I have been asked to post a detailed article of the material we covered at our meeting this month on how to determine what programs automatically start up and run when we boot up our computers. And, if you were not at the meeting, you might first ask, “Why should I care?” I can offer at least two reasons.

First, programs that load and run in the background when booting a computer use system resources. This is less of a problem with Windows 2000 and XP operating systems but can be a real problem for those of us with older operating systems. (Right click on your My Computer desktop icon, click on Properties, then the Performance tab. Note what percent of your system resources are free. It is desirable to have approximately 90% free immediately after startup and over 60% at all other times when operating your computer.) The second reason is to provide a look-see as to whether or not your computer may have a Trojan Horse malware program installed (or, less sinister, just to become better acquainted with just what’s going on within your computer).

I noted 7 (yes, seven!) places that need to be checked to ensure you have a complete list of all programs that load and run when you start your computer. You probably could winnow this list down a bit, but I look in all seven places to ensure I have them all.

The first place I look is in my StartUp folder in my Windows Explorer program. Launch Windows Explorer (right click on the Start button in the bottom left hand corner of your computer and click on Explore). In the left frame, find the folder C:\Windows\Start Menu\Programs\StartUp. (It may have a different path in your computer; if so, click on the Tools menu at the top of your computer screen, click on Find\Files or Folders… and type StartUp in the “Named:” box and C:\ in the “Look In:” box. Then click Find Now.) Make a note of any files listed in your StartUp folder.
These are usually shortcuts to computer programs you installed two or more years ago, as more recent programs are more sophisticated and install themselves in ways that make them more difficult to find.

You may get tired of writing down all the programs that are listed here and in the next six places I discuss. Rather than writing down the file names, you can copy the names of the programs as you see them on your computer screen. First maximize the window so that it fills up the entire screen, then press the “Print Screen” key on your keyboard (this copies the image shown on your computer screen to your clipboard), open your word processing program (Microsoft Word, Word Perfect or whatever you use) and click on the Paste icon. Your screen image appears as a graphic in your Word document. To resize the image, click on it, grab one of the corners with your cursor, and pull the corner out, making a larger image.

The second place I look is found when you depress the Control, Alt, and Delete keys simultaneously. Again, make a note of the programs that you see listed and click on the Cancel button.

The third place is found by clicking on Start\Run…, typing msconfig in the white box, and clicking OK. In the System Configuration window that is opened, click on the Startup tab. Note all the programs that have been “checked” in the left column. These are all programs that run when you start your computer.

Yet a more complete list can be found in your System Information program window. Click on your Start button, then Programs\Accessories\System Tools\System Information. Then click on the “+” sign to the left of Software Environment. First click on Startup Programs, then click on Running Tasks. Again, make note of all programs that are listed in the right frame of each of these headings (Startup Programs and Running Tasks).

In the next two places discussed we are looking for programs that very likely will be Trojan Horses.
These two places are referred to as Win.ini and System.ini (or sys.ini). Before looking into the innards of these two files we are first going to check the attributes assigned to them.

Launch your Windows Explorer program again. In the left pane go down to and click C:\Windows. In your right frame scroll down until you see System.ini. If you do not see any files listed, or if the files do not have file extensions, you will need to make some changes in the way you “view” this page and in your Folder Options. (I am not covering how to do this in this article.) Place your cursor over the file name System.ini (or click on it if you do not have your program set to view as a Web Page). The attribute should be shown on the left side of this frame. If not, right click on the file name, click Properties and note which box is checked under Attributes.

What you want to see is the word Normal or the word Archive. You do not want to see an attribute stating Read Only. If the attribute is Read Only, call me or get help you can depend on. If the attribute is Read Only, some program has written to this ini file and has changed the attribute to Read Only to ensure that another program does not change it. There is a strong possibility the program making the ini file Read Only is a Trojan Horse. Now repeat this exercise for the file Win.ini.

Now we are ready to look at the innards of these two files. Click on the Start button, then Run… and type sysedit in the box, then click OK. This will launch your System Configuration Editor. You will see a number of windows cascading on your screen.

We’ll work first with the Win.ini file. Click somewhere on the Win.ini file. This will bring the Win.ini file to the front. Maximize the window for ease in viewing/working with this file. We are interested in two line items under the heading [Windows]. They are Load= and Run=.
First drag the horizontal scroll bar at the bottom of the window all the way to the right and check to ensure there is nothing written on these two lines that is not initially visible. Record anything written on either of these two lines. For most computer users there will be nothing written on either of these two lines (and that is good). However, if there is something listed, make note of the name; you will need to check to determine what this program is, what it does, and whether or not it is needed (see below).

For example: Run=hpfsched refers to a program that loads a Hewlett Packard program for cleaning its printer cartridge; Run=%Window%\CapsideRed.pif is instructing your program to go to C:\Windows\ and load the program CapsideRed.pif, which is the CASPID worm that spreads through file-sharing networks such as KaZaA. You may see Load=asistat.exe, which is a program required by an NEC printer; however, Load=C:\Windows\System32.exe is the Marijuana virus.

Now click anywhere on the file System.ini (you may have to close the Win.ini window). This will bring the System.ini file to the front. Follow the same instructions provided above for Win.ini, only this time for the line item Shell= under the heading [boot] (scrolling all the way to the right to ensure there are no instructions written off the screen). In general there will be a line item Shell=Explorer.exe. This is a Microsoft operating system program and is okay. Shell=%Windows\Capside.exe will load the CASPID worm mentioned above. Shell=Explore.exe, which looks very much like Microsoft’s program, is also a virus. Shell=%path%\Explorer.exe, where “path” is a folder other than C:\Windows, will also be a virus. If you want to know more about Trojan Horses go to http://www.google.com/ and search for Trojan Horse.

I mentioned seven places to look. The seventh place is in your Registry. With good reason Microsoft and others warn against tooling around in this program.
However, having been forewarned, there are a handful of places one can look through for the names of additional programs that may launch when starting your computer. To enter your Registry click on the Start button, Run…, and type regedit in the box. Before doing anything else, back up your Registry files. In the Registry Editor window, click on the Registry menu button. Click on Export Registry File…, provide your backup with a file name and save it in a folder that you will remember.

There are six folders in the Registry that contain information relating to programs that are launched at start up. They are:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

In the left frame click on each of these six folder names, one at a time (Run, Runonce, Run, RunOnce, RunServices, and RunServicesOnce), and record the filenames listed in the right frame.

That’s it. At this point you have a list of all the files and their locations (path) on your hard drive. Now how do you separate the bad, the good, and the ugly? To do this you can go to http://www.google.com/ and search for List of Computer Startup Programs. Two sites that are my favorites are: http://www.pacs-portal.co.uk/startup_content.php and http://www.answersthatwork.com (click on Task List). I find the list provided at answersthatwork.com to be in greater and more useful detail, but you have to work with the list online.
This site also has many other interesting links to issues such as software questions, hardware problems, configuration advice, networking issues, general computer advice, drivers, boot disks, software downloads, recommendations, and a library of answers. At the Pacman site (pacs-portal) you can download the most current complete list in a compressed (zip) file or in individual uncompressed pages for use offline on your own computer. The detail and information provided is not as complete. I use both. I zero in on programs that I want more detail on using the Pacman list offline and then go to answersthatwork.com with my condensed list for additional detail.

Now as to how to get rid of programs that you have determined you don’t want loaded when starting your computer: first determine whether you want to delete the program or only to stop it from loading at startup. Unless you have a good handle on this I am inclined to suggest you get help from someone who does. If you only want to stop the program from loading at computer startup you will be looking at deleting only shortcuts and startup instructions – not deleting the programs themselves. If you want to delete a program you should first check to see if that program has an uninstall routine (the best way is to click the Start button, Settings, Control Panel, Add/Remove Programs, see if the program is listed and follow the uninstall instructions; the next best way is to have a program like McAfee’s Uninstaller). If you find you have a Trojan Horse installed, get help in removing it. If you are not sure, get help. In any event, back up your computer data.

Hope this helps and may all your computer experiences be pleasant.

Dick Curry
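An added example, not part of the original article: the Win.ini and System.ini check described above, done by a short Python script instead of by eye in sysedit. The function names and the sample file contents are constructed for illustration; it reports every non-empty Load= or Run= entry and any Shell= value that is not exactly Explorer.exe, bare or in C:\Windows.

```python
import ntpath

# The three settings the article inspects: (file, section, key), lower-cased.
WATCHED = {("win.ini", "windows", "load"), ("win.ini", "windows", "run"),
           ("system.ini", "boot", "shell")}

def autostart_entries(filename, text):
    """Return [(key, value)] for watched keys in this file that are not empty."""
    found, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and not line.startswith(";"):   # ';' starts a comment
            key, value = (part.strip() for part in line.split("=", 1))
            if value and (filename.lower(), section, key.lower()) in WATCHED:
                found.append((key.lower(), value))
    return found

def shell_is_expected(value, windows_dir=r"C:\Windows"):
    """True only for Explorer.exe, bare or in the Windows folder, nothing else."""
    folder, name = ntpath.split(value.strip())
    if name.lower() != "explorer.exe":
        return False          # e.g. the look-alike name Explore.exe
    return folder == "" or ntpath.normcase(folder) == ntpath.normcase(windows_dir)

def audit(files):
    """files maps file name -> contents. Return [(file, key, value, note)]."""
    rows = []
    for name, text in files.items():
        for key, value in autostart_entries(name, text):
            if key == "shell":
                note = "ok" if shell_is_expected(value) else "CHECK: unexpected shell"
            else:                     # Load= and Run= are normally empty
                note = "CHECK: look this program up"
            rows.append((name, key, value, note))
    return rows

# Constructed sample files, using entries quoted in the article.
SAMPLE = {
    "win.ini": "[windows]\nload=\nRun=hpfsched\n\n[Desktop]\nWallpaper=(None)\n",
    "system.ini": "[boot]\nshell=Explore.exe\n\n[386Enh]\ndevice=*vshare\n",
}

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-10s %-5s %-20s %s" % row)
```

A "CHECK" on a Load= or Run= entry only means the name still has to be looked up in one of the startup-program lists; hpfsched, for instance, is the printer utility mentioned in the article.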
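An added example, not part of the original article: listing what the six Registry startup keys named above contain, read from the text file that Export Registry File… produces rather than from the live Registry. The function names and the sample export are constructed for illustration, and only plain string values are read.

```python
import re

# The six startup keys listed in the article.
STARTUP_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce",
]
WATCHED = {key.lower() for key in STARTUP_KEYS}   # key names are not case-sensitive
# A string value line:  "Name"="command"   or   @="command"  (the default value)
STRING_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # Export files write a backslash as two backslashes and a quote as \" .
    return re.sub(r"\\(.)", r"\1", text)

def startup_values(export_text):
    """Return [(key, value name, command)] found under the six startup keys."""
    rows, key = [], None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember which key the next lines belong to
            continue
        match = STRING_VALUE.match(line)
        if match and key and key.lower() in WATCHED:
            name = match.group(1)
            name = "(Default)" if name == "@" else unescape(name[1:-1])
            rows.append((key, name, unescape(match.group(2))))
    return rows

# Constructed sample export; the program names are made up.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="extray.exe"
"PrinterHelper"="c:\\windows\\prnhelp.exe /start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"NotStartup"="ignored.exe"
'''

if __name__ == "__main__":
    for key, name, command in startup_values(SAMPLE_EXPORT):
        print(key.rsplit("\\", 1)[-1], "|", name, "|", command)
```

Exports made on Windows 2000 and XP are saved as Unicode (UTF-16), so open the file with that encoding before passing its text to startup_values.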