Revisiting MS TechNet’s updated Autoruns utility

Nathan Segal

One of Microsoft’s more popular TechNet/Sysinternals power utilities, Autoruns provides a detailed view into apps that start automatically in Windows.

It’s a powerful tool for sniffing out malware, system performance problems, and obsolete-but-still-running code.

I gave an introduction to Autoruns this past March, and then Microsoft updated it in October. Here’s what’s new.

For a review of Autoruns’ capabilities, see the March 19, 2015, Best Utilities story, “A tour through the powerful Autoruns utility.” If you like Autoruns, you might also want to review Process Explorer, which I wrote about in the Feb. 5 and Feb. 12 Best Utilities columns.

As with those previous articles, I contacted Tektegrity’s IT senior consultant Joshua Erdman, who guided me through the latest updates. They include:

  • VirusTotal is now integrated into Autoruns; it lets you check whether a suspicious executable (.exe) file might be malware.

    Figure 1. The enhanced Autoruns with a VirusTotal column (note: window split and shrunk for space).

  • Find MS Office plugins — a new filter/tab shows any Office plugins that are automatically loading.
  • Windows/Microsoft filters — Actually, this isn’t a new feature, but it wasn’t covered in previous articles. Use the filter to quickly hide all Windows- and Microsoft-specific auto-loading apps. (A Microsoft Channel 9 video briefly shows how this filter works — along with a bunch of other information on Autoruns and the related MSConfig tool.)

One other powerful Autoruns feature you should know about is the ability to double-click any entry and go directly to the related entry in Windows Registry editor.

(Note: When you launch Autoruns, be sure to enable administrator privileges in the File menu, first.)

Using the new VirusTotal option

Of the recent Autoruns enhancements, the addition of a VirusTotal component is the most useful for most Windows users looking for malware. If you’ve not used VirusTotal, it’s a respected and free online service into which you can upload a suspicious file or enter a suspect URL and it will be scanned by numerous anti-malware engines.

Keep in mind, however, that as with all AV apps and services, VirusTotal can protect you only against what’s known. If you’re the victim of a brand-new exploit, there’s a chance it won’t get flagged. Joshua noted that he occasionally encounters new malware, usually as an email attachment. To see whether it’s been reported, he submits it to VirusTotal or Jotti.org. Typically, new malware is flagged by only two or three AV scanners, out of the forty or so employed. But by the next day, two-thirds of the scanners will have the new virus signature in their databases — and soon after, they’ll all know about it.

Again, Autoruns can also help find remnant Registry entries that cause system slowdowns: leftovers from a removed application that Windows still loads but that nothing on the system uses. Finding out what a particular entry or file actually does might take a fair amount of detective work, especially if these orphan entries are unsigned.

Autoruns uses color coding to highlight these leftover bits. For example, an entry highlighted in yellow (see Figure 2) is typically a Registry entry that references a missing file; items highlighted in pink don’t list who made them — an indication that they might be malware.

Figure 2. Autoruns uses color coding to highlight orphaned Registry entries or files from unknown sources.

If you see a file that appears suspicious, you can right-click it and choose the Check VirusTotal option, as shown in Figure 3. (If you’ve checked the file before, the option will read “Resubmit to VirusTotal.”)

Figure 3. Autoruns makes it easy to check suspect files.

Figure 4 shows the results for an IObit Unlocker file; the stats are highlighted in red.

Figure 4. VirusTotal results in Autoruns

Clicking on the red scan stats brings up the VirusTotal page. As you can see in Figure 5, out of 54 different scans, only one flagged the IObit file; DrWeb listed 276 “unwanted program” complaints. Not shown in Figure 5 are two devil/angel icons that you can use to vote the file up or down. (VirusTotal asks you to do so only if you have evidence the file is either harmless or malicious.)

Figure 5. The VirusTotal report on an IObit file notes only that it might be a potentially unwanted app.

If you’ve sent a file for scanning and the scanning process doesn’t seem to complete, it might have done so but was not displayed in Autoruns. Should that happen, click the scanning link; you’ll be taken to the VirusTotal page for that file. Chances are good that the full scan is done.

(Note: The first time you submit a suspect item to VirusTotal, you’ll be taken to the license-agreement page; you must then sign up for the service.)

Use Autoruns filtering to prevent data overload

In the main Autoruns window, the first tab is Everything. Autoruns collects a sea of information (Figure 6), and it can quickly become overwhelming. The rest of the tabs are subsets of the collected information, but it can still be daunting.

Figure 6. Without the use of filters, sorting through the information Autoruns collects is challenging.

Most users, especially those in small business or where Windows’ group policy isn’t applied, won’t need to see the long, long list of entries.

By applying all the default filters under the Options menu (Hide Empty Locations, Hide Microsoft Entries, Hide Windows Entries, and Hide VirusTotal Clean Entries), your display might look like Figure 7 — a shorter list that has more of what you really need to see.

Figure 7. Applying filters will show the items of most interest.
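The same triage the GUI performs with its color coding (yellow for a missing file, pink for an entry with no verified publisher) and its Options filters (Hide Microsoft Entries, Hide VirusTotal Clean Entries) can be applied to Autoruns' command-line export when you need to review many machines. The PowerShell below is an added example and is not code from the article or from Sysinternals. It assumes the CSV column layout written by autorunsc.exe with the -c, -s and -v switches (the header shown in the sample), that missing files appear in the Image Path column as "File not found: ...", and that the VT detection column reads "hits|engines" once VirusTotal has answered; all four sample rows are constructed for illustration and the function name Get-AutorunsFindings is invented here.

```powershell
# Added example (not from the article or from Sysinternals): triage an autorunsc
# CSV export with the rules the Autoruns GUI applies through its color coding and
# Options filters. The header and the four rows below are CONSTRUCTED sample data;
# the column layout is an assumption about 'autorunsc.exe -a * -c -s -v' output.
$sampleCsv = @'
"Time","Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Company","Image Path","Version","Launch String","VT detection","VT permalink"
"11/5/2015 9:38 AM","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","System-wide","Windows Security notification icon","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\securityhealthsystray.exe","10.0.10586.0","c:\windows\system32\securityhealthsystray.exe","0|57","https://www.virustotal.com/example-placeholder"
"11/5/2015 9:38 AM","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OldUpdater","enabled","Logon","CONSTRUCTED\user","","","","File not found: C:\Program Files\RemovedApp\updater.exe","","""C:\Program Files\RemovedApp\updater.exe"" /background","",""
"11/5/2015 9:38 AM","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ExampleUnlocker","enabled","Logon","System-wide","Example shell helper","(Not verified) Example Vendor","Example Vendor","c:\program files\example vendor\unlocker.exe","1.0.0.1","c:\program files\example vendor\unlocker.exe","1|54","https://www.virustotal.com/example-placeholder"
"11/5/2015 9:38 AM","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ContosoAgent","enabled","Logon","System-wide","Contoso agent","(Verified) Contoso Ltd","Contoso Ltd","c:\program files\contoso\agent.exe","2.3.0.0","c:\program files\contoso\agent.exe","0|57","https://www.virustotal.com/example-placeholder"
'@

function Get-AutorunsFindings {
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        [int] $DetectionThreshold = 1,     # report an entry once this many engines flag it
        [switch] $HideMicrosoftEntries     # mirrors Options > Hide Microsoft Entries
    )

    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $signer      = $row.'Signer'
        $isVerified  = $signer -like '(Verified)*'
        $isMicrosoft = $isVerified -and ($signer -match 'Microsoft')

        # Hide Microsoft Entries drops only entries whose signature verified as Microsoft's;
        # an unsigned file claiming to be Microsoft's stays visible, as in the GUI.
        if ($HideMicrosoftEntries -and $isMicrosoft) { continue }

        $reasons = New-Object System.Collections.Generic.List[string]

        # Yellow in the GUI: the Registry entry points at a file that no longer exists.
        if ($row.'Image Path' -like 'File not found:*') {
            $reasons.Add('missing file (yellow in Autoruns)')
        }

        # Pink in the GUI: no verified publisher behind the file.
        if (-not $isVerified) {
            $reasons.Add('no verified publisher (pink in Autoruns)')
        }

        # VT detection reads "hits|engines" once VirusTotal has answered; a blank
        # column means the file was never submitted, so it is neither clean nor dirty.
        if ($row.'VT detection' -match '^(\d+)\|(\d+)$') {
            $hits    = [int]$Matches[1]
            $engines = [int]$Matches[2]
            if ($hits -ge $DetectionThreshold) {
                $reasons.Add("VirusTotal $hits/$engines engines")
            }
        }

        # An entry with no reasons is what "Hide VirusTotal Clean Entries" would drop.
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Entry     = $row.'Entry'
                Location  = $row.'Entry Location'
                ImagePath = $row.'Image Path'
                Signer    = $signer
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Usage: on the constructed sample this reports OldUpdater (missing file, no publisher)
# and ExampleUnlocker (unverified publisher, 1 of 54 engines); SecurityHealth is hidden
# by the Microsoft filter and ContosoAgent is verified and clean, so neither appears.
Get-AutorunsFindings -CsvText $sampleCsv -HideMicrosoftEntries | Format-Table -AutoSize
```

The threshold is deliberately low: as the article notes, brand-new malware is often flagged by only two or three engines on the first day, so a single hit on an unsigned auto-start entry is worth a look rather than something to filter out.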

The Office tab: This new option shows add-ons and tools loaded with Office. If your copy of Office is crashing or you’re running into related problems, they might be caused by incompatible add-ons or plugins.

As you can see in Figure 8, many of the related add-on files aren’t fully named, making it more difficult to find the offending file or process. But as mentioned above, double-clicking an entry will open the Registry editor and take you directly to where Autoruns found that entry.

Figure 8. Use the Office filter to find problematic add-ons.

Microsoft filters: As mentioned, this option lets you hide or reveal Microsoft-related startup apps. For example, Microsoft killed off Gadgets in Windows because of serious security issues. Vista users will be familiar with these applets; Win7 users had to hunt for them, and an update effectively eliminated their use.

But if you click the Sidebar Gadgets tab, leftover gadgets might not appear. Check that the Microsoft filter isn’t switched on. On my machine, turning off the filter revealed a gadget entry for Avast Antivirus.

If you’ve repeatedly upgraded your PC, you might also use the Microsoft filter to reveal other leftover apps from previous versions of Windows.

Similarly, Autoruns filters can help you find other third-party applications you no longer use, making it another good tool for cleaning up your system.

Side note: You’re probably familiar with Windows’ MSConfig/System Configuration utility (Figure 9). You might use this tool to troubleshoot system problems, by turning off entries in the Services and Startup tabs. But if you leave it in diagnostics mode, you (or an unhappy customer, if you’re a computer tech) might end up getting the message shown in Figure 10. Autoruns makes it easier to disable specific applications and not worry about receiving the warning.

Figure 9. MSConfig/System Configuration is the more limited but much more user-friendly sibling to Autoruns.

Figure 10. Unlike MSConfig, Autoruns lets you temporarily disable startup apps without getting this message.

Summary: Autoruns’ power is in its depth; it’ll take some time to become familiar with its many options and capabilities. Starting off with filters will help keep the huge volume of information under control. Also, when you run this program, make sure that you first enable administrator privileges in the File menu.


All Windows Secrets articles posted on 2016-01-21:


About Nathan Segal

Nathan Segal has been a freelance writer for over 15 years. He has authored over 600 articles and six books. His topics have included digital imaging and Photoshop, technology, tutorials, and travel.