Autoruns and StartupControlPanel
The following 2 freeware utilities are my favorite to monitoring & manage programs and processes located at various startup points on a system:
Autoruns scans other areas and has the option to save its findings as a text file or its own ARN format which can be used later own for comparison to current listing.
StartupControlPanel has a user friendly interface and also a nice feature which moves all deleted entries to its 'Deleted' section providing a way to easily restore them later on.
It is best not to delete the entries under the 'Deleted' tab as this would permanently remove them, so be absolutely certain the related entries are and will never be needed.
AUTORUNS
I typically check the 'Hide Windows Entries' option, then click on the Refresh button to have the program rescan and hide the common Windows entries. Why should you do this?
2 reasons;
- By excluding Windows entries, you exclude system critical entries that you might accidentally delete or disable and cause serious issues.
- Secondly, once the Windows entries are excluded, the list becomes much shorter, making it easier to scan and spot the 3rd party entries, missing/invalid entries, and those that might belong to a malicious software.
Note: One caveat to excluding the Windows entries that I can think of is the exclusion of "Kernel Fault Check" type startup entries from not showing up on the list. These typically are Scandisk calls due to unexpected shutdowns or Blue Screen of Deaths.
If the system booted up and running fine, it would be better to delete these entries so once in a while you might want to uncheck "Hide Windows Entries" option.
Most users, if needed, should only modify the top sections where the section path refers to either 'HKLM\..\...\Run' or 'HKCU\..\...\Run' the locations in the registry.
For the rest of the listing, please ask the advice of a knowledgeable person or at least use the 'Search Online' feature to conduct an online search by right-clicking on the currently highlighted entry. This action will automatically open the default Internet browser and conduct an online search:
If you'd like to verify the application signatures you can do so by checking the option 'Verify Code Signatures' under Options and pressing F5 to refresh the list (scans with this options takes longer!):
To save the Autoruns scan results to a log file, from the file menu on top:
1. Click File
2. Click Save...
3. Pick a location where you would be able to find it easily
4. Select the 'Save as type' as either 'Autoruns Data (*.arn)' or 'Text (.txt)'
5. Type in a File name (usually Autoruns followed by the current date is a good idea. Example: "Autoruns July 10.txt" or "Autoruns 05.18.2009.arn")
6. Click Save
If you choose 'Text (.txt) under 'Save as type' then the log file will be in plain text format. This is the suitable format for attaching to e-mails or online forums.
The other format is Autoruns Data (.arn) which is suitable to take a snapshot of the settings and store it for later on.
If you save the log file as 'Autoruns Data' file, you will be able to use the 'Compare' feature which compares the changes from the snapshot with the current entries.
Compare function only displays the entries (with a green background) that were disabled before but now enabled or vice versa.
It will not, however, show any differences that references entries that were deleted after the snapshot was taken:
When you open a previously saved log file with ARN extension, it will display the log file as a snapshot as it was saved but once you hit F5 (Refresh) it will do a new scan and override it with the new scan results. Same thing goes when using the 'Compare' feature. Looking up a previously saved log file with .arn extention will not help you restore any deleted entries but at least you will know what is missing or changed which could be very helpful diagnosing problem with various different system issues as well as Malware related infections so I strongly recommend everyone to create a snapshot of their system after a fresh install or before they are about to commit major changes, updates, installations, etc.
TIP: To find an entry based on a key word could be helpful, click on the toolbar icon next to 'Refresh' button that looks like binoculars.
WARNING: Much like most Registry Cleaners, Autoruns checks the file system to see if the path given for a specific file in the registry is valid or not.
If the path for a specific file points to an invalid location, Autoruns will display that entry as 'File not found'.
It doesn't have any sophisticated search & locate function to know if the file was moved or renamed. Even though this will ever be an issue, if you have doubts, please check to make sure the file is indeed not present on the system.
Even a fresh install of Windows XP has multiple 'File not found' entries which can be deleted:
Generally, improperly uninstalled applications, accidentally deleted registered components/device drivers/operating system files and/or after using malware cleanup tools on an infected system could result in having 'File not found' entries.
NOTE: Autoruns stores the disabled entries at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled
STARTUPCONTROLPANEL
There are 7 tabs of which 6 are functional and for the most part only 5 are normally used.
1) Startup (user) refers to the shortcuts placed in the C:\Documents and Settings\username\Start Menu\Programs\Startup path. Normally, startup entries appear here due to a program option that the user selected.
2) Startup (common) refers to the shortcuts placed in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup path. The startup entries that appear here are commonly placed by the program in question during its installation.
3) HKLM / Run refers to the Local Machine run entries located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run path. The startup entries that appear here are commonly placed by the program in question during its installation.
4) HKCU / Run refers to the Current User run entries located at HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run path. Normally, startup entries appear here due to a program option that the user selected.
5) Run Once refers to the Local Machine run entries located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce path. Generally, an entry will appear here if a program needed an extra step to complete its uninstallation or another one-time process that couldn't be done without a system restart.
Examples of such entries:
Spybot failed to delete all selected infection related entries for whatever reasons, it might prompt the user to see if the process to be run on next bootup so it could be completed.
You connected remotely to another PC using Netmeeting, the program will place an entry to remove cached application files/settings on next boot up. You uninstalled a program (legit or malware) and it prompted that certain files would be removed on next startup. If the related program is an identified spyware type application be careful! Some of these pesky apps could place a startup entry here that could re-initiate the programs installation or launch some other apps, pop-ups, etc.
If you are ever in doubt about a startup entry, always start with disabling (clearing the box next to it) the entry first!
Once you confirm that it is something malware related or something you no longer need/want, then you could delete it. StartupControlPanel allows recovering previously deleted startup entries so it is very safe compared to Autoruns. I urge novice users to use StartupControlPanel instead of Autoruns unless otherwise instructed by an expert.
Unlike Autoruns, StartupControlPanel also creates a 'Deleted' location where it saves deleted entries which can be recovered later on (if needed), much like Windows Recycle Bin.
To recover a deleted entry from the 'Deleted' section in SCPL:
1. Click 'Deleted' tab
2. Right-click on the entry to be recovered
3. Move cursor over to 'Send to' option then select the desired location to move the entry
Another really cool feature of SCPL is the ability to run any of the listed startup entries even if they are disabled or deleted:
To run any of the listed entries simply right-click on it and click 'Run Now':
SCPL stores the disabled entries at:
HKEY_CURRENT_USER\Software\mlin\StartupCPL\Disabled
and the deleted entries at:
HKEY_CURRENT_USER\Software\mlin\StartupCPL\Deleted
Final Note: Use only one of these utilities to prevent confusion and mistakes.. First disable an entry to see if it is something that effects your daily computing or not. If it made no difference or overall system appeared to be running faster, then delete that entry. For everyday use, SCPL is definitely an easier, more practical and safer tool to use. After installing a program, use SCPL to see if it created any related startup entries without informing you or not. One strength Autoruns has is that it also displays Windows tasks. I am seeing more and more legit programs create startup tasks that are not critical and typically slow down the bootup/login times.
~TL
