Windows Autorun FAQs

  • Markus
    Recognized Expert Expert
    • Jun 2007
    • 6092

    #16
    I don't like the answer to Que-5.

    The answer should be NO. Autoruns are not inherently viruses, but a virus may use an autorun just as any other program may.


    • NeoPa
      Recognized Expert Moderator MVP
      • Oct 2006
      • 32633

      #17
      I can see where you're coming from on this Markus, but if you read "malware" for "virus" (Technically virus refers to only those units of malware that propagate themselves further upon infection) and look at the whole package (rather than simply any executable code) as that "virus", then this is not wrong. That entry can certainly be considered as part of the malware package.

      Malware packages often consist of many and various elements, including those that deal with payload, avoidance of detection, propagation, etc. An autorun entry is certainly one of those elements.


      • NeoPa
        Recognized Expert Moderator MVP
        • Oct 2006
        • 32633

        #18
        Originally posted by ambrnewlearner
        Can you please point out those english difficulties so that I can correct them?
        ...
        AmbrNewlearner
        As this article is so long and I am so very busy at the moment I cannot commit to looking at this any time soon I'm afraid.

        If I get the opportunity I will.


        • Markus
          Recognized Expert Expert
          • Jun 2007
          • 6092

          #19
          Originally posted by NeoPa
          I can see where you're coming from on this Markus, but if you read "malware" for "virus" (Technically virus refers to only those units of malware that propagate themselves further upon infection) and look at the whole package (rather than simply any executable code) as that "virus", then this is not wrong. That entry can certainly be considered as part of the malware package.

          Malware packages often consist of many and various elements, including those that deal with payload, avoidance of detection, propagation, etc. An autorun entry is certainly one of those elements.
          Of course, but I still think the answer is wrong, maybe not a huge wrong like gay marriages in the state of California*, but still misleading. Autoruns are not viruses (virii?) but can be used with a virus. That's like saying 'Edited for content'**.

          * Tis a joke.
          ** Maybe an extreme analogy, but it conveys my dismay towards the subject. ;)
          Last edited by NeoPa; Nov 13 '08, 02:07 PM. Reason: Religious content liable to cause offense


          • NeoPa
            Recognized Expert Moderator MVP
            • Oct 2006
            • 32633

            #20
            Originally posted by Markus
            Of course, but I still think the answer is wrong, maybe not a huge wrong like gay marriages in the state of California*, but still misleading. Autoruns are not viruses (virii?) but can be used with a virus. That's like saying 'Edited for content'**.

            * Tis a joke.
            ** Maybe an extreme analogy, but it conveys my dismay towards the subject. ;)
            Firstly, let me apologise for editing your post. I felt I must of course, but regretted it nevertheless :(

            As to your point - Fundamentally, I agree. Possibly a little misleading, but in the context of someone putting together such a large document in a language I would guess is not their first, not a bad effort by any means.

            Does this mean they should not consider changing it as per your suggestion? No. That would probably benefit.

            As to the pluralisation of "virus". It has never, and could never, make any sense to think of this as "virii". As explained in http://en.wikipedia.org/wiki/Plural_of_virus this could only be the plural of a word "virius". "Viri" (more weary than wiry) which might have been the case if it were not already the plural of "vir" (man) is clearly not right either.

            In fact, as a "mass noun" (already representing plural), it requires no explicitly plural form (at least didn't in the days of the ancient romans). Actually, the correct plural is "viruses" of course.


            • Markus
              Recognized Expert Expert
              • Jun 2007
              • 6092

              #21
              Originally posted by NeoPa
              Firstly, let me apologise for editing your post. I felt I must of course, but regretted it nevertheless :(

              As to your point - Fundamentally, I agree. Possibly a little misleading, but in the context of someone putting together such a large document in a language I would guess is not their first, not a bad effort by any means.

              Does this mean they should not consider changing it as per your suggestion? No. That would probably benefit.

              As to the pluralisation of "virus". It has never, and could never, make any sense to think of this as "virii". As explained in http://en.wikipedia.org/wiki/Plural_of_virus this could only be the plural of a word "virius". "Viri" (more weary than wiry) which might have been the case if it were not already the plural of "vir" (man) is clearly not right either.

              In fact, as a "mass noun" (already representing plural), it requires no explicitly plural form (at least didn't in the days of the ancient romans). Actually, the correct plural is "viruses" of course.
              Ah, no apology needed. It was an extreme statement, and could have possibly offended others.

              /goes to read about the Plural of Virus.

              Thanks, Neo - not of the matrix sort.


              • NeoPa
                Recognized Expert Moderator MVP
                • Oct 2006
                • 32633

                #22
                Originally posted by Markus
                Thanks, Neo - not of the matrix sort.
                Indirectly it is.

                My son (18) took Neo (N30) as his gaming tag and when I joined in I came in as NeoPa. It encouraged the others to cut me some slack ;) Eventually I became an admin of the clan so no longer necessary, but I kept it anyway :)


                • Markus
                  Recognized Expert Expert
                  • Jun 2007
                  • 6092

                  #23
                  Originally posted by NeoPa
                  Indirectly it is.

                  My son (18) took Neo (N30) as his gaming tag and when I joined in I came in as NeoPa. It encouraged the others to cut me some slack ;) Eventually I became an admin of the clan so no longer necessary, but I kept it anyway :)
                  Aha, wow. I wish I had a story like that behind my name. 'cept, I was just born.

                  I'm definitely going to play games with my son. I'll be the coolest dad around.


                  • NeoPa
                    Recognized Expert Moderator MVP
                    • Oct 2006
                    • 32633

                    #24
                    You forget already how it works.

                    You need to see if he'll ALLOW you to play with him first. If he's 15 (when this all started for him) then he'll probably be embarrassed even to admit he HAS parents.


                    • AmberJain
                      Recognized Expert Contributor
                      • Jan 2008
                      • 922

                      #25
                      Hello,

                      I just need some quick advice. I got my hands on a number of autostart locations that existed in pre-XP Windows OSes. Now I want to add them to the list of autostart locations in Que-11. If I add them, this will increase the length of the article. My mind says that I should add them (although they don't apply to modern Windows OSes), but I want some advice. Should I add them, or should I instead dump them?

                      Thanks........
                      AmbrNewlearner


                      • AmberJain
                        Recognized Expert Contributor
                        • Jan 2008
                        • 922

                        #26
                        Hello,


                        Originally posted by NeoPa
                        As this article is so long and I am so very busy at the moment I cannot commit to looking at this any time soon I'm afraid.
                        If I get the opportunity I will.
                        No problems...... And I must thank you for holding a discussion (that I was expected to handle) with Markus. I was looking at your discussion, but due to C++ studies I could not reply to this thread.

                        BTW, it is still unclear to me whether I should try modifying Que-5 as suggested by Markus? (Arghh......I hate my disability to understand standard English sometimes)

                        Thanks........
                        AmbrNewlearner


                        • Nepomuk
                          Recognized Expert Specialist
                          • Aug 2007
                          • 3111

                          #27
                          Originally posted by ambrnewlearner
                          ...Should I add them or instead I should dump them away?
                          Do you think you could somehow split this into several parts? If so, that would probably be the best solution. That way you could add those locations and improve the readability. I did something similar with my Java Exceptions article and my current Linux article. (By the way, I'm still waiting for KUB to lay it out as he wanted to and then move it to the articles section...)
                          Originally posted by ambrnewlearner
                          BTW, it is still unclear to me whether I should try modifying Que-5 as suggested by Markus? (Arghh......I hate my disability to understand standard English sometimes)
                          I'd say, it should be edited into something like "NO - but some viruses are autoruns. It's like with animals: elephants are mammals, but not all mammals are elephants."

                          Greetings,
                          Nepomuk


                          • AmberJain
                            Recognized Expert Contributor
                            • Jan 2008
                            • 922

                            #28
                            NOTE- This article on "Windows Autorun FAQs" applies theoretically to all Windows NT-based OSes up to Windows Vista (and probably Vista's successors too). Much of the content of this article was tested on Windows XP Professional SP2 by the author. Some parts of this article may be altogether different/missing on Windows Vista, XP and other Windows NT systems, but I have tried to write a comprehensive article, even though some of it may not apply to newer versions of Windows OSes.

                            Que-1: Before we start, can you please tell me the purpose of this article?
                            Ans: Well, autoruns play a critical role in any Windows OS. Programs ranging from harmless ones, such as important system services and applications (e.g. antivirus), to malicious ones such as viruses, worms, backdoors etc. use autoruns for their working, particularly on Windows systems. And so, a Windows user may come across a situation where he wants to edit the autoruns on his Windows PC. This article provides an in-depth description of autoruns. It may prove useful both to a normal Windows user and to a Windows expert.

                            Que-2: Can you please define autoruns?
                            Ans: Oh yes...autoruns are the programs which are configured to start automatically when your Windows system boots and you log in to your system. In other words, the term autorun is used in reference to a feature that causes a certain file to open or a certain program to start automatically as soon as a computer with some Windows operating system is booted up. Some of these you will see as small icons in the system notification area at the bottom right of your screen, by the clock. For example:


                            Que-3: But why do we need autoruns?
                            Ans: Autoruns have many uses (and many misuses too....but we will talk about them later). For example: if you want a program (e.g. antivirus) to be executed when a user logs in to a system, then simply adding an entry in one of the autostart locations will add the program to the list of autoruns. The next time you reboot your Windows OS, the program will be executed once the user logs in. To explain further, I would like to quote Mark Russinovich.
                            Quoting Mark Russinovich (the co-author of the Sysinternals Autoruns program, along with Bryce Cogswell): "Upon installation, many applications configure themselves to start automatically when you log on. Applications do this so that they can automatically check for updates, because they use system tray icons to interact with users, or because they add functionality to Windows components such as Windows Explorer. However, most such applications don't ask permission before inserting themselves in your logon process and almost never provide an interface to let you disable their autostart functionality. . . ."

                            Que-4: In your last answer, you made a reference to "autostart locations". What are they?
                            Ans: Well, autostart locations simply refer to the list of locations, i.e. folders, registry keys, files etc., which are searched by Windows OSes for autorun entries. See also Que-11 in these FAQs for a list of all autostart locations.

                            Que-5: But someone told me that autoruns are viruses. Is that true?
                            Ans: NO - but some viruses are autoruns. If an autostart entry points to a virus or some other malicious file, then this autorun is certainly a virus. By an autorun virus I mean that the virus is executed when a user logs into the Windows OS, and the virus may then perform malicious activities to any extent, depending on its payload.

                            Que-6: Wait! wait....What is payload?
                            Ans: Hmm....SearchSecurity says: "Payload is the eventual effect of a software virus that has been delivered to a user's computer". Payload is code designed to do more than just spread the worm (which is another type of malicious file); it might delete files on a system, encrypt important files, etc. In simple words, payload is the side effect of a virus or any malicious file. And yes, even if you don't understand what 'payload' is, it does not matter much, as it is not directly related to the present matter of discussion.

                            Que-7: I heard the term "Auto Starting Pests (ASPs)" somewhere. What does that mean?
                            Ans: Auto Starting Pest (or ASP for short) simply refers to a malicious file executed when Windows starts, i.e. ASPs are simply "malicious autorun programs". ASPs are also sometimes known as ASEPs, or Auto Start Extensibility Points.

                            Que-8: What are services?
                            Ans: A service is a program that runs invisibly in the background; it loads and starts running whether or not anyone logs into the computer, unlike a program that is launched from one of the autostart locations when a user logs in to his system.
                            There are two ways to view services on your computer. The first is to use the msconfig program by typing msconfig.exe in the Run box in the Start Menu and then clicking the Services tab. If you simply want to look at which services are running or stopped, this is a good option, but there's a better one. The preferred way to make changes to services is to launch services.msc from the Run option on the Start Menu.
                            Looking at the Services window in services.msc, you can see that it has columns for Name, Description, Status, Startup Type and Log On As. This provides a quick overview of all the services on your computer. Detailed information is available by right-clicking any of the entries and then selecting Properties. For more details, visit the link below:
                            Windows XP Services- A list of all the standard services

                            Que-9: Now that I know the basics, I would like to ask if I can proceed and play with autoruns on my PC without any fear of data loss?
                            Ans: Oh no...I recommend that you back up all your important data before trying anything mentioned in this article. When a person is tweaking autoruns, one has to rely on the 'trial and error' method, and so anything may go wrong at any instant. You may even end up with a crashed Windows OS installation, though that would be the rarest of rare cases. And yes...don't fear the problems that may arise from this, as there is enough information in this article to help you out. And even if you face a problem, you can certainly get help from the Windows forum of bytes.com.

                            Que-10: Oh no....Why to play with autoruns when it may crash my system or cause data loss?
                            Ans: Hmm...There are quite a few matters under a Windows OS which require the user to deal with autoruns. I would list two of them below:
                            1. The most frequently faced case where the concept of autoruns is widely used is a system infected with a virus. Although most users would leave the virus to be handled by their antivirus software, there are still many who would love to manually delete the virus and all the related malicious entries. If you are one of them, then this FAQ is for you. Alternatively, if there is some virus which is still not removed by antivirus programs, then you might consider removing it manually, and in that case you may want to read these FAQs.

                            2. A slow Windows PC is another such situation, where removing unused autostart programs will boost system performance. It is common folklore that Windows systems run slower than other systems (e.g. Linux, Unix). Although this is true to a great extent :) , you can still make your Windows box run a lot better just by removing unused autorun entries. Every day, Windows experts receive complaints from users that their Vista PC, in particular, is running really slow. And in most cases, it is either a bulk of autoruns which slows down the system, or the system's configuration is lower than the minimum system requirements to run that specific version of Windows Vista.
                            As an example, I would like to tell you that a friend of mine had an XP system with a pretty good configuration which had a boot time of more than 6 minutes. After removing unused autoruns, the boot time came down to about 75 seconds. (After cleaning up unused programs, context menu entries and bad registry entries, and defragmenting the drive, the boot time came down to 52 seconds, which is considered a pretty good boot time.)

                            And so, there's a lot more to gain by deleting unused autorun entries than just the safety of important data, which you can always back up safely. So just back up all your important data and then proceed without any risk or fear. I would like to remind you that removable media such as CDs, DVDs and pen/flash/USB drives are very cheap nowadays.

                            Que-11: Ok...I have backed up all my important data. Can you now list all the autostart locations?
                            Ans: Here is a comprehensive list of all autostart locations for Windows OSes:

                            NOTE: These are some abbreviations used in this list. Please note them carefully:
                            HKCU = HKEY_CURRENT_USER
                            HKLM = HKEY_LOCAL_MACHINE
                            HKCR = HKEY_CLASSES_ROOT
                            %windir% = C:\windows
                            %USERPROFILE% = C:\Documents and Settings\ambr
                            %ALLUSERSPROFILE% = C:\Documents and Settings\All Users

                            1. Folder:
                            Code:
                            C:\Documents and Settings\All Users\Start Menu\Programs\Startup
                            
                            C:\Documents and Settings\<USER_NAME>\Start Menu\Programs\Startup
                            
                            C:\WINDOWS\Tasks
                            This entry is for the Task Scheduler on Windows XP.
                            The above-mentioned autostart locations differ on Windows Vista. The locations on Windows Vista are as follows:
                            Code:
                            C:\Windows\System32\Tasks
                            This entry is for the Task Scheduler on Windows Vista.
                            
                            %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
                            
                            %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

                            2. Files:
                            c:\autoexec.bat
                            c:\config.sys
                            %windir%\winstart.bat

                            %windir%\wininit.ini
                            NOTE: Usually used by setup programs to have a file run once and then get deleted.

                            %windir%\win.ini
                            The file looks something like:
                            Code:
                            [windows]
                            load=file.exe
                            %windir%\win.ini
                            The file looks something like:
                            Code:
                            [windows]
                            run=file.exe
                            %windir%\system.ini
                            The file looks something like:
                            Code:
                            [boot]
                            Shell=Explorer.exe file.exe
                            Note: Some of the files that help auto-start programs are available only in some older Windows OSes. They are listed below:

                            %windir%\dosstart.bat ---> Used in Win95 or 98 when you select "Restart in MS-DOS mode" in the shutdown menu.

                            %windir%\system\autoexec.nt

                            %windir%\system\config.nt


                            3. Registry:

                            Code:
                            HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
                            HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
                            HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
                            HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
                            HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                            HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx	
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
                            HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
                            HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Run
                            HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
                            HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
                            HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
                            HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx	
                            HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
                            HKLM\SOFTWARE\Classes\Protocols\Filter
                            HKLM\SOFTWARE\Classes\Protocols\Handler
                            HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
                            HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
                            HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
                            HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
                            HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
                            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
                            HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
                            HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
                            HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
                            HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
                            HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
                            HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
                            HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
                            HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
                            HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
                            HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
                            HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
                            HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
                            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
                            HKCU\Software\Microsoft\Ctf\LangBarAddin
                            HKLM\Software\Microsoft\Ctf\LangBarAddin
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
                            HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
                            HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
                            HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
                            HKLM\Software\Microsoft\Internet Explorer\Toolbar
                            HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
                            HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
                            HKCU\Software\Microsoft\Internet Explorer\Extensions
                            HKLM\Software\Microsoft\Internet Explorer\Extensions
                            HKLM\System\CurrentControlSet\Services
                            HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
                            HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
                            HKLM\System\CurrentControlSet\Control\Session Manager\Execute
                            HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
                            HKLM\Software\Microsoft\Command Processor\Autorun
                            HKCU\Software\Microsoft\Command Processor\Autorun
                            HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
                            HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
                            HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
                            HKCU\Control Panel\Desktop\Scrnsave.exe
                            HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
                            HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
                            HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
                            HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
                            HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
                            HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
                            HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
                            HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
                            HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
                            HKCR\batfile\shell\open\command
                            HKCR\comfile\shell\open\command
                            HKCR\exefile\shell\open\command
                            HKCR\htafile\shell\open\command
                            HKCR\piffile\shell\open\command
                            HKLM\Software\Classes\batfile\shell\open\command
                            HKLM\Software\Classes\comfile\shell\open\command
                            HKLM\Software\Classes\exefile\shell\open\command
                            HKLM\Software\Classes\htafile\shell\open\command
                            HKLM\Software\Classes\piffile\shell\open\command
                            HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
                            HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
                            HKLM\Software\Microsoft\Windows NT\CurrentVersion\InitFileMapping
                            HKLM\Software\Microsoft\Windows NT\CurrentVersion\Aedebug
                            HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
                            HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\Application
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\ProgID
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\ProgID
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\ProgID
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\ProgID
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\ProgID
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\ProgID
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\ProgID
                            4. Registry Shell Spawning:

                            Code:
                            [HKCR\exefile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .EXE file (Executable) is run.
                            
                            [HKCR\comfile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .COM file (Command) is run.
                            
                            [HKCR\batfile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .BAT file (Batch Command) is run.
                            
                            [HKCR\htafile\Shell\Open\Command] @="\"%1\" %*" 
                            Executed whenever a .hta file (HTML Application) is run.
                            
                            [HKCR\piffile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .PIF file (Portable Interchange Format) is run.
                            
                            [HKLM\Software\CLASSES\batfile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .BAT file (Batch Command) is run.
                            
                            [HKLM\Software\CLASSES\comfile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .COM file (Command) is run.
                            
                            [HKLM\Software\CLASSES\exefile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .EXE file (Executable) is run.
                            
                            [HKLM\Software\CLASSES\htafile\Shell\Open\Command] @="\"%1\" %*"
                            Executed whenever a .hta file (HTML Application) is run.
                            
                            [HKLM\Software\CLASSES\piffile\shell\open\command] @="\"%1\" %*"
                            Executed whenever a .PIF file (Portable Interchange Format) is run.
                            NOTE: The key should have a value of "%1 %*"; if this is changed to "server.exe %1 %*", then server.exe is executed EVERY TIME an exe/pif/com/bat/hta is executed. This is known as the Unknown Starting Method and is currently used by Subseven.

                            NOTE- Subseven (also known as Sub7) is the name of a popular backdoor program. For more information visit Wikipedia.

                            Some other similar entries include:

                            Code:
                            HKCR\vbsfile\shell\open\command\
                            Executed whenever a .VBS file (Visual Basic Script)  is run.
                            
                            HKCR\vbefile\shell\open\command\
                            Executed whenever a .VBE file (Encoded Visual Basic Script) is run.
                            
                            HKCR\jsfile\shell\open\command\
                            Executed whenever a .JS file (Javascript) is run.
                            
                            HKCR\jsefile\shell\open\command\
                            Executed whenever a .JSE file (Encoded Javascript) is run.
                            
                            HKCR\wshfile\shell\open\command\
                            Executed whenever a .WSH file (Windows Scripting Host) is run.
                            
                            HKCR\wsffile\shell\open\command\
                            Executed whenever a .WSF file (Windows Scripting File) is run.
                            
                            HKCR\scrfile\shell\open\command\
                            Executed whenever a .SCR file (Screen Saver) is run.

                            5. Active-X Component:

                            Code:
                            [HKLM\Software\Microsoft\Active Setup\Installed Components\KeyName]
                            StubPath=C:\PathToFile\Filename.exe
                            You may be amazed, but this does start filename.exe before Windows Explorer (explorer.exe) and before any other program that is normally started from the Run keys.


                            6. Miscellaneous:

                            Code:
                            HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog\Catalog_Entries
                            Layered Service Providers, executed before user login.
                            
                            HKLM\System\Control\WOW\cmdline
                            Executed when a 16-bit Windows executable is executed.
                            
                            HKLM\System\Control\WOW\wowcmdline
                            Executed when a 16-bit DOS application is executed.
                            
                            HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore
                            Windows XP and Vista only
                            
                            [Local Fixed Disk]\AUTORUN.INF open=, shellexecute=
                            Excluding Windows Me and Windows XP SP2.
                            
                            [Local Fixed Disk]\[Any Folder with “S” Attribute]\DESKTOP.INI [.ShellClassInfo] CLSID= / UICLSID=
                            This launch point is checked by answering “No” at the script's first message box and then “Yes” at the message box that follows it or with the “-supp” or “-all” command line parameters.
                            
                            HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries
                            
                            HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries
                            An entry which may be of interest to some is:
                            Code:
                            [HKLM\Software\CLASSES\ShellScrap] @="Scrap object"
                            "NeverShowExt"=""
                            NOTE: The NeverShowExt key has the function of HIDING the real extension of the file (here SHS). This means that if you rename a file to "Game.exe.shs", it displays as "Game.exe" in all programs, including Explorer.


                            7. Hijack points:

                            These locations can be used to redirect the desktop, network and Internet Explorer.
                            Code:
                            %WINDIR%\INF\IERESET.INF
                            Note: Internet Explorer 5.01, 5.5 & 6.0 only
                            Code:
                            %WINDIR%\HOSTS
                            %WINDIR%\System32\drivers\etc\HOSTS
                            HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath
                            HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes
                            HKLM\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
                            HKLM\Software\Microsoft\Internet Explorer\AboutURLs
                            HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
                            HKLM\Software\Microsoft\Internet Explorer\Main
                            HKLM\Software\Microsoft\Internet Explorer\Search
                            HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
                            HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
                            HKCU\Software\Policies\Microsoft\Windows
                            HKCU\Software\Policies\Microsoft\Internet Explorer
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Policies
                            HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
                            HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks
                            HKCU\Software\Microsoft\Internet Explorer\SearchURL
                            HKCU\Software\Microsoft\Internet Explorer\Main
                            HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
                            Que-12: Do I need to remove autoruns from autostart locations manually? Or is there some tool/program available for this purpose?
                            Ans: The best way to prevent a program from running at startup is to check the program's own options for a way to prevent this. Most good quality programs will provide an option for this.
                            If you are a normal computer user, there are many programs around which will show a list of most of the autostarting programs on your system, and then you may choose to delete/add an autostart entry.
                            The best program which allows the user to see a list of autoruns on a PC and modify them is Sysinternals' (now acquired by Microsoft) Autoruns (note that this is the name of a program and not the terminology "autoruns" which is our present matter of discussion). And there's more.... The Sysinternals Autoruns program is freeware. There are many other free (and non-free) programs which deal with autoruns.

                            NOTE: If you are a Windows expert and comfortable with editing the registry, then you can manually remove/add the autorun entry for a program using regedit.exe, as most autostart programs lie hidden somewhere in the registry. If you cannot log in to your XP installation, you can try to edit the registry offline. For these purposes you can use either Offline NT Registry Editor or a BartPE CD. Be careful, as some things may not be obvious. Try removing one thing at a time and then restarting the computer to see what happened. Changing more than one thing will make it difficult to detect the fault if problems occur. But I don't recommend this for everyone.

                            Que-13: Does Windows provide any program for autorun programs?
                            Ans: Yes, Windows does offer a program that will list programs that are automatically started from SOME of these locations. This program, known as msconfig.exe, unfortunately only lists programs from a limited number of startup keys. To start msconfig.exe, click Start--->Run, type msconfig and press the [Enter] or [Return] key. Go to the Startup tab and uncheck the item there. I would like to mention again that this is not the best program for autorun programs.

                            Que-14: What is special about Sysinternals Autoruns program?
                            Ans: This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system boot up or login, and shows you the entries in the order Windows processes them.

                            Que-15: Well, as you said previously, Sysinternals Autoruns is the best program for autoruns. Can you please tell me where to download and how to use the Autoruns utility?
                            Ans: The original web page for the Autoruns utility is here and you can download the Autoruns utility directly from here.
                            The second link is a compressed zip file which has both a command line and a graphical version of the Autoruns utility. Unzip the downloaded file and look in the decompressed folder for a binary executable named autoruns.exe. Simply double click it to start the program. You will be prompted to accept a license agreement. If you agree to the terms, click 'Agree'. Now you will see a window like this:



                            NOTE: Except for the [Logon] tab in the program, all other tabs list autorun files, most of which are important for a stable system on a clean system, although there may be some malicious/unwanted entries too. And so, unless you are a Windows expert and you know what you are doing, don't mess with the autorun files of any tab other than the [Logon] tab [i.e. the tab mentioned in STEP 1].

                            STEP 1: Click on the [Logon] tab. The autorun programs listed under this tab are executed once the user logs in.
                            STEP 2: This column, labeled [Autorun Entry], lists the program and the autostart location for that program.
                            STEP 3: This column, labeled [Description], provides a description of the corresponding autorun entry (if any). This description may provide some information about the use or purpose of the program, although this is not to be relied upon.
                            STEP 4: This column, labeled [Publisher], lists the name of the company/author of the program. In cases dealing with malicious files, e.g. viruses, this description may provide some help, but I repeat that this information is not to be relied upon.
                            STEP 5: This column, [Image Path], lists the actual location of the autoruns on a PC.
                            STEP 6: This area lists the actual autorun program that is intended to be executed when the system boots. If the check box next to it is checked then the autorun is executed on system startup, and if it is unchecked then it is not executed/run when the system starts. And so, if you don't want a program to act as an autorun, then simply uncheck the entry next to its name.
                            STEP 7: This is the actual location (i.e. folder/registry key) where a given set of autoruns is located. In the Sysinternals Autoruns program these entries are highlighted in a different color.

                            NOTE: Please note that under the [Logon] tab, don't remove the check mark next to the following entries, otherwise you may be in trouble with your Windows installation:
                            1. Location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
                            File: userinit

                            2. Location: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
                            File: explorer.exe

                            3. Location: HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
                            File: rdpclip
                            [Let me make it clear that rdpclip.exe is the executable that provides the function for the Terminal Services server that allows you to copy and paste between server and client. RDPCLIP is not loaded on the client side, i.e. not on the machine using Remote Desktop to connect to a remote machine; instead it is loaded on the machine allowing other machines to connect via Remote Desktop. And so, if you don't know what all this means, then you had better not uncheck it. And if it is unchecked and you want it to autorun, then simply check it again.]

                            NOTE: For more help, you can refer to a file named autoruns.chm, i.e. the Help file for the Autoruns utility, in the folder you previously decompressed. You can alternatively post your queries to either the Windows forum of bytes.com or the Sysinternals Autoruns Forum.

                            Que-16: OK, so that was enough about Autoruns...... Now what about other programs for the same purpose?
                            Ans: Other than Sysinternals Autoruns, there are only a few programs which are good enough to be used when dealing with autoruns. Some of them are listed below in brief:

                            1. Silent Runners: Most Windows experts know about the Sysinternals Autoruns program and consider it the best tool for autorun programs. But there is another VBScript available which is at least equivalent (if not better) to Sysinternals Autoruns. It is called Silent Runners.
                            For normal computer users, I would like to mention that "scripts" are often treated as distinct from "programs", which execute independently of any other application. The web page for Silent Runners is here. Silent Runners is free for personal or internal business use. Silent Runners is not free for commercial use.
                            The purpose of Silent Runners is to identify the programs that start up with Windows. The original author of Silent Runners is Andrew Aronoff (although many have contributed to the development of the script). According to the Silent Runners website: "Silent Runners is not an anti-virus, an anti-trojan, or a spyware scanner. It only pinpoints how programs start up, i.e. it does not scan the system to identify every trace of malware. The text file it creates can be removed for study or stored as a benchmark."
                            The script changes absolutely nothing on your system other than adding its report file. It has no option to change anything, and no such option will ever be added. Silent Runners can be run simply by double-clicking it. It can also be run from the command line under CScript.exe, in which case output will be directed to the console. It creates a text file and places it, by default, in the same directory as the script.

                            For more details, visit the Silent Runners FAQs or Using the Script web pages.

                            Direct download link for the Silent Runners VBScript

                            2. ASviewer: Autostart Viewer allows you to see all known autostarts on your system, all on one screen. It also gives you complete control over the autostart references, and allows you to modify or delete them at will. A list of the autostart locations that are monitored by ASviewer is present on this page.
                            Company/Author- DiamondCS
                            Key Features:
                            - Freeware
                            - Over 50 different autostart locations checked!
                            - Right-click menu allows you to take complete control over each autostart
                            - Add New Autostart feature allows you to add new programs to automatically start
                            - Save/Print functions allow you to take snapshots
                            - Resizable, easy-to-use interface that shows every autostart on the one display
                            - All sizes, positions and settings are remembered

                            Direct download link for ASviewer

                            3. StartupRun: The StartupRun utility displays the list of all applications that are loaded automatically when Windows boots. For each application, additional information is displayed such as Product Name, File Version, Description, and Company Name in order to allow you to easily identify the applications that are loaded at Windows startup.
                            Company/Author- NirSoft
                            Key Features:
                            - Freeware for personal and non-commercial use.
                            - If spyware/adware is found, it is painted in pink
                            - Edit, disable, enable and delete the selected startup entries
                            - Save the list of startup items into a text or HTML file
                            - Add a new startup entry to the Registry
                            - Standalone executable (doesn't require any installation process or additional DLLs)
                            - Command-Line Options

                            Direct download link for StartupRun

                            4. Windows XP Startup Tracker: This small GUI (Graphical User Interface) utility will check the Start Menu and the System Registry for items that load at startup. It will also check for Disabled Startup items and changes to the default "Shell" value.
                            Company/Author- Doug Knox
                            Key Features:
                            -Freeware (registration mandatory for a licensed version)
                            -Support for listing all running Processes and Services
                            -create a log file each time its run, or choose to create the log file automatically
                            -Requires VB6 Runtime Library

                            Direct download link for Windows XP Startup Tracker

                            5. Startup Inspector for Windows: Startup Inspector for Windows is Windows platform software that helps both novice and expert users manage Windows startup applications. On www.windowsstartup.com, there are more than 4,900 known programs in the database. Startup Inspector for Windows can thus provide consultative information on the programs that are running at your Windows startup: whether a program is necessary to the system, or whether the program is spyware. The "Startup Programs Knowledge Base" is located here.
                            Company/Author- www.windowsstartup.com
                            Key Features:
                            -Freeware
                            -Scans all programs that are in the Windows Startup Folder and Registry, and provides you with background information on the program.
                            -Removes harmful programs like spyware, viruses and diallers, making your system healthier.
                            -Removes unnecessary programs like reminders and monitors, improving your system performance.

                            Direct download link for Startup Inspector for Windows

                            6. Startup Monitor: Startup Monitor is a small monitoring program; it keeps a constant eye on your system's startup entries. Whenever a change is made, you will be notified and given a choice to either allow the change or not. This program was in beta at the time of writing.
                            Company/Author- www.windowsstartup.com
                            Key Features:
                            -Freeware
                            -Friendly GUI
                            -keeps an eye on startup application changes

                            Direct download link for Startup Monitor

                            7. Startup Control Panel: Startup Control Panel is a nifty control panel applet that allows you to easily configure which programs run when your computer starts.
                            Company/Author- Mike Lin
                            Key Features:
                            -Freeware
                            -simple to use
                            -small

                            Direct download link for Startup Control Panel
                            Direct download link for Startup Control Panel (Standalone EXE Version)

                            8. StartupMonitor: StartupMonitor is a small utility that runs transparently (it doesn't even use a tray icon) and notifies you when any program registers itself to run at system startup. It prevents annoying programs from registering themselves behind your back.
                            Company/Author- Mike Lin
                            Key Features:
                            -Freeware
                            -watches the Start Menu's Startup folders and the Run entries in the registry

                            Direct download link for StartupMonitor

                            There are many other programs which deal with autoruns, but I have tried to produce a list of the best freeware programs, which are considered at least equal (if not better) to their commercial counterparts.

                            NOTE: The licensing status (free/non-free) of the programs in this article is as of the time when this article was written, and there is a finite probability that this status may change with time. So refer to the original site or contact the author of the program for licensing details.

                            Que-17: But what if I really want a program to act as an autorun program?
                            Ans: If you want to autorun a program at Windows startup, then simply add its location to one of the autostart locations. This can be done either manually or using one of the many third-party freeware applications, some of which are listed above. Two of the most commonly used autostart locations are:
                            Code:
                            C:\Documents and Settings\All Users\Start Menu\Programs\Startup
                            C:\Documents and Settings\<USER_NAME>\Start Menu\Programs\Startup
                            Que-18: Is there anything else that you would like me to know?
                            Ans: Yeah...There are two things that I want to tell you:
                            1. Best of luck
                            2. Good bye :)


                            ______________________________________________
                            Appendix 1: Abbreviations in this article
                            ______________________________________________
                            %ALLUSERSPROFILE% = C:\Documents and Settings\All Users
                            %USERPROFILE% = C:\Documents and Settings\ambr
                            %windir% = C:\windows
                            ASEPs = Auto Start Extensibility Points
                            ASPs = Auto Starting Pests
                            FAQs = Frequently Asked Questions
                            HKCU = HKEY_CURRENT_USER
                            HKLM = HKEY_LOCAL_MACHINE
                            HKCR = HKEY_CLASSES_ROOT
                            NT = New Technology (a family of Microsoft Windows operating systems called Windows NT)
                            OS = Operating System
                            SPx = Service Pack x
                            Last edited by AmberJain; Nov 14 '08, 08:02 PM. Reason: corrected typo mistakes.............

                            Comment
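The shell-spawning check from section 4 of Que-11 (the open command should be "%1" %*; anything that runs another program first is a hijack), as an added example that is not part of the original post or of any tool it lists: a Python script that parses a .reg export of the exefile/comfile/batfile/piffile keys (made with regedit or reg export) and reports every open command whose default value is not "%1" %*. The sample export text, its server.exe value and the function names are constructed for illustration.

```python
"""Offline audit of the shell-spawning keys listed in Que-11, section 4.

Parses a .reg export and reports every exefile/comfile/batfile/piffile
shell\\open\\command whose default value is not the expected "%1" %*.
Added example, not code from the original post.
"""
import re
from typing import Dict, List, Optional, Tuple

# Expected default ("@") value that the post gives for these four classes.
EXPECTED_COMMAND = '"%1" %*'
SPAWN_CLASSES = ("exefile", "comfile", "batfile", "piffile")
# Both hives the post lists: HKCR and its HKLM\Software\Classes backing key.
ROOTS = ("HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE\\Software\\Classes")

KEY_RE = re.compile(r"^\[(.+)\]$")
# Value lines look like  @="..."  or  "Name"="..."  (only REG_SZ data is decoded)
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape_reg_string(raw: str) -> str:
    """Undo .reg escaping in one left-to-right pass: \\\\ -> \\ and \\" -> "."""
    out: List[str] = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for the values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        val_match = VALUE_RE.match(line)
        if val_match and current is not None:
            name = "@" if val_match.group(1) == "@" else unescape_reg_string(val_match.group(2))
            data = val_match.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                keys[current][name] = unescape_reg_string(data[1:-1])
            else:
                keys[current][name] = data  # dword:/hex: data kept raw; not audited here
    return keys


def audit_shell_spawning(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, Optional[str]]]:
    """List (key, command) for every spawning key whose default is not "%1" %*."""
    findings: List[Tuple[str, Optional[str]]] = []
    lowered = {k.lower(): k for k in keys}  # registry paths are case-insensitive
    for root in ROOTS:
        for cls in SPAWN_CLASSES:
            wanted = f"{root}\\{cls}\\shell\\open\\command".lower()
            actual = lowered.get(wanted)
            if actual is None:
                continue  # key not present in this export
            command = keys[actual].get("@")
            if command != EXPECTED_COMMAND:
                findings.append((actual, command))
    return findings


def load_reg_file(path: str) -> str:
    """regedit writes UTF-16 with a BOM; the older Win9x/NT4 format is ANSI."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("cp1252")


# Constructed sample export: comfile and the HKLM piffile key have been
# pointed at a hypothetical server.exe (the post's example); the rest are clean.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="C:\\Windows\\server.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command]
@="server.exe \"%1\" %*"
'''

if __name__ == "__main__":
    for key, command in audit_shell_spawning(parse_reg_export(SAMPLE_EXPORT)):
        print(f"HIJACKED {key}: {command!r} (expected {EXPECTED_COMMAND!r})")
```

On a real machine, export the keys with `reg export HKCR\exefile exefile.reg` (and the other classes), then pass `load_reg_file("exefile.reg")` to `parse_reg_export` instead of the sample text.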

                            • AmberJain
                              Recognized Expert Contributor
                              • Jan 2008
                              • 922

                              #29
                              Hello,

                              I have posted the second draft of my article in REPLY #28 above.

                              The changelog for second draft is as follows:
                              1. All the references of "wanna" changed to "want to".
                              2. Added about 45 new autostart locations in Que-11.
                              3. Checked for grammatical mistakes using word processor.
                              4. In Que-11, (in sub section-4 titled Registry Shell Spawning) a NOTE had been mistakenly added inside CODE tags in first draft. Necessary changes were made.
                              5. All references to "NOTE" are added with [b][u] tags.
                              6. Removed a lot of unnecessary parentheses () from the article (although I have kept some parentheses which I thought were necessary).
                              7. All references to "dont" are changed to "don't".
                              8. All references to "Que-x" and "Ans" are surrounded with tags.
                              9. Made some changes to subsections (1) and (2) of Que-10.
                              10. Added section-7, "Hijack points" to Que-11.
                              All comments are welcome.......

                              Thanks.........
                              AmbrNewlearner

                              Comment

                              • NeoPa
                                Recognized Expert Moderator MVP
                                • Oct 2006
                                • 32633

                                #30
                                Originally posted by Nepomuk
                                I'd say, it should be edited into something like "NO - but some viruses are autoruns. It's like with animals: elephants are mammals, but not all mammals are elephants."

                                Greetings,
                                Nepomuk
                                Rather than saying "NO - but some viruses are autoruns.", try instead "NO - but some viruses use autoruns.".

                                Comment
