XP Startup/profiles
 

Here's one for the WinWiz team (I cannot find the previous thread from the poster where we discussed 'All Users'?)

How do I determine (and change) which programmes start up before I select a user? If I go too quickly to my admin user a/c I often get less than a full house in the sys tray, so I am obviously cutting short the process, whereas if I leave it a while all is well.

The 'start-up' folder in all users is pretty well empty (1 entry). If it is a case of loading the 'all users' reg into regedit I will need help!!

Is it simply a case of tidying/clearing out the 'all users' Programme folder?

Don't know if this will help or not: How to modify the Group Policy for programs that run at user logon on a computer that is running Windows XP

Hi BOAC

Strange behaviour. I can't figure out a set of circumstances that would prevent programs loading, regardless of whether you are fleet of foot in logging in or tarry a while. I often log in as quickly as possible and have never experienced what you have.

This makes me wonder if there is a particular application that is misbehaving. Are you able to describe what's missing from your full house? Is it the same everytime?

There are several places where programs load during startup. I find msconfig and Hijackthis perfect for letting me see everything and control what loads. Generally speaking, the system registry and the startup program groups are where most things load. You already know the startup groups, the other places to inspect are;

HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run and it's equivalent key in HKEY_LOCAL_MACHINE.

The programs in these keys begin to load as soon as a user logs in. HKCU is loaded from a file in your user profile when you log on and is unique to each user. Don't be tempted to move programs from one to the other unless you are sure of what you are about. For example, a program loaded in HKCU can very reasonably assume that the current user registry "hive" is both loaded and unique to the logged in user. If that program where to load from HKLM and started before HKCU has finished loading, that would not be true and would likely result in tears.

You can run msconfig from the run box or a command prompt. Hijackthis is downloadable.

This article describes in some detail the entire startup process. If you find it too long or technical, I'm sure that googoo would find simpler explanations.

Troubleshooting the Startup Process

Hope this helps.

Regards

Simon

msconfig was never designed to control the startup sequence permanently but only for troubleshooting (as MS are careful to point out).

Mike Lin's "Startup Control Panel" - Mike Lin's Home Page - has been around for years and is still one of the best (and free) utilities for controlling autostart entry points (ASEPs).

Mac

Thanks all - most of that I am familiar with. The stuff that doesn't load is not consistent and not over-'important'. The problem with 'all the above' is that I cannot run MSConfig etc in the 'all users' area before user selection and I am unsure how to examine the 'all users' NTUSER.DAT.

As far as I can see this is a problem occurring before I actually 'log-in'

There is no "ntuser.dat" for all users. The registry is either machine wide or per user. The machine wide bits are stored in system.dat including HCR, HKLM and HCC.

MSCONFIG will show you everything that the registry loads, per user (for the currently logged in user) and machine wide. Hijackthis is well worth a visit as it shows everything including stuff like browser helper objects and even the obscure stuff like winlogin notification handlers (incidentally, where the cleverest and most difficult to expunge viruses sometimes hide).

To help your troubleshooting, the only things that should load before you log on are the OS itself, device drivers and services. HKML is not processed until after you log in, followed by HKCU and the startup groups. With the exception of drivers and services, it is not possible for programs you install, or malware, to load before you login unless they interfere with the boot loader, drivers or services. This wiki page gives a simpler explanation of everything that happens and in what order.

Windows NT startup process - Wikipedia, the free encyclopedia

What do you make of this? There has been a NTusers.dat in all users since 2000 on my machines.
The Default User and All User Folders

The default contents placed inside all these folders in Richard's profile come directly from the same folders in the Default User profile. However, when Richard logs on, he may see icons or folders inside My Documents, Start Menu, and Desktop that do not appear in his own profile directories. These extra items are displayed as if they were part of Richard's profile, but in fact they are part of the All Users profile that also resides on the computer. In fact, the settings from the
All Users\NTUSER.DAT

file also are available to Richard. The All Users profile is a great way of adding new items to every user's profile on the client without having to add every item manually. During installation, NT-aware software tends to ask whether the installation is just for the user installing the software or whether it is for all users of the client. If the software is told that it is for all users, then it modifies the All Users profile by default.

security suite
 

dunno if original question has been answered but I have found that launching applications before the security suite has finished its leisurely start up sweep can cause some things not to start up properly and be absent from the system tray. With Kaspersky anyway..............

Thanks Mr O - a good lead. I'm not sure where the AV and firewall start - I assume they run at original boot before user logon (that is one of the things I am trying to establish), and neither am I sure whether they could delay as you say - I don't think Avast or ZA run any sort of 'sweep'? .

services
 

It was the post above which referenced services starting up which made me remember. From what I think I have seen, they all add services and I presume it is these that are invoked at kick-off.

...and deployed MSI installs via Group Policy, etc.

Any advances on posts #6 and #7?

Programs in Systray
 

All startup programs are started. Some icons do not appear in SysTray probably because the related programs were not loaded yet when explorer.exe came up.
Use Process Explorer by Sysinternals to verify this. If you select explorer.exe, then Restart, you will see your Systray fully populated.

You can control what programs/services/drivers autostart for each account using Autoruns.

OK, Milsa - yes, I have autoruns. I need some help now to find out how to use it to solve my 'problem' if you could. Which tab do I need to look at to see if there are any 'start-up' calls before log-in?

No answer to #12, so I assume we all agree now there is a All Users\NTUSER.DAT - anyone know what it does?

Good question !

Under Users, if you select SYSTEM, LOCAL SERVICE or NETWORK SERVICE, I would think that everything which autostarts for these accounts will come up regadless of any user logon.

NTUSER.DAT is the HKEY-CurrentUser portion of the registry for that user, so I would surmise it's the portion that gets amalgamated with the relevant user's HKCU in order to provide the registry amalgamation ;)

(not 100% on that, but i'm sure others would know). :}

don't know if it's been answered yet but found this stuff
 

Recover Windows XP Product Key from ntuser.dat in Corrupted or Unbootable System My Digital Life

provides a link to a download to read the .dat file

but

the NTUSER dat file is actually one of your Registry files. Unlike the other Registry files, NTUSER.DAT is stored in your personal Documents and Settings folder and contains the entire contents of the HKEY_LOCAL_USER branch of the Registry. You can’t delete it because it’s in use and protected, and you wouldn’t want to because otherwise you’ll mess up your whole computer! It will grow as you install more software that creates keys and sub keys in this branch of the Registry, and so is perfectly normal. To summarise: leave NTUSER.DAT alone.

In Windows XP, 2000, and 2003 there are several Registry files. These files are named without a file extension and are stored in the Windows\System32\Config folder. These files are named Software, System, SAM, Security, Default, and UserDiff. There is one more Registry file and it does have a file extension, NTuser.dat. In Windows XP, 2000 and 2003. NTuser.dat is stored in the users folder under the Documents and Settings folder. Each user has their own NTuser.dat file. The NTuser.dat file stores all settings that each user selects; these settings will override settings stored in the System file.

The function of each file is different. Security stores information about security. The SAM file stores information about the Security Accounts Manager service. Neither of these two files, Security and SAM, are viewable in RegEdit, unless you reset the permissions. System stores all the information about hardware. Software stores information about your software and how Windows will perform and the default Windows settings. The Default file, stores all the default user settings, the NTuser.dat file overrides the default user settings. The UserDiff file stores information about the corresponding SubKeys in the HKEY_USERS Hive for each registered user.

Appreciate the link to 'loadhive.exe' - thanks. I'll have a look tomorrow to see if it will read the allusers dat file.

Hi BOAC. Sorry, been busy for a while..

I am assuming that you are not logging onto a domain with group policies.

Always happy to be proved wrong, means I learn something, but I maintain that there is no all users ntuser.dat. I used to earn a living doing mass deployments of Windows desktops fully customised so I have a great deal of experience with user profiles and have yet to see NTUSER.DAT for all users. NTUSER.POL (group policies for all users) but not NTUSER.DAT.

It is possible to manually create a profile with the settings you want and then copy it to all users, which will then create NTUSER.DAT in the all users directory, but even then, this is simply merged with your HKCU when loaded. You can then modify any key you have permissions to which is why "all users" software settings should be stored in HKLM where you would not normally have permission to change them.


You can check easily enough.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

This key shows you every file loaded in the registry - where each hive has been loaded from. You can also simply browse c:\documents and settings\all users ensuring that you are not hiding system and hidden files (Tools->Folder Options->View).

Anyway, it's a moot point as the only places that stuff loads from the registry, ignoring services and drivers, is HKCU and HKLM.

As I've said a couple of times before, Hijackthis is the best tool I know for showing everything that loads and where from. The other key point is, despite what others have said, that only devices and services load before you log on. The load behaviour is clearly shown in the technet article, and more simply in the Wiki, in my previous posts.

So, back to your problem. It is strange behaviour and Mr Optimistic seems to have the best bet so far. Something loading after you log in (and therefore probably loaded from HKCU, HKLM or a startup group) that is interfering with other applications loading. Most likely some sort of malware protection.

Hope this helps

Cheers

Simon