Startup Items (Autostart's) - also called "Tasks"

show up in Windows Task Manager

what you need, and what you don't !!

    

Typical set of running Tasks in Task Manager     vs     Minimal set of running Tasks

The "typical seems like a lot, eh?  Well this tool only reports "some" of the processes !!!

 

IMPORTANT - the first couple of pages here go through some background information that you will NEED to be able to understand this stuff.  It is dry reading but worth it !! 

We will show you how to find the items that autostart, and how to locate the sections where they are being started from.

*** or if you don't care about all the "info" just download and install Autoruns Manager (Startup Control Panel)  and then click the following link:

Just show me which ones I can STOP and how to STOP them !!!

Identify Startup Items

First you will want to start up Windows Task Manager (shown above) - hit CTRL-Alt-Del

Then download these two tiny utilities which will display most of your automatic startups and will allow you to remove them.

Autoruns  -  lists all the executables that are configured to automatically start when you boot Windows.  You will find quite a few programs just taking up system resources with this - then go and shut-em-down !!

Autoruns Manager (Startup Control Panel) - similar to Autoruns but has checkboxes for removing startups.  Don't worry about removing them - it does not delete files - just stops them from starting with Windows bootup.  In addition, you can recheck the boxes later if you find that you need any of them to autostart.

Autostart Processes that are not in the Usual Autostart Locations

***  the next few sections will describe where all the usual Autostart locations are.  

Typically, you can stop about half the processes with the Task Manager by clicking on the process and then clicking the End Process button.  Critical System processes will give a message that they are critical and cannot be stopped.  All others can be stopped on the fly.

BUT - there will be processes that you cannot find the AutoStart entry for  anywhere !!!  You can stop them in Windows - but they return upon reboot !!  Most of these are "Services", and they are started deep within the Operating System code - not from an entry in the Registry.  With WinXP they can be turned off by running "Services.msc" - but be careful - you need many services to run Windows !!  See www.blackviper.com for details on this.

Over time, your list of running processes may grow to a harmful length, even though the Autoruns utility shows only one or two processes in the usual Autostart locations.  If this happens, uninstall as many of the offending apps as possible, and buy Registry First Aid, which is an absolute hound dog at finding excess registry entries !!  

Personally, my Task Manager showed a list of approx 6 or 7 processes that were Auto-starting yet were not listed in any of the traditional Autostart locations !!!  Autoruns did not show them either !!!  Even common ones such as Norton Ghost and Black Ice kept starting upon every reboot.  I had to uninstall them, reinstall, and then remove their startup entries which magically popped up in the usual locations - this finally got rid of their errant Autostart behavior !!

This page lists the common areas where process and apps are started from, but just be aware that there will be some that you will never stop from running.  There will be others that can only be stopped by uninstalling the Application.

The Auto-Startup areas of Windows

First, you must understand the primary areas where auto startup commands are issued from, upon bootup:

  • registry  -  there are several registry folders that store startup items.  These can be access with either the downloaded Startup Control Panel, or more popularly, with msconfig

  • autoexec.bat and config.sys  -  Win95-98-ME only - these are text files from the old DOS days

  • config.nt  -  WinNT-2000-XP only  -  similar to config.sys - rarely used !!

  • win.ini  -  Windows refers to this file every time it boots.  There are two lines that autostart programs . . . they begin with Run=  and  Load=

  • StartUp folder - this is a folder buried several level underneath the Windows folder.  Anything in it will autostart.

  • Services - you can configure any service to either start automatically, or manually - or you can disable the service altogether.  You access all services as follows:  Start/Run . . . services.msc

 MSconfig

 

This is the most often used editor for startup items.  Most users click Start/Run . . . msconfig . . . select the Startup tab, and uncheck the entries they want to remove from startup.  It does not remove the entries from your registry - and keeps them showing in Msconfig !!

 

To completely remove the entries - look at the “Location” of each entry.  This is very important in finding these shortcuts – should you wish to delete them instead of un-checking them.  The locations listed will tell you where the shortcut is as follows:

-  check all "Run" folders (do a search) and MAKE SURE to look in:

 

HKLM/Software/Microsoft/Shared Tools/MSConfig  -  this is the main Autostart registry folder.  There are two sub-folders that contain Autostart items here:  StartupFolder and StartupReg

CommonStartup – the shortcut will be in the folder:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

(use Explorer to delete)

Startup - the shortcut will be in the folder:

C:\Documents and Settings\username\Start Menu\Programs\Startup

(use Explorer to delete)

           

Any of the msconfig entries can be either checked to start, or unchecked to not start with Windows.  If you only want specific items toi start and want some of them unchecked, make sure that when you are done, click the "General" tab and check the "Selective Startup" radio button.

 

Remember - MSconfig does not delete the entries when you uncheck them - it just disables them from starting automatically.  They can only be deleted using regedit.

 

Config.sys and Autoexec.bat

 

For Win95-98 only, these are the two DOS startup files.  They are simple text files that reside at the root of your C drive and can be edit with Notepad to remove any unwanted startup items.

 

Win.ini

The lines "load ="  and "run=" can automatically start applications.  Win.ini is a text file and can simply be edited to add or remove these items.  Typically you should not need to start any items with Win.ini although there are exceptions.

 

The "Start Menu" folders

 

  Any shortcuts placed in these folders will automatically start when Windows boots.  It is located at:

 

Win95-98        c:\windows\start menu\programs\startup *

Win2000-XP:   c:\Document and Settings\username\start menu\programs\startup *

    And              c:\Document and Settings\All Users\start menu\programs\startup

 

*To quickly access this folder, right-click on the START button, and then left-click on "Explore"

 

 

The Registry Autorun Locations

 

CAUTION - messing with the Registry can mess up your machine, although you can always to a System Restore to an earlier time.  A quick way to safeguard yourself is  . . .  when in doubt, first export the keys - click on the key (the folder) and select File/Export . . .  You can export them to a temp folder on your hard drive and name them:  temp1.reg,  temp2.reg,  etc.  If problems occur or you want something back that you deleted - just start up Regedit again and import the ".reg" files.

There are numerous registry entries that can cause an application to autostart with Windows.  Here are the most common ones.  Pay particular attention to the entries in the msconfig\startupreg folder  -  the startup items in it will be keys (folders) - NOT values.  The keys can only be viewed on the left, so click the plus symbol next to both msconfig keys (folders - startupfolder and startupreg) , and it will expand out to show you the sub-keys (sub-folders).  These sub-keys are the autostart items the appear as checkboxes in the actual msconfig application (Start/Run . . . msconfig), under the Startup tab.

 

To see if these items are actually autostarting - open the Windows Task Manager (CTRL-Alt-Delete) and view the Applications and Processes tabs.  Here are the most common XP registry autostart locations .

 

NOTE:  the "MSconfig" entry only exists with WinXP SP1  -  with SP2 it has been removed !!!
and all the MSconfig "startup items are in the Registry "run" folders and the Startup folders.

 

NOTE about the "HKEY_USERS" registry branch:  as stated, the long key under "HKEY_USERS" that contains S-1-5-21 . . . etc  -  will be named differently on your machine.  There are also often several of these folders.

 

 

S-1-5-21-515967899-113007714-854245398-1003

(several Autorun's)

 

S-1-5-18

(just one Autorun - but that is a "RUNONCE" entry, so it can probably be deleted)

 

 

 

NOTE2:  there are other reg locations that can cause items to Autostart !!  Not many, but they do exist with certain, odd applications.  If this fails to stop an application from autostarting - search the entire registry for that application.  Also check the other autostart areas outside of the registry (see the rest of this page).  If you still cannot get rid of it - it is either absolutely required and not stoppable, or the application is corrupt and you will need to remove and reinstall it.

 

To get rid of these, you will want to first export the keys - just in case.  Since there are numerous keys, you can export them to a temp folder on your hard drive and name them:  temp1.reg,  temp2.reg,  etc.

 

  • click the folder - one at a time

  • File/Export . . .  name it as temp1.reg

  • delete the items you no longer want to autostart

  • repeat for each key - deleting the subkeys for the MSconfig folders, and the Values (on the right) for the Run folders

 

IMPORTANT !!  Bookmark the keys   -  these keys are so commonly used, since so many garbage apps add unwanted entries - that you should bookmark them in regedit.  It works just like IE !!   Navigate to each folder, select it, and click "Favorites/Add to Favorites", and name the folders.  I nemaed them  “Local_Machine – Run” and “Current_User – Run”, etc.  

 

Other Registry folders - Win95-98 also contain a folder called "Run-" which contains all the "unchecked" items in msconfig.  So you need to check that folder also if you want to delete a startup item.  All versions of windows have a folder called "RunOnce" and "RunOnceEx" which you should also check - although they are usually empty, since they are used for application that reboot the system and run one routine one time to complete an installation.

 

Processes and Services - those you should leave running and those you can Stop

Needed - or leave in for other Reasons

Adobelmsvc.exe - NOT an Autostart !!  starts whenever Adobe Photoshop CS2 starts - Adobe Photoshop CS2 activation License Manager, which "calls home" tp check to make sure your Adobe programs are properly licensed and activated

Adobelm_Cleanup.0001 - NOT an Autostart !!  starts whenever Adobe Photoshop CS2 starts - you may have more than one instance of this start up.  I have four of them stored at:

     C:\Documents and Settings\Ken\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0000

     C:\Documents and Settings\Ken\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0001

     C:\Documents and Settings\Ken\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0002

     C:\Documents and Settings\Ken\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0003

         etc    etc

ATIPTA (ATIPtaxx.exe) - needed if you use ATI "schemes" to switch from PC wityh TV Out to just PC only.  Puts an icon in the system tray to access all of the ATI settings and the Control Panel (right-click, goto Settings/ATI Desktop Settings).  If you do not use TV out then you do not need schemes, and can remove this from your registry HKLM Run folder.  You can then use Windows Display Properties to do the same thing this icon does.

NOTE:  if youuse schemes and want to get to the ATI Control Panel, add this shortcut to Quick Launch:

     "C:\Program Files\ATI Technologies\ATI Control Panel\atiprbxx.exe" /a

AND when you run the Control Panel, it always puts the icon back in the System Tray, so you may as well leave it there and use it to access the Control panel instead of the Quick Launch shortcut !!

AVGAMSVR.exe - small TSR, part of an AVG anti-virus program. anti-virus programs sometimes report other anti-virus programs as viruses or trojans.

AVGupsvc.exe - AVG antivirus update manager - need it to update your antivirus definition files

CSRSS.exe - system process - a Windows system file, but a lot of viruses will also use this name because the WinXP task manager won't let you close it.  However, your antivirus software should catch it if it is a virus and leave the good one.  This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

Guard.exe - this is eWido malware's constant monitoring for malware (spyware, adware, trojans, worms, auto-dialers, and keyloggers)

LSASS.exe - system process - the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server. It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell

RapApp.exe - system process - BlackIce application Firewall - informs you of any modifications to the system, such as changes in your files or folders and detects unknown programs trying to launch.

services.exe - system process - Windows Service Controller used for starting, stopping, and interacting with system services.  CAUTION - the similar named "service.exe" is a trojan

SMSS-exe - system process - Session Manager SubSystem - starts the user session, this is launches the Winlogon and Win32 (Csrss.exe) processes and sets system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

Spoolsv.exe - system process - the spooler service - manages spooled print/fax jobs.

SVCHOST.exe - checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging.

Svchost.exe groups are identified in the following registry key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost

Each value under this key represents a separate Svchost group and appears as a separate instance when you are viewing active processes. Each value is a REG_MULTI_SZ value and contains the services that run under that Svchost group. Each Svchost group can contain one or more service names that are extracted from the following registry key, whose Parameters key contains a ServiceDLL value:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Service

To view the list of services that are running in Svchost:

   Start/Run . . . cmd

   Tasklist /SVC

   (Tasklist displays a list of active processes. The /SVC switch shows active services in each process)

For more information about a process, type the following command:

   Tasklist /FI "PID eq processID" (with the quotation marks)

System Idle Process - the system idle task - it measures how much idle capacity the CPU has at any given time. The process runs in the background and constantly monitors processing bandwidth, occupied memory and the Windows virtual paging file

Winlogon.exe - part of the Windows Login subsystem. Winlogon is necessary for user authorization and checks the Windows XP activation code

 

Needed - In Regedit Run Folder

Adobe Reader Speed Launch (reader_sl.exe) - Optional but keep - it speeds up the opening of PDF files and since there are so many these days, and this is a small TSR that does NOT place an icon in the system tray, why not keep it?

CTsysVol (CTsysVol.exe) - Creative Volume Control in system tray - much faster than the WinXP volume control so keep it !!

AVG7_CT (AVGcc.exe) - AVG antivirus autoprotect

Scan-Registry

Task Monitor

SysTray

Norton Auto-Protect

LoadPowerProfile

Adobe Gamma (Adobe Gammer Loader.exe) - Optional - monitor color calibration - keep it but it really does not do much.  For a better calibration utility, use ColorVision's "Spyder 2"

 

Not Needed - in Regedit "Run" Folders

NOTE:  for tasks that keep coming back - do this:

go to Regedit HKLM Run folder, Double-click the task, put semicolon in front of the string

SunJavaUpdateSched (Jusched) - JAVA - jusched.exe is the scheduler process of Java Update, and jucheck.exe is the process for checking/performing updates in Java Update. These processes run automatically and transparently to users. To shutdown these processes, simply uncheck the "Check for Updates Automatically" checkbox in the Update tab of Java Plug-in Control Panel.  The icon is a JAVA version check, update, and control panel combined - if you right-click and select Properties it brings up the JAVA Control panel, which allows you to delete cached JAVA files.  If you left-click it will let you update your JAVA if needed.

NeroFilterCheck (NeroCheck.exe) - REMOVE - not needed - but will not hurt either - runs integrity checks on the filter drivers for the cdrom.sys driver stack and fix some issues such as missing filter driver binaries which would cause cdrom device to malfunction otherwise.

CTHelper - REMOVE - not needed and can take up a lot of memory - Creative Soundcards add it in.  It is used as an interface by third party vendors to integrate their software with Creative soundcards and drivers. It has been reported to consume 100% CPU time and cause other system problems.

CTstartup - REMOVE - Creative splash screen - pretty and nice short tune, but not needed

UpdReg - REMOVE - not needed - updreg.exe is a process from Creative Technology Ltd. It is used to reminds users to register for their Creative Labs products.

DiskeeperSystray (DKicon.exe) - REMOVE - not needed

Diskeeper (SKservice.exe) - REMOVE - defrags your hartd drive, but you can run Diskeeper on your own.  Start/Run . . . services.msc, double-click "Diskeeper", and select "Manual" instead of Automatice, and then click the "Stop" button

QTtask (Quicktime) - REMOVE BUT has a nasty habit of coming back - so go to Regedit HKLM Run folder, Double-click Quick Time Task put semicolon ( ;  - not a colon) in front of "C:\Program Files\QuickTime\qttask.exe" -atboottime

RemoteControl (PDVDserv.exe) - REMOVE - PDVDServ.exe is a process belonging to PowerDVD which allows a user to plug in a remote control.

SSBKgdupdate (ssbkgdupdate.exe) REMOVE - ScanSoft PDF Converter update nag screen - a process which belongs to the Scansoft Product Updater which provides software updates for Scansoft products

PDF Converter Registry Controller (RegistryController.exe) - save Run folder to Reg file, then REMOVE - I am not 100% sure but I think this is the nag screen to update and/or buy OMNIpage pro - ScanSoft's PDF converter TSR, which no info is available anywhere - try removing, then reboot.  If you can still load PDF's into Word then you are fine - if not you need to import the saved REG file

wscntfy.exe - the little "sheild" in the system tray that opens up info about your Windows SP2 firewall, automatic updates, and virus protestion.  It is part of the Windows Login subsystem. Winlogon is necessary for user authorization and checks the Windows XP activation code.  wscntfy.exe can be disabled by going in to "Services" and disabling Security Center (not recommented) - better yet, just disable the system tray icon as follows:

  1. Control Panel/Security Center  .  .  . 

  2. goto "Chaneg the way the Security Center Alerts me"

  3. clear all 3 checkboxes

IN Clipboard Monitor (clipmon.exe) - save Run folder to Reg file, then REMOVE - - Deerfield's Internet Neighborhood - I am not 100% sure if you can delete this - try removing, then reboot.  If you can still goto FTP sites using Explorer via the Internet Neighborhood, then you are fine - if not you need to import the saved REG file

BGMonitor (NMBGmonitor.exe) and NMIndexStoreSvr.exe - REMOVE - used by Nero Scout which is a useless app included with Nero 7.  the program is a media indexer. It constantly runs in the background, looking for new media files, i.e. MP3s, videos, and photos. When it finds such a file, it adds it to its own internal database. The database is used by other Nero programs, such as Wave Editor, Burning ROM, and PhotoSnap. The only purpose for the database is to give you a more convenient way to access those media files, without having to navigate the folders on your hard drive

After removing the process from RegEdit Run folder, also remove Nero Scout as follows:

   Program Files\Common Files\Ahead\Lib\NeroScoutOptions.exe

   uncheck "Enable Nero Scout"

   Next step is optional by may be necessary - unload the DLL) as follows:

      Start/Run . . . regsvr32 /u "%commonprogramfiles%\Ahead\Lib\MediaLibraryNSE.dll"

HelpSvc (HelpScv.exe) - REMOVE REMOVE REMOVE - a core component of the Windows "Help and support" and cannot be deleted.  Normally it only runs when you are installing a Windows Update or you are reading articles from the Windows Help and Support pages.  Then it shuts down and all is well.  But in some cases, it goes crazy . . . will not close by itself, and consumes your computer CPU !!!  If this restarts itself and takes up a lot of CPU - then see the file in my Help folder on it for the detailed instructions on how to stop it (a long process)

AnyDVD (AnyDVD.exe) - REMOVE - nag screen for updates.  The updates are important but you get the nag anyway when you run AnyDVD

 

Not Needed - and NOT in Regedit Run Folder

ATI2EVXX.exe - two may show up in Task Manager - one assigned to the "User" and one to the "System" - the System entry causes an ATI icon to show up in the system tray - allows the same thing that Display Properties does (change screen resolution, etc)

jucheck.exe - JAVA - jucheck.exe is the process for checking/performing updates in Java Update, and jusched.exe is the scheduler process jucheck of Java UpdateJAVA - . These processes run automatically and transparently to users. To shutdown these processes, simply uncheck the "Check for Updates Automatically" checkbox in the Update tab of Java Plug-in Control Panel.  The icon is a JAVA version check, update, and control panel combined - if you right-click and select Properties it brings up the JAVA Control panel, which allows you to delete cached JAVA files.  If you left-click it will let you update your JAVA if needed.

 

Services

To Stop, Start, or change the defaul way a service is started:

Start/Run . . . services.msc

To list all services currently running in XP:

Start/Run . . . cmd

then in the DOS box, type:  net start

a list will be displayed

To list all Processes:

Use Systernals "Process Explorer" for detailed into on processes

tasklist  (for all processes and their PID's)

tasklist /svc  (for all processes and their ralated Services)

A few services you can "safely" STOP

Themes (and disabled), stopped ATI Hotkey Poller, Fast User switching (Stop and set to Manual), Ghost Start Service (disable), IPsec (Manual), IISadmin (Manual), "MS Software Shadow Copy Provider" (for Backups - disable)

 

Non-essentials Services that you can Stop - but be careful

Alerter Manual  Services.exe Notifies selected users and computers of administrative alerts  Manual  Manual (Office); Disabled (Home)

Wuauserv  Svchost.exe Enables download and installation of critical Windows updates  Automatic Automatic

BITS Svchost.exe Uses idle network bandwidth to transfer data  Automatic Manual 

ClipSrv Clipsrv.exe Enables ClipBook Viewer to store information and share with remote computers Manual  Disabled 

MSDTC Msdtc.exe Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems  Manual Manual (

Office); Disabled (Home)

DNSCache Svchost.exe  Caches Domain Name System (DNS) names for this computer  Automatic Disabled

ERSvc Svchost.exe Displays dialog box that lets you report an application error or system crash to Microsoft  Automatic Disabled

Netman Svchost.exe Controls the network and your ability to connect to the Internet via dial-up Manual Automatic

Spooler  Spoolsv.exe Loads files to memory for later printing  Manual Automatic

SCardDRV Scardsvr.exe Enables support for smart-card readers that do not support Plug and Play  Manual Disabled

  

 

Services Advice from an MVP

Go to Control Panel - Admin tools - Services, and look down at things that are Started (if they are not then they are not using RAM).    You can double click items and set 'startup type' to Manual - if they then start, something needs them.   Ones you can probably have on Manual on a stand alone machine (or probably non-corporate LAN )  are  Background Intelligent transfer (though it is used by Auto Update, manual update works fine without) Routing and remote access Both of which seem BTW implicated in heavy usage of CPU  SSDP Discovery and U PnP provided you don't need it for a UPnP router  Alerter (which is *not* needed for error alerts on the local machine)  

Indexing (unless the use of context in searches is an actual benefit - not likely for the moment at least)  

IMAPI CD Burning (if third party CD burning is implemented or if you do not use a burner anyway )  

Messenger (against the pop-up ads, though of course NetBIOS should be blocked in a firewall, this is better than nothing - and is doing no good in the sort of setups  mentioned)  

QoS RSVP (not that it causes the trouble that street wisdom suggests - but it doesn't do anything positive)  The Secondary logon one could be used if you have a program that was

installed from one account, and you want to run it from another, using 'Run As'.  Judge whether this matters.  

Other things that can safely be set to manual probably are anyway - and things that are not essential are candidates for rolling out to page file.  But one thing - at 128MB I think it highly likely that the page file is not set to be big enough.  It ought to be bigger on a small RAM, not smaller.  So at Control Panel - System - Advanced - in Performance click Settings - Advanced - Virtual Memory and click Change.  Highlight the drive and set the Initial size to 400; Max to 800 (or more) and click Set.  That should give adequate headroom to be going on with  

Alex Nichol MS MVP (Windows Technologies)

Bournemouth, U.K.  A...@mvps.org