
Windows 7 Tips & Tricks

Autoruns : Managing Startup Programs, Files & Objects

The program I'm highlighting here is Autoruns by Sysinternals. The program is free. It can be used for removing unwanted start-up programs, identifying malware, revealing missing system files and much more.

After downloading Sysinternals' Autoruns from the link above, extract it: (right-click) the zip >>> Extract All >>> Extract. If the contents of the Autoruns folder are examined, there'll be two executables in it: "Autoruns.exe", the Windows (GUI) executable, & "Autorunsc.exe", the Command-Line executable.

I usually move such programs (programs without an installer & from a trusted publisher) to the "C:\Program Files" folder. Then I make a shortcut to the desired executable(s). In this case only the Windows executable "Autoruns.exe" is worth a shortcut; the Command-Line executable is run from a Command Prompt. To do this: (right-click) the "Autoruns" folder >>> Cut >>> go to the "C:\Program Files" folder >>> (right-click) it >>> Paste. Now go to the "C:\Program Files\Autoruns" folder >>> (right-click) the executable "Autoruns.exe" >>> Send To >>> Desktop (create shortcut). (right-click) the newly created shortcut >>> Rename (anything you'd like).

I'm a neat-freak, so I move the shortcut to an appropriate folder in the Start Menu: (right-click & hold) the shortcut >>> (drag & hover) over the Start button >>> (drag & hover) over All Programs >>> (drag & hover) over the chosen menu folder >>> (release) >>> (select) Move Here. Now the Autoruns program will be easily accessible for later use.

Start the program by (right-clicking) the shortcut >>> Run as Administrator. When Autoruns starts it will seem a little intimidating. *READ THE HELP FILE* It will be necessary to size the columns to better see the entry descriptions: (click & hold) the separator(s) >>> (drag & size) each column. Become familiar with the program menu. Go to "Options" >>> Font >>> (re-size) font to 10 & (select) Bold (…just for more ease of use). Then go to "Options" >>> Filter Options >>> (select) Verify Code Signatures.
This will mark every entry as either "Verified" or "Not Verified" according to its code signature. "Not Verified" is just that. It doesn't necessarily mean the entry is bad; usually it's just non-Microsoft software that hasn't gone through the code-signing verification process.

Colour key: Pink = "Not Verified", White = "Verified", Yellow = "File Not Found", Purple = "Location" (where the entry lives, be it a Registry key or a folder).

Entries are per-user. To change user accounts, go to Users >>> (select) the desired account.

Let's look at the first entry, "rdpclip". (right-click) the entry >>> (select) Jump to Entry. This will take us to this entry's location in the Registry. To better understand what this entry is, (right-click) the entry >>> (select) Search Online. Research the entry & determine whether it can be safely deleted or whether it needs to be replaced from a backup. A very good idea of what each entry is can be gathered from its Publisher & Image Path.

Before changing any entry, go to File >>> Save. This saves a backup file, "AutoRuns.arn", that you can restore from later.

The next entries, highlighted in yellow (file not found), are left-overs from a recent uninstall, meaning I know they are safe to delete. To delete an entry, (click) the entry >>> Entry >>> Delete. It's also possible to (right-click) the entry >>> (select) Delete.

The next entry has no Description or Publisher listed because the file is missing. So I'll (right-click) the entry >>> Jump to Entry, taking me to the Registry, where more information can be found. It tells me it's the driver for the "Virtual Machine Monitor". Since no virtual machine software is installed on this computer, it's safe to leave the entry alone, delete it or disable it. The next two entries are more left-overs from another program that has been uninstalled.

You can have Autoruns show only 3rd-party software entries by going to Options >>> Filter Options >>> (select) Hide Microsoft Entries. This will hide all Microsoft-signed entries.
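To show what the "Verify Code Signatures" view and the colour key above actually mean, here is an added PowerShell example (not code from the page or from Sysinternals) that applies the same three labels, "Verified", "Not Verified" and "File Not Found", to the classic Run/RunOnce registry keys only. Autoruns covers many more locations; the key list, the launch-string parsing and the PowerShell 3.0-or-later requirement are my assumptions.

```powershell
# Added example (not from the page or Sysinternals): classify the Run/RunOnce
# autostart entries the way Autoruns' "Verify Code Signatures" view does.
# Covers only these keys, not the other Autoruns tabs. Assumes PowerShell 3.0+.

function Get-ImagePathFromLaunchString {
    param([string]$LaunchString)
    # Pull the executable out of a launch string such as
    #   "C:\Program Files\Foo\foo.exe" /background   or   C:\foo\bar.exe -x
    $s = [Environment]::ExpandEnvironmentVariables($LaunchString.Trim())
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 1) { $image = $s.Substring(1, $end - 1) } else { $image = $s.Trim('"') }
    } else {
        # Unquoted: the path ends at the first ".exe" if there is one, else at the first space.
        $m = [regex]::Match($s, '^(.*?\.exe)', 'IgnoreCase')
        if ($m.Success) { $image = $m.Groups[1].Value } else { $image = ($s -split ' ')[0] }
    }
    # Bare names such as rundll32.exe are resolved through PATH, as Autoruns does.
    if (-not [IO.Path]::IsPathRooted($image)) {
        $cmd = Get-Command $image -ErrorAction SilentlyContinue
        if ($cmd -and $cmd.Path) { $image = $cmd.Path }
    }
    return $image
}

function Get-RunKeyEntry {
    # One object per value under the Run/RunOnce keys of HKLM and HKCU,
    # carrying the status label that decides the row colour in Autoruns.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the (Default) value
            # Read REG_EXPAND_SZ values unexpanded; we expand them ourselves above.
            $launch = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $image  = Get-ImagePathFromLaunchString $launch
            if (-not (Test-Path -LiteralPath $image -PathType Leaf)) {
                $status = 'File Not Found'   # yellow in Autoruns
                $signer = ''
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $image
                if ($sig.Status -eq 'Valid') {
                    $status = 'Verified'       # white
                    $signer = $sig.SignerCertificate.Subject
                } else {
                    $status = 'Not Verified'   # pink; the Status value says why
                    $signer = $sig.Status.ToString()
                }
            }
            [pscustomobject]@{
                Location     = $key
                Entry        = $name
                Status       = $status
                Signer       = $signer
                ImagePath    = $image
                LaunchString = $launch
            }
        }
    }
}

# Usage: list everything, then only the rows that deserve a closer look.
# Run from an elevated PowerShell prompt so the HKLM keys are fully readable.
$entries = Get-RunKeyEntry
$entries | Format-Table Status, Entry, Signer, ImagePath -AutoSize
$entries | Where-Object { $_.Status -ne 'Verified' } |
    Format-Table Status, Entry, Location, LaunchString -AutoSize
```

As in Autoruns, a "Not Verified" row is a prompt to research the entry (Publisher, Image Path, Search Online), not proof of anything bad, and a "File Not Found" row is usually an uninstall left-over.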
Autoruns also breaks start-up entries into categories (tabs). Some tabs will only populate if "Hide Windows Entries" in Options is (deselected). These are Boot Execute, KnownDLLs, Winlogon, Winsock Providers, Print Monitors, Sidebar Gadgets, Network Providers and LSA Providers.

Remember those two entries left way back at the start of this video, "rdpclip" & "vmm"? If I wanted to test the system without them, but not delete them, I'd simply (de-select) both entries and Autoruns will disable them. To re-enable them, start Autoruns >>> (select) the entries >>> Close.

To use the Command-Line executable, "autorunsc.exe": (right-click) the Command Prompt >>> Run as Administrator. (Type-in) cd "C:\Program Files\Autoruns" >>> Enter. This will change directories to the folder where I moved the Autoruns executables. For a list of switches, at the Command Prompt (type-in) "autorunsc /?" >>> Enter. Example: "autorunsc -b" >>> Enter will list the "Boot Execute" entries set to run at start-up for the current user.
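The command-line executable is most useful when its output is captured and filtered, which is what this added PowerShell example does; it is not code from the page or from Sysinternals. It assumes the current (v13 and later) autorunsc switch syntax, where the category is chosen with -a (so the post's "-b" becomes "-a b", and "-a *" means all categories), -c writes CSV, -s verifies signatures and -m hides Microsoft entries, and it assumes the CSV column names shown in the constructed sample; check "autorunsc /?" on your copy if either differs. The sample rows are constructed so the filter can be run offline.

```powershell
# Added example (not from the page or Sysinternals): keep only the autorunsc
# rows Autoruns would colour pink (not verified) or yellow (file not found).
# Assumed: v13+ switches (-a, -c, -s, -m) and the CSV headers in $sample.

function Select-SuspectAutorun {
    param([Parameter(Mandatory=$true)][string[]]$CsvLines)
    $rows = $CsvLines | ConvertFrom-Csv
    foreach ($r in $rows) {
        # Assumption: autorunsc writes "File not found: <path>" in the Image Path
        # column for missing files and prefixes signed files with "(Verified)".
        $missing    = $r.'Image Path' -like 'File not found:*'
        $unverified = -not ($r.Signer -like '(Verified)*')
        if ($missing -or $unverified) {
            [pscustomobject]@{
                Flag      = if ($missing) { 'File Not Found' } else { 'Not Verified' }
                Entry     = $r.Entry
                Category  = $r.Category
                Location  = $r.'Entry Location'
                ImagePath = $r.'Image Path'
                Signer    = $r.Signer
            }
        }
    }
}

# Constructed sample of "autorunsc -c -s" output (three rows modelled on the
# post's rdpclip and vmm entries plus an unsigned third-party updater).
$sample = @'
"Time","Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Company","Image Path","Version","Launch String"
"1/1/2012 9:00 AM","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","rdpclip","enabled","Logon","System-wide","RDP Clipboard Monitor","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\rdpclip.exe","6.1.7600.16385","rdpclip"
"1/1/2012 9:00 AM","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ExampleUpdater","enabled","Logon","System-wide","Example Updater","(Not verified) Example Corp","Example Corp","c:\program files\example\updater.exe","1.0.0.0","""C:\Program Files\Example\updater.exe"" /silent"
"1/1/2012 9:00 AM","HKLM\SYSTEM\CurrentControlSet\Services","vmm","enabled","Drivers","System-wide","","","","File not found: C:\Windows\system32\drivers\vmm.sys","","C:\Windows\system32\drivers\vmm.sys"
'@ -split "`r?`n"

# Offline run against the constructed sample: flags ExampleUpdater and vmm, not rdpclip.
Select-SuspectAutorun -CsvLines $sample | Format-Table -AutoSize

# Live run from an elevated prompt; the path is where the post moved the tool.
# $live = & 'C:\Program Files\Autoruns\autorunsc.exe' -accepteula -nobanner -a * -c -s -m
# Select-SuspectAutorun -CsvLines $live | Format-Table -AutoSize
```

Saving the full CSV alongside the AutoRuns.arn backup gives you a text record of the start-up state that can be diffed against a later run, which is the simplest way to notice a new or changed autostart entry after the fact.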
