
Thread: How To: Find out what automatically runs in Windows

  1. #1
    Join Date
    Oct 2006
    Location
    Newfoundland, Canada
    Posts
    84

    How To: Find out what automatically runs in Windows

    It is important to know what starts automatically when your computer turns on for several reasons.

    1. Performance:
    The fewer programs that start when your computer turns on, the faster your computer will boot. Typically every end user’s personal computer I have come across has upwards of 30 things starting up that are not needed. These things will run in the background and hog resources, inevitably making your computer slower.

    2. Security:
    Hardening:
    The fewer programs you have running, the more secure you are. Let’s say you have a program installed that you never use that runs in the background constantly. Now let’s say there’s a vulnerability for that program and people are actively exploiting it. You are being exposed to that threat for no reason. This is a huge concern for servers as hardening is one of the core principles of security.
    Malware:
    Malware is a program or piece of code that has malicious intent, whether it is tracking your web history or stealing all your passwords. Malware likes to run automatically when you boot up your computer so it can do its job. Malware has a lot of ways to start up as it does not have to care about being gentle or following common programming standards. Some malware is so difficult to remove that you have to flash your CMOS (BIOS) in order to get rid of it. Some malware will write itself to the boot sector of your hard drive so it starts even before your operating system. It can also use a method called ‘root kitting’ which hooks the kernel and runs hidden from the operating system. A lot of malware however does not implement these extreme measures, but some does, which is why I will never trust a machine after it has been infected once.

    3. Maintenance:
    It is good to see what is trying to start up when you turn on your computer as some programs may have left traces of themselves even after uninstalling. You may notice programs you never use anymore and there’s no need to have them starting up in the background.

    4. Troubleshooting:
    If there’s an error message popping up when you turn on your computer, chances are it is caused by a program that is automatically starting up when you boot into Windows or log in to your account.

    I have mentioned several methods that programs use to start up when you turn on your computer but I will be focusing on the tools immediately available with Windows. I will however mention tools that can detect these other methods.

    Method 1: ‘Startup’ Folder
    This is probably the easiest part to check. Every Windows operating system comes with a ‘Startup’ start menu item in ‘Program Files’.
    You can check this by going to ‘Start’ -> ‘All Programs’ -> ‘Startup’

    Items listed here are typically shortcuts. These programs will run once you log into your user account. These programs may be user specific or apply to every user who uses the machine. The definite method of checking is to browse to the following:

    Current User:
    Hold ‘Windows Key’ + ‘R’ or open the ‘Run’ prompt from the start menu and type:
    %HOMEPATH%\Start Menu\Programs\Startup

    Once you have entered the directory, you will be brought to the location on your hard drive where the ‘Startup’ start menu item for your account resides. Again, all items here besides ‘desktop.ini’, which is a Windows file that holds folder settings, will be run automatically.

    All Users:
    Hold ‘Windows Key’ + ‘R’ or open the ‘Run’ prompt from the start menu and type:
    %ALLUSERSPROFILE%\Start Menu\Programs\Startup

    Once you have entered the directory, you will be brought to the location on your hard drive where the ‘Startup’ start menu item for the global account resides. Again, all items here besides ‘desktop.ini’, which is a Windows file that holds folder settings, will be run automatically.

    The difference between the two locations is that anything in the ‘All Users’ Startup folder will apply to all accounts on the machine whereas ones in the ‘Current User’ are only specific to the account you are currently logged in as.

    Method 2: Services Microsoft Management Console (MMC)
    This MMC snap-in will show you all registered services on the operating system. Services listed here are the essential components of the Windows operating system so you must be careful of what you do. Typically malware doesn’t use this method of automatically starting up, but a lot of ‘bloatware’ such as programs that come prebundled with your computer are registered here. If you are unsure of a program listed here, just search on Google for the name to find out more about it and whether or not you need it.
    To access this snap-in, simply type ‘services.msc’ into the run prompt.

    Once the snap-in loads, you can sort them by ‘Startup Type’ by clicking the column heading. This will sort all the ‘Automatic’ services so you can see what automatically starts. Some have ‘Automatic (Delayed)’ which means they do not run immediately at boot but later in the boot process. If you wish to disable a service, right click and select ‘Properties’ or you can double click on the item. In this window, you can tell the service to ‘Start’, ‘Stop’, ‘Pause’, or ‘Resume’. You can also designate the ‘Startup type’ in this window. If the program is something you do not want starting up when your computer turns on, select the drop down and select ‘Disabled’, or ‘Manual’ if you are unsure whether it is needed. Some services here may refuse to stop because of dependencies of other services so you may need to close those as well.

    There is more information on the services management console here: http://en.wikipedia.org/wiki/Windows_service

    Method 3: Registry Hive
    The last common method of checking is checking the registry for items that start up automatically. Thankfully, there aren’t a lot of places in here that are triggered to automatically run. The registry is the same in terms of finding these paths between Windows XP and Windows 7. The only differentiation is whether or not you are running an x64 operating system. If you are running 64-bit, you will have to check an additional location.

    There is a global folder in the registry as well that automatically runs programs listed in it and there are also user specific folders residing in each user’s registry hive. A registry hive is a registry database pertaining to a specific user or the computer as a whole.

    First we will check what automatically runs on a global basis. To run the registry editor, go to the Run prompt and type ‘regedit’.

    Once the registry editor loads, you will see a pane on the left with the registry tree structure. You will want to expand ‘HKEY_LOCAL_MACHINE’. Then expand ‘SOFTWARE’, ‘Microsoft’, ‘Windows’, ‘CurrentVersion’, ‘Run’. You can also check the ‘RunOnce’ folder for items that will run once the next time you log in.

    All the keys listed to the right once you select the ‘Run’ folder are programs that run when you log into Windows. There is a name and there is a path to the program. If you are unsure of certain applications in here, either Google the name or the path of the program for more information. In order to remove a program, simply right click and click ‘Delete’ or press the delete key on your keyboard once the item is selected. You may also right click and select ‘Modify’ to be able to highlight and copy the information so you can search for it. You can also edit the paths here but it isn’t recommended.

    If you are running a 64-bit operating system, you will have to check an additional location. You will want to expand ‘HKEY_LOCAL_MACHINE’. Then expand ‘SOFTWARE’, ‘Wow6432Node’, ‘Microsoft’, ‘Windows’, ‘CurrentVersion’, ‘Run’. You can also check the ‘RunOnce’ folder for items that will run once the next time you log in.

    To check what runs automatically upon logging in on the current account, you must go to the following location. Expand the following: ‘HKEY_CURRENT_USER’, ‘SOFTWARE’, ‘Microsoft’, ‘Windows’, ‘CurrentVersion’, ‘Run’. You can also check the ‘RunOnce’ folder for items that will run once the next time you log in.

    There is more information on the registry editor here: http://support.microsoft.com/kb/136393

    Method 4: System Configuration Utility (msconfig)
    This is the easiest method that combines all the previous, but I saved it for last simply to teach you where the actual locations are and how to utilize certain tools. To access the System Configuration Utility, go to the Run prompt and type ‘msconfig’.

    If you go to the ‘Services’ tab, that lists everything in the ‘services.msc’ that we discussed earlier. The ‘Startup’ tab includes everything in the ‘Startup’ folders and the locations in the registry we also discussed earlier.

    There is more information about the System Configuration Utility here: http://support.microsoft.com/kb/310560

    Other Tools:
    Autoruns by Sysinternals:
    This tool is one of my favourites as it tells you everything that automatically starts when you boot Windows. It has a very comprehensive UI and covers almost everything.
    Available for download here: http://technet.microsoft.com/en-us/s...rnals/bb963902

    RootkitRevealer by Sysinternals:
    This tool aids in the detection of root kits that are installed on your system. I find it really useful as it is fairly extensive and quite a powerful tool.
    Available for download here: http://technet.microsoft.com/en-us/s...rnals/bb897445

    Malwarebytes:
    I personally love this antivirus and I use it frequently on any machine I have to work on if diagnosing a malware issue. It is free but it also has a paid version.
    Available for download here: http://www.malwarebytes.org/

    Online Antivirus/Diagnosis:
    Upload any file to these websites and they will use a wide range of virus scanners to see if the file is infected:
    http://virusscan.jotti.org/en
    http://www.virustotal.com/

    Want to test an unknown binary? Upload it to this website and it will run an analysis on it and tell you what the program does in terms of writing to the hard drive, registry, network activity, etc.
    http://anubis.iseclab.org/

    Credentials: CEH, CCSP
    Last edited by Gimpy666; 11-26-2011 at 07:37 PM.
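    A scripted pass over Methods 1 to 3 of the guide above, added here as an example; it is not part of the original post and not one of the tools it links. It assumes PowerShell 3.0 or later (for Get-ChildItem -File and Get-CimInstance) and resolves the two Startup folders through the .NET Environment class rather than the XP-era %HOMEPATH% paths the post quotes, so it also works on Vista/7 and later where the Start Menu lives elsewhere. Run it in an elevated prompt to see the machine-wide entries; HKCU and the per-user Startup folder are read for whichever account runs it.

```powershell
# Added example (not from the original post): list every autostart entry the
# guide checks by hand (Startup folders, Run/RunOnce keys including the
# Wow6432Node view on x64, and services set to Automatic) in one table.
# Assumes PowerShell 3.0+; paths come from [Environment]::GetFolderPath.

$results = New-Object System.Collections.Generic.List[object]

function Add-Entry {
    param([string]$Source, [string]$Name, [string]$Command)
    $results.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# Method 1: the per-user and all-users Startup folders
$startupFolders = @{
    'Startup (Current User)' = [Environment]::GetFolderPath('Startup')
    'Startup (All Users)'    = [Environment]::GetFolderPath('CommonStartup')
}
foreach ($label in $startupFolders.Keys) {
    $path = $startupFolders[$label]
    if (Test-Path $path) {
        # desktop.ini only holds folder settings, as the post notes, so skip it
        Get-ChildItem -Path $path -File | Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object { Add-Entry $label $_.Name $_.FullName }
    }
}

# Method 3: Run / RunOnce keys (machine-wide, 32-bit view on x64, current user).
# Keys that do not exist (e.g. Wow6432Node on a 32-bit OS) are simply skipped.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            # Each value is "name = command line", exactly what regedit shows
            Add-Entry $key $valueName ($item.GetValue($valueName))
        }
    }
}

# Method 2: services whose startup type is Automatic. Delayed-start services
# also report StartMode 'Auto', so they are included here.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object { Add-Entry 'Service (Automatic)' $_.Name $_.PathName }

# One table for everything the guide's first three methods cover
$results | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

    Replacing the final Format-Table with `Export-Csv -Path baseline.csv -NoTypeInformation` on a known-clean machine, then running the script again later and diffing the two files with Compare-Object, turns the guide's one-off inspection into a repeatable check for new entries; anything that shows up in the Run keys or Startup folders with an unfamiliar name or a path under a user-writable directory is worth the Google search the post recommends.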

  2. #2
    Join Date
    Jan 2010
    Posts
    5,227

    Looks like a solid guide. Nice work.

  3. #3
    Join Date
    Oct 2006
    Location
    Newfoundland, Canada
    Posts
    84

    Quote Originally Posted by i luffs yeww:
    Looks like a solid guide. Nice work.
    Just following these steps can actually make a slow computer fairly fast again, given that you defragmented the hard drive, updated applicable drivers, etc.

    Nothing compares to a full wipe of a machine though and starting from scratch or an image of when it was first created.
