you* lucky!
>