Pro Tips #53
Part of ensuring compliance, performance and security is checking for startup applications. Startup applications can slow down the login process for users, it can be a severe security problem when applications silently run in the background without your knowledge and can lead to breaches of your company policy.
Having all the detailed data about your startup applications can help you with many scenarios including optimizing performance by identifying and disabling unnecessary programs, managing system resources more effectively, enhancing security by detecting malware and potentially unwanted software, troubleshooting startup issues, protecting privacy by preventing unauthorized programs from running, and ultimately reducing boot times for a smoother user experience. But first, let’s dive into how to set it all up.
Autorun Scan Settings
Startup applications, or as they are branded in Lansweeper “Autorun” items, are automatically scanned every 30 days. Obviously, to ensure that your data is up-to-date, you might want to increase this interval. Especially if you want to keep a closer eye on these items.
In Lansweeper On-prem, you’ll find the Scanned item interval in the scanning menu. Here you can adjust how frequently Windows items are scanned and whether history is kept. Setting the Refresh to 0 means the item is rescanned with every scan. Any other value equals the number of days before the item is rescanned.
Now every time your asset is scanned the startup applications will also be scanned, and you will have history on it as well which will let you report on new startup applications that have entered your environment.
Analyzing The Results
There are quite a few built-in reports about startup applications, you can find them easily by searching for “Autorun”. However, they are all for very specific startup applications.
Startup Applications Overview
First thing I created is a report that gives you a simple overview of all startup applications per device. Quite a simple report just to have all the data in one big list. You can also use this as a template should you want to create more specific reports yourself.
Startup Applications per Asset
Second is a report that counts the number of startup applications per asset. In Lansweeper on-prem this can also be used in a dashboard chart widget, but I think it’s better as a regular report since it will have a lot of entries. It lets you easily find assets that have a large number of startup items.
Startup Applications per Asset
Startup Applications History
The main goal of keeping startup application history is to be able to see when new entries occurred. Generally speaking, you want to be aware when new startup applications are created, especially since those could be malicious. This report gives you all the changes in the last 7 days, but feel free to adjust it if you want.
Startup Application Charts
I have created multiple charts for the on-premise dashboard widget. One that shows you the total number of times a specific startup application is present in your environment. Great to find the most popular startup applications.
One that shows the number of enabled startup applications per asset, further down you will see how we get the status of a startup application.
Lastly, the startup application per asset. As I mentioned above, this can also be used as a chart.
Scanning Startup Application Status
Now comes the non-default, harder part. I’m using a similar trick I used when I created a Pro Tip to identify HDD vs SSDs. I create a PowerShell script that takes data from multiple registry keys and writes it to a single registry key. This lets us configure custom registry key scanning for a fixed registry key instead of dynamic ones.
Specifically: HKEY_LOCAL_MACHINE\SYSTEM\Startup
All you need to do is configure that registry key scan in Lansweeper, using the values 0 through 20. I stopped at 20 because I assume a single device won’t have more than 20 startup applications. You can go higher if you want.
How you deploy the script I will mostly leave up to you. But you can also use this deployment package in Lansweeper on-prem if you want.
Download PowerShell script and Lansweeper Deployment package
Scanned Registry Data
Once the script has run, the assets have been rescanned, you’ll notice that we’ve scanned the startup application name and status in number format.
Using some reporting magic, we’re able to pull this data apart, link it based on the application name and translate the value to statuses. Which after a longer than expected session of googling pointed to the fact that even numbers mean Enabled, while uneven mean Disabled.
That is how we get to our last report, a combination of the startup applications scanned via WMI and the status scanned via the registry. This is also how we’re able to create the chart I mentioned earlier that lists the number of enabled startup applications per device.
Startup Application Status Audit
All of the resources above should give you some nice tools to manage the startup applications a bit better. Specifically, the number of enabled startup applications and the historical audit have a lot of value when it comes to preventing user complains of slow or long booting processes and ensuring they don’t run any malicious software without your knowledge!
