fix(windows): delete autostart script — it looked like malware and froze Settings>Network #1608
Open
joelteply wants to merge 2 commits into
joelteply added a commit that referenced this pull request Jun 11, 2026
…-audit.ps1)

Companion to PR #1608. One read-only script the operator runs as admin on any Windows box to surface EVERY autostart vector in one pass:

1. Scheduled tasks with logon/startup/boot triggers
2. HKLM + HKCU Run / RunOnce / WOW6432Node Run keys
3. User + system Startup folders
4. Auto-start services filtered to non-Microsoft paths
5. Win32_StartupCommand (Task Manager Startup view)
6. Currently running cmd.exe / powershell.exe / wsl.exe / airc.exe / continuum* processes with parent + command line

Then prints a section 7 'kill suggestions' block matching airc / continuum / wsl / cargo / tailscale signatures — operator copies the unwanted entries to remove them. Read-only by default; no remediation without explicit operator paste.

Why: the malware-perception PR (#1608) deleted the one autostart script in source, but machines that already ran historical versions still have ContinuumWSL or related entries persisting. Without an audit script, operators have to manually grep Task Scheduler / regedit / startup folders. This makes finding-and-killing leftovers a single command.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…STEM scheduled task that froze Settings>Network on boot

The script registered a 'ContinuumWSL' SYSTEM-level scheduled task that fired wsl.exe at boot, which:

1. Popped a visible terminal window on every login (malware signature).
2. Spun up the vEthernet (WSL) virtual adapter before NlaSvc/WMI had finished enumerating Wi-Fi, causing the Settings -> Network page to freeze on a stalled WCM provider query. Reproduced twice on a fresh HP Omen 5090 with Wi-Fi 7 silicon.
3. Ran tailscaled + sshd + postgres + nvidia-smi probes at boot as SYSTEM, which is hostile install behavior whether or not the intent was legitimate.

Perception matters. Silently dropped SYSTEM scheduled tasks that pop terminals and bring up virtual adapters on boot are indistinguishable from malware to a security-conscious user, and they erode trust in the project even when the code is benign.

Anyone who actually wants WSL services on boot should use Microsoft's built-in wsl.conf [boot] mechanism inside the WSL distro itself — no Windows-side scheduled task required, no console window, no SYSTEM privileges.

Existing installs can clean up via:

    Unregister-ScheduledTask -TaskName ContinuumWSL -Confirm:$false
    wsl --shutdown

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
a900bc8 to 0ca5e52
Summary
Deletes tools/scripts/windows-setup-autostart.ps1. The script registered a ContinuumWSL SYSTEM-level scheduled task that fired wsl.exe at boot, which:

- Spun up the vEthernet (WSL) virtual adapter before NlaSvc/WMI had finished enumerating the real Wi-Fi adapter, causing Win11's Settings → Network page to freeze on a stalled WCM provider query. Reproduced twice on a fresh HP Omen 5090 with Wi-Fi 7 silicon.
- Ran tailscaled + sshd + postgres + nvidia-smi probes at boot as SYSTEM, which is hostile install behavior whether or not the intent was legitimate.

The script's intent was a legitimate "make this box reachable via SSH/Tailscale after a reboot" — but the implementation pattern is indistinguishable from malware to a security-conscious operator. Perception matters. Silent SYSTEM-level scheduled tasks that pop terminals and bring up virtual adapters on every boot erode trust in the project even when the code is benign.
The replacement (for anyone who actually wants WSL services on boot): use Microsoft's built-in wsl.conf [boot] mechanism inside the WSL distro itself. No Windows-side scheduled task. No console window. No SYSTEM privileges.

Existing installs — cleanup
Anyone who already ran the script can clean up via:
Reboot. Settings → Network unfreezes.
Test plan
- windows-setup-autostart.ps1 anywhere else in the tree
- install.ps1)

🤖 Generated with Claude Code
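
A read-only check for the leftover task this PR describes, added here as an example; it is not part of the pull request or the project's audit script. The function name `Find-BootAutostartTask`, its parameters and the `wsl.exe` match pattern are assumptions, while the task name `ContinuumWSL` and the cleanup commands come from the PR text.

```powershell
# Added example, not the project's audit script. Read-only: it lists tasks
# and prints removal commands but never unregisters anything itself.
# Needs the ScheduledTasks module; run elevated to see SYSTEM-owned tasks.

function Find-BootAutostartTask {
    param(
        # Substrings to look for in a task's command line (assumed default).
        [string[]]$ImagePattern = @('wsl.exe'),
        # Task name taken from the PR description.
        [string]$KnownName = 'ContinuumWSL'
    )
    foreach ($task in Get-ScheduledTask) {
        # Triggers are CIM instances; the class name identifies the type,
        # e.g. MSFT_TaskBootTrigger or MSFT_TaskLogonTrigger.
        $kinds = @($task.Triggers | ForEach-Object { $_.CimClass.CimClassName })
        $atBootOrLogon = [bool]($kinds -match '^MSFT_Task(Boot|Logon)Trigger$')

        # Join every exec action into one searchable command line.
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
        $launches = [bool]($ImagePattern | Where-Object { $cmd -like "*$_*" })

        if ($task.TaskName -eq $KnownName -or ($atBootOrLogon -and $launches)) {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                RunAs    = $task.Principal.UserId
                Triggers = $kinds -join ','
                Command  = $cmd
            }
        }
    }
}

$found = @(Find-BootAutostartTask)
if ($found.Count -eq 0) {
    'No boot/logon scheduled task launching wsl.exe was found.'
} else {
    $found | Format-List
    'Review the entries above, then paste the lines you want to run:'
    foreach ($t in $found) {
        "Unregister-ScheduledTask -TaskName '$($t.TaskName)' -TaskPath '$($t.TaskPath)' -Confirm:`$false"
    }
    'wsl --shutdown'
}
```

The `RunAs` column shows whether a hit runs as SYSTEM, which is the property the PR objects to.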