Did you know there are more than 200 configuration locations for Windows startup programs? Malware routinely abuses them to launch, and to survive a reboot, without any user interaction. In this post, you will learn how to discover and change Windows startup programs with Sysinternals Autoruns.

Yes, you read correctly: there are more than 200 different Autostart Extensibility Points (ASEPs) in Windows. They include a wide range of registry keys, scheduled tasks, services and drivers, Explorer shell extensions, Internet Explorer add-ons, WMI event subscriptions, and more. Autostart programs have a legitimate, valuable purpose; it is convenient, for example, when MS Teams starts automatically at logon. On the other hand, computer manufacturers preinstall plenty of free or trial software that starts with Windows and consumes resources. And malicious software very often registers itself in one of these locations so that it runs without any user intervention.

In some cases, startup programs and drivers interfere with each other and cause the system to become unstable or even crash. Sysinternals Autoruns is a free tool that lets you see, and control, everything that starts with a Windows system.

Basic usage of Sysinternals Autoruns

When you run Autoruns on a system with UAC (User Account Control) enabled, it starts without elevation, that is, with a standard-user (medium integrity) token, even if you are logged on as an administrator. Autoruns works in that mode, but it cannot read some ASEP locations, so certain entries are simply missing from the list, and it cannot disable or delete entries that live under HKLM or in other protected locations. Therefore, I recommend always starting Autoruns elevated: right-click the executable and choose Run as administrator, or use File > Run as Administrator inside the tool.

Autoruns is a tab-based tool. Each tab covers one ASEP type, such as Logon, Scheduled Tasks, Services, or Drivers, so switching tabs is the fastest way to narrow the list. Autoruns always opens on its main tab, Everything, which shows all entries of all types in one view.

The Sysinternals Autoruns Everything tab is a single page view of all entries

If you are looking for a particular entry, use the Quick Filter box in the toolbar. It is a full-text filter and works really well: type a few characters that appear in any field of an entry (name, description, publisher, or image path) and only matching rows remain. Use it on the Everything tab, which searches all ASEP types at once. Filtering on path fragments such as \AppData\, \Temp\, or \ProgramData\ is a quick way to surface binaries that run from user-writable directories, a common sign of malware persistence.

As you can see in the screenshot, Autoruns uses several highlight colors:

  • Yellow—Indicates a File not found entry: the entry points to an image that no longer exists at the expected location. Leftovers from uninstalled software look like this, but so does an entry whose payload has been removed or has not been dropped yet.
  • Pink—Indicates a suspicious entry: one without publisher information, or whose image signature could not be verified. Enable Verify code signatures in Options > Scan Options; otherwise Autoruns can only judge by the publisher string in the file's version information, which anyone can set.
  • Purple—Marks the rows that name an ASEP location, such as a registry key or the Task Scheduler, rather than an individual entry.
  • Green—Indicates an entry that was added since the previous scan or the compared baseline. This can occur, for example, if a new program is installed while Autoruns is running.

Another useful feature is the context menu, which offers several actions, such as deleting an entry. Two of the most useful are as follows:

  • Jump To Entry—Opens the location where the Autostart entry is configured, for example, a specific registry key.
  • Jump To Image—Opens a Windows Explorer folder with the location of the target image.

Hiding entries

By default, Autoruns hides empty ASEP locations and Windows entries. Windows entries are the components that ship with the OS and carry a Windows signature: services, scheduled tasks, drivers, and so on. You can unhide them by deselecting Hide Windows Entries in the Options menu. Don't be surprised: the list is quite long. Under normal conditions, it is not useful to have them visible, but when you suspect that a legitimate Windows component has been replaced or hijacked, turn them on.

Windows services are part of Windows entries

You can also hide all Microsoft entries, that is, entries whose publisher is Microsoft Corporation; this is a broader filter than Hide Windows Entries because it also covers Office and other Microsoft products. Both filters are only as trustworthy as the signature check: with Verify code signatures off, they go by the publisher string in the file's version information, which malware can forge. The last option is Hide VirusTotal Clean Entries, which hides all entries that VirusTotal reported as clean. It requires the entries to be scanned first; otherwise, it does nothing.

VirusTotal analysis

As mentioned above, Autoruns can check all entries against VirusTotal, a free web service that analyzes files with over 50 antivirus engines. Enable Check VirusTotal.com in Options > Scan Options and rescan. By default, Autoruns submits only the hash of each image, not the file itself, and the VirusTotal column shows the number of engines that flagged the hash out of the number that examined it, as a hyperlink to the full report. As an additional visual indicator, the link is colored red if any engine flagged the file. If a hash is unknown to VirusTotal, you can upload the file for analysis, either manually or by enabling Submit Unknown Images in Scan Options. Think before you do that on a production system: uploading hands the file, which may contain proprietary code or data, to a third party, and attackers have been known to watch VirusTotal for their own samples.

You can also analyze items one at a time by right-clicking an entry and choosing Check VirusTotal from the context menu. The first time you use the feature, Autoruns asks you to accept VirusTotal's terms of service. Naturally, this feature requires an Internet connection.

Change Windows startup programs

One of the core features of Autoruns is the ability to change Windows startup program settings; that is, you can disable or completely delete an entry. Deleting removes the ASEP entry permanently (the registry value, task, or shortcut, not the image file it points to), and it's an irreversible action with no rollback or undo button. This is why Autoruns shows a confirmation dialog when you want to delete an entry.

Deleting an entry requires confirmation

Only delete entries when you are certain that you know what you are doing. Note also that deleting or disabling an entry that the OS itself depends on may make the system unstable or unbootable. If the entry belongs to malware, keep in mind that the running process may simply recreate it; terminate the process first (or scan from clean media with the offline analysis described below) before cleaning up the ASEP.

Disabling an entry works differently and is reversible. You disable an entry by clearing its checkbox; the entry stays in the list, unchecked, so you can re-enable it later.

Disable an entry just by clearing its checkbox

Autoruns leaves a marker behind, so it recognizes disabled entries and can re-enable them later. How it does that depends on the ASEP type. For Run and RunOnce keys, Autoruns moves the value into a subkey named AutorunsDisabled under the same key. For services and drivers, it sets the Start value to 4 (Disabled) and stores the original value in its own AutorunsDisabled value under the service key. Re-enabling the entry puts the original information back. In the screenshot below, you can see an example of disabled VMware Tools, where Autoruns changed the Start value to 4 and stored the original value 2 (Automatic) in AutorunsDisabled. These markers are also worth looking for during an investigation: an AutorunsDisabled subkey or value tells you that somebody, or something, has been disabling entries on the machine.

Disabling an entry in the registry
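The following PowerShell is an added example for this article, not code from Autoruns or from the original post. It reproduces the two registry markers described above (a Run value moved into an AutorunsDisabled subkey; a service set to Start=4 with its original Start preserved in an AutorunsDisabled value) and then sweeps the usual locations for such markers, which is the check an incident responder wants. The function names and the $RunKeys list are my own choices, not Autoruns options.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of Autoruns or the article): imitate what Autoruns writes to the
# registry when you clear an entry's checkbox, and hunt for those markers afterwards.
# Run values are REG_SZ; adjust -PropertyType if you hit a REG_EXPAND_SZ value.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$ServicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$RegistryMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Disable-RunValue {
    # Move one Run value into <RunKey>\AutorunsDisabled, keeping its command line.
    param([Parameter(Mandatory)][string]$RunKey, [Parameter(Mandatory)][string]$Name)
    $disabledKey = Join-Path $RunKey 'AutorunsDisabled'
    $command = (Get-ItemProperty -Path $RunKey -Name $Name -ErrorAction Stop).$Name
    if (-not (Test-Path $disabledKey)) { New-Item -Path $disabledKey -Force | Out-Null }
    New-ItemProperty -Path $disabledKey -Name $Name -Value $command -PropertyType String -Force | Out-Null
    Remove-ItemProperty -Path $RunKey -Name $Name
}

function Enable-RunValue {
    # Reverse of Disable-RunValue: put the value back and drop it from AutorunsDisabled.
    param([Parameter(Mandatory)][string]$RunKey, [Parameter(Mandatory)][string]$Name)
    $disabledKey = Join-Path $RunKey 'AutorunsDisabled'
    $command = (Get-ItemProperty -Path $disabledKey -Name $Name -ErrorAction Stop).$Name
    New-ItemProperty -Path $RunKey -Name $Name -Value $command -PropertyType String -Force | Out-Null
    Remove-ItemProperty -Path $disabledKey -Name $Name
}

function Disable-ServiceStart {
    # Set Start=4 (Disabled) and remember the original start type in AutorunsDisabled.
    # This only affects the next boot; a service that is running now keeps running.
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = Join-Path $ServicesKey $ServiceName
    $original = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start
    New-ItemProperty -Path $key -Name AutorunsDisabled -Value $original -PropertyType DWord -Force | Out-Null
    Set-ItemProperty -Path $key -Name Start -Value 4
}

function Enable-ServiceStart {
    # Restore the saved start type and remove the marker.
    param([Parameter(Mandatory)][string]$ServiceName)
    $key = Join-Path $ServicesKey $ServiceName
    $original = (Get-ItemProperty -Path $key -Name AutorunsDisabled -ErrorAction Stop).AutorunsDisabled
    Set-ItemProperty -Path $key -Name Start -Value $original
    Remove-ItemProperty -Path $key -Name AutorunsDisabled
}

function Find-AutorunsDisabledMarkers {
    # Forensic sweep: every Run value and service on this machine that carries a marker.
    foreach ($runKey in $RunKeys) {
        $disabledKey = Join-Path $runKey 'AutorunsDisabled'
        if (-not (Test-Path $disabledKey)) { continue }
        $values = Get-ItemProperty -Path $disabledKey
        foreach ($prop in $values.PSObject.Properties) {
            if ($RegistryMeta -contains $prop.Name) { continue }   # skip provider metadata
            [pscustomobject]@{ Type = 'Run'; Location = $disabledKey; Name = $prop.Name; Detail = $prop.Value }
        }
    }
    foreach ($svc in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $values = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $values -or $null -eq $values.AutorunsDisabled) { continue }
        [pscustomobject]@{
            Type     = 'Service'; Location = $svc.PSPath; Name = $svc.PSChildName
            Detail   = "Start=$($values.Start) (original $($values.AutorunsDisabled)); ImagePath=$($values.ImagePath)"
        }
    }
}

# Usage: disable one Run entry and one service the way Autoruns does, then list all markers.
# Disable-RunValue     -RunKey $RunKeys[2] -Name 'SomeUpdater'
# Disable-ServiceStart -ServiceName 'VMTools'
Find-AutorunsDisabledMarkers | Format-Table -AutoSize -Wrap
```

Run it elevated, as the #Requires line enforces, and treat the sweep as read-only triage: a marker you did not create yourself means someone else has been editing autostart entries on that host, and the preserved original value tells you what was there before.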

Analyze offline systems

Another cool feature is Autoruns' ability to view the ASEPs of an offline Windows installation. This is very useful when Windows doesn't boot or when you suspect that the running instance is infected: malware that hides from tools on the live system (a rootkit, for example) can't interfere with a scan performed from a clean OS. To perform offline analysis, Autoruns must run on a clean instance of Windows with administrative rights and have access to the offline instance's file system, for example a mounted disk image or the system disk of a VM attached to a clean VM.

In the File menu, choose Analyze Offline System and point Autoruns at the target Windows directory (System Root) and the user profile you want to examine. Note that the registry hives can't be on read-only media: Autoruns loads them into the running system's registry, which requires write access to the hive files.

Saving and comparing results

The last feature to cover today is save and compare. Autoruns saves results in two formats: tab-delimited text and its own binary (ARN) format. As you might expect, the text format is human readable and can be imported into Excel or processed by a script, which makes it the right choice for feeding a SIEM or a diff job.

The binary format is what Autoruns itself can compare; a text file can't be used here. Take a baseline snapshot of a known-good system and save it as ARN; later, on the same or a different system, choose Compare in the File menu and select the baseline. Autoruns then shows only the entries that differ: green entries exist in the current scan but not in the baseline (new), and red entries exist in the baseline but not in the current scan (removed).

You can automate the capture with the -a command-line switch, which saves the scan to a file and exits:

Autoruns -a result.arn

To add signature verification, include the -v switch. Make sure you don't put the -v between -a and the filename; the filename must directly follow -a.

Autoruns -v -a result.arn

For unattended collection, for example across a fleet via a scheduled task or a management agent, the console build Autorunsc.exe is the better fit: it prints to standard output in plain text, tab-delimited, or CSV form and needs no interactive session.
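The following PowerShell is an added example for this article, not code from Autoruns or from the original post. It automates the baseline-and-compare workflow with the console build, Autorunsc.exe, and includes a constructed pair of captures so the comparison can be exercised offline. Assumptions: autorunsc.exe is on PATH (or pass -AutorunscPath), output paths contain no spaces, and the CSV header contains the columns "Entry Location", "Entry", "Image Path", "Signer", and "SHA-256" as I expect from recent builds run with -c -h -s; check the first line of your own capture and adjust the column names if they differ.

```powershell
# Added example (not part of Autoruns or the article): capture a baseline with autorunsc
# and report what changed in a later capture. Column names are assumptions; see lead-in.

function Save-AutorunsSnapshot {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$AutorunscPath = 'autorunsc.exe'
    )
    # -a * all ASEP types, -c CSV, -h hashes, -s verify signatures; -nobanner and
    # -accepteula keep the run unattended. Autorunsc writes UTF-16 when redirected, so
    # the file is read back with -Encoding Unicode. The redirect goes through cmd.exe
    # so that the bytes land on disk untouched by PowerShell's console decoding.
    cmd.exe /c "$AutorunscPath -a * -c -h -s -nobanner -accepteula > $Path"
    if (-not (Test-Path $Path)) { throw "autorunsc produced no output at $Path" }
}

function Import-AutorunsSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    Import-Csv -Path $Path -Encoding Unicode
}

function Get-EntryKey {
    # Identity of an entry: where it lives, what it is called, what it runs, and the hash
    # of that image. A swapped binary under an unchanged name therefore shows as Removed + Added.
    param([Parameter(Mandatory)]$Entry)
    '{0}|{1}|{2}|{3}' -f $Entry.'Entry Location', $Entry.Entry, $Entry.'Image Path', $Entry.'SHA-256'
}

function Compare-AutorunsSnapshot {
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [Parameter(Mandatory)][object[]]$Current
    )
    $base = @{}; foreach ($e in $Baseline) { $base[(Get-EntryKey $e)] = $e }
    $curr = @{}; foreach ($e in $Current)  { $curr[(Get-EntryKey $e)] = $e }

    foreach ($k in $curr.Keys) {
        if ($base.ContainsKey($k)) { continue }
        $e = $curr[$k]
        [pscustomobject]@{ Change = 'Added'; Location = $e.'Entry Location'; Entry = $e.Entry
                           Image = $e.'Image Path'; Signer = $e.Signer; SHA256 = $e.'SHA-256' }
    }
    foreach ($k in $base.Keys) {
        if ($curr.ContainsKey($k)) { continue }
        $e = $base[$k]
        [pscustomobject]@{ Change = 'Removed'; Location = $e.'Entry Location'; Entry = $e.Entry
                           Image = $e.'Image Path'; Signer = $e.Signer; SHA256 = $e.'SHA-256' }
    }
}

# Real use:
#   Save-AutorunsSnapshot -Path C:\Baseline\autoruns-baseline.csv   # on a known-good build
#   Save-AutorunsSnapshot -Path C:\Temp\autoruns-now.csv            # later, or on a suspect host
#   Compare-AutorunsSnapshot (Import-AutorunsSnapshot C:\Baseline\autoruns-baseline.csv) `
#                            (Import-AutorunsSnapshot C:\Temp\autoruns-now.csv) | Format-Table -AutoSize

# Constructed sample captures (not real data, hashes are placeholders) to exercise the diff offline.
$baselineCsv = @'
"Entry Location","Entry","Image Path","Signer","SHA-256"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","VMware User Process","c:\program files\vmware\vmware tools\vmtoolsd.exe","(Verified) VMware, Inc.","1111111111111111111111111111111111111111111111111111111111111111"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OneDrive","c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe","(Verified) Microsoft Corporation","2222222222222222222222222222222222222222222222222222222222222222"
'@
$currentCsv = @'
"Entry Location","Entry","Image Path","Signer","SHA-256"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","VMware User Process","c:\program files\vmware\vmware tools\vmtoolsd.exe","(Verified) VMware, Inc.","1111111111111111111111111111111111111111111111111111111111111111"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OneDrive","c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe","(Not verified) Microsoft Corporation","3333333333333333333333333333333333333333333333333333333333333333"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Updater","c:\users\alice\appdata\roaming\svchost.exe","(Not verified)","4444444444444444444444444444444444444444444444444444444444444444"
'@

Compare-AutorunsSnapshot ($baselineCsv | ConvertFrom-Csv) ($currentCsv | ConvertFrom-Csv) |
    Sort-Object Change, Location | Format-Table -AutoSize -Wrap
```

With the sample data, the report lists three rows: the OneDrive entry appears once as Removed and once as Added because its image hash and signature status changed, and the new "Updater" entry running an unsigned svchost.exe from a user-writable Roaming folder appears as Added. Hashing into the key is deliberate; comparing by name alone, as a quick eyeball of the GUI tends to do, would miss the replaced binary entirely.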

Final words

Autoruns is a great tool from the Sysinternals suite that helps you identify and change Windows startup programs, drivers, services, and much more. Let me know in a comment below if you have used Sysinternals Autoruns in the past and how you like the tool.

1 Comment
  1. Allan 2 weeks ago

    Hi Leos:

    I have used Autoruns to delete or disable applications sparingly.
    Like many Sysinternals apps, it is somewhat forbidding to the average user like myself, with its many settings and functions (but useful).
    There are manuals which document Sysinternals, which I have, but rarely read. They are probably out of date with the many changes made to Sysinternals.
    Good article.

    Allan

© 4sysops 2006 - 2022