Persnickety Startup Processes
I've just spent a lot of time disabling or hiding startup processes in order to speed up my start up and reduce the drain on system resources. But a couple I just couldn't figure out.
1) tpscrex.exe
This operates the full screen magnifier. I don't need it. But for the life of me I can't find how to stop it from automatically starting. It doesn't show up in the services manager. It doesn't show up in the startup processes listed in the run registry key. Tweakui.exe and group policies don't seem to have anything on it.
I do find it in the registry, when I search. But not anywhere that I can figure out would be the place to disable it.
2) tp4cross.exe
What is this?
3) spoolsv.exe
This is the print spooler. I have it set to manual in the services manager, but it always runs at startup anyway (even though I don't have any printers hooked up to my notebook).
*
For those who want to tweak all the startup processes and services, I really recommend the following two web sites:
http://www.vernalex.com/tools/services/
http://www.dead-eye.net/WinXP%20Services.htm
They have very thorough explanations of these processes. It took a long time for me to work through every one and decide if I need the service or not, but now that I've done it I'm down to 38 startup processes (from about 90 on the as shipped ThinkPad setup). And I've saved about 70Mb of RAM (from these processes).
I also learned along the way (as many no doubt already know) that there are a lot of services, provided by Microsoft, that most of us don't need and that are (no surprise) big security risks and good to shut down.
There are a few places you might be able to find it.
Go to Start -> Run -> type in "services.msc" and hit Enter. It may run as a service which you can then disable from that menu.
It could also be in Start -> All Programs -> "Startup"
In the registry it might be under:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
If it's not under any of those, I have no idea. But I can tell you whenever I get my laptop.
-
christopher_wolf
- Special Member
- Posts: 5741
- Joined: Sat Oct 08, 2005 1:24 pm
- Location: UC Berkeley, California
Also, you can try and get certain process utilities from Sysinternals and see exactly what they are doing upon startup.
If they aren't scheduled for startup in the registry, I would have no clue where else to look, as Andy stated. It is possible that IBM has a low-level call-handler for their utilities that detects a start-up event and then launches those processes independent from any Windows scheduler. That hypothesis, however, is far-fetched at best since I have never heard of or seen any such handlers from IBM that behave in such a manner on any ThinkPad.
IBM ThinkPad T43 Model 2668-72U 14.1" SXGA+ 1GB |IBM 701c
~o/
I met someone who looks a lot like you.
She does the things you do.
But she is an IBM.
/~o ---ELO from "Yours Truly 2059"
Thanks for the ideas guys.
As I explained, I'd already checked in the manage services window and the usual lists of startup items, including all of those locations in the registry.
The tip on the Sysinternals programs is cool though. Those are great little programs. I'd seen the Sysinternals Process Explorer before, but forgot about it. Process Explorer shows tpscrex.exe as a subheading under the ThinkPad hotkey manager process (tphkmgr.exe), which operates the function key features. I'm just guessing, but I think the tphkmgr.exe may have a command in it to run the full screen magnifier process (tpscrex.exe) when it starts up. If that's possible.
Process Explorer also shows me that tp4cross.exe is associated with the trackpoint accessibility features.
It doesn't show me anything about why spoolsv.exe is starting up even though I have it set to manual in the manage services window.
-
Hamid
- Freshman Member
- Posts: 82
- Joined: Sat Apr 01, 2006 11:47 am
- Location: Different locations in ME, Iran at the moment
andy6387 wrote: "There are a few places you might be able to find it.
Go to Start -> Run -> type in "services.msc" and hit Enter. It may run as a service which you can then disable from that menu.
It could also be in Start -> All Programs -> "Startup"
In the registry it might be under:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
If it's not under any of those, I have no idea. But I can tell you whenever I get my laptop."
In Windows XP, you can use the System Configuration Utility instead:
Go to Start --> Run ---> msconfig and then hit enter. You can see all startup applications and also can modify the services, win.ini and system.ini entries.
HTH,
Hamid
I know about msconfig. It doesn't show me any information that I haven't seen by other methods. Also, for what it's worth, the Win XP advice about configuring services at the dead-eye.net web site I refer to above, suggests that it's better to configure services using the services.msc protocol. Not sure why, but the services.msc protocol does offer a more elaborate and nuanced way of controlling how services work.
-
Hamid
- Freshman Member
- Posts: 82
- Joined: Sat Apr 01, 2006 11:47 am
- Location: Different locations in ME, Iran at the moment
The reason why services.msc is recommended may be the fact that you can see service dependencies with it (not shown in msconfig), and also you see the path to the executables that actually run the service.
The good point about msconfig however is that you can see almost all of the startups in one place.
Just as a reminder, in the Windows Task Manager, you will see some services running with the svchost.exe. If you want to see the details for those services, go to the command prompt and type tasklist /svc.
Interesting discovery. I just loaded the Kerio firewall. It notifies one of processes that attempt to launch other processes. As I suspected, tphkmgr.exe is launching tpscrex.exe. I could use Kerio to deny tpscrex.exe from launching. But that seems like an inelegant solution. Still curious if there's a way to modify tphkmgr.exe's behavior.
-
Hamid
- Freshman Member
- Posts: 82
- Joined: Sat Apr 01, 2006 11:47 am
- Location: Different locations in ME, Iran at the moment
For the complete list of startups check the below locations in the Windows Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
(A Value named "Run" & "Load", under the right-pane)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\{Username}\Start Menu\Programs\Startup
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
The last one is one that some malware uses.
EDIT:
HKLM = HKEY_LOCAL_MACHINE
HKCU = HKEY_CURRENT_USER
Hope this helps,
Hamid
Hamid wrote: "But I guess the tp in the executables stand for ThinkPad."
Yes, I believe tpscrex stands for ThinkPad Screen (something). And tphkmgr stands for ThinkPad Hot Key Manager.
The only places tpscrex appears in the registry are:
hklm\software\ati technologies inc.
hklm\software\ibm\hotkey_1
hklm\software\ibm\exec
hklm\software\microsoft\windows\currentversion\uninstall\thinkpad fullscreen magnifier
Didn't see anything in those places that seemed like a way to stop tpscrex from starting up.
And in any case, as I said, it appears that tpscrex is not itself a startup process. It's being executed by tphkmgr, which is a startup process. But I don't know much about how one process executes another, so I don't have an idea how to change that.
Thanks for the further thoughts on the matter.
donking! wrote: "And in any case, as I said, it appears that tpscrex is not itself a startup process. It's being executed by tphkmgr, which is a startup process. But I don't know much about how one process executes another, so I don't have an idea how to change that."
If it really continues to bother you, comb through your hard drive for the corresponding executable or dll, and just delete/rename it. The offending processes will die silently, or complain on their startup. Either way, you know what else to kill/configure to prevent these evil little things from starting.
Happily picks up his three grand; unhappily hands it over to another company.
-
christopher_wolf
- Special Member
- Posts: 5741
- Joined: Sat Oct 08, 2005 1:24 pm
- Location: UC Berkeley, California
Here is something that could help; see, http://www.ccleaner.com/
It will tell you what starts up upon boot and can disable them if you want; does some other nifty things as well.
HTH
IBM ThinkPad T43 Model 2668-72U 14.1" SXGA+ 1GB |IBM 701c
~o/
I met someone who looks a lot like you.
She does the things you do.
But she is an IBM.
/~o ---ELO from "Yours Truly 2059"
pundit wrote: "If it really continues to bother you, comb through your hard drive for the corresponding executable or dll, and just delete/rename it. The offending processes will die silently, or complain on their startup. Either way, you know what else to kill/configure to prevent these evil little things from starting."
Thanks for the idea. Could you explain a little more what I would be looking for in a dll? Something related to tphkmgr (the process that executes tpscrex)? I don't want to disable tphkmgr, I just want to stop it from executing tpscrex. I don't see any dll files with the name "tpscrex."
(Christopher, thanks for the CCleaner suggestion. I already have that. As far as I can tell it only shows startup processes in the hklm:run directory.)
-
Hamid
- Freshman Member
- Posts: 82
- Joined: Sat Apr 01, 2006 11:47 am
- Location: Different locations in ME, Iran at the moment
You can check to see if tphkmgr executes tpscrex.exe with strace.
Although strace originally comes from UNIX, there is also a Win32 version. Download it and check if tphkmgr calls tpscrex.exe.
By the way could you please post the contents of the below keys:
hklm\software\ibm\hotkey_1
hklm\software\ibm\exec
donking! wrote: "Thanks for the idea. Could you explain a little more what I would be looking for in a dll?"
Hamid's suggestion to use strace will work well. Once you begin to trace system calls, you'll know what is causing your little friend to fire up.
(Is it just me? Or are other people getting some scary sounding message regarding an SMTP error and consequent blacklisting?)
Edit: Said error showed up for my last post, but magically went away.
Happily picks up his three grand; unhappily hands it over to another company.
Hmm. I downloaded StraceNT and ran it. But I think I'm a bit over my head with the information it produced. I didn't see anything that obviously showed tphkmgr executing tpscrex.
On the other hand, I already know that tphkmgr executes tpscrex. As I said above, the Kerio firewall showed me this. My question is how do I modify tphkmgr's behavior?
*
Here's what the two registry keys say:
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\IBM\ThinkPadSoftwareInstaller\Install\HOTKEY_1
Class Name: <NO CLASS>
Last Write Time: 3/26/2006 - 10:52 PM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: ThinkPad FullScreen Magnifier
Value 1
Name: TPI
Type: REG_DWORD
Data: 0x290
Value 2
Name: Version
Type: REG_MULTI_SZ
Data: 1.16
7AVU12WW
Value 3
Name: Uninstall
Type: REG_SZ
Data: @REG\ThinkPad FullScreen Magnifier
Value 4
Name: Setup
Type: REG_MULTI_SZ
Data: RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.NT 132 C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.inf
Value 5
Name: Parents
Type: REG_MULTI_SZ
Data: HOTKEY
Value 6
Name: SetupType
Type: REG_DWORD
Data: 0x2
Value 7
Name: RegVersion
Type: REG_MULTI_SZ
Data:
Value 8
Name: LastUpdate
Type: REG_BINARY
Data:
00000000 f3 d9 43 26 5f 51 c6 01 - óÙC&_QÆ.
Value 9
Name: DeviceInfo
Type: REG_MULTI_SZ
Data:
And:
Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\IBM\TPHOTKEY\EXEC
Class Name: <NO CLASS>
Last Write Time: 3/26/2006 - 10:52 PM
Value 0
Name: 0101F000
Type: REG_SZ
Data: C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
Value 1
Name: ultrazoom
Type: REG_SZ
Data: C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
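The posted TPHOTKEY\EXEC key stores the path to TpScrex.exe in a location that none of the autostart lists in this thread cover. As an added example (not code from any poster), the following Python script parses the regedit text-export format shown above and lists executable paths stored outside the usual Run keys; the names `parse_export`, `indirect_launchers` and `KNOWN_AUTOSTART`, and the Run entry in `CONSTRUCTED`, are assumptions made for the illustration.

```python
import re

# Autostart keys named earlier in the thread (subset, lower-cased for comparison).
KNOWN_AUTOSTART = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonceex",
}

# The TPHOTKEY\EXEC key as posted above.
POSTED = r"""Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\IBM\TPHOTKEY\EXEC
Class Name: <NO CLASS>
Last Write Time: 3/26/2006 - 10:52 PM
Value 0
Name: 0101F000
Type: REG_SZ
Data: C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
Value 1
Name: ultrazoom
Type: REG_SZ
Data: C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
"""

# Constructed sample (not from the thread): an ordinary Run-key entry.
CONSTRUCTED = r"""Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value 0
Name: ExampleTray
Type: REG_SZ
Data: "C:\Program Files\Example\tray.exe" /min
"""

EXE_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll|com|bat|cmd|scr)\b', re.I)
FIELD_RE = re.compile(r"(Name|Type|Data):\s?(.*)")

def parse_export(text):
    """Parse a regedit text export into (key, value_name, type, data) tuples."""
    rows, key, cur, field = [], None, None, None
    for line in text.splitlines():
        if line.startswith("Key Name:"):
            key, cur, field = line.split(":", 1)[1].strip(), None, None
        elif re.fullmatch(r"Value \d+", line.strip()):
            cur, field = {"Name": "", "Type": "", "Data": ""}, None
            rows.append((key, cur))
        elif cur is not None:
            m = FIELD_RE.match(line)
            if m:
                field = m.group(1)
                cur[field] = m.group(2).strip()
            elif field == "Data" and line.strip():
                # REG_MULTI_SZ strings and hex dumps continue on following lines
                cur["Data"] = (cur["Data"] + "\n" + line.strip()).strip()
    return [(k, v["Name"], v["Type"], v["Data"]) for k, v in rows]

def indirect_launchers(text):
    """Return (key, value_name, path) for executables stored outside KNOWN_AUTOSTART."""
    return [(key, name, path)
            for key, name, _type, data in parse_export(text)
            if key.lower() not in KNOWN_AUTOSTART
            for path in EXE_RE.findall(data)]

if __name__ == "__main__":
    for key, name, path in indirect_launchers(POSTED + CONSTRUCTED):
        print(f"{key} [{name}] -> {path}")
```

Run over an export of a vendor key, it reports launch targets that a Run-key review does not list; the ordinary Run entry in the sample is skipped.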
Another freeware program -- which is most excellent at showing d*mn near everything (scratch that, it shows everything) that starts up when you boot your machine -- is called "autoruns".
Made by a company called Sysinternals, you can download it here:
http://www.sysinternals.com/Utilities/Autoruns.html
Check out other freeware utilities they have for downloading. They have some smart folks working there (actually, Mark Russinovich and Bryce Cogswell are the dudes who are very well known in the Windows utilities world as being gurus -- loaded with the technical know-how to delve into the inner workings of Windows...)
-CupOfJoe
P.S. -- I have no relation to Sysinternals, just a satisfied user of their software for many years.
T60p (200783U -- with 2GB of RAM)