SportSavant said:
Tell me more about the startup controls, those are a real pain in the ass when all the programs install themselves to load up upon start up....
I can never figure out how to turn off the Start Ups 1/2 the time.
A program can be loaded at startup from various places. By knowing where these are located, you have more direct control over them. How to edit and control startup program launching is different in Windows 95 than in Windows 98 and Millennium, primarily due to the innovation in Win98 of MSCONFIG.EXE. In the instructions below, the programs MSCONFIG, SYSEDIT, and REGEDIT each can be launched by clicking Start, then Run, typing in the program name, and clicking OK. (MSCONFIG does not come with Win95, and looks significantly different in Windows XP. SYSEDIT does not come with Windows Millennium. Either may be copied over from a version of Windows that has it. Consult your operating system licensing agreement to determine whether you may do this legally.)
Locations that control startup loading of programs include the following:
THE CONFIG.SYS & AUTOEXEC.BAT FILES
Launch SYSEDIT and examine the AUTOEXEC.BAT and CONFIG.SYS files. At machine startup, configuration steps in CONFIG.SYS and command lines listed in AUTOEXEC.BAT will execute. For more information on individual MS-DOS or command prompt commands, open a DOS or command prompt window and type the individual command followed by /?. For more information on special batch file commands, see the Batch File Commands article on this site. You can temporarily suspend any line of this file by placing REM (followed by a space) in front of the line.
QUIRKS by QUIRKE: South African Windows watchdog, Chris Quirke, has alerted me to a strange Windows quirk I never knew about. In Win95/98, COMMAND.COM launches not “Autoexec.bat” per se but, rather, the simple command AUTOEXEC. This means that the usual command line launching rules apply so that a .BAT file is first sought (AUTOEXEC.BAT) but, if one isn’t found, the OS next will look for AUTOEXEC.COM and, thereafter, AUTOEXEC.EXE! On the one hand, this is a useful trick; on the other hand, it’s an especially useful trick for malware designers!
In Win98, you have the additional option of launching MSCONFIG, clicking on the AUTOEXEC.BAT and CONFIG.SYS tabs, finding these lines, and unchecking the box in front of them. In Windows Millennium Edition, the MSCONFIG method, or editing AUTOEXEC.BAT and CONFIG.SYS with Notepad, are your only options unless you migrate SYSEDIT.EXE to your system. In Windows XP, the only option is to edit AUTOEXEC.BAT (if it exists) with Notepad.
NOTE ON RESTARTING IN MS-DOS MODE: Though somewhat outside the scope of this article (which primarily deals with Windows startup program loading), some mention should be made of the DOSSTART.BAT file. If you use the option, from within Windows 95/98, to “Restart in MS-DOS Mode,” different startup execution files are run depending on certain options you select when shutting down to DOS. Under most circumstances, the DOSSTART.BAT file in the C:\Windows folder is executed much like AUTOEXEC.BAT (except that it will not execute SET commands). However, if you create a shortcut for shutting down to DOS and select the option to specify a new MS-DOS configuration (thereby creating custom AUTOEXEC.BAT and CONFIG.SYS files), DOSSTART.BAT is not executed, but your custom AUTOEXEC.BAT and CONFIG.SYS files are executed instead. A more detailed explanation of what happens in these situations is given in MS Knowledge Base Article 138996, Description of Restarting Computer in MS-DOS Mode.
A somewhat related, but quite distinctive, process occurs in Windows ME when you open a command prompt (that is, a “DOS window”). Windows ME does not have a provision to shut down to DOS. However, when you open a command prompt window it executes commands contained in the CMDINIT.BAT file in the C:\Windows\Command folder. By default, CMDINIT.BAT launches the DosKey program for each command prompt session.
THE WINSTART.BAT FILE
The WINSTART.BAT file in Windows 95 and 98 loads TSR programs required for Windows-based programs but not needed in MS-DOS sessions. This file, if it exists, is usually in the C:\Windows folder, and is executed every time Windows starts — just like AUTOEXEC.BAT, except that AUTOEXEC.BAT is also launched during a DOS startup. You can examine and edit the contents of WINSTART.BAT with Notepad. You can temporarily suspend any line of WINSTART.BAT by placing REM (followed by a space) in front of the line. (Note that this is ignored in all other versions of Windows, since there is no need to differentiate MS-DOS session behavior.)
THE STARTUP FOLDER
This is usually located at C:\Windows\Start Menu\Programs\Startup in Windows 95, 98, or ME, or at C:\Documents and Settings\All Users\Start Menu\Programs\Startup in Windows XP. However, it may be at a different location on your computer. You can view the Startup folder in Windows Explorer by clicking the appropriate link (immediately above) if you have used the default; or you can view it by clicking Start | Programs | StartUp. In Win98 or Millennium, or if Internet Explorer 4 or later is installed, you can edit this directly in the Start Menu, by right-clicking on the item you want to modify or remove. In Win95 (pre-IE4), the most efficient way to edit it is with Windows Explorer. In Win98 or Millennium, you also can suspend the action of individual startup programs by launching MSCONFIG, clicking the Startup tab, and unchecking the box of any startup items you want to suspend.
You can freely delete any items in this folder without risking modifying or damaging any existing programs, because everything in this folder is a shortcut. (It doesn’t have to be. You can put an actual program or batch file here. But, almost always, it’s a shortcut.) The actual program is somewhere else. (You must, of course, know how to create a new shortcut if you want to restore it in the future.) You also may want to remove them to a different (storage) folder. (Disabling them with MSCONFIG actually moves them to a separate folder titled Disabled Startup Items.)
NOTE: There may be an additional Startup folder on your Win 9x computer if multiple users were implemented. This is usually located at C:\Windows\All Users\Start Menu\Programs\Startup. Don’t forget to check this one! (Credit to MS-MVP Alan Edwards for this tip.) Similarly, in Windows XP, there normally is an additional Startup folder for each user account. These are found by going to C:\Documents and Settings, clicking the folder for the particular user name, and navigating down through Start Menu and Programs folders to the individual Startup folder. Please note that a number of the points made in this article may have multiple elements in a multi-user environment.
The location of the folders that Windows treats as the Startup folder (including the individual user profile’s Startup folder) is stored in the Startup key of
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
and the Common Startup key of
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
THE WIN.INI FILE
WINDOWS XP NOTE: I have not seen WIN.INI used in Windows XP for startup purposes. However, Microsoft continues to include WIN.INI in their XP Help & Support instructions for Selective Startup troubleshooting, so it may still be in use in addition to the Registry key mentioned immediately below.
In Windows 95, launch SYSEDIT and examine the WIN.INI file. In the first section (titled [windows]), look for any lines beginning with LOAD= or RUN=. These are executed at startup. (Empty LOAD= or RUN= lines do not launch anything.) You can temporarily suspend these by placing a semi-colon in front of the line.
In Win98, you have the additional option of using SYSEDIT or of launching MSCONFIG, clicking on the WIN.INI tab, finding these lines, and unchecking the box in front of them. In Windows Millennium Edition and Windows XP, the MSCONFIG method, or editing WIN.INI with Notepad, are your only options (unless you migrate SYSEDIT.EXE to your Windows ME system).
In Windows 2000 and XP, the LOAD= and RUN= items are usually stored, instead, in the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows — this (at least generally) replaces the WIN.INI file in those operating systems. Some viruses and parasites exploit this key; see Common Loading Points of Threats in Windows NT/2000/XP.
THE WININIT.INI FILE
Another file, C:\Windows\WININIT.INI, also is loaded at each Windows normal mode startup. WININIT.INI is used to complete Windows and program installation steps that cannot be completed while Windows is running and, therefore, are deferred until after a reboot. During the boot process, Windows checks to see if there is a WININIT.INI file and, if it finds one, executes its instructions. (After its successful use, it is supposed to be automatically renamed to WININIT.BAK.) You can search for a copy of this file using the Find or Search feature on your Start Menu, and then examine and edit its contents with Notepad. You can temporarily suspend any line of this file by placing a semi-colon in front of the line.
In Windows 2000 and XP, the WININIT.INI file, if existing, will be executed. However, it is usually replaced by the “PendingFileRenameOperations” sub-key in the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager.
REGISTRY KEYS
The following Registry keys may contain items to execute at launch.
WARNING: Do not edit the Registry directly without first backing it up. For Registry backup recommendations, see Registry Patches.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx (in XP)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Additionally, the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key (on Windows NT, 2000, XP, and Server 2003 systems) has a Userinit item which normally points to the perfectly legitimate and important program C:\WINDOWS\system32\userinit.exe. However, other programs can be made to launch from the same key by appending them to the legitimate value data, separated by a comma.
(Thanks to AumHa Forum participant Grinler for this tip.)
Please note that in Win98, Win ME, and Win XP, these items will appear on the Startup tab of MSCONFIG along with items in the StartUp folder. You can most safely and most easily disable them by unchecking the box in front of them. Also, please note that some items may appear twice in these Registry keys, and thus twice on MSCONFIG’s Startup tab. For some items — such as power management and TweakUI — this is normal, and both are needed for normal functioning. (They do different jobs, at different stages of system startup.) Some other duplicates may, in fact, be unnecessary. It is not possible to give a complete list, in advance, of all possible examples. If there are duplicates that are truly unnecessary, the simplest way to get rid of them is to be sure that both are checked, click OK to close MSCONFIG, and reboot the computer.
DRIVER FILES
Driver files (.VXD files) are also loaded at system startup in Windows 95, 98, and ME. These are primarily loaded from the following locations:
- The SYSTEM.INI file in the [386enh] section (edit with SYSEDIT or MSCONFIG).
- The following Registry keys:
  - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\VMM32Files
  - HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\VxD
- The C:\Windows\System\Vmm folder.
- In Windows ME, on the Static VxDs tab of MSCONFIG.
SERVICES in WINDOWS XP
In addition to the foregoing, in Windows XP you should examine the Services that are automatically launched at startup. You can see these by pressing Ctrl+Alt+Del, then clicking the Processes tab, or by launching the Services management tool that you will use to modify them. To launch the Services tool, log in as an Administrator, then click Start | Control Panel | Performance & Maintenance | Administrative Tools | Services. (Note that this Control Panel item is simply a shortcut, which you can copy to your desktop or anywhere else you want it.) Even faster, from a Run box (click Start | Run or press Win+R) type SERVICES.MSC.
By default, Windows initiates many Services you just don’t need. For example, if you aren’t on a network, there are at least half a dozen Services that should be set to Manual rather than Automatic — meaning, they still can be launched, but will not launch automatically at Windows startup.
The best discussion of individual Services I yet have seen — including an item-by-item discussion of which Services you might want to set to Manual (or, rarely, Disable) — is Windows 2000 Services Tweak Guide by Thomas McGuire. As far as I can tell, everything in it applies to Windows XP just as much as to 2000. (I do apologize in advance for sending you someplace where so many pop-up ads appear!) Another helpful site is Tweaking Win2K Services for Home Users by Andrew McConville. For further information on managing services, I highly recommend How to Determine what Services are Running in Win XP by MS-MVP Mike Burgess.
MORE HIDDEN LOADS...
Chris Quirke, who was kind enough to look over this article and offer abundant recommendations, rightly suggested that I include mention of auto-execution mechanisms that run at times other than startup. After all (he reasonably reasoned), many of you are probably reading this page because you want to exclude unwanted software and haven’t been able to find out what’s launching it! Here, courtesy of Chris, is a list of some non-startup loading mechanisms:
- Network logon processes (e.g., Novell Client)
- Tasks, both time-based and event-based (e.g., associated with network login, or executed by a task scheduler)
- Magic-name dropper attacks (e.g., AutoRun.inf)
- File infection (what a true “virus” does)
There are several other possibilities which, however, come under the heading of malware detection more than the simpler topic to which this page is dedicated, viz., a general user’s management of their startup process. For example, we could go into topics of file substitutions (dropping a malicious or alternate program onto the computer to replace one with a known name, e.g., replacing ScanDisk), or the well-known use of the SHELL= line in SYSTEM.INI to launch more than one program. These are well-known to malicious hackers, virus developers, etc. There are still other startup locations that have not been mentioned here because, according to security experts I know, they haven’t yet been used in malware attacks, and don’t really have any practical use for the typical user. If this were an overall “securing your system” article, quite a lot more would be incorporated. But it isn’t. I do hope, however, that this page helps you control what programs your computer does, and does not, load at startup.
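As an added example (not part of the original post), here is a small Python audit of two of the locations described above: the active LOAD=/RUN= lines in the [windows] section of WIN.INI, and extra programs appended to the Winlogon Userinit value. The sample WIN.INI text, the function names, and the appended path are constructed for illustration; it also assumes LOAD=/RUN= entries are separated by spaces or commas and that the legitimate Userinit path is the one given in the article.

```python
import re

# Constructed sample WIN.INI text (not taken from a real machine).
SAMPLE_WIN_INI = """\
[windows]
load=C:\\TOOLS\\CLOCK.EXE C:\\TOOLS\\TRAY.EXE
;run=C:\\OLD\\DISABLED.EXE
RUN=
NullPort=None

[Desktop]
run=C:\\NOT\\STARTUP.EXE
"""

# Legitimate Userinit program as given in the article; adjust per system.
EXPECTED_USERINIT = r"C:\WINDOWS\system32\userinit.exe"


def win_ini_autoloads(text):
    """Return (key, program) pairs from active LOAD=/RUN= lines in [windows]."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # semicolon = suspended line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if section == "windows" and sep and key in ("load", "run"):
            # Assumption: entries are separated by spaces or commas and
            # contain no embedded spaces (8.3-style paths).
            found += [(key, p) for p in re.split(r"[,\s]+", value.strip()) if p]
    return found


def userinit_extras(value, expected=EXPECTED_USERINIT):
    """Return entries in a comma-separated Userinit value other than `expected`."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries if e and e.lower() != expected.lower()]


if __name__ == "__main__":
    print(win_ini_autoloads(SAMPLE_WIN_INI))
    # Constructed value with one program appended after the legitimate entry.
    print(userinit_extras(EXPECTED_USERINIT + r",C:\TEMP\extra.exe"))
```

Empty LOAD=/RUN= lines and semicolon-suspended lines produce no findings, matching the behaviour the article describes.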