Windows Startup, Startup Manager, Startup Programs

Startup Manager

The Startup Manager window contains the following items:

  • Programs that run on Windows startup or on user login.
  • Non-Microsoft services that run on Windows startup.
  • Internet Explorer extensions: browser helper objects, toolbars, menu items.

Hint: Disable or delete startup programs that you don't need, and your PC will run much faster.


What are Startup entries
Startup entries are programs (exe or dll) that are launched by Windows automatically.

What is enable, disable and delete
If a startup entry is enabled, it will be launched.
If a startup entry is disabled, it will not be launched, but you can enable it later. Disabling is the same as placing the entry in Quarantine.
If you delete a startup entry, you will not be able to enable or restore it later.

Which startup entries should be disabled
You should disable a startup entry if you don't want it to be launched,
e.g. because you suspect it's a virus or it's an annoying program.
Attention: If you disable a Windows component by mistake, you may break Windows and it will not start next time.

Columns in Startup Manager

  • Check mark – If the item is disabled, the check mark is cleared.
  • Name – Name of the registry section or of the startup program file. If the item is unchecked, it will not be launched on startup.
  • Value – Command line: path to the startup program's executable file and its parameters.
  • Product – Description of the startup program provided by the file vendor.
  • Security Risk – Overall security risk for this startup program. 'No risk': reliable program. 'Low'/'Medium': pay attention, check it on VirusTotal. 'High': remove this item. To change the security risk to your own assessment, click 'Change Security Rating, Add Comment...' in the context menu and add your comment to this item.
  • Company – Product vendor.
  • Startup location – Where the startup program was loaded from.
  • When Added to Startup – When the startup program was first detected. Startup programs detected in the last week are marked.
  • State – Whether the corresponding process is running.
  • Status – Enabled items run on Windows startup. Disabled startup programs do not run on Windows startup.
  • Delayed Startup – Use Delayed Startup to speed up your computer's startup process. Delayed startup programs are started 1 minute (the delay time can be customized) after Windows is loaded, so you can start using the computer without waiting for Windows to load all startup programs. To move a startup program to the delayed startup list, select "Move to Delayed Startup List" in the context menu on the Startup page.

 

 

Menu commands in Startup Manager

 

File

Save HijackThisPro Log... – Save information about the system to a file in HijackThis format

Save Startup Report as Html... – Save the list of startup programs to an HTML file

Export Startup to File... – Save the list of startup programs to a reg file

Import Registry File... – Import data from a reg file into the system registry

Exit – Exit the program

 

Startup

Detailed Info (Double Click) – Show/hide the detailed info window

Change Security Rating, Add Comment... – Change the security rating of a file and add a user comment to the file

File Properties (Alt+Enter) – Show the target file's properties

System Menu (Shift+Right Click) – Show the system context menu

 

Navigate

Show File In Explorer – Open Explorer and select the file that runs on startup

Switch To Process – Open the Process window and select the process of the startup program

Open Entry Location in Registry – Open Registry Editor and select the startup program

Open Entry Location in Services Manager – Open Services Manager

Open Entry Location in Explorer – Open Explorer and select the file that is located in the startup location

Switch to Service – Open the Services window and select the service of the startup program

 

Run Now – Run the startup program

Stop Process – Stop the process of the startup program

Edit Delayed Startup Program – Edit the startup delay time or restore the program from the Delayed Startup List

Move to Delayed Startup List – Move the startup program to the Delayed Startup List

Disable (Quarantine) – Prevent the startup program from running on Windows startup

Enable – Allow a disabled startup program to run on Windows startup again

 

Startup Position of Window

Run on Startup as Floating Icon – Create a floating icon for the application's window after it is loaded on startup

Run on Startup as Icon in System Tray – Hide the application's window to the system tray after it is loaded on startup

 

Edit

Delete Entry (Del) – Delete the record from the Windows startup list

Edit Entry... – Change name, path or parameters

Add Entry... – Add a new program to startup

 

Check with AntiViruses on VirusTotal – Check the file with 30 antivirus engines on VirusTotal.com

 

Search in Web

Google – Search for information about the startup program on Google

Google News – Search for information about the startup program on Google News

 

Text Operations

Copy to Clipboard – Copy full information about the startup program to the clipboard

Copy Path – Copy the path of the startup program file to the clipboard

Find... (Ctrl+F) – Find text in the window

Find Next (F3) – Find the next occurrence of the text in the window

 

Refresh (F5) – Refresh data in the window

 

View

Columns – Select columns to show/hide in the window

Toolbar – Show/hide the toolbar

Grid – Show/hide grids in all windows

Status Bar – Show/hide the status bar

Detailed Info – Show/hide the detailed info window

 

Text Colors

Security Risk Rate [red/yellow/green] – Enable/disable the colors of the security analysis

Hide Microsoft Programs [grey] – Show Microsoft programs in grey text

Mark New Startup Entries [bold] – Mark new startup programs in bold

Mark Running Programs [blue] – Mark running startup programs in blue text

 

 

Windows Startup

Registry keys and folders that are monitored for programs that Windows runs automatically:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
%SystemDrive%\Documents and Settings\<username>\Start Menu\Programs\Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Common Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Common AltStartup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Common Startup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Common AltStartup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, AltStartup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, AltStartup

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions
HKCU\Software\Microsoft\Internet Explorer\Extensions
HKCU\SOFTWARE\Microsoft\Internet Explorer\MenuExt
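
The following Python sketch is an added example, not code from the original page or the product. It compares two registry exports and reports values under the Run-family keys listed above that are new or changed since a baseline, the same idea as the "When Added to Startup" column. It assumes standard regedit-format text that has already been decoded to a string; the sample exports and value names are constructed.

```python
import re

# Run-family keys from the "Windows Startup" list above, lower-cased for matching.
_CV = r"\software\microsoft\windows\currentversion" + "\\"
MONITORED = {hive + _CV + name for hive, name in [
    ("hklm", "run"), ("hkcu", "run"), ("hklm", "runonce"), ("hklm", "runonceex"),
    ("hkcu", "runonce"), ("hklm", "runservices"), ("hklm", "runservicesonce"),
    ("hkcu", "runservices")]}
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
# "name"="data" lines only; "@" defaults and hex(2): values are skipped (limitation).
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def norm_key(key):
    """Abbreviate the hive and lower-case the path (registry paths ignore case)."""
    hive, _, rest = key.partition("\\")
    return (HIVES.get(hive.upper(), hive) + "\\" + rest).lower()

def unescape(s):
    # Undo .reg escaping of backslashes and double quotes.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {(key, value_name): command} for string values under monitored keys."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = norm_key(line[1:-1])
        elif key in MONITORED:
            m = VALUE_RE.match(line)
            if m:
                entries[(key, unescape(m.group(1)))] = unescape(m.group(2))
    return entries

def diff_autoruns(baseline, current):
    """Entries that are new, or whose command line changed, since the baseline."""
    old, new = parse_reg(baseline), parse_reg(current)
    return {k: v for k, v in new.items() if old.get(k) != v}

# Constructed sample exports (hypothetical value names and paths).
BASELINE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
'''
CURRENT = BASELINE + r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\Public\\upd.exe\" /silent"
[HKEY_CURRENT_USER\Software\Example]
"Ignored"="not an autostart key"
'''
print(diff_autoruns(BASELINE, CURRENT))
```

Real exports written by regedit are usually UTF-16LE, so decode the file before passing its text to `parse_reg`.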

Extended Startup

User Logon
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\AlternateShell
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\IconServiceLib
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows\CurrentVersion\policies\system\Shell
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\Stubpath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnConnect
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows CE Services\AutoStartOnDisconnect

Explorer Extensions
HKEY_MACHINE_AND_USER\Software\Classes\Protocols\Filter
HKEY_MACHINE_AND_USER\Software\Classes\Protocols\Handler
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\Source
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad     
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\*\ShellEx\PropertySheetHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\PropertySheetHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Directory\ShellEx\CopyHookHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Directory\ShellEx\DragDropHandlers     
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Directory\ShellEx\PropertySheetHandlers     
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Folder\ShellEx\ColumnHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Folder\ShellEx\DragDropHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Folder\ShellEx\ExtShellFolderViews
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Folder\ShellEx\PropertySheetHandlers     
HKEY_MACHINE_AND_USER\Software\Microsoft\Ctf\LangBarAddin
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

Explorer Context Menu
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\*\ShellEx\ContextMenuHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Directory\Background\ShellEx\ContextMenuHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Directory\ShellEx\ContextMenuHandlers
HKEY_MACHINE_AND_USER\Software\Wow6432Node\Classes\Folder\ShellEx\ContextMenuHandlers

Audio Video Codecs
HKEY_MACHINE_AND_USER\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
HKEY_MACHINE_AND_USER\Software\Classes\Filter
HKEY_MACHINE_AND_USER\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance
HKEY_MACHINE_AND_USER\Software\Classes\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance
HKEY_MACHINE_AND_USER\Software\Classes\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance
HKEY_MACHINE_AND_USER\Software\Classes\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance

Execute on Boot
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\BootExecute
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SetupExecute
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Execute
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\S0InitialCommand
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ServiceControlManagerExtension

Execution Hijacks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Debugger
HKEY_MACHINE_AND_USER\Software\Microsoft\Command Processor\Autorun  
HKEY_MACHINE_AND_USER\Software\Classes\exefile\Shell\Open\Command
HKEY_MACHINE_AND_USER\Software\Classes\comfile\Shell\Open\Command
HKEY_MACHINE_AND_USER\Software\Classes\batfile\Shell\Open\Command
HKEY_MACHINE_AND_USER\Software\Classes\piffile\Shell\Open\Command
HKEY_MACHINE_AND_USER\Software\Classes\cmdfile\Shell\Open\Command
HKEY_MACHINE_AND_USER\Software\Classes\.exe
HKEY_MACHINE_AND_USER\Software\Classes\.com
HKEY_MACHINE_AND_USER\Software\Classes\.bat
HKEY_MACHINE_AND_USER\Software\Classes\.pif
HKEY_MACHINE_AND_USER\Software\Classes\.cmd
HKEY_MACHINE_AND_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW\cmdline
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WOW\wowcmdline
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger

Application Initialization
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions\RemoteRpcDll

Known DLLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDlls

Winlogon Notifications
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ServiceControllerStart  
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LsaStart  
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL  
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman  
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost  
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\DllName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SaveDumpStart
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\PLAP Providers
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe
HKEY_CURRENT_USER\Control Panel\Desktop\Scrnsave.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\BITS\IGDSearcherDLL

Winsock Service Providers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries64

Print Drivers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Monitors\Driver

Local Security Authority
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SecurityProviders
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Authentication Packages
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Notification Packages
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Security Packages

Network Providers
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder