How to manage Windows Startup

Introduction

It is good practice to inspect the startup locations frequently, for better security. This is the first step in detecting a trojan or a virus. As you know, the System Configuration Utility (MSConfig.exe) does not list applications loaded from all possible startup locations. Most other entry points are hidden and unknown to the end user. This article gives a clear picture of the startup locations of applications and drivers. Some of the following locations are not applicable to Windows 95/98/ME systems.

Startup locations

HKCU refers to HKEY_CURRENT_USER
HKLM refers to HKEY_LOCAL_MACHINE

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
(in the right pane, the values named "Run" and "Load")

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\{Username}\Start Menu\Programs\Startup

Note: Items marked in blue are those which MSCONFIG can manage.

Advanced stuff - additional Windows Startup launch-points

Silentrunners.org covers many more startup launch-points. Malware may be present in any of the locations described. Additionally, it's worth verifying the contents of the ShellExecuteHooks key here:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Inspecting all the keys manually may be tiring. Your best bet is to use third-party software to inspect the startup. There are many utilities which can track and log the startup entries. The following utility is very impressive.

Autoruns - A utility that covers most of the start locations. The latest version allows you to edit the startup for other user profiles (Windows 2000/XP) as well.

Caution: Don't delete or disable the entry named Userinit, as you will be unable to log on to Windows XP.
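The registry keys and Startup folders listed above can also be inventoried with a short read-only script. The PowerShell block below is an added example, not part of the original article and not how Autoruns works. It assumes PowerShell 3.0 or later, the helper name Get-StartupValue is hypothetical, and the Startup folders are resolved through .NET instead of the Windows XP paths shown earlier.

```powershell
# Added example: read-only inventory of the launch points listed in this article.
# Nothing is modified or deleted. Requires PowerShell 3.0+ (assumption).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)
# Keys where only the named values are launch points.
$namedValues = @{
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'  = @('Run', 'Load')
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' = @('Userinit')
}

# Hypothetical helper: one object per value directly under a key (subkeys are not walked).
function Get-StartupValue {
    param([string]$Path, [string[]]$Only)
    if (-not (Test-Path -LiteralPath $Path)) { return }   # key absent on this system
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        if ($Only -and ($Only -notcontains $name)) { continue }
        [pscustomobject]@{ Location = $Path; Name = $name; Command = $key.GetValue($name) }
    }
}

$entries = @(
    $runKeys | ForEach-Object { Get-StartupValue -Path $_ }
    $namedValues.Keys | ForEach-Object { Get-StartupValue -Path $_ -Only $namedValues[$_] }
    # Startup folders, resolved via .NET rather than the XP-era paths (assumption).
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            Get-ChildItem -LiteralPath $dir -Force | ForEach-Object {
                [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
)
$entries | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Saving the output after a known-good setup and comparing later runs against it makes newly added entries easy to spot.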

 

Related Microsoft Knowledgebase articles

Kernel Mode components (More information)

[HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems] contains a list of available subsystems.

[HKLM\SYSTEM\CurrentControlSet\Services\servicename]. The Service Control Manager initializes services that the Start entry designates as Auto-load.

If a driver/service prevents you from starting Windows, start the Recovery Console and use the listsvc command. This lists all the services and drivers. To disable a service/driver, type disable <service/driver name> in the Recovery Console.

View and manage Windows XP Services and Drivers

ServiWin - A utility that displays the list of installed drivers and services on your system. For some of them, additional useful information is displayed: file description, version, product name, company that created the driver file, and more. In addition, ServiWin allows you to easily stop, start, restart, pause, and continue a service or driver, change the startup type of a service or driver (automatic, manual, disabled, boot or system), save the list of services and drivers to a file, or view an HTML report of installed services/drivers in your default browser.

  • To view Services list, click the View menu and choose Services [F8 key]
  • To view Drivers list, click the View menu and choose Drivers [F7 key]
  • To find out the list of third-party drivers, sort the column named Company

You may also use the DriverQuery command built into Windows XP to view the list of all the device drivers installed on your system. You can save the list to a file for troubleshooting purposes. Type driverquery /? in Command Prompt for more information:

Usage / Examples:

DRIVERQUERY /SI  [ Lists the drivers' signing status, whether Signed or Unsigned ]
DRIVERQUERY /V   [ Generates a detailed report ]
DRIVERQUERY      [ Lists all device drivers ]

To redirect the output to a file, use:

DRIVERQUERY /SI  >C:\driverslist.txt

Published: June 27, 2004
Updated : June 25, 2005


Copyright © 2006 Ramesh Srinivasan. All rights reserved.
Windows XP Troubleshooting - http://windowsxp.mvps.org

 

