
How to Track Down and Remove Startup Programs in Windows

The increasing use of personal devices increases the need to track down and remove startup programs in Windows.

One of the realities about Windows is that the operating system makes it very easy for software to start up automatically when the PC is booted. This has become a common practice of legitimate software vendors that want to make sure that an updater or some other mechanism is always running in the background, but automatic startup capabilities are also commonly exploited by malware. In any case, it is sometimes necessary to remove startup programs. Even if it’s not actually malicious, background software can potentially weaken security, diminish a PC’s performance and adversely impact the device’s stability.

In business environments, there are typically strict controls in place that prevent the installation of rogue software. If something does happen to get installed, it’s usually easier to reimage the machine than to try to hunt down and remove the unwanted software. Today, however, many people are still working from home, often from a personal PC. As such, reimaging the operating system is not an option. In those cases, there may be little choice but to figure out where the unwanted software is being launched from and remove it.

To remove startup programs, you need to consider two main things. The first factor is the operating system. Newer Windows 10 builds have options that older operating systems do not. The second factor is whether the application needs to be removed altogether, or if you simply want to prevent the application from running at startup.

Let’s tackle the easy one first. If you have an application that needs to be present on the system but that should not launch at startup, and you are running a newer Windows 10 build, then there is an easy way to prevent it from launching automatically. Just go to Settings and click on Apps, followed by Startup. The Startup screen lets you control which applications are allowed to start when you log in. You can see what this looks like in Figure 1. Incidentally, if you are running an older version of Windows, you can access similar options through the Task Manager’s Startup tab.

Figure 1: You can prevent applications from launching automatically by disabling them in Settings.

So what about rogue or poorly written applications that cannot be disabled through Settings? Unfortunately, those applications can be a little bit tricky to track down because they can potentially be called from so many different places within the operating system.

The first place that you should look in your quest to remove startup programs is the Windows Registry. Remember, it’s a good idea to make a backup prior to modifying the Registry. At any rate, there are several different locations within the Registry that can be used to launch programs upon Windows startup. These include:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

You will notice that the first five Windows Registry keys reference HKEY_CURRENT_USER. These Registry keys are unique to each user profile on the machine. As such, if a particular user is having problems with unwanted programs, then you will need to make sure that you are logged in as that user when you check those areas of the Registry.

It’s also possible that some of these Registry locations will not exist. Some (those referencing Wow6432Node) are only applicable to 64-bit operating systems. Other Registry locations (those referencing Policies) exist only if a Group Policy is being used.

Once you have gone through the Registry, there are two more locations to check as you work to remove startup programs. First, it’s a good idea to check the computer’s local security policy. Some malware authors create settings within the local security policy that will put malware back in place if it is removed from startup. There are two locations within the local security policy that you should check. These include:

Computer Configuration \ Administrative Templates \ System \ Run

User Configuration \ Administrative Templates \ System \ Run

The other location that you should check is the Startup folder. Back in the days of Windows 3.x, the operating system included a Startup window. If a user wanted a program to launch at startup, they could simply place it into that window. Even though the Startup window is long gone, there is a little-known Windows 10 equivalent. You can find the Startup folder at C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
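To review all of these locations in one pass before changing anything, the following PowerShell script (an added example, not part of the original article) lists every value under the Registry keys above plus the contents of the current user's Startup folder. It only reads; the variable names are illustrative, and it must be run as the affected user because the HKEY_CURRENT_USER keys and the Startup folder are per-profile.

```powershell
# Added example: read-only inventory of the autostart locations named in the article.
# Nothing is modified or deleted.
$cv = 'Microsoft\Windows\CurrentVersion'
$keys = @(
    "HKCU:\Software\$cv\Run"
    "HKCU:\Software\$cv\RunOnce"
    "HKCU:\Software\$cv\Explorer\StartupApproved\Run"
    "HKCU:\Software\$cv\Explorer\StartupApproved\Run32"
    "HKCU:\Software\$cv\Explorer\StartupApproved\StartupFolder"
    "HKCU:\Software\$cv\Policies\Explorer\Run"
    "HKLM:\SOFTWARE\$cv\Run"
    "HKLM:\SOFTWARE\$cv\RunOnce"
    "HKLM:\SOFTWARE\$cv\Explorer\StartupApproved\Run"
    "HKLM:\SOFTWARE\$cv\Explorer\StartupApproved\Run32"
    "HKLM:\SOFTWARE\$cv\Explorer\StartupApproved\StartupFolder"
    "HKLM:\SOFTWARE\$cv\Policies\Explorer\Run"
    "HKLM:\SOFTWARE\Wow6432Node\$cv\Run"
    "HKLM:\SOFTWARE\Wow6432Node\$cv\RunOnce"
)
$raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$entries = @(foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # some keys may not exist
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        # Keep %VAR% references unexpanded so the stored string is shown as written
        $data = $regKey.GetValue($name, $null, $raw)
        # Binary values (for example under StartupApproved) are rendered as hex
        if ($data -is [byte[]]) {
            $data = ($data | ForEach-Object { $_.ToString('X2') }) -join ' '
        }
        [pscustomobject]@{ Location = $key; Name = $name; Data = $data }
    }
})

# Per-user Startup folder; shortcuts are resolved to the program they point at
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$shell = New-Object -ComObject WScript.Shell
$entries += @(foreach ($file in Get-ChildItem -LiteralPath $startup -File -Force -ErrorAction SilentlyContinue) {
    $target = if ($file.Extension -eq '.lnk') {
        $shell.CreateShortcut($file.FullName).TargetPath
    } else { $file.FullName }
    [pscustomobject]@{ Location = $startup; Name = $file.Name; Data = $target }
})

$entries | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Saving the output before and after a cleanup gives you a record of what was removed and makes it easy to spot an entry that reappears.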

As you can see, there are any number of different ways for an unwanted program to launch at startup. With a little bit of work, however, it is possible to remove startup programs.

 
