Is it a Virus?
No
Must be in C:\Sysinternals\Autoruns\Autoruns64.exe or C:\Sysinternals\Autoruns\Autoruns.exe
Can I Disable?
YES
Disabling items stops them from auto-starting; some items are required for proper system operation.
Is Autoruns Legit?
YES - Legit Microsoft Sysinternals utility
Official Sysinternals tool for auditing startup entries.
What is autoruns.exe?
autoruns.exe is the Windows Sysinternals utility that shows programs configured to run automatically during system boot or user login. It lists startup locations such as Run keys in the registry, startup folders, services, drivers, and scheduled tasks, enabling you to audit and manage persistence mechanisms.
Autoruns enumerates startup locations and highlights the status of each item. It helps identify persistence mechanisms used by malware and legitimate software, enabling safe disablement or removal to improve boot times and security.
Quick Fact: Autoruns can reveal every auto-start entry including less-visible locations, making it a powerful tool for malware investigations or cleanups.
Types of Autoruns Data Sources
- Registry Run Keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Startup Folders: Startup folders in Start Menu and Common Startup
- Services: Windows services registered to start automatically
- Drivers: Device drivers configured to load at boot
- Scheduled Tasks: Tasks configured to run at boot or login
- Winlogon and LSASS entries: Logon related startup entries
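The first two sources in this list can be read directly with PowerShell. The script below is an added example, not part of Autoruns or of the original page; it covers only the Run keys and Startup folders, and the helper name `Get-ImagePath` is hypothetical.

```powershell
# Added example (not Autoruns itself): reads only the Run keys and Startup folders.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$startupDirs = [Environment]::GetFolderPath('Startup'),
               [Environment]::GetFolderPath('CommonStartup')

# Hypothetical helper: pull the executable path out of a Run-key command line.
function Get-ImagePath {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }         # "C:\dir with spaces\app.exe" /arg
    if ($cmd -match '^(.+?\.exe)(\s|$)') { return $Matches[1] }  # C:\Program Files\app.exe /arg
    return ($cmd -split '\s+')[0]                                # fallback: first token
}

$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk shortcut targets
$entries = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Name = $name
                               Image = Get-ImagePath ([string]$item.GetValue($name)) }
        }
    }
    foreach ($dir in $startupDirs) {
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                $target = if ($_.Extension -eq '.lnk') {
                    $shell.CreateShortcut($_.FullName).TargetPath
                } else { $_.FullName }
                [pscustomobject]@{ Location = $dir; Name = $_.Name; Image = $target }
            }
    }
)

# Attach the Authenticode status of each target so unsigned entries sort together.
$entries | ForEach-Object {
    $status = if ($_.Image -and (Test-Path -LiteralPath $_.Image -PathType Leaf)) {
        (Get-AuthenticodeSignature -LiteralPath $_.Image).Status
    } else { 'FileNotFound' }
    $_ | Add-Member -NotePropertyName Signature -NotePropertyValue $status -PassThru
} | Sort-Object Signature, Location | Format-Table -AutoSize -Wrap
```

Entries reported as `FileNotFound` or `NotSigned` are the ones to research first; services, drivers, scheduled tasks and Winlogon entries are not covered by this script.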
Is autoruns.exe Safe?
Yes, autoruns.exe is safe when downloaded from the official Microsoft Sysinternals site and run with standard user privileges.
Is autoruns.exe a Virus or Malware?
The real autoruns.exe is not a virus. Malware may disguise itself with similar names.
How to Tell if Autoruns is Legitimate or Malware
- File Location: Must be located at C:\Sysinternals\Autoruns\Autoruns64.exe or C:\Sysinternals\Autoruns\Autoruns.exe.
- Digital Signature: Right-click the file -> Properties -> Digital Signatures -> Should show "Microsoft Corporation".
- Hash Verification: Run C:\Windows\System32\certutil.exe -hashfile C:\Sysinternals\Autoruns\Autoruns64.exe SHA256 and compare with the official Microsoft hash.
- Source Integrity: Download only from the official Microsoft Sysinternals page and verify the accompanying SHA256 hash in the download package.
Red Flags: If autoruns.exe is located in Temp or AppData folders, runs without user action, or lacks a valid digital signature, treat as suspicious. Verify against Microsoft Sysinternals distribution and check for paths like C:\Users\<User>\AppData or C:\Temp.
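The location, signature and hash checks above can be run in one pass. This is an added example, not code from the original page or from Microsoft; the function name `Test-AutorunsBinary` is hypothetical and `-ExpectedSha256` must be filled with the value you obtained from the official source.

```powershell
# Added example: applies the page's checklist to one Autoruns binary.
param(
    [string]$Path = 'C:\Sysinternals\Autoruns\Autoruns64.exe',
    # Paste the SHA256 from the official source; empty means "hash not compared".
    [string]$ExpectedSha256 = ''
)

function Test-AutorunsBinary {
    param([string]$Path, [string]$ExpectedSha256)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # Red flag from the page: the binary sits under a Temp or AppData folder.
    $suspiciousDir = $full -match '\\(Temp|AppData)\\'

    # The signature must validate AND the signer must be Microsoft Corporation.
    $sig    = Get-AuthenticodeSignature -LiteralPath $full
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $sigOk  = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    # Same digest that "certutil -hashfile <file> SHA256" prints.
    $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    $hashResult = if ([string]::IsNullOrWhiteSpace($ExpectedSha256)) {
        'NotCompared'
    } elseif ($hash -ieq $ExpectedSha256.Trim()) { 'Match' } else { 'MISMATCH' }

    [pscustomobject]@{
        Path            = $full
        SuspiciousDir   = $suspiciousDir
        SignatureStatus = $sig.Status
        Signer          = $signer
        SignatureOk     = $sigOk
        Sha256          = $hash
        HashResult      = $hashResult
    }
}

Test-AutorunsBinary -Path $Path -ExpectedSha256 $ExpectedSha256 | Format-List
```

A copy that reports `SignatureOk : False`, `HashResult : MISMATCH` or `SuspiciousDir : True` should not be run until its origin is confirmed.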
Why Is autoruns.exe Running on My PC?
autoruns.exe runs when you launch the Sysinternals Autoruns utility to enumerate and audit every startup entry configured on Windows.
Reasons it's running:
- Manual Audit Session: You started Autoruns to inspect and manage startup entries across registry Run keys, startup folders, and services.
- Comprehensive Enumeration: Autoruns collects data from multiple locations (registry, drivers, tasks, services) to give a complete view of persistence mechanisms.
- Administrative Access Required: Reading some startup locations (HKLM, certain services) requires administrative privileges.
- Security Investigations: Used in malware incident response to identify unexpected auto-start items and persistence techniques.
- Snapshot Tool: It provides a snapshot of startup items at the moment of launch; nothing is changed on the system until you modify an entry through the UI.
Can I Disable or Remove autoruns startup entries?
Yes, you can disable startup entries with Autoruns. Disabling entries prevents them from starting automatically, which can speed boot times and reduce nuisance programs, but you may affect functionality of some software or services if you disable critical items.
How to Stop autoruns Startup Items
- Open Autoruns as Admin: Run Autoruns64.exe as Administrator to see all system locations.
- Review Items: Look through the list and identify unfamiliar or suspicious entries.
- Disable Selected Entries: Uncheck the checkbox next to an item to disable it from startup.
- Reboot to Apply: Restart the computer to ensure the change takes effect.
- Backup Before Changes: Use the 'Save' option to export a snapshot before making changes.
How to Uninstall Autoruns
- ✔ Delete the Autoruns files: locate the extracted Sysinternals Autoruns folder and delete it
- ✔ Remove any downloaded zip from the download location
- ✔ No system components are installed; uninstall simply means removing the tool
Common Problems: Autoruns Issues
If Autoruns is not showing all startup entries or behaves unexpectedly:
Common Causes & Solutions
- Filtered locations hide items: In the Autoruns Options menu, uncheck 'Hide Empty Locations' and the option that hides signed Microsoft entries to reveal all locations.
- Insufficient privileges: Run Autoruns as Administrator to read HKLM keys and protected services.
- Conflicting security software: Some antivirus/EDR products may interfere; temporarily disable protection or run offline analysis to verify.
- Incorrect interpretation of items: Research each startup item before disabling; not all items are safe to remove.
- Outdated tool data: Update to the latest Sysinternals Autoruns release from Microsoft.
- Hash or signature mismatch after download: Re-download from the official site and verify the SHA256 hash included in the package.
Quick Fixes:
1. Open Autoruns as Administrator to access all locations
2. In the 'Options' menu, uncheck 'Hide Empty Locations' and 'Hide Signed Microsoft Entries' if needed
3. Refresh the view and re-scan to capture latest startup data
4. Disable suspicious entries and reboot to verify changes
5. If in doubt, export a backup before making changes
Frequently Asked Questions
What is Autoruns and why would I use it?
Autoruns is a Sysinternals utility that shows every program configured to run at startup, including hidden and hard-to-find locations like registry keys, scheduled tasks, and drivers. It helps identify persistence mechanisms used by malware and clean up unnecessary startup items.
Is Autoruns safe to download and use?
Yes, when downloaded from the official Microsoft Sysinternals site, Autoruns is a legitimate tool used by IT professionals for malware analysis and system maintenance.
Can Autoruns disable startup programs?
Yes. You can disable startup entries directly in Autoruns by unchecking items. Some entries may be critical for system operation, so review before disabling.
Where can I download Autoruns from?
Download Autoruns from the official Microsoft Sysinternals website: https://learn.microsoft.com/sysinternals/downloads/autoruns. Always verify the ZIP hash from the download page.
Does Autoruns modify the registry or system files?
Autoruns reads and edits startup locations but does not modify essential system files. Changes affect startup behavior; back up data before making changes.
Do I need admin rights to use Autoruns effectively?
Admin rights are required to view and modify startup items in HKLM and other protected locations. Running as Administrator provides full visibility.