2

I have recently been experimenting with the different ways to run things at startup/logon, and I have found something that I don't quite understand.

Autoruns treats entries in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as things that will run at logon.

However, you can go to the Settings GUI, go to Startup apps, and disable them there, but they will not disappear (or get moved) from the registry.

Meanwhile, if you disable them through Autoruns, they simply are moved to a subkey named AutorunsDisabled (and they disappear from the settings startup apps list), so it seems like the registry entries are simply a list of POTENTIAL startup commands, and there should be something somewhere that enables or disables those.

Since I'm trying to learn how these work so I can add or remove them programmatically, what does the Settings GUI do under the hood to let the computer know which entries to run and which entries to ignore?

rovda
  • There is also one under LOCAL MACHINE (for all users). I think there are also legacy locations, because I routinely have trouble doing the same. – Rohit Gupta Feb 04 '23 at 14:27
  • FYI Autoruns is a [sysinternals](https://en.wikipedia.org/wiki/Sysinternals) tool, which is currently owned by Microsoft, it wasn't always. So basically they had a different way of doing things than Microsoft – gregg Feb 13 '23 at 14:26

2 Answers

2

I have traced the execution of Task Manager when enabling and disabling an item from the Startup tab, and have found the following.

Task Manager does this magic by another mechanism than Autoruns. It changes the values under the following registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

For each application to be run you will find an entry under this registry key whose name is the name of the application, and whose value is one of the following:

  • Entry is enabled : 02 00 00 00 00 00 00 00 00 00 00 00 (hex)
  • Entry is disabled : 63 60 60 60 62 F9 8C 76 C5 3B D9 91 (hex) or 03 00 00 00 d4 0d 43 8d c8 3b d9 01
    This value was different each time that I disabled it.

Task Manager does its magic by modifying the values of the items.

Now that I knew what to search for, I found the article Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run that says:

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

The values below HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run can be used to enable or disable the corresponding values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

A value of 02 00 00 … or 06 00 00 … seems to indicate that the entry is enabled, all(?) other values that it is disabled. (Possibly, in the case of disabledness, the value is the timestamp of the disabling).

These values can be modified in the startup tab of taskmgr.exe.

See also
The corresponding key for all users is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run.

harrymc
  • I'll add that there can be `Run`,`Run32`, and `StartupFolder` under the `StartupApproved` key, which match up to the default `Run` key, the `WOW6432Node` key, and the `\Start Menu\Programs\Startup` folder – Cpt.Whale Feb 08 '23 at 14:38
  • Any idea what all the other bytes are used for in those flags? – RockPaperLz- Mask it or Casket Feb 14 '23 at 16:44
  • @RockPaperLz-MaskitorCasket: My guess is the same as that of the author above, that the disabled bytes are some kind of a timestamp, because they are different every time. – harrymc Feb 14 '23 at 16:47
  • Yes, I wish Microsoft documented these things (it would be so simple), used existing standards, or at least was consistent with their implementation. But then again, it's Microsoft... (I think their corporate slogan should be ***"Setting the bar low since 1989"***, which is when things **noticeably** went downhill there.) – RockPaperLz- Mask it or Casket Feb 14 '23 at 16:53
0

From playing around with the SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run settings, it looks like the values can be narrowed down to four different ones:

01 - startup disabled, user with admin rights can enable

02 - startup enabled, user with admin rights can disable

08 - startup enabled, user cannot disable (greyed out)

09 - startup disabled, user cannot enable (greyed out)

It works with just the two digits. 99 works the same as 09, etc. There may be others that do something different, but those four were all I cared about.
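An added example, not part of either answer: a Python decoder for StartupApproved\Run values, useful when auditing which Run entries are actually active. It assumes that an odd first byte means "disabled" (consistent with every value listed on this page: 01, 03, 09 disabled; 02, 06, 08 enabled) and that bytes 4 to 11 are a little-endian FILETIME, which is one reading of the timestamp guess above. The function and constant names are made up for the example.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

APPROVED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_startup_approved(blob):
    """Decode one REG_BINARY value from StartupApproved\\Run.

    Assumptions (not documented by Microsoft): an odd first byte means
    disabled, and bytes 4..11 are a little-endian FILETIME.
    """
    if len(blob) < 1:
        raise ValueError("empty StartupApproved value")
    flag = blob[0]
    changed = None
    if len(blob) >= 12:
        (ticks,) = struct.unpack_from("<Q", blob, 4)
        if ticks:  # all zeros: no timestamp recorded
            changed = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return {"flag": flag, "enabled": flag % 2 == 0, "changed": changed}

def read_startup_approved():
    """Windows only: decode every value under the HKCU StartupApproved\\Run key."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, APPROVED) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, kind = winreg.EnumValue(key, i)
            if kind == winreg.REG_BINARY:
                out[name] = decode_startup_approved(data)
    return out

# The two 12-byte values quoted in the first answer, reading "O3" as 03.
SAMPLE_ENABLED = bytes.fromhex("020000000000000000000000")
SAMPLE_DISABLED = bytes.fromhex("03000000d40d438dc83bd901")

if __name__ == "__main__":
    for blob in (SAMPLE_ENABLED, SAMPLE_DISABLED):
        print(blob.hex(" "), decode_startup_approved(blob))
    if sys.platform == "win32":
        for name, state in read_startup_approved().items():
            print(name, state)
```

Under the FILETIME assumption, the disabled sample decodes to 8 February 2023 (UTC), the same day the first comment on that answer was posted.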
