Elf Qrin's Cyber Lab

since 1999

Autostart programs in Windows
v2.0 r01Jan2001 fr04Aug2000
by Elf Qrin

Many programs, when installed, configure the system to make automatically start their useless and resources consuming preloads or archivers every time you boot up.

These are the ways to autolaunch a program in Windows, check them all and clean them up to have a more efficient system:

  1. Calling Windows as win filename.exe from autoexec.bat

  2. Including it in winstart.bat

  3. Using the commands LOAD=filename.exe or RUN=filename.exe in win.ini, under the [windows] section.

  4. Using the command Shell=Explorer.exe filename.exe in system.ini, under the [boot] section.

  5. Copying it or linking it in the directory C:\WINDOWS\Start Menu\Programs\StartUp. The actual name changes according to the language of Windows and it's stored in the Startup entry of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders.

  6. Launching it, from one of the following keys in the registry:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
      [the key must be recreated after every launch]
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
      [the key must be recreated after every launch]
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
      [the key must be recreated after every launch]
    • HKEY_CLASSES_ROOT\exefile\shell\open\command
      [instead of "%1" %* . This method is very unstandard and "dirty"]

Even if such autostart methods are clean, still programs can be launched in "stealth mode" (without making the user aware of it) using other Windows properties as triggers:

  1. The NeverShowExt entry in the registry key HKEY_LOCAL_MACHINE\Software\CLASSES\ShellScrap contains file extensions that are never shown even if you activated "show all extensions" in the Windows Folder Properties, so that if "exe" is included under such entry, a file could be named "picture.jpg.exe", and the system would show only "picture.jpg" even if it's actually an executable file (which will be executed double clicking on it).

  2. A program can also be launched exploiting the autolaunch feature of some common software, such as ICQ. In this specific case a file called "APP_NAME" could be launched creating the registry key HKEY_CURRENT_USER\Software\Mirabilis\ICQ\Agent\Apps\APP_NAME with the following entries Enable="Yes", Parameters="", Path="C:\PATH\APP_NAME.EXE", Startup="".

  3. Using the Registry Shell Spawning capability of Windows, a specified program can be launched each time a file with a certain extension is started, setting it in the (Default) entry of the registry key HKEY_CLASSES_ROOT\EXTENSIONfile\shell\open\command, for example if we want to launch filename.exe every time another exe file is opened we should change the (Default) entry in HKEY_CLASSES_ROOT\exefile\shell\open\command from the standard "%1" %* to filename.exe "%1" %*.
    If we want to apply this technique to files that aren't executables, such as HLP or MID, we should make filename.exe to invoke the actual file reader for that format (like C:\WINDOWS\winhlp32.exe %1 or "C:\Windows\mplayer2.exe" /Play "%L") in order to remain invisible to the user.

Of course, the "filename.exe" of the examples could be a file that invokes more executable files.

As a general rule, the only useful items are SystemTray "SysTray.exe", and drivers add-ons needed to make special hardware work properly, such as mice with two wheels and third button, or keyboards with special keys. They are generally located into HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. If you installed TweakUI there should also be Tweak UI "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices. Another thing you may keep is an antivirus (which slows down overall system performance, but it's extremely useful, especially if you are a newbie).
Everything else is almost always completely useless.
Also, check for duplicated entries: sometimes programs, even when actually useful, are launched in more than one way.

Note that RunOnce and similar keys are generally used to complete software installations at the next boot, such as when you get a message like "This installation requires to restart your system to be completed, you want to reboot now or later?"

If your system is clean, when you invoke the task monitor (CTRL+ALT+DEL) just after booting Windows, you should get only Explorer, SysTray, and the required drivers for special hardware (which doesn't include that useless tools installed together with most video card drivers).

Talking about having a "clean" system, the root directory is often full of useless files. These are the only files which *must* reside in the root directory in order to make the system work: AUTOEXEC.BAT, COMMAND.COM, CONFIG.SYS, IO.SYS (hidden), MSDOS.SYS (hidden). If you have a fixed size swap file there must be also WIN386.SWP. Norton Speed Disk creates a file called SD.INI (hidden) with your optimization preferences for such drive. Some devices, like certain video cards create further files which tipically have a .BIN extension.