Windows Core

Why do we need to know about VxD and drivers?

Windows Core Components include "Active Setup items", "Browser Helper Objects", "Shell Loggers DLLs", "Static VxD" (Windows 9X/Me only) and "Shell DLLs". These components are essential for Windows to run stably. You need administrator privileges to modify them. We suggest that you make a backup copy before making any changes. We give you a simple way to make a backup.

 

The Active Setup registry key is used to store information about installed software components and to automatically launch downloaded ActiveX components.

Some examples of the viruses/Trojans that use this method:

SubSeven Trojan, Trojan Oblivion, Backdoor.SchoolBus, I-Worm.Badtrans, etc.


 

The ShellExecuteHooks registry key contains the list of the COM objects that trap execute commands.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks

The value name is the GUID of the COM object.

RegRun automatically determines which DLL the COM server refers to and displays it in the Program column. By default you must have the "shell32.dll" item. Never delete this item!

Other objects in this list are not required and may contain viruses and Trojans.

 

Browser Helper Objects (BHOs) are COM components that Internet Explorer loads each time it starts up. For example, a BHO could spy on all browser events, access the browser's menu and toolbar and make changes, create windows to display additional information, etc.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects

Each subkey of the main key contains information about COM components.

By default the BHO list on your computer is empty. There are no required items.

 

Shell DLLs.

The registry key called "ShellServiceObjectDelayLoad" is used to automatically load DLLs related to Microsoft Explorer.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Each value under this key contains either the GUID of a COM object or a DLL name. The system loads all of these DLLs and links them to the "explorer.exe" process.

The number of DLLs used by Explorer differs between Windows versions.

·      Windows 95 and Windows NT4 do not use this key;

·      Windows 98/2000 include only the "WebCheck" value. We suppose that the purpose of "WebCheck" is to check for Internet Explorer automatic updates. Explorer works well without the "WebCheck" value.

·      Windows XP adds several additional values.

To stay safe, we suggest that you remove all values not related to Microsoft.

The VxD tab is visible only under Windows 9X/Me.

"VxD" stands for Virtual "something" Device, where 'x' stands for "something".

Microsoft often names drivers according to this convention, thus "VKD" is the Virtual Keyboard Device. VxDs are loaded into the protected (ring-0) operating system address space, and have full access to the system hardware.

Static VxDs are loaded automatically at Windows startup.

Please do not change required VxDs.

Several advanced viruses and Trojans install their own VxD modules to infect your computer.

Remember!

VxD modules work as part of the operating system and they have absolute power.

 

RegRun analyses information about each listed item and displays it in the left pane of the Windows Core window.

In addition to information extracted from the file, RegRun uses the Application Database.

Columns description:

1)   Type (Necessary/Useless/At your option/Dangerous.)

2)   Value Name (Usually this is a unique identifier.)

3)   Program/DLL name.

4)   Manufacturer (extracted from the executable file, may be empty.)

5)   Product Name (extracted from the executable file, may be empty.)
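
For reviewing the same registry locations by hand, the following PowerShell script is an added example and not RegRun's own code. It lists the ShellExecuteHooks, Browser Helper Objects and ShellServiceObjectDelayLoad entries described above, resolves each GUID to its DLL through HKEY_CLASSES_ROOT\CLSID, and prints columns similar to the ones listed here plus an Authenticode signature status. It assumes the native registry view only (WOW6432Node is not read) and that a bare DLL name refers to a file in System32; the function names are hypothetical.

```powershell
# Added example (not RegRun code): list the COM autostart entries named on this page.
$base = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'
$guid = '^\{[0-9A-Fa-f-]{36}\}$'
function Resolve-Dll([string]$Ref) {
    # A GUID is resolved through its CLSID registration; anything else is taken as a DLL name.
    if ($Ref -match $guid) {
        $k = "Registry::HKEY_CLASSES_ROOT\CLSID\$Ref\InprocServer32"
        if (-not (Test-Path -LiteralPath $k)) { return $null }
        $Ref = [string](Get-Item -LiteralPath $k).GetValue('')   # default value = server DLL
    }
    $Ref = $Ref.Trim('"', ' ')
    if (-not $Ref) { return $null }
    # Assumption: a bare file name is looked up in System32.
    if (-not [IO.Path]::IsPathRooted($Ref)) { $Ref = Join-Path $env:SystemRoot "System32\$Ref" }
    return $Ref
}

function Get-CoreEntry([string]$Source, [string]$Name, [string]$Ref) {
    $dll   = Resolve-Dll $Ref
    $found = $dll -and (Test-Path -LiteralPath $dll)
    $vi    = if ($found) { (Get-Item -LiteralPath $dll).VersionInfo }
    $sig   = if ($found) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'FileMissing' }
    [pscustomobject]@{
        Source = $Source; ValueName = $Name; Dll = $dll
        Manufacturer = $vi.CompanyName; ProductName = $vi.ProductName; Signature = $sig
    }
}

$rows = @()
# ShellExecuteHooks: the value NAME is the GUID.
$p = "$base\Explorer\ShellExecuteHooks"
if (Test-Path -LiteralPath $p) {
    $rows += @((Get-Item -LiteralPath $p).GetValueNames() | Where-Object { $_ } |
        ForEach-Object { Get-CoreEntry 'ShellExecuteHooks' $_ $_ })
}
# Browser Helper Objects: each subkey is named after the component's GUID.
$p = "$base\Explorer\Browser Helper Objects"
if (Test-Path -LiteralPath $p) {
    $rows += @(Get-ChildItem -LiteralPath $p |
        ForEach-Object { Get-CoreEntry 'BHO' $_.PSChildName $_.PSChildName })
}
# ShellServiceObjectDelayLoad: the value DATA is a GUID or a DLL name.
$p = "$base\ShellServiceObjectDelayLoad"
if (Test-Path -LiteralPath $p) {
    $k = Get-Item -LiteralPath $p
    $rows += @($k.GetValueNames() | Where-Object { $_ } |
        ForEach-Object { Get-CoreEntry 'SSODL' $_ ([string]$k.GetValue($_)) })
}
$rows | Format-Table -AutoSize
```

The Manufacturer and ProductName fields come from the file's own version resource, so a DLL can claim any vendor it likes; read them together with the Signature column before deciding that an entry is related to Microsoft.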

 

Tip!

If you have installed RegRun Gold Edition, you can automatically monitor changes in Windows Core Components.

Click on the "Monitor Key" link.