Skip navigation


Hunt down autostart programs wherever they hide

Why does logon take so long? What are all those icons in the system tray? How do I stop programs from starting automatically? How do I get rid of that strange error that keeps cropping up during logon? You've probably heard these questions plenty of times, especially from Windows users who are working on new systems that came preloaded with applications or on older systems on which they've installed numerous programs over time. This month, I'm taking a break from writing about the tools in the Systinternals PsTools suite to discuss a free tool that can answer those questions: Sysinternals Autoruns.

See also, "Managing Autorun Applications" and "Using Autoruns to Determine Which Programs Automatically Run at System Startup."

Upon installation, many applications configure themselves to start automatically when you log on. Applications do this so that they can automatically check for updates, because they use system tray icons to interact with users, or because they add functionality to Windows components such as Windows Explorer. However, most such applications don't ask permission before inserting themselves in your logon process and almost never provide an interface to let you disable their autostart functionality.

Windows Server 2003 and Windows XP include the System Configuration utility (Msconfig.exe), which is based on a similar tool in Windows Me. Msconfig features a Startup tab that lists and lets you disable certain items that run automatically when you log on. However, Msconfig has two major limitations: It displays items from only a fraction of the locations in which autostart applications can hide and it shows limited information about the items it does list. Furthermore, if you run Windows 2000 or Windows NT 4.0, you're out of luck. Neither OS contains Msconfig or other built-in tools to report components that automatically execute at logon.

You can use Autoruns, which Figure 1 shows, not only to identify the applications that have configured themselves to start at logon but to see all the locations where autostart applications might be configured on the system.

Figure 1

Autoruns works on all versions of Windows, including Windows Me and Windows 9x. You can download the tool at

What You See

Autoruns displays each location that contains autostart items, or images, in the order in which the locations are processed during system startup and user logon; all images in each location are listed in alphabetical order. Besides providing insight into the Windows logon process, this order can have important repercussions: Programs that launch first might be overwritten by programs that launch later.

Autoruns displays more information about each image than Msconfig does. Autoruns lists each entry in the subkey, as well as a description of the entry's corresponding image, the company that created the image, and the path to the image file. For example, Figure 2 shows the contents of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry subkey, which Windows Explorer processes during logon.

Figure 2

Msconfig would report the Synchronization Manager entry but would list the entry only as mobsync and would provide the corresponding startup command. As you can see in Figure 1, however, Autoruns lists the entry as Synchronization Manager under its corresponding registry subkey, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The tool lists a description—Microsoft Synchronization Manager—that helps identify the image as being related to offline file synchronization. You can see that the image is from Microsoft—information that can help you remove unnecessary entries created by non-Windows components. And Autoruns lists the path to the image file (C:\WINDOWS\SYSTEM32\MOBSYNC.EXE).

Autoruns obtains the description and company name from the image's version data, which stores details that help identify the image and its purpose. You can examine the rest of an image's version information by selecting the image and choosing Entry, Properties from Autoruns' menu bar or by right-clicking the image and selecting Properties from the context menu.

Autoruns gives you the option to show only images that are unsigned, or not published by Microsoft; just select View, Hide Signed Microsoft Entries. An image is said to be signed when it includes a digital signature issued by a digital signing authority that the system's security policy trusts. Unsigned images' company names will be preceded by (Not verified) in Autoruns' display.

Autoruns doesn't show an image's startup command, but you can find that information by double-clicking the entry or by selecting the entry and choosing Entry, Jump To. If the image is in the registry, Autoruns executes regedit and navigates to the appropriate subkey or entry. If the image is in the file system, which is the case for items in the Start menu's Startup folder, Autoruns opens Windows Explorer and navigates to the directory that contains the image.

Autoruns focuses on images that execute when you log on, but many components run as Windows services and automatically execute when the system boots. For example, to toggle Autoruns' display of autostart services, select View, Show Services; to see Windows Explorer add-ons, select View, Show Explorer Addons.

Where They Hide

Autoruns usually lists more entries than Msconfig because Msconfig is programmed to be aware of only some of the two dozen or so startup entries honored by Windows and its logon components. For example, consider the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit registry subkey, shown in Figure 1 as HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\Userinit. After you interactively log on to a system, the Winlogon process executes the program listed in this subkey (userinit.exe by default). Userinit.exe executes logon scripts, restores drive letter and printer mappings, and applies configured Group Policy settings. Msconfig doesn't list this image.

The list of locations in which applications can configure themselves is astounding (see Top 10, "Windows Program Startup Locations," December 2002, InstantDoc ID 27100 for a few examples), and nowhere does Microsoft documentation provide the entire list. Autoruns has evolved and continues to evolve over time to include more and more of these locations as Autoruns coauthor Bryce Cogswell and I learn of them. For instance, a Microsoft employee recently told us about the HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components subkey, a location not publicly documented by Microsoft or listed by Msconfig but known by a worm that hides its automatic activation there. To see all the locations that Autoruns knows about, select all the View menu items that begin with Show, then select View, Include Empty Locations.

What to Do

Like Msconfig, Autoruns lets you temporarily disable an entry by clearing the item's check box. When you do so, Autoruns moves the entry into a backup location in the registry or file system. For example, if you disable an entry under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run subkey, Autoruns creates an AutorunsDisabled subkey under that registry subkey and moves the entry's value into AutorunsDisabled. When you disable an entry in the Startup folder, Autoruns creates a subdirectory named Autorunsdisabled, into which it moves the disabled entry. When you log on, Windows Explorer opens the Autorunsdisabled folder so that you can see any disabled entries.

Autoruns also lets you permanently delete enabled or disabled entries by selecting the entry and typing Ctrl+D or by selecting Entry, Delete from the menu bar. Before you delete an item, though, you might want to save the Autoruns output to a text file for archiving purposes. To do so, choose File, Save.

Until Next Month

I recommend you run Autoruns as a general housekeeping task on all your computers and make sure you understand all the programs configured to start during logon. You might find things that have crept in over time and that you'll want to remove. As always, please send me details of your experiences with the Sysinternals tools so that I can report about them in this column.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.