Home Page The Script Download Launch
Points
Terms
of Use
Proceduresclick on an item in the list Thanksclick on an item in the list SAXPAR Win 8
Install
Contact

Silent Runners

Silent Runners.vbs - list every program that starts up with Windows


The purpose of “Silent Runners” is to identify the programs that start up with Windows.

It was first made available to members of the NTBugTraq mailing list in a post on 12 May 2004. The first version posted was actually revision 10. An updated version is available for download here. The revision history is found in comments at the bottom of the script file. Old versions are archived here.

“Silent Runners” is not an anti-virus, an anti-trojan, or a spyware scanner. It only pinpoints how programs start up — it does not scan the system to identify every trace of malware. The text file it creates can be removed for study or stored as a benchmark.

It runs under Windows 95, Windows 98 (Standard Edition and Second Edition), Windows Me (Millennium Edition), Windows NT 4.0 Workstation, Windows NT 4.0 Server, Windows 2000 Professional, Windows 2000 Server, Windows XP Home, Windows XP Professional 32-bits & 64-bits, Windows Server 2003 32-bits & 64-bits, Windows Vista 32-bits & 64-bits, Windows 7 32-bits & 64-bits, Windows Server 2008 R2 (64-bits) and Windows 8 Professional 32-bits & 64-bits.

It is written in VBScript (version 5.1 or greater) and relies on WMI to query the registry. WMI is installed by default on every Windows version since “Me”. It is not installed by default on Windows 95/98 or Windows NT 4.0 and, unfortunately, it is no longer offered for download by Microsoft for those systems. If a compatible version of VBScript isn't installed and you’re running Windows XP, the script will direct your browser to the appropriate Microsoft download site. If you’re running Windows 95/98 or Windows NT 4.0, VBScript is no longer offered for download by Microsoft for those systems, either. (You can contact me to obtain WMI and/or VBS for Windows 95, 98 and NT 4.0.)

The script changes absolutely nothing on your system (other than adding its report file). It has no option to change anything and no such option will ever be added. However, it is offered without any warranty of any kind, either express or implied. You use it, then, at your own risk.

“Silent Runners” can be run simply by double-clicking it. It can also be run from the command line under CScript.exe, in which case output will be directed to the console.

It creates a (Unicode) text file readable by any recent text editor (Notepad works fine) and places it, by default, in the same directory as the script. To store the file somewhere else, provide the directory as a command line parameter. If the output directory name contains spaces, embed it in quotes. To specify an output directory with WScript.exe, create a shortcut to the script and then add the output directory to the Target field.

See this procedure to compare two versions of the text file.

The output file name is Startup Programs followed by the name of your PC in parentheses, the date in year-month-day format and the time in hour.minute.second format and then the extension .txt. Thus, the file created by the script launched at 15:34:10 (3:34:10 p.m.) on a PC named “Foo” on 10 June 2004 would be:
Startup Programs (Foo) 2004-06-10 15.34.10.txt

The output file summarizes everything the script thinks you ought to know. What does ought to know mean? It means that the script will report any non-default value it finds anywhere it looks. What's a default value? It's something that's put there by Microsoft when Windows is installed. For instance, in every Windows installation, the default shell is explorer.exe. If the script finds explorer.exe listed as the shell, it won't add that to the output file.

Does that mean that everything in the output file is suspicious? No. It means that the script, based on its limited code, couldn't figure out if certain things were suspicious or not, so it put it in the output file so you could go figure it out.

Under some circumstances, the script will alert about suspicious data. It will do this by prefacing the entry in the output file with the symbols <<!>> or <<H>> and an explanatory note will be placed in the report footer. This does not mean that the PC is infected. It does mean that such a line is atypical and bears very close scrutiny.

The script completes most of its checks in under 2 minutes. One check can take much longer – the search of all directories of local fixed drives for DESKTOP.INI DLL launch points. (This check is identified by superscript “1” in the “O/S” column on the Launch Points page.) This search has been made supplementary and can be activated either by answering “No” to the script's first message box and “Yes” to the message box that follows it or by starting the script with the “-supp” parameter:
C:\directory_containing_the_script>"silent runners.vbs" -supp


To force the script to show everywhere it looks and everything it finds, start it from the command line with the “-all” parameter:
C:\directory_containing_the_script>"silent runners.vbs" -all
The output file will only show the launch points that apply to your PC's operating system.

Script parameters can also be conveniently added to a shortcut's Target field.

Note that the “-all” and “-supp” parameters are mutually exclusive — you can use one or the other, but not both.

To see a list of the registry keys, INI-file sections, files, and folders that are checked for launch points, click here.

To see a detailed, illustrated procedure for downloading and running the script, click here.




Copyright 2013 by Andrew Aronoff