Cleaning up after installing Java in Windows XP

Sun just issued an update to Java that closes some critical security bugs. The latest and greatest is now version 6 update 17.

This means that many Windows XP users, like myself, will be installing the new version of Java. Like many other products, Java installs pieces of itself all over the place, including components that run automatically every time Windows boots.

One rule of Defensive Computing is that the less software running in the background the better. With this in mind, here is a guide to the parts of Java that can be safely disabled on Windows XP.

The first defensive tactic is during the installation. No one needs the Yahoo toolbar, yet it gets installed by default along with Java. Watch for the checkbox and opt out. Sun has been including optional software with Java for a long time now.

Less obvious is the fact that Java installs a new Windows service. To see it, go to the Control Panel -> Administrative tools -> Services  and look for the Java Quick Starter service. This can be safely disabled. I've done so for a long time without any noticeable side effect.

Java depends on a program called SunJavaUpdateSched, that runs at boot time, to update itself. The program is jusched.exe and it resides in
C:\Program Files\Java\jre6\bin\

You can also live without this program.

Instead of having Java check for updates to itself, I depend on Secunia. They offer a great email based notification service as part of their Online Software Inspector.

This offers two advantages over Java checking for its own updates: no software runs all the time in the background and you get notified of updates to 23 other popular applications too. For more on Secunia's  Online Software Inspector see my recent article in Datamation Free, Comprehensive Windows Patch Notification: Secunia.

Surprisingly, telling Java not to automatically update itself, does not prevent jusched.exe from running at boot time.

Java is configured using the Java applet in the Control Panel. It has an Update tab with a checkbox for automatically checking for updates. Un-checking it, doesn't seem to do anything.

I control auto-started programs using the excellent and free Startup Control Panel program from Mike Lin. Highly recommended. And, there is a portable version. Yesterday, I made my case for portable applications. They are the best thing since sliced bread.

After installing Java, the first time you run Firefox it tells you that a new add-on has been installed. The first time you run Internet Explorer, it says nothing, despite the fact that Java has likewise infiltrated IE. Reason 312 of the 500 reasons to use Firefox.

The new Java Quick Starter extension to Firefox can be safely disabled. Java applets run just fine in Firefox without it. You can test this, and see what version of Java is installed at my JavaTester.org site. 

Like Microsoft did with some .NET framework software, Sun has installed the Firefox extension in such a way that it can't be removed. But disabling it should suffice, even for us pessimists.