Sysinternals' Autoruns utility digs into your system to find all programs that load and run automatically when Windows starts up.
Autoruns goes beyond just checking your Startup folder. The utility seeks out programs referenced in many obscure Registry keys that most people never know about, system services that might not be visible and Explorer shell extensions.
Here are six ways you can use Autoruns to get to the bottom of many possible problems stemming from unknown or unwanted applications loading automatically.
- Look in Explorer | Shell Extensions/Approved for problem programs that cause Explorer to choke on a right-click. Explorer allows third-party programs to "hook into" it, allowing things like custom right-click context menus on certain files or other actions. If a program was uninstalled or damaged and its shell extension was never properly removed, it might still be stuck here. You can also check to see if malware might be festering here: look in the Publisher column to determine what's not actually a Microsoft or properly signed application. If you see something you don't want, uncheck it to disable it.
- Verify code signatures. This option, in the Options menu, causes Autoruns to check each program it finds against that program's code signature. If there isn't one, or it can't be verified, the words "(Not verified)" will show up in the Publisher column of any of the tabs. Note that this isn't itself a sign of something suspicious, but it can be a useful way to root out unwanted programs.
- Hide signed Microsoft entries. This is another way to tease out unwanted or unknown applications. Select this option, also in the Options menu, and on the next scan, signed Microsoft code will no longer be displayed. The implication is that anything signed with a verified Microsoft code signature is OK and can be ignored for now.
- Look in Image Hijacks for possible malware. The Image Hijacks tab lists programs that use custom low-level system hooks. For instance, if you have Sysinternals' Process Explorer set up as your replacement for Task Manager, you'll see it listed here. Anything you see here that doesn't have a verified publisher or doesn't seem familiar at all should be suspect.
- Look in Internet Explorer for malware. The Internet Explorer section has three subsections that are breeding grounds for unwanted applications: the Browser Helper Objects or BHOs section (which is where most spyware gets a foothold in IE), the Toolbar and the Extensions section. Some third-party elements in the latter two lists are useful -- for instance, the Java plug-in from Sun Microsystems Inc. may show up in Extensions -- but if you're suffering from crashes because of the behavior of a given extension, try unchecking it here to turn it off for now.
- Look in Winlogon | GinaDLL for possible problem applications when dealing with cantankerous logins or sign-ons. The GinaDLL section in Winlogon allows third-party code authors to create extensions to the login/sign-on process. If one of these extensions creates problems with login, try disabling it from here. Some third-party GinaDLL extensions don't support things like Fast User Switching or the new Welcome Screen functions in Windows XP, so they might need to be manually disabled from here.
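The "Verify code signatures" and "Hide signed Microsoft entries" tips can be applied the same way to scan results saved for review. The following is an added example, not part of the original article or of Autoruns itself: it assumes the rows were exported to CSV with the hypothetical column names Location, Entry, Publisher and ImagePath, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample rows; the column names are assumptions for this example.
SAMPLE_CSV = r"""Location,Entry,Publisher,ImagePath
Explorer\Shell Extensions\Approved,Display Panning CPL Extension,(Verified) Microsoft Windows,c:\windows\system32\deskpan.dll
Explorer\Shell Extensions\Approved,OldZip Context Menu,,File not found: c:\program files\oldzip\menu.dll
Image Hijacks,taskmgr.exe,(Verified) Example Tools Ltd,c:\tools\procexp.exe
Internet Explorer\Browser Helper Objects,Search Assistant,(Not verified) Microsoft Corporation,c:\windows\temp\srchasst.dll
Winlogon\GinaDLL,vpngina.dll,(Not verified) Example VPN Inc,c:\windows\system32\vpngina.dll
"""

# Review order, lowest first. A verdict is a lead to follow up, not proof.
PRIORITY = {"unverified-claims-microsoft": 0, "unverified": 1,
            "missing-file": 2, "verified-third-party": 3}


def classify(row):
    """Map one row to a verdict using the Publisher and ImagePath columns."""
    publisher = row["Publisher"].strip()
    if row["ImagePath"].lower().startswith("file not found"):
        return "missing-file"  # leftover of an uninstalled or damaged program
    if publisher.startswith("(Verified)"):
        words = publisher[len("(Verified)"):].lower().split()
        # Only a *verified* Microsoft signature is hidden from review.
        return "hidden" if words[:1] == ["microsoft"] else "verified-third-party"
    name = publisher.replace("(Not verified)", "").lower()
    # Without a verified signature the publisher name is only what the file
    # claims about itself, so an unverified "Microsoft" entry is ranked first.
    return "unverified-claims-microsoft" if "microsoft" in name else "unverified"


def triage(csv_text):
    """Return (verdict, location, entry) tuples to review, most urgent first."""
    rows = csv.DictReader(io.StringIO(csv_text.strip()))
    found = [(classify(r), r["Location"], r["Entry"]) for r in rows]
    shown = [f for f in found if f[0] != "hidden"]
    return sorted(shown, key=lambda f: PRIORITY[f[0]])


if __name__ == "__main__":
    for verdict, location, entry in triage(SAMPLE_CSV):
        print(f"{verdict:28} {location} -> {entry}")
```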
Serdar Yegulalp is editor of the Windows Power Users Newsletter.
This was first published in November 2005