Startup DLL Modules

This tab displays startup DLL modules installed on your system. These modules are loaded automatically during Windows startup or later when a particular application starts.

What's A Startup DLL Module?

There are six types of startup modules:

  1. ShellExecute Hook: These modules are loaded every time you launch a program (using Windows Explorer or by calling the ShellExecute(Ex) function). The modules are notified of the program you launch and can perform any additional task before the program is actually launched.
  2. Shell Delay Load Object: These modules are loaded early (even before any human intervention occurs) in the startup process by Explorer.exe every time your computer starts.
  3. URL Search Hook: A URL Search Hook is used when you type an address in the location field of the browser but do not include a protocol such as http:// or ftp:// in the address. When you enter such an address, the browser will attempt to figure out the correct protocol on its own, and if it fails to do so, it will use a URL Search Hook to try to find the location you entered.
  4. App Init DLLs (2K/XP/Server 2003 only): These DLLs are loaded by each Windows-based application running within the current logon session. The AppInit DLLs are loaded via LoadLibrary() during the DLL_PROCESS_ATTACH of User32.dll. As a result, executables that don't link with User32.dll will not load the AppInit DLLs. There are very few executables that don't link with User32.dll.
  5. Download Manager: A custom download manager for Internet Explorer 5.5 and higher. Extends the functionality of Internet Explorer and WebBrowser applications by implementing a Component Object Model (COM) object to handle the file download process (usually displays a custom user interface for the file download process).
  6. Notification Package (2K/XP/Server 2003 only): A Winlogon notification package is a DLL which exports functions that handle Winlogon events. For example, when a user logs onto the system, Winlogon calls each notification package's logon event handler function to provide information about the event.


Location

ShellExecute Hooks are located in the registry under the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Shell Delay Load Objects are located in the registry under the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

URL Search Hooks are located in the registry under the following key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

App Init DLLs are located in the registry under the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows, AppInit_DLLs

Download Manager is located in the registry under one of the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer, DownloadUI
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer, DownloadUI

Notification Packages are located in the registry under the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
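
The following read-only PowerShell audit of the six locations above is an added example, not part of Browser Sentinel or its documentation. The function names are hypothetical, and the value layouts it relies on (CLSIDs resolved through HKEY_CLASSES_ROOT\CLSID\...\InprocServer32, a DLLName value under each Notify subkey, a space- or comma-separated AppInit_DLLs list) are assumptions about the standard Windows registry layout rather than details stated on this page.

```powershell
# Added example, read-only. Function names are hypothetical; value layouts are assumptions
# about the standard Windows registry layout, not details taken from this page.
$guid = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
function Resolve-ClsidDll([string]$Clsid) {
    # The default value of InprocServer32 is the DLL path of an in-process COM server.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path -LiteralPath $key) { (Get-Item -LiteralPath $key).GetValue('') }
}
function New-Row($Type, $Location, $Entry, $File) {
    [pscustomobject]@{ Type = $Type; Location = $Location; Entry = $Entry; File = $File }
}
function Get-StartupDllModule {
    $cv = 'HKLM:\Software\Microsoft\Windows\CurrentVersion'
    $nt = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'
    $clsidKeys = [ordered]@{
        'ShellExecute Hook'       = "$cv\Explorer\ShellExecuteHooks"
        'Shell Delay Load Object' = "$cv\ShellServiceObjectDelayLoad"
        'URL Search Hook'         = 'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks'
    }
    foreach ($type in $clsidKeys.Keys) {
        $path = $clsidKeys[$type]
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            # The CLSID can be the value name or the value data, so search both.
            if ("$name $($key.GetValue($name))" -match $guid) {
                $clsid = $Matches[0]
                New-Row $type $path $clsid (Resolve-ClsidDll $clsid)
            }
        }
    }
    # AppInit_DLLs: one string value holding a space- or comma-separated DLL list.
    $appInit = (Get-ItemProperty -LiteralPath "$nt\Windows" -ErrorAction SilentlyContinue).AppInit_DLLs
    foreach ($dll in ("$appInit" -split '[ ,]+' | Where-Object { $_ })) {
        New-Row 'App Init DLL' "$nt\Windows, AppInit_DLLs" $dll $dll
    }
    # DownloadUI: a value holding the CLSID of the custom download manager.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $ie = "$hive\Software\Microsoft\Internet Explorer"
        $clsid = (Get-ItemProperty -LiteralPath $ie -ErrorAction SilentlyContinue).DownloadUI
        if ($clsid) { New-Row 'Download Manager' "$ie, DownloadUI" $clsid (Resolve-ClsidDll $clsid) }
    }
    # Winlogon\Notify: one subkey per notification package, DLL path in DLLName.
    $notify = "$nt\Winlogon\Notify"
    foreach ($sub in Get-ChildItem -LiteralPath $notify -ErrorAction SilentlyContinue) {
        New-Row 'Notification Package' $notify $sub.PSChildName ($sub.GetValue('DLLName'))
    }
}
Get-StartupDllModule | Format-Table -AutoSize -Wrap
```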

The Disable Action

The disable action moves the module's registry entry from its original registry key to a temporary location.

You may need to reboot for the action to take effect.

The Delete Action

The delete action (depending on the selected options):

  • Deletes the module's registry entry and deletes the module's CLSID (if any) from the key HKEY_CLASSES_ROOT\CLSID;
  • Deletes the module file;
  • Unregisters the module.

You may need to reboot for the action to take effect.

Properties


Name: Short description of the module.
CLSID: Class identifier (globally unique identifier - GUID) associated with the module.
Publisher: The developer (a company or a person) of the module.
Program ID: Programmatic identifier - human-readable identifier of the module OLE class (if any).
Description: The description of the module retrieved from its file resources.
Type: The type of the module: ShellExecute Hook, Shell Delay Load Object, URL Search Hook, App Init DLL, Notification Package or Download Manager.
File: The full path to the module file.
File Version: File version information. The information is retrieved from the file resources. Also includes product version information if it differs from the file version.
File Size: File size in bytes.
File CRC32: Cyclic Redundancy Checksum (Check) of the file.
File MD5: Message Digest 5 of the file.
File Creation Date: The date the file was created.
Location: The location (registry or a folder) of the item.
Safe: Indicates whether the item is in a safe list or in a blocked list. Yes - the item is in a safe list. No - the item is in a blocked list. N/A - the item is in neither a safe list nor a blocked list.
Status: Indicates whether the item is enabled or disabled.
System: Indicates whether the item is a system item, i.e. originally shipped with Windows.
WARNING: Browser Sentinel does not always correctly differentiate third-party items and system items; use this property with care!