AutoRuns startup management 13.98 Portable

Autorun (autoload) of programs is a mechanism that builds the user's working environment without human intervention by automatically starting a prepared set of programs. The vast majority of modern home computers constantly run many such automatically started programs whose existence users have no idea about: where these programs came from, why they are needed at all, and who really needs them. For most users this does not matter much until problems arise: increased resource consumption (the computer starts to "slow down"), excessive Internet traffic, advertising spam, virus infection, or loss of documents, passwords, and money.

With the development of computer technology, the capabilities of automatic startup gradually expanded and reached such a level that there was a serious need for user control over autostart processes. Indeed, today almost any program, from software supplied by computer hardware manufacturers to free application software, tries to make the user happy with constant updates, offers of discounts when switching to paid products, advertising, etc. In addition, such not very desirable software can often collect information about the user and send it via the Internet to an unknown recipient at an unknown destination. Therefore, startup monitoring is becoming increasingly popular among computer users. Standard Windows tools, such as msconfig.exe or the "Startup" tab of the redesigned Windows 10 Task Manager, are better than nothing. Still, software products that monitor the maximum number of startup elements, from drivers to scripts and application programs, and let you manage automatically started processes simply, conveniently and safely are becoming more popular among literate users.

General information about the Autoruns program.

Autoruns is a free utility from the Sysinternals Suite package of Windows Sysinternals tools from Microsoft, designed to control autorun in the Windows environment. It goes far beyond the standard MSConfig utility, which is included with Windows.

You can download the program either as part of the Sysinternals Suite package or as a separate archive using links on the pages of the Windows Sysinternals section of the Microsoft TechNet resource. The program does not require installation on the system: just download and unpack the Autoruns.zip archive into any folder and run the executable file autoruns.exe or autoruns64.exe (64-bit Windows only). The archive contains documentation in English (autoruns.chm), a text file with a brief description and license agreement (eula.txt), and executable files for 32-bit and 64-bit operating systems for the graphical interface utility Autoruns and the command line utility Autorunsc.

Autoruns is one of the most popular software products in the Sysinternals Suite system administration and research software package, and perhaps the most informative and convenient tool for tracking points of automatic startup of processes in Windows, including hidden or unusual ones, often used by viruses and other malicious software (malware). Autoruns shows you which programs are configured to run during the boot process, when users log in, and when other system events occur; information about programs that automatically start is displayed in the order in which they start.

Finding and eliminating malicious software that has entered the Windows environment is one of the main areas of using Autoruns.

The program allows you to obtain a complete list of autostart locations, identify their location, explore startup methods and sequences, detect hidden entry points, and also block, if you choose, the autostart of an unnecessary process. The enormous capabilities and ease of use of this utility made it simply necessary to include Autoruns in the toolkit for practical system research.

To realize all the potential capabilities of Autoruns, the utility must be run under an account with administrator rights. In addition to working in the environment of the active operating system (the OS in which you are working), you can use the utility to analyze the startup points of another OS, whose system directory and user profile directory can be selected using the main menu (File - Analyze Offline System).

After launching the Autoruns.exe executable, the main program window appears on the screen:

The program interface consists of five parts: the menu bar, the toolbar, the autorun source filter tabs, the data output area in the form of a list with fixed line elements describing each automatically launched process, and an area at the bottom of the screen detailing the properties of the selected process.

The list of autorun points is displayed in the order in which Windows processes them during the boot and user logon process. By default, the Everything tab is selected, displaying all possible autorun points in the main window in accordance with the options specified by the Options item of the main menu. As options (information display parameters), you can select:

  • Include Empty Locations — show empty sections. Typically, this option is disabled.
  • Hide Microsoft and Windows Entries — hide autorun points for Microsoft products and for Windows processes themselves.
  • Hide Windows Entries — hide autorun points used by Windows itself.
  • Verify Code Signatures — verify the digital signatures of program modules. The verification status is displayed in the Publisher column and can be Verified (signature checked) or Not Verified (check failed). Internet access is required to verify digital signatures.

When changing display parameters, you need to refresh the screen (press F5).

Information about autorun points in the data window is divided into several columns:

  • Autorun Entry — program name. Each program is accompanied by its startup point (registry key, startup folder, scheduler task folder). The entry for the executable file carries the flag for enabling/disabling autorun: a checkmark in front of the name means the process will be launched; if it is absent, the process is blocked. If a blocked process is already running, disabling autorun takes effect at the next system reboot. Blocking is done by disabling a driver or service through the registry, deleting a shortcut from the startup folder, or disabling the execution of a task by the scheduler.
  • Description — a brief description of the automatically launched process.
  • Publisher — the author of the program. The digital signature verification result can be displayed as part of the Publisher column (Verified or Not Verified). The presence of a valid digital signature is a sign that the process is not malicious; an invalid or absent digital signature should, as a rule, draw attention to the record. However, unsigned files are not always a virus or other unwanted software, since a digital signature is not a mandatory standard for software manufacturers.
  • Image Path — path and name of the executable file.

The Autoruns program divides all autorun elements into groups corresponding to various autorun categories. The category is selected by selecting the desired tab:

Everything — all autorun points known to the Autoruns utility are displayed.

Logon — displays information about autorun elements associated with the initialization of user profile settings by the Winlogon process (Userinit), the user shell (Shell), as well as various programs launched during the logon process using elements of the "Startup" folder, the Run, RunOnce and Load registry keys, etc. The latest versions of Autoruns have a User menu that lets you switch to displaying autorun points for individual users or system accounts (Local System, Network, etc.). If you select a different account, the list of autorun points on the "Logon" tab changes.

Explorer — information about Windows Explorer Shell Extensions and executable event handler modules (Shell Execute Hooks) is displayed. Malicious programs often introduce their entries into this group of autorun elements, providing the ability to control the infected system. The most common cases:

— adding an entry to the registry key that autoruns programs for the current user, HKCU\Software\Microsoft\Windows\CurrentVersion\Run;

— the same technique for all users, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run;

— the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, which defaults to the string C:\WINDOWS\system32\userinit.exe, (with a trailing comma). Windows automatically launches any programs listed after this comma. So, for example, the entry C:\WINDOWS\system32\userinit.exe,%TEMP%\svchost.exe ensures that in addition to the standard userinit.exe program, an svchost.exe is also launched; the legitimate svchost.exe can never be located in the temporary files folder \TEMP and is never run from this group of autorun points. Anything after userinit.exe needs to be deleted: such entries allow malware to run. userinit.exe performs the user profile initialization sequence and launches the shell, which in the Windows environment is Explorer.exe. Explorer implements the graphical user interface (GUI): the desktop, tools for working with shortcuts, folders, files, etc. If Explorer.exe fails to start, the user gets a blank desktop without any controls.

— the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, from which Windows reads the name of the user shell to start. The default string value is Explorer.exe. If it is different, there is most likely a viral infection.
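The two Winlogon rules above (Userinit must list only userinit.exe, Shell must be explorer.exe) are easy to apply mechanically. The following Python is an added example written for this page, not code from Autoruns or Windows: it splits the two values the way Windows does (on commas) and reports anything that deviates from the stock configuration. The sample values are constructed; on a live host they would be read from the Winlogon key with winreg, which is deliberately not done here so the check runs on any platform.

```python
"""Sanity-check the Winlogon Userinit and Shell values shown on the Logon tab.

Added example (not Autoruns code). Constructed sample values stand in for the
strings that would be read from the Winlogon registry key on a real system.
"""
import ntpath

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def _entries(value):
    """Split a comma-separated Winlogon value; the stock trailing comma yields no entry."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def _basename(path):
    # ntpath handles backslash paths on any platform; %TEMP%\svchost.exe -> svchost.exe
    return ntpath.basename(path).lower()


def check_winlogon(userinit, shell):
    """Return a list of findings; an empty list means both values look stock."""
    findings = []

    ui = _entries(userinit)
    if not ui or _basename(ui[0]) != "userinit.exe":
        findings.append(f"Userinit: first entry is not userinit.exe: {userinit!r}")
    for extra in ui[1:]:
        # Windows launches every program listed after userinit.exe
        findings.append(f"Userinit: extra program after userinit.exe: {extra!r}")

    sh = _entries(shell)
    if len(sh) != 1 or _basename(sh[0]) != "explorer.exe":
        findings.append(f"Shell: expected explorer.exe, found {shell!r}")

    return findings


# Constructed sample values: the stock configuration and a tampered one
STOCK = {"Userinit": r"C:\WINDOWS\system32\userinit.exe,", "Shell": "explorer.exe"}
SUSPECT = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,%TEMP%\svchost.exe",
    "Shell": r"explorer.exe,C:\Users\Public\update.exe",  # constructed second shell entry
}

if __name__ == "__main__":
    for name, vals in (("stock", STOCK), ("suspect", SUSPECT)):
        print(f"{name}: {check_winlogon(vals['Userinit'], vals['Shell']) or 'OK'}")
```

Each finding names the value and the offending entry, which is exactly what needs to be removed in Autoruns or the registry editor; the stock values produce no findings.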

Malicious programs can also use one-time autorun points (RunOnce, RunOnceEx parameters), rewriting the contents of these registry keys after each reboot or user registration.

Additional information about a suspicious file can be obtained by using an Internet search engine (menu Entry - Search Online) or via the right-click context menu. The easiest way is to send the suspect file to be checked by online scanners, for example the VirusTotal.com website.

Internet Explorer — displays a list of browser helper objects (BHO, Browser Helper Objects), Internet Explorer (IE) control panel elements, registered ActiveX elements, and additional modules (plugins) built into the Internet browser.

Exploiting vulnerabilities in Internet browsers is one of the most common methods of virus infection. A modern browser is actually a complex software package, a kind of interpreter of content received from the pages of visited sites, and in addition it is a software product whose properties can be expanded or changed using settings and additional software modules, including those implemented by third-party developers. These properties of Internet browsers are also used by malware creators. In addition to viruses, various unwanted software modules can be added to the browser that replace the search engine, download advertising, track user actions, replace the home page, etc. In most cases, a sign of unwanted software is an unknown publisher, information about which is displayed in the Publisher column.

Services — a list of system services automatically loaded by Windows is displayed. System services are loaded before user logon in accordance with the settings determined by the registry keys

HKLM\SYSTEM\CurrentControlSet\Control

HKLM\SYSTEM\CurrentControlSet\Services

Services that do not have a description, a digital signature, or that have an invalid digital signature should be checked first. An additional sign of unreliability can be the service starting from an unusual place - the temporary files directory \TEMP, user profile directories, a directory with a strange name. The executable files of the vast majority of system services are located in the \WINDOWS\System32 folder.

Drivers — a list of drivers that are allowed to run is displayed (the Start value in the driver's registry key is not equal to 4; a value of 4 means the driver is disabled). Sometimes there are serious viruses that use rootkit technologies to mask their presence in the system. In the event of such an infection, the malware installs a special driver that intercepts system calls and corrects the results of their execution in such a way as to prevent detection of its files, processes, and network connections. In serious cases, Autoruns will not help, and you will need to use special software to detect rootkits.

Scheduled Tasks — displays a list of tasks scheduled for execution by the Task Scheduler. Sometimes malware runs by creating a special task for the Windows Task Scheduler. The Autoruns utility allows you to get a list of tasks and disable any of them.

Image Hijacks — displays information about the use of a symbolic debugger for individual processes, the list and parameters of which are specified in the registry section

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Also displayed are autorun points that make it possible to start an extra executable alongside the command interpreter (command processor) and whenever any file with the .exe extension is opened.

Appinit DLLs — a list of all DLLs registered in the system through this mechanism is displayed. It is used to attach user libraries that are loaded together with user32.dll. The registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs usually contains no entries, but it can be used by legitimate programs as well as by malware, since it makes it possible to inject a DLL into every user process that loads user32.dll. If the key contains the name of a DLL, analyze the publisher information and the digital signature and, if necessary, perform an online check on VirusTotal.

Known DLLs — a list of DLLs that are loaded into application programs that reference them. The search for malicious DLLs can be performed using the same algorithm: analysis of the description, information about the publisher, the presence and validity of the digital signature, and, if necessary, checking with VirusTotal.

Boot Execute — programs that should be executed early in Windows startup (for example, a scheduled disk check at the next system reboot).

Winlogon Notifications — a list of DLLs that are registered to be triggered when events related to user logon or logoff, startup of the screen saver, shutdown or reboot occur.

Winsock Providers — a list of Windows service providers for accessing network functions. Typically, these are DLLs that can be loaded to allow applications to interact with network services. Sometimes antivirus or firewall libraries may be present in the list.

LSA Providers — a list of registered LSA (Local Security Authority) providers. LSA is part of the system for verifying user credentials and assigning a Security Context based on the user's account.

Print Monitors — a list of printer drivers that are loaded according to entries in the registry section

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

Sidebar Gadgets — a list of gadgets installed by users of Windows 7 and later OS.

Office — information about additional modules (add-ins) of office software.

The main menu (menu bar) of the Autoruns program.

The purpose of some menu items in the Autoruns utility is discussed above.

File main menu items:

  • Find — search for text in the current Autoruns output window.
  • Load — open a previously saved Autoruns report from a file.
  • Save — save the current Autoruns log.
  • Compare — compares the current Autoruns report with a previously saved one. Allows you to quickly identify new startup elements that have appeared since the comparison report was saved. New elements are highlighted in green.

Entry main menu items

Entry menu items refer to the selected report item on the current Autoruns screen. All options are also available from the right-click context menu.

  • Delete — remove the autorun item. It is impossible to restore a deleted element using the Autoruns utility itself, and thoughtlessly deleting critical startup elements can lead to a system crash. To block an element rather than delete it, clear the checkbox in the first column of that element's line.
  • Copy — copies the selected row data to the clipboard.
  • Verify — verify the digital signature of the selected element.
  • Jump to — as in most Sysinternals products, quickly jumps to the registry key or Windows directory associated with the given startup point. A very convenient mode that saves time and nerves when analyzing information. The jump can also be performed by double-clicking the selected element.
  • Search Online — Autoruns launches an Internet browser and uses it to search for information about the autorun point associated with the current report item. The search engine configured in the browser is used (for example, Yandex search).
  • Properties — display the properties of the executable file of the automatically launched process.
  • Process Explorer — launch Sysinternals' Process Explorer. Process Explorer must be present, and it must be possible to launch it via the PATH.

Program features

This utility allows you to check all automatically launched system components, including installed applications and services. Its well-designed interface makes it easy to find a particular program or to search for specific types of startup applications.

What the program can do:

  • full scan of running applications;
  • the ability to stop and start selected programs;
  • displays the full properties of the startup object;
  • monitoring of potentially dangerous programs.

The application allows you to conduct a comprehensive scan of programs allowed to autorun. It has a built-in filter that allows you to search for programs in certain categories:

  • system registry;
  • standard startup folder;
  • Windows 10 services;
  • etc.

Autorunsc is a variant of Autoruns for use on the command line.

Autorunsc is a command line variant of Autoruns. Convenient to use for collecting and processing data about automatically running processes on remote computers, tracking changes in autorun, etc.

Command line format:

autorunsc [-a[*]

  • -b — objects executed in the early stages of loading (Boot Execute);
  • -c — write the output to a CSV file;
  • -d — application initialization DLLs;
  • -e — Explorer add-ons;
  • -g — sidebar mini-applications (gadgets);
  • -h — image file interceptors (Image Hijacks);
  • -i — Internet Explorer additional components;
  • -l — items that automatically start when you log in (this is the default);
  • -m — do not show items digitally signed by Microsoft;
  • -n — Winsock protocol providers;
  • -p — print monitor drivers;
  • -r — LSA providers;
  • -s — services in automatic startup mode and drivers that are not disabled;
  • -t — scheduled tasks;
  • -v — check digital signatures;
  • -w — Winlogon elements;
  • -x — print output in XML format;
  • -z — specify an inactive (offline) Windows system to scan;
  • user — show startup objects for the specified user account.

Examples of using:

autorunsc /?

— display a hint on how to use the program.

autorunsc -a *

— display all autorun elements in this system.

autorunsc64.exe -a * | find /i "adobe"

— display all startup elements associated with Adobe software products.

autorunsc -ab

— display autorun elements associated with booting this system.

autorunsc -s *

— display information about automatically starting services and drivers.

autorunsc -s * > services.txt

— the same as in the previous example, but with the results written to a text file.

autorunsc64.exe -aw -m

— display information about startup items for Winlogon, excluding entries for Microsoft software products.

autorunsc64.exe -aw -x

— the same as in the previous example, but with the results presented in XML format.
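Autorunsc output is most useful when it is processed rather than read: the Services heuristics given earlier (missing description, unverified signature, image in \TEMP or a user profile directory) and the File - Compare function can both be applied to saved reports in a script. The following Python is an added example written for this page, not Autoruns code. It parses a constructed report in the shape produced by `autorunsc -a * -c -v` (the column names used here are an assumption modelled on that output; the exact set varies between versions, so the code keys on header names rather than positions), flags entries that match the heuristics, and lists entries absent from a saved baseline, which is what Compare highlights in green.

```python
"""Triage autorunsc CSV output and diff it against a saved baseline.

Added example (not Autoruns code). The header and rows below are constructed
to resemble 'autorunsc -a * -c -v' output; real reports are read from a file.
"""
import csv
import io

# Assumed column set; DictReader keys on these names, so extra columns are harmless.
HEADER = ("Entry Location,Entry,Enabled,Category,Profile,Description,Signer,"
          "Company,Image Path,Version,Launch String")

# Constructed rows: a stock Windows entry, a signed task living in a user profile,
# and an unsigned service started from the user's temporary files folder.
ROW_STOCK = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,"
             r"System-wide,Windows Security notification icon,(Verified) Microsoft Windows,"
             r"Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0,"
             r"%windir%\system32\SecurityHealthSystray.exe")
ROW_TASK = (r"Task Scheduler,\OneDrive Standalone Update Task,enabled,Tasks,alice,"
            r"OneDrive Standalone Update Task,(Verified) Microsoft Corporation,Microsoft Corporation,"
            r"c:\users\alice\appdata\local\microsoft\onedrive\onedrivestandaloneupdater.exe,23.0,"
            r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe")
ROW_SUSPECT = (r"HKLM\System\CurrentControlSet\Services,UpdSvc,enabled,Services,System-wide,,"
               r"(Not verified) Contoso Ltd,,c:\users\alice\appdata\local\temp\updsvc.exe,1.0,"
               r"C:\Users\alice\AppData\Local\Temp\updsvc.exe")

BASELINE_CSV = "\n".join([HEADER, ROW_STOCK, ROW_TASK]) + "\n"              # saved earlier
CURRENT_CSV = "\n".join([HEADER, ROW_STOCK, ROW_TASK, ROW_SUSPECT]) + "\n"  # taken today


def parse_report(text):
    """Parse CSV text into a list of dict rows keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def _reasons(row):
    """Apply the page's heuristics to one row and return the reasons it is suspicious."""
    reasons = []
    signer = row.get("Signer", "").strip().lower()
    if not signer or signer.startswith("(not verified)"):
        reasons.append("signature missing or not verified")
    path = row.get("Image Path", "").strip().lower()
    if "\\temp\\" in path:
        reasons.append("image runs from a temporary files directory")
    if path.startswith("c:\\users\\") or "\\documents and settings\\" in path:
        reasons.append("image runs from a user profile directory")
    if not row.get("Description", "").strip():
        reasons.append("no description")
    return reasons


def triage(text):
    """Map (location, entry) -> reasons for every enabled entry with at least one reason."""
    flagged = {}
    for row in parse_report(text):
        if row.get("Enabled", "").strip().lower() != "enabled":
            continue  # disabled entries cannot run; skip them
        reasons = _reasons(row)
        if reasons:
            flagged[(row["Entry Location"], row["Entry"])] = reasons
    return flagged


def new_entries(baseline_text, current_text):
    """Entries in the current report that the saved baseline does not contain."""
    seen = {(r["Entry Location"], r["Entry"]) for r in parse_report(baseline_text)}
    return [(r["Entry Location"], r["Entry"]) for r in parse_report(current_text)
            if (r["Entry Location"], r["Entry"]) not in seen]


if __name__ == "__main__":
    for key, reasons in triage(CURRENT_CSV).items():
        print(f"{key[1]} ({key[0]}): {'; '.join(reasons)}")
    print("new since baseline:", new_entries(BASELINE_CSV, CURRENT_CSV))
```

The signed OneDrive task is still reported, with only the "user profile" reason, because the heuristics are hints for a human reviewer rather than a verdict: an entry with a single weak reason and a verified Microsoft signature ranks far below the unsigned, undescribed service in \TEMP, which trips all four. To use real data, replace the constructed strings with the contents of a file written by `autorunsc -a * -c -v > report.csv`.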

Practical recommendations for using Autoruns.

One of the main purposes of Autoruns is to search for and neutralize malicious software. Powerful capabilities for examining and neutralizing startup elements make it easy to deal with an infection that has entered the system. Any virus that is deprived of the ability to run automatically becomes completely harmless, such as a regular text file stored on a computer.

If you have any doubts about any autorun item listed in the Autoruns output list, try conducting detailed research on it using the following techniques:

— Analyze the description, the publisher information, and the presence and validity of the digital signature.
— Double-click the item being examined and check its autostart point in the registry or file system directory.
— Use the Search Online menu item or Ctrl+M to get more information from an online search.
— If you have a saved log of previous sessions, compare the current data with the saved data (menu File — Compare).
— Submit the file for online verification by VirusTotal.com. If the file is malicious, the VirusTotal service will confirm this with a high degree of probability.
— For a detailed analysis of the activity of a suspicious process, use the related Sysinternals utility Process Explorer. You can call it directly through the context menu item for the selected autorun item.

Today, Autoruns, supported by its developers for many years, is one of the most effective programs for controlling autorun. However, real-time autorun monitoring programs are becoming increasingly popular. Such programs start automatically and constantly monitor the state of startup elements, taking action when any software tries to "register" for automatic start. The main disadvantages of such programs are clearly the increased consumption of system resources and the inability to fully control all autorun elements. Examples of such monitoring programs are the free Anvir Task Manager, characterized by increased resource consumption, and the less voracious but significantly less capable PT Startup Monitor.

Working with the Autoruns interface

You can download the Autoruns tool from the Sysinternals website, like all the other Sysinternals tools, and run it without installation.

Note: Autoruns doesn't require you to run as administrator, but it actually makes sense to just do so since there are several features that won't work otherwise, and there's a good chance your malware is running as administrator.

When you first launch the interface, you will see many tabs and a list of things that automatically start on your computer. The Everything tab displays everything from each tab by default, but it can be a little confusing and lengthy, so we recommend just browsing through each tab individually.

It's worth noting that by default, Autoruns hides all built-in components in Windows that are set to run automatically. You can enable the display of these elements in the settings, but we don't recommend it.

Disabling programs and services from startup

To disable any item in the list, you can simply uncheck the box. That's all you need to do, just go through the list and remove everything you don't need, restart your computer and start it again to make sure everything is ok.

Note: some malware will constantly track the places where they have set their autorun and immediately return the value back. You can use the F5 key to rescan and see if any entries have returned after you disabled them. If one of them appears again, you should use Process Explorer to pause or kill this malware before disabling it here.
