Tuesday, 5 May 2015

Sysinternals Autoruns - Comprehensive Startup Identification

I was looking at my Dad's home PC that had some malware on it and despite my brother cleaning up most of the offending software, there were still some annoying messages at startup indicating that although the offending .DLL had been removed, there was still something calling it and trying to launch it at startup.  The RunDLL error message that was being seen was:
There was a problem starting
C:\PROGRA~1\COMMON~1\System\SysMenu.dll
The specified module could not be found.
MSConfig.exe is a built-in Windows tool for showing some startup processes.  Unfortunately, there are many places for a startup process to hide that MSConfig doesn't show.
[Screenshot: MSConfig System Information]

Luckily for us, Mark Russinovich has created a fantastic tool called Autoruns that shows what processes are being launched and where they are being started from.
[Screenshot: Sysinternals Autoruns]
The initial screen shows all of the different startup points (e.g. the Startup folder, HKLM\Software....\Run, etc.) together with the programs and modules being launched from each.

When a line is highlighted in yellow, the program or module being called no longer exists on disk, but the entry that calls it is still in place.  You can even do an Internet search for details on a particular line right from the application!

The particular piece of rogue software that was troubling my Dad was being started as a scheduled task that had a trigger of 'At logon of any user' selected for its run time.
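The check Autoruns performs by hand here, listing each autostart location and flagging entries whose target is gone, can be reproduced for the Run keys, the Startup folders and logon-triggered scheduled tasks with the PowerShell below. It is an added example, not code from this post or from Sysinternals; the function names are my own, and the scheduled-task part relies on the Get-ScheduledTask cmdlet, which ships with Windows 8 / Server 2012 and later, so on the older systems the post lists that part simply returns nothing.

```powershell
# Added example, not code from the post or from Sysinternals: list common
# autostart entries and flag those whose target file is missing, the condition
# Autoruns marks with a yellow row. Run from an elevated PowerShell prompt so
# HKLM and the all-users task library are readable.

# Pull the program or DLL path out of a command line. A rundll32 invocation
# carries the interesting path as an argument, so a .dll match is preferred
# over the first .exe; quoted, unquoted and 8.3 (PROGRA~1) paths all match.
function Get-TargetPath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd  = [Environment]::ExpandEnvironmentVariables($CommandLine)
    $hits = [regex]::Matches($cmd, '"?([A-Za-z]:\\[^",]+?\.(?:dll|exe))"?', 'IgnoreCase')
    $dll  = $hits | Where-Object { $_.Groups[1].Value -match '\.dll$' } | Select-Object -First 1
    if ($dll)              { return $dll.Groups[1].Value }
    if ($hits.Count -gt 0) { return $hits[0].Groups[1].Value }
    # No rooted path at all: fall back to the first token (e.g. a bare 'rundll32.exe')
    return ($cmd.Trim() -split '\s+')[0].Trim('"')
}

# A target counts as present if it is on disk or, for bare names, resolvable
# through PATH the way the loader would resolve it.
function Test-TargetExists {
    param([string]$Target)
    if (-not $Target) { return $false }
    if (Test-Path -LiteralPath $Target) { return $true }
    return [bool](Get-Command -Name $Target -CommandType Application -ErrorAction SilentlyContinue)
}

# Run / RunOnce keys for the machine, the current user and 32-bit apps on x64.
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Source = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
}

# Shortcuts in the per-user and all-users Startup folders, resolved to their targets.
function Get-StartupFolderEntries {
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -LiteralPath $folder -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Source  = $folder
                Name    = $_.Name
                Command = ('"{0}" {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
            }
        }
    }
}

# Scheduled tasks with a logon trigger, the hiding place found in the post.
# Get-ScheduledTask exists on Windows 8 / Server 2012 and later; elsewhere
# this function returns nothing rather than failing.
function Get-LogonTaskEntries {
    if (-not (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue)) { return }
    foreach ($task in Get-ScheduledTask) {
        $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if (-not $logon) { continue }
        foreach ($action in $task.Actions) {
            if ($action.CimClass.CimClassName -ne 'MSFT_TaskExecAction') { continue }
            [pscustomobject]@{
                Source  = 'Task ' + $task.TaskPath + $task.TaskName
                Name    = $task.TaskName
                Command = ("$($action.Execute) $($action.Arguments)").Trim()
            }
        }
    }
}

$report = @(Get-RunKeyEntries) + @(Get-StartupFolderEntries) + @(Get-LogonTaskEntries) |
    ForEach-Object {
        $target = Get-TargetPath $_.Command
        $_ | Add-Member -MemberType NoteProperty -Name Target     -Value $target -PassThru |
             Add-Member -MemberType NoteProperty -Name FileExists -Value (Test-TargetExists $target) -PassThru
    }

# Orphaned entries: the call is still there but the file is gone (yellow in Autoruns)
$report | Where-Object { -not $_.FileExists } | Format-Table Source, Name, Target -AutoSize
```

The script only covers the three locations the post mentions; Autoruns also inspects services, drivers, Winlogon entries, browser helper objects and many other launch points, so treat this as a way to script the orphaned-entry check for the common cases, not as a replacement for the tool. An entry it prints is exactly what was left behind on the PC described above: the file is gone, the thing that calls it is not.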

For me, Autoruns is an important tool in any Sysadmin's toolkit and it will run on Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 8.1.  Although probably less necessary, it will of course run on the server operating systems too - 2003, 2008 and 2012.
