• AUTORUNS – what to do with results

    #2321637

    I was asking about Autoruns results in a thread from Susan “Tasks for the Weekend” on Autoruns.  Posting here as a new topic, as requested:

    Please start a new thread and we’ll move your replies to it. Saves cluttering this one with specific problems. cheers, Paul

    Paul, can you move my replies? thanks.

    • #2321548

      I ran autoruns and see a lot of entries that are either yellow or red.  I checked on Bleeping computer startup DB, but didn’t find exact matches.  Also did internet search, but found nothing conclusive.  I could use some help.  What does it mean when an entry is yellow? Red?  Some yellow entries say ‘file not found.’  And some are red, but I think I know what they are (e.g. Intel).  I run MBAM premium & Defender (just ran a full scan yesterday) and

      There are things I don’t want – like Skype – can I delete that from autoruns? I don’t see it anywhere else.  Not in my startup on task mgr.  I took snips of each item and put in a word doc. Can I post that here or are there any security issues with posting such data online?  thanks.

    • #2321560

      I ran autoruns and see a lot of entries that are either yellow or red. I checked on Bleeping computer startup DB, but didn’t find exact matches. Also did internet search, but found nothing conclusive. I could use some help. What does it mean when an entry is yellow? Red? Some yellow entries say ‘file not found.’ And some are red

      This topic of how to interpret and use Autoruns is probably worthy of a thread of its own!

      But just running it can provide plenty of info about your PC and the programs that load at start-up. Be careful if you proceed to disable (by un-checking) any items. Read the brief “Help” file in the menu first.

      The yellow entries are generally “file not found”, yet there is still a startup entry somewhere on your PC for that. Generally harmless.

      If by red, you meant pink, those are generally unsigned. Checking those items with VirusTotal can generally verify them as harmless.

      As a rule, I never delete any entries, just uncheck them, and Autoruns will alter your start-up settings so that they do not startup. You can just check them again to revert the change.

      And NEVER mess with anything in the Windows folder, unless you really know what you are doing, and can recover your PC. I once rendered my system un-bootable by going there. You can use the options to hide Windows and Microsoft entries from view.

      Windows 10 Pro 22H2

      • This reply was modified 4 years, 4 months ago by JohnW.
      • This reply was modified 4 years, 4 months ago by Paul T.
      9 users thanked author for this post.
    • #2321562

      thanks, yes probably needs its own thread!  I am concerned about what I see, but that is bc I am ignorant of what they are.  You can always do more harm than good when you start deleting or stopping things when you don’t  know what they’re doing.

    • #2321563

      Oh and ANOTHER question!  I use VT all the time for URLs and files.  But how do I search on a process? e.g. c\windows\syswow64\wow64cpu.dll?  How do I do the search that autoruns does when it is working? This one is pink in autoruns.

      • #2324116

        Right-click is your friend.

        Group A (but Telemetry disabled Tasks and Registry)
        1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
        2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

    • #2321569

      I had a bunch of Windows Media Center files found, in yellow. I don’t use WMC. I unchecked all of them. The Image path was c\windows\ehome\…..

      I have a couple Intel files showing in pink. I think that’s ok, intel rapid storage and widi, ???

      Adobe type manager – yellow. I unchecked it.

      This I don’t know!  windows\syswow64 and system32\wowarmhw – a few variations all dll’s.  They did not come up on VT.  I could not find much online & bleeping comp DB does not have these exact files.   Autoruns is pink and they are in “System\CurrentControlSet\Control\Session Manager\Known Dlls”  I did some checking and they may be valid, but I don’t know for sure.  Anyone know what this is?

      Then there is BVTConsumer in yellow. No info.  Cannot find much about it online or in Bleeping Comp DB.

      2 Dell Command Power Manager files in pink.  I think they’re ok, but may not need them. I don’t know if I am using power manager.

      There is one unidentified file under Excel Addins.  It’s a bunch of characters – looks hexadecimal – in pink.  No idea what that is.

      Any help would be appreciated. thanks.

    • #2321603

      Oh and ANOTHER question! I use VT all the time for URLs and files. But how do I search on a process? e.g. c\windows\syswow64\wow64cpu.dll? How do I do the search that autoruns does when it is working? This one is pink in autoruns.

      Like I mentioned earlier, please don’t mess with Windows entries. Anything from Windows or Microsoft should get a pass in here. Focus on 3rd party stuff. For example, disabling entries in “C:\Windows\syswow64” is where I killed my system.

      I am replying here because this one is a high priority caution! But please do as PaulT suggested and start a separate troubleshooting thread for Autoruns…

      Windows 10 Pro 22H2

      2 users thanked author for this post.
    • #2321683

      If indeed autoruns still works or has been made to work again (MS deprecated it long ago), it just tells you what runs when Windows starts.  It’s a great utility.  One of the things that can be done with the results is disabling items you don’t want to start.  There’s a drop down disable setting.  Be sure to File>Save or nothing will change.   Be very sure you know what you’re doing, many if not most of those processes are needed to make Windows or programs work.

      For example, Nvidia used to add a ton of telemetry processes, some of which could be useful for gamers but for general use just got in the way and compromise privacy; autoruns was useful for disabling them.

      When computers were much less powerful than now, autoruns had good general value as long as you understood it.  I can recall disabling a dozen or so unneeded Windows along with program processes and seeing noticeable speed gains.  Today, maybe not so much.  It’s still useful as a diagnostic tool.

      1 user thanked author for this post.
    • #2321692

      I really don’t know what I am doing, need help with these – if anyone has any info:

      • Windows Media Center  yellow – I unchecked all of them. I don’t use WMC.  I assume this is ok? All files say not found.
      • Adobe Type Manager yellow – I unchecked it. It says it’s not found anyway.
      • wow64cpu, wowarmhw, xtajit, wow64win, wow64 all in c:\windows. Pink. Was cautioned not to touch those – windows needs them and I’ve left them alone.  But I could not find any info on what they are.
      • Epson Print port – pink. Not verified. I have an Epson printer, I assume it’s ok
      • BVTConsumer – yellow. File not found.  I saw a couple things on the internet with same info – but nothing on what is or what to do with it.  Can I disable it? Anyone know what it is?
      • Dell Power manager – 2 files. Pink.  I have a Dell. Assume they’re ok. but I have to find out if I even need power manager. I don’t think I am using it.
      • One file with only what appears to be a hexadecimal name (e.g. 77FE5583-8B45…..) in Office\Excel\Addins. I don’t know what that is.
      • #2321866

        A file search for the entire name, including extension, should return results. However, most results from a web search don’t tell a lot about the file and many are designed to make people worry they may have malware – these may have some vague malware information and advice to “click here to scan your computer”.  Don’t do it. If uncertain, use the virustotal website to scan your file. Even there, be wary. A score of 1 or 2 from 70 or so malware vendors is often nothing more than a false positive. In other words, don’t panic about a low non-zero score.

        File.net often gives advice whether removing an autorun is to be avoided.

        Processlibrary seems generally reliable; for example, click this link to see what it says about wow64cpu.dll. That’s not a lot of information but is enough to give a hint to not disable it.

        Neuber also gives fairly good information but you need to search for the term using advanced search methods. For example, to search for information relating to lsass.exe, search as follows

        “lsass.exe” site:.www.neuber.com

        Wikipedia contains some information

        Bleeping computers has startups information

         

        Because you can switch something off, doesn’t necessarily mean you should. If you use something regularly, why bother. When switching something off  the decision comes back to the wise advice given previously, “do you know what you are doing”.

        Group A (but Telemetry disabled Tasks and Registry)
        1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
        2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

        1 user thanked author for this post.
    • #2321710

      If by red, you meant pink, those are generally unsigned. Checking those items with VirusTotal can generally verify them as harmless.

      How do I do this? Every time I ran some file names, VT said not found.  I did that on the search page of VT.

      • #2322416

        You have to upload files for them to be checked, or have a file hash (SHA-256). FileAlyzer can generate those SHA-256 file hashes.

    • #2321846

      To answer the OP’s specific question – What to do with Autoruns results – I suggest:

      1. Double-click on the appropriate Autoruns executable.

      (Note: Do *not* right-click and select ‘Run as administrator’. In most cases you want Autoruns to report on the user account you normally log into Windows with. If you run it as ‘administrator’ then it will report different ‘per user’ settings. This is easily verified by saving an .ARN file whilst ‘Run as administrator’ then using File > Compare whilst run under the ‘ normal’ account.)

      2. From Autoruns’ File menu, select Save and leave the format as Autoruns’ default .ARN format.

      3. Zip the .ARN file and attach to a new post. (A typical .ARN file can be ~8MB or more. Neither the .ARN file format nor filesize can be attached directly to a post. Zipping the .ARN file will reduce it to ~250KB.) This will allow others to download and unzip the attachment then load the .ARN file into a local copy of Autoruns.

      (Note: The free 7-Zip‘s ‘Ultimate’ compression level produces much smaller Zip files than Windows’ built-in ‘Send to >  compressed (zipped) folder’.)

      Hope this helps…

       

      2 users thanked author for this post.
    • #2322326

      (Weird things started happening when I tried editing this post…am putting up a fresh one. Sorry for any unintentional spamming.)

      I’ve finished physical assembly of a new PC we’re building.

      (It’s probably just a teensy bit past time for us to be replacing the Windows 7 machine that I built in 2010.)

      At some point over the next couple days I should finish exploring the BIOS, and get around to installing Windows 10 (version 1909 is on a USB stick and ready to go). One of the articles I’ve looked at regarding clean install is this one: https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587. It recommends the following:

      One of the best things you can do to improve performance is to right click Start Button, choose Task Manager, on Startup tab Disable everything except Flash updater, Sync program, on-demand scanner, or a messenger you need running at all times.  None others are needed and only write themselves there to spy on you. Then type msconfig in Start Search, open System Config, on Services tab tick the box to Hide all MS Services, disable everything else there too.  Check back periodically to keep these lists as clean as possible.  If you have any questions about a listing, Google it to learn what it does or ask us.  For example, no wireless manager or extra software except Windows’ needs to be in between your PC and router.

      Is that advice just another way of doing what’s being discussed here with AUTORUNS? Also, does “disable everything else” seem too sweeping?

      ---
      Home machines: Windows 10 Pro (21H2), Windows 7 Home (Group B)
      Work machines: Windows 10 Enterprise (21H2)

    • #2322413

      That post is basically rubbish, as evidenced by “Disable everything except Flash updater”. Flash is long deceased and you should not even have it installed.

      A new PC with a standard W10 build is very fast and you don’t need to do anything to make it perform better.
      You can turn off most of the telemetry with something like ShutUp10 if you feel the need.

      When you install 1909, make sure you are disconnected from the internet to prevent Windows auto-updating you to 20H2. Also allows you to easily set up a local account.

      cheers, Paul

      p.s. I hope you have an M2 SSD in there. The single best speed improvement IMO.

      2 users thanked author for this post.
      • #2322480

        Thanks for the reply. The Flash bit is indeed out of date…but the article has seen some updating lately. (There is a heads-up about the need to disconnect from the Internet to create a local account, for instance.)

        I wasn’t sure which settings tool I wanted to use–have used Spydish before, which is now Privatezilla, but ShutUp10 looks good and may suit me better.

        I will try to restrain my instinct to min-max and customize hardware and OS and software past the point of insanity.

        (I suppose such behavior flows in part from being old enough to have cut my teeth working with 1980s machines, where it was possible to know exactly what was running and not running, and within what parameters, at all times…and even to be familiar with what every single file on a disk drive was for.)

        The new build does have an M2 SSD–just one of the reasons that speed improvements should be striking over my decade-old Phenom II X4 build. (Just last year, I put a SATA SSD in there–first significant upgrade since 2011–and even that was enough for a lovely boost.)

        ---
        Home machines: Windows 10 Pro (21H2), Windows 7 Home (Group B)
        Work machines: Windows 10 Enterprise (21H2)

        • #2322481

          With that update I would not change a thing until I had it running, backed up and used it for a week or two.

          cheers, Paul

    • #2322462

      You have to upload files for them to be checked, or have a file hash (SHA-256). FileAlyzer can generate those SHA-256 file hashes.

      Correct, but when it is working properly with VT, Autoruns hashes them for you. It would take forever to actually auto upload all of the files scanned by Autoruns.

      Windows 10 Pro 22H2
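
The two replies above about SHA-256 hashes, as an added example that is not part of any poster's reply: a read-only PowerShell check that, for each image path copied out of Autoruns, reports whether the file exists (the "file not found" case), whether its Authenticode signature verifies (the "not verified" case), and the SHA-256 hash to paste into the VirusTotal search box. The function name `Get-AutorunFileTriage` and the second sample path are assumptions made for this example.

```powershell
# Added example (not from the thread). Paste in the "Image Path" values
# that Autoruns shows for the entries you are unsure about.
$imagePaths = @(
    "$env:SystemRoot\SysWOW64\wow64cpu.dll",   # file name mentioned in the thread
    'C:\Example\missing-startup-item.exe'      # constructed path, expected not to exist
)

# Hypothetical helper name; it only reads files and changes nothing.
function Get-AutorunFileTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )

    foreach ($p in $Path) {
        # A startup entry that points at a file which is no longer on disk.
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{
                Path      = $p
                Exists    = $false
                Signature = 'n/a'
                Signer    = ''
                SHA256    = ''
            }
            continue
        }

        # Authenticode check: Status is 'Valid' only when the signature verifies.
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        $signer = ''
        if ($sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
        }

        # SHA-256 of the file contents; this is the value to search for on VirusTotal.
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash

        [pscustomobject]@{
            Path      = $p
            Exists    = $true
            Signature = [string]$sig.Status
            Signer    = $signer
            SHA256    = $hash
        }
    }
}

Get-AutorunFileTriage -Path $imagePaths | Format-List
```

Searching a hash uploads nothing; it only shows whether VirusTotal has already seen that exact file, so a "not found" result for a hash means the file has not been submitted before, not that it is clean or malicious.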

    • #2323219

      get around to installing Windows 10 (version 1909 is on a USB stick and ready to go)


      @KevinTMC

      By the end of 2020 PLEASE do not install your 1909 version! You will get ENDless updates right away!

      It is so easy to go to Microsoft’s Windows 10 version October 2020 update page. There look for “Create Windows 10 installation media” and do as described there to create an up-to-date USB drive to upgrade to or install Windows 10 version 20H2.

      • #2323282

        But there are still problems with 20H2 (chkdsk for one). 1909 is relatively bug free.

        cheers, Paul

        • #2323289

          But there are still problems with 20H2 (chkdsk for one).

          Susan said today, “As I noted last week, this issue was fixed with a cryptic behind-the-scenes update for those who get their updates from Windows update.”

        • #2323295

          But there are still problems with 20H2 (chkdsk for one)

          Not for everyone.  “I’ve been contacted by several German blog readers by email and via comments within my German blog (thanks for that). They all pointing to a strange bug, obviously brought to systems with cumulative update KB4592438.”

          As for 20H2 in general, I’ve been running it since its release without any problems.  Of course this is anecdotal, but it’s easy enough to check for one’s self simply by making a drive image and upgrading to 20H2.  If problems are encountered, just restore the drive image.  If no problems are encountered, one can do whatever seems best.

          Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
          We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
          We were all once "Average Users".

          1 user thanked author for this post.
    • #2323877

      Autoruns shows me 20-odd entries under Task Scheduler for Windows Media Center, in yellow for File Not Found. This is likely because my Win 10 PC was upgraded from Win 7, and MS dropped WMC in Win 10.

      Am I safe to disable these entries? If so, what would be preferable, to un-check the entries in Autoruns, or to disable the tasks directly in Task Scheduler?

      • #2323945

        What to switch off is not a straightforward ‘is it safe’ question.  What you don’t need running is part of the decision. Another part is what you want to run.

        To get you started, try pressing Ctrl+Alt+Delete to bring up Task Manager.  Click on the Start-up tab. AFAIK these are all non-MS start-ups so should be non-essential BUT some manufacturers may have necessary utilities. Be cautious doing the following

        On each of the lines, right-click and choose ‘search online’. That will launch a Bing search. Not all of the results will be dependable. File.net frequently gives you a small overview what the start-up program does. Double check it relates to the Start-up entry. Make your decision based on the description of what the file does and whether you need or want it. (e.g. I want my 3rd party firewall control to run but it is not essential). I currently have a list of 12, 7 of which are stopped. After that, get back to autoruns and do web searches. Some sites are reliable. Others try to get you to run their scammer (er, ‘scanner’).

        Once you are certain a startup is not essential AND you don’t want it to run, right-click and select ‘disable’.

        When researching:

        File.net is fairly reliable.

        ShouldIremoveit.com is fairly reliable.

        Processlibrary.com is fairly reliable

        If it brings up results during a web search, Neuber.com is fairly reliable.

        1 user thanked author for this post.
    • #2324232

      Am I safe to disable these entries?

      It’s always safe to disable them, you can re-enable them if required.

      cheers, Paul

      • #2324264

        Autoruns shows me 20-odd entries under Task Scheduler for Windows Media Center, in yellow for File Not Found. This is likely because my Win 10 PC was upgraded from Win 7, and MS dropped WMC in Win 10.

        I have them too.  WMC does not show in task manager – I had already shut down all unnecessary startup programs.  But I don’t even see it in there (it would show disabled on start up).  I’d like to delete all the WMC files showing in yellow (which means not found, right?).  Any issues with that? Or I can just leave it, I don’t suppose it’s causing any harm, but I like to cleanup where I can.

    • #2324374

      Deliberately cautious wording: If you no longer have WMC, MMC-related entries will be safe to delete.

      You should be able to delete entries in yellow (file/entry not found). If you want to be cautious, file search for missing file (e.g. using ‘Everything’). You will not find it. At least, not in the same file path.

    • #2398473

      Not ever if I could help it, but a power outage takes care of that once in a while, and there is always some problem afterwards, and perhaps the odd time an installation calls for it.

      I am a happy Win7 user and will stay that as long as my computer lasts (or I, LOL)

      I am looking the 9th century in the eye and have no yen to learn new tricks and systems.

      Been there, done that.

      Joe
