3

I have recently been experimenting with the different ways to run things at startup/logon, and I have found something that I don't quite understand.

Autoruns treats entries in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as things that will run at logon.

However, you can go to the Settings GUI, go to Startup apps, and disable them there, but they will not disappear (or get moved) from the registry.

Meanwhile, if you disable them through Autoruns, they simply are moved to a subkey named AutorunsDisabled (and they disappear from the settings startup apps list), so it seems like the registry entries are simply a list of POTENTIAL startup commands, and there should be something somewhere that enables or disables those.

Since I'm trying to learn how these work so I can add or remove them programmatically, what does the Settings GUI do under the hood to let the computer know which entries to run and which entries to ignore?

rovda
  • 128

2 Answers

4

I have traced the execution of Task Manager when enabling and disabling an item from the Startup tab, and have found the following.

Task Manager does this magic by a different mechanism than Autoruns. It changes the values under the following registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

For each application to be run you will find an entry under this registry key whose name is the name of the application, and whose value is one of the following:

  • Entry is enabled: 02 00 00 00 00 00 00 00 00 00 00 00 (hex)
  • Entry is disabled: 63 60 60 60 62 F9 8C 76 C5 3B D9 91 (hex) or 03 00 00 00 d4 0d 43 8d c8 3b d9 01
    This value was different each time that I disabled it.

Task Manager does its magic by modifying the values of the items.

Now that I knew what to search for, I found the article Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run that says:

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

The values below HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run can be used to enable or disable the corresponding values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

A value of 02 00 00 … or 06 00 00 … seems to indicate that the entry is enabled, all(?) other values that it is disabled. (Possibly, in the case of disabledness, the value is the timestamp of the disabling).

These values can be modified in the startup tab of taskmgr.exe.

See also
The corresponding key for all users is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run.

harrymc
  • 498,455
0

From playing around with the SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run settings, it looks like the values can be narrowed down to four different ones:

01 - startup disabled, user with admin rights can enable

02 - startup enabled, user with admin rights can disable

08 - startup enabled, user cannot disable (greyed out)

09 - startup disabled, user cannot enable (greyed out)

It works with just the two digits. 99 works the same as 09, etc. There may be others that do something different, but those four were all I cared about.
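The observations in both answers, combined into a small decoder for auditing which Run entries will actually start; this is an added example, not code from either answer or from Microsoft. It assumes that an odd first byte means "disabled" (a rule inferred only from the values reported on this page) and that bytes 4 to 11 hold a little-endian FILETIME, and the function names and sample entries are made up for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_startup_approved(data: bytes) -> dict:
    """Decode one binary value from the StartupApproved Run key."""
    if not data:
        raise ValueError("empty StartupApproved value")
    state = data[0]
    # Assumption inferred from the values reported on this page
    # (02/06/08 enabled; 01/03/09/99 disabled): odd first byte = disabled.
    enabled = (state & 1) == 0
    when = None
    if len(data) >= 12:
        # Assumption: bytes 4..11 are a little-endian FILETIME
        # (100 ns ticks since 1601-01-01 UTC), zero when never disabled.
        ticks = int.from_bytes(data[4:12], "little")
        if ticks:
            when = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return {"state": state, "enabled": enabled, "disabled_at": when}

def effective_startup(run_values: dict, approved_values: dict) -> dict:
    """Join Run commands with their StartupApproved state, by value name."""
    # Registry value names are case-insensitive, so compare case-folded.
    approved = {k.casefold(): v for k, v in approved_values.items()}
    report = {}
    for name, command in run_values.items():
        raw = approved.get(name.casefold())
        if raw is None:
            # Assumption: no StartupApproved value means the entry still runs.
            info = {"state": None, "enabled": True, "disabled_at": None}
        else:
            info = decode_startup_approved(raw)
        report[name] = {"command": command, **info}
    return report

# Constructed sample data; the byte strings are values quoted in the first answer.
SAMPLE_RUN = {
    "ExampleSync": r'"C:\Example\sync.exe" /background',
    "ExampleUpdater": r"C:\Example\updater.exe",
    "ExampleNew": r"C:\Example\new.exe",
}
SAMPLE_APPROVED = {
    "examplesync": bytes.fromhex("02 00 00 00 00 00 00 00 00 00 00 00"),
    "ExampleUpdater": bytes.fromhex("03 00 00 00 d4 0d 43 8d c8 3b d9 01"),
}

if __name__ == "__main__":
    for name, row in effective_startup(SAMPLE_RUN, SAMPLE_APPROVED).items():
        print(name, "enabled" if row["enabled"] else "disabled", row["disabled_at"])
```

On a Windows host the two dictionaries can be filled from the Run and StartupApproved\Run keys with the standard-library `winreg` module (`winreg.OpenKey` and `winreg.EnumValue`).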