Is it a Virus?
✔ NO - Safe
Must be located at C:\Sysinternals\Autoruns\autoruns.exe or C:\Program Files\Sysinternals\Autoruns\autoruns.exe
Warning
Entries may include legitimate system items
Some autostart entries are critical for OS operations; disable with care
Can I Disable?
✔ YES
Uncheck or remove non-essential startup entries to reduce boot impact
What is autoruns.exe?
autoruns.exe is a Sysinternals utility that inventories every startup entry on Windows. It analyzes multiple autostart locations, including registry Run keys, RunOnce, startup folders, services, and scheduled tasks, to provide a complete view of what launches automatically.
Autoruns enumerates autostart points across locations, enabling you to identify persistence mechanisms used by software or malware and to disable or remove entries without installing any software.
Quick Fact: Autoruns can show hidden startup locations and offers filtering to reveal all autostarts, including those not visible through normal startup settings.
Types of Autorun Entries
- Registry Run Keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU equivalents
- Startup Folder: Startup items stored in the user and all users Startup directories
- Scheduled Tasks: Tasks configured to run at logon or on a schedule
- Services: Services configured to start automatically
- Drivers: Low-level autostart entries for drivers and related components
- WMI Events: WMI-based persistence mechanisms
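To cross-check what Autoruns reports, the location types listed above can also be read directly with built-in PowerShell cmdlets. The script below is an added example, not part of Autoruns or Sysinternals; the helper name Add-Entry is hypothetical, and it covers only the types in this list, so it is not a replacement for the tool.

```powershell
# Added example: read-only inventory of the autostart types listed above.
# Run elevated so HKLM, services and root\subscription are readable.
$entries = New-Object System.Collections.Generic.List[object]
function Add-Entry($Location, $Name, $Command) {   # hypothetical helper
    $entries.Add([pscustomobject]@{ Location = $Location; Name = $Name; Command = $Command })
}

# Registry Run keys (RunOnce included, since Autoruns reports it too)
$base = 'Software\Microsoft\Windows\CurrentVersion'
foreach ($key in "HKLM:\$base\Run", "HKLM:\$base\RunOnce", "HKCU:\$base\Run", "HKCU:\$base\RunOnce") {
    $item = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) { Add-Entry $key $name $item.GetValue($name) }
    }
}

# Startup folders: current user and all users
foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Entry $dir $_.Name $_.FullName }
}

# Scheduled tasks that are not disabled, with the command each action runs
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Entry "Task $($_.TaskPath)" $_.TaskName $cmd
}

# Services and drivers configured to start automatically
Get-CimInstance Win32_Service -Filter "StartMode='Auto'" |
    ForEach-Object { Add-Entry 'Service' $_.Name $_.PathName }
Get-CimInstance Win32_SystemDriver -Filter "StartMode='Boot' OR StartMode='System' OR StartMode='Auto'" |
    ForEach-Object { Add-Entry 'Driver' $_.Name $_.PathName }

# WMI event subscriptions: each binding ties an event filter to a consumer
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Entry 'WMI binding' "$($_.Filter)" "$($_.Consumer)" }

$entries | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Entries that appear here but not in an Autoruns view usually mean a filter is active in Autoruns or the tool was not run as administrator.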
Is autoruns.exe Safe?
Yes, autoruns.exe is safe when downloaded from the official Sysinternals/Microsoft site and run from a legitimate path (e.g., C:\Sysinternals\Autoruns\autoruns.exe).
Is autoruns.exe a Virus or Malware?
The real autoruns.exe is not a virus. Malware may imitate names; verify the digital signature and location to confirm authenticity.
How to Tell if autoruns.exe is Legitimate or Malware
- File Location: Must be in C:\Sysinternals\Autoruns\autoruns.exe or C:\Program Files\Sysinternals\Autoruns\autoruns.exe. Any other path is suspicious.
- Digital Signature: Right-click autoruns.exe > Properties > Digital Signatures. Should show publisher "Sysinternals, a Microsoft subsidiary".
- Resource Usage: Normal usage is minimal when the tool is idle. Significant background activity indicates misuse or a compromised system.
- Behavior: Autoruns should only run when you launch it; it should not create background processes on its own.
Red Flags: If autoruns.exe is located in unusual folders (Temp, AppData\Roaming, or System32), runs without a user launch, has no valid signature, or creates unexpected processes, scan with antivirus and verify integrity.
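The location, signature and behavior checks above can be scripted so that they produce a record you can attach to a ticket. This is an added example, not code from Sysinternals; the function names Test-AutorunsBinary and Get-AutorunsProcess are hypothetical, and the expected paths and red-flag folders are the ones this page lists.

```powershell
# Added example: applies this page's location and signature checks to one file.
$expected    = 'C:\Sysinternals\Autoruns\autoruns.exe',
               'C:\Program Files\Sysinternals\Autoruns\autoruns.exe'
$suspectDirs = $env:TEMP, $env:APPDATA, (Join-Path $env:windir 'System32')

function Test-AutorunsBinary {
    param([Parameter(Mandatory)][string]$Path)

    $full     = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).Path
    $findings = @()

    # File location: -notcontains compares case-insensitively
    if ($expected -notcontains $full) { $findings += "Path not in expected list: $full" }
    foreach ($dir in $suspectDirs) {
        if ($full.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "Located under red-flag folder: $dir"
        }
    }

    # Digital signature: anything other than Valid is a finding
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    if ($sig.Status -ne 'Valid') { $findings += "Signature status: $($sig.Status)" }
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    [pscustomobject]@{
        Path            = $full
        SHA256          = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status
        Signer          = $signer      # compare with the publisher shown in Properties
        Findings        = $findings
    }
}

# Behavior: list running copies with their path and parent process ID,
# to see whether one was started by something other than a user launch.
function Get-AutorunsProcess {
    Get-CimInstance Win32_Process -Filter "Name LIKE 'autoruns%'" |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

# Usage: Test-AutorunsBinary -Path 'C:\Sysinternals\Autoruns\autoruns.exe'
```

An empty Findings list together with a SignatureStatus of Valid means the file passed the location and signature checks; the hash is recorded so a later copy can be compared against it.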
Why Is autoruns.exe Running on My PC?
autoruns.exe runs only when you launch the tool yourself or when a security or IT workflow launches it to audit startup entries. It does not start as a background service by default.
Reasons it's running:
- Manual Audit: You opened Autoruns to review startup entries for security or troubleshooting.
- Forensic/Incident Response: Analysts use Autoruns to identify persistence mechanisms used by malware.
- Startup Diagnostics: System administrators audit autostart items to optimize boot times.
- Software Troubleshooting: Investigating faulty software that injects startup entries or autostart tasks.
- Policy Compliance: Verifying that approved items exist in startup locations and that unknown items are flagged.
Can I Disable or Remove autoruns.exe?
Yes, you can disable startup entries identified by Autoruns. Autoruns itself is a portable tool, so to remove it you typically delete or relocate the program, or simply do not run it. Unchecking an entry disables that autostart without removing it.
How to Stop Autoruns from Changing Startup State
- Run Autoruns as Administrator: Right-click autoruns.exe and choose 'Run as administrator' to view all locations.
- Uncheck Entries: Clear the checkbox next to an item to disable it from starting with Windows.
- Save Snapshot: Use File > Save to export the current list for auditing or rollback.
- Backup before Changes: Create a system restore point or copy the Startup entries before edits.
- Close and Reboot: Restart the system to apply changes and verify boot behavior.
How to Remove Autoruns
- ✔ Delete autoruns.exe from its folder (e.g., C:\Sysinternals\Autoruns\autoruns.exe) or remove the Sysinternals folder.
- ✔ If you downloaded a package, delete the entire Sysinternals directory to remove all tools.
- ✔ Optionally clear temporary extraction paths and downloaded archives.
- ✔ Keep a copy of the tool in case you need to audit again, or download a fresh copy when needed.
Common Problems: Autoruns Not Showing All Locations
If Autoruns does not display all autostart locations, try these fixes.
Common Causes & Solutions
- Insufficient permissions: Run Autoruns as Administrator to access protected registry keys and service configurations.
- Filters hiding entries: Check Options and ensure no filters are hiding locations; reset filters if needed.
- Outdated version: Download the latest Sysinternals Autoruns from the official site and replace the older copy.
- Corrupted data: Redownload the tool; clear the folder and re-extract to a clean path.
- Antivirus interference: Temporarily disable antivirus or add an exception for Autoruns during auditing.
- Hidden system locations: Enable viewing of protected locations and WMI-based autostarts within Autoruns.
Quick Fixes:
1. Run as administrator and refresh the view
2. Check and reset all filters in Options
3. Update to the latest Autoruns version
4. Export results to a known-good location
5. Disable non-critical startup items and reboot
Frequently Asked Questions
Is autoruns.exe safe to download from Microsoft?
Yes. Download Autoruns from the official Sysinternals page hosted by Microsoft. Verify the digital signature and ensure the path matches expected Sysinternals directories.
What does Autoruns show exactly?
Autoruns lists all autostart locations including Run keys, RunOnce, startup folders, services, drivers, scheduled tasks, and WMI Event subscriptions.
Can I disable startup items with Autoruns?
Yes. You can uncheck items to disable them from starting automatically, or delete entries for permanent removal after confirmation.
Do I need admin rights to use Autoruns effectively?
Admin rights are often required to view and modify certain startup locations such as HKLM registry keys and services.
How do I export Autoruns results?
Use File > Save to export the current startup view to a text or CSV file for documentation or auditing.
Is Autoruns portable or does it require installation?
Autoruns is a portable tool; you simply run autoruns.exe from its folder without a formal installation.