One common complaint about Windows is that there is no one central location where programs can be triggered to run automatically at startup or login.
To be fair, this complexity is unavoidable because of the number of things that depend in some way on a startup process: the shell, the user login, the system's auto-started services, and programs that need to run after login to complete an installation process. Most of the programs that let a user explore what the system starts automatically have been limited to a few Registry locations and don't cover the whole picture.
Now we have Autoruns, a utility courtesy of the geniuses at Sysinternals, Mark Russinovich and Bryce Cogswell. Autoruns scans all of the locations within the system Registry that contain information about programs started automatically at boot or login, and returns them all in a comprehensive, interactive and tab-organized report. The reports list Registry entries as well as paths to the executable image (if any) referred to in that entry.
Here's a quick overview of the categories Autoruns covers:
Logon: Everything that runs when the current user logs in, including the shell itself (typically explorer.exe).
Services: All automatically started system services, including whatever summary information is available about that service.
Explorer: Extensions loaded into Explorer itself, which includes shell extensions. If you hide all Microsoft-signed extensions (one of the program's options), you can see a list of all third-party shell add-ons -- useful for debugging problems with Explorer that can arise if a troublesome shell extension is installed and never removed correctly.
Internet Explorer: Extensions loaded by IE. If you hide all Microsoft-signed code, you can use this list to determine if an allegedly removed third-party add-on is still present in IE and causing problems -- or if there are third-party add-ons you never authorized to be installed.
Scheduled Tasks: Any programs set by the Task Scheduler.
Boot Execute: Executables that run early in the boot process, such as disk checking tools.
Image Hijacks: A very esoteric and powerful category of auto-run. The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options key in the Registry allows you to provide custom execution options for specific program images; I wrote previously about some really amazing things you can do with this particular key, such as block some applications from running at all.
AppInit: DLLs registered with the system that load with all processes.
KnownDLLs: DLLs registered with the system as described in Microsoft Knowledge Base Article 164501; also used to disambiguate 16- and 32-bit editions of DLLs.
Winlogon: All tasks run at Windows logon, regardless of the user.
Winsock Providers: All network protocols loaded by the system. Some malicious software programs like to install their own network components here, so browsing this list can be useful if you suspect you've been infected by such a program.
Right-clicking on any entry will let you launch a Google search on that item, as well as look for a corresponding image name in Sysinternals' excellent Process Explorer. There's also a command-line version in addition to the GUI version, which can generate text reports, and the program runs on both 32- and 64-bit editions of Windows.
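To spot-check the Image Hijacks location by hand, here is a read-only PowerShell sketch; it is an added example, not code from Autoruns or Sysinternals. It assumes the redirection is stored in the key's standard `Debugger` value and also checks the 32-bit `WOW6432Node` view, which the article does not mention; the function name `Get-IfeoDebuggerEntry` is made up for this illustration.

```powershell
# Added example: list Image File Execution Options (IFEO) subkeys that carry a
# Debugger value, and show whether the program they redirect to is signed.
# Read-only. Run elevated so protected subkeys are not silently skipped.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # Assumption: 32-bit registry view on 64-bit Windows, not named in the article.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntry {
    param([string[]]$Root = $ifeoRoots)

    foreach ($path in $Root) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        foreach ($sub in Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue) {
            $debugger = [string]$sub.GetValue('Debugger')
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            # First token of the command line: a quoted path, else text up to the
            # first space. Unquoted paths containing spaces end up 'Unresolved'.
            if ($debugger -match '^\s*"([^"]+)"') { $exe = $Matches[1] } else {
                $exe = ($debugger.Trim() -split '\s+')[0]
            }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            # Resolve full paths and bare names (via PATH) to a file on disk.
            $cmd = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
                   Select-Object -First 1
            $status = 'Unresolved'
            $signer = $null
            if ($cmd) {
                $sig = Get-AuthenticodeSignature -LiteralPath $cmd.Path
                $status = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [pscustomobject]@{
                Image     = $sub.PSChildName   # program whose launch is redirected
                Debugger  = $debugger          # what runs in its place
                Signature = $status            # Valid, NotSigned, Unresolved, ...
                Signer    = $signer
                Key       = $sub.Name
            }
        }
    }
}

Get-IfeoDebuggerEntry | Sort-Object Image | Format-List
```

An empty result means no image under either key has a `Debugger` value set. Any row whose Signature is not `Valid`, or whose Signer you don't recognize, is worth comparing against the Image Hijacks tab in Autoruns.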
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!
This was first published in August 2005.