
Identify and remove unnecessary startup tasks with Autoruns

When it comes to what is run at startup on a Windows server, it can be difficult to determine where something is launched. A Sysinternals tool makes this task easy.

A Windows server's lifecycle can have many factors that affect the system's operating integrity. Sometimes drivers, program installations, management software, or even malware can run at startup and become difficult to remove.

Too often, we go through the normal places to look for the startup components. I've hacked through the registry, the startup folder, Windows services, and the Plug and Play device driver inventory to see where I can stop a piece of software from running. Fortunately, I now know about the Sysinternals Autoruns tool, which provides a way to see what is launched on the server in a number of locations. The Autoruns tool allows you to visually see what is running at boot and where it is being controlled; also, you have the option to turn it off in the Autoruns console. Figure A shows the boot execute section of Autoruns on a Windows Server.


Autoruns is a good complement to the netstat command, which shows you which executable is using a TCP/IP port. You can use these tools in tandem to backtrack a suspect process and remove it from startup if required.
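The tandem use described above can be scripted. The following is an added example, not part of the original article or of Sysinternals: it joins netstat output that names the owning executable with an Autoruns CSV export. Both samples are constructed, and the CSV column names and the function names are assumptions.

```python
import csv
import io
import ntpath
import re

# Constructed sample modeled on `netstat -abn` output (not from a real host).
NETSTAT_SAMPLE = r"""
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
 [updchk.exe]
  TCP    0.0.0.0:9000           0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    10.0.0.5:49712         203.0.113.7:443        ESTABLISHED
 [updchk.exe]
"""

# Constructed autorunsc CSV export; the column names are an assumption.
AUTORUNS_SAMPLE = r"""Entry Location,Entry,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,UpdateCheck,c:\programdata\upd\updchk.exe
HKLM\System\CurrentControlSet\Services,Spooler,c:\windows\system32\spoolsv.exe
"""

def sockets_by_image(netstat_text):
    """Map each owning executable (lowercased) to its (proto, local, state) sockets."""
    owners, current = {}, None
    for line in netstat_text.splitlines():
        fields = line.split()
        owner = re.fullmatch(r"\s*\[(.+)\]\s*", line)
        if fields and fields[0] in ("TCP", "UDP"):
            # UDP rows have no State column.
            current = (fields[0], fields[1], fields[3] if len(fields) > 3 else "")
        elif owner and current:
            owners.setdefault(owner.group(1).lower(), []).append(current)
            current = None
    return owners

def startup_sources(netstat_text, autoruns_csv):
    """For each executable holding a socket, list the Autoruns entries that launch it."""
    autostart = {}
    for row in csv.DictReader(io.StringIO(autoruns_csv)):
        name = ntpath.basename(row["Image Path"]).lower()
        autostart.setdefault(name, []).append((row["Entry Location"], row["Entry"]))
    # The join is by file name only, so confirm the full path before disabling an entry.
    return {exe: {"sockets": socks, "autostart": autostart.get(exe, [])}
            for exe, socks in sockets_by_image(netstat_text).items()}

if __name__ == "__main__":
    for exe, info in startup_sources(NETSTAT_SAMPLE, AUTORUNS_SAMPLE).items():
        print(exe, info["sockets"], info["autostart"])
```

An executable that holds a socket but has an empty `autostart` list was started some other way, or its startup entry points at a different image such as a service DLL.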

The Autoruns tool that TechRepublic blogger Scott Lowe wrote about in 2007 has been updated to include two new categories for Windows servers: codecs and sidebar gadgets. The 16 other core categories are available in the December 2009 version 9.57 of Autoruns. The autorunsc.exe command is also available for a command-line version of the tool; this can be a good way to set a baseline for future troubleshooting. The autorunsc.exe command is only useful for listing entries; unlike the graphical tool, it cannot remove them. Figure B shows the autorunsc.exe command output.
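A saved autorunsc listing becomes useful as a baseline once a later listing is compared against it. The following is an added example, not part of the original article or of Sysinternals: it diffs two CSV exports and reports added, removed, and changed startup entries. Both exports are constructed, and the column names and function names are assumptions.

```python
import csv
import io

# Constructed autorunsc CSV exports (baseline and a later run); column names are an assumption.
BASELINE = r"""Entry Location,Entry,Enabled,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,BackupAgent,enabled,c:\backup\agent.exe,c:\backup\agent.exe /tray
HKLM\System\CurrentControlSet\Services,Spooler,enabled,c:\windows\system32\spoolsv.exe,c:\windows\system32\spoolsv.exe
Task Scheduler,\OldInventory,enabled,c:\tools\inv.exe,c:\tools\inv.exe
"""
CURRENT = r"""Entry Location,Entry,Enabled,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,BackupAgent,enabled,c:\users\public\agent.exe,c:\users\public\agent.exe /tray
HKLM\System\CurrentControlSet\Services,Spooler,enabled,c:\windows\system32\spoolsv.exe,c:\windows\system32\spoolsv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,UpdateCheck,enabled,c:\programdata\upd\updchk.exe,c:\programdata\upd\updchk.exe
"""

KEY = ("Entry Location", "Entry")                   # identifies one startup entry
WATCH = ("Enabled", "Image Path", "Launch String")  # fields whose change matters

def load(csv_text):
    """Index an export by (location, entry); keys are lowercased because
    registry paths and entry names are case-insensitive on Windows."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple(row[k].lower() for k in KEY)
        rows[key] = {f: (row.get(f) or "") for f in WATCH}
    return rows

def diff_baseline(baseline_csv, current_csv):
    """Return entries added, removed, or changed since the baseline."""
    old, new = load(baseline_csv), load(current_csv)
    changed = {}
    for key in old.keys() & new.keys():
        delta = {f: (old[key][f], new[key][f])
                 for f in WATCH if old[key][f] != new[key][f]}
        if delta:
            changed[key] = delta
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}

if __name__ == "__main__":
    for kind, items in diff_baseline(BASELINE, CURRENT).items():
        print(kind, items)
```

An entry that keeps its name but changes its image path, like the constructed `BackupAgent` row, shows up under `changed` rather than `added`, which is the case a by-name review misses.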


If you have used Autoruns to look at what is called at startup, let us know what you think of the tool.


About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

16 comments
Randolph_67

A great tool indeed. I use it frequently, almost on a daily basis, together with Process Explorer, also from SysInternals.

cmatthews

I've preferred TCPview over Netstat for years. I like right-clicking to hard-close established sessions from malware. I use Process Explorer to suspend the app till Autoruns can track down how things keep launching. Note: A lot of malware has helper apps that act as watchdogs to make sure the malware stays running. If you kill the app, often it starts again with another name... (so suspend the app till you find out what's watching it). Don't be afraid to right-click-kill explorer.exe with Process Explorer - often BHOs are set to run with Explorer - it can be restarted from the run menu in Process Explorer afterward. For larger corporate infections, I have seen what IPs malware/viruses connect to, and was immediately able to drop packets at the gateway before things went crazy (I use older P3s as high-end routers running Endian, Smoothwall or IPcop).

mrbobyu

There is another way to track the startup programs on startup. Run: msconfig, choose the startup programs, and you can remove the programs running on startup quick and clean.

rb4711

I run one server on location and one virtual server at my service provider running client applications. The virtual server was not set up by my team, so this tool will come in handy. You do not want anything causing hiccups for your clients. The updates for sidebars are great. Thanks for sharing this information.

charlotte

The article states that Sysinternals is for servers. Can it be used on PCs? Or is there something comparable?

pgit

I'd never used much from Sysinternals until recently; a few of these TechRepublic blogs pointed me toward some of the most useful Windows tools I've seen in a long while. Thanks for this one. I have been hammering on a lot of Win boxes lately trying to minimize the startup objects, using msconfig mostly. This tool is much more effective.

ScottCopus

We use Sysinternals Autoruns a LOT in building our computer lab images at our University. It's great to be able to disable (and re-enable) ANY startup item quickly for troubleshooting purposes. It works on ANYTHING that is auto-started, such as startup shortcuts, Windows services, drivers, network libraries, printer drivers, browser helper objects & plugins, etc, etc! I also have used it to "speed up" some Windows servers that have become slow to log in. I went into Active Setup\Installed Components to disable those new-user startup checks. Some were slowing down my login and disabling a few of them really helped.

Scott

arthurkuhns

I have used Autoruns for years to speed up computers and as an aid in malware removal. Love this tool.

cmatthews

Definitely not so "quick and clean" as some sites promote. Some pros have advised against this:
http://forums.majorgeeks.com/showthread.php?t=149804
http://www.blackviper.com/AskBV/XP25.htm

From http://support.microsoft.com/kb/310560: "...System Configuration utility helps you find problems with your Windows XP configuration. It does 'not' manage the programs that run when Windows starts..."

---- clip ----
Many people use MSconfig as a long term solution to control startup processes and services. You will also see many websites condoning use of MSconfig and teaching you how to use it for controlling startups. This is a very bad idea for many reasons:

1. MSconfig was designed to be used only as a temporary debugging/troubleshooting tool. It was not meant to be used for long term solutions.
2. MSconfig does not show all startups anyway.
3. If you uninstall programs while they are being disabled with MSconfig, they will not be uninstalled properly and you will have to resort to manual registry editing to properly get everything removed. MSconfig will leave orphan entries if/when installed software is uninstalled while under the control of MSconfig. When/if MSconfig is turned back to normal startup, it will give errors on boot due to those orphan entries.
4. MSconfig and Services:
   * If you uninstall programs while you have some of the program's services being controlled with MSconfig, the programs will not be uninstalled properly and you will have to resort to manual registry editing to get everything properly removed.
   * When you uncheck a service in msconfig, you completely disable it. If you uncheck the wrong one, you may not be able to restart your computer.
   * It is safer to control services by using Control Panel, Administrative Tools, Services (this runs services.msc).
5. You can lock malware items into your registry that you may not see anymore until some point in time where you switch back to Normal Startup mode and now you can cause total reinfection of your PC with the malware. You need to remove the malware, not mask it.
--- end clip ---

I hope this helps clear the MSconfig issue ;-)

cmatthews

Suggestion: try them all. These tools do not require any install. You can try them from the live site: http://live.sysinternals.com/ or download the Winternals-Suite (zip file - about 11meg), open it and dump all files into a folder, preferably within the path (I use c:\windows). Anytime you need one, you can get it from the run menu, windows-key-R, or even from task manager (or its super-sibling: Procexp.exe).

If you find any that don't run, try an older version from:
http://www.filehippo.com/download_process_explorer/history/
http://www.filehippo.com/download_autoruns/history/

Autoruns video:
http://www.youtube.com/watch?v=gbnFXfAgi7o

Process Explorer videos:
http://www.youtube.com/watch?v=qA-VBVUxLDg
http://www.youtube.com/watch?v=hmN8usQy_QU

Interesting note: Many of these tools go back over 12 years (sad folks are just talking about them now..)

History: http://en.wikipedia.org/wiki/User:Whiteglasses/Process_explorer_history_of_changes

Rolland St-Onge

If needed to be run on client workstations, I suggest the Windows support tools that come with the CD. It's got a lot of good tools for the workstations.

Rolland St-Onge

I have some tools running on a WinXP PRO SP3 machine. Haven't tried all, but some work fine.

dave

Used this tool many, many times. Can even disable some malware.

S. Giesbrecht

Love it. I use it to clean up unwanted apps (including virus/malware).

michaelsaltmarsh

Couldn't agree more :D This with Process Explorer, and to the extreme a BartPE disk, works wonders in an XP environment. Works well with Vista too, but I haven't had a chance to try it on Windows 7 yet, haven't really had a need ;D