banner
Rising Galaxy

Galactic World

Share something here.
tg_channel
github
bilibili
steam
email
follow
HomeArchives

Startup Items

#Windows#开机启动项#Autoruns48
AI Translation
This post is translated from Chinese into English through AI.View Original
AI-generated summary
The document discusses an issue with a persistent startup folder named "SysdiagDisabledAutoruns" that appears every time the computer is booted. The author initially attempted to disable it using Task Manager and various security tools, but the folder kept reappearing. After some investigation, they discovered the folder was located in the Windows startup directory for the current user. Deleting it resolved the issue. The author speculates that the folder was created by a security tool called 火绒 (HuoRong), specifically its "安全分析工具" (Security Analysis Tool), which creates this folder when certain shortcuts are disabled. They also note that the Task Manager does not show all startup items, as it only scans specific directories and registry locations. To manage startup items, the document provides several methods, including using the Settings app, creating shortcuts in the startup directory, using Task Scheduler, and editing the registry. It recommends using a tool called Autoruns for comprehensive management of startup items, as it provides detailed insights into all auto-start locations and configurations.

Startup Items#

First Encounter#

A while ago, every time I booted up, a folder SysdiagDisabledAutoruns would always open.

My usual process was:

Task Manager -> Startup Applications -> Find it and disable it

However, I couldn't find it there, so I tried:

Huorong 6.0 - Security Tools - Startup Management

Image

Great, I found it and disabled it, as shown in operation ① in the image above. Then I thought it was resolved, but the next day when I opened my computer again, I saw that folder again. So I took operation ② from the image above - deleted this item, restarted, and it still didn’t work. In fact, after deleting it, I could just reopen the Startup Management without restarting, and it would show up again.

Then I tried several tools that could manage startup items (I downloaded quite a few various tools, but since I didn't organize them, I couldn't remember where many of them were, so I only tried a few this time), and they were even worse than Huorong; none of them detected this startup item.

In the end, since it only appeared once at startup, I just disabled it and didn't bother anymore.

Clue#

After enduring it for several days, I finally couldn't take it anymore and decided to find it.

Suddenly, I remembered there was one place I hadn't checked - the built-in Windows startup folder.

Current User:

Path: C:\Users\{User}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Quick access: Win + R -> shell:startup

All Users:

Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Quick access: Win + R -> shell:common startup

Upon entering the current user's startup folder, sure enough, I saw a folder SysdiagDisabledAutoruns lying there.

I decisively deleted it, and after restarting, I never encountered it again.

At that time, I pondered the name of this folder, which probably indicated it was for disabling startup items; indeed, there were a few shortcuts inside, which I remembered disabling before. However, this handling method was quite baffling; I guessed it was to manage these shortcuts in one folder for easy re-enabling later through tools, but placing this folder directly in the built-in Windows startup folder was quite outrageous, causing that folder to pop up every time I booted up.

Since I was using many tools to manage it, I couldn't recall who had done this good deed at the time, and I didn't think to search for it. I thought it was resolved and would look for it again if I encountered it next time.

Leads#

One day, during my leisure time, I revisited this issue.

I first tested my usual methods to disable startup items, but the SysdiagDisabledAutoruns folder did not appear.

So I searched online; others had encountered this issue and asked about it, including a post in the Microsoft community, but to no avail. There was also a question in the Huorong security forum: What is SysdiagDisabledAutoruns? This post was from 2016-5-28, and there weren't many replies in the comments. Among all the replies from 2016, I did see one mentioning it was related to Huorong:

Image

But I had tried it and couldn't reproduce the problem.

Until I saw the last comment from 2021, which pointed out it should be caused by Huorong Sword.

Huorong Sword has been discontinued: Notice on the discontinuation of Huorong Sword security tool, Security issues with the independently circulated Huorong Sword

So I used Huorong Sword in the corresponding tool in Huorong 6.0 version: Huorong 6.0 -> Security Tools -> Security Analysis Tool -> Startup Items.

The problem was still there; as long as the original shortcuts existed in the startup directory, disabling them in the security analysis tool would create the SysdiagDisabledAutoruns folder.

Image

Thus, the cause of the problem was found.

Focus#

Why are there so few startup items detected by Task Manager?#

I couldn't find much useful information online, but it seems that Task Manager only scans the following locations:

  1. File Explorer

    1. C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    2. C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

  2. Registry

    1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

I also tested it:

Image

I created a folder and a shortcut pointing to another directory in the startup directory.

In Task Manager, it could only detect that shortcut, not the folder.

How to add startup items on your Windows#

  1. Win + I open Settings -> Apps -> Startup
  2. Create a shortcut and place it in the startup directory; refer to the specific path and quick access method in the text above
  3. Win + R -> shell:appsfolder -> Drag the application you want to add from this directory to the startup directory
  4. Some software has built-in startup settings in their options
  5. Win + S -> Task Scheduler -> Create a task based on the guide
  6. Win + R -> regedit -> Navigate to the two registry locations mentioned in the text above as needed -> Create a new entry

You can find more details here.

Manage your Windows startup items#

  1. You can view and manage all the above methods of adding
  2. The startup tab in Task Manager
  3. Many third-party software can manage startup items, such as the two places mentioned in the Huorong security software

Here I recommend a tool - Autoruns

This utility provides the most comprehensive view of auto-start locations for any startup monitor. It shows which programs are configured to run at system startup or login, as well as when various built-in Windows applications (like Internet Explorer, Explorer, and media players) are launched. These programs and drivers are included in startup folders, Run, RunOnce, and other registry entries. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and more. Autoruns far surpasses other auto-start utilities.

The “Hide Microsoft-signed items” option in Autoruns helps highlight third-party auto-start images added to the system and supports viewing auto-start images configured for other accounts on the system. The download package also includes command-line equivalents that can output in CSV format via Autorunsc.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.