This mini-tutorial is designed to give you a short introduction to Windows startup programs and how to use the Windows Startup Program Database to determine whether these programs should be allowed to start up on your computer.
Introduction
For a program to work it must be started. Programs are started in three ways. The first is when you start it yourself by launching it. The second is when one program starts another program. The third is when a program is configured to start automatically when the operating system boots up. Programs started the third way are what we call Windows Startup Programs, and they are the type of program that the Startup Database focuses on.
The reason we are concerned with automatic startup programs is that they consume resources on your computer. To optimize your machine for peak performance, we want only the programs that are necessary to be allowed to run, and to disable the rest. Unfortunately, there are many different ways for a program to launch automatically when Windows starts. Luckily, there are programs that cut through this confusion and show the various programs that start automatically when Windows boots. The program we recommend for this, because it's free and detailed, is Autoruns from Sysinternals.
When you run this program it will list all the various programs that start when your computer is booted into Windows. The majority of these programs are safe and should be left alone unless you know what you are doing or know you do not need them to run at startup.
At this point, you should download Autoruns and try it out. Just run Autoruns.exe and look at all the programs that start automatically. If you are using Windows Vista, 7, or 8 you should run Autoruns as an Administrator so that it works properly. Once it's loaded, don't uncheck or delete anything at this point. Just examine the information to get an overview of the number of programs that are starting automatically. When you feel comfortable with what you are seeing, move on to the next section.
How the Startup Database is laid out
The Windows Startup Database is a listing of various startup programs with associated information about them. With each entry we provide what we know about the program, such as its startup name as it appears in the registry and in various autorun listing programs, its location, the filename, how it is started, the file's description, and whether or not it should be allowed to run.
For each program there is a status key that describes how we recommend the program should be allowed to operate. This status key is broken down as follows:
? - Unsure as to whether it needs to run or not, but not malware.
N - Not necessary to run as it can be started as needed.
U - It's up to the user. It's not necessary to run for the computer to work, but may be important enough to have running for some users.
Y - Yes, this program is necessary to run in order for the computer or a program to operate correctly.
X - This is considered malware or undesirable to have on the machine as it can cause problems.
Now that you have an understanding of how the Startup Database is laid out, let's move on to how to look up the startup programs on your computer in the database.
Understanding the output of Autoruns and applying it to the Startup Database
When you run Autoruns it will list all the known automatic startup locations and the programs that are loading via them. Below is an image where we have numbered 3 startup entries that I have on my machine and which are being loaded via the following registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
I will show you how to interpret that information and then search for it in the database to determine if these programs are valid and should be allowed to run.
As you can see from the image, we have numbered 3 different programs that are automatically starting up. Let's start breaking down the various entries and how they can be searched for in the database.
The first entry labeled number 1 would be broken down as:
Name: AVG7_CC
Filename: avgcc.exe
Location: c:\program files\grisoft\avg free\avgcc.exe
Now by going to the Startup Database and entering a search for AVG7_CC or avgcc.exe, I see that it returns the following entry:
http://www.bleepingcomputer.com/startups/AVGCC.exe-459.html
This entry tells me that this file is the AVG 7.0 Control Center and since it has a status of Y it should be allowed to run. I know I have AVG installed so I will therefore leave this program alone.
The second entry labeled number 2 would be broken down as:
Name: AVG7_EMC
Filename: avgemc.exe
Location: c:\program files\grisoft\avg free\avgemc.exe
When I search for this file in the database, it has this entry as a result:
http://www.bleepingcomputer.com/startups/AVG7_EMC-460.html
This entry tells me that this file is the AVG Anti-Virus 7.0 Email Cleaner and that it scans incoming and outgoing email for viruses. It also gives it a status of Y, which means it is necessary to run. Since I agree, as no one wants viruses in their email, I leave this entry alone.
The third entry labeled number 3 would be broken down as:
Name: nwiz
Filename: nwiz.exe
Location: c:\windows\system32\nwiz.exe
This time when I search for the filename, I run into a problem. This particular file has two entries: one saying that it's part of an Nvidia display driver and the other saying it is a worm. It would be easy to panic here, but let's take a closer look at the resulting entries:
http://www.bleepingcomputer.com/startups/nwiz.exe-3752.html
http://www.bleepingcomputer.com/startups/nwiz.exe-3838.html
Yes, both entries have the same filename, but their names are different. The worm has a name of Norton Wizzard and the Nvidia one has a name of nwiz. Since I know that Autoruns reported this entry's name as nwiz, I know that it is not the worm, but rather the legitimate file. The entry does, though, say that this program is not necessary to start, so I want to disable it.
Instructions on how to disable the entry are in the next section.
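The breakdown and two-field search walked through above, as an added PowerShell example that is not part of the original tutorial: it reads the same Run key, splits each value into Name, Filename and Location, and matches on filename and name together. The `$database` table is a constructed excerpt holding only the entries quoted on this page (the N and X statuses for the two nwiz.exe rows are read off the status key from the page's descriptions), and `Get-StartupPath` is a hypothetical helper.

```powershell
# Added example, not from the tutorial. Run in PowerShell on Windows.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Constructed excerpt: only the names, filenames and status letters quoted
# in this tutorial. It is not an export of the real database.
$database = @(
    [pscustomobject]@{ Name = 'AVG7_CC';        Filename = 'avgcc.exe';  Status = 'Y' }
    [pscustomobject]@{ Name = 'AVG7_EMC';       Filename = 'avgemc.exe'; Status = 'Y' }
    [pscustomobject]@{ Name = 'nwiz';           Filename = 'nwiz.exe';   Status = 'N' }
    [pscustomobject]@{ Name = 'Norton Wizzard'; Filename = 'nwiz.exe';   Status = 'X' }
)

function Get-StartupPath {
    # Hypothetical helper: a Run value is a command line, so strip the
    # quotes and any arguments to leave just the program path.
    param([string]$Command)
    $text = $Command.Trim()
    if ($text -match '^"([^"]+)"') { return $Matches[1] }
    if ($text -match '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { return $Matches[1] }
    return ($text -split '\s+')[0]
}

$key = Get-Item -Path $runKey
foreach ($name in $key.GetValueNames()) {
    $path     = Get-StartupPath ([string]$key.GetValue($name))
    $filename = [IO.Path]::GetFileName($path)

    # Search by filename first, then narrow by the startup name.
    $sameFile = @($database | Where-Object { $_.Filename -eq $filename })
    $exact    = @($sameFile | Where-Object { $_.Name -eq $name })

    if ($exact.Count -eq 1) {
        $status = $exact[0].Status
    } elseif ($sameFile.Count -gt 0) {
        # Same filename, different name: the nwiz.exe situation. Do not
        # borrow a status from an entry whose name does not match.
        $status = 'name mismatch: ' + (($sameFile.Name) -join ', ')
    } else {
        $status = 'not in excerpt'
    }

    [pscustomobject]@{
        Name = $name; Filename = $filename; Location = $path; Status = $status
    }
}
```

Entries reported as "not in excerpt" still need to be searched for in the Startup Database itself, since the table here covers only the three programs discussed above.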
How to disable a startup entry
If you run into a startup entry like Nwiz above that is recommended to be disabled, or you find a piece of malware and want to remove its startup entry, you simply need to uncheck the checkbox in Autoruns next to that entry's name.
For example, with the Nwiz example above, since the database stated it is not necessary to run, I would simply remove the check next to that entry and close the program. The next time I reboot, that program will no longer start up automatically.
Conclusion
Now that you know how to use the Windows Startup Program Database, go download Autoruns and get started optimizing your computer.
For more information and answers to commonly asked questions on this site visit the New User Orientation Center.
Edited by Grinler, 01 July 2024 - 01:35 PM.