Wednesday, October 7, 2009

Autoruns for Windows v9.55 Published: October 1, 2009


This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.

Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system and it has support for looking at the auto-starting images configured for other accounts configured on a system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.

You'll probably be surprised at how many executables are launched automatically!




See the November 2004 issue of Windows IT Pro Magazine for Mark's article that covers advanced usage of Autoruns . If you have questions or problems, visit the Sysinternals Autoruns Forum.

Simply run Autoruns and it shows you the currently configured auto-start applications as well as the full list of Registry and file system locations available for auto-start configuration. Autostart locations displayed by Autoruns include logon entries, Explorer add-ons, Internet Explorer add-ons including Browser Helper Objects (BHOs), Appinit DLLs, image hijacks, boot execute images, Winlogon notification DLLs, Windows Services and Winsock Layered Service Providers. Switch tabs to view autostarts from different categories.

To view the properties of an executable configured to run automatically, select it and use the Properties menu item or toolbar button. If Process Explorer is running and there is an active process executing the selected executable then the Process Explorer menu item in the Entry menu will open the process properties dialog box for the process executing the selected image.

Navigate to the Registry or file system location displayed or the configuration of an auto-start item by selecting the item and using the Jump menu item or toolbar button.

To disable an auto-start entry uncheck its check box. To delete an auto-start configuration entry use the Delete menu item or toolbar button.

Select entries in the User menu to view auto-starting images for different user accounts.

More information on display options and additional information is available in the on-line help.

Autorunsc Usage

Autorunsc is the command-line version of Autoruns. Its usage syntax is:

Usage: autorunsc [-a] | [-c] [-b] [-d] [-e] [-g] [-h] [-i] [-l] [-m] [-n] [-p] [-r] [-s] [-v] [-w] [-x] [user]

-a Show all entries.
-b Boot execute.
-c Print output as CSV.
-d Appinit DLLs.
-e Explorer addons.
-g Sidebar gadgets (Vista and higher).
-h Image hijacks.
-i Internet Explorer addons.
-l Logon startups (this is the default).
-m Hide signed Microsoft entries.
-n Winsock protocol and network providers.
-p Printer monitor drivers.
-r LSA providers.
-s Autostart services and non-disabled drivers.
-t Scheduled tasks.
-v Verify digital signatures.
-w Winlogon entries.
-x Print output as XML.
user Specifies the name of the user account for which autorun items will be shown.

Download Autoruns and Autorunsc
(576 KB)

Run Autoruns now from

Syser Kernel Debugger & Syser Win32 Debugger

Syser Debugger

Syser Kernel Debugger is designed for Windows NT Family based on X86 platform. It is a kernel debugger with full-graphical interfaces and supports assembly debugging and source code debugging.
Softice is left. Syser will continue.

1. Supports multi-CPU and Intel Hyper-Threaded processors
2. Supports Microsoft Windows 2000, Windows xp,Windows 2003 or Windows Vista operation system
3. Supports VMWare and Virtual PC
4. Source code debugging supports syntax coloring.
5. Supports color disassembly
6. Commands are Softice-compatible

Syser Kernel Debugger

(full-graphical SoftIce)

Trace windows driver

with source code

Syser Kernel Debugger

In VMWare 5.5

Syser Kernel Debugger

In Virtual 2007

Process Explorer VS Process Hacker

Process Hacker Functions

1) Process Dump
2) DLL Inject / Unload
3) Driver Load / Unload
4) Scan PEid….
5) Full Memory Dump
6) Hidden Process View
7) Memory View / Editor

Process Hacker Download :


Process Hacker can terminate, suspend, resume, restart and set the priority of processes. Processes are highlighted to provide additional information such as whether they are elevated or in a job. More interesting things you can do with processes includes injecting DLLs and even replacing security tokens (XP only).
Processes Threads


It can also terminate, suspend, resume and set the priority of threads. Symbolic start addresses are provided, and double-clicking a thread will show its call stack. Additionally, GUI threads (threads which have made at least one call to a GUI function) are highlighted.


It can display the modules loaded by each process and their properties. It can also find the address of any exported function in a module, change page protection of the module's memory region, and read the module's memory.


Token It can display each process' primary token and its user, source, groups and privileges. It even allows you to enable and disable privileges.


It can display (using VirtualQueryEx()) the memory regions in a process' virtual memory space, and even read/write data using a built-in hex editor.
Memory Memory Editor


It can display the handles opened by processes and can close them.


Process Hacker also supports saving memory search results and even intersecting (finding common items between) two sets of search results!
Memory Search Search Results