Every time Windows starts up, numerous third-party programs and processes start with it. Even a brand-new PC will invariably come with various vendor-specific apps and add-ons preinstalled. And as you use your computer and install the applications and tools you actually require, these too will drop startup items onto your PC, to the point where there might be literally dozens of programs firing up in the background before you’ve even logged in.
Is this a problem? Not to the extent it used to be. A modern computer with an SSD can launch a whole batch of programs at once with relatively little impact on performance, and in an age when even entry-level laptops have 8GB of RAM, you’d need an enormous number of startup items chugging away in the background to run out of memory.
This isn’t to say that startup items are a non-issue, however. Even if these little add-ons load smoothly, they are still consuming resources that you might not want to waste. More to the point, they can interfere with your user experience by inserting themselves into menus, cluttering your system tray or even causing resource conflicts and system errors. Even if a startup item isn’t doing any harm at all the bottom line is that you still have every right to know exactly what’s running on your own computer, and to decide whether or not it should be allowed to execute automatically.
Finding startup items
The simplest way to get an overview of all your startup items is to open the Windows 10 Settings app and navigate to Apps | Startup. This brings up an easy-to-read list of self-launching programs, along with the name of each one’s publisher and an estimate of its system impact. This estimate is determined by tracking each item’s CPU and disk usage during the startup process, and then categorising each item as follows:
High impact: Uses more than one second of CPU time or more than 3MB of disk I/O (input/output) at startup.
Medium impact: Uses 300 to 1,000ms of CPU time or between 300KB and 3MB of disk I/O.
Low impact: Uses less than 300ms of CPU time and less than 300KB of disk I/O.
There’s also a switch next to each item that lets you prevent it from running – which could make a real difference to the boot speed and overall responsiveness of your PC.
Before taking that step, though, you might want to unearth a bit more information about each item – and this is available via the Windows Task Manager. Open this up (either via the Start menu or by pressing Windows+Shift+Esc), click on the Start-up tab and you’ll again see a list of all the programs that run at boot time, along with each one’s impact and other information.
This is just a fraction of what the Task Manager can tell you, however. For starters, we suggest you right-click in the Task Manager’s column-heading area and enable the “CPU at start-up” and “Disk I/O at start-up” columns; this reveals the actual readings on which the impact assessments are based. You might find that two processes rated as “High impact” are in fact making vastly different demands on your processor and storage. In the upper-right of the window, you’ll also see a readout of how long it took your computer’s BIOS to initialise at the last boot: it may well be that tweaking some settings can reduce this time and get you to the desktop more quickly.
Another column that’s worth turning on is “Running now”. As you’d expect, this shows whether a startup item is currently running, so you can see at a glance which programs terminate once they’ve done their job, and which hang around in the background, consuming resources and potentially getting in your way.
Another reason why an item might not be running now is if you’ve disabled it, either in the Settings app or via the “Disable” button in the bottom-right corner of the Task Manager. The default “Status” column shows whether each startup item is enabled or disabled, and you can activate the “Disabled time” column to see precisely when each disabled item was turned off.
The last two columns we’d draw your attention to are “Command line” and “Start-up type”. The former shows you the full path to the program that’s launched when Windows starts – which could be useful if you don’t recognise something from its name and publisher. The latter shows either “Folder” if the item is being launched because there’s a shortcut to it in one of Windows’ Startup folders, or “Registry” if it’s specified by a Registry key.
Functionally, it makes no difference whether a startup item is launched from a folder or via the Registry – but if you want to explore these locations for yourself then naturally you’ll need to access them in different ways. Startup folders can be easily browsed using the File Explorer: if you’re the only person with an account on your computer, they’ll be located at these two paths:
The former of these contains shortcuts to programs that launch when you (personally) log on, while the latter contains items that apply to all users. Any additional user accounts on your system will also have their own Startup folders, within their own user directory. If you’ve disabled any items then the relevant shortcuts will be moved to a parallel folder in the same location called “STARTUP-”.
If navigating through all those folders seems like a drag, you can alternatively type “shell:startup” or “shell:common startup” into the address bar of an Explorer window to jump to the startup folder for the current user or all users respectively.
With Registry items, most third-party apps will be found in one of these two locations:
Just as with the Startup folders, the first location contains details of programs that should run when you log on, while the second contains startup items for everyone. If you’re browsing through the Registry, you’ll also see keys in the same locations called “RunOnce”: as you’d expect, these specify files that should be launched at the next startup, but not again after that – which is helpful for finishing up installation or uninstallation procedures.
Startup folders and Registry values are the most common ways of setting startup items, but there’s a third way. As we’ve discussed in a previous feature (see issue 301, p38), the Windows Task Scheduler can be set to launch applications and scripts whenever certain trigger events occur – and two of the available triggers are “at startup” and “at logon”.
If you want to create your own startup items, this is the route we’d recommend. The Task Scheduler’s step-by-step wizard makes the process almost foolproof, and offers all sorts of advanced controls that you don’t get with other methods, such as the ability to apply time and date restrictions, the option to skip execution if the computer is running on battery power or away from your home network, and an easy interface for managing the permissions that your app will launch with. It also provides a handy central console for managing your custom tasks and checking their execution history.
The catch is that startup tasks created in this way don’t appear in the Task Manager (nor the Windows 10 Settings app). This means they can easily slip under the radar when you’re troubleshooting – and that doesn’t just apply to your own tasks, but those created by third-party applications too. If you’re hunting high and low for something that seems to be running every time you start your computer, but can’t see it in the Task Manager’s Start-up pane, you may find that it’s been hidden here instead.
So far we’ve focused on applications that launch at startup, but software installers can also inject shell extensions, background services and other bits of code into your system. It can be very difficult to keep track of these because they’re defined in a large number of different Registry locations, and aren’t shown by Windows’ built-in startup-management tools.
To get a full picture of what’s running at startup, therefore, you need a more advanced tool – one that can scour your Registry and hard disk, and expose every component that isn’t part of a pristine, untampered-with Windows 10 installation. Fortunately, such a tool exists: it’s called Autoruns and is part of Microsoft’s Sysinternals library for administrators and power users. You can download it for free from pcpro.link/307autoruns.
Using Autoruns is simplicity itself. The tiny 1.6MB installation package arrives as a simple ZIP file (including 32-bit and 64-bit versions of both the main tool and the command-line Autorunsc variant); this can be unpacked to any destination you like, and you can launch the program by double-clicking on the appropriate executable file, which for most of us will be autoruns64.exe. You’ll be prompted to agree to a licence then confronted by the main Autoruns window, showing dozens (or quite possibly hundreds) of self-starting executables and extensions.
There’s no two ways about it, this list view is quite overwhelming – and in fact it represents only a fraction of the processes that run each time your computer starts up because it doesn’t include standard Windows components. If you want to view these as well, open the Options menu and untick “Hide Windows Entries”. Once you have seen just how huge this makes the list, you’ll probably want to tick it again.
While Autoruns presents you with a daunting quantity of data, it’s not too hard to understand. It helps a lot to know what the coloured stripes mean: the blue lines are simply dividers that indicate whereabouts in the Registry or file system the references that follow are located. The pink lines, meanwhile, highlight items that don’t have a valid publisher certificate (and if you look in the Publisher column you’ll see that their provenance is marked as “Not verified”). This doesn’t necessarily mean they’re untrustworthy, but if you’re trying to track down something dodgy, the red entries are a good place to start. Yellow lines indicate a broken reference, such as a Registry value that points to a file that’s no longer there: this isn’t a problem at all, as Windows just skips over such entries, but it may be useful to see what’s missing.
There’s a fourth colour that can appear too, though you won’t see it the first time you launch Autoruns. If you use the File | Save function to take a snapshot of all your startup items, you can later use the File | Compare function to check the current state of your system against that saved record; any entries that weren’t present in the older file will be in green. If you plan ahead, this feature makes it easy to keep track of new startup items as they arrive on your system.
The information Autoruns provides about each startup item is largely explained by the column headings at the top of the list. Similar to the Task Manager’s Start-up view, Autoruns shows the name and description of each item, the publisher, the path to the “image” – that is, the file or component that’s being launched – and a timestamp showing when that item was last modified (sadly, there’s no easy way to see when the reference was created or edited). You can click on any item to see some extra data in the bottom pane of the window, such as the file size and version.
The last column is headed “VirusTotal”, and if this is the first time you’ve used Autoruns its contents will be empty because the VirusTotal component is disabled by default. It’s worth turning on, though, as it adds a valuable extra level of insight into what’s on your system.
To enable it, simply open the Options menu, select Scan options, tick “Check VirusTotal.com” in the dialog that appears, then hit Rescan. You’ll be prompted to accept a user agreement, and then you’ll see the VirusTotal column quickly become populated with numbers like “0/66”. This means that the specific item has been checked against 66 different malware databases, and none of them has flagged it as dangerous. You can click on the rating to see exactly which databases were used: some big industry names are represented, including Bitdefender, Kaspersky and Symantec, so if an item gets a clean bill of health then you can be confident that it’s kosher. If the number of warnings is more than zero, the VirusTotal rating appears in red; again you can click on it to see what warnings were generated.
Unlike the Task Manager, Autoruns doesn’t have any extra columns to discover – all the information is on display from the off. You can, however, drag the dividers around to change the width of individual columns and make the list easier to read.
Once you’ve got the hang of the Autoruns interface, the biggest challenge is the sheer number of records to take in. Luckily, these can be broken down into more manageable chunks. Directly above the column headings, you’ll notice no fewer than 19 tabs representing different sorts of startup item – and the one that’s selected by default is “Everything”. Click on the “Logon” tab to the right of it and Autoruns will switch to showing only items that are set to launch when you log in. This will be of a much more manageable length, and most of the items should already be familiar.
If you do see something that you don’t recognise, Autoruns can help you out here as well: click on any item and hit Ctrl+M (or right-click and select “Search Online…”) to launch an instant web search for its filename. As with any search, there’s no guarantee that useful results will come back, but it should at least give you a clue what you’re dealing with.
Once you’ve got to grips with whatever’s shown on the Logon tab, the good news is that all the other tabs work in just the same way. The Explorer tab shows components that insert themselves into your contextual menus, add overlays to icons and so forth, while other tabs such as Scheduled Tasks and Services should be self-explanatory.
There are a few more tricks that can help you focus on what you’re looking for. Under the Options menu you’ll see a setting to “Hide Microsoft Entries”: this can be very helpful for tracking down third-party add-ons. There’s also a small text field labelled “Filter:” at the top of the window, which you can type into to view only items from your selected tab that contain a specific string in any field.
There’s just one last thing you’re probably wondering about, and that’s what to do about any unwanted startup items that Autoruns may reveal. The nuclear option is to click on any item and hit the Del key to remove it (or right-click and select Delete from the contextual menu). We don’t recommend doing this, though: it won’t delete the program itself, but it will permanently remove it as a startup item, and when you’re dealing with items buried deep in the Registry, this can have unpredictable consequences. A much safer way is to simply untick the box next to its name. This disables the item, but allows you to reactivate it at any time by simply reticking
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.