Want to delay startup of program but can't find it in Task Scheduler

Question

I'm trying to delay the startup of a specific program that loads at login. As per an answer in this question, I should be able to do it using Task Scheduler. The problem is, I can't find the program listed anywhere. Is there a particular pane I should be looking in? The program is Razer Synapse so I don't think it would be in the Microsoft or Western Digital folders.

If it's not in Task Scheduler, is there another way I can delay it at startup?

Out of curiosity how many ways are there for a program to be run at Startup in Windows?

Answer 1

I can't find the program listed anywhere.

There are many locations that can be used to run programs on startup. You need to check them all until you find the program you are looking for.

There are a few programs that allow easy checking of the startup locations.

1. msconfig (Startup tab):

   

2. Autoruns from SysInternals:

   

3. WhatInStartup from NirSoft:

   

4. WinPatrol:

   

   Note:

   • WinPatrol allows you to move programs from "Startup Programs" to "Delayed Start"

   • You can specify the delay time if you do this.

     

---

How many ways are there for a program to be run at Startup in Windows?

There are at least 17 locations from where programs can be started:

1. Windows Boot Device Drivers
2. Windows Auto-start Services & Drivers
3. RunServicesOnce
4. RunServices
5. Notify
6. UserInit Key
7. Shell Value
8. RunOnce Local Machine Key
9. Run
10. All Users Startup Folder
11. User Profile Startup Folder
12. RunOnce Current User Key
13. Explorer Run
14. Load Key
15. AppInit_DLLs
16. ShellServiceObjectDelayLoad
17. SharedTaskScheduler

^{Source: Windows Program Automatic Startup Locations}

See the above link for a detailed description of each of those 17 locations.

---

Disclaimer

I am not affiliated with SysInternals, Nirsoft or WinPatrol in any way, I am just an end user of the software.

---

Further Reading

• Windows Program Automatic Startup Locations

Answer 2

If your program isn't available in Task Scheduler, then it could be residing in the Registry or in the startup folder, or running as a background service.

Startup folder's location for all users is as follows:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Startup folder's location for current user is as follows:
C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Startup registry's location for all users is as follows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

Startup registry's location for current user is as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Once you find your program name, you can safely disable it, and make a new task in the Task Scheduler and delay it as you need.

If you are not able to find your program is the above locations, the it could be residing in the services console. Hit start button and type services.msc and get services management console and you'll find your program there.

You can download Autoruns from Microsoft's SysInternal suite and check for yourself a whole bunch of startup programs.

Answer 3

I made a batch file in order to find the location of the vbs malware and get its code source from the stratup folders :

Processes_Services_Tasks_Startup.bat

@echo off
cls & color 9E & Mode 95,5
Title Running Processes - Scheduled Tasks - Services - Startup items by Hackoo 2020
If [%1] NEQ [Admin] Goto RunAsAdmin
echo(
echo(                ===========================================================
echo(                    Please wait a while ... Working is in progress....
echo(                ===========================================================
Set "Filter_Ext=%Temp%\Filter_Ext"
Call :GetFileNameWithDateTime MyDate
Set "Log=%~dpn0_%Computername%_%MyDate%.txt"
Set "Lnk_Target_Path_Log=%~dp0Lnk_Target_Path_Log.txt"
Set "All_Users=%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
Set "Current_User=%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
set "Winlogonkey=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Set StartupFolders="%All_Users%" "%Current_User%"
If Exist "%Log%" Del "%Log%"
Set "VbsFile=%Tmp%%~n0.vbs"
Call :Generate_VBS_File
Powershell ^
  Get-WmiObject Win32_Process ^
| where commandline -NE $null ^
| Select-Object ProcessID,Name,CommandLine ^
| Out-String -Width 450 ^
| Findstr /I /V "Admin" ^
| Findstr /I /V "Get-WmiObject" ^
| Out-File "%Log%" -Encoding  ASCII
Powershell ^
  Get-CimInstance Win32_StartupCommand ^
| Select-Object Name,command,Location,user ^
| Format-List ^
| Out-File -Append "%Log%" -Encoding  ASCII
>"%Lnk_Target_Path_Log%" (
    @For %%A in (%StartupFolders%) Do (
        Call :Execute_VBS_File "%%~A"
    )
)
>> "%Log%" (Type "%Lnk_Target_Path_Log%")
> "%Filter_Ext%" (
    echo .vbs
    echo .vbe
    echo .js
    echo .jse
    echo .hta
    echo .bat
    echo .cmd
    echo .ps1
)
@for /f "delims=" %%a in ('Type "%Lnk_Target_Path_Log%" ^| Findstr /I /G:"%Filter_Ext%"') do (
    @for /f "tokens=2 delims==" %%b in ('echo %%a') do (
        >> "%Log%" 2>&1 (
            echo(
            echo ===================================================================================
            echo( Source code of TargetPath=%%b
            echo ===================================================================================
            Type %%b
        )
    )
)
Del "%Filter_Ext%" /F >nul 2>&1
Del "%Lnk_Target_Path_Log%" >nul 2>&1
SetLocal EnableDelayedExpansion
>> "%Log%" (
    echo(
    echo ****************************************************************************************************
    echo(                                 No Microsoft Scheduled Tasks List
    echo ****************************************************************************************************
    @For /F "tokens=2,9,17,19,20,21,22 delims=," %%a in ('SCHTASKS /Query /NH /FO CSV /V ^|find /I /V "Microsoft" ^|findstr /I /C:"VBS" /C:"EXE"') do (
        Set TaskName=%%~a
        Set TaskPath=%%~b
        Call :Trim_Dequote !TaskName! TaskName
        Call :Trim_Dequote !TaskPath! TaskPath
        echo "!TaskName!"
        echo "!TaskPath!"
        echo %%c;%%d;%%f;%%g
        echo( ---------------------------------------------------------------------------------------------------
    )
)
>> "%Log%" (
    echo(
    echo ****************************************************************************************************
    echo(                                 No Microsoft Services List
    echo ****************************************************************************************************
@for /f "tokens=*" %%a in (
    'WMIC service where "Not PathName like '%%Micro%%' AND Not PathName like '%%Windows%%'" get Name^,DisplayName^,PathName^,Status'
    ) do (
        @for /f "delims=" %%b in ("%%a") do (
            echo %%b
            )
    )
)
>> "%Log%" (
    echo(
    echo ****************************************************************************************************
    Reg Query "%Winlogonkey%" | find /I "userinit"
)
If Exist "%Log%" Start /MAX "Log" "%Log%" & Exit 
::-----------------------------------------------------------------------------------
:Trim_Dequote <Var> <NewVar>
(
    echo    Wscript.echo Trim_Dequote("%~1"^)
    echo    Function Trim_Dequote(S^)
    echo    If Left(S, 1^) = """" And Right(S, 1^) = """" Then Trim_Dequote = Trim(Mid(S, 2, Len(S^) - 2^)^) Else Trim_Dequote = Trim(S^)
    echo    End Function
)>"%VbsFile%"
for /f "delims=" %%a in ('Cscript //nologo "%VbsFile%"') do ( 
    set "%2=%%a" 
)
Del "%VbsFile%" /F >nul 2>&1
exit /b
REM ------------------------------------------------------------------------------
:GetFileNameWithDateTime <FileName>
for /f "skip=1" %%x in ('wmic os get localdatetime') do if not defined MyDate set "MyDate=%%x"
set "%1=%MyDate:~0,4%-%MyDate:~4,2%-%MyDate:~6,2%-%MyDate:~8,2%-%MyDate:~10,2%"
Exit /B
REM -----------------------------------------------------------------------------
:Generate_VBS_File
>"%VbsFile%" ( 
    echo    Option Explicit
    echo    Dim Ws,objStartFolder,objFSO,objFolder,colFiles
    echo    Dim objFile,strFilePath,Lnk,Title
    echo    Title = "Extracting Target Path from .lnk and .url files by Hackoo 2020"
    echo    Set Ws = CreateObject("Wscript.Shell"^)
    echo    If WSH.Arguments.Count = 0 Then MsgBox "Missing Arguments",vbExclamation,Title : Wscript.Quit(1^)
    echo    objStartFolder = WSH.Arguments(0^)
    echo    Set objFSO = CreateObject("Scripting.FileSystemObject"^)
    echo    Set objFolder = objFSO.GetFolder(objStartFolder^)
    echo    Set colFiles = objFolder.Files
    echo    For Each objFile in colFiles
    echo    strFilePath = objFile.Path
    echo      If Ucase(objFSO.GetExtensionName(strFilePath^)^) = "LNK"_
    echo       Or Ucase(objFSO.GetExtensionName(strFilePath^)^) = "URL" Then
    echo          Call ExtractTargetPath(strFilePath^)
    echo      End If
    echo    Next
    echo    '-------------------------------------------------------------
    echo    Sub ExtractTargetPath(Lnk^)
    echo    set Lnk = Ws.Createshortcut(Lnk^)
    echo    WScript.echo "Link="^& DblQuote(Lnk^) ^& vbcrlf ^&_
    echo    "Target="^& DblQuote(Lnk.TargetPath^) ^& vbcrlf ^&_
    echo    String(100,"-"^)
    echo    End Sub
    echo    '-------------------------------------------------------------
    echo    Function DblQuote(Str^)
    echo        DblQuote = Chr(34^) ^& Str ^& Chr(34^)
    echo    End Function
    echo    '-------------------------------------------------------------
)
Exit /B
REM -----------------------------------------------------------------------------
:Execute_VBS_File
cscript //nologo "%VbsFile%" "%~1"
Exit /B
REM -----------------------------------------------------------------------------
:RunAsAdmin
cls & color 9E & Mode 95,5
echo(
echo(               ===========================================================
echo(                    Please wait a while ... Running as Admin ....
echo(               ===========================================================
Powershell start -verb runas '%0' Admin & Exit
REM -----------------------------------------------------------------------------