Home » Windows »StartUp Programs

Remix to Ignition

So you've got a pesky program which just seems to keep running itself, every time you start Windows. How does that happen?

There's several different ways to get a program to run, each with pros and cons. Here, we'll take a look at each of them in turn.

The Registry Run Keys

Nowadays, the generally accepted way of doing this is to place a key in the registry. Often, the little icons you see next to the clock in your system tray are being loaded because of a key in the registry.

System Tray showing tooltip for Copernic Search

Here, we can see that Copernic Desktop Search has an icon in the system tray. This is being loaded each time because of a key in the registry.


The key lives in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. All it is, is a simple string value, which specifies programs to be run every time I log on to Windows. Note that I said it happens whenever I log on to Windows. This key by itself has no effect on anyone else who might use the computer.

If a program is supposed to run every time anyone logs on to Windows, you need to very slightly alter where the key goes. Instead of living under the HKCU (HKEY_CURRENT_USER) hive, it lives under HKLM (HKEY_LOCAL_MACHINE).


Here we can see that one of these other icons is for Daemon Tools.

One thing to note about using HKLM instead of HKCU is that not everyone can put data in it. Ordinarily, standard users only get read-only permissions to the key. You have to be an administrator or a power user in order to create or modify data in this bit of the registry.

In these registry keys, you can specify any program you like. You can create a key to make Microsoft Word run every time you, or indeed anyone logs on to the workstation.

Which key a program uses will depend upon many things. Put a key in HKLM if you want every user to run the program, and HKCU if it's just you. Beware of using HKCU if you think people with roaming profiles will want to use the program, but may not have it installed on every machine. Be on the lookout for keys with suspicious names in these keys. If you find a key called 'HDJSKQQZ', running a program called 'dskios33.exe', and neither of those terms means anything to you, search your hard drive for the program and see what comes up. Spyware can tend to hide in these keys.

The Startup Group

Ideally, if you wanted to run Word every time you logged in, you'd just place a shortcut in the startup group. The startup group can be seen in your start menu.

Start Menu Startup

There's nothing in here, but if I right-click on the bit which says 'startup', I'll get given a context menu with the choices - Explore and Explore All Users. This is because much like the registry keys, the startup group is split into two places - one which is specific to the individual user, and one which is applicable to all users. This was far more obvious in Windows NT 4, as two separate folders called 'StartUp' appeared on the Start Menu. In Windows XP, there's just one folder which shows the contents of both of the 'real' folders.

Again, ordinary users can't write to the startup group for all users, you need to be a Power User or an Administrator.

The StartUp folder for the specific user will live in c:\Documents and Settings\USERNAME\Start Menu\Programs\Startup - or if you're inclined towards environment variables - in %USERPROFILE%\Start Menu\Programs\Startup.

The folder for all users lives in c:\Documents and Settings\All Users\Start Menu\Programs\Startup - or %ALLUSERSPROFILE%\Start Menu\Programs\Startup.

Use the environment variable rather than the full specified path. You never know - profiles can be moved to other partitions. Even if Windows is installed on the C: drive, it's no guarantee that the profile (including the user's start menu) is on that drive too.

If you're looking for spyware, the StartUp group is probably the wrong place. It's too obvious and easy to find. Spyware authors like to hide away what's happening, and tend to use other methods of getting their programs to run.

System Services

System Services are slightly different to normal programs, but I have seen at least one piece of malware disguising itself as the 'Network Security Service'.

Cisco Systems, Inc VPN Service Properties

The above is a legitimate service, which is always running in the background. You can change the startup type of a service to Automatic, Manual or Disabled. Automatic means that Windows will decide when to start the service, manual means that you decide, and disabled means that the service just doesn't run at all. If you find a suspicious service, you can set the startup type to disabled. But make sure you stop the service too. Setting the startup type to disabled will merely prevet the service from running in future. You can also start and stop services from the command line, using the net start and net stop commands.

net stop apache

There's an example of me restarting the apache service, which could be done more efficiently using the command net stop apache & net start apache, but I digress...


Harking back to Windows 3.x, there was a file called WIN.INI. It's still there in Windows XP, and you can add a line to it, to make a program run whenever Windows is started. This will apply to all users of the computer, not just a specific user. Win.INI lives in your Windows folder, and you can open it with notepad - or you can just run a program called Sysedit, which is still here in Windows XP.

You shouldn't really find anything running from Win.INI since the days of Windows 9x, but you never know what might be hiding in there.

To get a program to run, you'll need to add a line beginning with 'RUN='. You can then add the programs you want to run, delimiting them with a semi-colon.

You can achieve the same thing using a line beginning with 'LOAD=' instead of RUN.

Again, either an Administrator or a Power User can make changes, which makes it difficult for spyware to hide out here - with the possible exception of var users - where it seems every account is set up to be an administrator.

Browser Helper Objects (BHOs)

Think of BHOs as being mini-programs, written to integrate with Internet Explorer. These things can be the bane of many a support team's existence. They get installed by end users, wowed by the promise of extra Internet features, quick access to search results and the chance to have adverts popping up every five minutes. Well, maybe not the last one.

Google Toolbar is an example of a Browser Helper Object, and it's a very popular one, as it features quick access to everyone's favourite search engine, as well as translation tools, a popup blocker and the PageRank™ icon.

Other BHOs aren't really 'helpers' - more 'hinderers', spewing up popup adverts or spying on your surfing habits.

Most BHOs limit themselves to Internet Explorer, but some also run in Windows Explorer. Quite why you'd want an Internet search toolbar to be displayed whilst you're looking at 'My Documents' is beyond me.

BHOs can be seen in your registry in HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects. In here, you'll see the Class IDs for some of them, which look something like {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}. If you search the HKEY_CLASSES_ROOT hive, you'll find that same ClassID in there. In this case, it's called AcroIEHelper - or rather the 'Adobe PDF Reader Link Helper'.

Rather than go hacking through your registry to find out which BHOs do what, you can get a handy utility called BHO Demon. It isn't supported any longer, but it will still help you in identifying and removing BHOs.