Windows Autorun FAQs

NOTE- This article on "Windows Autorun FAQs" applies (theoretically) to all Windows NT-based OSes till Windows Vista (and probably Vista's successors too). Much of the contents of this article are tested on Windows XP professional SP2 (by the author). Some instances of this article may be altogether different/missing on Windows Vista, XP and other Windows NT systems, but I have tried to write a comprehensive article that may not apply in some newer versions of Windows OSes.

Que-1: Before we start, can you please tell me the purpose of this article?
Ans: Well, autoruns play a critical role in any Windows OS. Harmless programs such as important system services, applications (e.g. antivirus) to malicious ones such as viruses, worms, backdoors etc. use autoruns for their working (particularly in windows system). And so, a windows user may come across a situation where he may want to edit autoruns for his windows PC. This article provides an indepth description of autoruns. This article may prove to be useful both to a normal windows user and a windows expert.

Que-2: Can you please define autoruns?
Ans: Oh yes...autoruns are the programs which are configured to startup automatically when your Windows system boots and you login to your system. In other words, the term autorun is used in reference to a feature that causes a certain file to open or a certain program to start automatically as soon as a computer with some Windows Operating System is booted up. Some of these you will see as small icons in the system notification area at the bottom right of your screen by the clock. for example:


Que-3: But why do we need autoruns?
Ans: Autoruns have many uses (and many mis-uses too....but we will talk about them later). For example: If you want a program (e.g. antivirus) to be executed when user logs in to a system then simply adding a entry corresponding to one of autostart locations will add the program to list of autoruns. Next time when you reboot your Windows OS, the program will be executed once the user logs in. To explain further, I would like to quote Mark Russinovich.
Quoting Mark Russinovich (the co-author of Sysinternals Autoruns program along with Bryce Cogswell)- "Upon installation, many applications configure themselves to start automatically when you log on. Applications do this so that they can automatically check for updates, because they use system tray icons to interact with users, or because they add functionality to Windows components such as Windows Explorer. However, most such applications don't ask permission before inserting themselves in your logon process and almost never provide an interface to let you disable their autostart functionality. . . .".

Que-4: In your last answer, you made a reference to "autostart locations". What are they?
Ans: Well, autostart locations simply refer to the list of locations (folders, registry keys, files etc.) which are searched by Windows OSes for any of autorun entries. (See also Que-11 in the same FAQs for a list of all autostart locations).

Que-5: But someone told me that autoruns are viruses. Is that true?
Ans: YES and NO (I mean that the answer is partly yes and partly no). If an autostart entry points to a virus (or some other malicious file), then this autorun is certainly a virus. By an autorun virus I mean that the virus is executed when a user logs into Windows OS and the virus may then perform malicious activities to any extent (depending on it's payload).

Que-6: Wait! wait....What is payload?
Ans: Hmm....SearchSecurity says- "Payload is the eventual effect of a software virus that has been delivered to a user's computer". Payload is code designed to do more rather than just spreading the worm (another type of malicious file)- it might delete files on a system, encrypt important file etc. In simple words, payload is the side-effect of a virus (or any malicious file). And yes, even if you dont understand what 'payload' is, it doesnot matters much (as it is not directly related to the present matter of discussion).

Que-7: I heard the term "Auto Starting Pests (ASPs)" somewhere. What does that mean?
Ans: Auto Starting Pest (or ASPs in short) simply refers to the malicious files executed when Windows starts i.e. ASPs are simply "malicious autorun programs". ASPs are also known as ASEPs (Auto Start Extensibility Points) sometimes.

Que-8: What are services?
Ans: It is a program that runs invisibly in the background which load and start running whether or not anyone logs into the computer, unlike a program that is launched from one of autostart locations when a user log in to his system.
There are two ways to view Services on your computer. The first is to use msconfig program by typing msconfig.exe in the Run box in the Start Menu and then clicking the Services tab. If you want to simply look at the services which are running or stopped, this is a good option, but there's a better option. The preferred way to make changes to services is to launch services.msc from the Run option on the Start Menu.
Looking at the Services window (in services.msc) you can see that it has columns for Name, Description, Status, Startup Type and Log On As. This provides a quick overview of all the services on your computer. Detailed information is available by right clicking any of the entries and then select Properties. For more details, visit link below:
Windows XP Services- A list of all the standard services

Que-9: Now that I know the basics, I would like to ask if I can proceed and play with autoruns on my PC without any fear of data loss?
Ans: Oh no...You need (and I recommend) to backup all your important data before trying anything mentioned in this article. When a person is tweaking with autoruns, one has to rely on 'Trial and error' method and so anything may go wrong at any instant (you may even end with crashed Windows OS installation, though it would be a rarest of rare case). And yes...Dont fear about problems that may arise due to this as there is enough information in this article to help you out. And even if you face a problem then you can certainly get help from Windows forum of bytes.com.

Que-10: Oh no....Why to play with autoruns when it may crash my system or cause data loss?
Ans: Hmm...There are pretty many matters (under Windows OS) which require the user to handle (or play with) autoruns. I would list two of them below:
1. A most frequently faced case (where concept of autorun is widely used) is of a system infected with virus. Although most users would leave the virus to be handled by their antiVirus software, still there are many who would love to manually delete the virus (and all the related malicious entries). And if you are one of them, then this FAQ is for you.

2. A slow Windows PC is another such situation where removing unused autostart programs will boost up system performance. It is a common folklore that Windows systems run slower than other systems (e.g. Linux, Unix). Although this is true to a great extent :) , still you can make your Windows box to run a lot better only if you remove unused autorun entries. In daily scenario, all Windows experts receive complaints from users that their Vista PC (specifically) is running really slow. And in most of cases, it is either a bulk of autoruns which slow down a system or the system has the configuaration lower than that required by minimum system requirements to run that specific version of Windows Vista.
As an example, I would like to tell you that a friend of mine had a XP system with pretty good configuration which had a boot time of more than 6 minutes. And after removing unused autoruns, the boot time came down to about 6 minutes. (after cleaning up unused programs and context menu entries, bad registry entries, defragmentation of the drive the boot time came down to 52 seconds which is a considered a pretty good boot time).

And so, there's a lot you gain by deleting unused autorun entries than just the safety of important data (which you can always backup safely). And so, just backup all your important data and then proceed without any risk or fear(remember removable medias such as CDs, DVDs, Pen/Flash/USB drives are too cheap now a days).

Que-11: Ok...I have backed all my important data. Can you now list all the autostart locations?
Ans: Here is a comprehensive list of all autostart locations for Windows OSes:

NOTE : These are some abbreviations used in this list. Please note them carefully:
HKCU = HKEY_CURRENT_US ER
HKLM = HKEY_LOCAL_MACH INE
HKCR = HKEY_CLASSES_RO OT
%windir% = C:\windows


1. Folder:

2. Files:
c:\autoexec.bat
c:\config.sys
%windir%\winsta rt.bat

%windir%\winini t.ini
NOTE: Usually used by setup programs to have a file run once and then get deleted.

%windir%\win.in i
The file looks something like:
windir\win.ini
The file looks something like:
windir\system.i ni
The file looks something like:
Note: Some of files that help autostarting programs are available only in some older Windows OS. They are listed below:

windir\dosstart .bat ---> Used in Win95 or 98 when you select the "Restart in MS-DOS mode" in the shutdown menu.

windir\system\a utoexec.nt

windir\system\c onfig.nt


3. Registry:


4. Registry Shell Spawning:

NOTE- Subseven (also known as Sub7) is the name of a popular backdoor program. For more information visit wikipedia.

Some other similar entries include:


5. Active-X Component:

You may be amazed but this does start filename.exe before windows explorer (explorer.exe) and any other Program is normally started from run keys.


6. Miscellaneous:

An entry which may be of interest to some is:
NOTE: The NeverShowExt key has the function to HIDE the real extension of the file (here) SHS. This means if you rename a file as "Game.exe.s hs" it displays as "Game.exe" in all programs including Explorer.

Que-12: Do I need to remove autoruns from autostart locations manually? Or, Is there some tool/program available for such purpose?
Ans: The best way to prevent a program from running at startup, is to check the program's own options for a way to prevent this. Most good quality programs will provide an option for this.
If you are a normal computer user, there are many programs around which will show a list of most of autostarting programs of your system and then you may choose to delete/add an autostart entry.
The best program which allow the user to see a list of autoruns on a PC (and modify them) is Sysinternals' (now acquired by Microsoft) Autoruns (note that this is the name of a program and not the terminology "autoruns" which is our present matter of discussion). And there's more....Sysinte rnals Autoruns program is a freeware. There are many other free (and nonfree) programs which deal with autoruns.

NOTE: If you are a Windows expert and comfortable with editing registry, then you can manually remove/add the autorun entry for a program (as most of autostart programs lay hiding somewhere in registry). If you cannot login to your XP installation you can try to edit the registry offline. For these purposes you can either use Offline NT Registry Editor or BartPE CD. Be careful as some things may not be obvious. Try removing one thing at a time and then restarting the computer to see what happened. Changing more than one thing will make it difficult to detect the fault if problems occur. But I dont recommend this for everyone.

Que-13: Does Windows provides any program for autorun programs?
Ans: Yes, Windows does offer a program that will list programs that are automatically started from SOME of these locations. This program known as msconfig.exe, unfortunately, only lists programs from a limited amount of startup keys. To start msconfig.exe, click Start--->Run and type msconfig and press [Enter] or [Return] key. Go to the Startup tab, and uncheck the item there. I would like to mention again that this is not the best program for autorun programs.

Que-14: What is special about Sysinternals Autoruns program?
Ans: This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them.

Que-15: Well, (as you had said previously) that Sysinternals Autoruns is best tool. Can you please tell me where to download and how to use Autoruns utility?
Ans: The original web page for Autoruns utility is here and you can download Autoruns utility directly from here.
The second link is a compressed zip file which has both a command line and a graphical version of Autoruns utility. Unzip the downloaded file and look in the compressed folder for a binary executable with the name autoruns.exe. Simply double click it to start the program. You may be prompted to accept a license agreement. If you agree to the terms, click 'agree'. Now you will see a window like this:



NOTE: Except [Logon] tab in the program, all other tabs lists the autorun files most of which are important for a smooth system (in a clean system) although there may be some malicious/unwanted entries too. And so, unless you are a windows expert and you know what you are doing, dont mess up with autorun files of any other tab except [Logon] tab [i.e. the tab mentioned in STEP 1].

STEP 1: Click on [Logon] tab. The autorun programs listed under this tab are executed once the user logs in.
STEP 2: This column labeled [Autorun Entry] lists the program and the autostart locations for that program.
STEP 3: This column labeled [Description] provides a description of the corresponding autorun entry (if any). This description may provide some information about the use or purpose of the program (although this is not to be relied upon).
STEP 4: This column labeled [Publisher] lists the name of the company/author for the program. In cases dealing with malicious files (e.g. viruses) this description may provide some help (but this information is not to be relied upon).
STEP 5: This column [Image Path] lists the actual location of the autoruns on a PC.
STEP 6: This area lists the actual autorun program that is intended to be executed when system boots. If the check box next to it is checked then the autorun is executed on system startup and if it is unchecked then it is not executed/run when system starts. And so, if you dont want a program to act as autorun then simply uncheck the entry next to it's name.
STEP 7: This is actual location (folder/registry) where a given set of autoruns is located. In Sysinternals Autorun program these entries are highlighted with a different color.

NOTE: Please note that under [Logon] tab, dont remove the checkmark next to following entries otherwise you may be in trouble with your Windows installation:
1. Location: HKLM\SOFTWARE\M icrosoft\Window s NT\CurrentVersi on\Winlogon\Use rinit
File: userinit

2. Location: HKLM\SOFTWARE\M icrosoft\Window s NT\CurrentVersi on\Winlogon\She ll
File: explorer.exe

3. Location: HKLM\System\Cur rentControlSet\ Control\Termina l Server\Wds\rdpw d\StartupProgra ms
File: rdpclip
[Let me make it clear that rdpclip.exe is the executable that provides function for Terminal Services server that allows you to copy and paste between server and client. RDPCLIP is not loaded on the client side, i.e. not on the machine using Remote Desktop to connect to a remote machine instead it is loaded on the machine allowing other machines to connect via Remote Desktop. And so if you dont know what this all means then you should better not uncheck it. And if it is unchecked and you want it to autorun then simply check it again]

NOTE: For more help, you can refer to a file named autoruns.chm (Help file for Autoruns utility) in the folder you had previously decompressed. You can alternatively post your queries to either Windows forum of bytes.com or Sysinternals Autoruns Forum.

Que-16: OK, so that was enough about autoruns......N ow what about other programs for the same purpose?
Ans: Other than Sysinternals Autoruns, there are only a few programs which are good enough to be used when dealing with autoruns. Some of them are listed below in brief:

1. Silent runners: Most of the Windows experts know about Sysinternals Autoruns program and consider it the best tool for autorun programs. But there is another VBscript available which is atleast equivalent (if not better) to Sysinternals autoruns. It is called Silent Runners.
For normal computer users, I would like to tell that "Scripts" are often treated as distinct from "programs", which execute independently from any other application. The web page for Silent Runners is here. Silent Runners is free for personal or internal business use. Silent Runners is not free for commercial use.
The purpose of Silent Runners is to identify the programs that start up with Windows. The original author of Silent Runners is Andrew Aronoff (although many have contributed to development of the script). According to Silent Runners website- Silent Runners is not an anti-virus, an anti-trojan, or a spyware scanner. It only pinpoints how programs start up i.e. it does not scan the system to identify every trace of malware. The text file it creates can be removed for study or stored as a benchmark.
The script changes absolutely nothing on your system (other than adding its report file). It has no option to change anything and no such option will ever be added. Silent Runners can be run simply by double-clicking it. It can also be run from the command line under CScript.exe, in which case output will be directed to the console. It creates a text file and places it, by default, in the same directory as the script.

For more details visit Silent runners FAQs or Using the Script web pages.

Direct download link for Silent runners VBscript

2. ASviewer: Autostart Viewer allows you to see all known autostarts on your system, all on the one screen. It also gives you complete control over the autostart references, and allows you to modify or delete them at will. A list of autostart locations that are monitored on ASviewer is present on this page.
Company/Author- DiamondCS
Key Features:
- Freeware
- Over 50 different autostart locations checked!
- Right-click menu allows you to take complete control over each autostart
- Add New Autostart feature allows you to add new programs to automatically start
- Save/Print functions allow you to take snapshots
- Resizable, easy-to-use interface that shows every autostart on the one display
- All sizes, positions and settings are remembered

Direct download link for ASviewer

3. StartupRun: The StartupRun utility displays the list of all applications that are loaded automatically when Windows boots. For each application, additional information is displayed (Product Name, File Version, Description, and Company Name), in order to allow you to easily identify the applications that are loaded at Windows startup.
Company/Author- NirSoft
Key Features:
- Freeware for personal and non-commercial use.
- If a spyware/adware is found, it is painted in pink color
- Edit, disable, enable and delete the selected startup entries
- Save the list of startup items into a text or html files
- Add a new startup entry to the Registry
- Standalone executable (doesn't require any installation process or additional DLLs)
- Command-Line Options

Direct download link for StartupRun

4. Windows XP Startup Tracker: This small GUI (Graphical User Interface) utility will check the Start Menu and the System Registry for items that load at startup. It will also check for Disabled Startup items and changes to the default "Shell" value.
Company/Author- Doug Knox
Key Features:
-Freeware (registration mandatory for a licensed version)
-Support for listing all running Processes and Services
-create a log file each time its run, or choose to create the log file automatically
-Requires VB6 Runtime Library

Direct download link for Windows XP Startup Tracker

5. Startup Inspector for Windows: Startup Inspector for Windows is a Windows platform software that helps both novice and expert user manage Windows startup applications. On www.windowsstartup.com, there are more than 4,900 known programs in the database. Startup Inspector for Windows can thus provide a consultative information on the programs that are running at your Windows startup process. Whether a program is necessary to the system, or is the program a spyware. The "Startup Programs Knowledge Base" is located here.
Company/Author- www.windowsstartup.com
Key Features:
-Freeware
-Scans all programs that are in the Windows Startup Folder, Registry and provide you with a background information of the program.
-Remove harmful programs like spyware, virus, diallers, make your system healthier.
-Remove unnecessary programs like reminders, monitors, improve your system performance.

Direct download link for Startup Inspector for Windows

6. Startup Monitor: Startup Monitor is a small monitoring program, it keep a constant eye on your system's startup entries. When ever a change is made, you will be notified and given a choice to either allow the change or not to change. This program is in Beta version at the time of this writing.
Company/Author- www.windowsstartup.com
Key Features:
-Freeware
-Friendly GUI
-keep an eye on startup applications changes

Direct download link for Startup Monitor

7. Startup Control Panel: Startup Control Panel is a nifty control panel applet that allows you to easily configure which programs run when your computer starts.
Company/Author- Mike Lin
Key Features:
-Freeware
-simple to use
-small

Direct download link for Startup Control Panel
Direct download link for Startup Control Panel (Standalone EXE Version)

8. StartupMonitor: StartupMonitor is a small utility that runs transparently (it doesn't even use a tray icon) and notifies you when any program registers itself to run at system startup. It prevents annoying programs from registering themselves behind your back.
Company/Author- Mike Lin
Key Features:
-Freeware
-watches the Start Menu's Startup folders and the Run entries in the registry

Direct download link for StartupMonitor

There are many other programs which deal with autoruns but I have tried to produce best of freeware programs that are considered at least equal to (if not better than) their commercial counterparts.

NOTE: The licensing status (free/non-free) of programs (in this article) is at the time when this article was actually written and there is a finite probability that this status may change with time. And so, refer to the original site or contact the author of the program for licensing details.

Que-17: But what if I really want to a program to act as an autorun program?
Ans: If you want to autorun a program on windows startup, then simply add it's location to one of autostart locations. This can be done either manually or using many third party freeware application (some of them are listed above). Two of most commenly used autostart location are:
Que-18: Is there anything else that you would like me to know?
Ans: Yeah...There are two things that I wanna tell you:
1. Best of luck
2. Good bye :)


_______________ _______________ ____________
Appendix 1: Abbreviations in this article
_______________ _______________ ____________
%windir% = C:\windows
ASEPs = Auto Start Extensibility Points
ASPs = Auto Starting Pests
FAQs = Frequently Asked Questions
HKCU = HKEY_CURRENT_US ER
HKLM = HKEY_LOCAL_MACH INE
HKCR = HKEY_CLASSES_RO OT
NT = New Technology (a family of Microsoft Windows operating systems called Windows NT)
OS = Operating System
SPx = Service Pack x