file ID, startups, confusing info

Started by Brynn, January 31, 2009, 07:42:59 AM

Brynn

Hi Friends,
I hope everyone has had a good start to this new year!

I've just upgraded from an older version of WinPatrol, to the current v 15.9.2008.1.  I forgot to make note of my Startup Programs, so I'm having to go through the list and look up the ones I'm not familiar with.  When I did this for the previous version, I used the Castle Cops Startup Database, but am sad to see their website has been closed.  So I've found a couple of others, 1 at sysinfo.org, and another at Bleeping Computer.

When I come to the file in WinPatrol titled "Winlogon Userinit" at userinit.exe, I have to look it up.  WinPatrol defines it as

  • "The file Winlogon Userinit appears to be a valid Microsoft system file.  It was found in an undocumented system startup location and may be critical to your system."

Nevertheless, I'm curious (as always  :roll:) and turn to the 2 aforementioned databases to search for more info. Sysinfo.org returns 2 results, both defined as malware.  Bleeping Computer returns around 9, also all defined as malware.

Now I've gone from curious to confused.  I googled it, and find some evidence that it is indeed a critical Windows process for Logon.  But just to be safe, I ran all my security scans (which are all clean).  Together with the info provided by WinPatrol itself, I feel fairly confident that it is NOT malware, and that it IS critical to the OS.

So here are my questions:

Why do these fairly reputable databases NOT include an entry which defines userinit.exe as a critical Windows process?  Are they not as reputable as I thought?  Can anyone recommend a better database/website for searching startup programs?  I might note here that my google search turned up a couple of threads from some other forums, where people looked it up just as I did, but got rid of it, having been misled by such databases, that it's always malware...and having serious trouble getting their computers to function properly once again.  You know, I'm sure these websites have disclaimers and such.  But for a known critical file, which has been around for years....  I mean, I could understand if it was new on the market, or somewhat obscure.

And don't get me wrong.  My purpose here is not to smear or criticize either website or database.  If I recall correctly from the 1st time I cleaned up my startup entries with WinPatrol, I ran into similar situations with several files, where the databases did not mention legitimate files, and I had to do a good bit of searching to figure out what to do.  I honestly think there may be some good reason why the legitimate files aren't mentioned.   Can anyone speak to this?

Maybe it's just a feature of such websites which doesn't get updated....much, at all?  Maybe most people who use the databases are much more technically aware than I am?  How is the average computer user to navigate such moderately,  technically difficult issues?  Is there a better way to have approached managing the startup entries?

Thanks for any comments.  I will appreciate any helpful info.
All best.
"To sin by silence when they should protest makes cowards of men." - Abraham Lincoln

Corrine

Hi, Brynn.

To start, when updating WinPatrol, all you need to do is download the latest version, right-click on Scotty in the system tray, select "Exit Program" and then install the updated program.  All of your settings, history, delayed start-up, etc. will be remembered.

The reason you are discovering a variety of results for Winlogon Userinit is because userinit.exe can be infected.  The legitimate program file is located in %WINDIR%\System32\.  To provide you with information provided by WinPatrol Plus, I entered userinit.exe in the search box on the Plus tab.  The results are copied below.

Quote

WinLogon Process – USERINIT.EXE

Userinit.exe is a process in Windows NT 3.x or later, Windows 2000, Windows XP and Windows Vista. It specifies the programs that Winlogon runs when a user logs on. By default, Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface. This file can be configured to add, remove, or substitute programs. We'd recommend against removal.

More information can be found at http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/regentry/12330.asp.

The way in which UserInit.exe and MsGina.dll work has changed in Windows Vista. You can learn more about the changes at http://msdn2.microsoft.com/en-us/library/aa378750.aspx.

Here are some solutions to common problems:

Using Windows XP, you find that the My Documents folder opens on system startup - http://support.microsoft.com/default.aspx?scid=kb;en-us;555294.

Desktop icon names do not appear correctly after you restart your Windows XP-based computer - http://support.microsoft.com/kb/835417.

Under Windows 2000 and 2003, you log into Windows and are immediately logged off - http://support.microsoft.com/kb/555648.

How to prevent a computer from running a user logon script in Windows Server 2003 - http://support.microsoft.com/kb/924034.

A modification to the Userinit.exe file can delay the initialization of the spooler until the Windows user interface is initialized to speed up Windows startup in 2000 or 2003 - http://support.microsoft.com/kb/240683/.

Updating the CastleCops databases was discontinued some time prior to CC being closed.  The files are hosted by the developer of Javacool Software and can be found at SystemLookup.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
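
The check described in the post above, sketched as an added example (not from the thread or from WinPatrol): "Winlogon Userinit" is the `Userinit` string under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, and the code classifies each comma-separated program in it by location. The `C:\Windows` install path, the sample values and the `helper.exe` name are constructed assumptions.

```python
import ntpath  # Windows path rules, usable on any OS

WINDIR = r"C:\Windows"  # assumption: default install; use %SystemRoot% on a live system

# Constructed sample values for the Winlogon "Userinit" registry string.
SAMPLES = {
    "default": r"C:\Windows\system32\userinit.exe,",
    "env_var": r"%SystemRoot%\System32\userinit.exe",
    "lookalike": r"C:\Windows\userinit.exe,",
    "appended": r"C:\Windows\system32\userinit.exe,C:\Users\Public\helper.exe",
}

def expand(entry, windir=WINDIR):
    """Strip quotes, expand %WINDIR%/%SystemRoot%, normalise case and separators."""
    path = entry.strip().strip('"')
    for var in ("%windir%", "%systemroot%"):
        idx = path.lower().find(var)
        if idx != -1:
            path = path[:idx] + windir + path[idx + len(var):]
    return ntpath.normcase(ntpath.normpath(path))

def audit_userinit(value, windir=WINDIR):
    """Classify every comma-separated program in a Userinit value."""
    expected = ntpath.normcase(ntpath.join(windir, "System32", "userinit.exe"))
    findings = []
    for raw in (e.strip() for e in value.split(",")):
        if not raw:
            continue  # the default value ends with a trailing comma
        path = expand(raw, windir)
        if path == expected:
            note = "legitimate location"
        elif ntpath.basename(path) == "userinit.exe":
            note = "same name, wrong folder"  # e.g. a copy in %WINDIR%\ itself
        else:
            note = "extra program launched at logon"
        findings.append((raw, note))
    ok = bool(findings) and all(n == "legitimate location" for _, n in findings)
    return ("OK" if ok else "REVIEW"), findings

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, *audit_userinit(value))
```

A "REVIEW" verdict is a prompt to look at the listed entry, not a reason to delete userinit.exe from System32.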

Brynn

Thanks for the info, Corrine.
I looked up userinit.exe at SystemLookup, but again, only got malware results.  So I suppose the answer to my problem is to pay for the Plus version of WinPatrol.

Yeah, you know, I've made a really, really honest effort over the years that I've had a computer to learn how to use it, and how to protect it.  But on protection, I seem to have struck out.  I'm beginning to believe it's not possible for the average computer user to see to its security, without hiring experts or purchasing software.  That's too bad!

Which is not to say I don't appreciate all the help I've found here at LandzDown.  You have always seen me through the problems that have developed for me, as a result of not having found adequate protection on my own.  And I will certainly never forget to thank you.

But I have to say I'm disappointed to learn the job of computer security can't really be learned (outside of paid-for degrees or certifications, software or experts).

Anyway, thanks again Corrine  :D

Corrine

Brynn, no, you don't need to pay for a Plus subscription of WinPatrol, however, I would not discourage you since I think WinPatrol is one of the best programs available.  The next time Bill has a special on WinPatrol, I'll be sure to send you a message so you can decide then if you want to get the Plus version (it is a one-time fee).

With regard to System Lookup, you need to be cognizant of the complete information provided.  In particular, at userinit.exe, it is specifically noted that the entry in Startup and in the System32 path is legitimate:

Quote

Startup Entry

Note: Located in %WINDIR%\
Note: Do not remove the legitimate program file in %WINDIR%\System32\

I assure you, Brynn, that I do not have a paid-for degree or certification in computer security or software.  I spend a considerable amount of time reading and researching -- and realize how little I know. 