If you're frustrated with the time it takes your Windows PC to boot and then it seems to be running slowly you may have too many programs running at start-up - and have come to the right place to identify them. This is the original startup programs (as opposed to processes/tasks) list - one of the most comprehensive and most accurate!
"Name or Startup Item" in the table below refers to how an entry is displayed in MSConfig, Windows Defender or the registry "Run" keys. "Command or Data" refers to the program the entry runs. For further information on this and how to identify and disable startup programs please visit the Startup Content page.
For further information on random startup entries please visit the Startup Info page. For the next few months and foreseeable future I'll be verifying many of the Y, U, N & ? entries via virtual machines. If you can verify/identify those entries with a "?" status (especially hardware specific - such as laptops and motherboards) then please E-mail me (address at bottom of the page) or use the new Message Board.
Last update :- 31st August
21939 items listed
"Status" key:
- "Y" - Normally leave to run at start-up
- "N" - Not required or not recommended - typically infrequently used tasks that can be started manually if necessary
- "U" - User's choice - depends whether a user deems it necessary
- "X" - Definitely not required - typically viruses, spyware, adware and "resource hogs"
- "?" - Unknown
Variables:
- %System% - refers to the System folder; by default this is C:\Windows\System (9x/Me), C:\Winnt\System32 (NT/2K), or C:\Windows\System32 (XP/Vista)
- %Windir% - refers to the Windows installation folder; by default this is C:\Windows (9x/Me/XP/Vista) or C:\Winnt (NT/2K)
- %UserProfile% - refers to the current user's profile folder; by default this is C:\Documents and Settings\ (NT/2K/XP) or C:\Users\ (Vista)
- %ProgramFiles% - refers to the Program Files folder; typically the path is C:\Program Files
|
|
| Name or Startup Item | Status | Command or Data | Description | Tested? |
|---|
| winsystem.sys | X | smss.exe | Added by the SOBER.K WORM! Note - this is not the legitimate smss.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %Windir%\msagent\win32 and note the space at the beginning of the "Startup Item" field | No |
| µTorrent | N | uTorrent.exe | µTorrent - file sharing client for Windows sporting a very small footprint from BitTorrent, Inc. Designed to use as little cpu, memory and space as possible while offering all the functionality expected from advanced clients. For more information about the protocol see here. As µTorrent is a peer-to-peer (P2P) file-sharing client used to distribute large amounts of data between multiple users make sure you have good, up-to-date virus protection and check any downloads | Yes |
| ϵͳע�ï½ï¿½ï¿½ | X | zhuruqi.exe | Added by the QHOST.V TROJAN! | No |
| 'AdwarePro' | X | 'AdwarePro'.exe | AdWarePro rogue security software - not recommended | No |
| @ | X | RUNDLL.EXE | Added by the SPYBOT-DN WORM! Note - this is NOT the Win9x/Me system file of the same name as described here | No |
| @ | X | sysload.exe | Added by the DELF-EL TROJAN! | No |
| \IEService.exe | X | IEService.exe | FastFind adware variant | No |
| \Pribi.exe | X | Pribi.exe | FastFind adware variant | No |
| \SysInit | X | svchost.exe | Added by the STARTPA-BD TROJAN! Note - this is not the legitimate svchost.exe process which is always located in %System% and should not normally figure in Msconfig/Startup! This one is located in %ProgramFiles%\Common Files | No |
| \tools.exe | X | tools.exe | FastFind adware variant | No |
| 'Ashampoo AntiSpyWare 2 Guard' | Y | AntiSpyWare2Guard.exe | Part of Ashampoo® AntiSpyWare 2 from Ashampoo GmbH & Co. KG. This part is the realtime monitor that looks for changes on the users system such as BHO, Winsock LSPs, Windows Hosts file, Autostart entries, etc | Yes |
| (*)API Machine | X | winSOCKS.exe | Homepage hijacker, see here (* = any digit) | No |
| (*)Run | X | win32API.exe | Homepage hijacker, see here (* = any digit) | No |
| (Default) | X | media_driver.exe | Added by the TUPEG VIRUS! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | Shania.vbs | Added by the SHANIA BACKDOOR! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | NOTEPAD.exe | Added by the RUSTY WORM! Note - not to be confused with the valid Windows "NOTEPAD" text editor! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | [random filename].exe | Added by the BLACKMAL WORM! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run and HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | twunk_32.exe | Added by the BLACKMAL.C WORM! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | winhelp.exe | Added by the BLACKMAL.C WORM! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | spolsvr2.exe | Added by the EVILSOCK.10 TROJAN! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | winbas12.exe | Adware, CoolWebSearch parasite related - detected by Kaspersky as the VB.DU TROJAN! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | Systrsy.exe | Added by the CDTRAY TROJAN! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | llsass.exe | Added by the PROXY-GG TROJAN! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | syspol.exe | Added by the DREMN-B TROJAN! Note - this malware actually changes the value data of the "(Default)" key in HKCU\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (default) | X | winlog.exe | Added by the RBOT-CVY WORM! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run and HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (default) | X | rundll32.exe [path to DLL file],Do98Work | Added by the HESIVE.B TROJAN! Note that rundll32.exe is a legitimate Microsoft file used to launch DLL file types and shouldn't be deleted. Note - this malware actually changes the value data of the "(Default)" key in HKCU\Run, HKLM\Run and HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | winligom.exe | Added by the RBOT-GAI WORM! Note - this malware actually changes the value data of the "(Default)" key in HKCU\Run, HKLM\Run and HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | 5640.exe | Added by the DOWNLD-ABF TROJAN! Note - this malware actually changes the value data of the "(Default)" key in HKCU\Run, HKLM\Run and HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | QQUpdate.exe | Added by the QUADRULE.A WORM! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | Mcafee.exe | Added by the AGENT.AY TROJAN! Note - this is not a valid McAfee program and is located in %System%. This malware actually changes the value data of the "(Default)" key in HKCU\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | fada.exe | Added by the VB.HEI TROJAN! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run, HKLM\RunServices and HKCU\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | Default.exe | Added by the AUTORUN.BUK WORM! Note - this malware actually changes the value data of the "(Default)" key in HKLM\RunOnce & HKCU\RunOnce in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | KEYBOARD.exe | Added by the AUTORUN.BUK WORM! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | msarti.com | Added by the SILLYFDC.CJ WORM! Note - this malware actually changes the value data of the "(Default)" key in HKLM\..\Policies\Explorer\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | msnupdate.exe | Added by the RBOT-GWT BACKDOOR! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run & HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | xtreme.exe | Added by the DROPR-CZ TROJAN! Note - this malware actually changes the value data of the "(Default)" key in HKLM\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (default) | X | WINLOGON.EXE | Added by the DELF-LP TROJAN! Note - this malware actually changes the value data of the "(default)" key in HKCU\Policies\Explorer\Run in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (Default) | X | diagcfg.exe | Added by the GWGIRL BACKDOOR! Note - this malware actually changes the value data of the "(Default)" key in HKLM\RunServices in order to force Windows to launch it at boot. The name field in MSConfig may be blank | No |
| (L4r1$$4) (4nt1) (V1ruz) | X | SP00Lsv32.pif | Added by the ASSIRAL.B WORM! | No |
| *Bandook | X | msdll.exe | Added by an unidentified TROJAN - see here | No |
| *Intelli Mouse Pro Version 2.0B* | X | ncsjapi32.exe | Added by the BUZUS-O WORM! | No |
| *JanisRuckenbrodII | X | janis.com | Added by the POPS WORM! | No |
| *loadfax | X | loadfax.exe | Added by the WINFLUX-C BACKDOOR! | No |
| *Microsoft Update | X | ctxma.exe | Added by the STMU TROJAN! | No |
| *Microsoft Update | X | cxma.exe | Added by the STMU TROJAN! | No |
| *Microsoft Update | X | wstcl.exe | Added by the STMU TROJAN! | No |
| *Microsoft Update | X | wucxt.exe | Added by the STMU TROJAN! | No |
| *Microsoft Update | X | wuytc.exe | Added by the STMU TROJAN! | No |
| *MS Setup | X | [random filename] | Virtumondo adware, also known as the VUNDO TROJAN! | No |
| *MSConfig32 | X | aecache.exe | Detected by F-Secure as the OBFUSCATED.GP TROJAN! | No |
|
The following files are available for people developing mirrors of the site and using the information presented here:
Startup XML File - Startup INI File - Startup HTML File
For IE users, right-click on the link and select "Save Target As..." - note that for the INI and HTML files the suggested filename will be "startuplist.htm" and you'll have to rename them "startuplist.ini" and "startuplist.html" respectively.
For Firefox users, I recommend downloading the zipped versions from here. Otherwise, you'll have to open the file and save it - which can take a long time due to the size.
NOTE: These downloads are password protected and free to anyone producing a mirror or free utility. If you produce a commercial/shareware utility please contact me to discuss options. If you don't fall into any of these categories and want to download any of these files you will need to either make a donation of $15/year or more via PayPal (or E-mail me) and you will be provided with the login details which will change at the beginning of each year. The donation will go towards researching new and existing entries for the database and creating these files. Since making these files available for download they've been available free of charge and downloaded thousands of times. I believe they are unique as to my knowledge, no similar site offers such a resource as the lists they offer are on-line only.
DISCLAIMER: It is assumed that users are familiar with the operating system they are using and comfortable with making the suggested changes. I will not be held responsible if changes you make cause a system failure.
NOTE: This is NOT a database of tasks/processes taken from Task Manager or the Close Program window (CTRL+ALT+DEL) but a database of startup applications, although you will find some of them listed via this method. Pressing CTRL+ALT+DEL identifies programs that are currently running - not necessarily at startup. For a list of tasks/processes you should try the Process Library from Uniblue, the list at PC Pitstop or one of the many others now available. Therefore, before ending a task/process via CTRL+ALT+DEL just because it has an "X" recommendation, please check whether it's in MSConfig or the registry first. An example would be "svchost.exe" - which doesn't appear in either under normal conditions but does via CTRL+ALT+DEL. If in doubt, don't do anything.
To avoid the database becoming too large, all virus entries are only shown using the registry version which is common to all Windows versions. Otherwise there would be multiple entries for popular filenames that viruses often use - such as "svchost" above for example. Multiple viruses can also use the same startup entries, in this case only those with significant differences (such as file location) are repeated in this database.
NOTE : There are a number of virus and malware entried listed in this database where specific removal instructions haven't been given. If this is the case then you could try SDFix, a program written by AndyManchesta that can remove many different types of Trojans and Worms. See here for a tutorial on how to use the program and here for the latest ReadMe file detailing the fixes included.
IMPORTANT: A number of entries are repeated due to the way that different operating systems display startup items. For example, WinMe lists "POPROXY.EXE" as "Norton eMail Protect" in both MSCONFIG and the registry whereas WinXP lists it as "Poproxy" in MSCONFIG and "Norton eMail Protect" in the registry.
RECOMMENDATIONS:
If you're looking for a startup manager then why not try WinPatrol (by BillP Studios) or Advanced SystemCare Free (by IObit) - both include the option to search this database for a particular entry. Alternatively try Spybot - Search & Destroy (by Safer Networking Ltd) as the startup programs section (select the Advanced mode) includes descriptions from this database. You might also want to try their RunAlyzer and FileAlyzer tools.
There are an ever increasing number of rogue applications appearing these days and many of the removal guides referenced in this database use MalwareBytes Anti-Malware (which now incorporates the now discontinued RogueRemover).
As there are more than 10,000 entries in this database related to viruses, trojans, worms and other malware I recommend you use a quality internet security package. Which ever you choose, keep it updated.
Presentation, format & comments Copyright © 2001 - 2010 Paul Collins
Portions Copyright © Peter Forrest, Denny Denham, Sylvain Prevost, Tony Klein, CastleCops & Bleeping Computer
Database creation and support by Patrick Kolla
Software support by John Mayer
All rights reserved