How to change the boot sequence in the autoruns program. How to install Autoruns for Windows in Russian? Presetting for Users Registered on the Computer

Autoruns is one of those programs that you quickly get used to because they are so useful. The utility not only helps manage startup applications, but also lets you solve a whole range of problems that are common to Windows computers.

The secret behind Autoruns' success is very simple: it combines the functionality of the Task Manager and the Services utility with some additional features in one handy application.

Unfortunately, many users do not know about Autoruns or simply do not know how to use this utility. For those who are new to Autoruns - or just want to brush up on what they already know - here are five helpful tips for using this tool.

1. Don't rely solely on Autoruns to protect you from online threats

Yes, Autoruns allows you to prevent the automatic launch of malware, spyware and some viruses, but this does not mean that the utility can provide comprehensive system protection against cyber threats. In fact, Autoruns should not be considered a security tool at all. The program can temporarily help protect against viruses and malware, but is not able to prevent their penetration into the system. The only truly sane way to use Autoruns to fight viruses is to temporarily disable suspicious applications for their subsequent removal.

2. Use Autoruns to manage startup programs

It makes no sense to add and remove programs from the "Startup" folder manually if you have Autoruns. The utility copes with this task much more efficiently. With Autoruns you can see a list of all programs that start automatically and enable or disable the unnecessary ones. Disabled applications are not removed from the list, so it is very easy to re-enable them later. This eliminates the need to look for the program's executable file and create a shortcut in the Startup folder. In addition, Autoruns allows you to manage applications that are normally hidden from the user.

3. Use Autoruns to Manage Internet Explorer Add-ons

Some Internet Explorer add-ons can disrupt the normal operation of the system, and I have had to deal with such situations more than once. The easiest way to disable a broken toolbar or plugin is through Autoruns. This is especially useful if the add-on is preventing IE from launching. Just open Autoruns, go to the "Internet Explorer" tab and disable the suspicious plugin. If you don't know which add-on is causing the problem, disable all but one of them and try running IE. If the browser does not start, then this add-on is to blame. Disable it, enable all the others and restart IE, then remove the faulty plugin or try reinstalling it.

4. Search for background information on the Internet

Autoruns has a great built-in search feature that allows you to highlight an item and search the web for related information. This is especially useful if no information about the process is specified (except perhaps a registry key, and that's it). Before taking any action, right-click the object and select the "Search Online" option. Autoruns will redirect you to a browser with a list of search results for the exact object name. This will help you understand exactly what function this process performs. For example, on the "Everything" tab there is an object "pku2u.dll". If you select it and use an Internet search, you can find out that this DLL is an integral component, which means that you should not remove or disable it.

5. Save your settings

I use the save, load and export feature of Autoruns very often.
This allows you to apply different startup configurations on the same computer. To take advantage of this feature, configure Autoruns for a specific task and save the configuration via "File | Save". The settings will be saved in a file with the extension ".arn". To load a specific configuration, use "File | Open" and select the desired settings file. Be sure to keep at least one file with a verified working Autoruns configuration on hand. It is useful not only for restoring settings after a failure, but also for comparing with the current configuration, which can be done using "File | Compare". Select a file to compare and click Open. All new objects that are not present in the original configuration will be highlighted in green. This is very convenient because it lets you quickly remove unnecessary objects that are not present in the verified configuration.
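The same baseline comparison can be scripted over CSV exports of the kind the command-line Autorunsc writes with its -c option. The following is an added example, not part of the original article or of Autoruns itself; the column names and both sample exports are constructed assumptions, and it goes beyond the green "new object" highlighting by also reporting removed, changed and re-enabled entries.

```python
import csv
import io

# Constructed sample exports (not real scan output). The header names are an
# assumption about the CSV layout; adjust them to match your own export.
BASELINE_CSV = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,RtHDVCpl,enabled,(Verified) Realtek Semiconductor Corp.,c:\program files\realtek\ravcpl64.exe,C:\Program Files\Realtek\RAVCpl64.exe -s
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,IgfxTray,enabled,(Verified) Intel Corporation,c:\windows\system32\igfxtray.exe,C:\Windows\system32\igfxtray.exe
HKLM\System\CurrentControlSet\Services,PowerDVD RC Service,disabled,(Verified) CyberLink,c:\program files\cyberlink\pdvdserv.exe,C:\Program Files\CyberLink\PDVDServ.exe
"""

CURRENT_CSV = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,RtHDVCpl,enabled,(Not verified) Realtek Semiconductor Corp.,c:\users\public\ravcpl64.exe,C:\Users\Public\RAVCpl64.exe -s
HKLM\System\CurrentControlSet\Services,PowerDVD RC Service,enabled,(Verified) CyberLink,c:\program files\cyberlink\pdvdserv.exe,C:\Program Files\CyberLink\PDVDServ.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,tbnotifier,enabled,(Not verified) Example Toolbar,c:\program files\toolbar\tbnotifier.exe,C:\Program Files\Toolbar\tbnotifier.exe
"""

KEY_FIELDS = ("Entry Location", "Entry")                    # identity of an autostart entry
WATCHED_FIELDS = ("Image Path", "Launch String", "Signer")  # what must not drift


def load_entries(csv_text):
    """Index the rows of one export by (location, entry name), case-insensitively."""
    entries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple((row.get(f) or "").strip().lower() for f in KEY_FIELDS)
        # Skip the None key that DictReader uses for surplus cells in a row.
        entries[key] = {k: (v or "").strip() for k, v in row.items() if k}
    return entries


def compare(baseline, current):
    """Return what changed between a trusted baseline and the current state."""
    report = {"added": [], "removed": [], "changed": [], "re_enabled": []}
    for key, row in current.items():
        old = baseline.get(key)
        if old is None:
            # Equivalent of the entries Autoruns highlights in green.
            report["added"].append(row["Entry"])
            continue
        drift = [f for f in WATCHED_FIELDS
                 if old.get(f, "").lower() != row.get(f, "").lower()]
        if drift:
            # Same registry entry, different binary or signer: worth a close look.
            report["changed"].append((row["Entry"], drift))
        if old.get("Enabled", "").lower() == "disabled" \
                and row.get("Enabled", "").lower() == "enabled":
            # Something turned a disabled entry back on.
            report["re_enabled"].append(row["Entry"])
    report["removed"] = [baseline[k]["Entry"] for k in baseline if k not in current]
    return report


if __name__ == "__main__":
    result = compare(load_entries(BASELINE_CSV), load_entries(CURRENT_CSV))
    for kind, items in result.items():
        print(f"{kind}: {items}")
```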

Lifesaver

The Sysinternals Autoruns utility should be in the arsenal of every self-respecting administrator. It not only helps fight malware and viruses, but also lets you fine-tune the applications that start automatically when Windows boots. When used properly, Autoruns helps keep systems running smoothly.

In this article, I will tell you about a utility called Autoruns that gives you full control over startup on your computer. What is it for? First, you can use it to turn off unnecessary programs and services that you don't need right after the computer boots (you can start them manually later if necessary). The more such programs are loaded along with the computer, the longer it takes to boot and reach full "combat" readiness. Secondly, in case of any problems in Windows, the Autoruns utility can help you disable the source of the problem, whether it is an autoloading program, service, or driver.

Every version of Windows also has a built-in way to manage autorun programs, but the catch is that only autorun programs can be configured there, and most often this system utility does not pick up all of them. Accordingly, you cannot see in detail the whole range of startup programs from different sections of the system and programs, or the drivers and services.

The Autoruns program was previously released by Sysinternals and in 2006 the entire company was bought by Microsoft. All programs are now owned by Microsoft.

Downloading and running the Autoruns program

The latest version of the program is available from the official Microsoft website via a direct link:

The program is downloaded as a ZIP archive. It works without installation on the computer, i.e. it runs directly from the folder.

Unpack the archive before starting the program.

Do not work with the program directly from the archive! This applies to any program.

After unpacking the archive, there will be 4 files in the folder with the program to run. Run the file named Autoruns and you will see the program window.

Files named Autorunsc are intended for using the program in command-line mode. The x64 suffix at the end of the filename indicates that the program is meant to run only on 64-bit Windows systems; it is better to run the normal version of Autoruns anyway (the one for 32-bit systems).

Working with Autoruns

Program interface

After starting the program window will look like this:

The program officially supports only English, but even so it is not difficult to deal with the program.

All autostart services in the program are divided into sections (1). When you open the tab for a section, a list of the related services appears in the center of the window.

If the Everything tab is open (displaying services from all sections at once), the list is divided by sections (2). Some services are marked yellow (3). This means that the file needed to run this program or service does not exist in Windows and only an entry in the registry remains. Such records can be deleted without consequences. Pink (4) highlights those services that the program considers suspicious. However, you should not rely entirely on the logic of the program, since it often considers even really safe programs suspicious.

Everything that is ticked (as a rule, it is more than 90% of the list) is loaded automatically for you either at system startup or when other events are performed.

It is most convenient to use the main Everything section, since everything is displayed through it at once. Separately, as a rule, you may need to look into the sections:

    Scheduled Tasks. Programs scheduled to run through the Windows Task Scheduler utility.

    Services. Windows autostart services are listed here.

    Drivers. Drivers loaded by Windows (programs for managing computer devices).

    Winlogon. Programs that start when Windows starts.

    Logon. Programs that run when a user logs on to Windows.

All other sections are easier to view through the general Everything tab.

The autoload output list is made in the form of a table. Purpose of the table columns:

    Autorun Entry. The autorun file itself, the driver, or the service is listed here.

    Description. This column displays a description for each startup item, from which you can often see what this or that item is for.

    Publisher. The publisher of the file, i.e. the developer. If (Verified) is shown in brackets, the publisher is verified, i.e. this is the original file and not a spoofed one (for example, replaced by a virus).

    Image Path. The path to the file in Windows Explorer.

    Timestamp. File modification time. Sometimes a wrong time may appear here, for example one in the future.

    VirusTotal. The result of checking autorun files for possible infection through the virustotal.com website.

Autoload settings

To remove services from startup, simply uncheck the boxes next to them. Changes are applied immediately: at the next Windows boot, the services that you unchecked will no longer be loaded.

You need to work with autoload very carefully! When you disable many services, your system may end up not booting!

I strongly recommend that before you start looking for the source of a problem by disabling startup items, you hide all Windows system services, namely those from Microsoft, in the settings. To do this, open the Options menu and select Hide Microsoft Entries. The Hide Windows Entries item will turn off automatically.

Leave the Hide Empty Location option always enabled, as it allows you to hide empty entries.

When services are disabled from startup, their corresponding entries in the Windows registry will still remain. To completely remove a service from startup, right-click on it and select Delete.

You should delete only those startup items that remained after the removal of the programs themselves! After deleting something from startup, it will not be possible to restore it later! Therefore, before deleting something for good, first check how the computer works with the item simply disabled rather than deleted.

To see which file and (or) entry in the Windows registry a particular startup item belongs to, right-click on it and select one of the options: Jump to Entry or Jump to Image.

By choosing the first option, the Windows registry will open immediately on the entry that corresponds to the selected autorun item.

Choosing the second option will open the Windows Explorer folder with the file that corresponds to the selected autorun item.

This is useful when you need to know what exactly the file is in autorun and where it is located visually in Windows Explorer.

Thus, you can either disable unnecessary programs, services and drivers from system startup, or find the source of a problem in Windows by disabling items in batches (for example, 5-10 at a time) and checking after each batch.

Conclusion

The Autoruns program can be very useful in cases where you need to fix some kind of problem in the system, for example, to permanently get rid of some advertising banner or a virus, in the case when the antivirus does not remove everything and the virus is still active.

The Autoruns program once helped me fix a problem in Windows 10 related to the driver. Then my computer did not restart, did not turn off and could not go into any of the sleep modes. By sequentially disabling startup items through the Autoruns program, we managed to identify a failed driver in the system!

Also, of course, you can use this program simply to remove programs you don't need from autorun in order to lighten the load on Windows while it boots.

But always use the program with caution!

Autoload (not to be confused with autorun, the function that automatically opens programs from a connected disk or flash drive) is needed so that after the computer is turned on, both the programs necessary for Windows to operate and third-party programs are launched. For example, an antivirus must be launched among the first to get ahead of possible threats. The Desktop (explorer.exe) is also a program, part of the operating system, and is launched almost first of all, even before antiviruses.

There are many ways to launch programs automatically, and they can be tracked by special programs. More on the best of them below, but first about which programs are most often registered in Windows startup.

What happens in autoload

Antiviruses. These are the programs most often found in the startup of most computers. Provided, of course, that you care about the security of your computer.

Driver components. For example, Intel video card drivers register programs with the obscure names hkcmd and igfxtray, designed to handle hot keys and display the settings icon in the tray (near the clock). AMD and nVidia have similar programs.

Drivers for digital cameras like to register startup programs that detect when the camera is connected and offer to do something with the photos.

The Realtek sound card driver registers the RAVCpl64.exe program. This is the Realtek HD Manager, without which the sound in some cases will not be directed to the connected headphones.

The usefulness of a lot of software that comes with drivers is questionable, but you have to be careful. Fortunately, everything can be turned back on.

Manufacturer programs for the correct operation of a laptop. If Windows is installed on a laptop, there will be any number of autoloading programs for WiFi control, hotkeys, power saving and so on. Some you can do without, some are necessary.

If half of the functions stopped working after reinstalling Windows on a laptop, even after installing the necessary drivers, the problem is precisely the missing auxiliary software. Go to the manufacturer's website and download what is required from the page for your laptop model.

Programs for the correct operation of a desktop PC. Owners of PC builds from eminent manufacturers Acer, Dell and others may find software similar to the laptop helper. Most often, these are programs for encrypting and backing up information, the removal of which will not interfere with the operation of the computer.

Toolbars, adware, viruses. Frequent guests on the computers of even advanced users. Do you get ads when you open your browser? The computer in a sugary voice promises profit from investing money in another pyramid? Is your VKontakte password constantly stolen? It's all of them - trojans and advertising chr ... bullshit.

Services stand apart. These are programs we do not see that do important (and not so important) work. It is better not to disable standard Windows services, but third-party ones you can. For example, the popular PowerDVD player installs the PowerDVD RC Service (PDVDServ.exe). It is needed to control video playback from a remote control. But a remote control is not always present, so the service can be turned off.

System programs. Without them, your computer will not work as it should. This includes the Explorer program (explorer.exe), which doubles as the Desktop, and the services and drivers that are part of the system. They are easy to distinguish from third-party ones and should not be turned off.

Why clean autoload?

Maybe leave everything as it is?

If you are lazy, afraid, or happy with everything as it is, close the tab and carry on in peace. But if a rebellious spirit lives in you and wants your computer to boot faster and incomprehensible programs to stop appearing, cleaning up startup will be the right step. Just be careful and do it with a fresh mind.

By learning how to clean startup, you can make it easier for any computer (or laptop) that falls into your hands. This requires a little of your time, as well as a program like or autoruns.

Autoruns program

The free Autoruns program will let you know about all the programs that run after you turn on your computer.

You can download Autoruns from a direct link. The language is English only. There are Russian versions of Autoruns on the Internet, but there is no guarantee that they will be the newest.

You don't need to install the program (and you couldn't anyway); just unzip the file autoruns.exe somewhere.

There are two versions in the archive: autoruns.exe (more on it later) and the console version autorunsc.exe, which most home computer users do not need.

I advise you to run the program as an administrator so that it gets the maximum rights in the system and can disable everything-everything-everything.

When you first start the program, you need to agree to the license agreement by clicking "Agree".

I strongly advise you to create a restore point before disabling something. If you don't know what it is, read the chapter of my other article about the AVZ program.

Program window

Autoruns is easy to use. The main window of the program is a list of all programs that start when Windows boots. The Everything tab shows all launched programs together; the remaining tabs cover individual launch methods:

The large number of tabs and lines can be confusing. Fortunately, it is possible, and necessary, to filter out "unnecessary" items. Not by unchecking the box (that excludes the program from autorun), but by using the settings, which I will discuss later. Once most of the items disappear, it becomes easier to make sense of the rest.

Enabling virus scanning

We need to remove Windows components and isolate probable viruses. To do this, press the menu Options - Scan Options - mark the checkboxes, as in the screenshot below, click Rescan:

To better understand what you are doing, I will tell you about the points:

  • Scan only per-user locations - only programs in the user folder are scanned. A useless item, because viruses can be in any folder on the disk.
  • Verify code signatures - each program, including system ones, has a digital signature that proves the program comes from a particular publisher and that the file has not been changed (virus code has not been embedded in it). This checkbox is needed to detect the substitution of system files, which many malicious programs perform.
  • Check VirusTotal.com - checks each autorun element for viruses using the VirusTotal online service. In effect, this is a check by several dozen antiviruses. It does not give a 100% guarantee of detection, because autorun may contain a harmless program that in turn launches a virus, and this cannot be identified. Requires a working Internet connection. If you get a window "You must agree...", press Yes/Yes.
  • Submit Unknown Images - sends for checking those programs that are not found in antivirus databases. If you have a slow Internet connection, it can greatly slow down the autorun check (up to 10-15 minutes), but you can be sure that everything will be checked.

After pressing Rescan the program will update the list for a long time, checking each program for its "harmfulness".

If you do not have the Internet, I advise you to download any and check your computer with them. Unfortunately, because of this, it will not be possible to find out if there were viruses in the autoload: the antivirus will remove them without notifying you whether they started automatically.

We remove viruses from startup - what do different colors mean

At this point, we need a tab Everything to see all the ways to launch programs.

After the list is updated, some items will turn yellow and pink, and some will have red numbers next to them.

Items highlighted in yellow should not be touched. Yellow indicates that the program is missing but its startup item remains. Unfortunately, Autoruns does not always correctly determine whether driver files are in place and sometimes highlights them in yellow; disabling such an item leads to glitches, up to the operating system failing to start, so it is better not to touch them until you figure out what is what.

Pink points and numbers indicate problems:

If you see a label like 16/57, then most likely this entry starts a virus. The number on the left (16) shows how many antiviruses detected malware, the one on the right (57) how many scanned the file in total. Clicking on the label opens a page with details: which antiviruses triggered, what the infiltrated evil is called, and when it was first discovered. If only one or two antiviruses triggered (1/57), then in 99% of cases this is a false alarm and the item can be ignored.

If you want, you can google by name and find out the details, but the most important thing is to do the following:

1. Uncheck such an item. This disables autorun of the program, which is equivalent to deletion, except that you can later put everything back (in case of a false alarm).

2. Think about changing your antivirus, because it stayed silent. I wrote about free antiviruses able to compete with their "big" brothers back in 2012. The advice is still relevant today.

3. Restart the computer and run Autoruns again. If time is precious, just press F5 on the keyboard to update the list. This will help detect viruses that put themselves back into startup. If there are any, I advise you to check your computer with a free one, which removes threats more aggressively. There is also a free program, which is used by many specialists, but it is difficult for beginners to master. Next, I will talk about how to remove such programs manually.

Items highlighted in pink require attention. They mean that the program does not have a digital signature. Even viruses can have a digital signature if their creators forked out for one, so you should pay attention to its absence only when programs from Microsoft, the authors of Windows, lack it.

An example of the fact that everything is fine with the file is below:

If it said (Not verified) Microsoft Corporation, it would be worth figuring out what kind of program it is or whose component it is. But this is for advanced users; for starters, the checkbox should be cleared only when there is a red label on the right.

Bottom line: we run through the list on the “Everything” tab (“All”), disabling the detected viruses, and restart the computer.
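The colour and ratio rules from this section can be written down as a triage function over an exported list. This is an added example, not code from the article or from Autoruns; the column names, the "File not found" marker in the image path, the verdict labels and every sample row are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample rows (not real scan output). Column names are an assumption.
SAMPLE_CSV = r"""Entry,Signer,Image Path,VT detection
SecurityHealth,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,0/57
tbnotifier,(Not verified) Example Toolbar,c:\program files\toolbar\tbnotifier.exe,16/57
olddriver,,File not found: c:\windows\system32\drivers\olddrv.sys,
svchelper,(Not verified) Microsoft Corporation,c:\users\public\svchelper.exe,0|57
hkcmd,(Verified) Intel Corporation,c:\windows\system32\hkcmd.exe,1/57
notes,(Not verified) Some Vendor,c:\tools\notes.exe,
"""

# "detections/engines"; a "|" separator is accepted as well as "/".
VT_RATIO = re.compile(r"^\s*(\d+)\s*[/|]\s*(\d+)\s*$")


def parse_vt(cell):
    """Return (detections, engines) or None when the cell is empty or malformed."""
    match = VT_RATIO.match(cell or "")
    if not match:
        return None
    hits, total = int(match.group(1)), int(match.group(2))
    if total == 0 or hits > total:
        return None  # impossible ratio, treat as "no result"
    return hits, total


def triage(row, fp_max=2):
    """Map one row to a verdict, following the order of concern in the text.

    fp_max is the "one or two antiviruses" level the article treats as a
    probable false alarm.
    """
    signer = (row.get("Signer") or "").strip()
    image = (row.get("Image Path") or "").strip()
    vt = parse_vt(row.get("VT detection"))
    unsigned = not signer.startswith("(Verified)")

    if vt and vt[0] > fp_max:
        return "disable-and-investigate"   # red number, many engines agree
    if image.lower().startswith("file not found"):
        return "missing-file"              # yellow: do not disable blindly
    if unsigned and "microsoft" in signer.lower():
        return "unsigned-microsoft"        # pink, and claims to be Microsoft
    if vt and 1 <= vt[0] <= fp_max:
        return "probable-false-positive"
    if unsigned:
        return "unsigned"                  # pink: note it, low priority
    return "ok"


def triage_all(csv_text, fp_max=2):
    """Return [(entry name, verdict), ...] in file order."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [((row.get("Entry") or "").strip(), triage(row, fp_max)) for row in reader]


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLE_CSV):
        print(f"{name:15} {verdict}")
```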

We clean autoload - Logon tab

After removing evil spirits, many items will probably remain. Your hands are itching to turn them off, right? After all, you feel that the computer will turn on even faster.

I'll reveal a secret - you can disable everything on the tab Logon and the computer will even work. But it's better to be safe.

In the Options menu of Autoruns, check the boxes for the first three items:

Then go to the Logon tab and uncheck all items in the list, except for those where the Publisher column shows (Verified) Microsoft Windows (usually the first item), as well as those from the list in the next chapter.

What should not be turned off

You should not disable programs that come with the drivers for the sound card, video card and so on. The reason is the glitches that result: audio output will not switch to headphones when they are plugged in, additional keyboard buttons won't work, there may be problems running games, and so on.

Look at the Publisher column. If it shows something from this list, do not touch the item:

  • Microsoft Windows;
  • Microsoft Corporation;
  • Adobe Systems;
  • Google Inc.;
  • Intel Corporation;
  • Advanced Micro Devices;
  • nVidia;
  • ESET;
  • Realtek;
  • Kaspersky;
  • Comodo;
  • Broadcom;
  • ...as well as items with the brand name of your laptop / PC. For example, Acer.

The name may not match exactly. For example, for some reason, Intel has a different publisher:

Antivirus stands apart. In autorun, it can be represented by one item or several. Theoretically, it is impossible to disable the autorun of modern antiviruses using Autoruns, because antiviruses continuously monitor their startup entries; in practice it does happen. In any case, you can always put the checkbox back.

After rebooting, the computer will turn on much faster. The tray will also be clean (the area with icons near the clock):

This means that most programs no longer turn on when you start Windows. There is no Skype, no pop-up panels, nothing extraneous. Lovely!

Cleaning up - Scheduled Tasks and Services

Simply unchecking an item does not always remove the program from startup. For example, the cheeky advertising module Ask Toolbar can't be turned off that easily. After restarting the computer, the item will be added again:

What to do in this case? Besides the Logon tab, programs can be launched in a variety of other ways. Turn off the item that reappeared, look carefully at its line, and go through the Scheduled Tasks and Services tabs in turn. Somewhere there will be entries for programs similar to those disabled earlier:

Uncheck those too. The Ask Toolbar mentioned above, by the way, will still appear again; more on such tenacious programs below.

Be careful with the Drivers tab!

It is tempting to disable all items in the other tabs, for example Drivers. Disabling drivers can cause your operating system to stop loading. The computer can be restored, but that task is for the patient and only if there is a second computer at hand. Disable only those items on this tab whose publisher (Publisher column) matches an item you disabled on the Logon tab. Better still, do not touch anything there until you encounter programs that cannot be disabled.

Bottom line: first we disable everything on Logon, then similar on the Scheduled Tasks and Services tabs.

If programs are added again

After the reboot, do the items appear enabled again in the Autoruns list? There are two possible reasons:

1. The program (virus?) was running at that moment. It constantly checks for its own startup entry and, if the entry is deleted, restores it. Autoruns removes the entry from the Windows Registry immediately, as soon as you uncheck the checkbox in the list, but does not check whether the entry has been added again. You can see this by refreshing the list (press F5 on the keyboard).

2. The program checks the entry again when it closes. When the computer is restarted, the malware adds itself again upon receiving the shutdown signal.

You need to remove the bastard.

On the Logon tab, right-click the item that keeps being added again and choose Jump to Image. The folder with the program in question will open. Its exact name can be found in the "Image Path" column:

Right-click on the file (in our case it is tbnotifier) and rename it to, for example, tbnotifierblablabla:

Sometimes renaming fails with an error like "File blah blah blah is open in the program blablabla2". In this case, press Ctrl+Shift+Esc to start Task Manager. On the Details tab, look for the programs mentioned. In my case, this is one program; you may have several:

Mouse click on a line - End the task - End the process.

Then return to Autoruns and go to the Services tab. Again use Jump to Image on the item whose checkmark reappeared and rename the file the same way as before. If that fails with the same error ("The file is open in ..."), note the name of the service (first column), run Task Manager, go to its Services tab, find that item, right-click on it and choose Stop:

Try renaming the file again. Surely everything will work out.

Don't forget to look at the Scheduled Tasks tab and check whether a checkmark has reappeared on something. Uncheck it, and the malware will no longer bother you.

You can also look at the Drivers tab, because there may be a malware driver. If you see something on this tab that resembles the item that keeps reappearing on the Logon tab, it means that you have "run into" a serious virus from developers who know their business. The "virus driver" + "virus in autorun" scheme is rare; I advise you to google the names of the programs being launched, in case there are tips on the correct removal of such villains.

Close Autoruns and Task Manager and restart your computer. If the checkmarks came back nevertheless (what an ambush!), do the same again, but instead of shutting down through the Start menu, restart the computer with the button on the system unit, or pull the battery and power cord out of the laptop. Such a hard reboot will prevent the malware from learning that the computer is shutting down and that it needs to add its entries again. Unfortunately, there is a small chance of corrupting the disk file system, so ... only at your own peril and risk! My experience is that it works. There are other ways; this is the fastest, at the expense of reliability.

Windows 8 and 10 have their own Startup tab in Task Manager. You can try to disable the stubbornly running program there.

What else can be disabled?

You can go further and disable even more programs. The computer will start even faster, and there will be no delays when starting programs and opening folders. To do this, I would have to explain what the rest of the tabs are for and how Windows startup works in general. This extensive topic is for a separate article. As soon as it appears, I will add a link.

Autorun (autoload) of programs is a tool that lets you quickly create the user's desired working environment without human intervention by automatically starting a pre-prepared set of programs. The vast majority of modern home computers constantly run many automatically started programs whose existence users have no idea about. Nor do they know where these programs came from, why they are needed at all, or who really needs them. For the majority this is not so important until there are problems: increased resource consumption (the computer begins to "slow down"), exorbitant Internet traffic, advertising spam, virus infection, or the loss of documents, passwords and money.

With the development of computer technology, the possibilities of automatic launch gradually expanded and reached a level at which there was a serious need for user control over autorun processes. Indeed, today almost any program, from software by computer hardware manufacturers to free application software, tries to please the user with constant updates, offers of discounts for switching to paid products, advertising, etc. In addition, such not very desirable software can often collect information about the user and send the data over the Internet to who knows whom and who knows where. Therefore, startup monitoring is becoming more and more popular among users of computer systems. Standard Windows tools such as the msconfig.exe utility or the modified Windows 10 Task Manager with the "Startup" tab are better than nothing; nevertheless, competent users increasingly demand software that can monitor the maximum number of autorun elements and lets them simply, conveniently and safely manage automatically starting processes, from drivers to scripts and application programs.

General information about the Autoruns program.

Autoruns is a free utility from the Sysinternals Suite, part of Microsoft's Windows Sysinternals, designed to control autorun in the Windows environment. It has a wider range of features than the MSConfig utility that is part of the standard Windows software.

You can download the program as part of the Sysinternals Suite package, or as a separate archive using the links on the pages of the Windows Sysinternals section of the Microsoft TechNet resource. The program does not require installation: just download the Autoruns.zip archive, unzip it to any folder and run the executable file autoruns.exe or autoruns64.exe (for 64-bit Windows only). The archive contains English-language documentation (autoruns.chm), a text file with a brief description and license agreement (eula.txt), and 32-bit and 64-bit executables of the GUI utility Autoruns and the command-line utility Autorunsc.

Autoruns is one of the most popular programs in the Sysinternals Suite package for system administration and research, and perhaps the most informative and convenient tool for tracking automatic start points for processes in Windows, including hidden or unusual ones often used by viruses and other malicious software (malware). Autoruns shows which programs are set to run at boot, at user logon, and on other system events, and displays them in the order in which they are started.

Finding and eliminating malicious software that has infiltrated the Windows environment is one of the main uses of Autoruns.

The program lets you get a full list of autostart locations, see where each one is defined, explore the methods and sequence of launch, detect hidden entry points, and selectively block the autostart of an unnecessary process. Its extensive capabilities and ease of use make Autoruns a mandatory part of the toolkit for practical system research.

To realize the full potential of Autoruns, the utility must be run under an account with administrator rights. In addition to working in the environment of the active operating system (the OS in which you are working), you can use the utility to analyze the startup points of another OS, whose system directory and user profile directory are selected through the main menu (File - Analyze Offline System).

After you launch the executable file autoruns.exe, the main program window appears on the screen:

The program interface consists of five parts: the menu bar, the toolbar, the tabs that filter by autostart source, the output area (a list whose lines each describe one automatically starting process), and an area at the bottom of the screen that details the properties of the selected process.

The list of autostart points is displayed in the order in which Windows processes them during boot and user logon. By default, the Everything tab opens and shows all possible autorun points in the main window, according to the options set under the Options item of the main menu. The following display options can be selected:

Include Empty Location - show empty sections. This option is usually off.
Hide Microsoft and Windows Entries - hide the autostart points of Microsoft products and of Windows' own processes.
Hide Windows Entries - hide the autostart points used by Windows itself.
Verify Code Signature - check the digital signatures of software modules. The verification status is displayed in the Publisher column (the author of the program) and can be Verified (the check passed) or Not Verified (the check failed). Internet access is required to verify digital signatures.

When you change the display settings, you need to refresh the screen (press F5).

Information about autostart points in the data window is divided into several columns:

Autorun Entry - the program name. Each program is accompanied by its autorun point (registry key, autorun folder, scheduler task folder). Each executable file entry has a checkbox that enables or disables its autorun. A checkmark in front of the name means that the process will be launched; no checkmark means the process is blocked. If the blocked process is already running, disabling its autorun takes effect at the next system reboot. Blocking can take the form of disabling a driver or service through the registry, deleting a shortcut from the startup folder, or disabling a task in the scheduler.
Description - a short description of the automatically started process.
Publisher - the author of the program. The digital signature verification flag (Verified or Not Verified) can be displayed as part of the Publisher column. The presence and validity of a digital signature is a sign that the process is not malicious. An invalid or missing digital signature should, as a rule, draw attention to the entry. However, an unsigned file is not always a virus or other unwanted software, since a digital signature is not a mandatory standard for software manufacturers.
Image Path - the path and name of the executable file.

Autoruns divides all autorun elements into groups corresponding to the various categories of autorun. A category is selected by choosing the desired tab:

Everything - displays all autorun points known to the Autoruns utility.

Logon - displays information about autorun elements related to the initialization of user profile settings by the Winlogon system service (Userinit), the user shell (Shell), and the various programs launched during logon through the items in the Startup folder, the Run, RunOnce and Load registry keys, and so on. In the latest versions of Autoruns, a User item has been added to the main menu; it lets you switch to the autostart points of individual users or system accounts (Local System, Network, etc.). If you select a different account, the list of autostart points on the "Logon" tab changes.

Explorer - displays information about the Shell Extensions of Windows Explorer and the executable modules of event handlers (Shell Execute Hooks).
Malicious programs often add their own entries to this group of autorun elements in order to keep control of the infected system. The most common cases:

- Adding an entry to the registry key that autoruns programs for the current user
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- The same trick for all users
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Adding a file, or a link to a virus file, to the "Startup" folder
- Adding an entry to the parameters section of the Winlogon service
The registry value used to initialize the user profile,
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
normally holds the string value
C:\WINDOWS\system32\userinit.exe
The value ends with a comma, and Windows automatically starts any programs listed after that comma. For example, the entry C:\WINDOWS\system32\userinit.exe,%TEMP%\svchost.exe ensures that, in addition to the standard userinit.exe program, svchost.exe is also launched, a file that has no business being in the \TEMP temporary files folder, let alone being started from this group of autorun points. Everything written after userinit.exe must be removed: these entries launch malicious programs.
userinit.exe runs the user profile initialization sequence and launches the shell, which in the Windows environment is Explorer (Explorer.exe). Explorer implements the graphical user interface (GUI): the desktop and the tools for working with shortcuts, folders, files, etc. If Explorer.exe fails to start, the user gets a blank desktop without any controls.

To start the user shell, Windows uses the data from the registry value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
The standard string value is Explorer.exe. If it is different, this is most likely a sign of virus infection.
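The Userinit and Shell checks described above can be automated. The following Python sketch is an added example, not part of Autoruns or of the original article; the function names are hypothetical, the sample values are constructed, and the standard values are taken from the text above.

```python
import ntpath
import os

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
STANDARD_USERINIT = r"C:\WINDOWS\system32\userinit.exe"  # standard value per the text
STANDARD_SHELL = "explorer.exe"


def norm(path):
    """Strip quotes and whitespace, normalise case and path separators."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def check_userinit(value):
    """Return findings for a Userinit string value.

    The value is a comma-separated list and every program in it is started,
    so anything other than the standard userinit.exe is an extra autostart.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    findings = []
    if not any(norm(e) == norm(STANDARD_USERINIT) for e in entries):
        findings.append("standard userinit.exe entry is missing or replaced")
    for e in entries:
        if norm(e) != norm(STANDARD_USERINIT):
            findings.append("unexpected program in Userinit value: " + e)
    return findings


def check_shell(value):
    """Return findings for a Shell string value (standard: Explorer.exe)."""
    if value.strip().strip('"').lower() == STANDARD_SHELL:
        return []
    return ["Shell value differs from the standard Explorer.exe: " + value.strip()]


def audit(values):
    """values: dict with the 'Userinit' and 'Shell' strings."""
    return {
        "Userinit": check_userinit(values.get("Userinit", "")),
        "Shell": check_shell(values.get("Shell", "")),
    }


def read_live_values():
    """Read both values from the local registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return {n: winreg.QueryValueEx(key, n)[0] for n in ("Userinit", "Shell")}


if __name__ == "__main__":
    if os.name == "nt":
        values = read_live_values()
    else:
        # Constructed sample reproducing the example from the text.
        values = {
            "Userinit": r"C:\WINDOWS\system32\userinit.exe,%TEMP%\svchost.exe",
            "Shell": "Explorer.exe",
        }
    for name, findings in audit(values).items():
        print(name, "OK" if not findings else findings)
```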

Malicious programs can also use one-time autostart points (the RunOnce and RunOnceEx parameters), rewriting the contents of these registry keys after each reboot or user logon.

Additional information about a suspicious file can be obtained by searching the Internet (menu Entry - Search Online) or through the right-click context menu. The easiest way is to submit the suspected file to online scanners for checking, for example on the VirusTotal.com site.

Internet Explorer - displays a list of browser helper objects (BHO - Browser Helper Objects), elements of the Internet Explorer (IE) control panel, registered ActiveX controls, and additional modules (plugins) built into the browser.

Exploiting vulnerabilities in Internet browsers is one of the most common methods of virus infection. A modern browser is in fact a complex software package, a kind of interpreter of the content received from the pages of visited sites. It is also a product whose properties can be extended or changed through settings and additional software modules, including modules from third-party developers. Malware creators use these properties of browsers as well. In addition to viruses, there are various unwanted software modules that replace the search engine, download advertising, track user actions, change the home page, etc. In most cases, a symptom of unwanted software is an unknown publisher, which is displayed in the Publisher field.

Services - displays a list of system services automatically loaded by Windows. System services are loaded before user logon in accordance with the settings defined by the registry keys

HKLM\SYSTEM\CurrentControlSet\Control

HKLM\SYSTEM\CurrentControlSet\Services

Services that have no description, no digital signature, or an invalid digital signature should be checked first. An additional sign of unreliability may be a service that starts from an unusual place: the \TEMP directory of temporary files, user profile directories, or a directory with a strange name. The executable files for the vast majority of system services are located in the \WINDOWS\System32 folder.

Drivers - displays a list of drivers that are allowed to run (the Start parameter in the driver's registry key is not equal to 4, the value that disables a driver). Sometimes there are serious viruses that use rootkit technology to mask their presence in the system. In such an infection, the malware installs a special driver that intercepts system calls and alters their results so that its files, processes and network connections are not detected. In severe cases Autoruns will not help, and you will need special software for detecting rootkits.

Scheduled Tasks - displays a list of tasks scheduled for execution by the Task Scheduler.
Sometimes malware arranges its own launch by creating a special task for the Windows Task Scheduler. The Autoruns utility lets you get a list of tasks and disable any of them.

Image Hijacks - displays information about the use of a symbolic debugger for individual processes, whose list and parameters are set in the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Autorun points that can start additional executable files alongside the command interpreter (command processor), or whenever any file with the .exe extension is opened, are also displayed.

Appinit DLLs - displays a list of all DLLs registered in the system. It is used to connect user libraries that are loaded through user32.dll.
The registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls usually does not contain any entries, but it may be used by legitimate programs as well as by malware, since it ensures that the DLL is injected into all user processes that use user32.dll. If the key contains the name of some DLL, analyze the information about its publisher and digital signature and, if necessary, run an online check on VirusTotal.

Known DLLs - a list of DLLs that are loaded into the applications that reference them.
The search for malicious DLLs can follow the same algorithm: analysis of the description, the publisher information, the presence and validity of a digital signature and, if necessary, a check on VirusTotal.

Boot Execute - programs to be executed at an early stage of Windows boot (for example, a disk check scheduled for the next system reboot).

Winlogon Notifications - a list of DLLs that are registered to fire on events related to user login or logout (logon/logoff), splash screen startup, shutdown, or reboot.

Winsock Providers - a list of Windows service providers for accessing network functions. Usually these are DLLs that applications can load to interact with network services. Sometimes antivirus or firewall libraries are listed here.

LSA Providers - a list of registered LSA (Local Security Authority) providers. The LSA is part of the system that checks user credentials and assigns a Security Context based on the user's account.

Print Monitors - a list of printer drivers that are loaded according to entries in the registry key

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

Sidebar Gadgets - a list of gadgets installed by users of Windows 7 and later OS.

Office - information about add-ins for office software.

The main menu (menu bar) of the Autoruns program.

The purpose of some menu items of the Autoruns utility is discussed above.

Main menu items: File

Find - search for text in the current Autoruns output window.
Load - open a previously saved Autoruns report from a file.
Save - save the current Autoruns report.
Compare - compare the current Autoruns report with a previously saved one. This lets you quickly identify new autorun items that have appeared since the compared report was saved. New items are highlighted in green.

Main menu items: Entry

All items of the Entry menu refer to the report item highlighted on the current Autoruns screen. All options are also available from the right-click context menu.

Delete - remove the autorun item. A removed element cannot be restored with the Autoruns utility itself. Thoughtless deletion of critically important autostart elements can crash the system. To block an element rather than delete it, clear the checkbox (uncheck it) in the first column of that element's line.
Copy - copy the data of the selected line to the clipboard.
Verify - check the digital signature of the selected element.
Jump to - as in most Sysinternals products, lets you quickly navigate to the registry key or Windows directory associated with this autostart point. This is a highly convenient mode that saves time and nerves when analyzing information. The jump can also be performed by double-clicking the selected element.
Search Online - Autoruns launches a web browser and uses it to search for information about the autorun point associated with the current report item. The search engine configured in the browser is used, for example Yandex search.
Properties - display the properties of the executable file of the automatically started process.
Process Explorer - run the Process Explorer utility from Sysinternals to monitor the activity of the selected process. Process Explorer must be present and must be launchable through the path in the PATH environment variable.

Autorunsc is a variant of Autoruns for use on the command line.

Autorunsc is the variant of the Autoruns program that runs on the command line. It is convenient for collecting and processing data about automatically starting processes on remote computers, for tracking changes in autorun, etc.

Command line format:

autorunsc [-a[*][b] [c] [d] [e] [g] [h] [i] [k] [l] [-m] [-o] [-p] [-r] [-s] [-v] [-w] [[-z ] | [user]]]

Command line options:

* show all elements;
-b objects executed in the early stages of boot;
-c write the output in CSV format;
-d application initialization DLLs (Appinit DLLs);
-e Explorer add-ons;
-g sidebar gadgets;
-h image hijacks;
-i Internet Explorer add-ons;
-l items that start automatically at logon (this is the default);
-m do not show items that are digitally signed by Microsoft;
-n Winsock protocol providers;
-p print monitor drivers;
-r LSA providers;
-s services in autostart mode and non-disabled drivers;
-t scheduled tasks;
-v verify digital signatures;
-w Winlogon elements;
-x print the output in XML format;
-z specifies an offline (inactive) Windows system to scan;
user show automatically launched objects for the specified user account.

Usage examples:

autorunsc /? - display a hint on using the program.

autorunsc -a * - display all autorun items in this system.

autorunsc64.exe -a * | find /i "adobe" - display all startup items associated with Adobe software products.

autorunsc -a b - display autorun items related to the boot of this system.

autorunsc -s * - display information about automatically starting services and drivers.

autorunsc -s * > services.txt - the same as in the previous example, but with the results written to a text file.

autorunsc64.exe -aw -m - display information about startup items for Winlogon, excluding entries for Microsoft software products.

autorunsc64.exe -aw -x - the same as in the previous example, but with the results presented in XML format.
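For tracking changes in autorun, two saved CSV reports can be compared in the same way as File - Compare, and the new entries checked against the signs described for the Services tab (no description, missing or unverified signature, unusual start location). The following Python sketch is an added example, not part of Autorunsc or of the original article; the report data is constructed, and the column names are assumptions about the CSV header, to be adjusted to the header and file encoding of a real report.

```python
import csv
import io

# Assumed column names; adjust to the header row of a real report.
KEY_COLUMNS = ("Entry Location", "Entry", "Image Path")
SUSPECT_DIRS = ("\\temp\\", "\\users\\")  # temp files and user profile directories

# Constructed baseline report (saved earlier).
BASELINE_CSV = r"""Entry Location,Entry,Description,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ExampleTray,Example tray helper,(Verified) Example Corp,c:\program files\example\tray.exe
HKLM\System\CurrentControlSet\Services,ExampleSvc,Example service,(Verified) Example Corp,c:\windows\system32\examplesvc.exe
"""

# Constructed current report: the baseline plus two new entries.
CURRENT_CSV = BASELINE_CSV + r"""HKCU\Software\Microsoft\Windows\CurrentVersion\Run,svchost,,(Not verified),c:\users\alice\appdata\local\temp\svchost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ExampleUpdater,Example updater,(Verified) Example Corp,c:\program files\example\updater.exe
"""


def load_report(text):
    """Index report rows by (location, entry, image path), case-insensitively."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = tuple((row.get(c) or "").strip().lower() for c in KEY_COLUMNS)
        rows[key] = row
    return rows


def new_entries(baseline_text, current_text):
    """Rows present in the current report but not in the baseline."""
    baseline = load_report(baseline_text)
    current = load_report(current_text)
    return [row for key, row in current.items() if key not in baseline]


def triage(row):
    """Apply the signs of unreliability named in the text to one row."""
    reasons = []
    if not (row.get("Description") or "").strip():
        reasons.append("no description")
    if not (row.get("Signer") or "").strip().lower().startswith("(verified)"):
        reasons.append("signature missing or not verified")
    path = (row.get("Image Path") or "").lower()
    if any(d in path for d in SUSPECT_DIRS):
        reasons.append("runs from a temp or user profile directory")
    return reasons


def review(baseline_text, current_text):
    """List (entry name, reasons) for every new autorun entry."""
    return [(r["Entry"], triage(r)) for r in new_entries(baseline_text, current_text)]


if __name__ == "__main__":
    for entry, reasons in review(BASELINE_CSV, CURRENT_CSV):
        print(entry, "->", ", ".join(reasons) or "new, no warning signs")
```

An entry with no reasons is still new since the baseline and deserves a look; the reasons only set the order in which to check.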

One of the main purposes of Autoruns is to find and neutralize malicious software. Its powerful capabilities for researching and neutralizing autorun elements make it easy to deal with an infection that has infiltrated the system. Any virus that is deprived of the ability to run automatically becomes completely harmless, just like a regular text file stored on a computer.

If you have doubts about any of the autorun items in the Autoruns output list, try to investigate it in detail using the following techniques:

- Review the description, the publisher information, and the presence and validity of the digital signature.
- Double-click the element under investigation and check its autostart point in the registry or file system directory.
- Use the context menu item Search Online or the key combination CTRL+M to get additional information from Internet search results.
- If you have a saved report from a previous session, compare the current data with the saved data (menu File - Compare).
- Submit the file for online checking at VirusTotal.com. If the file is malicious, it is highly likely that the VirusTotal service will confirm this.
- For a detailed analysis of the activity of a suspicious process, use the related utility from Sysinternals. You can call the utility directly through the context menu item for the selected startup item.

Today Autoruns, supported by its developers for many years, is one of the most effective autorun control programs. However, programs that monitor startup in real time are becoming more and more popular. Such programs run automatically and constantly monitor the status of startup items, taking action when any software tries to "register" itself for automatic start. The main disadvantages of such programs are clear: increased consumption of system resources and the inability to fully control all autostart items. Examples of monitoring programs are the free Anvir Task Manager, characterized by increased resource consumption, and the less voracious but significantly less capable PT Startup Monitor.

I don't know about you, but I have a strong impression that the smaller a program is, the better and more useful it is. That's why I love little programs.

Here is today's description of the Autoruns program, another proof that the functional benefit of the program does not depend on its size.

Autoruns is designed to display absolutely all startup items of the operating system. Naturally, in it you can (and should) disable or even delete unnecessary entries for the automatic loading of programs and services ...

The program is portable from the start, so there is no need to install it: download it (235 KB) and run it right away ...

For more or less experienced users, there is nothing further to explain here - the program found and showed us absolutely everything that is automatically loaded with the system.

It remains to analyze the displayed information a little and speed up Windows startup by disabling everything superfluous. It is not as difficult and scary as it seems.



For inexperienced and novice hackers, I will try to show and explain the logic that I followed when disabling or deleting unnecessary startup items.

ATTENTION! THIS IS A MUST! In order to avoid problems during startup, the appearance of various errors, and so on ...

First: instead of deleting suspicious items, disable them first, and only after a couple of days, if everything works well, delete them.

Second: if you have absolutely no idea what a line or program is, leave it alone and do not touch this autoload item!!!

So, we have a bunch of different tabs in the main program window ...

Let's choose, for example, "Sidebar Gadgets". I DON'T HAVE A SIDEBAR! IT'S DISABLED! What could be autoloading? What autoload?

It turns out that my antivirus's gadget lies there peacefully and slows down the startup of the system. I delete it by clicking the RIGHT mouse button on the line and selecting "Delete" in the context menu!

I am not using the Windows Mail service. I'm deleting it!

Why do I need a whole service, constantly running, that monitors the release of updates for Skype? When it is needed, I will check and update this program manually myself! I'm deleting this entry!

Here we go again: I disabled the Windows Help service over two years ago! And again this Skype: I don't have it in autoload, but there is some kind of item here? I don't even understand it, so I delete it!

I don't need a program for connecting to a server via FTP in autoload, I launch it myself when necessary! I delete it! Again the sidebar: delete!

Eh, where is my Chapaev saber? We go to the "Codecs" tab and faint! Everything that you see can be disabled from autoload! Everything! Why?

Because any self-respecting video player has its own built-in codecs!!! And what's more, these personal codecs of the player also do not need to be loaded all at once! When you start a video, the player will turn on the codec that it needs to play it.

How did I know that these are the codecs of some player? I checked the path to the file...

So, for half an hour I waved my saber around in autoload. Then I rebooted the system and checked all the programs that had flickered in Autoruns and whose items I had so cruelly deleted: EVERYTHING WORKS GREAT WITHOUT PROBLEMS!

Oh yes, I completely forgot. There were also lines painted in yellow with the inscription "Not found". I deleted them first of all, even forgetting to take a screenshot. There were about seven of them!