How To Identify Good or Bad StartUp Programs



There are a lot, I mean REALLY a lot, of free startup and hijack analyzer programs that scan your system for all running programs, autostart locations, drivers, services and hijack points. Silent Runners, HijackThis, RunScanner, HiJackFree and AutoRuns are a few popular ones, and each has its own pros and cons. A startup analyzer is a very powerful tool for removing malware, but it requires the user to have advanced computer knowledge to be able to determine which file or process is malware.

Normal computer users who only want to use the computer can submit the log file to a forum and have it checked by experts. Have you ever wondered how the experts in virus removal forums learn and know which file or process is suspicious malware? Identifying malware is not easy because the filename itself can be deceiving. If you’re feeling adventurous and want to learn how to identify malware, here is how you can get started…


The most important factor when using startup analyzers is the ability to recognize which files are good and which are bad. Unless you have many years of experience and constantly check file names, you’re not going to be able to tell the good files from the bad ones. Who knows, one day you might even accidentally remove an important file such as userinit.exe, and you will no longer be able to log in to Windows. I admit that I once removed userinit.exe and I had a hard time restoring the registry entry. Instead of removing malware, I ended up wasting more time repairing the damage that I’d created.

Before making any changes with startup analyzers, always make sure you’ve done your BACKUP.

When you run any startup analyzer, it’ll take a few seconds to scan all startup entries. Here is an example of me running AutoRuns on my computer.

[Screenshot: Identify Malicious files with Autoruns]

As you can see, the first one is the userinit.exe file located in the c:\windows\system32 folder. Try searching for the filename on all of these websites.

  • CastleCops – CLSID BHOList ToolbarList
  • Process Library
  • SysInfo Startup Applications List
  • Windows Startup Online Repository
  • RunScanner Process List
  • TaskList

If the program isn’t listed on any of those sites, Google it and look for sources that positively identify it. Some startup analyzers, such as RunScanner, are able to check the MD5 hash of a file. An MD5 hash is a unique fingerprint of a file. Different files/versions can have the same filename in Windows. The MD5 hash verifies that the legitimate file is not altered or “fake”.
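
The check described above, as an added example that is not from the original post or from any tool it names: each startup entry is compared with a known-good reference by filename, folder and MD5. The function names, the reference table and the file contents are assumptions constructed for illustration.

```python
import hashlib
import ntpath
import os
import tempfile

def md5_of(path):
    """Hex MD5 of a file, read in chunks."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(entry_path, file_on_disk, known_good):
    """entry_path: Windows path shown by the analyzer; file_on_disk: where
    its bytes are read from; known_good: {filename: (folder, md5)}."""
    name = ntpath.basename(entry_path).lower()
    folder = ntpath.dirname(entry_path).lower()
    if name not in known_good:
        return "unknown"            # look it up before removing anything
    good_folder, good_md5 = known_good[name]
    if folder != good_folder.lower():
        return "wrong folder"       # trusted name, unexpected location
    if md5_of(file_on_disk) != good_md5.lower():
        return "hash mismatch"      # right name and place, altered content
    return "matches reference"

def demo():
    """Classify four constructed entries; the file contents are stand-ins."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "genuine.bin")
        altered = os.path.join(tmp, "altered.bin")
        with open(genuine, "wb") as f:
            f.write(b"constructed stand-in for the real userinit.exe")
        with open(altered, "wb") as f:
            f.write(b"constructed stand-in for a replaced file")
        # Reference MD5 is taken from the stand-in; a real one would come
        # from a trusted database or a known-clean installation.
        known_good = {"userinit.exe": (r"c:\windows\system32", md5_of(genuine))}
        entries = [
            (r"C:\Windows\System32\userinit.exe", genuine),
            (r"C:\Windows\System32\userinit.exe", altered),
            (r"C:\Windows\Temp\userinit.exe", genuine),
            (r"C:\Tools\helper.exe", genuine),
        ]
        return [classify(p, f, known_good) for p, f in entries]

if __name__ == "__main__":
    print(demo())
```

MD5 collisions can be manufactured deliberately, so where a reference SHA-256 is available, compare that as well or instead.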

If you know of any other websites that have a database of startup entries, please share them with us. Good luck in learning how to identify dangerous startup programs.