Frustrated that your Windows PC is slow when booting, or logon takes forever to complete? Wish you could stop programs from auto starting or worried you may have spyware?
For many Windows users this is a common occurrence that seems impossible to fix unless you're a seasoned System Administrator.
Many tools exist that will help dig inside your Computer, but they end up being incomplete and do not identify all possible locations where programs can hide.
Fortunately a tool called Autoruns does exist and is capable of hunting down every program that autostarts during boot or when you logon.
Autoruns is a powerful Windows utility that shows you what programs are configured to run (auto start) during system bootup or login. Included locations are programs in your Startup folder, Run, RunOnce, and other Registry keys, browser add-ons and File Explorer add-ons.
Autoruns works on all versions of Windows including Windows XP, Server 2003 64-bit Edition (for x64) and can be downloaded from the Microsoft TechNet site (formerly Sysinternals).
Once downloaded, unzip the contents into a folder and run autoruns.exe. The first tab Autoruns displays is everything that autostarts on your Computer.
Autoruns includes 15 tabs that you can select to display areas such as Internet Explorer, Services, and Logons where programs can auto start.
Three modes exist for displaying programs that can be set in the Options menu:
Include Empty Locations – will display known locations where programs can autostart, even when they are empty. By default this setting is unchecked.
Verify Code Signatures – is available on systems that support image signing verification (an icon appears next to the program name). "Not Verified" will display if an image does not exist.
Hide Microsoft Entries – omits images that have been signed by Microsoft.
After selecting a mode, you will need to refresh the list from the menu under File.
Autoruns lets you interact with an entry by right-clicking on a program. You can Search Online for programs that you do not recognize, Jump To the location of the program such as the Registry or Startup folder, or display Properties of the selected item.
If you also have Process Explorer running, Autoruns will switch to Process Explorer to show process information for the program that was selected.
One feature that makes Autoruns stand out from other utilities is the ability to save a snapshot of all entries, then compare the entries after installing applications or making configuration changes. When comparing changes, items displayed in "green" represent new items. To save, select Save from the File menu.
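The same snapshot-and-compare idea, as an added PowerShell example that is not part of Autoruns or the original article: it records only the Run and RunOnce Registry keys and the Startup folders (a small subset of what Autoruns covers) and reports entries added or removed since the baseline. The baseline file path and the function names are assumptions.

```powershell
# Added example, not Autoruns code. First run saves a baseline; later runs report differences.
param([string]$BaselinePath = "$env:USERPROFILE\autostart-baseline.csv")  # assumed path

function Get-AutostartEntry {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
    # Startup folders for the current user and for all users
    $folders = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not $folder -or -not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File -Force | Where-Object Name -ne 'desktop.ini' | ForEach-Object {
            [pscustomobject]@{ Location = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Identity of an entry: where it lives, what it is called, what it launches
function Get-EntryKey($entry) { '{0}|{1}|{2}' -f $entry.Location, $entry.Name, $entry.Command }

$current = @(Get-AutostartEntry)
if (-not (Test-Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline saved to $BaselinePath ($($current.Count) entries)"
    return
}

$old = @{}; Import-Csv -Path $BaselinePath | ForEach-Object { $old[(Get-EntryKey $_)] = $_ }
$new = @{}; $current | ForEach-Object { $new[(Get-EntryKey $_)] = $_ }

# A changed command line shows up as one REMOVED and one NEW row for the same name
$new.Keys | Where-Object { -not $old.ContainsKey($_) } |
    ForEach-Object { $new[$_] | Select-Object @{n='Change'; e={'NEW'}}, * }
$old.Keys | Where-Object { -not $new.ContainsKey($_) } |
    ForEach-Object { $old[$_] | Select-Object @{n='Change'; e={'REMOVED'}}, * }
```

Run it once before installing software to create the baseline, then again afterwards; RunOnce values normally disappear after they execute, so a REMOVED row there is expected.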
Word Of Caution
When troubleshooting your Computer for slow startups or logon problems, it is best to isolate one program at a time by deselecting the program. Make sure you document all changes in the exact order you made them before testing, and BACKUP all personal data. Although you can delete programs, it is recommended not to delete unless you are a Computer Professional.
More Autoruns information can be found at Sysinternals forums.
Logon – this entry results in scans of standard autostart locations such as the Startup folder for the current user and all users, the Run Registry keys, and standard application launch locations.
Explorer – Select this entry to see Explorer shell extensions, browser helper objects, explorer toolbars, active setup executions, and shell execute hooks.
Internet Explorer – this entry shows Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions.
Services – all Windows services configured to start automatically when the system boots.
Drivers – This displays all kernel-mode drivers registered on the system except those that are disabled.
Scheduled Tasks – Task scheduler tasks configured to start at boot or logon.
AppInit DLLs – this shows DLLs registered as application initialization DLLs.
Boot Execute – native images (as opposed to Windows images) that run early during the boot process.
Image Hijacks – image file execution options and command prompt autostarts.
Known DLLs – this reports the location of DLLs that Windows loads into applications that reference them.
Winlogon Notifications – shows DLLs that register for Winlogon notification of logon events.
Winsock Providers – shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can uninstall them, but cannot disable them.
LSA Providers – shows registered Local Security Authority (LSA) authentication, notification and security packages.
Printer Monitor Drivers – displays DLLs that load into the print spooling service. Malware has used this support to autostart itself.