Tracking

Apr 15, 2008

How To Identify Programs That Slow Down Your Computer During Startup



Many tools will dig through your computer looking for startup programs but
end up incomplete, missing some of the locations where a program can hide.
Fortunately a tool called Autoruns exists that hunts down every program that
starts automatically during boot or when you log on.



Autoruns is a Windows utility from Sysinternals that shows you which programs
are configured to run automatically (auto start) during system boot or logon.
The locations it covers include your Startup folder, the Run and RunOnce
Registry keys and many other Registry keys, browser add-ons and Explorer shell
extensions. These are the same locations malware uses to survive a reboot, so
the list is worth reading for more than startup speed.



Autoruns works on all current versions of Windows, including Windows XP and
the 64-bit edition of Server 2003 (x64), and can be downloaded from the
Microsoft TechNet site (formerly Sysinternals). As of this article it is
unknown whether Autoruns is supported on Windows Vista.



Once downloaded, unzip the contents into a folder and run autoruns.exe from an
administrator account; otherwise machine-wide locations such as Services and
Drivers cannot be read in full. The first tab Autoruns displays, Everything,
lists every autostart entry it found on your computer.



Autoruns has 15 tabs that break the list down by the area a program starts
from, such as Internet Explorer, Services and Logon.



Autoruns Modes

Three options in the Options menu control what is displayed:

Include Empty Locations - also shows the known autostart locations that
currently contain no entries, so you can see everywhere Autoruns looked. Off
by default.

Verify Code Signatures - on systems that support image signature
verification, Autoruns checks the digital signature of each image and shows
the result next to the program name. "(Not verified)" marks an image whose
signature could not be verified; an entry whose file does not exist is
flagged as file not found in the Image Path column.

Hide Microsoft Entries - omits images that come from Microsoft. With Verify
Code Signatures turned off, this filter trusts the company name in the file's
version information, which any file can claim; turn verification on so that
only images carrying a valid Microsoft signature are hidden.

After changing an option, refresh the list with Refresh (F5) under the File
menu.



Autoruns Features

Right-clicking an entry gives you a context menu. You can Search Online for a
program you do not recognize, Jump To the location of the entry, such as its
Registry key or the Startup folder, or display the Properties of the selected
item. If Process Explorer is also running, Autoruns will switch to Process
Explorer and show process information for the selected program, provided
that program is currently running.



One feature that makes Autoruns stand out from other utilities is the ability
to save a snapshot of all entries and compare it with the current state after
installing an application or making configuration changes. Select Save from
the File menu before the change, then Compare from the same menu and pick the
saved file afterwards; items displayed in green are new since the snapshot.
Keep a snapshot from a freshly built machine and the comparison will also
show you anything that has added itself since.
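The Logon locations, signature verification and snapshot comparison described above can be reproduced in a few lines of PowerShell. The script below is an added example and is not Autoruns or Sysinternals code; it assumes Windows PowerShell 3.0 or later, and the snapshot file location under %TEMP% is an assumption. It covers only the Run/RunOnce keys and Startup folders, a small subset of what Autoruns scans, but it shows the two points that matter: hide an entry only when its signature actually verifies as Microsoft, and diff a saved snapshot against the live state.

```powershell
# Added example (not Autoruns or Sysinternals code): enumerate the Logon
# autostart locations, check each image's Authenticode signature, hide only
# entries with a *verified* Microsoft signature, and diff two snapshots.
# Assumes Windows PowerShell 3.0 or later; the snapshot path is an assumption.

function Get-LogonAutostart {
    # Registry Run/RunOnce keys for the machine and the current user.
    # Wow6432Node holds 32-bit entries on x64 and is absent on 32-bit Windows.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Location = $key; Entry = $p.Name; Command = [string]$p.Value }
        }
    }
    # Startup folders for the current user and for all users.
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -LiteralPath $folder -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                [pscustomobject]@{ Location = $folder; Entry = $_.Name; Command = $_.FullName }
            }
    }
}

function Get-ImagePath([string]$Command) {
    # Pull the executable out of a command line: a quoted path, or everything
    # up to the first argument. Unquoted paths containing spaces are cut short,
    # which is exactly the case Autoruns handles better than this helper.
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(\S+)')     { return $Matches[1] }
    return $c
}

function Add-SignatureInfo {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        $path   = Get-ImagePath $Entry.Command
        $status = 'File not found'
        $signer = ''
        if (Test-Path -LiteralPath $path) {
            # Only embedded signatures are checked here; Windows files signed
            # through a catalog can report NotSigned even though Autoruns would
            # verify them, so NotSigned means "inspect", not "malicious".
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $Entry |
            Add-Member -NotePropertyName ImagePath -NotePropertyValue $path   -PassThru |
            Add-Member -NotePropertyName Signature -NotePropertyValue $status -PassThru |
            Add-Member -NotePropertyName Signer    -NotePropertyValue $signer -PassThru
    }
}

# "Hide Microsoft Entries" done the safe way: drop an entry only when its
# signature verified AND the signer is Microsoft. A company name typed into a
# file's version resource proves nothing.
$all = Get-LogonAutostart | Add-SignatureInfo
$all | Where-Object { -not ($_.Signature -eq 'Valid' -and $_.Signer -like '*O=Microsoft Corporation*') } |
    Format-Table Entry, Signature, ImagePath -AutoSize

# Snapshot before a change, then compare after it. Rows marked "=>" exist only
# in the new state, the equivalent of the green entries in Autoruns' Compare.
$snapshot = Join-Path $env:TEMP 'autostart-before.csv'     # assumed location
$all | Export-Csv -NoTypeInformation -Path $snapshot
# ... install the application or change the configuration, then:
$before = Import-Csv -Path $snapshot
$after  = Get-LogonAutostart | Add-SignatureInfo
Compare-Object $before $after -Property Location, Entry, Command |
    Where-Object { $_.SideIndicator -eq '=>' }
```

Run the first half, make the change you want to test, then run the last four lines in the same session; HKCU entries belong to whoever is logged on, so take the snapshot from the same account you compare with.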



Word Of Caution

When troubleshooting slow startups or logon problems, isolate one program at
a time by clearing its checkbox, which disables the entry without deleting
it, then reboot and test. Document every change in the order you made it
before testing and BACK UP all personal data. Although you can delete
entries, do not delete unless you are certain what the entry is: a disabled
entry can be re-enabled by ticking the box again, a deleted one cannot.




Tab Definitions

Logon - the standard autostart locations: the Startup folder for the current
user and for all users, the Run and RunOnce Registry keys, and the other
standard application launch locations.

Explorer - Explorer shell extensions, browser helper objects, Explorer
toolbars, Active Setup executions and shell execute hooks.



Internet Explorer - Browser Helper Objects (BHOs), Internet Explorer toolbars and extensions.



Services - all Windows services configured to start automatically when the system boots.



Drivers - This displays all kernel-mode drivers registered on the system except those that are disabled.



Scheduled Tasks - Task Scheduler tasks configured to start at boot or logon.



AppInit DLLs - DLLs registered as application initialization DLLs, which are loaded into every process that loads User32.dll.



Boot Execute - native images (as opposed to Windows images) that run early during the boot process, before the Win32 subsystem is up.



Image Hijacks - Image File Execution Options and command prompt autostarts. An Image File Execution Options entry names a "debugger" that Windows launches in place of the program, so an unexpected entry here means something is intercepting that program.



Known DLLs - this reports the location of DLLs that Windows loads into applications that reference them.



Winlogon Notifications - shows DLLs that register for Winlogon notification of logon events.



Winsock Providers - registered Winsock protocols, including Winsock service
providers. Malware often installs itself as a Winsock service provider
because few tools can remove one cleanly. Autoruns can uninstall them, but
cannot disable them.



LSA Providers - registered Local Security Authority (LSA) authentication, notification and security packages.



Print Monitors - DLLs that load into the print spooling service. Malware has
used this mechanism to autostart itself.
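The tabs above that people rarely look at by hand (AppInit DLLs, Image Hijacks, Winlogon Notifications, LSA Providers, Print Monitors, and the auto-start Services and Drivers) are the ones worth checking with a script when Autoruns is not to hand. The script below is an added example, not Autoruns code; it walks those Registry locations, normalises the several ways a path can be written in them, and reports every image that is missing or does not carry a verified embedded signature. It assumes Windows PowerShell 3.0 or later running as Administrator, and the key paths are the documented ones for Windows XP/Server 2003; the Winlogon\Notify key does not exist on later versions and is simply skipped.

```powershell
# Added example (not Autoruns code): walk the less obvious autostart locations
# and report images that are missing or lack a verified embedded signature.
# Assumes Windows PowerShell 3.0 or later, run as Administrator so HKLM\System
# is fully readable. Key paths are the standard XP/2003-era locations.

function Get-DeepAutostart {
    $nt = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'
    $cs = 'HKLM:\System\CurrentControlSet'

    # AppInit_DLLs: a space- or comma-separated list loaded into every process that loads user32.dll.
    $appinit = (Get-ItemProperty -Path "$nt\Windows" -ErrorAction SilentlyContinue).AppInit_DLLs
    foreach ($dll in ([string]$appinit -split '[ ,]+' | Where-Object { $_ })) {
        [pscustomobject]@{ Tab = 'AppInit DLLs'; Entry = 'AppInit_DLLs'; Image = $dll }
    }

    # Image File Execution Options: a "Debugger" value runs in place of the named program.
    Get-ChildItem -Path "$nt\Image File Execution Options" -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath).Debugger
        if ($dbg) { [pscustomobject]@{ Tab = 'Image Hijacks'; Entry = $_.PSChildName; Image = $dbg } }
    }

    # Winlogon\Notify: each subkey names a DLL that receives logon/logoff events (XP/2003 only).
    Get-ChildItem -Path "$nt\Winlogon\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DllName
        if ($dll) { [pscustomobject]@{ Tab = 'Winlogon Notifications'; Entry = $_.PSChildName; Image = $dll } }
    }

    # LSA packages are stored as bare names (REG_MULTI_SZ); the DLL lives in System32.
    $lsa = Get-ItemProperty -Path "$cs\Control\Lsa"
    foreach ($value in 'Authentication Packages', 'Notification Packages', 'Security Packages') {
        foreach ($pkg in @($lsa.$value)) {
            if ($pkg) { [pscustomobject]@{ Tab = 'LSA Providers'; Entry = $value; Image = "$pkg.dll" } }
        }
    }

    # Print monitors: the Driver value is a DLL loaded by the spooler service.
    Get-ChildItem -Path "$cs\Control\Print\Monitors" -ErrorAction SilentlyContinue | ForEach-Object {
        $drv = (Get-ItemProperty -Path $_.PSPath).Driver
        if ($drv) { [pscustomobject]@{ Tab = 'Print Monitors'; Entry = $_.PSChildName; Image = $drv } }
    }

    # Services and drivers that start without user action: Start 0 (boot), 1 (system), 2 (auto).
    # Type 1 or 2 is a kernel or file-system driver; 0x10/0x20 is a Win32 service.
    Get-ChildItem -Path "$cs\Services" -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $svc.Start -and $svc.Start -le 2 -and $svc.ImagePath) {
            $tab = if ($svc.Type -band 3) { 'Drivers' } else { 'Services' }
            [pscustomobject]@{ Tab = $tab; Entry = $_.PSChildName; Image = $svc.ImagePath }
        }
    }
}

function Resolve-AutostartImage([string]$Image) {
    # Normalise the ways a path is written in these keys: \??\ and \SystemRoot\
    # prefixes, %SystemRoot%, bare "system32\x.sys", quoted paths, trailing
    # arguments, and bare DLL names that resolve against System32.
    $s = $Image.Trim()
    $s = $s -replace '^\\\?\?\\', ''
    $s = $s -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $s = $s -replace '^system32\\', "$env:SystemRoot\System32\"
    $s = [Environment]::ExpandEnvironmentVariables($s)
    if ($s -match '^"([^"]+)"') { $s = $Matches[1] } elseif ($s -match '^(\S+)') { $s = $Matches[1] }
    if (-not [IO.Path]::IsPathRooted($s)) { $s = Join-Path "$env:SystemRoot\System32" $s }
    return $s
}

function Find-UnverifiedAutostart {
    Get-DeepAutostart | ForEach-Object {
        $path = Resolve-AutostartImage $_.Image
        if (Test-Path -LiteralPath $path) {
            # Embedded signatures only: catalog-signed Windows files may show
            # NotSigned here, so treat the output as "inspect", not "malicious".
            $status = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        } else {
            $status = 'File not found'   # dangling entry, or a path this resolver cannot parse
        }
        $_ | Add-Member -NotePropertyName Path -NotePropertyValue $path -PassThru |
             Add-Member -NotePropertyName Signature -NotePropertyValue $status -PassThru
    } | Where-Object { $_.Signature -ne 'Valid' }
}

Find-UnverifiedAutostart | Sort-Object Tab, Entry | Format-Table Tab, Entry, Signature, Path -AutoSize
```

Expect a long list the first time, most of it catalog-signed Windows components; the entries to chase are a Debugger value on a program you did not set up for debugging, an AppInit, Winlogon or LSA DLL that lives outside System32, and any "File not found" row, which is either leftover from an uninstall or a path written in a form the resolver above does not understand.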