Windows Autorun FAQs

  • Markus
    Recognized Expert Expert
    • Jun 2007
    • 6092

    #31
    Originally posted by Nepomuk
    "NO - but some viruses are autoruns. It's like with animals: elephants are mammals, but not all mammals are elephants."

    Greetings,
    Nepomuk
    Absolutely the perfect way of saying it. :D (considering Neo's previous response)

    Comment

    • Markus
      Recognized Expert Expert
      • Jun 2007
      • 6092

      #32
      Originally posted by ambrnewlearner
      (Arghh......I hate my disability to understand standard English sometimes)
      Hey, you do a lot better than most. I only know one language, not counting computer languages o'course.

      Comment

      • Nepomuk
        Recognized Expert Specialist
        • Aug 2007
        • 3111

        #33
        Originally posted by NeoPa
        Rather than saying "NO - but some viruses are autoruns.", try instead "NO - but some viruses use autoruns.".
        True, that's better.

        All in all: That article looks great! But I would certainly split it, e.g. into several chapters, so as not to overwhelm people. Just make sure that things that belong together get put together.

        Greetings,
        Nepomuk

        Comment

        • KevinADC
          Recognized Expert Specialist
          • Jan 2007
          • 4092

          #34
          minor point:

          For normal computer users.....
          I laugh a little when I read that wording. I think it's better written as:

          For the average computer user.....

          or

          For the typical computer user.....

          the reason is that the opposite (or antonym) of "normal" infers a less than complimentary state of being. So if you are not a "normal" computer user you might be an "abnormal" or "odd" or "strange" computer user.

          The opposite of "typical" and "average" is more complimentary: you could be "outstanding" or just "different", but it would not imply "odd" or "strange".

          Then again, I may not be too normal myself.

          Edit: the same applies for other uses of normal to describe the user:

          A normal Windows user....
          A normal computer user....

          Comment

          • AmberJain
            Recognized Expert Contributor
            • Jan 2008
            • 922

            #35
            Hello,

            Originally posted by NeoPa
            Rather than saying "NO - but some viruses are autoruns.", try instead "NO - but some viruses use autoruns.".
            Oh yes....that is more correct or precise. I will modify it in the next draft.

            Originally posted by KevinADC
            For normal computer users.....
            I laugh a little when I read that wording. I think its better written as:
            For the average computer user.....
            [...]
            Edit: the same applies for other uses of normal to describe the user:
            A normal Windows user....
            A normal computer user....
            Added to list of modifications needed........

            Originally posted by nepomuk
            But I would certainly split it e.g. into several chapters, as to not overwhelm people. Just make sure, that things that belong together get put together.
            If you see the changelog for the second draft in REPLY #29, then you will recognise that in an attempt to edit the first draft I had added many things that increased the total length of the article. And so, I am planning to split the article into parts such that the flow of article is not disrupted. I will post my ideas soon.

            Thanks......
            AmbrNewlearner

            Comment

            • KevinADC
              Recognized Expert Specialist
              • Jan 2007
              • 4092

              #36
              I think a logical split could be the discussion of what autoruns are and the discussion about how to remove them which would include the various applications/programs you noted at the end of the article.

              Comment

              • AmberJain
                Recognized Expert Contributor
                • Jan 2008
                • 922

                #37
                Hello,

                I got an idea.....I think that I should try writing one main article and two sub-articles. The three parts could be titled something like:

                1. Windows Autorun FAQs (Main article)
                2. Windows autostart locations (sub article 1)
                3. Programs dealing with windows autoruns (sub article 2)

                Now the main article will contain link to [sub article 1] for Que-11 and link to [sub article 2] for Que-16.

                So, do you like the idea? I need your suggestions.

                Thanks.......
                AmbrNewlearner
                Last edited by AmberJain; Nov 16 '08, 05:39 PM. Reason: added []............

                Comment

                • KevinADC
                  Recognized Expert Specialist
                  • Jan 2007
                  • 4092

                  #38
                  That sounds like a good idea to me.

                  Comment

                  • Nepomuk
                    Recognized Expert Specialist
                    • Aug 2007
                    • 3111

                    #39
                    Yep, sounds like a plan. Although I'd maybe even split that main article into two parts. But just maybe. If you can find a good split, great; if not, so be it.

                    Greetings,
                    Nepomuk

                    Comment

                    • NeoPa
                      Recognized Expert Moderator MVP
                      • Oct 2006
                      • 32633

                      #40
                      Originally posted by ambrnewlearner
                      So, do you like the idea? I need your suggestions.

                      Thanks.......
                      AmbrNewlearner
                      Yes.

                      I did something similar a while back with Debugging in VBA. Notice that navigating between the different threads is made as easy as possible.

                      Comment

                      • AmberJain
                        Recognized Expert Contributor
                        • Jan 2008
                        • 922

                        #41
                        Hello,

                        Thanks to all for their suggestions.

                        Originally posted by NeoPa
                        Yes.

                        I did something similar a while back with Debugging in VBA. Notice that navigating between the different threads is made as easy as possible.
                        The link you provided will certainly prove helpful, as before seeing this reply I was totally confused about the format of the article. But now I have a great article at my disposal to help me out. Thanks NeoPa, for the link.

                        Thanks,
                        AmbrNewlearner

                        Comment

                        • AmberJain
                          Recognized Expert Contributor
                          • Jan 2008
                          • 922

                          #42
                          Windows Autorun FAQs


                          NOTE- This article on "Windows Autorun FAQs" applies in principle to all Windows NT-based OSes up to Windows Vista (and probably Vista's successors too). Much of the content of this article was tested on Windows XP Professional SP2 by the author. Some items in this article may be altogether different/missing on Windows Vista, XP and other Windows NT systems, but I have tried to write a comprehensive article, even though parts of it may not apply to some newer versions of Windows.

                          Que-1: Before we start, can you please tell me the purpose of this article?
                          Ans: Well, autoruns play a critical role in any Windows OS. Everything from harmless programs, such as important system services and applications like antivirus, to malicious ones such as viruses, worms, backdoors etc. uses autoruns for its working, particularly on Windows systems. And so a Windows user may come across a situation where he wants to edit the autoruns on his Windows PC. This article provides an in-depth description of autoruns. It may prove useful both to an average Windows user and to a Windows expert.

                          Que-2: Can you please define autoruns?
                          Ans: Oh yes...autoruns are the programs which are configured to start up automatically when your Windows system boots and you log in to your system. In other words, the term autorun is used in reference to a feature that causes a certain file to open or a certain program to start automatically as soon as a computer with some Windows operating system is booted up. Some of these you will see as small icons in the system notification area at the bottom right of your screen by the clock. For example:


                          Que-3: But why do we need autoruns?
                          Ans: Autoruns have many uses (and many misuses too....but we will talk about them later). For example: if you want a program, e.g. an antivirus, to be executed when a user logs in to a system, then simply adding an entry in one of the autostart locations will add the program to the list of autoruns. The next time you reboot your Windows OS, the program will be executed once the user logs in. To explain further, I would like to quote Mark Russinovich.
                          Quoting Mark Russinovich (the co-author of Sysinternals Autoruns program along with Bryce Cogswell)- "Upon installation, many applications configure themselves to start automatically when you log on. Applications do this so that they can automatically check for updates, because they use system tray icons to interact with users, or because they add functionality to Windows components such as Windows Explorer. However, most such applications don't ask permission before inserting themselves in your logon process and almost never provide an interface to let you disable their autostart functionality. . . .".

                          Que-4: In your last answer, you made a reference to "autostart locations". What are they?
                          Ans: Well, autostart locations simply refer to the list of locations i.e folders, registry keys, files etc. which are searched by Windows OSes for any of autorun entries. See "Windows Autorun FAQs: List of autostart locations" for a list of all autostart locations.

                          Que-5: But someone told me that autoruns are viruses. Is that true?
                          Ans: NO - but some viruses use autoruns. If an autostart entry points to a virus or some other malicious file, then this autorun is certainly a virus. By an autorun virus I mean that the virus is executed when a user logs into the Windows OS, and the virus may then perform malicious activities to any extent depending on its payload.

                          Que-6: Wait! wait....What is payload?
                          Ans: Hmm....SearchSecurity says- "Payload is the eventual effect of a software virus that has been delivered to a user's computer". Payload is code designed to do more than just spread the worm (which is another type of malicious file); it might delete files on a system, encrypt important files etc. In simple words, the payload is the side-effect of a virus or any malicious file. And yes, even if you don't understand what 'payload' is, it does not matter much as it is not directly related to the present matter of discussion.

                          Que-7: I heard the term "Auto Starting Pests (ASPs)" somewhere. What does that mean?
                          Ans: Auto Starting Pest (or ASPs in short) simply refers to the malicious files executed when Windows starts i.e. ASPs are simply "malicious autorun programs". ASPs are also known as ASEPs or Auto Start Extensibility Points sometimes.

                          Que-8: What are services?
                          Ans: A service is a program that runs invisibly in the background; services load and start running whether or not anyone logs into the computer, unlike a program that is launched from one of the autostart locations when a user logs in to his system.
                          There are two ways to view Services on your computer. The first is to use msconfig program by typing msconfig.exe in the Run box in the Start Menu and then clicking the Services tab. If you want to simply look at the services which are running or stopped, this is a good option, but there's a better option. The preferred way to make changes to services is to launch services.msc from the Run option on the Start Menu.
                          Looking at the Services window in services.msc you can see that it has columns for Name, Description, Status, Startup Type and Log On As. This provides a quick overview of all the services on your computer. Detailed information is available by right clicking any of the entries and then select Properties. For more details, visit link below:
                          Windows XP Services- A list of all the standard services

                          Que-9: Now that I know the basics, I would like to ask if I can proceed and play with autoruns on my PC without any fear of data loss?
                          Ans: Oh no...I recommend you back up all your important data before trying anything mentioned in this article. When a person is tweaking autoruns, one has to rely on the 'trial and error' method, and so anything may go wrong at any instant. You may even end up with a crashed Windows OS installation, though that would be the rarest of rare cases. And yes...don't fear problems that may arise due to this, as there is enough information in this article to help you out. And even if you face a problem, you can certainly get help from the Windows forum of bytes.com.

                          Que-10: Oh no....Why to play with autoruns when it may crash my system or cause data loss?
                          Ans: Hmm...There are quite a few matters under a Windows OS which require the user to deal with autoruns. I would list two of them below:
                          1. The most frequently faced case where the concept of autoruns is widely used is that of a system infected with a virus. Although most users would leave the virus to be handled by their antivirus software, there are still many who would love to manually delete the virus and all the related malicious entries. And if you are one of them, then this FAQ is for you. Alternatively, if there is some virus which is still not removed by antivirus programs, then you might consider removing it manually, and in that case you may want to read this FAQ.

                          2. A slow Windows PC is another such situation, where removing unused autostart programs will boost system performance. It is common folklore that Windows systems run slower than other systems (e.g. Linux, Unix). Although this is true to a great extent :) , you can still make your Windows box run a lot better just by removing unused autorun entries. Every day, Windows experts receive complaints from users that their Vista PC, in particular, is running really slowly. And in most cases, it is either a bulk of autoruns which slows down the system, or the system has a configuration lower than the minimum system requirements to run that specific version of Windows Vista.
                          As an example, I would like to tell you that a friend of mine had an XP system with a pretty good configuration which had a boot time of more than 6 minutes. After removing unused autoruns, the boot time came down to about 75 seconds. (After cleaning up unused programs and context menu entries, bad registry entries, and defragmenting the drive, the boot time came down to 52 seconds, which is considered a pretty good boot time.)

                          And so, there's a lot more to gain by deleting unused autorun entries than the safety of important data, which you can always back up safely. So just back up all your important data and then proceed without any risk or fear. I would like to remind you that removable media such as CDs, DVDs and pen/flash/USB drives are very cheap nowadays.

                          Que-11: Ok...I have backed up all my important data. Can you now list all the autostart locations?
                          Ans: For a comprehensive list of all autostart locations, visit "Windows Autorun FAQs: List of autostart locations".

                          Que-12: Do I need to remove autoruns from autostart locations manually? Or, Is there some tool/program available for such purpose?
                          Ans: The best way to prevent a program from running at startup is to check the program's own options for a way to prevent this. Most good-quality programs will provide an option for this.
                          If you are an average computer user, there are many programs around which will show a list of most of the autostarting programs on your system, and then you may choose to delete/add an autostart entry.
                          The best program which allows the user to see a list of autoruns on a PC and modify them is Sysinternals' (now acquired by Microsoft) Autoruns (note that this is the name of a program and not the term "autoruns" which is our present matter of discussion). And there's more....the Sysinternals Autoruns program is freeware. There are many other free (and non-free) programs which deal with autoruns.

                          NOTE: If you are a Windows expert and comfortable with editing the registry, then you can manually remove/add the autorun entry for a program using regedit.exe, as most autostart programs lie hidden somewhere in the registry. If you cannot log in to your XP installation you can try to edit the registry offline. For these purposes you can either use Offline NT Registry Editor or a BartPE CD. Be careful, as some things may not be obvious. Try removing one thing at a time and then restarting the computer to see what happened. Changing more than one thing will make it difficult to detect the fault if problems occur. But I don't recommend this for everyone.

                          Que-13: Does Windows provide any program for autorun programs?
                          Ans: Yes, Windows does offer a program that will list programs that are automatically started from SOME of these locations. This program, known as msconfig.exe, unfortunately only lists programs from a limited number of startup keys. To start msconfig.exe, click Start--->Run, type msconfig and press the [Enter] or [Return] key. Go to the Startup tab, and uncheck the item there. I would like to mention again that this is not the best program for autorun programs.

                          Que-14: What is special about Sysinternals Autoruns program?
                          Ans: This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system boot up or login, and shows you the entries in the order Windows processes them.

                          Que-15: Well, as you said previously, Sysinternals Autoruns is the best program for autoruns. Can you please tell me where to download and how to use the Autoruns utility?
                          Ans: The original web page for Autoruns utility is here and you can download Autoruns utility directly from here.
                          The second link is a compressed zip file which has both a command line and a graphical version of Autoruns utility. Unzip the downloaded file and look in the compressed folder for a binary executable with the name autoruns.exe. Simply double click it to start the program. You will be prompted to accept a license agreement. If you agree to the terms, click 'agree'. Now you will see a window like this:



                          NOTE: Except for the [Logon] tab in the program, all other tabs list autorun files most of which are important for the stability of a clean Windows system, although there may be some malicious/unwanted entries too. And so, unless you are a Windows expert and you know what you are doing, don't mess with the autorun files of any tab other than the [Logon] tab [i.e. the tab mentioned in STEP 1].

                          STEP 1: Click on [Logon] tab. The autorun programs listed under this tab are executed once the user logs in.
                          STEP 2: This column labeled [Autorun Entry] lists the program and the autostart locations for that program.
                          STEP 3: This column labeled [Description] provides a description of the corresponding autorun entry (if any). This description may provide some information about the use or purpose of the program; although this is not to be relied upon.
                          STEP 4: This column labeled [Publisher] lists the name of the company/author for the program. In cases dealing with malicious files (e.g. viruses) this description may provide some help but I repeat that this information is not to be relied upon.
                          STEP 5: This column [Image Path] lists the actual location of the autoruns on a PC.
                          STEP 6: This area lists the actual autorun program that is intended to be executed when the system boots. If the check box next to it is checked then the autorun is executed on system startup, and if it is unchecked then it is not executed/run when the system starts. And so, if you don't want a program to act as an autorun, simply uncheck the entry next to its name.
                          STEP 7: This is actual location (i.e. folder/registry) where a given set of autoruns is located. In Sysinternals Autorun program these entries are highlighted with a different color.

                          NOTE: Please note that under the [Logon] tab, don't remove the check mark next to the following entries, otherwise you may be in trouble with your Windows installation:
                          1. Location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
                          File: userinit

                          2. Location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                          File: explorer.exe

                          3. Location: HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
                          File: rdpclip
                          [Let me make it clear that rdpclip.exe is the executable that provides the function for a Terminal Services server that allows you to copy and paste between server and client. RDPCLIP is not loaded on the client side, i.e. not on the machine using Remote Desktop to connect to a remote machine; instead it is loaded on the machine allowing other machines to connect via Remote Desktop. And so if you don't know what all this means then you had better not uncheck it. And if it is unchecked and you want it to autorun then simply check it again]

                          NOTE: For more help, you can refer to a file named autoruns.chm, i.e. the Help file for Autoruns utility, in the folder you had previously decompressed. You can alternatively post your queries to either Windows forum of bytes.com or Sysinternals Autoruns Forum.

                          Que-16: OK, so that was enough about autoruns. Now what about other programs for the same purpose?
                          Ans: Other than Sysinternals Autoruns, there are only a few programs which are good enough to be used when dealing with autoruns. For a list of some programs that deal with autoruns, visit "Windows Autorun FAQs: Programs dealing with autoruns".

                          Que-17: But what if I really want a program to act as an autorun program?
                          Ans: If you want to autorun a program on Windows startup, then simply add its location to one of the autostart locations. This can be done either manually or using one of the many third-party freeware applications. Some of them are listed above. Two of the most commonly used autostart locations are:
                          Code:
                          C:\Documents and Settings\All Users\Start Menu\Programs\Startup
                          C:\Documents and Settings\<USER_NAME>\Start Menu\Programs\Startup
                          Que-18: Is there anything else that you would like me to know?
                          Ans: Yeah...There are two things that I want to tell you:
                          1. Best of luck
                          2. Good bye :)


                          _______________________________________________________________
                          Appendix 1: Related Links
                          _______________________________________________________________
                          Windows Autorun FAQs: List of autostart locations
                          Windows Autorun FAQs: Programs dealing with autoruns

                          _______________________________________________________________
                          Appendix 2: Abbreviations in this article
                          _______________________________________________________________
                          %ALLUSERSPROFILE% = C:\Documents and Settings\All Users
                          %USERPROFILE% = C:\Documents and Settings\ambr
                          %windir% = C:\windows
                          ASEPs = Auto Start Extensibility Points
                          ASPs = Auto Starting Pests
                          FAQs = Frequently Asked Questions
                          HKCU = HKEY_CURRENT_USER
                          HKLM = HKEY_LOCAL_MACHINE
                          HKCR = HKEY_CLASSES_ROOT
                          NT = New Technology (a family of Microsoft Windows operating systems called Windows NT)
                          OS = Operating System
                          SPx = Service Pack x
                          Last edited by AmberJain; Nov 18 '08, 04:36 PM. Reason: applied some changes............

                          Comment
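A worked example, added here as an illustration (it is not part of AmberJain's draft and not code from Sysinternals Autoruns), of the manual-registry route from Que-12 and the NOTE under Que-15 about the Winlogon Userinit and Shell entries. The script parses the text of a `reg export` of the Winlogon and Run/RunOnce keys and reports a replaced shell, anything appended after userinit.exe in Userinit, and Run entries that launch from a Temp folder or carry a system-binary name outside %windir%. The sample export is constructed for the example, only REG_SZ values are parsed, %windir% = C:\WINDOWS follows the article's abbreviations, and the SYSTEM_NAMES list and the Temp rule are heuristics chosen for this example rather than anything the article prescribes.

```python
r"""Triage a .reg export for suspicious autostart entries.

Added example for this thread, not code from the article or from Sysinternals
Autoruns. Parses the subset of the .reg format that regedit / `reg export` write
(REG_SZ values only; dword/hex data is skipped) and checks the Winlogon Shell and
Userinit values plus the Run/RunOnce keys. WINDIR (= C:\WINDOWS, per the article),
SYSTEM_NAMES and the Temp rule are assumptions made for this example.
"""
import ntpath
import re

# Sample export, constructed for this example (not captured from a real host).
# `reg export` writes UTF-16LE; the text here is assumed to be already decoded.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Temp\\wupd.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVUpdater"="\"C:\\Program Files\\Example AV\\update.exe\" /quiet"
"svchost"="C:\\Documents and Settings\\ambr\\Local Settings\\Temp\\svchost.exe"
"PowerTray"=hex(2):43,00,3a,00,5c,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINDOWS\\system32\\rundll32.exe cleanup.dll,Run"
'''

WINDIR = r"C:\WINDOWS"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY_RE = re.compile(r"\\Run(Once)?(Ex)?$", re.IGNORECASE)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "services.exe",
                "winlogon.exe", "userinit.exe", "explorer.exe"}
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')   # "name"=data  or  @=data


def unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current else None
        if not m:
            continue                      # header, blank, comment or hex continuation
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            name = "" if m.group(1) == "@" else unescape(m.group(2))
            keys[current][name] = unescape(data[1:-1])   # dword:/hex: data is skipped
    return keys


def image_path(launch):
    """Pull the executable path out of a Run-style launch string."""
    launch = launch.strip()
    if launch.startswith('"'):            # "C:\path with spaces\x.exe" /args
        end = launch.find('"', 1)
        return launch[1:end] if end > 0 else launch[1:]
    m = re.match(r"(.*?\.exe)\b", launch, re.IGNORECASE)   # unquoted: cut after .exe
    return m.group(1) if m else launch.split(" ")[0]


def check_winlogon(keys):
    """Report a replaced shell or anything appended to Userinit."""
    wl = next((v for k, v in keys.items() if k.lower() == WINLOGON_KEY.lower()), None)
    if wl is None:
        return []                         # key not in this export: nothing to judge
    findings = []
    shell = wl.get("Shell", "Explorer.exe")
    if shell.lower() != "explorer.exe":
        findings.append(("Winlogon\\Shell", shell, "shell is not Explorer.exe"))
    progs = [p.strip() for p in wl.get("Userinit", "").split(",") if p.strip()]
    if not progs or ntpath.basename(progs[0]).lower() != "userinit.exe":
        findings.append(("Winlogon\\Userinit", ",".join(progs), "userinit.exe missing or not first"))
    findings += [("Winlogon\\Userinit", p, "extra program appended after userinit.exe") for p in progs[1:]]
    return findings


def check_run_keys(keys):
    """Report Run/RunOnce entries from Temp folders or masquerading as system binaries."""
    findings = []
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, launch in values.items():
            exe = image_path(launch)
            base = ntpath.basename(exe).lower()
            folder = ntpath.dirname(exe).lower() + "\\"
            if "\\temp\\" in folder:
                findings.append((key + "\\" + name, exe, "launches from a Temp directory"))
            if base in SYSTEM_NAMES and not folder.startswith(WINDIR.lower() + "\\"):
                findings.append((key + "\\" + name, exe, "system binary name outside " + WINDIR))
    return findings


def triage(text):
    """All findings for one export, Winlogon checks first."""
    return check_winlogon(parse_reg(text)) + check_run_keys(parse_reg(text))


if __name__ == "__main__":
    for location, value, reason in triage(SAMPLE_REG):
        print(f"{reason}: {location} -> {value}")
```

To run it against a real box, export the keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and likewise for the Run keys), decode the file from UTF-16 and pass the text to `triage`. Treat each finding as something to look at, not something to delete: the article's advice to change one entry at a time and reboot still applies, and a quoted path with arguments or an entry in Windows' own Temp folder can be legitimate.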

                          • AmberJain
                            Recognized Expert Contributor
                            • Jan 2008
                            • 922

                            #43
                            Windows Autorun FAQs: List of autostart locations

                            Original article: Windows Autorun FAQs

                            Que: Can you list all the autostart locations for windows?
                            Ans: Here is a comprehensive list of all autostart locations for Windows OSes:

                            NOTE: These are some abbreviations used in this list. Please note them carefully:
                            HKCU = HKEY_CURRENT_USER
                            HKLM = HKEY_LOCAL_MACHINE
                            HKCR = HKEY_CLASSES_ROOT
                            %windir% = C:\windows
                            %USERPROFILE% = C:\Documents and Settings\ambr
                            %ALLUSERSPROFILE% = C:\Documents and Settings\All Users


                            1. Folder:
                            Code:
                            C:\Documents and Settings\All Users\Start Menu\Programs\Startup
                            
                            C:\Documents and Settings\<USER_NAME>\Start Menu\Programs\Startup
                            
                            C:\WINDOWS\Tasks
                            This entry is for Task Scheduler for windows XP
                            Above mentioned autostart locations differ on Windows Vista. The locations on windows Vista are as follows:
                            Code:
                            C:\Windows\System32\Tasks
                            This entry is for Task Scheduler for windows Vista
                            
                            %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
                            
                            %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

                            2. Files:
                            c:\autoexec.bat
                            c:\config.sys
                            %windir%\winstart.bat

                            %windir%\wininit.ini
                            NOTE: Usually used by setup programs to have a file run once and then get deleted.

                            %windir%\win.ini
                            The file looks something like:
                            Code:
                            [windows]
                            load=file.exe
                            %windir%\win.ini
                            The file looks something like:
                            Code:
                            [windows]
                            run=file.exe
                            %windir%\system.ini
                            The file looks something like:
                            Code:
                            [boot]
                            Shell=Explorer.exe file.exe
                            Note: Some of the files that help auto-starting programs are available only in some older Windows OSes. They are listed below:

                            %windir%\dosstart.bat ---> Used in Win95 or 98 when you select "Restart in MS-DOS mode" in the shutdown menu.

                            %windir%\system\autoexec.nt

                            %windir%\system\config.nt


                            3. Registry:

                            Code:
                            HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
                            HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
                            HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
                            HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
                            HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                            HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx	
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
                            HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
                            HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Run
                            HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
                            HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
                            HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
                            HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx	
                            HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
                            HKLM\SOFTWARE\Classes\Protocols\Filter
                            HKLM\SOFTWARE\Classes\Protocols\Handler
                            HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
                            HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
                            HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
                            HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
                            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
                            HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
                            HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
                            HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
                            HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
                            HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
                            HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
                            HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
                            HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
                            HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
                            HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
                            HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
                            HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
                            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
                            HKCU\Software\Microsoft\Ctf\LangBarAddin
                            HKLM\Software\Microsoft\Ctf\LangBarAddin
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
                            HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
                            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
                            HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
                            HKLM\Software\Microsoft\Internet Explorer\Toolbar
                            HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
                            HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
                            HKCU\Software\Microsoft\Internet Explorer\Extensions
                            HKLM\Software\Microsoft\Internet Explorer\Extensions
                            HKLM\System\CurrentControlSet\Services
                            HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
                            HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
                            HKLM\System\CurrentControlSet\Control\Session Manager\Execute
                            HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
                            HKLM\Software\Microsoft\Command Processor\Autorun
                            HKCU\Software\Microsoft\Command Processor\Autorun
                            HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
                            HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
                            HKCU\Control Panel\Desktop\Scrnsave.exe
                            HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
                            HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
                            HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
                            HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
                            HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
                            HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
                            HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
                            HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
                            HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
                            HKCR\batfile\shell\open\command
                            HKCR\comfile\shell\open\command
                            HKCR\exefile\shell\open\command
                            HKCR\htafile\shell\open\command
                            HKCR\piffile\shell\open\command
                            HKLM\Software\Classes\batfile\shell\open\command
                            HKLM\Software\Classes\comfile\shell\open\command
                            HKLM\Software\Classes\exefile\shell\open\command
                            HKLM\Software\Classes\htafile\shell\open\command
                            HKLM\Software\Classes\piffile\shell\open\command
                            HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
                            HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
                            HKLM\Software\Microsoft\Windows NT\CurrentVersion\InitFileMapping
                            HKLM\Software\Microsoft\Windows NT\CurrentVersion\Aedebug
                            HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
                            HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\ProgID
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\ProgID
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\ProgID
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\ProgID
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\ProgID
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\ProgID
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\ProgID

                            4. Registry Shell Spawning:

                            Code:
                            [HKCR\exefile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .EXE file (Executable) is run.
                            
                            [HKCR\comfile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .COM file (Command) is run.
                            
                            [HKCR\batfile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .BAT file (Batch Command) is run.
                            
                            [HKCR\htafile\Shell\Open\Command] @="\"%1\" %*" 
                            Executed whenever a .hta file (HTML Application) is run.
                            
                            [HKCR\piffile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .PIF file (Portable Interchange Format) is run.
                            
                            [HKLM\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .BAT file (Batch Command) is run.
                            
                            [HKLM\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .COM file (Command) is run.
                            
                            [HKLM\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .EXE file (Executable) is run.
                            
                            [HKLM\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
                            Executed whenever a .hta file (HTML Application) is run.
                            
                            [HKLM\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .PIF file (Portable Interchange Format) is run.
                            NOTE: The key should have the value "%1 %*". If this is changed to "server.exe %1 %*", server.exe is executed EVERY TIME an exe/pif/com/bat/hta file is executed. This is known as the Unknown Starting Method and is currently used by Subseven.

                            NOTE: Subseven (also known as Sub7) is the name of a popular backdoor program. For more information visit Wikipedia.

                            Some other similar entries include:

                            Code:
                            HKCR\vbsfile\shell\open\command\
                            Executed whenever a .VBS file (Visual Basic Script)  is run.
                            
                            HKCR\vbefile\shell\open\command\
                            Executed whenever a .VBE file (Encoded Visual Basic Script) is run.
                            
                            HKCR\jsfile\shell\open\command\
                            Executed whenever a .JS file (Javascript) is run.
                            
                            HKCR\jsefile\shell\open\command\
                            Executed whenever a .JSE file (Encoded Javascript) is run.
                            
                            HKCR\wshfile\shell\open\command\
                            Executed whenever a .WSH file (Windows Scripting Host) is run.
                            
                            HKCR\wsffile\shell\open\command\
                            Executed whenever a .WSF file (Windows Scripting File) is run.
                            
                            HKCR\scrfile\shell\open\command\
                            Executed whenever a .SCR file (Screen Saver) is run.

                            5. Active-X Component:

                            Code:
                            [HKLM\Software\Microsoft\Active Setup\Installed Components\KeyName]
                            StubPath=C:\PathToFile\Filename.exe
                            You may be amazed, but this does start filename.exe before Windows Explorer (explorer.exe) and before any other program that is normally started from the Run keys.


                            6. Miscellaneous:

                            Code:
                            HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries
                            Layered Service Providers, executed before user login.
                            
                            HKLM\System\Control\WOW\cmdline
                            Executed when a 16-bit Windows executable is executed.
                            
                            HKLM\System\Control\WOW\wowcmdline
                            Executed when a 16-bit DOS application is executed.
                            
                            HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore
                            Windows XP and Vista only
                            
                            [Local Fixed Disk]\AUTORUN.INF open=, shellexecute=
                            Excluding Windows Me and Windows XP SP2.
                            
                            [Local Fixed Disk]\[Any Folder with “S” Attribute]\DESKTOP.INI [.ShellClassInfo] CLSID= / UICLSID=
                            This launch point is checked by answering “No” at the script's first message box and then “Yes” at the message box that follows it, or with the “-supp” or “-all” command line parameters.
                            
                            HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries
                            
                            HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries
                            An entry which may be of interest to some is:
                            Code:
                            [HKLM\Software\CLASSES\ShellScrap] @="Scrap object"
                            "NeverShowExt"=""
                            NOTE: The function of the NeverShowExt key is to HIDE the real extension of the file (here SHS). This means that if you rename a file as "Game.exe.shs" it displays as "Game.exe" in all programs, including Explorer.


                            7. Hijack points:

                            These locations can be used to redirect the desktop, network and Internet Explorer.
                            Code:
                            %WINDIR%\INF\IERESET.INF
                            Note: Internet Explorer 5.01, 5.5 & 6.0 only
                            Code:
                            %WINDIR%\HOSTS
                            %WINDIR%\System32\drivers\etc\HOSTS
                            HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
                            HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes
                            HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
                            HKLM\Software\Microsoft\Internet Explorer\AboutURLs
                            HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
                            HKLM\Software\Microsoft\Internet Explorer\Main
                            HKLM\Software\Microsoft\Internet Explorer\Search
                            HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
                            HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
                            HKCU\Software\Policies\Microsoft\Windows
                            HKCU\Software\Policies\Microsoft\Internet Explorer
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
                            HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
                            HKCU\Software\Microsoft\Internet Explorer\SearchURL
                            HKCU\Software\Microsoft\Internet Explorer\Main
                            HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
                            Last edited by AmberJain; Nov 18 '08, 04:29 PM. Reason: applied some changes.

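The list above is long, and a practitioner's first question is how to walk it on a live box and tell a stock value from a hijacked one. The script below is an added example, not code from the article or from any tool it mentions. It reads a subset of the locations from sections 3, 4 and 5 (the Run/RunOnce keys, the Active Setup StubPath values, the Winlogon Shell/Userinit values, AppInit_DLLs and the exefile/comfile/batfile/cmdfile/piffile shell\open\command keys), checks the single-value ones against a default, and signature-checks the image each Run entry points at. The "Expected" defaults are assumptions taken from a stock Windows 10 install and are not claimed for every Windows version; the script assumes Windows PowerShell 5.1 and an elevated session.

```powershell
# Added example, not code from the original article: audit a subset of the
# autostart locations listed above and flag values that differ from a clean
# Windows default. Assumptions (not stated on the page): Windows PowerShell 5.1,
# an elevated session, and that the "Expected" defaults below match your build;
# they are taken from a stock Windows 10 install and should be adjusted for others.

$ErrorActionPreference = 'SilentlyContinue'

# Locations where every value is a command that runs automatically (section 3).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Single values with a known default. Anything else is a hijack candidate:
# section 4 above describes "server.exe %1 %*" planted in a shell\open\command key.
$hijackPoints = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';        Expected = 'explorer.exe' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit';     Expected = 'C:\Windows\system32\userinit.exe,' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'AppInit_DLLs'; Expected = '' }
)
foreach ($ftype in 'exefile', 'comfile', 'batfile', 'cmdfile', 'piffile') {
    # HKCR merges HKLM\Software\Classes with HKCU\Software\Classes; the per-user
    # branch overrides the machine one and needs no admin rights, so check both.
    foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
        $hijackPoints += @{ Key = "$root\$ftype\shell\open\command"; Name = '(default)'; Expected = '"%1" %*' }
    }
}

# Pull the executable out of a command line so it can be signature-checked.
function Get-ImagePath([string] $Command) {
    $path = $null
    if     ($Command -match '^\s*"([^"]+)"')                                     { $path = $Matches[1] }
    elseif ($Command -match '^\s*(.+?\.(exe|dll|com|bat|cmd|scr|vbs|js))(\s|$)') { $path = $Matches[1] }
    elseif ($Command -match '^\s*(\S+)')                                         { $path = $Matches[1] }
    if (-not $path) { return $null }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if (Test-Path -LiteralPath $path) { return $path }
    # Bare names such as "explorer.exe" resolve through the search path.
    return (Get-Command -Name $path -CommandType Application | Select-Object -First 1).Path
}

function New-AutostartRecord($Location, $Name, $Command) {
    $image = Get-ImagePath $Command
    $signature = if ($image) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'image not found' }
    [pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command; Image = $image; Signature = $signature }
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            New-AutostartRecord -Location $key -Name $p.Name -Command "$($p.Value)"
        }
    }
    # Active Setup (section 5): one subkey per component, command in StubPath,
    # run once per user at logon before the shell starts.
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
                      'HKCU:\Software\Microsoft\Active Setup\Installed Components') {
        foreach ($sub in Get-ChildItem -Path $root) {
            $stub = (Get-ItemProperty -Path $sub.PSPath).StubPath
            if ($stub) { New-AutostartRecord -Location ($sub.PSPath -replace '^.*?::', '') -Name 'StubPath' -Command "$stub" }
        }
    }
}

function Test-HijackPoints {
    foreach ($h in $hijackPoints) {
        $actual = $null; $status = 'absent'
        if (Test-Path $h.Key) {
            $actual = (Get-ItemProperty -Path $h.Key).($h.Name)
            # -eq on strings is case-insensitive; surrounding whitespace is ignored.
            $status = if ("$actual".Trim() -eq $h.Expected) { 'default' } else { 'MODIFIED - investigate' }
        }
        [pscustomobject]@{ Location = "$($h.Key)\$($h.Name)"; Actual = $actual; Expected = $h.Expected; Status = $status }
    }
}

Write-Host '== Autostart entries =='
Get-AutostartEntries | Format-Table -AutoSize -Wrap Location, Name, Command, Signature
Write-Host '== Hijack points =='
Test-HijackPoints | Format-Table -AutoSize -Wrap
```

A "MODIFIED" status is a prompt to look, not a verdict: some legitimate software (for example remote-access or file-type tools) does rewrite these values. The per-user shell\open\command keys are normally absent, so "absent" there is the healthy state, while a present key with anything other than `"%1" %*` is exactly the pattern section 4 warns about. On 64-bit Windows the 32-bit views under Wow6432Node (including a second AppInit_DLLs) are not covered here and would need the same treatment.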

                              AmberJain (Recognized Expert Contributor, joined Jan 2008, 922 posts) #44
                              Windows Autorun FAQs: Programs dealing with autoruns

                              Original article: Windows Autorun FAQs

                              Que: Can you list programs that help me to view/modify the autoruns on my Windows PC?
                              Ans: Other than Sysinternals Autoruns, there are only a few programs which are good enough to be used when dealing with autoruns. Some of them are listed below:

                              1. Silent Runners: Most Windows experts know about the Sysinternals Autoruns program and consider it the best tool for autorun programs. But there is another VBScript available which is at least equivalent to (if not better than) Sysinternals Autoruns. It is called Silent Runners.
                              For the average computer user, I would like to point out that "scripts" are often treated as distinct from "programs", which execute independently of any other application. The web page for Silent Runners is here. Silent Runners is free for personal or internal business use. Silent Runners is not free for commercial use.
                              The purpose of Silent Runners is to identify the programs that start up with Windows. The original author of Silent Runners is Andrew Aronoff (although many have contributed to the development of the script). According to the Silent Runners website: "Silent Runners is not an anti-virus, an anti-trojan, or a spyware scanner. It only pinpoints how programs start up, i.e. it does not scan the system to identify every trace of malware. The text file it creates can be removed for study or stored as a benchmark".
                              The script changes absolutely nothing on your system other than adding its report file. It has no option to change anything and no such option will ever be added. Silent Runners can be run simply by double-clicking it. It can also be run from the command line under CScript.exe, in which case output will be directed to the console. It creates a text file and places it, by default, in the same directory as the script.

                              For more details visit Silent runners FAQs or Using the Script web pages.
                              Direct download link for Silent runners VBscript

                              2. ASviewer: Autostart Viewer allows you to see all known autostarts on your system, all on one screen. It also gives you complete control over the autostart references, and allows you to modify or delete them at will. A list of the autostart locations monitored by ASviewer is present on this page.
                              Company/Author- DiamondCS
                              Key Features:
                              - Freeware
                              - Over 50 different autostart locations checked!
                              - Right-click menu allows you to take complete control over each autostart
                              - Add New Autostart feature allows you to add new programs to automatically start
                              - Save/Print functions allow you to take snapshots
                              - Resizable, easy-to-use interface that shows every autostart on the one display
                              - All sizes, positions and settings are remembered
                              Direct download link for ASviewer

                              3. StartupRun: The StartupRun utility displays the list of all applications that are loaded automatically when Windows boots. For each application, additional information is displayed such as Product Name, File Version, Description, and Company Name in order to allow you to easily identify the applications that are loaded at Windows startup.
                              Company/Author- NirSoft
                              Key Features:
                              - Freeware for personal and non-commercial use.
                              - If spyware/adware is found, it is painted in pink
                              - Edit, disable, enable and delete the selected startup entries
                              - Save the list of startup items into a text or HTML file
                              - Add a new startup entry to the Registry
                              - Standalone executable (doesn't require any installation process or additional DLLs)
                              - Command-Line Options
                              Direct download link for StartupRun

                              4. Windows XP Startup Tracker: This small GUI (Graphical User Interface) utility will check the Start Menu and the System Registry for items that load at startup. It will also check for Disabled Startup items and changes to the default "Shell" value.
                              Company/Author- Doug Knox
                              Key Features:
                              -Freeware (registration mandatory for a licensed version)
                              -Support for listing all running Processes and Services
                              -Creates a log file each time it is run, or you can choose to create the log file automatically
                              -Requires VB6 Runtime Library
                              Direct download link for Windows XP Startup Tracker

                              5. Startup Inspector for Windows: Startup Inspector for Windows is Windows software that helps both novice and expert users manage Windows startup applications. On www.windowsstartup.com, there are more than 4,900 known programs in the database. Startup Inspector for Windows can thus provide consultative information on the programs that run during your Windows startup process: whether a program is necessary to the system, or whether it is spyware. The "Startup Programs Knowledge Base" is located here.
                              Company/Author- www.windowsstartup.com
                              Key Features:
                              -Freeware
                              -Scans all programs that are in the Windows Startup folder and Registry and provides you with background information on each program.
                              -Removes harmful programs like spyware, viruses and diallers, making your system healthier.
                              -Removes unnecessary programs like reminders and monitors, improving your system performance.
                              Direct download link for Startup Inspector for Windows

                              6. Startup Monitor: Startup Monitor is a small monitoring program; it keeps a constant eye on your system's startup entries. Whenever a change is made, you will be notified and given a choice to either allow or refuse the change. This program is in Beta version at the time of this writing.
                              Company/Author- www.windowsstartup.com
                              Key Features:
                              -Freeware
                              -Friendly GUI
                              -Keeps an eye on changes to startup applications
                              Direct download link for Startup Monitor

                              7. Startup Control Panel: Startup Control Panel is a nifty control panel applet that allows you to easily configure which programs run when your computer starts.
                              Company/Author- Mike Lin
                              Key Features:
                              -Freeware
                              -simple to use
                              -small
                              Direct download link for Startup Control Panel
                              Direct download link for Startup Control Panel (Standalone EXE Version)

                              8. StartupMonitor: StartupMonitor is a small utility that runs transparently (it doesn't even use a tray icon) and notifies you when any program registers itself to run at system startup. It prevents annoying programs from registering themselves behind your back.
                              Company/Author- Mike Lin
                              Key Features:
                              -Freeware
                              -watches the Start Menu's Startup folders and the Run entries in the registry
                              Direct download link for StartupMonitor

                              There are many other programs which deal with autoruns, but I have tried to produce a list of the best freeware programs, which are considered at least equal (if not superior) to their commercial counterparts.

                              NOTE: The licensing status (free/non-free) of the programs in this article is as it was at the time this article was written, and there is a finite probability that this status will change with time. So, refer to the original site or contact the author of the program for licensing details.
                              Last edited by AmberJain; Nov 18 '08, 04:32 PM. Reason: made some changes.

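Two of the tools listed above (Startup Monitor and StartupMonitor) are described as watching the startup entries and notifying you when something registers itself. The script below is an added example of how that class of tool can work, not code from the post or from either tool: it takes a snapshot of a few autostart keys, subscribes to WMI registry change events for them, and on each event diffs the key against the last snapshot so it reports what was added, changed or removed. It assumes Windows PowerShell 5.1 (Register-WmiEvent is not available in PowerShell 7), an elevated session, and the key list shown; none of these assumptions come from the post. The WMI registry event classes do not accept HKEY_CURRENT_USER, so the current user's Run key is watched through its HKEY_USERS\<SID> path.

```powershell
# Added example, not code from the original post or from any tool listed above:
# a minimal version of what the "startup monitor" tools do, built on WMI registry
# change events. Assumptions (not stated on the page): Windows PowerShell 5.1,
# an elevated session, and that the key list below is the set you care about.

$currentSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$watched = @(
    @{ Hive = 'HKEY_LOCAL_MACHINE'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' },
    @{ Hive = 'HKEY_LOCAL_MACHINE'; Path = 'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' },
    @{ Hive = 'HKEY_LOCAL_MACHINE'; Path = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' },
    # HKEY_CURRENT_USER is not supported by the WMI registry events; use the SID path.
    @{ Hive = 'HKEY_USERS';         Path = "$currentSid\Software\Microsoft\Windows\CurrentVersion\Run" }
)

# Global so the event action, which runs outside this script's scope, can call it.
function global:Get-KeySnapshot([string] $RegistryPath) {
    $snapshot = @{}
    $props = Get-ItemProperty -LiteralPath "Registry::$RegistryPath" -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { $snapshot[$p.Name] = "$($p.Value)" }
        }
    }
    return $snapshot
}

$global:AutostartBaseline = @{}

# Runs each time WMI reports the key changed; diff against the last snapshot
# so the report says what was added, changed or removed, not just "changed".
$onChange = {
    $path   = $Event.MessageData
    $before = $global:AutostartBaseline[$path]
    $after  = Get-KeySnapshot $path
    $stamp  = Get-Date -Format 's'
    foreach ($name in $after.Keys) {
        if (-not $before.ContainsKey($name)) {
            Write-Host "[$stamp] ADDED   $path\$name = $($after[$name])" -ForegroundColor Red
        } elseif ($before[$name] -ne $after[$name]) {
            Write-Host "[$stamp] CHANGED $path\$name : '$($before[$name])' -> '$($after[$name])'" -ForegroundColor Yellow
        }
    }
    foreach ($name in $before.Keys) {
        if (-not $after.ContainsKey($name)) { Write-Host "[$stamp] REMOVED $path\$name" -ForegroundColor Cyan }
    }
    $global:AutostartBaseline[$path] = $after
}

try {
    $i = 0
    foreach ($w in $watched) {
        $full = "$($w.Hive)\$($w.Path)"
        $global:AutostartBaseline[$full] = Get-KeySnapshot $full
        # WQL string literals need every backslash doubled.
        $query = "SELECT * FROM RegistryKeyChangeEvent WHERE Hive='$($w.Hive)' AND KeyPath='$($w.Path.Replace('\', '\\'))'"
        Register-WmiEvent -Query $query -SourceIdentifier "Autorun-$i" -MessageData $full -Action $onChange | Out-Null
        $i++
    }
    Write-Host "Watching $($watched.Count) autostart keys; press Ctrl+C to stop."
    # Actions run while the session is idle; Wait-Event keeps it alive and idle.
    while ($true) { Wait-Event -Timeout 5 | Out-Null }
}
finally {
    Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'Autorun-*' } | Unregister-Event
}
```

RegistryKeyChangeEvent fires for changes to the values of the named key only; locations whose entries live in subkeys (RunOnce\Setup, the Active Setup components) need RegistryTreeChangeEvent instead. Unlike the tools in the list, this script only reports a change after it has happened; blocking it would need a minifilter or a policy, not a WMI subscription.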

                                AmberJain (Recognized Expert Contributor, joined Jan 2008, 922 posts) #45
                                Hello,

                                Well, I have posted the third draft of my article, which has been split into three parts. The division of the article into three parts is as follows:

                                1. Windows Autorun FAQs -> REPLY #42
                                2. Windows Autorun FAQs: List of autostart locations -> REPLY #43
                                3. Windows Autorun FAQs: Programs dealing with autoruns -> REPLY #44

                                The splitting is done such that if the reader reads REPLY #42 (main article) then he can easily switch between the main article and the sub-articles.
                                ______________________________________________________________________

                                The changelog for draft 3 is as follows:
                                1. All references to "normal computer user" (and anything similar) changed to "average computer user".
                                2. In Que-5, "NO - but some viruses are autoruns" changed to "NO - but some viruses use autoruns".
                                3. Made some changes to NOTE in Que-15.
                                4. Added section- "Appendix 1: Related links" to main article.



                                Originally posted by nepomuk
                                Although, I'd maybe even split that main article into two parts. But just maybe. If you can find a good split, great, if not, so be it.
                                Now that I have split the article into three parts, will you still suggest splitting the main article into two parts?



                                Any other comments are welcome.
                                Thanks.
                                AmbrNewlearner
                                Last edited by AmberJain; Nov 18 '08, 04:51 PM. Reason: added something.
