After working with an operating system for a long time and installing and uninstalling various applications, many users have questions about startup applications. Applications that you do not need may be loaded along with the operating system or, conversely, an application that should launch automatically is not visible in the notification area after the system boots, and system performance and startup time may deteriorate significantly. To avoid these problems, I suggest understanding the processes that run when the operating system boots and how installed applications are started automatically.

Loading the operating system

It is important to note that Windows boot does not in fact begin at the moment you turn on or reboot your personal computer; the process of loading the operating system actually begins with its installation. During installation, the hard disk is prepared for its part in the system boot process. At this time, the components involved in loading the basic input/output system (BIOS) are created. These components include:

  • Winload.exe - loads the Ntoskrnl.exe process and its dependent libraries, and also loads drivers for installed hardware;
  • Winresume.exe - allows you to restore the system after long-term inactivity (hibernation) and is responsible for the hibernation file (Hiberfil.exe);
  • Ntoskrnl.exe - initializes the executive subsystems and the boot-start and system-start device drivers, prepares the system to work with standard applications, and loads the smss.exe process;
  • Hal.dll is an integral part of the code executed in kernel mode, which is launched by the Winload.exe boot module, loaded together with the kernel;
  • Smss.exe (Session Manager Subsystem Service) is a session management subsystem in Windows. This component is not part of the Windows kernel, but its operation is extremely important to the system;
  • Wininit.exe - loads the Service Control Manager (SCM), the Local Security Authority process (LSASS), and the Local Session Manager (LSM). This component also initializes the system registry and performs certain tasks in initialization mode;
  • Winlogon.exe - manages secure user logon and launches LogonUI.exe;
  • Logonui.exe - displays the user login dialog;
  • Services.exe - loads and initializes system services and drivers installed by default.

It is important to understand that device drivers are a critical part of the boot process. When you specify the operating system partition, the installation program writes the boot sector. The Windows boot sector provides information about the partition structure and format to the Bootmgr file. Bootmgr does its job while the operating system starts its life cycle in real mode. Bootmgr then reads the BCD file from the \Boot folder located on the system partition. If the BCD file contains settings for resuming from hibernation, Bootmgr starts the Winresume.exe process, which reads the contents of the file to resume the system from hibernation.

If the BCD contains entries for two or more systems, Bootmgr displays a boot menu so that the user can select the operating system. After the system is selected, or if only one operating system is installed, the Winload.exe process loads. This process loads the files located in the boot partition and starts initializing the kernel. Winload.exe does the following:

Then the initialization of the kernel and executive subsystems begins. After Windows calls Ntoskrnl, it passes the loader parameter block data, which contains the system paths of the boot partition and the data generated by Winload to describe the physical memory in the system. Upon completion of the two stages (Session 0 and Session 1) of kernel initialization, the processes Smss.exe, Csrss.exe and Wininit start. Smss calls the executive's configuration manager to complete initialization of the system registry.

After this, the Winlogon system shell is launched; its parameters are specified in the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Userinit. Winlogon then notifies the registered network service providers that have passed Microsoft Network Provider identification (Mpr.dll).

The last step in booting the system is the process of automatically launching applications when you boot and enter the operating system.

Autorun control

You can see most of the applications that automatically start with the operating system in the notification area. I talked about methods for customizing the notification area in the article, so within the scope of this article, customizing the notification area will not be considered. To manage startup applications, users of Windows operating systems usually use the "System Configuration" utility.

System Configuration Utility

"System Configuration" is a Windows operating system utility designed to manage startup programs and system startup, as well as to identify problems that may prevent the operating system from starting normally. Using this utility, you can change boot settings and disable services and automatically started programs. The utility first appeared in the Windows 98 operating system, providing a convenient interface for performing its tasks. It is started from the MSConfig.exe file, which is located in the System32 folder of the partition with the installed operating system. A major disadvantage of this utility is that it cannot add a new element to autorun. To open this utility, do any of the following:

The following screenshot shows the utility "System configuration":

There are five tabs in the current utility:

  • General. On this tab you can select the startup option: "Normal startup" - the operating system starts in the usual way; "Diagnostic run" - the system boots using only basic services and drivers; and "Selective launch" - in addition to the main services and drivers, selected services and automatically loaded programs are also loaded with the operating system.
  • . On this tab you can find the operating system boot options as well as extra debugging options such as "No GUI" - the welcome screen is not displayed when loading, and "OS Information" - the drivers being loaded and similar details are displayed while the operating system loads.
  • Services. This tab contains a list of only those services that start automatically with the operating system, as well as the current status of each service. Because installed software can install its own services, without basic knowledge of system services you may have trouble finding the services that are not installed with your operating system by default. If you check the box "Do not display Microsoft services", only the services of third-party applications will appear in the list. To disable a service, simply uncheck its box.
  • . This tab is responsible for loading applications, as well as certain utilities that are not loaded through services. As you can see in the previous screenshot, this tab is divided into five columns. These columns show the name of the startup application, the publisher of the program, the path from which the program is loaded, the location of the registry key or program shortcut, and the date the program was disabled from startup. To prevent a specific startup item from starting the next time you boot, uncheck the corresponding box.
  • Tools. On this tab you can find a list of diagnostic tools that allow you to monitor the health of your system. To launch any tool displayed on this tab, select it and click the "Launch" button.

More experienced users may want to not only disable unnecessary startup programs, but also add their own programs to start automatically along with the operating system. To do this, you will need to use the system registry tools.

Managing autorun using the system registry

In the system registry, you can find application startup settings for the computer account and for the current user account. Applications that launch under the computer account do not depend on which account the user logged in with. You can find these settings under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The applications that run under a user account may differ for each account. You can find these settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

To add a new application (the "Registry Editor" program) to Windows startup for all existing users, follow these steps:


But for more experienced users of Windows operating systems, the "System Configuration" utility and two registry keys may not be enough, since they do not show what was loaded with the system besides startup programs and system services. To find out about all the processes that were started with your system, the Autoruns utility from Sysinternals will help you.

Working with the Autoruns utility

Autoruns by Mark Russinovich and Bryce Cogswell checks more autostart locations for programs configured to run during the boot or login process than any other autorun monitoring program. Version 8.61 is now available and can be downloaded from the following link. The program is absolutely free, and one of its advantages is that all programs are displayed in the order in which the operating system processes them. In fact, such programs can be located not only in the Run sections, but also in RunOnce, ShellExecuteHooks, ContextMenuHandlers and other sections of the system registry. The program can be used on both 32-bit and 64-bit Windows operating systems.

When you run this utility for the first time, a license agreement dialog box will appear. Read it and click the "Agree" button.

After loading the current program, you will see applications configured to start automatically, where you can find the names of the applications and registry keys that store information about their launch, a brief description of the application, publisher, and the path to the file or library to launch.

The items that Autoruns displays belong to several categories, which can be viewed on the program's 18 tabs. In this article we will not consider each tab, but it is worth noting that the categories include: objects that are automatically launched when you log in, Explorer add-ons, Internet Explorer add-ons, scheduler tasks, application initialization DLLs, early boot objects, Windows services, and much more.

On each tab you can:

  • launch any selected application by double-clicking on the program name;
  • open the registry key that contains the application startup settings by double-clicking the line with the registry key or selecting the "Jump to" command from the context menu;
  • open the properties dialog of the selected object (to do this, select the "Properties" command from the context menu);
  • open Process Explorer on the "Image" tab for the selected object, as well as find information about the object you are interested in;
  • disable an object that starts automatically by unchecking the corresponding box;
  • delete an object using a context menu command or the "Delete" button;
  • view auto-launch items for other user accounts by selecting the desired item in the "User" menu.

By default, Autoruns displays all applications and libraries that start automatically with the operating system. To display only those applications that are registered in the registry keys \Software\Microsoft\Windows\CurrentVersion\Run, go to the "Logon" tab.

In addition to the applications that start automatically with the operating system, you can view all the tasks that the scheduler runs when you boot or log in. To do this, go to the "Scheduled tasks" tab. On this tab, selecting the "Jump to" context menu command or double-clicking a specific object opens the "Task Scheduler" snap-in with the specified task.

You can save startup objects by clicking the "Save" button on the toolbar or by selecting this command in the "File" menu. The report will be saved with the extension *.arn or *.txt. To load previously saved Autoruns data, use the "Open" command in the "File" menu.

Using the Autoruns utility to manage autorun objects using the command line

If you prefer to work with the console, you can also use the command-line commands of the Autoruns utility. With them, you can perform the same actions as with the Autoruns utility, only from the command line, outputting information to a console window or redirecting the command output to a text file. Because this utility can only be opened from the command line, follow these steps to work with it:

  1. Open a command prompt as administrator;
  2. Go to the folder where you downloaded the Autoruns utility, for example “C:\Program Files\Sysinternals Suite\”;
  3. Run the utility with the required parameter.

The following options are available:

A - display all autorun elements;
B - display objects that are loaded in the early stages of system boot;
C - export the displayed data to a CSV file;
D - display application initialization DLLs;
E - display Windows Explorer extensions;
G - display Windows sidebar and desktop gadgets;
H - display Hijacks elements;
I - display Internet Explorer add-ons;
K - display known DLLs;
L - display elements that are launched automatically when you log in;
M - do not display objects with a Microsoft digital signature;
N - display Winsock protocol providers;
O - display codec elements;
P - display print monitor drivers;
R - display LSA security providers;
S - display services in automatic startup mode and drivers that are not disabled;
T - display task scheduler elements;
V - verify digital signatures;
W - display Winlogon elements;
X - export the displayed data to an XML file;
User - display automatically launched objects for the specified user account.

For example, if you only need to view items that automatically start at logon, use the utility with the -l option, as shown below:

Conclusion

This article explains how to configure the items that automatically start applications when you boot and sign in to the Windows operating system. It briefly describes the process of loading the Windows 7 operating system and discusses how to work with and monitor autorun using the "System Configuration" system utility, how to change autorun elements using the system registry, and the principles of working with the Autoruns application and the console version of Autoruns from Sysinternals. With the help of the information contained in the article, you can correctly configure the startup applications of your operating system.

Autorun (autoload) of programs is a tool that quickly creates the user's desired working environment without human intervention by automatically starting a pre-prepared set of programs. The vast majority of modern home computers constantly run many automatically started programs whose existence users have no idea about. Nor do they have any idea where these programs came from, why they are needed at all, and who really needs them. For most users this is not so important until problems arise: increased resource consumption (the computer begins to "slow down"), excessive Internet traffic, advertising spam, virus infection, or loss of documents, passwords, and money.

With the development of computer technology, automatic startup capabilities gradually expanded and reached such a level that a serious need arose for user control over autostart processes. After all, today almost any program, from software supplied by computer hardware manufacturers to free application software, tries to please the user with constant updates, offers of discounts for switching to paid products, advertising, and so on. In addition, such not very desirable software can often collect information about the user and send the data over the Internet to an unknown recipient at an unknown destination. Therefore, autorun monitoring is becoming increasingly popular among users of computer systems. Standard Windows tools, such as the msconfig.exe utility or the modified Windows 10 Task Manager with its “Startup” tab, are better than nothing, but software products that can monitor the maximum number of startup elements and let you simply, conveniently and safely manage automatically starting processes, from drivers to scripts and application programs, are becoming more popular among knowledgeable users.

General information about the Autoruns program.

Autoruns is a free utility from the Sysinternals Suite in the Windows Sysinternals section from Microsoft, designed to control autorun in the Windows environment. The utility has a wider range of capabilities than the MSConfig utility, which is included with standard Windows software.

You can download the program either as part of the Sysinternals Suite package or as a separate archive using the links on the pages of the Windows Sysinternals section of the Microsoft TechNet resource. The program does not require installation: just download the Autoruns.zip archive, unpack it into any folder, and run the executable file autoruns.exe or autoruns64.exe (64-bit Windows only). The archive contains the English-language documentation autoruns.chm, the text file eula.txt with a short description and the license agreement, and the 32-bit and 64-bit executable files of the Autoruns GUI utility and of the Autorunsc command line utility.

Autoruns is one of the most popular products in the Sysinternals Suite package for system administration and research, and perhaps the most informative and convenient tool for tracking the points from which processes are launched automatically in Windows, including hidden or unusual ones that are often used by viruses and other malicious software (malware). Autoruns shows you which programs are configured to run during the boot process, when users log in, and when other system events occur, and it displays the automatically started programs in the order in which they start.

Finding and eliminating malicious software that has entered the Windows environment is one of the main areas of using Autoruns.

The program lets you get a full list of autostart locations, identify where they are, explore the launch methods and sequence, detect hidden entry points, and also block, if you choose, the autostart of an unnecessary process. The enormous capabilities and ease of use of this utility have made Autoruns a necessary part of the toolkit for practical system research.

To realize all the potential capabilities of Autoruns, the utility must be run under an account with administrator rights. In addition to working in the environment of the active operating system (the OS in which you are working), you can use the utility to analyze the autorun points of another OS, whose system directory and user profile directory can be selected using the main menu (File - Analyze Offline System).

After running the executable Autoruns.exe, the main program window will appear on the screen:

The program interface consists of five parts: the menu bar, the toolbar, the tabs that filter autorun sources, the data output area in the form of a list whose rows have fixed fields describing the automatically starting process, and an area at the bottom of the screen that details the properties of the selected process.

The list of autorun points is displayed in the order in which Windows processes them during the boot and user logon process. By default, the Everything tab opens, displaying all possible autorun points in the main window in accordance with the options set under the Options item of the main menu. As options (information display parameters), you can select:

Include Empty Location - show empty sections. Typically, this option is disabled.
Hide Microsoft and Windows Entries - hide startup points for Microsoft products and Windows processes.
Hide Windows Entries - hide autorun points used by Windows itself.
Verify Code Signature - check the digital signatures of software modules. The verification status is displayed in the Publisher column and can be Verified (the check passed) or Not Verified (the check failed). Internet access is required to verify digital signatures.

When changing display parameters, you need to refresh the screen (click F5).

Information about autorun points in the data window is divided into several columns:

Autorun Entry - the program name. Each program is accompanied by its startup point (registry key, startup folder, scheduler task folder). Each executable file entry has a checkbox that enables or disables its autorun. A checkmark in front of the name means that the process will be launched; if it is absent, the process is blocked. If the blocked process is already running, disabling autorun takes effect at the next system reboot. Blocking can mean disabling a driver or service through the registry, deleting a shortcut from the startup folder, or disabling a scheduler task.
Description - a brief description of the automatically launched process.
Publisher - the author of the program. The result of the digital signature check can be displayed as part of the Publisher column (Verified or Not Verified). The presence and reliability of a digital signature is a sign that the process is not malicious. An unreliable or absent digital signature should, as a rule, draw attention to the entry. However, an unsigned file is not always a virus or other unwanted software, since a digital signature is not a mandatory standard for software manufacturers.
Image Path - the path and name of the executable file.

The Autoruns program divides all autorun elements into groups corresponding to various autorun categories. The category is selected by selecting the desired tab:

Everything- all autorun points known to the Autoruns utility are displayed.

Logon - displays information about autorun elements associated with the initialization of user profile settings by the Winlogon system service (Userinit), the user shell (Shell), and the various programs launched during the logon process through the Startup folder and the registry keys Run, RunOnce, Load, etc. In the latest versions of Autoruns, a User item has been added to the main menu; it lets you switch to displaying the autorun points of individual users or system accounts (Local System, Network, etc.). If you select a different account type, the list of autorun points on the "Logon" tab will change.

Explorer - displays information about Windows Explorer shell extensions and the executable modules of event handlers (Shell Execute Hooks).
Malware often inserts its own entries into this group of autorun elements, which gives it the ability to control the infected system. The most common cases:

- Adding an entry to the registry key that autoruns programs for the current user:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- The same technique for all users:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Adding a file, or a link to a virus file, to the Startup folder
- Adding an entry to the Winlogon service parameters section

The registry key used to initialize the user profile is
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
which by default holds the string value
C:\WINDOWS\system32\userinit.exe,
The value ends with a comma, and Windows will automatically launch any programs that are listed after this comma. For example, the entry C:\WINDOWS\system32\userinit.exe,%TEMP%\svchost.exe ensures that, in addition to the standard userinit.exe program, svchost.exe is also launched, a file that should never be located in the \TEMP temporary files folder or launched from this group of autorun points at all. Everything written after userinit.exe needs to be deleted: such entries launch malicious programs.
userinit.exe performs the user profile initialization sequence and launches the shell, which in the Windows environment is Explorer (Explorer.exe). Explorer implements the graphical user interface (GUI): the desktop and the tools for working with shortcuts, folders, files, etc. If Explorer.exe fails to start, the user gets a blank desktop without any controls.

To start the user shell, the data from the following registry key is used:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
The standard string value of this key is Explorer.exe. If it is different, then most likely there is a viral infection.
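The Userinit and Shell checks described above can be automated. The following is an added example, not part of the original article: it compares both values with the defaults the article gives and reports everything else. The function names, the C:\WINDOWS system root and the sample values are assumptions of this example.

```python
# Added example (not from the original article): audit the Winlogon
# Userinit and Shell values against the defaults stated in the text.
import ntpath
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SYSTEM_ROOT = r"C:\WINDOWS"  # assumption; pass system_root to override
EXPECTED_SHELL = "explorer.exe"

# Constructed sample: the tampered Userinit value quoted in the article.
SAMPLE_VALUES = {
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,%TEMP%\svchost.exe",
    "Shell": "Explorer.exe",
}


def _norm(path):
    """Drop quotes and whitespace, collapse the path, ignore case."""
    return ntpath.normpath(path.strip().strip('"')).lower()


def audit_userinit(value, system_root=DEFAULT_SYSTEM_ROOT):
    """Report a missing standard entry and every extra comma-separated entry."""
    expected = _norm(ntpath.join(system_root, "system32", "userinit.exe"))
    entries = [e.strip() for e in value.split(",") if e.strip()]
    findings = []
    if expected not in [_norm(e) for e in entries]:
        findings.append("standard userinit.exe entry is missing")
    for entry in entries:
        if _norm(entry) != expected:
            findings.append("extra program in Userinit: " + entry)
    return findings


def audit_shell(value):
    """The article's rule: any Shell value other than Explorer.exe is suspect."""
    if value.strip().strip('"').lower() == EXPECTED_SHELL:
        return []
    return ["Shell is not Explorer.exe: " + value]


def audit_winlogon(values, system_root=DEFAULT_SYSTEM_ROOT):
    """Run both checks on a dict holding the Userinit and Shell strings."""
    return (audit_userinit(values.get("Userinit", ""), system_root)
            + audit_shell(values.get("Shell", "")))


def read_winlogon_values():
    """Read both values from the live registry (Windows only)."""
    import winreg
    # KEY_WOW64_64KEY makes a 32-bit Python read the native 64-bit view.
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY, 0, access) as key:
        return {name: winreg.QueryValueEx(key, name)[0]
                for name in ("Userinit", "Shell")}


if __name__ == "__main__":
    if sys.platform == "win32":
        import os
        values = read_winlogon_values()
        root = os.environ.get("SystemRoot", DEFAULT_SYSTEM_ROOT)
    else:
        values, root = SAMPLE_VALUES, DEFAULT_SYSTEM_ROOT  # offline demo
    for finding in audit_winlogon(values, root) or ["no findings"]:
        print(finding)
```

On Windows the script reads the live registry; elsewhere it runs on the constructed sample and reports the %TEMP%\svchost.exe entry.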

Malicious programs can also use one-time autorun points (RunOnce, RunOnceEx parameters), rewriting the contents of these registry keys after each reboot or user registration.

Additional information about a suspicious file can be obtained through an Internet search (menu Entry - Search Online) or via the right-click context menu. The easiest way is to send the suspected file to be checked by online scanners, for example on the website VirusTotal.com.

Internet Explorer - displays a list of browser helper objects (BHO - Browser Helper Objects), Internet Explorer (IE) control panel elements, registered ActiveX elements, and additional modules (plugins) built into the Internet browser.

Exploiting vulnerabilities in Internet browsers is one of the most common methods of virus infection. A modern browser is actually a complex software package, a kind of interpreter of the content received from the pages of visited sites, and in addition it is a software product whose properties can be expanded or changed using settings and additional software modules, including those implemented by third-party developers. These properties of Internet browsers are also used by malware creators. In addition to viruses, various unwanted software modules can be added to the browser that replace the search engine, download advertising, track user actions, replace the home page, and so on. In most cases, a sign of unwanted software is an unknown publisher, information about which is displayed in the Publisher column.

Services - displays a list of system services automatically loaded by Windows. System services are loaded before user logon in accordance with the settings determined by the registry keys

HKLM\SYSTEM\CurrentControlSet\Control

HKLM\SYSTEM\CurrentControlSet\Services

Services that do not have a description, a digital signature, or have an invalid digital signature should be checked first. An additional sign of unreliability can be the service starting from an unusual place - the temporary files directory \TEMP, user profile directories, a directory with a strange name. The executable files of the vast majority of system services are located in the \WINDOWS\System32 folder.
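The triage order described above (missing description, missing or unverified signature, unusual start location) can be expressed as a small rule set. This is an added example, not part of the original article or of Autoruns: the field names, the sample rows, the way the Verified/Not Verified marker appears in the publisher string and the list of profile directory names are assumptions.

```python
# Added example (not from the original article): rank autorun entries by
# the warning signs the article lists, over constructed sample rows.
import ntpath

TEMP_PARTS = {"temp", "%temp%", "%tmp%"}
# Assumed markers of user profile directories.
PROFILE_PARTS = {"users", "documents and settings",
                 "%userprofile%", "%appdata%", "%localappdata%"}

# Constructed rows using the columns the article describes.
SAMPLE = [
    {"entry": "Spooler", "category": "Services",
     "description": "Print Spooler",
     "publisher": "(Verified) Microsoft Windows",
     "image_path": r"C:\WINDOWS\System32\spoolsv.exe"},
    {"entry": "UpdaterSvc", "category": "Services",
     "description": "", "publisher": "(Not Verified)",
     "image_path": r"C:\Users\user\AppData\Local\Temp\svchost.exe"},
    {"entry": "ExampleTray", "category": "Logon",
     "description": "Example tray helper", "publisher": "Example Corp",
     "image_path": r"C:\Program Files\Example\tray.exe"},
]


def signature_state(publisher):
    """Classify the verification marker shown in the Publisher column."""
    text = publisher.lower()
    if "not verified" in text:
        return "not verified"
    if "verified" in text:
        return "verified"
    return "unknown"  # no signature check result recorded


def triage(entry):
    """Return the list of warning signs that apply to one entry."""
    reasons = []
    if not entry.get("description", "").strip():
        reasons.append("no description")
    state = signature_state(entry.get("publisher", ""))
    if state != "verified":
        reasons.append("signature " + state)
    path = ntpath.normpath(entry.get("image_path", "")).lower()
    parts = set(path.split("\\"))
    if parts & TEMP_PARTS:
        reasons.append("runs from a temporary files directory")
    elif parts & PROFILE_PARTS:
        reasons.append("runs from a user profile directory")
    if entry.get("category") == "Services" and "\\windows\\system32\\" not in path:
        reasons.append("service image outside \\WINDOWS\\System32")
    return reasons


def rank(entries):
    """Entries with at least one warning sign, most suspicious first."""
    flagged = [(e["entry"], triage(e)) for e in entries]
    flagged = [item for item in flagged if item[1]]
    return sorted(flagged, key=lambda item: -len(item[1]))


if __name__ == "__main__":
    for name, reasons in rank(SAMPLE):
        print(name + ": " + "; ".join(reasons))
```

An entry that matches a rule is a candidate for a closer look, not a verdict: as the article notes, unsigned files are not always malicious.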

Drivers - displays a list of drivers that are allowed to run (the Start parameter in the registry section related to the driver is not equal to 4, which means the driver is disabled). Sometimes there are serious viruses that use rootkit technologies to mask their presence in the system. In the event of such an infection, the malware installs a special driver that intercepts system calls and alters their results so as to prevent detection of its files, processes, and network connections. In serious cases, Autoruns will not help, and you will need to use special software to detect rootkits.

Scheduled Tasks - displays a list of tasks scheduled for execution by the Task Scheduler.
Sometimes malware runs by creating a special task for the Windows Task Scheduler. The Autoruns utility allows you to get a list of tasks and disable any of them.

Image Hijacks - displays information about the use of the symbolic debugger for individual processes, the list and parameters of which are specified in the registry section

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

Also displayed are the autorun points that make it possible to start executable files in addition to the command interpreter (command processor) and when any file with the .exe extension is opened.

Appinit DLLs - displays a list of all DLLs registered in the system. It is used to connect user libraries that are loaded by user32.dll.
The registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls usually does not contain any entries, but it can be used by legitimate programs as well as by malware, since it ensures that the DLL is injected into all user processes that use user32.dll. If the key contains the name of a DLL, you need to analyze the information about the publisher and the digital signature and, if necessary, perform an online check on VirusTotal.

Known DLLs - a list of DLLs that are loaded into the application programs that reference them.
The search for malicious DLLs can be performed using the same algorithm: analysis of the description, the information about the publisher, and the presence and reliability of the digital signature, and, if necessary, a check with VirusTotal.

Boot Execute - programs that should be executed early in Windows startup (for example, a scheduled disk check at the next system reboot).

Winlogon Notifications - a list of DLLs that are registered to be triggered when events occur related to user logon or logoff, startup of the screen saver, shutdown or reboot.

Winsock Providers - a list of Windows service providers for access to network functions. Typically, these are DLLs that can be loaded to allow applications to interact with network services. Sometimes antivirus or firewall libraries may be present in the list.

LSA Providers - a list of registered LSA (Local Security Authority) providers. LSA is part of the system for verifying user credentials and assigning a security context based on the user's account.

Print Monitors - a list of printer drivers that are loaded according to entries in the registry section

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors

Sidebar Gadgets - a list of gadgets installed by users of Windows 7 and later operating systems.

Office - information about additional modules of office software.

The main menu (menu bar) of the Autoruns program.

The purpose of some menu items in the Autoruns utility is discussed above.

Main menu items File

Find - search for text in the current Autoruns output window.
Load - open a previously saved Autoruns report from a file.
Save - save the current Autoruns log.
Compare - compare the current Autoruns report with a previously saved one. Allows you to quickly identify new startup elements that have appeared since the comparison report was saved. New elements are highlighted in green.

Main menu items Entry

All items of the Entry menu refer to the report item selected on the current Autoruns screen. All options are also available from the right-click context menu.

Delete- Remove autorun item. It is impossible to restore a deleted element using the Autoruns utility itself. Thoughtlessly deleting critical startup elements can lead to system crash. In order not to delete an element, but only to block it, you need to reset the checkbox (uncheck it) in the first column of the line of this element.
Copy- Copying the data of the selected line to the clipboard.
Verify- Check the digital signature of the selected element.
Jump to- as in most Sysinternals products, allows you to quickly navigate to the registry section or Windows directory that is associated with a given autorun point. A very convenient mode that allows you to save time and nerves when analyzing information. The transition can also be performed by double-clicking on the selected element.
Search Online- Autoruns will launch an Internet browser and use it to search for information about the autorun point associated with the current report item. We use a search mechanism for which we configure the browser, for example, Yandex search
Properties- Display properties of the executable file of an automatically started process.
Process Explorer- Run the Process Explorer utility from Sysinternals to monitor the activity of the selected process. Process Explorer must be present on the system and must be launchable through the PATH environment variable.

Autorunsc is a variant of Autoruns for use on the command line.

Autorunsc is a command line variant of Autoruns. Convenient to use for collecting and processing data about automatically running processes on remote computers, to track changes in autorun, etc.

Command line format:

autorunsc [-a[*][b] [c] [d] [e] [g] [h] [i] [k] [l] [-m] [-o] [-p] [-r] [-s] [-v] [-w] [[-z ] | [user]]]

Command line options:

* show all elements;
-b objects executed in the early stages of loading;
-c write the output to a CSV file;
-d application initialization DLLs;
-e Explorer add-ons;
-g sidebar mini-applications (gadgets);
-h image file interceptors (Image hijacks);
-i additional Internet Explorer components;
-l Items that automatically start when you log in (this is the default);
-m do not show items digitally signed by Microsoft;
-n Winsock protocol providers;
-p print monitor drivers;
-r LSA providers;
-s services in automatic startup mode and drivers not disabled;
-t scheduled tasks;
-v check digital signatures;
-w Winlogon elements;
-x print output in XML format;
-z set an inactive Windows system to scan;
user show startup objects for the specified user account.

Examples of using:

autorunsc /?- display a hint on how to use the program.

autorunsc -a *- display all autorun elements in this system.

autorunsc64.exe -a * |find /i "adobe"- display all startup elements associated with Adobe software products.

autorunsc -a b- display autorun elements associated with loading this system.

autorunsc -s *- display information about automatically starting services and drivers.

autorunsc -s * > services.txt- the same as in the previous example, but with writing the results to a text file.

autorunsc64.exe -a w -m- display information about startup items for Winlogon, excluding entries for Microsoft software products.

autorunsc64.exe -a w -x- the same as in the previous example, but with the results presented in XML format.

    One of the main purposes of Autoruns is to find and neutralize malicious software. Powerful capabilities for examining and neutralizing startup elements make it easy to deal with an infection that has entered the system. Any virus that is deprived of the ability to run automatically becomes completely harmless, like a regular text file stored on a computer.

If you are unsure about any autorun item listed in the Autoruns output list, try conducting detailed research using the following techniques:

- Analyze the description, the information about the publisher, and the presence and reliability of the digital signature.
- Double-click on the item being examined and check its autostart point in the registry or file system directory.
- Use the context menu item Search Online or the keyboard shortcut CTRL+M to look up more information about the item on the Internet.
- If you have a saved log of previous sessions, compare the current data with the saved ones (menu File-Compare).
- Submit your file for online verification by VirusTotal.com. If the file is malicious, with a high degree of probability, the VirusTotal service will confirm this fact.
- For a detailed analysis of the activity of a suspicious process, use a related utility from Sysinternals. You can directly call the utility through the context menu item for the selected autorun item.
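The comparison with a saved log and the signature check from the list above can also be scripted over two reports written by autorunsc with the -c option and signature checking enabled. The following Python is an added example, not part of Autoruns or of the original article; the CSV column names are assumed from the autorunsc header row, and both sample reports are constructed.

```python
import csv
import io

# Column names are assumed to match the header row autorunsc writes with -c;
# compare them with the first line of your own report before relying on this.
KEY_COLUMNS = ("Entry Location", "Entry", "Launch String")

# Constructed sample reports (not real output): a saved baseline and a later scan.
BASELINE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
20240101-10:00:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0,C:\Windows\system32\SecurityHealthSystray.exe
20240101-10:00:00,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Opera Launcher,enabled,Logon,PC\alice,Browser launcher,(Verified) Example Vendor,Example Vendor,c:\program files\opera\launcher.exe,100.0,C:\Program Files\Opera\launcher.exe
"""
CURRENT_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
20240301-09:30:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0,C:\Windows\system32\SecurityHealthSystray.exe
20240301-09:30:00,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Opera Launcher,enabled,Logon,PC\alice,,,,File not found: C:\Program Files\Opera\launcher.exe,,C:\Program Files\Opera\launcher.exe
20240301-09:30:00,HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,PC\alice,,(Not verified) Example Corp,Example Corp,c:\users\alice\appdata\roaming\upd\upd.exe,1.0,C:\Users\alice\AppData\Roaming\upd\upd.exe
"""


def load_report(csv_text):
    """Parse autorunsc CSV text into dict rows, skipping rows without an entry name."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if (row.get("Entry") or "").strip()]


def entry_key(row):
    """Identity of an autostart entry: where it is registered and what it launches."""
    return tuple((row.get(col) or "").strip().lower() for col in KEY_COLUMNS)


def flags_for(row):
    """Reasons a row deserves a closer look, mirroring the GUI colour coding."""
    reasons = []
    image = (row.get("Image Path") or "").strip().lower()
    signer = row.get("Signer")
    if image.startswith("file not found"):
        reasons.append("file-missing")      # yellow rows in the GUI
    elif signer is not None and not signer.strip().lower().startswith("(verified)"):
        reasons.append("unsigned")          # pink rows in the GUI
    return reasons


def triage(baseline_text, current_text):
    """Return (entry name, reasons) for new, unsigned or dangling entries."""
    baseline = {entry_key(row) for row in load_report(baseline_text)}
    findings = []
    for row in load_report(current_text):
        reasons = flags_for(row)
        if entry_key(row) not in baseline:
            reasons.insert(0, "new")        # what File-Compare highlights in green
        if reasons:
            findings.append((row["Entry"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(BASELINE_CSV, CURRENT_CSV):
        print(f"{name}: {', '.join(reasons)}")
```

An entry whose launch string changes between the two reports is reported as new, because the launch string is part of the comparison key.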

Today, Autoruns, supported by its developers for many years, is one of the most effective programs for controlling autoruns. However, real-time autorun monitoring programs are becoming increasingly popular. Such programs start automatically and constantly monitor the state of startup elements, taking action when any software tries to “register” for automatic start. The main disadvantages of such programs are the increased consumption of system resources and the inability to fully control all autorun elements. Examples of monitoring programs are the free Anvir Task Manager, characterized by increased resource consumption, and PT Startup Monitor, which is less voracious but significantly inferior in capabilities.

Instructions

Insert the disc into the drive and wait for the information to load on it. When the program autorun window appears, select the desired action. If this window does not appear when you start the disk, it means it was blocked for various reasons. In this case, launch it manually.

Open “My Computer” and select the drive with the disk you need and double-click on it with the left mouse button. If no changes have occurred this time, right-click on it and select “Open” from the context menu. A disk browsing window will appear - find autorun.exe among the files and folders and double-click on it with the left mouse button.

If you need to install any program that is located on your hard drive or removable drive, open the directory and find autorun.exe in it and run it, after which you will see the main installation menu. Please note that in some cases, autorun may not start due to the use of a limited account on the computer.

If you are logged into the operating system under an account with limited rights, right-click on the autorun file and select the “Open as administrator” context menu item. You will see a window where you will need to enter a password, if one was set when you initially configured the operating system settings.

Log into the operating system under an administrator account, open the directory containing AutoRun, and launch it. Sometimes problems when opening an autorun may be due to the fact that the media or drive does not cope well with reading discs. Try copying it from the disk to your computer along with the rest of the content, or downloading another distribution of the program or game.

Helpful advice

Disable autostart on your computer. This will help avoid viruses from removable media.

If you need to create a startup file for a disk or for any other purpose, it is not necessary to resort to specialized programs. The simplest autorun file can be made in a text editor without any additional knowledge. The autorun file (Autorun.inf) is used by Windows to automatically launch an application.
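To check the advice above against a particular disk, the following Python lists the programs an Autorun.inf asks Windows to start and tells whether the NoDriveTypeAutoRun policy still leaves autostart enabled for that drive type. It is an added example, not from the original article; it assumes the policy value has already been read from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, and the sample Autorun.inf is constructed.

```python
# Drive-type bits of the NoDriveTypeAutoRun policy value; a set bit switches
# AutoRun off for that drive type (0xFF switches it off for all of them).
DRIVE_BITS = {
    "removable": 0x04,
    "fixed": 0x08,
    "network": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
}

# Constructed sample, typical of an installer disc.
SAMPLE_INF = r"""[AutoRun]
open=setup.exe /silent
icon=setup.exe,0
label=Installer
shell\install\command=setup.exe
"""


def parse_autorun_inf(text):
    """Collect key/value pairs of the [autorun] section (names are case-insensitive)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                        # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Keep only the keys that start a program: open, shellexecute, shell\\verb\\command."""
    return {
        key: value
        for key, value in entries.items()
        if key in ("open", "shellexecute")
        or (key.startswith("shell\\") and key.endswith("\\command"))
    }


def autorun_allowed(policy_value, drive_type):
    """True if the policy bitmask leaves AutoRun enabled for this drive type."""
    return not (policy_value & DRIVE_BITS[drive_type])


def audit(inf_text, policy_value, drive_type):
    """Summarise what the file would launch and whether the policy permits AutoRun.

    Only the policy bitmask is evaluated; other AutoRun restrictions built
    into the operating system are not modelled here.
    """
    return {
        "commands": launch_commands(parse_autorun_inf(inf_text)),
        "policy_allows_autorun": autorun_allowed(policy_value, drive_type),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_INF, 0x91, "removable"))
    print(audit(SAMPLE_INF, 0xFF, "removable"))
```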

You will need

  • Any text editor.

Instructions

After you have downloaded the required Windows version, format your flash drive. After that, download the UNetbootin program. It will help you write Windows to the drive. After downloading, install the program on your computer and launch it. Find the "Disk Image" line and select the ISO value. Opposite the “File image” line there is a file browsing button. Click this button and enter the path to the Windows image.

Find the “Type” line in the program window and specify the value “USB device”. Opposite the “Media” line, select the flash drive on which Windows will be installed, and then click OK. The process of writing the operating system to the flash drive you specified will begin. When the process finishes, Windows will be installed on the flash drive.

Now enter the BIOS and enable the ability to boot from a USB drive. Also select the flash drive as the first source for starting the system. Save the BIOS settings and exit. The computer will reboot and the process of starting the operating system from the flash drive will begin.

It is completely natural for users to try to speed up the startup and operation of the Windows operating system installed on their computer. Because the system’s own tools do not allow complete and fine tuning of parameters, many special applications have been developed for this purpose. One of the most interesting is Autoruns. How to use the program and all of its capabilities in the Windows environment is discussed below. We will also pay special attention to some important settings, since excessive zeal in disabling system components that seem unnecessary to the user can lead to the most unforeseen consequences.

What kind of program is Autoruns: main purpose

So what is this app? Based on the official description of the developer, as well as many reviews from users and specialists, the application is primarily a tool for fine-tuning the operating system by activating or disabling components that start immediately upon boot but are completely unnecessary for the average user. In addition, many note that the application can also act as a kind of informative utility that produces the most complete reports about running services and processes. In this regard, it is somewhat reminiscent of the well-known Process Explorer application. However, few people know that this application is capable of scanning the system both for the presence of virus threats and for the integrity, presence or absence of certain important files. Thus, the Autoruns program can be called both an optimizer and an antivirus. The second point is, of course, debatable, since the application issues notifications by referring exclusively to online resources with anti-virus databases, and not to generally recognized proven tools. Nevertheless, the application quite often detects hidden threats that are not detected by either standard or portable anti-virus applets.

Where can I download the application?

As for downloading the installation distribution, the most natural solution is to download the utility directly from the developer’s website. Just as often, an Internet search turns up links to the Microsoft technical support service, not to mention countless other resources on the Internet.

The application is distributed completely free of charge and includes two main components - Autoruns and Autorunsc (in the official release). However, the average user will only need the first utility.

Note: unfortunately, the Russian-language version of this system utility is not available on the official resource, so you will have to download the Russified modification from another source.

How to install Autoruns for Windows in Russian?

Now we assume that the installation package is fully downloaded.

The latest version 13.91 installer takes up just over 3.6 MB of disk space and includes the Autoruns manual as a compiled HTML help file (only in the official version). The Russian-language modification consists of just one EXE file.

To install/start the program, this executable file is used, which in Windows systems version seven and higher (unless the built-in superuser login is disabled) should be run exclusively as an administrator. It is not necessary to install the Autorunsc applet from the full release, since it is designed to work from the command line, and for the average user the usual GUI is enough. Next, you must agree to the license agreement, after which the program starts. Please note that the utility does not need to be installed in the usual sense, since it is portable.

First launch and familiarization with the interface

Finally, the program is launched. Now let's move on directly to how to use Autoruns in Russian for Windows 7 or any other version of the system.

The main window by default displays all active running processes. The main panel includes several standard menus and special tabs that are responsible for certain settings. If you have ever used the application, the obvious similarity between Autoruns and this utility is immediately apparent. The process window opens in expanded form and contains information not only about the name of the process itself, but also about the path where the files are located, information about digital signatures of publishers, installation date (time stamp) and suspicions of the possible presence of viruses (Virus Total).

Pre-configuration for users registered on the computer

Since the instructions for Autoruns are not presented in the Russian version, you can download the English package and read them in English. If there is no such desire, let's move on to directly setting up the main components. First of all, you need to select a user if there are several accounts in the system. To do this, use the corresponding menu on the top panel. However, if there is only one user who is, so to speak, his own administrator, this item may not exist.

Main Options Menu Components

When talking about how to use Autoruns.exe, you shouldn't overlook some important options for displaying system components, processes, and services. First go to the selection menu and pay attention to the default settings.

Of the first four items, it is recommended to leave only the hiding of Windows entries activated, which will prevent damage to vital components of the operating system itself. Everything else can be edited, and at the same time you can get information about possible suspected viruses.

Note: not all system processes can be run as administrator by default, so in the file menu of the Autoruns program (File), any marked process or service can be launched with elevated privileges.

Scan Options

Now you need to configure the scanning options, which will subsequently be applied to automatically detect problems with the ability to correct errors and failures, as well as activate additional controls.

To do this, in the same selection menu, you should go to the corresponding item, and in the options window, mark all lines except the first one, so that scanning is carried out not only in the location of the selected user, but also in all other places (viruses can hide anywhere). After this, you need to click the rescan button and wait for the scan results to appear.

Test results

If missing objects are detected, program warnings will be issued automatically.

So, for example, when a message appears regarding the launcher of the removed Opera browser, as in the example above, this indicates that there is an entry in the registry about this object, but the file itself is missing.

The results can be marked in different colors, and numbers are shown for them in the virus threat detection column. White highlighting indicates that everything is fine with the process, its files and additional attributes.

Pink marks objects that do not have a digital signature, and yellow marks files that are physically absent from the hard drive, for which there are still entries in the registry.

In the virus scan report, the first number corresponds to the number of suspicious threats found, and the second number corresponds to the total number of checks. Some processes may not be viruses. In addition, it is worth taking into account the errors of the verification tools themselves. You can clarify the information by clicking on the selected result, after which you will be redirected to an Internet resource containing a detailed description of the suspicious file or process.

Note: you can often find some iObit software products included in the risk group. But it is better not to touch the optimizers, protectors and uninstallers of this developer, since they are not viruses. However, if such components have red numbers in the report, it is recommended to disable them in the startup section.

How to use Autoruns: what to delete or disable in autorun?

Now let's move on to one of the most important sections - autostart of services and applications that start with Windows. The difference in comparison with the system configurator (msconfig) can be felt immediately. Autorun Manager or the startup management tool in the described utility assumes that all processes are initially displayed in the main window. To deactivate an element, simply uncheck the line containing it. But how to use Autorun Manager without accidentally disabling something important? By and large, you can deactivate almost everything, leaving only the command line, antivirus and components, for example, those related to the operation of touchpads on laptops. But if you act wisely, it is better to disable only the processes marked in pink.

To be sure, you can visit the executable applets tab when the system starts. If empty locations are shown there, you can also delete them or, if necessary, find information in an online search.

Login Components

The login tab that corresponds to the Logon process disables elements that the user does not need, but some of them can also be deactivated in the main process window. Since Windows components are not displayed (this option was disabled during the preliminary setup stage), you will not cause any harm to the system.

Explorer options

But, speaking about how to use Autoruns, special attention should be paid to the parameters of the built-in file manager, known as Explorer. Deactivating selected components on this tab allows you to remove them from the context menu, which in the operating system itself can be done either through the registry or using third-party programs. Whether to do this is up to you.

Internet Explorer Settings

Now a few words about how to use Autoruns in terms of browser settings. In principle, based on statistics, today few users use the built-in Windows browser IE or its more advanced analogue Edge, so the settings presented on this tab can be left untouched (or deleted altogether).

Scheduled tasks, started services, Office components, gadgets and printers

As for scheduled tasks, it is recommended to disable only those you know. If the purpose of the process is not known to you, it is better not to touch such components at all unless absolutely necessary. You shouldn’t experiment too much with services either. If there is such a need, disable, again, only those that you know or that are marked with threats. It is better not to edit the driver, codec, provider or image tabs.

But the MS Office launch components can be completely deactivated, since for the most part they relate exclusively to unnecessary add-ons. Finally, if you do not use print services (there are no connected printers) and side panels, all elements of the corresponding tabs can also be disabled.

And only after applying all the settings described above can you reboot the system and make sure that it starts much faster than before.

Possible errors and failures

We figured out how to use Autoruns. It remains to say a few words about possible errors and the consequences of disabling some processes. Many users complain that sometimes it becomes impossible to roll back Windows. Apparently, this is due precisely to the shutdown of the service responsible for this. When setting up, hide system components, as described above. You can also come across complaints that when services such as Mail.Ru Agent are deactivated, the program freezes. In this situation, it is advisable to first disable autostart in the applet itself. As a last resort, you can try to uninstall and then reinstall the program if you really need it and it was not installed as some kind of affiliate software. Other errors can be corrected using similar methods.

At the same time, if you want to protect yourself from the possible consequences of applying your own settings, before using the program at least make a backup copy of the registry using the export function in the editor itself (regedit). You will then be able to restore all Windows settings from the created REG file, simply rolling back from such a copy without using automatic or manual rollback with system tools.

Continuing the series of articles about freely distributed utilities, we bring to your attention an overview of the Autoruns utility, which allows you to control the startup of components, services and applications at system startup. You can download the utility at . The archive size is 139 kilobytes.

The utility does not require installation. Just unpack the archive and run autoruns.exe. An example of the utility's main window is shown in the figure below.

After launching the utility, the main window lists objects that are automatically launched when the system starts. To disable the launch of a specific object, simply uncheck the box next to its name. Disabling does not remove autorun, but only disables it. Later, you can enable autorun by returning the checkbox next to the name of the previously disabled autorun component.

To remove a component from startup, you can use the context menu, which is called up by right-clicking on the object name, or select the object and press Ctrl+D.

To view the shortcut that launches an application or the registry key that launches it, you can use the menu item Entry > Jump to. Explorer or Registry Editor will open and you will be taken to the location from which the application is launched.

Autoruns makes it easy to get additional information about the application or service that is shown in the main program window. To do this, select the application you are interested in and press Ctrl+G or select Entry > Google from the menu. Autoruns will generate a query and send it to the Google search engine, the results of which can be viewed in a browser.

To view the properties of a file that is started automatically when the system boots, just highlight the item of interest in the main Autoruns window and select Entry > Properties from the menu. A file properties window will open, similar to the one that opens by right-clicking a file in Explorer and selecting Properties.

If necessary, you can view information about startup libraries, Explorer extensions, services, and libraries that are registered to receive events that occur when you log in. To obtain all this information, check one of the boxes Show AppInit DLLs, Show Explorer Addons, Show Services, Show Winlogon Notifications in the View menu. You can manage the autorun of the listed objects in the same way as described above.

Autoruns allows you to view those folders and registry keys that can be used to autostart applications, but are not currently used. To display these places, select View > Include Empty Locations from the menu.

If you have a large number of entries in the main program window, it may be useful to hide those that are digitally signed by Microsoft (View > Hide Signed Microsoft Entries). Disabling the display of such entries will allow you to quickly find an autoloading object.

The Autoruns utility can also be run from the command line. The file used for this is autorunsc.exe, which is located in the same archive as autoruns.exe. Keys for working with Autoruns from the command line are given in the documentation for the utility.

Autoruns can be very useful when “cleaning” your computer of self-installed modules that can open pages, replace the start page in the browser, when treating certain types of viruses, and when optimizing the boot speed of the system as a whole. The utility relieves the user of the need to have before his eyes a list of places from which the application can be launched when the system boots and relieves him of the need to manually check all such places.

