One of Microsoft’s more popular TechNet/Sysinternals power utilities, Autoruns provides a detailed view into apps that start automatically in Windows.
It’s a powerful tool for sniffing out malware, system performance problems, and obsolete-but-still-running code.
I gave an introduction to Autoruns this past March, and then Microsoft updated it in October. Here’s what’s new.
For a review of Autoruns’ capabilities, see the March 19, 2015, Best Utilities story, “A tour through the powerful Autoruns utility.” If you like Autoruns, you might also want to review Process Explorer, which I wrote about in the Feb. 5 and Feb. 12 Best Utilities columns.
As with those previous articles, I contacted Tektegrity’s IT senior consultant Joshua Erdman, who guided me through the latest updates. They include:
- VirusTotal is now integrated into Autoruns; it lets you check whether a suspicious executable (.exe) file might be malware.
- Find MS Office plugins — a new filter/tab shows any Office plugins that are automatically loading.
- Windows/Microsoft filters — Actually, this isn’t a new feature, but it wasn’t covered in previous articles. Use the filter to quickly hide all Windows- and Microsoft-specific auto-loading apps. (A Microsoft Channel 9 video briefly shows how this filter works — along with a bunch of other information on Autoruns and the related MSConfig tool.)
One other powerful Autoruns feature you should know about is the ability to double-click any entry and go directly to the related entry in Windows Registry editor.
(Note: When you launch Autoruns, be sure to enable administrator privileges in the File menu, first.)
Using the new VirusTotal option
Of the recent Autoruns enhancements, the addition of a VirusTotal component is the most useful for most Windows users looking for malware. If you’ve not used VirusTotal, it’s a respected and free online service: you upload a suspicious file or enter a suspect URL, and the submission is scanned by numerous anti-malware engines.
Keep in mind, however, that as with all AV apps and services, VirusTotal can protect you only against what’s known. If you’re the victim of a brand-new exploit, there’s a chance it won’t get flagged. Joshua noted that he occasionally encounters new malware, usually as an email attachment. To see whether it’s been reported, he submits it to VirusTotal or Jotti.org. Typically, new malware is flagged by only two or three AV scanners, out of the forty or so employed. But by the next day, two-thirds of the scanners will have the new virus signature in their databases — and soon after, they’ll all know about it.
Again, Autoruns can also help find remnant Registry entries that are causing system slowdowns — detritus left behind by a removed application that Windows is still loading even though nothing on the system uses it. But finding out what a particular entry or file actually does might take a fair amount of detective work, especially if these orphan entries are unsigned.
Autoruns uses color coding to highlight these leftover bits. For example, an entry highlighted in yellow (see Figure 2) is typically a Registry entry that references a missing file; items highlighted in pink don’t list who made them — an indication that they might be malware.
If you see a file that appears suspicious, you can right-click it and choose the Check VirusTotal option, as shown in Figure 3. (If you’ve checked the file before, the option will read “Resubmit to VirusTotal.”)
Figure 4 shows the results for the IObit Unlocker file; the stats are highlighted in red.
Clicking on the red scan stats brings up the VirusTotal page. As you can see in Figure 5, out of 54 different scans, only one flagged the IObit file; DrWeb listed 276 “unwanted program” complaints. Not shown in Figure 5 are two devil/angel icons that you can use to vote the file up or down. (VirusTotal asks you to do so only if you have evidence the file is either harmless or malicious.)
If you’ve sent a file for scanning and the scanning process doesn’t seem to complete, the scan might have finished without the result being displayed in Autoruns. Should that happen, click the scanning link; you’ll be taken to the VirusTotal page for that file. Chances are good that the full scan is done.
(Note: The first time you submit a suspect item to VirusTotal, you’ll be taken to the license-agreement page; you must then sign up for the service.)
Use Autoruns filtering to prevent data overload
In the main Autoruns window, the first tab is Everything. Autoruns collects a sea of information (Figure 6), and it can quickly become overwhelming. The rest of the tabs are subsets of the collected information, but it can still be daunting.
Most users, especially those in small business or where Windows’ group policy isn’t applied, won’t need to see the long, long list of entries.
By applying all the default filters under the Options menu (Hide Empty Locations, Hide Microsoft Entries, Hide Windows Entries, and Hide VirusTotal Clean Entries) your display might look like Figure 7 — a shorter list that has more of what you really need to see.
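The same triage the color coding and the Options-menu filters give you in the GUI can be scripted over a CSV export from the command-line sibling autorunsc, which is handy when you collect startup entries from many machines. The script below is an added example, not code from the article or from Sysinternals; the sample rows are constructed, and the column names, the “(Verified)” signer prefix and the “File not found:” marker in the Image Path column are assumptions about the export layout, so adjust them to match what your autorunsc version actually writes. It hides verified-Microsoft entries, hides entries VirusTotal reported as 0/N, and then labels what remains as orphaned (the yellow rows), unsigned (the pink rows), or flagged by VirusTotal.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample rows laid out like an autorunsc CSV export (autorunsc -c -s -v).
# Column names, the "(Verified)" signer prefix and the "File not found:" marker
# are assumptions made for this example, not copied from the tool's documentation.
SAMPLE_CSV = """Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,VT detection
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\securityhealthsystray.exe,0/54
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Unlocker,enabled,Logon,IObit Unlocker,(Verified) IObit Information Technology,IObit,c:\\program files\\iobit\\iobit unlocker\\unlocker.exe,1/54
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,OldSync,enabled,Logon,,,,File not found: c:\\program files\\oldvendor\\sync.exe,
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,Logon,Updater,(Not verified) Example Vendor,,c:\\users\\joe\\appdata\\roaming\\updater.exe,0/54
HKLM\\SOFTWARE\\Microsoft\\Office\\Word\\Addins\\Example.Addin,Example.Addin,enabled,Office Addins,,(Verified) Example Vendor,Example Vendor,c:\\program files\\example\\addin.dll,3/54
"""


@dataclass
class Entry:
    location: str
    name: str
    category: str
    signer: str
    company: str
    image_path: str
    vt_detection: str

    @property
    def is_microsoft(self) -> bool:
        # Key on the *verified* signer, as the Hide Microsoft/Windows Entries filters do.
        # The Company column is self-declared metadata and is not trusted here.
        return self.signer.startswith("(Verified) Microsoft")

    @property
    def is_missing_file(self) -> bool:
        # The yellow rows: a Registry entry whose target file no longer exists.
        return self.image_path.startswith("File not found:")

    @property
    def is_unsigned(self) -> bool:
        # The pink rows: no verified publisher on the file.
        return not self.signer.startswith("(Verified)")

    @property
    def vt_hits(self):
        """Return (flagged, total) parsed from an 'n/m' string, or None when there is no scan result."""
        if "/" not in self.vt_detection:
            return None
        flagged, total = self.vt_detection.split("/", 1)
        return int(flagged), int(total)

    @property
    def is_vt_clean(self) -> bool:
        hits = self.vt_hits
        return hits is not None and hits[0] == 0


def parse_autoruns_csv(text: str) -> list:
    """Turn the CSV text into Entry objects; empty cells become empty strings."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Entry(row["Entry Location"], row["Entry"], row["Category"],
              row["Signer"] or "", row["Company"] or "",
              row["Image Path"] or "", row["VT detection"] or "")
        for row in reader
    ]


def apply_filters(entries, hide_microsoft=True, hide_vt_clean=True) -> list:
    """Mimic the Options-menu filters. Entries with no VirusTotal result at all
    (missing files, files never submitted) are kept: 'no result' is not 'clean'."""
    kept = []
    for e in entries:
        if hide_microsoft and e.is_microsoft:
            continue
        if hide_vt_clean and e.is_vt_clean:
            continue
        kept.append(e)
    return kept


def triage(entries) -> dict:
    """Map entry name -> list of reasons a human should look at it."""
    report = {}
    for e in entries:
        reasons = []
        if e.is_missing_file:
            reasons.append("missing file (orphaned entry, yellow in Autoruns)")
        elif e.is_unsigned:
            reasons.append("unsigned (pink in Autoruns)")
        hits = e.vt_hits
        if hits and hits[0] > 0:
            reasons.append(f"VirusTotal {hits[0]}/{hits[1]}")
        if reasons:
            report[e.name] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in triage(apply_filters(parse_autoruns_csv(SAMPLE_CSV))).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Note the trade-off the last filter carries: Hide VirusTotal Clean Entries also hides the unsigned “Updater” row, because 0/54 only means no engine currently recognizes the file. Run the script once more with hide_vt_clean=False when you are hunting something new, and it reappears tagged as unsigned.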
The Office tab: This new option shows add-ons and tools loaded with Office. If your copy of Office is crashing or you’re running into related problems, they might be caused by incompatible add-ons or plugins.
As you can see in Figure 8, many of the related add-on files aren’t fully named, making it more difficult to find the offending file or process. But as mentioned above, double-clicking an entry will open the Registry editor and take you directly to where Autoruns found that entry.
Microsoft filters: As mentioned, this option lets you hide or reveal Microsoft-related startup apps. For example, Microsoft killed off Gadgets in Windows because of serious security issues. Vista users will be familiar with these applets; Win7 users had to hunt for them, and an update effectively eliminated their use.
But if you click the Sidebar Gadgets tab, leftover gadgets might not appear. Check that the Microsoft filter isn’t switched on. On my machine, turning off the filter revealed a gadget entry for Avast Antivirus.
If you’ve repeatedly upgraded your PC, you might also use the Microsoft filter to reveal other leftover apps from previous versions of Windows.
Similarly, Autoruns filters can help you find other third-party applications you no longer use, making it another good tool for cleaning up your system.
Side note: You’re probably familiar with Windows’ MSConfig/System Configuration utility (Figure 9). You might use this tool to troubleshoot system problems, by turning off entries in the Services and Startup tabs. But if you leave it in diagnostics mode, you (or an unhappy customer, if you’re a computer tech) might end up getting the message shown in Figure 10. Autoruns makes it easier to disable specific applications and not worry about receiving the warning.
Summary: Autoruns’ power is in its depth; it’ll take some time to become familiar with its many options and capabilities. Starting off with filters will help keep the huge volume of information under control. Also, when you run this program, make sure that you first enable administrator privileges in the File menu.