userinit.exe reading all files during boot

Archived from groups: microsoft.public.windowsxp.general (More info?)

Has anyone ever seen a situation where 'userinit.exe' reads all
application files during reboot? (What I mean by "read", according
to Sysinternals' FILEMON, is: open, read the first 4096 bytes, close,
continue to the next file.)

It is as if 'userinit.exe' is checking the file versions, but that is
just speculation...

According to Explorer:

c:\windows\system32\userinit.exe 28,160 bytes, created 9/3/2004,
version 5.1.2600.2180
  1. Archived from groups: microsoft.public.windowsxp.general (More info?)

    I need to change my name to Odd Bob*...

    Check out some scoop on Userinit.exe:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/msgina_dll_features.asp

    "Userinit.exe is an application that is executed by MSGina.dll when the
    user has logged on. It runs in the newly logged-on user's context and
    on the application desktop. Its purpose is to set up the user's
    environment, including restoring net uses, establishing profile
    settings such as fonts and screen colors, and running logon scripts.
    After completing those tasks, Userinit.exe executes the user shell
    program(s). The shell programs inherit the environment that
    Userinit.exe sets up. The specific shell programs that Userinit.exe
    executes are stored in the Shell key value under the Winlogon registry
    key.

    "The Shell key value can contain a comma-separated list of programs to
    be executed. Explorer is the default shell program and will be executed
    if the Shell key value is null or not present. By default, Explorer is
    listed."

    And Microsoft makes this happen by a single registry key?!?!?!? And if
    this key gets munged, and we know this *easily* can happen due to the
    many posts here, the entire XP system breaks and/or is vulnerable to
    exploit.

    Holy #(&^%#%%^ cow!

    --
    * I don't know why I should be called Odd Bob. I just made it up.
  2. Archived from groups: microsoft.public.windowsxp.general (More info?)

    On another machine:

    userinit.exe 24,576 bytes, created 8/29/2002, version 5.1.2600.2180

    Aha! Could it be that the other one is infected?? (i.e. on
    viruslist.com: "a classic appending virus that increases the size of
    infected files by 3 KB.")

    Yes, this "bad" system had a trojan related to "dl.exe" which I am
    still looking into. (Finding technical details on trojans/viruses is
    even more difficult than finding technical details on Windows!)

    P.S. (Which is why I posted file details.) I have been looking for and
    have not found a reference of Windows system file details as to file
    size, version, etc.

    Anyone know of such a place?
  3. Archived from groups: microsoft.public.windowsxp.general (More info?)

    Ah, check this out (yes, I talk to myself *all* the time):

    http://www.mcse.ms/message1748360.html

    > I got hit by this virus W32.Licum Gaelicum.A now I can't
    > even login to my computer in normal or safe mode. It
    > displays the login screen after entering the password and
    > login in it takes me back to the login screen.
    > Any ideas on fixing this?

    You won't be able to fix it; the virus has replaced thousands of exe
    files on your hard drive with infected versions. It CANNOT be
    repaired.

    Get your data off and wipe it; good thing for you that this virus only
    goes after exe files.

    --

    Oh!!! Is that a new XP machine? Aren't *you* lucky!
  4. Archived from groups: microsoft.public.windowsxp.general (More info?)

    Seen iexplore.exe do some odd file checking too recently, so quite possible

    Jon

    <dimplewathen@hotmail.com> wrote in message
    news:1123859384.850353.327240@g49g2000cwa.googlegroups.com...
    > Has anyone ever seen a situation where 'userinit.exe' reads all
    > application files during reboot? (What I mean by "read" is, according
    > to Sysinternal's FILEMON, is open, read the first 4096 bytes, close,
    > continue to the next file.)
    >
    > It is as if 'userinit.exe' is checking the file versions, but that is
    > just speculation...
    >
    > According to Explorer:
    >
    > c:\windows\system32\userinit.exe 28,160 bytes, created 9/3/2004,
    > version 5.1.2600.2180
    >
  5. Archived from groups: microsoft.public.windowsxp.general (More info?)

    Yep, same goes for the

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

    key itself

    and the

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost

    key


    Jon

    <dimplewathen@hotmail.com> wrote in message
    news:1123861953.304441.103620@g47g2000cwa.googlegroups.com...
    >I need to change my name to Odd Bob*...
    >
    > Check out some scoop on Userinit.exe:
    >
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/msgina_dll_features.asp
    >
    > "Userinit.exe is an application that is executed by MSGina.dll when the
    > user has logged on. It runs in the newly logged-on user's context and
    > on the application desktop. Its purpose is to set up the user's
    > environment, including restoring net uses, establishing profile
    > settings such as fonts and screen colors, and running logon scripts.
    > After completing those tasks, Userinit.exe executes the user shell
    > program(s). The shell programs inherit the environment that
    > Userinit.exe sets up. The specific shell programs that Userinit.exe
    > executes are stored in the Shell key value under the Winlogon registry
    > key.
    >
    > "The Shell key value can contain a comma-separated list of programs to
    > be executed. Explorer is the default shell program and will be executed
    > if the Shell key value is null or not present. By default, Explorer is
    > listed."
    >
    > And Microsoft makes this happen by a single registry key?!?!?!? And if
    > this key gets munged, and we know this *easily* can happen due to the
    > many posts here, the entire XP system breaks and/or is vulnerable to
    > exploit.
    >
    > Holy #(&^%#%%^ cow!
    >
    > --
    > * I don't know why I should be called Odd Bob. I just made it up.
    >
  6. Archived from groups: microsoft.public.windowsxp.general (More info?)

    Start > run > sfc /scannow

    Jon


    <dimplewathen@hotmail.com> wrote in message
    news:1123866093.182909.94640@g49g2000cwa.googlegroups.com...
    > Ah, check this out (yes, I talk to myself *all* the time):
    >
    > http://www.mcse.ms/message1748360.html
    >
    >> I got hit by this virus W32.Licum Gaelicum.A now I can't
    >> even login to my computer in normal or safe mode. It
    >> displays the login screen after entering the password and
    >> login in it takes me back to the login screen.
    >> Any ideas on fixing this?
    >
    > You won't be able to fix it; the virus has replaced thousands of exe
    > files on your hard drive with infected versions. It CANNOT be
    > repaired.
    >
    > Get your data off and wipe it; good thing for you that this virus only
    > goes after exe files.
    >
    > --
    >
    > Oh!!! Is that a new XP machine? Aren't *you* lucky!
    >
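
An added example, not part of the original thread: a Python check for the Winlogon values named in replies 1 and 5 (Shell, Userinit, UIHost). It parses the text printed by `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` and reports any comma-separated entry that is not in a baseline; the baseline values, the sample output and the function names are assumptions made for this example.

```python
import re

# Assumed XP-era defaults with the system root at C:\WINDOWS (not from the thread).
BASELINE = {
    "shell": ["explorer.exe"],
    "userinit": [r"c:\windows\system32\userinit.exe"],
    "uihost": ["logonui.exe"],
}

# One value line of `reg query` output: indented name, type, data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

# Constructed sample output; the second Userinit entry is a made-up path.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\Temp\constructed-extra.exe,
    UIHost    REG_SZ    logonui.exe
"""

def parse_reg_query(text):
    """Return {lowercased value name: data string} from `reg query` text."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3).strip()
    return values

def split_programs(data):
    """Split a comma-separated program list; the trailing comma yields no entry."""
    return [p.strip().strip('"').lower() for p in data.split(",") if p.strip()]

def audit_winlogon(text):
    """Return (value name, entry) pairs for entries outside the baseline."""
    values = parse_reg_query(text)
    findings = []
    for name, expected in BASELINE.items():
        # An absent or empty value has no entries to compare.
        for prog in split_programs(values.get(name, "")):
            if prog not in expected:
                findings.append((name, prog))
    return findings

if __name__ == "__main__":
    for name, prog in audit_winlogon(SAMPLE):
        print(f"unexpected entry in Winlogon\\{name}: {prog}")
```
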